roger_grimes
Columnist

Secure or not? 10 spot checks will tell you

Analysis
Jul 17, 2012, 7 min read
Authentication, Data and Information Security, Network Security

You don't need a high-powered consultant to determine whether your security sucks. Try this simple checklist instead

I don’t know about you, but I can tell in about a minute how much someone I’ve just met knows about computers, networks, and security. It’s in what they say, how they respond, and what they think about particular subjects. I bet most of you can do the same. And like me, I bet you’ve found these first impressions to be surprisingly accurate.

The same snap judgement occurs when I’m asked to perform a thorough security survey of a network or company. Although my professional checklists run to hundreds of items, I normally go through a handful when I first arrive on site, which gives me a fairly accurate indicator of the network’s overall health.


My average security review lasts from one to four weeks, depending on the scope and the details required. My reports are often 40 to 80 pages long. But the reality is that I can make a pretty accurate prediction of what that final report will look like by checking just 10 items:

1. Proactive security monitoring

Year after year, the Verizon Data Breach Investigations Report (PDF) consistently says that most malicious intrusions could have been noticed earlier, or the damage minimized, had the appropriate monitoring been in place. Most of the places I review have hideous event log management. They may have auditing turned on and they may be generating logs all over the place, but they don’t collect, review, or respond to what those logs report. A company with a solid, pervasive event log management system, and a review process that actually leverages it, is probably doing a lot of the other stuff right too, if only because log management tends to be the last security measure anyone gets around to.
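What that spot check looks like on a single Windows host, as an added example that is not code from the article: the script below asks whether auditing is actually on, whether the log is big enough to be reviewable, whether anything collects it, and whether the events a reviewer should have reacted to are sitting there unread. The event IDs and the Windows Event Forwarding policy key are Microsoft's documented values; the one-day window and the list of subcategories are this example's assumptions. Run it in an elevated PowerShell session on the host, or wrap it in Invoke-Command.

```powershell
# Added example (not from the article): audit-logging spot check for one host.
# Assumptions: last-24-hours window, and the five subcategories chosen below.

# 1. Can the Security log hold more than a few hours of events at all?
$sec    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
[pscustomobject]@{
    MaxSizeMB    = [math]::Round($sec.MaximumSizeInBytes / 1MB)
    RecordCount  = $sec.RecordCount
    OldestRecord = $oldest.TimeCreated     # how far back a reviewer could even look
}

# 2. Are the audit subcategories that matter switched on?
#    auditpol.exe is built in; "No Auditing" in its output is the answer you do not want.
$subcategories = 'Logon', 'User Account Management', 'Security Group Management',
                 'Audit Policy Change', 'Process Creation'
foreach ($sub in $subcategories) {
    auditpol /get /subcategory:"$sub" | Select-String -Pattern $sub
}

# 3. Is anyone collecting the log? Windows Event Forwarding stores its collector
#    URL(s) under this policy key as values named 1, 2, ...; no key usually means
#    the log stays on the box unless a third-party agent is shipping it.
$wefKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$wef = Get-ItemProperty -Path $wefKey -ErrorAction SilentlyContinue
if ($wef) {
    $urls = ($wef.PSObject.Properties | Where-Object Name -match '^\d+$').Value
    "Event forwarding configured: $($urls -join '; ')"
} else {
    'No Windows Event Forwarding policy found; ask what, if anything, collects this log.'
}

# 4. The events a reviewer should have acted on in the last day:
#    1102 audit log cleared, 4719 audit policy changed, 4720 user created,
#    4728/4732/4756 member added to a global/local/universal security group.
$ids    = 1102, 4719, 4720, 4728, 4732, 4756
$filter = @{ LogName = 'Security'; Id = $ids; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

A 20 MB Security log that rolls over every few hours, subcategories showing "No Auditing", and no forwarding target together tell you the logs exist on paper only. If step 4 returns a 1102 (log cleared) that nobody can explain, you already have your answer.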

2. Number of unneeded programs and services

I usually review two items under this category: all installed programs and services, as well as all programs automatically executed when the computer starts. Unnecessary programs and services mean more attack surface for intruders to exploit. When I find a bare minimum of programs and services installed, I know I’m in a place that values the “less is more” paradigm. It’s also important to ask whether the people in charge of particular computers understand the reason for each installed program and service.

3. Patch management breadth and timeliness

Everyone patches, but do they do it well? That means that all installed programs and services have all critical patches installed — not just the operating system, but also the browser add-ons, productivity software, and firmware. I can’t tell you how many places think they have rock-solid patching only to discover that most common browser add-ins (such as Oracle Java, Adobe Acrobat Reader, Adobe Flash) aren’t patched. Nor are the management tools — pretty common on servers. Each server typically has the same server management software, but when I check the version, I find it hasn’t been updated in years. That management software may contain multiple, publicly known holes that were patched years ago. Hackers love that.

4. Antimalware coverage and status

This one is self-explanatory: Do they have antivirus software installed? Is it up to date? Do they have solid antispam, antiphishing, anti-adware, and the myriad other tools needed to protect desktops and servers? How often are they updated? Updating definitions at least once every 24 hours is the minimum, yet I often see servers with antimalware definitions that are two days old. Jeez.
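Checks 2, 3 and 4 can be done against a host in one pass. The script below is an added example, not code from the article: it inventories installed programs from the Uninstall registry keys (deliberately not Win32_Product, which triggers MSI repairs when queried), lists automatic services and autostart entries, reports the most recent OS hotfix, and reads Microsoft Defender's definition age. The list of add-ins to flag is taken from the article; treating a signature age over one day as stale is the article's bar. Run it elevated.

```powershell
# Added example (not from the article): host spot check for unneeded software,
# autostarts, patch recency and antimalware freshness.
# Assumption: Microsoft Defender is the antimalware product; other products need their own query.

# --- Installed programs (64- and 32-bit hives), with version and install date ---
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName
"Installed programs: $(@($programs).Count)"

# Flag the browser add-ins the article names as chronically unpatched.
$watch = 'Java', 'Acrobat', 'Adobe Reader', 'Flash Player'
$programs |
    Where-Object { $n = $_.DisplayName; $watch | Where-Object { $n -like "*$_*" } } |
    Format-Table DisplayName, DisplayVersion, InstallDate -AutoSize

# --- Services that start automatically: each one needs an owner who can explain it ---
Get-CimInstance Win32_Service -Filter "StartMode = 'Auto'" |
    Select-Object Name, State, PathName |
    Sort-Object Name | Format-Table -AutoSize

# --- Autostart entries: Run/RunOnce keys for machine and current user, plus startup folders ---
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    Get-ItemProperty -Path $k -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSObject.Properties | Where-Object Name -notlike 'PS*' } |
        Select-Object @{ Name = 'Key'; Expression = { $k } }, Name, Value
}
Get-CimInstance Win32_StartupCommand | Select-Object Name, Location, Command

# --- Patch recency: when did the last OS hotfix land? (Third-party patching is not visible here.) ---
$lastFix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
"Most recent OS hotfix: $($lastFix.HotFixID) on $($lastFix.InstalledOn.ToShortDateString())"

# --- Antimalware: Defender signatures older than a day fail the article's bar ---
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    [pscustomobject]@{
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureAgeDays   = $mp.AntivirusSignatureAge
        LastSignatureTime  = $mp.AntivirusSignatureLastUpdated
        Verdict            = if ($mp.AntivirusSignatureAge -gt 1) { 'STALE' } else { 'ok' }
    }
} else {
    'Get-MpComputerStatus unavailable: a third-party product is installed, or none at all. Check its console.'
}
```

The version and InstallDate columns for the flagged add-ins are where check 3 usually fails: a Java or Reader entry whose install date is years old is the unpatched plug-in the article describes, and no OS hotfix report will show it.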

5. Privileged groups and memberships

How many users are in elevated groups? Companies with good security have a bare minimum, bad ones have insane numbers, and top-notch companies have no permanent members at all. For example, in Active Directory shops, I like to see a handful (or fewer) of permanent members in the Enterprise Admins and Domain Admins groups; more commonly, I’ve been in companies with hundreds of members in these groups. Heck, each year I find a company that has the Authenticated Users group as a member of its highest-privileged groups, which makes every logged-on account an administrator, and it’s been that way for ages. I also review sensitive and shared directories for excessive permissions.

6. Lifecycle management

Good lifecycle management is worth its weight in gold. Lifecycle management starts by making sure every object in a namespace (such as Active Directory, DNS, and so on) is needed before it’s added. An owner is always assigned, so if anyone has a question, it is easy to see who to contact. But my quick litmus test is to see if they regularly remove old objects and members when they are no longer needed. Lots of companies are great at the process control for adding items, but horrible at following up afterward, especially on deprovisioning.
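Checks 5 and 6 are both Active Directory queries, so here they are together as an added example that is not code from the article. It counts direct and effective (nested) members of the privileged groups, detects Everyone or Authenticated Users sitting in them (they appear as ForeignSecurityPrincipal objects named by their well-known SIDs, S-1-1-0 and S-1-5-11), and then applies the deprovisioning litmus test: enabled accounts nobody has used, and groups with no owner. It needs the ActiveDirectory module (RSAT) and a domain account with read access. The 90-day inactivity window and the list of groups treated as privileged are this example's assumptions.

```powershell
# Added example (not from the article): AD privileged-group and lifecycle spot checks.
# Assumptions: the group list below counts as "privileged"; 90 days counts as stale.
Import-Module ActiveDirectory

# --- 5. Privileged groups: how many members, and is "everyone" one of them? ---
$privileged = 'Enterprise Admins', 'Domain Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Backup Operators', 'Server Operators'
$everyoneSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }

foreach ($name in $privileged) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain.
    $grp = Get-ADGroup -Filter "Name -eq '$name'" -Properties member
    if (-not $grp) { continue }

    # Direct members whose DN is a well-known SID (or Domain Users) give every account the group's rights.
    $everyone = foreach ($dn in $grp.member) {
        if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,' -and $everyoneSids[$matches[1]]) {
            $everyoneSids[$matches[1]]
        } elseif ($dn -match '^CN=Domain Users,') {
            'Domain Users'
        }
    }

    # -Recursive expands nested groups; a group-in-a-group chain is the usual way
    # hundreds of people end up as effective Domain Admins without anyone noticing.
    try   { $effective = @(Get-ADGroupMember -Identity $grp -Recursive | Where-Object objectClass -eq 'user').Count }
    catch { $effective = 'n/a (expansion failed; foreign principals present)' }

    [pscustomobject]@{
        Group          = $name
        DirectMembers  = @($grp.member).Count
        EffectiveUsers = $effective
        EveryoneMember = ($everyone -join ', ')
    }
}

# --- 6. Lifecycle: are objects owned, and are they removed when no longer needed? ---
$cutoff = (Get-Date).AddDays(-90)

# Enabled accounts nobody has used in 90 days: deprovisioning is not happening.
# LastLogonDate comes from lastLogonTimestamp, replicated with up to ~14 days of slack,
# so treat it as approximate; accounts that never logged on have no value and are not matched.
$staleUsers = Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } `
                         -Properties LastLogonDate, PasswordLastSet
$staleComputers = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } `
                                 -Properties LastLogonDate
"Stale enabled users: $(@($staleUsers).Count); stale enabled computers: $(@($staleComputers).Count)"
$staleUsers | Select-Object SamAccountName, LastLogonDate, PasswordLastSet |
    Sort-Object LastLogonDate | Format-Table -AutoSize

# Groups with no ManagedBy: nobody to ask whether the group is still needed.
$unowned = Get-ADGroup -Filter * -Properties ManagedBy | Where-Object { -not $_.ManagedBy }
"Groups without an owner (ManagedBy): $(@($unowned).Count)"
```

Compare DirectMembers with EffectiveUsers: a Domain Admins group with five direct members and four hundred effective users is the nested-group problem, and it is invisible in the management console's membership tab.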

7. Security hardening

I always take a quick look at basic security settings on workstations and servers. Do they have the basic recommended security settings enabled, are settings tighter than normal, or have they made their computers weaker? I don’t care about a misconfigured setting here and there, but you want to see a pattern of strength and protection.

8. Authentication sophistication

Although the protection provided by smartcards, RSA tokens, and other two-factor authentication methods is often oversold, any authentication method beyond plain log-on passwords is a positive. It means the company is interested in preventing easy authentication credential theft. If they only use passwords, I have two questions out of the gate: Are the passwords long and complex (or at least long)? And do they use the strongest available authentication hashes and protocols (on Windows, that means NTLMv2 or Kerberos rather than LM and NTLMv1, and no LM hashes stored)? If not, the looters have most likely paid many visits already.
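Checks 7 and 8 overlap on Windows, since the authentication protocol and hash-storage choices are Local Security Policy settings like any other. The script below is an added example, not code from the article: it reads a handful of those settings from the registry and compares them with an expected value, checks the host firewall, and then reads the domain password policy and counts accounts whose flags weaken the hash or protocol regardless of policy. The registry value names and locations are Microsoft's documented ones; the "expected" values reflect common baseline guidance and are this example's assumption, not the article's. Run it elevated; the domain part needs the ActiveDirectory module.

```powershell
# Added example (not from the article): hardening and authentication spot check.
# Assumption: the Expected values below are a reasonable baseline; adjust to your own standard.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$checks = @(
    @{ Path = $lsa; Name = 'NoLMHash';              Expected = 1; Why = 'do not store LM hashes' }
    @{ Path = $lsa; Name = 'LmCompatibilityLevel';  Expected = 5; Why = 'send NTLMv2 only, refuse LM and NTLMv1' }
    @{ Path = $lsa; Name = 'RestrictAnonymous';     Expected = 1; Why = 'no anonymous share/user enumeration' }
    @{ Path = $lsa; Name = 'LimitBlankPasswordUse'; Expected = 1; Why = 'blank passwords usable at console only' }
    @{ Path = $srv; Name = 'SMB1';                  Expected = 0; Why = 'SMBv1 server disabled' }
    @{ Path = $srv; Name = 'RequireSecuritySignature'; Expected = 1; Why = 'SMB signing required' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA';             Expected = 1; Why = 'UAC enabled' }
)
foreach ($c in $checks) {
    # A missing value means the OS default applies, which differs by Windows version: verify it by hand.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $shown  = if ($null -eq $actual) { 'not set (OS default)' } else { $actual }
    $status = if ($actual -eq $c.Expected) { 'ok' } else { 'REVIEW' }
    [pscustomobject]@{ Setting = $c.Name; Actual = $shown; Expected = $c.Expected; Status = $status; Why = $c.Why }
}

# Host firewall on every profile, with inbound blocked by default?
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# --- Domain authentication policy ---
Import-Module ActiveDirectory
$pol = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    MinPasswordLength    = $pol.MinPasswordLength            # the article's "long, or at least long"
    ComplexityEnabled    = $pol.ComplexityEnabled
    LockoutThreshold     = $pol.LockoutThreshold             # 0 means unlimited guessing
    ReversibleEncryption = $pol.ReversibleEncryptionEnabled  # must be False
}

# Per-account flags that defeat the policy: weak Kerberos keys, cleartext-recoverable
# passwords, no password at all, and the positive signal of smartcard-only accounts.
[pscustomobject]@{
    SmartcardRequired    = @(Get-ADUser -Filter { SmartcardLogonRequired -eq $true }).Count
    PasswordNotRequired  = @(Get-ADUser -Filter { PasswordNotRequired -eq $true }).Count
    DESKeyOnly           = @(Get-ADUser -Filter { UseDESKeyOnly -eq $true }).Count
    ReversiblePassword   = @(Get-ADUser -Filter { AllowReversiblePasswordEncryption -eq $true }).Count
    PasswordNeverExpires = @(Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true }).Count
}
```

A LmCompatibilityLevel below 3 or NoLMHash absent on an old domain controller means LM hashes are still being stored and LM/NTLMv1 responses still accepted on the wire, which is exactly the "easy credential theft" the article is talking about.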

9. Configuration consistency

You want to see consistency for all the items listed so far. Hackers thrive on inconsistency. Inconsistency is how most compromises happen. Consistency takes resolve from start to finish, beginning with consistent images and builds and instructions. You need consistent processes and watchful change and configuration controls. I see consistency when I survey multiple computers and find the same programs installed on the same roles: no more software, no less. I see consistency when I see the same directory structure and folders: no more and no less. I see the same management and monitoring tools. Consistency is the backbone of all security recommendations. Even if a company has security gaps, if I see consistency (in both the good and the bad), I know the company will have an easier time closing holes and becoming more secure. Rampant inconsistency could well mean that everything I find or recommend will be nearly useless. 
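Consistency is easy to eyeball on two machines and impossible on twenty, so it helps to have the comparison in code. The function below is an added example, not code from the article: given a mapping of host name to installed-program names for hosts that share a role, it reports every item that is present on some hosts but not all, which is the "no more software, no less" test stated above. The three-host inventory it runs against is constructed for the demonstration; the commented Invoke-Command line shows how a real inventory would be gathered from the same Uninstall registry keys.

```powershell
# Added example (not from the article): find software that breaks consistency across a role.
# The same function works for service lists, directory listings or management-agent versions.
function Compare-RoleInventory {
    param([hashtable]$Inventory)   # host name -> array of installed program names

    $names = @($Inventory.Keys | Sort-Object)
    $all   = @($Inventory.Values | ForEach-Object { $_ } | Sort-Object -Unique)

    foreach ($item in $all) {
        $have = @($names | Where-Object { $Inventory[$_] -contains $item })
        if ($have.Count -ne $names.Count) {
            [pscustomobject]@{
                Item      = $item
                PresentOn = ($have -join ', ')
                MissingOn = (@($names | Where-Object { $have -notcontains $_ }) -join ', ')
            }
        }
    }
}

# Constructed sample inventory for three web servers (not real hosts).
$sample = @{
    'WEB01' = 'IIS URL Rewrite Module 2', 'Microsoft Monitoring Agent', 'Windows Defender', '7-Zip'
    'WEB02' = 'IIS URL Rewrite Module 2', 'Microsoft Monitoring Agent', 'Windows Defender'
    'WEB03' = 'IIS URL Rewrite Module 2', 'Microsoft Monitoring Agent', 'Java 8 Update 45', 'Windows Defender'
}
Compare-RoleInventory -Inventory $sample | Format-Table -AutoSize
# Reports 7-Zip (missing on WEB02, WEB03) and Java 8 Update 45 (present only on WEB03).

# To gather a real inventory for a list of hosts in $webServers (needs WinRM and admin rights):
# $inv = @{}
# foreach ($h in $webServers) {
#     $inv[$h] = Invoke-Command -ComputerName $h -ScriptBlock {
#         (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*').DisplayName | Where-Object { $_ }
#     }
# }
# Compare-RoleInventory -Inventory $inv
```

The outliers are the interesting rows either way: a single host with an extra Java install is both an unneeded program (check 2) and, most likely, an unpatched one (check 3), and the host missing the monitoring agent is the one whose logs nobody will ever see (check 1).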

10. Up-to-date education

Lastly, I like to see good, up-to-date, end-user and staff education. Does the end-user education include the latest threats or are company newsletters still warning about untrusted websites, file attachments, and macro viruses?

You might hire me for a few weeks to analyze your environment. But the truth is that my first impression forms right after I check a few computers. And my first impressions are rarely wrong.

This story, “Secure or not? 10 spot checks will tell you,” was originally published at InfoWorld.com.

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.