Information Security Vulnerability List – 1
No | Vulnerability |
--- | --- |
1 | Disposal or reuse of storage media without proper erasure |
2 | Inadequate change control |
3 | Inadequate network management |
4 | Lack of back-up procedures |
5 | Lack of proof of sending or receiving a message |
6 | Lack of updates for malicious code protection software |
7 | No segregation of duties |
8 | No separation of test and operational facilities |
9 | Uncontrolled copying |
10 | Unprotected public network connections |
11 | Lack of security policy |
12 | Security policy is incomplete |
13 | Security policy is outdated |
14 | Lack of a dedicated information security forum |
15 | Lack of co-ordination within Forum |
16 | Inadequate skill set within Forum |
17 | Inadequate representation from relevant departments |
18 | No support for organization-wide information security initiatives |
19 | No review of information security incidents |
20 | Roles and Responsibilities not clearly defined |
21 | Roles and Responsibilities not documented |
22 | Lack of authorization process for information processing facilities |
23 | Improper user management approval |
24 | Inadequate checking of hardware and software compatibility with other system components |
25 | Use of personal information processing facility in the workplace |
26 | Lack of security controls for use of personal information processing facility in the workplace |
27 | Lack of experienced information security adviser |
28 | Lack of co-operation between organizations |
29 | No review of information security policy |
30 | Unrestricted logical access to IT systems |
31 | Security requirement is not properly mentioned in SLA |
32 | Information maintenance and destruction mechanism is not mentioned in SLA |
33 | IT Service availability requirement is not mentioned in the SLA |
34 | Security requirement is not properly mentioned in contract |
35 | Information maintenance and destruction mechanism is not mentioned in contract |
36 | IT Service availability requirement is not mentioned in the contract |
37 | Legal requirements are not specified in the contract |
38 | Controls are not specified in contract to prevent unauthorized access to company’s information |
39 | Auditing of outsourcing activities is not mentioned in the contract |
40 | No inventory of assets |
41 | No classification guidelines |
42 | No periodic assessment of classification guidelines |
43 | Inadequate labeling of critical devices and components |
44 | Inadequate guidelines for personnel creating the document |
45 | Labeling does not reflect the classification employed |
46 | Security not included in job responsibilities |
47 | Negligence or insufficient checks |
48 | No periodic review and val procedures by senior staff |
49 | NDA agreement not in place |
50 | Insufficient training |
51 | Untrained handling of equipment or data |
52 | Lack of policy requiring all enquiries for information to be withheld until the identity of the requestor can be verified |
53 | No formal procedure for reporting security incidents |
54 | Incident reporting procedure not communicated effectively to employees |
55 | No formal procedure for reporting security weaknesses |
56 | No formal procedure for reporting software malfunctions |
57 | No mechanism in place to quantify and monitor the incidents |
58 | No disciplinary process |
59 | Monitoring is not performed on a regular basis |
60 | Legal documents are not access controlled |
61 | Access to the servers is not restricted |
62 | Data on HDD is not erased |
63 | Password protected screen savers are not present |
64 | Critical devices (VPN tokens, two-factor authentication tokens) are left unattended on the desk |
65 | Documented procedures are absent |
66 | Operation procedure doesn’t address information handling |
67 | Operation procedure doesn’t address system recovery procedure |
68 | Unregulated changes to users' laptop PCs |
69 | Unregulated changes in the systems |
70 | Incident management procedure is not present |
71 | Recovery procedure is absent in incident management procedure |
72 | Previous incidents and their solutions are not logged |
73 | No audit trail or evidence for problem analysis |
74 | No segregation of duties |
75 | No separation of development and operational facilities |
76 | Information maintenance is not taken care of |
77 | Inadequate bandwidth capacity of ISP link |
78 | Inadequate storage capacity for servers and applications |
79 | Bugs in system |
80 | Absence of antivirus software on the desktops and servers |
81 | Absence of antispyware software on the desktops and servers |
82 | Virus and spyware signatures are not updated |
83 | No backup is present |
84 | No procedures for recovery of information |
85 | Backup media is not tested for restoration |
86 | Logging is absent |
87 | Firewall is not present between server segment and user segment |
88 | Management LAN is not separated from production segment by firewall |
89 | Different WAN locations are not separated by firewall |
90 | Publicly accessible servers are fully exposed to the internet |
91 | Unable to track the media |
92 | Insecure storage and no access restriction of system documentation |
93 | No control on information/software distribution |
94 | No control on software distribution |
95 | Information is not protected during distribution |
96 | No authentication |
97 | No authorization |
98 | No accountability |
99 | No authentication for e-mail system |
100 | Clear text e-mail transmission |
101 | No use of digital signature |
102 | Accuracy, integrity and information classification are not maintained |
103 | Information is not protected in other forms of exchange such as fax, voice calls, public discussions etc. |
104 | There is no access control defined for business applications/Network |
105 | Manuals (Training, Technical) are not stored in a secure and access controlled place |
106 | There is no access control mechanism on the reports (Top Management, Monthly/Quarterly etc.) |
107 | Inadequate access rights definition; reports are stored on unprotected shares. |
108 | Permissions are not assigned appropriately on file shares |
109 | Critical documents such as Legal documents are not access controlled |
110 | Security flaws involved in integrating old desktop operating system into a server-based network |
111 | Share level security is not provided by the OS |
112 | Test Machines have no access control mechanism in place |
113 | Files are not access controlled (Files on storage devices) |
114 | Eavesdropping on calls |
115 | Operations manuals are not stored in a safe and easily accessible place |
116 | No formal user registration and de-registration process |
117 | User IDs are not unique |
118 | Maker-Checker process not being followed for creating and assigning rights to the user |
119 | Access right of employees is not reviewed on a periodic basis |
120 | Temporary access rights given to a user are not disabled after use |
121 | No documentation of the users having various privilege levels |
122 | Improper granting of privileges |
123 | Files are not access controlled |
124 | Inadvertent sharing of the file system |
125 | No documentation of the privilege levels assigned to the users |
126 | Weak password |
127 | Temporary initial passwords are not forced to change |
128 | Passwords are sent in an insecure manner to the users |
129 | Passwords are stored unencrypted in the local machine |
130 | No review of user access rights |
131 | Passwords written on paper and kept on the desk |
132 | Passwords not changed even after a long period |
133 | Passwords not changed even after a system compromise |
134 | Sharing of passwords without official reasoning |
135 | No policy on use of network services |
136 | No enforced path being implemented for critical information facility |
137 | Remote users are not getting authenticated |
138 | Call-back procedures and controls not tested properly |
139 | Automatic connection to a remote computer is enabled |
140 | No protection for remote diagnostic ports |
141 | No segregation of networks |
142 | No network connection control for shared networks (e.g. e-mail application, one-way file transfer, interactive access) |
143 | No network routing control for shared networks |
144 | No security for network services |
145 | No security for automatic terminal identification |
146 | No warning banner at logon |
147 | Help messages revealing logon variables/features |
148 | No limit for unsuccessful logon attempts |
149 | No time limit for idle session |
150 | Logging is not enabled for unsuccessful logons |