Elastic Data Core Components In Cybersecurity

 

A typical network has a multitude of different logs to keep track of, and most of those logs are in different formats. With huge amounts of disparate data, how is it possible to get an overview of network operations while also getting a sense of subtle anomalies or changes in the network? This article covers what you need to know about the Elastic Stack data core components in cybersecurity.

 

The Elastic Stack attempts to solve this problem by providing a single interface view into a heterogeneous network. The Elastic Stack consists of Elasticsearch, Logstash, and Kibana (ELK). It is a highly scalable and modular framework for ingesting, analyzing, storing and visualizing data.

Elasticsearch is an open-core platform (open source in the core components) for searching and analyzing an organization’s data in near real-time. It can be used in many different contexts but has gained popularity in network security as a SIEM tool. Security Onion includes ELK and other components from Elastic including:

  • Beats – This is a series of software plugins that send different types of data to the Elasticsearch data stores.
  • ElastAlert – This provides queries and security alerts based on user-defined criteria and other information from data in Elasticsearch. Alert notifications can be sent to a console, or email and other notification systems such as TheHive security incident response platform.
  • Curator – This provides actions to manage Elasticsearch data indices.

Elasticsearch, which is the search engine component, uses RESTful web services and APIs, a distributed computing cluster with multiple server nodes, and a distributed NoSQL database made up of JSON documents. Additional functionality can be added through custom-created extensions.

The Elasticsearch company offers a commercial extension called X-Pack which adds security, alerting, monitoring, reporting, and graphs. The company also offers a machine-learning add-on as well as their own Elastic SIEM product.

Logstash enables the collection and normalization of network data into data indexes that can be efficiently searched by Elasticsearch. Logstash and Beats modules are used to ingest data into the Elasticsearch cluster.

Kibana provides a graphical interface to data that is compiled by Elasticsearch. It enables visualization of network data and provides tools and shortcuts for querying that data in order to isolate potential security breaches.

The core open source components of the Elastic Stack are Logstash, Beats, Elasticsearch, and Kibana, as shown in the figure.

 

The figure shows the core components of the Elastic Stack: Kibana, which is used to access, visualize and investigate data; Elasticsearch, which is used to store, index, and analyze data; and Logstash and Beats, which are used to acquire or ingest network data.

Elastic Stack Core Components

Logstash
Logstash is an extract, transform and load (ETL) system with the ability to take in various sources of log data and transform or parse the data through translation, sorting, aggregating, splitting, and validation. After transformation, the data is loaded into the Elasticsearch database in the proper format. The figure shows some of the fields that are available in Logstash, as displayed in the Kibana Management interface.

Kibana Management Frame Showing Logstash Index Details

Beats
Beats agents are open source software clients used to send operational data directly into Elasticsearch or through Logstash. Elastic, as well as the open-source community, actively develops Beats agents, so there is a huge variety of Beats agents for sending data to Elasticsearch in near real-time.
Some of the Beats agents provided by Elastic are Auditbeat for audit data, Metricbeat for metrics data, Heartbeat for availability, Packetbeat for network traffic, Journalbeat for Systemd journals, and Winlogbeat for Windows event logs. Some community-sourced Beats are Amazonbeat, Apachebeat, Dockbeat, Nginxbeat, and Mqttbeat to name a few.
Elasticsearch
Elasticsearch is a cross-platform enterprise search engine written in Java. The core components are open source, with commercial add-ons called X-Pack that give additional functionality. Elasticsearch supports near real-time search using simple REST APIs to create or update JavaScript Object Notation (JSON) documents using HTTP requests. Searches can be made using any program capable of making HTTP requests, such as a web browser, Postman, cURL, etc. These APIs can also be accessed by Python or other programming language scripts for automated operations.
The Elasticsearch data structure is called an inverted index, which is designed to allow very fast full-text searches. An index is like a database, it is a namespace for a collection of documents that are related to each other. An index can be partitioned or mapped into different types.
If you compare an Elasticsearch index to a traditional relational database, the index is like the database, the types are like the tables, and the documents are like the columns and rows, as shown in the table.

  MySQL component        Elasticsearch component
  database               index
  tables                 types
  columns/rows           documents
Elasticsearch stores data in JSON-formatted documents. A JSON document is organized into hierarchies of key/value pairs, with the key being a name and the corresponding value being either a string, number, Boolean, date, array, or another type of data.
Kibana
Kibana provides an easy to use graphical user interface for managing Elasticsearch. By using a web browser, an analyst can use the Kibana interface to search and view indices.
The Management tab allows you to create and manage indices and their types and formats. The Discover tab is a quick and powerful way to view your data and search it using the search tools.
The visualize tab allows you to create custom visualizations like bar charts, line charts, pie charts, heat maps, and more. The visualizations you create can be organized into customized dashboards for monitoring and analyzing your data. A Kibana dashboard is shown in the figure.

A Kibana Dashboard

Data Reduction

The amount of network traffic that is collected by packet captures and the number of log file entries and alerts that are generated by network and security devices can be enormous. Even with recent advances in Big Data, processing, storing, accessing, and archiving NSM-related data is a daunting task.
For this reason, it is important to identify the network data that should be gathered. Not every log file entry, packet, and alert needs to be gathered. By limiting the volume of data, tools like Elasticsearch will be far more useful, as shown in the figure.
Some network traffic has little value to NSM.
Encrypted data, such as IPsec or SSL traffic, is largely unreadable. Some traffic, such as that generated by routing protocols or spanning-tree protocol, is routine and can be excluded. Other broadcast and multicast protocols can usually be eliminated from packet captures, as can traffic from other protocols that generate a lot of routine traffic.
In addition, alerts that are generated by a HIDS, such as Windows security auditing or OSSEC, should be evaluated for relevance.
Some are informational or of low potential security impact. These messages can be filtered from NSM data. Similarly, Syslog may store messages of very low severity that could be disregarded to diminish the quantity of NSM data to be handled.
The figure is a simplified representation of how data such as PCAPs, logs, and alerts are fed into Logstash or the Elastic Stack and parsed into relevant network security monitoring data.
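As an added example (not code from the original article), the reduction rules just described applied in Python to a few constructed packet summaries and syslog lines: routing-protocol, IPsec, multicast and broadcast packets are dropped, and syslog messages at informational or debug severity are filtered out. The protocol-number sets and the 10.0.0.0/24 local network are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Standard IANA protocol numbers for the traffic classes the text calls routine
# (routing protocols) or largely unreadable (IPsec). Which protocols to drop is
# an assumption for this example and would be tuned per site.
ROUTING_PROTOCOLS = {88: "eigrp", 89: "ospf"}
IPSEC_PROTOCOLS = {50: "esp", 51: "ah"}

# Syslog lines start with <PRI>, where PRI = facility * 8 + severity and
# severity 6 = informational, 7 = debug.
SYSLOG_PRI = re.compile(r"^<(\d{1,3})>")
NOTICE = 5  # highest severity number that is kept; 6 and 7 are dropped

# Constructed packet summaries (not real captures), one dict per packet.
PACKETS: List[Dict[str, object]] = [
    {"src": "10.0.0.1", "dst": "224.0.0.5", "proto": 89, "dport": 0},       # OSPF hello
    {"src": "10.0.0.1", "dst": "10.0.0.2", "proto": 50, "dport": 0},        # IPsec ESP
    {"src": "10.0.0.2", "dst": "239.1.1.1", "proto": 17, "dport": 5000},    # multicast
    {"src": "10.0.0.2", "dst": "10.0.0.255", "proto": 17, "dport": 137},    # subnet broadcast
    {"src": "10.0.0.3", "dst": "198.51.100.8", "proto": 6, "dport": 443},   # TLS session
    {"src": "10.0.0.3", "dst": "10.0.0.9", "proto": 6, "dport": 80},        # HTTP session
]
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")   # assumed monitored subnet

# Constructed syslog lines with varying PRI values.
SYSLOG_LINES = [
    "<34>Jul 24 19:39:35 srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40754 ssh2",
    "<190>Jul 24 19:39:36 srv1 cron[2210]: (root) CMD (run-parts /etc/cron.hourly)",
    "<13>Jul 24 19:39:37 srv1 su: 'su root' succeeded for bob on /dev/pts/0",
    "<15>Jul 24 19:39:38 srv1 app[2215]: debug: cache warmed in 12ms",
    "Jul 24 19:39:39 srv1 kernel: line without a PRI field",
]


def classify_packet(pkt: Dict[str, object], local_net: ipaddress.IPv4Network) -> str:
    """Return 'keep' or 'drop:<reason>' for one packet summary."""
    proto = pkt["proto"]
    if proto in ROUTING_PROTOCOLS:
        return "drop:" + ROUTING_PROTOCOLS[proto]
    if proto in IPSEC_PROTOCOLS:
        return "drop:" + IPSEC_PROTOCOLS[proto]
    dst = ipaddress.ip_address(str(pkt["dst"]))
    if dst.is_multicast:
        return "drop:multicast"
    if dst == ipaddress.ip_address("255.255.255.255") or dst == local_net.broadcast_address:
        return "drop:broadcast"
    return "keep"


def reduce_packets(packets, local_net) -> Tuple[list, Counter]:
    """Split packets into those worth storing and a count of each drop reason."""
    kept, dropped = [], Counter()
    for pkt in packets:
        verdict = classify_packet(pkt, local_net)
        if verdict == "keep":
            kept.append(pkt)
        else:
            dropped[verdict] += 1
    return kept, dropped


def syslog_severity(line: str) -> Optional[int]:
    """Severity is the low three bits of PRI; None if the line has no valid PRI."""
    m = SYSLOG_PRI.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return pri & 7 if pri <= 191 else None


def reduce_syslog(lines, max_severity: int = NOTICE) -> list:
    """Drop informational and debug messages; keep lines whose PRI cannot be parsed."""
    kept = []
    for line in lines:
        sev = syslog_severity(line)
        if sev is None or sev <= max_severity:
            kept.append(line)
    return kept


if __name__ == "__main__":
    kept_pkts, drops = reduce_packets(PACKETS, LOCAL_NET)
    print(f"packets kept: {len(kept_pkts)}, dropped: {dict(drops)}")
    print(f"syslog lines kept: {len(reduce_syslog(SYSLOG_LINES))} of {len(SYSLOG_LINES)}")
```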

Data Normalization

Data normalization is the process of combining data from a number of data sources into a common format. Logstash provides a series of transformations that process security data and transform it before adding it to Elasticsearch. Additional plugins can be created to suit the needs of the organization.
A common schema will specify the names and formats for the required data fields. Formatting of the data fields can vary widely between sources. However, if searching is to be effective, the data fields must be consistent.
For example, IPv6 addresses, MAC addresses, and date and time information can be represented in varying formats. Similarly, subnet masks, DNS records, and so on can vary in format between data sources. Logstash transformations accept the data in its native format and make elements of the data consistent across all sources. For example, a single format will be used for addresses and timestamps for data from all sources.

IPv6 Address Formats

  • 2001:db8:acad:1111:2222::33
  • 2001:DB8:ACAD:1111:2222::33
  • 2001:DB8:ACAD:1111:2222:0:0:33
  • 2001:DB8:ACAD:1111:2222:0000:0000:0033

MAC Formats

  • A7:03:DB:7C:91:AA
  • A7-03-DB-7C-91-AA
  • A70.3DB.7C9.1AA

Date Formats

  • Monday, July 24, 2017 7:39:35pm
  • Mon, 24 Jul 2017 19:39:35 +0000
  • 2017-07-24T19:39:35+00:00
  • 1500925254
Data normalization is required to simplify searching for correlated events. If differently formatted values exist in the NSM data for IPv6 addresses, for example, a separate query term would need to be created for every variation in order for correlated events to be returned by the query.
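The normalization step described above, as an added Python example rather than a Logstash configuration from the article: each of the IPv6, MAC and date formats listed is converted to one canonical form (RFC 5952 text for IPv6, lowercase colon-separated pairs for MAC, ISO 8601 in UTC for timestamps). Timestamps that carry no zone are assumed to be UTC, and the field names in normalize_event are assumptions for the example.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from ipaddress import IPv6Address

HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Layouts with no timezone information; UTC is assumed for these (an
# assumption for this example, not something the article states).
NAIVE_FORMATS = [
    "%A, %B %d, %Y %I:%M:%S%p",   # Monday, July 24, 2017 7:39:35pm
    "%Y-%m-%d %H:%M:%S",          # 2017-07-24 19:39:35
]


def normalize_ipv6(value: str) -> str:
    """Canonical form: lowercase, leading zeros stripped, longest zero run as '::'."""
    return IPv6Address(value.strip()).compressed


def normalize_mac(value: str) -> str:
    """aa:bb:cc:dd:ee:ff regardless of ':', '-' or Cisco-style '.' grouping."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def normalize_timestamp(value: str) -> str:
    """ISO 8601 in UTC from epoch seconds, ISO 8601, RFC 2822 or the long US form."""
    value = value.strip()
    if value.isdigit():
        dt = datetime.fromtimestamp(int(value), tz=timezone.utc)
    else:
        dt = None
        try:
            dt = datetime.fromisoformat(value)            # 2017-07-24T19:39:35+00:00
        except ValueError:
            pass
        if dt is None:
            try:
                dt = parsedate_to_datetime(value)         # Mon, 24 Jul 2017 19:39:35 +0000
            except (TypeError, ValueError):
                dt = None
        if dt is None:
            for fmt in NAIVE_FORMATS:
                try:
                    dt = datetime.strptime(value, fmt)
                    break
                except ValueError:
                    continue
        if dt is None:
            raise ValueError(f"unrecognised timestamp: {value!r}")
        if dt.tzinfo is None:                             # no zone given: assume UTC
            dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat()


# Assumed field names; a real pipeline would map each source's own names here.
NORMALIZERS = {
    "timestamp": normalize_timestamp,
    "src_ip": normalize_ipv6,
    "src_mac": normalize_mac,
}


def normalize_event(event: dict) -> dict:
    """Apply the per-field normalizers, as a Logstash filter stage would, leaving other fields untouched."""
    return {k: (NORMALIZERS[k](v) if k in NORMALIZERS else v) for k, v in event.items()}
```

Note that the epoch sample 1500925254 decodes to 19:40:54 UTC, 79 seconds after the instant the other three samples describe.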

Data Archiving

Everyone would love the security of collecting and saving everything, just in case. However, retaining NSM data indefinitely is not feasible due to storage and access issues. It should be noted that the retention period for certain types of network security information may be specified by compliance frameworks. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires that an audit trail of user activities related to protected information be retained for one year.
Security Onion has different data retention periods for different types of NSM data. For pcaps and raw Bro logs, a value assigned in the securityonion.conf file controls the percentage of disk space that can be used by log files. By default, this value is set to 90%. For Elasticsearch, retention of data indices is controlled by Elasticsearch Curator. Curator runs in a Docker container and executes every minute according to cron jobs. Curator logs its activity to curator.log. Curator defaults to closing indices older than 30 days. To modify this, change CURATOR_CLOSE_DAYS in /etc/nsm/securityonion.conf. As a disk reaches capacity, Curator deletes old indices to prevent your disk from filling up. To change the limit, modify LOG_SIZE_LIMIT in /etc/nsm/securityonion.conf.
Sguil alert data is retained for 30 days by default. This value is set in the securityonion.conf file.
Security Onion is known to require a lot of storage and RAM to run properly. Depending on the size of the network, multiple terabytes of storage may be required. Of course, Security Onion data can always be archived to external storage by a data archive system, depending on the needs and capabilities of the organization.
Note: The storage locations for the different types of Security Onion data will vary based on the Security Onion implementation.
Log entries are generated by network devices, operating systems, applications, and various types of programmable devices. A file containing a time-sequenced stream of log entries is called a log file. By nature, log files record events that are relevant to the source. The syntax and format of data within log messages are often defined by the application developer.
Therefore, the terminology used in the log entries often varies from source to source. For example, depending on the source, the terms login, logon, authentication event, and user connection, may all appear in log entries to describe a successful user authentication to a server.
It is desirable to have consistent and uniform terminology in logs generated by different sources. This is especially true when all log files are being collected by a centralized point. The term normalization refers to the process of converting parts of a message, in this case, a log entry, to a common format.
In this lab, you will use command-line tools to manually normalize log entries. In Part 2, the timestamp field must be normalized. In Part 3, the IPv6 field requires normalization.

 

Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level. I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained include staff of Dangote Refinery, FCMB, Zenith Bank, and New Horizons Nigeria, among others. Please come on WhatsApp and let's talk about your training. You can reach me on WhatsApp HERE. Please note that I will be using Microsoft Teams to facilitate the training.

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.

 

Fact Check Policy

CRMNAIJA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.


Using Sguil In Investigating Network Data


The primary duty of a cybersecurity analyst is the verification of security alerts. Depending on the organization, the tools used to do this will vary. For example, a ticketing system may be used to manage task assignments and documentation.
In Security Onion, the first place that a cybersecurity analyst will go to verify alerts is Sguil. In this article, I want to look at some of the ways of investigating network data in cybersecurity. Follow me as we are going to look at that in this article. 

 

Sguil automatically correlates similar alerts into a single line and provides a way to view correlated events represented by that line. In order to get a sense of what has been happening in the network, it may be useful to sort on the CNT column to display the alerts with the highest frequency.
Right-clicking the CNT value and selecting View Correlated Events opens a tab that displays all events that are related by Sguil.
This can help the cybersecurity analyst understand the time frame during which the correlated events were received by Sguil. Note that each event receives a unique event ID. Only the first event ID in the series of correlated events is displayed in the RealTime Events tab. The figure shows Sguil alerts sorted on CNT with the View Correlated Events menu open.

Sguil Alerts Sorted on CNT

Sguil Queries

Queries can be constructed in Sguil using the Query Builder. It simplifies constructing queries to a certain degree, but the cybersecurity analyst must know the field names and some issues with field values. For example, Sguil stores IP addresses in an integer representation. In order to query an IP address in dotted-decimal notation, the IP address value must be placed within the INET_ATON() function. Query Builder is opened from the Sguil Query menu. Select Query Event Table to search active events.

The table shows the names of some of the event table fields that can be queried directly. Selecting Show DataBase Tables from the Query menu displays a reference to the field names and types for each of the tables that can be queried. When conducting event table searches, use the pattern event.fieldName = value.

 

  Field name   Type       Description
  sid          int        the unique ID of the sensor
  cid          int        the sensor's unique event number
  signature    varchar    the human-readable name of the event (e.g. "WEB-IIS view source via translate header")
  timestamp    datetime   the date and time the event occurred on the sensor
  status       int        the Sguil classification assigned to this event; unclassified events are priority 0
  src_ip       int        the source IP for the event; use the INET_ATON() function to convert the address to the database's integer representation
  dst_ip       int        the destination IP for the event
  src_port     int        the source port of the packet that triggered the event
  dst_port     int        the destination port of the packet that triggered the event
  ip_proto     int        IP protocol type of the packet (6 = TCP, 17 = UDP, 1 = ICMP; others are possible)
The figure shows a simple timestamp and IP address query made in the Query Builder window. Note the use of the INET_ATON() function to simplify entering an IP address.
In the example below, the cybersecurity analyst is investigating a source port 40754 that is associated with an Emerging Threats alert. Towards the end of the query, the WHERE event.src_port = ‘40754’ portion was created by the user in Query Builder. The remainder of the query is supplied automatically by Sguil and concerns how the data that is associated with the events is to be retrieved, displayed, and presented.
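An added example (not Sguil's own code) of what the INET_ATON() requirement implies: the dotted-decimal-to-integer mapping the database uses, the user-supplied WHERE clause for address and non-address fields, and decoding a raw event-table row back into readable form. The sample row is constructed; the protocol names come from the ip_proto description in the table above.

```python
import ipaddress

# Protocol numbers as listed in the ip_proto field description.
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Event-table fields that hold addresses in integer form.
IP_FIELDS = ("src_ip", "dst_ip")


def inet_aton(dotted: str) -> int:
    """Same mapping as MySQL INET_ATON(): 'a.b.c.d' -> a*2**24 + b*2**16 + c*2**8 + d."""
    return int(ipaddress.IPv4Address(dotted))


def inet_ntoa(value: int) -> str:
    """Inverse mapping (MySQL INET_NTOA()) for rows read back from the event table."""
    return str(ipaddress.IPv4Address(value))


def event_where(field: str, value) -> str:
    """Build the user-supplied WHERE portion of a Sguil event-table query.

    Address fields are wrapped in INET_ATON(); anything else is quoted the way
    Query Builder does (WHERE event.src_port = '40754').
    """
    if field in IP_FIELDS:
        dotted = str(ipaddress.IPv4Address(value))   # rejects anything that is not an IPv4 address
        return f"WHERE event.{field} = INET_ATON('{dotted}')"
    text = str(value).replace("'", "''")              # escape embedded single quotes
    return f"WHERE event.{field} = '{text}'"


def decode_event_row(row: dict) -> dict:
    """Render a raw event-table row (integer IPs, numeric protocol) in readable form."""
    out = dict(row)
    for field in IP_FIELDS:
        if field in out:
            out[field] = inet_ntoa(out[field])
    if "ip_proto" in out:
        proto = out["ip_proto"]
        out["ip_proto"] = IP_PROTO_NAMES.get(proto, f"proto-{proto}")
    return out


# Constructed event-table row, reusing the signature text quoted in the table above.
SAMPLE_ROW = {
    "sid": 1, "cid": 4417,
    "signature": "WEB-IIS view source via translate header",
    "timestamp": "2017-07-24 19:39:35", "status": 0,
    "src_ip": inet_aton("203.0.113.7"), "dst_ip": inet_aton("192.168.1.5"),
    "src_port": 40754, "dst_port": 80, "ip_proto": 6,
}

if __name__ == "__main__":
    print(event_where("src_port", 40754))
    print(event_where("src_ip", "192.168.1.5"))
    print(decode_event_row(SAMPLE_ROW))
```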

Pivoting from Sguil

Sguil provides the ability for the cybersecurity analyst to pivot to other information sources and tools. Log files are available in Elasticsearch. Relevant packet captures can be displayed in Wireshark.
Transcripts of TCP sessions and Zeek (Bro) detection information are also available. The menu shown in the figure was opened by right-clicking on an Alert ID. Selecting from this menu will open information about the alert in other tools, which provides rich, contextualized information to the cybersecurity analyst.

Pivoting from Sguil

Additionally, Sguil can provide pivots to Passive Real-time Asset Detection System (PRADS) and Security Analyst Network Connection Profiler (SANCP) information. These tools are accessed by right-clicking on an IP address for an event and selecting the Quick Query or Advanced Query menus.
PRADS gathers network profiling data, including information about the behaviour of assets on the network. PRADS is an event source, like Snort and OSSEC. It can also be queried through Sguil when an alert indicates that an internal host may have been compromised.
Executing a PRADS query out of Sguil can provide information about the services, applications, and payloads that may be relevant to the alert. In addition, PRADS detects when new assets appear on the network.
Note: The Sguil interface refers to PADS instead of PRADS. PADS was the predecessor to PRADS. PRADS is the tool that is actually used in Security Onion. PRADS is also used to populate SANCP tables. In Security Onion, the functionalities of SANCP have been replaced by PRADS, however, the term SANCP is still used in the Sguil interface. PRADS collects the data, and a SANCP agent records the data in a SANCP data table.

 

The SANCP functionalities concern collecting and recording statistical information about network traffic and behaviour. SANCP provides a means of verifying that network connections are valid. This is done through the application of rules that indicate which traffic should be recorded and the information with which the traffic should be tagged.

Event Handling in Sguil

Finally, Sguil is not only a console that facilitates the investigation of alerts. It is also a tool for addressing or classifying alerts. Three tasks can be completed in Sguil to manage alerts. First, alerts that have been found to be false positives can be expired.

This can be done by right-clicking in the ST column for the event and using the menu, or by pressing the F8 key. An expired event disappears from the queue. Second, if the cybersecurity analyst is uncertain how to handle an event, it can be escalated by pressing the F9 key.

The alert will be moved to the Sguil Escalated Events tab. Finally, an event can be categorized. Categorization is for events that have been identified as true positives.

 

Sguil includes seven pre-built categories that can be assigned by using a menu, which is shown in the figure, or by pressing the corresponding function key. For example, an event would be categorized as Cat I by pressing the F1 key. In addition, criteria can be created that will automatically categorize an event.

Categorized events are assumed to have been handled by the cybersecurity analyst. When an event is categorized, it is removed from the list of RealTime Events. The event remains in the database, however, and it can be accessed by queries that are issued by category.

 

This course covers Sguil at a basic level. Numerous resources exist on the internet for learning more.

 

Event Handling in Sguil

Working in ELK

Logstash and Beats are used for data ingestion in the Elastic Stack. They provide access to large numbers of log file entries. Because the number of logs that can be displayed is so large, Kibana, which is the visual interface into the logs, is configured to show the last 24 hours by default. You can adjust the time range to view broader or older ranges of data.
In order to see log file records for a different period of time, click the Last 24 hours tab in the upper right corner of Kibana. From there, set the Time Range by selecting the Quick tab for predefined time ranges. You can also enter the dates and times manually using the Absolute tab.
The figure shows an Absolute time range from May 17th to May 18th, 2020. Logs are ingested into Elasticsearch into separate indices or databases based on a configured range of time.
The best way to monitor your data in Elasticsearch is to build customized visual dashboards that track the data that you are interested in using. A variety of visual charts including bar graphs, pie charts, count metrics, heat maps, Geo maps, top number lists are available. In Kibana, visualizations and charts can be searched and filtered with specific metrics and buckets of data.

Queries in ELK

Elasticsearch is built on Apache Lucene, an open-source search engine software library that features full-text indexing and searching capabilities. Elasticsearch ingests data as documents stored in indices, and the fields of those documents are mapped to various datatypes using index patterns. The index patterns create a data structure of JSON-formatted fields and values. The datatypes in the fields can be in the following formats:

  • Core Datatypes: Text (Strings), Numeric, Date, Boolean, Binary, and Range
  • Complex Datatypes: Object (JSON), Nested (arrays of JSON objects)
  • Geo Datatypes: Geo-point (latitude/longitude), Geo-shape (polygons)
  • Specialized Datatypes: IP addresses, Token count, Histogram, etc.

Using Lucene software libraries, Elasticsearch has its own query language based on JSON called Query DSL (Domain Specific Language). Query DSL features leaf queries, compound queries, and expensive queries.

Leaf queries look for a specific value in a specific field, such as the match, term, or range queries. Compound queries enclose other leaf or compound queries and are used to combine multiple queries in a logical fashion. Expensive queries execute slowly and include fuzzy matching, regex matching, and wildcard matching.

 

Query Language
Along with JSON, Elasticsearch queries make use of the following elements: Boolean operators, Fields, Ranges, Wildcards, Regex, Fuzzy search, Text search.
  • Boolean Operators – AND, OR, and NOT operators:
    • “php” OR “zip” OR “exe” OR “jar” OR “run”
    • “RST” AND “ACK”
  • Fields – In colon-separated key: value pairs you specify the key field, a colon, a space and the value:
    • dst.ip: “192.168.1.5”
    • dst.port: 80
  • Ranges – You can search for fields within a specific range using square brackets (inclusive) or curly braces (exclusive) range:
    • host:[1 TO 255] — Will return events with a host value between 1 and 255, inclusive
    • TTL:{100 TO 400} — Will return events with a TTL value between 101 and 399 (the bounds are excluded)
    • name: [Admin TO User] — Will return names between and including Admin and User
  • Wildcards – The * character is for multiple character wildcards and the ? character for single-character wildcards:
    • P?ssw?rd — Will match Password, and P@ssw0rd
    • Pas* — Will match Pass, Passwd, and Password
  • Regex – These are placed between forward slashes (/):
    • /d[ao]n/ — Will match both dan and don
    • /<.+>/ — Will match text that resembles an HTML tag
  • Fuzzy Search – Fuzzy searching uses the Damerau-Levenshtein Distance to match terms that are similar in spelling. This is great when your data set has misspelt words. Use the tilde (~) to find similar terms:
    • index.php~ – This may return results like “index.html,” “home.php”, and “info.php.”
    • Use the tilde (~) along with a number to specify how big the distance between words can be:
    • term~2 – This will match, among other things: “team,” “terms,” “trem,” and “torn”
  • Text search – Type in the term or value you want to find. This can be a field, or a string within a field, etc.

 

Query Execution
Elasticsearch was designed to interface with users using web-based clients that follow the HTTP REST framework. Queries can be executed using the following methods:
  • URI – Elasticsearch can execute queries using URI searches:
    • http://localhost:9200/_search?q=query:ns.example.com
  • cURL – Elasticsearch can execute queries using cURL from the command line:
    • curl “localhost:9200/_search?q=query:ns.example.com”
  • JSON – Elasticsearch can execute queries with a request body search using a JSON document beginning with a query element, and a query formatted using the Query Domain Specific Language.
  • Dev Tools – Elasticsearch can execute queries using the Dev Tools console in Kibana and a query formatted using the Query Domain Specific Language.
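An added Python example (not from the article or from Elastic) that builds Query DSL clauses for the query-language elements listed above, translating the bracket and brace range syntax into gte/lte and gt/lt, and emits them in the JSON request-body and URI-search forms. The field name filename and the combined example query are assumptions.

```python
import json
import re
from urllib.parse import quote

# Lucene-style range: field:[lo TO hi] (inclusive) or field:{lo TO hi} (exclusive).
RANGE = re.compile(
    r"^(?P<field>[\w.]+):\s*(?P<lo_b>[\[{])\s*(?P<lo>\S+)\s+TO\s+(?P<hi>\S+)\s*(?P<hi_b>[\]}])$"
)


def _literal(text: str):
    """Numeric bounds become ints so Elasticsearch compares them numerically, not as text."""
    try:
        return int(text)
    except ValueError:
        return text


def range_query(expr: str) -> dict:
    """Translate host:[1 TO 255] or TTL:{100 TO 400} into a Query DSL range clause."""
    m = RANGE.match(expr.strip())
    if not m:
        raise ValueError(f"not a range expression: {expr!r}")
    lo_op = "gte" if m["lo_b"] == "[" else "gt"
    hi_op = "lte" if m["hi_b"] == "]" else "lt"
    return {"range": {m["field"]: {lo_op: _literal(m["lo"]), hi_op: _literal(m["hi"])}}}


def term_query(field: str, value) -> dict:
    """Exact value on a keyword, ip or numeric field, e.g. dst.ip: "192.168.1.5"."""
    return {"term": {field: value}}


def match_query(field: str, text: str) -> dict:
    """Analyzed full-text match, e.g. "RST" in a flags field."""
    return {"match": {field: text}}


def wildcard_query(field: str, pattern: str) -> dict:
    """* for any run of characters, ? for exactly one, e.g. P?ssw?rd."""
    return {"wildcard": {field: {"value": pattern}}}


def regexp_query(field: str, pattern: str) -> dict:
    """The query language wraps regexes in slashes; the DSL takes the bare pattern."""
    return {"regexp": {field: pattern.strip("/")}}


def fuzzy_query(field: str, value: str, fuzziness="AUTO") -> dict:
    """term~2 in the query language becomes fuzziness 2 here."""
    return {"fuzzy": {field: {"value": value, "fuzziness": fuzziness}}}


def bool_query(must=(), should=(), must_not=()) -> dict:
    """Compound query: must = AND, should = OR, must_not = NOT."""
    clause = {}
    if must:
        clause["must"] = list(must)
    if should:
        clause["should"] = list(should)
        clause["minimum_should_match"] = 1   # at least one OR branch has to hit
    if must_not:
        clause["must_not"] = list(must_not)
    return {"bool": clause}


def request_body(query: dict, size: int = 10) -> str:
    """JSON request-body search: a document whose first element is 'query'."""
    return json.dumps({"query": query, "size": size}, indent=2)


def uri_search(q: str, host: str = "localhost", port: int = 9200) -> str:
    """URI search, the form shown above: /_search?q=<query string>."""
    return f"http://{host}:{port}/_search?q={quote(q, safe=':')}"


def example_query() -> dict:
    """Assumed combined query: HTTP events with a mid-range TTL whose filename
    looks like a script or executable, excluding one known host."""
    return bool_query(
        must=[term_query("dst.port", 80), range_query("TTL:{100 TO 400}")],
        should=[wildcard_query("filename", "*.php"), wildcard_query("filename", "*.exe")],
        must_not=[term_query("dst.ip", "192.168.1.5")],
    )


if __name__ == "__main__":
    print(uri_search("query:ns.example.com"))
    print(request_body(example_query()))
```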

Note: Advanced Elasticsearch queries are beyond the scope of this course. In the labs, you will be provided with complex query statements, if necessary.

Investigating Process or API Calls

Applications interact with an operating system (OS) through system calls to the OS application programming interface (API), as shown in the figure. These system calls allow access to many aspects of system operation such as:

  • Software process control
  • File management
  • Device management
  • Information management
  • Communication

Malware can also make system calls. If the malware can fool an OS kernel into allowing it to make system calls, many exploits are possible.

HIDS software tracks the operation of a host OS. OSSEC rules detect changes in host-based parameters like the execution of software processes, changes in user privileges, and registry modifications, among many others. OSSEC rules will trigger an alert in Sguil. Pivoting to Kibana on the host IP address allows you to choose the type of alert based on the program that created it. Filtering for OSSEC indices results in a view of the OSSEC events that occurred on the host, including indicators that malware may have interacted with the OS kernel.

 

The figure shows how a user can make a remote system call, using an application, to access a remote operating system’s API to access information regarding the computer’s files, processes, network status and configuration, I/O, and devices.


Digital Forensics In Cybersecurity: Facts To Note


Now that you have investigated and identified valid alerts, what do you do with the evidence? The cybersecurity analyst will inevitably uncover evidence of criminal activity. In order to protect the organization and to prevent cybercrime, it is necessary to identify threat actors, report them to the appropriate authorities, and provide evidence to support prosecution.

 

Tier 1 cybersecurity analysts are often the first to uncover wrongdoing. Cybersecurity analysts must know how to properly handle evidence and attribute it to threat actors. In this article, we will be talking about some of the facts that you need to know about Digital Forensics in cybersecurity.

 

Digital forensics is the recovery and investigation of information found on digital devices as it relates to criminal activity. Indicators of compromise are the evidence that a cybersecurity incident has occurred.

 

This information could be data on storage devices, in volatile computer memory, or the traces of cybercrime that are preserved in network data, such as pcaps and logs. It is essential that all indicators of compromise be preserved for future analysis and attack attribution.

 

Cybercriminal activity can be broadly characterized as originating from inside of or outside of the organization. Private investigations are concerned with individuals inside the organization.


These individuals could simply be behaving in ways that violate user agreements or other non-criminal conduct. When individuals are suspected of involvement in criminal activity involving the theft or destruction of intellectual property, an organization may choose to involve law enforcement authorities, in which case the investigation becomes public.


Internal users could also have used the organization’s network to conduct other criminal activities that are unrelated to the organizational mission but are in violation of various legal statutes.

 

In this case, public officials will carry out the investigation.

 

When an external attacker has exploited a network and stolen or altered data, evidence needs to be gathered to document the scope of the exploit. Various regulatory bodies specify a range of actions that an organization must take when various types of data have been compromised. The results of forensic investigation can help to identify the actions that need to be taken.

 

For example, under the US HIPAA regulations, if a data breach has occurred that involves patient information, notification of the breach must be made to the affected individuals. If the breach involves more than 500 individuals in a state or jurisdiction, the media, as well as the affected individuals, must be notified.

 

A digital forensic investigation must be used to determine which individuals were affected, and to certify the number of affected individuals so that appropriate notification can be made in compliance with HIPAA regulations.


It is possible that the organization itself could be the subject of an investigation. Cybersecurity analysts may find themselves in direct contact with digital forensic evidence that details the conduct of members of the organization.

 

Analysts must know the requirements regarding the preservation and handling of such evidence. Failure to do so could result in criminal penalties for the organization and even the cybersecurity analyst if the intention to destroy evidence is established.

The Digital Forensics Process

It is important that an organization develop well-documented processes and procedures for digital forensic analysis. Regulatory compliance may require this documentation, and this documentation may be inspected by authorities in the event of a public investigation.
NIST Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response, is a valuable resource for organizations that require guidance in developing digital forensics plans. For example, it recommends that forensics be performed using a four-phase process.
The following describes the four basic phases of the digital evidence forensic process.
This image depicts the Digital Evidence Forensic Process as a progress bar moving from right to left. The four steps are Collection, Examination, Analysis, and Reporting. Above the steps are listed the inputs or outputs of each step: media is collected, examination results in data, analysis yields information, and evidence is reported.

The Digital Evidence Forensic Process

Types of Evidence

In legal proceedings, evidence is broadly classified as either direct or indirect. Direct evidence is evidence that was indisputably in the possession of the accused or is eyewitness evidence from someone who directly observed criminal behaviour.
Evidence is further classified as:
  • Best evidence – This is evidence that is in its original state. This evidence could be storage devices used by an accused, or archives of files that can be proven to be unaltered.
  • Corroborating evidence – This is evidence that supports an assertion that is developed from the best evidence.
  • Indirect evidence – This is evidence that, in combination with other facts, establishes a hypothesis. This is also known as circumstantial evidence. For example, evidence that an individual has committed similar crimes can support the assertion that the person committed the crime of which they are accused.

Evidence Collection Order

IETF RFC 3227 provides guidelines for the collection of digital evidence. It describes an order for the collection of digital evidence based on the volatility of the data. Data stored in RAM is the most volatile, and it will be lost when the device is turned off. In addition, important data in volatile memory could be overwritten by routine machine processes.
Therefore, the collection of digital evidence should begin with the most volatile evidence and proceed to the least volatile, as shown in the figure.
This image uses a downward-pointing arrow, graded in color from red to green, to assign a level of volatility to certain evidence sources.
The most volatile source listed is the contents of RAM, the source with mid-level volatility is listed as the contents of fixed disks, and the source that is listed as non-volatile is archived backup data.

Evidence Collection Priority

An example of most volatile to least volatile evidence collection order is as follows:

  1. Memory registers, caches
  2. The routing table, ARP cache, process table, kernel statistics, RAM
  3. Temporary file systems
  4. Non-volatile media, fixed and removable
  5. Remote logging and monitoring data
  6. Physical interconnections and topologies
  7. Archival media, tape or other backups

 

Details of the systems from which the evidence was collected, including who has access to those systems and at what level of permissions, should be recorded. Such details should include the hardware and software configurations of the systems from which the data was obtained.

Chain of Custody

Although evidence may have been gathered from sources that support attribution to an accused individual, it can be argued that the evidence could have been altered or fabricated after it was collected. In order to counter this argument, a rigorous chain of custody must be defined and followed.
Chain of custody involves the collection, handling, and secure storage of evidence. Detailed records should be kept of the following:
  • Who discovered and collected the evidence?
  • All details about the handling of evidence including times, places, and personnel involved.
  • Who has primary responsibility for the evidence, when responsibility was assigned, and when custody changed?
  • Who has physical access to the evidence while it was stored? Access should be restricted to only the most essential personnel.

Data Integrity and Preservation

When collecting data, it is important that it is preserved in its original condition. Timestamping of files should be preserved. For this reason, the original evidence should be copied, and analysis should only be conducted on copies of the original. This is to avoid accidental loss or alteration of the evidence. Because timestamps may be part of the evidence, opening files from the original media should be avoided.
The process used to create the copies of the evidence that are used in the investigation should be recorded. Whenever possible, the copies should be direct bit-level copies of the original storage volumes.

It should be possible to compare the archived disk image and the investigated disk image to identify whether the contents of the investigated disk have been tampered with. For this reason, it is important to archive and protect the original disk to keep it in its original, untampered condition.

Volatile memory could contain forensic evidence, so special tools should be used to preserve that evidence before the device is shut down and the evidence is lost. Users should not disconnect, unplug, or turn off infected machines unless explicitly told to do so by security personnel.

Following these processes will ensure that any evidence of wrongdoing is preserved and that any indicators of compromise can be identified.
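
As an added illustration (not part of the original article, and not code from any forensic tool it mentions), the following Python example shows how the two preceding sections fit together in practice: a bit-level copy is taken, the original and the copy are hashed at acquisition, every later hand-off re-hashes the working image, and a chain-of-custody record is kept of who held the evidence and when. The evidence bytes, names and timestamps are constructed samples; a real acquisition would read from a write-blocked device instead of an in-memory byte string.

```python
"""Bit-level copy, hashing and chain-of-custody record for a seized volume.

Added example, not from the page; uses a constructed in-memory 'disk image'
instead of a real device so that it runs offline.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: pretend these bytes are the raw contents of a seized volume.
ORIGINAL_MEDIA = b"MBR\x00" + b"NTFS    " + bytes(range(256)) * 8 + b"patient_record_0001.txt"


def sha256_of(data: bytes, chunk: int = 4096) -> str:
    """Hash the image in chunks, as an imaging tool would for a multi-GB device."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


@dataclass
class CustodyEntry:
    when: str
    who: str
    action: str
    sha256: str


@dataclass
class EvidenceItem:
    item_id: str
    acquisition_hash: str          # hash of the original at seizure time
    log: list = field(default_factory=list)

    def record(self, who: str, action: str, sha256: str, when: Optional[str] = None) -> None:
        """Append one chain-of-custody entry (time, person, action, hash seen)."""
        when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log.append(CustodyEntry(when, who, action, sha256))


def acquire(media: bytes, item_id: str, examiner: str, when: str) -> tuple:
    """Make a bit-level working copy, hash original and copy, and log the acquisition."""
    working_copy = bytes(media)            # byte-for-byte duplicate of the original
    acq_hash = sha256_of(media)
    if sha256_of(working_copy) != acq_hash:
        raise RuntimeError("copy does not match original; imaging failed")
    item = EvidenceItem(item_id, acq_hash)
    item.record(examiner, "acquired and imaged; original sealed", acq_hash, when)
    return item, working_copy


def verify(item: EvidenceItem, image: bytes) -> bool:
    """Compare an image against the hash taken at acquisition."""
    return hmac.compare_digest(sha256_of(image), item.acquisition_hash)


def transfer(item: EvidenceItem, image: bytes, frm: str, to: str, when: str) -> bool:
    """Re-hash at every hand-off. A mismatch is logged and custody stays with `frm`."""
    ok = verify(item, image)
    status = "verified" if ok else "HASH MISMATCH"
    item.record(to if ok else frm, f"custody {frm} -> {to} ({status})", sha256_of(image), when)
    return ok
```

The hash is compared with `hmac.compare_digest` out of habit rather than necessity here; the point that matters for an investigation is that the acquisition hash is recorded once, on the sealed original, and every subsequent entry in the log carries the hash that the receiving party observed.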

Attack Attribution

After the extent of the cyberattack has been assessed and evidence collected and preserved, incident response can move to identify the source of the attack. As we know, a wide range of threat actors exist, ranging from disgruntled individuals, hackers, cybercriminals and criminal gangs, to nation-states.
Some criminals act from inside the network, while others can be on the other side of the world. The sophistication of cybercrime varies as well. Nation-states may employ large groups of highly-trained individuals to carry out an attack and hide their tracks, while other threat actors may openly brag about their criminal activities.
Threat attribution refers to the act of determining the individual, organization, or nation responsible for a successful intrusion or attack incident. Identifying responsible threat actors should occur through the principled and systematic investigation of the evidence.
While it may be useful to also speculate as to the identity of threat actors by identifying potential motivations for an incident, it is important not to let this bias the investigation. For example, attributing an attack to a commercial competitor may lead the investigation away from the possibility that a criminal gang or nation-state was responsible.
In an evidence-based investigation, the incident response team correlates the Tactics, Techniques, and Procedures (TTP) that were used in the incident with other known exploits. Cybercriminals, much like other criminals, have specific traits that are common to most of their crimes.

Threat intelligence sources can help to map the TTP identified by an investigation to known sources of similar attacks. However, this highlights a problem with threat attribution. Evidence of cybercrime is seldom direct evidence. Identifying commonalities between TTPs for known and unknown threat actors is circumstantial evidence.

Some aspects of a threat that can aid in attribution are the location of originating hosts or domains, features of the code used in malware, the tools used, and other techniques. Sometimes, at the national security level, threats cannot be openly attributed because doing so would expose methods and capabilities that need to be protected.

For internal threats, asset management plays a major role. Uncovering the devices from which an attack was launched can lead directly to the threat actor. IP addresses, MAC addresses, and DHCP logs can help track the addresses used in the attack back to a specific device. AAA logs are very useful in this regard, as they track who accessed what network resources at what time.
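
The following Python example is added here to show the internal-attribution join the paragraph describes; it is not from the article or from any DHCP or AAA product. Starting from an IP address and the time it was seen in the attack, it finds the most recent DHCP lease for that address (the MAC and hostname of the device) and then the AAA accounting session that was open for that MAC at that time (the user and the switch port). The log lines, addresses, usernames and timestamps are constructed samples in a simplified syslog-like layout; real dhcpd and RADIUS accounting records need their own patterns, and the lease example deliberately shows an address being re-issued to a different device later in the day.

```python
"""Trace an IP address seen in an attack back to a device and a user
by joining DHCP lease logs with AAA (RADIUS accounting) logs.

Added example, not from the page. Log formats and all values are constructed
samples; real dhcpd / RADIUS lines differ and need their own regexes.
"""
import re
from datetime import datetime
from typing import Optional

# Constructed DHCP server log: the lease for 10.1.5.23 changes hands at 13:30.
DHCP_LOG = """\
2024-03-10T08:55:10Z dhcpd: DHCPACK on 10.1.5.23 to 00:11:22:33:44:55 (ws-0412) via eth0
2024-03-10T09:02:41Z dhcpd: DHCPACK on 10.1.5.40 to aa:bb:cc:dd:ee:01 (lab-printer) via eth0
2024-03-10T13:30:00Z dhcpd: DHCPACK on 10.1.5.23 to de:ad:be:ef:00:01 (visitor-laptop) via eth0
"""

# Constructed AAA accounting log (RADIUS-style attributes), chronological order.
AAA_LOG = """\
2024-03-10T08:56:02Z radius: Acct-Status-Type=Start User-Name=jdoe Calling-Station-Id=00-11-22-33-44-55 NAS-Port-Id=Gi1/0/12
2024-03-10T12:10:00Z radius: Acct-Status-Type=Stop User-Name=jdoe Calling-Station-Id=00-11-22-33-44-55 NAS-Port-Id=Gi1/0/12
2024-03-10T13:31:15Z radius: Acct-Status-Type=Start User-Name=guest17 Calling-Station-Id=DE-AD-BE-EF-00-01 NAS-Port-Id=Gi1/0/30
"""

DHCP_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)")
AAA_RE = re.compile(r"^(\S+) radius: Acct-Status-Type=(Start|Stop) User-Name=(\S+) "
                    r"Calling-Station-Id=(\S+) NAS-Port-Id=(\S+)")


def norm_mac(mac: str) -> str:
    """Normalise 00-11-22-33-44-55 / 00:11:22:33:44:55 / 0011.2233.4455 to one form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def lease_at(ip: str, when: datetime, dhcp_log: str) -> Optional[dict]:
    """Most recent DHCPACK for `ip` at or before `when` (a lease can change hands)."""
    best = None
    for line in dhcp_log.splitlines():
        m = DHCP_RE.match(line)
        if not m or m.group(2) != ip:
            continue
        t = ts(m.group(1))
        if t <= when and (best is None or t > best["time"]):
            best = {"time": t, "mac": norm_mac(m.group(3)), "hostname": m.group(4)}
    return best


def session_at(mac: str, when: datetime, aaa_log: str) -> Optional[dict]:
    """Who was authenticated on that MAC at `when`: the last Start not closed by a Stop."""
    active = None
    for line in aaa_log.splitlines():
        m = AAA_RE.match(line)
        if not m or norm_mac(m.group(4)) != mac:
            continue
        t = ts(m.group(1))
        if t > when:
            break            # log is chronological; later records cannot apply
        if m.group(2) == "Start":
            active = {"user": m.group(3), "port": m.group(5), "since": t}
        else:
            active = None    # a Stop record closes the session
    return active


def attribute(ip: str, when_iso: str, dhcp_log: str = DHCP_LOG, aaa_log: str = AAA_LOG) -> dict:
    """Join the two sources: IP -> MAC/hostname (DHCP) -> user/switch port (AAA)."""
    when = ts(when_iso)
    result = {"ip": ip, "at": when_iso, "mac": None, "hostname": None, "user": None, "port": None}
    lease = lease_at(ip, when, dhcp_log)
    if lease:
        result.update(mac=lease["mac"], hostname=lease["hostname"])
        sess = session_at(lease["mac"], when, aaa_log)
        if sess:
            result.update(user=sess["user"], port=sess["port"])
    return result
```

The time argument is what makes the join trustworthy: the same address belongs to one device in the morning and to another in the afternoon, and a user whose accounting session has already stopped should not be blamed for traffic seen later, which is why the functions return `None` rather than the nearest match when nothing was active at that moment.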
 

The MITRE ATT&CK Framework

One way to attribute an attack is to model threat actor behavior. The MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) Framework enables the detection of attacker tactics, techniques, and procedures (TTP) as part of threat defence and attack attribution.

This is done by mapping the steps in an attack to a matrix of generalized tactics and describing the techniques that are used in each tactic. Tactics consist of the technical goals that an attacker must accomplish in order to execute an attack, and techniques are the means by which the tactics are accomplished.

Finally, procedures are the specific actions taken by threat actors in the techniques that have been identified. Procedures are the documented real-world use of techniques by threat actors.

The MITRE ATT&CK Framework is a global knowledge base of threat actor behaviour. It is based on observation and analysis of real-world exploits with the purpose of describing the behaviour of the attacker, not the attack itself. It is designed to enable automated information sharing by defining data structures for the exchange of information between its community of users and MITRE.

The figure shows an analysis of ransomware exploits from the excellent ANY.RUN online sandbox. The columns show the enterprise attack matrix tactics, with the techniques that are used by the malware arranged under the columns. Clicking a technique lists details of the procedures used by the specific malware instance, with a definition, explanation, and examples of the technique.

 

Note: Do an internet search on MITRE ATT&CK to learn more about the tool.

MITRE ATT&CK Matrix for a Ransomware Exploit
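
An added example, written for this page and not code from ANY.RUN or from MITRE: the following Python maps a handful of constructed sandbox observations of a ransomware sample (the "procedures") to ATT&CK technique and tactic identifiers and lays the result out as matrix columns in tactic order, the same tactic/technique/procedure layering the section describes. The technique and tactic IDs are real ATT&CK identifiers; the regex rules and the observation text are a small constructed subset for illustration, so a tactic with no match may simply be outside the rule set rather than absent from the attack.

```python
"""Map an incident's observed procedures to ATT&CK techniques and tactics,
and lay them out as matrix columns the way the sandbox view in the figure does.

Added example, not from the page and not MITRE's own tooling. The technique
and tactic IDs are real ATT&CK identifiers; the rule set is a small constructed
subset, and the sandbox observations below are constructed sample text.
"""
import re
from collections import OrderedDict

# Enterprise tactics in matrix (kill-chain) order; a subset of the full matrix.
TACTICS = OrderedDict([
    ("TA0001", "Initial Access"),
    ("TA0002", "Execution"),
    ("TA0003", "Persistence"),
    ("TA0011", "Command and Control"),
    ("TA0040", "Impact"),
])

# (technique id, name, tactic id, regex over a procedure description). Constructed rule subset.
RULES = [
    ("T1566.001", "Phishing: Spearphishing Attachment", "TA0001",
     r"email attachment|\.docm?\b.*(mail|attach)"),
    ("T1204.002", "User Execution: Malicious File", "TA0002",
     r"user (opened|double-clicked|executed)"),
    ("T1059.001", "Command and Scripting Interpreter: PowerShell", "TA0002",
     r"powershell"),
    ("T1547.001", "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder", "TA0003",
     r"CurrentVersion\\Run"),
    ("T1071.001", "Application Layer Protocol: Web Protocols", "TA0011",
     r"HTTP(S)? (POST|GET|beacon)"),
    ("T1486", "Data Encrypted for Impact", "TA0040",
     r"encrypt(ed|s|ing) .*files|ransom note"),
]

# Constructed sandbox observations of a ransomware sample (the "procedures").
OBSERVATIONS = [
    "User opened invoice.docm received as an email attachment",
    "winword.exe spawned powershell.exe -enc ...",
    "powershell.exe wrote HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "HTTP POST to 203.0.113.9 every 60 s with host fingerprint",
    "Encrypted 1,204 files under C:\\Users and dropped a ransom note",
]


def map_procedures(observations):
    """Return {tactic_id: [(technique_id, name, [matching observations]), ...]} in matrix order."""
    matrix = OrderedDict((tid, []) for tid in TACTICS)
    for tech_id, name, tactic, pattern in RULES:
        hits = [o for o in observations if re.search(pattern, o, re.IGNORECASE)]
        if hits:
            matrix[tactic].append((tech_id, name, hits))
    return matrix


def uncovered_tactics(matrix):
    """Tactics with no mapped technique: either not observed, or a gap in the rule set."""
    return [TACTICS[t] for t, techs in matrix.items() if not techs]


def render(matrix) -> str:
    """One column per tactic, techniques underneath with their procedure counts."""
    cols = []
    for tactic_id, techs in matrix.items():
        body = "\n".join(f"  {tid} {name} ({len(hits)} procedure(s))"
                         for tid, name, hits in techs) or "  -"
        cols.append(f"{TACTICS[tactic_id]} [{tactic_id}]\n{body}")
    return "\n".join(cols)
```

Note that one observation can legitimately land under two techniques (opening the attachment is both the delivery vector of T1566.001 and the user action of T1204.002), and that a single technique can collect several procedures (both PowerShell observations map to T1059.001); the matrix in the figure shows exactly that many-to-many relationship.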

Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that at an individual and corporate level. I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained include staff of Dangote Refinery, FCMB, Zenith Bank, and New Horizons Nigeria, among others. Please come on WhatsApp and let’s talk about your training. You can reach me on WhatsApp HERE. Please note that I will be using Microsoft Teams to facilitate the training.

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.

 

Fact Check Policy

CRMNIGERIA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.

Cyber Kill Chain In Cybersecurity: Facts To Know

The Cyber Kill Chain was developed by Lockheed Martin to identify and prevent cyber intrusions. There are seven steps to the Cyber Kill Chain. Focusing on these steps helps analysts understand the techniques, tools, and procedures of threat actors.

When responding to a security incident, the objective is to detect and stop the attack as early as possible in the kill chain progression. The earlier the attack is stopped, the less damage is done and the less the attacker learns about the target network.

The Cyber Kill Chain specifies what an attacker must complete to accomplish their goal. The steps in the Cyber Kill Chain are shown in the figure.
If the attacker is stopped at any stage, the chain of attack is broken. Breaking the chain means the defender successfully thwarted the threat actor’s intrusion. Threat actors are successful only if they complete Step 7.

Note: Threat actor is the term used throughout this course to refer to the party instigating the attack. However, Lockheed Martin uses the term “adversary” in its description of the Cyber Kill Chain. Therefore, the terms adversary and threat actor are used interchangeably in this topic.

The figure depicts the steps of the Cyber Kill Chain in a numbered vertical list. The steps of the Cyber Kill Chain are explained in detail in the next sections of the text.

 

Reconnaissance

Reconnaissance is when the threat actor performs research, gathers intelligence, and selects targets. This will inform the threat actor whether the attack is worth performing. Any public information may help to determine the what, where, and how of the attack to be performed.
There is a lot of publicly available information, especially for larger organizations, including news articles, websites, conference proceedings, and public-facing network devices. Increasing amounts of information about employees is available through social media outlets.
The threat actor will choose targets that have been neglected or unprotected because they will have a higher likelihood of being penetrated and compromised. All information obtained by the threat actor is reviewed to determine its importance and whether it reveals possible additional avenues of attack.
The table summarizes some of the tactics and defences used during the reconnaissance step.
Adversary Tactics – Plan and conduct research:
  • Harvest email addresses
  • Identify employees on social media
  • Collect all public relations information (press releases, awards, conference attendees, etc.)
  • Discover internet-facing servers
  • Conduct scans of the network to identify IP addresses and open ports
SOC Defenses – Discover the adversary’s intent:
  • Web log alerts and historical search data
  • Data mine browser analytics
  • Build playbooks for detecting behaviour that indicates recon activity
  • Prioritize defence around technologies and people that reconnaissance activity is targeting

Weaponization

The goal of this step is to use the information from reconnaissance to develop a weapon against specific targeted systems or individuals in the organization. To develop this weapon, the designer will use the vulnerabilities of the assets that were discovered and build them into a tool that can be deployed.
After the tool has been used, it is expected that the threat actor has achieved their goal of gaining access into the target system or network, or of degrading the health of a target or of the entire network. The threat actor will further examine network and asset security to expose additional weaknesses, gain control over other assets, or deploy additional attacks.
It is not difficult to choose a weapon for the attack. The threat actor needs to look at what attacks are available for the vulnerabilities they have discovered. There are many attacks that have already been created and tested at large.
One problem is that because these attacks are so well known, they are most likely also known by the defenders. It is often more effective to use a zero-day attack to avoid detection methods. A zero-day attack uses a weapon that is unknown to defenders and network security systems.
The threat actor may wish to develop their own weapon that is specifically designed to avoid detection, using the information about the network and systems that they have learned. Attackers have learned how to create numerous variants of their attacks in order to evade network defences.
The table summarizes some of the tactics and defences used during the weaponization step.
Adversary Tactics – Prepare and stage the operation:
  • Obtain an automated tool to deliver the malware payload (weaponizer).
  • Select or create a document to present to the victim.
  • Select or create a backdoor and command and control infrastructure.
SOC Defense – Detect and collect weaponization artefacts:
  • Ensure that IDS rules and signatures are up to date.
  • Conduct full malware analysis.
  • Build detections for the behaviour of known weaponizers.
  • Determine whether the malware is old, “off the shelf” malware or new malware that might indicate a tailored attack.
  • Collect files and metadata for future analysis.
  • Determine which weaponizer artefacts are common to which campaigns.

Delivery

During this step, the weapon is transmitted to the target using a delivery vector. This may be through the use of a website, removable USB media, or an email attachment. If the weapon is not delivered, the attack will be unsuccessful.
The threat actor will use many different methods to increase the odds of delivering the payload such as encrypting communications, making the code look legitimate, or obfuscating the code.
Security sensors are so advanced that they can detect the code as malicious unless it is altered to avoid detection. The code may be altered to seem innocent, yet still perform the necessary actions, even though it may take longer to execute.
The table summarizes some of the tactics and defences used during the delivery step.
Adversary Tactics – Launch malware at target:
  • Direct against web servers
  • Indirect delivery through:
    • Malicious email
    • Malware on a USB stick
    • Social media interactions
    • Compromised websites
SOC Defense – Block delivery of malware:
  • Analyze the infrastructure path used for delivery.
  • Understand targeted servers, people, and data available to attack.
  • Infer intent of the adversary based on targeting.
  • Collect email and web logs for forensic reconstruction.

Exploitation

After the weapon has been delivered, the threat actor uses it to exploit the vulnerability and gain control of the target. The most common exploit targets are applications, operating system vulnerabilities, and users. The attacker must use an exploit that gains the effect they desire.
This is very important. If the wrong exploit is used, the attack will obviously not work, and unintended side effects such as a DoS condition or multiple system reboots will draw undue attention that could easily inform cybersecurity analysts of the attack and of the threat actor’s intentions.
The table summarizes some of the tactics and defences used during the exploitation step.
Adversary Tactics – Exploit a vulnerability to gain access:
  • Use software, hardware, or human vulnerability
  • Acquire or develop the exploit
  • Use an adversary-triggered exploit for server vulnerabilities
  • Use a victim-triggered exploit such as opening an email attachment or malicious weblink
SOC Defense – Train employees, secure code, and harden devices:
  • Employee security awareness training and periodic email testing
  • Web developer training for securing code
  • Regular vulnerability scanning and penetration testing
  • Endpoint hardening measures
  • Endpoint auditing to forensically determine the origin of the exploit

Installation

This step is where the threat actor establishes a back door into the system to allow for continued access to the target. To preserve this backdoor, it is important that remote access does not alert cybersecurity analysts or users.
The access method must survive through antimalware scans and rebooting of the computer to be effective. This persistent access can also allow for automated communications, especially effective when multiple channels of communication are necessary when commanding a botnet.
The table summarizes some of the tactics and defences used during the installation step.
Adversary Tactics – Install persistent backdoor:
  • Install webshell on a web server for persistent access.
  • Create a point of persistence by adding services, AutoRun keys, etc.
  • Some adversaries modify the timestamp of the malware to make it appear as part of the operating system.
SOC Defense – Detect, log, and analyze installation activity:
  • HIPS to alert or block common installation paths.
  • Determine if malware requires elevated privileges or user privileges.
  • Endpoint auditing to discover abnormal file creations.
  • Determine if malware is a known threat or a new variant.

Command and Control

In this step, the goal is to establish command and control (CnC or C2) with the target system. Compromised hosts usually beacon out of the network to a controller on the internet. This is because most malware requires manual interaction in order to exfiltrate data from the network.
CnC channels are used by the threat actor to issue commands to the software that they installed on the target.
The cybersecurity analyst must be able to detect CnC communications in order to discover the compromised host. This may be in the form of unauthorized Internet Relay Chat (IRC) traffic or excessive traffic to suspect domains.
The table summarizes some of the tactics and defences used during the command and control step.
Adversary Tactics – Open channel for target manipulation:
  • Open two-way communications channel to CnC infrastructure
  • Most common CnC channels are over the web, DNS, and email protocols
  • CnC infrastructure may be adversary owned or another victim network itself
SOC Defense – Last chance to block operation:
  • Research possible new CnC infrastructures
  • Discover CnC infrastructure through malware analysis
  • Isolate DNS traffic to suspect DNS servers, especially Dynamic DNS
  • Prevent impact by blocking or disabling the CnC channel
  • Consolidate the number of internet points of presence
  • Customize rules to block CnC protocols on web proxies
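
The section says that compromised hosts "beacon out" and that the analyst must detect CnC traffic, for instance excessive traffic to suspect domains. The following Python example, added here and not code from the article or from any proxy product, runs that idea over a constructed web-proxy log: for every (client, destination host) pair it measures the gaps between requests and flags pairs whose timing is nearly constant, which is how an automated check-in looks next to a person browsing. It also marks whether the destination sits under a parent domain the SOC has put on a Dynamic DNS watch list, echoing the table's "isolate DNS traffic to suspect DNS servers" defence. Log lines, hostnames and the thresholds are constructed for the example.

```python
"""Spot CnC beaconing in web-proxy logs: a host that contacts the same
external domain at near-constant intervals is behaving like malware
checking in with a controller, not like a person browsing.

Added example, not from the page. The log lines and domain names are
constructed; the interval and jitter thresholds are illustrative choices.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp, client IP, method, destination host, bytes sent.
PROXY_LOG = """\
2024-03-10T09:00:00Z 10.1.5.23 GET updates.example-cdn.test 512
2024-03-10T09:00:03Z 10.1.5.23 GET updates.example-cdn.test 1200
2024-03-10T09:05:01Z 10.1.5.23 POST c2-relay.dyn-host.test 312
2024-03-10T09:10:00Z 10.1.5.23 POST c2-relay.dyn-host.test 310
2024-03-10T09:11:30Z 10.1.5.23 GET news.example.test 8800
2024-03-10T09:15:02Z 10.1.5.23 POST c2-relay.dyn-host.test 315
2024-03-10T09:20:00Z 10.1.5.23 POST c2-relay.dyn-host.test 309
2024-03-10T09:25:01Z 10.1.5.23 POST c2-relay.dyn-host.test 311
2024-03-10T09:29:44Z 10.1.5.40 GET news.example.test 9100
2024-03-10T09:30:00Z 10.1.5.23 POST c2-relay.dyn-host.test 313
2024-03-10T09:31:12Z 10.1.5.40 GET updates.example-cdn.test 700
2024-03-10T09:45:00Z 10.1.5.40 GET news.example.test 7600
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")

# Constructed watch list of Dynamic DNS parent domains the SOC treats as suspect.
SUSPECT_DYNDNS = {"dyn-host.test"}


def parse(log: str):
    """Yield (time, client, host, bytes) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
                   m.group(2), m.group(4), int(m.group(5)))


def parent_domain(host: str) -> str:
    """Last two labels of the hostname (good enough for the constructed names here)."""
    return ".".join(host.split(".")[-2:])


def beacon_candidates(log: str, min_hits: int = 5, max_jitter: float = 0.05) -> list:
    """Pairs whose inter-request timing is suspiciously regular.

    jitter = population stdev / mean of the gaps between successive requests;
    a scripted check-in has jitter near 0, human browsing does not.
    """
    times = defaultdict(list)
    sizes = defaultdict(list)
    for t, src, host, nbytes in parse(log):
        times[(src, host)].append(t)
        sizes[(src, host)].append(nbytes)
    findings = []
    for key, stamps in times.items():
        if len(stamps) < max(min_hits, 2):      # need at least one gap to measure
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            findings.append({
                "src": key[0], "host": key[1],
                "interval_s": round(mean, 1), "jitter": round(jitter, 4),
                "dyndns": parent_domain(key[1]) in SUSPECT_DYNDNS,
                "bytes_stdev": round(statistics.pstdev(sizes[key]), 1),
            })
    return findings
```

The `min_hits` floor matters: a pair with only two requests has a single gap and therefore a jitter of exactly zero, so lowering the floor to 2 makes an ordinary CDN fetch look like a beacon. The near-constant request size (`bytes_stdev`) is a second signal worth keeping in the alert, since check-ins that carry the same small status blob every time tend to be as uniform in size as they are in timing.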

Actions on Objectives

The final step of the Cyber Kill Chain describes the threat actor achieving their original objective. This may be data theft, performing a DDoS attack, or using the compromised network to create and send spam or mine Bitcoin. At this point the threat actor is deeply rooted in the systems of the organization, hiding their moves and covering their tracks. It is extremely difficult to remove the threat actor from the network.
The table summarizes some of the tactics and defences used during the actions on the objectives step.
Adversary Tactics – Reap the rewards of a successful attack:
  • Collect user credentials
  • Privilege escalation
  • Internal reconnaissance
  • Lateral movement through an environment
  • Collect and exfiltrate data
  • Destroy systems
  • Overwrite, modify, or corrupt data
SOC Defense – Detect by using forensic evidence:
  • Establish incident response playbook
  • Detect data exfiltration, lateral movement, and unauthorized credential usage
  • Immediate analyst response for all alerts
  • Forensic analysis of endpoints for rapid triage
  • Network packet captures to recreate the activity
  • Conduct damage assessment


Understanding Diamond Model Of Intrusion Analysis

 

The Diamond Model of Intrusion Analysis is made up of four parts, as shown in the figure. The model represents a security incident or event. In the Diamond Model, an event is a time-bound activity that is restricted to a specific step in which an adversary uses a capability over infrastructure to attack a victim to achieve a specific result.
The four core features of an intrusion event are adversary, capability, infrastructure, and victim:

  • Adversary – These are the parties responsible for the intrusion.
  • Capability – This is a tool or technique that the adversary uses to attack the victim.
  • Infrastructure – This is the network path or paths that the adversaries use to establish and maintain command and control over their capabilities.
  • Victim – This is the target of the attack. However, a victim might be the target initially and then used as part of the infrastructure to launch other attacks.

The adversary uses capabilities over infrastructure to attack the victim. The model can be interpreted as saying, “The adversary uses the infrastructure to connect to the victim. The adversary develops a capability to exploit the victim.” For example, a capability like malware might be used over the email infrastructure by an adversary to exploit a victim.

 

Meta-features expand the model slightly to include the following important elements:

  • Timestamp – This indicates the start and stop time of an event and is an integral part of grouping malicious activity.
  • Phase – This is analogous to steps in the Cyber Kill Chain; malicious activity includes two or more steps executed in succession to achieve the desired result.
  • Result – This delineates what the adversary gained from the event. Results can be documented as one or more of the following: confidentiality compromised, integrity compromised, and availability compromised.
  • Direction – This indicates the direction of the event across the Diamond Model. These include Adversary-to-Infrastructure, Infrastructure-to-Victim, Victim-to-Infrastructure, and Infrastructure-to-Adversary.
  • Methodology – This is used to classify the general type of event, such as port scan, phishing, content delivery attack, SYN flood, etc.
  • Resources – These are one or more external resources used by the adversary for the intrusion event, such as software, adversary’s knowledge, information (e.g., username/passwords), and assets to carry out the attack (hardware, funds, facilities, network access).

 

The figure depicts the Diamond Model as a line drawn diamond. The core features of an intrusion event are located at each of the corners of the diamond. An adversary is placed on the top, infrastructure is on the left, the victim is on the bottom, and capability is on the right. There are arrows pointing away from the word adversary at the top to the words infrastructure and capability on the sides, and then arrows pointing from infrastructure and capability to the word victim on the bottom.
The arrows are used to describe the interaction between the core features. The adversary uses the infrastructure to connect to the victim, and the adversary develops a capability to exploit the victim. Within the diamond is an arrow connecting the adversary and victim and an arrow connecting infrastructure and capability. In the top left of the image is a text list of the Meta-Features; Timestamp, Phase, Result, Direction, Methodology, and Resources.

The Diamond Model

Pivoting Across the Diamond Model

As a cybersecurity analyst, you may be called on to use the Diamond Model of Intrusion Analysis to diagram a series of intrusion events. The Diamond Model is ideal for illustrating how the adversary pivots from one event to the next.
For example, in the figure, an employee reports that his computer is acting abnormally. A host scan by the security technician indicates that the computer is infected with malware. An analysis of the malware reveals that the malware contains a list of CnC domain names. These domain names resolve to a list of IP addresses. These IP addresses are then used to identify the adversary, as well as investigate logs to determine if other victims in the organization are using the CnC channel.
The figure depicts the Diamond Model’s characterization of an exploit. The diamond with the core features is shown, and there are numbered steps with arrows connecting the various core features. Step 1 connects the victim to the capability and has the note “Victim discovers malware”. Step 2 connects the capability and infrastructure and has the note “Malware contains CnC domain”. Step 3 has an arrow arched out from infrastructure to the note “CnC domain resolves to CnC IP address”. Step 4 connects infrastructure to a victim with the note “Firewall logs reveal further victims contacting CnC IP address”. Step 5 connects infrastructure to an adversary, with the note “IP address ownership details reveal adversary”.

Diamond Model Characterization of an Exploit

The Diamond Model and the Cyber Kill Chain

Adversaries do not operate in just a single event. Instead, events are threaded together in a chain in which each event must be successfully completed before the next event. This thread of events can be mapped to the Cyber Kill Chain previously discussed in the chapter.
The following example, shown in the figure, illustrates the end-to-end process of an adversary as they vertically traverse the Cyber Kill Chain, use a compromised host to horizontally pivot to another victim, and then begin another activity thread:
  1. Adversary conducts a web search for victim company Gadgets, Inc., receiving as part of the results the domain name gadgets.com.
  2. Adversary uses the newly discovered domain gadgets.com for a new search, “network administrator gadgets.com”, and discovers forum postings from users claiming to be network administrators of gadgets.com. The user profiles reveal their email addresses.
  3. Adversary sends phishing emails with a Trojan horse attached to the network administrators of gadgets.com.
  4. One network administrator (NA1) of gadgets.com opens the malicious attachment. This executes the enclosed exploit, allowing for further code execution.
  5. NA1’s compromised host sends an HTTP POST message to an IP address, registering it with a CnC controller. NA1’s compromised host receives an HTTP Response in return.
  6. It is revealed from reverse engineering that the malware has additional IP addresses configured which act as a backup if the first controller does not respond.
  7. Through a CnC HTTP response message sent to NA1’s host, the malware begins to act as a web proxy for new TCP connections.
  8. Through the proxy that is running on NA1’s host, Adversary does a web search for “most important research ever” and finds Victim 2, Interesting Research Inc.
  9. Adversary checks NA1’s email contact list for any contacts from Interesting Research Inc. and discovers the contact for the Interesting Research Inc. Chief Research Officer.
  10. The Chief Research Officer of Interesting Research Inc. receives a spear-phishing email from Gadgets Inc.’s NA1’s email address, sent from NA1’s host, with the same payload as observed in Event 3.
The adversary now has two compromised victims from which additional attacks can be launched. For example, the adversary could mine the Chief Research Officer’s email contacts for the additional potential victims. The adversary might also set up another proxy to exfiltrate all of the Chief Research Officer’s files.
Note: This example is a modification of the U.S. Department of Defense’s example in the publication “The Diamond Model of Intrusion Analysis”.
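
The following Python example is added here to make the two preceding sections concrete; it is not from the article or from the Diamond Model paper. It models a Diamond event with its four core features and the meta-features listed earlier, strings a few of the ten steps above into an activity thread keyed to Cyber Kill Chain phases (checking that the phase never moves backwards for the same victim, while a new victim can start a new thread at Delivery), and implements the pivot from the "Pivoting Across the Diamond Model" section: from the CnC domains found in the malware (capability) through DNS answers (infrastructure) to other internal hosts seen contacting that infrastructure in the firewall log. The domain names, addresses, log lines and DNS answers are constructed samples; the `.test` names stand in for the gadgets.com scenario.

```python
"""Diamond Model events, an activity thread keyed to Cyber Kill Chain phases,
and the pivot from a captured capability to further victims via infrastructure.

Added example, not from the page and not from the Diamond Model paper. Domain
names, IP addresses, log lines and DNS answers are constructed samples.
"""
from dataclasses import dataclass, field

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]


@dataclass
class Event:
    """One Diamond event: the four core features plus the meta-features the page lists."""
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    timestamp: str
    phase: str                          # a Cyber Kill Chain step
    result: str = "unknown"             # confidentiality/integrity/availability compromised
    direction: str = "Infrastructure-to-Victim"
    methodology: str = ""
    resources: list = field(default_factory=list)

    def __post_init__(self):
        if self.phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill chain phase: {self.phase}")


def activity_thread(events: list) -> list:
    """Order events by time; for one victim the phase must not move backwards."""
    thread = sorted(events, key=lambda e: e.timestamp)
    for a, b in zip(thread, thread[1:]):
        if b.victim == a.victim and KILL_CHAIN.index(b.phase) < KILL_CHAIN.index(a.phase):
            raise ValueError(f"phase regression for {a.victim}: {a.phase} -> {b.phase}")
    return thread


def example_thread() -> list:
    """A few of the page's ten steps as Diamond events (constructed timestamps)."""
    adv = "Adversary"
    return [
        Event(adv, "web search", "search engine", "gadgets.com",
              "2024-03-01T10:00:00Z", "Reconnaissance", methodology="OSINT"),
        Event(adv, "Trojan attachment", "phishing email", "NA1@gadgets.com",
              "2024-03-02T08:30:00Z", "Delivery", methodology="phishing"),
        Event(adv, "exploit in attachment", "NA1 host", "NA1 host",
              "2024-03-02T08:41:00Z", "Exploitation", result="integrity compromised"),
        Event(adv, "HTTP POST beacon", "198.51.100.7", "NA1 host",
              "2024-03-02T08:42:10Z", "Command and Control", direction="Victim-to-Infrastructure"),
        # Horizontal pivot: NA1's host becomes infrastructure against a second victim.
        Event(adv, "same Trojan payload", "NA1 host (as proxy)", "CRO@interesting-research.test",
              "2024-03-03T09:00:00Z", "Delivery", methodology="spear-phishing"),
    ]


# Constructed: CnC domains recovered from the malware sample (capability -> infrastructure).
MALWARE_CNC_DOMAINS = ["upd.c2-one.test", "sync.c2-two.test"]

# Constructed passive-DNS / resolver answers for those domains.
DNS_ANSWERS = {"upd.c2-one.test": ["198.51.100.7"],
               "sync.c2-two.test": ["198.51.100.7", "203.0.113.21"]}

# Constructed firewall log: time, source, destination, action.
FIREWALL_LOG = """\
2024-03-10T09:05:01Z 10.1.5.23 198.51.100.7 ALLOW
2024-03-10T09:07:13Z 10.1.5.40 93.184.216.34 ALLOW
2024-03-10T09:10:00Z 10.1.5.23 198.51.100.7 ALLOW
2024-03-10T09:12:44Z 10.1.7.8 203.0.113.21 ALLOW
2024-03-10T09:15:02Z 10.1.9.15 198.51.100.7 DENY
"""


def pivot(cnc_domains: list, dns_answers: dict, firewall_log: str, first_victim: str) -> dict:
    """Capability -> infrastructure (domains, IPs) -> other hosts seen talking to it."""
    cnc_ips = {ip for d in cnc_domains for ip in dns_answers.get(d, [])}
    victims = {}
    for line in firewall_log.splitlines():
        t, src, dst, action = line.split()
        if dst in cnc_ips and src != first_victim:
            victims.setdefault(src, []).append((t, dst, action))
    return {"cnc_ips": sorted(cnc_ips), "further_victims": victims}
```

Two details are worth noticing in the pivot. A DENY entry still names a further victim: the firewall stopped that particular connection, but an internal host trying to reach CnC infrastructure is infected whether or not the attempt succeeded. And the backup controller addresses from step 6 are why all of the malware's domains are resolved before the log is searched, not just the one that answered first.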
Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level. I have trained several individuals and groups, and they are doing well in their various fields of endeavour. Some of those that I have trained include staff of Dangote Refinery, FCMB, Zenith Bank, and New Horizons Nigeria, among others. Please come on WhatsApp and let’s talk about your training. You can reach me on WhatsApp HERE. Please note that I will be using Microsoft Teams to facilitate the training.

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.

 

Fact Check Policy

CRMNAIJA is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.

 

     

How To Establish Incident Response Capability

 

Incident Response involves the methods, policies, and procedures that are used by an organization to respond to a cyber attack. The aims of incident response are to limit the impact of the attack, assess the damage caused, and implement recovery procedures.
Because of the potential large-scale loss of property and revenue that can be caused by cyber-attacks, it is essential that organizations create and maintain detailed incident response plans and designate personnel who are responsible for executing all aspects of that plan. In this article, I want to talk about some of the ways to establish Incident Response Capability in cybersecurity. 

 

The U.S. National Institute of Standards and Technology (NIST) recommendations for incident response are detailed in their Special Publication 800-61, revision 2, entitled “Computer Security Incident Handling Guide.”

 

Note: Although this chapter summarizes much of the content in the NIST 800-61r2 standard, you should be familiar with the entire publication as it covers four major exam topics for the Understanding Cisco Cybersecurity Operations Fundamentals exam.
The NIST 800-61r2 standard provides guidelines for incident handling, particularly for analyzing incident-related data, and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.
The first step for an organization is to establish a computer security incident response capability (CSIRC). NIST recommends creating policies, plans, and procedures for establishing and maintaining a CSIRC.
Policy Elements
An incident response policy details how incidents should be handled based on the organization’s mission, size, and function. The policy should be reviewed regularly to adjust it to meet the goals of the roadmap that has been laid out. Policy elements include the following:
  • Statement of management commitment
  • Purpose and objectives of the policy
  • Scope of the policy
  • Definition of computer security incidents and related terms
  • Organizational structure and definition of roles, responsibilities, and levels of authority
  • Prioritization of severity ratings of incidents
  • Performance measures
  • Reporting and contact forms

Plan Elements
A good incident response plan helps to minimize damage caused by an incident. It also helps to make the overall incident response program better by adjusting it according to lessons learned. It will ensure that each party involved in the incident response has a clear understanding of not only what they will be doing, but what others will be doing as well. Plan elements are as follows:

  • Mission
  • Strategies and goals
  • Senior management approval
  • An organizational approach to incident response
  • How the incident response team will communicate with the rest of the organization and with other organizations
  • Metrics for measuring the incident response capacity
  • How the program fits into the overall organization

 

Procedure Elements

The procedures that are followed during an incident response should follow the incident response plan. Procedure elements are as follows:

  • Technical processes
  • Using techniques
  • Filling out forms
  • Following checklists

These are typical standard operating procedures (SOPs). These SOPs should be detailed so that the mission and goals of the organization are in mind when these procedures are followed. SOPs minimize errors that may be caused by personnel that are under stress while participating in incident handling. It is important to share and practice these procedures, making sure that they are useful, accurate, and appropriate.

Incident Response Stakeholders

Other groups and individuals within the organization may also be involved with incident handling. It is important to ensure that they will cooperate before an incident is underway. Their expertise and abilities can help the Computer Security Incident Response Team (CSIRT) to handle the incident quickly and correctly. These are some of the stakeholders that may be involved in handling a security incident:

 

  • Management – Managers create the policies that everyone must follow. They also design the budget and are in charge of staffing all of the departments. Management must coordinate the incident response with other stakeholders and minimize the damage of an incident.
  • Information Assurance – This group may need to be called in to change things such as firewall rules during some stages of incident management such as containment or recovery.
  • IT Support – This is the group that works with the technology in the organization and understands it the most. Because IT support has a deeper understanding, it is more likely that they will perform the correct action to minimize the effectiveness of the attack or preserve evidence properly.
  • Legal Department – It is a best practice to have the legal department review the incident policies, plans, and procedures to make sure that they do not violate any local or federal guidelines. Also, if any incident has legal implications, a legal expert will need to become involved. This might include prosecution, evidence collection, or lawsuits.
  • Public Affairs and Media Relations – There are times when the media and the public might need to be informed of an incident, such as when their personal information has been compromised during an incident.
  • Human Resources – The human resources department might need to perform disciplinary measures if an incident caused by an employee occurs.
  • Business Continuity Planners – Security incidents may alter an organization’s business continuity. It is important that those in charge of business continuity planning are aware of security incidents and the impact they have had on the organization as a whole. This will allow them to make any changes in plans and risk assessments.
  • Physical Security and Facilities Management – When a security incident happens because of a physical attack, such as tailgating or shoulder surfing, these teams might need to be informed and involved. It is also their responsibility to secure facilities that contain evidence from an investigation.

 

The Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) framework was created to assess the ability of organizations that perform functions for the U.S. Department of Defense (DoD) to protect the military supply chain from disruptions or losses due to cybersecurity incidents. Security breaches related to DoD information indicated that NIST standards were not sufficient to mitigate the increasing and evolving threat landscape, especially from nation-state threat actors. In order for companies to receive contracts from the DoD, those companies must be certified. The certification consists of five levels, with different levels required depending on the degree of security required by the project.

The CMMC specifies 17 domains, each of which has a varying number of capabilities that are associated with it. The organization is rated by the maturity level that has been achieved for each of the domains. One of the domains concerns incident response. The capabilities that are associated with the incident response domain are as follows:

  • Plan incident response
  • Detect and report events
  • Develop and implement a response to a declared incident
  • Perform post-incident reviews
  • Test incident response

The CMMC certifies organizations by level. For most domains there are five levels; for incident response, however, there are only four. The higher the level that is certified, the more mature the cybersecurity capability of the organization. A summary of the incident response domain maturity levels is shown below.

  • Level 2 – Establish an incident response plan that follows the NIST process. Detect, report, and prioritize events. Respond to events by following predefined procedures. Analyze the cause of incidents in order to mitigate future issues.
  • Level 3 – Document and report incidents to stakeholders that have been identified in the incident response plan. Test the incident response capability of the organization.
  • Level 4 – Use knowledge of attacker tactics, techniques, and procedures (TTP) to refine incident response planning and execution. Establish a security operation center (SOC) that facilitates a 24/7 response capability.
  • Level 5 – Utilize accepted and systematic computer forensic data gathering techniques including the secure handling and storage of forensic data. Develop and utilize manual and automated real-time responses to potential incidents that follow known patterns.

NIST Incident Response Life Cycle

NIST defines four steps in the incident response process life cycle, as shown in the figure.

  • Preparation – The members of the CSIRT are trained in how to respond to an incident. CSIRT members should continually develop knowledge of emerging threats.
  • Detection and Analysis – Through continuous monitoring, the CSIRT quickly identifies, analyzes, and validates an incident.
  • Containment, Eradication, and Recovery – The CSIRT implements procedures to contain the threat, eradicate the impact on organizational assets, and use backups to restore data and software. This phase may cycle back to detection and analysis to gather more information, or to expand the scope of the investigation.
  • Post-Incident Activities – The CSIRT then documents how the incident was handled, recommends changes for future response, and specifies how to avoid a recurrence.

The incident response life cycle is meant to be a self-reinforcing learning process whereby each incident informs the process for handling future incidents. Each of these phases is discussed in more detail in this topic.

The image depicts the NIST incident response cycle, with arrows showing the normal workflow and feedback in an incident response.

Incident Response Life Cycle

Preparation

The preparation phase is when the CSIRT is created and trained. This phase is also when the tools and assets that will be needed by the team to investigate incidents are acquired and deployed. The following list has examples of actions that also take place during the preparation phase:

  • Organizational processes are created to address communication between people on the response team. This includes such things as contact information for stakeholders, other CSIRTs, and law enforcement, an issue tracking system, smartphones, encryption software, etc.
  • Facilities to host the response team and the SOC are created.
  • Necessary hardware and software for incident analysis and mitigation are acquired. This may include forensic software, spare computers, servers and network devices, backup devices, packet sniffers, and protocol analyzers.
  • Risk assessments are used to implement controls that will limit the number of incidents.
  • Validation of security hardware and software deployment is performed on end-user devices, servers, and network devices.
  • User security awareness training materials are developed.

Additional incident analysis resources might be required. Examples of these resources are a list of critical assets, network diagrams, port lists, hashes of critical files, and baseline readings of system and network activity. Mitigation software is also an important item when preparing to handle a security incident. An image of a clean OS and application installation files may be needed to recover a computer from an incident.
Often, the CSIRT may have a jump kit prepared. This is a portable box with many of the items listed above to help in establishing a swift response. Some of these items may be a laptop with appropriate software installed, backup media, and any other hardware, software, or information to help in the investigation. It is important to inspect the jump kit on a regular basis to install updates and make sure that all the necessary elements are available and ready for use. It is helpful to practice deploying the jump kit with the CSIRT to ensure that the team members know how to use its contents properly.

The same boxes as the previous section are shown with the preparation box highlighted.

Preparation Phase

Detection and Analysis

The same boxes as the previous section are shown with the detection and analysis box highlighted.

Detection & Analysis Phase

Because there are so many different ways in which a security incident can occur, it is impossible to create instructions that completely cover each step to follow to handle them. Different types of incidents will require different responses.
Attack Vectors

An organization should be prepared to handle any incident but should focus on the most common types of incidents so that they can be dealt with swiftly. These are some of the more common types of attack vectors:

  • Web – Any attack that is initiated from a website or application hosted by a website.
  • Email – Any attack that is initiated from an email or email attachment.
  • Loss or Theft – Any equipment that is used by the organization such as a laptop, desktop, or smartphone can provide the required information for someone to initiate an attack.
  • Impersonation – When something or someone benign is replaced with something malicious.
  • Attrition – Any attack that uses brute force to attack devices, networks, or services.
  • Media – Any attack that is initiated from external storage or removable media.

Containment, Eradication, and Recovery

The same boxes as the previous section are shown with the containment, eradication, and recovery box highlighted.

Containment, Eradication, and Recovery Phase

After a security incident has been detected and sufficient analysis has been performed to determine that the incident is valid, it must be contained in order to determine what to do about it. Strategies and procedures for incident containment need to be in place before an incident occurs and must be implemented before there is widespread damage.

For every type of incident, a containment strategy should be created and enforced. These are some conditions to determine the type of strategy to create for each incident type:

  • How long will it take to implement and complete a solution?
  • How much time and how many resources will be needed to implement the strategy?
  • What is the process to preserve evidence?
  • Can an attacker be redirected to a sandbox so that the CSIRT can safely document the attacker’s methodology?
  • What will be the impact to the availability of services?
  • What is the extent of damage to resources or assets?
  • How effective is the strategy?

During containment, additional damage may be incurred. For example, it is not always advisable to unplug the compromised host from the network. The malicious process could notice the loss of its connection to the CnC controller and trigger a data wipe or encryption on the target. This is where experience and expertise can help to contain an incident beyond the scope of the containment strategy.

Post-Incident Activities

The same boxes as the previous section are shown with the post-incident activity box highlighted.

Post-Incident Activity Phase

After incident response activities have eradicated the threats and the organization has begun to recover from the effects of the attack, it is important to take a step back and periodically meet with all of the parties involved to discuss the events that took place and the actions of all of the individuals while handling the incident. This will provide a platform to learn what was done right, what was done wrong, what could be changed, and what should be improved upon.
Lessons-based hardening
After a major incident has been handled, the organization should hold a “lessons learned” meeting to review the effectiveness of the incident handling process and identify necessary hardening needed for existing security controls and practices. Examples of good questions to answer during the meeting include the following:
  • Exactly what happened, and when?
  • How well did the staff and management perform while dealing with the incident?
  • Were the documented procedures followed? Were they adequate?
  • What information was needed sooner?
  • Were any steps or actions taken that might have inhibited the recovery?
  • What would the staff and management do differently the next time a similar incident occurs?
  • How could information sharing with other organizations be improved?
  • What corrective actions can prevent similar incidents in the future?
  • What precursors or indicators should be watched for in the future to detect similar incidents?
  • What additional tools or resources are needed to detect, analyze, and mitigate future incidents?

Incident Data Collection and Retention

Data collected in ‘lessons learned’ meetings can be used to determine the cost of an incident for budgeting purposes, to measure the effectiveness of the CSIRT, and to identify possible security weaknesses throughout the system. The collected data needs to be actionable. Only collect data that can be used to define and refine the incident handling process.
A higher number of incidents handled can show that something in the incident response methodology is not working properly and needs to be refined. It could also show incompetence in the CSIRT. A lower number of incidents might show that network and host security has been improved. It could also show a lack of incident detection. Separate incident counts for each type of incident may be more effective at showing the strengths and weaknesses of the CSIRT and the implemented security measures. These subcategories help to target where a weakness resides, rather than merely whether there is a weakness at all.
The time spent on each incident provides insight into the total amount of labor used and the total time of each phase of the incident response process. The time until the first response is also important, as is how long it took to report the incident and escalate it beyond the organization, if necessary.
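As an added example (not code from the original article or from NIST), here is one way to turn incident records into the metrics just described: counts per incident type, time spent in each life-cycle phase, time to first response, and time to external escalation. The incident records are constructed sample data; the phase names and the labor estimate (elapsed time times responders assigned) are this example's own choices.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Added example, not part of the original article. Records are constructed.
# Phases follow the NIST life cycle; "reported_at" starts detection and analysis.
PHASES = ("detection_and_analysis", "containment_eradication_recovery", "post_incident")


@dataclass
class Incident:
    ident: str
    category: str                                   # attack vector: web, email, media, ...
    reported_at: datetime                           # when the CSIRT was notified
    first_response_at: datetime                     # first action by a responder
    phase_ends: Dict[str, datetime]                 # phase name -> when that phase ended
    analysts: int = 1                               # responders assigned (labor estimate)
    escalated_externally_at: Optional[datetime] = None


def phase_durations(inc: Incident) -> Dict[str, timedelta]:
    """Time spent in each phase, in the order NIST defines them.

    Every phase must be present and end in order; a record that violates this
    is a data-quality problem and is rejected rather than mis-measured.
    """
    durations: Dict[str, timedelta] = {}
    start = inc.reported_at
    for phase in PHASES:
        if phase not in inc.phase_ends:
            raise ValueError(f"{inc.ident}: missing end time for phase {phase}")
        end = inc.phase_ends[phase]
        if end < start:
            raise ValueError(f"{inc.ident}: phase {phase} ends before it starts")
        durations[phase] = end - start
        start = end
    return durations


def time_to_first_response(inc: Incident) -> timedelta:
    return inc.first_response_at - inc.reported_at


def escalation_delay(inc: Incident) -> Optional[timedelta]:
    """How long after the report the incident went beyond the organization, if it did."""
    if inc.escalated_externally_at is None:
        return None
    return inc.escalated_externally_at - inc.reported_at


def labor_hours(inc: Incident) -> float:
    """Rough labor estimate: total elapsed handling time times responders assigned."""
    total = sum(phase_durations(inc).values(), timedelta())
    return total.total_seconds() / 3600 * inc.analysts


def counts_by_category(incidents: List[Incident]) -> Dict[str, int]:
    """Separate counts per incident type, which localize a weakness better than a total."""
    return dict(Counter(inc.category for inc in incidents))


def mean_first_response_minutes(incidents: List[Incident], category: Optional[str] = None) -> float:
    """Mean time to first response, overall or for one incident type."""
    chosen = [inc for inc in incidents if category is None or inc.category == category]
    if not chosen:
        raise ValueError("no incidents to measure")
    return sum(time_to_first_response(i).total_seconds() for i in chosen) / 60 / len(chosen)


# Constructed sample records (three incidents in one month).
SAMPLE: List[Incident] = [
    Incident("INC-1", "email", datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 9, 20),
             {"detection_and_analysis": datetime(2024, 3, 4, 11, 0),
              "containment_eradication_recovery": datetime(2024, 3, 4, 17, 0),
              "post_incident": datetime(2024, 3, 6, 12, 0)},
             analysts=2, escalated_externally_at=datetime(2024, 3, 4, 14, 0)),
    Incident("INC-2", "web", datetime(2024, 3, 10, 22, 0), datetime(2024, 3, 11, 0, 30),
             {"detection_and_analysis": datetime(2024, 3, 11, 3, 0),
              "containment_eradication_recovery": datetime(2024, 3, 11, 15, 0),
              "post_incident": datetime(2024, 3, 12, 15, 0)}),
    Incident("INC-3", "email", datetime(2024, 3, 15, 8, 0), datetime(2024, 3, 15, 8, 5),
             {"detection_and_analysis": datetime(2024, 3, 15, 9, 0),
              "containment_eradication_recovery": datetime(2024, 3, 15, 10, 0),
              "post_incident": datetime(2024, 3, 15, 12, 0)}),
]

if __name__ == "__main__":
    print(counts_by_category(SAMPLE))
    for inc in SAMPLE:
        print(inc.ident, phase_durations(inc), labor_hours(inc), escalation_delay(inc))
    print(round(mean_first_response_minutes(SAMPLE), 1), "min overall")
    print(round(mean_first_response_minutes(SAMPLE, "email"), 1), "min for email incidents")
```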
It is important to perform an objective assessment of each incident. The response to an incident that has been resolved can be analyzed to determine how effective it was. NIST Special Publication 800-61 provides the following examples of activities that are performed during an objective assessment of an incident:
  • Reviewing logs, forms, reports, and other incident documentation for adherence to established incident response policies and procedures.
  • Identifying which precursors and indicators of the incident were recorded to determine how effectively the incident was logged and identified.
  • Determining if the incident caused damage before it was detected.
  • Determining if the actual cause of the incident was identified, and identifying the vector of attack, the vulnerabilities exploited, and the characteristics of the targeted or victimized systems, networks, and applications.
  • Determining if the incident is a recurrence of a previous incident.
  • Calculating the estimated monetary damage from the incident (e.g., information and critical business processes negatively affected by the incident).
  • Measuring the difference between the initial impact assessment and the final impact assessment.
  • Identifying which measures, if any, could have prevented the incident.

Subjective assessment of each incident requires that incident response team members assess their own performance, as well as that of other team members and of the entire team. Another valuable source of input is the owner of a resource that was attacked, in order to determine if the owner thinks the incident was handled efficiently and if the outcome was satisfactory.

There should be a policy in place in each organization that outlines how long evidence of an incident is retained. Evidence is often retained for many months or many years after an incident has taken place. In some cases, compliance regulations may mandate the retention period. These are some of the determining factors for evidence retention:

  • Prosecution – When an attacker will be prosecuted because of a security incident, the evidence should be retained until after all legal actions have been completed. This may be several months or many years. In legal actions, no evidence should be overlooked or considered insignificant. An organization’s policy may state that any evidence surrounding an incident that has been involved with legal actions must never be deleted or destroyed.
  • Data Type – An organization may specify that specific types of data should be kept for a specific period of time. Items such as email or text may only need to be kept for 90 days. More important data such as that used in an incident response (that has not had legal action), may need to be kept for three years or more.
  • Cost – If there is a lot of hardware and storage media that needs to be stored for a long time, it can become costly. Remember also that as technology changes, functional devices that can still read the outdated hardware and storage media must be retained as well.

Reporting Requirements and Information Sharing

Governmental regulations should be consulted by the legal team to determine precisely the organization’s responsibility for reporting the incident. In addition, management will need to determine what additional communication is necessary with other stakeholders, such as customers, vendors, partners, etc.
Beyond the legal requirements and stakeholder considerations, NIST recommends that an organization coordinate with other organizations to share details of the incident. For example, the organization could log the incident in the VERIS community database.
The critical recommendations from NIST for sharing information are as follows:
  • Plan incident coordination with external parties before incidents occur.
  • Consult with the legal department before initiating any coordination efforts.
  • Perform incident information sharing throughout the incident response life cycle.
  • Attempt to automate as much of the information sharing process as possible.
  • Balance the benefits of information sharing with the drawbacks of sharing sensitive information.
  • Share as much of the appropriate incident information as possible with other organizations.


8 Expert Tips To Clear CEH Exam In First Attempt

 

With the Covid-19 pandemic ravaging the country, more and more businesses have had to shift online. While many businesses struggle to get their feet off the ground in the online sphere, organizations that help with IT training and obtaining ethical hacker certification have been around the block.

 

Whether you are getting your ethical hacker certification or an Azure certification, these online educational centres have you covered with all the prep material and concepts you need. Being no strangers to online learning, they perfected their course material before teaching you.

8 Things To Know If You Want To Pass The CEH Examination

Given below are the top 8 things you need to know, which are also the tips that will help you clear the CEH examination successfully.

Practical Knowledge 

Using real-world situations to help you study will ensure you understand the concepts better, allowing you to grasp them more fully and recall them quickly during the cybersecurity certification examination.

Predict The Pattern And Study Accordingly

The test aims to make candidates display the essential skills in the syllabus and then evaluate them. The difficulty of the tests and the criteria for passing are determined by leading ethical hackers in the field.

There are many websites available online that focus on predicting the pattern. While they may not be accurate, they can give you a clue as to how the paper will be structured. Studying according to the pattern, which means giving more attention to areas with higher mark weightage, is how you will pass the exam.

#1 Stay Focused

Staying focused will significantly benefit you, especially if you are balancing a full-time job while studying for the examination. Setting deadlines and completing self-made assignments within that limited time is one of the best ways to make sure you are on track.

 

These are just a few simple ways you can be well prepared for your exam if you don’t want to take assistance from a training centre or take up a related course. If you have time, you can take up these tips along with learning from an online or offline course as well.

#2 Make A Study Plan And A Study Group

The process of studying and applying for the ethical hacker certification can cost quite a bit. So whether you are going with a training partner or not, you should consider making a study plan. Being disciplined while following this plan will only help you prep properly.

Another method that has a lot of success is making study groups with other candidates applying for the same exam. Exchanging notes and clearing doubts with them is much more helpful than any study material you can buy.

#3 CEH Exam Pattern

While preparing, it is crucial to study the exam format while also covering the syllabus. Sometimes knowing is not enough; you have to budget your time so that you finish the exam with time to spare.
The CEH exam offered by the EC-Council is an MCQ test of 125 questions. The test duration is 4 hours, and all 125 MCQ questions have to be answered.

#4 Practice Exams

Practice exams are an essential tool when prepping for any exam; they let you know your strong points and your weak points, ensuring you spend adequate time on each. Taking practice tests during this time will also help you see which areas your knowledge is lacking in.

#5 Start Early

Sometimes it just boils down to who is better prepared and smarter and not who has understood the concepts better. The extra time you spend in prep will significantly benefit you when the time comes.

#6 Ask For Help

Do not be afraid to ask for help, especially when you need it, either from your IT training partner or from an online community of aspiring ethical hackers.

Conclusion

Going with Koenig Solutions as your IT training partner is one of the best decisions you can make for yourself. Not only do they provide extensive study material which will help you pass the exam, but through their practical approach, they give you a significant boost to get your career of ethical hacking off the ground.
The ethical hacking course offered by Koenig Solutions is specially crafted for maximum knowledge retention by those juggling work with preparing to become a CEH.

 

 


The Ultimate Online Privacy Guide for Journalists

 

As a journalist in 2021, the dangers you face are ever-increasing. Without the proper protection from online threats, you risk hackers stealing confidential information, exposing your sources, breaking anonymity, and getting hold of your unpublished stories. You’d be a prime victim for blackmail — or worse.

 

Some of these dangers can even be extreme and life-threatening. According to UNESCO, 495 journalists were killed between 2014 and 2018, which is an 18% increase compared to the latest 5-year period. In addition, more journalists are being murdered in non-conflict zones than from within conflict zones. Out of all the journalists killed in 2018, 33% were TV journalists, 26% were print journalists, and journalists in online media formed a significant 15%.

Being based in a non-conflict zone no longer assures your safety like it used to. Working online from behind a screen can’t guarantee you’ll be protected either. As the journalism industry trend continues to move from print to digital, it is imperative to your well-being — and that of your colleagues and sources — that you put the appropriate online privacy safeguards in place.

Securing your software and hardware with the right encryption tools can help you keep your confidential files and sensitive information from falling into the wrong hands. It’s also vital to utilize privacy-enhancing software to protect your anonymity and that of all your contacts.

Below are 12 ways you can protect your work, your sources, and yourself in 2021.

#1 Send Messages to Sources on Secure Apps

Whenever you contact someone by text or voice, there’s a chance your messages will be intercepted or that a third-party is listening to your phone call. By using a messaging app with strong encryption, you no longer need to worry about unwanted eavesdropping.

Even though many messaging apps have basic encryption — and some even promise end-to-end encryption — you need to be careful which apps you choose. For example, WhatsApp claims to have end-to-end encryption, but its parent company Facebook has an extremely poor reputation for protecting its users’ privacy.

Thankfully, there are secure messaging apps available. These apps will ensure safe communication between you and your sources or colleagues.

  • Signal — Strong combination of end-to-end encryption and extremely limited logs. This was confirmed in a court case, when all the company could produce was the time of account creation and the last log on.
  • Telegram — Provides encryption, self-destructing messages, and two-factor authentication.
  • Threema — Threema doesn’t use your phone number but instead creates an anonymous ID for you. This is great for talking to someone whom you don’t want to directly give your number to.

 

 

Besides top-of-the-line encryption, the Signal app offers some additional privacy features

All of the apps above offer end-to-end encryption and other security features, but Signal and Telegram require your phone number. Although the number is hashed and anonymized, I recommend signing up with a brand new number that isn’t linked to you.

#2 Secure Your Email to Protect Confidential Files

Email is most likely your main point of communication, aside from instant messaging. Unfortunately, major email providers are still failing to provide standard encryption options. This means your emails can be intercepted and read, especially at the recipient’s end.

If you’re planning to send or receive potentially sensitive data, it is best to sign up for a secure email service.
Tutanota is one of the best options available as it encrypts everything — including the subject line, text, attachments, and even your address book.

 

Use an encrypted email service like Tutanota, which encrypts all aspects of sent emails

Tutanota has a free and paid version, with storage space ranging from 1GB to 1TB.

When emailing someone using a mainstream email provider, Tutanota will send them a message with a link to enter a password and unlock your message. This keeps your emails anonymous in all circumstances. I like Tutanota as it’s constantly being improved by developers and privacy experts, and includes a free mobile client.

Other popular email services like ProtonMail and Hushmail offer many of the same features. However, Tutanota is the only one to encrypt the entirety of an email.

#3 Encrypt All Your Devices

You need to ensure that the devices you and your sources use are encrypted. This includes your computers, tablets, phones, and external hard drives.
There are three ways to protect your sensitive data on your devices:

  1. Full-disk encryption (FDE): This is the most secure way to encrypt your device. Your disk will only be accessible with a password or PIN code. If your drive contains unfinished reporting and other sensitive files, this step is vital to take.
    You can use BitLocker if you’re a Windows user, and macOS users can use FileVault. You can also use BitLocker to encrypt your external drives, such as USB drives and memory cards. macOS users do this via Disk Utility.
  2. Encrypting specific files or folders: You can use open-source software, like VeraCrypt, to encrypt individual files and folders.
  3. Air gapping: This is a basic form of protection where you keep your device disconnected at all times. However, this method is only effective if your system is perpetually offline — this means no Bluetooth or NFC either.

 

#4 Visit Websites Starting with HTTPS

What’s the difference between HTTP and HTTPS? HTTP doesn’t encrypt data sent between your browser and a website — but HTTPS does. This is essential if you’re interacting with sensitive data, need to log in with private credentials, or are making financial transactions.

An easy way to check if you’re on a secure page is to look at the address bar. Is the site you’re on using “http://” or “https://”? You should also pay attention to the small padlock symbol to the left of the address bar. This can show you if a connection isn’t secure, even if you appear to be on an HTTPS page.

 

Ensure your browser uses HTTPS and has a secure connection

#5 Use a Private Internet Browser

It’s no secret that many web browsers store your personal, private, and financial information. If you are reporting on a sensitive case, this data could be intercepted by hackers, the government, or other unwanted third parties.
Don’t forget that it’s not just about securing your work, but ensuring you won’t be silenced in other ways. If you have particular online interests that you don’t want others knowing about, such as your porn viewing habits, these could be used against you as blackmail.

Using your browser’s private or incognito mode won’t ensure your privacy, as your ISP and other parties can still track what you’re doing. I recommend combining your browser’s private mode with a VPN, or using a more private browser.
Here are my recommended private browsers:

TOR (The Onion Router)

TOR is the most private option on this list. It was originally developed by the US Navy for anonymous communication.

TOR encrypts your data and “bounces” it randomly around the world via a network of volunteer relays. Additionally, all your requests are routed via HTTPS (a more secure protocol), no scripts are loaded (making you harder to track), and you’re permanently in incognito mode (so none of your browsing data is stored).
This way, you can research and communicate freely without worrying about being tracked, and even navigate the dark web.

Firefox

Run by the non-profit Mozilla organization, Firefox has built-in tracker blocking and is monetized almost entirely via royalties from partnerships and distribution deals. This means none of your browsing data is sold to third-party companies to make money.

I highly recommend using the DuckDuckGo search engine in Firefox, which doesn’t store any data or track your activities. While DuckDuckGo doesn’t present as many search results as Google, it’s still a much safer option for performing anonymous research.

You can also use Firefox’s “Containers” add-on to separate your browsing activity without having to clear your history, log in and out, or use multiple browsers.

Brave Browser

Brave is based on Chromium, the open-source code powering Chrome. However, aside from the core code, the two browsers are very different. Unlike Chrome, Brave automatically blocks cross-site trackers and adverts, and upgrades your connection to HTTPS. This helps you remain more anonymous online.

 

Brave automatically blocks trackers and upgrades your connection to HTTPS
Warning! Avoid Chrome as Your Internet Browser
Google’s business model relies on collecting vast quantities of personal data and monetizing it. While this isn’t inherently dangerous, the data stored can be obtained by malicious third parties or law enforcement officials. In fact, you should avoid all of Google’s services to avoid your data being leaked.
If you do keep a Google account, consider signing up for their Advanced Protection scheme. This adds more defences and restrictions to your Google account and associated apps. It was specifically created by Google for journalists, activists, business leaders, and political campaign teams.

#6 Stay Anonymous Online with a VPN

A VPN, or Virtual Private Network, is a global network of servers that offers an anonymous and encrypted internet connection. The encryption hides all your online activities so that your traffic is unidentifiable and no one can trace your browsing back to you.

A VPN is extremely useful if you’re reporting from countries where government surveillance is a threat. It helps you work under the radar of the country’s surveillance technology, keeping your traffic and online activities private.

 

Use a VPN to encrypt your traffic and avoid censorship by connecting to servers around the world

Before connecting to a VPN server, you should first check if the server is hosted in a country that is part of any intelligence-sharing alliances. These agreements may result in VPN providers being forced to hand over your online information to the government.

There are currently three significant alliances involving a total of 14 countries, with some potential third-party contributors.

  • 5 Eyes — USA, UK, Canada, Australia, and New Zealand
  • 9 Eyes — 5 Eyes Countries plus Denmark, France, The Netherlands, and Norway
  • 14 Eyes — 9 Eyes Countries plus Germany, Belgium, Italy, Sweden, and Spain
  • Potential 3rd-Party Contributors — Israel, Japan, Singapore, and South Korea

You should also be careful not to connect to servers in countries with potentially hostile governments. For instance, if you’re reporting on a sensitive issue in Russia, you could be targeted by Russian intelligence. If you connect to a server that is physically in Russia, it is possible that the local authorities could be monitoring this server — and hence your online activities.

It’s especially important for journalists to get a VPN with a no-log policy. These providers will not store any information about your online activity. Highly recommended no-log VPNs for journalists are NordVPN, ExpressVPN, and Surfshark.

Don’t trust free VPNs! Free VPNs are not trustworthy enough for secure journalistic needs. To make a profit, free VPNs are even known to sell user data and give network access to malicious third parties. Make sure you thoroughly research any free services you use before entrusting them with your own valuable data.

For an in-depth look at how VPNs work, check out our complete beginner’s guide to VPNs.

#7 Use a Zero-Knowledge Cloud Provider

You can use cloud services to send large files to your colleagues or sources, especially if they’re geographically far away.
However, make sure you use a zero-knowledge cloud provider — this ensures your files will be encrypted before they’re uploaded. A unique password will then be issued to your recipient in order to decrypt the files.
Sync and pCloud are two zero-knowledge cloud services that provide secure end-to-end encryption, even with their free plans.

#8 Create Strong Passwords

It’s extremely important to use strong passwords, especially for your email accounts. If a hacker gets access to your primary email account, they could quickly use the same password to break into more of your online accounts.
However, contrary to popular belief, a password with a random combination of uppercase and lowercase letters, numbers, and symbols isn’t the strongest option. Neither is it the easiest to remember.

Here’s how you can create a strong password:

  • Make a long password — make sure it’s at least 11 characters long.
  • Use random words — you could flick randomly through a dictionary until you have 4+ words and link them together.
  • Ensure it’s easy to remember — choose several words that have no connection but that you are able to remember.
  • Use a unique password for each account — don’t repeat the same password twice.

People use weak passwords because they can’t remember more complex — and therefore stronger — passwords.
Luckily, password managers exist to store your login credentials. You’ll only have to remember one “master password”, which unlocks the whole vault. I recommend using KeePass, LastPass, or Dashlane — all of these password managers are secure and user-friendly, with free and paid plans available.
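As an added illustration of the rules above (this is editor-supplied example code, not part of the original guide or of any password manager), the snippet below generates a random-word passphrase with the operating system's cryptographic RNG, estimates its entropy from the size of the word list, checks the article's length and word-count rules, and flags passwords reused across accounts. The word list is a constructed sample; the entropy figures depend directly on the list size.

```python
import math
import secrets

# Constructed sample word list for the demonstration (32 words = 5 bits per word).
# A real generator should draw from a large published list such as the EFF long
# list (7776 words, about 12.9 bits per word).
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orbit", "pebble",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "bridge", "copper", "desert", "forest", "glacier", "meadow", "summit",
]


def generate_passphrase(words, count=4, separator="-"):
    """Pick `count` words uniformly at random using the OS CSPRNG.

    secrets.choice is used deliberately: random.choice is a predictable
    PRNG and must never be used to generate passwords.
    """
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Entropy of a passphrase built from `count` independent picks out of `list_size` words."""
    return count * math.log2(list_size)


def check_password_rules(password, separator="-", min_length=11, min_words=4):
    """Apply the article's two measurable rules; returns a list of violations (empty = pass)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len([w for w in password.split(separator) if w]) < min_words:
        problems.append(f"fewer than {min_words} words")
    return problems


def find_reused_passwords(vault):
    """Given {account: password}, return {password: [accounts]} for every password
    used by more than one account (the 'unique password per account' rule).
    A real password manager would run this check over its decrypted vault."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(phrase, "->", check_password_rules(phrase) or "passes the rules")
    print("bits from this sample list:", entropy_bits(len(SAMPLE_WORDS), 4))
    print("bits from a 7776-word list:", round(entropy_bits(7776, 4), 1))
```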

#9 Use Two-Factor Authentication (2FA)

If you’re storing sensitive material on one or more of your online accounts, 2FA is vital.
2FA requires two types of authentication before giving you access to your online account. You first enter your normal account login details, and then enter a randomized token sent to your physical device.
The necessity for a physical device adds a strong extra layer of security. Even if someone gains access to your credentials, they will need this device to actually log in.

You can set up 2FA in 3 ways:

  1. On your phone. For Android users, you can use andOTP or Google Authenticator. For iOS users, you can use OTP Auth or Yubico Authenticator. Authy is a good choice if you use both operating systems.
  2. Via a physical device like YubiKey or Google Titan. It needs to be physically plugged in or tapped against your phone (if NFC is supported) for verification.
  3. Via SMS or email. This is the least-secure method, but you should still set it up if it’s the only type of 2FA on offer.

While app-based 2FA is the easiest and most widely-supported method, physical 2FA is the safer choice.

#10 Watch out for Basic Dangers to Journalists

These online threats are simple to avoid but can cause major issues if you fall victim to them.

Phishing

Phishing is a cyber attack that tricks victims into believing they are being contacted by a trusted company or service.
Here’s an example: you receive an email that looks like it’s from Google, asking you to verify something on their site via a link. When you click the link and log in to the site, a hacker steals your login credentials. Even if you’re using 2FA and enter your code on the phishing website, hackers can use this information to immediately log in to your real account.

This means everything you’ve stored on Google — including Gmail and Google Drive — can now be accessed by the hacker.

You can see an example of a phishing email below:

 

This phishing email looks like it came from FedEx, but it has some red flags such as the strange email address

While it looks semi-official, you can see that it isn’t addressed to anyone in particular, and the formatting and punctuation are strange. However, the main red flag is the email address, which is clearly not related to FedEx.
You still need to be vigilant about what you open and click when receiving emails. Cyber attackers can also appear to use a company’s own domain to impersonate the company or one of its employees.

Malware

Be careful not to accidentally infect your device with malware when browsing the internet. Journalists should be especially concerned about ransomware, which encrypts your whole hard drive and demands a monetary ransom in exchange for restoring access.
Make sure you use your common sense and avoid visiting potentially malicious websites. Don’t browse non-secure websites and avoid websites inundated with adverts, especially pop-ups. Bookmark sites you regularly return to so you know you’re visiting the real version.

You can use Malwarebytes’ anti-malware software to regularly scan your computer for threats. The free version is enough to detect malware, but the premium version offers useful extras, including ransomware protection and real-time protection.

 

Regularly scan your machine for malware — Malwarebytes’ free version is a good option

You should also be aware of “malvertising”, which quietly delivers malware via adverts without you even realizing it. Use an adblocker such as uBlock Origin on Chrome or Firefox to protect yourself against this threat.

Keep Your Devices Updated

Keeping your devices updated ensures you’ll be protected from the newest security threats. This advice applies to the operating system on your laptop or computer, mobile devices, and programs or apps you use.

Lock Your Devices and Set up Tracking

Make sure you have some form of lock on your mobile device and computer. Passwords are more secure than fingerprints or facial unlocking.
In case you ever need to recover a lost device, you can set up device tracking on Android and iOS devices. You can also activate the option to remotely wipe your devices, in case confidential information falls into the wrong hands.

 

Make sure you can always track your mobile device, so you can locate or remotely wipe it

#11 Use an Alternative to Slack in the Newsroom

Instant messengers and collaborative tools such as Slack or Skype for Business have made their way into workplaces around the world. As journalists, you may be sending sensitive data and files to your colleagues via these channels. You need to make sure they can’t be accessed by unauthorized third parties.

Slack is one of the most widely-used collaboration tools, thanks to its user-friendliness. However, Slack does not employ security features such as end-to-end encryption or self-destructing messages.

More secure options are:

  • Keybase Teams — Similar to Slack, but with end-to-end encryption and a self-destruct feature that completely removes messages from the conversation.
  • Riot — Built on the open-source Matrix protocol, Riot offers the best implementation of end-to-end encryption plus a user-friendly interface.
  • Wickr — Includes end-to-end encryption, auto-deletion of messages, and forensic deleting of content from your device.
  • Semaphor — A zero-knowledge messenger protected with end-to-end encryption and blockchain technology.

 

#12 Educate Your Sources and Colleagues

The average person doesn’t know how to share confidential information in a secure way — and this includes your sources. It’s important that you show your contacts how they can protect any confidential files and communicate privately with encrypted messages and emails. Even if they already know, it’s in both of your best interests to discuss a standard operating procedure (SOP) before cooperating.
Explain to them that under no circumstances should they deviate from your SOP. It’s best to meet in person to avoid leaving any digital footprints — even if it’s just to set up their online safeguards.
Remember, even if your own online security is close to perfect, you may be vulnerable if your data leaks through other people. Your online security is only as strong as those in your circle of communication.

Lazy Security Costs Journalists — Protect Yourself Now

Every journalist needs to protect themselves online with strong security tools — from hackers, state-sponsored operatives, and others who actively work to prevent damning stories from being published.
Here are the fastest and easiest ways to secure your digital presence immediately:

By taking your first steps towards staying private online, you can keep your stories and investigative pieces secure until they’re ready to be published.

Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that at an individual and corporate level. I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained include staff of Dangote Refinery, FCMB, Zenith Bank, and New Horizons Nigeria, among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Teams to facilitate the training.

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.

 

 

 


 

Online Advertising: Facts To Know As A Publisher

 

In my previous article, I talked about some of the facts that you need to know about Digital Marketing generally. In this article, I want to talk about some of the facts that you need to know about Online Advertising. Before I do that, I would like to cover some of the terminology you are likely to come across when you advertise online.

 

#1 Advertiser

This is an individual or company that has a product to sell and is looking for means, or for individuals, that can create awareness of it on their behalf. A good example is Nestle or Nike using online media to advertise their products and services.

 

#2 Publisher

This is an individual who has content and is looking for ways of monetising that content. They can allow adverts to be placed within their content in order to make money. A good example is a blogger using AdSense to monetise his blog.

 

#3 Ad Network

The advertising network has the advertising infrastructure that allows both advertiser and publisher to meet so that the advertisers that need publicity and the publisher that needs money can come together in order to create awareness about products and services for the target audience. 

 

#4 Consumer

He or she is the buyer looking for products and services that will satisfy his or her needs.

What then is Online Advertising?

Online Advertising is an effective form of advertising compared to other forms. The reason is that more than a billion people have access to the internet across the globe. Online advertising is also good because it is not passive: customers can interact with it, and it allows them to take action immediately.

 

It also includes email advertising, search engine marketing, mobile advertising, and social media marketing, among others.

 

Here are some of the benefits…

#1 Attract Visitors 

One of the major benefits of this form of advertising is that it will attract visitors to your website. If you are a blogger or content creator expecting reasonable traffic on your website and you are relying on search engine traffic alone, it might not come in time.

 

If you are ready to place banner ads on popular blogs or bid for keywords in order to drive traffic to your website, you will be amazed at the level of traffic that you will have on your website. Online advertising gives you tons of traffic with immediate results. 

 

#2 Convert Visitors 

One of the reasons for running online campaigns is to turn visitors into customers. If you are running campaigns just to create awareness, it might not bring some immediate results.

 

Like I said in one of my articles, you cannot always get a 100 percent conversion rate for your campaign but you have to make sure that your campaign is captivating enough. It must consist of all the information that your prospects need in order to make buying decisions. 

 

#3 Retain and Grow Customers

Online advertising can also assist organisations in retaining and growing customers. There are some online customers that will buy your products and they may not necessarily come back for repeat purchases. You can actually run a campaign that will be targeted at this type of customer.

 

You can offer them mouth-watering offers that will make them engage in a repeat purchase. Running this type of campaign can also increase brand awareness among your target audience as well. 

 

 


 


Creating A Blogging Strategy for Newbie Bloggers

 

One of the most important prerequisites for successful blogging is planning. If you approach blogging with a detailed strategy, this will help you guide your actions and activities when creating, managing, and promoting your blog.

 

With a blogging strategy, you design a plan of where you are and where you want blogging to take you. Regardless of whether you blog as a hobby or want to discover how to turn blogging into a full-time job, creating a blogging strategy will help you reach your goals and figure out the right actions to get there.

 

#1 Goals

Start with goals. Goals are a necessary part of the planning process. Interestingly, a lot of people start blogging without any goals in mind. They start blogging just for the sake of getting published online, with no plans for the future or any idea on how to implement online marketing to promote this content.

However, goals help you keep everything organized and think about content creation more efficiently. It is crucial that blogging goals are:

 

• Custom – Define your own goals. Do not follow a pattern or a universal business plan with generic goals. Instead, create goals that are really plausible for your current situation and make sure you can benefit from these goals.

• Achievable – As much as you like for your blog to become an instant hit, there are no guarantees that it will. Instead, be realistic when creating goals. Take into account your current situation, whether you are starting from scratch or you already have a certain number of followers. Think about your competitors and how they are doing. All of this can affect the goals you can potentially achieve.

• Quantifiable – Having goals you can measure gives you an easy option to compare the planned goals and achieved results. These comparisons can help you understand and analyze your performance and find ways to improve your blogging strategy in the future. Numerical quantifiers are an ideal choice. For example, “increase the number of followers by 20%”, or “gain 200 new followers”. You could also add time frame for this goal to be achieved. So your goal would be “gain 200 new followers within four months”.

 

Goals can also be long-term or short-term, depending on the period you are going to take as a reference. Ideally, you should have both long-term and short-term goals.
Planning gives your blog a purpose. It helps you determine what you want to achieve, and this enables you to define your story, your content, and find your voice.

 

#2 Target group

One of the goals of blogging is gaining trust and influence among your blog visitors. You want to establish yourself as an influencer in the industry and create a base of followers. What is going to help with this is defining your target group. You should be as detailed as possible when doing this. Try to narrow down the group of people you are addressing with your content.

 

As a result, you can create content that is better tailored to your target group. Not only is such content more effective with online users, but it also helps with achieving your goals.
Defining your target group also helps you:
• Plan the blog topics
• Identify ways to monetize your blog
• Determine content distribution channel
• Explore opportunities for online promotion

 

#3 Budget

The next step in your strategy is determining the budget. Depending on your blogging goals and how you want your blog to grow, you will need a budget. The amazing thing about blogging is that you need virtually no investment to start doing it, except for your own time. There are free blogging platforms, you can use royalty-free photos, joining social media is also free, there are plenty of free tools for bloggers, etc.

 

However, if you want to get your blog up to speed, it is advisable to consider it an investment.
The costs related to blogging that you should plan for in your budget include the following:
• Hosting and domain name
• Premium templates, paid plugins, and other tools
• Budget for advertising (search engines, social media, etc.)
• Budget for content creation (it is always possible to hire help for proofreading, editing, creation of visual content, etc.)

 

#4 Content ideas

When you create a strategy, it is advisable to think about content ideas for your blog. This will give you a glimpse into what kind of content you could post on your blog. Since you will also be thinking about your target group, it will help you define content that is tailored based on their interest and expectations.

 

Start by thinking about content formats first. Here are a few ideas:
• How-to articles
• Case studies
• Ebooks
• Guides
• Guest posts
• Interviews
• Lists
• Podcasts
• Company news
• Videos

 

Take a look at the image below to find even more ideas when it comes to different content formats that are available to you when blogging:

 

Also, try to think about topic ideas and try to list at least twenty or even more of them. The best way to get content topic ideas is to do brainstorming.
Start by focusing on the keyword(s) relevant to your blog. Expand the list using synonyms or related keywords. Then try to add other phrases to start creating topics. Some ideas are the following:
• Top 5 [keyword]
• How to [keyword]
• 5 Things You Didn’t Know About [keyword]
• How [keyword] Are Like [other keyword or phrase]
• Why [keyword] Are The New Black
• How [keyword] Can Help You [Succeed/Understand Something/Get Better Results, etc.]
• 10 Ways to Use [keyword]

You could even use Content Idea Generator or Portent’s Content Idea Generator to help you with new content ideas.

 

The main benefits of defining content ideas are these opportunities:
• Create editorial calendar
• Plan promotional and other activities in advance
• Start working on blog monetization ideas
• Determine if you will be needing assistance with content creation and hire someone on time

 

#5 Metrics

The final step of your blogging strategy should be the choice of metrics you want to track and monitor. These metrics help you evaluate the success of your blogging strategy, which is why they are an essential asset in a strategy.
When you have metrics to monitor, you have the opportunity to see if you can achieve them and if not, how you can improve your strategy.
The metrics you define within your blogging strategy should include some (or even all) of the following:

#6 Engagement

Engagement is a metric that shows you how successful you are at engaging your followers. It can be analyzed through a variety of analytics data which include likes, shares, bounce rate, the average session duration, page views, signups, etc.

 

What this metric helps you conclude is how efficient you are in reaching your audience. It shows you success (or failure) at engaging the audience which helps you redefine your blogging strategy. It might be that you are targeting the wrong audience. You might need better content ideas, or your blog might need a revamp.

#7 Acquisition

This metric includes the data about who is sharing your content and where. Use the blog statistics to see the details about the number of clicks. Which articles are being shared the most? Where does this traffic originate from? Is it organic or social media driven traffic?

 

The goal of these metrics is to show you where your content is shared and how you are reaching your online users. This can help you find new (and better) ways to promote your content. It can also provide ideas about using paid advertising or expanding your influence on other content distribution platforms.

#8 Conversions

Finally, the last metric you want to focus on is conversions. A conversion is a desired action. While a sale is most commonly considered a conversion, with blogging it might be something different. For example, signing up for a newsletter or downloading free materials can be considered a conversion.
This metric should show potential to grow as your blog grows. The ability to convert your visitors directly proves your influence and thus shows you a growing power to persuade online visitors. This is an indicator of success, which is why conversions are a metric you should focus on as well.

Together, all of these metrics help you calculate ROI and directly measure the profitability of your blogging strategy. Use a free tool such as Google Analytics to access your blog statistics and get information about these and other metrics that help you evaluate the performance of your blog.

Action Point
PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level. I will be very glad to do that because I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained include the staff of Dangote Refinery, FCMB, Zenith Bank, and New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Teams to facilitate the training.

I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.

Fact Check Policy

CRMNUGGETS is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.


Major Blogging Essentials For Newbies: What To Know

There is a list of things to think about before you are ready to start blogging. These include the blogging essentials, i.e., everything you will need to set up and create a blog. Having a list like this one is very helpful for keeping everything organized from the beginning and planning your blogging strategy with more success.
One of the first things to choose is a blogging platform, after which you will also need the following:

#1 Hosting

Hosting, also called web hosting, is a service that allows individuals and companies to create websites and blogs and make them accessible to online users. It is online storage you will use to store your blog data, from the CMS installation to all the files and images you want to share on your blog.

Platforms like Medium and LinkedIn do not require hosting because you get it when you create an account. It is one of the features these platforms offer to store your data and make it available to online users. Having access to your own hosting provides much more control and flexibility, which is why a CMS such as WordPress.org could be your choice when choosing a platform. Of course, this hosting comes with an added cost, which can be paid monthly or annually, depending on the hosting provider and the plan you choose.
The best way to make a choice is to explore hosting providers, the features they include and the prices they offer for their plans. Some of the popular hosting providers for bloggers include:
• InMotion Hosting
• SiteGround
• BlueHost
• GreenGeeks

#2 Domain name

A domain name is the part of the URL which is used to access the blog. It may or may not match the blog name, but it is generally recommended that it does. When you create a blog and host it with the hosting provider of your choice, you will need to provide the domain name of your blog.
The complete URL starts with www. and is followed by the domain name. It ends with a domain extension, which is most commonly .com, but you can choose other extensions such as .org, .blog, .net, etc.

You can use an online tool such as this one to conduct a domain name search and check if the domain name you want is free.

#3 Template

A blog template, or layout, is a set of predesigned pages that are used to create a blog. You install the template after you install the blogging platform, or you get access to a selection (or sometimes only one layout) if you choose a hosted blogging platform. WordPress is generally known to offer the most extensive selection of blogging templates (also known as themes), including both free and premium templates.

To select a template, you will need to consider the blog layout design. It depends a lot on the type of content you want to create as well as on how you want this content to be presented on the blog. One way you can narrow down the search for a perfect template is by using the filtering feature to sort the results based on:
• Layout – Typically used layouts include grid layout, one-column layout, two-column layout, etc.
• Features – You can filter templates by features such as editor style, post formats, microformats, full-width template, custom menu, etc.
• Subject – Since templates are already pre-designed, they are often tagged based on the subject they would be suitable for. The subject you will be most interested in is a blog, but you can explore other categories if you are creating a niche blog.

#4 Gravatar image

Gravatar stands for Globally Recognized Avatar. It is an image that represents you online, and it appears when you interact with other WordPress blogs. It is a free service which is included as a part of WordPress.com. To have a Gravatar on a self-hosted blog, you will need to install a plugin that integrates the service.
This option is great for featuring blog authors and enabling them to gain more influence among the blog’s readers. Besides the image, a Gravatar profile can also include:
• Name
• Other profiles (such as social networks)
• Short description

#5 Comments

Comments should also be on the list of blog essentials because they enable you to engage with online readers directly. Some commenting features may already be a part of the core platform, but there are plenty of plugins to enhance the experience and add new features, such as the option to post a comment with a Facebook account or through a blog commenting hosting service such as Disqus.

The main benefit of comments is the possibility to increase engagement and encourage visitors to interact with the blog’s author through the comment section. This way you can get feedback, positive (or negative) reviews, additional questions or suggestions from your audience, etc. It can help you improve your overall approach and blogging strategy.

Having comments does mean that you will have to monitor and moderate this section to make sure you prevent any spam from getting publicly posted in the comment section of your blog. You will also need to devote time to answering any questions you might get in the comments. Since the idea is to engage the visitors, you should make sure to answer those questions promptly.

#6 Mailing list

One of the best ways to monetize a blog is through a mailing list, which is why this is essential for bloggers. Think about your subscribers as your asset. When someone decides to subscribe to your blog, it means that the person is interested in getting more news from you and following your future updates. This person values your opinion and wants to hear from you again.

What this means is that you have the power to influence these subscribers. It all starts with generating trust and reputation, but once you do that, you will discover a possibility to convert those visitors.

Among many different monetization tactics and promotions, email marketing stands out as one of the most profitable strategies in online marketing. It is a strategy with the highest conversion rate. As a result, the benefits you can obtain by having a mailing list are numerous.

#7 Social accounts

Bloggers use many different platforms for promoting their content and reaching online users. Social networks are certainly among the top within this group. Therefore, as a blogger, you should create social media accounts which will represent your blog or you as a blogger. You can also connect social accounts with the blogging platform to take advantage of features such as automatic sharing on social media.

Social accounts provide an outlet for you to share content and reach online users. They also offer an opportunity to connect and further establish your reputation. Besides the obvious benefits, social accounts require regular management and implementation of a social media marketing strategy. Hence, you will need to explore this segment of online marketing and find the best ways to combine it with blogging.

#8 Images

Images will enhance your blog significantly. Based on many studies, blog posts with images receive far more clicks, shares, and overall engagement. Images are used to:
• Illustrate the most important aspects
• Draw the attention of the readers
• Divide content into sections
• Provide more information about the topic

When using images in a blog post, make sure that:
• The images are of high quality
• You use the right dimensions when adding them to the post
• The images are relevant to the topic
• You have permission to use the images, to avoid copyright infringement
• The images are optimized so that search engines can index them

Plugins

Plugins are installed on the blogging platform, and they add new features which are not a part of the core platform. Among the reasons why WordPress is such a popular platform for blogging is the fact that the platform offers an extensive number of plugins, both free and premium. These enable blog owners to improve and optimize their blog with advanced features such as memberships, landing pages, contact forms, content optimization, image optimization, backup, migration, lead generation, editorial workflow, etc.

Despite the many benefits they can bring to your blog, plugins have drawbacks as well. Plugins may cause security issues for your blog if there is a problem with their code, which is why you should only install reputable plugins. Additionally, the more plugins you install, the slower your blog will become. It does not matter if all of them are reputable plugins; they are still a burden on your platform and may cause pages to load more slowly. This is why it is important to update plugins regularly and to deactivate the ones you are not using.

#9 Unique content

The highlight of your blog is the content you share. The first characteristic of that content should be uniqueness. Search engines do not like duplicate content. You are also failing at providing value to your readers when you copy content from other blogs.

Instead, your focus should be original content that you create with your target group in mind. Think about how you can explore blogging topics and offer even more value on your blog. This way you will gain loyal readership and increase your influence in the online community. Content is also what is going to help you stand out and leverage the potential of blogging.

#10 Bloggers

Building relationships in the online world might be more challenging than in real life, but it still is an essential part of blogging. As you will see, the blogging community is quite vocal and strong, and it offers great potential for learning, exchanging experience, and finding possible collaborations. This is why relationships with other bloggers should be one of the essentials of blogging.

This list of the blogging essentials includes everything that is necessary for you to focus on when first starting out blogging, regardless of the niche and the type of platform you will use. Try to create your own plan including all of these essentials and how you will implement each into your blogging activity from the start.

Highlighting Affiliate Marketing And Email Marketing

Email marketing has the highest conversion rate of all types of online marketing. When you combine it with affiliate marketing, you can get a very profitable strategy to boost the performance of affiliate marketing.

Merchants

Merchants often use email marketing to get in touch with affiliates. It is a practical way to communicate with them and to send motivational offers, such as increased commissions, extended cookie life, etc. The purpose of these is to increase engagement and perhaps to activate some of the less productive affiliates.

An email is also a great tool for recruiting affiliates to join your program. You can do this recruitment by using your own mailing list, or you could collaborate with another website or blog with a relevant subscriber base that could help with extending your reach and recruiting potential affiliates from their mailing list.
When creating an email campaign, it is essential to:
• Make it personalized
• Keep it short and concise
• Use an engaging subject line and CTA
• Optimize the email template
• Use visual elements
• Make sure the email is mobile-friendly.

Affiliates

As said at the beginning of this e-book, affiliates are usually bloggers, influencers, and experts who enjoy a certain following online. They have the audience they can promote affiliate links to, which is why they decide to use this form of marketing to boost their income. One of their primary assets is usually their mailing list. Bloggers work really hard to increase their subscriber base, using various methods for lead generation. They also usually keep these subscribers active through engaging newsletters where they share exclusive content designed for the subscribers.

Part of their email campaigns could be sharing affiliate links. Affiliates choose between two ways to distribute affiliate links through email campaigns. Firstly, there are those who simply incorporate those links into a regular newsletter, with or without mentioning that they are affiliate links.

The second option is to have a separate email message for these kinds of links. For example, apart from a regular newsletter with blog updates, the second email message would be focused on promotion and titled differently from a regular newsletter. Some suggestions could be “Products we’ve been loving” or “Promo Tuesday by [BRAND NAME]”.

Online Conversion Techniques: How to Boost Your Sales

You’ve got your e-commerce website set up, and you know how to drive traffic to it, but are still stuck with low sales.

How do you fix that? By using online conversion techniques, also known as optimization techniques, you can increase your sales by focusing on the visitors coming to your site rather than the visitors leaving it. Here are some of the best online conversion techniques out there!

The Basics

When it comes to online sales, the conversion rate is key. In order to boost your sales and improve your conversion rate, there are a few techniques you can use.

First, make sure your website is user-friendly and easy to navigate.

Secondly, offer incentives like free shipping or discounts to encourage people to buy from you.

Finally, use strong calls to action on your website and in your marketing materials to encourage people to take the next step.

#1 Adding Trust Seals and Security Badges

One way to increase online sales is by adding trust seals and security badges to your website. This helps build trust with potential customers and shows that you’re a credible business.

Plus, it can help boost your search engine ranking. Here’s how to do it:
1. Research which seals and badges are most trusted by your target market.

2. Apply for the seals and badges from the respective organizations.

3. Ensure they are displayed prominently on your site so they stand out.

4. Keep in mind that this will take time, so don’t expect results overnight!

The right seals and badges will only work if people know about them. Consider sending an email to current customers or running a promotion or sale as an incentive for people to visit your site.

#2 Getting Found in Google

If you want people to find your business when they search online, you need to make sure your website appears as high as possible in Google’s search results. This process is called Search Engine Optimization (SEO).

There are many ways to improve your SEO and increase your rank on Google. Keyword research can help a lot because it will show you what words or phrases other people are using to search for businesses like yours.

You then need to optimize the content of your website so that it matches these keywords as closely as possible.

#3 User Testimonials

When it comes to online sales, user testimonials can be extremely powerful. They provide social proof that your product or service is effective and can help increase conversion rates.

If you’re not using testimonials on your website, you’re missing out on a valuable opportunity to boost sales.

Find ways to collect customer reviews, the more the better!

Offer discounts or free products in exchange for reviews so people will have an incentive to give feedback.

These reviews should be displayed prominently throughout your site so they’re easily visible when people are browsing around. You may also want to include them in your newsletters, emails, or ads as well.

#4 The Right Call-to-Action

The first step to getting more conversions is having a strong call to action. This is what tells your visitors what you want them to do, and it should be clear, concise, and actionable.

Once you have a strong CTA, make sure it’s visible on your website. Place it above the fold so visitors will see it as soon as they land on your page. And finally, use persuasive language that urges visitors to take action.

Make every word count in order to convince people who are still undecided or need just one more push. You might even include an offer of some kind (discount, giveaway) in order to entice potential customers into purchasing your product or service.

#5 Creating Urgency

One of the most effective online conversion techniques is creating a sense of urgency. This can be done in a number of ways, such as offering a limited-time discount or displaying how many items are left in stock.

Urgency encourages visitors to take action before it’s too late, which can lead to more sales for your business.

If you’re running an online sale, consider adding countdown timers that display how much time is left on the sale. If you want to encourage customers to buy now and not wait until later, include phrases like “Hurry!” or “Only X Left!”


Reserve Analysis For Projects: Facts To Note

Please note that inaccurate time estimates will affect the schedule and may frustrate the team involved in meeting the schedule. By minimising potential adjustments to the schedule, you and other stakeholders will not have to work overtime and you can preserve your reputation as a project manager.

Reserve analysis is the process of identifying and adding extra time that will serve as contingency or management reserves to the duration estimates.

Contingency reserves serve as buffers in recognition of schedule risks or setbacks.

Management reserves are buffers added to the project tasks for unplanned changes to project scope and cost.

As the project progresses, reserve analysis is used to determine if the remaining or planned buffer is adequate for project completion.

Reserve analysis can run the risk of inflating cost revenue.

Typical example…

A cellphone manufacturing company contracted a vendor to integrate a new telecommunication technology within their current system. The project manager, Bob, has been assigned to manage this new project.

He creates a schedule to complete the project within one month. Bob anticipates that if the technical integration aspects are unavailable, the project will need to be extended for one more month.

Therefore, he specifies this in the project management plan and retains a contingency reserve of one month.

Some managers, upon reviewing the project management plan, advised Bob to add two more weeks as management reserve to the project in order to accommodate the risks that may occur due to unknown unknowns.

Best Paid Campaign Tools For Affiliate Marketers

Another option for promoting affiliate links is through paid advertising. When using this type of online promotion, it is essential to have in mind the terms of service of the affiliate program, especially those terms that regulate promotion through search engine ads. The following tools can help with paid campaigns:

#1 Google Ads

It is most likely that you will run a paid search engine campaign, which is done through a Google AdWords account. The platform enables the creation of ads, scheduling, targeting and analyzing ad performance.

#2 Bing Ads

If you are looking for an alternative that is designed for Bing, use this platform for search engine ad creation and management.

Facebook Ads – A lot of social networks offer advertising through the platform, which can be done in the form of sponsored posts or purpose-driven campaigns, such as driving traffic, increasing signups, etc. Facebook Ads Manager allows you to create, manage, and monitor ads on Facebook and Instagram.

#3 Unbounce

The tool enables the creation of landing pages using drag-and-drop elements, templates, an A/B testing feature, a form builder and many more features. Since the landing page is usually the page linked to the paid ad, the first one users will see once they click on the ad, this tool can help with increasing conversions.

Major Health Benefits Of Kordi Royal Jelly

Cordi Royal Jelly contains Cordyceps sinensis, ginkgo leaf extracts, and royal jelly freezing powder. Cordyceps sinensis is a powerful life-enhancing tonic and an extremely effective and unique herb that is highly beneficial to the body. Recent observations have shown that cordyceps can improve performance and muscle-building capacity, even though it does not contain any steroidal ingredients. Cordyceps benefits the vascular system by improving blood circulation, and it helps to regulate blood pressure and strengthen the heart muscle.

For many thousands of years, ginkgo has been used in traditional medicine. One of the most well-known effects of Ginkgo biloba is thought to be a strong impact on maintaining normal blood flow and reducing tissue damage. In addition, it can help maintain optimum levels of oxygen and glucose in the blood. The ability of Ginkgo biloba to influence and increase blood flow extends to the brain as well, and ginkgo is thought to enhance memory by increasing the amount of blood flow to the brain.

The royal jelly freezing powder can lower blood fat, prolong life, protein blood, improve sleep, fight free radicals, and enhance beauty.

Health benefits

  • Cordy Royal Jelly enhances blood circulation
  • It helps maintain normal cardiac function
  • It lowers high blood fat
  • It prevents and relieves a geriatric disease
  • It boosts memory
  • It maintains existing normal cholesterol levels
  • Promotes normal triglyceride levels


Health Benefits Of M04 Blood Circulation Instrument

In this article, we want to talk about the health benefits of the Kedi blood circulation instrument called the M04 Blood Circulation Instrument. Persons with the conditions listed below can benefit from foot reflexology and blood circulation instruments.

  • Weight control
  • Flu
  • Chronic headaches
  • Hypertension
  • Lower blood pressure
  • Skin allergy
  • Backbone
  • Rheumatism
  • Splenic and gastric diseases
  • Insomnia
  • Kidney disease
  • Constipation
  • Paralysis
  • Stroke
  • Lumbar extrude
  • Hyperplasia of the prostate gland
  • Liver dysfunction
  • Sexual function
  • Chronic diarrhoea

Foot massage is a Chinese traditional medicine treasure. There is a famous Chinese saying “Human foot is like a tree root, if the root dies, the tree will die; if the foot is weak, the human will be sick. Chinese regard the foot as the second heart of humans.

 

Foot massage is self-health care suitable for everyone, even after your first treatment, you will feel rejuvenated and relaxed. The massage will increase blood supply to the rest of the body, it will ease the pressure, and reduce fatigue.

 

African people often wear sandals, so their feet are exposed to the sun, rain, dust, bacteria and viruses, and are apt to be hurt and infected; the feet therefore need to be taken care of. Our blood circulatory instrument is specially designed for African people.

Foot reflexology is meant to increase health and well-being in the whole body. It is based on the idea that all nerve zones begin in the feet, and so foot reflexology is thought to cure many ailments. By massaging certain areas of the foot, and applying particular pressures and strokes to those areas, a practitioner of reflex zone therapy can provide many benefits.

Health Benefits Of Kedi Slimming Belt

Here are some of the major benefits of the Kedi Slimming belt:

A slimming belt enhances the burning of excess body fat, which helps you achieve a slim body shape together with weight reduction. It is more effective when combined with healthy food and a normal lifestyle.

The spinal vibration massage design gives an effect equal to basic exercise. It is, therefore, most useful for persons who are not able to find time for exercise.

The product can be used in any kind of environment, yet it still gives you the joy and pleasure of having a massage at home for relaxation.

Spiral vibration massage can strengthen the digestion process, thereby expelling toxic substances that remain in the body. It also promotes blood circulation, gives freshness to the skin and lets the muscles regain their elasticity.

Do you want to have a nice shape? Do you want to lose weight faster? Do you want to flush out and eliminate toxins? Do you want to do more physical exercise without fatigue? Use the Kedi slimming belt on the parts that need it most to easily burn calories, enhance metabolism, lose weight, ease muscle pain and relieve back pain. It is great for the abdomen, waist, back and hips. It also helps to eliminate toxins and cellulite.

M03 Dolphin Massager

The Dolphin Massager is dolphin-shaped. Its elegance and light design make it portable. The most important aspect of it is that it increases blood circulation, thereby increasing life span and a general sense of well-being. Its other benefits are as follows:

  • Stress relief: It reduces stress after a hard day’s work.
  • Sound sleep: It induces sound sleep.
  • Athletic performance: It enhances athletic performance as it relaxes tight muscles after exercise.
  • It strengthens the immune system.
  • It stimulates the digestive system and activates the urinary system.
  • It normalizes blood pressure.
  • It relieves muscle aches and banishes fatigue.

Health benefits Of Kedi QingHao Capsule

Artemisinin has a strong effect in killing Plasmodium in erythrocytes, so it controls malaria outbreaks and symptoms rapidly. It is thought to affect the function of the membrane-mitochondria system. Artemisinin acts on the ultrastructure of the parasites in the erythrocytic phase, including the food vesicles. The parasites die rapidly after losing most of their nutrition and cytoplasm without replenishment. The mechanism is unstable organic free radicals or other electrophilic intermediates produced by the peroxide.

Toxicology
Increased fetal absorption was observed in pregnant mice in the reproduction toxicology test. No teratogenic effect was observed.

Pharmacokinetics
Artemisinin is rapidly absorbed and extensively distributed in the main tissues after oral administration. Human pharmacokinetic parameters at an oral dose of 2 mg/kg: Tmax = 1.33 h, Cmax = 0.71 mg/L, t1/2 = 1.57 h. Artemisinin is metabolized and excreted very rapidly.

Indications
All forms of malaria; it is especially effective for the treatment of falciparum malaria and multidrug-resistant malaria.

Administration
Two capsules as a single dose at the time of initial diagnosis, and then 6, 24 and 48 hours thereafter (the total course comprises 8 capsules). The oral dose may be taken with water.

Side Effect
No side effects were reported at the clinical dosage. A few cases of temporary reticulocyte decrease have been noted.

Precautions
Artemisinin is not recommended during the first trimester of pregnancy unless the balance between safety and risk has been evaluated by a doctor.

Storage
Preserve in well-closed, light-resistant containers. Store in a dry and cool place.

Package
Capsule in blister, 10 capsules.

Validity
3 years.

Immune System: Diseases, Disorders & Function

The role of the immune system — a collection of structures and processes within the body — is to protect against disease or other potentially damaging foreign bodies. When functioning properly, the immune system identifies a variety of threats, including viruses, bacteria and parasites, and distinguishes them from the body’s own healthy tissue, according to Merck Manuals. In this article, I am going to look at the diseases, disorders and function of the immune system.

Innate vs. adaptive immunity

The immune system can be broadly sorted into categories: innate immunity and adaptive immunity.

Innate immunity is the immune system you are born with, and mainly consists of barriers on and in the body that keep foreign threats out, according to the National Library of Medicine (NLM). Components of innate immunity include skin, stomach acid, enzymes found in tears and skin oils, mucus and the cough reflex. There are also chemical components of innate immunity, including substances called interferon and interleukin-1.

Innate immunity is non-specific, meaning it doesn’t protect against any specific threat.

Adaptive, or acquired, immunity targets specific threats to the body, according to the NLM. Adaptive immunity is more complex than innate immunity, according to The Biology Project at The University of Arizona. In adaptive immunity, the threat must be processed and recognized by the body, and then the immune system creates antibodies specifically designed for that threat. After the threat is neutralized, the adaptive immune system “remembers” it, which makes future responses to the same germ more efficient.

Major components

Lymph nodes: Small, bean-shaped structures that produce and store cells that fight infection and disease and are part of the lymphatic system — which consists of bone marrow, spleen, thymus and lymph nodes, according to “A Practical Guide To Clinical Medicine” from the University of California San Diego (UCSD). Lymph nodes also contain lymph, the clear fluid that carries those cells to different parts of the body. When the body is fighting infection, lymph nodes can become enlarged and feel sore.

PS: To buy the Fortifier product to boost your immune system, click here. Please note that the product goes for N6,000.00 (Six Thousand Naira Only).

Spleen: The largest lymphatic organ in the body, which is on your left side, under your ribs and above your stomach, contains white blood cells that fight infection or disease. According to the National Institutes of Health (NIH), the spleen also helps control the amount of blood in the body and disposes of old or damaged blood cells.

Bone marrow: The yellow tissue in the centre of the bones produces white blood cells. This spongy tissue inside some bones, such as the hip and thigh bones, contains immature cells, called stem cells, according to the NIH. Stem cells, especially embryonic stem cells, which are derived from eggs fertilized in vitro (outside of the body), are prized for their flexibility in being able to morph into any human cell. 

Lymphocytes: These small white blood cells play a large role in defending the body against disease, according to the Mayo Clinic. The two types of lymphocytes are B-cells, which make antibodies that attack bacteria and toxins, and T-cells, which help destroy infected or cancerous cells. Killer T-cells are a subgroup of T-cells that kill cells that are infected with viruses and other pathogens or are otherwise damaged. Helper T-cells help determine which immune responses the body makes to a particular pathogen.

Thymus: This small organ is where T-cells mature. This often-overlooked part of the immune system, which is situated beneath the breastbone (and is shaped like a thyme leaf, hence the name), can trigger or maintain the production of antibodies that can result in muscle weakness, the Mayo Clinic said. Interestingly, the thymus is somewhat large in infants, grows until puberty, then starts to slowly shrink and become replaced by fat with age, according to the National Institute of Neurological Disorders and Stroke.

Leukocytes: These disease-fighting white blood cells identify and eliminate pathogens and are the second arm of the innate immune system. A high white blood cell count is referred to as leukocytosis, according to the Mayo Clinic. The innate leukocytes include phagocytes (macrophages, neutrophils and dendritic cells), mast cells, eosinophils and basophils. 

Diseases of the immune system

If immune system-related diseases are defined very broadly, then allergic diseases such as allergic rhinitis, asthma and eczema are very common. However, these actually represent a hyper-response to external allergens, according to Dr. Matthew Lau, chief of the department of allergy and immunology at Kaiser Permanente Hawaii. Asthma and allergies also involve the immune system. A normally harmless material, such as grass pollen, food particles, mould or pet dander, is mistaken for a severe threat and attacked.

Other dysregulation of the immune system includes autoimmune diseases such as lupus and rheumatoid arthritis.

“Finally, some less common diseases related to deficient immune system conditions are antibody deficiencies and cell-mediated conditions that may show up congenitally,” Lau told Live Science.

Disorders of the immune system can result in autoimmune diseases, inflammatory diseases and cancer, according to the NIH.

Immunodeficiency occurs when the immune system is not as strong as normal, resulting in recurring and life-threatening infections, according to the University of Rochester Medical Center. In humans, immunodeficiency can be the result of a genetic disease such as severe combined immunodeficiency, an acquired condition such as HIV/AIDS, or the use of immunosuppressive medication.

On the opposite end of the spectrum, autoimmunity results from a hyperactive immune system attacking normal tissues as if they were foreign bodies, according to the University of Rochester Medical Center. Common autoimmune diseases include Hashimoto’s thyroiditis, rheumatoid arthritis, diabetes mellitus type 1 and systemic lupus erythematosus. Another disease considered to be an autoimmune disorder is myasthenia gravis (pronounced my-us-THEE-nee-uh GRAY-vis).

Diagnosis and treatment of immune system diseases

Even though symptoms of immune diseases vary, fever and fatigue are common signs that the immune system is not functioning properly, the Mayo Clinic noted. 

Most of the time, immune deficiencies are diagnosed with blood tests that measure either the level of immune elements or their functional activity, Lau said.

Allergic conditions may be evaluated using either blood tests or allergy skin testing to identify what allergens trigger symptoms.

For overactive or autoimmune conditions, medications that reduce the immune response, such as corticosteroids or other immune-suppressive agents, can be very helpful.

“In some immune-deficiency conditions, the treatment may be replacement of missing or deficient elements,” Lau said. “This may be infusions of antibodies to fight infections.”

Treatment may also include monoclonal antibodies, Lau said. A monoclonal antibody is a type of protein made in a lab that can bind to substances in the body. They can be used to regulate parts of the immune response that are causing inflammation, Lau said. According to the National Cancer Institute, monoclonal antibodies are being used to treat cancer. They can carry drugs, toxins or radioactive substances directly to cancer cells.

Milestones in the history of immunology

1718: Lady Mary Wortley Montagu, the wife of the British ambassador to Constantinople, observed the positive effects of variolation — the deliberate infection with the smallpox disease — on the native population and had the technique performed on her own children.

1796: Edward Jenner was the first to demonstrate the smallpox vaccine.

1840: Jakob Henle put forth the first modern proposal of the germ theory of disease.

1857-1870: The role of microbes in fermentation was confirmed by Louis Pasteur.

1880-1881: The theory that bacterial virulence could be used as vaccines was developed. Pasteur put this theory into practice by experimenting with chicken cholera and anthrax vaccines. On May 5, 1881, Pasteur vaccinated 24 sheep, one goat, and six cows with five drops of live attenuated anthrax bacillus.

1885: Joseph Meister, 9 years old, was injected with the attenuated rabies vaccine by Pasteur after being bitten by a rabid dog. He is the first known human to survive rabies.

1886: American microbiologist Theobald Smith demonstrated that heat-killed cultures of chicken cholera bacillus were effective in protecting against cholera.

1903: Maurice Arthus described the localizing allergic reaction that is now known as the Arthus response. 

1949: John Enders, Thomas Weller and Frederick Robbins experimented with the growth of poliovirus in tissue culture, neutralization with immune sera, and demonstration of attenuation of neurovirulence with repetitive passage.

1951: A vaccine against yellow fever was developed.

1983: HIV (human immunodeficiency virus) was discovered by French virologist Luc Montagnier.

1986: The hepatitis B vaccine was produced by genetic engineering.

2005: Ian Frazer developed the human papillomavirus vaccine.

This article is for informational purposes only and is not meant to offer medical advice. This article was updated Oct. 17, 2018 by Live Science Health Editor, Sarah Miller.
