Enhancing Cybersecurity: A Comprehensive Log Analysis Using IDEA Software

In today's digital age, the security of online platforms is paramount. As part of my recent project, I conducted a thorough cybersecurity audit focusing on network logs using IDEA auditing software. The primary objective was to identify suspicious IP addresses responsible for Distributed Denial of Service (DDoS) and Brute Force attacks and to enhance the overall security framework.

Project Overview

Business Process: Network Logs (Cybersecurity Process) - IT Operations

Objective: Identify suspicious IP addresses that perform DDoS and Brute Force attacks.

Tool used: Caseware IDEA is a powerful auditing and data analysis tool used by financial professionals. It allows users to import and analyse large datasets, automate tasks, and visualize data through charts and dashboards. IDEA supports compliance and risk management by identifying anomalies and generating detailed reports for audits and forensic accounting.

Testing Procedures:

1. Data Acquisition: Downloaded data from the AWS Dataset and loaded it into IDEA software. Verified that all columns were unique and included essential fields.

2. Data Standardization: Standardized timestamps and categorized IP addresses as internal or external.

3. Analysis: Identified IPs with prolonged interactions, highlighted vulnerabilities to specific ports, and determined the geographic origin of blocked IPs.

IDEA Commands Used:

#1. Top 5 IP hitting 172.31.69.25 IP

#2. Use of CRITERIA to identify the potential open Ports (Port 20, 21, 22, 80)

Ports are used to facilitate communication between different devices on a computer network.

Port 80: Used for HTTP (Hypertext Transfer Protocol) traffic, typically for web browsing.

Port 20: Used for FTP data transfer, facilitating the transfer of files between FTP client and server. (Used by vendors to upload the required files over a secure channel.)

Port 21: Used for FTP (File Transfer Protocol) control commands, governing the communication between FTP client and server.

Port 22: Used for SSH (Secure Shell) connections, enabling secure remote access to servers. Used by employees to access the company's network remotely.

On the left side, I applied criteria for FTP Port 20 and 21 to check FTP access, which should be restricted to Vendors only. As highlighted (blue), the listed source IP addresses are performing attacks on the FTP link, which should not be accessible to normal users.

Exception noted for Port 20 and 21: Additional security controls are needed as attackers attempted to breach the FTP access seven times.

On the right side, I applied criteria for SSH connection (Port 22) to verify VM access. The security mechanism for SSH (Port 22) is functioning correctly, as no attacks were captured.

I applied criteria for Port 80 to check HTTP access, which all users can access to view the products. It was noted that attackers attempted to hijack the session almost 28 times.

Exception noted for Port 80: Additional security controls are needed as attackers tried to breach the HTTP access 28 times.

To mitigate this, the HTTP site should be served over HTTPS, and additional firewall rules should be applied.

#3 : Use of Visual Connector to Identify the Blocked IP address from IP address link and to Locate the Country of Origin

I applied criteria to identify the logs where attacks have occurred. Subsequently, I used Visual Connector to link the second database and extract the corresponding values. Field Manipulation was employed to ensure both tables had the same data type for the connection.

Results indicate the country of origin for the attacks is a restricted country, and we have already blocked some IP addresses.

IPs highlighted in pink are from a restricted country.

IPs highlighted in yellow, along with their range, need to be blocked.
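The three IDEA steps above (top-5 source IPs against 172.31.69.25, the port CRITERIA for 20/21/22/80, and the join to the blocked-IP table with a country lookup) reproduced as an added Python example. This is not code from the original article and does not use IDEA; the flow records, the vendor allowlist, the blocked-IP table, the GeoIP prefix map, the country codes and the choice of RFC 1918 ranges as "internal" are all constructed assumptions, and the sample rows are not taken from the CIC-IDS-2018 dataset.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed flow records in the shape of the fields the audit relies on. Source IPs
# use RFC 5737 documentation ranges; the destination is the host named in the article.
SAMPLE_LOG = """\
timestamp,src_ip,dst_ip,dst_port,label
2018-02-14 10:00:01,203.0.113.7,172.31.69.25,21,FTP-BruteForce
2018-02-14 10:00:02,203.0.113.7,172.31.69.25,21,FTP-BruteForce
2018-02-14 10:00:03,203.0.113.7,172.31.69.25,20,FTP-BruteForce
2018-02-14 10:00:04,198.51.100.9,172.31.69.25,80,Web-BruteForce
2018-02-14 10:00:05,198.51.100.9,172.31.69.25,80,Web-BruteForce
2018-02-14 10:00:06,198.51.100.9,172.31.69.25,80,Web-BruteForce
2018-02-14 10:00:07,172.31.64.10,172.31.69.25,22,Benign
2018-02-14 10:00:08,172.31.64.11,172.31.69.25,80,Benign
2018-02-14 10:00:09,192.0.2.45,172.31.69.25,21,FTP-BruteForce
2018-02-14 10:00:10,192.0.2.45,172.31.69.25,80,Web-BruteForce
2018-02-14 10:00:11,192.0.2.200,172.31.69.25,80,Benign
2018-02-14 10:00:12,192.0.2.200,172.31.69.25,21,Benign
"""

# Constructed reference tables (placeholder vendors, countries and prefixes).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VENDOR_FTP_IPS = frozenset({"192.0.2.200"})       # vendors allowed to use FTP (ports 20/21)
BLOCKED_IPS = {"203.0.113.7": "XX"}                 # the "blocked IP" table joined in step 3
RESTRICTED_COUNTRIES = frozenset({"XX", "YY"})      # company-restricted countries
GEO_PREFIXES = {"203.0.113.0/24": "XX", "192.0.2.0/24": "YY", "198.51.100.0/24": "ZZ"}


def parse_log(text):
    """Step 1/2: load the CSV and normalise the field types (what Field Manipulation does in IDEA)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"timestamp": r["timestamp"], "src_ip": r["src_ip"].strip(),
                     "dst_ip": r["dst_ip"].strip(), "dst_port": int(r["dst_port"]),
                     "label": r["label"].strip()})
    return rows


def classify(ip):
    """Step 2: tag an address as internal (company ranges, assumed RFC 1918) or external."""
    addr = ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def top_talkers(records, dst_ip, n=5):
    """Command #1: the n source IPs with the most records against dst_ip."""
    return Counter(r["src_ip"] for r in records if r["dst_ip"] == dst_ip).most_common(n)


def port_exceptions(records, port, restricted, allowlist=frozenset()):
    """Command #2: CRITERIA-style filter for one port. A record is an exception when the
    dataset labels it as an attack, or when the port is meant to be restricted (FTP to
    vendors, SSH to internal staff) and the source is an external, non-allowlisted address."""
    def suspicious(r):
        if r["label"] != "Benign":
            return True
        return restricted and classify(r["src_ip"]) == "external" and r["src_ip"] not in allowlist
    hits = [r for r in records if r["dst_port"] == port and suspicious(r)]
    return {"count": len(hits), "sources": sorted({r["src_ip"] for r in hits})}


def attacker_origins(records):
    """Command #3: take the sources of attack-labelled records, join them to the blocked-IP
    table and look up the country of origin. Returns ip -> {country, blocked, restricted}."""
    origins = {}
    for r in records:
        ip = r["src_ip"]
        if r["label"] == "Benign" or ip in origins:
            continue
        country = next((c for p, c in GEO_PREFIXES.items() if ip_address(ip) in ip_network(p)), "unknown")
        origins[ip] = {"country": country, "blocked": ip in BLOCKED_IPS,
                       "restricted": country in RESTRICTED_COUNTRIES}
    return origins


def recommended_blocks(origins):
    """The 'yellow' rows: attackers from restricted countries that are not yet blocked,
    widened to their /24 so the whole range is covered."""
    return sorted({str(ip_network(f"{ip}/24", strict=False))
                   for ip, o in origins.items() if o["restricted"] and not o["blocked"]})


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("top talkers:", top_talkers(records, "172.31.69.25"))
    for port, restricted, allow in [(20, True, VENDOR_FTP_IPS), (21, True, VENDOR_FTP_IPS),
                                    (22, True, frozenset()), (80, False, frozenset())]:
        print(f"port {port}:", port_exceptions(records, port, restricted, allow))
    origins = attacker_origins(records)
    print("origins:", origins)
    print("block next:", recommended_blocks(origins))
```

On the constructed rows the FTP criteria flag two external sources (the allowlisted vendor on port 21 is not an exception), SSH shows no exceptions because only internal hosts reached it, and the origin join marks one attacker as already blocked and proposes the /24 of the other restricted-country source for blocking.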

Key Findings

The audit revealed several critical insights:

· FTP Ports (20, 21): Unauthorized activities from various source IP addresses indicated a need for stricter security controls for these ports.

· SSH Port (22): The security mechanisms were found to be effective, maintaining the integrity of VM access.

· HTTP Port (80): Multiple session hijacking attempts were identified, necessitating a transition to HTTPS and enhanced firewall security.

· Origins of Attacks: Most attacks originated from company-restricted countries, highlighting the importance of broadening IP address-blocking strategies.

Recommendations

1. Enhanced Security Measures: Implement additional security protocols for FTP Ports 20 and 21 to restrict access to authorized vendors only.

2. Transition to HTTPS: Convert HTTP access to HTTPS to prevent session hijacking attempts.

3. Geographic Blocking: Broaden the scope of IP address blocking, focusing on the countries identified as sources of attacks.

References:

https://www.unb.ca/cic/datasets/ids-2018.html

https://www.caseware.com/us/products/idea/


#CyberSecurity #NetworkSecurity #ITOperations #DataAnalysis #IDEASoftware #AWSDataSet #DDoS #BruteForce #ITAudit



Dhanvantari Tilak

Software Developer | Growing everyday

8 months

Nice!!

Reply
Samruddhi Tilak

SAP SD Consultant | S/4 HANA | ECC | Vistex | HNI | MBA

8 months

Very informative!

Reply
Pritul Dave

Software Intern @Nokia Networks | MS CS @UTDallas | Research Intern @ISRO, @IITDelhi

8 months

Informative!

Reply

More articles by Vaibhavi Tilak