Posts

Incident Response

Incident Response: A security incident is an adverse event or series of events that negatively affects the confidentiality, integrity, or availability of data or systems within an organization, or that has the potential to do so. Incident response consists of multiple phases, which are discussed below. Preparation: This phase prepares personnel to respond to an incident. It includes establishing and maintaining an incident response plan and incident response procedures, as well as establishing procedures to prevent incidents. Identification: Not every event is a security incident, so when a potential incident is reported, personnel take the time to verify whether or not it is an actual incident. Containment: After an incident is successfully identified, security personnel attempt to isolate or contain it. This might include quarantining a device or removing it from the network. Eradication: After the system has been isolated from the network, it is necessary to remove the components of the attack. It m...

Security Information And Event Management

SIEM: A security information and event management (SIEM) system provides a centralized solution for collecting, analyzing, and managing data from multiple sources. It combines the services of security event management (SEM) and security information management (SIM) solutions. A SEM provides real-time monitoring, analysis, and notification of security events, such as suspected security incidents. Why SIEM? SIEMs are very useful in large enterprises that have massive amounts of data and activity to monitor. Consider an organization with over 1,000 servers. When an incident occurs on just one of those servers, administrators need to know about it as quickly as possible. The SIEM provides continuous monitoring and real-time reporting. Aggregation: Aggregation refers to combining several dissimilar items into a single item. A SIEM can collect data from multiple sources, such as firewalls, IPS, proxy servers, and more, and aggregate this data and store it in such a way that it is easy t...

Advanced Attacks on Networks

Advanced Attacks and Protection: In this section we discuss some common types of attacks that can be launched against systems and networks. Spoofing: Spoofing occurs when one person or entity impersonates or masquerades as someone or something else. There are two common types of spoofing attack: IP spoofing and MAC spoofing. IP spoofing can be mitigated by blocking any packet that carries a private IP address when it arrives on a public interface. SYN Flood Attack: The SYN flood attack is a common attack used against servers on the internet. It is very easy for attackers to launch and difficult to stop, and it can cause significant problems. It disrupts the TCP handshake process and can prevent legitimate clients from connecting. In a SYN flood attack, the attacker never completes the handshake by sending the ACK packet, so the half-open connections consume the server's resources. It can be mitigated by setting a threshold for SYN packets. MITM: A man-in-the-middle attack is a form of act...

What is Malware And Different Kinds Of Malware?

Malware and its types: Malware, also known as malicious software, includes a wide range of software that has malicious intent. It is not software that users knowingly purchase or download and install. It is important to realize that there are several different types of malware, which are discussed below. Virus: A virus is malicious code that attaches itself to a host application. The host application must be executed for the virus to run, and the malicious code executes when the host application is executed. When the virus is activated it delivers its payload. The payload might delete files, cause random reboots, join the computer to a botnet, or enable a backdoor. Worms: A worm is self-replicating malware that travels throughout a network without the assistance of a host application or user interaction. A worm resides in memory and can use different transport protocols to travel over the network. Worms can replicate themselves hundreds of times and spread to all the systems in the network. Logic B...

Wireless Attacks

Wireless Attacks: There are several known attacks against wireless networks. Most can be avoided by using strong security protocols such as WPA2 with CCMP. Disassociation Attacks: This attack effectively removes a wireless client from the wireless network. In a disassociation attack, the attacker sends a disassociation frame to the AP with the spoofed MAC address of the victim. The AP receives the frame and shuts down the connection. The victim is then disconnected from the AP and needs to go through the authentication process again to reconnect. WPS Attack: WPS is susceptible to brute force attack. The attack keeps trying different PINs until it succeeds. Once it discovers the PIN, it can discover the passphrase on both WPA and WPA2 networks. Rogue AP: A rogue AP is an AP placed within a network without official authorization. It might be installed by an employee or an attacker. An attacker may connect a rogue access point to network devices in wiring closets that lack adequate physical security. T...

Network Devices

Network Devices: A network connects computing devices together so that users can share resources, such as data, printers, and other devices. Switch: A switch learns which computers are attached to each of its physical ports. It then uses this knowledge to create internal switched connections when two computers communicate with each other. Security benefits of a switch: If an attacker connects his computer to a switch port and installs a protocol analyzer, he will not capture the unicast traffic going through the switch to other ports. So a switch reduces the risk of an attacker capturing data with a sniffer. Switches also increase the efficiency of a network. Router: A router connects multiple network segments together into a single network and routes traffic between the segments. Because routers don't pass broadcasts, they effectively reduce traffic on any single segment. Segments separated by routers are sometimes referred to as b...

Access Control Model

Access Control Models: Access controls ensure that only authenticated and authorized entities can access resources. Role Based Access Control: It uses roles to manage rights and permissions for users. This is useful for users within a specific department who perform the same job functions. An administrator creates the roles and then assigns the specific rights and permissions to the roles instead of to individual users. Rule Based Access Control: Rule based access control uses rules. Rules can be static or dynamic. Static rules are implemented on routers or firewalls. An example of dynamic rules is an IPS that modifies its rules to block traffic from an attacker. Discretionary Access Control: Every object has an owner, and the owner establishes access for the object. Mandatory Access Control: It uses labels, sometimes referred to as security labels, to determine access. Administrators assign labels to users and files/folders. When the labels match, the system grants access to that files/...