Are we secure?
Can you answer this question? If your boss asked you tomorrow, what would you say? Early in my career, when I didn’t know any better, I probably would have said “Yeah, of course we are,” with an attitude and a grin. Now that I have a few years under my belt and have been humbled on a few occasions, my response would not be the same, though I would probably still grin.
I think it is an unfair question, and it is generally asked by someone who doesn’t know any better. Security is not an absolute, so sitting back and stating that you are secure is not advised. The absence of a security incident does not mean that you are secure; it means that you are lucky. Think of someone asking if you are healthy: what would your answer be? You may feel healthy and haven’t needed to visit the doctor recently, but does the absence of an ailment mean you are healthy? Of course not! You could go in for a checkup and find out you have really high blood pressure and cholesterol. You went from thinking you are healthy to realizing you are not, but you now have data points to measure against. The same goes for security: unless you have metrics, you can’t accurately (or honestly) answer that question.
So how should you respond to that question? I would start by making sure the individual asking realizes that security is not an absolute. Make sure they understand it cannot be answered with a global yes or no. You need to break the question into smaller components. Hopefully you are already gathering metrics that answer specific questions, so use those metrics to fuel your answer. What metrics do you need? Well, I haven’t completely figured that out yet, and I don’t know of anyone who has. That said, if I were asked the question tomorrow, here is how I would break it down:
- Number of recent security incidents: Get the discussion off to a good start, because hopefully you haven’t had any incidents recently. This allows you to drop the line, “Well, in the past x months we have had no security incidents.” Atta boy!
- External Penetration Testing: Scan the external IP range for open ports and vulnerabilities. This does not take very long and gives you a lot of data points to talk about. I am a numbers guy, so I would break it down into percentages based on the number of systems scanned and their level of security.
- Patching: Break this down into clients and servers. What is the patching process? What is the mean time from patch release to system patched? Show that patching is under control and happens in a timely manner.
- Data Protection: Are the hard drives encrypted, especially for mobile users? Are backup tapes sent offsite, and if so, is the data protected with strong encryption?
- Password Policy: Do you have one? Run a password crack against your user accounts. How many accounts were cracked? Were any of the cracked accounts privileged? What was the average time to crack?
- Remote Access: How many different options are available for remote access? How are they secured? Does everyone have remote access or just certain employees?
- Compare: If you don’t have any contacts at a comparable organization, get some. This way you can do some comparisons to see how you match up with other similar companies. This is always a good reality check, and management eats this up.
- Planning: What I have planned to improve any areas where we are lacking, and why we need the improvement.
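As an added illustration (not from the original post), here is a Python script that computes the numbers behind four of the items above: the incident count for a reporting window, the external-scan percentages, mean time-to-patch per host class with a share-within-SLA figure, and the password-audit summary (cracked count, privileged accounts among them, average time to crack). Every host, date and audit result is constructed and hypothetical; the severity labels, the 14-day patch SLA and the input layouts are my assumptions, not something the post prescribes.

```python
"""Metrics behind a "how secure are we?" answer.

Added example, not from the original post. All data below is constructed
(hypothetical hosts, dates and audit results) so the script runs offline.
"""
from collections import Counter
from datetime import date
from statistics import mean

# Reporting date and window start (assumed, constructed values).
TODAY = date(2024, 6, 10)
WINDOW_START = date(2024, 3, 12)

# Incident log: (date opened, severity). Constructed.
INCIDENTS = [
    (date(2024, 1, 14), "medium"),
    (date(2024, 3, 2), "low"),
]

# External scan: host -> worst finding severity. Constructed (documentation range).
SCAN_RESULTS = {
    "203.0.113.10": "none",
    "203.0.113.11": "high",
    "203.0.113.12": "medium",
    "203.0.113.13": "none",
    "203.0.113.14": "low",
}

# Patch records: (host class, patch release date, date applied or None). Constructed.
PATCH_RECORDS = [
    ("server", date(2024, 5, 14), date(2024, 5, 20)),
    ("server", date(2024, 5, 14), date(2024, 5, 16)),
    ("client", date(2024, 5, 14), date(2024, 5, 30)),
    ("client", date(2024, 5, 14), date(2024, 6, 3)),
    ("client", date(2024, 5, 14), None),  # still unpatched at reporting time
]

# Password audit output: account -> (privileged?, seconds to crack or None). Constructed.
PASSWORD_AUDIT = {
    "alice": (False, None),
    "bob": (False, 40.0),
    "svc_backup": (True, 3.0),
    "carol": (False, None),
    "dave": (True, None),
}


def incidents_since(incidents, since, today):
    """Count incidents opened in [since, today] for the 'past x months' line."""
    return sum(1 for opened, _ in incidents if since <= opened <= today)


def scan_breakdown(results):
    """Percentage of scanned hosts at each worst-finding severity."""
    total = len(results)
    counts = Counter(results.values())
    return {sev: round(100.0 * n / total, 1) for sev, n in counts.items()}


def patch_metrics(records, sla_days):
    """Per host class: mean days from release to applied, share patched within
    the SLA, and hosts still unpatched. Unpatched hosts count against the SLA
    percentage but are excluded from the mean so it is not silently skewed."""
    out = {}
    for cls in sorted({r[0] for r in records}):
        rows = [r for r in records if r[0] == cls]
        lags = [(applied - released).days for _, released, applied in rows if applied]
        within = sum(1 for lag in lags if lag <= sla_days)
        out[cls] = {
            "mean_days": round(mean(lags), 1) if lags else None,
            "pct_within_sla": round(100.0 * within / len(rows), 1),
            "unpatched": len(rows) - len(lags),
        }
    return out


def password_metrics(audit):
    """Cracked count and share, which privileged accounts fell, mean seconds to crack."""
    cracked = {acct: secs for acct, (_, secs) in audit.items() if secs is not None}
    priv_cracked = sorted(acct for acct in cracked if audit[acct][0])
    return {
        "accounts": len(audit),
        "cracked": len(cracked),
        "pct_cracked": round(100.0 * len(cracked) / len(audit), 1),
        "privileged_cracked": priv_cracked,
        "mean_seconds": round(mean(cracked.values()), 1) if cracked else None,
    }


if __name__ == "__main__":
    print("incidents in window:", incidents_since(INCIDENTS, WINDOW_START, TODAY))
    print("scan:", scan_breakdown(SCAN_RESULTS))
    print("patching:", patch_metrics(PATCH_RECORDS, sla_days=14))
    print("passwords:", password_metrics(PASSWORD_AUDIT))
```

The point of the SLA percentage alongside the mean is that a mean time-to-patch alone hides the hosts that were never patched; keeping the unpatched count separate answers the follow-up question before it is asked.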
There are other areas that you should be looking at depending on your business, but I won’t get into database or specialized application security. The above points, I think, will apply to every business, so they make a good starting point. Do you agree? What am I missing?
Filed under: Security
Tags: metrics, Security