technical: problems: Problems, Today
Problems in Computer Security
by Brent Kirkpatrick
(Date Published: 2/23/2018.)
Our definitions will be ad-hoc, rather than formal. Detection is the process of identifying unauthorized activity, in run-time, compile-time, or data. Clean-up is the act of removing all unauthorized machine code and preventing re-infection. Digital forensics finds (obvious) traces of foreign machine code on the disk or in memory.
Digital forensics pretends that there is no hacking unless there is conclusive evidence that includes a list of steps for reproducing the infection. This means that digital forensics is conservative. Detection, on the other hand, is much more liberal. The goal of detection is to predict if a computer is hacked, even if there are false positives. Clean-up can be done regardless of detection or digital forensics, so detection is only a sufficient event to trigger clean-up. Clean-up is not finished until the hackers are contained and re-infection prevented.
Clean-up is the most time-intensive step of these three. If the hackers have implemented many automated attacks, clean-up must proceed until all the automated attacks are detected and mitigated. Clean-up usually involves taking steps to block attacks and then patching, quarantining, or restoring BIOSes and operating systems from images and clean installs. While detection is a process that is allowed to have false positives and false negatives, clean-up is not allowed false negatives.
Intrepid Net Computing uses scientific approaches for clean-up.
defendIT (TM). AI-driven security measures derived from security incident data.
Computer Security Today -- Why is it hard?