The RCMP Tech Crime Unit Information Systems Security

The RCMP Tech Crime Unit & Information Systems Security
Presented to: ISSA, January 26, 2005

E Div. Technological Crime Unit
• Who / What is the Tech Crime Unit anyway?
  – Mandate is:
    • to conduct technical analysis of computer storage media
    • to conduct investigations of true computer crime (unauthorized access, mischief to data)
  – Unit created in July 2002 with the subsequent transfer of 5 members
  – Unit has grown to its current size of 14 regular members and two support staff
  – Approx. half of our members have undergrad degrees
  – Permanent posting to the Tech Crime Unit requires successful completion of an 18 month understudy program
  – Training is always ongoing
  – Non-personnel resources
    • In addition to the RCMP computer equipment, we maintain our own 21 TB SAN to support our technical analysis work.

New Laws
• Criminal Code Production Orders
  – These are court orders similar to a general search warrant
    • They replace a search warrant in that they do not technically require a search.
    • You are required to produce the records when, and in the form, demanded in the production order.
    • In the future you may see Preservation Orders

• So…. What do you do when…
  – Your data is destroyed
  – An unauthorized user has gained access
  – Data has been modified
  … by an intentional act…

Priorities
• Objectives (Primary)
  – Maintain the function / operation of your system
  – Maintain the integrity of your system
  – Prevent further security problems

Priorities
• When there is a security breach, it may be too late to start logging.
  – MOTTO: Have logging in place; make sure that your business can continue
  – Turn on all logging that is possible. Save log files (reports) from all routers possible.

Secondary Objective
• When do you call the police?
  – When you know (or believe) that you have an intentional security breach (criminal offence)
    • A Criminal Code offence requires “intent”.

Secondary Objective
• What are the offences?
  – Mischief to Data
    • Dual / maximum 5 years
  – Unauthorized Use of Computer (Access)
    • Dual / maximum 10 years
  – Other Criminal Code offences – but not “Theft of Information”

Secondary Objective
• What do police require to initiate an investigation?
  – A reason to believe that an offence has taken place.
    • Obviously, the more information that can be offered, the more quickly we can investigate.

Secondary Objective
• When will police take action?
  – We do not normally investigate attacks on home computers
  – UNLESS:
    • Threat of physical harm
    • Threat of damage to property
    • Related to other serious matter
  – We will investigate business related matters
    • Threat to livelihood
    • Loss of jobs

Secondary Objective
• Who do you contact?
  – Contact your local police agency (911 is probably not appropriate)
  – Advise your local police agency that our unit is available to assist / investigate if they are not able to fully respond.
    • We will assign a priority and respond on that basis

Other Considerations?
• Should you notify upstream / downstream?
  – That’s your call…
    • What are the risks to the other system / organization?
    • What is the risk to your organization?
      – If you notify…
      – If you don’t notify…
    • What is the ethical thing to do?
• Share information
  – This is one of the strongest defense mechanisms that is available

How does it work?
• You’ve suffered (are suffering) an attack
• You’ve notified the police
• You’ve notified related organizations for their protection / information
• NOW WHAT?

How does it work?
• Secure your system (priorities)
  – Ensure that your business / operation can continue.
  – To assist police (or civil) investigation
    • Make and keep notes / chronological journal of events and actions
    • Retain all backups
    • If possible remove & retain the current hard drives and restore the system on replacement hard drives.
  – If not… Obtain and preserve a “bit image” copy of your system at the point that you are aware of the attack.
    • Linux ‘dd’ works well (Ghost would be a second choice)
    • Ensure that the destination drive has been ‘wiped’, not just reformatted
• If an image of the system is not possible…
  – Make & retain copies of all of the log files possible
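The imaging steps above (wipe the destination, take a bit image with dd, keep a chronological journal) as one runnable drill. This is an added example, not material from the slides or from the RCMP unit: it uses ordinary files standing in for the compromised drive and the evidence drive so it runs anywhere without touching real devices; the SOURCE, TARGET and JOURNAL paths are assumptions and would be real device paths and a case file in practice.

```shell
#!/bin/sh
# Added example, not from the original slides: a small forensic-imaging
# drill covering three of the deck's points: wipe the destination before
# use (not just reformat it), take a bit image with dd, and keep a
# timestamped journal of every action.  Ordinary files stand in for the
# block devices; the paths below are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SOURCE="$WORK/suspect-disk.img"    # stands in for the compromised drive
TARGET="$WORK/evidence-disk.img"   # stands in for the (wiped) destination drive
JOURNAL="$WORK/journal.log"        # chronological notes for the investigator
SIZE=1048576                       # 1 MiB constructed sample, block-aligned for dd

# Append a UTC-timestamped line to the journal: the contemporaneous
# record the deck asks for.
note() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$JOURNAL"
}

# Portable SHA-256 (sha256sum on Linux, shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Constructed sample disk: random bytes with a recognizable marker inside.
make_sample_disk() {
    dd if=/dev/urandom of="$SOURCE" bs=4096 count=$((SIZE / 4096)) 2>/dev/null
    printf 'CONSTRUCTED SAMPLE MARKER' | dd of="$SOURCE" bs=1 seek=8192 conv=notrunc 2>/dev/null
    note "created constructed sample disk $SOURCE"
}

# Overwrite the destination with zeros so residue from an earlier case
# cannot be mistaken for evidence from this one.
wipe_target() {
    dd if=/dev/zero of="$TARGET" bs=4096 count=$((SIZE / 4096)) 2>/dev/null
    note "wiped $TARGET with zeros"
}

# Succeeds only if the file contains no non-zero byte.
is_wiped() {
    [ "$(( $(tr -d '\000' < "$1" | wc -c) ))" -eq 0 ]
}

# Bit-for-bit copy; refuses a destination that has not been wiped.
# conv=noerror,sync keeps going past unreadable sectors on a real device,
# padding them instead of aborting the image.
image_disk() {
    is_wiped "$TARGET" || { note "REFUSED: $TARGET is not wiped"; return 1; }
    note "imaging $SOURCE -> $TARGET with dd"
    dd if="$SOURCE" of="$TARGET" bs=4096 conv=noerror,sync 2>/dev/null
    note "source sha256: $(hash_file "$SOURCE")"
    note "image  sha256: $(hash_file "$TARGET")"
}

# Prints "match" when the image hashes identically to the source.
verify_image() {
    if [ "$(hash_file "$SOURCE")" = "$(hash_file "$TARGET")" ]; then
        note "verification: match"; echo match
    else
        note "verification: MISMATCH"; echo mismatch
    fi
}

make_sample_disk
wipe_target
image_disk
verify_image
cat "$JOURNAL"
```

The wipe check is deliberately a content check rather than a trust in the last person's word: a "reformatted" drive still carries old data in most of its sectors, which is exactly the confusion the slide warns about. Recording both hashes in the journal at imaging time is what lets a court later tie the analysed image back to the original drive.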

How does it work?
• Police investigation can take considerable time.
  – Jurisdictional issues may prevent prosecution
• IF we go to court….
  – Detailed statements from all persons will be required.
    • Much better quality, and easier to do, if notes are kept from the time of the attack.
  – Court will likely be a year or two away and will be at least a week in duration.

How does it work?
• Disclosure…
  – Police and Crown Prosecutors will have to disclose ALL evidence upon which the case relies
    • Exception: Confidential information
• Confidential Information…
  – This must be dealt with on a case by case basis.
  – Disclosure may be limited to only a portion of the confidential information
  – Disclosure may be made to a third party
  – In a ‘worst case’ scenario a decision may have to be made to proceed or withdraw from the prosecution

Don’t be a “Client”
• Enough about “when you suffer an attack”
• How can you prevent “an attack”?
• The boring and the usual!….
  – Keep your service packs (software) up to date
  – Ensure your authentication system is current and meets your security requirements
  – TEST YOUR BACKUP / DISASTER RECOVERY!!!
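A restore drill for the "TEST YOUR BACKUP / DISASTER RECOVERY" point, as an added example that is not part of the slides or the unit's own material. A backup that has never been restored proves nothing; the script backs up a directory, restores it into a fresh location, and compares checksum manifests of the two trees. The sample data is constructed inline and the directory names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides: back up a directory,
# restore it somewhere fresh, and prove the restored tree is identical
# using a checksum manifest.  Sample data is constructed in a temporary
# directory; the LIVE/ARCHIVE/RESTORE names are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LIVE="$WORK/live"          # stands in for the production data directory
ARCHIVE="$WORK/backup.tar" # the backup artifact
RESTORE="$WORK/restore"    # a fresh location, never the live tree itself

# Constructed sample data: a nested path, a log, and an empty file.
make_sample_data() {
    mkdir -p "$LIVE/etc" "$LIVE/var/log"
    printf 'server { listen 443; }\n' > "$LIVE/etc/app.conf"
    printf 'login ok user=alice\nlogin failed user=mallory\n' > "$LIVE/var/log/auth.log"
    : > "$LIVE/var/log/empty.log"
}

# Manifest of "crc size path" for every regular file, sorted so two
# manifests of identical trees compare equal.  cksum is POSIX.
make_manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
          printf '%s %s\n' "$(cksum < "$f" | cut -d' ' -f1,2)" "$f"
      done )
}

backup() {
    ( cd "$LIVE" && tar -cf "$ARCHIVE" . )
}

restore() {
    rm -rf "$RESTORE" && mkdir -p "$RESTORE"
    ( cd "$RESTORE" && tar -xf "$ARCHIVE" )
}

# Prints "OK" when the restored tree matches the live tree, otherwise
# "FAIL" followed by the differing manifest lines.
verify_restore() {
    if diff "$WORK/live.manifest" "$WORK/restore.manifest" > "$WORK/diff.txt"; then
        echo OK
    else
        echo FAIL; cat "$WORK/diff.txt"
    fi
}

# Full drill: manifest the live data, back up, restore, manifest, compare.
run_drill() {
    make_manifest "$LIVE" > "$WORK/live.manifest"
    backup
    restore
    make_manifest "$RESTORE" > "$WORK/restore.manifest"
    verify_restore
}

make_sample_data
run_drill
```

Run this on a schedule against the real backup artifact and treat anything other than OK as an incident in its own right: a backup that cannot be restored is one of the most common reasons the "maintain the function / operation of your system" objective fails after an attack.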

Don’t be a “Client”
• Do you have policy? …
  – Separation of Duties
  – Required authentication
  – Employee Termination procedures
    • A check list might be helpful
• Are your employees aware of your policy?
  – Can they report a problem to a confidential person… and do they know who that person is?
• Have you had an independent review of your policies / security / disaster recovery?
  – A fresh look can be invaluable

Don’t be a “Client”
• Where’s the threat?
  – A vulnerable system will eventually be hit from an external source
  – A secure system may also be hit from an internal source
• Information from my contacts in private industry as well as my experience indicates…
  – You are at least as likely to be compromised from an internal threat as from an external threat.
• We are happy to respond to your request for an investigation….
  – We sincerely hope that you don’t have to call!!

Don’t be a “Client”
S/Sgt. Bruce Imrie
Regional Coordinator, Vancouver Integrated Technological Crime Unit
ITCU Lab: 604-598-4087
Unit Pager: 604-473-2858
Email: bruce.imrie@rcmp-grc.gc.ca