You don't need a high-powered consultant to determine whether your security sucks. Try this simple checklist instead

I don't know about you, but I can tell in about a minute how much someone I've just met knows about computers, networks, and security. It's in what they say, how they respond, and what they think about particular subjects. I bet most of you can do the same. And like me, I bet you've found these first impressions to be surprisingly accurate.

The same snap judgement occurs when I'm asked to perform a thorough security survey of a network or company. Although my professional checklists run to hundreds of items, I normally go through a handful when I first arrive on site, which gives me a fairly accurate indicator of the network's overall health.

My average security review lasts from one to four weeks, depending on the scope and the details required. My reports are often 40 to 80 pages long. But the reality is that I can make a pretty accurate prediction of what that final report will look like by checking just 10 items:

1. Proactive security monitoring

Year after year, the Verizon Data Breach Investigations Report consistently says that most malicious intrusions could have been noticed earlier, or the damage minimized, if the appropriate monitoring had been in place. Most of the places I review have hideous event log management. They may have auditing turned on and they may be generating logs all over the place, but they don't collect, review, or respond to what those logs report.
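What "collect, review, and respond" looks like in practice, as an added example that is not code from the original column: a small reviewer that runs three rules over a log export. The input is a constructed sample of Windows Security events in a pipe-delimited format assumed here for illustration (the real source would be a SIEM, a Get-WinEvent query or a wevtutil export); the event IDs, the group names and the thresholds are the only real-world parts. The third rule is the one most shops forget: a host that is supposed to be forwarding and has gone silent is a finding against the monitoring itself.

```python
"""Spot check 1, proactive monitoring: collect the events, then actually look at them.

Added example, not code from the original column. The input is a constructed
sample of Windows Security events in a pipe-delimited export format assumed
here for illustration (a SIEM, Get-WinEvent or wevtutil export would be the
real source):
    timestamp|host|event_id|Key=Value|Key=Value...
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Any membership change to these groups should reach a human the same day.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}       # member added to global/local/universal group
FAILED_LOGON = 4625
BRUTE_FORCE_THRESHOLD = 5                   # failures for one account from one source...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)   # ...inside this window
SILENT_HOST_MAX_AGE = timedelta(hours=24)   # a forwarder quiet this long is a coverage gap

# Constructed sample export (assumed format, not real data).
SAMPLE_EVENTS = """\
2023-03-01T09:00:00Z|DC01|4624|TargetUserName=jsmith|IpAddress=10.0.0.55
2023-03-01T09:01:10Z|DC01|4625|TargetUserName=administrator|IpAddress=10.0.0.99
2023-03-01T09:01:12Z|DC01|4625|TargetUserName=administrator|IpAddress=10.0.0.99
2023-03-01T09:01:15Z|DC01|4625|TargetUserName=administrator|IpAddress=10.0.0.99
2023-03-01T09:01:17Z|DC01|4625|TargetUserName=administrator|IpAddress=10.0.0.99
2023-03-01T09:01:20Z|DC01|4625|TargetUserName=administrator|IpAddress=10.0.0.99
2023-03-01T09:30:00Z|DC01|4728|SubjectUserName=bob.admin|MemberName=CN=svc-backup,OU=Service,DC=corp,DC=local|TargetUserName=Domain Admins
2023-03-01T10:00:00Z|FS01|4625|TargetUserName=mary|IpAddress=10.0.1.7
2023-03-01T11:00:00Z|DC01|4732|SubjectUserName=bob.admin|MemberName=CN=helpdesk,OU=Groups,DC=corp,DC=local|TargetUserName=Backup Operators
"""
EXPECTED_HOSTS = {"DC01", "FS01", "WEB01"}                # hosts that are supposed to forward logs
NOW = datetime(2023, 3, 1, 12, 0, tzinfo=timezone.utc)  # review time for the sample


def parse_event(line):
    """Turn one export line into {'time', 'host', 'event_id', 'fields'}."""
    ts, host, event_id, *pairs = line.strip().split("|")
    fields = dict(pair.split("=", 1) for pair in pairs)  # DNs contain '=', so split once
    time = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": time, "host": host, "event_id": int(event_id), "fields": fields}


def analyze(export_text, expected_hosts, now):
    """Run three review rules over an export and return the alerts they raise."""
    events = [parse_event(l) for l in export_text.splitlines() if l.strip()]
    alerts = []

    # Rule 1: a single addition to a privileged group is enough to alert.
    for ev in events:
        f = ev["fields"]
        if ev["event_id"] in GROUP_ADD_EVENTS and f.get("TargetUserName") in PRIVILEGED_GROUPS:
            alerts.append({"rule": "privileged_group_add", "host": ev["host"],
                           "detail": f"{f.get('SubjectUserName')} added {f.get('MemberName')} "
                                     f"to {f['TargetUserName']}"})

    # Rule 2: password guessing shows up as N failures for one account from one source.
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == FAILED_LOGON:
            f = ev["fields"]
            failures[(ev["host"], f.get("IpAddress"), f.get("TargetUserName"))].append(ev["time"])
    for (host, ip, user), times in failures.items():
        times.sort()
        for i in range(len(times) - BRUTE_FORCE_THRESHOLD + 1):
            if times[i + BRUTE_FORCE_THRESHOLD - 1] - times[i] <= BRUTE_FORCE_WINDOW:
                alerts.append({"rule": "brute_force", "host": host,
                               "detail": f"{BRUTE_FORCE_THRESHOLD}+ failed logons for {user} from {ip}"})
                break  # one alert per (host, source, account) is enough

    # Rule 3: coverage. An expected host that has gone quiet is a hole in the monitoring itself.
    last_seen = {}
    for ev in events:
        if ev["host"] not in last_seen or ev["time"] > last_seen[ev["host"]]:
            last_seen[ev["host"]] = ev["time"]
    for host in sorted(expected_hosts):
        seen = last_seen.get(host)
        if seen is None or now - seen > SILENT_HOST_MAX_AGE:
            alerts.append({"rule": "silent_host", "host": host,
                           "detail": "no events received" if seen is None else f"last event {seen.isoformat()}"})
    return alerts


def run_sample():
    """Analyze the constructed sample as of NOW."""
    return analyze(SAMPLE_EVENTS, EXPECTED_HOSTS, NOW)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert['rule']}] {alert['host']}: {alert['detail']}")
```

On the sample this raises exactly three alerts: the service account added to Domain Admins (the Backup Operators change is logged but below the bar), the five-in-ten-seconds guessing run against the built-in administrator account, and WEB01, which is on the forwarding list but never reported. Note that the rules deliberately key on the event's TargetUserName field, which for 4728/4732/4756 carries the group name, not the member; reading the wrong field is a common mistake in home-grown rules.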
A company with a solid, pervasive event log management system, and a review process that actually uses it, is probably doing a lot of the other stuff right too, if only because these systems tend to be last on the list of security measures.

2. Number of unneeded programs and services

I usually review two items under this category: all installed programs and services, and all programs automatically executed when the computer starts. Unnecessary programs and services mean more attack surface for intruders to exploit. When I find a bare minimum of programs and services installed, I know I'm in a place that values the "less is more" paradigm. It's also important to ask the people in charge of particular computers whether they understand the reason for each of the installed programs and services.

3. Patch management breadth and timeliness

Everyone patches, but do they do it well? That means all installed programs and services have all critical patches installed: not just the operating system, but also browser add-ons, productivity software, and firmware. I can't tell you how many places think they have rock-solid patching only to discover that the most common browser add-ins (such as Oracle Java, Adobe Acrobat Reader, and Adobe Flash) aren't patched. Nor are the management tools, which is pretty common on servers. Each server typically has the same server management software, but when I check the version, I find it hasn't been updated in years. That management software may contain multiple publicly known holes that were patched years ago. Hackers love that.

4. Antimalware coverage and status

This one is self-explanatory: Do they have antivirus software installed? Is it up to date? Do they have solid antispam, antiphishing, anti-adware, and the myriad other tools needed to protect desktops and servers? How often are they updated? Updating within 24 hours is the minimum, but I often see servers with antimalware definitions that are two days old. Jeez.

5. Privileged groups and memberships

How many users are in elevated groups? Companies with good security have a bare minimum, bad ones have insane numbers, and top-notch companies have no permanent members at all. For example, in Active Directory shops, I like to see a handful (or fewer) of permanent members in the Enterprise Admins and Domain Admins groups; more commonly, I've been in companies with hundreds of members in these groups. Heck, each year I find a company that has the Authenticated Users group as a member of its highest-privileged groups (which makes every account in the forest an administrator), and it's been that way for ages. I also review sensitive and shared directories for excessive permissions.

6. Lifecycle management

Good lifecycle management is worth its weight in gold. It starts by making sure every object in a namespace (Active Directory, DNS, and so on) is needed before it's added, and that an owner is always assigned, so that if anyone has a question, everyone can easily see whom to contact. But my quick litmus test is whether they regularly remove old members when that object or member is no longer needed. Lots of companies are great at the process control for adding items but horrible at following up afterward, especially on deprovisioning.

7. Security hardening

I always take a quick look at basic security settings on workstations and servers. Do they have the basic recommended security settings enabled? Are settings tighter than normal, or have they made their computers weaker? I don't care about a misconfigured setting here and there, but you want to see a pattern of strength and protection.

8. Authentication sophistication

Although the protection provided by smartcards, RSA tokens, and other two-factor authentication methods is often oversold, any authentication method beyond plain logon passwords is a positive. It means the company is interested in preventing easy theft of authentication credentials.
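A worked version of the membership and deprovisioning checks from items 5 and 6, added here as an example and not code from the original column. DIRECTORY is a constructed, simplified snapshot of an AD domain (group members, the managedBy owner, account state and last logon date); in a real review the same data comes from Get-ADGroupMember -Recursive and Get-ADUser with the Enabled, lastLogonTimestamp and managedBy properties. The point of expanding nested groups is that the headcount you see in the console is rarely the effective one: here a Tier0-Ops group (and a loop inside it) quietly carries a departed contractor and a disabled service account into Domain Admins, and Authenticated Users has been dropped into the built-in Administrators group. The user and group names are assumptions.

```python
"""Spot checks 5 and 6: who is really in the privileged groups, and is anyone cleaning up?

Added example, not code from the original column. DIRECTORY is a constructed,
simplified snapshot of an AD domain (assumed data, not a real domain).
"""
from datetime import date

PRIVILEGED = ("Enterprise Admins", "Domain Admins", "Administrators")
MAX_PERMANENT_MEMBERS = 5   # "a handful or fewer"
STALE_DAYS = 90             # no logon for this long: probably gone, never deprovisioned

# Well-known principals that must never be a member, directly or via nesting.
WELL_KNOWN = {"S-1-5-11": "Authenticated Users", "S-1-1-0": "Everyone", "Domain Users": "Domain Users"}

DIRECTORY = {
    "groups": {
        "Enterprise Admins": {"managedBy": None,    "members": ["alice"]},
        "Domain Admins":     {"managedBy": "alice", "members": ["alice", "bob", "Tier0-Ops"]},
        # Built-in Administrators holds DA and EA by default; someone also added Authenticated Users.
        "Administrators":    {"managedBy": None,    "members": ["Domain Admins", "Enterprise Admins", "S-1-5-11"]},
        "Tier0-Ops":         {"managedBy": "alice", "members": ["carol", "old-contractor", "svc-legacy", "Tier0-Ops-Nested"]},
        "Tier0-Ops-Nested":  {"managedBy": None,    "members": ["Tier0-Ops", "dave"]},  # nesting loop
    },
    "users": {
        "alice":          {"enabled": True,  "lastLogon": "2023-02-27"},
        "bob":            {"enabled": True,  "lastLogon": "2023-02-20"},
        "carol":          {"enabled": True,  "lastLogon": "2023-01-30"},
        "old-contractor": {"enabled": True,  "lastLogon": "2022-06-01"},  # left long ago, never removed
        "svc-legacy":     {"enabled": False, "lastLogon": "2021-01-15"},  # disabled but still a member
        "dave":           {"enabled": True,  "lastLogon": "2023-03-01"},
    },
}
NOW = date(2023, 3, 1)  # review date for the sample


def effective_members(group_name, directory):
    """Expand nested groups; return {principal: path of groups that grants membership}."""
    found = {}
    groups = directory["groups"]

    def walk(name, path, seen):
        for member in groups[name]["members"]:
            if member in groups:
                if member not in seen:          # skip loops such as A -> B -> A
                    walk(member, path + [member], seen | {member})
            else:
                found.setdefault(member, path)  # keep the first path that grants access

    walk(group_name, [group_name], {group_name})
    return found


def audit_group(group_name, directory, now):
    """Findings for one privileged group: owner, size, well-known SIDs, disabled and stale members."""
    findings = []
    if directory["groups"][group_name]["managedBy"] is None:
        findings.append(("no_owner", group_name))
    members = effective_members(group_name, directory)
    if len(members) > MAX_PERMANENT_MEMBERS:
        findings.append(("too_many_members", f"{len(members)} effective members"))
    for principal, path in members.items():
        via = " > ".join(path)
        if principal in WELL_KNOWN:
            findings.append(("everyone_is_admin", f"{WELL_KNOWN[principal]} via {via}"))
            continue
        user = directory["users"].get(principal)
        if user is None:
            findings.append(("unknown_principal", f"{principal} via {via}"))
        elif not user["enabled"]:
            findings.append(("disabled_still_member", f"{principal} via {via}"))
        elif (now - date.fromisoformat(user["lastLogon"])).days > STALE_DAYS:
            findings.append(("stale_member", f"{principal} via {via}"))
    return findings


def audit_all(directory, now, groups=PRIVILEGED):
    """Audit every privileged group; returns {group: [(rule, detail), ...]}."""
    return {g: audit_group(g, directory, now) for g in groups}


if __name__ == "__main__":
    for group, findings in audit_all(DIRECTORY, NOW).items():
        print(f"{group}: {'clean' if not findings else ''}")
        for rule, detail in findings:
            print(f"  {rule}: {detail}")
```

Two caveats when you run the real thing. lastLogonTimestamp is replicated lazily (by default it can lag the true last logon by up to 14 days), so it is fine for a 90-day staleness test but not for anything tighter. And a disabled account that is still a group member is a finding in its own right: re-enabling it, by mistake or by an attacker, hands back every privilege the group carries.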
If they only use passwords, I have two questions out of the gate: Are the passwords long and complex (or at least long)? And do they use the strongest available authentication hashes and protocols? (In a Windows shop that means no LM hashes stored and NTLMv1 refused in favor of NTLMv2 or, better, Kerberos.) If not, the looters have most likely already paid many visits.

9. Configuration consistency

You want to see consistency across all the items listed so far. Hackers thrive on inconsistency; inconsistency is how most compromises happen. Consistency takes resolve from start to finish, beginning with consistent images, builds, and instructions, and continuing through consistent processes and watchful change and configuration control. I see consistency when I survey multiple computers in the same role and find the same programs installed: no more software, no less. I see it when I find the same directory structure and folders, no more and no less, and the same management and monitoring tools. Consistency is the backbone of all security recommendations. Even if a company has security gaps, if I see consistency (in both the good and the bad), I know the company will have an easier time closing holes and becoming more secure. Rampant inconsistency could well mean that everything I find or recommend will be nearly useless.

10. Up-to-date education

Lastly, I like to see good, up-to-date end-user and staff education. Does the end-user education cover the latest threats, or are company newsletters still warning only about untrusted websites, file attachments, and macro viruses?

You might hire me for a few weeks to analyze your environment. But the truth is that my first impression forms right after I check a few computers. And my first impressions are rarely wrong.

This story, "Secure or not? 10 spot checks will tell you," was originally published at InfoWorld.com. Read more of Roger Grimes' Security Adviser blog at InfoWorld.com.
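A worked version of the "no more software, no less" test from items 2 and 9, added here as an example and not code from the original column. It compares each host's inventory of installed software, services and startup items against the approved build for its role, and then, independently of the baseline, reports anything that exists on some hosts of a role but not all of them, which is the inconsistency the column warns about. ROLE_BASELINES and HOSTS are constructed inventories with assumed product and host names; on Windows the real inputs would come from the Uninstall registry keys, Get-Service and Get-CimInstance Win32_StartupCommand.

```python
"""Spot checks 2 and 9: the fewest possible programs and services, and the same set on every box of a role.

Added example, not code from the original column. ROLE_BASELINES and HOSTS are
constructed inventories (assumed data).
"""
CATEGORIES = ("software", "services", "startup")

# What a web server in this (fictional) shop is supposed to run, and nothing else.
ROLE_BASELINES = {
    "web": {
        "software": {"IIS", "EndpointProtection", "LogForwarder", "MgmtAgent"},
        "services": {"W3SVC", "EventLog", "LogForwarder", "MgmtAgentSvc"},
        "startup":  set(),
    },
}


def _web(software_extra=(), software_missing=(), services_extra=(), services_missing=(), startup=()):
    """Build one web-host inventory as the baseline plus the listed deviations (sample data only)."""
    base = ROLE_BASELINES["web"]
    return {"role": "web",
            "software": (base["software"] | set(software_extra)) - set(software_missing),
            "services": (base["services"] | set(services_extra)) - set(services_missing),
            "startup": base["startup"] | set(startup)}


HOSTS = {
    "WEB01": _web(),                                                   # matches the build
    "WEB02": _web(software_extra=["WinRAR"], services_extra=["RemoteRegistry"],
                  startup=[r"C:\Tools\tunnel.exe"]),                   # someone's "temporary" additions
    "WEB03": _web(software_missing=["LogForwarder"], services_missing=["LogForwarder"]),  # quietly unmonitored
}


def diff_host(inventory, baseline):
    """Per category, what this host has that the build does not, and what it is missing."""
    result = {}
    for cat in CATEGORIES:
        extra = sorted(inventory[cat] - baseline[cat])
        missing = sorted(baseline[cat] - inventory[cat])
        if extra or missing:
            result[cat] = {"extra": extra, "missing": missing}
    return result


def role_drift(hosts, role):
    """Items present on some but not all hosts of a role, without reference to any baseline."""
    same_role = [inv for inv in hosts.values() if inv["role"] == role]
    if not same_role:
        return {}
    drift = {}
    for cat in CATEGORIES:
        union = set().union(*(inv[cat] for inv in same_role))
        common = set.intersection(*(inv[cat] for inv in same_role))
        if union - common:
            drift[cat] = sorted(union - common)
    return drift


def survey(hosts, baselines):
    """Full report: per-host deviations from the build, plus per-role drift."""
    return {"hosts": {name: diff_host(inv, baselines[inv["role"]]) for name, inv in hosts.items()},
            "drift": {role: role_drift(hosts, role) for role in baselines}}


if __name__ == "__main__":
    report = survey(HOSTS, ROLE_BASELINES)
    for name, deviations in report["hosts"].items():
        print(name, "matches build" if not deviations else deviations)
    for role, drift in report["drift"].items():
        print(f"drift within role {role}:", drift or "none")
```

The two views answer different questions. The baseline diff tells you which box to fix; the drift view works even when nobody can produce a baseline, and a long drift list for a role is the "rampant inconsistency" signal that makes every other recommendation hard to act on. An unexpected startup entry like the one on WEB02 is worth a closer look before it is cleaned up, since that is exactly where persistence tends to live.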