Post on 12-Jul-2015
UPR, School of Medicine – IT Director
Obsidis Consortia, Inc. – President & Founder
Security B Sides Puerto Rico – Organizer
Init6 Security User Group – Founder & Mentor
GLC Corporation – Technical Instructor
“The Cleaner”
PRgov - Information Security Council Member
“Jedi Master”
60% of small businesses that experience a data breach are out of business within 6 months.
IBM says there were 1.5 Million attacks alone in 2013, and 81% of them happened to small businesses.
Visa reports that 90% of the payment data breaches reported come from small businesses.
Policies and procedures
Backup (321)
Business Continuity
Disaster Recovery
Acceptable Use Policy
Following the principles of:
Least privilege
Separation of Duties
Rotation of Duties
Access Control
Authentication
Authorization
Accounting
• Technologies
• Firewalls / UTMs / NGFs
• Anti-virus/spam
• Web filtering
• Patch management (Updates)
• Security Monitoring (Vulns, IDS, IPS)
• Remote Access VPN
• Cloud
• Mobile
• Application White Listing
Do not use personal information for passwords
Do not use dictionary words as passwords
Use at least 3 of the following: a-z, A-Z, 0-9, !@#$%^&*
At least 12-16 characters long
Use passphrases (Ex. "I like cold pizza" becomes "1 Lik3 c0ld Pizz4!")
Use a password manager (LastPass)
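As an added worked example (not part of the original slides), the following Python checker applies the password rules listed above: minimum length, at least 3 of the 4 character classes, no dictionary word, no personal information. The word list and the personal-data values it rejects are constructed placeholders; a real deployment would load a full dictionary and the user's own profile fields.

```python
import re
import string

# Constructed mini word list standing in for a real dictionary (assumption: a
# deployment would load a full word list such as /usr/share/dict/words).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "pizza", "summer", "admin"}

# The four character classes from the slide: a-z, A-Z, 0-9, !@#$%^&*
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set("!@#$%^&*"),
}


def char_classes(pw):
    """Return the names of the character classes present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def is_dictionary_word(pw, words=COMMON_WORDS):
    """True when the password, with digits/symbols stripped, is just one word.

    Stripping lets "password123" still map to "password", while a real
    passphrase such as "1 Lik3 c0ld Pizz4!" collapses to nonsense and passes.
    """
    core = re.sub(r"[^a-z]", "", pw.lower())
    return core in words


def contains_personal_info(pw, personal):
    """Return the personal-data items (name, birth year, ...) found in pw."""
    low = pw.lower()
    return [item for item in personal if len(item) >= 3 and item.lower() in low]


def check_password(pw, personal=(), min_len=12):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = char_classes(pw)
    if len(classes) < 3:
        problems.append(f"uses only {len(classes)} of 4 character classes")
    if is_dictionary_word(pw):
        problems.append("is a dictionary word")
    hits = contains_personal_info(pw, personal)
    if hits:
        problems.append("contains personal info: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # Constructed profile values for the personal-information rule.
    profile = ("jose", "quinones", "1980")
    for candidate in ("1 Lik3 c0ld Pizz4!", "password123", "Jose1980!xyzABC"):
        print(repr(candidate), "->", check_password(candidate, profile) or "OK")
```

The passphrase from the slide passes every rule, "password123" fails three of them, and a password built from the user's name and birth year fails only the personal-information rule even though it is long and mixes all four classes.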
Use authentication on your network
Control and know your applications
Use a UTM/NGF, not a simple firewall
Apply web filtering (Ex. OpenDNS)
Black listing vs. White listing
Social media monitoring
Don’t use IE or Safari
Use Chrome and Firefox
Plugins for Chrome and Firefox: Adblock Plus
Webfilter
HTTPS-Everywhere
LastPass
NoScript *
* Only for advanced users
Ensure your provider maintains your POS updated
Review your SLA with the service provider
Isolate the POS in the network
Monitor for abnormalities
If possible install antivirus on your POS
Install an IDS/IPS on your POS network
Use only when absolutely necessary
Isolate guest network
Authenticate & control access
Limit the number of services available (http, https, dns)
Use WPA2 with a strong password
Control output power *
Turn off beacon broadcasting *
Use MAC filtering *
* Not effective against a skilled attacker
Common Techniques
Impersonation
Pretext
Framing
Elicitation
Common attacks
Customer Service
Tech support
Delivery person
Phone
Email/Phishing
http://www.social-engineer.org/framework/general-discussion/
How to recognize Phishing
Legitimate organizations don't ask for sensitive data over an email.
Is the grammar and lexicon appropriate? (broken language)
Did you expect a message from that person?
Is the website name spelled correctly? (Ex. Amazone.com)
How to respond to Phishing
DELETE immediately
Don’t click stuff, enter the link in the browser by hand
Hover over the link to verify the link
Don't open e-mail attachments
If you fell for it … Change your passwords
Contact any institutions you think have been compromised
Report it to: http://www.ic3.gov
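Two of the checks above, "hover over the link to verify the link" and "is the website name spelled correctly (Ex. Amazone.com)", can be automated for a mail gateway or a user-side filter. The following Python example is added here and is not from the original slides: it pulls every link out of a constructed HTML e-mail, flags links whose visible text shows one domain while the href points somewhere else, and flags destination domains within a small edit distance of a trusted brand. The trusted-domain list, the sample message, and the two-label domain approximation are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of brands the business deals with (assumption).
TRUSTED_DOMAINS = {"amazon.com", "paypal.com", "bankofamerica.com"}

# Constructed sample phishing message; the hosts and IP are placeholders.
SAMPLE_EMAIL = """
<p>Your order could not be processed. Please verify your account.</p>
<a href="http://login.amazone.com/verify">https://www.amazon.com/account</a>
<a href="https://www.amazon.com/help">Help center</a>
<a href="http://198.51.100.7/paypal">www.paypal.com</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Approximate the registrable domain as the last two labels.

    Assumption: adequate for .com-style names; a production tool would use
    the public suffix list. Bare IP addresses are returned unchanged.
    """
    host = host.lower()
    if re.fullmatch(r"[\d.]+", host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None."""
    for t in trusted:
        if domain != t and edit_distance(domain, t) <= 2:
            return t
    return None


def analyze_links(html):
    """Return (href, reason) findings for suspicious links in an HTML body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = registrable(urlparse(href).hostname or "")
        # Visible text that itself looks like a domain or URL is what the user
        # "sees"; compare it with where the link really goes.
        shown_match = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        shown = registrable(shown_match.group(0)) if shown_match else None
        if shown and shown != target:
            findings.append((href, f"text shows {shown} but link goes to {target}"))
        look = lookalike_of(target)
        if look:
            findings.append((href, f"{target} looks like {look}"))
    return findings


if __name__ == "__main__":
    for href, reason in analyze_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

On the sample message the first link is flagged twice (text/target mismatch and the amazone.com typosquat), the genuine help link is clean, and the third link is flagged because its visible text names paypal.com while the href goes to a raw IP address.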
What about network access?
Does it work with User Account Control or standard user?
Are you certified in this product/technology?
What technologies are compatible with this? (Cloud, Virtualization, Mobile Devices)
Just turn off the firewall
… give Everyone full control permissions
You need Administrator privileges for the application to work.
Create a generic user for everyone
1. Use Password protected access control
2. Control application access and permission
3. Keep the OS and firmware current (update)
4. Backup your data
5. Use remote or automatic wipe if stolen or lost
6. Don’t store personal financial data on your device
7. Beware of free apps
8. Try mobile antivirus (Android)
9. Control Wireless connectivity (Wi-Fi, Bluetooth, NFC, RFID)
10. If possible use a Mobile Device Management (MDM) solution
Read carefully the Terms and conditions of service, and the Privacy Policy
Your only assurance is a good contract (get a lawyer) & SLA
Encrypt everything before uploading it to the cloud
Not all clouds are the same, understand your needs.
Get the service from a reputable provider.
“Security is a process, not a product.” -- Bruce Schneier
“you either think you are secure or you know you are not.” -- Yoyo
“Tradition becomes our security, and when the mind is secure it is in decay.” -- Jiddu Krishnamurti
Blog: http://codefidelio.org
Email: josequinones@codefidelio.org
Twitter: @josequinones
G+: https://plus.google.com/u/2/+JoseLQuinonesBorrero