8 Questions For Uncovering Information Security Vulnerabilities

Tips for testing information security vulnerability hypotheses with questions designed to head off potential problems.

The following is a list of sample hypotheses you can test at your organization as you seek to find and eliminate information security weaknesses.

Hypothesis 1.

The network perimeter is porous, permitting easy access to any outsider.

Diagnostic Questions:

  • How many sites are connected directly to the core network without intermediate firewalls?
  • How many of these sites have deployed unsecured wireless networks?

Hypothesis 2.

An outsider can readily obtain access to internal systems because password policies are weak.

Diagnostic Questions:

  • Starting with zero knowledge, how many minutes are required to gain full access to network domain controllers?
  • What percentage of user accounts could be compromised in 15 minutes or less?

Hypothesis 3.

Once on the network, attackers can easily obtain administrator credentials.

Diagnostic Question:

How many administrative-level passwords could be compromised in the same 15-minute time frame?

Hypothesis 4.

An intruder finding a hole somewhere in the network could easily jump straight to the core transactional systems.

Diagnostic Question:

How many internal “zones” exist to compartmentalize users, workgroup servers, transactional systems, partner systems, retail stores, and Internet-facing servers?

Hypothesis 5.

Workstations are at risk for virus or worm attacks.

Diagnostic Question:

How many missing operating system patches are on each system?

Hypothesis 6.

Viruses and worms can spread quickly to large numbers of computers.

Diagnostic Questions:

  • How many network ports are open on each workstation computer?
  • How many of these are “risky” ports?
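The two questions above only become a metric once scan results are counted consistently across every workstation. The following is an added example, not code from the article or from Jaquith's book: it parses a constructed nmap "grepable" (-oG) listing of workstation scans and reports open ports per host, how many of them fall in an assumed "risky" set, and the share of workstations exposing at least one such port.

```python
import re

# Constructed sample in nmap "grepable" (-oG) format; hosts, names and ports are made up.
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.1.11 (ws-fin-01)\tStatus: Up
Host: 10.10.1.11 (ws-fin-01)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)
Host: 10.10.1.12 (ws-fin-02)\tStatus: Up
Host: 10.10.1.12 (ws-fin-02)\tPorts: 445/open/tcp//microsoft-ds///, 5357/open/tcp//wsdapi///\tIgnored State: filtered (998)
Host: 10.10.1.13 (ws-hr-01)\tStatus: Up
Host: 10.10.1.13 (ws-hr-01)\tPorts: 22/filtered/tcp//ssh///, 80/closed/tcp//http///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Assumption: the ports this review treats as "risky" on a workstation (file sharing,
# RPC and remote desktop, the usual worm propagation paths); adjust to local policy.
RISKY_PORTS = {135, 137, 138, 139, 445, 3389}

# A -oG port line: "Host: <ip> (<name>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
PORT_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\tIgnored State.*)?$")

def parse_open_ports(grepable_text):
    """Return {host_ip: set of port numbers whose state is 'open'} from nmap -oG output."""
    open_ports = {}
    for line in grepable_text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no port data
        ip, _name, ports_field = m.groups()
        ports = open_ports.setdefault(ip, set())
        for entry in ports_field.split(", "):
            fields = entry.split("/")  # port/state/protocol/owner/service/rpc-info/version
            if len(fields) >= 2 and fields[1] == "open":
                ports.add(int(fields[0]))
    return open_ports

def hypothesis6_metrics(open_ports, risky=RISKY_PORTS):
    """Per-host open and risky port counts, plus the share of hosts exposing any risky port."""
    per_host = {
        ip: {"open": len(ports), "risky": len(ports & risky)}
        for ip, ports in open_ports.items()
    }
    exposed = sum(1 for counts in per_host.values() if counts["risky"])
    share = exposed / len(per_host) if per_host else 0.0
    return per_host, share

if __name__ == "__main__":
    per_host, share = hypothesis6_metrics(parse_open_ports(SCAN_OUTPUT))
    for ip, counts in sorted(per_host.items()):
        print(f"{ip}: {counts['open']} open, {counts['risky']} risky")
    print(f"workstations exposing a risky port: {share:.0%}")
```

Only ports reported as "open" are counted, so filtered and closed entries (as on ws-hr-01) do not inflate the figure.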

Hypothesis 7.

Application security is weak and relies too heavily on the “out of the box” defaults.

Diagnostic Questions:

  • How many security defects exist in each business application?
  • What is the relative “risk score” of each application compared to the others?

Hypothesis 8.

The firm’s deployments of applications are much riskier than those made by leaders in the field (for example, investment banking).

Diagnostic Question:

Where does each application rank relative to other enterprise applications @stake has examined for other clients?

Andrew Jaquith is a Yankee Group analyst and founder of the discussion site Securitymetrics.org. This list of sample questions comes from his book, "Security Metrics: Replacing Fear, Uncertainty and Doubt." See a related excerpt here.

This story, "8 Questions For Uncovering Information Security Vulnerabilities" was originally published by CSO.
