Task 1
Fault Finding Report
Introduction
This report presents a technical fault-finding investigation into three user-reported incidents at SkyLink Financial Systems Ltd. Each incident has been analysed to determine the root cause, assess operational and security risks, and provide implementable recommendations. Recommendations use established security controls such as least privilege, centralised identity management, endpoint management, and secure remote access.
User A Financial Analyst – Database Connectivity Failures
Issue Summary:
The Financial Analyst reports repeated “connection timed out” errors when retrieving transaction reports from on-premises database servers.
Root Cause Analysis:
The affected workstation is running on unsupported operating systems and legacy office software, which likely lack modern TLS support and up-to-date cipher suites required by the database. Network diagnostics indicate that potential name resolution and routing problems. The environment uses DHCP for addressing and the DCHP scope is heavily utilised, increasing the risk of transient IP address assignment and collisions. In combination, these factors produce intermittent TCP session failures between the client and the database endpoint.
Technical evidence to collect during troubleshooting:
Verify client OS and application versions and check supported TLS versions.
Execute network tests: ping to database IP, tracer to database IP, and nslookup for database hostname.
Capture a packet trace (Wireshark) while reproducing the timeout to observe TCP handshake and TLS negotiation failures.
Inspect DHCP leases on the router for address churn and duplicate assignments.
Review firewall rules for blocked internal ports, specifically the database port.
Impact Assessment:
The analyst cannot perform timely financial reporting, increase business risk and expose SkyLink to possible regulatory non-compliance. Unsupported OS and software also present exploitable vulnerabilities that raise the company's risk for external attacks.
Remediation and Justification (ordered by priority):
Upgrade the workstation to a supported OS and client software to ensure compatibility with modern TLS negotiation and vendor security patches.
Assign a static IP or create a DHCP reservation for the analyst’s device to eliminate transient DHCP issues while longer term DHCP sizing is implemented.
Review and correct DNS records to ensure reliable hostname resolution for database services.
Audit and update internal firewall rules to allow the required internal database ports from authorised subnets and confirm there are no deny rules erroneously applied to office LAN ranges.
Run a packet capture to verify successful TLS handshakes and confirm remediation.
Introduce endpoint patch management and configuration baselines to prevent recurrence
Acceptance criteria for closure:
The analyst can connect to the database without timeouts during the repeated test runs.
Packet captures show successful TCP handshake and TLS negotiation.
No DHCP conflicts are recorded for the workstation during a monitored period.
User B Compliance Manager – VPN Disconnections and License Limits
Issue Summary:
The compliance manager experiences frequent VPN disconnections with clear reporting that the system has reached maximum concurrent connections, preventing timely upload of compliance audit files.
Root cause analysis:
The VPN management system displays a 12/12 active connection count, and several connections are authenticated as the shared “Admin” account from unknown or personal devices. The VPN configuration allows shared administrative credentials and lacks device posture checks. This results in license exhaustion, untrusted device access, and poor session accountability.
Technical evidence to collect during troubleshooting:
Export the VPN active session list and correlate authenticated usernames to device identifiers and client certificate information.
Review VPN license configuration and usage logs to confirm connection peaks and time-of-day patterns.
Examine VPN server configuration for shared logins, allowed authentication methods, and enforcement of device authentication or client certificates.
Check for unencrypted or unauthenticated sessions by reviewing session encryption status and authentication flags.
Impact assessment:
License exhaustion prevents authorised staff from connecting and may drive users to insecure workarounds. Shared admin credentials eliminate user accountability and increase insider threat risk. Unmanaged devices connecting over the VPN may introduce malware or exfiltrate sensitive data.
Remediation and justification (ordered by priority):
Immediately revoke shared administrator credentials and rotate all privileged passwords. Replace shared accounts with unique per-user accounts authenticated via an authoritative identity provider.
Implement Multi-Factor Authentication for VPN logins and enforce certificate‑based or device‑managed authentication for corporate endpoints.
Increase VPN concurrent connection capacity short term, or implement an access gateway that scales, to remove the operational bottleneck while policy changes are implemented.
Deploy Mobile Device Management or modern endpoint management (for example Microsoft Intune) to enforce device compliance before VPN access is granted.
Add session logging and centralised VPN audit logs to the SIEM for real‑time alerting of unusual concurrent connections and non‑corporate device access.
Update the VPN policy to prohibit the use of personal devices for privileged accounts and to require corporate device registration.
Acceptance criteria for closure:
The Compliance Manager and other authorised users can connect reliably during peak usage.
VPN logs show unique user authentication and device compliance enforcement.
No sessions authenticate using the old, shared Admin credentials.
User C IT Security Officer — Unauthorized Administrator Accounts and Permission Changes
Issue summary:
The IT Security Officer reports unexpected changes in server access permissions and the appearance of new administrator accounts that lack formal approval.
Root cause analysis:
The VPN and server environment currently permit shared administrator credentials and does not enforce password complexity or change control. The VPN management table indicates the Administrator Password value is weak and that shared admin logins are enabled. There is either insufficient audit logging or inadequate monitoring of privilege changes, which prevents timely detection. These conditions permit privilege escalation, either by malicious insiders or through compromised shared credentials.
Technical evidence to collect during troubleshooting:
Export full audit trails for user and group management events from Active Directory or local server event logs.
Identify the origin IPs and device identifiers that performed administrative account creations or privilege changes.
Check for the presence of service accounts with broad privileges that could be abused.
Review local and VPN account configuration to determine whether shared credentials are permitted and to confirm password strength policy settings.
Impact assessment:
Unmonitored privilege changes allow attackers or malicious insiders to gain elevated access without oversight, enabling data exfiltration, tampering, or persistence. This undermines regulatory compliance and can result in severe operational and reputational damage.
Remediation and justification (ordered by priority):
Disable shared administrative logins and enforce unique, auditable administrative accounts. Implement an approval workflow for privileged account creation.
Enforce strong password complexity and rotation policies via group policy or central identity management; require a minimum length and complexity and implement password vaulting for highly privileged accounts.
Implement Role-Based Access Control such that administrative privileges are only provided for specific tasks and are time‑limited where possible.
Enable comprehensive audit logging across AD, servers, and VPN appliances and forward logs to a SIEM for correlation and alerting on privilege changes and anomalous behaviour.
Deploy Just‑In‑Time (JIT) privileged access solutions or Privileged Access Management to reduce standing administrative privileges.
Conduct a full privileged account inventory and perform an access review to remove unnecessary admin accounts and document all remaining privileges.
Acceptance criteria for closure:
All administrative account creation events are subject to approval and logged.
SIEM generates alerts for any change to privileged groups, and these alerts are triaged by security operations.
No new administrative accounts can be created without the documented approval process.
General Recommendations and Implementation Roadmap
Short term (0–30 days)
Rotate all shared credentials and disable shared admin accounts immediately.
Increase VPN capacity or apply interim measures to prioritise critical users while policy changes are applied.
Enable and collect critical audit logs for AD, VPN, and servers.
Medium term (30–90 days)
Deploy endpoint management for corporate devices and enforce device compliance and MFA for remote access.
Replace legacy workstations with supported OS and implement patch management.
Reconfigure DHCP scope sizing and implement DHCP reservations for critical infrastructure.
Long term (90+ days)
Implement RBAC, Privileged Access Management, and SIEM-driven detection and response.
Replace the consumer-grade router with an enterprise firewall and implement network segmentation to isolate servers and services.
Migrate file services where appropriate to managed cloud storage with strong identity and access controls (for example SharePoint with Azure AD).
Conclusion:
The investigation identifies clear, actionable root causes across the three incidents: unsupported endpoints and DHCP/DNS/routing issues causing database timeouts, VPN license exhaustion and shared credential misuse causing connection failures, and weak privileged account governance causing unauthorized administrative changes. The recommended combination of immediate credential rotations enforced device and identity controls, centralised logging, and staged infrastructure upgrades will resolve the faults reported and materially reduce Sky Link's security risk profile. Implementing these controls and verifying them through the detailed test plan will provide evidence to satisfy operational and compliance requirements.
Test Plan
Purpose: Verify and resolve the three users' faults identified at SkyLink Financial Systems Ltd by carrying out repeatable, auditable tests that validate diagnostics, remediation and user acceptance.
Scope: User A (database connectivity), User B (VPN capacity and authentication), User C (privileged account control), and supporting network components (DHCP, DNS, firewall, NAS).
Test Ownership: IT support engineer executes tests; IT security reviews audit logs; affected users confirm acceptance.
Document control: record actual outcomes, screenshots/log exports, changes made and user sign-off for each test.
Test ID | User | Device/Software | Test Purpose | Expected Outcome |
T1 | A | Client PC | Verify ICMP connectivity to DB server | Ping replies with <100 ms and 0% packet loss |
T2 | A | Client PC | Trace network path to DB server | No persistent timeouts; identify problematic hop |
T3 | A | Client PC | DNS resolution for DB hostname | Correct IP returned matching server inventory |
T4 | A | Client PC | Capture TLS handshake to DB | Successful TLS 1.2+ handshake and application TLS cipher suite |
T5 | A | DHCP server/router | Check DHCP lease | No duplicate leases; available pool greater or equal to required clients. |
T6 | B | VPN server | Enumerate active VPN sessions and devices | Active sessions associated to unique users and corporate devices |
T7 | B | VPN client | Attempt login with shared admin credentials | Login denied or blocked |
T8 | B | VPN client | Login with unique user credentials and MFA | Successful authenticated session with encryption |
T9 | B | VPN server | Simulate over-capacity connection | 13th connection denied; server logs show capacity limit |
T10 | C | AD/VPN logs | Audit recent privilege changes and source IPs | All privilege changes logged with source and timestamp |
T11 | C | Admin console | Attempt to create admin without approval | Creation blocked or requires approval workflow |
T12 | C | Password Policy | Enforce password complexity and test update | Weak password rejected; complexity enforced |
T13 | Infra | Firewall | Verify SMB access from office LAN to NAS | SMB ports open for authorised subnets, blocked externally |
T14 | Infra | NAS | Review NAS ACLs and recent uploads | Only authorised users have right; inappropriate files flagged. |
T15 | Infra | SIEM | Verify SIEM alerting for privilege changes | SIEM triggers and alert is generated and assigned |
T16 | Infra | Patch Management | Verify endpoint patch baseline | Client meets required patch level of flagged for remediation |
Detailed Step-by-Step tests
T1 – ICMP connectivity to database server
Purpose: confirm basic IP connectivity and packed loss between client and database server.
Preconditions: client connected to office LAN; database server IP known.
Steps:
On client, open command prompt as standard user.
Run: Ping –n 20 <database_IP>
Observe packet loss and round-trip times.
Evidence to collect: command output screenshot or copy; note packet loss and average latency.
Expected results: 0% packet loss or minimal: average RTT <100 ms.
Rollback / next action: if >0% packet loss, run T2 and collect packet capture.
T2 – Traceroute to database server
Purpose: identify routing hops and locate timeouts or high – latency hops.
Preconditions: client connected to office LAN; database server IP known.
Steps:
On client, open command prompt.
Run: tracert <database_IP>
Record any hips that show timeouts or excessive latency (>200ms)
Evidence to collect: tracert output
Expected results: continuous route with no hops showing repeated timeouts.
Next action: if a problematic hop exists, coordinate with network team to inspect switch/ router configuration and check ACLs.
T3 – DNS resolution for database hostname
Purpose: verify that DNS resolves the database hostname to the correct IP
Preconditions: client network configured to use corporate DNS.
Steps:
On client, open command prompt
Run: nslookup <database_hostname>
Confirm returned IP matches documented database IP.
Evidence to collect: nslookup output screenshot
Evidence result: hostname resolves to intended IP
Next Action: If mismatch, update DNS record on authoritative DNS server and flush DNS cache (ipconfig/flushdns) on client.
T4 — TLS handshake capture to database
Purpose: confirm secure TLS negotiation and cipher suite compatibility.
Preconditions: Wireshark installed on diagnostic workstation or use Windows Network Monitor; user authorised to capture network traffic.
Steps:
Start packet capture on client or network tap while reproducing the DB connection.
Initiate the application request to the database that previously timed out.
Stop capture after failure/success.
In capture, apply filter for TCP port used by DB and inspect TLS ClientHello/ServerHello.
Evidence to collect: exported pcap snippets showing TLS handshake messages and cipher suite.
Expected result: ClientHello and ServerHello present; TLS version 1.2 or 1.3 negotiated; no handshake failures.
Next action: if TLS handshake fails, update client TLS stacks or database server cipher configuration to support compatible ciphers.
T5 — DHCP lease usage and conflict check
Purpose: ensure DHCP scope has capacity and no IP conflicts exist.
Preconditions: access to router/DHCP server admin console.
Steps:
Login to DHCP server or router admin page.
Export current lease table.
Search for duplicate MAC addresses or overlapping static assignments.
Check scope usage percentage.
Evidence to collect: exported lease table CSV and screenshots.
Expected result: scope usage below critical threshold (e.g., <90%); no duplicate addresses.
Next action: expand DHCP scope or create reservations for critical devices if scope exhausted.
T6 — Enumerate active VPN sessions and device compliance
Purpose: correlate active VPN sessions to unique users and corporate device IDs. Preconditions: admin access to VPN management system.
Steps:
Login to VPN management console.
Export the active session list including username, source IP, client certificate/device ID, authenticated flag and encryption flag.
Map sessions to known corporate device inventory.
Evidence to collect: exported session CSV and annotated mapping.
Expected result: all active sessions map to unique authorised users and corporate-managed devices.
Next action: flag any sessions that are “Admin” or unauthenticated and disconnect immediately.
T7 — Attempt VPN login with shared Admin credentials
Purpose: verify shared Admin credentials are no longer valid or are blocked for remote access.
Preconditions: change shared password or disable account prior to test.
Steps:
On a test non-corporate device, open VPN client.
Attempt to authenticate using previous shared Admin username and password.
Observe authentication outcome and check server logs.
Evidence to collect: client error message screenshot and server auth log entry. Expected result: authentication denied and logged.
Next action: if authentication succeeds, revoke credentials and investigate access points.
T8 — Login with unique credentials and MFA
Purpose: validate per-user authentication with MFA and device compliance enforcement.
Preconditions: test account in AD with MFA enrolled and device enrolled in Intune or equivalent.
Steps:
On corporate device, open VPN client and enter user credentials.
Complete MFA challenge (push or OTP).
Confirm session establishes and encryption is enabled.
Evidence to collect: successful connection screenshot and session detail showing encryption enabled.
Expected result: successful login with encryption and device compliance passed.
Next action: if MFA fails, verify identity provider settings and conditional access policies.
T9 — Simulate 13th VPN connection to test capacity limit
Purpose: confirm behaviour when maximum concurrent connections reached. Preconditions: lab accounts and test devices available to simulate connections.
Steps:
Establish 12 concurrent VPN sessions using test accounts.
Attempt to connect a 13th session and observe client message and server logs.
Record server response and any queue or deny behaviour.
Evidence to collect: logs for attempted connections and client error screens. Expected result: 13th session denied with explicit capacity message and server logs show denial reason.
Next action: if 13th connects, verify license enforcement and update VPN licensing or access gateway configuration.
T10 — Audit privileged changes and source attribution
Purpose: verify all privilege escalations are logged with source IP and actor. Preconditions: access to Active Directory/Domain Controllers and VPN logs and SIEM. Steps:
Query AD security event logs for event IDs related to group membership changes and account creations over the period of concern.
Cross-reference event timestamps with VPN session logs to determine originating device IPs.
Export findings into a forensic report.
Evidence to collect: exported event log entries and cross-referenced timeline. Expected result: each privilege change has an accountable user and originating IP.
Next action: if anonymous or shared accounts found, implement password rotation and enable more detailed auditing.
T11 — Attempt to create admin account without approval
Purpose: validate that administrative account creation requires an approval workflow. Preconditions: request management system that enforces approvals or role-based provisioning configured.
Steps:
With a standard privileged requestor account, initiate account creation request in provisioning system.
Observe whether creation is completed automatically or held pending approval.
Check resulting account status and creation audit.
Evidence to collect: provisioning request record and resulting account creation logs.
Expected result: account remains pending until approved and creation is auditable.
Next action: if account created without approval, reconfigure provisioning policy and disable direct admin creation by non-approved operators.
T12 — Enforce and test password complexity policy
Purpose: ensure password policy rejects weak passwords and enforces rotation. Preconditions: AD Group Policy or identity provider controls accessible.
Steps:
Update password policy to require minimum 12 characters, upper/lowercase, digits and symbols, and password history.
On test user, attempt to set password to “12345678” and document system response.
Attempt to set a compliant password and confirm acceptance.
Evidence to collect: GPO policy screenshot and password change attempt logs. Expected result: weak password rejected; compliant password accepted and logged.
Next action: roll out policy to all privileged accounts and enforce immediate password reset.
T13 — Verify SMB access from office LAN to NAS and firewall rules
Purpose: confirm internal SMB access allowed and external SMB blocked. Preconditions: firewall admin access and NAS admin account.
Steps:
From an office PC, map network drive using \\<NAS_IP>\<share> and authenticate with test user.
From an external network, attempt same mapping and observe firewall behaviour.
On firewall, review rules for TCP 445/139 and confirm source/destination restrictions.
Evidence to collect mapping success screenshot from office; failed attempt from external; firewall rule screenshots.
Expected result: office LAN can access SMB shares; external connections blocked or NATed with explicit deny for SMB.
Next action: if external access allowed, amend firewall rules to deny SMB from WAN.
T14 — NAS ACL and content audit
Purpose: identify non-work content and validate ACLs prevent unauthorised write. Preconditions: NAS admin credentials and read access to storage usage logs.
Steps:
Login to NAS admin UI and export folder ACL listing.
Run a storage usage report and list files added within the target timeframe.
Search for common media extensions and executables and flag them.
Evidence to collect: ACL export CSV and list of flagged files with timestamps and uploader accounts.
Expected result: write permissions limited to authorised user groups; non-work files identified for removal.
Next action: remove flagged files, notify users and update acceptable use policy.
T15 — Verify SIEM alerting for privilege changes
Purpose: confirm SIEM receives and alerts on privilege-related events.
Preconditions: SIEM configured to ingest AD and VPN logs.
Steps:
Trigger a controlled privilege change on a non-production account.
Monitor SIEM for correlated alert creation and notification to security operations.
Validate alert content includes user, source IP and timestamp.
Evidence to collect: SIEM alert export and incident ticket reference.
Expected result: SIEM generates alert within defined SLA and contains sufficient context.
Next action: tune SIEM rules to reduce false positives if necessary.
T16 — Endpoint patch and baseline verification
Purpose: ensure client meets corporate patch and configuration baseline. Preconditions: endpoint management system operational and baseline defined.
Steps:
Query endpoint management for client compliance report.
From client, run baseline check agent or local security compliance tool.
Document missing updates or non-compliant settings.
Evidence to collect: compliance report and remediation task list.
Expected result: client meets baseline or is flagged for immediate remediation. Next action: remediate via patch deployment and re-evaluate.
Comments
Post a Comment