In the computing world, detecting problems is far easier than fixing them. Take antimalware software: It's always been better at accurately finding viruses and the like than at cleaning up and repairing infected systems. That has left security professionals with an ongoing conundrum for the past three decades: How can we be certain a system is clean once it's been compromised? Just because it tells you it's infection-free doesn't mean it is. Malware may have modified only a single bit, but because you don't know which bit, you have to do a complete recovery.
The answer is that you can't trust a system once it's been compromised unless you completely rebuild it. In today's world of insufficient backups, that rebuild usually becomes an arduous, time-consuming process: copy off all the data that isn't backed up, format the drive, reinstall the operating system and software, then restore the data.
Some of my favorite security features, which protect against malicious hackers and malware, focus more on detecting problems than on preventing or fixing them. For example, most disk encryption software (such as Microsoft BitLocker Drive Encryption, Symantec PGP Whole Disk Encryption, or the open source TrueCrypt) will alert you when the data it protects has been modified, but it cannot repair that data. No surprise here -- encryption and integrity are two different functions. Knowing you've been exploited and knowing how to easily fix that exploit have always been two different challenges.
For the past decade, a growing number of solutions have tried to supply the missing piece of the puzzle. Tripwire, one of the earliest and best-known host-based intrusion detection applications, can not only detect unauthorized changes but also restore systems to their known, compliant states. The problem with Tripwire and other "snapshot" programs: They can tell you whether a measured system has changed, but they have no way of knowing whether the measured system was trustworthy in the first place. How is a program supposed to know that the system it snapshots is unexploited to begin with? The usual answer has been to make sure the system you measure is clean and trustworthy at the start, but that's hard to ensure in a large enterprise environment.
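The snapshot approach and its baseline-trust gap, as an added example (not code from the article or from Tripwire): a clean baseline catches later tampering, a baseline taken on an already-altered system passes every later check, and sealing the baseline only protects it from edits made after it was recorded. File paths, contents and the key are constructed.

```python
# Added Tripwire-style snapshot checker (not code from the article or Tripwire).
# Files are modelled as an in-memory {path: bytes} dict so the example runs offline.
import hashlib
import hmac
import json

def take_snapshot(files: dict) -> dict:
    """Record a SHA-256 digest per file; the baseline is only as clean as the system was."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def check_snapshot(files: dict, baseline: dict) -> dict:
    """Compare the current state against the baseline."""
    now = take_snapshot(files)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "added": sorted(p for p in now if p not in baseline),
        "removed": sorted(p for p in baseline if p not in now),
    }

def seal(baseline: dict, key: bytes) -> str:
    """HMAC over a canonical encoding of the baseline. Protects the snapshot
    database from being silently edited after it is taken (Tripwire signs its
    database for the same reason); it says nothing about the state before."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify_seal(baseline: dict, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(baseline, key), tag)

# Constructed sample data (not real files or a real key).
CLEAN = {"/bin/ls": b"ls-binary-v1", "/etc/hosts": b"127.0.0.1 localhost"}
KEY = b"constructed-demo-key"

def demo() -> tuple:
    # Case 1: baseline taken on a clean system; later tampering is caught.
    base = take_snapshot(CLEAN)
    later = dict(CLEAN, **{"/etc/hosts": b"127.0.0.1 localhost (tampered)"})
    caught = check_snapshot(later, base)["modified"]          # ['/etc/hosts']
    # Case 2: the system was already altered when the baseline was taken.
    # Every later check passes, because the baseline enshrines the bad state.
    tainted = dict(CLEAN, **{"/bin/ls": b"ls-binary-v1 (tampered)"})
    missed = check_snapshot(tainted, take_snapshot(tainted))["modified"]  # []
    # Case 3: sealing catches edits to the baseline record itself.
    tag = seal(base, KEY)
    edited = dict(base, **{"/bin/ls": take_snapshot(tainted)["/bin/ls"]})
    return caught, missed, verify_seal(base, KEY, tag), verify_seal(edited, KEY, tag)

if __name__ == "__main__":
    print(demo())  # (['/etc/hosts'], [], True, False)
```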