For Windows-based systems, I have seen that changes to the Registry or System Directories are some of the things which are used to track if a machine has been compromised
Question
For Windows-based systems, I have seen that changes to the Registry or System Directories are some of the things which are used to track if a machine has been compromised. Similar things must exist for other platforms, and I must admit that I am unaware of them.
My curiosity here is: what are the best metrics which security personnel may want to leverage (at the host itself or at the network-admin level) to decide whether a system has been compromised, and do so in an OS-agnostic way? That is, these metrics should not change, irrespective of Windows, *nix, Mac, or handheld devices with Android etc.
Explanation / Answer
There is no simple set of metrics, I'm afraid. Modern computers are designed to be general purpose and so are very complex.
Modern compromises may also be complex. Many Windows compromises are very hard to detect and certainly wouldn't touch the registry.
Some changes to look for across systems are:
From this, you can probably recognise that you need to have very tight change controls and methods to track changes.
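The answer's closing point is that the OS-agnostic part is not a fixed list of indicators but the discipline of baselining a system and tracking every change against that baseline. The following is an added example, not code from the original post or its author: a minimal, portable file-integrity baseline in Python that records size, permission bits and a SHA-256 digest for every regular file under a root, persists the baseline as JSON, and reports what was added, removed or modified on a later run. The directory tree it examines is constructed inside a temporary directory so it runs offline; the paths (`etc/hosts`, `bin/login`, `etc/cron.d/persist`) are illustrative names only.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Record size, permission bits and content hash of every regular file under root.

    Keys are POSIX-style relative paths so a baseline taken on one platform
    compares cleanly with one taken on another.
    """
    root = Path(root)
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices: only hash real file content
            rel = p.relative_to(root).as_posix()
            snap[rel] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "sha256": sha256_file(p),
            }
    return snap


def save_baseline(snap, path):
    """Persist the baseline; in practice store it off-host or on read-only media."""
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def diff_snapshots(baseline, current):
    """Return files that appeared, disappeared, or whose size/mode/hash changed."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, change it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        # same byte length before and after, so size alone would not reveal the change
        (root / "bin" / "login").write_bytes(b"\x7fELF original binary")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # simulated later state of the same host (constructed, not real data)
        (root / "bin" / "login").write_bytes(b"\x7fELF replaced binary")  # content swapped, size equal
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * /tmp/x\n")  # new scheduled task
        (root / "etc" / "hosts").unlink()  # file removed

        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script reports `bin/login` as modified even though its size is unchanged, `etc/cron.d/persist` as added and `etc/hosts` as removed. The hashing, walking and comparison are the same on Windows, Linux, macOS and Android-derived systems; what differs per platform is only which roots are worth baselining and how the baseline is kept out of reach of whoever might tamper with the host.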