7 keys to better risk assessment

When attackers penetrate a network, too many defenders worry about what was stolen rather than how the attackers got in. Focus on causes. Here's how.

I’ve said it before: The No. 1 problem with computer security is poor root-cause analysis, where security pros fail to identify and track the ways an environment was exploited, whether the intruder was malware or a human attacker.

Common root causes include social engineering, password guessing/cracking, unpatched software, misconfiguration, denial of service, and physical attacks.

If defenders worried about the right root causes, they’d care as much about how adware found its way onto a computer as about how a terribly malicious Trojan did. Both get in through the same root causes, so the defense that stops one stops the other. Figuring out how to stop break-ins is the ultimate objective of any defender, and understanding root causes goes a long way toward that goal.

To find out what malware did, disassemble its code or run it in a sandbox: It can only do what its instructions told it to do, plus whatever it downloaded and ran at runtime. Determining how it got in is a lot harder. You can often follow a hacker’s movement around a network using event logs, but it’s more difficult to trace that trail back to the root exploit used to breach your defenses, particularly when management is screaming in your ear to stop such and such critical asset from going out the door.
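The following is an added example, not code from the article or its author, showing what "tracing the trail back to the root exploit" looks like in practice. It walks a constructed event timeline backwards from an alert, hop by hop through remote logons, to the first host the intruder touched, then tags the earliest initial-access pattern on that host with one of the root-cause categories the article lists and tallies incidents per category. The event kinds, host names, thresholds and log entries are all assumptions invented for the example; real detection would read them from a SIEM or Windows event logs.

```python
"""Root-cause tagging over a constructed intrusion timeline (example only)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str           # INITIAL_ACCESS keys, or logon_failed / logon_ok / remote_logon / alert
    user: str = ""
    src: str = ""       # for remote_logon: the host the session came from
    detail: str = ""


# Event kinds that by themselves establish initial access, mapped to the
# article's root-cause categories.  The kind names are an assumption of this
# example, not any real product's schema.
INITIAL_ACCESS = {
    "phish_attachment": "social engineering",
    "exploit": "unpatched software",
    "share_write": "misconfiguration",
    "badge_clone": "physical attack",
}
# Password guessing has no single event: infer it from a burst of failures
# followed by a success for the same account (thresholds are assumptions).
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=10)


def trace_entry_host(events, alert):
    """Follow remote logons backwards from the alerted host to the first host
    the intruder touched.  Returns (entry_host, cutoff): the initial-access
    event must lie on entry_host at or before cutoff."""
    host, cutoff = alert.host, alert.ts
    visited = {host}
    while True:
        inbound = [e for e in events
                   if e.kind == "remote_logon" and e.host == host and e.ts < cutoff]
        if not inbound:
            return host, cutoff
        first_hop = min(inbound, key=lambda e: e.ts)
        if first_hop.src in visited:          # guard against A->B->A loops
            return host, cutoff
        visited.add(first_hop.src)
        host, cutoff = first_hop.src, first_hop.ts


def classify_root_cause(events, alert):
    """Return (category, evidence_event) for an alert, or ('unknown', None)
    when no initial-access pattern is found on the entry host."""
    entry_host, cutoff = trace_entry_host(events, alert)
    timeline = sorted((e for e in events if e.host == entry_host and e.ts <= cutoff),
                      key=lambda e: e.ts)
    for e in timeline:                         # earliest qualifying event wins
        if e.kind in INITIAL_ACCESS:
            return INITIAL_ACCESS[e.kind], e
        if e.kind == "logon_ok":
            failures = [f for f in timeline
                        if f.kind == "logon_failed" and f.user == e.user
                        and e.ts - BRUTE_FORCE_WINDOW <= f.ts < e.ts]
            if len(failures) >= BRUTE_FORCE_THRESHOLD:
                return "password guessing/cracking", e
    return "unknown", None


def root_cause_report(events):
    """Map each alert's detail string to (category, entry_host)."""
    report = {}
    for alert in (e for e in events if e.kind == "alert"):
        category, evidence = classify_root_cause(events, alert)
        report[alert.detail] = (category, evidence.host if evidence else None)
    return report


def root_cause_counts(events):
    """The tally the article asks defenders to keep: incidents per root cause."""
    return Counter(cat for cat, _ in root_cause_report(events).values())


def ts_at(hour, minute):
    return datetime(2024, 5, 1, hour, minute)


# Constructed sample timeline (not real logs): three incidents plus noise.
SAMPLE_LOG = [
    # Incident 1: guessed VPN password, then a hop to the file server.
    *[Event(ts_at(2, i), "srv-vpn", "logon_failed", user="jdoe") for i in range(6)],
    Event(ts_at(2, 6), "srv-vpn", "logon_ok", user="jdoe"),
    Event(ts_at(2, 20), "fileserver", "remote_logon", user="jdoe", src="srv-vpn"),
    Event(ts_at(2, 30), "fileserver", "alert", detail="bulk copy of HR share"),
    # Incident 2: phishing attachment on a workstation, then a hop to the DC.
    Event(ts_at(9, 0), "ws-17", "phish_attachment", user="asmith", detail="invoice.doc"),
    Event(ts_at(9, 40), "dc-01", "remote_logon", user="asmith", src="ws-17"),
    Event(ts_at(10, 0), "dc-01", "alert", detail="credential dump on dc-01"),
    # Incident 3: anonymous write to an open share, no lateral movement.
    Event(ts_at(14, 0), "build-01", "share_write", user="ANONYMOUS", detail="open drop share"),
    Event(ts_at(14, 5), "build-01", "alert", detail="unsigned binary executed on build-01"),
    # Noise: one mistyped password is not a brute-force attack.
    Event(ts_at(1, 50), "srv-vpn", "logon_failed", user="svc_backup"),
    Event(ts_at(1, 51), "srv-vpn", "logon_ok", user="svc_backup"),
]

if __name__ == "__main__":
    for alert, (cat, host) in root_cause_report(SAMPLE_LOG).items():
        print(f"{alert:40} root cause: {cat:28} entry host: {host}")
    print(root_cause_counts(SAMPLE_LOG))
```

The backward walk is the part that matters: the alert fires on the file server or the domain controller, but the root cause lives on the VPN gateway or the workstation several hops earlier, and a single mistyped password on the way is filtered out by the per-account threshold. Whatever the scoring rules, the output to keep is the last line, the count per root cause, because that is what tells you which defense to fix.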

Here are some ways to do better root-cause analysis:

