Those who have done security consulting or auditing will probably answer this question far better and quicker than I. In fact, I bet there are checklists available that I could grab in minutes to answer this. Maybe I’ll check for some after posting…
Nonetheless, I decided to do a thought exercise with myself: What would you look at or do to discover the biggest information security issues in a corporate environment in a short amount of time? It’s one thing to be on a job for a year and ferret out all the dark secrets, snowflake servers, and weak adherence to policy. It’s another thing to have a job interview or a day-long interview with someone (or several people) about security posture (and more than likely get told what sounds good and correct).
But what would one look for to get a quick, accurate, and fairly holistic look at the state of security, and thus formulate some findings and courses of action to tackle them? And I’m not going to take the easy route (necessarily) and list off the CIS Top 20 Controls, even though they’re a good place to orient the evaluation of an environment. I also want to avoid questions that few people can answer easily or that are easy softballs, like knowing what data is on all mobile devices that might go missing, or whether encryption is employed on all mobile devices.
1. Interview the technical people in the trenches. Ask them what the biggest security problems are. Not all of them will care about security or have any thoughts beyond their own job, and some will not be very open in group settings or with a manager present, but I have long been of the opinion that people in the trenches have a finger closer to the pulse than most management will care to admit. Find the subset of IT geeks that have security opinions, invite them to dinner and some beers/wines, and ask the questions.
2. Internal authenticated vulnerability scan that covers at least 50% of the environment and at least a sampling of every major Operating System (including workstations). There are some main goals here, such as seeing patch level and consistency, and configuration consistency in the environment.
3. Scan and analyze the health of Active Directory. This includes not just looking at the objects, but also permissions and privilege paths with a BloodHound scan of AD.
4. Inventory scan of local administrative access (or equivalent) on all Operating Systems.
5. Percentage of confidence in these systems being accurate and complete: hardware inventory, software inventory, network and business systems diagrams.
6. The state of policies and supporting procedure documents relating to technical security controls. This does not mean an Acceptable Use Policy for end-users or high-level policy statements, but rather how detailed these documents are and how easy they are to find and consume.
7. Describe the security awareness training offerings for internal employees.
8. Analyze network firewall policies/configurations. For this, I am looking at how organized the rules are, how tight they are, and how documented they are. What is the process to change them?
9. What are the next 5 projects related to security initiatives? If none, how many security employees are there? Basically, if someone doesn’t have security projects, perhaps they are in a mature mode with existing staff. If neither really exist beyond reaching for strange ideas that probably aren’t approved or backed by management, there probably is not much security emphasis, if any at all.
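To make item 8 (how organized, tight, and documented the firewall rules are) concrete, here is an added example, not code from the original post, of the kind of quick hygiene review one could run over an exported rule set. The rule format and the sample rules are constructed for illustration; it flags any/any allows, rules with no comment, and rules fully shadowed by an earlier rule (a sign of an unmaintained, poorly organized rulebase).

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    port: str      # "any", a single port "443", or a range "1024-65535"
    action: str    # "allow" or "deny"
    comment: str = ""

def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)

def _ports(p: str) -> tuple:
    if p == "any":
        return (1, 65535)
    lo, _, hi = p.partition("-")
    return (int(lo), int(hi or lo))

def covers(a: Rule, b: Rule) -> bool:
    """True if rule a matches every packet rule b would match, i.e. a shadows b."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and _ports(a.port)[0] <= _ports(b.port)[0]
            and _ports(a.port)[1] >= _ports(b.port)[1])

def review(rules: list) -> list:
    """Return (rule name, finding) pairs in rulebase order."""
    findings = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == r.dst == r.port == "any":
            findings.append((r.name, "any/any allow"))
        if not r.comment.strip():
            findings.append((r.name, "undocumented"))
        for earlier in rules[:i]:          # first-match semantics: earlier wins
            if covers(earlier, r):
                findings.append((r.name, f"shadowed by {earlier.name}"))
                break
    return findings

# Constructed sample rulebase (hypothetical addresses), in evaluation order.
RULES = [
    Rule("r1", "10.0.0.0/8", "10.20.0.5/32", "443", "allow", "HR web app"),
    Rule("r2", "10.0.1.0/24", "10.20.0.5/32", "443", "allow", ""),
    Rule("r3", "10.0.0.0/8", "10.30.0.0/16", "22", "allow", "admin ssh from corp"),
    Rule("r4", "any", "any", "any", "allow", "temporary vendor access"),
]

if __name__ == "__main__":
    for name, finding in review(RULES):
        print(f"{name}: {finding}")
```

A real review would parse the vendor's export format into `Rule` objects first; the checks themselves do not change.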