FBI Phoenix Incident Response Planning, Law Enforcement Issues,


Presentation on theme: "FBI Phoenix Incident Response Planning, Law Enforcement Issues,"— Presentation transcript:

1 FBI Phoenix Incident Response Planning, Law Enforcement Issues, and THE BIG PICTURE
FBI Phoenix Computer Crime Squad
Objectives:
- Explain networks and vulnerabilities
- Context of networks
- Vulnerabilities/Exploitations
- Investigative objectives
- Proactive objectives

2 Viruses, Worms, Malicious Code
- Viruses, Worms, Malicious Code
- Unauthorized Access
- Denial of Service
- Child Pornography
- Identity Theft
- Pornography
- Internet Fraud
- Warez
- Threats
- Spam
- 419 Nigerian Scam
FBI Phoenix – Computer Crime Squad

3 ISO 17799 STANDARDS
- Security Policy
- Security Organization
- Asset classification and control
- Personnel Security
- Physical and environmental security
- Communications and operations management
- Access Control
- Systems Development and maintenance
- Business Continuity Management
- Compliance (HIPAA) (Gramm-Leach-Bliley)

4 EDUCATION
SOCIAL ENGINEERING
FBI Phoenix – Computer Crime Squad

5 Anatomy of a Cyber Incident
- Incident is discovered/reported
- Activate: Incident Management Team
- Notify: Security, Legal, Law Enforcement
FBI Phoenix – Computer Crime Squad

6 Incident Management Team
- Created prior to incident
- Protocols pre-defined
- One person in charge
- One person responsible for evidence
- Team may cover shifts
FBI Phoenix – Computer Crime Squad

7 Keep a log of events & document loss
- Document what you know, when you know, who knows, what you do, who does it (think testimony)
- Document loss: resources used, lost revenues, cost of consultants, equipment cost (think testimony)
FBI Phoenix – Computer Crime Squad

8 Evidence
- Hard drives
- Backup data
- Security logs
- Event logs
- Initialed, dated, documented
- Employment records
- Think proof of story.
FBI Phoenix – Computer Crime Squad

9 What to do during/after an Incident
- Audit trails & logging: What logs were active at the time of the attack?
- Begin keystroke monitoring
  - Consent to Monitor (banner in place?)
  - SysAdmin Monitoring Authority: can be used even absent consent or a warning banner
- Identify and recover available evidence: system log files, system images, altered/damaged files, intruders’ files, network logs (routers, SNMP, etc.), traditional evidence
- Secure evidence and maintain simple “chain-of-custody” records
FBI Phoenix – Computer Crime Squad
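Slides 7 to 9 ask for evidence that is initialed, dated and documented with simple chain-of-custody records. The following is an added example, not material from the presentation or the FBI: a minimal custody log in which every hand-off records who, when and a SHA-256 of the item, so a later re-hash shows whether the item changed while in custody. The item id, custodian names and the log line are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large disk images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(log, item_id, path, custodian, action, note=""):
    """Append one custody event (who, when, what, hash) and return it."""
    entry = {
        "item_id": item_id,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,  # who handled it (think testimony)
        "action": action,        # collected / transferred / analyzed
        "sha256": sha256_file(path),  # recomputed at every hand-off
        "size_bytes": os.path.getsize(path),
        "note": note,
    }
    log.append(entry)
    return entry


def verify_item(log, item_id, path):
    """Re-hash the item; False if unrecorded or altered since collection."""
    first = next((e for e in log if e["item_id"] == item_id), None)
    return first is not None and sha256_file(path) == first["sha256"]


def demo():
    """Constructed sample: a tiny auth log standing in for a seized file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "wb") as f:
            f.write(b"Feb 11 03:14:07 web01 sshd[412]: Failed password\n")
        log = []
        record_custody(log, "E-001", path, "J. Smith", "collected", "web01")
        record_custody(log, "E-001", path, "A. Jones", "transferred", "lab safe")
        intact = verify_item(log, "E-001", path)
        with open(path, "ab") as f:  # simulate tampering after custody
            f.write(b"edited\n")
        return log, intact, verify_item(log, "E-001", path)
```

Calling demo() returns the two custody entries, True for the verification before the simulated edit and False after it.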

10 Example Banner
This is a ___________ computer system. Before processing classified and/or sensitive but unclassified information, check the security accreditation level of this system. Do not process, store, or transmit information classified above the accreditation level of this system. This computer system, including all related equipment, networks, and network devices (including Internet access) are provided only for authorized ___________ use. _________ computer systems may be monitored for all lawful purposes, including to ensure their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Monitoring includes, but is not limited to, active attacks by authorized __________ entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied, and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this __________ computer system, authorized or unauthorized, constitutes consent to monitoring. Unauthorized use of this __________ computer system may subject you to civil litigation and/or criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action. Use of this system constitutes consent to monitoring for all lawful purposes.

11 What To Do (continued)
- Identify source(s) of the attack.
- Record specific damages and losses, including hours spent on recovery (now recoverable under Patriot Act provisions; important for prosecution).
- Prepare for repeat attacks.
- Protecting Mission Critical vs. Proprietary Data
- Theorize - nobody knows your system better than you.
- Determine how the intrusion happened.
- Identify possible subjects and motives.
- Be patient with law enforcement.

12 What NOT To Do
- Do NOT use the compromised systems before preserving any evidence.
- Do not make assumptions as to Federal jurisdiction or prosecutorial merit.
- Do not assume that by ignoring the incident, or damage to your files, it will go away.
- Do not correspond via on a compromised network regarding the incident or the investigation.

13 What to Expect if you call the FBI
- Agents will keep your information confidential.
- Agents will interview key witnesses (IT Managers / Operators).
- Agents may offer assistance in recovering logs and securing systems.
- Agents may seek to identify the individual responsible.
- Possible plea bargaining
- Possible trial
- Sentencing (upon conviction)
- Restitution
- These steps do NOT occur quickly!

14 US strategy
Network Security Issues
Computer Crime Squad

15 Civil, Regulatory, Criminal Issues
- Asset Protection
- Reporting oversight
- Due diligence – protection of other people’s private information
- Due diligence – protection of resources so they won’t be used against someone else

- Sarbanes – Oxley Act of 2002 (accounting)
- Gramm – Leach – Bliley of 1999 (financial)
- Health Insurance Portability & Accountability Act of 1996
- California SB 1386 (companies with clients in California)

19 Prescription: national security standards promoted
- VOLUNTARY adherence (biz)
- Regulation AND/OR civil litigation, insurance
- Information sharing: a. vulnerabilities, threats; b. attacks
11 Feb: ISM Canada, a data management firm and a subsidiary of IBM Canada, is the plaintiff in a class action suit asking for millions of dollars. An ISM employee has been charged by Saskatchewan police with possessing stolen property, a 30 Gig hard drive containing tax records for 43,000 businesses and details of 650,000 clients of Investors Group, Canada’s largest mutual fund. Included as plaintiffs in the suit are the Saskatchewan government and several other companies which also had client information on the drive. (

20 ISACs: Information Sharing & Analysis Centers
- Aviation
- Gas & Oil
- Chemical
- Government
- Electrical Energy
- Information Technology
- Emergency Services
- Telecommunications
- Financial Services
- Transportation (surface)
- Food
- Water
Prior to 9/11 Presidential Decision Directive (PDD) 63 recommended the eight critical infrastructure sectors establish Information Sharing & Analysis Centers (ISACs), but few were created and even fewer were functioning when the 9/11 attack occurred. Following 9/11 more ISACs were formed and all are developing to serve their respective industry. The most developed ISAC appears to be the North American Electrical Reliability Council (NERC), which actively promotes security best practices. Many of the ISACs, such as Financial Services and Telecommunications, appear to have members only among the larger companies in their industry. InfraGard can be useful in filling in the gaps left by ISACs in businesses or organizations not covered by ISACs, and in small businesses which are not members of their industry ISAC.
InfraGard: FBI and private/public sector partnership

21 Diagram of organizations: DHS, NIPC, CIA, Dept of Defense, NSA, Federal Agencies, Federal Lead law enforcement, ISACs, InfraGard

22 www.nipc.gov
FBI Phoenix – Computer Crime Squad

23 Information sharing
- 9700+ members
- 56 FBI offices / chapters
FBI Phoenix – Computer Crime Squad

24 Contact: FBI PHOENIX, SA Tom Liffiton, 602.279.5511 x3105, 602.650.3105

