2.3 Given a scenario, troubleshoot common security issues. Flashcards

1
Q

Unencrypted Credentials/Clear Text

A

Many Internet technologies and protocols do not encrypt network traffic by default, including the username and password when logging on to the device. Be sure to use encryption technologies such as SSL/TLS, VPNs, or secure versions of protocols when possible.

2
Q

Logs and Events Anomalies

A

When looking at your event logs and activity logs, be sure to watch for abnormal events that appear in the log. Any suspicious activity needs to be investigated further. From a misconfiguration point of view, verify that logging is enabled and that you know where the logs are stored for your system and devices.

3
Q

Permission Issues

A

Not configuring proper permissions on resources is a common reason why internal attacks are so successful. Be sure to review resource permissions on a regular basis and only give permissions that are needed (principle of least privilege).

4
Q

Access Violations

A

An access violation occurs when someone who is not authorized to access a system gains access. Make sure to require authentication before anyone can gain access to a network or system, and make sure that logon traffic is encrypted. Configure permissions on resources so that no one who should not have access to a resource can gain it.

5
Q

Certificate Issues

A

Certificates are electronic files that contain keys used to encrypt communication. Certificates should be used to secure web traffic, e-mail traffic, and server-to-server communication, at the least. Be sure that the certificates being used have not expired, have not been revoked, and are from a trusted certificate authority.

6
Q

Data Exfiltration

A

Data exfiltration occurs when someone transfers data from a computer without permission to do so. To prevent data exfiltration, you can disable USB ports so that portable storage cannot be connected to a system, or you can use data loss prevention (DLP) features to block sensitive data from being copied or e-mailed outside the organization.

7
Q

Misconfigured Devices

A

Device misconfiguration is a big reason why attackers are able to gain access to systems they should not be able to access.

8
Q

Misconfigured Devices - Firewall

A

Ensure that firewalls are used to break the network into different network segments. A firewall with misconfigured rules allows users to access network segments they shouldn’t have access to. Make sure that each network segment’s firewall is properly configured to control what traffic can pass through the firewall to reach that specific network segment.

9
Q

Misconfigured Devices - Content Filter

A

Content filtering devices are used to control which content on the Internet employees can access. If content filtering rules are not configured properly, users could visit unsafe sites and have malicious code execute on their systems.

10
Q

Misconfigured Devices - Access Points

A

Wireless access points and wireless home routers are commonly misconfigured. Be sure to review the configuration of your wireless access points and ensure that you have configured features such as MAC filtering, WPA2 encryption, and a strong encryption key, and that you have modified the default admin password.

11
Q

Weak Security Configuration

A

A big reason for security incidents is weak security configuration. For example, a network admin may configure encryption on the wireless network but choose a weaker encryption method or maybe use a weak encryption key. Be sure to review all security settings on devices, such as access control lists, passwords, encryption keys, encryption algorithms, and any filtering features that may be available.

12
Q

Personnel Issues

A

You can configure the best security settings on your devices and they may still be easy to hack into if you do not focus on training employees to be security aware. You must also be vigilant of insider threats.

13
Q

Personnel Issues - Policy Violation

A

Many security incidents occur because employees violate company security policies. Be sure to educate employees on security policies and why they are in effect. Employees are less likely to violate security policies if they understand why the policies exist and how adherence to them protects the company and its assets.

14
Q

Personnel Issues - Insider Threat

A

Most companies focus on firewalls as their security protection. That is important, of course, but you also need to protect company assets from insider threats such as disgruntled employees. Be sure to use authentication, permissions, and access control lists to control what employees have access to. Also, be sure to implement antimalware software to protect your internal systems from viruses.

15
Q

Personnel Issues - Social Engineering

A

Educate employees on common social engineering attacks so that they can identify when they are being targeted by social engineering. Education is the key to protecting against social engineering attacks.

16
Q

Personnel Issues - Social Media

A

Educate employees on what information can and cannot be posted on social media. You should have strict policies in place restricting workplace photos being posted on social media because they may contain sensitive information. For example, a picture of an employee sitting at her desk might also show a sensitive document open on the screen in the background or a document on the desk.

17
Q

Personnel Issues - Personal Email

A

Many employees use their personal e-mail account at work and could use it to send company data outside the company. Be sure to have DLP features in place to protect against data leaks. Also, be aware of personal cloud storage services that employees may use to transfer data to and from work. You may consider blocking access to these sites on the firewall or content filtering device.

18
Q

Unauthorized Software

A

Organizations should have strict policies in place as to what software is allowed or not allowed to run on company systems. Application whitelisting refers to defining which software is allowed to run on a system. You can use a tool such as Windows AppLocker as part of your policy to restrict which software is allowed to run on a system.

19
Q

Baseline Deviation

A

A security baseline is a defined security state that systems must not deviate from. Any modification of a system that may open the system up and make it less secure needs to be vetted first and monitored closely if implemented.

20
Q

License Compliance Violation (Availability/Integrity)

A

Companies can face serious fines if found to be noncompliant with licensing of software. Tools are available that enable you to track the installation of software and ensure that you do not exceed the number of licensed installs allowed.

21
Q

Asset Management

A

Once a system is placed into production, you need to maintain that system to keep it secure. Maintaining the systems centrally is the key to success with asset management. Use products such as Group Policy Objects (GPOs) and System Center Configuration Manager (SCCM) to manage the deployment of configuration, patches, drivers, and applications.

22
Q

Authentication Issues

A

Make sure that applications are configured for authentication in the most secure manner so that someone cannot tap into the authentication traffic and gain access to the network using credentials used by the application. Ensure that applications are using their own accounts and not default accounts such as the System account or the SA (Sys Admin) account when connecting to a database.