How many computers is enough?
A good rule of thumb is to sample at least two computers in each role at each major company site. If you want to sound impressive, you can calculate a statistical confidence level. (A great statistical calculator for figuring out sample sizes is located here.)
For example, if I had a population of 1,000 computers and wanted a confidence level of 90 percent plus or minus 15 percent (75 percent is still a fairly high level of assurance), I would need to sample 29 computers. If wanted a 5 percent confidence level instead of 15 percent, I would have to sample 214 computers.
Once you've determined your sample size, you can decide whether to do a full forensic analysis or a limited analysis for each computer. I can do a fairly good limited analysis in about one to two hours per computer. Here are the things I look for:
- Up-to-date antimalware scanner (with a definition file no older than 24 hours) that is configured for constant detection
- Up-to-date software and patches (no more than a week old)
- Check security logs for abnormal events
- Check all autostarting software and research any unknown software found
- Review network traffic flows (in Windows you can do netstat -ano) looking for unusual activity
- Check all installed software and make sure everything is legitimate and needed
- Peruse folders and directories for rogue software or files
- Look for files and folders with excessive permissions
- Check the TCP/IP configuration and hosts file for rogue entries
In most cases, if a computer is compromised, these checks will catch it, depending on the talent of the person checking. Badness can always hide -- like rootkits do -- but normally, advanced persistent threats don't use rootkits, and the checks above will discover something funky that leads to even more specific discoveries.
I'm an even bigger fan of instituting checks that may detect badness even if your computers seem clean, including these:
- Monitor net flows and look for strange or unusual network traffic flows
- Use one or more honeypots
- Use a whitelisting program in audit mode and look for unusual software execution
Most of us don't have the time to achieve perfect assurance. But that doesn't mean you can't do a fairly good assessment that will give you confidence about the security and safety of your network. Don't let perfect be the enemy of the good.
This story, "Operation clean sweep: How to disinfect a compromised network," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.