CompTIA CAS-004: How to Identify Insider Threats from Unauthorized USB Devices on Linux?

Learn how to investigate potential insider threats from unauthorized USB devices on Linux systems. Discover the best method to identify indicators of compromise (IoCs) and update security measures to prevent data exfiltration.

Question

A security analyst is conducting an investigation regarding a potential insider threat. An unauthorized USB device might have been used to exfiltrate proprietary data from a Linux system.

Which of the following options would identify the IoCs and provide the appropriate response?

A. Review the network logs and update the firewall rules.
B. Review the operating system logs and update the DLP rules.
C. Review the vulnerability logs and update the IDS rules.
D. Obtain the device ID using dmesg and update the portable storage inventory.

Answer

D. Obtain the device ID using dmesg and update the portable storage inventory.

Explanation

When investigating a potential insider threat involving unauthorized USB devices on a Linux system, the best approach is to obtain the device ID using the dmesg command. The dmesg command displays the kernel ring buffer, which contains messages related to device detection and initialization.

By running dmesg, you can identify the specific USB device that was connected to the system, including its vendor ID, product ID, and serial number. This information serves as an indicator of compromise (IoC) and helps in tracking the unauthorized device.
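As an added example (not part of the original explanation), the following Python script parses constructed dmesg-style lines for the IoCs named above (vendor ID, product ID, serial number) and flags any mass-storage device that is not in the portable storage inventory. The log lines, the inventory tuples and the function names are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of kernel ring-buffer output (not captured from a real system).
SAMPLE_DMESG = """\
[ 1234.567890] usb 1-1: new high-speed USB device number 3 using xhci_hcd
[ 1234.700000] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[ 1234.700010] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1234.700020] usb 1-1: Product: Ultra Fit
[ 1234.700030] usb 1-1: Manufacturer: SanDisk
[ 1234.700040] usb 1-1: SerialNumber: 4C530001234567890123
[ 1234.800000] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 2000.100000] usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
[ 2000.100010] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2000.100020] usb 1-2: Product: USB Receiver
"""

# Kernel message formats: the enumeration line carries idVendor/idProduct, the
# serial comes on a later line for the same port, and usb-storage announces
# mass-storage class devices (the ones that can carry data off the host).
FOUND = re.compile(r"^\[\s*([\d.]+)\] usb (\S+): New USB device found, "
                   r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"^\[\s*[\d.]+\] usb (\S+): SerialNumber: (\S+)")
STORAGE = re.compile(r"^\[\s*[\d.]+\] usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")

@dataclass
class UsbDevice:
    port: str          # bus-port path, e.g. "1-1"
    uptime: float      # seconds since boot when the device was enumerated
    vendor: str
    product: str
    serial: str = ""   # empty when the device exposes no serial string
    mass_storage: bool = False

def parse_dmesg(text):
    """Return {port: UsbDevice} for every USB device the kernel enumerated."""
    devices = {}
    for line in text.splitlines():
        if m := FOUND.match(line):
            devices[m[2]] = UsbDevice(m[2], float(m[1]), m[3], m[4])
        elif (m := SERIAL.match(line)) and m[1] in devices:
            devices[m[1]].serial = m[2]
        elif (m := STORAGE.match(line)) and m[1] in devices:
            devices[m[1]].mass_storage = True
    return devices

def unauthorized_storage(devices, inventory):
    """Mass-storage devices whose (vendor, product, serial) is not in the inventory."""
    return [d for d in devices.values()
            if d.mass_storage and (d.vendor, d.product, d.serial) not in inventory]
```

On a live system feed `parse_dmesg` the output of `dmesg` (or `journalctl -k`, since the ring buffer is volatile and wraps); the `uptime` field gives the time of connection relative to boot, which is what you correlate with the user's session.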

Once the IoCs have been identified, the appropriate response is to update the portable storage inventory. This involves documenting the unauthorized USB device’s details and taking the necessary actions, such as:

  1. Revoking access to the device
  2. Investigating the user associated with the device
  3. Analyzing the system for any data exfiltration attempts
  4. Implementing stricter security controls for portable storage devices

Updating the portable storage inventory ensures that the organization maintains an accurate record of authorized and unauthorized devices, facilitating future investigations and preventing similar incidents.

The other options are not as effective in this scenario:

A. Reviewing network logs and updating firewall rules may help prevent unauthorized network access but do not directly address the issue of unauthorized USB devices.

B. Reviewing operating system logs and updating DLP (Data Loss Prevention) rules can help detect and prevent data exfiltration but do not specifically target unauthorized USB devices.

C. Reviewing vulnerability logs and updating IDS (Intrusion Detection System) rules focus on identifying and mitigating vulnerabilities but do not directly address the use of unauthorized USB devices.

In summary, obtaining the device ID using dmesg and updating the portable storage inventory is the most appropriate action to identify the IoCs and respond to the potential insider threat involving an unauthorized USB device on a Linux system.