The RCMP Tech Crime Unit - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
  • The RCMP Tech Crime Unit
  • Information Systems Security
  • Presented to
  • ISSA
  • January 26, 2005

2
E Div. Technological Crime Unit
  • Who / What is the Tech Crime Unit anyway?
  • Mandate is
  • to conduct technical analysis of computer
    storage medium
  • to conduct investigations of true computer crime
    (unauthorized access, mischief to data)

3
E Div. Technological Crime Unit
  • Who / What is the Tech Crime Unit anyway?
  • Unit created in July 2002 and subsequent transfer
    of 5 members
  • Unit has grown to current size of 14 regular
    members and two support staff

4
E Div. Technological Crime Unit
  • Who / What is the Tech Crime Unit anyway?
  • Approx. half of our members have undergrad
    degrees
  • Permanent posting to the Tech Crime Unit requires
    successful completion of an 18 month understudy
    program
  • Training is always ongoing

5
E Div. Technological Crime Unit
  • Who / What is the Tech Crime Unit anyway?
  • Non-personnel resources
  • In addition to the RCMP computer equipment, we
    maintain our own 21 TB SAN to support our
    technical analysis work.

6
New Laws
  • Criminal Code Production Orders
  • These are a court order similar to a general
    search warrant
  • They replace a search warrant in that it does not
    technically require a search.
  • Required to produce the records when and in the
    form demanded in the production order.
  • In the future you may see Preservation Orders

9
  • So. What do you do when
  • Your data is destroyed
  • An unauthorized user has gained access
  • Data has been modified
  • By an intentional act

12
Priorities
  • Objectives (Primary)
  • Maintain the function / operation of your system
  • Maintain the integrity of your system
  • Prevent further security problems

14
Priorities
  • When there is a security breach, it may be too
    late to start logging.
  • MOTTO - Have logging in place; make sure that
    your business can continue
  • Turn on all logging that is possible. Save log
    files (reports) from all routers possible.

16
Secondary Objective
  • When do you call the police?
  • When you know (or believe) that you have an
    intentional security breach (criminal offence)
  • A criminal code offence requires intent.

20
Secondary Objective
  • What are the offences?
  • Mischief to Data
  • Dual / maximum 5 years
  • Unauthorized Use of Computer (Access)
  • Dual / maximum 10 years
  • Other Criminal Code offences but not Theft of
    Information

22
Secondary Objective
  • What do police require to initiate an
    investigation?
  • A reason to believe that an offence has taken
    place.
  • Obviously, the more information that can be
    offered, the more quickly we can investigate.

25
Secondary Objective
  • When will police take action??
  • We do not normally investigate attacks on home
    computers
  • UNLESS
  • Threat of physical harm
  • Threat of Damage to property
  • Related to other serious matter

26
Secondary Objective
  • When will police take action??
  • We will investigate business related matters
  • Threat to livelihood
  • Loss of jobs

28
Secondary Objective
  • Who do you contact??
  • Contact your local police agency (911 is
    probably not appropriate)
  • Advise your local police agency that our unit is
    available to assist / investigate if they are not
    able to fully respond.
  • We will assign a priority and respond on that
    basis

29
Other Considerations?
  • Should you notify upstream / downstream?
  • That's your call
  • What are the risks to the other system /
    organization?

31
Other Considerations?
  • What is the risk to your organization ?
  • If you notify
  • If you don't notify
  • What is the ethical thing to do?

32
Other Considerations?
  • Share information
  • This is one of the strongest defense mechanisms
    that is available

33
How does it work?
  • You've suffered (are suffering) an attack
  • You've notified the police
  • You've notified related organizations for their
    protection / information
  • NOW WHAT??

34
How does it work?
  • Secure your system (priorities)
  • Ensure that your business / operation can
    continue.

36
How does it work?
  • To assist police (or civil) investigation
  • Make and keep notes / chronological journal of
    events and actions
  • Retain all backups
  • If possible, remove and retain the current hard
    drives and restore the system on replacement hard
    drives.

37
How does it work?
  • If not
  • Obtain and preserve a bit image copy of your
    system at the point that you are aware of the
    attack.
  • Linux dd works well (Ghost would be a second
    choice)
  • Ensure that the destination drive has been
    wiped, not just reformatted

38
How does it work?
  • If an image of the system is not possible
  • Make and retain copies of all of the log files
    possible
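The preservation steps of slides 35 to 38 (keep a chronological journal, image the system with dd onto a wiped destination, and fall back to copying log files when no image is possible), carried out as an added shell example. This is not code from the presentation or the RCMP; it assumes a POSIX shell with dd, sha256sum (or shasum), and works on constructed sample files standing in for real devices (on a real system the source would be something like /dev/sdb and the destination a wiped drive or an image file on one).

```shell
#!/bin/sh
# Added example, not from the presentation. Images a source device or file
# with dd, refusing a destination that was only reformatted rather than
# wiped, hashes source and image so the copy can be proven faithful later,
# and appends every action to a timestamped journal (slide 36's
# "chronological journal of events and actions").
set -u

# Journal path is an assumption; override with JOURNAL=/path before calling.
: "${JOURNAL:=./incident-journal.txt}"

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if every byte of the destination is zero, i.e. it was really
# wiped. A reformatted drive keeps old data outside the new filesystem
# metadata, which this check catches. Reads the whole medium, so it is slow
# on a large disk, but that is the point of slide 37's caveat.
is_wiped() {
    # tr -d strips NUL bytes; anything left means non-zero bytes remain.
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -eq 0 ]
}

# Append one journal line with a UTC timestamp.
journal() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$JOURNAL"
}

# acquire SRC DST: refuse an unwiped destination, image with dd, verify the
# hashes. Returns 0 when the image hash equals the source hash, 1 otherwise.
acquire() {
    src=$1; dst=$2
    if ! is_wiped "$dst"; then
        journal "REFUSED: destination $dst not wiped (non-zero bytes present)"
        return 1
    fi
    src_hash=$(sha256_of "$src")
    journal "START imaging $src -> $dst, source sha256=$src_hash"
    # bs=512 matches the sector size, so conv=sync never pads a good read;
    # conv=noerror keeps going past unreadable sectors, filling them with
    # zeros so the rest of the image stays at the correct offsets.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    dst_hash=$(sha256_of "$dst")
    journal "END imaging, image sha256=$dst_hash"
    if [ "$src_hash" = "$dst_hash" ]; then
        journal "VERIFIED: source and image hashes match"
        return 0
    fi
    journal "MISMATCH: source and image hashes differ"
    return 1
}

# preserve_logs SRC_DIR DST_DIR: slide 38's fallback when no image is
# possible. Copies every regular file in SRC_DIR to DST_DIR, keeping
# timestamps, writes a SHA-256 manifest beside the copies so later changes
# can be detected, journals the count, and prints the number of files copied.
preserve_logs() {
    srcdir=$1; dstdir=$2; n=0
    mkdir -p "$dstdir"
    : > "$dstdir/MANIFEST.sha256"
    for f in "$srcdir"/*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$dstdir/"
        printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" \
            >> "$dstdir/MANIFEST.sha256"
        n=$((n + 1))
    done
    journal "PRESERVED $n log file(s) from $srcdir to $dstdir"
    echo "$n"
}

# Usage (real devices are an assumption, shown for illustration only):
#   JOURNAL=/mnt/evidence/journal.txt acquire /dev/sdb /mnt/evidence/sdb.img
#   preserve_logs /var/log /mnt/evidence/logs
```

The hash comparison is what turns the image into evidence: the journal records the source digest before imaging and the image digest after, so anyone can later re-hash the image and show it is unchanged. On a drive with unreadable sectors the two digests will legitimately differ (the image carries zero-filled sectors the source would not read); the journal then records the mismatch rather than silently accepting the copy.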

39
How does it work?
  • Police investigation can take considerable time.
  • Jurisdictional issues may prevent prosecution

41
How does it work?
  • IF we go to court.
  • Detailed statements from all persons will be
    required.
  • Much better quality and easier to do if notes are
    kept from the time of the attack.
  • Court will likely be a year or two away and will
    be at least a week in duration.

42
How does it work?
  • Disclosure
  • Police and Crown Prosecutors will have to
    disclose ALL evidence upon which the case relies
  • Exception: confidential information

45
How does it work?
  • Confidential Information
  • This must be dealt with on a case by case basis.
  • Disclosure may be limited to only a portion of
    the confidential information
  • Disclosure may be made to a third party

46
How does it work?
  • Confidential Information
  • In a worst case scenario a decision may have to
    be made to proceed or withdraw from the
    prosecution

47
Don't be a Client
  • Enough about when you suffer an attack
  • How can you prevent an attack??

51
Don't be a Client
  • The boring and the usual!
  • Keep your service packs (software) up to date
  • Ensure your authentication system is current and
    meets your security requirements
  • TEST YOUR BACKUP / DISASTER RECOVERY!!!

55
Don't be a Client
  • Do you have policy?
  • Separation of Duties
  • Required authentication
  • Employee Termination procedures
  • A check list might be helpful

56
Don't be a Client
  • Are your employees aware of your policy?
  • Can they report a problem to a confidential
    person and do they know who that person is?

57
Don't be a Client
  • Have you had an independent review of your
    policies / security / disaster recovery??
  • A fresh look can be invaluable

59
Don't be a Client
  • Where's the threat??
  • A vulnerable system will eventually be hit from
    an external source
  • A secure system may also be hit from an internal
    source

60
Don't be a Client
  • Information from my contacts in private industry
    as well as my experience indicates
  • You are at least as likely to be compromised from
    an internal threat as from an external threat.

61
Don't be a Client
  • We are happy to respond to your request for an
    investigation.
  • We sincerely hope that you don't have to call!!

62
Don't be a Client
  • S/Sgt. Bruce Imrie
  • Regional Coordinator
  • Vancouver Integrated Technological Crime Unit
  • ITCU Lab 604-598-4087
  • Unit Pager 604-473-2858
  • Email bruce.imrie_at_rcmp-grc.gc.ca