We all know that management needs to get smarter about cybersecurity. Just take any headline of the past couple of weeks to see the mistakes made by some very large organizations that have been hit with ransomware, had to deal with public data exposure, or found evidence that hackers had been living inside their networks for months. So, in the interest of public service, feel free to distribute this short quiz. You can grade it on a curve, or use it as a teachable moment for better cybersecurity practice.
- Which is the best password security policy?
  - Everyone’s passwords must be replaced after 60 days
  - You can’t reuse any password you used in the last year
  - All passwords must be at least 16 characters long and contain symbols too
  - Users don’t need to know their passwords because we have SSO logins
  - I have no idea how to answer this question
- Have you ever searched for potential data breaches about you or your company on the dark web?
  - No, what is the dark web?
  - Yes, using Tor and Onion sites
  - Yes, and I track this using a third-party security service in near real-time
  - Yes, we have developed our own tracking tools for this purpose
  - I have no idea how to answer this question
- How often do you run phishing simulations and awareness drills?
  - We built our own and run them every week
  - We built our own a year ago, but no one knows how to run them
  - We use a third-party vendor and run them every quarter
  - We were told by our auditors to run them but haven’t implemented them yet
  - I have no idea how to answer this question
- Who provides your DNS services for your company?
  - Your ISP
  - Your cloud provider (Google Cloud DNS, AWS Route 53, Microsoft Azure DNS or similar)
  - Google Public DNS, Cisco/OpenDNS, Quad9 or similar
  - Cloudflare, Akamai’s Enterprise Threat Protector, NS1 Domain Security Suite or similar
  - Don’t know the answer
- Which is the most secure password?
  - “Every good boy deserves favor” (passphrase)
  - “E!bTzQZK4TCjadS4” (random collection of 16 or more characters)
  - “Fido1234” (my dog’s name with some numbers appended, something easy to recall)
  - Any password secured with a one-time code generator like Google Authenticator
  - Any password secured with an SMS code
  - I have no idea how to answer this question
- When an employee leaves your company, which of the following do you do?
  - I have an automated way to audit my Active Directory listings and other network access controls
  - Someone on my staff sends an email to HR to terminate their login sometime after their last workday
  - I have automated mechanisms that offboard their access
  - I use manual methods to terminate their access on my SSO
  - None of the above
- Check how many of these authentication options you personally use for your account logins
  - SMS texts of one-time codes
  - Authenticator smartphone apps (like Google Authenticator, Duo or Authy)
  - Hardware keys such as SecurID or Yubikey
  - FaceID, TouchID or equivalent on your smartphone
  - Risk-based methods that use geolocation or other factors
  - None other than your user name and password
- A cyberconsultant calls saying your software contains malware. What do you do next?
  - Call your lawyer
  - Call your PR department
  - Call your IT department
  - Call the FBI
  - Ignore the call
- What parts of your computer infrastructure are protected by CASB and CSPM products?
  - Servers in your data center
  - Servers in your cloud
  - Laptops that you brought home at the beginning of the pandemic
  - I don’t know what you are talking about
- One of your end-users is hit with ransomware. What is your next step?
  - Call your lawyer
  - Open a Bitcoin account pronto and get ready to transfer funds
  - Call your PR department
  - Call your IT department
  - Call the FBI
  - I have no idea how to answer this question
- What is DLP?
  - Data Loss Prevention
  - Data level parallelism
  - Dark Lord Potter
  - Data leak protection
  - Data link protocols
  - I have no idea how to answer this question
- You get an email from your IT department with a note saying you have to update critical network software, and please install the attached file. What do you do?
  - Click on the attachment and install it.
  - Call your friend in another department and check to see if they got a similar email.
  - Call your IT person to make sure the email is legit.
  - Delete the email immediately.
  - I have no idea how to answer this question
- Do you have the following people on retainer?
  - Cybersecurity law firm
  - MSSP to handle ransomware response
  - Accountant with bitcoin access
  - None of the above
- When was the last time you looked at your cybersecurity insurance policy terms?
  - Last year when we got hacked
  - Every year when it is time to renew it, to ensure the terms are acceptable
  - We don’t have such a policy
  - Our corporate parent has a policy but I don’t know the specific terms
- Do you know which part of your infrastructure DKIM, SPF and DMARC apply to?
  - Your web servers
  - Your email servers
  - Your programmers writing more secure code
  - Your personnel database servers
  - I have no idea what you are talking about
- How did you test your disaster recovery plan?
  - We simulated a partial cloud failure and saw what needed fixing
  - We simulated a partial app failure and saw what needed fixing
  - We have a full-fledged disaster recovery site and conducted an all-hands drill offsite
  - We did none of these things
  - We did all of these things
- What is a watering hole attack?
  - When your laptop computer is infected with malware while you are at the water cooler
  - When your laptop computer crashes because you left some questionable content on it
  - When your laptop computer visits a questionable website and you get infected with malware
  - I have no idea how to answer this question
- What does a red team do?
  - Put out management fires between conflicting policies or employees
  - Find malware that is a potential threat
  - Find employees that are downloading porn
  - I have no idea how to answer this question
- What additional security measures have you put in place since the beginning of the pandemic?
  - VPNs
  - Zero-trust networks
  - Passwordless access using biometrics
  - Encrypted emails
  - None of the above
The notion that Google and Quad9 could be considered “similar” is, uh, disquieting. How do you feel Quad9 could be further improved?
I was merely saying they both offer a similar service. Certainly they are coming from different corporate directions. I have not used Quad9 so I would have to investigate them further. Do you have any opinion on them?