1 The RCMP Tech Crime Unit & Information Systems Security Presented to: ISSA January 26, 2005

2 E Div. Technological Crime Unit Who / What is the Tech Crime Unit anyway?
–Mandate is:
  to conduct technical analysis of computer storage media
  to conduct investigations of true computer crime (unauthorized access, mischief to data)

3 E Div. Technological Crime Unit Who / What is the Tech Crime Unit anyway?
–Unit created in July 2002 with the subsequent transfer of 5 members
–Unit has grown to its current size of 14 regular members and two support staff

4 E Div. Technological Crime Unit Who / What is the Tech Crime Unit anyway?
–Approx. half of our members have undergrad degrees
–Permanent posting to the Tech Crime Unit requires successful completion of an 18 month understudy program
–Training is always ongoing

5 E Div. Technological Crime Unit Who / What is the Tech Crime Unit anyway?
–Non-personnel resources
  In addition to the RCMP computer equipment, we maintain our own 21 TB SAN to support our technical analysis work.

6 New Laws Criminal Code Production Orders
–These are a court order similar to a general search warrant
  They replace a search warrant in that they do not technically require a search.
  The recipient is required to produce the records when, and in the form, demanded in the production order.
  In the future you may see Preservation Orders

7-9 So…. What do you do when…
–Your data is destroyed
–An unauthorized user has gained access
–Data has been modified
  By an intentional act…

10-12 Priorities Objectives (Primary)
–Maintain the function / operation of your system
–Maintain the integrity of your system
–Prevent further security problems

13-14 Priorities When there is a security breach, it may be too late to start logging.
–MOTTO: Have logging in place; make sure that your business can continue
–Turn on all logging that is possible. Save log files (reports) from all routers possible.

15-16 Secondary Objective When do you call the police?
–When you know (or believe) that you have an intentional security breach (criminal offence)
  A Criminal Code offence requires “intent”.

17-20 Secondary Objective What are the offences?
–Mischief to Data
  Dual procedure offence / maximum 5 years
–Unauthorized Use of Computer (Access)
  Dual procedure offence / maximum 10 years
–Other Criminal Code offences – but not “Theft of Information”

21-22 Secondary Objective What do police require to initiate an investigation?
–A reason to believe that an offence has taken place.
  Obviously, the more information that can be offered, the more quickly we can investigate.

23-26 Secondary Objective When will police take action?
–We do not normally investigate attacks on home computers
–UNLESS:
  Threat of physical harm
  Threat of damage to property
  Related to other serious matter
–We will investigate business related matters
  Threat to livelihood
  Loss of jobs

27-28 Secondary Objective Who do you contact?
–Contact your local police agency (911 is probably not appropriate)
–Advise your local police agency that our unit is available to assist / investigate if they are not able to fully respond.
  We will assign a priority and respond on that basis

29 Other Considerations? Should you notify upstream / downstream?
–That’s your call… What are the risks to the other system / organization?

30-31 Other Considerations? What is the risk to your organization?
–If you notify…
–If you don’t notify…
–What is the ethical thing to do?

32 Other Considerations? Share information
–This is one of the strongest defence mechanisms available

33 How does it work? You’ve suffered (are suffering) an attack You’ve notified the police You’ve notified related organizations for their protection / information NOW WHAT??

34 How does it work? Secure your system (priorities) –Ensure that your business / operation can continue.

35-36 How does it work? To assist police (or civil) investigation:
–Make and keep notes / a chronological journal of events and actions
–Retain all backups
–If possible, remove & retain the current hard drives and restore the system on replacement hard drives.

37 How does it work? If not…
–Obtain and preserve a “bit image” copy of your system at the point that you become aware of the attack.
  Linux dd works well (Ghost would be a second choice)
  Ensure that the destination drive has been ‘wiped’, not just reformatted

38 How does it work? If an image of the system is not possible…
–Make & retain copies of all of the log files possible
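The imaging step on slide 37 and the log preservation on slide 38, written out as an added shell example that is not part of the original presentation. It wipes the destination with zeros and confirms the wipe, images the source with dd, checks the image against the source by SHA-256 (a verification step the slides do not mention but that any investigator will ask for), and copies log files alongside a hash manifest. Regular files stand in for the drives and the router log lines are constructed, so it runs offline without root; against a real system you would point it at the block devices, mounted read-only or behind a hardware write blocker.

```shell
#!/bin/sh
# Added example, not from the RCMP slides. Regular files stand in for the
# drives (/dev/sdX in practice) so this runs offline without root.
set -u

# Overwrite every byte of the destination with zeros. Reformatting only
# rewrites filesystem metadata and leaves old data recoverable, which would
# contaminate the evidence image. On a real device dd simply runs to the end
# of the device; on a file stand-in the write is sized to the file.
wipe_destination() {
    dest="$1"
    size_bytes=$(wc -c < "$dest" | tr -d ' ')
    dd if=/dev/zero of="$dest" bs=512 count=$(( (size_bytes + 511) / 512 )) 2>/dev/null
}

# True when the destination holds no non-zero byte, i.e. the wipe worked.
destination_is_clean() {
    [ -z "$(tr -d '\000' < "$1" | head -c 1)" ]
}

# Bit-for-bit copy. noerror continues past read errors on failing media and
# sync pads the failed block so later offsets stay aligned with the source.
# (The constructed sources below are whole multiples of bs, so the padding
# never changes the image length.)
image_drive() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# SHA-256 of a file; this digest is what goes into the chronological journal.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# The image can only stand in for the drive if the digests match.
verify_image() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# Copy whatever log files can be saved and write a hash manifest beside
# them, so any later change to a copy is detectable.
preserve_logs() {
    logdir="$1"; evidence="$2"
    mkdir -p "$evidence"
    : > "$evidence/MANIFEST.sha256"
    for f in "$logdir"/*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$evidence/"
        printf '%s  %s\n' "$(hash_file "$f")" "$(basename "$f")" >> "$evidence/MANIFEST.sha256"
    done
}

# Re-hash every preserved log against the manifest; fails on any mismatch.
verify_logs() {
    evidence="$1"
    while read -r digest name; do
        [ "$(hash_file "$evidence/$name")" = "$digest" ] || return 1
    done < "$evidence/MANIFEST.sha256"
}

# Walk through the procedure on constructed fixtures: a 1 MiB "evidence
# drive", a previously used destination drive, and two router log files.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence_drive" bs=4096 count=256 2>/dev/null
    dd if=/dev/urandom of="$work/new_drive" bs=4096 count=256 2>/dev/null
    mkdir "$work/logs"
    printf 'Jan 26 09:14:02 rtr1 denied tcp 198.51.100.7:4412 -> 192.0.2.10:445\n' > "$work/logs/router1.log"
    printf 'Jan 26 09:14:05 rtr2 login failed admin from 198.51.100.7\n' > "$work/logs/router2.log"

    if destination_is_clean "$work/new_drive"; then echo "unexpected: destination already blank"; fi
    wipe_destination "$work/new_drive"
    destination_is_clean "$work/new_drive" || { echo "wipe failed"; return 1; }
    image_drive "$work/evidence_drive" "$work/new_drive"
    verify_image "$work/evidence_drive" "$work/new_drive" || { echo "image digest mismatch"; return 1; }
    echo "image verified, sha256 $(hash_file "$work/new_drive")"
    preserve_logs "$work/logs" "$work/evidence_logs"
    verify_logs "$work/evidence_logs" || { echo "log manifest mismatch"; return 1; }
    echo "logs preserved: $(wc -l < "$work/evidence_logs/MANIFEST.sha256" | tr -d ' ') entries in manifest"
    rm -rf "$work"
}

demo
```

The manifest uses the two-space "digest  filename" layout that sha256sum itself emits, so a third party can recheck the copies later with `sha256sum -c MANIFEST.sha256` without this script. Record the image digest in the journal at the time it is taken; a digest produced months later proves nothing about what the drive held on the day of the attack.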

39 How does it work? Police investigation can take considerable time. –Jurisdictional issues may prevent prosecution

40-41 How does it work? IF we go to court….
–Detailed statements from all persons will be required.
  These are of much better quality, and easier to take, if notes were kept from the time of the attack.
–Court will likely be a year or two away and will be at least a week in duration.

42 How does it work? Disclosure…
–Police and Crown Prosecutors will have to disclose ALL evidence upon which the case relies
  Exception: Confidential information

43-46 How does it work? Confidential Information…
–This must be dealt with on a case by case basis.
–Disclosure may be limited to only a portion of the confidential information
–Disclosure may be made to a third party
–In a ‘worst case’ scenario a decision may have to be made to proceed with or withdraw from the prosecution

47 Don’t be a “Client” Enough about “when you suffer an attack” How can you prevent “an attack”??

48-51 Don’t be a “Client” The boring and the usual!….
–Keep your service packs (software) up to date
–Ensure your authentication system is current and meets your security requirements
–TEST YOUR BACKUP / DISASTER RECOVERY!!!

52-55 Don’t be a “Client” Do you have policy?…
–Separation of Duties
–Required authentication
–Employee Termination procedures
  A check list might be helpful

56 Don’t be a “Client” Are your employees aware of your policy?
–Can they report a problem to a confidential person… and do they know who that person is?

57 Don’t be a “Client” Have you had an independent review of your policies / security / disaster recovery?
–A fresh look can be invaluable

58-59 Don’t be a “Client” Where’s the threat?
–A vulnerable system will eventually be hit from an external source
–A secure system may also be hit from an internal source

60 Don’t be a “Client” Information from my contacts in private industry as well as my experience indicates…
–You are at least as likely to be compromised from an internal threat as from an external threat.

61 Don’t be a “Client” We are happy to respond to your request for an investigation….
–We sincerely hope that you don’t have to call!!

62 Don’t be a “Client” S/Sgt. Bruce Imrie, Regional Coordinator, Vancouver Integrated Technological Crime Unit
ITCU Lab: 604-598-4087
Unit Pager: 604-473-2858
Email: bruce.imrie@rcmp-grc.gc.ca
