Why Does the Law Enforcement Industry Need Security Awareness?

Law enforcement is not immune to cyber attacks. In fact, the sector faces multiple threats. How bad is it? We don’t know, and if we did, we wouldn’t tell you, because you could be a cyber criminal reading this and mentally filing the information away with a view to using it against law enforcement in some way in the future.

Suffice to say, law enforcement officials are human and vulnerable to the same social engineering manipulations as are civilians. Security awareness training can help protect them not only on the job, but also at home, where they and their families can be the target of vengeful criminals, hate crimes, and socio-politically motivated attacks.

What Risks / Threats Does the Law Enforcement Sector Face?

  • Ransomware — Over the past years, law enforcement has been increasingly targeted by ransomware attacks. The hazards include the potential loss of evidentiary data, identity theft, and witness intimidation. Computerworld reported that because Texas cops decided not to pay ransomware (around $4000) after an attack on a police department in 2016, a lot of video evidence and documents dating back to 2009 were lost. According to a press release issued by the Cockrell Hill Police Department, “… it was determined that the virus had been introduced onto the network from a spam email that had come from a cloned email address imitating a department issued email address.” Clearly, there was at least one police officer at the station in need of basic security awareness training.
  • Doxxing — PoliceOne.com identifies one of the most common attacks on police officers as doxxing (an attack whereby personal information is made public.) After the headline news-making Ferguson shooting, an international collective of hackers, wittily calling themselves Anonymous, released personal details about police Chief Jon Belmar, including photos of his family, his home address, and his phone number. No more than one would expect from a group called Anonymous.

    PoliceOne responded with some figures which we will publish despite what we said earlier, as they have apparently been published before: “In the context of a substantial rise in police killings from 2015 to 2016, doxxing presents a serious threat to our officers’ safety. NBC News, in an article published at the end of 2016, reported that there had been ‘an increase in total officers shot and killed — a 56 percent spike since last year — and a 250 percent rise in ambush fatalities.’ Nearly one-third of the 64 officers shot in the line of duty in 2016 were victims of ambush attacks.”

  • Terrorism and smart weapons — In the old days, suspicious characters were frisked for weapons like guns or knives. These days, a cell phone can be a lethal weapon and the latest technologies can be purchased online, anonymously.

    The New York Times reported in October 2016 that Kurdish forces in northern Iraq shot down a small drone the size of a model airplane. As they were taking it apart for further examination, it blew up, killing two Kurdish fighters. Simple, commercially available drones, which can be purchased on Amazon, can be easily fitted with a small explosive device, turning them into remotely piloted bombs.

    Today, cyber threats are “global” with an impact beyond national borders. For instance, a drug ring could originate outside national borders, but impact nationally. In an address delivered by Secretary Kelly at George Washington University Center for Cyber and Homeland Security, he said that that one of the greatest threats to cybersecurity came from transnational criminal organizations (TCOs). “If you are a terrorist with an internet connection, like the one on your ever-present cell phone, you can recruit new soldiers, plan attacks, and upload a video calling for jihad with just a few clicks.”

How do you set up a Security Awareness Program in the Law Enforcement Sector?

 Understand the law

Law enforcement officials need first to understand the law regarding the seizure of devices and digital evidence. For instance, in many cases investigators may seize electronic devices without a warrant, but must obtain a warrant in order to conduct a search on the device. A non-disclosure agreement (NDA) may be needed if law enforcement wants information from an Electronic Service Provider (ESP) about a subscriber and doesn’t want the ESP to notify the user that someone is requesting information about their account.

The FBI relies on dark web intelligence firms as frontline investigators in the fight against cybercrime. The problem is that these firms may operate outside the law (even accidentally). If you are collaborating with white hat hackers, you should ensure they understand the law, too.

The controversial Computer Fraud and Abuse Act, or CFAA, is a statute introduced in 1984 to define what exactly constitutes illegal access to a computer system or network. So far, there have been no court cases involving these dark web intelligence firms improperly accessing data hosted on the dark web. Watch this space.

Practice compliance

Law enforcement needs to be above suspicion. To this end, any security awareness program must ensure officials understand compliance issues surrounding security procedures. For instance, social media networking sites like Yahoo! and Facebook have detailed compliance guidelines specifically aimed at law enforcement. A snippet from one of these guidelines: “Yahoo! will be unable to search for and produce deleted material, including email and Group posts, unless such request is received within 24 hours of the deletion and is specifically requested by proper legal process. In most cases where deleted content is requested, Yahoo! will seek reimbursement for any engineer time incurred in connection with the request.” Their hourly rate is not published.

Proactive prevention of ransomware attacks

In 2014, the Tewksbury, Massachusetts police department became a victim of a ransomware attack. The department’s computers slowed down to the extent they were all but inaccessible. According to PoliceOne.com, “One of the most vital tools a police force has to safely carry out its duties – history – had become inaccessible.” Police Chief Timothy Sheehan said: “We went back to pen and paper. Logs were handwritten in the patrol cars, there was no access to the computers in the patrol cars, no access directly to the registry databases to find out if somebody had a lengthy criminal history, or anything like that.”

The Department of Justice has since issued guidelines for critical infrastructure entities to protect against ransomware, including:

  • To improve workforce awareness, the internal security team may test the training of an organization’s workforce with simulated phishing emails.
  • Enable strong spam filters to prevent phishing emails from reaching the end users.
  • Patch operating systems, software, and firmware on devices.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
  • Set anti-virus and anti-malware programs to conduct regular scans automatically.
  • Manage the use of privileged accounts based on the principle of least privilege.
  • Disable macro scripts from office files transmitted via email.
  • Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders.
  • Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
  • Execute operating system environments or specific programs in a virtualized environment.
  • Back up and secure data regularly.
  • Conduct an annual penetration test and vulnerability assessment.

Guard against doxxing

The inpublicsafety.com website reviewed a webinar hosted by American Military University (AMU) as part of its Law Enforcement Webinar Series. The presenter, James Deater, spent more than 23 years as a Maryland State Trooper specializing in wiretaps and other forms of electronic investigation techniques.

Some tips to guard against doxxing:

  • Ensure your software is always up-to-date and use an anti-virus program.
  • Use two-factor authentication for your personal accounts.
  • Try to post as little as possible any personal information about you and your family online.

Security Awareness

During the webinar, Deater discussed ways that officers can proactively remove personal information from the dozens of websites that sell this information. For more information, send an email (using your agency email address) to James Deater (JDeater@apus.edu).

Note: These webinars are only available to current law enforcement officers, crime analysts, and active military personnel. You can sign up here.

Cyber terrorism awareness

Police Magazine has some tips from Soheil Naimi, information security officer for the Los Angeles Sheriff’s Department:

  • Make sure there are multiple layers of protection between a hacker and the agency network, including firewalls, antivirus software, and intrusion detection systems.
  • Ensure there is a unit or at least a person devoted to maintaining cyber security; if necessary, hire from outside.
  • Utilize resources like the FBI’s Cyber Shield Alliance (CSA), which provides law enforcement partners with a catalog of cyber threat reports and tools made available exclusively for the law enforcement community.

Security Awareness Tips & Resources for the Law Enforcement Sector

  • FastCompany.com warns that police departments are more vulnerable to cyber threats as evidence goes digital. Officers who are interacting with digital systems must know the basics of digital evidence preservation— like not turning off a computer at a crime scene that could have encryption enabled — and security, like not putting thumb drives that could have malware on them into police computers. They also need to make sure that the digital tools they use are properly secure, which often means bringing in outside experts to evaluate vendors’ promises and audit police IT systems. In addition, police departments need to think carefully about how to protect data before they collect or store it, including taking into account the risk of insiders abusing legitimate access rights.
  • According to a McAfee Labs report, 2017 Threats Predictions, in the future there will be more cooperation between security vendors and law enforcement agencies to take down cybercriminals. The report found that investigation and prosecution of cybercrime is inversely related to the severity of the crime because these crimes are so much more complex and often cross multiple jurisdictions. New on the block, says the report, are security companies focused on deception, e.g. creating honey pots to trick adversaries with lures to draw them away from more valuable targets, and using alarmed files and drones. In the future, the risk of ransomware may well, thanks to these initiatives, decrease.
  • The Internet Crime Complaint Center (IC3) in 2015 issued an alert warning that law enforcement personnel and public officials may be at an increased risk of cyber attacks. US-Cert provides helpful guidelines specifically for police officers for staying safe on social network sites.
  • National Cyber Security Awareness Month (NCSAM) is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cybersecurity all through the year.

 

References

http://www.metacompliance.com/blog/security-and-policing-why-user-awareness-makes-a-difference-in-law-enforcement/

https://www.dhs.gov/news/2017/04/18/home-and-away-dhs-and-threats-america

https://www.cfr.org/report/cyberattack-us-power-grid

https://www.computerworld.com/article/3163046/security/police-lost-8-years-of-evidence-in-ransomware-attack.html

https://www.scribd.com/embeds/337574421/content?start_page=1&view_mode=scroll&access_key=key-zdTIPidokkaDwvBR7YPj&irgwc=1&content=10079&campaign=Skimbit%2C%20Ltd.&ad_group=111346X1569473Xa49275cbdaa2d1ff877ba1ab8732579c&keyword=ft750noi&source=impactradius&medium=affiliate

https://www.bleepingcomputer.com/news/security/police-department-loses-years-worth-of-evidence-in-ransomware-incident/

https://www.nytimes.com/2016/10/12/world/middleeast/iraq-drones-isis.html

https://www.cyberscoop.com/dark-web-intelligence-fbi-investigations/

https://www.sans.org/reading-room/whitepapers/threatintelligence/artificial-intelligence-law-enforcement-37925

https://www.mcafee.com/us/resources/reports/rp-threats-predictions-2017.pdf

http://ag.nv.gov/uploadedFiles/agnvgov/Content/About/Administration/2008_Archive_ABTC.pdf

https://www.dhs.gov/national-cyber-security-awareness-month

https://www.policeone.com/cyber-attack/articles/371392006–9-cyberattacks-that-threatened-officer-safety-and-obstructed-justice/

https://www.fastcompany.com/3055955/police-departments-are-vulnerable-to-cyber-threats-as-evidence-goes-digital

http://www.iacpcybercenter.org/officers/cyber-crime-investigations/

https://www.eff.org/files/filenode/social_network/yahoo_sn_leg-doj.pdf

https://www.policeone.com/police-trainers/articles/235523006-5-tactics-to-protect-your-police-agency-from-ransomware/

https://www.justice.gov/criminal-ccips/file/872771/download

https://www.infosecinstitute.com/phishsim

https://inpublicsafety.com/2015/09/when-officers-become-the-target-how-to-protect-yourself-from-doxing/

http://www.policemag.com/channel/technology/articles/2014/09/cyber-terrorism-preventing-online-assault.aspx

https://www.policeone.com/cyber-attack/articles/371392006–9-cyberattacks-that-threatened-officer-safety-and-obstructed-justice/

Be Safe

Section Guide

Penny
Hoelscher

View more articles from Penny

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.

Section Guide

Penny
Hoelscher

View more articles from Penny