What a Bank ISO Should Know About Forensics - Indiana Bankers
Disclaimer
Mutual Risk Advisors is not endorsing or affiliated with any of the companies listed in the following slides.
Do your own due diligence & risk assessments on the products and links mentioned.
Owen LaChat
SVP & Managing Director – Mutual Risk Advisors, Inc.
VP & ISO – MutualBank, Inc. $1.4B community bank – 31 locations in IN & MI. Nasdaq: MFSF
Former:
• Cyber Security Technical Team Leader
• Information Systems Security Auditor
• Detective
Where to Focus Resources?
o Policies & Procedures
o Risk Assessments
o Vendor Management
o Phishing
o System & Network Monitoring
o Logs/SIEM
o Incident Response/Forensics
Policies & Procedures
o Are the foundational pieces of a good information security program.
o Should outline and memorialize your expectations.
o Should be viewed, approved, and followed from the top down.
o Often either too much or not enough time is spent developing and tuning them.
Risk Assessments
o Is the person completing the risk assessments qualified to assess risk?
o Are they focusing on the largest risks and quantifying correctly?
o Do the mitigating controls actually mitigate?
Vendor Management
o Vendors can be a large risk to the environment.
o Do vendors follow your infosec policies/procedures when dealing with your data?
  o Logs?
o Know your vendors, what they do, how they do it, their weaknesses, etc. Due diligence.
o Test your technical vendors regularly.
o “Trust, but verify.”
Phishing
o This is how many breaches occur.
o Fairly difficult to consistently kick in the front door of the network.
o It’s necessary to examine samples for intelligence on new attack methods.
o “But I have a spam filter and employees rarely report any phishing emails.”
Network Monitoring
o Know your network maps and routes.
o Internal/external sensors.
  o Do I need IDS/IPS sensors on the inside and outside?
  o External sensors – “That’s what a firewall is for..”
o 24/7 monitoring & internal oversight.
o What traffic is it missing?
  o TLS/SSL?
  o HTTP with an encrypted payload…
  o Is TLS/SSL malware data extraction common?
o Geolocation.
o Full packet capture is a necessity.
Network Monitoring - Traffic Analysis
o Moloch
  o Full packet capture.
  o http://molo.ch/
o NetworkMiner
  o Network analysis tool & offline PCAP reassembly tool.
  o http://www.netresec.com/?page=Networkminer
o Wireshark
  o https://www.wireshark.org
Network Monitoring - IDS/IPS
o Security Onion
  o https://securityonion.net/
o Snort/Suricata
  o https://www.snort.org/
  o https://suricata-ids.org/
o OSSEC
  o http://ossec.github.io/downloads.html
o Bro
  o https://www.bro.org/
System Monitoring
o Know your vulnerabilities.
o Assess patch levels.
o Device inventories.
  o Applications installed, version numbers, OS, running services, etc.
o Know where your deprecated appliances/software reside.
o Attacker mindset.
Logs/SIEM
o What’s being logged?
o Are you logging the right things and for enough time?
o Do you have a log collection/aggregation system?
o Are you capturing Windows Event Logs, Syslog, netflow, pcap, etc.?
o Automated alerting based on predefined thresholds.
  o User gets locked out, VPNs, attempted software installs, RDP, accounts created/deleted, and many more.
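The slide's "automated alerting based on predefined thresholds" is what a SIEM rule engine does on top of the collected Windows Event Logs and syslog. The following is an added example, not material from the presentation or from any of the products it lists: a small threshold engine replayed over constructed, already-normalised events (the `ts`/`host`/`type`/`subject` schema and the rule set are assumptions; the Windows event IDs named in the comments are the real ones a collector would map from).

```python
"""Threshold alerting over log events, in the style the Logs/SIEM slide describes."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, already-normalised events (assumed schema: ts, host, type,
# subject). A real collector would derive them from Windows Event Logs
# (4740 account locked out, 4720 account created, 4726 account deleted,
# 4624 logon with LogonType 10 for RDP), VPN concentrator syslog and
# MsiInstaller application-log entries.
SAMPLE_EVENTS = [
    {"ts": "2022-07-06T08:00:05", "host": "DC01",  "type": "account_lockout",  "subject": "jdoe"},
    {"ts": "2022-07-06T08:01:10", "host": "DC01",  "type": "account_lockout",  "subject": "jdoe"},
    {"ts": "2022-07-06T08:02:30", "host": "DC01",  "type": "account_lockout",  "subject": "jdoe"},
    {"ts": "2022-07-06T08:03:00", "host": "DC01",  "type": "account_lockout",  "subject": "asmith"},
    {"ts": "2022-07-06T08:05:00", "host": "DC01",  "type": "account_created",  "subject": "svc_backup2"},
    {"ts": "2022-07-06T08:06:00", "host": "WS042", "type": "rdp_logon",        "subject": "svc_backup2"},
    {"ts": "2022-07-06T08:07:00", "host": "WS042", "type": "software_install", "subject": "svc_backup2"},
    {"ts": "2022-07-06T08:08:00", "host": "DC01",  "type": "account_deleted",  "subject": "svc_backup2"},
    {"ts": "2022-07-06T09:30:00", "host": "VPN01", "type": "vpn_logon",        "subject": "jdoe"},
    {"ts": "2022-07-06T09:30:30", "host": "VPN01", "type": "vpn_logon",        "subject": "jdoe"},
    {"ts": "2022-07-06T22:00:00", "host": "DC01",  "type": "account_lockout",  "subject": "jdoe"},
]

# Predefined thresholds (assumed values): fire when `count` events of a type
# share the same `key` value inside `window`. A zero window makes a single
# event alert on its own.
RULES = {
    "account_lockout":  {"count": 3, "window": timedelta(minutes=10), "key": "subject"},
    "vpn_logon":        {"count": 2, "window": timedelta(minutes=5),  "key": "subject"},
    "account_created":  {"count": 1, "window": timedelta(0), "key": "subject"},
    "account_deleted":  {"count": 1, "window": timedelta(0), "key": "subject"},
    "rdp_logon":        {"count": 1, "window": timedelta(0), "key": "host"},
    "software_install": {"count": 1, "window": timedelta(0), "key": "host"},
}


def evaluate(events, rules=RULES):
    """Replay events in time order and return the alerts the rules produce.

    Each (type, key) pair keeps a sliding window of timestamps; when the window
    reaches the rule's count an alert is emitted and the window is reset, so a
    single burst of lockouts yields one alert rather than one per extra event.
    """
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        rule = rules.get(ev["type"])
        if rule is None:
            continue
        key = ev[rule["key"]]
        now = datetime.fromisoformat(ev["ts"])
        window = windows[(ev["type"], key)]
        window.append(now)
        # Drop timestamps that have aged out of the rule's window.
        while now - window[0] > rule["window"]:
            window.popleft()
        if len(window) >= rule["count"]:
            alerts.append({"at": ev["ts"], "host": ev["host"], "rule": ev["type"],
                           "key": key, "count": len(window)})
            window.clear()
    return alerts


def summarise(alerts):
    """Count alerts per rule, the view an ISO would want on a dashboard."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f'{a["at"]} {a["host"]:6} {a["rule"]:18} key={a["key"]} count={a["count"]}')
    print(summarise(evaluate(SAMPLE_EVENTS)))
```

Run as-is it prints six alerts: three lockouts of `jdoe` inside ten minutes, then the create/RDP/install/delete sequence for `svc_backup2`, then the doubled VPN logon. The single `asmith` lockout and the isolated evening `jdoe` lockout stay below threshold, which is the point of a window: the threshold, not the event, decides what reaches a human.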
Log Solutions
o ELK (ElasticSearch, LogStash, Kibana)
  o https://www.elastic.co/webinars/introduction-elk-stack
o Solarwinds LEM
  o http://www.solarwinds.com/log-event-manager
o Splunk
  o https://www.splunk.com/
Incident Response/Forensics
o Who owns response activities?
  o IT vs IS. Who’s in charge?
  o New FFIEC guidance focusing more on IS activities.
  o Large amount of control placed in IS for historically “IT” duties.
o In-house resources.
  o How often can you leverage?
  o Certifications
  o Training
o Outsourced – Forensic retainers.
Host Based Forensics (Media)
o Forensic Toolkit
  o http://www.accessdata.com
o EnCase Forensic
  o https://www.guidancesoftware.com/encase-forensic
o Internet Evidence Finder
  o https://www.magnetforensics.com/
o Hashcat
  o https://hashcat.net/hashcat/
Host Based Forensics (Imaging & Memory)
o RAM Capture Utilities
  o Magnet RAM Capture
    o https://www.magnetforensics.com/magnet-ief/
  o FTK Imager
    o http://www.accessdata.com
o RAM Parsing Utilities
  o Volatility
    o http://www.volatilityfoundation.org/
Tracking Network Anomalies
Phishing Attempt – Document w/ Macros
IDS Alert – EXE downloaded over HTTP
Full Packet Capture
Log System Alert
Host Based Forensic Event Confirmation
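The "IDS Alert – EXE downloaded over HTTP" step of the walkthrough above is a content check, not a filename check: the sensor looks at the response body for a Windows PE header regardless of what the server's Content-Type claims. The block below is an added illustration of that check over a constructed HTTP response, not code from the presentation or from Snort, Suricata or any other product named on the slides; the response bytes, the `inspect_http_response` name and the alert fields are all assumptions. The same limitation the slides raise applies here: the check only sees cleartext HTTP, so an EXE pulled over TLS/SSL passes it unseen unless the traffic is decrypted or the file is caught on the host instead.

```python
"""Flag a Windows executable in an HTTP response body, whatever the declared type."""
import struct

# Constructed body that merely looks like a PE file for the check: a 64-byte
# DOS header whose e_lfanew field (offset 60) points at a "PE\0\0" signature.
# It is not an executable and cannot run.
def build_fake_pe_body():
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 60, 64)   # e_lfanew = 64
    return bytes(dos_header) + b"PE\0\0" + b"\0" * 20

# Constructed responses: one mislabels a PE body as a JPEG, one is plain HTML.
SAMPLE_RESPONSE_EXE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 88\r\n\r\n"
    + build_fake_pe_body()
)
SAMPLE_RESPONSE_HTML = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hi</body></html>"
)

# MIME types under which a server would honestly declare an executable.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}


def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def looks_like_pe(body):
    """True when the body carries an MZ stub whose e_lfanew reaches a PE signature."""
    if len(body) < 64 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 60)
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def inspect_http_response(raw):
    """Return an alert dict for a PE download, or None for anything else."""
    status, headers, body = split_response(raw)
    if not looks_like_pe(body):
        return None
    content_type = headers.get("content-type", "")
    return {
        "alert": "EXE downloaded over HTTP",
        "status": status,
        "content_type": content_type,
        # A mismatch between declared type and real content is the stronger signal.
        "declared_executable": content_type in EXECUTABLE_TYPES,
        "body_size": len(body),
    }


if __name__ == "__main__":
    print(inspect_http_response(SAMPLE_RESPONSE_EXE))
    print(inspect_http_response(SAMPLE_RESPONSE_HTML))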