Our Vision

To give customers the most compelling IT Support experience possible.

Our Mission

Our mission is simple: make technology an asset for your business, not a problem.

Our Values

We strive to make technology integrate seamlessly with your business so your business can grow. As your technology partner, when your business grows ours will grow with you; therefore we will work hand in hand with you to support your growth.

Our Values

We develop relationships that make a positive difference in our customers' business.

Our Values

We exhibit a strong will to win in the marketplace and in every aspect of our business.


Google Hacking :-

Basic Operators:-
1) AND (+) :- This operator is used to include multiple terms in a query to be searched in Google.
example:- If we type "hacker+yahoo+science" in the Google search box and click Search, it returns results related to all three words simultaneously, i.e. hacker, yahoo and science.

2) OR (|) :- The OR operator, represented by the symbol (|) or simply the word OR in uppercase letters, instructs Google to locate either one term or another in a query.

3) NOT :- It is the opposite of the AND operator; a NOT operator excludes a word from the search.
example:- If we want to search websites containing the terms google and hacking but not security, we enter a query like "google+hacking" NOT "security".


Advanced Operators:-
1) Intitle :- This operator searches within the title tags.
example:- intitle:hacking returns all pages that have the string "hacking" in their title.

intitle:"index of" returns all pages that have string "index of" in their title.

Companion operator:- "allintitle".

2) Inurl :- Returns all matches where the URL of the page contains the given word.
example:- inurl:admin returns all matches where the URL of the page contains the word "admin".

Companion operator:- "allinurl".

3) Site :- This operator narrows the search to a specific website. It returns results only from the given domain, and can be used to carry out information gathering on a specific domain.
example:- site:www.microsoft.com will find results only from the domain www.microsoft.com

4) Link :- This operator allows you to search for pages that link to the given website.
example:- link:www.microsoft.com
Here, each returned result contains links to www.microsoft.com

5) Info :- This operator shows summary information for a site and provides links to other Google searches that might pertain to that site.
example:- info:www.yahoo.com

6) Define :- This operator shows the definition of any term.
example:- define:security
It gives various definitions of the word "security" from sources all over the world.

7) Filetype :- This operator allows us to search for specific file types on the internet. The supported file types include pdf, xls, ppt, doc, txt, asp, swf, rtf, etc.
example:- If you want to search for all text documents present on the domain www.microsoft.com, enter a query like the following:
"inurl:www.microsoft.com filetype:txt"


POPULAR SEARCH:
Google Search :- "Active Webcam Page" inurl:8080 Description- Active WebCam is a shareware program for capturing and sharing video streams from many video devices. Known bugs: directory traversal and cross-site scripting.

Google Search :- "delete entries" inurl:admin/delete.asp Description- AspJar contains a flaw that may allow a malicious user to delete arbitrary messages. The issue is triggered when the authentication method is bypassed and /admin/delete.asp is accessed directly. It is possible that the flaw may allow a malicious user to delete messages resulting in a loss of integrity.

Google Search :- "phone * * *" "address *" "e-mail" intitle:"curriculum vitae"
Description- This search returns hundreds of existing curriculum vitae with names and addresses. An attacker could steal an identity if there is an SSN in the document.

Google Search :- intitle:"index of" finance.xls Description- Secret financial spreadsheets 'finance.xls' or 'finances.xls' of companies may be revealed by this query.

Google Search :- intitle:"index.of" robots.txt Description- The robots.txt file contains "rules" about where web spiders are allowed (and NOT allowed) to look in a website's directory structure. Without over-complicating things, this means that the robots.txt file gives a mini-roadmap of what's somewhat public and what's considered more private on a web site. Have a look at the robots.txt file itself, it contains interesting stuff. However, don't forget to check out the other files in these directories since they are usually at the top directory level of the web server!

Google Search :- intitle:index.of.admin Description- Locate "admin" directories that are accessible from directory listings.

Google Search :- inurl:"nph-proxy.cgi" "start browsing" Description- Returns lots of proxy servers that protect your identity online.

HTTP and FTP status codes

HTTP/1.1 Status Codes

Code Name and Notes

100 Continue

101 Switching Protocols

Successful

200 OK Everything is normal

201 Created

202 Accepted

203 Non-Authoritative Information

204 No Content

205 Reset Content

206 Partial Content

Redirection

300 Multiple Choices

301 Moved Permanently Update your URL, this has moved for good.

302 Found

303 See Other

304 Not Modified

305 Use Proxy

306 Unused

307 Temporary Redirect This is temporarily moved, don't update your bookmarks.

Client Error

400 Bad Request Server didn't understand the URL you gave it.

401 Unauthorized Must be authenticated

402 Payment Required Not really used

403 Forbidden Server refuses to give you a file, authentication won't help

404 Not Found A file doesn't exist at that address

405 Method Not Allowed

406 Not Acceptable

407 Proxy Authentication Required

408 Request Timeout Browser took too long to request something

409 Conflict

410 Gone

411 Length Required

412 Precondition Failed

413 Request Entity Too Large

415 Unsupported Media Type

416 Request Range Not Satisfiable

417 Expectation Failed

Server Error

500 Internal Server Error Something on the server didn't work right.

501 Not Implemented

502 Bad Gateway

503 Service Unavailable Too busy to respond to a client

504 Gateway Timeout

505 HTTP Version Not Supported

Creative Commons Attribution-Share Alike 3.0 Unported – Bryan English - http://bluelinecity.com

*********************************************************

FTP Code -- Explanation 

100 Series The requested action is being initiated, expect another reply before proceeding with a new command. 

110 Restart marker reply. In this case, the text is exact and not left to the particular implementation; it must read: MARK yyyy = mmmm where yyyy is the user-process data stream marker, and mmmm the server's equivalent marker (note the spaces between markers and "=").

120 Service ready in nnn minutes. 

125 Data connection already open; transfer starting. 

150 File status okay; about to open data connection. 

200 Series The requested action has been successfully completed. 

202 Command not implemented, superfluous at this site. 

211 System status, or system help reply. 

212 Directory status. 

213 File status. 

214 Help message. On how to use the server or the meaning of a particular non-standard command. This reply is useful only to the human user.

215 NAME system type. Where NAME is an official system name from the registry kept by IANA. 

220 Service ready for new user. 

221 Service closing control connection. 

225 Data connection open; no transfer in progress. 

226 Closing data connection. Requested file action successful (for example, file transfer or file abort). 

227 Entering Passive Mode (h1,h2,h3,h4,p1,p2). 

228 Entering Long Passive Mode (long address, port). 

229 Entering Extended Passive Mode (|||port|). 

230 User logged in, proceed. Logged out if appropriate. 

231 User logged out; service terminated. 

232 Logout command noted, will complete when transfer done. 

234 Specifies that the server accepts the authentication mechanism specified by the client, and the exchange of security data is complete. A higher level nonstandard code created by Microsoft. 

250 Requested file action okay, completed. 

257 "PATHNAME" created. 

300 Series The command has been accepted, but the requested action is on hold, pending receipt of further information. 

331 User name okay, need password. 

332 Need account for login. 

350 Requested file action pending further information 

400 Series The command was not accepted and the requested action did not take place, but the error condition is temporary and the action may be requested again. 

421 Service not available, closing control connection. This may be a reply to any command if the service knows it must shut down. 

425 Can't open data connection. 

426 Connection closed; transfer aborted. 

430 Invalid username or password 

434 Requested host unavailable. 

450 Requested file action not taken. 

451 Requested action aborted. Local error in processing. 

452 Requested action not taken. Insufficient storage space in system. File unavailable (e.g., file busy).

500 Series Syntax error, command unrecognized and the requested action did not take place. This may include errors such as command line too long. 

501 Syntax error in parameters or arguments. 

502 Command not implemented. 

503 Bad sequence of commands. 

504 Command not implemented for that parameter. 

530 Not logged in. 

532 Need account for storing files. 

550 Requested action not taken. File unavailable (e.g., file not found, no access). 

551 Requested action aborted. Page type unknown. 

552 Requested file action aborted. Exceeded storage allocation (for current directory or dataset). 

553 Requested action not taken. File name not allowed. 

600 Series Replies regarding confidentiality and integrity 

631 Integrity protected reply. 

632 Confidentiality and integrity protected reply. 

633 Confidentiality protected reply. 

10000 Series Common Winsock Error Codes 

10054 Connection reset by peer. The connection was forcibly closed by the remote host. 

10060 Cannot connect to remote server. 

10061 Cannot connect to remote server. The connection is actively refused by the server.

Zero-day vulnerability CVE-2022-26134 in Atlassian Confluence

A critical zero-day vulnerability (CVE-2022-26134) in #atlassian #Confluence Data Center and Server is under active exploitation; attackers are using it to install web shells.



🤔 What do you need to know: The vulnerability has been detected in the wild by Volexity, which means attackers are actively exploiting it.

☹️ All supported versions of #Confluence Server and Data Center are affected (these are on-premise)

US government's CISA urges administrators "to block all internet traffic to and from those devices until an update is available and successfully applied." 
Atlassian-hosted instances of Confluence are not affected.

🙌 What You Need to Do : Atlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the Confluence Server and Data Center Release Notes. You can download the latest version from the download centre.

Note: If you run Confluence in a cluster, you will not be able to upgrade to the fixed versions without downtime (a so-called rolling upgrade). Follow the steps in Upgrading Confluence Data Center.

Technical Details: 🤔
In the breach analyzed by Volexity, threat actors installed BEHINDER, a JSP web shell that allows threat actors to execute commands on the compromised server remotely.

“BEHINDER provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with Meterpreter and Cobalt Strike. As previously noted, this method of deployment has significant advantages by not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out,” threat researchers Andrew Case, Sean Koessel, Steven Adair, and Thomas Lancaster explained.

Hunt Query:🤓

Sourcetype == WAF && URL Contains '${' OR URI Contains '${'

Linux Hunt:

<install directory>/logs/*.log

grep "\${" <install directory>/logs/*.log

Special Thanks: faisalusuf

Windows Hunt:

findstr /i noop.jsp "C:\Program Files\Atlassian\Confluence\logs\*"

findstr /i /l "${" "<install directory>\logs\*.log"

🧐 Indicator Of Compromise:

154[.]146[.]34[.]145
154[.]16[.]105[.]147
156[.]146[.]34[.]46
156[.]146[.]34[.]52
156[.]146[.]34[.]9
156[.]146[.]56[.]136
198[.]147[.]22[.]148
221[.]178[.]126[.]244
45[.]43[.]19[.]91
59[.]163[.]248[.]170
64[.]64[.]228[.]239
66[.]115[.]182[.]102
66[.]115[.]182[.]111
67[.]149[.]61[.]16
98[.]32[.]230[.]38


Volexity founder Steven Adair added the advice below regarding this vulnerability:

It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealthy. Loading class files into memory and writing JSP shells are the most popular we have seen so far.

Everyone's setup may be different but Confluence largely only has these JSP files:

./admin/findspaceattachments.jsp
./admin/cluster/hashclustername.jsp
./admin/default.jsp
./classpath.jsp
./errors/notfound.jsp
./500page.jsp
./errors.jsp
./noop.jsp

Look for files not listed.

Check for files on disk that are not listed, and check the access logs for 200 responses to them. Further, check if any of these files have been modified. In particular noop.jsp is popular and it's usually around 103 bytes.

Sean Koessel also noted that in multiple cases you should look for ".java" files in the ./confluence/org/apache/jsp/ directory that should not be there. You may find a webshell or backdoor here as well, from a .jsp file that was already deleted.

Examining the catalina*.out files #Confluence creates is also a potentially great source. It may log unrelated vuln scans, but a number of cases of webshell writes or command execution have been logged here. E.g. look for "RealCMD" or ".jsp" and evaluate what you see.

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html

#confluence
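The two hunts described in this post, the search for "${" in the Confluence logs and Steven Adair's check for 200 responses to JSP files that are not part of a stock install, combined into one script. This is an added example, not code from the post, from Volexity or from Atlassian. The log lines are constructed samples in Tomcat "common" access-log format with TEST-NET addresses (not the IoCs above), the stock file list is copied from the post, and CONTEXT_PATH, KNOWN_JSP and hunt() are this example's own names.

```python
"""Hunting CVE-2022-26134 post-exploitation traces in Confluence access logs.

Added example; not code from the original post, from Volexity or from Atlassian.
It automates two checks the post describes: requests whose URI contains '${'
(the marker the grep/findstr hunts look for) and 200 responses to .jsp files
outside the stock Confluence set listed by Steven Adair.  The log lines are
constructed samples; the stock file list is from the post and your deployment
may differ.
"""
import re
from urllib.parse import unquote

# Stock Confluence JSP files as listed in the post.  Assumption: a 200 to any
# other .jsp is a lead to inspect on disk, not proof of compromise.
KNOWN_JSP = {
    "/admin/findspaceattachments.jsp",
    "/admin/cluster/hashclustername.jsp",
    "/admin/default.jsp",
    "/classpath.jsp",
    "/errors/notfound.jsp",
    "/500page.jsp",
    "/errors.jsp",
    "/noop.jsp",
}

# Assumption: Confluence is served at the root context.  Set this to e.g.
# "/confluence" if yours uses a context path so paths line up with KNOWN_JSP.
CONTEXT_PATH = ""

# host ident user [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (TEST-NET addresses, not real IoCs).  The first line
# is a URL-encoded "${7*7}" probe; the second is a 200 to a JSP that does not
# ship with Confluence; the rest is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jun/2022:10:14:02 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0
203.0.113.5 - - [03/Jun/2022:10:14:09 +0000] "GET /x.jsp HTTP/1.1" 200 512
198.51.100.7 - - [03/Jun/2022:10:15:30 +0000] "GET /noop.jsp HTTP/1.1" 200 103
198.51.100.7 - - [03/Jun/2022:10:16:01 +0000] "GET /errors/notfound.jsp HTTP/1.1" 404 211
192.0.2.9 - - [03/Jun/2022:10:17:44 +0000] "GET /display/SPACE/Home HTTP/1.1" 200 9876
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hunt(log_text):
    """Return (uri_hits, jsp_hits).

    uri_hits: (ip, decoded uri) for every request whose decoded URI contains '${'.
    jsp_hits: (ip, path) for every 200 response to a .jsp not in KNOWN_JSP.
    """
    uri_hits, jsp_hits = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Decode percent-encoding first: "%24%7B" is '${' and would slip past a
        # plain substring match on the raw log line.
        uri = unquote(rec["uri"])
        path = uri.split("?", 1)[0]
        if CONTEXT_PATH and path.startswith(CONTEXT_PATH):
            path = path[len(CONTEXT_PATH):]
        if "${" in uri:
            uri_hits.append((rec["ip"], uri))
        if rec["status"] == "200" and path.lower().endswith(".jsp") and path not in KNOWN_JSP:
            jsp_hits.append((rec["ip"], path))
    return uri_hits, jsp_hits


if __name__ == "__main__":
    found_uris, found_jsps = hunt(SAMPLE_LOG)
    for ip, uri in found_uris:
        print(f"[ognl-marker] {ip} -> {uri}")
    for ip, path in found_jsps:
        print(f"[unknown-jsp] {ip} -> {path}")
```

Run it against a real `access_log` by reading the file into `hunt()`; decoding the URI before matching is the main difference from the plain grep, since the injection marker is normally percent-encoded on the wire.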

Cyber Security Interview questions

Q1) Define Cybersecurity?

Ans. Cybersecurity refers to the protection of internet-connected systems such as software, hardware, electronic data, etc., from cyber attacks. In a computing context, it is referred to as protection against unauthorized access.

Q2) What is Cryptography?

Ans. Cryptography is a method to transform and transmit confidential data in an encoded way to protect the information from third parties for whom the data is not authorized.

Q3) What is the difference between Threat, Vulnerability, and Risk?

Ans.

•Threat: Someone with the potential to cause harm by damaging or destroying the official data of a system or organization.

Ex: Phishing attack

•Vulnerability: It refers to a weakness in a system that makes threat outcomes more likely and even more dangerous.

Ex: SQL injection, cross-site scripting

•Risk: It refers to a combination of threat probability and impact/loss. In simple terms, it is the potential damage or loss when a threat exploits the vulnerability.

Threat probability * Potential loss = Risk

Q4) What is Cross-Site Scripting and how it can be prevented?

Ans. Cross-Site Scripting, also known as a client-side injection attack, aims at executing malicious scripts in a victim's web browser by injecting malicious code.

The following practices can prevent Cross-Site Scripting:

•Encoding special characters

•Using XSS HTML Filter

•Validating user inputs

•Using Anti-XSS services/tools

Q5) What is the difference between IDS and IPS?

Ans.

Intrusion Detection System (IDS): It only detects intrusions but is unable to prevent them. It's a monitoring system, and it needs a human or another system to look at the results.

Intrusion Prevention System (IPS): It detects and prevents intrusions. It's a control system. It needs a regularly updated database with the latest threat data.

Q6) What is a Botnet?

Ans.

•A Botnet is a group of internet-connected devices such as servers, PCs, mobile devices, etc., that are infected and controlled by malware.

•It is used for stealing data, sending spam, performing distributed denial-of-service (DDoS) attacks, and more, and also to give its operator access to the device and its connection.

Q7) What is a CIA triad?

Ans. CIA (confidentiality, integrity, and availability) triad is a model designed to handle policies for information security within an organization.

Confidentiality - A collection of rules that limits access to information.

Integrity - It assures the information is trustworthy and reliable.

Availability - It provides reliable access to data for authorized people.

Q8) Symmetric Vs Asymmetric encryption.

Ans.

Symmetric Encryption

•Keys: Uses a single key to encrypt and decrypt information.

•Speed: Performs faster.

•Purpose: Preferred for transferring huge data.

•Algorithms: AES, RC4, DES, QUAD, 3DES, Blowfish, etc.

Asymmetric Encryption

•Keys: Uses a pair of public and private keys to encrypt and decrypt information.

•Speed: Performs slower compared to symmetric encryption.

•Purpose: Mostly used for exchanging secret keys safely.

•Algorithms: Diffie-Hellman and RSA

Q9) What is the difference between hashing and encryption?

Ans. Both hashing and encryption are used to convert readable data into an unreadable format. The significant difference is that encrypted data can be transformed into original data by decryption, whereas hashed data cannot be processed back to the original data.

Q10) What is two-factor authentication and how it can be implemented for public websites?

Ans. •Two-factor authentication is also referred to as dual-factor authentication or two-step verification, where the user provides two authentication factors to protect both user credentials and the resources being accessed.

•The two-factor authentication can be implemented on public websites such as Twitter, Microsoft, LinkedIn, and more for enabling another protection on your already protected account with a password.

•For enabling this double factor authentication, you can easily go to settings and then manage security settings.

Q11) What is the use of a firewall and how it can be implemented?

Ans. A firewall is a security system used to control and monitor network traffic. It is used for protecting the system/network from malware, viruses, worms, etc., and prevents unauthorized access to a private network.

The steps required to set up and configure the firewall are listed below:

•Change the default password for a firewall device.

•Disable the remote administration feature.

•Configure port forwarding for specific applications to function correctly, such as an FTP server or a web server.

•Installing a firewall on a network with an existing DHCP server can cause errors unless the firewall's DHCP is disabled.

•Make sure the firewall is configured to robust security policies.

Q12) What is the difference between vulnerability assessment and penetration testing?

•Vulnerability assessment and penetration testing are different, but both serve the essential function of protecting the network environment.

Vulnerability Assessment: It’s a process to define, detect, and prioritize the vulnerabilities in computer systems, network infrastructure, applications, etc., and gives the organization with the required information to fix the flaws.

Penetration Testing: It is also called pen testing or ethical hacking. It's a process of testing a network, system, application, etc., to identify vulnerabilities that attackers could exploit. In the context of web application security, it is most widely used to augment a web application firewall (WAF).

Q13) What is the difference between stored and reflected XSS?

Ans.

•Stored XSS Attacks - Attacks where the injected script is stored permanently on the target server. The victim retrieves the malicious script from the server when requesting the stored information.

•Reflected XSS Attacks - Here the user has to send the request first; the script then runs in the victim's browser and reflects the result back to the user who sent the request.
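A worked illustration of Q4 (output encoding as the fix) and Q13 (stored versus reflected), as an added example that is not part of the original page: a vulnerable renderer beside its hardened form for both a stored comment list and a reflected search parameter. The in-memory CommentStore stands in for a database, the payload is the textbook script tag, and all names (CommentStore, render_comments_safe, has_raw_script_tag) are this example's own.

```python
"""Stored and reflected XSS: vulnerable rendering beside the hardened one.

Added example, not code from the page.  The comment store is an in-memory list
standing in for a database; the sample payload is constructed.
"""
import html


class CommentStore:
    """Constructed in-memory "database".  The stored payload is saved exactly as
    submitted: the fix is not to mangle data at storage time but to encode it
    wherever it is written into HTML."""

    def __init__(self):
        self._rows = []

    def add(self, author, text):
        self._rows.append((author, text))

    def all(self):
        return list(self._rows)


def render_comments_unsafe(store):
    """Vulnerable (stored XSS): stored text is concatenated straight into the page,
    so a script saved by one user runs for every later visitor."""
    items = "".join(f"<li><b>{a}</b>: {t}</li>" for a, t in store.all())
    return f"<ul>{items}</ul>"


def render_comments_safe(store):
    """Hardened: HTML-encode every untrusted value at output time (Q4: encoding
    special characters).  quote=True also encodes quotes, so the value is safe
    inside attribute values, not only in element text."""
    items = "".join(
        f"<li><b>{html.escape(a, quote=True)}</b>: {html.escape(t, quote=True)}</li>"
        for a, t in store.all()
    )
    return f"<ul>{items}</ul>"


def render_search_unsafe(query):
    """Vulnerable (reflected XSS): the request parameter is echoed back verbatim,
    so whatever is in the link runs in the browser of whoever follows it."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query):
    """Hardened: the same page with the parameter encoded."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def has_raw_script_tag(rendered_html):
    """Crude check for the demo: does the output still contain an unencoded <script?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    store = CommentStore()
    store.add("mallory", "<script>alert('stored xss')</script>")  # constructed sample payload
    print("unsafe :", render_comments_unsafe(store))
    print("safe   :", render_comments_safe(store))
    print("search :", render_search_safe("<script>alert('reflected')</script>"))
```

Encoding at the output boundary handles both variants with the same call, which is why it is the first item in the Q4 list; input validation helps but cannot know in advance every context the data will later be written into.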

Q14) What is a three-way handshake process?

Ans. The three-way handshake process is used in TCP (Transmission Control Protocol) networks for reliable transmission of data between the host and the client. It's called a three-way handshake because three segments are exchanged between the server and the client.

SYN : The client wants to establish a connection with the server and sends a segment with SYN (Synchronize Sequence Number) to the server, if the server is up and has open ports.

SYN + ACK : The server responds to the client's request with the SYN and ACK bits set if it has open ports.

ACK : The client acknowledges the server's response and sends an ACK (Acknowledgment) packet back to the server.
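The three segments above carried through with sequence and acknowledgement numbers, as an added example that is not part of the original page. It is a pure-Python simulation, not a socket program: each side checks that the number it receives acknowledges its own initial sequence number before moving to ESTABLISHED, which is the detail the prose leaves implicit. The Segment and Endpoint names and the fixed initial sequence numbers are this example's own assumptions.

```python
"""TCP three-way handshake simulation with sequence/acknowledgement numbers.

Added example, not code from the page.  Real stacks pick random initial
sequence numbers; fixed ones are used here so the exchange is reproducible.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    syn: bool
    ack: bool
    seq: int
    ack_num: Optional[int]   # only meaningful when the ACK flag is set


class Endpoint:
    def __init__(self, name: str, isn: int):
        self.name = name
        self.isn = isn            # initial sequence number
        self.peer_isn = None
        self.state = "CLOSED"

    # Step 1 (client): SYN carrying our ISN.
    def send_syn(self) -> Segment:
        self.state = "SYN_SENT"
        return Segment(syn=True, ack=False, seq=self.isn, ack_num=None)

    # Step 2 (server): acknowledge the client's ISN (+1) and send our own SYN.
    def recv_syn(self, seg: Segment) -> Segment:
        if not seg.syn or seg.ack:
            raise ValueError("expected a bare SYN")
        self.peer_isn = seg.seq
        self.state = "SYN_RECEIVED"
        return Segment(syn=True, ack=True, seq=self.isn, ack_num=seg.seq + 1)

    # Step 3 (client): accept the SYN-ACK only if it acknowledges our ISN.  A reply
    # carrying any other number is dropped, which is why a sender that never saw
    # the SYN cannot complete the handshake on the client's behalf.
    def recv_syn_ack(self, seg: Segment) -> Segment:
        if not (seg.syn and seg.ack):
            raise ValueError("expected SYN-ACK")
        if seg.ack_num != self.isn + 1:
            raise ValueError("SYN-ACK does not acknowledge our ISN")
        self.peer_isn = seg.seq
        self.state = "ESTABLISHED"
        return Segment(syn=False, ack=True, seq=self.isn + 1, ack_num=seg.seq + 1)

    # Server side of step 3: the final ACK must acknowledge the server's ISN.
    def recv_ack(self, seg: Segment) -> None:
        if seg.syn or not seg.ack or seg.ack_num != self.isn + 1:
            raise ValueError("bad final ACK")
        self.state = "ESTABLISHED"


def handshake(client_isn: int = 1000, server_isn: int = 5000) -> Tuple[str, str, List[Segment]]:
    """Run the exchange; return both final states and the three segments in order."""
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    syn = client.send_syn()
    syn_ack = server.recv_syn(syn)
    ack = client.recv_syn_ack(syn_ack)
    server.recv_ack(ack)
    return client.state, server.state, [syn, syn_ack, ack]


def client_accepts(client_isn: int, syn_ack: Segment) -> bool:
    """True if a client that sent ISN client_isn would accept this SYN-ACK."""
    client = Endpoint("client", client_isn)
    client.send_syn()
    try:
        client.recv_syn_ack(syn_ack)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for seg in handshake()[2]:
        flags = "+".join(f for f, on in (("SYN", seg.syn), ("ACK", seg.ack)) if on)
        print(f"{flags:8} seq={seg.seq} ack={seg.ack_num}")
```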

Q15) What are HTTP response codes?

Ans. HTTP response codes display whether a particular HTTP request has been completed.

•1xx (Informational) - The request has been received, and the process is continuing.

•2xx (Success) - The request was successfully received and accepted.

•3xx (Redirection) - Further action must be taken to complete it.

•4xx (Client Error) - Request cannot be fulfilled or has incorrect syntax.

•5xx (Server Error) - Server fails to fulfill the request.

Q16) What are the techniques used in preventing a Brute Force Attack?

Ans. A Brute Force Attack is a trial-and-error method employed by application programs to decode encrypted data such as encryption keys or passwords using brute force rather than intellectual strategies. It's a way to identify the right credentials by repetitively attempting all possible combinations.

Brute Force attacks can be avoided by the following practices:

•Adding password complexity: Include different formats of characters to make passwords stronger.

•Limit login attempts: set a limit on login failures.

•Two-factor authentication: Add this layer of security to avoid brute force attack.
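The "limit login attempts" item from the list above as working code, added here as an example that is not part of the original page: a per-account window of recent failures that locks the account once the limit is reached. The policy values (5 failures in 5 minutes, 15-minute lockout), the LoginGuard and FakeClock names and the plaintext demo credential are this example's assumptions; a real system would verify against a salted hash (see Q23) rather than a string comparison.

```python
"""Limiting login attempts: failure window plus lockout.

Added example, not code from the page.  The password check is a callback so
the demo stays self-contained; the policy numbers are assumptions.
"""
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed policy: five failures ...
WINDOW_SECONDS = 300    # ... within five minutes ...
LOCKOUT_SECONDS = 900   # ... lock the account for fifteen minutes


class LoginGuard:
    def __init__(self, verify, clock=time.monotonic):
        self._verify = verify                  # callable(username, password) -> bool
        self._clock = clock                    # injectable so tests are deterministic
        self._failures = defaultdict(deque)    # username -> timestamps of recent failures
        self._locked_until = {}

    def attempt(self, username, password):
        """Return "ok", "denied" or "locked"."""
        now = self._clock()
        if now < self._locked_until.get(username, 0.0):
            return "locked"                    # do not even check the password while locked
        recent = self._failures[username]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                   # forget failures that fell out of the window
        if self._verify(username, password):
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            recent.clear()
            return "locked"
        return "denied"

    def seconds_until_unlock(self, username):
        return max(0.0, self._locked_until.get(username, 0.0) - self._clock())


class FakeClock:
    """Deterministic clock for the demo and tests."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


# Constructed demo credential; never store plaintext passwords in a real system.
DEMO_USERS = {"alice": "correct horse battery staple"}


def demo_verify(username, password):
    # Constant-time comparison so the check itself leaks nothing about the value.
    return hmac.compare_digest(DEMO_USERS.get(username, ""), password)


def lockout_demo():
    """Five wrong guesses lock the account; even the right password is refused
    until the lockout expires."""
    clock = FakeClock()
    guard = LoginGuard(demo_verify, clock)
    results = [guard.attempt("alice", f"guess{i}") for i in range(5)]
    results.append(guard.attempt("alice", DEMO_USERS["alice"]))   # still locked
    clock.t = LOCKOUT_SECONDS + 1
    results.append(guard.attempt("alice", DEMO_USERS["alice"]))   # unlocked, correct
    return results


def window_expiry_demo():
    """Four failures, then a fifth after the window has passed: no lockout."""
    clock = FakeClock()
    guard = LoginGuard(demo_verify, clock)
    for _ in range(4):
        guard.attempt("alice", "wrong")
    clock.t = WINDOW_SECONDS + 100
    return guard.attempt("alice", "wrong")


if __name__ == "__main__":
    print(lockout_demo())         # ['denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'ok']
    print(window_expiry_demo())   # denied
```

Per-account lockouts alone let anyone lock a victim out by guessing badly on purpose, so in practice this is paired with per-source rate limits and the two-factor step listed above, and the lock event is logged for the SOC.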

Q17) List the common types of cybersecurity attacks.

Ans. The following are the most common types of cybersecurity attacks:

•Malware

•SQL Injection Attack

•Cross-Site Scripting (XSS)

•Denial-of-Service (DoS)

•Man-in-the-Middle Attacks

•Credential Reuse

•Phishing

•Session Hijacking

Q18) Define data leakage and its types?

Ans. Data leakage refers to the illegal transmission of data to an external destination or unauthorized entity from within an organization. Data can be transferred either physically or electronically. It usually occurs via the web, emails, and mobile data storage devices.

Types of data leakage:

1. The Accidental Breach - The majority of data leakage incidents are accidental.

Ex: An entity may choose the wrong recipient while sending confidential data.

2. The Disgruntled or ill-intentioned Employee - The authorized entity sends confidential data to an unauthorized body.

3. Electronic Communications with Malicious Intent - The problem is that all electronic mediums are capable of file transfer and external access over the internet.

Q19) What is the use of Traceroute?

Ans. Traceroute is a network diagnostic tool used for tracing the path a packet takes across an IP network from source to destination. It records the time for each hop the packet makes on its route to the destination.

Q20) How to prevent CSRF attacks?

Ans. CSRF is referred to as Cross-site Request Forgery, where an attacker tricks a victim into performing actions on their behalf.

CSRF attacks can be prevented by using the following ways:

•Employing the latest antivirus software which helps in blocking malicious scripts.

•While authenticating to your banking site or performing any financial transactions on any other website do not browse other sites or open any emails, which helps in executing malicious scripts while being authenticated to a financial site.

•Never save your login/password within your browser for financial transactions.

•Disable scripting in your browser.

Q21) What is port scanning?

Ans. A port scanner is an application designed for identifying open ports and services accessible on a host or network. Security administrators mostly utilize it for identifying exploitable vulnerabilities, and it is also used by hackers for targeting victims.

Some of the most popular port scanning techniques are listed below:

•Ping scan

•TCP connect

•TCP half-open

•Stealth scanning – NULL, FIN, X-MAS

•UDP


Q22) What is the need for DNS monitoring?

Ans.

•DNS (Domain Name System) is a service used for converting user-friendly domain names into computer-friendly IP addresses. It allows a website to be reached under a particular domain name, which is easy to remember.

•DNS monitoring is nothing but monitoring DNS records to ensure that they route traffic properly to your website, electronic communication, services, and more.

Q23) What is the difference between hashing and salting?

Ans.

•Hashing is mainly used for authentication and is a one-way function where data is mapped to a fixed-length value.

•Salting is an extra step in hashing, where an additional value (the salt) is added to the password, which changes the hash value produced.

Q24) How to prevent ‘Man-in-the-Middle Attack’?

Ans. The following practices prevent the ‘Man-in-the-Middle Attacks’:

•Having stronger WAP/WEP encryption on wireless access points keeps unauthorized users out.

•Use a VPN for a secure environment to protect sensitive information. It uses key-based encryption.

•Public-key-pair-based authentication must be used at various layers of the stack to ensure that you are communicating with the right party.

•HTTPS must be employed for securely communicating over HTTP through the public-private key exchange.

Q25) What are the common methods of authentication for network security?

Ans.

•Biometrics - Known and registered physical attributes of a user, used specifically for verifying their identity.

•Token - A token is used for accessing systems. It makes it more difficult for hackers to access accounts, as they have long credentials.

•Transaction Authentication - A one-time PIN or password is used in processing online transactions, through which users verify their identity.

•Multi-Factor Authentication - It's a security system that needs more than one method of authentication.

•Out-of-Band Authentication - This authentication needs two different signals from two different channels or networks. It prevents most hacking and identity theft attacks in online banking.

Q26) Which is more secure SSL or HTTPS?

Ans.

•SSL (Secure Sockets Layer) is a secure protocol which provides safer conversations between two or more parties across the internet. It works on top of the HTTP to provide security.

•HTTPS (Hypertext Transfer Protocol Secure) is a combination of HTTP and SSL to provide a safer browsing experience with encryption.

•In terms of security, SSL is more secure than HTTPS.

Q27) What is the difference between black hat, white hat, and grey hat hackers?

Ans.

•A black-hat hacker is a person who tries to obtain unauthorized access to a system or network to steal information for malicious purposes.

•White-hat hackers are also known as ethical hackers; they are well-versed in ethical hacking tools, methodologies, and tactics for securing organization data. They try to detect and fix vulnerabilities and security holes in systems. Many top companies recruit white-hat hackers.

•A grey-hat hacker is a computer security expert who may sometimes violate ethical standards or rules, but does not have the malicious intent of a black-hat hacker.

Q28) What is cognitive security?

Ans. Cognitive security is one of the applications of AI technologies that is used explicitly for identifying threats and protecting physical and digital systems based on human understanding processes.

Self-learning security systems use pattern recognition, natural language processing, and data mining to mimic the human brain.

Q29) What is phishing and how it can be prevented?

Ans. Phishing is a malicious attempt to pass oneself off as an authorized entity in electronic communication in order to obtain sensitive information such as usernames, passwords, etc. through fraudulent messages and emails.

The following practices can prevent phishing:

•Use firewalls on your networks and systems.

•Enable robust antivirus protection that has internet security.

•Use two-factor authentication wherever possible

•Maintain adequate security.

•Don't enter sensitive information such as financial or digital transaction details on web pages that you don't trust.

•Keep yourself updated with the latest phishing attempts.

Q30) What is SQL injection and how it can be prevented?

Ans. SQL Injection (SQLi) is a type of code injection attack in which the attacker manages to execute malicious SQL statements to control the database server behind a web application. Attackers mostly use it to bypass application security measures and thereby access, modify, and delete data without authorization.

The following ways will help you to mitigate or prevent SQL injection attacks:

•Include Prepared Statements (with Parameterized Queries)

•Use Stored Procedures

•Validate user input

•Hide data from the error message

•Update your system

•Store database credentials separate and encrypted

•Disable shell and any other functionalities you don’t need
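The first item in the list above, prepared statements with parameterized queries, shown against the string-built query it replaces, as an added example that is not part of the original page. It runs against an in-memory SQLite database with a constructed users table; the function names and the sample rows are this example's own.

```python
"""SQL injection: string-built query beside the parameterized one.

Added example, not code from the page.  Uses an in-memory SQLite database
with a constructed users table.
"""
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)"
    )
    con.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],       # constructed sample rows
    )
    return con


def lookup_unsafe(con, username):
    """Vulnerable: the value is spliced into the SQL text, so a quote in the
    input changes the structure of the query instead of being compared as data."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}' ORDER BY id"
    return con.execute(sql).fetchall()


def lookup_safe(con, username):
    """Hardened: a prepared statement with a bound parameter.  The driver keeps
    the SQL text and the value apart, so the value can only ever be compared."""
    return con.execute(
        "SELECT username, role FROM users WHERE username = ? ORDER BY id", (username,)
    ).fetchall()


def unsafe_raises(con, username):
    """True if the string-built query fails to parse.  A legitimate name such as
    o'brien breaks it; the resulting database error is also what 'hide data from
    the error message' in the list above is about: log it, don't echo it."""
    try:
        lookup_unsafe(con, username)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    con = make_db()
    probe = "x' OR '1'='1"      # classic tautology, constructed for the demo
    print("unsafe:", lookup_unsafe(con, probe))     # returns every row
    print("safe  :", lookup_safe(con, probe))       # returns nothing: no such username
    print("o'brien breaks the unsafe query:", unsafe_raises(con, "o'brien"))
    print("o'brien via parameter:", lookup_safe(con, "o'brien"))
```

The parameterized form also fixes the apostrophe case for free, which is a useful argument when a team is reluctant to touch working query code.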

 

Q31) How will you keep yourself updated with the latest cybersecurity news?

Ans. The following ways will help you to keep up with the latest cybersecurity updates:

•Follow news websites and blogs from security experts.

•Browse security-related social media topics.

•Check vulnerability alert feeds and advisory sites.

•Attend cybersecurity live events.

 

Q32) What is a DDOS attack and how to stop and prevent them?

Ans. A DDoS (distributed denial-of-service) attack is a malicious attempt to disrupt the regular traffic of a network by flooding it with a large number of requests and making the server unavailable to legitimate requests. The requests come from several unauthorized sources, hence the name distributed denial-of-service attack.

The following methods will help you to stop and prevent DDOS attacks:

•Build a denial of service response plan

•Protect your network infrastructure

•Employ basic network security

•Maintain strong network architecture

•Understand the Warning Signs

•Consider DDoS as a service

 

Q33) What do you understand by compliance in Cybersecurity?

Ans.

•Compliance means living by a set of standards set by an organization/government/independent party.

•It helps in defining and achieving IT targets and also in mitigating threats through processes like vulnerability management.

 

Q34) What is the use of Patch Management?

Ans.

•The purpose of patch management is to keep the various systems in a network updated and protect them against malware and hacking attacks.

•Many enterprise patch management tools manage the patching process by installing or deploying agents on a target computer, and they provide a link between the centralized patch server and the computers to be patched.

Q35) What is the difference between a false positive and false negative in IDS?

Ans.

•A false positive is considered a false alarm, and a false negative is considered the most complicated state.

•A false positive occurs when an IDS fires an alarm for legitimate network activity.

•A false negative occurs when an IDS fails to identify malicious network traffic.

Comparing the two, a false positive is more acceptable than a false negative, because false negatives let intrusions go unnoticed.

Q36) What is the difference between the Red team and Blue team?

Ans.

•The red team and blue team concept comes from cyber warfare exercises. Many organizations split their security team into two groups: a red team and a blue team.

•The red team refers to the attackers, who exploit weaknesses in an organization's security.

•The blue team refers to the defenders, who identify and patch vulnerabilities before they turn into successful breaches.

Q37) Explain System hardening?

Ans.

•Generally, system hardening refers to a combination of tools and techniques for controlling vulnerabilities in systems, applications, firmware, and more in an organization.

•The purpose of system hardening is to decrease security risk by reducing the potential attack vectors and shrinking the system's attack surface.

The following are the various types of system hardening:

1. Database hardening

2. Operating system hardening

3. Application hardening

4. Server hardening

5. Network hardening
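As an added example of server and operating-system hardening (not code from the original page), the script below audits an OpenSSH server configuration against a small baseline and reports every setting that is missing or weaker than required. The two configuration texts are constructed for the example, and the baseline values are assumed to follow common hardening guides.

```python
"""Added example (not from the original page): audit an sshd_config text
against a small hardening baseline. Configs and baseline are constructed."""

# Settings a hardened sshd_config is expected to carry and their required values
# (assumed baseline, modelled on common hardening guides).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed weak configuration, typical of an unhardened default.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
"""

# Constructed hardened configuration for the same host.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
"""


def parse_sshd_config(text: str) -> dict:
    """Parse 'Keyword value' lines, ignoring comments and blank lines.
    Keywords are case-insensitive and the first occurrence wins, as in sshd."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text: str, baseline: dict = BASELINE) -> list:
    """Return (setting, expected, actual) findings; an empty list means compliant.
    A setting that is absent is reported with actual=None, because the daemon's
    built-in default may be weaker than the baseline."""
    settings = parse_sshd_config(text)
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append((key, expected, actual))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "compliant")
```

The same pattern, a parsed configuration checked against an explicit baseline, scales to the other hardening types in the list: the parser changes, the audit loop does not.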

Q38) What is a cybersecurity risk assessment?

Ans. A cybersecurity risk assessment refers to identifying the information assets that are prone to cyber attacks (including customer data, hardware, laptops, etc.) and evaluating the various risks that could affect those assets.

It is mostly performed to identify, evaluate, and prioritize risks across the organization.

The best way to perform a cybersecurity risk assessment is to:

•Identify the relevant threats to your organization

•Identify internal and external vulnerabilities

•Evaluate the impact of those vulnerabilities if they are exploited

Q39) What are the seven layers of the OSI model?

Ans. The main objective of the OSI model is to describe how communication between two endpoints in a network is processed.

The seven Open Systems Interconnection layers are listed below:

•Application layer (layer 7) - It allows users to communicate with the network or application whenever required to perform network-related operations.

•Presentation layer (layer 6) - It manages the encryption and decryption of data required by the application layer. It translates or formats data for the application layer according to the syntax accepted by the receiving application.

•Session layer (layer 5) - It manages the session between applications, including how long a system waits for the other application to respond.

•Transport layer (layer 4) - It is used for sending data across a network and also offers error checking and data flow control.

•Network layer (layer 3) - It is used to transfer data to and from other networks.

•Data-link layer (layer 2) - It handles the flow of data to and from nodes within a network. It also handles problems that occur due to bit transmission errors.

•Physical layer (layer 1) - It transfers the raw bits from one device to another over the network medium. It also controls how physical connections to the network are set up and how bits are represented as signals when transmitted optically, electrically or by radio waves.
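To make the layering concrete, here is an added example (not from the original Q&A) that builds a constructed Ethernet/IPv4/TCP frame and then parses it back one layer at a time, the way a receiving host's stack does. The MAC addresses, IP addresses (taken from the private and documentation ranges) and ports are made up for the example.

```python
"""Added example (not part of the original Q&A): build a constructed
Ethernet/IPv4/TCP frame and parse it layer by layer, showing how the
data-link (2), network (3) and transport (4) layers each wrap the payload."""

import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words (RFC 791). Computed over a valid
    header including its own checksum field, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes) -> bytes:
    """Wrap an application-layer payload in TCP, IPv4 and Ethernet headers."""
    # Layer 4: 20-byte TCP header, data offset 5, flags PSH|ACK (0x18).
    # The TCP checksum is left at 0 to keep the example short.
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    # Layer 3: IPv4 header (version 4, IHL 5), TTL 64, protocol 6 (TCP).
    total_len = 20 + len(tcp) + len(payload)
    src_ip = bytes([192, 168, 1, 10])          # private range, made up
    dst_ip = bytes([203, 0, 113, 5])           # TEST-NET-3 documentation range
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, PROTO_TCP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # Layer 2: Ethernet II header with locally administered, made-up MACs.
    eth = struct.pack("!6s6sH", bytes.fromhex("020000000002"),
                      bytes.fromhex("020000000001"), ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Peel the headers off in the order a receiving host's stack would."""
    # Layer 2: destination MAC, source MAC, EtherType.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    # Layer 3: header length comes from the IHL nibble; verify the checksum.
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    ip_hdr = frame[ip_off:ip_off + ihl]
    if len(ip_hdr) < 20 or ipv4_checksum(ip_hdr) != 0:
        raise ValueError("corrupt IPv4 header")
    (_, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip) = struct.unpack(
        "!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != PROTO_TCP:
        raise ValueError("not TCP")
    # Layer 4: ports, flags and data offset; whatever remains is the payload.
    tcp_off = ip_off + ihl
    sport, dport, _seq, _ack, off_res, flags, _win, _sum, _urg = struct.unpack(
        "!HHIIBBHHH", frame[tcp_off:tcp_off + 20])
    data_off = (off_res >> 4) * 4
    payload = frame[tcp_off + data_off:ip_off + total_len]
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"), "ethertype": ethertype,
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "ttl": ttl, "protocol": proto,
        "src_port": sport, "dst_port": dport, "flags": flags,
        "payload": payload,
    }


if __name__ == "__main__":
    frame = build_frame(b"GET / HTTP/1.1\r\n")
    for field, value in parse_frame(frame).items():
        print(field, value)
```

Each layer only inspects its own header and hands the rest upward; the layer-3 checksum check is a small illustration of the error detection the answer attributes to the lower layers.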

Q40) What are the several indicators of compromise(IOC) that organizations should monitor?

Ans. The key indicators of compromise that organizations should monitor are listed below:

•Unusual Outbound Network Traffic

•HTML Response Sizes

•Geographical Irregularities

•Increases in Database Read Volume

•Log-In Red Flags

•Unexpected Patching of Systems

•Large Numbers of Requests for the Same File

•Web Traffic with Unhuman Behavior

•Suspicious Registry or System File Changes

•Unusual DNS Requests

•Mobile Device Profile Changes

•Bundles of Data in the Wrong Place

•Mismatched Port-Application Traffic

•Signs of DDoS Activity

•Anomalies in Privileged User Account Activity
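The following added example (not from the original Q&A) shows how two of these indicators, signs of DDoS activity as described in Q32 (a flood of requests from one source) and large numbers of requests for the same file, can be pulled out of ordinary web-server access logs. The log lines, addresses and thresholds are constructed for the example.

```python
"""Added example (not from the original Q&A): scan constructed access-log
lines for a flooding source and for files requested unusually often."""

import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)


def sample_log_lines():
    """Constructed sample: three normal clients, one flooding source and a
    burst of distinct hosts all fetching the same export file."""
    lines = []
    for i, ip in enumerate(["10.1.1.20", "10.1.1.21", "10.1.1.22"]):
        lines.append(f'{ip} - - [10/Oct/2023:13:55:{i:02d} +0000] '
                     f'"GET /index.html HTTP/1.1" 200 5120')
    for i in range(50):  # 50 requests within one minute from a single address
        lines.append(f'198.51.100.7 - - [10/Oct/2023:13:55:{i % 60:02d} +0000] '
                     f'"GET /search?q={i} HTTP/1.1" 200 612')
    for i in range(30):  # 30 different hosts, one large file, within a minute
        lines.append(f'203.0.113.{i + 1} - - [10/Oct/2023:13:56:{i:02d} +0000] '
                     f'"GET /exports/customers.zip HTTP/1.1" 200 104857600')
    return lines


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def requests_per_minute(records):
    """Count requests per (source address, one-minute bucket)."""
    buckets = Counter()
    for r in records:
        buckets[(r["src"], r["ts"].replace(second=0))] += 1
    return buckets


def flooding_sources(records, per_minute_limit=20):
    """Sources exceeding per_minute_limit requests in any single minute:
    candidates for rate limiting or blocking during a DDoS."""
    return sorted({src for (src, _), n in requests_per_minute(records).items()
                   if n > per_minute_limit})


def hot_files(records, request_limit=10):
    """Paths requested more than request_limit times, mapped to
    (total requests, distinct requesters). Many distinct requesters for one
    large file is worth a look: scraping, or a coordinated download."""
    counts = Counter()
    requesters = defaultdict(set)
    for r in records:
        counts[r["path"]] += 1
        requesters[r["path"]].add(r["src"])
    return {p: (n, len(requesters[p])) for p, n in counts.items() if n > request_limit}


if __name__ == "__main__":
    records = [r for r in map(parse_line, sample_log_lines()) if r]
    print("flooding sources:", flooding_sources(records))
    print("hot files:", hot_files(records))
```

In practice the thresholds come from a baseline of normal traffic for the site, and the per-minute counters would be fed continuously rather than from a finished file; the grouping logic is the same.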




Problem solving tips for helpdesk personnel


Working on a help desk is all about problem solving. Users have problems and look to us for a solution. 

We all know that there are some people who are very good at solving problems and there are those who sometimes struggle. The good ones aren't necessarily more technical, they just have an almost uncanny ability to solve problems which have everyone else stumped.
 
If you are one of those that sometimes struggle, don't worry, it is possible to improve by following some very simple guidelines which we will show you on this site.

On this site we will take you through some of the key steps. The examples are all based on an IT help desk but the principles are universal. 

We present this guide in the form of several numbered steps. This doesn't mean to say that problem solving is a linear process, very often you will need to loop back to an earlier stage.

The Symptoms: It is vital you identify the symptoms. Quite often a user will call with "My computer is not working", but we all know how useless that is! Here are some questions that are applicable to practically all problems:

1. What is the exact error message?
This may be obvious, but sometimes it is easy to jump to conclusions based on partial information. If possible, get the user to send you a screen dump (hold down the ALT key, then press the PrtScr key, go to e.g. Word, create a new document and select Paste from the Edit menu).

2. What were you doing at the time?
By determining this you can identify which program or which part of the program is causing the problem.

3. Has the error always occurred or just started?
If the program has never worked, then it is possibly a fault with program. If it used to work OK, then you will need to find out at what point in time it stopped working.

4. If it has just started, have you recently installed any other software or made any other changes?
People are very reluctant to admit they have made changes - perhaps they are worried they will get into trouble? So, you will generally find that the answer to this question is "No", but never believe it. The program was working, now it isn't - something must have changed. Bear in mind that the user might not be aware of changes (e.g. many programs and even the operating system may do automatic updates) or they might not realize the significance of some apparently unrelated change.

5. Does it affect all machines or just yours?
If there are other machines that can use the program without problem, then the fault obviously lies with the configuration of this individual's machine.
If every machine has the same problem, it might be that they all have the same configuration problem or it might be a problem with the application's data.

6. In the case of networked programs, if you use the program from a different machine, do you get the same error?
If the error does not appear when you use the same application program from a different machine, then it is likely to be a fault in the configuration of the user's machine.
 

Examine the Evidence

What evidence is relevant? Do you have enough evidence? These are two key questions when problem solving, but you aren't going to know the answers to them until you start postulating possible causes and want to test them further.

Experience may sometimes tell you that certain facts are irrelevant. This is good, and will help you concentrate on what you think is relevant, BUT, don't forget about them and keep an open mind.
Your biggest tool for gathering evidence is of course your question and answer sessions with the user, but there are other tools which you can use:

Filemon is a great utility which logs all file activity. Set it running, then go to the problem program and generate the error. Stop Filemon and look at the log. It generates a great deal of information but it is very easy to spot problems.

Event logs: Most operating systems have both application and event logs. Check these to see if anything is relevant.

Confirm everything:  Quite often you have to tease the information out of a user over several question and answer situations. Once you feel that you understand the problem, make sure you confirm it with the user :

"So, as I understand it, if you click the Update button while creating a new record, the screen crashes with an error "Record must be unique". This was working fine on Friday, no-one else has this problem, and you haven't made any changes to your machine over the weekend. Is that correct?"
If they don't confirm then you must repeat step 1 until you are both happy that you are talking about the same problem.

Research: You know what the symptoms are, you know in what circumstances they appear, now you have to start finding a solution.

Of course, it might be that someone has already done the hard work for you - others may have had, and solved, this problem. There are several sources of information you might try:

Knowledge base : Somewhere, you should have a record of all past problems (and their solutions), otherwise you are going to keep wasting an awful lot of time. This should be in a form that is easily searched. You could use e.g. a spreadsheet, a simple document, a database, or a program designed specifically for the task. As long as it is easy to use.

The Internet : The Internet is a fantastic resource. The only problem is the sheer volume of information. A good search engine is key to getting the best of it. You can almost guarantee that someone, somewhere has had the same problem as your user and if you are lucky, there might be an answer already.

Colleagues: You might try asking your workmates, they may have seen this problem before. Of course, this will disrupt their work so it is not the most efficient use of resources and they will soon get tired of you if you make it a habit. This should only be used as a last resort.

Postulate and test:  By now, you know what the symptoms are and you have done some research on similar problems. You should by now have some theories as to the cause of the problem.

Now you need to test your theories. This usually involves further questioning of the user:
"Your monitor is blank; can you check if there is a green light on the front, bottom right of the monitor?"
 
If there is, then you know there is power to the monitor, but is there a signal?
"Do you have another monitor nearby that you can plug in instead?"
 
If the new monitor works, then it is a problem with the old one. If the problem persists, chase it back up the wire...
"Can you put the original monitor onto a different machine? Does it work OK there?"
 
If it does, then the fault is with the original PC.
"Is there a green light on the front right of the PC?"
 
If there is, the problem is probably with the PC itself.

Don't assume or jump to conclusions. Take a step by step approach, eliminating possibilities as you go. Sometimes when there are many possible answers you are able to narrow the field considerably by taking an initial broad brush approach. In the above example the first question we asked was "...can you check if there is a green light ...". If the answer was no, then either the monitor wasn't plugged in or there was a power failure. Perhaps a better first question would be "Plug a desk lamp into the same socket - does it work?"

Keep an open mind. You might find yourself going right down one avenue of investigation only to come to a full stop. Don't forget your other theories, go back and test these as well.

Identify the Problem

You know what the symptoms are, you have confirmed everything with the user, had one or more ideas as to the problem and now you have narrowed it down to just one. You must double-check that you have identified it correctly. There is no point in telling your user to buy a new monitor if all they have to do is wait for the power to be restored!
In the ideal world you will be able to devise one test that identifies the problem without doubt.
Of course, in the real world, all you can do is take your best guess, try your solution and hope. The mark of a good support person is how accurate that "guess" is. If you have followed the steps so far, gathered enough evidence, confirmed everything with the user and eliminated other possibilities logically, then your "guess" should be pretty accurate.

Provide a Solution:  This is what the user expects you to do, right? After all, you know what the problem is so fix it.

Most of the time you might have an easy solution. Other times there might not be an immediate fix available - you might need to order a spare part or it might require a new software release. There are even those situations where you don't know what the problem is. In any case, you need to communicate and manage expectations.
 
•If you have a solution, communicate the fix to the user clearly and ensure they understand.
•If you don't have an immediate solution, again make sure the user understands this and the likely timeframes. Make sure you schedule an action for yourself to monitor this.
•If you don't have any solution to the problem, do you have a work-around?

Confirm the Solution: You have told the user how to fix their problem, or you have arranged someone to do it for them. After the fix has gone in, you must confirm with the user that their problem has been solved. You can't assume that the engineer visited, or that the new part worked.
Keep in touch with the user until you know the problem has been resolved.

Communicate and Record : The worst thing for a user is if they believe their problem is not being given attention. They don't care that you have dozens of other users to deal with. That isn't (and shouldn't be) their concern. 

You must manage expectations, if you say "I'll get back to you", their idea of when you should do so might be very different to yours. Instead, say "I'll get back to you before 12:00 tomorrow" and make sure you do, even if it is to tell them that there has been no progress.

Record everything. No one has a perfect memory and no one only ever deals with one thing at a time. You must make a note of conversations, actions, agreements etc., because:
•You can easily hand tasks over to other personnel.
•You rarely work on one problem to the exclusion of others until it is completed. So you will be switching back and forth and will need some sort of reminder as to what has happened beforehand.
•You will build up a knowledge base of problems and solutions for use in the future.
•If there are recriminations, you have a record of what was done!
In what form you record this is up to you. You could use a document, a simple database, write your own program or use software specifically designed for use by helpdesks.

Sample Ticket Template #01
Which application is the user having issues with?
 - Please include the URL if it is a Web application.
 - OR please include the folder path if it's a file.
---------------
What is the incident? What is the user experiencing?
 - Type description
What is the error message?
 - Capture message number or description
When did this problem happen?
---------------
What is the impact to the business/user?
---------------
How many users are affected by this, one or more? Is it happening across the organization?
How urgent is the resolution of this incident?
 (Delete as necessary)
 COB today / 1 day / 2 days / End of week
---------------
Do you have a work-around? Is there any other work you can do, can you use someone else's PC? Is there another means by which you can get the required task completed?
---------------
What is the name of the user's machine? *
 - Shadow the user's machine to get this information
 - Or ask the user to open a command prompt and type hostname
---------------
What is the IP address of the user's machine? *
 - Shadow the user's machine to get this information
 - Or ask the user to open a command prompt and type ipconfig [windows] / ifconfig [linux]
---------------
Please attach a screenshot of the error
 - Shadow the user's machine to get a full screenshot
 - Or ask the user to take a screenshot and email it to you.

Sample Communication Template #01
Hello 

As a standard procedure, we require approval from your manager so we can fulfill your request.
Please provide this at your earliest convenience (via email if possible).

Thank you
ICT Service Desk Team

Sample Communication Template #02
 
ICT Service Desk Call Back No Response: #01
Dear [         ],

We have attempted to contact you on 1 occasion to resolve your service request, however we have been unsuccessful. 

If you still require assistance for this request, please contact the Service Desk on 00 0000 0000.

Regards
ICT Service Desk Team
