Security+: Given a Scenario, Troubleshoot Common Security Issues
Domain 2.3 of the Security+ SY0-501 exam is a new addition to this version of the certification. It seeks to determine your understanding of basic security-related troubleshooting and fault-finding. The exam requires a certain level of real-world understanding on the part of the candidate, so we will take a look at how you can best prepare yourself for this subdomain.
Unencrypted Credentials and Clear Text
The exam expects you to understand that clear text transmissions and unencrypted credentials as a means of authentication are no longer acceptable on modern networks and the internet. CompTIA tests your understanding in this regard and you can expect questions that touch on this, either directly or indirectly. This has real-world relevance as well, so your key takeaway from this is that you do not want to use unencrypted communications that transmit credentials.
In addition, candidates should know about secure, encrypted protocols such as TLS, SSH and IPsec (the last commonly used for VPNs). Candidates are expected to know that FTP, Telnet and unencrypted HTTP send data in clear text, which is why they are useful in troubleshooting exercises: a packet sniffer can inspect the traffic and show exactly which data is exposed.
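As an added example (not from the original article), the following script shows the defender's side of that troubleshooting exercise: it scans reassembled application payloads for credentials that crossed the network in clear text over FTP, Telnet or plain HTTP, and reports them with the password masked. The capture records are constructed inline; port-to-protocol mapping uses the standard port numbers, and the `Finding` record shape is an assumption made for this example.

```python
"""Added example: flag credentials that traverse the network in clear text.

The capture below is constructed inline; in practice the same logic would run
over payloads pulled from a packet capture. Passwords are masked so that the
report is not itself another clear-text copy of the secret.
"""
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Ports whose application protocol carries credentials unprotected unless
# wrapped in TLS or SSH (FTPS/SFTP, HTTPS, POP3S and IMAPS use other ports).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}


@dataclass(frozen=True)
class Finding:
    protocol: str
    dst_port: int
    username: str
    masked_password: str  # only the length survives into the report


def mask(secret: str) -> str:
    """Replace a secret with a same-length run of asterisks."""
    return "*" * len(secret) if secret else "<empty>"


def inspect_payload(dst_port: int, payload: str) -> list[Finding]:
    """Return every clear-text credential found in one reassembled payload."""
    proto = CLEARTEXT_PORTS.get(dst_port)
    if proto is None:  # 22, 443, 993 ...: encrypted, nothing readable here
        return []
    findings: list[Finding] = []

    if proto == "HTTP":
        # HTTP Basic auth is base64 (an encoding), not encryption.
        m = re.search(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", payload)
        if m:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            user, _, pw = decoded.partition(":")
            findings.append(Finding(proto, dst_port, user, mask(pw)))
        # A login form posted over plain HTTP exposes the password field.
        if payload.startswith("POST") and "\r\n\r\n" in payload:
            fields = parse_qs(payload.split("\r\n\r\n", 1)[1])
            pw_field = next((k for k in ("password", "passwd", "pwd") if k in fields), None)
            if pw_field:
                user = (fields.get("username") or fields.get("user") or ["?"])[0]
                findings.append(Finding(proto, dst_port, user, mask(fields[pw_field][0])))

    if proto in ("FTP", "POP3"):
        # USER and PASS are sent as separate commands in the same session.
        pending_user = None
        for cmd, arg in re.findall(r"^(USER|PASS)\s+(\S+)", payload, re.MULTILINE):
            if cmd == "USER":
                pending_user = arg
            elif pending_user is not None:
                findings.append(Finding(proto, dst_port, pending_user, mask(arg)))
                pending_user = None

    if proto == "Telnet":
        # A reassembled Telnet stream shows the login dialogue in full.
        m = re.search(r"login:\s*(\S+)\s*Password:\s*(\S+)", payload)
        if m:
            findings.append(Finding(proto, dst_port, m.group(1), mask(m.group(2))))
    return findings


def scan_capture(records) -> list[Finding]:
    """Run inspect_payload over (dst_port, payload) records and flatten the results."""
    return [f for port, payload in records for f in inspect_payload(port, payload)]


# Constructed capture records: (destination port, reassembled application payload).
SAMPLE_CAPTURE = [
    (80, "GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
         + base64.b64encode(b"alice:hunter2").decode() + "\r\n\r\n"),
    (21, "USER backup\r\nPASS Autumn-2019\r\nLIST\r\n"),
    (80, "POST /login HTTP/1.1\r\nHost: portal.example\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=bob&password=pa55word"),
    (23, "login: root\r\nPassword: toor\r\n"),
    (443, "\x16\x03\x01\x00\xc4..."),  # TLS ClientHello: opaque to the scanner
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_CAPTURE):
        print(f"{f.protocol:6} :{f.dst_port:<4} user={f.username!r} password={f.masked_password}")
```

Each flagged session is a candidate for migration to SSH, SFTP/FTPS or HTTPS; the record on port 443 produces nothing because the scanner has nothing readable to inspect, which is exactly the property you want.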
Logs and Events Anomalies
The SY0-501 tests your knowledge of log storage best practices: what data needs to be stored, and what to do if your log storage system is affected or compromised. Knowing how to mitigate potential information loss and external manipulation is important in these scenarios, so be sure to understand the concepts involved. You should be familiar with logging services, log file permissions, and where to look for specific anomalies in the log files. Candidates should also be aware of remedies such as backup restoration and localized system repairs to the centralized log, event and record-keeping systems on the network. Understand what you should do if suspicious activity is detected on the network.
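To make "where to look for anomalies in the log files" concrete, here is an added example (not from the original article) that scans a small authentication log for a burst of failed logins, a success following that burst, timestamps that run backwards, a long silence, and entries that no longer parse. The log lines, the year used for parsing, and the thresholds are constructed assumptions for this example.

```python
"""Added example: scanning authentication logs for common anomalies.

The log lines are constructed syslog-style entries; the year, thresholds and
the (kind, line_number, detail) result shape are assumptions made here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_line(line: str, year: int = 2024):
    """Split one syslog line into (timestamp, host, process, message) or None."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["proc"], m["msg"]


def find_anomalies(lines, burst=5, window=timedelta(seconds=60), max_gap=timedelta(hours=1)):
    """Return (kind, line_number, detail) tuples for each anomaly found."""
    anomalies = []
    prev_ts = None
    recent_failures = defaultdict(deque)  # source IP -> failure timestamps inside the window
    bursting = set()                      # sources already reported as brute-forcing

    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            # Lines that do not parse at all can mean corruption or manual editing.
            anomalies.append(("unparseable", n, line[:60]))
            continue
        ts, host, proc, msg = parsed

        if prev_ts is not None:
            if ts < prev_ts:
                # Time moving backwards: clock change, or entries inserted or edited.
                anomalies.append(("out_of_order", n, f"{ts} is earlier than {prev_ts}"))
            elif ts - prev_ts > max_gap:
                # Silence longer than the threshold: logging stopped or was cleared.
                anomalies.append(("logging_gap", n, f"no entries for {ts - prev_ts}"))
        prev_ts = ts if prev_ts is None else max(prev_ts, ts)

        m = FAILED.search(msg)
        if m:
            q = recent_failures[m["ip"]]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= burst and m["ip"] not in bursting:
                bursting.add(m["ip"])
                anomalies.append(("auth_burst", n, f"{len(q)} failures from {m['ip']} within {window}"))
            continue

        m = ACCEPTED.search(msg)
        if m and m["ip"] in bursting:
            # A success right after a burst of failures deserves immediate review.
            anomalies.append(("success_after_burst", n, f"{m['user']} logged in from {m['ip']}"))
    return anomalies


# Constructed sample: a small auth log with several deliberate anomalies.
SAMPLE_LOG = [
    "Mar 10 08:00:01 srv1 sshd[1001]: Accepted publickey for alice from 10.0.0.5 port 50010 ssh2",
    "Mar 10 08:00:10 srv1 sshd[1002]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2",
    "Mar 10 08:00:12 srv1 sshd[1003]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2",
    "Mar 10 08:00:14 srv1 sshd[1004]: Failed password for root from 203.0.113.9 port 40003 ssh2",
    "Mar 10 08:00:16 srv1 sshd[1005]: Failed password for root from 203.0.113.9 port 40004 ssh2",
    "Mar 10 08:00:18 srv1 sshd[1006]: Failed password for root from 203.0.113.9 port 40005 ssh2",
    "Mar 10 08:00:40 srv1 sshd[1007]: Accepted password for root from 203.0.113.9 port 40006 ssh2",
    "Mar 10 07:58:00 srv1 sshd[1008]: Accepted publickey for alice from 10.0.0.5 port 50011 ssh2",
    "Mar 10 11:30:00 srv1 sshd[1007]: pam_unix(sshd:session): session closed for user root",
    "###### corrupted entry ######",
]

if __name__ == "__main__":
    for kind, n, detail in find_anomalies(SAMPLE_LOG):
        print(f"line {n:2}: {kind:20} {detail}")
```

The out-of-order and gap checks are the ones that matter most for the "log storage compromised" scenario: an attacker who edits or truncates a log rarely preserves monotonic timestamps, and a centralized log server that stops receiving entries from a host is itself an event worth alerting on.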
Candidates must understand what privileges and permissions mean in the context of general computer usage, as opposed to what user rights are. This includes terms such as the principle of least privilege, which is the methodology employed by network administrators that gives users just enough control over their systems to accomplish their day-to-day tasks. Given too many privileges, the user may inadvertently and adversely affect the enterprise, while too few privileges will lead to the user not being able to work properly.
Candidates must also understand group policies for network resources and how to determine which users need access to specific resources and which do not need access. Troubleshooting permission issues is also a requirement, as is an understanding of group permissions in a network environment, especially in scenarios where single users are members of multiple groups with potentially conflicting policies.
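As an added example (not from the original article) of resolving the multiple-group conflict just described, the script below computes a user's effective permissions from an access control list, reports where group memberships contradict each other, and compares what is granted with what the job actually needs, the least-privilege check. The ACL, the group directory and the resolution rule (an explicit deny overrides any allow, and anything not mentioned is denied) are assumptions made for this example, not a description of any particular product.

```python
"""Added example: effective permissions for a user in several groups.

ACL entries, group memberships and the "deny wins, default deny" rule are
constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    principal: str  # "user:<name>" or "group:<name>"
    resource: str
    action: str
    effect: str     # "allow" or "deny"


# Constructed ACL and directory.
ACL = [
    AclEntry("group:finance", "payroll", "read", "allow"),
    AclEntry("group:finance", "payroll", "write", "allow"),
    AclEntry("group:contractors", "payroll", "write", "deny"),
    AclEntry("group:staff", "public", "read", "allow"),
    AclEntry("user:bob", "payroll", "read", "deny"),
]
GROUPS = {
    "alice": {"finance", "staff"},
    "bob": {"finance", "staff"},
    "carol": {"finance", "contractors", "staff"},
}
ACTIONS = ("read", "write")


def principals_for(user: str) -> set[str]:
    """The user plus every group the user belongs to."""
    return {f"user:{user}"} | {f"group:{g}" for g in GROUPS.get(user, ())}


def matching_entries(user: str, resource: str, action: str) -> list[AclEntry]:
    ps = principals_for(user)
    return [e for e in ACL if e.principal in ps and e.resource == resource and e.action == action]


def is_allowed(user: str, resource: str, action: str) -> bool:
    """Deny overrides allow; no matching entry at all means no access."""
    entries = matching_entries(user, resource, action)
    if any(e.effect == "deny" for e in entries):
        return False
    return any(e.effect == "allow" for e in entries)


def conflicts(user: str, resource: str) -> dict:
    """Actions where the user's memberships produce both an allow and a deny."""
    out = {}
    for action in ACTIONS:
        entries = matching_entries(user, resource, action)
        if {e.effect for e in entries} == {"allow", "deny"}:
            out[action] = sorted(e.principal for e in entries)
    return out


def least_privilege_report(user: str, resource: str, needed: set[str]) -> dict:
    """Compare what the user can do with what the job requires."""
    granted = {a for a in ACTIONS if is_allowed(user, resource, a)}
    return {"excess": granted - needed, "missing": needed - granted}


if __name__ == "__main__":
    for u in GROUPS:
        effective = {a: is_allowed(u, "payroll", a) for a in ACTIONS}
        print(u, effective, conflicts(u, "payroll"))
```

The `conflicts` output is the troubleshooting view: when a user reports "I can read but not write payroll", it names the specific memberships that collide, so the fix is a group change rather than a blanket extra allow that would break least privilege.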
Understand what an access violation is. Know the difference between unauthorized access to a network or network resources and improperly configured user permissions that result in unauthorized access. The exam will test your knowledge on system-specific access violations, such as changed system files, missing system files, and other evidence of unusual file states and possible access violations on the system.
Candidates should understand what circumstances give rise to certificate issues, as well as how to prevent them from appearing within their environment. Candidates should be familiar with digital certificate and CA problems, as well as public keys and trusted root lists. Candidates should also understand what steps need to be taken in the event of a certificate being used in criminal activities, how CRLs and OCSP are used to check revocation, and general certificate troubleshooting.
Candidates should be aware that a data exfiltration event means that there has been an intrusion from outside of the network, and what steps need to be taken in the aftermath. Data loss and data leakage need to be understood, along with the potential losses the company could incur. Steps to troubleshoot data exfiltration should also be understood, as well as basic countermeasures. Understand how data logs can be useful when conducting a post-mortem of the event and what to look out for.
Understand how a misconfigured device has the potential to act as a starting point for an attack on your system, and what you should do when you discover a device that has not been configured correctly. The exam will test your knowledge of baseline documentation and of the procedures and best practices for configuring network devices. These devices include:
- Firewalls—You need to be aware that a misconfigured firewall has the potential to open up the internal network to external threats, allowing unauthorized access to the network and leaving the organization vulnerable to malware and other malicious software. You should know about patches, updates, configuration errors, and management interface access. Basic security concepts such as changing the default administrator passwords and disabling the WAN management interface should also be understood by the candidate.
- Content Filter—Knowing how a content filter can fail, and what that failure means for your network, is important, and questions relating to this might appear in the exam. Candidates should understand basic payload structures and basic encoding formats, such as ASCII, Hex and Unicode, as well as how a filter processes them and what the results look like. Exploits such as meta-characters and undesirable datasets hidden within data packets should also be understood for the exam.
- Access Points—Misconfigured access points are among the most common points of attack, so the SY0-501 requires candidates to understand the weaknesses that allow unauthorized access, such as outdated firmware, default usernames and passwords, and unlocked management interfaces, and the measures that address them. Candidates must also know best practice for WPA2 encryption and password creation, as well as multi-factor authentication.
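The content-filter point above (encoding formats and how the filter processes them) is the one most easily shown in code. The following is an added example, not from the original article: a filter that matches its blocklist against the raw input misses the same content when it arrives percent-encoded, HTML-escaped, as `\x`/`\u` escapes or in Unicode compatibility forms, while a filter that canonicalizes first catches all of them. The blocklist patterns and the sample inputs are constructed for this example and are not a complete ruleset.

```python
"""Added example: why a content filter must canonicalize before matching.

Blocklist patterns and sample inputs are constructed for this example.
"""
import html
import re
import unicodedata
from urllib.parse import unquote

# Patterns a simple filter might refuse. Constructed; not a complete list.
BLOCKLIST = [
    ("script tag", re.compile(r"<script", re.IGNORECASE)),
    ("path traversal", re.compile(r"\.\./")),
]


def normalize(s: str, max_rounds: int = 5) -> str:
    """Decode layered encodings until the text stops changing (or rounds run out)."""
    for _ in range(max_rounds):
        before = s
        s = unquote(s)                                                    # %3C        -> <
        s = html.unescape(s)                                              # &lt; &#x3c; -> <
        s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
        s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
        s = unicodedata.normalize("NFKC", s)                              # fullwidth U+FF1C -> <
        if s == before:
            break
    return s


def naive_filter(payload: str):
    """Match the blocklist against the input exactly as received."""
    return next((name for name, pat in BLOCKLIST if pat.search(payload)), None)


def normalizing_filter(payload: str):
    """Match the blocklist against the canonical form of the input."""
    return naive_filter(normalize(payload))


# Constructed inputs: each carries "<script" or "../" in a different encoding.
SAMPLES = [
    "<script>x</script>",                 # plain ASCII
    "%3Cscript%3Ex%3C/script%3E",         # percent-encoded
    "%253Cscript%253E",                   # double percent-encoded
    "&lt;script&gt;",                     # HTML entities
    "\\u003cscript\\u003e",               # unicode escapes
    "\\x3cscript\\x3e",                   # hex escapes
    "\uff1cscript\uff1e",                 # fullwidth angle brackets
    "..%252f..%252fetc/passwd",           # double-encoded traversal
    "hello world",                        # benign
]


def compare(samples=SAMPLES) -> dict:
    """Return {sample: (naive verdict, normalizing verdict)}."""
    return {s: (naive_filter(s), normalizing_filter(s)) for s in samples}


if __name__ == "__main__":
    for s, (raw, canon) in compare().items():
        print(f"{s!r:40} naive={str(raw):16} normalized={canon}")
```

The bounded loop matters: decoding once is not enough for double-encoded input, but decoding without a limit invites a denial-of-service on pathological inputs, so the filter decodes until the text is stable or the round budget runs out.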
Weak Security Configurations
Candidates must understand how to avoid weak security configurations across a wide range of devices and environments. Basic methodologies include replacing old hardware with compliant versions that have better security features, applying firmware and configuration updates, and updating network configurations to prevent unauthorized access. Evaluation cycles, security assessments and security recommendations should also be understood for the exam.
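Both the misconfigured-device list above (firewalls and access points) and this section on weak configurations come down to the same practice: compare what a device is actually running against a documented baseline. The following added example (not from the original article) audits two exported device configurations against a hardening baseline and reports each deviation. The device records, the baseline values, the default-credential list and the `Deviation` record are constructed assumptions; a real baseline comes from the vendor's hardening guide and the organization's own documented configuration.

```python
"""Added example: checking exported device settings against a baseline.

Device records, baseline values and the default-credential set are constructed
for this example.
"""
from dataclasses import dataclass

# Well-known factory credential pairs (constructed subset for the example).
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}

# Constructed baseline per device class.
BASELINE = {
    "firewall": {"min_firmware": (6, 2, 0), "wan_mgmt": "off"},
    "access_point": {"min_firmware": (2, 8, 0), "wireless_security": "wpa2",
                     "min_psk_length": 14, "wlan_mgmt": "off"},
}


@dataclass(frozen=True)
class Deviation:
    device: str
    setting: str
    observed: str
    expected: str


def parse_version(s: str) -> tuple:
    """'6.10.1' -> (6, 10, 1) so that versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def check_device(dev: dict) -> list[Deviation]:
    """Compare one exported device configuration with its class baseline."""
    base = BASELINE[dev["type"]]
    name = dev["name"]
    out: list[Deviation] = []

    if parse_version(dev["firmware"]) < base["min_firmware"]:
        out.append(Deviation(name, "firmware", dev["firmware"],
                             ".".join(map(str, base["min_firmware"]))))

    if (dev["admin_user"], dev["admin_password"]) in DEFAULT_CREDS:
        out.append(Deviation(name, "admin_credentials", "factory default", "unique password"))

    # Management interfaces must not be reachable from the untrusted side.
    for key in ("wan_mgmt", "wlan_mgmt"):
        if key in base and dev.get(key) != base[key]:
            out.append(Deviation(name, key, str(dev.get(key)), base[key]))

    # A permit-everything rule turns a firewall into a router.
    for i, rule in enumerate(dev.get("rules", [])):
        if rule["src"] == "any" and rule["dst"] == "any" and rule["action"] == "allow":
            out.append(Deviation(name, f"rule[{i}]", "allow any->any", "explicit source/destination"))

    if "wireless_security" in base:
        if dev.get("wireless_security") != base["wireless_security"]:
            out.append(Deviation(name, "wireless_security", str(dev.get("wireless_security")),
                                 base["wireless_security"]))
        psk_len = len(dev.get("psk", ""))
        if psk_len < base["min_psk_length"]:
            out.append(Deviation(name, "psk_length", str(psk_len), f">= {base['min_psk_length']}"))
    return out


def audit(devices) -> dict:
    """Map each device name to its list of deviations from the baseline."""
    return {d["name"]: check_device(d) for d in devices}


# Constructed exported configurations.
DEVICES = [
    {"name": "edge-fw1", "type": "firewall", "firmware": "6.1.4", "admin_user": "admin",
     "admin_password": "admin", "wan_mgmt": "on",
     "rules": [{"src": "any", "dst": "any", "action": "allow"},
               {"src": "10.0.0.0/8", "dst": "192.0.2.10", "action": "allow"}]},
    {"name": "lobby-ap3", "type": "access_point", "firmware": "2.8.1", "admin_user": "admin",
     "admin_password": "Zq7!rt-Lobby-2024", "wireless_security": "wpa2", "psk": "Summer2020",
     "wlan_mgmt": "off"},
]

if __name__ == "__main__":
    for name, devs in audit(DEVICES).items():
        print(f"{name}: {len(devs)} deviation(s)")
        for d in devs:
            print(f"  {d.setting}: observed {d.observed}, expected {d.expected}")
```

Run on a schedule, the same audit turns the exam's "baseline deviation" scenario into a routine: a device that drifts from the baseline is either pulled from production and corrected, or, if the change turns out to be an improvement, the baseline itself is updated and re-documented.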
The Security+ highlights that the human component of a security system is usually the weakest link in the chain, so the SY0-501 requires candidates to be familiar with some of these potential human failings. Understand how people can jeopardize the security of a network by being unintentionally complicit in harming it, by making errors that harm the system, or by purposefully flouting the company policies that are in place to protect systems. Familiarize yourself with personnel strategies that minimize human-created risk within the organization. Also understand personnel-specific areas such as awareness training, personnel evaluation, user logs, and user intent.
Candidates should be familiar with policy violations for the exam, as well as the different types of actions to take in the event of a security incident as a result of a policy violation. Be familiar with outcomes, such as retraining, reassignment, and termination. The severity of the outcome will be determined by the seriousness of the breach.
For the exam, candidates should know that an insider threat is a deliberate effort on the part of an employee to cause damage to the network, reveal company secrets, or adversely affect the operation of the enterprise. Examples include revealing remote access details and passwords, and intentionally introducing viruses and malware via insecure media such as mobile devices or removable media. Understand what needs to be done in the aftermath of such an event and how the information and resources within the organization might need to be reassessed and re-secured.
The exam touches on social engineering and how it is used against businesses to gain unauthorized access to company information and resources. Understand the key components of an investigation after such an event, as well as training programs and countermeasures for the exam.
Candidates must be familiar with company acceptable use policies, how to prevent access to social media sites via firewalls and filters on the network, and group policy implementations that restrict such access.
The exam requires candidates to understand the dangers that personal email poses to the organization; malware and email viruses are examples. Blocking access is one common solution, and could come up in the exam as a way to troubleshoot and prevent such access.
Unauthorized software, especially pirated and cracked software, has the potential to bring malware into a network. For the exam, think about the software that could be installed in such a scenario, and what category it fits into:
- Legitimate software useful in the work environment
- Malicious or potentially malicious
- Not work-related
For the exam, learn what to do if you discover any of the above instances.
For the exam, candidates should be aware of what to do in the event of a baseline deviation: either remove the unit from production, or change the baseline if the deviation is actually beneficial. Understand concepts such as static systems and restrictive system modification policies.
License Compliance Violation (Availability and Integrity)
Understand the importance of legally licensed software in avoiding legal issues for a business. Also be aware that software may only be used when properly licensed, and under what circumstances you would find software being used outside the scope of its license, which would therefore be problematic. Explore over-utilization, such as installing more instances of software than the license allows, as an example of non-compliance.
Candidates must understand how tracking hardware and software is achieved through asset management. Be familiar with updates, revisions, replacements, and upgrades as part of the asset management process. Learn about theft, loss, and accidental disposal as part of asset management. Also understand the concept and necessity for manual verification of asset management systems by means of a physical count or stock take.
Authentication issues cover a large territory, but candidates should be familiar with credential violations, what to do in the event of credential leaks, system breaches that result in the invalidation of all passwords, and steps to follow after an account impersonation incident. Authentication issues can also result from system failures, so failed authentication troubleshooting steps should also be learned as part of your preparation for the exam.
Preparing for the Security+ requires many different avenues of study and the topics that are covered span multiple segments of information security, making it an excellent starting point for anyone looking to get into cybersecurity. Be sure to check out InfoSec Institute’s comprehensive Security+ Training Boot Camp. It has been designed especially for those wishing to get started with their Security+ and it is an excellent way to get prepared to pass your exam. More information can be found here.