I Am a Non-Technical Executive... What Seven Things Should I Be Asking My IT Guys About IT Security?

Irvine, CA - Overseeing IT and security is a daunting task, even if you are an IT professional. If you are an executive to whom IT reports, then the task becomes near impossible. The list of following questions is designed to empower you to have a meaningful discussion with your IT team so you can be an informed and responsible manager pursuing your due diligence role in protecting the assets of your firm. If you are an IT professional, these are questions you should be prepared to answer.

1.       Q. When did we last do a risk assessment? Please share that document with me. I would particularly like to see the Risk Assessment Table.

A.      Make sure your IT team is periodically assessing the risks to your IT systems.  They should be recommending upgrades and new solutions for you from time-to-time, and you should be listening.  They need to be able to express the threat in operational and economic terms in order to justify the expenditure.  If your team can’t give you a clear and coherent answer on when and how they last did this, send them off with a task and a deadline.

2.       Q. When did we last do a Vulnerability Scan? What were the results of that scan? I would like to see the report.  Who did the remediation? When is our next scan planned?

A.      Vulnerability scans are typically done by outside contractors in order to get an unbiased opinion.  Your team can do it internally with tools such as the Nessus Scanner, but it is probably best done by someone who knows the tool and knows how to read the results.  This person can then prepare and submit to you an unbiased assessment of how well your security is being managed.  If your team cannot give you clear cut answers on when they or someone else last did a vulnerability scan, provide a copy of the report and then tell you what they did to remediate the vulnerabilities, then you as an organization are running blind in the wild west of the new digital Internet era.

3.       Q. What is the status of our Software Patching? Let me see a report on our patching status? What Software Patching Best Practices are we following?

A.      Software patching is the task of updating software you use that invariably has new flaws discovered every month that hackers can use to compromise and exploit your IT systems.  If you don’t apply these patches on a regular basis, you are most definitely vulnerable to data loss.  Your team should be able to tell you how often they patch your systems, how they decide what to patch, what tools they use to do this and what the process is.  If your team is on top of this, they should be able to provide you a report on the status of the patches on all your servers, PCs, applications, firewalls, etc. They should, if they really have their act together, be able to provide you with documentation on how they do this patching task and how often. If you have concerns about your software patching status, it is typically not very expensive to have someone outside the firm perform a scan, generate a report and then render an opinion for you.

4.       Q. Who manages our Firewalls?  Who assesses what ports we should have open and closed, both in-bound and out-bound? How old is our firewall technology and does it have newer Unified Threat Management capabilities like IPS?

A.      Firewalls are a common appliance to help block bad people from getting into your network.  Both executives and IT people tend to put far too much faith in firewalls. Firewalls are designed to let traffic into your network. Let that sink in… they let traffic in.  Sure, they lock certain doors called ports, but in order to do business you must unlock some doors. Bad people can come in that way just like everyone else.  Furthermore, most IT people are marginally equipped to configure a firewall, so when something doesn’t work, they unlock all the doors.  When it works they leave it that way.  Your job is to find out who manages the firewall(s), what is their competency and how often do they review the requirements of both inbound and outbound ports.  Ask what kind of reports can be produced weekly or monthly from your firewall and who is responsible for viewing them. Most people set-up a firewall and then forget about it.  If no one is looking at the reports, then you don’t know what is going on with the firewall.  Also ask if your firewall supports new advanced security techniques like intrusion prevention.  If it is old or too low end, you should consider an upgrade.  Also consider having another professional from outside your firm look at how the firewall is configured.

5.       Q. Who manages our Group Policy and when was it last updated?  How are we managing user accounts so they have the Least Privilege required to do their job?

A.      Group policy is a set of tools within the Windows Active Directory environment that makes life easier and more consistent for your IT team to manage the system.  If you have Linux or other systems, there are analogs to AD.  Within group policy network administrators create user accounts and set permissions to access drives, applications, printers, etc.  Inexperienced or lazy network admins will give far too many rights to users, sometimes even giving full administrator rights.  This is especially common when something does not work right for a user. At that point it is easier to just give the user a bunch of rights they don’t need rather than figuring out how to do that the right way. Providing a user just enough access to properly do their job is called least privilege.  Your job is to ask the right questions to assess the capabilities of your admin(s) and how they have set-up the system.  Good specific questions to ask are:

·         Q. How have you set password complexity? A. They should be able to answer with something like, “We have set minimum password length to eight characters, with at least one number and one special character.

·         Q. How frequently does Group Policy force users to change their password? A. The answer should be something similar to, “Our Group Policy requires users to change their password every 90 days and they cannot reuse a password for at least 10 cycles.

·         Q. Do you use login scripts of startup scripts to install anti-virus and other software? A. The answer should be that they are using startup scripts. If they are using login scripts then that means your users have local admin rights and that can present a very serious security issue for the whole firm.

If you are unsure about any of this, a consultant in short order can take a look at your system and assess where you are at with regard to least privilege configurations.

6.       Q. How are we handling e-mail Spam Filtering and AV/Malware Scanning?

A.      Spam filtering has grown in importance since 2013. Initially spam filter was done just to avoid the nuisance of all the junk e-mail we all get every day. More recently, most spam filtering systems will also scan e-mails for viruses and damaging malware like ransomware. Ask your IT team how they are handling spam filtering and scanning e-mails for malware. The best solution is a service that constantly updates the methods by which they block offending e-mail messages. This is typically billed monthly per e-mail account.  Another method is to use spam filtering tools in dedicated appliances or built into firewalls.  If this is how your team is blocking spam, then you must ask them who updates the spam filtering software and rule sets and how often do they do this. Spam filtering services will do this multiple times per day. Your team better be doing it at least once per month at the barest of minimums.   

7.       Q. Can we get Ransomware?  If so, why or why not? If we do get ransomware, how will you get us recovered?

A.      This is a bit of a playful question in a high stakes game.  The right answer is “Yes, we can get ransomware.”  But you need to grill your team about what tools and techniques they are using to protect your firm from ransomware. There are so many other threats that face you and your company, but this one is a good place to start to see what kind of answer you get. They should be telling you that they:

·         Filter and scan all in-coming e-mail

·         Use a content filtering service such as OpenDNS

·         Employ link reputation checking techniques

·         Block certain file types in e-mail attachments

·         Educate your user community and safe and dangerous computer use practices

·         And that they have a rock solid back-up and disaster recovery plan that they can both explain in great detail and demonstrate in operation. Click Here for some tips on how to make sure you have a Rock Solid Backup and Disaster Recovery Plan

Practicing good network security is what professionals call a layered approach. That means you need to be doing a lot of things concurrently that all overlay each other in order to provide you a good security posture.  There is no such thing as a silver bullet when managing your security.  All of these different tools and techniques build upon each other to catch and prevent different types of threats.  You must do them all.  Even then no one can assure you that you are completely safe.  What you must strive for is a good, fit security posture.  Doing so will dramatically reduce the likelihood of a problem and should you experience a problem that you will have a good path to recovery.

This list of questions is nowhere near complete or comprehensive.  It is only a starting point for you to ask some specific questions to try and unearth whether you have a problem with regards to managing your IT security. If you get good, clean and complete answers to all of these questions and you don’t sense that you are being manipulated, then you are probably in a good place. If you don’t get good answers, the respondent is unclear and unable to provide coherent answers, stumbles and backtracks, is manipulative in the responses, then you should consider that you are in a very bad place with regards to your network security posture.  Getting an outside assessment as soon as possible is most strongly advised.

If you want a more comprehensive view of what you and your IT team should be doing to manage and budget security on an economical basis using tools you probably already have on hand, Click Here to download WHAT 12 SECURITY THINGS SHOULD I FOCUS ON TO BE DEFENSIBLE IN 2016?