Author: Roger A. Grimes / Source: CSO Online
I’ve said it before: The No. 1 problem with computer security is poor root-cause analysis, where security pros fail to identify and track the ways an environment was exploited, be it malware or human attack.
Common root causes include social engineering, password guessing/cracking, unpatched software, misconfiguration, denial of service, and physical attacks.
[ Also on InfoWorld: 10 reasons why phishing attacks are nastier than ever | Deep Dive: How to rethink security for the new world of IT. | Discover how to secure your systems with InfoWorld’s Security newsletter. ]
If defenders worried about the right root causes, they’d concentrate as much about adware finding its way onto a computer as they would a terribly malicious Trojan. Both require equal effort to defend against. Figuring out how to stop break-ins is the ultimate objective of any defender, and understanding root causes goes a long way toward that goal.
To find out what malware did, all you have to do is disassemble its code: It can only do what its instructions told it to do. Determining how it got in is a lot harder. You can often follow a hacker’s movement around a network using event logs. But it’s more difficult to find the root exploit used to breach your defenses — particularly when management is screaming in your ear to stop such and such critical asset from going out the door.
Here are some ways to do better root-cause analysis:
Make sure every defender — maybe every employee — in your organization understands the importance of root causes. It needs to be top of mind for everyone and built into as many tools as possible. Don’t skimp on the tools and instrumentation (or upgrade/adjust existing ones) to help you determine root causes.
Whenever anyone performs forensic analysis on a device, tell them their primary task is to determine the root cause of the initial exploit. Many forensic investigators don’t look anymore — or if they can’t figure it out right away, they don’t…
Click here to read more