Module 10:
In the world of cybersecurity, it’s not a matter of “if” but “when” a security incident occurs. Being prepared to address these incidents is essential for safeguarding an organization’s data and reputation. In this post, we’ll explore the key principles, strategies, and best practices for addressing incidents as part of your CompTIA Security+ cybersecurity journey.
Addressing Security Issues
- Troubleshoot Common Security Issues
- Respond to Security Incidents
- Investigate Security Incidents
Access Control Issues
| Access Issue | Troubleshooting Tactic |
|---|---|
| Authentication Issues | Check for configuration changes to authentication mechanisms. Ensure authentication servers can communicate over the network. Ensure users are given proper access rights and are in the right groups. Check if accepted credentials align with the users presented credentials. |
| Permissions issues | Check for configuration changes to authorization mechanisms. Ensure users are in groups that provide appropriate level of access. Ensure that objects are supporting relevant permissions for subjects. Design permissions to adhere to principle of least privilege. |
| Access violations | Ensure users and groups dont have access to resources they shouldnt. Check directory structure for unknown or suspicious accounts. Disable unused accounts. Check if an accounts privileges have been elevated. |
Encryption Issues
| Encryption Issue | Troubleshooting Tactic |
|---|---|
| Unencrypted credentials | Ensure you are using secure remote protocols like SSH. Ensure your web-based communication is secured using SSL/TLS. Ensure users know not to store passwords in plaintext. Ensure your custom apps encrypt data at rest, in transit, and in use. |
| Certificate issues | Check to see if a certificate is out of date. Ensure you are receiving CRLs in case a certificate is revoked. Ensure certificates use strong algorithms like SHA-256 and RSA. Check if certificate chain is installed on server and client. |
| Key management issues | Ensure key management program adheres to established rules for access. Ensure private keys are not stored in locations accessible to attackers. Ensure keys are backed up to removable media in case of system failure. |
Data Exfiltration
The process by which an attacker takes data stored inside a private network and moves it to an external network.
- Victim no longer has complete control over data.
Attackers may not destroy or ransom data if they’re just interested in the secrets.
- May do so if the attacker is interested in damaging or blackmailing the victim.
- Closely related to data loss/leakage.
Troubleshooting tactics:
- Incorporate a DLP solution.
- Encrypt all data at rest.
- Maintain offsite backups.
- Ensure systems with sensitive data are access controlled.
- Check if access controls arent restrictive enough.
- Restrict network channels usable for outbound traffic.
- Disconnect archived data systems from the network.
Anomalies in Event Logs
- Reviewing logs is an important part of any security assessment architecture.
- Behavior that differs from whats expected may indicate an issue.
Scan logs for anomalies such as:
- Multiple consecutive authentication failures.
- Unscheduled changes to a systems configuration.
- Excessive or unexplained critical system/application failures.
- Excessive consumption of bandwidth recorded in network device logs.
- Sequencing errors or gaps in the event log.
Security Configuration Issues
| Network Device | Troubleshooting Tactic |
|---|---|
| Access point | Ensure that WAPs are implementing WPA with strong passphrase. Check RADIUS clients/servers for connectivity. Ensure no other signals are interfering with WAP. Ensure wired AP is physically segmented from public areas. |
| Firewall | Check inbound/outbound rules to determine is rule is present. Ensure inbound rules are set to implicit deny. Ensure outbound rules are configured according to policy. Check to see legitimate ports/IP addresses are blocked on the outbound. |
| Content filter | Check if content filter is whitelisting or blacklisting. Ensure blacklisted content doesnt overlap with legitimate content. Ensure whitelist is comprehensive. Ensure filter can correctly identify unwanted content. |
| Intrusion detection system | Check if IDS rules are too broadly or narrowly defined. Ensure IDS rules are customized to fit organization. Check if IDS is positioned to detect traffic from all expected segments. Ensure IDS is configured to alert personnel. |
Baseline Deviations
When troubleshooting baseline deviations, keep in mind:
- The state of a system will drift over time due to normal operations.
- Updates may cause the baseline to be outdated.
- Deviations that are the result of an attack may be subtle.
- Enforcing baselines on workstations requires strict access control to be effective.
- Quickly address multiple critical systems with the same or similar deviation.
- The nature of a baseline deviation may reveal malicious intent.
Software Issues
| Issue | Troubleshooting Tactic |
|---|---|
| Unauthorized Software | Check the event logs to determine when the software was installed. Check event logs and browsing history to determine the source of the software. Place the software in a sandbox before analyzing its running state. Conduct an anti-malware scan. |
| Unlicensed Software | Determine what functionality is lost and its impact on the business. Check if other software can compensate for the loss in functionality. Contact vendor and purchase the appropriate licenses. |
| Outdated Software | Determine if any patches are available. Consult patch management policy to determine best way to apply patches. Consider removing the vulnerable software if deemed to much of a risk. Consider replacing the outdated software with an alternative. |
Personnel Issues
| Issue | Troubleshooting Tactic |
|---|---|
| Policy Violation | Determine the policy item that was violated. Bring the violation to the persons attention and make suggestions. Develop a training program to better inform personnel on policy. |
| Social Media and Personal Email Use | Ensure personnel understand the effects of divulging info on social media. Incorporate DLP to prevent sensitive info being sent over personal email. Limit social media and personal email use at the office through policy. |
| Social Engineering | Train users to spot social engineering attempts. Establish what info and access a person may be able to give to attackers. Uphold principle of least privilege to minimize social engineering effects. |
| Insider threat | Employ personnel management to avoid one person having too much power. Regularly review and audit privileged users activities. Conduct exit interviews and thoroughly off-board terminated personnel. |
Asset Management Issues
The process of taking inventory and tracking all of an organization’s valuable objects.
- Involves collecting and analyzing information about assets.
- Can help an organization make better decisions to achieve business goals.
- Process may fail to track objects, or store inaccurate information about objects.
Troubleshooting Tactics:
- Ensure all assets are using barcodes, passive RFID, or other tracking systems
- Ensure there is a process for tagging newly acquired or developed assets.
- Ensure there is a process for removing obsolete assets.
- Check to see if any assets have conflicting IDs.
- Check to see if any assets have inaccurate metadata.
- Ensure asset management software can read and interpret tags.
- Update asset management software as needed.
Handling Incidents
Incident Response is the practice of using an organized methodology to address and manage security breaches and attacks, while limiting damage and reducing recovery costs.
Incident Preparation
- Establish the foundation for effecting incident response.
- Establishment of organizational policy.
- Creation of response plan/strategy.
- Formation of communications plan.
- Establishment of documentation requirements.
- Formation of incident response team (IRT).
- Ensuring IRT has necessary access and resources.
- Education of IRT and other staff
Incident Detection and Analysis
- Identify deviations from normal operations and if they constitute an incident.
- Establishment of baselines and identifying resources that indicate deviation.
- Comparing of deviations to established metrics.
- Notification of IRT and establishment of communication channels.
- Selection of incident handlers.
- Ensuring that incident handlers document detection process.
Incident Containment
- Limit losses and prevent further damage.
- Short-term containment, e.g., network isolation.
- System backup to create duplicates of critical system images.
- Long-term containment, e.g., taking systems offline for repair.
Incident Eradication
- Remove or restore affected systems.
- Take steps necessary to return systems to operation.
- Implement additional security controls.
- Update incident documentation.
Incident Recovery
Bring affected systems back into the production environment.
- Time frame for operations to be restored.
- Testing tools and measures to ensure system functionality.
- Time frame for monitoring systems for anomalies.
Lessons Learned
Wrap up the process.
- Meeting with IRT and management to finalize incident timeline.
- Identification of problem and scope and steps taken to mitigate.
- Effectiveness of IRT and plan what needs improvement.
- Completion of incident documentation.
Incident Response Plans
A document or series of documents that describe procedures for detecting, responding to, and minimizing the effects of security incidents.
- IRT establishment and maintenance.
Documented list of what constitutes a security incident.
- Definitions for each category or type.
- Step-by-step processes to follow when an incident occurs.
- Roles and responsibilities for IRT members.
- Reporting requirements.
- Escalation parameters.
- Testing and validation measures.
- Tabletop exercises.
- Functional exercises.
First Responders
The first experienced person or a team of trained professionals who arrive at the scene of an incident.
- Security Professional
- Human Resources Professional
- IT Support Professional
Incident Report
A report that includes a description of the events that occurred during a security incident.
Guidelines for Responding to Security Incidents
- If an IRP exists, then follow the guidelines outlined within it to respond to the incident.
- If an IRP does not exist, then determine a primary investigator who will lead the team through the investigation process.
- Determine if the events actually occurred and to what extent a system or process was damaged.
- Try to isolate or otherwise contain the impact of the incident.
- Document the details of the incident.
Computer Forensics
The practice of collecting and analyzing data from computing devices and potentially presenting the information as a form of evidence in a court of law.
- Deals primarily with recovery and investigation of evidence.
- Still an emerging field.
- Blend of legal elements and computer science.
- Some investigations are conducted without the involvement of legal action.
The Basic Forensic Process
| Forensic Phase | Description |
|---|---|
| Collection | Identify the attacked system and label it Record and acquire details from all related personnel who have access to the system, as well as the evidence material. During this phase, maintain the integrity of the data. |
| Examination | Use automated and manual methods to forensically process collected data Assess and extract the evidence During this phase, maintain the integrity of the data. |
| Analysis | Analyze the results of the examination phase, using methods and techniques permissible by law. Obtain useful information that justifies the reason for the collection and examination. |
| Reporting | Report the results of the forensic analysis, including a description of the tools and methods used and why things were done that way. Brainstorm different ways to improve existing security controls and provide recommendations for better policies, tools, procedures, and other methods to include in the forensic process. |
Preservation of Forensic Data
Legal hold: A process designed to preserve all relevant information when litigation is reasonably expected to occur.
Receipt of legal hold
- Detailed descriptions of scope of preserved info.
- Data custodian must preserve and protect data.
- Can encompass paper documents and electronic info.
Preservation of information
- Data custodian must acknowledge receipt of legal hold,
- Current and future info may be subject to hold,
- Maintain repository for electronic info.
Establishment of audit trail
- Forensic evidence must be verifiable.
- Locate and analyze data sources and monitor compliance with hold.
- Automatically log all relevant audit trail info.
Basic Forensic Response Procedures
| Forensic Response Procedure | Description |
|---|---|
| Capture forensic image and memory. | Exact duplicate of computer evidence. Bit-for-bit copy of the storage media. Dumping memory while system is still powered. |
| Examine network traffic and logs | Look for traces left by attackers. Check all log files. |
| Capture video | Visual evidence. |
| Record the time offset | Determine the exact time an event took place. Regardless of time zone or physical location of device. |
| Take hashes | Compare hashes created at different times by different parties. Prove integrity of evidence. |
| Take Screenshots | Create a step-by-step record of all actions taken. Prevents tampering and validates forensic practices. |
| Identify witnesses | Observation and validation of forensic practices. |
| Track man hours and expenses | Use to assess incident damage. |
| Gather intelligence | Identify relevant information, even if not hard evidence. Beware of counterintelligence. |
Order of Volatility
The order in which volatile data should be recovered from various storage locations and devices after a security incident occurs.
- CPU registers, CPU cache, and RAM.
- Network caches and virtual memory.
- Hard drives and flash drives.
- CDs, DVDs, and printouts.
Chain of Custody
The record of evidence handling from collection to presentation in court, to disposal.
- Collection
- Analysis and Storage
- Presentation in Court
- Disposal
Guidelines for Investigating Security Incidents
- Develop or adopt a consistent process for handling and preserving forensic data.
- Assess the damage and determine the impact on affected systems.
Determine if outside expertise is needed.
- Consultants
- Notify local law enforcement if necessary.
- Secure the scene to contain hardware.
Collect all necessary evidence.
- Electronic data
- Hardware components
- Telephony system components
- Follow the order of volatility for electronic data gathering.
- Interview personnel to collect additional information.
- Report your findings to the proper people.
Addressing security incidents is a critical component of a CompTIA Security+ professional. Understanding the principles of incident response and implementing best practices can help organizations effectively mitigate and recover from security breaches, ensuring the integrity and availability of their data and systems.
You can find all of our CompTIA Sec+ guides here: CompTIA Sec+
We also have guides for the CompTIA A+ here: CompTIA A+
Recommendation:
Basic Security Testing with Kali Linux: https://amzn.to/3S0t7Vq
