Cybersecurity Guide for State and Local Law Enforcement
The National Consortium for Advanced Policing (NCAP) recently released the two attached reports, described below, on cyber security and state and local law enforcement:
Cybersecurity Guide for State and Local Law Enforcement. This guide for state and local law enforcement on cybersecurity includes practical information both on how agencies and officers can protect themselves against cyber threats, as well as how they can protect businesses and individuals in their communities from cybercrime and related threats.
Cybersecurity for State and Local Law Enforcement: A Policy Roadmap to Enhance Capabilities
Cybersecurity for State and Local Law Enforcement: A Policy Roadmap to Enhance Capabilities, NCAP-CCHS Issue Brief. This issue brief complements the NCAP guide by proposing a set of policy recommendations about how executive branch agencies, Congress, and state and local legislators can enhance the role and effectiveness of state and local law enforcement with respect to cybersecurity.
Understanding Digital Footprints—Steps to Protect Personal Information for law enforcement
Cybercrime is an ever-growing issue for state, local, tribal, and territorial (SLTT) law enforcement. With advancements in technology, coupled with the oversharing of personal information, law enforcement not only needs to ensure the public’s safety online but also be cognizant of the digital footprint that people are leaving behind.
This document provides material designed to assist law enforcement personnel in protecting themselves and their families from becoming cyber targets: protecting personal information, cyber dos and don’ts, and links to further cyber training and resources.
Cyber Attack Lifecycle
The process by which sophisticated cyber attacks are conducted can be described as a lifecycle. The illustration and following description has been prepared by Mandiant Consulting (a FireEye Company), a provider of incident response and information security consulting services.
Source: Mandiant Consulting, see https://www.fireeye.com/services.html.
Initial Reconnaissance: The attacker conducts research on a target. The attacker identifies targets (both systems and people) and determines his attack methodology. The attacker may look for Internet-facing services or individuals to exploit. The attacker’s research may also involve the following activities:
• Identifying websites that may be vulnerable to web application vulnerabilities
• Analyzing the target organization’s current or projected business activities
• Understanding the target organization’s internal organization and products
• Researching conferences attended by employees
• Browsing social media sites to more effectively identify and socially-engineer employees
Initial Compromise: The attacker successfully executes malicious code on one or more systems. This most likely occurs through social engineering (most often spear phishing), by exploiting a vulnerability on an Internet-facing system, or by any other means necessary.
Establish Foothold: The attacker ensures he maintains continued control over a recently compromised system. This occurs immediately following the initial compromise. Typically, the attacker establishes a foothold by installing a persistent backdoor or downloading additional utilities or malware to the victim system.
Escalate Privileges: The attacker obtains greater access to systems and data. Attackers often escalate their privileges through password hash dumping (followed by password cracking or pass-the-hash attacks); keystroke/credential logging, obtaining PKI certificates, leveraging privileges held by an application, or by exploiting a vulnerable piece of software.
Internal Reconnaissance: The attacker explores the victim’s environment to gain a better understanding of the environment, the roles and responsibilities of key individuals, and to determine where an organization stores information of interest.
Move Laterally: The attacker uses his access to move from system to system within the compromised environment. Common lateral movement methods include accessing network shares, using the Windows Task Scheduler to execute programs, using remote access tools such as PsExec, or using remote desktop clients such as Remote Desktop Protocol (RDP), DameWare, or Virtual Network Computing (VNC) to interact with target systems using a graphical user interface.
Maintain Presence: The attacker ensures continued access to the environment. Common methods of maintaining a presence include installing multiple variants of malware backdoors or by gaining access to remote access services such as the corporate Virtual Private Network (VPN).
Complete Mission: The attacker accomplishes his goal. Often this means stealing intellectual property, financial data, mergers and acquisition information, or Personally Identifiable Information (PII). Once the mission has been completed, most targeted attackers do not leave the environment, but maintain access in case a new mission is directed.
The information provided here is not intended as an endorsement of any business or individual.