This chapter covers the following A+ 220-1002 exam objectives:
• 4.6 – Explain the processes for addressing prohibited content/activity, and privacy, licensing, and policy concepts.
• 4.7 – Given a scenario, use proper communication techniques and professionalism.
How will you respond to incidents? How will you communicate with customers? How will you deal with the best practices, regulations, and laws that your organization complies with? We’ll answer these questions and more as we progress through this chapter.
A good technician not only knows how to work with technology, but also how to deal with customers, tough problems, and imminent threats. It’s the well-rounded technician that enjoys the most job security.
ExamAlert
Objective 4.6 concentrates on the following: incident response, licensing/DRM/EULA, regulated data, and following all policies and security best practices.
One of the goals of policies and procedures, best practices, and regulations is to prevent incidents from occurring. However, incidents are inevitable. As people we are imperfect, and therefore we create imperfect technologies. When the right criteria are met, small imperfections can pave the way for incidents. The important part is how we respond to these incidents and how we limit the damage.
First of all, we have to differentiate between an event and an incident. An event is simply something that happens on your computer or on the network. It could be good or bad. For example, an event could be an administrator connecting a system to another system through a mapped network drive according to the organization’s procedures; this occurrence is positive. But there are adverse events as well, where negative consequences result: for example, unauthorized privilege escalation or execution of malware. Step it up further to the computer security incident. This is a violation, or an imminent threat of violation, of security policies: a security breach has occurred or is about to. A technician, or team of techs, is expected to respond to incidents quickly and efficiently. One example of an incident is an attacker initiating a DDoS attack (using a master system and a botnet) against a server, perhaps causing that server to crash. Another is an attacker encrypting files on a server with ransomware.
How you follow up on an incident is a good measure of your value to an organization. Incident response is the set of procedures an investigator follows when examining a technology incident. How you first respond, how you document the situation, and your ability to establish a chain of custody are all important investigative skills.
When you first respond to an incident, your first task is to identify exactly what happened. You must recognize whether this is a simple problem that needs to be troubleshot or an incident that needs to be escalated. For example, if you encounter a person who has prohibited content on a computer, this can be considered an incident and you will be expected to escalate the issue to your supervisor, reporting exactly what you have found. Unlicensed copies of copyrighted material, malware, inappropriate content, and stolen information could all be considered prohibited. So, before you do anything, report your findings through the proper channels and then make sure that the data and affected devices are preserved. This often means capturing a forensic image of the computer’s storage (a bit-for-bit copy whose hash is recorded). However, this will depend on your organization’s policies. You might be told to leave everything as is and wait for a computer forensics expert or a security analyst; it will depend on the scenario. The idea is that the scene is preserved so that the other person can collect evidence.
ExamAlert
As a first responder you will identify the incident, report through the proper channels and escalate if necessary, ensure data/device preservation, and document everything!
Let’s take it a bit further and discuss actual computer security incident response. Different organizations will have different views on how incident response should be handled. One common method is to incorporate a 4-phase life cycle:
1. Preparation: An organization with a well-planned incident response procedure (in advance), a strong security posture, and a knowledgeable chief information security officer (CISO) will be able to limit damage caused during an incident. Good communication is required, and the technician(s) should have access to secure storage facilities, digital forensic workstations, forensic software, and plenty of documentation on hand.
2. Detection and analysis: This includes identifying exactly what is happening during the incident. Because there are literally thousands of attack vectors (probably many more), we can’t create step-by-step procedures for every type of incident. However, we can categorize incidents to a certain extent (for example, DDoS/brute-force attacks, web-based attacks, spoofing/MITM, and theft) and then take the appropriate steps based on the category we have detected. Once we know what the attack is, we can analyze it with the right tools and methods. Of course, a certain amount of thinking on your feet is involved; a technician should be ready to adjust his or her mindset and methods in real time. The process also has to be quick so that the problem can be contained rapidly.
3. Containment, eradication, and recovery: First, isolate the problem: quarantine systems, isolate network segments, confine attackers’ processes to padded cells or other holding areas (if at all possible), remove devices, and so on. Then eradicate the threat using whatever mitigation techniques are necessary. After that, recover: retrieve data, re-enable systems, and restore images and backups. Some organizations break this down into multiple phases.
4. Post-incident activity: Here a technician(s) reviews what happened and why, finalizing documentation, getting signatures, and contemplating as a team the lessons learned.
Note
This life cycle is documented in great detail within the NIST SP 800-61 Computer Security Incident Handling Guide:
https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
The CompTIA A+ won’t go far into the depths of this document, but if you are interested in a career that involves incident response, consider reading this, and have it on hand.
Remember that an organization might have more phases, or break them up differently. In addition, the incident response process will be documented in much greater detail than what is shown here. Be ready to study your organization’s documentation carefully!
If you are required to preserve evidence, one way to do this is to set up a chain of custody. This is the chronological documentation, or paper trail, of evidence. It should be initiated at the start of any investigation. It documents who had custody of the evidence all the way up to litigation (if necessary), and logs each transfer of evidence from person to person. It also verifies that the evidence has not been modified or tampered with; in practice this means recording a cryptographic hash (for example, SHA-256) of each evidence item when it is collected and checking it again at every hand-off. The log should include identifying information for systems, such as serial numbers, IP addresses, and MAC addresses; the names, titles, and phone numbers of everyone who collected, analyzed, and handled evidence; the time and date of each action (in UTC); and where and how the evidence is stored.
ExamAlert
The chain of custody is a chronological, verifiable paper trail documenting who possessed evidence.
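The following is an added example (mine, not code from the book or from CompTIA) of what the chain-of-custody description above looks like in practice: a log in which every hand-off records who took custody, where, and when (in UTC), together with the SHA-256 hash of the evidence, and every entry also carries the hash of the previous entry so that later edits to the log itself are detectable. The evidence bytes, names, phone numbers, and system identifiers are constructed placeholders, not data from any real case.

```python
"""Chain-of-custody log with hash-based integrity checks (added example)."""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; recorded for the evidence at collection and at every hand-off."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp_utc: str      # ISO 8601, always UTC so entries from different sites compare cleanly
    action: str             # collected / transferred / analyzed / stored
    handler: str            # name, title, and phone number of the person taking custody
    location: str           # where the evidence is, and how it is stored
    evidence_sha256: str    # hash of the evidence as verified by this handler
    prev_entry_sha256: str  # hash of the previous log entry; makes the log itself tamper-evident


@dataclass
class ChainOfCustody:
    evidence_id: str
    system_info: dict                      # serial number, IP address, MAC address, and so on
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(entry: CustodyEntry) -> str:
        # Canonical JSON so the digest does not depend on field ordering
        return sha256_hex(json.dumps(asdict(entry), sort_keys=True).encode())

    def record(self, action: str, handler: str, location: str,
               evidence: bytes, when: Optional[datetime] = None) -> CustodyEntry:
        """Append an entry; the handler re-hashes the evidence at the moment of hand-off."""
        ts = (when or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()
        prev = self._digest(self.entries[-1]) if self.entries else "0" * 64
        entry = CustodyEntry(ts, action, handler, location, sha256_hex(evidence), prev)
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> list:
        """Return a list of problems; an empty list means evidence and log are both intact."""
        problems = []
        if not self.entries:
            return ["no custody entries recorded"]
        original = self.entries[0].evidence_sha256
        if sha256_hex(evidence) != original:
            problems.append("evidence hash differs from the hash recorded at collection")
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry.prev_entry_sha256 != prev:
                problems.append(f"entry {i} does not chain to the previous entry (log altered?)")
            if entry.evidence_sha256 != original:
                problems.append(f"entry {i} recorded a different evidence hash (custody gap?)")
            prev = self._digest(entry)
        return problems


def build_sample_chain():
    """Constructed sample: a stand-in for a disk image and three hand-offs with fixed UTC times."""
    # Constructed placeholder bytes, not a real disk image
    image = b"\x00" * 512 + b"FAKE-DISK-IMAGE-SECTOR-DATA" + b"\xff" * 512
    log = ChainOfCustody(
        evidence_id="CASE-0001-HDD-01",   # hypothetical case identifier
        system_info={"serial": "SN-EXAMPLE-1234", "ip": "192.0.2.10", "mac": "02:00:00:00:00:01"},
    )
    t0 = datetime(2024, 1, 15, 14, 2, tzinfo=timezone.utc)
    log.record("collected", "A. Tech, Field Technician, +1-555-0100",
               "Customer site, office 3B", image, t0)
    log.record("transferred", "B. Analyst, Security Analyst, +1-555-0101",
               "Evidence locker 7, sealed bag", image, t0.replace(hour=16))
    log.record("analyzed", "B. Analyst, Security Analyst, +1-555-0101",
               "Forensic workstation FW-2", image, t0.replace(day=16, hour=9))
    return log, image


if __name__ == "__main__":
    log, image = build_sample_chain()
    print("intact:", log.verify(image))
    print("modified image:", log.verify(image + b"\x00"))
    log.entries[1].location = "unknown"   # simulate someone editing the log after the fact
    print("altered log:", log.verify(image))
```

Run as written, the first check reports no problems, the second reports the evidence hash mismatch, and the third reports that entry 2 no longer chains to entry 1, because editing entry 1 changed its digest. In a real investigation the handler would hash the forensic image with a standard tool at each hand-off and keep the printed log with the signed evidence bag; the hash chain only protects the log against silent alteration, not against a handler who lies in the first place.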
As an A+ tech, you will probably not get too involved with incident investigations, but you should know the basic concepts of first response, documentation, and chain of custody, both for the exam and in case you find yourself in a situation where you have discovered prohibited content or illegal activity. The bottom line is that many times your job will be to escalate the issue to the appropriate personnel.
There are various types of licensing for software, hardware, support, and services. Let’s focus on software licensing here. Licensing could be free or paid for. For example, we mentioned Microsoft Windows client licenses previously in the book. It’s important to have this licensing well-organized and accessible. Most proof of licensing today is digital, so it should be stored in a safe place, possibly encrypted, backed up, and digitally validated.
Licensing is also important during incident response. Depending on the situation, you might need to locate licenses (or lack thereof) for software, client connections, and hardware; for example, the client access licenses (CALs) being used to access a Windows Server. License compliance violation can have legal ramifications, not to mention availability and integrity repercussions.
There are two terms related to licensing that you should know for the exam: EULA and DRM.
• EULA: An end-user license agreement is a contract between a proprietary software vendor and the end user. In most cases, the end user is required to agree to the EULA before using the product. The EULA primarily defines the ways in which the software can be used, and limits the vendor’s liability for issues and damages that occur through use of the product. EULAs are usually lengthy documents, but if a company plans to use software that requires one, the appropriate personnel should have a working legal understanding of it.
• DRM: Digital rights management (DRM) is a group of security controls designed to restrict the usage or proliferation of copyrighted software and products; for example, preventing illegal copies through a variety of methods.
ExamAlert
EULA is a licensing agreement between a software vendor and the end-user. DRM restricts usage or proliferation of copyrighted software and products.
Essentially, if a technician finds that a user or company is illegally copying, circumventing, or modifying software, doesn’t have the appropriate licensing, or is otherwise breaching the EULA or DRM restrictions, then the technician should report what was found to the appropriate personnel or authorities, and log and document the situation in accordance with incident response procedures.
Licenses can be commercial, for example if you use software from Microsoft or Apple, or they can be open-source, as is the case with Android, or Linux and the GNU General Public License (GPL).
In the case of commercial or closed-source licensing, the user, or corporation, is usually not allowed to share or modify the software. There are personal and enterprise level licenses. So, for example, a home user might have a computer with a paid personal license to use Microsoft Windows 10 Home Edition, but in a mid-sized to large organization, there will be enterprise-level licenses that are usually bought in bulk—for example Windows 10 Enterprise Edition.
Open-source software is usually free to use. With open-source licensing, the user is often allowed to study, modify, and share the software, even creating new distributions of it.
ExamAlert
Know the difference between open-source and commercial licenses, and the difference between personal and enterprise licenses.
Be sure to organize and store licensing properly according to organizational policy, and know how to find licenses for your own organization, or if you are contracted to perform work for a customer.
There are several types of data regulations that are on the A+ exam. These are designed to protect personal information and the people themselves. Here we’ll briefly discuss PII, PHI, PCI-DSS and GDPR.
Personally identifiable information (PII) is something that every organization and technician should be concerned with, because it affects us all. PII is information used to uniquely identify, contact, or locate a person. This type of information could be a name, birthday, Social Security number, biometric information, and so on. In Chapter 39, “Documentation, Change Management and Disaster Recovery,” I mentioned the Privacy Act of 1974 and other laws, regulations, and guidelines. These are designed to protect PII in a standardized way, but organizations will often have their own privacy policies, which may be based on these best practices but go further to define procedurally how users’ identities will be protected.
Protected health information (PHI) is information that is protected under the HIPAA Privacy Rule. The Health Insurance Portability and Accountability Act (HIPAA) is a wide-ranging act, passed in 1996, that governs the protection of all kinds of health information. Any covered entity or business associate in the United States that requests, stores, or accesses health information must abide by the rules within this act.
Best practices for PII and PHI are quite similar; let’s discuss a couple of these as they relate to digital records. Appoint a security admin (with compliance experience) to oversee the access and storage techniques for PII and PHI records. Physically secure the computers, servers, server rooms, data centers, and network connections where the records are stored. Store records in an encrypted format, and transmit records from one system to another, or from a system to the cloud, using end-to-end encrypted sessions. This way, both data at rest and data in transit (data in motion) are protected. Otherwise, make use of the many security best practices documented within this book’s security chapters, and keep in mind that PII and PHI records are at the top of the list when it comes to logging, auditing, and monitoring.
The payment card industry (PCI) encompasses credit cards, debit cards, ATMs, point-of-sale (POS) machines, and so on, that organizations use or transact with when dealing with cardholder data. The PCI Security Standards Council (PCI-SSC) developed a compliance program known as the Payment Card Industry Data Security Standard (PCI-DSS). This standard, and its varying levels of compliance, defines how cardholder data is to be transacted and stored.
The best practices for PCI-DSS include many of the security methods discussed previously in this book. From a higher-level viewpoint, the PCI-SSC looks for: a sustainable security program; compliant policies and procedures; performance metrics (such as those defined in the NIST SP 800-55 Performance Measurement Guide for Information Security); assignment of responsibilities to qualified personnel (ideally personnel who hold PCI-DSS certifications); proper risk assessment and management techniques; ongoing monitoring of security controls (a big part of compliance); maintaining evidence; incident response procedures; and maintaining general security awareness.
PCI-DSS is important whether your organization is a small 5-employee office or an enterprise-level corporation.
Note
You can view the entire best practices document (updated to version 2 in 2019) as set forth by the PCI-SSC at the following link:
General Data Protection Regulation (GDPR) is a European Union regulation that deals with data protection and privacy for people who live in the EU, but it has wide-ranging implications that caused many companies around the world (especially in the United States) to adopt the policies and best practices that support the regulation. One common example of an industry that was “turned upside down” by GDPR is the e-mail/mailing list industry. This was because these lists contained personal data that in many cases was not collected in a GDPR-compliant way. The GDPR regulation defines how transparency should function, the proper securing of data, awareness of what data is being collected, and citizen rights such as the right to access and request erasure of personal data. This regulation became enforceable on May 25, 2018, and at the time, it seemed that technical changes, written policies, and proper opt-in/opt-out lists became realities almost overnight for many companies. It affects me and every single company that I deal with.
ExamAlert
Know the types of regulated data including PII, PCI, GDPR and PHI.
The GDPR best practices are very similar to what has already been mentioned in this chapter, and the supporting security methods include much of what has been discussed in the security sections of this book. These best practices focus on: auditing data; managing data securely; assessing the risk of the data that is stored; appointing a Data Protection Officer where the regulation requires one (public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data); training employees on GDPR best practices; and having a data breach and incident response plan in place.
Note
For more information on GDPR, see the following link:
https://ec.europa.eu/info/law/law-topic/data-protection_en
Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.
1. You find illegal materials on a customer’s computer. Your boss commands you to preserve computer evidence until he gets to the scene. What is your boss asking you to begin?
A. Documentation
B. Chain of custody
C. First response
D. GDPR-compliance
2. Which of the following is not one of the steps of the incident response process?
A. Eradication
B. Recovery
C. Containment
D. Non-repudiation
3. You are the security administrator for your organization. You have just identified a malware incident. Of the following, what should be your first response?
A. Containment
B. Removal
C. Recovery
D. Monitoring
4. Which type of regulated data is specifically protected under the HIPAA privacy rule?
A. PII
B. PCI
C. GDPR
D. PHI
1. B. Your boss is asking you to begin the process of a chain of custody: the chronological paper trail of evidence. It is a form of documentation, but a specific one. You were the first responder. These cases will be rare, but you should understand the terminology and what to do if you find illegal materials.
2. D. Non-repudiation, although an important part of security, is not part of the incident response process. Non-repudiation means that you have irrefutable proof that a person did something; it might include logs, audit trails, and so on. Eradication, containment, and recovery are all parts of the incident response process.
3. A. Of the listed answers, most organizations’ incident response procedures will specify that containment of the malware incident should be first. Next would be the removal, then recovery of any damaged systems, and finally monitoring that should actually be going on at all times. But before all of this is the preparation phase, and of course, in the scenario, identification was already performed.
4. D. Protected health information (PHI) is information that is protected under the HIPAA privacy rule. The Health Insurance Portability and Accountability Act (HIPAA) is a wide-ranging act which governs the protection of all kinds of health information. Personally identifiable information (PII) is information used to uniquely identify, contact, or locate a person. The payment card industry (PCI) is anything that concerns credit cards, debit cards, ATMs, point-of-sale (POS) machines. The General Data Protection Regulation (GDPR) is a European Union regulation that deals with data protection and privacy.
ExamAlert
Objective 4.7 focuses on: Use proper language and avoid jargon, acronyms, and slang, when applicable; maintain a positive attitude/project confidence; actively listen (taking notes) and avoid interrupting the customer; be culturally sensitive; be on time (if late, contact the customer); avoid distractions; dealing with difficult customers or situations; set and meet expectations/timeline and communicate status with the customer; and deal appropriately with customers’ confidential and private materials.
Mind your customer service skills. You might be a super-tech, but without people skills, your job market will be limited. By being professional and utilizing good communication skills, you increase the chances of receiving a good customer reaction. Also, these skills help you to get to the heart of the issue and can help to make you more efficient, saving time as you repair computer problems. Throughout the rest of the book, you learned how to repair the computer. Now put those abilities together with a professional demeanor and good communication skills and there should be no lack of new customers in the future.
For the CompTIA A+ 220-1002 exam, communication and professionalism consist of 9 categories:
• Use proper language and avoid jargon, acronyms, and slang, when applicable: Speak slowly, clearly and professionally so the customer can fully understand what you are saying. Refrain from slang and profanity. Avoid computer jargon and acronyms (for example, WPA2 or TCP/IP). If you use computer jargon, the customer might think that you are insecure and cannot clearly explain things. Stay away from the techno-babble. The customer expects you to know these things technically but to explain them in a simple manner. That’s the essence of a good teacher!
• Maintain a positive attitude/project confidence: Even if the customer thinks the situation is hopeless or the customer is frustrated, be positive. Sometimes problems that appear to be the worst have the easiest solutions! And there is always a solution. It’s just a matter of finding it. Also, as part of being positive, try to project confidence. Be calm and assure your customer that the problem will be solved.
• Actively listen (taking notes) and avoid interrupting the customer: The more you listen, the better you will understand the problem. Write down key points related to the problem the customer is having. Don’t interrupt the customer, even if you think you know what the problem is before the customer has fully explained the situation. Be respectful and allow the customer to completely explain the problem. The customer’s tale just might give you clues as to what the real problem is. Listen carefully but be assertive when eliciting answers.
• Be culturally sensitive: Understand that customers come from all walks of life. Be aware that cultural differences and similarities exist. Be respectful and kind. Use appropriate professional titles when applicable and when possible. Make an effort to ensure that both you and the customer understand each other and work towards a common goal. If you don’t at first understand the customer or if there is a language barrier, kindly ask the customer to repeat themselves.
• Be on time (if late, contact the customer): It’s all about punctuality. Be on time! If a customer has to wait, the situation might become difficult before you even begin. If you are running late, contact the customer, apologize, and let the customer know that you will be late.
• Avoid distractions: Phone calls should be screened and left to go to voicemail unless it is an emergency. The same goes for e-mails that arrive on your smartphone and text messages on the phone. If other customers call, explain to them that you are with a customer and will call them back shortly (or have your manager or co-worker take care of them if they are available). Avoid talking to co-workers when dealing with customers. The customer wants to feel valued and wants to get the problem fixed in a timely manner. Try to avoid personal interruptions in general. And avoid using those social media sites.
• Dealing with difficult customers or situations: By being patient, understanding, and respectful, you show customers that you are a professional and serious about fixing their computer problems. Never argue with customers or take a defensive or offensive stance. This is another one of those times in which I like to think of Mr. Spock: approach customers’ computer problems and complaints from a scientific point of view. Try not to make light of a customer’s computer issues, no matter how simple they might seem, and avoid being judgmental of any possible user error. Avoid questions such as “What did you do?” or “Who was working on this?” because they can come across as accusations. Instead, ask computer-oriented, open-ended questions (for example, “What is wrong with the computer?” or “What can you tell me about this computer?”). Stick with the senses; a question such as “What strange behavior did you see from the computer?” keeps customers relaxed and helps you narrow down the cause of the problem. Ask concise follow-up questions to further identify the issue and narrow the scope of the problem. If a customer doesn’t come across clearly, restate what you believe the issue to be, or repeat your question, to verify your understanding. Once you think you understand the problem, always clarify by repeating it back to the customer so that everyone agrees on what the issue is. And again, do not disclose experiences via social media outlets.
• Set and meet expectations/timeline and communicate status with the customer: When you have a clear idea of what the customer’s trouble is, set a timeline; offer a reasonable assessment of how long it will take to fix the issue and what will be involved. Stay in contact with the customer, giving updates at certain intervals: every half hour for smaller jobs and perhaps two or three times a day for larger jobs. If applicable, offer different repair or replacement options as the job progresses. At first, you might inform a customer that it appears a power supply needs to be changed. Later, you might find that an optical drive also needs to be replaced. Keep the customer up to date and offer options. Whatever the service, be clear as to the policies of your company and provide the proper documentation about the services you will be performing. After you finish the job, follow up with the customer to verify that the computer runs smoothly and that the customer is satisfied.
• Deal appropriately with customers’ confidential and private materials: Do not look at or touch confidential information. Ask the customer to move the confidential items to another area where you cannot see them. Do not look at or touch the confidential materials located on a computer, desktop, printer, and so on. This could include bank statements, accounting information, legal documents, and other top-secret company information. Going beyond this, don’t disclose any work experiences you had with an organization on social media outlets.
Always remember to do the right thing. If a customer asks you to do something that you think is inappropriate, be sure to verify exactly what it is the customer wants you to do. Then take appropriate action. For example, if a customer asks you to install company software on his personal laptop, you should verify that the installation is allowed under the company’s licensing agreements. If so, no harm is done. If not, you will have to politely refuse the customer. This type of customer behavior, while rare, should be reported to your manager.
ExamAlert
Be professional, punctual, positive, and practice all the other skills mentioned in this section. They are important for the exam—and much more important in the computer field.
Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.
1. How will speaking with a lot of jargon make a technician sound?
A. Competent
B. Insecure
C. Smart
D. Powerful
2. A customer experiences a server crash. When you arrive, the manager is upset about this problem. What do you need to remember in this scenario?
A. Stay calm and do the job as efficiently as possible.
B. Imagine the customer in his underwear.
C. Avoid the customer and get the job done quickly.
D. Refer the customer to your supervisor.
3. Which of the following are good ideas when dealing with customers? (Select two.)
A. Speak clearly.
B. Ignore them.
C. Avoid distractions.
D. Explain to them what they did wrong.
4. You are a field technician working at a customer’s site. One of the workers asks you to load a copy of an organization’s purchased software on a personal laptop. What should you do first?
A. Verify that the installation is allowed under the company’s licensing agreement.
B. Act as though you are distracted and ignore the user.
C. Leave the premises and inform the police.
D. Tell the worker that installing unlicensed software is illegal.
E. Notify the worker’s manager of a security breach.
5. You have been asked by a customer at a hospital to perform routine maintenance on a laser printer. Before you begin, you notice PHI has printed out. What should you do first?
A. Ensure the paper tray is full so that everything can print.
B. Place the printed output in a secure recycle bin and begin maintenance.
C. Kindly warn the customer that printing PHI at work is a HIPAA violation.
D. Ask the customer to move the printed output to another area.
1. B. Too much computer jargon can make an end user think that you do not have the qualifications needed and are masking it with techno-babble.
2. A. There isn’t much you can do when a customer is upset except stay calm and fix the problem!
3. A and C. Speak clearly so that customers understand you, and avoid distractions so that the customers know they have your complete attention.
4. A. You should first check whether the company allows installations of paid software on personal computers or laptops. If it is allowed, go ahead and do the installation. If not, then you should refuse and notify your manager of the occurrence. Refusal can be tough at times, so be strong, and think about the consequences of your actions. They could directly affect you in a negative way.
5. D. Ask the customer to move the confidential information. Protected health information (PHI) is information that is protected under the HIPAA privacy rule. Before ensuring that the paper tray is full, you should first ask the customer to remove the private information. You should never throw away or recycle customer printed output unless they ask you to. Printing PHI at a hospital is routine and not a HIPAA violation. Remember to always behave professionally and protect people’s privacy. If you make this a regular practice, you will often receive a customer’s gratitude, and as time goes on, you will increase your job security.