BlumensteinElliott_CST610_Project2 (3).docx
School: University of Maryland
Course: 610
Subject: Information Systems
Date: Jan 9, 2024
Type: docx
Pages: 17
Uploaded by afeeblemind
CST 610 Project 2
Cyberspace and Cybersecurity Foundations
Security Detective Monitoring Data Analysis Template
Prepared By: Elliott Blumenstein
Version 1.0
Table of Contents
Introduction ........ 3
Objectives ........ 3
Definitions ........ 3
Predictions ........ 3
Methodology ........ 3
Reflections ........ 3
Introduction
The Security Assessment Report exposed FICBank’s services and their vulnerabilities. At the owner's request, this report is a deeper look at the ability of FICBank's IT infrastructure to detect, analyze, and assess potential threats. We will use various tools to access the logs of the machines and systems and provide a preliminary analysis of the results.
Objectives
1. Prepare to assess FICBank’s security monitoring infrastructure.
2. Conduct a preliminary security monitoring data analysis.
Definitions
During our analysis there will be some keywords the client may need help understanding. Below, we define the essential terms used in what we are analyzing.
“Log files – or simply ›logs‹ – are automatically generated text files that record specific technical information of a broad range of events taking place in a computer system or software application such as date, time, and type of event or executed action” (Strippel, 2020, p. 320).
GET request in the log file – “HTTP communication consists of a retrieval request” (Roy T. Fielding, 2014).
HTTP status code – three-digit numbers generated by a server to respond to a browser’s request (A, 2023). (The XX portion means that each class covers more statuses than just 200, 300, and 400.)
- 2XX code: the request was successful.
- 3XX code indicates that the request has more than one possible response.
- 4XX code indicates that the server cannot or will not process the request due to something perceived to be a client error.
Secure Sockets Layer (SSL) – “a standard security technology for establishing an encrypted link between a server and a client” (SSL Security Definition, n.d.).
Transport Layer Security (TLS) – “one of the most widely used security protocols on the web for ensuring secured network communication” (Chen, 2019, p. 1).
Predictions
When looking at these log files, we should expect to find log lines recording the IP addresses used to browse URLs. We should see the IP address, the time the URL was accessed, which URL was browsed, and the status code showing whether the request succeeded or resulted in an error. There should be an HTTP response size in bytes, and the URL itself should be present in each line. These are the kinds of information we should see when we analyze the log files, but there is also some information we may not see in them.
Log files contain much valuable information for monitoring and troubleshooting, but they may not always contain every piece of information. When visiting URLs, the user might be accessing visual or graphic information; we will not see that, since log files are text-based and do not store audio or multimedia content. The log files capture actions as they occur and might not provide historical information, so we do not expect to see all the historical information, which might require additional resources. As for resources, we must use specific tools to analyze the log files. We should use a text editor to find certain aspects of the log. We will also use the program Spyder to write Python code that produces specific outputs, which we discuss later in the analysis portion.
Methodology
Access-1.log
Counting the "GET" requests was easy. In Notepad++, CTRL+F opens the Find window; searching for GET and using its count function gives 127.
Above is a Python program written in Spyder. I had done some research and played with the code, and the code let me produce an output giving the number of unique status codes. In the code, the element index is found by counting how many spaces precede the status code. Also, using specific programs that let me get the correct code helped. With that, I got an output of five unique status codes.
The largest response body in bytes that the Spyder script gave me was 561 bytes. The number of bytes appears right after the status code. Example:
64.233.172.114 - - [02/May/2020:08:23:11 +0000] "GET /favicon.ico HTTP/1.1" 404 561 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Google Favicon"
In this line, 404 is the status code, and the number right after it, 561, is how big the response was.
HTTP tunneling is used to create a network link between two computers. Using the code, we were able to see that ten attempts were made. HTTP tunneling is “used to create a network link between two computers in conditions of restricted network connectivity including firewalls, NATs, and ACLs among other restrictions” (Shyam, 2019). One hundred fifty-six entries have invalid request lines containing raw binary data. An invalid request line is an HTTP request line that does not conform to the format of an HTTP request.
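The following Python script is an added example, not the report's own Spyder program. It parses lines in the Apache "combined" log format that the example above uses and computes the same figures the methodology describes: the number of GET requests, the set of unique status codes, the largest response body, the number of HTTP tunneling attempts, and the number of invalid request lines containing raw binary data. The sample input is constructed here: the first line is the one quoted in the report, the rest are made up, and the counts below are for this sample, not for Access-1.log. Two assumptions are built in: tunneling attempts are taken to be CONNECT requests, and raw binary data is recognised by the \xNN escapes Apache writes for non-printable bytes (or by literal control characters), so a different web server may need a different check.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format. The first line is the
# example quoted in the report; the others are made up here and are NOT from Access-1.log.
# The fifth line shows a request line holding raw binary data after Apache has escaped the
# non-printable bytes as \xNN (\x16\x03\x01 is a TLS record header sent to a plain-HTTP port).
SAMPLE_LOG = r'''
64.233.172.114 - - [02/May/2020:08:23:11 +0000] "GET /favicon.ico HTTP/1.1" 404 561 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Google Favicon"
198.51.100.7 - - [02/May/2020:08:24:02 +0000] "GET /index.html HTTP/1.1" 200 1320 "-" "Mozilla/5.0"
198.51.100.7 - - [02/May/2020:08:24:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [02/May/2020:08:25:17 +0000] "CONNECT example.net:443 HTTP/1.1" 405 230 "-" "curl/7.64.0"
203.0.113.9 - - [02/May/2020:08:25:18 +0000] "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" 400 226 "-" "-"
192.0.2.44 - - [02/May/2020:08:26:40 +0000] "GET /robots.txt HTTP/1.1" 200 - "-" "Googlebot/2.1"
'''

# One combined-format line: ip, identd, user, [timestamp], "request", status, size, "referer", "agent".
# Quoted fields may contain backslash-escaped characters, so they are matched as (?:[^"\\]|\\.)*.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?$'
)
# A well-formed HTTP request line: METHOD SP target SP HTTP/major.minor
REQUEST_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>\d\.\d)$')


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a combined-format line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" means no body was sent
    rm = REQUEST_RE.match(rec["request"])
    rec["method"] = rm.group("method") if rm else None
    rec["valid_request"] = rm is not None  # False for lines whose request field is not HTTP-shaped
    return rec


def looks_binary(request):
    """True if the request field holds raw binary: Apache-escaped \\xNN bytes or control characters."""
    return "\\x" in request or any(ord(c) < 0x20 or ord(c) == 0x7F for c in request)


def analyze(text):
    """Compute the figures the report derives from Access-1.log for any combined-format log text."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    methods = Counter(r["method"] for r in records if r["method"])
    statuses = Counter(r["status"] for r in records)
    invalid = [r for r in records if not r["valid_request"]]
    largest = max(records, key=lambda r: r["size"], default=None)
    return {
        "total_entries": len(records),
        "get_requests": methods["GET"],
        "unique_status_codes": sorted(statuses),
        "status_counts": dict(sorted(statuses.items())),
        "largest_response_bytes": largest["size"] if largest else 0,
        "largest_response_request": largest["request"] if largest else None,
        "tunnel_attempts": methods["CONNECT"],  # assumption: tunneling shows up as CONNECT requests
        "invalid_request_lines": len(invalid),
        "raw_binary_request_lines": sum(looks_binary(r["request"]) for r in invalid),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running the script against a real file is a matter of passing `open(path, encoding="utf-8", errors="replace").read()` to `analyze`; the `errors="replace"` keeps a stray non-UTF-8 byte in a malformed request from aborting the whole analysis. Splitting on the regex rather than on spaces (as the report's script does) matters for exactly the entries the report flags: a request line full of raw binary may contain spaces itself, which shifts the index of the status field and silently corrupts a space-counting parser.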