Q. When did you last do a risk assessment? Please share that document with me. I would particularly like to see the risk assessment table.
A. Make sure your IT provider is periodically assessing the risks to your IT systems. They should be recommending upgrades and new solutions for you from time to time, and you should be listening. They need to be able to express the threat in operational and economic terms in order to justify the expenditure. If your IT provider can’t give you a clear and coherent answer on when and how they last did this, send them off with a task and a deadline.
Q. When did you last do a vulnerability scan? What were the results of that scan? I would like to see the report. Who did the remediation? When is our next scan planned?
A. Your IT provider should prepare and submit to you an assessment of how well your security is being managed. If your IT provider cannot give you clear-cut answers on when they last did a vulnerability scan, provide a copy of the report, and tell you what they did to remediate the vulnerabilities, then you as an organization are running blind in the wild west of the new digital Internet era.
Q. What is the status of our software patching? Let me see a report on our patching status. What software patching best practices are we following?
A. Software patching is the task of updating software you use that invariably has new flaws discovered every month that hackers can use to compromise and exploit your IT systems. If you don’t apply these patches on a regular basis, you are definitely vulnerable to data loss. Your IT provider should be able to tell you how often they patch your systems, how they decide what to patch, what tools they use to do this and what the process is. If your IT provider is on top of this, they should be able to provide you a report on the status of the patches on all your servers, PCs, applications, firewalls, etc. They should, if they really have their act together, be able to provide you with documentation on how they do this patching task and how often.
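One way to get the patch-status report described above is to pull the installed-update history from each machine and flag anything that has gone too long without a patch. The following PowerShell is an added example, not code from the article or from Lane Technology Solutions; it assumes remote WMI access to each host, an account with local administrator rights on them, and a constructed list of computer names. The 45-day threshold is an assumption you should set to match your own patching schedule.

```powershell
# Added example (not from the article): simple patch-status report for a list
# of Windows hosts. Assumes remote WMI access (Get-HotFix -ComputerName) and
# local admin rights on each host. The host list and threshold are constructed.
$Computers = @('SERVER01', 'WS-ACCOUNTING', 'WS-FRONTDESK')   # constructed sample
$StaleDays = 45   # assumption: flag hosts with no update installed in 45 days

$report = foreach ($c in $Computers) {
    try {
        # Get-HotFix lists installed Windows updates; InstalledOn can be empty
        # for some entries, so drop those before sorting.
        $fixes = Get-HotFix -ComputerName $c -ErrorAction Stop |
                 Where-Object { $_.InstalledOn } |
                 Sort-Object InstalledOn -Descending
        $last = $fixes | Select-Object -First 1
        $days = if ($last) { (New-TimeSpan -Start $last.InstalledOn -End (Get-Date)).Days } else { $null }

        [pscustomobject]@{
            Computer      = $c
            LastPatch     = $last.HotFixID
            LastPatchDate = $last.InstalledOn
            DaysSince     = $days
            Status        = if ($null -eq $days) { 'NO DATA' }
                            elseif ($days -gt $StaleDays) { 'STALE' }
                            else { 'OK' }
        }
    } catch {
        # An unreachable host is itself a finding: you cannot patch what you cannot see.
        [pscustomobject]@{
            Computer      = $c
            LastPatch     = $null
            LastPatchDate = $null
            DaysSince     = $null
            Status        = "UNREACHABLE: $($_.Exception.Message)"
        }
    }
}

# Print to screen and keep a CSV so the report can be compared month to month.
$report | Sort-Object Status, DaysSince -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\patch-status.csv -NoTypeInformation
```

Get-HotFix only reports Windows updates, not third-party applications, so a host that shows OK here can still be running an unpatched browser, PDF reader or line-of-business application; ask the provider for the equivalent report from whatever tool covers those.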
Q. Who manages our firewalls? Who assesses what ports we should have open and closed, both in-bound and out-bound? How old is our firewall technology and does it have newer unified threat management capabilities like IPS?
A. Firewalls are a common appliance to help block bad people from getting into your network. Both executives and some IT providers tend to put far too much faith in firewalls. Firewalls are designed to let traffic into your network. Let that sink in… they let traffic in. Sure, they lock certain doors called ports, but in order to do business you must unlock some doors. Bad people can come in that way just like everyone else. Furthermore, most IT providers are marginally equipped to configure a firewall, so when something doesn’t work they unlock all the doors. When it works they leave it that way. Your job is to find out who manages the firewall(s), what their level of competency is, and how often they review the requirements of both inbound and outbound ports. Ask what kind of reports can be produced weekly or monthly from your firewall and who is responsible for viewing them. Most people set up a firewall and then forget about it. If no one is looking at the reports, then you don’t know what is going on with the firewall. Also ask if your firewall supports new advanced security techniques like intrusion prevention. If it is old or too low end, you should consider an upgrade.
Q. Who manages our group policy and when was it last updated? How are we managing user accounts so they have the least privilege required to do their job?
A. Group policy is a set of tools within the Windows Active Directory environment that makes life easier and more consistent for your IT provider to manage the system. If you have Linux or other systems, there are analogs to AD. Within group policy, network administrators create user accounts and set permissions to access drives, applications, printers, etc. Inexperienced or lazy network admins will give far too many rights to users, sometimes even giving full administrator rights. This is especially common when something does not work right for a user. At that point it is easier to just give the user a bunch of rights they don’t need rather than figuring out how to do it the right way. Providing a user just enough access to properly do their job is called least privilege. Your job is to ask the right questions to assess the capabilities of your IT provider and how they have set up the system. Good specific questions to ask are:
- Q. How have you set password complexity? A. They should be able to answer with something like, “We have set minimum password length to eight characters, and follow the updated NIST recommendations.”
- Q. How frequently does group policy force users to change their password? A. The answer should be something similar to, “Studies have shown requiring frequent password changes is counterproductive to good password security because people will choose weaker or common passwords if they are forced to change their password regularly. It is now recommended changing passwords when you know they have been compromised.”
- Q. Do you use login scripts or startup scripts to install antivirus and other software? A. The answer should be that they are using startup scripts. If they are using login scripts, that means your users have local admin rights, and that can present a very serious security issue for the whole firm.
If you are unsure about any of this, a consultant can take a look at your system in short order and assess where you stand with regard to least privilege configurations.
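The three group policy questions above can be checked directly rather than taken on trust: what password policy the domain actually enforces, who holds domain-wide admin rights, and which accounts sit in the local Administrators group on workstations (the condition that makes login scripts "work" and that least privilege is supposed to prevent). The following PowerShell is an added example, not code from the article or from Lane Technology Solutions; it assumes the ActiveDirectory module (RSAT) on the machine running it, PowerShell remoting to the workstations, and a constructed list of computer names.

```powershell
# Added example (not from the article): audit the answers to the group policy
# questions. Assumes the ActiveDirectory RSAT module and PowerShell remoting.
Import-Module ActiveDirectory

# 1. Password policy actually in force for the domain. Compare this with what
#    the provider told you. MaxPasswordAge of 0 days means no forced expiry,
#    which matches the current NIST guidance quoted above.
$policy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    MinPasswordLength  = $policy.MinPasswordLength
    ComplexityEnabled  = $policy.ComplexityEnabled
    MaxPasswordAgeDays = $policy.MaxPasswordAge.Days
    LockoutThreshold   = $policy.LockoutThreshold   # 0 means no lockout at all
} | Format-List

# 2. Everyone holding domain-wide admin rights, nested group membership included.
#    Ordinary user accounts in these groups are a least-privilege failure.
$adminGroups = 'Domain Admins', 'Enterprise Admins'
$domainAdmins = foreach ($g in $adminGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}
$domainAdmins | Format-Table -AutoSize

# 3. Local Administrators group on each workstation. Named user accounts here
#    (rather than Domain Admins and the built-in Administrator) mean the user
#    has local admin rights, exactly the situation the login-script question probes.
$Computers = @('WS-ACCOUNTING', 'WS-FRONTDESK')   # constructed sample
$localAdmins = foreach ($c in $Computers) {
    try {
        Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' |
                Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                              Name, ObjectClass, PrincipalSource
        }
    } catch {
        Write-Warning "$c unreachable: $($_.Exception.Message)"
    }
}
$localAdmins | Where-Object { $_.ObjectClass -eq 'User' } | Format-Table -AutoSize
$localAdmins | Export-Csv -Path .\local-admins.csv -NoTypeInformation
```

Two caveats when reading the output: fine-grained password policies (Get-ADFineGrainedPasswordPolicy) can override the default domain policy for specific groups, so check those too, and a workstation that refuses the remote connection is a gap in your visibility, not evidence that it is configured correctly.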
Q. How are we handling email spam filtering and AV/malware scanning?
A. Spam filtering has grown in importance. Initially, spam filtering was done just to avoid the nuisance of all the junk email we all get every day. More recently, most spam filtering systems will also scan emails for viruses and damaging malware like ransomware. Ask your IT provider how they are handling spam filtering and scanning emails for malware. The best solution is a service that constantly updates the methods by which they block offending email messages. This is typically billed monthly per email account. Another method is to use spam filtering tools in dedicated appliances or built into firewalls. If this is how your IT provider is blocking spam, then you must ask them who updates the spam filtering software and rule sets and how often they do this. Spam filtering services will do this multiple times per day. Your IT provider should be doing it at least once per month at the barest of minimums.
Q. Can we get ransomware? If so, why or why not? If we do get ransomware, how will you help us recover?
A. This is a bit of a playful question in a high-stakes game. The right answer is “Yes, you can get ransomware.” But you need to grill your IT provider about what tools and techniques they are using to protect your firm from ransomware. There are so many other threats that face you and your company, but this one is a good place to start to see what kind of answer you get. They should be telling you that they:
- Filter and scan all incoming email
- Use a content filtering service such as OpenDNS
- Employ link reputation checking techniques
- Block certain file types in email attachments
- Educate your user community on safe and dangerous computer use practices
- And that they have a rock-solid backup and disaster recovery plan that they can explain in great detail and demonstrate in operation.
Practicing good network security is what professionals call a layered approach. That means you need to be doing a lot of things concurrently that all overlay each other in order to provide you a good security posture. There is no such thing as a silver bullet when managing your security. All of these different tools and techniques build upon each other to catch and prevent different types of threats. You must do them all. Even then no one can assure you that you are completely safe. What you must strive for is a good, fit security posture. Doing so will dramatically reduce the likelihood of a problem and give you a good path to recovery if you do experience a problem.
This list of questions is nowhere near complete or comprehensive. It is only a starting point for you to ask some specific questions to try and unearth whether you have a problem with managing your IT security. If you get good, clean and complete answers to all these questions and you don’t sense that you are being manipulated, then you are probably in a good place. If you don’t get good answers, because your IT provider is unclear and unable to provide coherent answers, stumbles and backtracks, or is manipulative in the responses, then you should consider that you are in a very bad place with your network security posture. Getting an outside assessment as soon as possible is most strongly advised.
If you want a more comprehensive view of what you should be doing to manage and budget security on an economical basis using tools you probably already have on hand, call Lane Technology Solutions at 407-647-7787 today for a free IT evaluation. Let’s Connect.