5. Privileged groups and memberships
How many users are in elevated groups? Companies with good security have a bare minimum, bad ones have insane numbers, and top-notch companies have none. For example, in Active Directory shops, I like to see a handful (or fewer) of permanent members in the Enterprise Admins and Domain Admins groups; more commonly, I've been in companies with hundreds of members in these groups. Heck, each year I find a company that has the Authenticated Users group as a member of its highest-privileged groups, and it's been that way for ages. I also review sensitive and shared directories for excessive permissions.
6. Lifecycle management
Good lifecycle management is worth its weight in gold. Lifecycle management starts by making sure every object in a namespace (such as Active Directory, DNS, and so on) is needed before it's added. An owner is always assigned; if anyone has any questions, everyone can easily see who to contact. But my quick litmus test is to see if they regularly remove old members when that object or member is no longer needed. Lots of companies are great at the process control for adding items, but horrible at following up afterward, especially on deprovisioning.
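The two checks above (who is effectively in the top privileged groups, and whether deprovisioning is keeping up) can be scripted. The following PowerShell is an added example, not the author's own tooling; it assumes the RSAT ActiveDirectory module, read access to group membership, and a constructed 90-day threshold for "stale", and it flags well-known principals such as Authenticated Users that should never appear in these groups.

```powershell
# Added example: audit effective membership of Domain Admins / Enterprise Admins.
# Assumes the RSAT ActiveDirectory module and rights to read group membership.
Import-Module ActiveDirectory

# Well-known SIDs that should never be effective members of a privileged group.
$RiskySids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-7' = 'Anonymous Logon' }
$StaleDays = 90   # assumption: an admin account unused this long is a deprovisioning miss

function Get-FlatMembers {
    # Walks nested groups by DN so foreign security principals (e.g. Authenticated Users)
    # are included; Get-ADGroupMember -Recursive can choke on those.
    param([string]$GroupDn, [hashtable]$Seen = @{})
    $group = Get-ADObject -Identity $GroupDn -Properties member
    foreach ($dn in $group.member) {
        if ($Seen.ContainsKey($dn)) { continue }          # loop/duplicate guard
        $Seen[$dn] = $true
        # Members from other domains in the forest are not resolvable locally; skip them.
        $obj = Get-ADObject -Identity $dn -Properties objectSid, lastLogonTimestamp, userAccountControl -ErrorAction SilentlyContinue
        if (-not $obj) { "  [UNRESOLVED] $dn (likely cross-domain; review manually)"; continue }
        if ($obj.ObjectClass -eq 'group') { Get-FlatMembers -GroupDn $dn -Seen $Seen } else { $obj }
    }
}

function Get-SidString($sidValue) {
    # objectSid may arrive as a SecurityIdentifier or a raw byte array depending on module version.
    if ($sidValue -is [byte[]]) { (New-Object System.Security.Principal.SecurityIdentifier($sidValue, 0)).Value }
    else { [string]$sidValue }
}

$domainSid = (Get-ADDomain).DomainSID.Value
# RID 512 = Domain Admins, RID 519 = Enterprise Admins (exists only in the forest root domain).
foreach ($groupSid in "$domainSid-512", "$domainSid-519") {
    $group = Get-ADGroup -Identity $groupSid -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    $members = @(Get-FlatMembers -GroupDn $group.DistinguishedName | Where-Object { $_ -isnot [string] })
    "{0}: {1} effective members" -f $group.Name, $members.Count
    foreach ($m in $members) {
        $sid = Get-SidString $m.objectSid
        if ($RiskySids.ContainsKey($sid)) { "  [CRITICAL] $($RiskySids[$sid]) ($sid) is an effective member"; continue }
        if ($m.ObjectClass -ne 'user') { continue }
        $disabled = ($m.userAccountControl -band 2) -ne 0          # ACCOUNTDISABLE bit
        $last = if ($m.lastLogonTimestamp) { [DateTime]::FromFileTime($m.lastLogonTimestamp) } else { $null }
        if ($disabled) { "  [STALE] $($m.Name) is disabled but still a member" }
        elseif (-not $last -or $last -lt (Get-Date).AddDays(-$StaleDays)) {
            "  [STALE] $($m.Name) last logon: $(if ($last) { $last.ToShortDateString() } else { 'never' })"
        }
    }
}
```

Any [CRITICAL] line is the Authenticated-Users-in-Domain-Admins pattern described above; [STALE] lines are the deprovisioning misses the lifecycle litmus test looks for.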
7. Security hardening
I always take a quick look at basic security settings on workstations and servers. Do they have the basic recommended security settings enabled, are settings tighter than normal, or have they made their computers weaker? I don't care about a misconfigured setting here and there, but you want to see a pattern of strength and protection.
8. Authentication sophistication
Although the protection provided by smartcards, RSA tokens, and other two-factor authentication methods is often oversold, any authentication method beyond plain log-on passwords is a positive. It means the company is interested in preventing easy authentication credential theft. If they only use passwords, I have two questions out of the gate: Are the passwords long and complex (or at least long)? And do they use the strongest available authentication hashes and protocols? If not, the looters have most likely already paid many visits.
9. Configuration consistency
You want to see consistency for all the items listed so far. Hackers thrive on inconsistency. Inconsistency is how most compromises happen. Consistency takes resolve from start to finish, beginning with consistent images and builds and instructions. You need consistent processes and watchful change and configuration controls. I see consistency when I survey multiple computers and find the same programs installed on the same roles: no more software, no less. I see consistency when I see the same directory structure and folders: no more and no less. I see the same management and monitoring tools. Consistency is the backbone of all security recommendations. Even if a company has security gaps, if I see consistency (in both the good and the bad), I know the company will have an easier time closing holes and becoming more secure. Rampant inconsistency could well mean that everything I find or recommend will be nearly useless.
10. Up-to-date education
Lastly, I like to see good, up-to-date, end-user and staff education. Does the end-user education include the latest threats or are company newsletters still warning about untrusted websites, file attachments, and macro viruses?
You might hire me for a few weeks to analyze your environment. But the truth is that my first impression forms right after I check a few computers. And my first impressions are rarely wrong.
This story, "Secure or not? 10 spot checks will tell you," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.