Information security and controls against hackers - Getting Hacked 101: intro to info sec and...
TRANSCRIPT
ABOUT YOUR INSTRUCTOR
• JUAN ORTIZ
• BLOG: JUANORTIZ.PRO
• BORN AND RAISED IN PUERTO RICO
• INFO SEC, VIRTUALIZATION, CLOUD, ARCHITECTURE AND BUSINESS INTEGRATION
COURSE SCHEDULE
Start End Content
8:30 9:00 Class Introduction
9:00 10:15 Module 1: Basic facts, myths and sad realities
10:15 10:30 Morning Break
10:30 12:00 Module 1: Labs
12:00 1:00 Lunch Break
1:00 2:15 Module 2: Securing the Infrastructure
2:15 2:30 Afternoon Break
2:30 4:00 Module 2: Labs
4:00 4:15 Wrap up and Q&A
AGENDA
• DEFINE AND UNDERSTAND COMPONENTS OF INFORMATION SECURITY
• UNDERSTAND INFOSEC ENEMIES
• DEFINE VULNERABILITIES
• EXPLAIN COUNTERMEASURES
• DEMO & LABS
PURPOSE AND METHODOLOGY
• THIS IS AN INTRODUCTORY COURSE
• DESIGNED TO BE A FAST WAY TO GET UP TO SPEED IN INFORMATION SECURITY
• THIS COURSE COVERS A BROAD SPECTRUM OF SECURITY TOPICS AND IS LIBERALLY SPRINKLED WITH REAL LIFE EXAMPLES
• A BALANCED MIX OF TECHNICAL AND MANAGERIAL ISSUES MAKES THIS COURSE APPEALING TO ATTENDEES WHO NEED TO UNDERSTAND THE SALIENT FACETS OF
  • INFORMATION SECURITY BASICS
  • THE BASICS OF RISK MANAGEMENT
• WE BEGIN BY COVERING BASIC TERMINOLOGY AND CONCEPTS
• THEN MOVE TO EXAMPLES OF THREATS
• WE COVER THE BASICS OF CRYPTOGRAPHY, SECURITY MANAGEMENT, AND WIRELESS TECHNOLOGY
• THEN WE LOOK AT POLICY AS A TOOL TO EFFECT CHANGE IN YOUR ORGANIZATION.
• ON THE FINAL DAY OF THE COURSE, WE PUT IT ALL TOGETHER WITH AN IMPLEMENTATION OF DEFENSE IN-DEPTH.
CAVEATS
• THE COURSE IS DESIGNED TO BE PERFORMED ON A WINDOWS ENVIRONMENT
• YOU SHOULD NOT BRING A REGULAR PRODUCTION LAPTOP FOR THIS CLASS! WHEN INSTALLING
SOFTWARE, THERE IS ALWAYS A CHANCE OF BREAKING SOMETHING ELSE ON THE SYSTEM. STUDENTS
SHOULD ASSUME THAT ALL DATA COULD BE LOST.
• IT IS CRITICAL THAT STUDENTS BE ABLE TO LOG IN TO AN ADMINISTRATOR-LEVEL ACCOUNT
• END POINT SECURITY SOLUTIONS CAN PREVENT PROGRAMS FROM BEING INSTALLED CORRECTLY ON THE
SYSTEM. STUDENTS NEED TO BE ABLE TO TEMPORARILY DISABLE END POINT SECURITY SOLUTIONS OR
MAKE EXCEPTIONS TO ALLOW PROGRAMS TO RUN.
SECURITY
• IT HAS MANY DEFINITIONS
• IN REALITY IT IS A SENSE OF SECURITY
• KEY TERMS: THREAT, EXPOSURE, VULNERABILITY, COPING, RISK
• CAT AND MOUSE GAME
• THERE ARE MANY STRATEGIES
• DEFENSE IN-DEPTH
REPEAT YOUR PASSWORDS
• Facebook
• Gmail
• Youtube
• eBay
• PayPal
• BPPR
• Yahoo
• Amazon
• Netflix
• Microsoft
• Spotify
• Pandora
• Dropbox
• OneDrive
• SmartPhone
• iCloud
• GoDaddy
• IMDB
• Wikipedia
• Many more
DON’T USE MULTI FACTOR AUTHENTICATION
• AUTHENTICATION
  • SOMETHING YOU KNOW
  • SOMETHING YOU HAVE
  • SOMETHING YOU ARE
  • WHERE YOU ARE
  • COMMONLY AVAILABLE
• AUTHORIZATION
DON’T ENCRYPT YOUR DATA
• FTP
• Telnet
• Simple Mail Transfer Protocol (SMTP)
• HTTP
• Post Office Protocol 3 (POP3)
• Internet Message Access Protocol (IMAPv4)
• Network Basic Input/Output System (NetBIOS)
• Simple Network Management Protocol (SNMP)
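Every protocol on this slide sends credentials and data in the clear. As an added example (not part of the course slides), this PowerShell script lists which of those cleartext services a Windows host is actually listening on, with the owning process and the encrypted alternative to move to. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-NetUDPEndpoint) and the default port for each protocol.

```powershell
# Added example, not course material: find cleartext-protocol listeners on this host.
# Assumes default ports; a service bound to a non-standard port will not be flagged.

# Cleartext protocol -> default TCP port, plus the encrypted replacement to migrate to.
$ClearTextPorts = @{
    21  = @{ Name = 'FTP';     ReplaceWith = 'SFTP (22) or FTPS (990)' }
    23  = @{ Name = 'Telnet';  ReplaceWith = 'SSH (22)' }
    25  = @{ Name = 'SMTP';    ReplaceWith = 'SMTP with STARTTLS (587) or SMTPS (465)' }
    80  = @{ Name = 'HTTP';    ReplaceWith = 'HTTPS (443)' }
    110 = @{ Name = 'POP3';    ReplaceWith = 'POP3S (995)' }
    143 = @{ Name = 'IMAPv4';  ReplaceWith = 'IMAPS (993)' }
    139 = @{ Name = 'NetBIOS'; ReplaceWith = 'SMB on 445 with signing/encryption, or disable NetBIOS over TCP/IP' }
}

function Get-ClearTextListener {
    # Returns one object per listening cleartext TCP port, with the owning process name.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction Stop
    foreach ($conn in $listeners) {
        $port = [int]$conn.LocalPort
        if ($ClearTextPorts.ContainsKey($port)) {
            $info = $ClearTextPorts[$port]
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port        = $port
                Protocol    = $info.Name
                Address     = $conn.LocalAddress
                Process     = if ($proc) { $proc.ProcessName } else { 'unknown' }
                ReplaceWith = $info.ReplaceWith
            }
        }
    }
}

function Get-SnmpListener {
    # SNMP (v1/v2c) runs over UDP 161, so it is not a TCP listener; check it separately.
    # The fix is SNMPv3 with authentication and privacy, or disabling the SNMP service.
    Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { [int]$_.LocalPort -eq 161 } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

$found = Get-ClearTextListener
if ($found) { $found | Format-Table -AutoSize } else { 'No cleartext TCP listeners found.' }
$snmp = Get-SnmpListener
if ($snmp) { 'SNMP listener found (UDP 161):'; $snmp | Format-Table -AutoSize }
```

Run it in an elevated session so process names resolve for system services.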
DON’T USE ANTI-MALWARE
• Any system can be vulnerable to infection
• The attacker uses naiveness as a weapon
• There are many effective tools
[Figure: before / after screenshots]
DO NOT PATCH YOUR MACHINE
• EVERY HUMAN-MADE SOFTWARE HAS FLAWS
• THIS APPLIES TO OS, FIRMWARE, DRIVERS AND SOFTWARE
• BE AWARE – WINDOWS UPDATE DOES NOT PATCH THIRD PARTY SOFTWARE
DOWNLOAD FREE STUFF
• THE PIRATE BAY
• KICKASSTORRENTS
• TORRENTZ
• EXTRATORRENT
• YIFY-TORRENTS
• EZTV
• ISOHUNT.TO
• LuckyWire
• BearShare
• Morpheus
• LimeZilla
• Nodezilla
• Warez
• Blubster
DO NOT BE SUSPICIOUS
• COMMON SENSE IS THE LEAST COMMON OF THE SENSES
• IF IT’S TOO GOOD TO BE TRUE, IT PROBABLY IS
• IF A LIE IS WELL DEVELOPED, WE WILL NOT HESITATE TO CLICK THAT MALICIOUS LINK
• POLL: ASK A RANDOM PERSON WHAT THEIR WEAKEST PASSWORD IS IN EXCHANGE FOR A PEN
• RECIPROCITY: IT’S NATURAL TO RETURN THE FAVOR.
• PEOPLE LIKE TO BE PRAISED
• PEOPLE ARE AFRAID OF POWER POSITIONS
MODULE 1 - EXERCISES AND LABS
• LAB 1 - CREATE A STANDARD USER ACCOUNT
• LAB 2 - CONFIGURE MICROSOFT UPDATES
• LAB 3 - CONFIGURE THIRD PARTY SOFTWARE UPDATES (SECUNIA PERSONAL SOFTWARE INSPECTOR)
• LAB 4 - CONFIGURE PASSWORD MANAGEMENT (LASTPASS, KEEPASS)
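Lab 1 is the least-privilege habit the caveats slide alludes to: do daily work from a standard account and keep the administrator account for installs. As an added example (not the course's own lab material), this PowerShell script creates a standard local user and verifies it is not an administrator. It assumes Windows 10 / Server 2016 or later with the built-in LocalAccounts module, an elevated session, and a placeholder user name you replace with your own.

```powershell
# Added example, not course material: create a standard (non-admin) local account
# for daily use and confirm it is not a member of Administrators.
# $UserName is a placeholder; choose your own.

$UserName = 'dailyuser'

function New-StandardLocalUser {
    param([Parameter(Mandatory)][string]$Name)

    # Prompt for the password so it never sits in the script or in shell history.
    $password = Read-Host -Prompt "Password for $Name" -AsSecureString

    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $password -FullName $Name `
            -Description 'Standard account for daily use' | Out-Null
    }
    # Membership in the built-in Users group gives standard, non-admin rights.
    # Local group member names come back as COMPUTERNAME\user, hence the wildcard.
    $inUsers = Get-LocalGroupMember -Group 'Users' | Where-Object { $_.Name -like "*\$Name" }
    if (-not $inUsers) { Add-LocalGroupMember -Group 'Users' -Member $Name }
}

function Test-IsStandardUser {
    # Returns $true only when the account exists and is NOT in Administrators.
    param([Parameter(Mandatory)][string]$Name)
    $exists = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    $admin  = Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -like "*\$Name" }
    return ([bool]$exists -and -not $admin)
}

New-StandardLocalUser -Name $UserName
if (Test-IsStandardUser -Name $UserName) {
    "'$UserName' is a standard user: log in with it day to day and elevate only when installing software."
} else {
    Write-Warning "'$UserName' is an administrator; demote it with: Remove-LocalGroupMember -Group Administrators -Member $UserName"
}
```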
MODULE 2 - SECURING THE INFRASTRUCTURE
APPRECIATING THE RISKS ASSOCIATED WITH BEING CONNECTED TO THE INTERNET
ATTACK TYPES
• PUBLIC INFORMATION - SEARCH ENGINES, SOCIAL NETWORKS AND EVEN JOB SEARCH
• NAME RESOLUTION ATTACKS
• SESSION HIJACKING, SPOOFING, MAN IN THE MIDDLE
• DENIAL OF SERVICE
• CROSS SITE SCRIPTING, COOKIE STEALING
• VIRUS, TROJANS, KEYLOGGERS AND WORMS
• VULNERABILITIES
• COVERT TRACKS
ATTACKER RESOURCES
• LACK OF PLANNING AND PROTECTION PROVIDE THE BEST ATTACKING ENVIRONMENT
• THERE ARE A LOT OF TOOLS FREELY AVAILABLE, OTHERS FOR SALE
• THERE ARE REALLY BAD PEOPLE ON THE INTERNET, AND THEY ARE IN BUSINESS
• DEEP WEB AND ANONYMIZERS – THEY EXIST AND ARE PRETTY EFFICIENT
DEFENSE MECHANISMS
• POLICIES AND DATA WIPING
• UPDATES AND CLIENT SECURITY SOFTWARE
• ENCRYPTION – SYMMETRIC VS ASYMMETRIC, ONE WAY HASHES, CERTIFICATES AND DISK ENCRYPTION
• FIREWALLS, IDS, DMZ, HONEY POTS
• SECURE NETWORK PROTOCOLS
• SEGMENTATION
• BACKUP, REPLICATION AND REDUNDANCY
• SECURITY AWARENESS TRAINING
• ASSESSMENTS – PENTEST AND VA
MODULE 2 - EXERCISES AND LABS
• LAB 5 - CONFIGURE FILE BACKUP (SYNCBACK, AZURE BACKUP)
• LAB 6 - CONFIGURE ENCRYPTION AND SECURE CONTAINERS (TRUECRYPT/VERACRYPT/BITLOCKER)
• LAB 7 – CALCULATING HASHES (HASHCALC)
• LAB 8 – SCANNING FOR MALWARE (MALWAREBYTES)
• LAB 9 – WIPE HARD DRIVE SPACE (CCLEANER, KILLDISK)
CONCLUSION
• THERE IS NO SUCH THING AS “COMPLETELY SECURE”
• IF IT IS TOO GOOD TO BE TRUE, IT PROBABLY IS
• A LAYERED PLAN WILL BE THE MOST EFFECTIVE
• KEEP IT SIMPLE, WHEN POSSIBLE
• MOST ATTACKS ARE EFFECTIVE DUE TO IGNORANCE
• ONCE YOU RUN YOUR SECURITY PLAN, DO NOT LEAVE IT AS IT IS. VERIFY IT CONSTANTLY
• MAKE DRILLS AND TESTS