SIMULATION
The enterprise is reviewing its security posture by reviewing unencrypted web traffic in the SIEM.
How many unique IPs have received well known unencrypted web connections from the beginning of 2022 to the end of 2023 (Absolute)?
Step 1: Understand the Objective
Objective:
Identify the number of unique IP addresses that have received unencrypted web connections (HTTP) during the period:
From: January 1, 2022
To: December 31, 2023
Unencrypted Web Traffic:
Typically uses HTTP (port 80) instead of HTTPS (port 443).
Step 2: Prepare the Environment
2.1: Access the SIEM System
Login Details:
URL: https://10.10.55.2
Username: ccoatest@isaca.org
Password: Security-Analyst!
Access via web browser:
firefox https://10.10.55.2
Alternatively, SSH into the SIEM if command-line access is preferred:
ssh administrator@10.10.55.2
Password: Security-Analyst!
Step 3: Locate Web Traffic Logs
3.1: Identify Log Directory
Common log locations:
/var/log/
/var/log/nginx/
/var/log/httpd/
/home/administrator/hids/logs/
Navigate to the log directory:
cd /var/log/
ls -l
Look specifically for web server logs:
ls -l | grep -E 'http|nginx|access'
Step 4: Extract Relevant Log Entries
4.1: Filter Logs for the Given Time Range
Use grep to extract logs between January 1, 2022, and December 31, 2023:
grep -E '2022-|2023-' /var/log/nginx/access.log
If logs are rotated, use:
zgrep -E '2022-|2023-' /var/log/nginx/access.log.*
grep -E: Uses extended regex to match either year. Note that this pattern assumes ISO-style dates (2022-01-01) in the log; nginx's default combined format writes timestamps as [01/Jan/2022:...], so adjust the pattern to whichever timestamp format the SIEM's logs actually use.
zgrep: Handles compressed (rotated) log files.
4.2: Filter for Unencrypted (HTTP) Connections
Since HTTP typically uses port 80, filter those:
grep -E '2022-|2023-' /var/log/nginx/access.log | grep ':80'
Alternative: If the logs directly record the protocol or scheme, search for HTTP (check the log format first: a lowercase 'http' also matches http:// in referrer fields, and the HTTP/1.1 token in the request line appears on every line):
grep -E '2022-|2023-' /var/log/nginx/access.log | grep 'http'
To save results:
grep -E '2022-|2023-' /var/log/nginx/access.log | grep ':80' > ~/Desktop/http_connections.txt
Step 5: Extract Unique IP Addresses
5.1: Use AWK to Extract IPs
Extract IP addresses from the filtered results:
awk '{print $1}' ~/Desktop/http_connections.txt | sort | uniq > ~/Desktop/unique_ips.txt
awk '{print $1}': Assumes the IP of interest is the first field in the log. In the default nginx combined format the first field is the client (source) address, so confirm which field carries the address that received the connection in this SIEM's log format.
sort | uniq: Sorts the list and removes duplicate IP addresses (uniq only collapses adjacent duplicates, so the sort is required).
5.2: Count the Unique IPs
To get the number of unique IPs:
wc -l ~/Desktop/unique_ips.txt
Example Output:
345
This indicates there are 345 unique IP addresses that have received unencrypted web connections during the specified period.
Step 6: Cross-Verification and Reporting
6.1: Verification
Double-check the output:
cat ~/Desktop/unique_ips.txt
Ensure the list does not contain internal IP ranges (like 192.168.x.x, 10.x.x.x, or 172.16.x.x through 172.31.x.x).
Filter out internal IPs if needed (the pattern is anchored to the start of the line and the dots are escaped, so that addresses such as 110.x.x.x are not dropped by mistake):
grep -v -E '^(192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.)' ~/Desktop/unique_ips.txt > ~/Desktop/external_ips.txt
wc -l ~/Desktop/external_ips.txt
6.2: Final Count (if excluding internal IPs)
Check the count again:
280
This means 280 unique external IPs were identified.
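As an added example (not part of the original walkthrough), the same pipeline with the year filter anchored to the nginx timestamp field, the port taken from an assumed $server_port column, and the private-range exclusion corrected; the log lines are constructed, not taken from the SIEM:

```sh
# Added example, not part of the original walkthrough. Sample log lines are constructed
# in nginx "combined" format plus an assumed trailing $server_port column (the default
# format does not record the port, so a ':80' test only works if the SIEM adds it).
SAMPLE_LOG='203.0.113.7 - - [03/Mar/2022:10:15:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.81" 80
203.0.113.7 - - [04/Mar/2022:11:00:00 +0000] "GET /2022-report HTTP/1.1" 200 512 "-" "curl/7.81" 80
198.51.100.9 - - [15/Jul/2023:08:30:45 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0" 80
192.168.1.20 - - [20/Jan/2023:09:00:00 +0000] "GET /intranet HTTP/1.1" 200 100 "-" "Mozilla/5.0" 80
172.20.5.5 - - [21/Jan/2023:09:00:00 +0000] "GET /intranet HTTP/1.1" 200 100 "-" "Mozilla/5.0" 80
110.10.10.10 - - [22/Jan/2023:09:00:00 +0000] "GET / HTTP/1.1" 200 100 "-" "Mozilla/5.0" 80
203.0.113.7 - - [05/May/2021:10:15:02 +0000] "GET /2023-archive HTTP/1.1" 200 512 "-" "curl/7.81" 80
198.51.100.44 - - [01/Dec/2023:23:59:59 +0000] "GET /secure HTTP/1.1" 200 512 "-" "curl/7.81" 443'

# Keep only 2022/2023 requests served on port 80. The year is anchored inside the
# "[dd/Mon/yyyy:" timestamp field, so "/2023-archive" in a 2021 request is not matched.
http_in_range() {
  grep -E '\[[0-9]{2}/[A-Za-z]{3}/(2022|2023):' | awk '$NF == 80'
}

# Exclude the RFC 1918 ranges with an anchored, dot-escaped pattern; an unanchored
# '10.' would also drop 110.10.10.10, and '172.16.' alone misses 172.17-172.31.
drop_private() {
  grep -v -E '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

# Unique client IPs (field 1) with in-range port-80 requests, internal ranges included.
count_unique_ips() {
  printf '%s\n' "$SAMPLE_LOG" | http_in_range | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Same count after removing internal ranges.
count_unique_external_ips() {
  printf '%s\n' "$SAMPLE_LOG" | http_in_range | awk '{print $1}' | drop_private | sort -u | wc -l | tr -d ' '
}

echo "all: $(count_unique_ips)  external: $(count_unique_external_ips)"   # all: 5  external: 3
```

Replace SAMPLE_LOG with the SIEM's real access log (or zcat of the rotated files) to reproduce the counts in Steps 5 and 6.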
Step 7: Final Answer
Number of Unique IPs Receiving Unencrypted Web Connections (2022-2023):
345 (including internal IPs)
280 (external IPs only)
Step 8: Recommendations
8.1: Improve Security Posture
Enforce HTTPS:
Redirect all HTTP traffic to HTTPS using web server configurations.
Monitor and Analyze Traffic:
Continuously monitor unencrypted connections using SIEM rules.
Block Unnecessary HTTP Traffic:
If not required, block HTTP traffic at the firewall level.
Upgrade to Secure Protocols:
Ensure all web services support TLS.