Welcome to the Cybrary video series on the CompTIA Security+ SY0-501 certification and exam.
I'm your instructor, Ron Warner.
Please visit Cybrary.it for more information on this certification and many others.
In this video I'll be talking about section 2.3:
Given a scenario, troubleshoot common security issues.
This is part of the second domain of the Security+ exam, Technologies and Tools.
Please see the earlier videos for more information on these topics.
Troubleshooting is one of the things we do as cyber security professionals. Things rarely go according to plan or on schedule. We need to be ready when that inevitable problem occurs. On your screen, you see numerous types of issues we see within the world of cyber security that are covered in
In this video, I'll be talking about asset management, different types of identity and access permission issues,
certificate issues, data exfiltration, data leaving your environment,
misconfigured devices and weak security configuration,
unauthorized software and license violations,
logs and event anomalies,
and personnel issues.
Stay tuned as we dive into the world of security troubleshooting.
I start with asset management, since it's step number one for both the NIST Cybersecurity Framework and the Center for Internet Security Controls.
You can't secure what you can't see. You can't secure what you don't know about. So it's important to have that inventory of your assets: anything connected to your network, both hardware, software applications and data assets.
If you can, use automated tools to maintain that asset list.
Network mappers and scanners are awesome tools for creating that inventory list of systems on your network, like Nmap, which I explained in the previous video.
A common security issue associated with asset management is assets, devices that go lost or are stolen.
For example, mobile computers such as laptops, tablets, smartphones.
Do you have software to track them if and when they're lost? Do you have the ability to remotely wipe the data that may be on those disks?
Another asset that may go lost or stolen is removable storage media, like USB drives,
thumb drives: so easy to lose, so easy to have stolen. If this contains any type of sensitive data,
then that could be a challenge for the company. The way to protect against this is to have your asset inventory in place.
Another issue associated with asset management is software management: allowing employees to install applications they shouldn't.
This could lead to malware, ransomware or even license violations. I'll talk about some of this later on in this video.
Access violations are another category of security issues in troubleshooting.
You already know that too much access creates risks for the organization. There's also too little access, causing a loss of productivity.
Just as user access could be managed by auditing,
access violations can also be managed through auditing and logging and via enterprise-level software. Access violations occur when someone accesses or attempts to access data or systems that they shouldn't be.
For example, if a user accesses files for which they have not been given permission,
that is an access violation.
Violations can occur from inside: employees accessing beyond what they've been authorized. The other category is outside attackers who have not been authorized to access any data or systems. The hackers, if you will.
The solution for access violations:
Auditing, so watching to see who's accessing what, when, where and how.
Reporting, automating as much as possible, going to some type of a security operations center when an access violation is noticed,
and then having an incident response plan in place to address access violations.
Changing users' permissions as needed to reduce the number of access violations.
Permissions issues go right along with access violations. It's violating the concept of least privilege.
Each user or service is provided only with permissions they need to do their job. Any permission beyond that is a permission issue that could lead to an access violation.
A common challenge we see is permissions creep.
It's that employee who's been in the company forever and has access to everything within the corporation, all the application servers, et cetera, because no one ever says, "Take away my access." Another challenge we see with permissions is inherited permissions.
Does everyone within your organization need to be able to write and execute
all of the files? They also can have read,
or read-only, capability.
Personally, I'd much rather have read-only, where I can't accidentally execute or write over a file. This helps protect me from making mistakes.
Consider the different permission levels within files and folders, limiting to read-only when write and execute are not needed.
Insufficient permissions, as previously mentioned, is also a challenge: people who don't have the access they need to do their job.
The problem is that they'll sometimes find a way around it to get their job done, sometimes leading to other security violations. Solutions to permission issues are auditing, reporting and response, just like the access violations. You can use Windows tools like gpresult for Group Policy
and AccessChk
with Sysinternals.
All regular users have likely experienced some type of an authentication issue. You know, you try to log in and you can't because you've mistyped your username or password, or you have an expired password that you didn't realize you needed to change or you forgot to change.
Another common authentication issue is a disabled or deleted account, whether on purpose or in error. For example,
accounts that are automatically set to expire. You have a vendor who's on your premises for six months. At the end of the six months, their ID should automatically expire. If they still need to do work in months seven, eight and nine, then they need to extend their access rights.
The authentication server not being available or visible could also be a challenge if you're using centralized or federated authentication.
From my workstation, if I can't reach the authentication server, that can cause an authentication issue.
Not enabling two-factor authentication or multi-factor authentication is also an issue.
There is a problem with passwords: they are a very weak form of authentication.
I talk more about TFA and MFA in other videos.
The last authentication issue, probably the most common: users choosing poor passwords.
This takes education and using automated tools to check passwords as they're being chosen by the end users, to make sure they're up to strength, meeting your password policy. Solutions to authentication issues include account verification, ensuring that accounts are actually tied to human beings.
Checking the connectivity, making sure that there's not a network issue trying to reach an authentication server.
If you're seeing users who repeatedly are being locked out of their account, you should be reviewing the logs, determining why that is occurring and where they may be logging in from.
Lastly, user education: that helps solve some of the password issues and some of these other issues associated with authentication.
I previously mentioned the problems with passwords.
When password rules are not enforced, that becomes an authentication issue,
or unencrypted credentials that are kept in clear text. I've seen this happen within authentication systems. They were not hashed or encrypted but stored in clear text. That way, anyone with administrative access could see all of the users' passwords.
This is a system configuration issue where the application or service stores and sends the clear-text passwords.
Passwords should never be stored or sent in clear text.
That's where hashing comes in. Refer to the other videos where I talk in depth about password hashing.
Additionally, people may store their passwords in clear text. Either online, say they'll put it in a spreadsheet, a document or a database, or offline by writing them down.
If people want to write down their passwords, I'm actually fine with that. They need to secure that piece of paper in a locked file cabinet or in a safe.
Another common problem with unencrypted credentials is people just typing in their password by mistake in the user ID field.
The problem with this is that the password is then logged when the incorrect password attempt is logged.
On your screen, you see some of the solutions associated with unencrypted credentials and clear-text security issues.
First of all, automating your password policies, creating that group policy that states the exact password strength that is required.
Proper system configuration and application development. Make sure passwords are never stored or transmitted in clear text,
using a standard hashing algorithm for hashing passwords and then providing secure transmission media to secure the passwords as they're going across a network.
The use of a password vault has also gotten to be quite standard. Rather than people writing down their passwords, you can use tools like LastPass or KeePass. One thing to remember with using a password vault is that it has an initial password you use to access the vault. Your password needs to be very,
very strong and make sure it's never disclosed.
So if you use a password vault, make sure you're following all of the rules. Plus, for secure passwords, there is user education: reminding people about the power of passwords and how they need to have good passwords in place. The use of two-factor and multi-factor authentication also fixes a lot of these problems.
Then, lastly, what to do
when they run into problems: who do they call?
All of these are standard solutions to unencrypted credentials and clear-text security issues.
Another common security issue we've all encountered is website certificate pop-ups.
You see the example on your screen where the certificate has expired or cannot be validated. This could be caused by the date and time not being set correctly on the certificate server, or expired certificates, so they're not kept up to date,
and then a certificate that is revoked. We also see challenges when SSL is used instead of TLS on the web server. As I've previously mentioned, only use TLS on web servers. SSL is no longer valid.
Self-signed certificates: that may also be a certificate challenge for your web services.
See domain *** for more information on certificates and public key infrastructure.
Data, data everywhere.
Data is leaving our networks, being put on thumb drives, and it becomes a problem: data exfiltration. It's the unauthorized transfer or storage of data, and it could be malicious, such as data theft, where I'm trying to steal someone's personal information or personal health information,
or unintentional: I'm going to save that spreadsheet on my thumb drive to work on at home, and then I lose my thumb drive.
Those are all forms of data exfiltration.
A solution: data loss prevention, DLP.
Data loss prevention products can help prevent data exfiltration.
A good strategy is to use proactive measures instead of reactive ones.
A risk assessment will help in reducing the effects of data exfiltration.
Whenever any device or software application isn't configured correctly, it presents a significant security concern.
Misconfiguration could be failing to enable some security mechanism, using weak security configurations, not setting standards and policies like a password policy, or simply incorrectly configuring the system's settings, allowing things through your firewall that shouldn't be because of misconfigured firewall rules.
This applies to workstations, servers, routers, switches and all of the other devices on your network.
You see some other examples on your screen, for example, not enabling security features like turning on screen locking on your mobile device.
Stale firewall rules, so you have old rules within your firewall that are no longer valid. That may allow an avenue into your network.
The ordering of rules within a firewall also is very important. If the rules are not ordered properly, you could allow traffic through a firewall
not denied by default. See the earlier video on firewall rules. A common problem is default passwords. These are passwords set by the vendor on network devices and appliances like Wi-Fi. It's not as much of a challenge as it used to be, but it still can be.
Refer to your vendor documentation.
Make sure you change any default, identification and configuration settings.
The last security configuration issue is missing updates and patches, not ensuring that your systems are completely up to date. This includes all of the applications on all of the systems within your infrastructure. Think through each of these security configurations and see how you can fix these within your own infrastructure.
Another part of security configurations is baselines. These are established by governmental mandate, regulatory bodies or industry requirements such as the Payment Card Industry or HIPAA for US healthcare.
The issue is that the configuration management isn't in place, and you don't even know if you have a secure configuration on all of your systems and servers within your infrastructure.
Another challenge is exceptions, both on the system level and people level.
How do you handle policy exceptions within your infrastructure? Do all systems need to be kept up to date? Or do you have some exceptions that could allow for a breach or malware?
See domain one for more information on baselines and frameworks.
Another concept associated with baseline deviation is when you've established normalization based on known practices within your environment. This is system or network activity. We see this with SIEM and IDS/IPS devices, which know the normal behavior on your network.
A baseline deviation means you're going above your normalized activity or below it.
It could be an issue of too much traffic or too little network traffic. Issues include: the baseline isn't established. How do you know what is normal within your network for that particular network or system?
Or your baseline got corrupted. A baseline can get out of date due to updates and patches.
Dynamic baselining is more effective than static baselining and allows for continual checking of your systems' normal behavior to set consistent baselines. This way, you know any deviancy that may occur.
There are also application issues associated with security.
First of all, unauthorized software, where users can install applications on endpoint devices. They install games on their laptops or desktops, or they have a smartphone provided by the company that is also used for personal use.
You should set a baseline of what's allowed for software, a whitelist, and then blacklist any software that is not allowed.
Reduce the administrative privileges. Another common challenge is license compliance violations. The Business Software Alliance checks to make sure you're in compliance with all of your licensing agreements, so people aren't downloading paid versions of software that really are not in compliance with the license.
There are some simple solutions associated with these application issues.
First and foremost, implement a policy for software acquisitions. Only certain people within your company should be allowed to acquire,
download and install software. Applications shouldn't be up to any employee within the company.
You need to also read all license agreements: what is required? I know they're boring, but read the license agreements to make sure you can stay in compliance.
Maintain an inventory list of your applications. Know what you have on your systems and where each is used.
Last, perform that audit for compliance.
Know what applications are on what systems and make sure that complies with your inventory list and complies with your licensing, to ensure there is no unauthorized software in your environment.
Logging is the process of collecting data to be used for monitoring and auditing purposes. You should develop standards for each platform, application, system and server in your inventory and make this a checklist and monitoring function.
When choosing what to log, carefully consider your options.
Logs can take up a lot of disk space and use system resources.
They also have to be read and monitored. If you log too much, the system bogs down, and weeding through the log files to determine what's important takes a very long time and simple things may be missed.
Be sure to mandate a common storage location for all logs. Use centralized logging systems or SIEM.
Documentation also should state the proper methods for archiving and reviewing logs.
On your screen, you see solutions for logs and event anomalies, such as centralized logging, the use of a SIEM, or even a security operations center where all of the logs go to a remote service that's watching them for you.
All of these are important to understand for Security+ and for your role as a security professional.
The last topic in this section is personnel issues. This is people problems.
Policy violations: people who knowingly violate a policy. That's why you need to have enforcement in place. It's critical to have upper management in support of your policies.
Insider threats. We don't have exact statistics for the insider threat because we don't always know when insiders are causing problems or not,
but it is a known challenge. So be ready to address insider threats within your organization.
Social engineering is covered in another video, but is a common problem, particularly phishing, spamming, spear phishing, whaling, vishing, smishing and the like.
Social media use. It's also a challenge within some organizations. Are employees allowed to use social media from work systems? Consider creating some policies and rules around the use of social media within your company.
Same idea with personal email: how, when and where is personal email allowed within your infrastructure?
Solutions include policies, having security awareness training in place, and then potentially using a data loss prevention system to reduce the impact of social media and personal email, to make sure people can't leak out sensitive information through social media or personal email.
The best way to understand personnel issues and to solve them is to understand how people work.
In this section, I discussed some common challenges associated with troubleshooting and cyber security.
You see the list on your screen.
Let's practice with a sample question.
For this common security issue, the first item to check as you begin the troubleshooting process is that the correct username and password have been entered.
The answer is C, authentication issues. Mistyped user ID and password happens to all of us.
This concludes the video for section 2.3: Given a scenario, troubleshoot common security issues.
Refer to your study material for more information on these topics.