Scenarios, Applications & Methods Flashcards

1
Q

Protocol Analyzer

A

Example: Wireshark
Use: Capture wired or wireless traffic and inspect it for indicators of compromise (IOCs) or performance problems.

A protocol analyzer is a tool that captures and decodes wired or wireless traffic passing over a given communications channel. It is also called a packet sniffer, network analyzer, or packet analyzer.

2
Q

Network Scanner

A

Example: Nmap
Use: Identify live hosts, open ports and listening services, and spot unauthorized devices and services.

Network scanners identify which services are listening on which hosts, and on which ports. After you’ve scanned, determine whether each of those services should be running at all.
Scanners can also be used for rogue system detection: actively scan for unauthorized devices, or passively inspect traffic logs for communication with unauthorized devices.
Scan results can also be used to build network diagrams of how machines are connected to one another.
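
Added example (not part of the original flashcards): a small script that parses Nmap’s grepable output (nmap -oG) and compares every open port against a baseline of authorized services, which is the “should this service be running at all?” step from the card. The scan output and the BASELINE dictionary are constructed for the example; the host addresses and allowed ports are hypothetical.

```python
# Parse Nmap "grepable" output and compare the open ports found on each
# host against an authorized-services baseline.

# Constructed sample of `nmap -sV -oG -` output; not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.0/29
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.3 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 3389/open/tcp//ms-wbt-server///, 5900/open/tcp//vnc///\tIgnored State: filtered (997)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4/\tIgnored State: closed (999)
# Nmap done: 8 IP addresses (3 hosts up) scanned
"""

# Hypothetical asset baseline: known hosts and the TCP ports each may expose.
BASELINE = {
    "10.0.0.2": {22, 443},
    "10.0.0.3": {22},
}


def parse_gnmap(text):
    """Return {host: {(port, protocol, service), ...}} for every open port."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # Grepable lines are tab-separated "Key: value" fields.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        open_ports = set()
        for entry in fields["Ports"].split(", "):
            # Each entry is port/state/protocol/owner/service/rpc info/version/
            port, state, proto, _owner, service = entry.split("/")[:5]
            if state == "open":
                open_ports.add((int(port), proto, service))
        hosts[host] = open_ports
    return hosts


def check_against_baseline(scan, baseline):
    """Flag hosts missing from the baseline and open ports the baseline does not allow."""
    findings = []
    for host, ports in sorted(scan.items()):
        if host not in baseline:
            findings.append((host, None, "rogue host: not in asset baseline"))
            continue
        for port, proto, service in sorted(ports):
            if port not in baseline[host]:
                findings.append((host, port, f"unauthorized service {service}/{proto}"))
    return findings


if __name__ == "__main__":
    for host, port, reason in check_against_baseline(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"{host:<12} {str(port or '-'):<6} {reason}")
```

Run against the sample it reports RDP and VNC on 10.0.0.3 and an entirely unknown host 10.0.0.9; a host that is up but in the baseline with no unexpected ports produces nothing, which is the quiet result you want from a recurring scan.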

3
Q

Password Cracker

A

Example: John the Ripper
Use: Recover passwords from captured password hashes by trying wordlists and mangling rules.

These are tools used by attackers to find weak passwords. Admins can also run them against their own users’ password hashes to test password health and catch weak passwords early.
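
Added example (not part of the original flashcards, and not John the Ripper’s code): a minimal offline dictionary attack of the kind such tools automate. A constructed password store uses salted SHA-256 (hex(sha256(salt || password))); the script hashes each wordlist candidate under a few mangling rules and reports every user whose hash matches. The users, salts, passwords and wordlist are all made up for the example.

```python
import hashlib


def hash_password(salt, password):
    """The store's scheme, assumed for the example: hex(sha256(salt || password))."""
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed password store, user -> (salt, digest). Built from known plaintexts
# only so the example is self-contained; a real audit reads hashes from
# /etc/shadow or a directory dump.
RECORDS = {
    "alice": ("c0ffee", hash_password("c0ffee", "Summer2024!")),
    "bob":   ("d00d", hash_password("d00d", "password1")),
    "carol": ("5a17", hash_password("5a17", "xK9#pL2$vQ8m")),
}

# Tiny wordlist and mangling rules, standing in for a cracker's wordlists and rules engine.
WORDLIST = ["password", "summer", "welcome", "letmein"]
SUFFIXES = ["", "1", "123", "!", "2024", "2024!"]


def candidates(wordlist):
    """Yield each word in three case variants with every suffix appended."""
    for word in wordlist:
        for variant in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield variant + suffix


def crack(records, wordlist):
    """Return {user: recovered_password} for every hash a candidate matches.

    Because each user has a distinct salt, every candidate must be re-hashed
    for every user; that extra work is exactly what salting buys the defender.
    """
    cracked = {}
    for user, (salt, digest) in records.items():
        for candidate in candidates(wordlist):
            if hash_password(salt, candidate) == digest:
                cracked[user] = candidate
                break
    return cracked


if __name__ == "__main__":
    for user, password in crack(RECORDS, WORDLIST).items():
        print(f"{user}: weak password recovered ({password!r})")
```

Only alice and bob fall to a four-word list with simple rules; carol’s random password does not. A plain fast hash like SHA-256 makes every guess cheap, which is why password stores should use a deliberately slow, salted scheme such as bcrypt, scrypt or Argon2.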

4
Q

Vulnerability Scanner

A

Example: Tenable Nessus
Use: Find vulnerabilities

These are programs that scan a system for known issues, such as misconfigurations, missing patches and out-of-date software versions. They can operate at the network level, host level or application level.

5
Q

SIEM

A

Example: Splunk
Use: Automatically collect and correlate logs from many sources to discover and respond to security threats.

SIEM stands for security information and event management. SIEM systems are hardware and software meant to aggregate, normalize and analyze security data from across the environment. They rely on a few different concepts

6
Q

Configuration compliance scanner

A

Example: Qualys
Use: Check system configurations against a defined security baseline and validate them in an automated way. The checks are commonly expressed using SCAP (Security Content Automation Protocol), a standard for managing and exchanging security configuration information.

7
Q

Exploitation frameworks

A

Example: Metasploit
Use: Used by attackers, and by penetration testers, to exploit vulnerabilities in systems. A framework bundles exploits, payloads and post-exploitation modules so they can be reused and combined.

8
Q

Data Sanitization Tool

A

Use: allow you to “destroy, purge or otherwise identify for destruction” data on systems, so that it cannot be recovered from media that is disposed of or reused.

9
Q

Anti-Malware Tool

A

Example: Bitdefender, Norton, Cylance, McAfee
Use: Anti-malware programs scan a computer system to prevent, detect and remove malware.

10
Q

Troubleshoot common security issues - Unencrypted credentials/clear text

The problem: sending credentials from one machine to another in cleartext (for example with Telnet, FTP, or HTTP Basic authentication over plain HTTP). The unencrypted information is subject to eavesdropping for use in later attacks. Cleartext credentials can also show up in logs.

A

The solution: never send credentials in cleartext. Use protocols that encrypt the session (SSH instead of Telnet, SFTP or FTPS instead of FTP, HTTPS instead of HTTP), and make sure credentials are masked before they reach logs.
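
Added example (not part of the original flashcards) for this card and the protocol analyzer card: what an eavesdropper with a packet capture actually gets when credentials travel in cleartext. The two byte strings are constructed application-layer streams, the kind a protocol analyzer reassembles with “Follow TCP stream”; the hostnames, user names and passwords are made up. The script recovers the credentials from an HTTP Basic header (base64 is encoding, not encryption) and from an FTP USER/PASS exchange.

```python
import base64
import re

# Constructed streams as a sniffer would reassemble them; not from a real capture.
HTTP_STREAM = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"   # base64("admin:hunter2")
    b"\r\n"
)
FTP_STREAM = (
    b"220 (vsFTPd 3.0.3)\r\n"
    b"USER backup\r\n"
    b"331 Please specify the password.\r\n"
    b"PASS Winter#99\r\n"
    b"230 Login successful.\r\n"
)

BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M)


def extract_http_basic(stream):
    """Recover (user, password) pairs from HTTP Basic Authorization headers.

    Basic auth is only base64-encoded, not encrypted: anyone on the path decodes it.
    """
    creds = []
    for token in BASIC_RE.findall(stream):
        user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
        creds.append((user, password))
    return creds


def extract_ftp_login(stream):
    """Recover (user, password) pairs from an FTP control channel, where the
    USER and PASS commands travel in cleartext."""
    creds, pending_user = [], None
    for line in stream.split(b"\r\n"):
        command, _, argument = line.decode("utf-8", "replace").partition(" ")
        if command.upper() == "USER":
            pending_user = argument
        elif command.upper() == "PASS" and pending_user is not None:
            creds.append((pending_user, argument))
            pending_user = None
    return creds


def harvest(streams):
    """Run every extractor over every named stream; each hit is a finding."""
    found = []
    for name, stream in streams.items():
        for cred in extract_http_basic(stream) + extract_ftp_login(stream):
            found.append((name,) + cred)
    return found


if __name__ == "__main__":
    for proto, user, password in harvest({"http": HTTP_STREAM, "ftp": FTP_STREAM}):
        print(f"{proto}: user={user} password={password}")
```

The same extraction works on real captures (Wireshark’s own credential-harvesting dissectors do exactly this), which is why the fix is to move the session onto an encrypted protocol rather than to hope nobody is listening.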

11
Q

Troubleshoot common security issues - Logs and events anomalies

The problem: logs are meant to surface anomalous events. If you dump every event into the logs, the anomalies are buried; only log information that has a potential security implication or will be used in some form later.

A

The solution: be deliberate about what goes into your logs so that you have a better signal-to-noise ratio. Log the events that matter for security in your organization, and review them for anomalies.

12
Q

Troubleshoot common security issues - Permission issues

The problem: incorrect setting of user rights and permissions, such that people have more or fewer permissions than they should.

A

The solution: periodic reviews and audits of rights and permissions.

13
Q

Troubleshoot common security issues - Access violations

The problem: when someone tries to access a resource that they don’t have permission to access. This might be because they’re making a mistake or deliberately trying to get past security. It also might be that permissions are set inappropriately.

A

The solution: send access-denied events to a SIEM so that violations are noticed and acted on, and check whether a denied access reveals a permissions mistake rather than an attack.

14
Q

Troubleshoot common security issues - Certificate issues

The problem: a user attempts to use a certificate that does not have a complete chain of trust back to a trusted root, for example because an intermediate certificate is missing, the certificate has expired, or it was issued by a CA the client does not trust.

A

The solution: manage trusted root and intermediate certificates centrally so that users are not “fixing” the issue by clicking through the warning and trusting the certificate anyway.

15
Q

Troubleshoot common security issues - Data exfiltration

The problem: an attacker tries to steal data and export it out of your system.

A

The solution: don’t store data that doesn’t need to be stored. Use data loss prevention (DLP) tools as described in earlier chapters. Use firewalls and network segmentation to make it more difficult to exfiltrate.

16
Q

Troubleshoot common security issues - Misconfigured devices

The problem: a device needs to be set up the correct way and you, well, botched it. This is usually a human error issue. Maybe you selected “everyone” on an access control list by accident.

A

The solution: regular audits, and most importantly, testing that things work as desired after every change.

17
Q

Troubleshoot common security issues - Firewall

The problem: firewalls depend on rulesets to allow or block packets. Incomplete, incorrect or sloppy rulesets cause issues.

A

The solution: regular audits, of course. Also avoid making “temporary” rules to test out new things: you’ll forget them and they’ll become permanent. If a temporary rule is unavoidable, record its expiry date and remove it on that date.
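
Added example (not part of the original flashcards): a firewall ruleset audit that catches the three problems this card describes: an allow-anything rule, “temporary” rules that have expired or carry no expiry at all, and rules that can never be reached because an earlier, broader rule shadows them under first-match semantics. The ruleset format (action, protocol, source, destination, port, then a comment) and the TEMP-comment convention are hypothetical; a real audit would parse iptables-save, a cloud security group, or the vendor’s export.

```python
import ipaddress
import re
from datetime import date

# Constructed ruleset in a simplified, hypothetical format:
#   action protocol source destination dport   # comment
RULESET = """\
allow tcp 10.0.0.0/8 10.20.0.5/32 443     # web frontend
allow any 0.0.0.0/0 0.0.0.0/0 any         # TEMP until 2024-01-15: debugging vendor VPN
allow tcp 10.0.0.0/8 10.20.0.9/32 22      # jump host
allow udp 10.0.0.0/8 10.20.0.9/32 53      # TEMP resolver test
deny any 0.0.0.0/0 0.0.0.0/0 any          # default deny
"""

# "TEMP" marks a temporary rule; an optional "until YYYY-MM-DD" gives its expiry.
TEMP_RE = re.compile(r"\bTEMP\b(?:.*?\buntil\s+(\d{4}-\d{2}-\d{2}))?", re.I)


def parse_rules(text):
    """Parse the hypothetical format into dicts; line numbers are kept for reporting."""
    rules = []
    for number, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        if not body.strip():
            continue
        action, proto, src, dst, dport = body.split()
        rules.append({
            "n": number, "action": action.lower(), "proto": proto.lower(),
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "dport": dport.lower(), "comment": comment.strip(),
        })
    return rules


def covers(a, b):
    """True when rule a matches every packet that rule b matches."""
    return (b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and a["proto"] in ("any", b["proto"])
            and a["dport"] in ("any", b["dport"]))


def audit_rules(text, today):
    """Return (rule number, problem) pairs. `today` is a parameter so results are reproducible."""
    rules = parse_rules(text)
    findings = []
    for index, rule in enumerate(rules):
        wide_open = (rule["src"].prefixlen == 0 and rule["dst"].prefixlen == 0
                     and rule["dport"] == "any")
        if rule["action"] == "allow" and wide_open:
            findings.append((rule["n"], "allows any source to any destination on any port"))
        match = TEMP_RE.search(rule["comment"])
        if match:
            if match.group(1) is None:
                findings.append((rule["n"], "temporary rule with no expiry date"))
            elif date.fromisoformat(match.group(1)) < today:
                findings.append((rule["n"], f"temporary rule expired on {match.group(1)}"))
        # First-match semantics: an earlier rule that covers this one makes it dead.
        for earlier in rules[:index]:
            if covers(earlier, rule):
                findings.append((rule["n"], f"never reached: shadowed by rule {earlier['n']}"))
                break
    return findings


if __name__ == "__main__":
    for number, problem in audit_rules(RULESET, date.today()):
        print(f"rule {number}: {problem}")
```

One forgotten temporary any/any rule makes every rule after it, including the default deny, dead code; the shadowing check makes that visible instead of leaving the ruleset looking complete.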

18
Q

Troubleshoot common security issues - Content filter

The problem: content filters limit what users can view on a network. If the rules are too broad, you might be blocking valid or important resources.

A

The solution: tune your content filters to your organization, and have a process for users to report legitimate resources that were blocked by mistake so you can correct the rules quickly.

19
Q

Troubleshoot common security issues - Access points

The problem: access points can be configured with rules about which traffic to grant or deny access to a network. These rules and criteria can get unwieldy to manage.

A

The solution: same old answer… audits, and management tools that handle the rules at scale.

20
Q

Troubleshoot common security issues - Weak security configurations

The problem: weak security configurations are configuration parameter choices that result in greater security risks.

A

The solution: avoid allowing deprecated protocols or cipher suites. Don’t allow users to have weak passwords or unlimited password attempts, and so on.
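
Added example (not part of the original flashcards) for this card and the configuration compliance scanner card: a weak sshd_config beside its corrected counterpart, and a small checker that compares a parsed configuration against a hardening baseline the way a compliance scanner does. Both configuration excerpts are constructed, not taken from a real host; the sets of deprecated ciphers and key-exchange algorithms, and the thresholds, are an assumed baseline for the example. Where a keyword is absent the checker falls back to OpenSSH’s documented default for it.

```python
import re

# Constructed sshd_config excerpt with weak settings; not from any real host.
WEAK_CONFIG = """\
# sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 100
Ciphers aes256-ctr,3des-cbc,arcfour
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256
"""

# The corrected configuration for the same host.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 4
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
KexAlgorithms curve25519-sha256
"""

# Assumed baseline for the check: algorithms dropped from OpenSSH defaults as weak.
DEPRECATED_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256",
                      "blowfish-cbc", "cast128-cbc"}
DEPRECATED_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                  "diffie-hellman-group-exchange-sha1"}


def parse_sshd_config(text):
    """Return {keyword (lowercased): value}; like sshd, the first occurrence of a keyword wins."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts "Keyword value" and "Keyword=value".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            config.setdefault(parts[0].lower(), parts[1].strip())
    return config


def check_sshd(config):
    """Compare a parsed sshd_config against the baseline; return a list of findings."""
    findings = []
    # The fallback values are OpenSSH's defaults when the keyword is unset.
    if config.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: direct root login is allowed")
    if config.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: password guessing possible, prefer public keys")
    if int(config.get("maxauthtries", "6")) > 6:
        findings.append(f"MaxAuthTries {config['maxauthtries']}: too many guesses per connection")
    weak_ciphers = set(config.get("ciphers", "").split(",")) & DEPRECATED_CIPHERS
    if weak_ciphers:
        findings.append("deprecated ciphers enabled: " + ", ".join(sorted(weak_ciphers)))
    weak_kex = set(config.get("kexalgorithms", "").split(",")) & DEPRECATED_KEX
    if weak_kex:
        findings.append("deprecated key exchange enabled: " + ", ".join(sorted(weak_kex)))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {check_sshd(parse_sshd_config(text)) or ['no findings']}")
```

A real compliance scanner runs thousands of such checks from SCAP content against the whole fleet and tracks the results over time; the structure is the same: parse the live configuration, compare each setting against the baseline, report the deviations.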

21
Q

Troubleshoot common security issues - Personnel issues

The problem: poorly trained users can weaken the security posture of a company, even if all your hardware and software is configured well.

A

The solution: invest in regular training for your employees.

22
Q

Troubleshoot common security issues - Policy violation

The problem: personnel don’t adhere to written policies of the organization.

A

The solution: if it’s a knowledge issue, invest in policy-specific training. If it’s an awareness issue, invest in awareness training. If it’s willful disobedience, make sure your HR policy has teeth.

23
Q

Troubleshoot common security issues - Insider threat

The problem: users inside the system who have access to and permissions on a network abuse their trust for malicious means.

A

The solution: make sure HR is screening new hires. Make sure you’re monitoring employee activity. And make sure you’ve got separation of duties so no single person has too much power.

24
Q

Troubleshoot common security issues - Social engineering

The problem: attackers use social engineering against your employees.

A

The solution: provide your employees with comprehensive awareness training so that they can recognize and combat social engineering attacks.

25
Q

Troubleshoot common security issues - Social media

The problem: social media over-sharing can result in giving away confidential information. This might help attackers with their social engineering attacks. And, employees with extreme viewpoints that they share online might land the company in hot water.

A

The solution: have some kind of social-media policy that lets employees know what company information is acceptable to share. Work with HR on the “extreme viewpoints” thing.

26
Q

Troubleshoot common security issues - Personal email

The problem: use of personal email means it’s easier for data exfiltration to happen. It also means that it’s easier for malware to get in.

A

The solution: prohibit use of personal email.

27
Q

Troubleshoot common security issues - Unauthorized software

The problem: installation and use of software that shouldn’t be allowed on a system.

A

The solution: use application allow-listing (whitelisting) to restrict what can run on a machine. Don’t give users permission to install programs. Audit installed software regularly.

28
Q

Troubleshoot common security issues - Baseline deviation

The problem: not a problem so much as a means of monitoring progress (or lack thereof): a baseline is a measured, known-good state of the system, and a deviation from it is what you look for.

A

The solution: measure the system’s current state with tools (default passwords, permission issues, open ports, and so on) and record it as the baseline. Regularly re-measure the system, compare against the baseline, and track progress or new issues.

29
Q

Troubleshoot common security issues - Asset management

The problem: understanding what hardware and software you have, where it is, and how it’s configured is difficult at scale.

A

The solution: use tools and processes to make this a regular and as-much-as-possible automated task.

30
Q

Troubleshoot common security issues - Authentication issues

The problem: any issues related to authentication. This could mean leaving default passwords, it could also mean repeated failed logins. You get the idea.

A

The solution: avoid leaving default passwords in place. Log log-ins, log-outs and failed log-in attempts, and alert on patterns such as many failures from one source followed by a success. Act on brute-force login attempts, for example by locking the account or blocking the source.
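
Added example (not part of the original flashcards) for this card, the SIEM card and the access violations card: the detection logic a SIEM rule would run over authentication logs. The sshd log lines are constructed, not real; the year (syslog timestamps carry none), the one-minute window and the failure thresholds are assumptions for the example. It raises one alert when a source crosses the failure threshold inside the window and a second, higher-priority one when a login from that source succeeds right after the burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format; not real logs.
AUTH_LOG = """\
Mar  3 09:14:01 bastion sshd[2131]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Mar  3 09:14:03 bastion sshd[2131]: Failed password for invalid user admin from 203.0.113.7 port 50214 ssh2
Mar  3 09:14:04 bastion sshd[2131]: Failed password for root from 203.0.113.7 port 50216 ssh2
Mar  3 09:14:06 bastion sshd[2131]: Failed password for root from 203.0.113.7 port 50218 ssh2
Mar  3 09:14:07 bastion sshd[2131]: Failed password for alice from 203.0.113.7 port 50220 ssh2
Mar  3 09:14:09 bastion sshd[2131]: Accepted password for alice from 203.0.113.7 port 50222 ssh2
Mar  3 09:20:15 bastion sshd[2200]: Failed password for bob from 198.51.100.4 port 41000 ssh2
Mar  3 09:21:40 bastion sshd[2201]: Accepted publickey for bob from 198.51.100.4 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
ASSUMED_YEAR = 2024       # syslog timestamps have no year; assumed for the example
FAILURE_THRESHOLD = 5     # failures from one source inside WINDOW -> brute_force alert
SUCCESS_AFTER = 3         # failures inside WINDOW before a success -> success_after_failures
WINDOW = timedelta(minutes=1)


def parse_auth_log(text):
    """Turn sshd auth lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append({"ts": ts.replace(year=ASSUMED_YEAR),
                       **{k: m[k] for k in ("result", "method", "user", "src")}})
    return events


def detect(events):
    """Sliding-window detection per source IP. Returns a list of alert tuples."""
    alerts = []
    recent_failures = defaultdict(deque)   # source IP -> failure timestamps inside WINDOW
    for ev in sorted(events, key=lambda e: e["ts"]):
        window = recent_failures[ev["src"]]
        while window and ev["ts"] - window[0] > WINDOW:
            window.popleft()
        if ev["result"] == "Failed":
            window.append(ev["ts"])
            if len(window) == FAILURE_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("brute_force", ev["src"], ev["ts"].isoformat()))
        elif len(window) >= SUCCESS_AFTER:
            # A success right after a burst of failures is the one to act on immediately.
            alerts.append(("success_after_failures", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_auth_log(AUTH_LOG)):
        print(alert)
```

bob’s single typo followed by a key-based login 85 seconds later produces nothing, while 203.0.113.7 triggers both alerts; the second one is the case where "act on brute-force attempts" means locking alice’s account and blocking the source, not just counting failures.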