How to Protect Your Organization and Your Self From Cyber Attack?

There are many methods and techniques to avoid becoming a victim of cyber threats. Various cyber security and information security frameworks can be implemented in an organization to protect it from those threats. The most popular cyber security framework developed by the US government is the NIST Cybersecurity Framework, published by the National Institute of Standards and Technology.

For practical implementation there are many methods and approaches; what follows is a set of current, practical measures for protecting our digital assets, organised by the four incident-response phases used by NIST (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity).

Preparation:

To prepare for cyber threats, we must first identify our digital assets: servers, databases, storage devices, source code, software requirements, and any intellectual property that can be digitally attacked and compromised.

Identification of Assets:

After identifying the assets, we assign each one a severity (criticality) level, put them in a list, and estimate the expected loss if a cyber attack hits that particular asset.

Example: (shown as an image in the original article)

Tool:

Cybersecurity Asset Management by Qualys is an advanced tool for keeping an inventory of hardware as well as digital assets. You can view the software at https://www.qualys.com/apps/cybersecurity-asset-management/


Asset Types:

Hardware: Hardware assets are protected by strengthening physical security around the systems that hold our data; the database server must be physically protected and monitored with CCTV cameras. Data centers themselves can be targeted physically. To be protected from physical threats, we need physical security and multiple backup locations (including cloud) for our servers, databases, and digital access copies. Access control must be implemented so that only authorized persons are allowed in, and a record of every activity must be maintained.

Mechanism Implementation:

  • Access control: only authorized persons are allowed in, and a record of every activity performed is kept
  • Physical security in the form of security guards and fences
  • Monitored CCTV cameras
  • Backups in multiple locations, including cloud backups (clustered backups)

Hardware assets are less likely to be attacked directly, because data centers have very high physical security that makes a physical attack hard, although it is still possible.

Software: Any software, whether system software (an operating system) or application software, can be the victim of a cyber threat, because no software is 100% secure. Operating systems contain vulnerabilities that can be exploited by cybercriminals, also known as hackers. Security professionals maintain databases of known vulnerabilities, available at the CVE website https://cve.mitre.org/ and the NIST National Vulnerability Database https://nvd.nist.gov/vuln

Well-known vulnerabilities are reported publicly so that security professionals can see how they were exploited and fix them. Hackers use the same reports to check whether a vulnerability exists on a target, and if it does, they use a pre-built exploit to compromise the software.

How do hackers find vulnerabilities?

Information gathering, known as reconnaissance, followed by vulnerability scanning. A vulnerability scan enumerates the services running on the target and their versions, then compares them against the known-vulnerability entries in the NIST and CVE databases to see whether any of them match.

The best-known tools are Nessus (a vulnerability scanner) and the Metasploit Framework (an exploitation framework with ready-made exploits), used by hackers as well as security professionals.
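The version-matching step is the part of a scan that is easiest to get wrong, so here is an added example (mine, not from the article and not Nessus code) of how a scanner compares a grabbed service banner against an advisory list. The advisory records, banners and EXAMPLE-* identifiers are constructed placeholders, not real CVE entries; a real scanner loads the NVD/CVE feeds instead.

```python
import re

# Constructed advisory records for this example only: the EXAMPLE-* ids,
# products and version ranges are placeholders, not real CVE/NVD entries.
# A product is affected when  min <= version < max_excl.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "product": "openssh", "min": "7.0", "max_excl": "8.4p1"},
    {"id": "EXAMPLE-0002", "product": "apache", "min": "2.4.0", "max_excl": "2.4.50"},
    {"id": "EXAMPLE-0003", "product": "proftpd", "min": "1.3.0", "max_excl": "1.3.6"},
]

# Constructed banners, in the shape a banner grabber or `nmap -sV` reports them.
BANNERS = {
    22: "SSH-2.0-OpenSSH_7.4",
    80: "Apache/2.4.51 (Unix)",
    21: "220 ProFTPD 1.3.5 Server (Debian)",
    8080: "HTTP/1.1 200 OK",          # no product/version: cannot be matched
}

# How each product announces its version in its banner.
BANNER_PATTERNS = {
    "openssh": re.compile(r"OpenSSH_([0-9][\w.]*)"),
    "apache": re.compile(r"Apache/([0-9][0-9.]*)"),
    "proftpd": re.compile(r"ProFTPD ([0-9][0-9.]*)"),
}


def parse_version(text):
    """Turn '8.4p1' into a tuple that sorts the way releases do.

    Numeric runs compare as integers (so 2.4.9 < 2.4.51, unlike a plain
    string compare) and letter runs compare lexically; a version with extra
    trailing components sorts after its prefix (8.4 < 8.4p1).
    """
    key = []
    for tok in re.findall(r"\d+|[A-Za-z]+", text):
        key.append((0, int(tok)) if tok.isdigit() else (1, tok.lower()))
    return tuple(key)


def identify(banner):
    """Return (product, version) if a known product announces itself."""
    for product, pattern in BANNER_PATTERNS.items():
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None


def matching_advisories(product, version):
    v = parse_version(version)
    return [a for a in ADVISORIES
            if a["product"] == product
            and parse_version(a["min"]) <= v < parse_version(a["max_excl"])]


def scan(banners):
    """Match every identified service against the advisory list."""
    findings = []
    for port, banner in sorted(banners.items()):
        ident = identify(banner)
        if ident is None:
            continue   # a real scanner would send more probes before giving up
        product, version = ident
        for adv in matching_advisories(product, version):
            findings.append({"port": port, "product": product,
                             "version": version, "id": adv["id"],
                             "fixed_in": adv["max_excl"]})
    return findings


if __name__ == "__main__":
    for f in scan(BANNERS):
        print(f"port {f['port']}: {f['product']} {f['version']} matches "
              f"{f['id']} (fixed in {f['fixed_in']})")
```

The point to take away is that a banner only tells the scanner the upstream version string; distributions that backport fixes without bumping the version will show up as false positives, which is why scanners also offer authenticated (local package) checks.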

Tools:

Nessus:

Nessus is an advanced vulnerability scanner that scans applications and services and compares what it finds against its plugin database of known vulnerabilities.


Download link https://www.tenable.com/products/nessus


Metasploit:


The Metasploit Framework is a framework of pre-built exploits that are ready to run against a vulnerable target. It is open source and community driven, and the source code of every exploit module is available.


Detection and Analysis:

How can we know whether our software or network has been compromised, and how it was compromised?

This is done through logging. Whatever we do in software or on hardware, a log is generated: whenever someone logs into a system, an authentication log entry is generated for that particular user.

Suppose our administrator credentials have been compromised. If we see in the history an admin login after duty hours, it looks suspicious, because we are the admin and we know we did not log in. Professional hackers clear the logs, but there is a solution to that: a SIEM (Security Information and Event Management) system.

It is a client/agent-based model. An agent is installed on the endpoint and forwards all logs to a central server. The point is that even if a hacker has compromised our server or machine and wiped its local logs, the logs are already on the SIEM server, and from there we can investigate the record of what happened.

It is a type of software that provides a centralized view of security-related events and activities across an organization's information technology (IT) infrastructure.

It analyzes data from various sources, such as firewalls, intrusion detection systems, servers, and applications, to identify potential security threats and suspicious activity. The system aggregates and correlates this data to provide a comprehensive overview of the organization's security posture, which helps security teams detect and respond to threats quickly.

SIEM tools can also automate some security processes, such as incident response and threat mitigation. By providing a centralized view of security events, SIEM systems enable security teams to have better visibility into their organization's security posture, helping them to make informed decisions about risk management and security strategy.
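The after-hours admin login described above, and a password-guessing run that ends in a successful login, are exactly the kind of rules a SIEM evaluates once the logs are centralised. As an added example, not part of the original article or of any SIEM product named below, here is that logic run over constructed sshd auth.log lines; the duty hours (08:00-18:00) and the list of privileged accounts are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd lines in syslog/auth.log format (not from a real system).
SAMPLE_AUTH_LOG = """\
Mar  3 02:17:44 db01 sshd[4123]: Accepted password for admin from 203.0.113.7 port 51122 ssh2
Mar  3 09:05:01 db01 sshd[4201]: Accepted publickey for alice from 10.0.0.12 port 40022 ssh2
Mar  3 11:00:03 web02 sshd[7002]: Failed password for invalid user guest from 192.0.2.44 port 50010 ssh2
Mar  3 14:10:00 web02 sshd[7310]: Accepted publickey for root from 10.0.0.5 port 40100 ssh2
Mar  3 23:41:09 web02 sshd[7781]: Failed password for root from 198.51.100.9 port 33190 ssh2
Mar  3 23:41:30 web02 sshd[7783]: Failed password for root from 198.51.100.9 port 33194 ssh2
Mar  3 23:41:52 web02 sshd[7785]: Failed password for root from 198.51.100.9 port 33201 ssh2
Mar  3 23:42:10 web02 sshd[7787]: Failed password for root from 198.51.100.9 port 33207 ssh2
Mar  3 23:42:30 web02 sshd[7789]: Failed password for root from 198.51.100.9 port 33215 ssh2
Mar  3 23:42:41 web02 sshd[7791]: Accepted password for root from 198.51.100.9 port 33220 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port"
)

PRIVILEGED = {"root", "admin"}        # assumed list of privileged accounts
DUTY_START, DUTY_END = 8, 18          # assumed duty hours, 08:00-18:00 local time


def parse_auth_log(lines):
    """Turn raw sshd lines into event dicts with a datetime timestamp."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                  # not an sshd login event
        d = m.groupdict()
        stamp = f"{d.pop('mon')} {d.pop('day')} {d.pop('time')}"
        d["ts"] = datetime.strptime(stamp, "%b %d %H:%M:%S")   # syslog has no year
        events.append(d)
    return events


def after_hours_privileged(events, privileged=PRIVILEGED,
                           start=DUTY_START, end=DUTY_END):
    """Rule 1: a privileged account logged in outside duty hours."""
    return [e for e in events
            if e["result"] == "Accepted" and e["user"] in privileged
            and not start <= e["ts"].hour < end]


def brute_force_success(events, threshold=5, window=timedelta(minutes=5)):
    """Rule 2: a login succeeded after `threshold` or more failures from the
    same source against the same host inside `window` (password guessing)."""
    alerts = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        failures = [f for f in events
                    if f["result"] == "Failed" and f["src"] == e["src"]
                    and f["host"] == e["host"]
                    and timedelta(0) <= e["ts"] - f["ts"] <= window]
        if len(failures) >= threshold:
            alerts.append({**e, "failures_before": len(failures)})
    return alerts


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for e in after_hours_privileged(evs):
        print(f"AFTER-HOURS  {e['ts']:%b %d %H:%M} {e['user']}@{e['host']} from {e['src']}")
    for a in brute_force_success(evs):
        print(f"BRUTE-FORCE  {a['ts']:%b %d %H:%M} {a['user']}@{a['host']} from {a['src']} "
              f"after {a['failures_before']} failures")
```

Both rules depend on the log lines having left the host before the attacker could clear them, which is the reason the agent forwards them in real time rather than on a schedule.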


Tools:


ELK:

Elasticsearch, Logstash and Kibana combined form an open-source stack that is used as a SIEM to store and view logs, with many more advanced features on top.

Elasticsearch, Logstash, and Kibana are commonly used together as a suite of tools for managing and analyzing large volumes of data.

  • Elasticsearch is based on the Lucene library. It is designed to store, search, and analyze large volumes of data in real-time. Elasticsearch is commonly used to power search functionality on websites and to support logging and monitoring systems.
  • Logstash is a data processing pipeline that collects, processes, and transforms data from multiple sources. It handles a wide range of data types and formats, and it can be used to ingest data into Elasticsearch or other data stores.
  • Kibana is a data visualization tool that is used to explore and visualize data stored in Elasticsearch. It provides a graphical interface for creating dashboards, charts, and other visualizations of data.

Together, these three tools form the ELK stack (Elasticsearch, Logstash, and Kibana) or the Elastic Stack. The Elastic Stack can be used for a variety of applications, such as log analysis, application performance monitoring, and security analytics.

Wazuh:

Wazuh is an open-source security information and event management (SIEM) platform. It provides a way to collect, analyze, and correlate security events from different sources in real-time to detect and respond to security threats.

Wazuh SIEM is designed to be scalable and highly customizable, making it suitable for both small and large organizations. It includes a range of features such as log management, file integrity monitoring, intrusion detection, vulnerability assessment, and compliance management.

The Wazuh platform consists of three main components: the Wazuh manager, the Wazuh agents, and the Wazuh app. The Wazuh manager collects and processes security event data from different sources, the Wazuh agents are installed on the monitored hosts to collect and send data to the manager, and the Wazuh app provides a user interface for monitoring and analyzing security events.

Overall, Wazuh SIEM is a powerful tool for organizations to improve their security posture by detecting and responding to security incidents in real-time.

It can be downloaded from here https://wazuh.com/


Splunk:

Splunk is a popular SIEM (Security Information and Event Management) platform used by organizations for collecting, monitoring, analyzing, and responding to security events and threats. It offers a comprehensive set of features and capabilities that help organizations improve their security posture.

Splunk can collect and analyze data from various sources such as logs, network traffic, applications, and endpoints. It uses machine learning algorithms and advanced analytics to identify anomalies and suspicious activity and provides real-time alerts and notifications to security teams.

The Splunk SIEM platform consists of several components, including the Splunk Enterprise Security app, which provides a centralized view of security events and incidents. It also includes Splunk SOAR (formerly Phantom), which helps automate response actions, and the Splunk User Behavior Analytics app, which uses machine learning to detect insider threats.

Splunk SIEM also supports a range of compliance frameworks, such as PCI DSS and HIPAA, to help organizations meet regulatory requirements. Additionally, it offers integrations with third-party security tools, making it easy to extend the platform's capabilities.

Overall, Splunk SIEM is a powerful and flexible platform that helps organizations to detect, investigate, and respond to security incidents more effectively.

It can be downloaded from https://www.splunk.com/en_us/products.html


Mechanism Implementation:

  • Perform regular vulnerability scans; if a vulnerable service or software is found, update it if a fix is available, otherwise remove it or use an alternative until the vulnerable service or software has been fixed.
  • Perform log analysis and auditing of what is going on at each point; unusual log entries must be investigated further.
  • A regular auditing policy must be implemented, covering access control and firewall logs, and blacklisting and whitelisting reports must be present.

Containment, Eradication and Recovery:

Even when our organization has been attacked, there is some method through which the hackers gained access to our system: it might be a bug, a vulnerability, or a social-engineering trick.

To prevent these we can implement a firewall, antivirus and endpoint detection and response (EDR), and close unused or vulnerable open ports. There must also be a backup of every application server and of the data, so that it can be recovered in case of an extreme disaster.

Firewall:

A firewall is used to allow or block inbound and outbound traffic. It can be a network firewall or an endpoint (host) firewall; both must be implemented, and the firewall should log which traffic it allows and which it denies.

Antivirus:

Antivirus: it responds in real time. If the signature of known malware is detected, the malware is removed automatically; if the signature is not known, heuristic and behavioural checks may still flag the file as suspicious.

EDR:

EDR: it stands for Endpoint Detection and Response. It refers to a category of security software tools that are designed to detect, investigate, and respond to cybersecurity threats on endpoints such as desktops, laptops, and servers.

EDR solutions typically use a combination of techniques such as behavioral analysis, machine learning, and threat intelligence to identify suspicious activity on an endpoint. Once a threat is detected, the EDR solution can take action to contain it, such as isolating the infected endpoint from the network, blocking the malicious process, or deleting the malware.

EDR solutions are an important component of modern cybersecurity strategies, as they provide organizations with real-time visibility into their endpoints, and help to detect and respond to threats quickly and effectively.

Port Scanning:

For every public-facing port carrying inbound or outbound traffic, there should be regular port scans to confirm which ports are open and why, and whether a vulnerable service can be replaced; a policy covering this must be implemented.

Tools:

Network Firewall:

FortiGate is a brand of firewall and security appliances developed by Fortinet. It is a network security solution that provides businesses and organizations with comprehensive security features, including firewall, intrusion prevention, VPN, anti-malware, and web filtering capabilities.

FortiGate firewalls use a combination of signature-based and behaviour-based detection techniques to identify and block known and unknown threats. They also incorporate advanced features like sandboxing, which allows suspicious files to be run in a controlled environment to determine whether they are malicious or not.

FortiGate firewalls are available in a variety of form factors to meet the needs of different organizations, from small businesses to large enterprises. They can be deployed on-premises, in the cloud, or as a virtual appliance.

Overall, FortiGate firewalls are a popular choice for organizations looking for a reliable and feature-rich network security solution that can protect against a wide range of threats.


Software firewall:

Windows Firewall is built into Windows, and in a Linux environment there are ufw and iptables. A firewall policy allows or denies traffic based on the classic 5-tuple plus an action:

  • Source IP address
  • Source port
  • Destination IP address
  • Destination port
  • Protocol (TCP, UDP, ...)
  • Action: allow or deny
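An added example (not from the article, and not Windows Firewall, ufw or iptables code) of how a host firewall evaluates such rules: first match wins, there is a default-deny policy at the end, and the decision reports which rule fired so that it can be logged. The addresses, rule set and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    proto: str      # "tcp", "udp" or "any"
    src: str        # CIDR, e.g. "10.0.0.0/8"; "0.0.0.0/0" means any
    sport: str      # "any", a single port "22", or a range "1024-65535"
    dst: str
    dport: str


# Constructed rule set (assumed layout: 10.0.1.5 is an internal web server,
# 10.0.0.0/8 is the corporate network).  First match wins, default deny.
RULES = [
    Rule("allow", "tcp", "10.0.0.0/8", "any", "10.0.1.5/32", "22"),      # SSH from inside only
    Rule("allow", "tcp", "0.0.0.0/0", "any", "10.0.1.5/32", "443"),      # HTTPS from anywhere
    Rule("allow", "udp", "10.0.1.5/32", "any", "10.0.0.53/32", "53"),    # server may resolve DNS
    Rule("deny", "any", "0.0.0.0/0", "any", "0.0.0.0/0", "3389"),       # explicit RDP block
]


def port_matches(spec, port):
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def ip_matches(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule, pkt):
    """pkt is a dict with proto, src, sport, dst, dport."""
    return ((rule.proto == "any" or rule.proto == pkt["proto"])
            and ip_matches(rule.src, pkt["src"]) and port_matches(rule.sport, pkt["sport"])
            and ip_matches(rule.dst, pkt["dst"]) and port_matches(rule.dport, pkt["dport"]))


def evaluate(rules, pkt, default="deny"):
    """First-match evaluation. Returns (action, index of the matching rule or
    None for the default policy) so the caller can log what decided."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return default, None


def log_line(pkt, decision):
    action, idx = decision
    why = f"rule {idx}" if idx is not None else "default policy"
    return (f"{action.upper():5} {pkt['proto']} {pkt['src']}:{pkt['sport']} -> "
            f"{pkt['dst']}:{pkt['dport']} ({why})")


SAMPLE_PACKETS = [  # constructed 5-tuples
    {"proto": "tcp", "src": "10.0.0.12", "sport": 40000, "dst": "10.0.1.5", "dport": 22},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 50000, "dst": "10.0.1.5", "dport": 22},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 50001, "dst": "10.0.1.5", "dport": 443},
    {"proto": "udp", "src": "10.0.0.12", "sport": 53, "dst": "10.0.1.5", "dport": 443},
    {"proto": "tcp", "src": "10.0.0.12", "sport": 40001, "dst": "10.0.1.5", "dport": 3389},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(log_line(pkt, evaluate(RULES, pkt)))
```

The first rule is what `ufw allow proto tcp from 10.0.0.0/8 to 10.0.1.5 port 22` or `iptables -A INPUT -p tcp -s 10.0.0.0/8 -d 10.0.1.5 --dport 22 -j ACCEPT` expresses; the UDP packet to port 443 is dropped by the default policy because the protocol is part of the match, which is why protocol belongs in the tuple.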

Antivirus:

There is no single "best" antivirus software that is universally recommended for everyone, as different antivirus programs have different strengths and weaknesses, and the best choice will depend on the specific needs and preferences of the user. That being said, here are some popular antivirus software programs that are highly rated by users and experts:

  1. Bitdefender Antivirus Plus: This antivirus software consistently ranks highly in independent tests for malware detection and is known for its ease of use and low system impact.
  2. Norton AntiVirus Plus: Norton is a well-established brand in the antivirus industry and offers reliable malware detection, as well as features such as a password manager and firewall.
  3. Kaspersky Anti-Virus: Kaspersky is known for its advanced malware detection capabilities and includes features such as a virtual keyboard and secure browser for online banking and shopping.
  4. Avira Antivirus Pro: Avira is a lightweight antivirus program that offers reliable malware detection and includes features such as a VPN and system optimizer.
  5. McAfee Total Protection: McAfee is a comprehensive security suite that includes antivirus, firewall, anti-spam, and parental controls, among other features.



Port Scanner:

A port scanner is a software tool used to scan a network or a specific host for open ports. A port is a communication endpoint in a computer network; well-known port numbers are conventionally associated with specific protocols, such as HTTP for web traffic (port 80) or FTP for file transfers (port 21).

Port scanners work by sending packets to a range of IP addresses and ports and analyzing the responses to identify open ports. This information can be used by network administrators and security professionals to identify potential vulnerabilities in their networks and assess the security of their systems.

There are different types of port scanners, including:

  1. TCP Port Scanners: These scanners send TCP packets to the target ports and analyze the responses to determine whether the port is open or closed.
  2. UDP Port Scanners: These scanners send UDP packets to the target ports and analyze the responses to determine whether the port is open or closed.
  3. Banner Grabbers: These tools extract information from the banner messages sent by servers when they receive a connection request on a particular port. The banner message may reveal information about the server, such as its version number, which can be useful for identifying vulnerabilities.

Some popular port scanning tools include Nmap, Angry IP Scanner, and Advanced Port Scanner; Nmap is the most popular network scanning tool. Note that port scanning can be used for both legitimate and malicious purposes, so obtain permission before scanning a network or computer that you do not own.
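As an added example (mine, not the article's and not Nmap's code), here is a TCP connect scan with banner grabbing, the combination of the "TCP Port Scanners" and "Banner Grabbers" types listed above. It scans a throwaway listener that it starts itself on 127.0.0.1, so it runs offline; the banner text is constructed. Point it only at hosts you own or have permission to scan.

```python
import socket
import threading


def start_demo_service(banner=b"220 demo-ftp ready\r\n"):
    """Throwaway listener on 127.0.0.1 that greets each client with a banner.
    It stands in for a real server so the scan has a target (example only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))        # port 0: the OS picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:           # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_demo_service(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept()
    except OSError:
        pass
    srv.close()


def free_tcp_port():
    """Pick a port nothing is listening on (used as the 'closed' control)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """TCP connect probe (what `nmap -sT` does): a full handshake, then read
    whatever the service says first.  Returns (state, banner_bytes)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except (socket.timeout, TimeoutError):
        s.close()
        return "filtered", b""        # no SYN-ACK and no RST: likely dropped by a firewall
    except OSError:                   # ECONNREFUSED and friends: an RST came back
        s.close()
        return "closed", b""
    try:
        banner = s.recv(256)          # SSH, FTP and SMTP talk first; HTTP does not
    except (socket.timeout, TimeoutError, OSError):
        banner = b""
    finally:
        s.close()
    return "open", banner.strip()


def scan(host, ports, timeout=0.5):
    """Return {port: (state, banner)} for every port that is not closed."""
    results = {}
    for port in ports:
        state, banner = probe(host, port, timeout)
        if state != "closed":
            results[port] = (state, banner.decode("ascii", errors="replace"))
    return results


if __name__ == "__main__":
    srv, port = start_demo_service()
    for p, (state, banner) in scan("127.0.0.1", [port, free_tcp_port()]).items():
        print(f"{p}/tcp {state} {banner}")
    stop_demo_service(srv)
```

A connect scan completes the handshake, so it shows up in the target's logs; the three states it distinguishes (open, closed, filtered) are the same ones Nmap reports, and "filtered" is the signal that a firewall is dropping packets rather than the service being absent.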


Backup:

Backing up your data regularly is an essential part of any cybersecurity strategy, as it allows you to recover your data in the event of a data breach or other catastrophic event. Here are some tips for effective cyber data backup:

  1. Use a reliable backup solution: There are many backup solutions available, from simple external hard drives to cloud-based services. Choose a backup solution that meets your needs and budget, and that offers features such as encryption, versioning, and automatic backup scheduling.
  2. Backup frequently: The more frequently you back up your data, the less data you stand to lose in the event of a cyber attack. Consider backing up your data daily or even multiple times per day, depending on how critical your data is.
  3. Test your backups: It's important to periodically test your backups to ensure that they are working properly and that you can recover your data in the event of a data loss.
  4. Secure your backups: Make sure that your backups are stored securely and are not accessible to unauthorized users. This may involve encrypting your backups or storing them offsite in a secure location.
  5. Have a disaster recovery plan: In the event of a cyber-attack or another disaster, you should have a plan in place for recovering your data and getting your systems back up and running. This may involve using your backups to restore your data or working with a professional data recovery service.
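Tips 1, 3 and 4 above (versioned backups, testing them, and keeping them trustworthy) as one added example that is not from the article: create a timestamped archive, record the SHA-256 of every file in a manifest, then do a restore test into a scratch directory and compare. The sample files are constructed, and the corruption step simulates bit rot or tampering so that the failure path is exercised; encryption of the archive at rest is left to the backup tool or disk encryption.

```python
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map of relative path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src, dest_dir):
    """Write a timestamped (versioned) tar of src plus a JSON manifest of hashes."""
    src, dest_dir = Path(src), Path(dest_dir)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest_dir / f"backup-{stamp}.tar"
    with tarfile.open(archive, "w") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(src).as_posix())
    manifest = {"created": stamp, "archive_sha256": sha256_file(archive),
                "files": hash_tree(src)}
    manifest_path = archive.with_name(archive.stem + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def verify_backup(archive, manifest_path):
    """Restore test: check the archive hash, then extract into a scratch dir
    and compare every restored file with the manifest.  Returns a report."""
    manifest = json.loads(Path(manifest_path).read_text())
    report = {"archive_ok": sha256_file(archive) == manifest["archive_sha256"],
              "restore_ok": False, "mismatched": []}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive) as tar:
                try:
                    tar.extractall(scratch, filter="data")   # refuse unsafe members
                except TypeError:                            # Python without the filter API
                    tar.extractall(scratch)
        except tarfile.TarError:
            report["mismatched"] = ["<archive unreadable>"]
            return report
        restored, expected = hash_tree(scratch), manifest["files"]
        report["mismatched"] = sorted(
            name for name in set(expected) | set(restored)
            if expected.get(name) != restored.get(name))
        report["restore_ok"] = not report["mismatched"]
    return report


def corrupt_archive(archive):
    """Flip one byte of the first file's data (simulates bit rot or tampering).
    An uncompressed tar has no checksum over file data, so only the manifest
    can catch this; gzip's CRC would at least make the archive unreadable."""
    with tarfile.open(archive) as tar:
        first = next(m for m in tar.getmembers() if m.isfile() and m.size > 0)
        offset = first.offset_data
    with open(archive, "r+b") as f:
        f.seek(offset)
        original = f.read(1)
        f.seek(offset)
        f.write(bytes([original[0] ^ 0xFF]))


def build_sample_tree(root):
    """Constructed stand-in for the data to protect (not real data)."""
    root = Path(root)
    (root / "config").mkdir()
    (root / "db").mkdir()
    (root / "config" / "app.ini").write_text("[app]\nlisten = 127.0.0.1:8080\n")
    (root / "db" / "dump.sql").write_text("-- constructed dump\nINSERT INTO users VALUES (1, 'alice');\n")


def demo():
    """Back up the sample tree, verify it, corrupt the archive, verify again."""
    with tempfile.TemporaryDirectory() as work:
        src, dest = Path(work) / "data", Path(work) / "backups"
        src.mkdir()
        dest.mkdir()
        build_sample_tree(src)
        archive, manifest = create_backup(src, dest)
        good = verify_backup(archive, manifest)
        corrupt_archive(archive)
        bad = verify_backup(archive, manifest)
    return good, bad


if __name__ == "__main__":
    for label, report in zip(("fresh backup", "after corruption"), demo()):
        print(label, report)
```

Keep the manifest somewhere the backup itself cannot overwrite (a separate bucket or an append-only store); if an attacker who has encrypted or replaced the backups can also rewrite the hashes, the restore test proves nothing.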

Mechanism Implementation:

  • Implement network and endpoint firewalls
  • Install antivirus and endpoint detection and response (EDR)
  • Document the whitelists as well as the blacklists
  • Close unused ports and whitelist only the ports that are required
  • Regular updates and backups

Post-Incident Activity:

Post-incident activity refers to the activities that take place after a cybersecurity incident has occurred. These activities are important for understanding the scope of the incident, assessing the damage, and preventing similar incidents from occurring in the future. Here are some common post-incident activities:

  1. Incident debriefing: Hold a meeting with key stakeholders to discuss the incident, including what happened, how it was discovered, and what steps were taken to contain and mitigate the damage.
  2. Forensic analysis: Conduct a forensic analysis of the affected systems and data to determine the extent of the damage and the cause of the incident.
  3. Damage assessment: Assess the financial, operational, and reputational damage caused by the incident.
  4. Notification: Determine if there is a legal or regulatory obligation to notify affected parties, such as customers or employees, and if so, make the necessary notifications.
  5. Remediation: Take steps to remediate any vulnerabilities or weaknesses that were exploited in the incident to prevent similar incidents from occurring in the future.
  6. Review of incident response plan: Review the organization's incident response plan to determine if any changes or updates are necessary based on lessons learned from the incident.
  7. Employee training: Provide additional training to employees on how to identify and respond to cybersecurity incidents to improve the organization's overall security posture.

Post-incident activities are critical for minimizing the damage caused by a cybersecurity incident and improving an organization's ability to respond to future incidents. It is important to have a well-defined incident response plan in place and to regularly review and update it to ensure that it remains effective.

Mechanism Implementation:

  • Every incident must be documented
  • The root cause of the incident must be audited and addressed by changing policy, whether that is an access-control rule, a firewall rule, or an authentication setting
  • Multi-factor authentication should be used
  • Admin access should go through a proxy tunnel, and only a limited set of people should hold admin privileges
  • Least privilege must be implemented
  • Regular password updates
  • Practical training sessions must be held
  • Data should be stored on encrypted disks
  • Regular backups must be taken
  • Penetration testing should be performed
  • Software and systems should be updated regularly
  • No cracked or outdated software may be used
  • Admin access can be restricted to a virtual private network (VPN)
  • Block Tor exit nodes; they are used in ransomware attacks on the network
  • Lessons learned

Useful info

Reply
Carlos Adell

Recovering Engineer | Simplifying Online Systems & Marketing For Founders & Entrepreneurs | Featured

1 year

Great read! Keep sharing, Tony Obisesan!

Reply
Jandeep Singh Sethi

| HR Leader & Founder | I help you build your brand and skyrocket audience | 370K+ | Helped 500+ brands on LinkedIn | Organic LinkedIn Growth | Author |900M+ content views | Lead Generation | Influencer Marketing

1 year

A nice learning here

Reply
Kitty Parker

Multi-award winning BUYERS ADVOCATE delivering your dream property with 100% success – fast | People and property GPS navigating you through misinformation | Post-grad educated | #1 Buyers Agent in Australia 2023

1 year

Great seeing this pop up in my feed, Tony Obisesan. This is so incredibly helpful.

Shaji Nair

Founder at HFWL Company | EndocPM | FriskaAI | Healthcare innovation with AI

1 year

This is a great read

Reply