Podcast
Questions and Answers
What are some troubleshooting tactics for access control issues?
What are some troubleshooting tactics for access control issues?
Anomalies in event logs are not important in security assessments.
Anomalies in event logs are not important in security assessments.
False
Data exfiltration involves the process of moving data from inside a private network to an external network, when the victim no longer has complete control over the _______.
Data exfiltration involves the process of moving data from inside a private network to an external network, when the victim no longer has complete control over the _______.
data
Match the following phases of the Basic Forensic Process with their descriptions:
Match the following phases of the Basic Forensic Process with their descriptions:
Signup and view all the answers
Study Notes
Addressing Security Issues/Digital Forensics
- Troubleshooting common security issues involves:
- Responding to security incidents
- Investigating security incidents
- Access control issues
- Encryption issues
- Data exfiltration
- Anomalies in event logs
- Security configuration issues
- Software issues
- Personnel issues
- Asset management issues
- Incident response plans
Access Control Issues
- Troubleshooting tactics:
- Check for configuration changes to authentication mechanisms
- Ensure authentication servers can communicate over the network
- Ensure users are given proper access rights and are in the right groups
- Check if accepted credentials align with the user's presented credentials
- Check for configuration changes to authorization mechanisms
- Ensure permissions are designed to adhere to the principle of least privilege
- Ensure users and groups don't have access to resources they shouldn't
Encryption Issues
- Troubleshooting tactics:
- Ensure secure remote protocols like SSH are used
- Ensure web-based communication is secured using SSL/TLS
- Ensure users know not to store passwords in plaintext
- Ensure custom apps encrypt data at rest, in transit, and in use
- Check if a certificate is out of date
- Ensure certificates use strong algorithms like SHA-256 and RSA
- Ensure key management program adheres to established rules
- Ensure private keys are not stored in locations accessible to attackers
Data Exfiltration
- Definition: The process by which an attacker takes data stored inside a private network and moves it to an external network
- Victim no longer has complete control over data
- Troubleshooting tactics:
- Incorporate a DLP solution
- Encrypt all data at rest
- Maintain offsite backups
- Ensure systems with sensitive data are access controlled
- Restrict network channels usable for outbound traffic
Anomalies in Event Logs
- Reviewing logs is an important part of any security assessment architecture
- Troubleshooting tactics:
- Scan logs for anomalies such as multiple consecutive authentication failures
- Unscheduled changes to a system's configuration
- Excessive or unexplained critical system/application failures
- Excessive consumption of bandwidth recorded in network device logs
- Sequencing errors or gaps in the event log
Security Configuration Issues
- Network device issues:
- Ensure WAPs are implementing WPA with strong passphrase
- Ensure RADIUS clients/servers are connected
- Ensure no other signals are interfering with WAP
- Ensure wired AP is physically segmented from public areas
- Firewall issues:
- Ensure inbound rules are set to implicit deny
- Ensure outbound rules are configured according to policy
- Ensure legitimate ports/IP addresses are blocked on the outbound
- Content filter issues:
- Ensure blacklisted content doesn't overlap with legitimate content
- Ensure whitelist is comprehensive
- Ensure filter can correctly identify unwanted content
- Intrusion detection issues:
- Ensure IDS rules are customized to fit the organization
- Ensure IDS rules are not too broadly or narrowly defined
- Ensure IDS is positioned to detect traffic from all expected segments
Software Issues
- Unauthorized software:
- Check event logs to determine when the software was installed
- Check event logs and browsing history to determine the source of software
- Place the software in a sandbox before analyzing its running state
- Conduct an anti-malware scan
- Unlicensed software:
- Determine what functionality is lost and its impact on the business
- Check if other software can compensate for the loss in functionality
- Contact vendor and purchase the appropriate licenses
- Determine if any patches are available
- Outdated software:
- Consider removing the vulnerable software if it is too much of a risk
- Consider replacing the outdated software with an alternative
- Consult patch management policy to determine the best way to apply patches
Personnel Issues
- Policy violations:
- Determine the policy item that was violated
- Bring the violation to the person's attention and make suggestions
- Develop a training program to better inform personnel on policy
- Social media and personal email use:
- Ensure personnel understand the effects of divulging info on social media and personal email
- Incorporate DLP to prevent sensitive info being sent over personal email
- Limit social media and personal email use at the office through policy
- Train users to spot social engineering attempts
- Insider threat:
- Establish what info and access a person may be able to give to attackers
- Uphold the principle of least privilege to minimize social engineering effects
- Employ personnel management to avoid one person having too much power
- Regularly review and audit privileged users' activities
Asset Management Issues
- Definition: The process of taking inventory of and tracking all of the organization's valuable objects
- Troubleshooting tactics:
- Ensure all assets are using barcodes, passive RFID, or other tracking systems
- Ensure there is a process for tagging newly acquired or developed assets
- Ensure there is a process for removing obsolete assets
- Check to see if any assets have conflicting IDs
- Check to see if any assets have inaccurate metadata
- Ensure asset management software can read and interpret tags
- Update asset management software as needed
Incident Response Plans
- Definition: A document or series of documents that describe procedures for detecting, responding to, and minimizing the effects of security incidents
- Components:
- IRT establishment and maintenance
- Documented list of what constitutes a security incident
- Definitions for each category or type
- Step-by-step processes to follow when an incident occurs
- Roles and responsibilities for IRT members
- Reporting requirements
- Escalation parameters
- Testing and validation measures
- Tabletop exercises
- Functional exercises
First Responders
- Definition: The first experienced person or a team of trained professionals who arrive at the scene of an incident
- Roles:
- Security professional
- Human resources professional
- IT support professional
Incident Report
- Definition: A report that includes a description of the events that occurred during a security incident
- Components:
- The Basic Forensic Process
- Preservation of forensic data
- Receipt of legal hold
- Detailed descriptions of scope of preserved information
- Data custodian must acknowledge and preserve data
- Establishment of audit trail
- Forensic evidence must be verifiable
Basic Forensic Process
- Phases:
- Collection
- Examination
- Analysis
- Reporting
- Description:
- Identify the attacked system and label it
- Record and acquire details from all related personnel
- Maintain the integrity of the data
- Use automated and manual methods to forensically process collected data
- Assess and extract the evidence
- Analyze the results of the examination phase
- Obtain useful information that justifies the reason for the collection and examination
- Report the results of the forensic analysis
Preservation of Forensic Data
- Definition: A process designed to preserve all relevant information when litigation is reasonably expected to occur
- Components:
- Legal hold
- Receipt of legal hold
- Preservation of information
- Establishment of audit trail
- Data custodian must acknowledge and preserve data
Basic Forensic Response Procedures
- Procedures:
- Capture forensic image and memory
- Examine network traffic and logs
- Capture video evidence
- Determine the exact time an event took place
- Record the time offset
- Order of volatility
Chain of Custody
- Definition: The record of evidence handling from collection, to presentation in court, to disposal
- Components:
- Collection
- Analysis
- Presentation in court
- Disposal
Computer Forensics
- Definition: The practice of collecting and analyzing data from computing devices and potentially presenting the information as a form of evidence in a court of law
- Deals primarily with recovery and investigation of evidence
- Still an emerging field
- Blend of legal elements and computer science
- Some investigations are conducted without the involvement of legal action
Studying That Suits You
Use AI to generate personalized quizzes and flashcards to suit your learning preferences.
Description
Identify and respond to security incidents, troubleshoot common issues, and investigate access control problems. Learn tactics to ensure authentication and access rights.