IRP, DiD, Categories of Network troubleshooting tools
An incident is
a violation of a security policy, or an imminent threat of one
Ch 13 Phases of incident response are
Preparation
Incident Identification
Containment
Investigation
Eradication
Recovery & Repair
Lessons Learned
Preparation phase is
Get ready before anything goes wrong. Create plans, assign roles, and train the team (CSIRT).
Incident Identification phase is
Spot when something unusual happens. Decide if it’s a real security incident.
Containment phase is
Stop the damage from spreading. Disconnect affected systems and preserve evidence.
Investigation phase is
Figure out what happened and collect evidence safely. May involve experts or law enforcement.
Eradication phase is
Remove the threat that caused the incident. Fix vulnerabilities to prevent repeat attacks.
Recovery & Repair phase is
Restore systems and get everything running again safely. Replace anything damaged or affected.
Lessons Learned phase is
Review the incident. Ask: What worked? What didn’t? Use what you learn to improve your response plan.
DiD defined
an approach where a series of defensive security controls are layered to protect sensitive data
Each layer of defensive security controls costs money
Use a network security risk assessment to assess where to put security controls in a layered security architecture
More barriers = more points of failure attackers must get through
Layers of DiD include:
1. Policies & User Awareness
2. Physical Security
3. Perimeter Security
4. Network Security
5. Endpoint Security
6. Application Security
7. Data Security
Ch 15 - What are the five categories of network troubleshooting tools?
1. Physical Layer Tools
2. Network Performance Monitoring Tools
3. Network Connectivity and Testing Tools
4. Network Scanning and Discovery Tools
5. Vulnerability & Protocol Analysis Tools
1. Physical Layer Tools
Test and troubleshoot physical components like cables, connectors, and ports.
2. Network Performance Monitoring Tools
Measure bandwidth, data flow, and help track down slow or overloaded connections.
3. Network Connectivity and Testing Tools
Check if a device is reachable and verify network layer connectivity.
4. Network Scanning and Discovery Tools
Identify devices on a network (e.g., ARP scan, ping sweep, subnet scan).
5. Vulnerability & Protocol Analysis Tools
- Vulnerability tools scan for security weaknesses.
- Protocol analyzers (like Wireshark) decode and examine network traffic for detailed troubleshooting.