Troubleshooting security problems is a systematic process of identifying, diagnosing, and resolving security incidents in computing systems. Effective troubleshooting requires balancing security with usability — overly restrictive measures can hinder productivity, while lax security invites breaches.
A structured approach ensures that security problems are resolved efficiently and thoroughly.
The first step is to observe and document what is wrong. Common symptoms include:
Tradeoff: Monitoring tools that detect these symptoms (e.g., intrusion detection systems) improve security but may raise privacy concerns and add cost.
System logs are one of the most powerful tools in security troubleshooting. They provide an audit trail of events including:
| Log Type | Information Provided |
|---|---|
| Authentication logs | Failed/successful login attempts, timestamps |
| Access logs | Which files were opened, by whom, and when |
| Network logs | IP addresses, data transferred, connection attempts |
| System event logs | Configuration changes, software installs |
By analysing these logs, a security analyst can pinpoint the source and timeline of a breach.
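As an added example (not part of the original notes), the script below shows the authentication-log analysis described above on constructed, sshd-style log lines: it parses each entry, then flags any successful login that follows repeated failures from the same IP address, reporting the source and timeline. The log format, addresses and threshold are assumptions chosen for the example.

```python
# Added example (not from the page): correlate constructed, sshd-style
# authentication-log lines to find the source and timeline of a break-in.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: repeated failures from one address, then a success.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:14:02Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:14:05Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:14:09Z sshd: Failed password for root from 203.0.113.7
2024-03-01T09:14:12Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:14:20Z sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:30:41Z sshd: Accepted password for alice from 198.51.100.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+)$")

def parse_auth_log(text):
    """Return (timestamp, result, user, ip) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines in another format are ignored, not guessed at
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)

def find_suspicious_logins(events, max_failures=3):
    """Flag a success preceded by >= max_failures failures from the same IP.
    Maps each such IP to failure count, first-failure time and success
    time, i.e. the source and timeline of the break-in."""
    failures = defaultdict(list)
    findings = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
        elif len(failures[ip]) >= max_failures:
            findings[ip] = {"failures": len(failures[ip]),
                            "first_failure": failures[ip][0],
                            "user": user, "success_at": ts}
    return findings

if __name__ == "__main__":
    for ip, f in find_suspicious_logins(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {f['failures']} failures from {f['first_failure']}, "
              f"then logged in as {f['user']} at {f['success_at']}")
```

On the sample data the script reports 203.0.113.7 with four failures starting at 09:14:02 and a successful login as admin at 09:14:20, while alice's normal login from another address is not flagged.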
Once a threat is suspected, the affected device should be isolated from the network immediately. This prevents:
Tradeoff: Isolation improves security but reduces availability (a pillar of the CIA triad), temporarily disrupting the user's work.
| Tool | Purpose |
|---|---|
| Network Scanner / IP Scanner | Identifies all active devices on a LAN; detects rogue/unauthorized devices |
| Antivirus / Anti-malware Scanner | Detects and removes malicious software |
| Task Manager / Process Monitor | Identifies suspicious processes consuming resources |
| Sandboxing | Executes suspicious code in an isolated environment to observe behaviour safely |
| Vulnerability Scanner | Scans systems for known weaknesses |
A sandbox is an isolated virtual environment in which suspicious software or code can be executed without affecting the host system. It allows analysts to:
Tradeoff: Sandboxing is highly effective but requires additional computational resources and technical expertise, increasing cost.
Based on the diagnosis, apply the appropriate remedy:
After applying the fix, confirm the problem is resolved and continue monitoring to ensure the threat does not recur.
Incident Response (IR) is an organised, planned approach to addressing and managing the aftermath of a security breach or cyberattack. Its goals are to:
| Phase | Description |
|---|---|
| Preparation | Establish IR policies, train staff, set up monitoring tools |
| Identification | Detect and confirm that a security incident has occurred |
| Containment | Isolate affected systems to prevent spread |
| Eradication | Remove the threat (malware, attacker access) |
| Recovery | Restore systems and data to normal operation |
| Lessons Learned | Conduct Root Cause Analysis (RCA) to prevent future incidents |
Root Cause Analysis is performed after an incident to identify the underlying vulnerability that allowed the breach to occur. It answers the question: Why did this happen?
RCA prevents the same problem from recurring by addressing the source, not just the symptoms.
Example: If a phishing email led to a breach, the RCA might reveal that staff lacked security awareness training — the root cause. The fix would be mandatory training, not just resetting passwords.
Every security measure involves a tradeoff. When recommending cybersecurity measures, consider:
| Factor | Consideration |
|---|---|
| Efficiency | Does the measure slow down legitimate users? |
| Cost | Is the tool affordable for the organisation? |
| Privacy | Does monitoring infringe on user privacy? |
| Ethics | Is it ethical to log all user activity? |
Example tradeoffs:
The goal is to find the optimal balance that protects the system without unnecessarily burdening users.
When diagnosing a security problem, identify which pillar of the CIA Triad is violated:
| Pillar | Violated When... | Example Attack |
|---|---|---|
| Confidentiality | Unauthorised access to data | Data breach, eavesdropping |
| Integrity | Data is modified without authorisation | Database tampering, man-in-the-middle (MitM) attack |
| Availability | Authorised users cannot access data/systems | Ransomware, DoS attack |