Here is a fun little quiz to help you gauge your security readiness. After reading each question, give yourself a score of 0-3 based on how confident you are about that question. You’ll need something to note the score for each question so you can add it all up. Self-grading is at the bottom. As with most tests, low scores mean you’ve got some work to do.

THE QUIZ

QUESTION 1: ASSET MANAGEMENT
How confident are you that you can answer all the following questions 100% accurately without prior notice in less than 15 minutes?

  • Given a random IP on your network, specify what it is used for, what OS it is running, where it is located, and who is responsible for it both financially and operationally (who paid for it, vs. who patches and fixes it)
  • Given a specific software package of a specific version (Office 97, Windows XP, Python 2.x, Adobe reader 11, Oracle WebLogic 10, etc.) list out all machines in your environment that have that package installed, along with who is operationally responsible.
  • Given a specific machine, specify what services will be impacted by it being down and what machines/apps are dependent on this machine.

0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 2: IDENTITY AND ACCESS MANAGEMENT
How confident are you that you know exactly who has access to what, and that everyone still needs all that access?
0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 3: ACCESS POLICIES
How confident are you in your implementation of the principle of least access?
0 – Don’t understand the question / not applying the principle of least access
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 4: SECURITY POLICIES
If you were to undergo an unannounced security audit, how confident are you that you could produce documentation on all your security processes, change management, etc., to the satisfaction of the auditor on the spot?
0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 5: MULTI FACTOR AUTHENTICATION (MFA)
How confident are you that your MFA setup, policies, restrictions, etc., will stop a threat actor from compromising accounts?
0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 6: PASSWORD MANAGEMENT
How confident are you that passwords for your service accounts and standalone non-AD accounts are being handled securely? How confident are you that your employees are maintaining secure password management practices?
0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 7: DATA BACKUP
How confident are you that you can restore a critical system with all its data in a timely manner that minimizes impact on the business? Confidence based on faith or hope does not count.
0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 8: CONFIDENTIALITY, INTEGRITY AND ACCESS (CIA TRIAD)
What is your confidence level that, when it comes to your company’s non-public information, only those who are supposed to see it can see it, when they need to see it, and that it maintains full integrity? Blind-faith confidence and confidence based on hope are the same as no confidence.
0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 9: EVENT LOGGING
How confident are you that you will notice if a data leak is taking place, as in a threat actor copying non-public information off-site, or that other security incidents are taking place? Are you confident that after an incident you will have all the data needed to reconstruct what happened?
0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 10: VULNERABILITY MANAGEMENT
How confident are you that you know where all your security vulnerabilities are? Again, confidence based on pure blind faith counts as no confidence.
0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 11: CHANGE MANAGEMENT
How confident are you that you can detail all the changes happening in your environment at any point in time?
0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

QUESTION 12: THIRD PARTY RISK MANAGEMENT
How confident are you that employees of your vendors aren’t your threat actors?
0 – Don’t understand the question
1 – Not at all confident
2 – Some confidence
3 – Very confident

SCORING

25-36: You’ve got all your ducks in a nice and orderly row, and you have a pretty good idea where each row is.
13-24: Your ducks are loosely grouped together, and you kind of know where most of the groups are.
0-12: Ducks??? I have ducks??? Where are my ducks???