Lesson 15 Basic Troubleshooting Process For Security With Watermark

Basic Troubleshooting Process for Security

A technician must be able to effectively troubleshoot security problems.


Using the troubleshooting process to identify and correct security problems
helps technicians maintain a consistent approach to managing and
mitigating threats to data and equipment.

Applying the Troubleshooting Process to Security


The troubleshooting process is used to help resolve security issues.

The Six Steps of the Troubleshooting Process


The six steps of the troubleshooting process are:
Step 1. Identify the problem.
Step 2. Establish a theory of probable cause.
Step 3. Test the theory to determine the cause.
Step 4. Establish a plan of action to resolve the problem and implement
the solution.
Step 5. Verify full system functionality and, if applicable, implement
preventive measures.
Step 6. Document findings, actions, and outcomes.

Identify the Problem


Security-related issues can be as simple as preventing shoulder surfing or
more complex, such as having to remove infected files from multiple
networked computers. Use the troubleshooting steps listed in the preceding
section as guidelines to help in diagnosing and repairing security-related
problems.
Computer technicians must be able to analyze a security threat and
determine the appropriate method to protect assets and repair damage. The
first step in the troubleshooting process is to identify the problem. Table 13-5
shows a list of open-ended and closed-ended questions to ask the customer.
Table 13-5 Step 1: Identify the Problem

Open-ended questions:
  When did the problem start?
  What problems are you experiencing?
  What websites have you visited recently?
  What security software is installed on your computer?
  Who else has used your computer recently?

Closed-ended questions:
  Is your security software up to date?
  Have you scanned your computer for viruses recently?
  Have you opened any attachments from suspicious emails?
  Have you changed your password recently?
  Have you shared your password?

Establish a Theory of Probable Cause


After you have talked to the customer, you can begin to establish a theory of
probable cause. You may need to conduct additional internal or external
research, based on the customer's description of the symptoms. Table 13-6
shows a list of some common probable causes of security problems.

Table 13-6 Step 2: Establish a Theory of Probable Cause

Common causes of security problems:
  Virus
  Trojan horse
  Worm
  Spyware
  Adware
  Grayware or malware
  Phishing scheme
  Password compromised
  Unprotected equipment rooms
  Unsecured work environment

Test the Theory to Determine Cause


After you have developed some theories about what is wrong, test your
theories to determine the cause of the problem. Table 13-7 lists some quick
procedures that can help you determine the exact cause of the problem or
even correct the problem. If a quick procedure corrects the problem, you
can verify full system functionality. If a quick procedure does not correct
the problem, you might need to research the problem further to establish the
exact cause.

Table 13-7 Step 3: Test the Theory to Determine Cause

Common steps to determine cause:
  Disconnect from the network.
  Update antivirus and spyware signatures.
  Scan the computer with protection software.
  Check the computer for the latest OS patches and updates.
  Reboot the computer or network device.
  Log in as an administrative user to change a user's password.
  Secure equipment rooms.
  Secure the work environment.
  Enforce the security policy.


Establish a Plan of Action to Resolve the Problem and
Implement the Solution
After you have determined the exact cause of the problem, establish a plan
of action to resolve the problem and implement the solution. Table 13-8
shows some sources you can use to gather additional information to resolve
an issue.

Table 13-8 Step 4: Establish a Plan of Action to Resolve the Problem and
Implement the Solution

If no solution is achieved in the previous step, further research is needed to
implement the solution, using these sources:
  Help desk repair logs
  Other technicians
  Manufacturer FAQ websites
  Technical websites
  News groups
  Computer manuals
  Device manuals
  Online forums
  Internet search

Verify Full System Functionality and, if Applicable, Implement Preventive Measures

After you have corrected the problem, you need to verify full functionality
and, if applicable, implement preventive measures. Table 13-9 shows a list
of the steps to verify the solution.

Table 13-9 Step 5: Verify Full System Functionality and, if Applicable,
Implement Preventive Measures

Verify solution and full system functionality:
  Re-scan the computer to ensure that no viruses remain.
  Re-scan the computer to ensure that no spyware remains.
  Check the security software logs to ensure that no problems remain.
  Check the computer for the latest OS patches and updates.
  Test network and Internet connectivity.
  Ensure that all applications are working.
  Verify access to authorized resources such as shared printers and databases.
  Make sure entries are secured.
  Ensure that the security policy is enforced.
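The quick checks in Table 13-7 (test the theory) and the verification checks in Table 13-9 (confirm the fix) are largely the same list run at two different moments. The script below is an added example, not part of the lesson, that runs those checks with the cmdlets Windows ships for Microsoft Defender, the Windows Firewall and Windows Update history, so a technician can run it once to confirm a theory and again after the repair to verify that nothing remains. The thresholds (signature age, patch age, log look-back), the use of www.example.com as a reachability target and the Defender event IDs 1116 (malware detected) and 1117 (action taken) are assumptions made for this example; the lesson names none of them.

```powershell
# Added example, not from the lesson: PowerShell version of the quick checks in
# Table 13-7 and the verification steps in Table 13-9 for a Windows host running
# Microsoft Defender. Run from an elevated prompt before the fix (to test a
# theory) and again afterwards (to verify). Thresholds are assumed values.
param(
    [int]$SignatureMaxAgeDays = 2,   # assumed: signatures older than this are flagged
    [int]$PatchMaxAgeDays = 30,      # assumed: newest hotfix older than this is flagged
    [int]$LogLookbackDays = 7,       # assumed: how far back to read Defender's log
    [switch]$RunScan                 # also run a Defender quick scan
)

$findings = New-Object System.Collections.Generic.List[string]

# Table 13-7: "Update antivirus and spyware signatures" / "Scan the computer with protection software".
$status = Get-MpComputerStatus
if ($status.AntivirusSignatureAge -gt $SignatureMaxAgeDays) {
    $findings.Add("Antivirus signatures are $($status.AntivirusSignatureAge) days old; run Update-MpSignature.")
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings.Add("Defender real-time protection is off.")
}
if ($RunScan) {
    Start-MpScan -ScanType QuickScan
}

# Table 13-11: "Windows Firewall is disabled" -> "Enable Windows Firewall". Check every profile.
foreach ($profile in Get-NetFirewallProfile) {
    if (-not $profile.Enabled) {
        $findings.Add("Windows Firewall is disabled for the $($profile.Name) profile; run Set-NetFirewallProfile -Name $($profile.Name) -Enabled True.")
    }
}

# Table 13-7 / 13-9: "Check the computer for the latest OS patches and updates".
$newest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $newest) {
    $findings.Add("No dated hotfixes found; check Windows Update.")
} elseif ($newest.InstalledOn -lt (Get-Date).AddDays(-$PatchMaxAgeDays)) {
    $findings.Add("Newest hotfix $($newest.HotFixID) was installed on $($newest.InstalledOn.ToShortDateString()); check Windows Update.")
}

# Table 13-9: "Re-scan the computer" / "Check the security software logs to ensure that no problems remain".
# Assumption for this example: Defender logs a detection as event 1116 and the action taken as 1117.
$since = (Get-Date).AddDays(-$LogLookbackDays)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = $since
} -ErrorAction SilentlyContinue
if ($events) {
    $findings.Add("Defender logged $(@($events).Count) detection/action event(s) since $($since.ToShortDateString()); review them with Get-WinEvent.")
}
$active = Get-MpThreat | Where-Object { $_.IsActive }
if ($active) {
    $names = ($active.ThreatName | Select-Object -Unique) -join ', '
    $findings.Add("Defender still reports active threat(s): $names")
}

# Table 13-9: "Test network and Internet connectivity". www.example.com is an assumed target.
if (-not (Test-NetConnection -ComputerName 'www.example.com' -InformationLevel Quiet -WarningAction SilentlyContinue)) {
    $findings.Add("Could not reach www.example.com; check network connectivity and DNS.")
}

# Report. An empty list after the fix is the "verify full system functionality" result.
if ($findings.Count -eq 0) {
    "All quick checks passed."
} else {
    "Findings:"
    $findings | ForEach-Object { " - $_" }
}
```

Paste the output of both runs (before and after the fix) into the work order; it is exactly the "findings, actions, and outcomes" that Step 6 asks for.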

Document Findings, Actions, and Outcomes


In the final step of the troubleshooting process, you must document your
findings, actions, and outcomes. Table 13-10 shows a list of the tasks
required to document the problem and the solution.

Table 13-10 Step 6: Document Findings, Actions, and Outcomes

Document your findings, actions, and outcomes:
  Discuss with the customer the solution that was implemented.
  Have the customer verify that the problem has been solved.
  Provide the customer with all paperwork.
  Document the steps taken to solve the problem in the work order and the technician's journal.
  Document any components used in the repair.
  Document the time spent solving the problem.

Common Problems and Solutions for Security


Knowing some of the common problems and solutions related to security
can speed the troubleshooting process.

Common Problems and Solutions for Security


Security problems can be attributed to a number of reasons. You will
resolve some types of security problems more often than others. Table 13-11
identifies common problems and solutions for security.

Table 13-11 Common Problems and Solutions for Security

Symptom: A security alert is displayed.
  Possible causes: Windows Firewall is disabled. Virus definitions are out of date. Malware has been detected.
  Possible solutions: Enable Windows Firewall. Update virus definitions. Remove malware.

Symptom: A user is receiving hundreds or thousands of junk emails each day.
  Possible cause: The network is not providing detection or spam protection for the email server.
  Possible solution: Install/update antivirus software or email antispam software.

Symptom: An unauthorized wireless access point is discovered on the network.
  Possible cause: A user added a wireless access point to increase the wireless range of the company network.
  Possible solutions: Disconnect and confiscate the unauthorized device. Enforce the security policy by taking actions against the person responsible for the security breach.

Symptom: An unknown printer repair person is observed looking under keyboards and on desktops.
  Possible cause: Visitors are not being monitored properly or user credentials have been stolen.
  Possible solutions: Contact security or the police. Educate users to never hide passwords near their work area.

Symptom: System files have been renamed, applications crash, files are disappearing, or file permissions have changed.
  Possible cause: The computer has a virus.
  Possible solutions: Remove the virus by using antivirus software. Restore the computer from a backup.

Symptom: Users with flash drives are infecting computers on the network with viruses.
  Possible cause: Flash drives are not scanned by the antivirus software when a network computer accesses them.
  Possible solution: Set the antivirus software to scan removable media when data is accessed.

Symptom: Your email contacts report spam coming from you.
  Possible cause: Your email has been hijacked.
  Possible solutions: Change your email password. Contact email service support and reset the account.

Symptom: Your wireless network is compromised even though 128-bit WEP encryption is used.
  Possible cause: WEP can be decrypted using commonly available hacking tools.
  Possible solutions: Upgrade to WPA encryption. Use MAC address filtering for older wireless clients.

Symptom: Users are being redirected to malicious websites.
  Possible cause: Domain name resolution has been compromised or DNS spoofing is occurring.
  Possible solutions: Flush the local DNS cache by using ipconfig /flushdns to clear malicious entries. Check the HOSTS file for spoofed entries. Check the priority order for name resolution services. Validate the DNS resolvers set as primary and secondary in the client's IP address configuration.

Symptom: User receives access denied errors when attempting to open files.
  Possible cause: Malware has changed the permissions of files.
  Possible solution: Quarantine the infected system and investigate closely.

Symptom: Browser opens a page other than what the user is attempting to access.
  Possible cause: Spyware has been installed.
  Possible solutions: Check the host file for malicious entries. Also verify that the DNS servers the client is using are correct.
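Two rows of Table 13-11 (users redirected to malicious websites, and the browser opening a page the user did not ask for) prescribe the same checks: flush the DNS cache, inspect the HOSTS file, and confirm which resolvers the client is using. Windows consults the HOSTS file before it asks DNS, which is why a single line in that file can redirect a name no matter what the resolvers answer. The script below is an added example, not from the lesson, that does those checks with the DNS client cmdlets, plus the removable-media scanning setting from the flash-drive row. The expected resolver addresses (documentation-range 192.0.2.x) and the example domain it looks up in the cache are constructed for illustration; replace them with your site's values.

```powershell
# Added example, not from the lesson: the DNS-redirection checks from Table 13-11
# (HOSTS file, resolver configuration, local cache) and the removable-media
# scanning setting. Run from an elevated prompt. The resolver list and the
# example domain are assumed values for illustration.
param(
    [string[]]$ExpectedResolvers = @('192.0.2.53', '192.0.2.54'),  # assumed site resolvers
    [string]$SuspectDomain = 'example.com',                        # assumed name the user was redirected from
    [switch]$Flush                                                 # clear the local DNS cache
)

# 1. HOSTS file (Table 13-11: "Check the HOSTS file for spoofed entries").
#    Windows consults this file before DNS, so any active line overrides resolution for that name.
#    A clean Windows HOSTS file contains only comments.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsEntries = Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match '^\s*[0-9a-fA-F.:]+\s+\S' }
if ($hostsEntries) {
    "HOSTS file entries to review:"
    $hostsEntries | ForEach-Object { "  $_" }
} else {
    "HOSTS file contains no active entries."
}

# 2. Resolvers per adapter (Table 13-11: "Validate the DNS resolvers set as primary and secondary").
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        $unexpected = @($_.ServerAddresses | Where-Object { $ExpectedResolvers -notcontains $_ })
        if ($unexpected.Count -gt 0) {
            "Adapter '$alias' uses unexpected DNS server(s): $($unexpected -join ', ')"
        } else {
            "Adapter '$alias' DNS servers are as expected."
        }
    }

# 3. Cached answers for the suspect name (what the client would currently return without asking DNS).
$cached = Get-DnsClientCache | Where-Object { $_.Entry -like "*$SuspectDomain" }
if ($cached) {
    "Cached answers for *$SuspectDomain (compare against the address the site should have):"
    $cached | ForEach-Object { "  $($_.Entry) -> $($_.Data)" }
} else {
    "No cached answers for *$SuspectDomain."
}

# 4. Flush the cache (Table 13-11: "Flush the local DNS cache"); PowerShell equivalent of ipconfig /flushdns.
if ($Flush) {
    Clear-DnsClientCache
    "Local DNS cache cleared."
}

# 5. Removable media (Table 13-11: "Set the antivirus software to scan removable media").
$pref = Get-MpPreference
if ($pref.DisableRemovableDriveScanning) {
    "Defender removable-drive scanning is disabled; enable it with: Set-MpPreference -DisableRemovableDriveScanning `$false"
} else {
    "Defender removable-drive scanning is enabled."
}
```

Run it once without -Flush to record the spoofed entries for the work order (Step 6), then with -Flush after the HOSTS file and resolver settings have been corrected, and finally run the verification script from Step 5 to confirm connectivity.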