Sample Questions For Finding Information Security Weaknesses

Sample Questions for Finding Information Security Weaknesses

SUBHYPOTHESESDIAGNOSTIC QUESTIONS
The network perimeter is porous, permitting easy access to any outsider.
  • How many sites are connected directly to the core network without intermediate firewalls?
  • How many of these sites have deployed unsecured wireless networks?
An outsider can readily obtain access to internal systems because password policies are weak.
  • Starting with zero knowledge, how many minutes are required to gain full access to network domain controllers?
  • What percentage of user accounts could be compromised in 15 minutes or less?

Once on the network, attackers can easily obtain administrator credentials.
  • How many administrative-level passwords could be compromised in the same time frame?
An intruder finding a hole somewhere in the network could easily jump straight to the core transactional systems.
  • How many internal "zones" exist to compartmentalize users, workgroup servers, transactional systems, partner systems, retail stores, and Internet-facing servers?
Workstations are at risk for virus or worm attacks.
  • How many missing operating system patches are on each system?
Viruses and worms can spread quickly to large numbers of computers.
  • How many network ports are open on each workstation computer?
  • How many of these are "risky" ports?
The firms deployments of applications are much riskier than those made by leaders in the field (for example, investment banking).
  • Where does each application rank relative to other enterprise applications [we have] stake has examined for other clients?
Application security is weak and relies too heavily on the "out of the box" defaults.
  • How many security defects exist in each business application?

    What is the relative "risk score" of each application compared to the others?

Copyright © 2007 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.