The RCMP Tech Crime Unit - PowerPoint PPT Presentation

About This Presentation
Title:

The RCMP Tech Crime Unit

Description:

The RCMP Tech Crime Unit & Information Systems Security Presented to: ISSA January 26, 2005 E Div. Technological Crime Unit Who / What is the Tech Crime Unit anyway? – PowerPoint PPT presentation

Number of Views:173
Avg rating:3.0/5.0
Slides: 63
Provided by: Bru7110
Category:

less

Transcript and Presenter's Notes

Title: The RCMP Tech Crime Unit


1
  • The RCMP Tech Crime Unit
  • Information Systems Security
  • Presented to
  • ISSA
  • January 26, 2005

2
E Div. Technological Crime Unit
  • Who / What is the Tech Crime Unit anyway?
  • Mandate is
  • to conduct technical analysis of computer
    storage medium
  • to conduct investigations of true computer crime
    (unauthorized access, mischief to data)

3
E Div. Technological Crime Unit
  • Who / What is the Tech Crime Unit anyway?
  • Unit created in July 2002 and subsequent transfer
    of 5 members
  • Unit has grown to current size of 14 regular
    members and two support staff

4
E Div. Technological Crime Unit
  • Who / What is the Tech Crime Unit anyway?
  • Approx. half of our members have undergrad
    degrees
  • Permanent posting to the Tech Crime Unit requires
    successful completion of an 18 month understudy
    program
  • Training is always ongoing

5
E Div. Technological Crime Unit
  • Who / What is the Tech Crime Unit anyway?
  • Non personnel resources
  • In addition to the RCMP computer equipment, we
    maintain our own 21 TB san to support our
    technical analysis work.

6
New Laws
  • Criminal Code Production Orders
  • These are a court order similar to a general
    search warrant
  • They replace a search warrant in that it dose not
    technically require a search.
  • Required to produce the records when and in the
    form demanded in the production order.
  • In the future you may see Preservation Orders

7
  • So. What do you do when
  • Your data is destroyed

8
  • So. What do you do when
  • Your data is destroyed
  • An unauthorized user has gained access

9
  • So. What do you do when
  • Your data is destroyed
  • An unauthorized user has gained access
  • Data has been modified
  • By an intentional act

10
Priorities
  • Objectives (Primary)
  • Maintain the function / operation of your system

11
Priorities
  • Objectives (Primary)
  • Maintain the function / operation of your system
  • Maintain the integrity of your system

12
Priorities
  • Objectives (Primary)
  • Maintain the function / operation of your system
  • Maintain the integrity of your system
  • Prevent further security problems

13
Priorities
  • When there is a security breach, it may be too
    late to start logging.
  • MOTO - Have logging in place make sure that
    your business can continue

14
Priorities
  • When there is a security breach, it may be too
    late to start logging.
  • MOTO - Have logging in place make sure that
    your business can continue
  • Turn on all logging that is possible. Save log
    files (reports) from all routers possible.

15
Secondary Objective
  • When do you call the police?

16
Secondary Objective
  • When do you call the police?
  • When you know (or believe) that you have an
    intentional security breach (criminal offence)
  • A criminal code offence requires intent.

17
Secondary Objective
  • What are the offences?

18
Secondary Objective
  • What are the offences?
  • Mischief to Data
  • Dual / maximum 5 years

19
Secondary Objective
  • What are the offences?
  • Mischief to Data
  • Dual / maximum 5 years
  • Unauthorized Use of Computer (Access)
  • Dual / maximum 10 years

20
Secondary Objective
  • What are the offences?
  • Mischief to Data
  • Dual / maximum 5 years
  • Unauthorized Use of Computer (Access)
  • Dual / maximum 10 years
  • Other Criminal Code offences but not Theft of
    Information

21
Secondary Objective
  • What do police require to initiate an
    investigation?

22
Secondary Objective
  • What do police require to initiate an
    investigation?
  • A reason to believe that an offence has taken
    place.
  • Obviously, the more information that can be
    offered, the more quickly we can investigate.

23
Secondary Objective
  • When will police take action??

24
Secondary Objective
  • When will police take action??
  • We do not normally investigate attacks on home
    computers

25
Secondary Objective
  • When will police take action??
  • We do not normally investigate attacks on home
    computers
  • UNLESS
  • Threat of physical harm
  • Threat of Damage to property
  • Related to other serious matter

26
Secondary Objective
  • When will police take action??
  • We will investigate business related matters
  • Threat to livelihood
  • Loss of jobs

27
Secondary Objective
  • Who do you contact??
  • Contact your local police agency (911 is
    probably not appropriate ?)

28
Secondary Objective
  • Who do you contact??
  • Contact your local police agency (911 is
    probably not appropriate ?)
  • Advise your local police agency that our unit is
    available to assist / investigate if they are not
    able to fully respond.
  • We will assign a priority and respond on that
    basis

29
Other Considerations?
  • Should you notify upstream / downstream?
  • Thats your call
  • What are the risks to the other system /
    organization?

30
Other Considerations?
  • What is the risk to your organization ?
  • If you notify
  • If you dont notify

31
Other Considerations?
  • What is the risk to your organization ?
  • If you notify
  • If you dont notify
  • What is the ethical thing to do?

32
Other Considerations?
  • Share information
  • This is one of the strongest defense mechanisms
    that is available

33
How does it work?
  • Youve suffered (are suffering) an attack
  • Youve notified the police
  • Youve notified related organizations for their
    protection / information
  • NOW WHAT??

34
How does it work?
  • Secure your system (priorities)
  • Ensure that your business / operation can
    continue.

35
How does it work?
  • To assist police (or civil) investigation
  • Make and keep notes / chronological journal of
    events and actions
  • Retain all backups

36
How does it work?
  • To assist police (or civil) investigation
  • Make and keep notes / chronological journal of
    events and actions
  • Retain all backups
  • If possible remove retain the current hard
    drives and restore the system on replacement hard
    drives.

37
How does it work?
  • If not
  • Obtain and preserve a bit image copy of your
    system at the point that you are aware of the
    attack.
  • Linux DD works well (Ghost would be a second
    choice)
  • Ensure that the destination drive has been
    wiped, not just reformatted

38
How does it work?
  • If an image of the system is not possible
  • Make retain copies of all of the log files
    possible

39
How does it work?
  • Police investigation can take considerable time.
  • Jurisdictional issues may prevent prosecution

40
How does it work?
  • IF we go to court.
  • Detailed statements from all persons will be
    required.
  • Much better quality easier to do if notes kept
    from the time of the attack.

41
How does it work?
  • IF we go to court.
  • Detailed statements from all persons will be
    required.
  • Much better quality easier to do if notes kept
    from the time of the attack.
  • Court will likely be a year or two away and will
    be at least a week in duration.

42
How does it work?
  • Disclosure
  • Police and Crown Prosecutors will have to
    disclose ALL evidence upon which the case relies
  • Exception Confidential information

43
How does it work?
  • Confidential Information
  • This must be dealt with on a case by case basis.

44
How does it work?
  • Confidential Information
  • This must be dealt with on a case by case basis.
  • Disclosure may be limited to only a portion of
    the confidential information

45
How does it work?
  • Confidential Information
  • This must be dealt with on a case by case basis.
  • Disclosure may be limited to only a portion of
    the confidential information
  • Disclosure may be made to a third party

46
How does it work?
  • Confidential Information
  • In a worst case scenario a decision may have to
    be made to proceed or withdraw from the
    prosecution

47
Dont be a Client
  • Enough about when you suffer an attack
  • How can you prevent an attack??

48
Dont be a Client
  • The boring and the usual!.

49
Dont be a Client
  • The boring and the usual!.
  • Keep your service packs up to date

50
Dont be a Client
  • The boring and the usual!.
  • Keep your service packs up to date
  • Ensure your authentication system is current and
    meets your security requirements

51
Dont be a Client
  • The boring and the usual!.
  • Keep your service packs (software) up to date
  • Ensure your authentication system is current and
    meets your security requirements
  • TEST YOUR BACKUP / DISASTER RECOVERY!!!

52
Dont be a Client
  • Do you have policy?

53
Dont be a Client
  • Do you have policy?
  • Separation of Duties

54
Dont be a Client
  • Do you have policy?
  • Separation of Duties
  • Required authentication

55
Dont be a Client
  • Do you have policy?
  • Separation of Duties
  • Required authentication
  • Employee Termination procedures
  • A check list might be helpful

56
Dont be a Client
  • Are your employees aware of your policy?
  • Can they report a problem to a confidential
    person and do they know who that person is?

57
Dont be a Client
  • Have you had an independent review of your
    policies / security / disaster recovery??
  • A fresh look can be invaluable

58
Dont be a Client
  • Wheres the threat??
  • A vulnerable system will eventually be hit from
    an external source

59
Dont be a Client
  • Wheres the threat??
  • A vulnerable system will eventually be hit from
    an external source
  • A secure system may also be hit from an internal
    source

60
Dont be a Client
  • Information from my contacts in private industry
    as well as my experience indicates
  • You are at least as likely to be compromised from
    an internal threat as from an external threat.

61
Dont be a Client
  • We are happy to respond to your request for an
    investigation.
  • We sincerely hope that you dont have to call!!

62
Dont be a Client
  • S/Sgt. Bruce Imrie
  • Regional Coordinator
  • Vancouver Integrated Technological Crime Unit
  • ITCU Lab 604-598-4087
  • Unit Pager 604-473-2858
  • Email bruce.imrie_at_rcmp-grc.gc.ca
Write a Comment
User Comments (0)
About PowerShow.com