RCC’s LP Forum: police investigations and cybercrime
“All of our industries, no matter what the sector, have been affected,” said Detective Sergeant Vern Crowley, cybercrime investigations team, Ontario Provincial Police, during a recent Retail Council of Canada virtual event on loss prevention. “Education, health, large retailers, small and medium businesses across the gamut have been affected.”
In a typical attack, malware is introduced and then escalates its privileges up to root or domain-administrator level “and moves laterally through your network so they can find all your most important data” — not just financial data but also employee records.
Data back-ups are extremely important and should be stored off-network and offline. They should also carry a separate set of credentials and passwords; without this separation, ransomware that reaches the back-ups with the same credentials compromises them just as easily as everything else on the network. Once the malware has found the important data, it exfiltrates what it has found and then encrypts everything, leading to the ransom demand.
Hackers will also do their research prior to an attack, reviewing company websites and social media presence in order to identify whom to target in a phishing or spear-phishing email.
Crowley urged companies to take effective steps ahead of time to minimize the likelihood or impact of a potential attack. For example, delineate resources and ensure only the people who need access to important data are the ones who receive it (e.g., restrict HR file access to HR staff only).
A cyber incident response plan should incorporate everybody in the organization “from the executives all the way down to those that are actually using the technology. Make the plan so it’s easy to follow,” said Crowley.
If an incident does take place, keep a checklist detailing what has happened, which systems have been affected, how long recovery will take, and whether any data has been stolen.
Also preserve any digital evidence such as log files, system event logs, security event logs and firewall logs, and take screen captures during an event (even if it’s just the “blue screen of death”). If your network’s AV protection has been able to quarantine a virus, those quarantined files will be important to an investigation.
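One practical way to preserve the logs Crowley mentions so that they remain usable as evidence is to copy them into a separate evidence directory and record a cryptographic digest of each copy at collection time, so that an investigator can later show the files were not altered. The script below is an added example, not code from the RCC event or the OPP; the manifest layout, the file names and the sample log lines are this example’s own assumptions.

```python
"""Preserve log files as evidence with a SHA-256 integrity manifest.

Added example (not from the article or the OPP). Each source log is copied into
an evidence directory, hashed before and after the copy, and listed in a JSON
manifest with its size, original modification time and digest. The manifest
can later be re-checked to show nothing changed after collection.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed file name for this example


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(sources, evidence_dir, collector="unknown"):
    """Copy each source file into evidence_dir and write an integrity manifest.

    The copy is hashed before and after copying so a truncated or altered copy is
    caught immediately. shutil.copy2 keeps the original mtime, which matters for
    a timeline. Missing files are recorded in the manifest, not silently skipped.
    Returns the manifest dict, which is also written as evidence_dir/manifest.json.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "entries": [],
    }
    for i, src in enumerate(map(Path, sources)):
        entry = {"source": str(src)}
        if not src.is_file():
            entry["error"] = "not found"
            manifest["entries"].append(entry)
            continue
        stored_as = f"{i:03d}_{src.name}"  # index prefix avoids name clashes
        dest = evidence_dir / stored_as
        digest = sha256_file(src)
        shutil.copy2(src, dest)
        if sha256_file(dest) != digest:
            raise RuntimeError(f"copy of {src} does not match the source")
        stat = src.stat()
        entry.update(
            stored_as=stored_as,
            size=stat.st_size,
            mtime=datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            sha256=digest,
        )
        manifest["entries"].append(entry)
    (evidence_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash every stored file; return the names that no longer match."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    bad = []
    for entry in manifest["entries"]:
        if "stored_as" not in entry:
            continue  # a source that was missing at collection time
        path = evidence_dir / entry["stored_as"]
        if not path.is_file() or sha256_file(path) != entry["sha256"]:
            bad.append(entry["stored_as"])
    return bad


def demo():
    """Run the flow on constructed sample logs and return the results."""
    work = Path(tempfile.mkdtemp())
    auth = work / "auth.log"
    fw = work / "firewall.log"
    # Constructed sample lines for this example, not real log data.
    auth.write_text("Jan 12 03:14:07 srv01 sshd[2210]: Accepted password for backup from 10.0.5.23\n")
    fw.write_text("Jan 12 03:15:40 fw01 DROP src=10.0.5.23 dst=203.0.113.9 dport=445\n")
    evidence = work / "evidence"
    manifest = preserve_evidence([auth, fw, work / "missing.log"], evidence, collector="lp-team")
    intact = verify_manifest(evidence)        # [] when nothing has changed
    (evidence / "000_auth.log").write_text("tampered\n")
    after_tamper = verify_manifest(evidence)  # ['000_auth.log']
    return {
        "manifest": manifest,
        "auth_sha256": hashlib.sha256(auth.read_bytes()).hexdigest(),
        "intact": intact,
        "after_tamper": after_tamper,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it once at collection time and keep the manifest alongside the copies (ideally on write-once media handed to the investigators); `verify_manifest` is what you run later, in front of whoever questions whether the logs were edited after the fact.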
Unfortunately, many cybercrimes go unreported, said Crowley, due to concerns about potential reputation damage. But the role of the police is not to judge the readiness of your cybersecurity measures but to identify and catch the cybercriminals. Police involvement can help catch cybercriminals more quickly, preventing them from moving on to other potential victims.
There is great cooperation between police agencies from municipal to provincial to federal to even international in terms of cybercrime investigations, said Crowley. “It’s amazing, the collaboration.”
Evidence gleaned from one case could contribute to a wider investigation, he said, leading to a faster resolution and fewer victims.
In his seminar wrap-up, Detective Sergeant Crowley shared the following tips:
- In order to “target harden”, use a password manager
- Maintain offline back-ups that have a separate set of credentials and passwords
- Update and patch your systems regularly
- Think before you click on suspicious links or emails
- Encrypt your important data while it sits at rest