Get to the root of security threats
Rather than focusing on how a virus spread, figure out how it made it through the door
One of my clients was recently hit (again) by the Conficker worm. The company's systems were all fully patched, yet the malware still managed to infiltrate hundreds of machines. It was evident that the worm was able to spread rapidly via a network share vector. But the real question remains: How did the worm infiltrate the network in the first place, given that all the systems were patched?
This scenario perfectly illustrates the importance of root-cause analysis -- that is, determining how your company can be most successfully attacked by malware and malicious hackers. While there's no single, general recipe for achieving this goal -- that requires a full security review of your particular environment -- you need to perform a dollar-wise risk assessment, starting with a root-cause analysis.
In the case of the Conficker infestation, the client didn't share the modality, but often the culprit is an infected USB key. A user, often an IT employee, sticks the drive into a computer, which then autoruns the worm. Voila! The root cause for hundreds of PCs infected over the network isn't network drive shares; it's an infected USB drive. Don't get me wrong: Addressing the network drive share problem is important, but addressing the first vector, the root cause, is more important.
Every company should endeavor to collect root-cause statistics and track them over time. Every time a malware program or exploit is found, investigators should document how they or the user thinks it happened. Collecting these sorts of metrics will allow you to spot emerging trends and enable you to respond more aggressively and more often to emerging modalities.
Many companies tell me that they don't have the staff to perform a complete forensic investigation on every malware infection. You don't need to be perfect, though; good enough will suffice. Many users can tell when their systems are infected. Eventually, their reports will reveal true patterns.
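The two practices above, recording the initial entry vector separately from the spread vector and tallying those records over time so trends show up even when many of them come from "good enough" user reports, can be kept in a very small tracking script. The following is an added example, not code from the article or from any of the author's tools; the incident records, host names and vector labels are constructed sample data.

```python
"""Root-cause tracking for malware incidents.

Added example, not from the article: each incident records the *initial*
entry vector (the root cause) separately from the lateral-spread vector,
then the records are tallied by quarter so a shift in entry modality becomes
visible. Every incident below is constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    seen: date
    host: str
    entry_vector: str    # how the malware first got in (the root cause)
    spread_vector: str   # how it moved afterwards, e.g. network shares
    source: str          # "forensics" or "user_report"; both count


# Constructed sample records, not real incident data.
SAMPLE_INCIDENTS = [
    Incident(date(2012, 1, 9),  "ws-101", "usb_autorun",    "network_share", "forensics"),
    Incident(date(2012, 2, 14), "ws-118", "phishing_email", "none",          "user_report"),
    Incident(date(2012, 3, 2),  "ws-077", "usb_autorun",    "network_share", "user_report"),
    Incident(date(2012, 4, 20), "ws-203", "usb_autorun",    "network_share", "user_report"),
    Incident(date(2012, 5, 5),  "ws-044", "drive_by_web",   "none",          "forensics"),
    Incident(date(2012, 5, 30), "ws-210", "usb_autorun",    "network_share", "forensics"),
    Incident(date(2012, 6, 11), "ws-151", "usb_autorun",    "none",          "user_report"),
    Incident(date(2012, 6, 25), "ws-089", "unknown",        "network_share", "user_report"),
]


def quarter(d: date) -> str:
    """Label a date by calendar quarter, e.g. 2012-Q2."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"


def counts_by_quarter(incidents):
    """Tally entry vectors per quarter: {quarter: Counter({vector: n})}."""
    table = defaultdict(Counter)
    for inc in incidents:
        table[quarter(inc.seen)][inc.entry_vector] += 1
    return dict(table)


def top_root_cause(incidents):
    """The entry vector seen most often across all incidents, with its count."""
    overall = Counter(inc.entry_vector for inc in incidents)
    vector, n = overall.most_common(1)[0]
    return vector, n


def quarter_over_quarter(incidents, vector):
    """Count of one vector in the previous quarter versus the latest one.

    Returns (previous_count, latest_count), or None when fewer than two
    quarters of data exist. A rising count says the modality deserves more
    attention; a falling one says the control put in place is working.
    """
    table = counts_by_quarter(incidents)
    quarters = sorted(table)
    if len(quarters) < 2:
        return None
    prev, last = quarters[-2], quarters[-1]
    return table[prev][vector], table[last][vector]


def unknown_ratio(incidents):
    """Share of incidents whose root cause was never established.

    A high ratio means the investigation habit, not any one vector, is the
    first thing worth fixing.
    """
    total = len(incidents)
    unknown = sum(1 for inc in incidents if inc.entry_vector == "unknown")
    return unknown / total if total else 0.0


if __name__ == "__main__":
    for q, vectors in sorted(counts_by_quarter(SAMPLE_INCIDENTS).items()):
        print(q, dict(vectors))
    print("top root cause:", top_root_cause(SAMPLE_INCIDENTS))
    print("usb_autorun Q/Q:", quarter_over_quarter(SAMPLE_INCIDENTS, "usb_autorun"))
    print("unknown ratio:", round(unknown_ratio(SAMPLE_INCIDENTS), 3))
```

On the sample data the spread vector is `network_share` in most records, but the tally of entry vectors points at `usb_autorun` as the root cause, and it is rising quarter over quarter; that is the number the article says to act on. The `unknown` share is a useful second metric: if it climbs, the collection process itself needs attention before any trend can be trusted.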