View
216
Download
1
Category
Tags:
Preview:
Citation preview
The RCMP Tech Crime Unit
&
Information Systems SecurityPresented to:
ISSA
January 26, 2005
E Div. Technological Crime Unit
• Who / What is the Tech Crime Unit anyway?– Mandate is:
• to conduct technical analysis of computer storage medium
• to conduct investigations of true computer crime (unauthorized access, mischief to data)
E Div. Technological Crime Unit
• Who / What is the Tech Crime Unit anyway?– Unit created in July 2002 and subsequent
transfer of 5 members– Unit has grown to current size of 14 regular
members and two support staff
E Div. Technological Crime Unit
• Who / What is the Tech Crime Unit anyway?– Approx. half of our members have undergrad
degrees– Permanent posting to the Tech Crime Unit
requires successful completion of an 18 month understudy program
– Training is always ongoing
E Div. Technological Crime Unit
• Who / What is the Tech Crime Unit anyway?– Non personnel resources
• In addition to the RCMP computer equipment, we maintain our own 21 TB san to support our technical analysis work.
New Laws
• Criminal Code Production Orders– These are a court order similar to a general
search warrant• They replace a search warrant in that it dose not
technically require a search.• Required to produce the records when and in the
form demanded in the production order.
• In the future you may see Preservation Orders
• So…. What do you do when…
– Your data is destroyed
So…. What do you do when…
– Your data is destroyed– An unauthorized user has gained access
• So…. What do you do when…
– Your data is destroyed– An unauthorized user has gained access– Data has been modified
By an intentional act…
Priorities
• Objectives (Primary)– Maintain the function / operation of your
system
Priorities
• Objectives (Primary)– Maintain the function / operation of your
system
– Maintain the integrity of your system
Priorities
• Objectives (Primary)– Maintain the function / operation of your
system
– Maintain the integrity of your system
– Prevent further security problems
Priorities
• When there is a security breach, it may be too late to start logging.
– MOTO: - Have logging in place; make sure that your business can continue
Priorities
• When there is a security breach, it may be too late to start logging.– MOTO: - Have logging in place; make sure that
your business can continue
– Turn on all logging that is possible. Save log files (reports) from all routers possible.
Secondary Objective
• When do you call the police?
Secondary Objective
• When do you call the police?
– When you know (or believe) that you have an intentional security breach (criminal offence)
• A criminal code offence requires “intent”.
Secondary Objective
• What are the offences?
Secondary Objective
• What are the offences?
– Mischief to Data• Dual / maximum 5 years
Secondary Objective
• What are the offences?
– Mischief to Data• Dual / maximum 5 years
– Unauthorized Use of Computer (Access)• Dual / maximum 10 years
Secondary Objective
• What are the offences?– Mischief to Data
• Dual / maximum 5 years
– Unauthorized Use of Computer (Access)• Dual / maximum 10 years
– Other Criminal Code offences – but not “Theft of Information”
Secondary Objective
• What do police require to initiate an investigation?
Secondary Objective
• What do police require to initiate an investigation?
– A reason to believe that an offence has taken place.
• Obviously, the more information that can be offered, the more quickly we can investigate.
Secondary Objective
• When will police take action??
Secondary Objective
• When will police take action??
– We do not normally investigate attacks on home computers
Secondary Objective
• When will police take action??
– We do not normally investigate attacks on home computers
– UNLESS:• Threat of physical harm
• Threat of Damage to property
• Related to other serious matter
Secondary Objective
• When will police take action??
– We will investigate business related matters
• Threat to livelihood
• Loss of jobs
Secondary Objective
• Who do you contact??
– Contact your local police agency (911 is probably not appropriate )
Secondary Objective
• Who do you contact??– Contact your local police agency (911 is
probably not appropriate )
– Advise your local police agency that our unit is available to assist / investigate if they are not able to fully respond.
• We will assign a priority and respond on that basis
Other Considerations?
• Should you notify upstream / downstream?– That’s your call…
• What are the risks to the other system / organization?
Other Considerations?
What is the risk to your organization ?
If you notify…
If you don’t notify…
Other Considerations?
What is the risk to your organization ?
If you notify…
If you don’t notify…
What is the ethical thing to do?
Other Considerations?
• Share information
– This is one of the strongest defense mechanisms that is available
How does it work?
• You’ve suffered (are suffering) an attack
• You’ve notified the police
• You’ve notified related organizations for their protection / information
• NOW WHAT??
How does it work?
• Secure your system (priorities)
– Ensure that your business / operation can continue.
How does it work?
– To assist police (or civil) investigation
• Make and keep notes / chronological journal of events and actions
• Retain all backups
How does it work?
– To assist police (or civil) investigation
• Make and keep notes / chronological journal of events and actions
• Retain all backups
• If possible remove & retain the current hard drives and restore the system on replacement hard drives.
How does it work?
If not…
Obtain and preserve a “bit image” copy of your system at the point that you are aware of the attack.
• Linux ‘DD’ works well (Ghost would be a second choice)
• Ensure that the destination drive has been ‘wiped’, not just reformatted
How does it work?
• If an image of the system is not possible…
– Make & retain copies of all of the log files possible
How does it work?
• Police investigation can take considerable time.
– Jurisdictional issues may prevent prosecution
How does it work?
• IF we go to court….
– Detailed statements from all persons will be required.
• Much better quality easier to do if notes kept from the time of the attack.
How does it work?
• IF we go to court….
– Detailed statements from all persons will be required.
• Much better quality easier to do if notes kept from the time of the attack.
– Court will likely be a year or two away and will be at least a week in duration.
How does it work?
• Disclosure…
– Police and Crown Prosecutors will have to disclose ALL evidence upon which the case relies
• Exception: Confidential information
How does it work?
• Confidential Information…
– This must be dealt with on a case by case basis.
How does it work?
• Confidential Information…
– This must be dealt with on a case by case basis.
– Disclosure may be limited to only a portion of the confidential information
How does it work?
• Confidential Information…
– This must be dealt with on a case by case basis.
– Disclosure may be limited to only a portion of the confidential information
– Disclosure may be made to a third party
How does it work?
• Confidential Information…
– In a ‘worst case’ scenario a decision may have to be made to proceed or withdraw from the prosecution
Don’t be a “Client”
• Enough about “when you suffer an attack”
• How can you prevent “an attack”??
Don’t be a “Client
• The boring and the usual!….
Don’t be a “Client
• The boring and the usual!….
– Keep your service packs up to date
Don’t be a “Client
• The boring and the usual!….
– Keep your service packs up to date– Ensure your authentication system is current
and meets your security requirements
Don’t be a “Client
• The boring and the usual!….
– Keep your service packs (software) up to date– Ensure your authentication system is current
and meets your security requirements
– TEST YOUR BACKUP / DISASTER RECOVERY!!!
Don’t be a “Client
• Do you have policy?…
Don’t be a “Client
• Do you have policy?…
– Separation of Duties
Don’t be a “Client
• Do you have policy?…
– Separation of Duties
– Required authentication
Don’t be a “Client
• Do you have policy?…
– Separation of Duties
– Required authentication
– Employee Termination procedures• A check list might be helpful
Don’t be a “Client
• Are your employees aware of your policy?
– Can they report a problem to a confidential person… and do they know who that person is?
Don’t be a “Client
• Have you had an independent review of your policies / security / disaster recovery??
– A fresh look can be invaluable
Don’t be a “Client
• Where’s the threat??
– A vulnerable system will eventually be hit from an external source
Don’t be a “Client
• Where’s the threat??
– A vulnerable system will eventually be hit from an external source
– A secure system may also be hit from an internal source
Don’t be a “Client
• Information from my contacts in private industry as well as my experience indicates…
– You are at least as likely to be compromised from an internal threat as from an external threat.
Don’t be a “Client
• We are happy to respond to your request for an investigation….
– We sincerely hope that you don’t have to call!!
Don’t be a “Client
S/Sgt. Bruce ImrieRegional Coordinator
Vancouver Integrated Technological Crime Unit
ITCU Lab: 604-598-4087
Unit Pager: 604-473-2858
Email: bruce.imrie@rcmp-grc.gc.ca
Recommended