Home » Data Protection » Network Security

Sample Questions For Finding Information Security Weaknesses

Sidebar to Using Metrics to Diagnose Problems: A Case Study

By Andrew Jaquith

May 18, 2007 — CSO —

Sample Questions for Finding Information Security Weaknesses

SUBHYPOTHESES	DIAGNOSTIC QUESTIONS
The network perimeter is porous, permitting easy access to any outsider.	How many sites are connected directly to the core network without intermediate firewalls? How many of these sites have deployed unsecured wireless networks?
An outsider can readily obtain access to internal systems because password policies are weak.	Starting with zero knowledge, how many minutes are required to gain full access to network domain controllers? What percentage of user accounts could be compromised in 15 minutes or less?
Once on the network, attackers can easily obtain administrator credentials.	How many administrative-level passwords could be compromised in the same time frame?
An intruder finding a hole somewhere in the network could easily jump straight to the core transactional systems.	How many internal "zones" exist to compartmentalize users, workgroup servers, transactional systems, partner systems, retail stores, and Internet-facing servers?
Workstations are at risk for virus or worm attacks.	How many missing operating system patches are on each system?
Viruses and worms can spread quickly to large numbers of computers.	How many network ports are open on each workstation computer? How many of these are "risky" ports?
The firms deployments of applications are much riskier than those made by leaders in the field (for example, investment banking).	Where does each application rank relative to other enterprise applications [we have] stake has examined for other clients?
Application security is weak and relies too heavily on the "out of the box" defaults.	How many security defects exist in each business application? What is the relative "risk score" of each application compared to the others?

Read more about network security in CSOonline's Network Security section.

What is Tech Briefcase?

TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more

Bookmark content

Speed up your research efforts with content across the web.

Search and Store

Find the white papers you need. Create folders for any topic.

View Anywhere

Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.

Don't have an account yet?

NETWORK SECURITY ESSENTIAL READING

Key concepts, strategies and tools for building an effective network security program. Learn about handling hackers, mitigating DDoS attacks, and much more.

Network security: The basics
Configure your network correctly, and know what's coming in and out. Network security proceeds from those two fundamental concepts.

Log management basics
Log management systems can bring you business intelligence—so choose the right type for your needs

Penetration testing: 10 tips for a successful program
Define your goals, develop attacker profiles, define deliverables, and more

The 7 deadly sins of network security
Thinking compliance equals security, failing to assess risk, and other classic blunders

What a botnet looks like
A visual, interactive tool for examining real botnet command-and-control structures

Next-generation firewalls: In depth

How to stress-test your network

The DDoS attack survival guide

Firewall audit tools: Dos and don'ts

Also find sample network security policies in CSO's tools, templates and policies library

Network Security Webcasts

» View All Network Security Webcasts

Network Security White Papers

» View All Network Security White Papers

Is the title 'security evangelist' really that bad?
I've been watching the recent discussion over the idea of security evangelists with interest, but held off on weighing in because I didn't want to come off as a bandwagon chaser. Now that the dust has settled a bit, it's time for me to opine. Let's review first.
read more
Teenage hackers could be our last, best hope
Busted: When security tools fail

More Salted Hash with Bill Brenner

White Papers

2011 DDoS Attacks: Top Trends and Truths

Business Case for Managed DNS

In Denial?...Follow Seven Steps for Better DoS and DDoS Protection

Obtaining Fortune 500 Security without Busting your Budget

The Security Landscape: Converging Waves of Pain

Bringing Your Internet Acceptable Use Policy up to 2012 Standards

Internet Filtering vs. User Activity Monitoring

The Business Case for Managed Security Services

Defending Against Advanced Persistent Threats

Enhanced Server Protection

Security Protection in Virtualized Environments

Four Things Your Server Could Tell You

New Advances in Enterprise Authentication

Solving Active Directory's Security Challenges

Less Secure Than You Think

Security Strategies to Virtualizing Internet-Facing Applications

Cloud Security Planning Guide

Cloud Security Vendor Round Table

Planning Guide - Technology for Tomorrow's Cloud

Cloud Security Insights for IT Strategic Planning

More White Papers »