If you have ever been in a tricky situation, you will know that half the battle is knowing what is going on – you can’t fix a problem if you don’t know what has happened. However, root cause analysis needs to wait until after the issue is resolved.

Too often, I have seen people jump straight into a problem and treat the symptoms or fall-out of a situation, blind to the origins or causes of the event.

Within cybersecurity, investigation of the threat is required to find the entry point, any persistent threats, and what was affected – once you know what is going on, then you can start addressing it.

War story – restoring backup

Early in my career, we had a legacy system that could call external programs when an event was triggered. The only problem was that the legacy system could only start a command with an 8.3 file name ending in .exe, and no parameters could be passed. The solution was a script “wrapper” that compiled short batch files or scripts into individual .exe files, which allowed the legacy system to call upon hundreds of these uniquely named files to perform different activities.

One day, all of these files just disappeared. The initial reaction was to restore them from backup; however, as soon as they were restored they were immediately deleted again. A malicious employee or hacking attack was ruled out because of the specific and obscure location of the files and the lack of any other damage. It turned out to be the anti-virus software: the most recent signature update recognised the .exe header produced by the script wrapper tool, which some malicious user on the Internet had used to build a virus, and so it blocked the entire tool and every file ever made with it. The solution was to exclude the script folder from the virus scanning path – a 30-second job once the cause was understood.


Analysis paralysis

The other side of the issue is when people spend so much effort and time analysing a problem that they keep finding more and more information, until they are overwhelmed by information overload and cannot make a decision.
