
Articles: CompTIA

#CompTIA Security+ 501 exam Chapter10 Responding to Security Incidents Part 1


In this chapter, we will be looking at incident response, particularly with regard to the collection of volatile evidence for forensic analysis.

We will cover the following exam objectives in this chapter:

  • Given a scenario, use appropriate software tools to assess the security posture of an organization: Protocol analyzer, network scanners, rogue system detection, network mapping, wireless scanners/cracker, password cracker, vulnerability scanner, configuration compliance scanner, exploitation frameworks, data sanitization tools, steganography tools, honeypot, backup utilities, banner grabbing, command-line tools, ping, netstat, tracert, nslookup/dig, ARP, ipconfig/ip/ifconfig, tcpdump, Nmap, and netcat

  • Given a scenario, analyze and interpret the output from security technologies: HIDS/HIPS, antivirus, file integrity check, host-based firewall, application whitelisting, removable media control, advanced malware tools, patch management tools, UTM, DLP, data execution prevention, and web application firewalls

  • Given a scenario, follow incident response procedures: Response plan, documented incident types/category definitions, roles and responsibilities, reporting requirements/escalation, cyber incident response teams, exercise, incident response process, preparation, identification, containment, eradication, recovery, and lessons learned

  • Summarize basic concepts of forensics: Order of volatility, chain of custody, legal hold, data acquisition, capture system image, network traffic and logs, capture video, record time offset, take hashes, screenshots, witness interviews, preservation, recovery, strategic intelligence/counterintelligence gathering, active logging, and tracking man hours

  • Explain disaster recovery and continuity of operations concepts: Backup concepts, including full, differential, and incremental backups, and snapshots.
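The intro above singles out the collection of volatile evidence, and the forensics objective lists order of volatility, chain of custody, taking hashes and recording the time offset. The following script is an added example (not code from the book or the page) that puts those four ideas together: it sorts a constructed list of evidence sources most-volatile-first using the RFC 3227 ordering that the Security+ "order of volatility" objective is drawn from, hashes each capture, records how far the host clock is from a trusted reference, and writes each custody entry so that it includes the hash of the previous entry. The source names, byte contents and clock values are constructed stand-ins; the field names of the custody record are the example's own choice.

```python
"""Order-of-volatility acquisition plan with hashed, chained custody records.

Added example, not from the page. Sources, captured bytes and clocks below are
constructed stand-ins; the volatility ranks follow RFC 3227 section 2.1.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Most volatile first: a lower rank must be collected sooner.
VOLATILITY_RANK = {
    "registers_cache": 0,
    "memory_and_process_state": 1,   # RAM, process table, ARP cache, routing table
    "temporary_filesystem": 2,
    "disk": 3,
    "remote_logs": 4,
    "physical_config_topology": 5,
    "archival_media": 6,
}

def plan_acquisition(sources):
    """Return the sources ordered most-volatile-first; ties keep the given order."""
    return sorted(sources, key=lambda s: VOLATILITY_RANK[s["volatility"]])

def record_time_offset(local_clock, reference_clock):
    """Seconds the evidence host's clock runs ahead (+) or behind (-) a trusted reference."""
    return (local_clock - reference_clock).total_seconds()

def acquire(source, content, local_clock, reference_clock, collector, prev_entry_hash):
    """Hash the captured bytes and produce one chain-of-custody entry.

    Each entry embeds the hash of the previous entry, so altering or removing an
    earlier entry later breaks the chain (tamper evidence for the custody log).
    """
    entry = {
        "source": source["name"],
        "volatility": source["volatility"],
        "sha256": hashlib.sha256(content).hexdigest(),
        "size": len(content),
        "collected_at_local": local_clock.isoformat(),
        "time_offset_seconds": record_time_offset(local_clock, reference_clock),
        "collector": collector,
        "prev_entry": prev_entry_hash,
    }
    entry["entry_hash"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    return entry

def verify_chain(entries):
    """True if every entry's hash matches its fields and links to its predecessor."""
    prev = "0" * 64
    for e in entries:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_entry"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True

def verify_evidence(entry, content):
    """Re-hash a preserved copy to confirm it is exactly the bytes originally captured."""
    return hashlib.sha256(content).hexdigest() == entry["sha256"]

# Constructed sample: sources as an analyst might jot them down, not yet ordered.
SOURCES = [
    {"name": "disk image /dev/sda", "volatility": "disk"},
    {"name": "netstat -an / process list", "volatility": "memory_and_process_state"},
    {"name": "syslog server export", "volatility": "remote_logs"},
    {"name": "/tmp contents", "volatility": "temporary_filesystem"},
]
CAPTURED = {  # constructed stand-ins for the bytes each capture would produce
    "netstat -an / process list": b"tcp 0 0 10.0.0.5:445 203.0.113.9:51234 ESTABLISHED\n",
    "/tmp contents": b"/tmp/.x/run.sh\n",
    "disk image /dev/sda": b"\x00" * 512,
    "syslog server export": b"Jan 1 00:00:01 host sshd[1]: Accepted password for root\n",
}

def run_acquisition():
    """Collect the constructed sources in volatility order and return the custody chain."""
    reference = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # trusted (NTP) clock
    host_clock = reference + timedelta(seconds=37)                   # host runs 37 s fast
    entries, prev = [], "0" * 64
    for src in plan_acquisition(SOURCES):
        e = acquire(src, CAPTURED[src["name"]], host_clock, reference, "analyst1", prev)
        entries.append(e)
        prev = e["entry_hash"]
    return entries

if __name__ == "__main__":
    for e in run_acquisition():
        print(e["volatility"], "|", e["source"], "|", e["sha256"][:16], "| offset", e["time_offset_seconds"])
```

The time offset is recorded once per capture rather than corrected into the timestamps, so the original host time survives in the record and can be reconciled with other sources later. Verifying the chain only proves that no entry was altered or removed from the middle; an entry dropped from the end is not detectable this way, which is why the final entry hash should also be logged out of band.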


#CompTIA Security+ 501 exam Chapter10 Responding to Security Incidents Part 2



#CompTIA Security+ 501 exam Chapter11 Managing Business Continuity


In this chapter, we will look at how the business environment is designed to keep systems available, and at selecting the most appropriate method of disaster recovery after a disaster. The chapter is broken down into the following sections, each of which you must understand:

  • Implementing secure systems design

  • The importance of secure staging deployment concepts

  • Troubleshooting common security issues

  • Disaster recovery and continuity of operations concepts

  • Exam domain mapping

We will cover the following exam objectives in this chapter:

  • Given a scenario, troubleshoot common security issues: Unencrypted credentials/clear text, logs and events anomalies, permission issues, access violations, certificate issues, data exfiltration, misconfigured devices (firewall, content filter, access points), weak security configurations, personnel issues (policy violation, insider threat, social engineering, social media, personal email), unauthorized software, baseline deviation, license compliance violation (availability/integrity), asset management, and authentication issues

  • Given a scenario, implement secure systems design: Hardware/firmware security (FDE/SED, TPM, HSM, UEFI/BIOS, secure boot and attestation, supply chain, hardware root of trust, EMI/EMP), operating system types (network, server, workstation, appliance, kiosk, mobile OS), patch management, disabling unnecessary ports and services, least functionality, secure configurations, trusted operating system, application whitelisting/blacklisting, disabling default accounts/passwords, and peripherals (wireless keyboards, wireless mice, displays, Wi-Fi-enabled MicroSD cards, printers/MFDs, external storage devices, and digital cameras)

  • Explain the importance of secure staging deployment concepts: Sandboxing, environment, development, test, staging, production, secure baseline, and integrity measurement

  • Explain disaster recovery and continuity of operations concepts: Recovery sites, hot site, warm site, cold site, order of restoration, geographic considerations, off-site backups, distance, location selection, legal implications, data sovereignty, continuity of operations planning, exercises/tabletop, after-action reports, failover, alternate processing sites, and alternate business practices
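The Chapter 10 objectives list full, differential and incremental backups, and the objective above adds the order of restoration. The two are easiest to see together, so the following added example (not from the book or the page) simulates a week of file changes after a Sunday full backup, builds the backup sets each strategy would produce, and computes which sets must be restored, and in what order, to get back to a given day. The file names and change schedule are constructed; the two strategies are modelled as the exam defines them, a differential capturing everything changed since the last full and an incremental capturing only what changed since the previous backup of any kind.

```python
"""Full / differential / incremental backup sets and the order of restoration.

Added example, not from the page. The week of file changes is constructed.
"""
from collections import OrderedDict

# Constructed schedule: file -> version changed on each day. Day 0 is the full backup.
CHANGES = {
    0: {"a.doc": 1, "b.xls": 1, "c.db": 1},   # state captured by the Sunday full
    1: {"a.doc": 2},
    2: {"c.db": 2},
    3: {"a.doc": 3, "d.pdf": 1},
    4: {},                                     # quiet day: empty incremental, unchanged differential
    5: {"c.db": 3},
}

def simulate(strategy, changes):
    """Return the backup set written each day under 'differential' or 'incremental'.

    Each set is (kind, {filename: version}). Day 0 is always the full backup.
    """
    sets = OrderedDict()
    since_full = {}                      # everything changed since the last full
    for day in sorted(changes):
        if day == 0:
            sets[day] = ("full", dict(changes[0]))
            continue
        since_full.update(changes[day])
        if strategy == "differential":
            sets[day] = ("differential", dict(since_full))   # grows through the week
        elif strategy == "incremental":
            sets[day] = ("incremental", dict(changes[day]))  # only that day's changes
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return sets

def restore_plan(sets, to_day):
    """Days whose sets must be applied, in order, to reach the state of to_day.

    Order of restoration: the full first, then either the single latest
    differential or every incremental since the full in chronological order.
    """
    kinds = {d: k for d, (k, _) in sets.items()}
    last_full = max(d for d in sets if d <= to_day and kinds[d] == "full")
    later = [d for d in sets if last_full < d <= to_day]
    if not later:
        return [last_full]
    if kinds[later[-1]] == "differential":
        return [last_full, later[-1]]
    return [last_full] + later

def restore(sets, to_day):
    """Apply the planned sets in order and return the reconstructed file state."""
    state = {}
    for day in restore_plan(sets, to_day):
        state.update(sets[day][1])
    return state

def expected_state(changes, to_day):
    """Ground truth: replay the change schedule directly up to to_day."""
    state = {}
    for day in sorted(changes):
        if day <= to_day:
            state.update(changes[day])
    return state

if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        sets = simulate(strategy, CHANGES)
        sizes = [len(files) for _, files in sets.values()]
        print(f"{strategy:12} sets per day (files): {sizes}  restore to day 5 needs {restore_plan(sets, 5)}")
```

Running it shows the trade-off behind the exam question: the differential restore always needs exactly two sets but the daily set keeps growing, while incremental sets stay small and the restore needs every one of them, including the empty one from the quiet day, and a single missing or corrupt incremental breaks the chain.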

#CompTIA Security+ 501 exam Chapter17 Practical 4-drag and drop-Authentication factors




101 Labs - CompTIA Linux+



101 Labs - CompTIA Network+: Hands-on Practical Labs for the CompTIA Network+ Exam (N10-007)
