
FBI Phoenix



Presentation Transcript


  1. Incident Response Planning, Law Enforcement Issues, and THE BIG PICTURE
     FBI Phoenix Computer Crime Squad

  2. Denial of Service • Child Pornography • Identity Theft • Pornography • Internet Fraud • Warez • E-mail Threats • Spam • 419 Nigerian Scam E-mail • Viruses, Worms, Malicious Code • Unauthorized Access

  3. ISO 17799 STANDARDS
     • Security Policy
     • Security Organization
     • Asset classification and control
     • Personnel Security
     • Physical and environmental security
     • Communications and operations management
     • Access Control
     • Systems Development and maintenance
     • Business Continuity Management
     • Compliance (HIPAA) (Gramm-Leach-Bliley)

  4. EDUCATION / SOCIAL ENGINEERING

  5. Anatomy of a Cyber Incident
     • Incident is discovered/reported
     • Activate: Incident Management Team
     • Notify: Security, Legal, Law Enforcement

  6. Incident Management Team
     • Created prior to the incident
     • Protocols pre-defined
     • One person in charge
     • One person responsible for evidence
     • Team may cover shifts

  7. Keep a log of events & document loss
     • Document what you know, when you know it, who knows, what you do, and who does it (think testimony)
     • Document loss: resources used, lost revenues, cost of consultants, equipment cost (think testimony)

  8. Evidence
     • Hard drives
     • Backup data
     • Security logs
     • Event logs
     • Initialed, dated, documented
     • Employment records
     • Think proof of story.

  9. What to do during/after an Incident
     • Audit trails & logging: what logs were active at the time of the attack?
     • Begin keystroke monitoring
     • Consent to Monitor (banner in place?)
     • SysAdmin Monitoring Authority: can be used even absent consent or a warning banner
     • Identify and recover available evidence: system log files, system images, altered/damaged files, intruders’ files, network logs (routers, SNMP, etc.), traditional evidence
     • Secure evidence and maintain simple “chain-of-custody” records
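Slides 7 through 9 ask for an event log that records who did what and when, evidence that is initialed and dated, and simple chain-of-custody records. The following is an added example, not material from the presentation, of what a minimal chain-of-custody record looks like in code: each evidence item is fingerprinted with SHA-256 at collection time, every hand-off is timestamped and attributed to a named person, and a later verification step re-hashes the item so that any alteration after seizure is caught and recorded rather than silently accepted. The file contents, names and item ids are constructed for the demo.

```python
"""Minimal chain-of-custody log for evidence items (added example, not FBI material)."""
import hashlib
import json
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample evidence content (not a real log line from any system).
SAMPLE_LINE = "Jan 01 00:00:01 host sshd[123]: Failed password for root from 192.0.2.1 port 4444 ssh2\n"


@dataclass
class CustodyEvent:
    timestamp: str   # UTC, ISO-8601, so the order of events is unambiguous in testimony
    action: str      # "collected", "transferred" or "verified"
    person: str      # who performed the action (the person who may later have to testify)
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    sha256: str      # fingerprint taken at collection; later copies are checked against it
    size_bytes: int
    events: list = field(default_factory=list)


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def now_utc():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def collect(item_id, description, path, person):
    """Record the initial seizure: hash, size, collector and source location."""
    p = Path(path)
    item = EvidenceItem(item_id, description, sha256_file(p), p.stat().st_size)
    item.events.append(CustodyEvent(now_utc(), "collected", person, f"source={p.name}"))
    return item


def transfer(item, from_person, to_person, note=""):
    """Record a hand-off; the receiving person becomes the current custodian."""
    item.events.append(CustodyEvent(now_utc(), "transferred", to_person,
                                    f"from={from_person} {note}".strip()))


def verify(item, path, person):
    """Re-hash a copy of the item and record whether it still matches the original."""
    ok = sha256_file(path) == item.sha256
    item.events.append(CustodyEvent(now_utc(), "verified", person,
                                    "hash matches" if ok else "HASH MISMATCH"))
    return ok


def export_log(items):
    """Serialize the full custody history so it can be attached to the incident log."""
    return json.dumps([asdict(i) for i in items], indent=2)


def demo():
    """Collect a constructed log file, hand it off, verify it, then detect tampering."""
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "auth.log"
        log.write_text(SAMPLE_LINE)                       # constructed evidence file
        item = collect("EV-0001", "auth.log from host (constructed)", log, "J. Doe (SysAdmin)")
        transfer(item, "J. Doe (SysAdmin)", "R. Roe (Evidence custodian)", "sealed in bag #1")
        intact = verify(item, log, "R. Roe (Evidence custodian)")
        log.write_text("tampered\n")                      # simulate post-seizure alteration
        still_intact = verify(item, log, "R. Roe (Evidence custodian)")
        return item, intact, still_intact


if __name__ == "__main__":
    item, intact, still_intact = demo()
    print(export_log([item]))
    print("first verification:", intact, "after tampering:", still_intact)
```

The design choice worth noting is that the hash is taken once, at collection, and never updated: a verification that fails is appended to the history as a mismatch rather than replacing the original fingerprint, so the record shows both that the item changed and when that was discovered.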

  10. Example Banner This is a ___________ computer system. Before processing classified and/or sensitive but unclassified information, check the security accreditation level of this system. Do not process, store, or transmit information classified above the accreditation level of this system. This computer system, including all related equipment, networks, and network devices (including Internet access) are provided only for authorized ___________ use. _________ computer systems may be monitored for all lawful purposes, including to ensure their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Monitoring includes, but is not limited to, active attacks by authorized __________ entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied, and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this __________ computer system, authorized or unauthorized, constitutes consent to monitoring. Unauthorized use of this __________ computer system may subject you to civil litigation and/or criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action. Use of this system constitutes consent to monitoring for all lawful purposes.
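Slide 9 asks "Consent to Monitor (banner in place?)", and slide 10 shows the banner text; neither says how to confirm the banner is actually served. The following is an added example, not part of the presentation, that audits an OpenSSH server configuration for an effective `Banner` setting. It assumes a Linux host running OpenSSH, where the banner text (such as the one above) would live in a file like `/etc/issue.net` referenced by `sshd_config`. The check applies OpenSSH's documented rule that the first value given for a keyword wins, treats a commented-out or `none` value as no banner, and ignores settings inside a `Match` block because those apply only conditionally. The configuration snippets are constructed.

```python
"""Audit sshd_config text for an effective consent banner (added example)."""

# Constructed sshd_config fragments covering the common ways a banner ends up missing.
SAMPLES = {
    "default-commented": "#Banner none\nPort 22\n",
    "explicit-none": "Banner none\n",
    "banner-set": "Port 22\nBanner /etc/issue.net\n",
    "first-wins": "Banner none\nBanner /etc/issue.net\n",          # first value is kept by sshd
    "only-in-match": "Match Address 10.0.0.0/8\n    Banner /etc/issue.net\n",
    "equals-form": "Banner=/etc/issue.net\n",                        # keyword=value form is accepted
}


def banner_path(sshd_config_text):
    """Return the globally effective Banner path, or None if no banner is configured.

    Follows OpenSSH semantics: comments are ignored, the first occurrence of a
    keyword is the one used, 'none' disables the banner, and everything after a
    Match line is conditional (so it is not counted as a global setting here).
    """
    in_match = False
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            in_match = True        # remaining lines belong to Match blocks
            continue
        if in_match:
            continue
        if key == "banner":
            return None if value.lower() == "none" else value
    return None


def audit(configs):
    """Map each config name to True if a consent banner is in place, else False."""
    return {name: banner_path(text) is not None for name, text in configs.items()}


if __name__ == "__main__":
    for name, ok in audit(SAMPLES).items():
        print(f"{name:20s} banner in place: {ok}")
```

In practice the same function is run on the contents of the host's real `sshd_config`, and the file it names should be checked to contain the approved consent text; the point of the `first-wins` and `only-in-match` cases is that a banner line being present in the file is not the same as the banner being in effect.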

  11. What To Do (continued)
     • Identify source(s) of the attack.
     • Record specific damages and losses, including hours spent on recovery (now recoverable under Patriot Act provisions; important for prosecution).
     • Prepare for repeat attacks.
     • Protecting Mission Critical vs. Proprietary Data
     • Theorize: nobody knows your system better than you.
     • Determine how the intrusion happened.
     • Identify possible subjects and motives.
     • Be patient with law enforcement.

  12. What NOT To Do
     • Do NOT use the compromised systems before preserving any evidence.
     • Do not make assumptions as to Federal jurisdiction or prosecutorial merit.
     • Do not assume that by ignoring the incident, or damage to your files, it will go away.
     • Do not correspond via E-mail on a compromised network regarding the incident or the investigation.

  13. What to Expect if you call the FBI
     • Agents will keep your information confidential.
     • Agents will interview key witnesses (IT Managers / Operators).
     • Agents may offer assistance in recovering logs and securing systems.
     • Agents may seek to identify the individual responsible.
     • Possible plea bargaining
     • Possible trial
     • Sentencing (upon conviction)
     • Restitution
     These steps do NOT occur quickly!

  14. Network Security Issues: US strategy

  15. Civil, Regulatory, Criminal Issues:
     • Asset Protection
     • Reporting oversight
     • Due diligence – protection of other people’s private information
     • Due diligence – protection of resources so they won’t be used against someone else
     Sarbanes–Oxley Act of 2002 (accounting)
     Gramm–Leach–Bliley Act of 1999 (financial)
     Health Insurance Portability & Accountability Act of 1996
     California SB 1386 (companies with clients in California)

  16. National prescription
     • Security standards promoted
     • VOLUNTARY adherence (business)
     • Regulation AND/OR civil litigation, insurance
     • Information sharing: a. vulnerabilities, threats; b. attacks

  17. ISACs: Information Sharing & Analysis Centers
     InfraGard: FBI and private/public sector partnership

  18. (Diagram of the information-sharing landscape.) Entities shown: CIA, Dept of Defense, ISACs, DHS, NSA, NIPC, Federal Agencies, Federal Lead Agencies, law enforcement, InfraGard

  19. FBI Phoenix – Computer Crime Squad
     www.nipc.gov

  20. 56 FBI offices • 79 chapters • 9700+ members • information sharing

  21. Contact
     SA Tom Liffiton
     602.279.5511 x3105
     602.650.3105
     tliffiton@fbi.gov
     FBI PHOENIX
