Cheap thread of hacky ways I’ve assessed InfoSec maturity at orgs where I’ve been an InfoSec manager:

- Ask InfoSec how staff securely transfer large files with other businesses. They will likely think of one solution. Then get proxy logs and see what staff actually use.
- Ask what the accepted antivirus protection rate (percentage of protection) is on endpoints, then ask for AV console access and see what the rate actually is.

- Ask random employees you run into in day-to-day business if, and to whom, they ask InfoSec questions.
- Ask how many antivirus solutions are used, then if there’s an asset management system, search it for alternative AV product names to find out how many AV change projects finished.
- Ask the last time credential stuffing was detected. Then get web logs and look for credential stuffing.

- Shodan or BinaryEdge the network perimeter to see what is exposed. Then see if anybody knows the IP ranges.
- Check if the laptop you’re given is OS patched. In Internet Explorer: gear symbol > About > click on the version number, which takes you to the monthly patch version. Check Office too.
- If there is an endpoint firewall installed on your laptop, check what the rules are.

- If there’s an in-house SOC, talk to them and see how pained their faces look.

- Talk to the network team if there is one. They know.
- Find the last AV alert for Emotet, see if there was an investigation, and if there was what actions were taken to stop it reaching endpoints.
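
For the credential stuffing item above, one way to go through web logs yourself, as an added example that is not part of the original thread. It assumes combined-format access logs, a `POST /login` endpoint, and 401/302 as the failed/successful login status codes; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the thread): combined log format, login endpoint is
# POST /login, 401 = failed login, anything else = not a failure.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH, FAIL, WINDOW = "/login", 401, timedelta(minutes=5)

def parse(lines):
    """Yield (ip, time, status) for login POSTs; skip unparseable lines."""
    for line in lines:
        m = LINE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0] == LOGIN_PATH:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, int(m["status"])

def suspects(lines, min_attempts=10, min_fail_ratio=0.9):
    """Return {ip: (attempts, failures)} for each IP's largest flagged window."""
    by_ip = defaultdict(list)
    for ip, ts, status in parse(lines):
        by_ip[ip].append((ts, status))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = fails = 0
        for end, (ts, status) in enumerate(events):
            fails += status == FAIL
            while ts - events[start][0] > WINDOW:  # slide the 5-minute window
                fails -= events[start][1] == FAIL
                start += 1
            attempts = end - start + 1
            if attempts >= min_attempts and fails / attempts >= min_fail_ratio:
                if attempts > flagged.get(ip, (0, 0))[0]:
                    flagged[ip] = (attempts, fails)
    return flagged

def sample_log():
    """Constructed sample: one noisy source, one ordinary user."""
    fmt = '{ip} - - [01/Mar/2024:10:{t} +0000] "{req} HTTP/1.1" {st} 512 "-" "constructed-agent"'
    lines = [fmt.format(ip="203.0.113.7", t=f"00:{i:02d}", req="POST /login",
                        st=302 if i == 17 else 401) for i in range(30)]
    lines += [fmt.format(ip="198.51.100.20", t=f"0{i}:00", req="POST /login", st=st)
              for i, st in enumerate((401, 302))]
    lines.append(fmt.format(ip="198.51.100.20", t="02:00", req="GET /home", st=200))
    return lines

if __name__ == "__main__":
    print(suspects(sample_log()))
```

Per-IP counting only catches the noisy case; attempts spread across many source addresses need a site-wide view of the login failure rate as well.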
