Seguridad de la Información y Controles contra Hackers - Getting hacked 101 intro to info sec and controls
0 likes616 views
This document outlines the course structure for an introductory information security program led by instructor Juan Ortiz. It covers topics such as threats, vulnerabilities, countermeasures, and includes both theoretical knowledge and hands-on labs aimed at equipping students with essential security skills. The course emphasizes the importance of understanding risks and the necessity of implementing layered security measures while highlighting common cybersecurity pitfalls and best practices.
Seguridad de la Información y Controles contra Hackers - Getting hacked 101 intro to info sec and controls
- 2. ABOUT YOUR INSTRUCTOR • JUAN ORTIZ • JORTIZ@BITSNCS.COM • BLOG: JUANORTIZ.PRO • BORN AND RAISED IN PUERTO RICO • INFO SEC, VIRTUALIZATION, CLOUD, ARCHITECTURE AND BUSINESS INTEGRATION
- 3. COURSE SCHEDULE Start End Content 8:30 9:00 Class Introduction 9:00 10:15 Module 1: Basic facts, myths and sad realities 10:15 10:30 Morning Break 10:30 12:00 Module 1: Labs 12:00 1:00 Lunch Break 1:00 2:15 Module 2: Securing the Infrastructure 2:15 2:30 Afternoon Break 2:30 4:00 Module 2: Labs 4:00 4:15 Wrap up and Q&A
- 4. AGENDA • DEFINE AND UNDERSTAND COMPONENTS OF INFORMATION SECURITY • UNDERSTAND INFOSEC ENEMIES • DEFINE VULNERABILITIES • EXPLAIN COUNTERMEASURES • DEMO & LABS
- 5. PURPOSE AND METHODOLOGY • THIS IS AN INTRODUCTORY COURSE • DESIGNED TO BE A FAST WAY TO GET UP TO SPEED IN INFORMATION SECURITY • THIS COURSE COVERS A BROAD SPECTRUM OF SECURITY TOPICS AND IS LIBERALLY SPRINKLED WITH REAL LIFE EXAMPLES • A BALANCED MIX OF TECHNICAL AND MANAGERIAL ISSUES MAKES THIS COURSE APPEALING TO ATTENDEES WHO NEED TO UNDERSTAND THE SALIENT FACETS OF • INFORMATION SECURITY BASICS • THE BASICS OF RISK MANAGEMENT. • WE BEGIN BY COVERING BASIC TERMINOLOGY AND CONCEPTS • THEN MOVE TO EXAMPLES OF THREATS • WE COVER THE BASICS OF CRYPTOGRAPHY, SECURITY MANAGEMENT, AND WIRELESS TECHNOLOGY • THEN WE LOOK AT POLICY AS A TOOL TO EFFECT CHANGE IN YOUR ORGANIZATION. • IN THE FINAL DAY OF THE COURSE, WE PUT IT ALL TOGETHER WITH AN IMPLEMENTATION OF DEFENSE IN-DEPTH.
- 6. CAVEATS • THE COURSE IS DESIGNED TO BE PERFORMED ON A WINDOWS ENVIRONMENT • YOU SHOULD NOT BRING A REGULAR PRODUCTION LAPTOP FOR THIS CLASS! WHEN INSTALLING SOFTWARE, THERE IS ALWAYS A CHANCE OF BREAKING SOMETHING ELSE ON THE SYSTEM. STUDENTS SHOULD ASSUME THAT ALL DATA COULD BE LOST. • IT IS CRITICAL THAT STUDENTS BE ABLE TO LOGIN TO THE ADMINISTRATOR LEVEL ACCOUNT • END POINT SECURITY SOLUTIONS CAN PREVENT PROGRAMS FROM BEING INSTALLED CORRECTLY ON THE SYSTEM. STUDENTS NEED TO BE ABLE TO TEMPORARILY DISABLE END POINT SECURITY SOLUTIONS OR MAKE EXCEPTIONS TO ALLOW PROGRAMS TO RUN.
- 7. MODULE 1 - BASIC FACTS, MYTHS AND SAD REALITIES A FRAMEWORK FOR INFORMATION SECURITY
- 8. SECURITY • IT HAS MANY DEFINITIONS • IN REALITY IT IS A SENSE OF SECURITY • KEY TERMS: THREAT, EXPOSITION, VULNERABILITY COPING, RISK • CAT AND MOUSE GAME • THERE ARE MANY STRATEGIES • DEFENSE IN-DEPTH
- 10. ELEMENTS OF INFORMATION TECHNOLOGY
- 11. DEFENSE IN-DEPTH
- 12. “ ” THINGS TO DO IF YOU WANT TO GET HACKED DON’T DO THEM, PLEASE
- 13. BAD PASSWORDS, BAD IDEA
- 14. WE ARE STILL NOT LEARNING
- 15. REPEAT YOUR PASSWORDS • Facebook • Twitter • Gmail • Youtube • eBay • PayPal • BPPR • Yahoo • Instagram • Pinterest • Amazon • Netflix • Microsoft • Spotify • Pandora • Dropbox • OneDrive • SmartPhone • iCloud • GoDaddy • Linkedin • IMDB • Wikipedia • Muchas más
- 16. DON’T USE MULTI FACTOR AUTHENTICATION • AUTENTICACIÓN • ALGO QUE SABES • ALGO QUE TIENES • ALGO QUE ERES • EN QUE LUGAR ESTAS • DISPONIBLE COMÚNMENTE • AUTORIZACIÓN
- 17. CLICK EVERY POSIBLE LINK
- 18. PAY RANSOMS WHEN ASKED
- 19. DON’T ENCRYPT YOUR DATA • FTP • Telnet • Simple Mail Transfer Protocol (SMTP) • HTTP • Post Office Protocol 3 (POP3) • Internet Message Access Protocol (IMAPv4) • Network Basic Input/OutputSystem (NetBIOS), • Simple Network Management Protocol (SNMP)
- 20. DON’T USE ANTI-MALWARE • Any system can be vulnerable to infection • The attacker uses naiveness as weapon • There are many effective tools Before After
- 21. DO NOT PATCH YOUR MACHINE • ERVERY HUMAN MADE SOFTWARE HAS FLAWS • THIS APPLIES TO OS, FIRMWARE, DRIVERS AND SOFTWARE • BE AWARE – WINDOWS UPDATE DOES NOT PATCH THIRD PARTY SOFTWARE
- 22. DOWNLOAD FREE STUFF • THE PIRATE BAY • KICKASSTORRENTS • TORRENTZ • EXTRATORRENT • YIFY-TORRENTS • EZTV • ISOHUNT.TO • LuckyWire • BearShare • Morpheus • LimeZilla • Nodezilla • Warez • Blubster
- 23. DO NOT BE SUSPICIOUS • COMMON SENSE IS THE LEAST COMMON OF THE SENSES • IF ITS TOO GOOD TO BE TRUE, IT PROBABLY IS • IF A LIE IS WELL DEVELOPED, WE WILL NOT HESITATE TO CLICK THAT MALICIOUS LINK • POLL: ASK A RANDOM PERSON WHAT IS HIS WEAKEST PASSWORD IN EXCHANGE FOR A PEN • RECIPROCITY: IT’S NATURAL TO RETURN THE FAVOR. • PEOPLE LIKE TO BE PRAISED • PEOPLE ARE AFRAID OF POWER POSITIONS
- 24. MODULE 1 - EXERCISES AND LABS • LAB 1 - CREATE A STANDARD USER ACCOUNT • LAB 2 - CONFIGURE MICROSOFT UPDATES • LAB 3 - CONFIGURE THIRD PARTY SOFTWARE UPDATES (SECUNIA PERSONAL SOFTWARE INSPECTOR) • LAB 4 - CONFIGURE PASSWORD MANAGEMENT (LASTPASS, KEEPASS)
- 25. MODULE 2 - SECURING THE INFRASTRUCTURE APPRECIATING THE RISKS ASSOCIATED WITH BEING CONNECTED TO THE INTERNET
- 26. WHAT DOES A HACKER DO
- 27. NETWORK DESIGNS
- 28. ATTACK TYPES • PUBLIC INFORMATION - SEARCH ENGINES, SOCIAL NETWORKS AND EVEN JOB SEARCH • NAME RESOLUTION ATTACKS • SESSION HIJACKING, SPOOFING, MAN IN THE MIDDLE • DENIAL OF SERVICE • CROSS SITE SCRIPTING, COOKIE STEALING • VIRUS, TROJANS, KEYLOGGERS AND WORMS • VULNERABILITIES • COVERT TRACKS
- 29. ATTACKER RESOURCES • LACK OF PLANNING AND PROTECTION PROVIDE THE BEST ATTACKING ENVIRONMENT • THERE ARE A LOT OF TOOLS FREELY AVAILABLE, OTHERS READY FOR SELL • THERE ARE REALLY BAD PEOPLE ON THE INTERNET, ON BUSINESS • DEEP WEB AND ANONYMIZERS – THEY EXIST AND ARE PRETTY EFFICIENT
- 30. DEFENSE MECHANISMS • POLICIES AND DATA WIPING • UPDATES AND CLIENT SECURITY SOFTWARE • ENCRYPTION – SYMMETRIC VS ASYMMETRIC, ONE WAY HASHES, CERTIFICATES AND DISK ENCRYPTION • FIREWALLS, IDS, DMZ, HONEY POTS • SECURE NETWORK PROTOCOLS • SEGMENTATION • BACKUP, REPLICATION AND REDUNDANCY • SECURITY AWARENESS TRAINING • ASSESSMENTS – PENTEST AND VA
- 31. MODULE 2 - EXERCISES AND LABS • LAB 5 - CONFIGURE FILE BACKUP (SYNCBACK, AZURE BACKUP) • LAB 6 - CONFIGURE ENCRYPTION AND SECURE CONTAINERS (TRUECRYPT/VERACRYPT/BITLOCKER) • LAB 7 – CALCULATING HASHES (HASHCALC) • LAB 8 – SCANNING FOR MALWARE (MALWAREBYTES) • LAB 9 – WIPE HARD DRIVE SPACE (CCLEANER, KILLDISK)
- 32. CONCLUSION • THERE IS NO SUCH THING AS “COMPLETELY SECURE” • IF IT IS TOO GOOD TO BE TRUE, IT PROBABLY IS • A LAYERED PLAN WILL BE THE MOST EFFECTIVE • KEEP IT SIMPLE, WHEN POSSIBLE • MOST ATTACKS ARE EFFECTIVE DUE TO IGNORANCE • ONCE YOU RUN YOUR SECURITY PLAN, DO NOT LEAVE IT AS IT IS. VERIFY IT CONSTANTLY • MAKE DRILLS AND TESTS
- 33. WRAP UP AND Q&A