Posts

Showing posts from November, 2020

Incident Response

Incident Response: A security incident is an adverse event or series of events that can negatively affect the confidentiality, integrity, or availability of data or systems within an organization, or that has the potential to do so. Incident response includes multiple phases, which are discussed below. Preparation: This phase trains personnel on how to respond to an incident. It includes establishing and maintaining an incident response plan and incident response procedures. It also includes establishing procedures to prevent incidents. Identification: Not all events are security incidents, so when a potential incident is reported, personnel take the time to verify whether it is an actual incident. Containment: After successful identification of an incident, security personnel attempt to isolate or contain it. This might include quarantining a device or removing it from the network. Eradication: After the system has been isolated from the network, it is necessary to remove the components of the attack. It means

Security Information And Event Management

SIEM: A security information and event management (SIEM) system provides a centralized solution for collecting, analyzing, and managing data from multiple sources. It combines the services of security event management (SEM) and security information management (SIM) solutions. A SEM provides real-time monitoring, analysis, and notification of security events, such as suspected security incidents. Why SIEM? SIEMs are very useful in large enterprises that have massive amounts of data and activity to monitor. Consider an organization with over 1,000 servers. When an incident occurs on just one of those servers, administrators need to know about it as quickly as possible. The SIEM provides continuous monitoring and real-time reporting. Aggregation: Aggregation refers to combining several dissimilar items into a single item. A SIEM can collect data from multiple sources, such as firewalls, IPS, proxy servers, and more, aggregate this data, and store it in such a way that it is easy t

Advanced Attacks on Networks

Advanced Attacks and Protection: In this section we will discuss some common types of attacks that can be launched against systems and networks. Spoofing: Spoofing occurs when one person or entity impersonates or masquerades as someone or something else. There are two common types of spoofing attack: IP spoofing and MAC spoofing. We can prevent IP spoofing by blocking a packet if it carries a private IP address on a public interface. SYN Flood Attack: The SYN flood attack is a common attack used against servers on the internet. It is very easy for attackers to launch and difficult to stop, and can cause significant problems. It disrupts the TCP handshake process and can prevent legitimate clients from connecting. In a SYN flood attack, the attacker never completes the handshake by sending the ACK packet, so the incomplete handshakes consume the server's resources. We can mitigate it by setting a threshold for SYN packets. MITM: A man-in-the-middle attack is a form of active

What is Malware And Different Kinds Of Malware?

Malware and its types: Malware is also known as malicious software. It includes a wide range of software that has malicious intent. Malware is not software that users knowingly purchase or download and install. It is important to realize that there are several different types of malware, which are discussed below. Virus: A virus is malicious code that attaches itself to a host application. The host application must be executed for the virus to run, and the malicious code executes when the host application is executed. When the virus is activated it delivers its payload. The payload might delete files, cause random reboots, join the computer to a botnet, or enable a backdoor. Worms: A worm is self-replicating malware that travels throughout a network without the assistance of a host application or user interaction. A worm resides in memory and can use different transport protocols to travel over the network. Worms can replicate themselves hundreds of times and spread to all the systems in the network. Logic Bomb:

Wireless Attacks

Wireless Attacks: There are several known attacks against wireless networks. Most can be avoided by using strong security protocols such as WPA2 with CCMP. Disassociation Attacks: This attack effectively removes a wireless client from the wireless network. In a disassociation attack, the attacker sends a disassociation frame to the AP with the spoofed MAC address of the victim. The AP receives the frame and shuts down the connection. The victim is then disconnected from the AP and needs to go through the authentication process again to reconnect. WPS Attack: WPS is susceptible to brute-force attack. This attack keeps trying different PINs until it succeeds. Once it discovers the PIN, it can discover the passphrase in both WPA and WPA2 networks. Rogue AP: A rogue AP is an AP placed within a network without official authorization. It might be installed by an employee or by an attacker. An attacker may connect a rogue access point to network devices in wiring closets that lack adequate physical security. T

Network Devices

Network Devices: A network connects computing devices together so that users can share resources, such as data, printers, and other devices. Switch: A switch can learn which computers are attached to each of its physical ports. It then uses this knowledge to create internal switched connections when two computers communicate with each other. Security benefits of a switch: If an attacker connects his computer to a port of the switch and installs a protocol analyzer, he would not capture the unicast traffic going through the switch to other ports. So a switch reduces the risk of an attacker capturing data with a sniffer. Switches also increase the efficiency of a network. Router: A router connects multiple network segments together into a single network and routes traffic from segment to segment. Because routers don't pass broadcasts, they effectively reduce traffic on any single segment. Segments separated by routers are sometimes referred to as broad

Access Control Model

Access Control Models: Access controls ensure that only authenticated and authorized entities can access resources. Role Based Access Control: It uses roles to manage rights and permissions for users. This is useful for users within a specific department who perform the same job functions. An administrator creates the roles and then assigns the specific rights and permissions to the roles instead of to individual users. Rule Based Access Control: Rule based access control uses rules. Rules can be static or dynamic. Static rules are implemented on routers or on firewalls. An example of a dynamic rule is an IPS that modifies its rules to block traffic from an attacker. Discretionary Access Control: Every object has an owner, and the owner establishes access for the object. Mandatory Access Control: It uses labels, sometimes referred to as security labels, to determine access. Administrators assign labels to users and to files/folders. When the labels match, the system grants access to that file/fold

Authentication Services

Authentication Services: In this section we will discuss authentication services. The main goal of these services is to ensure that unencrypted credentials are not sent across the network. In other words, they ensure that credentials are not sent in clear text. Kerberos: It is a network authentication mechanism used in Windows Active Directory domains and in some Unix environments. Kerberos provides mutual authentication, which can help prevent MITM attacks, and uses tickets to help prevent replay attacks. Working of Kerberos: The KDC (key distribution center) uses a complex process of issuing TGTs (ticket granting tickets) and other tickets. The KDC packages user credentials within the ticket. Tickets provide authentication for users when they access resources such as files on a file server. These tickets are sometimes referred to as tokens. NTLM: New Technology LAN Manager is a suite of protocols that provides authentication, integrity, and confidentiality within Windows sy

Authentication Factors

Authentication Factors: Authentication may require administrators to implement one factor for basic authentication, two factors for stronger authentication, and more factors for higher security. In this section we will discuss the authentication factors that an organization can use for secure authentication. Something you know: It refers to a shared secret, such as a password or even a PIN. It is the least secure authentication factor. However, organizations can increase the security of passwords by implementing a strong password policy. Something you have: It refers to something you physically hold. It includes smart cards, CACs (Common Access Cards), and hardware tokens. Something you are: It refers to the use of biometrics for authentication. It is the strongest form of authentication because biometrics are the most difficult for an attacker to falsify. Somewhere you are: It refers to the identification of a user based on the user's geolocation. But it is not foolproof becau

Security Controls

Security Controls: There are hundreds of thousands of security controls that organizations can implement to reduce risk. Some of the common security controls are discussed in this section.
Technical Controls: These controls use technology to reduce vulnerabilities. An administrator installs and configures technical controls, and then these controls automatically provide protection. Some of the technical controls are discussed below:
Encryption: It is a strong technical control to ensure confidentiality.
Anti-virus software: It provides protection against malware.
IDS and IPS: IDS/IPS can monitor the network or host for intrusions and provide ongoing protection.
Firewalls: Firewalls restrict the traffic going into or out of the network.
Least Privilege: Least privilege specifies that individuals or processes are granted only the privileges they need to perform their assigned tasks.
Administrative Contr

Best Practices To Mitigate The Network Attacks

Mitigation of Network Threats: In this section we will discuss best practices we can use to mitigate various network threats: how we can better protect ourselves against outsiders, or even insiders, who might be trying to compromise our network resources. Signature Management: We should use devices like an intrusion prevention system sensor or an intrusion detection system sensor. Those sensors rely on signatures, patterns that allow them to recognize well-known attacks. We should make sure to keep our signature database up to date, whether it's IDS or IPS or virus signatures, any sort of signatures that can help us identify malicious traffic. Device Hardening: We should not use default configurations or default passwords. We should disable any unnecessary services that might be running on a device. If a server doesn't need to have web services running, we disable web services on that server. Change of Native VLAN: Configure the trunk's untagged VLAN to a non-default val

Network Security

Network Security: Network security is getting a lot of attention these days. There are many threats, and organizations need to defend against them. In this section we will discuss the most important attacks. Before going into the different types of attacks, we first need to understand the difference between a vulnerability and an exploit. Vulnerability: A weakness in a system is known as a vulnerability. Exploit: An exploit is any software or code that takes advantage of a vulnerability to compromise a system. Need for Network Security: In this digital era we use devices to transmit digital information. There are many layers to consider when addressing network security across an organization. Attacks can happen at any layer of the network security layers model, so your network security hardware, software, and policies must be designed to address each area. The main need for network security is that we transmit this information in a secure manner; in other words, to achieve the CIA triad.

Cloud Computing

Cloud Computing: It is the use of remote servers on the internet to store, manage, and process data rather than local servers or personal computers.
1. Service Models of Cloud: IaaS: Infrastructure as a Service provides virtualized computing resources over the internet. There is no need for a physical machine. It allows an organization to outsource its equipment requirements, including the hardware and all support operations. The IaaS service provider owns the equipment, houses it in its data center, and performs all the required hardware maintenance. The customer essentially rents access to the equipment and often pays on a per-use basis. PaaS: Platform as a Service provides hardware and software tools over the internet without control over the underlying architecture such as storage, memory, and servers. The cloud provider gives the customer the ability to deploy applications using tools supplied by the provider. SaaS: It includes any software or application provided to users over a netwo

Virtualization Fundamentals

Virtualization Fundamentals: Virtualization is a technical method to divide a physical resource into as many logical resources as we want. It can be any resource, like CPU, memory, etc. Mostly we use hypervisors for virtualization.
Hypervisor: A hypervisor is a type of software or firmware that creates and runs virtual machines. It is also known as a VMM (Virtual Machine Manager).
Type 1 Hypervisor: This type of hypervisor runs directly on the system hardware. The guest operating system runs on the hypervisor. A Type 1 hypervisor acts as its own operating system. VMware ESXi is an example of a Type 1 hypervisor. ESXi provides a virtualization layer that abstracts the CPU, storage, and network resources of physical hosts into multiple virtual machines.
Type 2 Hypervisor: A hypervisor that runs on a conventional operating system; the host operating system mediates its access to the hardware. VMware Workstation and VirtualBox are examples of Type 2 hypervisors. It does not have direct access to the hardware resources.

Routing Protocols

Routing Protocols: Routing protocols help determine how your data gets to its destination and help make that routing process as smooth as possible. Below are the most important protocols. RIP: Routing Information Protocol is a distance vector protocol. It is used in both LANs and WANs. RIP determines network paths based on the IP destination and the hop count of the journey. RIP broadcasts its routing information to other routers every 30 seconds so that they can update their routing information. OSPF: Open Shortest Path First is a link state protocol based on the shortest path first algorithm. The SPF routing algorithm is used to calculate the shortest path spanning tree to ensure efficient transmission of packets. OSPF routers maintain databases detailing information about the surrounding topology of the network. This database is filled with data taken from Link State Advertisements sent by other routers. It also uses the Dijkstra algorithm to recalculat

WAN Technologies

WAN Technologies: Packet Switched and Circuit Switched: In a circuit switched network there is always a connection between the two endpoints; in a packet switched network, on the other hand, a connection is established whenever you need it. In a circuit switched network the resources are always in use, even if there is no need for them. Frame Relay: It is an alternative to a leased line (dedicated line). It is a layer 2 technology. It uses the concept of virtual circuits. A connection is identified by a DLCI (Data Link Connection Identifier). ATM: Asynchronous Transfer Mode has higher throughput than a frame relay network. It transmits any type of data, but data is transferred in fixed-size cells (53 bytes). It transfers packets over connection-oriented paths known as VCs (Virtual Circuits). It ensures that packets arrive in order. Each virtual circuit is identified by a VCI. DSL: Digital Subscriber Line is one of the more popular broadband technologies nowadays. DSL itself is a group of technologies. One of them is A

Network Services

Network Services: In this section we will learn about the services that can run on a network, like DNS, DHCP, NAT, etc. We will also learn about SDN, which means that a program written in any language automatically configures the network devices. VPN: VPN stands for Virtual Private Network. A VPN is used when an organization has multiple offices; when we interconnect these offices, data passes through various routers and internet service providers. So in this case we need a private network, and we configure a VPN. A VPN helps us transmit data in encrypted form over the internet.
Types of VPN:
Site to Site VPN: In a site to site VPN we configure the VPN only on the sender and receiver side routers. If there are multiple devices between these routers, only the sending and receiving routers are responsible for data encryption. Each router is considered an endpoint of the tunnel.
Remote access VPN: Remot

Network Topologies

Network Topologies: Network topologies are the methods of connecting different computers in different ways. This section describes the network topologies. Types of Topologies: Physical Topology: The physical layout or design of the network is known as the physical topology. We can see and touch the design of the network. Logical Topology: The flow of data over the physical topology is referred to as the logical topology. It describes in what manner data flows. 1. Star: A star topology is sometimes referred to as a hub-and-spoke topology, in which a centralized device is the hub and the other devices are the spokes. This topology has a big advantage over the ring and bus topologies: when any link breaks or fails, it does not affect the rest of the network. But it has a disadvantage, which is a single point of failure: if the central hub fails, it affects the whole network. 2. Mesh: In a mesh topology we have multiple connections interconnected with one another. If we have offices in different