Thursday, March 21, 2024

Outlook blocks opening FQDN and IP address hyperlinks after installing protections for Microsoft Outlook Security Feature Bypass Vulnerability released July 11, 2023

ISSUE

When you click links in emails in Outlook Desktop where the path is to a fully qualified domain name (FQDN) or IP address, you may see one of the following:

  • An Outlook warning dialog with the error “Something unexpected went wrong with this URL”

    (Screenshot: Outlook "Something unexpected went wrong" dialog)

  • Silent failure for the untrusted file.

When you open links in emails in Outlook Desktop where the path is to an FQDN, IP address, or hostname path, you will see the following dialog. This is also expected.

(Screenshot: Outlook security notice dialog)

If you need to disable this dialog, follow the instructions in the article Enable or disable hyperlink warning messages in Office programs.

HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security
DWORD: DisableHyperlinkWarning
Value: 1

This issue happens after installing the Outlook Desktop July 11th security updates. For additional information see the respective CVEs below.

MSRC CVE-2023-33151: Microsoft Outlook Spoofing Vulnerability

MSRC CVE-2023-35311: Microsoft Outlook Security Feature Bypass Vulnerability 

KB 5002427: Description of the security update for Outlook 2016: July 11, 2023 (KB5002427)

KB 5002432: Description of the security update for Outlook 2013: July 11, 2023 (KB5002432) 

STATUS: RESOLUTION

Warning: This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. Make sure the FQDN or IP address you add to Trusted Sites is a valid URL path for your company or network.

To ensure continued access to files on FQDN or IP address paths, add those URLs to the Trusted Sites zone in accordance with the Windows guidance article "Intranet site is identified as an Internet site when you use an FQDN or an IP address".

  1. Go to Windows Settings.

  2. Search for and open Internet Options.

  3. Click the Security tab, then select Trusted Sites.

  4. Enter the URL, UNC, or FQDN path that you want to allow in "Add this website to the zone".
    For example, add file://server.usa.corp.com

    (Screenshot: Trusted Sites dialog with the file:// entry)

    Note: If the entry you wish to add does not explicitly start with ‘https:’, you must first uncheck the ‘Require server verification (https) for all sites in this zone’ checkbox before it can be saved.

  5. This workaround can also be deployed via group policy.

GPO: User Configuration 

Policy: \\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List

Tips: 

  • To avoid policy or zone processing failures as a result of incorrect syntax, it is highly advisable to first test the desired policy entry in the Internet Options UI:

    (Screenshot: Trusted Sites entry using wildcards)

  • The Group Policy zone management interface does not provide input validation of entered values. By leveraging the tip above, administrators can ensure their policy values will be considered valid before deploying them broadly.

Note: The syntax for adding a URL for files on FQDN or IP address paths to a GPO is different than manually adding a file URL to Internet Options | Security | Trusted Sites. You need to add three forward slashes /// in front of the \\<ipaddress>.

For example:

  • Manually adding \\10.123.452.37 in Internet Options enters file://10.123.452.37 in the Trusted Sites list, which allows the file link to open instead of being blocked.

  • For GPO you need to use the following syntax instead: file:///\\10.123.452.37.
    This also enters file://10.123.452.37 in the Trusted Sites list and allows the file link to open.

When you deploy by GPO if you have URLs that do not start with https, you may need to configure the setting to uncheck the box for Require server verification (https) for all sites in this zone.


To deploy the unchecked state by GPO, rather than unchecking the check box on every client one by one, the following registry key and Flags values can be used:
HKU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags: 0x00000143(323)

Check box checked:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"Flags"=dword:00000047

Check box unchecked:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"Flags"=dword:00000043

In order to add the file shares in registry by GPO, consider the following:

If it’s a Domain

(Screenshot: Site to Zone Assignment List entry for a domain)

For the Contoso example above, it is set in the registry here:
Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contoso.com

(Screenshot: ZoneMap\Domains\contoso.com registry key)

If it is an IP address, it is set in the registry here:
Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1

(Screenshot: ZoneMap\Ranges\Range1 registry key)

Each IP address share requires its own new Range key under Ranges.
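As an added example (not code from the Microsoft article, and not a Microsoft tool), the following Python turns a list of share paths into the Trusted Sites entries described above: a Domains\<fqdn> key for each name, a separate Ranges\RangeN key for each IP address, the file:///\\host syntax the Site to Zone Assignment List policy needs, and a Zones\2 Flags value with the "Require server verification (https)" bit cleared. It also rejects digits-and-dots entries that are not real IP addresses, since the Group Policy zone editor does no input validation. The value names "file" and ":Range" under ZoneMap follow the standard Windows zone-map layout and the 0x4 flag bit is inferred from the 0x47/0x43 pair above; both are assumptions rather than statements from the article, and every host name and address in the script is constructed.

```python
"""Trusted Sites (zone 2) entries for Outlook file:// links.

Added example, not code from the Microsoft article. Assumptions: the value
names "file" and ":Range" under ZoneMap (standard zone-map layout) and the
0x4 flag bit (the bit that differs between the article's 0x47 and 0x43).
All host names and addresses are constructed.
"""
from __future__ import annotations

import ipaddress
import re

TRUSTED_SITES_ZONE = 2
REQUIRE_HTTPS_FLAG = 0x4  # assumed from the 0x47 (checked) -> 0x43 (unchecked) pair
ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
ZONES = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"


def host_from_share(path: str) -> str:
    """Extract the host from \\host\share, file://host or file:///\\host."""
    m = re.match(r"^(?:\\\\|file:/*\\*)([^\\/]+)", path.strip())
    if not m:
        raise ValueError(f"not a UNC path or file URL: {path!r}")
    return m.group(1)


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def malformed_hosts(hosts: list[str]) -> list[str]:
    """Digits-and-dots entries that are not valid IP addresses. The GPO zone
    editor does not validate input, so catch these before deploying."""
    return [h for h in hosts if re.fullmatch(r"[0-9.]+", h) and not is_ip(h)]


def gpo_site_to_zone_entry(host: str) -> tuple[str, str]:
    """Value name and data for the Site to Zone Assignment List policy.
    GPO needs file:///\\host (three slashes), unlike the manual \\host entry."""
    return (f"file:///\\\\{host}", str(TRUSTED_SITES_ZONE))


def zonemap_entries(hosts: list[str]) -> list[tuple[str, str, str]]:
    """(registry key, value name, data) triples for the per-user ZoneMap."""
    bad = malformed_hosts(hosts)
    if bad:
        raise ValueError(f"malformed entries: {bad}")
    entries, range_no = [], 1
    for host in hosts:
        if is_ip(host):
            key = rf"{ZONEMAP}\Ranges\Range{range_no}"  # a new RangeN key per IP address
            entries.append((key, ":Range", host))
            entries.append((key, "file", str(TRUSTED_SITES_ZONE)))
            range_no += 1
        else:
            entries.append((rf"{ZONEMAP}\Domains\{host}", "file", str(TRUSTED_SITES_ZONE)))
    return entries


def clear_https_requirement(flags: int) -> int:
    """Uncheck 'Require server verification (https)': 0x47 -> 0x43."""
    return flags & ~REQUIRE_HTTPS_FLAG


def reg_file(paths: list[str], current_flags: int = 0x47) -> str:
    """Render a .reg file to review and test on one client before wide deployment."""
    hosts = [host_from_share(p) for p in paths]
    lines = ["Windows Registry Editor Version 5.00", "",
             f"[{ZONES}\\2]", f'"Flags"=dword:{clear_https_requirement(current_flags):08x}', ""]
    by_key: dict[str, list[tuple[str, str]]] = {}
    for key, name, data in zonemap_entries(hosts):
        by_key.setdefault(key, []).append((name, data))
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        for name, data in values:
            lines.append(f'"{name}"="{data}"' if name == ":Range" else f'"{name}"=dword:{int(data):08x}')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed inputs: one FQDN share and one IP address share
    print(reg_file([r"\\fileserver.corp.example\finance", r"\\10.0.0.5\scans"]))
    print(gpo_site_to_zone_entry("10.0.0.5"))
```

The script only prints registry text; it does not write to the registry, so the generated .reg file can be reviewed and imported on a test client first, which is the same "test in the UI before deploying broadly" discipline the tips above recommend.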

Thursday, October 26, 2023

'Saving changes is not permitted' error when you try to save a table in SQL Server

 

Error:

Saving changes is not permitted. The changes that you have made 
require the following tables to be dropped and re-created. 
You have either made changes to a table that can't be re-created 
or enabled the option Prevent saving changes that require the table to be re-created.

Resolution:

1. Open SQL Server Management Studio as an administrator.
2. Go to Tools, then Options, then "Designer".
3. Uncheck "Prevent saving changes that require table re-creation".
4. Expand the database tables in Object Explorer on the left and make the changes you plan to make.
5. You may want to re-check "Prevent saving changes that require table re-creation" so that the security feature warns again.

Thursday, September 14, 2023

Advanced Persistent Threat (APT)

An advanced persistent threat (APT) is a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time.

APT attacks are initiated to steal data rather than cause damage to the target organization's network.

The goal of most APT attacks is to achieve and maintain ongoing access to the targeted network rather than to get in and out as quickly as possible. Because a great deal of effort and resources can go into carrying out APT attacks, hackers typically select high-value targets, such as nation-states and large corporations, with the goal of stealing information over a long period of time.

To gain access, APT groups often use advanced attack methods, including exploits of zero-day vulnerabilities, as well as highly targeted spear phishing and other social engineering techniques. To maintain access to the targeted network without being discovered, threat actors continuously rewrite malicious code and use other sophisticated evasion techniques to avoid detection. Some APTs are so complex that they require full-time administrators to maintain the compromised systems and software in the targeted network.

The motives of advanced persistent threat actors are varied. For example, attackers sponsored by nation-states may target intellectual property to gain a competitive advantage in certain industries. Other targets may include power distribution and telecommunications utilities and other infrastructure systems, social media, media organizations, and electoral and other political targets. Organized crime groups may sponsor advanced persistent threats to gain information they can use to carry out criminal acts for financial gain.

Although APT attacks can be difficult to identify, data theft is never completely undetectable. However, the act of exfiltrating data from an organization may be the only clue defenders have that their networks are under attack. Cybersecurity professionals often focus on detecting anomalies in outbound data to see if the network has been the target of an APT attack.

How an APT attack works

Attackers executing APTs typically take the following sequential approach to gain and maintain ongoing access to a target:

  • Gain access. APT groups gain access to a target by attacking its systems through the internet, normally through spear phishing emails or an application vulnerability, with the intention of leveraging that access to insert malicious software into the target.
  • Establish a foothold. After gaining access to the target, threat actors use their access to do further reconnaissance. They use the malware they've installed to create networks of backdoors and tunnels to move around unnoticed. APTs may use advanced malware techniques such as code rewriting to cover their tracks.
  • Gain even greater access. Once inside the targeted network, APT actors may use methods such as password cracking to gain administrative rights. This gives them more control of the system and even deeper levels of access.
  • Move laterally. Once threat actors have breached their target systems, including gaining administrator rights, they can then move around the enterprise network at will. They can also attempt to access other servers, as well as other secure areas of the network.
  • Stage the attack. At this point, the hackers centralize, encrypt and compress the data so they can exfiltrate it.
  • Take the data. The attackers harvest the data and transfer it to their own system.
  • Remain until they're detected. Cybercriminals can repeat this process for long periods of time until they're detected, or they can create a backdoor so they can access the system again later.

Examples of advanced persistent threats

APTs are usually assigned names by their discoverers, though many advanced persistent threat attacks have been discovered by more than one researcher, so some are known by more than one name.

Advanced persistent threats have been detected since the early 2000s, and they date back as far as 2003 when China-based hackers ran the Titan Rain campaign against U.S. government targets in an attempt to steal sensitive state secrets. The attackers targeted military data and launched APT attacks on the high-end systems of government agencies, including NASA and the FBI. Security analysts pointed to the Chinese People's Liberation Army as the source of the attacks.

Some examples of advanced persistent threats include:

  • The Sykipot APT malware family exploits flaws in Adobe Reader and Acrobat. It was detected in 2006, and further attacks using the malware reportedly continued through 2013. Threat actors used the Sykipot malware family as part of a long-running series of cyberattacks, mainly targeting U.S. and U.K. organizations. The hackers used a spear phishing attack that included links and malicious attachments containing zero-day exploits in targeted emails.
  • The GhostNet cyberespionage operation was discovered in 2009. Executed from China, the attacks were initiated via spear phishing emails containing malicious attachments. The attacks compromised computers in more than 100 countries. The attackers focused on gaining access to the network devices of government ministries and embassies. These attacks enabled the hackers to control these compromised devices, turning them into listening and recording devices by remotely switching on their cameras and audio recording capabilities.
  • The Stuxnet worm used to attack Iran's nuclear program was detected by cybersecurity researchers in 2010. It is still considered to be one of the most sophisticated pieces of malware ever detected. The malware targeted SCADA (supervisory control and data acquisition) systems and was spread with infected USB devices. The U.S. and Israel have both been linked to the development of Stuxnet, and while neither nation has officially acknowledged its role in developing it, there have been unofficial confirmations that they were responsible for Stuxnet.
  • APT28, the Russian advanced persistent threat group also known as Fancy Bear, Pawn Storm, Sofacy Group and Sednit, was identified by researchers at Trend Micro in 2014. APT28 has been linked to attacks against military and government targets in Eastern Europe, including Ukraine and Georgia, as well as campaigns targeting NATO organizations and U.S. defense contractors.
  • APT29, the Russian advanced persistent threat group also known as Cozy Bear, has been linked to a number of attacks, including a 2015 spear phishing attack on the Pentagon, as well as the 2016 attacks on the Democratic National Committee.
  • APT34, an advanced persistent threat group linked to Iran, was identified in 2017 by researchers at FireEye, but has been active since at least 2014. The threat group has targeted companies in the Middle East with attacks against financial, government, energy, chemical and telecommunications companies.
  • APT37, also known as Reaper, StarCruft and Group 123, is an advanced persistent threat linked to North Korea that is believed to have originated around 2012. APT37 has been connected to spear phishing attacks exploiting an Adobe Flash zero-day vulnerability.

Characteristics of advanced persistent threats

Advanced persistent threats often exhibit certain characteristics reflecting the high degree of coordination necessary to breach high-value targets.

Most APTs are carried out in multiple phases, reflecting the same basic sequence of gaining access, maintaining and expanding access, and attempting to remain undetected in the victim network until the goals of the attack have been accomplished.

Advanced persistent threats are also distinguished by their focus on establishing multiple points of compromise. APTs usually attempt to establish multiple points of entry to the targeted networks, which enables them to retain access even if the malicious activity is discovered, incident response is triggered, and defenders close one of the compromises.

Detecting advanced persistent threats

Advanced persistent threats have certain warning signs despite typically being hard to detect. An organization may notice certain symptoms after it has been targeted by an APT, including:

  • unusual activity on user accounts;
  • extensive use of backdoor Trojan horse malware, a method that enables APTs to maintain access;
  • odd or uncharacteristic database activity, such as a sudden increase in database operations involving massive quantities of data; and
  • presence of unusual data files, which may indicate data that has been bundled into files to assist in the exfiltration process.

Detecting anomalies in outbound data is perhaps the best way for cybersecurity professionals to determine if a network has been the target of an APT attack.
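The outbound-data anomaly idea above can be made concrete. The following Python is an added example (not code from the original post): it compares each host's daily outbound byte count with that host's own earlier days, using the median of prior days as the baseline, and separately flags a large transfer to a destination the host has never contacted before. The flow records, host names, thresholds and destination addresses are all constructed for the example.

```python
"""Outbound-volume anomaly detection over per-host flow summaries.

Added example, not from the original post. Flow records are constructed.
"""
from collections import defaultdict
from statistics import median

# (day, source host, destination, bytes sent): constructed sample data
FLOWS = [
    ("d1", "ws-17", "203.0.113.10", 12_000),
    ("d1", "ws-17", "198.51.100.5", 9_000),
    ("d2", "ws-17", "203.0.113.10", 11_500),
    ("d2", "ws-17", "198.51.100.5", 8_700),
    ("d3", "ws-17", "203.0.113.10", 12_300),
    ("d3", "ws-17", "198.51.100.5", 9_100),
    ("d4", "ws-17", "203.0.113.10", 12_100),
    ("d1", "db-02", "203.0.113.10", 2_000_000),
    ("d2", "db-02", "203.0.113.10", 2_100_000),
    ("d3", "db-02", "203.0.113.10", 1_950_000),
    ("d4", "db-02", "203.0.113.10", 2_050_000),
    ("d4", "ws-17", "192.0.2.44", 480_000_000),   # the suspicious transfer
]


def daily_totals(flows):
    totals = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    for day, host, _dest, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def find_exfil_candidates(flows, factor=5.0, min_bytes=50_000_000, min_history=2):
    """Alerts for host-days far above the host's own baseline (median of its
    prior days) and for large transfers to never-seen destinations. A host
    needs min_history prior days before it is judged, so new hosts do not
    generate noise, and min_bytes keeps tiny absolute volumes from alerting."""
    totals = daily_totals(flows)
    history = defaultdict(list)      # host -> daily totals of earlier days
    dests_seen = defaultdict(set)    # host -> destinations used on earlier days
    alerts = []
    for day in sorted({f[0] for f in flows}):
        todays = [f for f in flows if f[0] == day]
        for host in sorted({f[1] for f in todays}):
            today_bytes = totals[host][day]
            if len(history[host]) >= min_history:
                baseline = median(history[host])
                if today_bytes >= min_bytes and today_bytes > factor * baseline:
                    alerts.append({"day": day, "host": host, "kind": "volume",
                                   "bytes": today_bytes, "baseline": baseline})
                for _d, h, dest, nbytes in todays:
                    if h == host and dest not in dests_seen[host] and nbytes >= min_bytes:
                        alerts.append({"day": day, "host": host, "kind": "new-destination",
                                       "dest": dest, "bytes": nbytes})
        for _d, host, dest, _n in todays:            # only now does today join the history
            dests_seen[host].add(dest)
        for host in {f[1] for f in todays}:
            history[host].append(totals[host][day])
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(FLOWS):
        print(alert)
```

Per-host baselines matter here: the database server legitimately sends megabytes every day, so a single network-wide threshold would either miss the workstation's transfer or page on the database's normal traffic. The two rules are deliberately separate so that a slow exfiltration spread over many days (which stays under the volume rule) can still trip the never-seen-destination rule.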

Wednesday, August 23, 2023

Risk Management: Disaster Recovery and Continuity of Operations Concepts

Disaster Recovery plan: A disaster recovery plan is also called a business continuity plan or business process continuity plan.

DRP: DRP stands for disaster recovery planning, which should include information security, asset security, and financial security plans.

As part of disaster recovery, it is important to have a location from which the recovery of a failed site can take place. This location is known as a backup site. In the event of a disaster, your site is recreated at the specified backup site and made available. Once the failed site is recovered, the backup site will be reverted to its previous status.

There are three different types of backup sites:

1. Cold backup sites

2. Warm backup sites

3. Hot backup sites

1. Cold site: Here only the bare minimums, such as space and furniture, are available. Everything else needs to be procured. The delay before the site is fully operational can be very large in this case.

2. Warm site: Here most of the hardware is in place, and you will probably need to recover the site from off-site backup and configure it. The site can be restored in a reasonable amount of time.

3. Hot site: A facility designed to provide immediate availability in the event of a system or network failure. All systems are appropriately configured and working; the only thing required is restoration of the latest backup.

Note that an onsite backup is not a backup site.

Backup concepts: It is recommended to store the backup tapes in a secure, physically distant location. This protects against unforeseen events such as natural disasters, fire, or theft. It is also important that the backup tapes are regularly verified for proper recovery on a test server, even when recovery is not actually required at that time. Otherwise you may discover that a backup tape is corrupt exactly when it is needed. The backup policy identifies the methods used to archive electronic and paper file systems. This policy works in conjunction with the information retention and storage policies.

Properly managed tape backups should include the following:

  • Regular backups according to a pre-determined plan
  • Verifying the backup tapes for integrity
  • Labeling tapes properly for easy and unique identification
  • Storing tapes securely at off-site location
  • Destroying data on old tapes before disposing of them

There are primarily three types of backups:

1. Full backup: All the data gets backed up. For large systems this involves huge amounts of data and may take hours to complete. A full backup is preferred over incremental or differential backups where feasible; when there is a large amount of data, a full backup is done once in a while and incremental or differential backups are done in between. A backup plan is usually put in place before backing up data.

2. Differential backup: A differential backup includes all the data that has changed since the last full backup. A differential backup taken earlier (after the full backup but before the current differential backup) becomes redundant, because all data changed since the last full backup is backed up again.

3. Incremental backup: It includes all the data changed since the last incremental backup. Note that for data restoration the full backup and all incremental backup tapes since the last full backup are required. The archive bit is set after each incremental backup. Incremental backup is useful for backing up large amounts of data, as it backs up only the files changed since the previous incremental backup.
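To make the restore-chain difference between the three backup types concrete, here is an added example in Python (not from the original post). It simulates a small file set changing over three days under a full+differential schedule and a full+incremental schedule, models the archive bit the way Windows-style backup tools use it (the operating system sets the bit when a file changes, full and incremental backups clear it, differential backups leave it set), and computes which tapes a restore needs: the last full plus only the newest differential, or the last full plus every incremental since. The file names, contents and schedules are constructed.

```python
"""Full, differential and incremental backups and the tapes a restore needs.

Added example, not from the original post. Files, contents and schedules
are constructed; archive-bit handling follows Windows-style backup tools.
"""
from dataclasses import dataclass


@dataclass
class Backup:
    kind: str    # "full", "differential" or "incremental"
    day: int
    files: dict  # file name -> content captured on that day


def run_schedule(changes_by_day, schedule):
    """changes_by_day: day -> {file: new content}; schedule: day -> backup kind."""
    disk, archive_bit, backups = {}, set(), []
    for day in sorted(set(changes_by_day) | set(schedule)):
        for name, content in changes_by_day.get(day, {}).items():
            disk[name] = content
            archive_bit.add(name)                  # modified since the bit was last cleared
        kind = schedule.get(day)
        if kind is None:
            continue
        captured = set(disk) if kind == "full" else set(archive_bit)
        backups.append(Backup(kind, day, {n: disk[n] for n in captured}))
        if kind in ("full", "incremental"):
            archive_bit.clear()                    # differential leaves the bit set
    return backups


def restore_chain(backups, target_day):
    """Backups needed, in order, to rebuild the state as of target_day."""
    usable = [b for b in backups if b.day <= target_day]
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before the target day")
    full = fulls[-1]
    later = [b for b in usable if b.day > full.day]
    diffs = [b for b in later if b.kind == "differential"]
    incs = [b for b in later if b.kind == "incremental"]
    chain = [full]
    if diffs:
        chain.append(diffs[-1])                            # only the newest differential
        chain += [b for b in incs if b.day > diffs[-1].day]
    else:
        chain += incs                                      # every incremental since the full
    return chain


def restore(chain):
    state = {}
    for b in chain:
        state.update(b.files)    # later tapes overwrite older versions
    return state


# Constructed scenario: two files, three days, two schedules
CHANGES = {1: {"payroll.db": "v1", "notes.txt": "v1"},
           2: {"payroll.db": "v2"},
           3: {"notes.txt": "v2"}}
DIFF_SCHEDULE = {1: "full", 2: "differential", 3: "differential"}
INC_SCHEDULE = {1: "full", 2: "incremental", 3: "incremental"}

if __name__ == "__main__":
    for label, sched in (("differential", DIFF_SCHEDULE), ("incremental", INC_SCHEDULE)):
        tapes = run_schedule(CHANGES, sched)
        chain = restore_chain(tapes, 3)
        print(label, [(b.kind, b.day, len(b.files)) for b in tapes],
              "restore uses days", [b.day for b in chain])
```

The simulation shows the trade-off the post describes: the day-3 differential tape holds both changed files (it grows each day, but restoring needs just two tapes), while the day-3 incremental holds only one file (smaller tapes, but losing the day-2 tape leaves payroll.db at the stale "v1" version). That is exactly why the verification and labeling practices listed above matter more for incremental chains.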

Tuesday, August 22, 2023

Risk Response Strategies: Mitigation, Transfer, Avoidance, and Acceptance

 

6 Key Steps in the Risk Management Process

The risk management process can make the unmanageable manageable, and can allow the project manager to operate on what seems to be a disadvantage and turn it into an advantage. Let’s see how:

1. Risk identification

You cannot address a risk you do not know about. There are many ways to identify risk.

One way is through brainstorming, a methodology which allows a group to examine a problem.

Another method is that of individual interviews. It consists of finding people with relevant experience, so that it is possible to gather information that will help the project manager identify the risk and find a possible solution.

Imagining the current project and thinking about the many factors that can go wrong is another technique. What can you do if a key team member is sick? What can you do if the material does not arrive within the defined deadline? Etc.

An aid in this phase is also to read the reports of similar past projects, verifying the presence of any problems encountered during the path, and see how these have been solved.

2. Risk analysis

The next step is to determine the likelihood that each of these risks will occur. This information should also be included in the risk register.

When evaluating the risks of a project, it is possible to address the situation proactively. For example, potential disputes can be avoided, regulatory problems can be solved, new legislation can be taken into account, etc.

Analyzing the risks is certainly difficult. There is never a limit to the information that can be collected in this sense.

Moreover, risks must be analyzed using both qualitative and quantitative analysis. This means that you determine the risk factor based on how it will potentially affect the project, through a variety of metrics.

3. Risk prioritization

Not all risks have the same level of severity. It is therefore necessary to assess each risk in order to know which resources will be gathered to resolve it, when and if it occurs.

Some risks will be more acceptable; others could even halt the project completely, making the situation quite serious.

Having a long list of risks can be daunting, but the project manager can manage them simply by classifying the risks as high, medium or low.

With this perspective, the project manager can then start planning how and when these risks will be addressed.

Some risks require immediate attention; these are the risks that can derail the project.

Other risks are important, they probably won’t threaten the success of the project, but will delay it.

Then, there are those risks that have little or no impact on the program and the overall project budget.

Some of these low-priority risks could be important, but not enough to be urgently addressed. Indeed, they can be set aside for a while; time may eliminate them or improve the situation.

4. Assign an owner to the risk

All the hard work of identifying and assessing risks is useless unless the project manager assigns someone to oversee the risk.

Who is the person responsible for that risk, the one who would take charge of its resolution if it were to occur?

This decision, in general, is up to the project manager who knows the level of experience and training of each team member and is therefore able to assess the most suitable person to face a particular risk.

It is certainly important to identify the risks, but if these are not managed by a person in charge, the work will have been completely useless and the project will not be adequately protected.

5. Respond to the risk

Now comes the moment, when all that has been planned must be put into practice.

For each identified risk, based on priority, a mitigation plan or strategy is created.

The project manager should deal with the risk owner in order to decide together which strategy to implement to resolve the risk.

6. Risk monitoring

Obviously, every strategy to respond to the risk is useless if it is not monitored in its success – or failure.

The risk owner is also responsible for monitoring the progress towards resolution.

But also the project manager needs to stay updated in order to get an accurate picture of the overall progress and to identify and monitor potential new risks that may arise from the new situation.

It is better to ensure that dedicated communication channels for risk management are organized, so that important elements and information are not lost.


Risk mitigation

After the risk has been identified and assessed, the project team develops a risk mitigation plan, i.e., a plan to reduce the impact of an unexpected event.

Here are the four ways to manage or mitigate a risk:

  • Risk avoidance
  • Risk acceptance and sharing
  • Risk mitigation
  • Risk transfer

Each of these mitigation techniques can be an effective tool to reduce individual risks and the risk profile of the project.

Let’s see these four techniques in detail.

1. Risk avoidance

This technique usually involves developing an alternative strategy that is more likely to succeed, but is usually linked to a higher cost.

A very common risk elimination technique is to use proven and existing technologies rather than adopting new technologies, although they could lead to better performance or lower costs.

A project team can choose a supplier with a proven track record instead of a new supplier that offers significant price incentives, in order to avoid the risk of working with a new supplier whose reliability is unknown.

Eliminating a risk is the most effective technique: if the project manager can avoid a risk entirely, it cannot have a negative impact on the project.

2. Risk acceptance and sharing

This technique involves accepting the risk and collaborating with others in order to share responsibility for risky activities.

Many organizations working on international projects will reduce the political, legal, and employment risks associated with international projects by developing a joint venture with a company based in a particular country, for example.

Partnering with another company to share the risk associated with a part of the project is advantageous when the other company has experience that the project team does not have. If a risk event occurs, the partner company absorbs all or part of the negative impact of the event.

3. Risk mitigation

Risk mitigation represents an investment in order to reduce the risk on a project.

On international projects, for example, companies will often buy a guaranteed exchange rate in order to reduce the risk associated with exchange rate fluctuations.

A project manager can hire an expert to review technical plans or cost estimates on a project in order to increase confidence in that plan.

Assigning high-risk management activities to highly qualified project personnel is another risk reduction method.

Experts who run a high-risk activity can often anticipate problems and find solutions.

4. Risk transfer

Risk transfer is a risk reduction method that shifts risk from the project to another party.

A classic example of risk transfer is the purchase of insurance. The risk is transferred from the project to the insurance company.

Insurance is usually purchased for areas beyond the control of the project team. Weather, political unrest, and strikes are examples of events that can have a significant impact on the project and that are beyond the control of the project team.

Simply put, it is a matter of paying someone else to accept the risk.

Risk management may seem superfluous at the beginning of the project. When a project manager is starting a new project, it is indeed difficult to think about things that could go wrong, especially if he is caught up in the initial enthusiasm.

It is essential to remember, however, that the development of a management plan will – most likely – be useful later during the development of the project.

This is why risk management must be considered an absolute priority from the start.

Interoperability Agreements

There are multiple instances where an organization works with another organization as a third party, and this can bring up a variety of security issues. A third party is an entity that isn’t directly involved in activities between two primary parties.

In many situations, it’s appropriate to use a non-disclosure agreement (NDA) to ensure that third parties understand their responsibilities. This can be a completely separate agreement, but is more commonly embedded as a clause in a contract with the third party.

In addition to NDAs, organizations often utilize different interoperability agreements to identify various responsibilities. These include ISAs, SLAs, MOUs, and BPAs.

Interconnection security agreement (ISA)

An ISA specifies technical and security requirements for planning, establishing, maintaining, and disconnecting a secure connection between two or more entities. For example, it may stipulate certain types of encryption for all data in transit.

Service level agreement (SLA)

An SLA is an agreement between a company and a vendor that stipulates performance expectations, such as minimum uptime and maximum downtime levels. Organizations use SLAs when contracting services from service providers such as Internet Service Providers (ISPs). Many SLAs include a monetary penalty if the vendor is unable to meet the agreed-upon expectations.

Memorandum of understanding (MOU)

An MOU expresses an understanding between two or more parties indicating their intention to work together toward a common goal. It is similar to an SLA in that it defines the responsibilities of each of the parties. However, it is less formal than an SLA and does not include monetary penalties. Additionally, it doesn’t have strict guidelines in place to protect sensitive data.

Many times, MOUs are used in conjunction with ISAs. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47, “Security Guide for Interconnecting Information Technology Systems,” includes more in-depth information on MOUs and ISAs.

Business partners agreement (BPA)

A BPA is a written agreement that details the relationship between business partners, including their obligations toward the partnership. It typically identifies the shares of profits or losses each partner will take, their responsibilities to each other, and what to do if a partner chooses to leave the partnership. One of the primary benefits of a BPA is that it can help settle conflicts when they arise.

Q. Your organization is considering storage of sensitive data in a cloud provider. Your organization wants to ensure the data is encrypted while at rest and while in transit. What type of interoperability agreement can your organization use to ensure the data is encrypted while in transit?

A. SLA

B. BPA

C. MOU

D. ISA

Answer. D is correct. An interconnection security agreement (ISA) specifies technical and security requirements for secure connections and can ensure data is encrypted while in transit.

None of the other agreements address the connection.

Sunday, August 20, 2023

Spoofing Attack: IP, DNS & ARP

Having a well-developed security posture is essential to any business. Organizations should not assume the security of their customers' data and instead must take proactive steps to ensure it throughout the development process. Veracode provides powerful cloud-based tools, including static and dynamic security analysis, to detect vulnerabilities and security flaws before attackers can take advantage of them.

One common threat to be wary of is spoofing, where an attacker fakes an IP address or other identifier to gain access to sensitive data and otherwise secure systems. According to a 2018 report by the Center for Applied Internet Data Analysis (CAIDA), there are close to 30,000 spoofing attacks per day.

What Is a Spoofing Attack?

Spoofing is when an attacker impersonates an authorized device or user to steal data, spread malware, or bypass access control systems.

There are many different types of spoofing, with three of the most common being:

  • IP address spoofing - Attacker sends packets over the network from a false IP address
  • ARP spoofing - Attacker links their MAC address to an authorized IP address already on the network
  • DNS spoofing - Attacker initiates a threat such as cache poisoning to reroute traffic intended for a specific domain name to a different IP address


IP Address Spoofing Attacks

An IP (Internet Protocol) address is a unique number used to identify a specific computer on a network. In IP address spoofing, attackers manipulate the IP header so that the packet appears to be coming from a legitimate source. This tricks the target machine into accepting malicious code or giving attackers access to sensitive data.

IP address spoofing can be used to carry out a denial-of-service attack. In this attack, attackers flood the network with more data than it can handle by sending hundreds or thousands of IP packets from multiple spoofed IP addresses. Alternatively, a specific machine's address can be spoofed to send many packets to other machines on the same network. Because machines automatically send responses when they receive an IP packet, this results in the spoofed machine being knocked offline.

Another way attackers use IP spoofing is to bypass authentication that relies upon a device's IP address. Systems that treat a specific list of IP addresses as trustworthy can be tricked into accepting connections from untrusted machines that spoof a trusted machine's IP address.

ARP Spoofing Attacks/ARP Cache Poisoning

ARP (Address Resolution Protocol) is used to identify legitimate machines on a network by resolving IP addresses to a specific MAC (Media Access Control) address. In ARP spoofing, an attacker sends ARP packets to the network, which appear to be from these legitimate devices. Because other machines on the network will think the attacker is legitimate, they will gladly send data back, which the attacker can use for other, more sophisticated attacks.

Successful ARP spoofing can be used to carry out:

  • Denial-of-service attacks, where networks or machines are flooded with bogus data and taken offline
  • Session hijacking, in which attackers exploit in-progress authentication by legitimate users to gain unauthorized access to data and devices
  • Man-in-the-middle attacks, where attackers impersonate multiple devices to steal data intended for legitimate devices

DNS Spoofing Attacks

In DNS spoofing, an attacker provides false information to the DNS (Domain Name System) facility used by a given system, usually by inserting incorrect information into the local DNS cache. When an application needs to access a network resource by hostname, the system looks up the IP address associated with that name by sending a DNS query to a DNS server that is configured for the network. To reduce load on that server, most systems cache the responses to DNS queries for a time, so if an attacker is able to alter the contents of that cache, they can trick applications into connecting to an IP address different from the one registered in the DNS system for that hostname.

DNS server spoofing is often used to route web traffic to a server under the attacker's control in order to deliver viruses and other malware onto users' machines, or to trick the user into supplying sensitive information.
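The defensive counterpart to the cache poisoning described above is a cache that refuses to store any answer it did not ask for. The following is an added example, not code from the original article: a minimal stub-resolver cache that only accepts a response whose transaction ID, question, responding server and destination port all match a query it actually sent. All addresses and names are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class DnsQuery:
    txid: int
    qname: str
    qtype: str
    server: str    # "ip:port" the query was sent to
    src_port: int  # randomized UDP source port the query was sent from
@dataclass
class DnsResponse:
    txid: int
    qname: str
    qtype: str
    answer: str
    ttl: int
    from_addr: str  # "ip:port" the response arrived from
    to_port: int    # UDP port on our side the response was addressed to

class ValidatingCache:
    # Accepts a response only if it matches an outstanding query on every field.
    def __init__(self):
        self.pending = {}   # (txid, qname, qtype) -> DnsQuery
        self.cache = {}     # (qname, qtype) -> (answer, expires_at)
        self.rejected = 0

    def send(self, q):
        self.pending[(q.txid, q.qname.lower(), q.qtype)] = q

    def receive(self, r, now):
        key = (r.txid, r.qname.lower(), r.qtype)
        q = self.pending.get(key)
        if q is None or q.server != r.from_addr or q.src_port != r.to_port:
            self.rejected += 1      # unsolicited, mismatched or off-path reply
            return False
        del self.pending[key]
        self.cache[(r.qname.lower(), r.qtype)] = (r.answer, now + r.ttl)
        return True

    def lookup(self, qname, qtype, now):
        entry = self.cache.get((qname.lower(), qtype))
        return None if entry is None or entry[1] <= now else entry[0]

def demo():
    c = ValidatingCache()
    c.send(DnsQuery(0x1A2B, "example.com", "A", "198.51.100.53:53", 40123))
    # Constructed replies: the first has the wrong txid and comes from another host.
    forged = DnsResponse(0x0001, "example.com", "A", "203.0.113.66", 3600, "198.51.100.54:53", 40123)
    real = DnsResponse(0x1A2B, "example.com", "A", "192.0.2.10", 300, "198.51.100.53:53", 40123)
    return c.receive(forged, 0), c.receive(real, 0), c.lookup("example.com", "A", 100), c.rejected
```

`demo()` returns `(False, True, "192.0.2.10", 1)`: the forged reply is counted and dropped, the genuine one is cached until its TTL expires.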

How to Prevent and Mitigate Spoofing Attacks

Spoofing attacks can have disastrous consequences, but there are ways to reduce their likelihood and prevent them altogether.

Employ Packet Filtering with Deep Packet Inspection

Packet filtering analyzes IP packets and blocks those whose source information conflicts with where they arrived. A spoofed packet that claims an internal source address but enters on the Internet-facing interface cannot be genuine, whatever its header says, so dropping such packets is a good way to eliminate spoofed IP traffic. Because attackers have developed techniques for evading simple packet filters, most packet-filter systems offer a DPI (Deep Packet Inspection) feature. DPI allows you to define rules based on both the header and the content of network packets, allowing you to filter out many kinds of IP spoofing attacks.
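The header-consistency part of that filtering is simple enough to write down. The following is an added example, not code from the original article: an ingress/egress filter in the style of BCP 38 that drops packets whose source address is inconsistent with the interface they arrived on, plus sources that should never appear on the wire. The prefixes, interface names and sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology: the internal networks this filter protects.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]
# Source addresses that should never appear on any wire-facing interface.
BOGON_PREFIXES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

@dataclass
class Packet:
    iface: str   # "wan" (Internet-facing) or "lan" (internal)
    src: str
    dst: str

def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def filter_packet(pkt):
    """Return ("accept" | "drop", reason) for a packet seen on pkt.iface."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, BOGON_PREFIXES):
        return "drop", "bogon source"
    if pkt.iface == "wan" and _in_any(src, INTERNAL_PREFIXES):
        # Ingress filtering: an outside packet claiming an inside source is spoofed.
        return "drop", "internal source on external interface"
    if pkt.iface == "lan" and not _in_any(src, INTERNAL_PREFIXES):
        # Egress filtering: inside hosts may only send from inside addresses.
        return "drop", "non-internal source on internal interface"
    return "accept", "source consistent with interface"

# Constructed sample traffic, one packet per case.
SAMPLE_PACKETS = [
    Packet("wan", "203.0.113.5", "10.0.0.10"),     # legitimate inbound
    Packet("wan", "10.0.0.7", "10.0.0.10"),        # spoofed: inside address from outside
    Packet("lan", "192.168.1.20", "203.0.113.5"),  # legitimate outbound
    Packet("lan", "198.51.100.9", "203.0.113.5"),  # spoofed: outside address from inside
    Packet("wan", "127.0.0.1", "10.0.0.10"),       # bogon
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = filter_packet(pkt)
        print(f"{pkt.iface:>3} {pkt.src:>15} -> {verdict} ({reason})")
```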

Authenticate users and systems

If devices on a network use only IP addresses for authentication, IP spoofing can bypass that authentication control. Connections between devices should be authenticated by the individual users or applications, or by using authentication mechanisms such as mutual certificate authentication, IPSec, and domain authentication.

Use Spoofing Detection Software

Several programs help detect spoofing attacks, especially ARP spoofing. Consider a tool like NetCut, Arp Monitor, or arpwatch for ARP spoofing defense. These and other tools inspect and verify data before it is accepted by a target machine, which can significantly lower the success rate of spoofing attacks.
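To show what such a tool watches for, here is an added example in the spirit of arpwatch; it is not code from the article or from any of the tools named above. It keeps a table of IP-to-MAC bindings seen in ARP replies, treats pinned entries (such as the gateway) as authoritative, and raises an alert when a binding changes or when one MAC starts answering for several IP addresses. The addresses and events are constructed.

```python
from collections import defaultdict

class ArpMonitor:
    # Tracks IP -> MAC bindings seen in ARP replies and flags changes, in the
    # spirit of arpwatch. Pinned entries (e.g. the gateway) are never relearned.
    def __init__(self, pinned=None):
        self.table = dict(pinned or {})        # ip -> mac
        self.pinned = set(self.table)
        self.ips_by_mac = defaultdict(set)     # mac -> {ip, ...}
        for ip, mac in self.table.items():
            self.ips_by_mac[mac].add(ip)
        self.alerts = []

    def observe(self, ip, mac):
        mac = mac.lower()
        known = self.table.get(ip)
        if known is None:                      # first sighting: learn it
            self.table[ip] = mac
            self.ips_by_mac[mac].add(ip)
            return None
        if known == mac:
            return None
        if ip in self.pinned:
            alert = f"pinned {ip} claimed by {mac} (expected {known})"
        else:
            alert = f"{ip} changed from {known} to {mac}"
            self.table[ip] = mac
            self.ips_by_mac[known].discard(ip)
        self.ips_by_mac[mac].add(ip)
        # One MAC answering for several IPs is the classic man-in-the-middle sign.
        if len(self.ips_by_mac[mac]) > 1:
            alert += f"; {mac} now answers for {sorted(self.ips_by_mac[mac])}"
        self.alerts.append(alert)
        return alert

def replay(events, pinned=None):
    mon = ArpMonitor(pinned)
    for ip, mac in events:
        mon.observe(ip, mac)
    return mon.alerts

SAMPLE_EVENTS = [  # constructed ARP replies (ip, mac) in arrival order
    ("192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway, matches the pinned value
    ("192.168.1.20", "aa:bb:cc:00:00:20"),   # workstation learned normally
    ("192.168.1.1", "de:ad:be:ef:00:99"),    # another MAC claims the gateway
    ("192.168.1.20", "de:ad:be:ef:00:99"),   # ...and the workstation as well
]

if __name__ == "__main__":
    for a in replay(SAMPLE_EVENTS, pinned={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print("ALERT:", a)
```

Replaying the sample produces two alerts: the pinned gateway being claimed by a foreign MAC, then the workstation binding changing to that same MAC, which now answers for both addresses.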

Use Encrypted and Authenticated Protocols

Security experts have developed several secure communications protocols, including Transport Layer Security (TLS) (used by HTTPS and FTPS), Internet Protocol Security (IPSec), and Secure Shell (SSH). When used properly, these protocols authenticate the application or device to which you’re connecting, and encrypt data in transit, reducing the likelihood of a successful spoofing attack.