What to do after you’ve secured your servers and computers

You’ve hardened everything you could on your servers or computers, you have a strong password with MFA, you update everything regularly or automatically, and you are wondering what can be done next?

As you probably know, you can never be 100% protected and there is always a way criminals can find to access private information. For those who tell me they are 100% secure, here is an example:

You have a secure WordPress website at www.mysite.com which has nice plugins to secure it; you keep it up to date and you have MFA. You then go to a public café to make some changes to your website. You enter your WordPress URL in your browser, get the login window, enter your password plus your MFA code and get access to your website. You then make some changes and everything works as normal. Then, a few days later, your site gets defaced, or worse. What happened?

What you missed here is that an attacker in the same café as you was able to change the IP returned when you did a DNS query for your domain (either through a MITM attack or by changing the DNS server in the router config). He then redirected you to a new domain: www.rnysite.com. This new domain is owned by the attacker and points you to a server that runs Modlishka. This attack tool essentially proxies all your traffic to your real website www.mysite.com, even validating your password + MFA and making the changes you ask for, but it also keeps a copy of all the traffic, capturing your cookies and password. Although he doesn’t have your MFA, he now has your cookies. Oh, and if that’s not enough, it’s now possible to brute-force the TOTP seed with Hashcat with only 2 TOTP tokens. (Here is a definition of a brute-force attack.)

So now what?

Well, here come logging, aggregating, correlating and alerting — also known as Security Information and Event Management, or SIEM.

But what is a SIEM? As Varonis puts it:

Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure.

SIEM collects security data from network devices, servers, domain controllers, and more. SIEM stores, normalizes, aggregates, and applies analytics to that data to discover trends, detect threats, and enable organizations to investigate any alerts.

Source: https://www.varonis.com/blog/what-is-siem/
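To make the "log, aggregate, correlate, alert" idea concrete for the café scenario above, here is a small added example in Python (it is not from the original post, nor from Modlishka or any SIEM product). It parses constructed web-server log lines in a hypothetical format and raises an alert the first time a session cookie is used from a different IP address and User-Agent than the client that created it, which is what a replayed cookie looks like from the real site's point of view.

```python
import re

# Constructed sample access-log lines (hypothetical format, not a real
# WordPress or Apache log): timestamp, client IP, session cookie id,
# user agent, request line and status. Session abc123 is the café case:
# the owner logs in, then the same cookie is replayed from another host.
SAMPLE_LOG = """
2024-01-10T10:00:05Z 203.0.113.10 sess=abc123 ua=Firefox/115 POST /wp-login.php 302
2024-01-10T10:00:20Z 203.0.113.10 sess=abc123 ua=Firefox/115 GET /wp-admin/ 200
2024-01-10T10:05:00Z 198.51.100.7 sess=abc123 ua=curl/8.4 GET /wp-admin/ 200
2024-01-10T10:06:00Z 198.51.100.7 sess=abc123 ua=curl/8.4 POST /wp-admin/theme-editor.php 200
2024-01-10T11:00:00Z 192.0.2.5 sess=def456 ua=Chrome/120 POST /wp-login.php 302
2024-01-10T11:01:00Z 192.0.2.5 sess=def456 ua=Chrome/120 GET /wp-admin/ 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sess>\S+) ua=(?P<ua>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Normalise raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_session_reuse(events):
    """Correlation rule: alert the first time a session cookie is seen from a
    client fingerprint (IP + User-Agent) other than the ones already observed."""
    seen = {}  # session id -> set of fingerprints already observed
    alerts = []
    for e in events:
        fp = (e["ip"], e["ua"])
        known = seen.setdefault(e["sess"], set())
        if known and fp not in known:
            alerts.append({
                "rule": "session-cookie-reuse",
                "session": e["sess"],
                "first_seen_from": sorted(known)[0],
                "now_from": fp,
                "time": e["ts"],
                "request": f'{e["method"]} {e["path"]}',
            })
        known.add(fp)
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

A real SIEM applies the same rule over normalised events from many sources, usually with a time window and an allow-list for known proxies so that legitimate address changes do not page anyone.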

Now that we have established what a SIEM is and why it is needed, how do we get started?

Well, to get started using a SIEM, you can read my blog posts on the subject! My goal is to make it easy to understand and accessible to anyone with some IT experience.

Next post: SIEM 101 — Introduction

Passionate about information security, development and technology in general, I like to share my experience with different technologies. I also love travel!

Tristan Dostaler