I don't know about you, but I can tell in about a minute how much someone I've just met knows about computers, networks, and security. It's in what they say, how they respond, and what they think about particular subjects. I bet most of you can do the same. And like me, I bet you've found these first impressions to be surprisingly accurate.
The same snap judgement occurs when I'm asked to perform a thorough security survey of a network or company. Although my professional checklists run to hundreds of items, I normally go through a handful when I first arrive on site, which gives me a fairly accurate indicator of the network's overall health.
My average security review lasts from one to four weeks, depending on the scope and the details required. My reports are often 40 to 80 pages long. But the reality is that I can make a pretty accurate prediction of what that final report will look like by checking just 10 items:
1. Proactive security monitoring
Year after year, the Verizon Data Breach Report (PDF) consistently says that most malicious intrusions could have been noticed earlier, or the damage minimized, if the appropriate monitoring had been put in place. Most of the places I review have hideous event log management. They may have auditing turned on and they may be generating logs all over the place, but they don't collect, review, or respond to what those logs report. A company with a solid, pervasive event log management system -- and a review process that leverages it -- is probably doing a lot of the other stuff right, too, if only because these systems tend to be last on the list of security measures.
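The "collect, review, respond" gap described above is easiest to see with a concrete review rule. The following is an added example, not code from the column: it runs one simple review over a few constructed authentication log lines and surfaces what a monitoring process should have noticed, a burst of failed logons against one account from one source, and whether a successful logon followed it. The log format (`timestamp|event|user|source`), the event names, the threshold of 5 failures and the 2-minute window are all assumptions chosen for the example.

```python
"""Flag bursts of failed logons in constructed log lines.

Added example: the line format, event names and thresholds are assumptions,
not anything the column prescribes. The point is that the data was already
being logged; somebody has to look at it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five quick failures for jsmith followed by a success,
# plus two isolated admin failures an hour apart (noise, not a burst).
SAMPLE_LOG = """\
2024-03-01T08:00:01|LOGON_FAILED|jsmith|10.0.0.15
2024-03-01T08:00:07|LOGON_FAILED|jsmith|10.0.0.15
2024-03-01T08:00:12|LOGON_FAILED|jsmith|10.0.0.15
2024-03-01T08:00:20|LOGON_FAILED|jsmith|10.0.0.15
2024-03-01T08:00:25|LOGON_FAILED|jsmith|10.0.0.15
2024-03-01T08:00:31|LOGON_OK|jsmith|10.0.0.15
2024-03-01T08:15:00|LOGON_FAILED|admin|10.0.0.99
2024-03-01T09:30:00|LOGON_FAILED|admin|10.0.0.99
2024-03-01T09:31:00|LOGON_OK|bjones|10.0.0.20
"""


def parse_line(line):
    """Split one 'timestamp|event|user|source' line into typed fields."""
    ts, event, user, source = line.split("|")
    return datetime.fromisoformat(ts), event, user, source


def find_failed_logon_bursts(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per (user, source) that accumulates `threshold` failed
    logons inside `window`. Each alert is a tuple:
    (user, source, first_failure, last_failure, count, success_followed)."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda e: e[0])  # logs are not always written in order

    failures = defaultdict(list)   # (user, source) -> sorted failure times
    successes = defaultdict(list)  # (user, source) -> success times
    for ts, event, user, source in events:
        if event == "LOGON_FAILED":
            failures[(user, source)].append(ts)
        elif event == "LOGON_OK":
            successes[(user, source)].append(ts)

    alerts = []
    for key, times in failures.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                first, last = times[start], times[end]
                # A success right after a burst is the case a reviewer most
                # wants to look at, so record it alongside the count.
                success_after = any(last <= s <= last + window
                                    for s in successes.get(key, []))
                alerts.append((key[0], key[1], first, last, count, success_after))
                break  # one alert per (user, source) is enough for review
    return alerts


if __name__ == "__main__":
    for user, source, first, last, count, ok_after in find_failed_logon_bursts(SAMPLE_LOG):
        print(f"{user} from {source}: {count} failures between {first.time()} "
              f"and {last.time()}; success followed: {ok_after}")
```

Run as-is, it reports only the jsmith burst; the two admin failures are too far apart to count. Lower the threshold or widen the window and the admin pair shows up too, which is the tuning conversation a review process has to own.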
2. Number of unneeded programs and services
I usually review two items under this category: all installed programs and services, as well as all programs automatically executed when the computer starts. Unnecessary programs and services mean more attack surface for intruders to exploit. When I find a bare minimum of programs and services installed, I know I'm in a place that values the "less is more" paradigm. It's also important to ask whether the people in charge of particular computers understand the reason for each of the installed programs and services.
3. Patch management breadth and timeliness
Everyone patches, but do they do it well? That means that all installed programs and services have all critical patches installed -- not just the operating system, but also the browser add-ons, productivity software, and firmware. I can't tell you how many places think they have rock-solid patching only to discover that most common browser add-ins (such as Oracle Java, Adobe Acrobat Reader, Adobe Flash) aren't patched. Nor are the management tools -- pretty common on servers. Each server typically has the same server management software, but when I check the version, I find it hasn't been updated in years. That management software may contain multiple, publicly known holes that were patched years ago. Hackers love that.
4. Antimalware coverage and status
This one is self-explanatory: Do they have antivirus software installed? Is it up to date? Do they have solid antispam, antiphishing, anti-adware, and the myriad other tools needed to protect desktops and servers? How often are they updated? Within 24 hours is a minimum, but I often see servers with antimalware definitions that are two days old. Jeez.
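Items 2, 3 and 4 above are all questions you can put to an inventory rather than answer by feel, so here is an added example (not the column's own checklist or tooling) that does exactly that over a constructed inventory of two hosts: services with no documented reason to exist, software whose last patch date is too old (add-ons and the management agent checked alongside the operating system, not instead of it), and antimalware definitions older than the 24-hour minimum the column names. The inventory layout, the host and product names, the review date and the 90-day patch-age threshold are assumptions made for the example; the 24-hour definition limit comes from the text.

```python
"""Audit a constructed host inventory for unneeded services, stale patches
and stale antimalware definitions.

Added example. Hostnames, service and product names, dates and the 90-day
patch threshold are constructed for illustration; only the 24-hour
definition limit comes from the column.
"""
from datetime import datetime, timedelta

REVIEW_DATE = datetime(2024, 3, 1, 12, 0)    # constructed "now", for reproducible output
MAX_PATCH_AGE = timedelta(days=90)            # assumed threshold for "not patched recently"
MAX_DEFINITION_AGE = timedelta(hours=24)      # the column's minimum for definition updates

# Constructed inventory. For each service the value is the documented reason
# it runs; an empty string means nobody could say why it is there.
INVENTORY = {
    "srv-files-01": {
        "services": {
            "file-share": "serves departmental shares",
            "print-spooler": "",
            "telnet-server": "",
        },
        "software": {                          # product -> last patch date
            "operating-system": datetime(2024, 2, 20),
            "browser-plugin (constructed)": datetime(2022, 5, 1),
            "server-management-agent (constructed)": datetime(2019, 11, 1),
        },
        "av_definitions": datetime(2024, 2, 28, 9, 0),
    },
    "wks-acct-07": {
        "services": {"workstation": "domain member"},
        "software": {
            "operating-system": datetime(2024, 2, 25),
            "office-suite (constructed)": datetime(2024, 1, 15),
        },
        "av_definitions": datetime(2024, 3, 1, 2, 0),
    },
}


def unjustified_services(host):
    """Item 2: services nobody can give a reason for."""
    return sorted(name for name, reason in host["services"].items() if not reason.strip())


def stale_software(host, now=REVIEW_DATE, max_age=MAX_PATCH_AGE):
    """Item 3: every product, not just the OS, whose last patch is older than max_age.
    Returns (product, days_since_patch) pairs sorted by product name."""
    return sorted((name, (now - patched).days)
                  for name, patched in host["software"].items()
                  if now - patched > max_age)


def stale_definitions(host, now=REVIEW_DATE, max_age=MAX_DEFINITION_AGE):
    """Item 4: age of antimalware definitions if beyond max_age, else None."""
    age = now - host["av_definitions"]
    return age if age > max_age else None


def audit(inventory, now=REVIEW_DATE):
    """Run all three checks and return {hostname: [finding, ...]}."""
    findings = {}
    for hostname, host in inventory.items():
        host_findings = []
        for svc in unjustified_services(host):
            host_findings.append(f"service '{svc}' has no documented reason to exist")
        for name, days in stale_software(host, now):
            host_findings.append(f"'{name}' last patched {days} days ago")
        age = stale_definitions(host, now)
        if age is not None:
            hours = age.total_seconds() / 3600
            host_findings.append(f"antimalware definitions are {hours:.0f} hours old")
        findings[hostname] = host_findings
    return findings


if __name__ == "__main__":
    for hostname, host_findings in audit(INVENTORY).items():
        print(hostname, "-", "clean" if not host_findings else "")
        for finding in host_findings:
            print("  *", finding)
```

The interesting part of the output is not the OS line, which is current on both hosts, but the plug-in and management agent on the file server, which is exactly the pattern the column describes: rock-solid operating-system patching next to years-old third-party software.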