Troubleshooting Security Issues

Addressing Security Issues/Digital Forensics

• Troubleshooting common security issues involves:
  • Responding to security incidents
  • Investigating security incidents
  • Access control issues
  • Encryption issues
  • Data exfiltration
  • Anomalies in event logs
  • Security configuration issues
  • Software issues
  • Personnel issues
  • Asset management issues
  • Incident response plans

Access Control Issues

• Troubleshooting tactics:
  • Check for configuration changes to authentication mechanisms
  • Ensure authentication servers can communicate over the network
  • Ensure users are given proper access rights and are in the right groups
  • Check if accepted credentials align with the user's presented credentials
  • Check for configuration changes to authorization mechanisms
  • Ensure permissions are designed to adhere to the principle of least privilege
  • Ensure users and groups don't have access to resources they shouldn't

Encryption Issues

• Troubleshooting tactics:
  • Ensure secure remote protocols like SSH are used
  • Ensure web-based communication is secured using SSL/TLS
  • Ensure users know not to store passwords in plaintext
  • Ensure custom apps encrypt data at rest, in transit, and in use
  • Check if a certificate is out of date
  • Ensure certificates use strong algorithms like SHA-256 and RSA
  • Ensure key management program adheres to established rules
  • Ensure private keys are not stored in locations accessible to attackers

Data Exfiltration

• Definition: The process by which an attacker takes data stored inside a private network and moves it to an external network
• Victim no longer has complete control over data
• Troubleshooting tactics:
  • Incorporate a DLP solution
  • Encrypt all data at rest
  • Maintain offsite backups
  • Ensure systems with sensitive data are access controlled
  • Restrict network channels usable for outbound traffic

Anomalies in Event Logs

• Reviewing logs is an important part of any security assessment architecture
• Troubleshooting tactics:
  • Scan logs for anomalies such as multiple consecutive authentication failures
  • Unscheduled changes to a system's configuration
  • Excessive or unexplained critical system/application failures
  • Excessive consumption of bandwidth recorded in network device logs
  • Sequencing errors or gaps in the event log

Security Configuration Issues

• Network device issues:
  • Ensure WAPs are implementing WPA with strong passphrase
  • Ensure RADIUS clients/servers are connected
  • Ensure no other signals are interfering with WAP
  • Ensure wired AP is physically segmented from public areas
• Firewall issues:
  • Ensure inbound rules are set to implicit deny
  • Ensure outbound rules are configured according to policy
  • Ensure legitimate ports/IP addresses are blocked on the outbound
• Content filter issues:
  • Ensure blacklisted content doesn't overlap with legitimate content
  • Ensure whitelist is comprehensive
  • Ensure filter can correctly identify unwanted content
• Intrusion detection issues:
  • Ensure IDS rules are customized to fit the organization
  • Ensure IDS rules are not too broadly or narrowly defined
  • Ensure IDS is positioned to detect traffic from all expected segments

Software Issues

• Unauthorized software:
  • Check event logs to determine when the software was installed
  • Check event logs and browsing history to determine the source of software
  • Place the software in a sandbox before analyzing its running state
  • Conduct an anti-malware scan
• Unlicensed software:
  • Determine what functionality is lost and its impact on the business
  • Check if other software can compensate for the loss in functionality
  • Contact vendor and purchase the appropriate licenses
  • Determine if any patches are available
• Outdated software:
  • Consider removing the vulnerable software if it is too much of a risk
  • Consider replacing the outdated software with an alternative
  • Consult patch management policy to determine the best way to apply patches

Personnel Issues

• Policy violations:
  • Determine the policy item that was violated
  • Bring the violation to the person's attention and make suggestions
  • Develop a training program to better inform personnel on policy
• Social media and personal email use:
  • Ensure personnel understand the effects of divulging info on social media and personal email
  • Incorporate DLP to prevent sensitive info being sent over personal email
  • Limit social media and personal email use at the office through policy
  • Train users to spot social engineering attempts
• Insider threat:
  • Establish what info and access a person may be able to give to attackers
  • Uphold the principle of least privilege to minimize social engineering effects
  • Employ personnel management to avoid one person having too much power
  • Regularly review and audit privileged users' activities

Asset Management Issues

• Definition: The process of taking inventory of and tracking all of the organization's valuable objects
• Troubleshooting tactics:
  • Ensure all assets are using barcodes, passive RFID, or other tracking systems
  • Ensure there is a process for tagging newly acquired or developed assets
  • Ensure there is a process for removing obsolete assets
  • Check to see if any assets have conflicting IDs
  • Check to see if any assets have inaccurate metadata
  • Ensure asset management software can read and interpret tags
  • Update asset management software as needed

Incident Response Plans

• Definition: A document or series of documents that describe procedures for detecting, responding to, and minimizing the effects of security incidents
• Components:
  • IRT establishment and maintenance
  • Documented list of what constitutes a security incident
  • Definitions for each category or type
  • Step-by-step processes to follow when an incident occurs
  • Roles and responsibilities for IRT members
  • Reporting requirements
  • Escalation parameters
  • Testing and validation measures
  • Tabletop exercises
  • Functional exercises

First Responders

• Definition: The first experienced person or a team of trained professionals who arrive at the scene of an incident
• Roles:
  • Security professional
  • Human resources professional
  • IT support professional

Incident Report

• Definition: A report that includes a description of the events that occurred during a security incident
• Components:
  • The Basic Forensic Process
  • Preservation of forensic data
  • Receipt of legal hold
  • Detailed descriptions of scope of preserved information
  • Data custodian must acknowledge and preserve data
  • Establishment of audit trail
  • Forensic evidence must be verifiable

Basic Forensic Process

• Phases:
  • Collection
  • Examination
  • Analysis
  • Reporting
• Description:
  • Identify the attacked system and label it
  • Record and acquire details from all related personnel
  • Maintain the integrity of the data
  • Use automated and manual methods to forensically process collected data
  • Assess and extract the evidence
  • Analyze the results of the examination phase
  • Obtain useful information that justifies the reason for the collection and examination
  • Report the results of the forensic analysis

Preservation of Forensic Data

• Definition: A process designed to preserve all relevant information when litigation is reasonably expected to occur
• Components:
  • Legal hold
  • Receipt of legal hold
  • Preservation of information
  • Establishment of audit trail
  • Data custodian must acknowledge and preserve data

Basic Forensic Response Procedures

• Procedures:
  • Capture forensic image and memory
  • Examine network traffic and logs
  • Capture video evidence
  • Determine the exact time an event took place
  • Record the time offset
  • Order of volatility

Chain of Custody

• Definition: The record of evidence handling from collection, to presentation in court, to disposal
• Components:
  • Collection
  • Analysis
  • Presentation in court
  • Disposal

Computer Forensics

• Definition: The practice of collecting and analyzing data from computing devices and potentially presenting the information as a form of evidence in a court of law
• Deals primarily with recovery and investigation of evidence
• Still an emerging field
• Blend of legal elements and computer science
• Some investigations are conducted without the involvement of legal action