Security Quiz: Are You Prepared for an Attack?

Does your company have a strategy for staving off attacks to your computer systems? Do you have the right tools in place to guard against potential threats? Take this quiz, written by the SANS Institute, to assess your preparedness.


1. Have you conducted a penetration test in the past six months?

No, we have never had a penetration test

Yes, we conducted a test using internal personnel within the past six months

Yes, we brought in a third party to assess our network

Yes, we conduct a pen test every quarter (using internal and external testers)

2. Have you baselined the traffic on your network?

No, we do not monitor our network traffic

Yes, we have used tools that monitor our network, but no one watches it on a daily basis

Yes, we have the tools and staff monitor traffic on a periodic basis

Yes, we have trained staff who know normal vs. unusual traffic on our network and monitor it regularly, both internally and externally

3. Do you have an incident response procedure?

No, we do not have an incident response procedure

Yes, we have it, but we have never tested it

Yes, we have it, and have tested it

Yes, we have it, test it regularly and tweak it regularly

4. Do you have a security awareness program that reaches through your entire organization?

No, we do not have a security awareness program

Yes, but it is limited to e-mail

Yes, we have e-mails and a Web site

Yes, we have a multifaceted security-awareness program that uses various media, including the Web, e-mail, print, in-person classes and messages from our executive team

5. Do you turn off unnecessary services on your servers?

No, we leave all services on after a default operating system install (in case someone needs one)

No, but we have host-based intrusion detection

No, but we block access to these services inbound with our firewall

Yes, we turn off any service that we do not use with our security postinstall

6. Do you know what your network looks like?

No, we don't have time to diagram our network

We have a network diagram, but it's a year old

We manually update our diagram every six months

We have a proactive tool that keeps our network diagram up to date automatically

7. Are your patches up to date (operating system and antivirus signatures)?

No, we don't keep either up to date

We update our antivirus signatures regularly

We update our operating system patches regularly

We keep both antivirus and operating system patches up to date automatically

8. Do you do trend analysis on attacks that have occurred to better understand how to prevent future attacks?

How do you know if you have had a security incident?

No, we don't track security incidents separately from other IT requests

Yes, we track security incidents, but we don't do trend analysis

Yes, we do trend our incidents and update our strategic plan around them

9. Have you conducted an information security risk assessment of your entire organization within the past 12 months?

Risk assessment? What's that?

No, but we do a penetration test annually

Sort of; we do an IT risk assessment every year

Yes, we do an enterprise risk assessment across the entire enterprise

10. Do you have tools (automated or contractual) to help you secure remote employees and external partners?

No, we do not require our remote employees or external partners to have

Yes, we make external and internal partners sign a contract with security language embedded in it

Yes, we have anyone connecting to our network have a minimum level of security before they connect

Yes, we have anyone connecting to our network have a minimum level of security before they connect, and we audit them to verify their security

11. Does your organization have a disaster recovery plan?

No, but we do backups every day

No, but we do backups and test restores of our tapes

Yes, we have a disaster recovery plan on paper, but we have never tested it

Yes, we have a disaster recovery plan and it's tested regularly

12. Do you have dedicated security personnel monitoring the events on your network?

Gee, who is monitoring our network?

No, but we have an intrusion-detection system online

Yes, we have a group that monitors logs as just one of its regular duties during regular business hours

Yes, we have a dedicated staff that monitors activity and is alerted during off business hours

About the author

Kristy Westphal is a SANS Institute author and an information security officer at the Arizona Department of Economic Security. During her 12 years in IT, she has developed competencies in several flavors of Unix and Windows, as well as various aspects of information security and disaster recovery planning. She previously was a senior associate with the Risk and Advisory Services practice at KPMG and was information security officer at Pegasus Solutions. In this role, she conducted audits of IT security and vulnerability assessments on Unix, Linux and NT platforms, as well as network services.

SANS Institute

Quiz developed for Computerworld by the SANS Institute

Copyright © 2005 IDG Communications, Inc.
