Phase 10

Security Troubleshooting

Earlier in this book, we mentioned three main facets of your information assets that you, as the security professional, are required to protect:

  • It is your job to protect the confidentiality of the organization’s information assets—that is, to keep the company’s secrets secret.
  • It is your job to protect the integrity of the organization’s information assets—that is, to protect the information from being tampered with. No one is allowed to “cook the books.”
  • It is your job to protect the availability of the organization’s information assets. If users cannot access the valuable information assets when they are needed, the information has lost its value, and the users lose productivity.

Security troubleshooting is largely about disaster recovery, which is a subset of protecting the availability of the information assets. If the server fails due to a bad driver or Registry modification, the resources that the server provides to users are no longer available. You must quickly return the system to a stable state and allow users to regain access to the resources that the server had been providing.

To address the need for recovery, you will look in this phase at Safe mode, which loads a minimum of drivers in an attempt to provide recovery after a faulty driver has been installed. Then you will look at Last Known Good Configuration (LKGC), which replaces the current Registry with a previously “known good” Registry. And finally, you’ll perform an Automated System Recovery (ASR) backup and then an ASR restore. An ASR restores the operating system, Registry, and drivers but does not protect data. You must use a backup utility to provide disaster recovery for your data.

Another task for the security professional is related to magnetic-media reuse. This task involves installing, in one system, a hard drive that had previously been installed in a different system.

As the security professional, you must protect the confidentiality of the data previously written on the disk. Data can be recovered from the free space on a disk after the file has been deleted and the Recycle Bin has been emptied. Data can even be recovered off a disk after re-partitioning and reformatting.
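The point above, that an ordinary delete or a quick reformat removes only the filesystem's bookkeeping and leaves the data itself on the platters, is easy to see on a simulated volume. The following is an added example, not code from the book: it builds a toy disk with an invented directory layout (not any real on-disk format), "deletes" a file the way an operating system normally does, shows that the contents can still be found by scanning the raw blocks, and then overwrites the free space so the data is actually gone. The block size, the constructed secret and the overwrite-with-zeros pattern are all assumptions made for illustration.

```python
"""Toy disk: why deleted or reformatted data remains recoverable until it is
overwritten, and what explicit free-space sanitization changes.

Constructed example. The directory layout below is invented for the
demonstration and is not any real filesystem format.
"""

BLOCK = 64          # bytes per block (constructed; tiny so the disk is readable)
NBLOCKS = 16        # blocks on the toy disk
DIR_BLOCKS = 1      # block 0 is reserved for metadata; file data starts at block 1

# Constructed sample data; the "secret" is a made-up string, not real data.
SECRET = b"ACCOUNT=4111-XXXX payroll Q3 (constructed sample)"
NOTE = b"nothing sensitive here"


class ToyDisk:
    """A volume whose directory maps a file name to (first_block, byte_length)."""

    def __init__(self):
        self.raw = bytearray(BLOCK * NBLOCKS)   # the "platters"
        self.directory = {}                     # name -> (first_block, length)
        self.next_free = DIR_BLOCKS             # bump allocator, never reuses on its own

    def _blocks_needed(self, length):
        return -(-length // BLOCK)              # ceiling division

    def write_file(self, name, data):
        n = self._blocks_needed(len(data))
        if self.next_free + n > NBLOCKS:
            raise OSError("toy disk full")
        start = self.next_free
        off = start * BLOCK
        self.raw[off:off + len(data)] = data
        self.directory[name] = (start, len(data))
        self.next_free += n

    def read_file(self, name):
        start, length = self.directory[name]
        off = start * BLOCK
        return bytes(self.raw[off:off + length])

    def delete_file(self, name):
        """Like a typical OS delete: drop the directory entry, touch no data."""
        del self.directory[name]

    def quick_format(self):
        """Like a quick reformat: reset the metadata only; data blocks stay as they were."""
        self.directory.clear()
        self.next_free = DIR_BLOCKS

    def carve(self, pattern):
        """What a recovery tool does: scan the raw blocks, ignoring the directory.
        Returns the byte offset of the pattern, or -1 if it is not present."""
        return self.raw.find(pattern)

    def sanitize_free_space(self):
        """Overwrite every data block that no directory entry references.
        Zeros are used here for a deterministic demo; real sanitization
        procedures specify their own overwrite patterns and verification."""
        used = set()
        for start, length in self.directory.values():
            used.update(range(start, start + self._blocks_needed(length)))
        for b in range(DIR_BLOCKS, NBLOCKS):
            if b not in used:
                off = b * BLOCK
                self.raw[off:off + BLOCK] = bytes(BLOCK)


def demo():
    """Walk through delete -> carve -> sanitize, then reformat -> carve -> sanitize.
    Returns a dict of booleans saying whether the secret was still recoverable."""
    d = ToyDisk()
    d.write_file("payroll.txt", SECRET)
    d.write_file("notes.txt", NOTE)
    out = {}

    d.delete_file("payroll.txt")
    out["after_delete"] = d.carve(SECRET) != -1        # True: bytes still on disk
    d.sanitize_free_space()
    out["after_sanitize"] = d.carve(SECRET) != -1      # False: free space overwritten
    out["notes_intact"] = d.read_file("notes.txt") == NOTE  # True: live files untouched

    d.write_file("payroll2.txt", SECRET)
    d.quick_format()
    out["after_format"] = d.carve(SECRET) != -1        # True: reformat kept the data
    d.sanitize_free_space()
    out["after_format_sanitize"] = d.carve(SECRET) != -1   # False
    return out


if __name__ == "__main__":
    for step, recoverable in demo().items():
        print(f"{step:22s} secret recoverable: {recoverable}")
```

The `carve` method stands in for a file-recovery tool: it never consults the directory, which is exactly why deleting entries or rebuilding the metadata with a quick format does nothing to protect confidentiality. Only `sanitize_free_space`, which writes over the unreferenced blocks, changes the outcome, and that is the step a drive needs before it is moved into another system.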

Finally, you will download and install a host-based intrusion detection and protection system to monitor the system for malware, malicious behavior, and attempted malicious access to your computer system from the network.


The tasks in this phase map to Domains 1, 2, and 4 in the objectives for the CompTIA Security+ exam (www.comptia.org/certifications/listed/security.aspx).
