Answer These Ten Questions for Better Security


Written by Dan Callahan

I am a Senior Technical Advisor to CGNET. Formerly, I managed our Cybersecurity and Cloud Services businesses, and provided consulting to many clients over the years. I wear a lot of hats. Professionally, I'm a builder of businesses. Outside of work, I'm a hobby farmer, chef, skier, dog walker, jokester, woodworker, structuralist, husband and father.

October 8, 2020

Our crack Communications Director Jackie recently came across this infographic from Microsoft. It's a ten-question security self-assessment; you can view or download it here. To be fair, it's not actually an assessment. It's more like something to get you thinking about security. I'm going to expand on the concept here, because answering these ten security questions will certainly give you an idea about how secure your organization is. I will reproduce the questions, then comment on what each question means. I will spare you the part about which Microsoft security service maps to each question. And don't worry; there are no "wrong" answers to these ten security questions. I am sure the pursuers of the Holy Grail wished that were the case when they attempted in their noble quest to cross the Bridge of Death.

The Ten Security Questions

One: Do You Have a Single Sign-On (SSO) Identity Framework?

I remember some years ago when vendors started pushing the idea of Single Sign-On (SSO). It was a tough sell, because vendors focused on the benefit of making it easier for the user to sign on to assorted services. I could almost hear the reply from customers: "Begging your pardon, but we don't really want to spend money to save our users a few clicks in their sign-on experience."

Today we have a more compelling reason for SSO: security. With SSO, users don't have to remember individual logins to the assorted services they access. Fewer logins mean fewer account credentials that can be lost or stolen.

So, your answer to this first of ten security questions should be "yes, of course!" There are plenty of SSO solutions out there. Microsoft has a solution baked into Azure Active Directory. Okta and Ping Identity are two popular solutions in the market.

Two: Which of the Following is True About Your Disaster Recovery Program?

The Microsoft-supplied answers range from "everything is backed up" to "gee, we better do something there." There are tons of backup and restore solutions out there. Before you rush out to buy one, do a little homework.

  • Do you want to back up just data? Or do you need to back up the servers and applications as well?
  • What systems and data are most critical? What do you want up and running in an hour? A day? A week? Longer?
  • Are you looking for high availability, a la a "hot standby"? Or can you live with restoring from a backup that is a day or two old?

Once you work out your answers, you will be in a good position to figure out what solution is right for your organization.

Three: Do You Monitor for Unauthorized Intrusion Activity?

Of the ten security questions, this one may be the hardest, because for most organizations the answer is "no, it's too expensive". I have written before about how that may be changing as we see consumption-based pricing for this kind of monitoring. So, if you ruled intrusion activity monitoring out in the past, it's time to reconsider.

Four: Do You Have a Security Policy in Place?

Congratulations, you probably answered "yes" to this question. But we're not done here just yet. Is your security policy sufficiently comprehensive? For instance, does it cover the working-from-home scenario that we are all living with? Are you enforcing your policy? I have seen more than a few organizations that show me their security policy, but then tell me they are not enforcing it, "yet".

Five: How Do You Connect Your Company to Cloud Services?

Ah, the VPN (Virtual Private Network) question. I believe (with very few facts, as is my custom) that VPNs are outdated. At least, IPsec VPNs fit that description. I suspect IPsec VPNs come from an era when few people tried to work out of the office, and no one thought it was going to be easy. And they were right.

If you still have applications that you are running in-house, you still have a need for a VPN. Hopefully, you can use an SSL-based VPN. But, with more organizations moving their applications to the cloud, it makes sense to use the built-in SSL VPN capability of these services to connect. Let's keep it easy for users to connect the way we would like them to, OK?

(If you need a refresher on IPsec vs. SSL VPNs, here you go.)

Six: How Do You Monitor for Data Leaks?

Depending on your industry, this is a big issue or a not-so-big one. The first question to ask is, "what data do we have that's highly sensitive or confidential?" Use that answer to focus on what data you want to ensure doesn't escape in a poorly thought-out email. Then look for tools that will help you find the data and manage its release.

Seven: How Long Does It Take to Deploy Critical Security Updates to Software?

This might be the most important of the ten security questions. I hope your answer is in hours and not days or weeks. I get it that Way Back When customers felt they had to do quality assurance testing for software updates from their vendors. But that is not the case these days. And with release cycles sometimes measured in weeks nowadays, organizations that want to do their own testing face the prospect of never catching up with new software releases.

Eight: How Do You Limit Access to Resources?

Hello, Zero Trust model! This is now a critical question to address. Not everyone needs access to everything, all the time. Think (especially for administrator users) about who has what role and how that role constrains the data and systems they can access. No more shared keys to the kingdom!

Nine: Do You Perform Vulnerability Assessments on Your Environment?

"Or do you let hackers do that for you," he cheekily asked. Don't wait to find out how secure your environment is. Get a test! There are tools out there you can use. And there are plenty of consultants that can run the test for you. Most importantly, these consultants can sift through the pages of warnings to let you know what is most in need of attention.

Get a vulnerability test, at least once a year. Twice a year would be even better.

Ten: Are You Prepared to Deal with Ransomware Attacks and Demands?

We have noted elsewhere that ransomware attacks are on the rise. And the attackers are even developing pricing models that maximize the ransom demand based on characteristics of the victim organization.

Expect that it may well happen, despite your best efforts. Be prepared to restore data and applications to affected machines. Then give the hacker a good Bronx cheer.

Now That You've Answered These Ten Security Questions

OK, so how did you do? Likely, you are in good shape on many of the ten security questions and a bit nervous about a few others. Not to worry. Cybersecurity is all about getting better. You have come a long way. You've got friends that can help you get further. And that, as our friends have said, is a noble quest.
