Security Detective Monitoring Data Analysis - Ethan White

School: Salisbury University
Course: MISC
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 11
CST 610 Project 2
Cyberspace and Cybersecurity Foundations
Security Detective Monitoring Data Analysis Template
Prepared By: Ethan White

Version 1.0

Table of Contents
Introduction ........ 3
Objectives ........ 3
Definitions ........ 3
Predictions ........ 3
Methodology ........ 3
Reflections ........ 3
Introduction

[Summarize the purpose of doing this work]

The purpose of this Security Detective Monitoring Data Analysis document is to test FICBANK's ability to collect and query security monitoring data by conducting a preliminary analysis of that data. The security monitoring data consists of three logs: access-1.log, apache_logs, and access-2.log.

Objectives

1. Prepare to assess FICBANK's security monitoring infrastructure.
2. Conduct a preliminary security monitoring data analysis.

Definitions

cat – Outputs file content, e.g. cat leaping.log
| – Pipe: takes the output of the command on the left and uses it as input for the command on the right
wc – Word count: counts the number of lines, words, and characters
cut – Extracts fields (columns that you specify) from lines
sort – Alphabetizes input
uniq – Deduplicates: detects repeated lines if they are adjacent and removes the duplicates
head – Displays the first 10 lines of input; use head -n [number] to change the default number
grep – Conducts a case-sensitive search (by default)
\| – The "or" operator inside a grep pattern; the pipe is escaped with a backslash so that it is read as alternation rather than as a shell pipe
awk – Evaluates a condition if one is provided and then takes an action. The default action is to print whatever meets the condition.

Predictions

Document the predictions you made before starting the hands-on activity here.

1. What kinds of information do you think will be in the log file(s)?
   a. Information about the computer that made a request or received a request to do something; the date that the request happened; the action of the request and where the request originated.
2. What information might not be in the log file(s)?
   a. What exactly the request does, such as specifics on how the request was carried out or why it was not able to be carried out.
3. What tools, techniques, and practices might be best suited to analyzing security monitoring data?
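As an added example that is not part of the report, the following POSIX shell script applies the commands defined above to a constructed Apache combined-format access log (the sample lines, IP addresses and user agents are made up) and reproduces the kinds of counts the Methodology section later reports for access-1.log and apache_logs: requests per method, unique status codes, largest response body, unique IPs, top IP, most-requested URL, unique user agents, and the most frequent Firefox version. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the report): the commands from the Definitions section,
# applied to a constructed Apache "combined" access log so every count can be
# checked by hand.
# Field layout when split on spaces:
#   $1 client IP, $6 "METHOD (keeps its leading quote), $7 path, $9 status, $10 body bytes
# Field layout when split on double quotes (awk -F'"'): $2 request line, $6 user agent

# Constructed sample log standing in for access-1.log / apache_logs.
sample_log() {
  cat <<'EOF'
192.0.2.10 - - [06/Dec/2023:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
192.0.2.10 - - [06/Dec/2023:10:00:02 -0500] "GET /favicon.ico HTTP/1.1" 200 120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
198.51.100.7 - - [06/Dec/2023:10:00:03 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; rv:45.0) Gecko/20100101 Firefox/45.0"
198.51.100.7 - - [06/Dec/2023:10:00:04 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.5 - - [06/Dec/2023:10:00:05 -0500] "HEAD /index.html HTTP/1.1" 200 0 "-" "curl/7.68.0"
203.0.113.5 - - [06/Dec/2023:10:00:06 -0500] "CONNECT example.net:443 HTTP/1.1" 400 561 "-" "-"
192.0.2.10 - - [06/Dec/2023:10:00:07 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0"
EOF
}

# wc: total number of log lines
total_lines() { sample_log | wc -l | tr -d ' '; }

# awk with a condition: requests using one method (strip the leading quote from $6 first)
count_method() {
  sample_log | awk -v m="$1" '{ sub(/^"/, "", $6); if ($6 == m) n++ } END { print n + 0 }'
}

# cut | sort | uniq -c | sort -rn: requests per method, most frequent first
method_breakdown() { sample_log | cut -d' ' -f6 | tr -d '"' | sort | uniq -c | sort -rn; }

# number of distinct status codes (awk's seen[] array is an order-independent sort | uniq)
unique_status_codes() { sample_log | awk '!seen[$9]++ { n++ } END { print n + 0 }'; }

# largest response body; the regex skips the "-" Apache writes for an empty body
largest_body() {
  sample_log | awk '$10 ~ /^[0-9]+$/ && $10 + 0 > max + 0 { max = $10 } END { print max + 0 }'
}

unique_ips() { sample_log | cut -d' ' -f1 | sort -u | wc -l | tr -d ' '; }

# the classic "top talker" pipeline; head -n 1 keeps only the busiest entry
top_ip() {
  sample_log | cut -d' ' -f1 | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2, $1 }'
}

top_url() {
  sample_log | cut -d' ' -f7 | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2, $1 }'
}

count_status() { sample_log | awk -v s="$1" '$9 == s { n++ } END { print n + 0 }'; }

# distinct user agents, excluding the "-" Apache writes when the header is missing
unique_user_agents() {
  sample_log | awk -F'"' '$6 != "-" && !seen[$6]++ { n++ } END { print n + 0 }'
}

# grep with the escaped "or" operator from the Definitions (GNU basic regex);
# grep -E 'Firefox|Googlebot' is the portable spelling of the same search
firefox_or_googlebot() { sample_log | grep -c 'Firefox\|Googlebot'; }

# grep -o pulls out just the "Firefox/NN" token so versions can be tallied
top_firefox_version() {
  sample_log | grep -o 'Firefox/[0-9]*' | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2, $1 }'
}

# Print the same kinds of figures the Methodology questions ask for.
echo "lines: $(total_lines)  GET: $(count_method GET)  CONNECT: $(count_method CONNECT)"
echo "unique status codes: $(unique_status_codes)  largest body: $(largest_body) bytes"
echo "unique IPs: $(unique_ips)  top IP: $(top_ip)  top URL: $(top_url)"
echo "200 responses: $(count_status 200)  unique user agents: $(unique_user_agents)"
echo "Firefox or Googlebot lines: $(firefox_or_googlebot)  top Firefox: $(top_firefox_version)"
```

Each function is one pipeline of the tools defined above; the awk variants exist because a status column that contains "-" or a missing User-Agent header breaks a naive cut-based count, which is exactly the kind of mismatch the validation step in the Reflections is meant to catch.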
   a. A great understanding of how to get useful information from logs; Bash scripts that can sort and organize the data according to user-specified requests, in order to get the exact information needed from a large database; and an understanding of the exploits that could have been logged, in order to analyze them.

Methodology

[Provide an answer to each question in the hands-on instructions along with evidence of your practice work]

Access-1.log Questions

1.) There were 127 GET requests logged.
2.) There were 5 unique status codes returned by the server.
3.) The largest response body was 561 bytes.
4.) There were 10 CONNECT, 127 GET, 4 HEAD, and 4 POST attempts made.
5.) There were 11 entries that contained raw binary data.
6.) Of these 11 entries, 10 were likely the result of an attempt to establish an SSL or TLS connection.
7.) There were 55 unique user agents, excluding empty or missing user agents.
8.) There were 11 requests made by Firefox.
9.) There were 2 attempts to exploit CVE-2020-8515.

Apache_log Questions

1.) There were 10,000 total lines in the log file.
2.) There were 1753 unique IPs in the log file.
3.) The IP address that the server got the most traffic from was 66.249.73.135, with a total of 482 requests.
4.) The URL that was most visited was favicon.ico, which was visited 807 times.
5.) The total number of requests that got a 200 response is 9126.

Access-2.log Questions

1.) There were 60 GET requests made.
2.) There were 48 unique IP addresses that made requests.
3.) There were different IP addresses to reach the server.
4.) There were 19 requests that yielded a 200 status.
5.) There were 38 requests that yielded a 400 status.
6.) The 186.64.69.141 IP address rang at the doorbell.
7.) Googlebot version 2.1 visited the website.
8.) 61.161.130.241 attempted to exploit the Shellshock vulnerability by using bash commands.
9.) The most frequently used version of Firefox was 31.
10.) The most common HTTP method used was the GET method.

Reflections

General:

1. What tools did you use to collect and query security monitoring data?
   a. I used Bash commands and the Visual Code search function in order to collect and query security monitoring data.
2. What data sources did you analyze during the project?
   a. The three data sources I analyzed during the project were access-1.log, access-2.log, and apache_logs.
3. How did you validate the accuracy of the security monitoring data?
   a. I would validate the accuracy of the security monitoring data by running commands to check for the data and then commands to check where the data I was looking for was not present. Then, by comparing the two data points, I was able to verify whether the commands were accurate or whether there needed to be changes to filter out incorrect information.
4. What challenges did you face when analyzing the security monitoring data?
   a. I went down a long rabbit hole for the question "what IP address rang at the doorbell" when googling the question for further information on what this might mean. I ended up looking at a lot of Ring doorbell documentation for connecting a Ring doorbell to a network. Only when manually searching through access-2.log did I find the answer to the question, and also the answer to why my bash search for "doorbell" did not work: it was misspelled as "Ringing.at.your.dorbell!". Other than that I did not face any big challenges, since I am well versed in Bash commands and how to search through data.

Technical:

1. What insights did you gain about the types of attacks that FICBANK may face based on the security monitoring data analysis?
   a. Some insights that I gained are that FICBANK may be faced with attacks from vulnerabilities in previous versions of software. This can be seen in how IPs are accessing with different Firefox versions. Some of these versions are not the newest version, which means that there might be vulnerabilities that could have been patched. This could be exploited on IPs that do not use the latest version of software.
2. How did you approach identifying patterns and anomalies in the security monitoring data?
   a. By first looking at all the different HTTPS methods used, I can find patterns and anomalies that could be vulnerabilities or malicious attempts to get FICBANK information. For instance, in Access-2.log there were 60 GET, 15 CONNECT, 1 HEAD, 1 POST, and 1 QUIT methods used. If this information is documented each time there is a log file, you could see patterns and anomalies in it that could be from security breaches. For example, if one month the logs show an excessive amount of QUIT methods, then there is an anomaly that could be a vulnerability being exploited, since this was not the previous pattern.
3. What methodologies did you use to conduct the practice analysis of the security monitoring data?
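The following shell script is an added example, not the author's own commands, that turns three points from the Reflections and the Access-2.log questions into checks that can be run: the validation-by-complementary-counts approach (Reflections, General question 3), the method-count baseline comparison that would flag an unexpected QUIT (Technical question 2), the strict versus tolerant search for the misspelled "Ringing.at.your.dorbell!" marker (General question 4), and a check for the "() {" User-Agent prefix used by Shellshock probes (Access-2.log question 8). The two sample logs, their IPs, paths and user agents are constructed; "baseline_log" stands in for an earlier period and "current_log" for the period under review.

```shell
#!/bin/sh
# Added example (not from the report): validation and anomaly checks on two constructed
# access logs. All IPs, paths and user agents are made up.
# Fields when split on double quotes (awk -F'"'):
#   $1 = "IP - - [date] ", $2 = request line, $3 = " status bytes ", $6 = user agent

# Constructed "earlier period" log: only the methods normally seen.
baseline_log() {
  cat <<'EOF'
192.0.2.10 - - [05/Dec/2023:11:00:01 -0500] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 Firefox/31.0"
192.0.2.10 - - [05/Dec/2023:11:00:02 -0500] "HEAD / HTTP/1.1" 200 0 "-" "curl/7.68.0"
198.51.100.7 - - [05/Dec/2023:11:00:03 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 Firefox/31.0"
EOF
}

# Constructed "period under review" log, standing in for access-2.log.
current_log() {
  cat <<'EOF'
198.51.100.7 - - [06/Dec/2023:11:00:01 -0500] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 Firefox/31.0"
198.51.100.7 - - [06/Dec/2023:11:00:02 -0500] "GET /robots.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 Firefox/31.0"
203.0.113.9 - - [06/Dec/2023:11:00:03 -0500] "QUIT" 400 226 "-" "-"
203.0.113.9 - - [06/Dec/2023:11:00:04 -0500] "GET /Ringing.at.your.dorbell! HTTP/1.1" 404 209 "-" "-"
192.0.2.44 - - [06/Dec/2023:11:00:05 -0500] "GET /cgi-bin/status HTTP/1.1" 400 226 "-" "() { :; }; echo probe"
192.0.2.44 - - [06/Dec/2023:11:00:06 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 Firefox/45.0"
EOF
}

# Validation by complementary counts: the lines matching a filter plus the lines NOT
# matching it must add up to the total, otherwise the filter is mis-parsing some lines.
validate_status_split() {
  current_log | awk -F'"' '
    { split($3, s, " "); if (s[1] == "200") hit++; else miss++ }
    END { printf "%s %d %d %d\n", ((hit + miss == NR) ? "ok" : "mismatch"), hit, miss, NR }'
}

# Requests per method, read from the request line so that a malformed request such as
# a bare "QUIT" (no path, no protocol version) is still counted under the right method.
method_counts() {
  "$1" | awk -F'"' '{ split($2, r, " "); c[r[1]]++ } END { for (m in c) print m, c[m] }' | sort
}

# Anomaly check: methods present in the current period that never appeared in the baseline.
new_methods() {
  { method_counts baseline_log | sed 's/^/B /'; method_counts current_log | sed 's/^/C /'; } |
    awk '$1 == "B" { base[$2] = 1 } $1 == "C" && !($2 in base) { print $2, $3 }'
}

# The literal search the report describes, which finds nothing because of the typo...
strict_doorbell_hits() { current_log | grep -c 'doorbell' || true; }

# ...and a tolerant one: case-insensitive, one or two o's (POSIX interval in a basic regex).
tolerant_doorbell_hits() { current_log | grep -ic 'do\{1,2\}rbell' || true; }

# Source IPs whose User-Agent begins with the "() {" function-definition prefix that
# Shellshock probes place in HTTP headers (the sample header above is constructed).
shellshock_ua_sources() {
  current_log | awk -F'"' 'substr($6, 1, 4) == "() {" { split($1, a, " "); print a[1] }' | sort -u
}

echo "status split check: $(validate_status_split)"
echo "methods new since baseline: $(new_methods)"
echo "doorbell hits strict/tolerant: $(strict_doorbell_hits)/$(tolerant_doorbell_hits)"
echo "Shellshock-style user agents from: $(shellshock_ua_sources)"
```

The baseline comparison is the reflection's "document the method counts each time" idea made mechanical: the earlier period's method set is loaded into an awk array first, and anything in the current period outside that set is reported with its count. The strict/tolerant pair shows why a search that returns zero should itself be treated as a finding to check, not as proof of absence.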