When it comes to IT security, it is easy to focus on tools, techniques and all of the latest threats. While those things are undeniably important, it is also important to perform a periodic, brutally honest self-assessment. This article outlines some of the more important questions to ask yourself during such an assessment. This is by no means a comprehensive list, but rather is designed to help you start asking difficult questions about your organization’s security.
1. Are the Vendors that You Use Looking Out for Your Best Interest?
I once had a travel agent who never could seem to get me booked at the resorts I requested. I tried to book a week at a particular resort in Jamaica once, but the best that he could do was to put me at another resort on the other side of the island. On another occasion, I wanted to stay at a certain hotel in Vegas, but my travel agent booked me at a different place down the street. Eventually, I discovered that this particular travel agency pushed certain properties because the agency received a higher commission. My travel agent wasn’t looking out for my best interest, but rather his own.
The reason why I tell this story is because I have seen similar things happen with tech vendors. If you have been using a particular supplier or consulting firm for a while, it is worth questioning whether those organizations are really looking out for your best interests. Are they recommending products based on your organization’s security requirements, or are they baiting you into purchasing certain products in the name of making a larger commission? Hopefully the supplier really is looking out for you, but it is important to do an occasional reality check.
2. Could Deep Architectural Changes Improve Your Security?
While it may be tempting to pose the question “Is my organization as secure as it could be,” the answer to that question will inevitably be no. There is always going to be something that can be done to make the organization more secure. As such, a better question is whether there are difficult and/or expensive architectural-level changes that could be made in an effort to improve the organization’s overall security. Obviously, most people don’t want to take on a difficult or expensive project if they don’t have to, especially if the project has the potential to introduce other issues. At the same time, though, there is something to be said for identifying areas in which the organization’s IT infrastructure could be made more secure, and then establishing a business justification for either making or not making the change.
One example of such a change might be rerouting certain types of traffic to a dedicated VLAN or to an isolated network segment, so that a compromise of one class of system cannot reach another directly. Similarly, you may be able to improve the security of certain resources by switching to a different operating system or by investing in a newer network switch that supports the access controls you need.
3. What is Your Organization’s Recovery Plan?
Threats against an organization are widely varied, and so simply asking “What is the recovery plan?” is inadequate. It is more helpful to ask "What is the recovery plan if a particular thing happens?" For example, what would you do if the organization was compromised by a major ransomware attack?
This is one of those questions that demands a detailed answer. It isn’t enough to say, “If a major ransomware infection occurred, I would restore a backup,” because other questions need to be answered. Some of those questions might include: "Whom would you notify?" "How long would the outage last?" "What would be the expected cost to the organization?" Having a prepared (and documented) answer to these types of questions might make the difference in being able to keep your job following an event.
Of course, there is one extraordinarily important follow up question. "How will I keep the incident from happening again, and why am I not already doing it?"
4. Does the Organization Have a Culture of Security?
In some ways, I really don’t like this question, because it makes me think of all the times when I have seen an organization’s management try to get users to take security more seriously--only to be completely ignored. I have actually seen very few organizations that have successfully intertwined security into the corporate culture. Those that have succeeded have gone beyond giving users a basic security education to helping users understand that there are consequences to their actions.
5. Are Backups Vulnerable to Attack?
During the last couple of years, there has been a renewed interest in backups because they represent the best option for recovering from a ransomware attack. Even so, there are any number of ways in which backups can be attacked. A poorly implemented disk-based backup, one that is writable from the same hosts it protects, could be encrypted or deleted as part of a ransomware attack, leaving nothing to restore. Alternatively, an attacker might use an insecure backup as a tool for gaining access to sensitive information, since a backup set is often a complete, unmonitored copy of the organization's most sensitive data. As such, it is important to think long and hard about how to best secure an organization’s backups: who can write to them, who can read them, and how you would know if they had been tampered with.
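The following is an added example, not code from the original article, showing two concrete checks that address the backup threats described above: detecting a backup set that has been encrypted or altered in place, and detecting backup files whose permissions expose them to other local accounts. The backup directory, file contents and the HMAC key are constructed for the example; in practice the key must be kept somewhere the backup host cannot reach, otherwise an attacker who controls that host can simply re-sign a tampered manifest.

```python
"""Integrity and exposure checks for a disk-based backup set (added example).

build_manifest() records a SHA-256 digest of every file and authenticates the
listing with an HMAC, so that both silent modification of backup files (e.g.
in-place encryption by ransomware) and edits to the manifest itself are caught.
exposed_files() flags backup files readable by group or other, which is how an
insecure backup becomes a source of sensitive data for an attacker.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(backup_dir: Path) -> dict:
    return {str(p.relative_to(backup_dir)): file_digest(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Digest every file under backup_dir and HMAC the listing with an offline key."""
    entries = _listing(backup_dir)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(backup_dir: Path, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the backup set is intact."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # Stop here: an altered manifest cannot be trusted to list anything.
        return ["manifest HMAC mismatch: manifest itself was altered"]
    current = _listing(backup_dir)
    problems = []
    for name, digest in manifest["entries"].items():
        if name not in current:
            problems.append(f"missing: {name}")
        elif current[name] != digest:
            problems.append(f"modified: {name}")
    problems.extend(f"unexpected: {name}" for name in current if name not in manifest["entries"])
    return problems


def exposed_files(backup_dir: Path) -> list:
    """Backup files readable by group or others leak their contents to any local account."""
    return [str(p.relative_to(backup_dir)) for p in sorted(backup_dir.rglob("*"))
            if p.is_file() and p.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH)]


def demo() -> dict:
    """Constructed scenario: a three-file backup, then one file 'encrypted' in place."""
    key = b"example-manifest-key-kept-off-the-backup-host"  # constructed, not a real secret
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "accounts.sql").write_bytes(b"INSERT INTO accounts VALUES (1, 'alice');\n")
        (root / "files.tar").write_bytes(b"\x00" * 1024)
        (root / "config.json").write_bytes(b'{"db": "prod"}')
        os.chmod(root / "db" / "accounts.sql", 0o600)
        os.chmod(root / "files.tar", 0o600)
        os.chmod(root / "config.json", 0o644)   # deliberately exposed for the demo

        manifest = build_manifest(root, key)
        results = {"clean": verify_manifest(root, manifest, key),
                   "exposed": exposed_files(root)}

        # Ransomware overwrites a backup file in place with ciphertext-like bytes.
        (root / "files.tar").write_bytes(bytes(range(256)) * 4)
        results["after_encrypt"] = verify_manifest(root, manifest, key)

        # Attacker without the key patches the manifest to match the new digest.
        forged = {"entries": dict(manifest["entries"]), "hmac": manifest["hmac"]}
        forged["entries"]["files.tar"] = file_digest(root / "files.tar")
        results["forged"] = verify_manifest(root, forged, key)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to see the four outcomes: a clean verification, the world-readable `config.json` flagged as exposed, the encrypted `files.tar` reported as modified, and the forged manifest rejected outright. The same pattern scales to a real backup job by running `build_manifest` on the verifier (not the backup client) immediately after each backup completes and `verify_manifest` before any restore.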