For better security, ditch the automatic tools

Automated scanning tools have their place, but plenty of threats can only be found with an old-fashioned manual search

I'm often paid to run expensive vulnerability scanning tools against hundreds or thousands of computers. Whereas vulnerability scanning has much value, I find that my manual reviews of those same assets usually reveals things that the automated scans do not.

Automated scanners can only find what they are pre-programmed to seek -- no more, no less. But we humans are good at spotting seemingly innocent-looking yet out-of-place details, then following the intuitive trail to the root cause. When I'm asked to run both an automated vulnerability scan and a manual scan (which is most of the time), I always find more interesting and high-criticality issues using my own forensics analysis.

[ Also on InfoWorld.com: Stuxnet worm + Iran + mainstream media = Global nuclear meltdown | Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

For example, many times I've found compromised computers with hacker tools sitting in strange directories on the hard drive, malware that is undetectable to the organization's antivirus scanner. Recently I found a remote access Trojan disguised as the client's antivirus software process, but it started from a popular browser's temporary file storage location. The automated vulnerability scanner tool had missed the malicious bot, but my interest was piqued by the fact that two antivirus processes with the same name were running at the same time. I thought it was a common type of memory bug until I saw the strange location.

Every IT shop should randomly sample workstations and servers on a periodic basis, looking for unordinary settings, files, and configurations. Either do it yourself, if you have the interest and abilities, or assign it to a different person on your team each time so that one person may be able to pick up on something another might have missed (over the long term).

The idea is to query and document very normal information that would not usually set off an automated scanning tool's alarm. Looking for worms and viruses is best left to antivirus scanners. Validating security-configuration compliance should be reserved for tools designed for that purpose, and an automated patching tool is the top choice for seeking out missing patches.

Rather, for manual reviews, you want to look for and list the ordinary -- but keep an eye open for the extraordinary. When you see something unusual, investigate it. More often than not, the breadcrumbs will lead to a nonmalicious agent. Even so, the process will boost your understanding of your environment. Following a good breadcrumb trail is worth the effort, whether or not it leads to a bad element.

1 2 Page
Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies