Network Security

What is SIEM?

Photo by Sigmund on Unsplash

Learn what SIEM is and why it’s useful for your organization.

If you’ve taken a dip into cybersecurity, you’ve likely heard of SIEM — often pronounced “sim.” SIEM stands for Security Information and Event Management; SIEM solutions collect data that help IT admins analyze their system’s behavior. This can include things like:

  • Suspicious events, like unusual login location or time
  • Network activity
  • Data from servers, firewalls, computers, applications, and so on

SIEMs digest this data and make it easier for IT and Security teams to understand and work with. This could include dashboards, charts, graphs, and more. SIEMs also notify admins when something looks amiss, helping them stay up to date with the condition of their systems and act quickly if need be.

Why is SIEM important?

The information gathered by an SIEM solution is valuable for IT and Security teams because it helps them understand what is going on with their infrastructure. It’s beneficial in the event of a cyber attack, as this data can help them determine the timeline and method of the attack, as well as the affected systems. Data from one part of their infrastructure can be correlated with others, giving admins a more thorough picture of the attack.
Understanding what happens when your organization is attacked isn’t just a “nice-to-have” feature — keeping your information secure is crucial. Attacks show where your systems are vulnerable, and the data processed by SIEMs can help inform how you reinforce your security posture.

Data processing

SIEMs act as a central place for data collection, storage, and analysis — meaning less work for IT and Security teams that need to understand the data. Suppose your organization’s CISO or other executive needs a security report. In that case, SIEMs make it easy to pull the necessary data and present it in a digestible form, whether for a technical or non-technical audience.
SIEMs use machine-based sorting to classify telemetry data. When the SIEM detects potential threats and/or vulnerabilities, it categorizes them based on their severity and impact. This way, IT and Security teams can prioritize their response according to the potential consequences of the event.

Threat detection and incident response

When SIEMs leverage machine learning, they can be a powerful tool to spot advanced threats — including those that the cybersecurity community hasn’t discovered. Since SIEMs are a centralized data processor, they can correlate events in separate parts of your system. This contributes to SIEMs’ ability to interpret suspicious activity; this activity may seem relatively innocent on its own, but when associated with other events, the data starts to show indicators of malicious activity.

Compliance

SIEMs are a great tool to determine your devices’ compliance status. They can create reports for use in a compliance audit, for regulations like:

  • HIPAA: The US Health Insurance Portability and Accountability Act protects medical records and other personal health information.
  • PCI DSS: The Payment Card Industry Data Security Standards protect data related to credit card use.
  • GDPR: The EU General Data Protect Regulation governs how personal data is handled, giving users more control over their personal information.
  • SOX: The US Sarbanes-Oxley Act mandates how to handle financial information.
  • FERPA: The US Family Educational Rights and Privacy Act governs how student information can be accessed.

SIEMs and Mobile Device Management

Notifications and alerts from SIEMs tell admins when to take action. Remediating issues doesn’t happen within the SIEM — that’s where Mobile Device Management (MDM) comes in.
Organizations can integrate their SIEMs and MDM systems to correlate inventory data and respond to incidents. For instance, say your SIEM identifies a device with a vulnerable software version. With this data, your MDM can take action and update the software to help restore the device’s compliance status. MDMs also offer SIEMs rich inventory data that can be correlated with other events.

February 26, 2025 by Network Security 0

What is DNS Spoofing?

Photo by Lars Kienle on Unsplash

DNS spoofing, or DNS cache poisoning, is a phishing and cyber attack where false Domain Name System (DNS) information is introduced into a DNS resolver’s cache. This causes DNS queries to return an incorrect response, which commonly redirects users from a legitimate website to a malicious website designed to steal sensitive information or install malware.

There are several reasons why DNS spoofing is possible, but the principal problem is DNS was built in the 1980s when the Internet was much smaller, and security was not a primary concern. There is no in-built way for DNS resolvers to verify the validity of the data they store, and incorrect DNS information can remain until the time to live (TTL) expires or is manually updated.

How Do Attackers Poison DNS Caches?

DNS poisoning or DNS spoofing attacks work by impersonating DNS nameservers, making a request to a DNS resolver, and then forging the reply when the DNS resolver queries a nameserver. This is possible because DNS uses UDP, an unencrypted protocol, which makes it easy to intercept traffic with spoofing. DNS servers do not validate the IP addresses they are directing traffic to.

There are two common methods for poisoning DNS caches:

Man in the middle attack: The interception of communication between users and a DNS server to route users to a different or malicious IP address. In this situation, the attacker sits between the computer’s stub resolver and the recursive resolver, sending back a fake DNS result.

DNS server compromise: This type of attack occurs when an attacker gains direct access to the DNS server of a domain, generally through spear phishing or whaling, and updates the DNS entries to point to a malicious website. This type of attack is also known as DNS hijacking.

This works because, unlike TCP, which relies on both communicating parties performing a ‘handshake’ to initiate communication and verify the identity of devices, DNS requests and responses rely on UDP or User Datagram Protocol. With UDP, there is no guarantee that a connection is open, that the recipient is ready to receive, or that the sender is who they say they are. This leaves UDP communications vulnerable to MITM attacks; an attacker can send a message via UDP, pretending that it is a legitimate nameserver by forging header data. If the receiving DNS resolver accepts the fake response and caches, which can happen as there is no way to verify if the information is accurate and comes from a legitimate source. With that said, DNS spoofing attacks are not easy to pull off as the DNS resolver queries the authoritative nameserver giving attackers only a few milliseconds to fake the response before the real response arrives.

When are DNS Spoofing Attacks Successful?

For a DNS spoofing attack to be successful, attackers either need to know or guess:

Which DNS queries are not cached by the targeted DNS resolver so that the resolver will query the authoritative name server what port the DNS resolver uses, which was easy in the past but has since become much more difficult as DNS resolvers rotate their open ports to mitigate DNS spoofing The request ID number which authoritative nameserver the DNS resolver will query.

Furthermore, these malicious websites are often used to install computer worms, ransomware, and spyware on the user’s computer, giving the perpetrator long-term access.

How to Mitigate DNS Spoofing

The Domain Name System Security Extensions (DNSSEC or DNS Security Extensions) is a set of Internet Engineering Task Force (IETF) specifications designed to secure certain kinds of information the DNS provides. DNSSEC provides DNS resolvers origin authentication of DNS data, authenticated denial of existence, and data integrity but not availability or confidentiality.

Like TLS/SSL, DNSSEC uses public-key cryptography to verify and authenticate DNS data.

When DNSSEC is used, each answer to a DNS request contains an RRSIG DNS record and the requested record type. The RRSIG record is a digital signature of the requested DNS data. The digital signature is verified by locating the correct public key in the DNSKEY. The NSEC and NSEC3 records are used to provide cryptographic evidence of the non-existence of any request. This is also known as authenticated denial of existence.

The delegation signer (DS) is used to authenticate DNSKEYs by using a chain of trust. NSEC and NSEC3 also serve the purpose of providing robust resistance against spoofing.

The chain of trust starts with a set of verified public keys for the DNS root zone, the trusted third party. Domain owners generate their own public key/private key pair and upload them using their domain-name registrar’s DNS control panel, which pushes the keys via secDNS to the zone operator (for example, Verisign for the com zone), who signs and publishes them in the DNS.

This prevents resolvers from caching forged or manipulated DNS data and prevents cache poisoning.

In short, DNSSEC provides two security features to DNS:

Data origin authentication: This allows a resolver to cryptographically verify data from the zone requested.Data integrity protection: This allows a resolver to know that the data hasn’t been modified in transit and was originally signed by the zone owner’s private key.

These two security features all any recursive resolver to look up data in the zone and retrieve the zone’s public key, which is then used to validate the authenticity of provided DNS data. Resolvers then confirm the digital signature received matches what they expect and return it to the end-user. If the signature is not valid, the resolver assumes a cyber attack, discards the data, and returns an error.

While the primary concern of DNSSEC is to prevent the cyber threat of DNS spoofing, resulting in users being directed to the wrong place, DNSSEC provides the additional benefit of protecting text records (TXT) and mail records (MX). DNSSEC has also been used to bootstrap other cyber security systems that publish cryptographic certificates stored in DNS, such as Certificate records, SSH fingerprints, IPSec public keys, and TLS Trust Anchors.

That said, DNSSEC, unlike SSL certificates, does not provide confidentiality of data. DNSSEC responses are authenticated but not encrypted. Nor does DNSSEC protect against cyber attacks like distributed denial of service attacks (DDoS attacks).

DNSSEC also has several potential downsides, including:

Lack of data confidentiality: While DNSSEC authenticates, it does. not encode DNS responses. This means that perpetrators can still listen in on traffic and use this data for more sophisticated attacks; this is why SSL certificates are such an important part of Internet security. Deployment complexity: DNSSEC is easily misconfigured, which can cause servers to lose their security benefits or even deny access to the website altogether. No widespread adoption: While DNSSEC was published in 2005, it has not yet become mainstream, leaving any DNS records vulnerable to attacks.

Beyond DNSSEC, there are other ways you can prevent DNS spoofing:

Active monitoring: DNS data should be continuously monitored for changes, such as the appearance of a new external host, that could indicate compromise.

Patching: Like anything, DNS servers and software can be vulnerable to exploits and zero-day vulnerabilities. Ensure whoever is hosting your DNS records is meticulous about vulnerability management and attack surface management.

DNS updates Newer versions of DNS use port randomization and cryptographically secure transaction IDs to prevent DNS attackers and ensure your servers are up-to-date.

Password policies: Ensure you use strong passwords and, ideally, two-factor authentication for the account that manages your DNS records. And don’t forget about changing default passwords on network equipment, such as routers, which can put every device and user in danger if compromised. Read our guides on password security and network security for more information.

Invest in cybersecurity awareness training: Remember that many DNS spoofing attacks are either the result of or aim to initiate some phishing attack. Educate your staff about what to look for in phishing campaigns.

September 29, 2023 by Network Security 0

Bypassing Firewalls Using Nmap

Photo by Sigmund on Unsplash

Nowadays, almost every system is protected by firewalls or Intrusion Detection Systems (IDS). Nmap provides various ways to bypass these firewalls or IDS to perform port scans on a system.

TCP ACK Scan

nmap -sA x.x.x.x

How it works…The filtered and unfiltered port scan results depend on whether the firewall is stateful or stateless. A stateful firewall checks whether an incoming ACK packet is part of an existing connection. It blocks it if the packets are not part of any requested connection. Hence, the port will show up as filtered during a scan. Whereas, in the case of a stateless firewall, it will not block the ACK packets,

TCP Window Scan

nmap -sW x.x.x.x

Idle scan

Idle scanning is an advanced technique where no packets sent to the target can be traced back to the attacker’s machine. It requires a zombie host to be specified.

nmap -sI zombiehost.com domain.com

Idle scan works based on a predictable IPID or an IP fragmentation ID of the zombie host. First, the IPID of the zombie host is checked, and then a connection request is spoofed from that host to the target host. If the port is open, an acknowledgment is sent back to the zombie host, which resets (RST) the connection as it has no history of opening such a connection. Next, the attacker checks the IPID on the zombie again; if it has changed by one step, it implies an RST was received from the target. But if the IPID has changed by two steps, it means a packet was received by the zombie host from the target host, and there was an RST on the zombie host, which implies that the port is open.

July 29, 2023 by Network Security 0

Securing Linux On-Premises: Essential Measures for Intermediate Linux Administrators

Photo by Collin Armstrong on Unsplash

When it comes to safeguarding Linux in an on-premises environment, there are several important measures that intermediate Linux administrators should implement. By focusing on these key strategies, you can enhance the security of your Linux infrastructure and protect your systems effectively.

  1. Physical Security: Start by securing physical access to your on-premises Linux servers. Establish restricted access to server rooms or data centers, ensuring only authorized personnel can enter. Implement security controls like biometric authentication, access cards, or surveillance cameras to monitor and control physical access.
  2. Network Security: Implement robust security measures to protect your on-premises Linux systems. Utilize firewalls to filter network traffic and allow only necessary connections. Segment your network into different zones, isolating critical servers from less secure areas. Regularly update and patch network devices to address vulnerabilities and minimize potential risks.
  3. System Hardening: Harden your Linux systems by applying security best practices. Disable unnecessary services and ports to minimize the attack surface. Regularly update and patch your operating system and software applications to fix security vulnerabilities. Utilize strong and unique passwords for user accounts and consider implementing multi-factor authentication for an added layer of protection.
  4. User Access Controls: Implement strict user access controls to limit privileges and minimize the risk of unauthorized access. Enforce the principle of least privilege, granting users only the necessary permissions required to perform their tasks. Regularly review user accounts and revoke access for users who no longer require it.
  5. Security Monitoring: Implement a comprehensive security monitoring system to promptly detect and respond to potential security incidents. Configure and review system logs to identify any suspicious activities or signs of compromise. Utilize intrusion detection systems (IDS) or intrusion prevention systems (IPS) to monitor network traffic for unauthorized access attempts or malicious activities.
  6. Regular Backups: Implement a robust backup strategy to ensure data integrity and availability. Regularly back up your critical data and test the restoration process to verify its effectiveness. Store backups securely and offsite to mitigate the impact of physical incidents or disasters.
  7. Security Awareness and Training: Educate your staff on security best practices and raise awareness about potential threats. Train users to recognize social engineering techniques, phishing attempts, and other common attack vectors. Regularly update staff on emerging security trends and provide guidance on handling security incidents.

By implementing these measures, intermediate Linux administrators can significantly enhance the security of their on-premises Linux systems. Regularly review and update your security practices to stay ahead of emerging threats and ensure the ongoing protection of your Linux infrastructure.

April 15, 2023 by Network Security 0

What is Network Security?

Photo by Scott Webb on Unsplash

In this vulnerable world, it’s necessary to take steps for the sake of existence. It could be against anything; whether it is a disease, an accident or maybe even a flaw in the system of existence.

One of the most important parts of a lifestyle is a NETWORK. Everything is done on a network in the upcoming digital world. From viewing to advertising, from purchasing to selling and from learning to teaching. Therefore, it is necessary to secure a network just so all users can keep themselves protected.

Now the first question that comes to our mind is “What is network security?”

Network security is basically a number of steps we walk on or follow in order to protect ourselves from different kind of threats which may include integrity, confidentiality, and availability of our data. These steps can be applied to both hardware equipment as well as software technologies. Effective and sufficient security steps allow secure and efficient access to the network. The main objective of network security is to detect all the flaws and vulnerabilities and patch them up just so a user is provided with a secure connection.

Before following any step, a person always wonders as to why is network security necessary or important?

Apparently, the most important and greatest reason for this is the attacks that a lot of users fall victim to while spending their time on the internet. There’s a huge variety of attacks that are often performed to disrupt a network. Some of the most common attacks that are often performed these days from which we need to protect ourselves are Malware attacks which are often initialized to disrupt, damage or gain unauthorized access to a network or a computer system, Botnets where a number of private computers are infected using corrupted software so that those systems can be controlled altogether without the knowledge of their owners to initiate a new attack, DoS(Denial of Service) where an attacker spams a huge amount of data packet onto a system or a server just to make it lose its connection or to make it overload and break and so much more attacks like such. Sometimes we fall a victim to an entire organization’s attack because of multiple systems and an efficient amount of resources being present there just to initiate an attack regardless of all the efforts needed to be put in for the attack. As in May 2017, a huge amount of systems running the Microsoft operating system were exploited all over the world by a single attack known as “WannaCry ransomware”. This attack encrypted all the data present in target systems and the exploiters demanded ransom payment in the bitcoin currency from the victim user in return for their own data. The attack was estimated to have affected more than 0.2 million computer systems across 150 countries, with a total damage of about millions to billions of dollars.

One thing that we think about is, “What are the harmful events than a hacker can cause which makes us take steps towards network security?”

The most important reason for implementing network security is the destruction an attacker or hacker can cause to you or your system. An attacker can sniff out your every username and password that you use in different accounts, they can disrupt your funding cards like credit or debit card or even use those cards to steal money from you, they can misuse your social security number, they can steal your sensitive data and misuse them, they can steal your identity and impersonate you while committing some serious crime and there’s so much more an attacker/hacker can do to harm you. Being in an advanced world. there a lot of devices that have been invented that makes it efficient for an attacker to harm you one of which is “LAN TURTLE” which can blend in physically with other network devices and can be used to gain remote and unauthorized access to your system by completely bypassing the network firewall and can steal and store any data available, “Bash Bunny” another device that can hijack your network and inject any malware or virus through that network to corrupt or infect your system added to which, this device can also gain access to the shell of your system and steal out any information that the attacker wants. Another device that is known as “LANTAP” is one of the most famous yet notorious devices that is capable enough to tap into your network scan and analyze all the incoming and outgoing data through your network which can be modified or even disrupted in its path and also can be decrypted using various tools if ever encrypted.

All these words conclude up to the fact that network security is quite essential in the trending digital lifestyle just so we’re able to use the internet at its full extent without facing any negatives that could lead us to a great loss.

March 15, 2022 by Network Security 0

Recent Comments

No comments to show.