Slide 1: FBI Phoenix Computer Crime Squad
SA Tom Liffiton
10/23/2003
Maricopa Association of Governments Telecommunications Advisory Group
Slide 2: FBI Phoenix Computer Crime Squad
Incident Response Planning, Law Enforcement Issues, and THE BIG PICTURE
Slide 3: FBI Phoenix Computer Crime Squad (case types)
419 Nigerian Scam
E-mail Identity Theft
warez
pornography
Child Pornography
Spam
Denial of Service
Viruses, Worms, Malicious Code
Internet Fraud
E-mail Threats
Unauthorized Access
Slide 4: ISO 17799 STANDARDS
Security Policy
Security Organization
Asset classification and control
Personnel Security
Physical and environmental security
Communications and operations management
Access Control
Systems Development and maintenance
Business Continuity Management
Compliance (HIPAA) (Gramm-Leach-Bliley)
Slide 5: FBI Phoenix Computer Crime Squad
SOCIAL ENGINEERING
EDUCATION
Slide 6: Anatomy of a Cyber Incident
Incident is discovered/reported
Activate: Incident Management Team
Notify: Security, Legal, Law Enforcement
Slide 7: Incident Management Team
Created prior to incident
Protocols pre-defined
One person in charge
One person responsible for evidence
Team may cover shifts
Slide 8: Keep a log of events & document loss
Document what you know, when you know it, who knows, what you do, and who does it (think testimony)
Document loss: resources used, lost revenues, cost of consultants, equipment cost (think testimony)
Slide 9: Evidence
Hard drives
Backup data
Security logs
Event logs
Initialed, dated, documented
Employment records
Think proof of story.
</gre_replace>
<gr_replace lines="22-23" cat="clarify" orig="10">
Slide 10: What to do during / after an Incident
Audit trails & logging
  What logs were active at the time of the attack?
  Begin keystroke monitoring
  Consent to Monitor (banner in place?)
  SysAdmin Monitoring Authority: can be used even absent consent or a warning banner
Identify and recover available evidence
  System log files, system images, altered/damaged files, intruders' files, network logs (routers, SNMP, etc.), traditional evidence
Secure evidence and maintain simple "chain-of-custody" records
10
FBI Phoenix – Computer Crime Squad What to do during /after an Incident. Audit trails & logging What logs were active at the time of the attack? Begin keystroke monitoring Consent to Monitor (banner in place?) SysAdmin Monitoring Authority Can be used even absent consent or a warning banner Identify and recover available evidence System log files, system images, altered/damaged files, intruders’ files, network logs (routers, SNMP, etc.), traditional evidence Secure evidence and maintain simple “chain-of-custody” records A
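The "initialed, dated, documented" evidence list on slide 9 and the chain-of-custody step on slide 10 both come down to recording who held an item, when, and proof that it was not altered afterwards. The script below is an added illustration of that record-keeping, not material from the presentation: it hashes an evidence file, appends a custody entry (custodian, time, action, SHA-256), and later re-hashes the item to show that a change since collection is detected. The log line, custodian name and file names are constructed for the example.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash the evidence item in chunks so large images and logs are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(evidence_path, custodian, action, log_path):
    """Append one chain-of-custody entry: who, when, which item, what was done, and its hash."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "custodian": custodian,
        "action": action,
        "item": str(evidence_path),
        "sha256": sha256_file(evidence_path),
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")  # append-only, one JSON object per line
    return entry


def verify_custody(evidence_path, log_path):
    """Re-hash the item and compare with the first (collection-time) hash in the log."""
    with open(log_path, encoding="utf-8") as log:
        entries = [json.loads(line) for line in log if line.strip()]
    collected = [e for e in entries if e["item"] == str(evidence_path)]
    current = sha256_file(evidence_path)
    if not collected:
        return False, None, current  # item was never logged: no custody chain to verify
    return current == collected[0]["sha256"], collected[0]["sha256"], current


def demo():
    """Constructed scenario: collect a log file, verify it, then show a later edit is caught."""
    with tempfile.TemporaryDirectory() as d:
        evidence = Path(d) / "security.log"  # constructed sample, not a real log
        evidence.write_text("Oct 23 02:14:07 host sshd[812]: Failed password for root from 203.0.113.5\n")
        chain = Path(d) / "chain_of_custody.jsonl"
        record_custody(evidence, "Custodian A (constructed)", "collected from host", chain)
        ok_before, _, _ = verify_custody(evidence, chain)
        with open(evidence, "a") as f:
            f.write("edited after collection\n")  # simulates use of the item before preservation
        ok_after, _, _ = verify_custody(evidence, chain)
        return ok_before, ok_after
```

Each later hand-off (to counsel, to an agent) gets its own `record_custody` call, so the log shows the unbroken sequence of custodians the presentation asks for.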
Slide 11: Example Banner
This is a ___________ computer system. Before processing classified and/or sensitive but unclassified information, check the security accreditation level of this system. Do not process, store, or transmit information classified above the accreditation level of this system. This computer system, including all related equipment, networks, and network devices (including Internet access) are provided only for authorized ___________ use. _________ computer systems may be monitored for all lawful purposes, including to ensure their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Monitoring includes, but is not limited to, active attacks by authorized __________ entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied, and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this __________ computer system, authorized or unauthorized, constitutes consent to monitoring. Unauthorized use of this __________ computer system may subject you to civil litigation and/or criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action. Use of this system constitutes consent to monitoring for all lawful purposes.
Slide 12: What To Do (continued)
Identify source(s) of the attack.
Record specific damages and losses
  Including hours spent on recovery (now recoverable under Patriot Act provisions)
  Important for prosecution
Prepare for repeat attacks.
Protecting Mission Critical vs. Proprietary Data
Theorize: nobody knows your system better than you.
  Determine how the intrusion happened.
  Identify possible subjects and motives.
Be patient with law enforcement.
Slide 13: What NOT To Do
Do NOT use the compromised systems before preserving any evidence.
Do not make assumptions as to Federal jurisdiction or prosecutorial merit.
Do not assume that by ignoring the incident, or damage to your files, it will go away.
Do not correspond via E-mail on a compromised network regarding the incident or the investigation.
Slide 14: What to Expect if you call the FBI
Agents will keep your information confidential.
Agents will interview key witnesses
  IT Managers / Operators
Agents may offer assistance in recovering logs; securing systems
Agents may seek to identify the individual responsible
Possible plea bargaining
Possible trial
Sentencing (upon conviction)
  Restitution
These steps do NOT occur quickly!
Slide 15: US strategy
Computer Crime Squad
Network Security Issues
Slide 16: Civil, Regulatory, Criminal Issues
1. Asset Protection
2. Reporting oversight
3. Due diligence: protection of other people's private information
4. Due diligence: protection of resources so they won't be used against someone else
Sarbanes-Oxley Act of 2002 (accounting)
Gramm-Leach-Bliley of 1999 (financial)
Health Insurance Portability & Accountability Act of 1996
California SB 1386 (companies with clients in California)
Slide 20: prescription
1. security standards promoted
  a. VOLUNTARY adherence (biz)
  b. regulation AND/OR
  c. civil litigation, insurance
2. information sharing
  a. vulnerabilities, threats
  b. attacks
national
Slide 21: Information Sharing & Analysis Centers (ISACs)
InfraGard: FBI and private/public sector partnership
Aviation
Chemical
Electrical Energy
Emergency Services
Financial Services
Food
Gas & Oil
Government
Information Technology
Telecommunications
Transportation (surface)
Water
Slide 22: Federal Lead Agencies
NSA
CIA
Dept of Defense
law enforcement
InfraGard
ISACs
Federal Agencies
Slide 23: FBI Phoenix Computer Crime Squad
www.nipc.gov
Slide 24: FBI Phoenix Computer Crime Squad
56 FBI offices
79 chapters
9700+ members
information sharing
Slide 25: contact FBI PHOENIX
SA Tom Liffiton
602.279.5511 x3105
602.650.3105
tliffiton@fbi.gov