CompTIA Security+® All-in-One Exam Guide, Fifth Edition (Exam SY0-501)

CHAPTER 8 Troubleshooting Common Security Issues

In this chapter, you will

• Identify common security issues

• Given a scenario, troubleshoot common security issues

Troubleshooting common security issues is a common aspect of a security professional’s daily job. Learning to recognize common security issues and the solutions to fixing them is an important skill to master.

Certification Objective This chapter covers CompTIA Security+ exam objective 2.3, Given a scenario, troubleshoot common security issues. This exam objective is a good candidate for performance-based questions, which means you should expect questions in which you must apply your knowledge of the topic to a scenario. The best answer to a question will depend upon specific details in the scenario preceding the question, not just the question. The question may also involve tasks other than just picking the best answer from a list. Instead, it may involve actual simulation of steps to take to solve a problem.

Unencrypted Credentials/Clear Text

Unencrypted credentials or cleartext credentials are unfortunately still a common security issue. When credentials are transferred from one machine to another, it is important to protect the transfer of this information from unauthorized observation. When information is sent between machines in cleartext or unencrypted form, the information being transmitted is subject to eavesdropping by any machine in the communication pathway. The information is also subject to release in the event of an error that results in the credential information being persisted in a log or displayed on someone’s screen. Maintaining security over credentials is essential to prevent their disclosure to unauthorized parties, and as such they should never be transmitted across cleartext forms of communication in unencrypted form.

Logs and Events Anomalies

Logs, or log files, are an everyday part of computing. What makes log files useful is the exercise of careful discrimination when choosing what is logged. The objective of logging is to record event anomalies. Event anomalies are conditions that differ from expected outcomes. One of the challenges is in determining what to log and what not to log. When logging something, it is important to determine whether that information has a potential security implication, or will be used in some form at a later time. Take the example of successful logins. This can be an important element to log on some resources. And if the successful login data is missing from a log when you expect it to be there because of other factors, this is an anomalous event. Was the log erased? Was there an error in the machine setup?

On a workstation, successful logins can be used to establish the beginning of a session. On some high-value assets, this information is important because the set of users accessing the information is most likely limited, and because of the value of the information, this information can be useful. If you notice, for example, that a particular user, who only accesses the system monthly to audit the machine, has started logging in every day, and late at night, this is clearly an anomalous event.

Permission Issues

Permission issues are problems associated with user permissions involving access and using resources. Verifying user rights and permission issues is a practice that should occur at a reasonable interval and be based on the level of user. Periodic review of rights and permissions is one of the more powerful security controls. But the strength of this control depends upon rights and permissions kept up to date and properly maintained. Ensuring that the list of users and associated rights is complete and up to date is a challenging task in anything bigger than the smallest enterprises. A compensating control that can assist in keeping user rights lists current is a set of periodic audits of the user base and associated permissions.

Access Violations

Access violations occur when someone attempts to access a resource that they do not have permission to access. There are two reasons for this error. First, the user is unauthorized and is either making a mistake or attempting to get past security. The other option is that permissions are set inappropriately. This second option is not as rare as one would think, but it also tends to be self-correcting, for if the user should have permission, they typically request the issue be fixed.

As attackers probe a network, looking for information to steal, they can frequently trigger access violations. Tracking and investigating unusual access violations can be an important tool to find intruders, especially intruders of the advanced persistent threat (APT) type. Finding the “unusual access violations” typically requires a security information and event management (SIEM) system to sort through and group violations and other indicators to highlight the data points of interest.

Certificate Issues

Certificates are means for carrying public keys and vouching for their authenticity. A common certificate issue is when a user attempts to use a certificate that lacks a complete chain of trust back to a trusted root, leaving the certificate hanging without any means of validation. These chain of trust violations can sometimes be “fixed” when the end user installs the certificate into the trust repository. But this then begs the question, should that certificate be trusted? Maintaining the repository of trusted certificates across an enterprise is another exercise in distributed configuration maintenance, a challenge to keep up to date. Failure to install a needed trust chain makes a key that should be trusted, untrusted. Failure by accepting a trust chain that should not be trusted means accepting certificates in the future that should not be trusted.

Data Exfiltration

Data is the primary target of most attackers. The value of the data can vary, making some data more valuable and, hence, more at risk of theft. Data exfiltration is where an attacker attempts to steal a copy of your data and export it from your system.

To prevent theft, a variety of controls can be employed. Some are risk mitigation steps, such as data minimization, which is the act of not storing data that isn’t needed by the enterprise for a specific business purpose in the future. If it must be stored and has value, then use technologies such as data loss prevention (DLP) to provide a means of protection. Simple security controls such as firewalls and network segmentation can also act to make data theft more difficult.

Another preventative measure for data exfiltration is the DLP (data loss prevention) technology. DLP is discussed in detail in Chapter 6. With respect to this section, DLP technology offers a way to observe in real time if there is an attempt to exfiltrate data that has been labeled as sensitive, and to some degrees offer ways to stop the transfer. USB devices can be of particular concern and one option available to Windows users is the extension of Bitlocker technology to USB drives, forcing encryption onto the drive and encrypting all data that moves to the drive, with a key that remains in the enterprise. This makes the data unreadable outside the enterprise.

Images

EXAM TIP We have covered six different common security issues—can you troubleshoot them? What are the symptoms of each, and how would you identify and differentiate each?

Misconfigured Devices

Misconfigured devices represent one of the more common security issues and can go completely unnoticed. Many security controls depend upon a properly configured device to function properly. Consider access control lists, for example; suppose you carefully select the users from the list to grant access to a system, limiting who can open a file, but you fail to notice that the top entry in the list, “everyone,” is checked. The result is that this one check box overrides all of your selections and nonselections, automatically granting everyone access by default. Without any warnings, this oversight just destroyed your attempt at access control.

Firewalls, content filters, and access points are all common systems with configurations that are critical for proper operation. This misconfiguration issue is common enough that the NIST Risk Management Framework (https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview) states specifically that controls must be tested once they are put in place to ensure they actually work as desired.

Firewall

Firewalls essentially are devices to enforce network access policy. Using a set of rules, a firewall either allows or blocks passage of packets. The key is the ruleset. A solid ruleset enables solid controls, whereas a sloppy ruleset enables sloppy controls. Over time, rulesets become less orderly and have issues due to exceptions. For example, while troubleshooting a connection issue, a network tech may request that a particular port be opened on a firewall, in response to which a “temporary” rule is created. After the testing is complete, another pressing issue might lead to the “temporary” rule being forgotten about and never removed. Consequently, an attacker could target the open port for exploitation. Auditing firewall rulesets against the business policy requirements will find these issues, but audits are time consuming and tedious. And when an auditor finds a rule that is clearly for testing, it must be determined if the test or exception that the rule is in place for is still ongoing, or is it over and the rule should be removed.

Content Filter

Content filters are used to limit specific types of content across the Web to users. A common use is to block sites that are not work related, and to limit items such as Google searches and other methods of accessing content determined to be inappropriate. Like all other policy enforcement devices, content filters rely upon a set of rules, and rule maintenance is an issue. One of the most common issues with content filters is too broad of a blocking. In a medical environment, blocking the word “breast” will not work, nor in a chicken plant. There needs to be a mechanism in place to lift blocks easily and quickly if a user objects and it is easy to determine they should have access.

Access Points

Access points are the first line of defense, where access to a network is either granted or denied. Access points, whether RJ-45 physical jacks or wireless, need a method of determining entry criteria, before allowing access to network resources. Whether by local ACL, advanced systems such as RADIUS, or network access control (NAC), access points are only as good as the rules behind them. They must be configured with appropriate criteria for determining which traffic to grant or deny access to the network. Maintaining the proper entry criteria across the backend systems that the access point depends upon to enforce these rules can be a challenge. This challenge grows in scale when hardware checks are incorporated and there is a lot of changing hardware, or personnel changes.

Images

EXAM TIP In this section, we looked at common issues with misconfigured devices, specifically firewalls, content filters, and access points. Consider how these would be described in terms of a scenario for exam questions.

Weak Security Configurations

Weak security configurations refer to the choice of a set of configuration parameters associated with a software application or operating system that results in greater than necessary security risk. One of the advantages of software is its ability to be configured to fit different situations, and some of these configurations are inherently more secure.

An example is in choosing cipher suites (algorithms) when setting up HTTPS. The most common example of a weak security configuration in this context is the choice of SHA-1 signature-based certificates. Although technically still usable, SHA-1 has been replaced by SHA-2, and many security professionals consider SHA-1 to be weak. Other examples would be to pick a configuration of SSLv2, or an RSA key length of 1024 bits. Using outdated or weak cipher suites is hard to justify when picking stronger options is merely a configuration setting away.

Another example is in establishing password policies with respect to an operating system or domain. Allowing users to choose weak passwords and allowing users unlimited password tries without locking the account are legitimate options, although ill-advised choices. Either of these choices would result in a weak security configuration of the OS.

Personnel Issues

Personnel issues in the context of security are the problems caused by users, through their actions and errors. People form an important part of the security environment in an organization. Poorly trained users can weaken even well-thought-out security plans by clicking e-mail links and the like. In many cases, the final line of defense is not the security team, but regular users, as they are the ones who are likely to be phished. People are easily attacked via social engineering, allowing an attacker to get the initial foothold on a system from which they can advance an attack.

Policy Violation

Policy violations occur when personnel do not adhere to written polices established by the organization. Enterprises set up a wall of policies to cover a wide range of security behaviors, from acceptable use policies, to password policies, to clean desk and vacation policies, and more. The purpose behind these policies is to provide guidance to the personnel in the organization regarding what is proper and acceptable behavior and what behaviors should be avoided. Personnel violate these policies for multiple reasons, including lack of knowledge, lack of situational awareness, and failure to follow directions (willful disobedience).

For personnel who lack knowledge of the policy, policy-specific training is the answer. For those who have problems with situational awareness, they may understand the policy but not recognize when it is applied, in which case the best answer is training with respect to awareness of the problem. Whereas both of these reasons for policy violations can be addressed and resolved through training, the third category, willful disobedience, requires a different approach. Every organization typically has a small percentage of employees who don’t care and will routinely violate policy. These personnel need to be identified and isolated in such a manner that they do not jeopardize the security for the entire organization. For punishments, it is important to integrate with HR and to use terms like “up to and including termination,” but not to specify punishments, as circumstances may preclude predetermining punishments in some cases.

Insider Threat

All activity on a system takes place under an account. An account defines a user, to which items such as the levels of privilege to objects can be assigned. Users have access granted to their account because trust is required for them to perform their duties, and this trust is reflected in the permissions given to their account. An insider who acts maliciously abuses this trust, and is considered an insider threat. An insider threat is a more significant challenge to the organization than an outside attacker because the insider already has at least basic privileges on the system. In the attack chain, one of the early steps, and sometimes a difficult step for outside attackers, is establishing basic user access on a system. The insider threat, in essence, begins with this step already completed.

If the malicious insider is someone with elevated privileges, such as a system administrator, then this form of attack can be especially harmful. A malicious insider with root-level access and skills can bypass many security measures and perform many damaging tasks while avoiding detection. The recent case of the NSA insider Edward Snowden shows how devastating this form of attack vector can be to an organization.

The best defense against insiders lies in a layered defense consisting of two parts. The first is through HR screening of new hires and monitoring of employee activity and morale. The other tool is separation of duties, which ensures that no single individual has the ability to conduct transactions alone (covered in more detail in Chapter 21). Ensuring that system admins do not have the ability to manipulate the logs on the systems they administer can be managed with multiple log servers and multiple sets of administrative controls.

Images

EXAM TIP Managing the malicious insider problem is a combination of people management through HR and separation of duties on the technical side.

Social Engineering

Social engineering is a form of hacking a user (see Chapter 2 for in-depth coverage). Training users to have an awareness of social engineering, enabling them to recognize social engineering is the best defense. If users are falling victim to social engineering, the best troubleshooting strategy is to provide them with comprehensive awareness training of social engineering techniques, enabling them to recognize and report social engineering attacks without falling victim. Social engineering is not just an isolated attack, but can act together with a phishing campaign to increase the odds that a user will click the item and become a victim. Social engineering is a pernicious problem that will continue to evolve, so users should receive awareness training on a regular basis.

Social Media

Social media is a popular method of communicating with friends, family, associates, and others across the Web. Sharing can be a valuable character quality in a person, but oversharing on social media can lead to risk. If employees are sharing company information via social media, that can result in a lot of security issues such as an employee inadvertently sharing confidential company information. Social engineers have been known to use social media postings to gain information that is used to socially engineer personnel, using their own information to allow a stranger to create a false sense of trust.

Most organizations have some form of social media policy that, in broad terms, prohibits sharing of work-related details via social media. But even posting non-work-related issues on social media can lead to work-related issues. For example, if an organization discovers that an employee is expressing extremist views on social media that coworkers are aware of and feel threatened by, the organization could face claims of a “hostile” work environment, a serious work issue. Social media has become one of the newest HR issues, and conducting awareness campaigns helping employees steer clear of the mines in this minefield is about the best defense.

Personal E-mail

The use of personal e-mail at work can cause a variety of issues. Personal e-mail can offer a data exfiltration pathway that is outside of corporate control. Personal e-mail can also act as a path for malware to enter the network, and the user’s machine specifically. For these and other reasons, many companies have a policy prohibiting personal e-mail in the workplace.

Images

EXAM TIP People are an integral part of a security system, whether normal users or security personnel. Having security-based HR policies associated with user behaviors, such as personal e-mail, content filters (web browsing behavior), acceptable use agreements, and more, is an important element in system security. Be prepared to recognize the types of issues associated with personnel and how they are resolved.

Unauthorized Software

One of the security challenges in an enterprise is the addition of unauthorized software to a system, which poses additional risks to the enterprise. This is why the first elements of the top 20 security controls (covered in Chapter 11) consist of knowing the authorized software and hardware in your environment. Unauthorized software can be either the use of an unapproved program or the use of an approved program with improper licensing (covered a bit later in the chapter).

There are several methods of controlling unauthorized software, including removing users’ ability to add software, and the use of whitelisting or deep-freeze technologies that restrict what can run on a machine. Deep-freeze software prohibits any lasting changes to a machine by reverting the disk drives back to the state they were in when the user logged in, preventing a whole host of issues from occurring. Regular audits of installed software can also identify systems with unauthorized software.

Images

EXAM TIP Unauthorized software can lead to baseline deviations or license compliance violations, and can be uncovered via asset management, so these topics are related. But if given a scenario, can you separate the issues and pick the one that best fits the details? Focusing on the scenario can help you identify the best answer.

Baseline Deviation

Baselining is the measuring of a system’s current state of security readiness. Various tools are available that you can use to examine a system to see if it has specific weaknesses that make it vulnerable to attack—weaknesses like default passwords, issues with permissions, and so forth. The way baselining is supposed to work is simple: you set up a system, measure the baseline, fix the issues, and declare the resulting system configuration as your baseline. Then, in the future, after changing applications, etc., you can measure the baseline again and look for any deviations. Whenever you update, patch, add a new application, it is possible to measure the security risk gap based on before and after baseline measurements.

A baseline deviation is a change from the original baseline value. This change can be positive, lowering risk, or negative, increasing risk. If the change increases risk, then you need to evaluate this new risk level for possible remediation. The biggest challenge is in running the baseline scans, or automating them, to determine when deviations occur.

License Compliance Violation (Availability/Integrity)

Software license violations can result in software disabling key functions. In many corporate environments, software licenses are administered via key servers and other mechanisms. When a user gets a message that the software license is not valid, or expired, that may be an error, but it might still affect the functioning of the software. Software that is in an improper license state may not receive proper updates. License compliance violations need to be resolved in a timely manner to prevent inadvertent availability issues. Even if the violation is in error, resolving the error is an important task to take care of in a timely fashion.

Asset Management

Asset management is an important fundamental security task, so much so that it is at the top of the top 20 common security controls. Understanding what hardware and software you have in the enterprise, where it is specifically located, and how it is configured is the foundation for many security elements. Poor asset management adds to system and application sprawl in the enterprise. Maintaining accurate asset records can be a challenge in an ever-changing IT environment, yet it remains an important task. There are many automated solutions to assist in this effort, and if your organization is large, you should take advantage of these tools. It is also important to understand the patch state of all the assets, and keep this up to date as well.

Authentication Issues

Authentication is a key process in maintaining security. When there are authentication issues, such as default passwords, the end result can be a vulnerability. When users log into a system, the system can create log entries. For high-value assets, your organization likely wants the system to log both the entry and exit of the user. For the vast majority of systems, it is more important to just look at authentication failures. Authentication failures occur when the system fails to present proper user identification to the access control system. An authentication failure may occur because a user just changed her password or mistyped the password. These errors are typically resolved after a couple of tries.

More concerning is a wave of hundreds or thousands of failed logins to a specific account, as this is a sign of brute-force hacking. Another concern is a distributed method of brute forcing, where a password is tried against multiple users in rapid fashion. Compared to a common brute-force attack, this method will show up in the logs as lower numbers of failed authentication across the accounts, but all of them will have the same IP address from where the attack was launched. This attack is hard to see in the logs, as it is scattered across numerous data points over time, but can be detected by many SIEM devices. Finding and blocking these types of authentication hacks is useful when the numbers of failed logins indicate attempts at breaking into the system, either via a single account or multiple accounts.

Chapter Review

In this chapter, you became acquainted with troubleshooting common security problems. Following the presentation of topics listed in exam objective 2.3, the chapter began with coverage of unencrypted credentials/clear text issues, logs and events anomalies, permission issues, access violations, and certificate issues. The chapter continued with data exfiltration issues and misconfigured devices, including firewalls, content filters, access points, and weak security configurations. The topic of personnel issues, including policy violations, insider threat, social engineering, social media, and personal e-mail, were presented. The chapter closed with the topics of unauthorized software, baseline deviations, license compliance violations (availability/integrity), asset management issues, and authentication issues.

Questions

To help you prepare further for the CompTIA Security+ exam, and to test your level of preparedness, answer the following questions and then check your answers against the correct answers at the end of the chapter.

1. Your friend in another department asks you to help him understand some fundamental principles about encryption and clear text. Identify three important principles about the risk incurred by unencrypted credentials and clear text.

2. Which of the following is a valid principle relevant to logs and event anomalies?

A. It’s important to determine what to log and what not to log.

B. You should gather and log as much information as you can.

C. Context doesn’t matter much when logging information.

D. Logs should be actively maintained and never be destroyed or overwritten.

3. Which of the following is true about managing user permission issues?

A. User rights and permissions reviews are not powerful security controls.

B. Ensuring that user lists and associated rights are complete and current is a straightforward task with today’s tools.

C. Compensating controls are unnecessary.

D. The strength of this control is highly dependent on it being kept current and properly maintained.

4. What is the most likely reason for access violation errors?

A. Intruders are trying to hide their footprints.

B. The user is unauthorized and is either making a mistake or is attempting to get past security.

C. A SIEM system will not identify access violations.

D. An APT intrusion won’t usually trigger access violations.

5. Which of the following is a risk typically related to certificates?

A. Failure to install a needed trust chain makes a key that should be trusted, untrusted.

B. A chain of trust violation can always be “fixed” when the end user installs a certificate into the trust repository.

C. Maintaining the repository of trusted certificates across an enterprise is a simple task.

D. Accepting a trust chain that should not be trusted means accepting certificates in the past that should be trusted.

6. Which of the following properly defines data exfiltration?

A. A means for carrying public keys and vouching for their authenticity.

B. Someone attempts to access a resource that they do not have permission to access.

C. An attacker attempts to steal a copy of your data and export it from your system.

D. Ensuring that the list of users and associated rights is complete and up to date.

7. Which of the following is true about firewalls?

A. Firewalls are encrypted remote terminal connections.

B. Over time, rulesets stabilize and become easier to maintain.

C. Firewalls are network access policy enforcement devices that allow or block passage of packets based on a ruleset.

D. Auditing firewall rules is a straightforward process.

8. Your manager asks you to help her understand some fundamental principles about device configuration. Identify three important principles about device configuration.

9. A friend approaches you at a personal social event and says he was unable to access a popular website at work, but other sites such as new sites seemed to work. Identify the most likely culprit.

10. Identify three reasons why poorly trained users present a significant security challenge.

11. Which of the following is not true about insider threats?

A. Segregation of duties can help manage insider threats.

B. Ensuring that system admins do not have the ability to manipulate the logs on the systems they administer can mitigate the insider threat.

C. The best defense against insider threats is a single strong layer of defense.

D. Managing the malicious insider problem is a combination of people management through HR and separation of duties.

12. Which of the following is not a risk related to social media?

A. An employee can inadvertently share confidential company information.

B. Extreme viewpoints can present a legal liability to the company.

C. Viable training programs can help mitigate social media risks.

D. The use of social media can facilitate social engineering.

13. Identify three essential policies an enterprise should have to properly manage the human aspects of network security.

14. Identify the primary reason why personal e-mail presents risks to the corporation.

15. List three methods of controlling unauthorized software.

Answers

1. Important principles about the risk incurred by unencrypted credentials and clear text include

• It is important to protect the transfer of authorizing credentials between computer systems from unauthorized observation.

• When information is sent between machines in cleartext or unencrypted form, the information being transmitted is subject to eavesdropping by any machine in the communication pathway.

• The information is also subject to release in the event of an error that results in the credential information being persisted in a log or displayed on someone’s screen.

• To prevent credential disclosure to unauthorized parties, they should never be transmitted across cleartext forms of communication in unencrypted form.

2. A. A valid principle relevant to logs and event anomalies is that you should determine what to log and what not to log.

3. D. When managing user permissions, it is important to recall that the strength of this control is highly dependent on being kept current and properly maintained.

4. B. The most likely reason for access violation errors is that the user is unauthorized and is either making a mistake or is attempting to get past security.

5. A. A risk typically related to certificates is the failure to install a needed trust chain, which makes a key that should be trusted, untrusted.

6. C. Data exfiltration is when an attacker attempts to steal a copy of your data and export it from your system.

7. C. Firewalls are network access policy enforcement devices that allow or block passage of packets based on a ruleset.

8. Important principles about device configuration are

• Misconfigured devices are one of the more common security issues and can go completely unnoticed.

• Many security controls depend upon a properly configured device to function properly.

• Firewalls, content filters, and access points are all common systems with configurations that are critical for proper operation.

• The misconfiguration issue is common enough that the NIST Risk Management Framework specifies that one must test controls once in place to ensure they actually do work as desired.

9. Content filters are used to limit specific types of content across the Web to users. A common use is to block sites that are not work related. They are used to limit items such as Google searches and other methods of accessing content determined to be inappropriate. Content filters typically rely upon a set of rules.

10. Poorly trained users present a significant security challenge because personnel can violate policies because they don’t understand why a policy exists or they lack situational awareness of how a policy is applied. It can also be the result of willful disobedience. Each of these can result in increased risk to the enterprise.

11. C. The best defense against insider threats is to have multiple strong layers of defense.

12. C. While social media significantly facilitates collaboration, it does introduce risks such as an employee inadvertently sharing confidential company information. An employee expressing extreme viewpoints can present a legal liability to the company. Viable training programs can help mitigate social media risks.

13. Essential policies an enterprise should have to properly manage the human aspects of network security include policies on personal e-mail, content filtering (web browsing behavior), and acceptable use.

14. Personal e-mail presents at least three risks to a corporation in that it offers a data exfiltration pathway that is outside of corporate control, it can act as a path for malware to enter the network, and it can act as a path for malware to enter user machines.

15. Three methods of controlling unauthorized software are

• Removing the user’s ability to add software

• Using whitelisting or freeze technologies to restrict what can run on a machine

• Conducting regular audits to identify unauthorized software