GDPR & Forensics Readiness
How to prepare the company for the management and forensic tracking of data breaches and cyber incidents
Introduction
 Doctor of computer science
 I have been working in computer security and digital forensics for over 15 years
 Enrolled in the register of civil court experts (no. 7519) of the Court of Florence since 2003 and in the register of criminal court experts (no. 422) of the Court of Florence since 2011
 Enrolled in the register of experts of the Florence Chamber of Commerce (CCIAA), no. 1130, since 2004
 Organizer of and speaker at conferences on information security and computer forensics
 Co-author, for the computer forensics aspects, of the book "Internet e il danno alla persona", published by Giappichelli in 2012
 ECCE, European Certificate on the fight against Cybercrime and Electronic Evidence, 2009
 ISO 27001 Lead Auditor
 Board of Directors of ONIF, the National Observatory on Digital Forensics
 Member of the CLUSIT Technical-Scientific Committee (CTS)
 IISFA, International Information Systems Forensics Association
Data breach and computer incident

Data breach: a security incident in which sensitive, protected or confidential data are accessed, viewed, copied, transmitted or used by an unauthorized third party.

Incident: any event which is not part of the standard operation of a service and which causes, or may cause, an interruption to or a reduction in the quality of that service.

Note that the GDPR's own definition of a personal data breach (Art. 4(12)) is wider than the first definition above: it also covers the accidental or unlawful destruction, loss or alteration of personal data, so a ransomware infection or a lost backup medium is a personal data breach even when nobody has read the data.
GDPR & breach notification

Within 72 hours (the Art. 33 deadline for notifying the supervisory authority, counted from when the controller becomes aware of the breach) the company must be able to say:
• who carried out the breach
• how it was carried out
• when it happened
• where it started

Within a few hours:
• sanitize the systems
• restore data
• patch systems to keep data and applications secure

In a very short time:
• find the sources of digital evidence
• collect the evidence forensically
• live analysis of the breach
• offline analysis of what was collected
• find a security solution
Handling the breach: time, team and skills

Crisis unit
Incident Response Team
Sysadmins: DBA, Windows, Linux, network, firewall
Forensics team
Legal
Communication
HR
Finance
Forensics, IR, DR and BC: facilitate, do not hinder

Security policy
BC/DR
Forensic readiness policy
Incident handling
Process and operational rules

Each of these must facilitate the others, not hinder them.
Forensics Readiness:

Forensics readiness policy
•Goals
•Roles and responsibilities
•Implementation
•Scope of application
•Legislation
•Training

Forensics readiness plan
•Roles and responsibilities
•Specialist team (internal/external)
•Resources: budget, software and tools, storage, etc.
•Task flow
•Testing
•Training and awareness

Forensics readiness procedures
•Evidence collection: live, post mortem, network, etc.
•Analysis procedure
•Reporting
•Recovery procedure

"Forensics readiness" is defined as the ability of an organization to maximize its capacity to collect and use digital evidence while minimizing the cost of a digital forensics investigation.
Forensics Readiness: let's move on to the implementation in the company
FR operational steps
 Identify the possible sources and types of digital evidence useful to the business
 Determine the technical and legal requirements for collecting digital evidence
 Identify and define the resources needed to collect digital evidence securely, so that it is legally compliant
 Review the resources allocated to maintaining protection
 Establish a policy for the secure management and preservation of potential information sources
 Implement a monitoring system and ensure it is able to detect major incidents
 Define under what circumstances a full computer investigation must be activated
 Train staff and raise their awareness of incidents so that they understand their role in handling evidence in a context of legal admissibility
 Document real cases, describing the incident and its impact
 Ensure a legal review of the procedures to facilitate incident response actions
 Define the corporate business scenarios that may require digital evidence
 Ensure that SLA contracts with vendors meet the requirements and goals of forensics readiness
FR: let's consider an e-commerce Internet service

Infrastructure in scope: Internet, router, switch, reverse proxy, application server, database server, back office, mail server.
People in scope: suppliers (content providers and maintainers), developers, sysadmins.
FR: let's start with at least:
1. An NTP server and a single time reference (GMT/UTC) for every log source, so that events from different systems can be placed on one timeline
2. DNS
3. DHCP
4. Directory server
5. Log management system (SIEM)
 Log collection
 Parsing
 Log correlation
 Analysis and alerting
 Tamper-proof log storage
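Tamper-proof log storage is what turns the SIEM's data into evidence: an intruder who reaches the log store must not be able to edit or delete the records that show what they did without it being noticed. The following is an added example, not code from the deck or from any product it mentions, of the simplest mechanism that achieves this: an append-only record chain in which each record's authentication tag covers the previous record's tag, keyed with a secret held only by the log collector. The log lines, host names and key are constructed for the example.

```python
"""Tamper-evident log store as a keyed hash chain (added example, constructed data).

Each record's tag = HMAC(key, previous_tag || record). Editing, deleting or
reordering any past record therefore breaks its own tag or the 'prev' link of
the record after it, and without the collector's key the intruder cannot
recompute the tags to cover their tracks.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Assumption: this key lives only on the log collector, never on the log sources.
COLLECTOR_KEY = b"example-collector-key-do-not-use-in-production"
GENESIS = "0" * 64


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append(chain: List[dict], source: str, message: str,
           ts: Optional[str] = None, key: bytes = COLLECTOR_KEY) -> dict:
    """Append one record; the timestamp is always UTC (the NTP/GMT point above)."""
    record = {
        "seq": len(chain),
        "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": source,
        "message": message,
    }
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = dict(record, prev=prev, tag=_tag(key, prev, record))
    chain.append(entry)
    return entry


def verify(chain: List[dict], key: bytes = COLLECTOR_KEY) -> Tuple[bool, int]:
    """Return (True, -1) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        record = {k: entry[k] for k in ("seq", "ts", "source", "message")}
        if (entry["seq"] != i or entry["prev"] != prev
                or not hmac.compare_digest(entry["tag"], _tag(key, prev, record))):
            return False, i
        prev = entry["tag"]
    return True, -1


# Constructed sample: a brute-forced login that succeeds, then a bulk read from the DB.
SAMPLE = [
    ("fw01", "2018-05-20T01:12:03+00:00", "DROP tcp 203.0.113.7:51234 -> 198.51.100.10:22"),
    ("app01", "2018-05-20T01:12:09+00:00", "login failed user=admin src=203.0.113.7"),
    ("app01", "2018-05-20T01:12:15+00:00", "login ok user=admin src=203.0.113.7"),
    ("db01", "2018-05-20T01:13:40+00:00", "SELECT * FROM customers by app_user"),
]


def build_sample_chain() -> List[dict]:
    chain: List[dict] = []
    for source, ts, message in SAMPLE:
        append(chain, source, message, ts)
    return chain


def tamper_and_detect():
    """Two things an intruder with write access to the store would try, and what verify() reports."""
    chain = build_sample_chain()
    intact = verify(chain)
    # 1. Rewrite the tell-tale successful login as a failure.
    chain[2]["message"] = "login failed user=admin src=203.0.113.7"
    edited = verify(chain)
    # 2. Delete that record outright and renumber the rest to hide the gap.
    chain = build_sample_chain()
    del chain[2]
    for i, entry in enumerate(chain):
        entry["seq"] = i
    deleted = verify(chain)
    return intact, edited, deleted


if __name__ == "__main__":
    print(tamper_and_detect())  # ((True, -1), (False, 2), (False, 2))
```

A keyed chain stops an intruder who has only the log store; one who also obtains the collector key can rewrite everything, so in practice the latest tag is periodically copied somewhere the intruder cannot reach (a WORM volume, a signed and timestamped checkpoint, a second collector) and verification starts from that anchor.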
FR: go on collecting logs

 With a log collection system available we can collect logs from:
 Routers
 Firewalls
 VPN terminators
 Switches
 Servers: system logs
 Complex services such as SAP, CRM, SharePoint, print servers, physical access control, etc.
Is it enough to detect an incident or a breach?
What we want to watch

Where can the threats come from?
• Internet
• Extranet
• Insiders

How:
• Direct attacks exploiting system and application vulnerabilities
• Brute-force attacks
• DoS attacks
• Attacks over trusted channels (VPN / extranet, internal connections: sysadmins, back office)
We have a SIEM, let's use its power

Also collect the logs from:
• Reverse proxy
• Application server
• The application running on the application server
• Database audit log (tuned!)
• Antivirus
• Mail server

And add a bit more information:
• Cyber threat intelligence (IP, URL and username lists)
• Emerging Threats IP lists
• Bad-IP lists (malicious, compromised, TOR, malware, etc.)
SIEM: correlation, analysis, alerting

Use the logs and the information they contain to understand whether:
• we are in someone's sights
• there is abnormal activity
• there is a compromise
• we have disloyal employees or contractors

Tuning SIEM correlation rules and alarms:
• Develop
• Test
• Eliminate false positives
• Keep up to date with the current cyber risk scenario
SIEM: correlation, analysis, alerting

IoA, Indicators of Attack:
• "Legitimate" inbound connections from bad IPs seen on the log sources
• Inbound connections from bad IPs dropped or rejected by the firewall
• Network scanning
• Off-hours internal activity

IoC, Indicators of Compromise:
• "Legitimate" outbound connections towards bad IPs
• Outbound connections to bad IPs dropped or rejected
• Multiple failed logins from a single host
• Multiple logins with a single username from different regions
• Outbound DNS traffic
• Application log errors

Anti-fraud:
• User profiling using "reported" accounts and cards
• Bad IPs
• Behaviour analysis of IP / user traffic
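As an added example, not the deck's own rules nor those of any SIEM product, here are several of these indicators written as correlation logic and run over a handful of constructed log lines. The log format, the bad-IP list, the IP-to-country map, the internal address range and the thresholds are all assumptions made for the example. The firewall stamps its lines in local time (+02:00) while the application server logs in UTC; the parser normalises both to UTC before correlating, which is exactly why NTP and a common time reference come first in the list of prerequisites.

```python
"""Mini SIEM correlation pass over constructed firewall and auth log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BAD_IPS = {"203.0.113.7", "198.18.0.99"}             # constructed threat-intel list
GEO = {"192.0.2.44": "IT", "198.51.100.200": "BR"}   # constructed IP -> country map
INTERNAL = ("10.",)                                  # constructed internal address space
WORK_HOURS = range(7, 20)                            # 07:00-19:59 UTC counts as working hours

# Constructed log lines. fw01 logs in local time (+02:00), app01 in UTC: without
# normalisation the 03:10 firewall drops and the 01:12 logins would look two
# hours apart although they are seconds apart.
LOGS = """\
2018-05-20T03:10:01+02:00 fw01 DROP src=203.0.113.7 dst=198.51.100.10 dport=21
2018-05-20T03:10:02+02:00 fw01 DROP src=203.0.113.7 dst=198.51.100.10 dport=22
2018-05-20T03:10:02+02:00 fw01 DROP src=203.0.113.7 dst=198.51.100.10 dport=23
2018-05-20T03:10:03+02:00 fw01 DROP src=203.0.113.7 dst=198.51.100.10 dport=80
2018-05-20T03:10:04+02:00 fw01 DROP src=203.0.113.7 dst=198.51.100.10 dport=443
2018-05-20T03:10:05+02:00 fw01 DROP src=203.0.113.7 dst=198.51.100.10 dport=3389
2018-05-20T01:12:09+00:00 app01 auth result=fail user=admin src=192.0.2.44
2018-05-20T01:12:11+00:00 app01 auth result=fail user=admin src=192.0.2.44
2018-05-20T01:12:13+00:00 app01 auth result=fail user=admin src=192.0.2.44
2018-05-20T01:12:15+00:00 app01 auth result=fail user=admin src=192.0.2.44
2018-05-20T01:12:17+00:00 app01 auth result=fail user=admin src=192.0.2.44
2018-05-20T01:12:20+00:00 app01 auth result=ok user=admin src=192.0.2.44
2018-05-20T01:30:00+00:00 app01 auth result=ok user=mrossi src=192.0.2.44
2018-05-20T01:45:00+00:00 app01 auth result=ok user=mrossi src=198.51.100.200
2018-05-20T04:05:00+02:00 fw01 ACCEPT src=10.0.0.15 dst=198.18.0.99 dport=443
"""

FW = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) "
                r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
AUTH = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth result=(?P<result>ok|fail) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(text):
    """Parse the lines into event dicts, normalising every timestamp to UTC."""
    events = []
    for line in text.splitlines():
        m = FW.match(line) or AUTH.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"]).astimezone(timezone.utc)
        ev["kind"] = "fw" if "action" in ev else "auth"
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events):
    """Apply the IoA/IoC rules; returns sorted (class, rule, key) tuples, one per finding."""
    alerts = set()
    by_src = defaultdict(list)      # firewall events per source IP (scan detection)
    fails = defaultdict(list)       # failed-login timestamps per source IP
    ok_by_user = defaultdict(list)  # (time, source IP) of successful logins per user
    for ev in events:
        if ev["kind"] == "fw":
            if ev["src"] in BAD_IPS:
                alerts.add(("IoA", "inbound_from_bad_ip", ev["src"]))
            if ev["action"] == "ACCEPT" and ev["dst"] in BAD_IPS:
                alerts.add(("IoC", "outbound_to_bad_ip", f'{ev["src"]}->{ev["dst"]}'))
            if ev["src"].startswith(INTERNAL) and ev["ts"].hour not in WORK_HOURS:
                alerts.add(("IoA", "off_hours_internal_activity", ev["src"]))
            by_src[ev["src"]].append(ev)
            window = [e for e in by_src[ev["src"]] if ev["ts"] - e["ts"] <= timedelta(seconds=60)]
            if len({e["dport"] for e in window}) >= 5:   # 5 distinct ports in 60 s
                alerts.add(("IoA", "port_scan", ev["src"]))
        else:
            if ev["result"] == "fail":
                fails[ev["src"]].append(ev["ts"])
                continue
            recent = [t for t in fails[ev["src"]] if ev["ts"] - t <= timedelta(minutes=10)]
            if len(recent) >= 5:                         # 5 failures then a success
                alerts.add(("IoC", "brute_force_then_success", f'{ev["user"]}@{ev["src"]}'))
            for t, src in ok_by_user[ev["user"]]:
                if ev["ts"] - t <= timedelta(hours=1) and GEO.get(src) != GEO.get(ev["src"]):
                    alerts.add(("IoC", "single_user_multiple_regions", ev["user"]))
            ok_by_user[ev["user"]].append((ev["ts"], ev["src"]))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in correlate(parse(LOGS)):
        print(*alert)
```

The thresholds (5 distinct ports in 60 seconds, 5 failures within 10 minutes, two countries within an hour) are the false-positive dial the previous slide talks about: they are chosen here to fire on the sample, and in production they are set loose, run against real traffic, and tightened until the remaining alerts are worth a ticket.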
SIEM: correlation, analysis, alerting

How to alert: email, ticketing, escalation, SMS, IVR.
FR: beyond the logs

BC/DR and forensics readiness: the evidence may have been archived months ago.

Backup
• Monitor backup outcomes
• Recovery tests
VM snapshots
• Monitor snapshot outcomes
• Recovery tests
DB exports
• Export database instances
Storage capacity planning
• Logs, evidence, retention
• Systems management and planning
Software and configuration versioning
How do you become aware of an incident or breach?

With FR:
• Active system security monitoring
• By accident
• Customers and/or suppliers
Result: timeliness and proactivity.

Without FR:
• By accident
• Customers and/or suppliers
Result: too late for the business and its reputation.
Take the alarm: serious incident or data breach

The crisis unit convenes:
CEO
Forensics team
HR
Legal
Incident Response
BC&DR
FR: the forensics team at work

Identify the perimeter of the systems involved
Establish the timing of the events
Suspend maintenance and extraordinary tasks on the systems within the perimeter
Start a network dump if the threat agent is still present on the systems
Start snapshots of the systems
Start the live investigation: forensics, data recovery and eDiscovery over the IP network
Start the procedures for recovering the raw log data from the SIEM for the systems within the breach perimeter
Digitally sign, with hash and timestamp, all the evidence collected
Document continuously and analytically every operation undertaken
Analyse
• logs,
• snapshots,
• live data
to reconstruct the events that led to the breach: who, from where, how, for how long, and what they did: stolen, modified, consulted
Reconstruct the timing and technique of the breach
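The two steps "digitally sign, with hash and timestamp, all the evidence collected" and "document continuously every operation undertaken" are what later allow the collected material to be relied on in court. The following is an added example, not the deck's or any tool's code, of the minimum record that implements them: a manifest listing every acquired item with its SHA-256, size and UTC acquisition time, a running log of the examiner's actions, and a seal over the whole manifest. The seal here is an HMAC with a key that stands in for the examiner's private key; in real practice it is a digital signature plus a trusted timestamp (RFC 3161). The evidence files, case identifier, examiner name and key are constructed for the example.

```python
"""Evidence manifest with hashes, UTC timestamps and a seal (added example, constructed data)."""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import List

# Assumption: stands in for the examiner's private signing key.
EXAMINER_KEY = b"examiner-signing-key-example-only"


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def now_utc() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def log_action(manifest: dict, text: str) -> None:
    """The 'continuous documentation' step: every action is recorded with who and when."""
    manifest["actions"].append({"ts": now_utc(), "by": manifest["examiner"], "action": text})


def acquire(paths: List[str], case_id: str, examiner: str) -> dict:
    """Hash each collected item at acquisition time; this is the chain-of-custody record."""
    manifest = {"case": case_id, "examiner": examiner, "items": [], "actions": []}
    for p in paths:
        manifest["items"].append({"name": os.path.basename(p), "size": os.path.getsize(p),
                                  "sha256": sha256_file(p), "acquired": now_utc()})
        log_action(manifest, f"acquired {os.path.basename(p)}")
    return manifest


def _canonical(manifest: dict) -> bytes:
    return json.dumps({k: v for k, v in manifest.items() if k != "seal"}, sort_keys=True).encode()


def seal(manifest: dict, key: bytes = EXAMINER_KEY) -> dict:
    """Seal the whole manifest (items and action log) so it cannot be edited to match altered evidence."""
    manifest["seal"] = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify(manifest: dict, directory: str, key: bytes = EXAMINER_KEY) -> List[str]:
    """Return the list of problems found; an empty list means manifest and items are intact."""
    problems = []
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(manifest.get("seal", ""), expected):
        problems.append("manifest seal mismatch")
    for item in manifest["items"]:
        path = os.path.join(directory, item["name"])
        if not os.path.exists(path):
            problems.append(f"{item['name']}: missing")
        elif sha256_file(path) != item["sha256"]:
            problems.append(f"{item['name']}: hash mismatch")
    return problems


def demo():
    """Acquire two constructed items, then show what verify() reports after two kinds of tampering."""
    with tempfile.TemporaryDirectory() as d:
        items = {
            "siem_raw_export.log": b"2018-05-20T01:12:20+00:00 app01 auth result=ok user=admin src=192.0.2.44\n",
            "web01_memory.raw": os.urandom(4096),
        }
        paths = []
        for name, data in items.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            paths.append(path)
        m = seal(acquire(paths, "CASE-2018-001", "A. Examiner"))
        clean = verify(m, d)
        # 1. Someone appends to the log export after acquisition.
        with open(paths[0], "ab") as f:
            f.write(b"tampered\n")
        after_edit = verify(m, d)
        # 2. They also update the stored hash so the file "matches": only the seal catches this.
        m["items"][0]["sha256"] = sha256_file(paths[0])
        after_manifest_edit = verify(m, d)
        return clean, after_edit, after_manifest_edit


if __name__ == "__main__":
    print(demo())  # ([], ['siem_raw_export.log: hash mismatch'], ['manifest seal mismatch'])
```

The second tampering case is the reason the signature and timestamp are listed as a separate step from hashing: a hash alone proves nothing if whoever altered the evidence can also rewrite the list of hashes.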
Without forensics readiness

The incident is detected by accident, through a customer or supplier report or, worse, from the newspapers / the Internet
Difficulty determining the perimeter involved
Unable to estimate the time span of the breach
Start a network dump if the threat agent is still present on the systems
Post-mortem forensic copy of the systems involved in the incident
Digitally sign, with hash and timestamp, all the evidence collected
Document continuously and analytically every operation undertaken
Analysis of the little evidence available:
• live data
• forensic copies of the systems
Extremely complex reconstruction of the timing and technique of the breach
FR: advanced mode

For a more complete analysis we could add:
IPS/IDS
Honeypot
NAC
Wireless LAN controller
Network monitoring (MRTG)
Network behaviour analysis
Integrity checks of systems and configurations
URL and content filtering
Forensics readiness: why?
 Forensics readiness is preparation before the incident, not incident response
 Today it is necessary to assume that an incident will occur even if the risk assessment gives it a low probability, and forensics readiness allows us to prepare for it in advance
 Because forensics readiness collects information systematically over time, it lets you detect the situations in which those threatening you, whether inside or outside, will try to:
 Erase the evidence of the breach
 Stay quiet on the system in order to use it for further attacks
 Persist for months before "burning" the victim
Data breach: a growing phenomenon
Forensics readiness ROI

Failure to adopt forensics readiness may result in:
Business loss, reputational damage
Loss of revenue, loss of customers
Legal actions: inability to meet SLAs, inappropriate actions, etc.
Data theft, modification or destruction
Inability to effectively restore administrative access / control
Suspension of business delivery systems
Forensics readiness ROI

Forensics readiness ensures that you can:
Quickly determine the attack vector
Understand and isolate the pertinent information, minimizing the resources you need
Interrupt the abusive access promptly
Contain the damage and reduce downtime
Detect trends over time
Get discounts on cyber insurance premiums
And at last…
«The future depends on what we do in the present»
Mahatma Gandhi
Dott. Alessandro Fiorenzi
Email af@studiofiorenzi.it
Mobile: +393487920172
https://www.studiofiorenzi.it
28

Más contenido relacionado

La actualidad más candente

Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics IntroJake K.
 
Types of malicious software and remedies
Types of malicious software and remediesTypes of malicious software and remedies
Types of malicious software and remediesManish Kumar
 
7 laboratorio-di-analisi-forense bonu-04.02 (1)
7 laboratorio-di-analisi-forense bonu-04.02 (1)7 laboratorio-di-analisi-forense bonu-04.02 (1)
7 laboratorio-di-analisi-forense bonu-04.02 (1)Massimo Farina
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeAung Thu Rha Hein
 
Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Dr. Ahmed Al Zaidy
 
Bit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it ComparesBit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it ComparesLumension
 
Computer forensics
Computer  forensicsComputer  forensics
Computer forensicsLalit Garg
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Ch 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewCh 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewSam Bowne
 
CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1Sam Bowne
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital ForensicsOldsun
 
Le fasi di un Penetration testing
Le fasi di un Penetration testingLe fasi di un Penetration testing
Le fasi di un Penetration testingAlessandra Zullo
 
The adversary playbook - the tools, techniques and procedures used by threat ...
The adversary playbook - the tools, techniques and procedures used by threat ...The adversary playbook - the tools, techniques and procedures used by threat ...
The adversary playbook - the tools, techniques and procedures used by threat ...Jisc
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wireInfoSec Addicts
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisSam Bowne
 
Lecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file systemLecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file systemAlchemist095
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 

La actualidad más candente (20)

Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics Intro
 
Types of malicious software and remedies
Types of malicious software and remediesTypes of malicious software and remedies
Types of malicious software and remedies
 
7 laboratorio-di-analisi-forense bonu-04.02 (1)
7 laboratorio-di-analisi-forense bonu-04.02 (1)7 laboratorio-di-analisi-forense bonu-04.02 (1)
7 laboratorio-di-analisi-forense bonu-04.02 (1)
 
Digital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research ChallengeDigital Forensic: Brief Intro & Research Challenge
Digital Forensic: Brief Intro & Research Challenge
 
Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11Fundamentals of Information Systems Security Chapter 11
Fundamentals of Information Systems Security Chapter 11
 
Bit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it ComparesBit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it Compares
 
Computer forensics
Computer  forensicsComputer  forensics
Computer forensics
 
Informatica Forense
Informatica ForenseInformatica Forense
Informatica Forense
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Ch 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewCh 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts Review
 
CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1CNIT 121: Computer Forensics Ch 1
CNIT 121: Computer Forensics Ch 1
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Le fasi di un Penetration testing
Le fasi di un Penetration testingLe fasi di un Penetration testing
Le fasi di un Penetration testing
 
The adversary playbook - the tools, techniques and procedures used by threat ...
The adversary playbook - the tools, techniques and procedures used by threat ...The adversary playbook - the tools, techniques and procedures used by threat ...
The adversary playbook - the tools, techniques and procedures used by threat ...
 
Digital Forensics
Digital ForensicsDigital Forensics
Digital Forensics
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic AnalysisCNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
 
Lecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file systemLecture 9 and 10 comp forensics 09 10-18 file system
Lecture 9 and 10 comp forensics 09 10-18 file system
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 

Similar a GDPR & Forensics Readiness -English

Digital forensic
Digital forensicDigital forensic
Digital forensicChandan Sah
 
Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareTzar Umang
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session Splunk
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMRapid7
 
IBM i Security: Identifying the Events That Matter Most
IBM i Security: Identifying the Events That Matter MostIBM i Security: Identifying the Events That Matter Most
IBM i Security: Identifying the Events That Matter MostPrecisely
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesAmy Gerrie
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsSam Bowne
 
Business Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicBusiness Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicDhiren Gala
 
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas IndonesiaIGN MANTRA
 
Recover your files from Ransomware - Ransomware Incident Response by Tictac
Recover your files from Ransomware - Ransomware Incident Response by TictacRecover your files from Ransomware - Ransomware Incident Response by Tictac
Recover your files from Ransomware - Ransomware Incident Response by TictacTicTac Data Recovery
 
Contracting for Better Cybersecurity
Contracting for Better CybersecurityContracting for Better Cybersecurity
Contracting for Better CybersecurityShawn Tuma
 
Intrusion detection 2001
Intrusion detection 2001Intrusion detection 2001
Intrusion detection 2001eaiti
 
What Every Organization Should Log And Monitor
What Every Organization Should Log And MonitorWhat Every Organization Should Log And Monitor
What Every Organization Should Log And MonitorAnton Chuvakin
 
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantraWorkshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantraIGN MANTRA
 

Similar a GDPR & Forensics Readiness -English (20)

Cyber forensics and auditing
Cyber forensics and auditingCyber forensics and auditing
Cyber forensics and auditing
 
Digital forensic
Digital forensicDigital forensic
Digital forensic
 
Digital Forensic
Digital ForensicDigital Forensic
Digital Forensic
 
Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-ware
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session
 
cyber forensics
cyber forensicscyber forensics
cyber forensics
 
File000117
File000117File000117
File000117
 
Security and-visibility
Security and-visibilitySecurity and-visibility
Security and-visibility
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
 
Karunia Wijaya - Proactive Incident Handling
Karunia Wijaya - Proactive Incident HandlingKarunia Wijaya - Proactive Incident Handling
Karunia Wijaya - Proactive Incident Handling
 
IBM i Security: Identifying the Events That Matter Most
IBM i Security: Identifying the Events That Matter MostIBM i Security: Identifying the Events That Matter Most
IBM i Security: Identifying the Events That Matter Most
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM Operations
 
Business Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicBusiness Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer Forensic
 
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
2019-09-11 Workshop incident response n handling honeynet Universitas Indonesia
 
Recover your files from Ransomware - Ransomware Incident Response by Tictac
Recover your files from Ransomware - Ransomware Incident Response by TictacRecover your files from Ransomware - Ransomware Incident Response by Tictac
Recover your files from Ransomware - Ransomware Incident Response by Tictac
 
Contracting for Better Cybersecurity
Contracting for Better CybersecurityContracting for Better Cybersecurity
Contracting for Better Cybersecurity
 
Intrusion detection 2001
Intrusion detection 2001Intrusion detection 2001
Intrusion detection 2001
 
What Every Organization Should Log And Monitor
What Every Organization Should Log And MonitorWhat Every Organization Should Log And Monitor
What Every Organization Should Log And Monitor
 
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantraWorkshop incident response n handling-bssn 12 nop 2019-ignmantra
Workshop incident response n handling-bssn 12 nop 2019-ignmantra
 

Último

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Último (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup

GDPR & Forensics Readiness -English

  • 1. GDPR & Forensics Readiness: how to prepare the company for the management and forensic tracking of data breaches and cyber incidents
  • 2. Introduction
    • Doctor of computer science
    • I have dealt with computer security and digital forensics for over 15 years
    • Enrolled in the panel of experts for civil cases (# 7519) of the court of Florence since 2003 and in the panel of experts for criminal cases (# 422) of the court of Florence since 2011
    • Enrolled in the panel of experts of the Chamber of Commerce (CCIAA) of Florence (# 1130) since 2004
    • Organizer of and speaker at conferences on information security and computer forensics
    • Co-author, for the computer forensics aspects, of the book "Internet e il danno alla persona", published by Giappichelli in 2012
    • ECCE Certificate: European Certificate on the fight against Cybercrime and Electronic Evidence (2009)
    • ISO 27001 Lead Auditor
    • Board of Directors of ONIF – National Observatory on Digital Forensics
    • CTS CLUSIT – CLUSIT Technical Committee member
    • IISFA – International Information Systems Forensics Association
  • 3. Data breach and computer incident
    • Data breach: a security incident in which sensitive, protected or confidential data are accessed, viewed, copied, transmitted, or used by an unauthorized third party.
    • Incident: any event which is not part of the standard operation of a service and which causes, or may cause, an interruption or a reduction in the quality of that service.
  • 4. GDPR & breach notification
    • Breach notification (72 hours): who breached, how, when, and where the breach started
    • Remediation (a few hours): sanitize the systems; restore data; patch systems to keep data and applications secure
    • Forensics (very short time): find the digital evidence sources; collect the evidence in forensic mode; live analysis of the breach; offline analysis of the collections; find a security solution
  • 5. Handle the breach: time, team and skill
    • Crisis unit
    • Incident Response Team
    • Sys admins: DBA, Windows, Linux, network, firewall
    • Forensics Team
    • Legal
    • Communication
    • HR
    • Finance
  • 6. Forensics, IR, DR and BC: facilitate, do not hinder
    • Security Policy
    • BC/DR
    • Forensic Readiness Policy
    • Incident Handling Process and Operational Rules
  • 7. Forensics Readiness
    "Forensics Readiness" is defined as the ability of an organization to maximize its ability to collect and use digital evidence while minimizing the cost of a digital forensics investigation.
    • Forensics Readiness Policy: goals; roles and responsibilities; implementation; scope of application; legislation; training
    • Forensics Readiness Plan: roles and responsibilities; specialist team (internal/external); resources (economic; software and tools; storage, etc.); task flow; testing; training & awareness
    • Forensics Readiness Procedure: evidence collection (live, post mortem, network, etc.); analysis procedure; reporting; recovery procedure
  • 8. Forensics Readiness: let's move on to the implementation in the company
  • 9. FR operational steps
    • Identify the possible sources and types of digital evidence useful to the business
    • Determine the technical and legal requirements for collecting digital evidence
    • Identify and define the resources needed to collect digital evidence securely, so that it is legally compliant
    • Review the resources allocated to maintain mail protection
    • Establish a policy for the secure management and preservation of potential information sources
    • Implement a monitoring system and ensure that it is able to detect major incidents
    • Define under what circumstances a complete computer investigation must be activated
    • Train staff and raise their awareness of incidents, so that they understand their role in handling evidence in a context of legal admissibility
    • Document real cases, describing the incident and its impact
    • Ensure a legal review of the procedures to facilitate incident response actions
    • Define the corporate business scenarios that may require digital evidence
    • Ensure that SLA contracts with vendors meet the requirements and goals of forensics readiness
  • 10. FR: let's consider an e-commerce system (architecture diagram): Internet, Router, Switch, Reverse Proxy, Application Server, Database Server, Mail Server, back office; external suppliers (content providers / maintainers, developers, sysadmins) connecting over the Internet
  • 11. FR: let's start with at least:
    1. NTP server and GMT
    2. DNS
    3. DHCP
    4. Directory server
    5. Log management system (SIEM): log collection; parsing; log correlation; analysis & alerting; tamper-proof log storage
  • 12. FR: go on collecting logs. Having a log collection system available, we could collect logs from:
    • Routers
    • Firewalls
    • VPN terminators
    • Switches
    • Servers: system logs
    • Logs of complex services such as SAP, CRM, SharePoint, print servers, physical access control, etc.
    Is it enough to detect an incident or a breach?
  • 13. What we want to watch. Where can the threats come from?
    • Internet
    • Extranet
    • Insiders
    How:
    • Direct attacks exploiting system and application vulnerabilities
    • Brute force attacks
    • DoS attacks
    • Trusted channel attacks (VPN / extranet, internal connections: sysadmins, back office)
  • 14. We have a SIEM, let's use its power. Also collect the logs from:
    • Reverse proxy
    • Application server
    • The application running on the application server
    • Database audit log (tuned!)
    • Antivirus
    • Mail server
    And add a bit more information:
    • Cyber threat intelligence (IP, URL, username lists)
    • Emerging Threats IP list
    • Bad IP lists (malicious, compromised, TOR, malware, etc.)
  • 15. SIEM: correlation, analysis, alerting. Use the logs and the information they contain to understand whether:
    • We're in someone's sights
    • There is abnormal activity
    • There is a compromise
    • We have disloyal employees and collaborators
    Tuning SIEM correlation rules & alarms:
    • Develop
    • Test
    • Eliminate false positives
    • Keep up to date with the current cyber risk scenario
  • 16. SIEM: correlation, analysis, alerting
    IoA (Indicators of Attack):
    • Track "legitimate" connections coming from Bad IPs on the log sources
    • Dropped / rejected inbound connections from Bad IPs on the firewall
    • Network scanning
    • Off-hour internal activity
    IoC (Indicators of Compromise):
    • "Legitimate" outgoing connections towards Bad IPs
    • Dropped / rejected connections to Bad IPs
    • Multiple failed logins from a single host
    • Multiple logins with a single username from different regions
    • Outbound DNS traffic
    • Errors in logs, application log errors
    Anti-fraud:
    • User profiling using "reported" accounts and cards
    • Bad IPs
    • Behaviour analysis of IP / user traffic
  • 17. SIEM: correlation, analysis, alerting. How to alert: email, ticketing, escalation, SMS, IVR
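A minimal correlation pass over constructed log lines, added here as an example and not part of the deck, implementing four of the rules listed on the slide (connection to a Bad IP, multiple failed logins from one host, one username from different regions, off-hour internal activity). The log format, the Bad IP list and the thresholds are assumptions.

```python
# Added example, not code from the slide deck: a minimal correlation pass over
# constructed log lines implementing four of the rules listed on the slide.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed threat-intelligence list (documentation-range addresses, not real indicators)
BAD_IPS = {"203.0.113.7", "198.51.100.23"}
FAILED_LOGIN_THRESHOLD = 3          # assumed tuning value
BUSINESS_HOURS = range(8, 19)       # assumed: 08:00 to 18:59 local time

# Constructed sample logs in an assumed "<ISO time> <source> key=value ..." format
SAMPLE_LOGS = """\
2024-03-04T09:12:01 fw action=accept src=10.0.0.5 dst=203.0.113.7 dport=443
2024-03-04T09:13:44 auth result=fail user=alice src=10.0.0.9
2024-03-04T09:13:50 auth result=fail user=bob src=10.0.0.9
2024-03-04T09:13:57 auth result=fail user=carol src=10.0.0.9
2024-03-04T10:02:10 auth result=ok user=dave src=10.0.0.40 region=IT
2024-03-04T10:05:33 auth result=ok user=dave src=172.16.4.2 region=BR
2024-03-04T23:41:05 syslog host=backoffice01 user=ops msg=sudo
"""

def parse(line):
    """Split one log line into a dict with a parsed timestamp and its key=value fields."""
    ts, source, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "source": source}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def correlate(text):
    """Return (category, message) alerts: IoA for attack indicators, IoC for compromise."""
    alerts, fails, regions = [], Counter(), defaultdict(set)
    for line in text.splitlines():
        r = parse(line)
        # IoC: an accepted ("legitimate") outgoing connection towards a Bad IP
        if r["source"] == "fw" and r.get("action") == "accept" and r.get("dst") in BAD_IPS:
            alerts.append(("IoC", f"accepted connection to bad IP {r['dst']} from {r['src']}"))
        elif r["source"] == "auth" and r["result"] == "fail":
            # IoC: multiple failed logins from a single host (alert once, at the threshold)
            fails[r["src"]] += 1
            if fails[r["src"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("IoC", f"{FAILED_LOGIN_THRESHOLD} failed logins from {r['src']}"))
        elif r["source"] == "auth" and "region" in r:
            # IoC: the same username logging in from different regions
            regions[r["user"]].add(r["region"])
            if len(regions[r["user"]]) > 1:
                alerts.append(("IoC", f"user {r['user']} logged in from {sorted(regions[r['user']])}"))
        elif r["source"] == "syslog" and r["ts"].hour not in BUSINESS_HOURS:
            # IoA: internal activity outside business hours
            alerts.append(("IoA", f"off-hour activity on {r['host']} by {r['user']}"))
    return alerts
```

Running `correlate(SAMPLE_LOGS)` yields three IoC alerts and one IoA alert; in a real SIEM the same rules are fed by the threat-intelligence lists and tuned against false positives as the next slides describe.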
  • 18. FR: beyond the logs. BC/DR & Forensics Readiness: evidence could have been archived months ago
    • Backup: monitoring of backup outcomes; recovery test
    • VM snapshot: monitoring of snapshot outcomes; recovery test
    • DB export: export of DB instances
    • Storage capacity planning: log and evidence retention; systems management & planning
    • Software & configuration versioning
  • 19. How do you become aware of an incident or breach?
    • With FR: active system security monitoring; by chance; customers and/or suppliers. Timeliness and proactivity.
    • Without FR: by chance; customers and/or suppliers. Too late for business and reputation.
  • 20. Take the alarm: serious incident or data breach. The crisis unit convenes: CEO, Forensics Team, HR, Legal, Incident Response, BC&DR
  • 21. FR: the Forensics Team at work
    • Identify the perimeter of the systems involved
    • Time evaluation of the events
    • Interrupt maintenance or extraordinary tasks on the systems within the perimeter
    • Start a network dump if the threat agent is still present on the systems
    • Start system snapshots
    • Start the live investigation: forensics, data recovery and eDiscovery over an IP network
    • Start the procedures for recovering raw log data from the SIEM for the systems within the breach perimeter
    • Digital signature with hash time mark of all collected evidence
    • Continuous and analytical documentation of the operations undertaken
    • Analysis of logs, snapshots and live data to reconstruct the events that led to the breach: who, from where, how, for how long, and what was done (stolen, modified, consulted)
    • Reconstruction of the timing and technique of how the breach happened
  • 22. Without Forensics Readiness
    • The incident is detected by chance, through customer or supplier reports or, worse, from newspapers / the Internet
    • Difficulty determining the perimeter involved
    • Unable to estimate the time offset of the breach
    • Start a network dump if the threat agent is still present on the systems
    • Post-mortem forensic copy of the systems involved in the incident
    • Digital signature with hash time mark of all collected evidence
    • Continuous and analytical documentation of the operations undertaken
    • Analysis of the few available pieces of evidence: live data; forensic copies of systems
    • Extremely complex reconstruction of the timing and technique of how the breach happened
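One way to implement the "digital signature with hash time mark" step above, and the tamper-proof log storage required of the SIEM on slide 11: added example code, not the author's procedure. It hashes each collected file, stamps it with a UTC time and chains the manifest entries; the file names, the collector name and the genesis value are constructed.

```python
# Added example, not code from the slide deck: hash each collected evidence file with a
# UTC time mark and chain the manifest entries, so later modification of a file or entry is detectable.
import hashlib, json, os, tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # assumed "previous hash" value for the first entry

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(manifest, path, collector):
    """Append one evidence item; its hash also covers the previous entry's hash."""
    entry = {"path": os.path.basename(path), "sha256": sha256_file(path),
             "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "collector": collector,
             "prev": manifest[-1]["entry_hash"] if manifest else GENESIS}
    entry["entry_hash"] = entry_hash(entry)
    manifest.append(entry)
    return entry

def verify(manifest, directory):
    """Return a list of problems; an empty list means files and chain are intact."""
    problems, prev = [], GENESIS
    for e in manifest:
        if e["prev"] != prev or entry_hash(e) != e["entry_hash"]:
            problems.append(f"chain broken at {e['path']}")
        p = os.path.join(directory, e["path"])
        if not os.path.exists(p) or sha256_file(p) != e["sha256"]:
            problems.append(f"content changed: {e['path']}")
        prev = e["entry_hash"]
    return problems

def demo():
    """Collect two constructed files, then append to one and verify before and after."""
    d, manifest = tempfile.mkdtemp(), []
    for name, data in (("siem_raw.log", b"raw log export"), ("vm.snap", b"snapshot")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
        add_entry(manifest, os.path.join(d, name), "forensics-team")
    before = verify(manifest, d)
    with open(os.path.join(d, "siem_raw.log"), "ab") as f:
        f.write(b"\nappended after collection")
    return before, verify(manifest, d)
```

The final manifest hash is what gets signed or timestamped externally; the chain then makes any later edit of an earlier entry visible on verification.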
  • 23. FR: advanced mode. To have a more complete analysis we could add: IPS/IDS; honeypot; NAC; wireless LAN controller; network monitoring (MRTG); network behaviour analysis; integrity checks of systems and configurations; URL and content filtering
  • 24. Forensics Readiness: why?
    • Forensics Readiness is incident prevention, not incident response
    • Today it is necessary to assume that an incident will occur even if the risk assessment gives it a low probability, and Forensics Readiness allows us to handle it in advance
    • Because Forensics Readiness systematically collects information over time, it allows you to detect the situations in which those who are threatening you, whether inside or outside, try to:
      • Clear the evidence of the breach
      • Keep silent on the systems in order to use them for other attacks
      • Remain for months before "burning" their victims
  • 25. Data breach: a growing phenomenon
  • 26. Forensics Readiness ROI. Failing to adopt forensic readiness may result in:
    • Business loss, reputational damage
    • Loss of revenue, loss of customers
    • Legal actions, inability to meet SLAs, inappropriate actions, etc.
    • Data theft, modification or destruction
    • Inability to effectively restore administrative access / control
    • Suspension of business delivery systems
  • 27. Forensics Readiness ROI. Forensic readiness ensures:
    • Quickly determining the attack vector
    • Understanding and isolating the pertinent information, minimizing the resources you need
    • Interrupting abusive access in a timely manner
    • Containing the damage and reducing downtime
    • Detecting trends over time
    • Discounts on cyber insurance premiums
  • 28. And at last... «The future depends on what we do in the present» (Mahatma Gandhi). Dott. Alessandro Fiorenzi, Email af@studiofiorenzi.it, Mobile: +393487920172, https://www.studiofiorenzi.it