Jose L. Quinones, BS MCP, MCSA, MCT, CEH, CEI, GCIH, GPEN, RHSA

Securing Your Business

UPR, School of Medicine – IT Director

Obsidis Consortia, Inc. – President & Founder

Security B Sides Puerto Rico – Organizer

Init6 Security User Group – Founder & Mentor

GLC Corporation – Technical Instructor

“The Cleaner”

PRgov - Information Security Council Member

“Jedi Master”

Virus

Trojans

Worms

Bot-nets

Ransomware

60% of small businesses that experience a data breach are out of business within 6 months.

IBM says there were 1.5 Million attacks alone in 2013, and 81% of them happened to small businesses.

Visa reports that 90% of the payment data breaches reported come from small businesses.

Policies and procedures

Backup (3-2-1 rule)

Business Continuity

Disaster Recovery

Acceptable Use Policy

Following the principles of:

Least privilege

Separation of Duties

Rotation of Duties

Access Control

Authentication

Authorization

Accounting

• Technologies

• Firewalls / UTMs / NGFs

• Anti-virus/spam

• Web filtering

• Patch management (Updates)

• Security Monitoring (Vulns, IDS, IPS)

• Remote Access VPN

• Cloud

• Mobile

• Application Whitelisting

Do not use personal information for passwords

Do not use dictionary words as passwords

Use at least 3 of the following: a-z, A-Z, 0-9, !@#$%^&*

At least 12-16 characters long

Use passphrases. Ex.: "I like cold pizza" becomes "1 Lik3 c0ld Pizz4!"

Use a password manager (LastPass)
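
The password rules above, written out as a checker (an added example, not code from the presentation). The dictionary and personal-info lists are constructed stand-ins, and the passphrase transformation is an assumed rule set chosen so that it reproduces the slide's own example.

```python
import re
import string

# Character classes from the slide: at least 3 of these 4 must appear.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set("!@#$%^&*"),
}
MIN_LENGTH = 12

# Constructed stand-in wordlist; a real deployment would load a full
# dictionary and the user's own profile data (name, birthday, pet, ...).
DICTIONARY = {"password", "welcome", "pizza", "summer", "dragon"}


def check_password(pw, personal_info=()):
    """Return the list of policy violations (empty list means accepted)."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes_hit = sum(1 for chars in CLASSES.values() if any(c in chars for c in pw))
    if classes_hit < 3:
        problems.append("uses fewer than 3 of: a-z, A-Z, 0-9, !@#$%^&*")
    for item in personal_info:
        # Very short items (initials) would match almost anything, so skip them.
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information: {item!r}")
    # Token check catches a dictionary word used whole or as one word of a phrase.
    if lowered in DICTIONARY or any(w in DICTIONARY for w in re.findall(r"[a-z]+", lowered)):
        problems.append("contains a dictionary word")
    return problems


# Assumed transformation (not stated on the slide): capitalise every second
# word, swap I/e/o/a for look-alike digits, and append "!".
SUBSTITUTIONS = str.maketrans({"I": "1", "e": "3", "o": "0", "a": "4"})


def passphrase_to_password(phrase):
    """Turn a memorable phrase into a password that satisfies check_password()."""
    words = phrase.split()
    words = [w.capitalize() if i % 2 else w for i, w in enumerate(words)]
    return " ".join(words).translate(SUBSTITUTIONS) + "!"
```

Running the plain phrase "I like cold pizza" through check_password() fails both the character-class and dictionary rules; the transformed "1 Lik3 c0ld Pizz4!" passes all of them.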

Use authentication on your network

Control and know your applications

Use a UTM/NGF, not a simple firewall

Apply web filtering (Ex. OpenDNS)

Blacklisting vs. whitelisting

Social media monitoring

Don’t use IE or Safari

Use Chrome and Firefox

Plugins for Chrome and Firefox:

Adblock Plus

Webfilter

HTTPS-Everywhere

LastPass

NoScript *

* Only for advanced users

Ensure your provider keeps your POS updated

Review your SLA with the service provider

Isolate the POS in the network

Monitor for abnormalities

If possible install antivirus on your POS

Install an IDS/IPS on your POS network

Use only when absolutely necessary

Isolate guest network

Authenticate & control access

Limit the number of services available (http, https, dns)

Use WPA2 with a strong password

Control output power *

Turn off beacon broadcasting *

Use MAC filtering *

* Not effective against a skilled attacker

Common techniques: Impersonation, Pretext, Framing, Elicitation

Common attacks: Customer service, Tech support, Delivery person, Phone, Email/Phishing

http://www.social-engineer.org/framework/general-discussion/

How to recognize Phishing: Legitimate organizations don’t ask for sensitive data over email.

Are the grammar and vocabulary appropriate, or is the language broken?

Did you expect a message from that person?

Is the website name spelled correctly? (Ex. Amazone.com)

How to respond to Phishing: DELETE immediately

Don’t click links; type the address into the browser by hand

Hover over the link to verify where it really points

Don't open e-mail attachments

If you fell for it … change your passwords

Contact any institutions you think have been compromised

Report it to: http://www.ic3.gov

What about network access?

Does it work with User Account Control or standard user?

Are you certified in this product/technology?

What technologies are compatible with this? (Cloud, Virtualization, Mobile Devices)

Just turn off the firewall

… give Everyone full control permissions

You need Administrator privileges for the application to work.

Create a generic user for everyone

1. Use Password protected access control

2. Control application access and permission

3. Keep the OS and firmware current (update)

4. Backup your data

5. Use remote or automatic wipe if stolen or lost

6. Don’t store personal financial data on your device

7. Beware of free apps

8. Try mobile antivirus (Android)

9. Control Wireless connectivity (Wi-Fi, Bluetooth, NFC, RFID)

10. If possible use a Mobile Device Management (MDM) solution

Read the Terms and Conditions of Service and the Privacy Policy carefully

Your only assurance is a good contract (get a lawyer) & SLA

Encrypt everything before uploading it to the cloud

Not all clouds are the same; understand your needs.

Get the service from a reputable provider.

“Security is a process, not a product.” -- Bruce Schneier

“You either think you are secure or you know you are not.” -- Yoyo

“Tradition becomes our security, and when the mind is secure it is in decay.” -- Jiddu Krishnamurti

Blog: http://codefidelio.org

Email: [email protected]

Twitter: @josequinones

G+: https://plus.google.com/u/2/+JoseLQuinonesBorrero