Information Security Vulnerability List – 1
| No | Vulnerability |
|---|---|
| 1 | Disposal or reuse of storage media without proper erasure |
| 2 | Inadequate change control |
| 3 | Inadequate network management |
| 4 | Lack of back-up procedures |
| 5 | Lack of proof of sending or receiving a message |
| 6 | Lack of updates for malicious code protection software |
| 7 | No segregation of duties |
| 8 | No separation of test and operational facilities |
| 9 | Uncontrolled copying |
| 10 | Unprotected public network connections |
| 11 | Lack of security policy |
| 12 | Security policy is incomplete |
| 13 | Security policy is outdated |
| 14 | Lack of a dedicated information security forum |
| 15 | Lack of co-ordination within the Forum |
| 16 | Inadequate skill set within the Forum |
| 17 | Inadequate representation from relevant departments |
| 18 | No support for organization-wide information security initiatives |
| 19 | No review of information security incidents |
| 20 | Roles and Responsibilities not clearly defined |
| 21 | Roles and Responsibilities not documented |
| 22 | Lack of authorization process for information processing facilities |
| 23 | Improper user management approval |
| 24 | Inadequate checking of hardware and software compatibility with other system components |
| 25 | Use of personal information processing facility in the workplace |
| 26 | Lack of security controls for use of personal information processing facility in the workplace |
| 27 | Lack of experienced information security adviser |
| 28 | Lack of co-operation between organizations |
| 29 | No review of information security policy |
| 30 | Unrestricted logical access to IT systems |
| 31 | Security requirement is not properly mentioned in SLA |
| 32 | Information maintenance and destruction mechanism is not mentioned in SLA |
| 33 | IT Service availability requirement is not mentioned in the SLA |
| 34 | Security requirement is not properly mentioned in contract |
| 35 | Information maintenance and destruction mechanism is not mentioned in contract |
| 36 | IT Service availability requirement is not mentioned in the contract |
| 37 | Legal requirements are not specified in the contract |
| 38 | Controls are not specified in contract to prevent unauthorized access to company’s information |
| 39 | Auditing of outsourcing activities is not mentioned in the contract |
| 40 | No inventory of assets |
| 41 | No classification guidelines |
| 42 | No periodic assessment of classification guidelines |
| 43 | Inadequate labeling of critical devices and components |
| 44 | Inadequate guidelines for personnel creating the document |
| 45 | Labeling does not reflect the classification employed |
| 46 | Security not included in job responsibilities |
| 47 | Negligence or insufficient checks |
| 48 | No periodic review and val procedures by senior staff |
| 49 | NDA agreement not in place |
| 50 | Insufficient training |
| 51 | Untrained handling of equipment or data |
| 52 | Lack of policy requiring all enquiries for information to be withheld until the identity of the requestor can be verified |
| 53 | No formal procedure for reporting security incidents |
| 54 | Incident reporting procedure not communicated effectively to employees |
| 55 | No formal procedure for reporting security weaknesses |
| 56 | No formal procedure for reporting software malfunctions |
| 57 | No mechanism in place to quantify and monitor the incidents |
| 58 | No disciplinary process |
| 59 | The monitoring is not performed on a regular basis |
| 60 | The legal documents are not access controlled |
| 61 | Access to the servers is not restricted |
| 62 | Data on HDD is not erased |
| 63 | Password protected screen savers are not present |
| 64 | Critical devices (VPN tokens, two-factor authentication tokens) are left unattended on the desk |
| 65 | Documented procedures are absent |
| 66 | Operation procedure doesn’t address information handling |
| 67 | Operation procedure doesn’t address system recovery procedure |
| 68 | Unregulated changes to the users' laptop PCs |
| 69 | Unregulated changes in the systems |
| 70 | Incident management procedure is not present |
| 71 | Recovery procedure is absent in incident management procedure |
| 72 | Previous incidents and their solutions are not logged |
| 73 | No audit trail or evidence for problem analysis |
| 74 | No segregation of duties |
| 75 | No separation of development and operational facilities |
| 76 | Information maintenance is not taken care of |
| 77 | Inadequate bandwidth capacity of ISP link |
| 78 | Inadequate storage capacity for servers and applications |
| 79 | Bugs in system |
| 80 | Absence of antivirus software on the desktops and servers |
| 81 | Absence of Antispyware software on the desktops and servers |
| 82 | Virus and spyware signature is not updated |
| 83 | No backup is present |
| 84 | No procedures for recovery of information |
| 85 | Backup media is not tested for restoration |
| 86 | Logging is absent |
| 87 | Firewall is not present between server segment and user segment |
| 88 | Management LAN is not separated from production segment by firewall |
| 89 | Different WAN locations are not separated by firewall |
| 90 | Publicly accessible servers are fully exposed to the internet |
| 91 | Unable to track the media |
| 92 | Insecure storage and no access restriction of system documentations |
| 93 | No control on information/software distribution |
| 94 | No control on software distribution |
| 95 | Information is not protected during distribution |
| 96 | No authentication |
| 97 | No authorization |
| 98 | No accountability |
| 99 | No authentication for e-mail system |
| 100 | Clear text e-mail transmission |
| 101 | No use of digital signature |
| 102 | Accuracy, integrity and information classification are not maintained |
| 103 | Information is not protected in other form of exchange like fax, voice calls, public discussions etc. |
| 104 | There is no access control defined for business applications/Network |
| 105 | Manuals (Training, Technical) are not stored in a secure and access controlled place |
| 106 | There is no access control mechanism on the reports (Top Management, Monthly/Quarterly etc.) |
| 107 | Inadequate access rights definition; reports are stored on unprotected shares |
| 108 | Permissions are not assigned appropriately on file shares |
| 109 | Critical documents such as Legal documents are not access controlled |
| 110 | Security flaws involved in integrating old desktop operating system into a server-based network |
| 111 | Share level security is not provided by the OS |
| 112 | Test Machines have no access control mechanism in place |
| 113 | Files are not access controlled (Files on storage devices) |
| 114 | Eavesdropping on calls |
| 115 | Operations manuals are not stored in a safe and easily accessible place |
| 116 | No formal user registration and de-registration process |
| 117 | User IDs are not unique |
| 118 | Maker-Checker process not being followed for creating and assigning rights to the user |
| 119 | Access right of employees is not reviewed on a periodic basis |
| 120 | Temporary access rights given to a user are not disabled after use |
| 121 | No documentation of the users having various privilege levels |
| 122 | Improper granting of privileges |
| 123 | Files are not access controlled |
| 124 | Inadvertent sharing of the file system |
| 125 | No documentation of the privilege levels assigned to the users |
| 126 | Weak password |
| 127 | Temporary initial passwords are not forced to change |
| 128 | Passwords are sent to users in an insecure manner |
| 129 | Passwords are stored unencrypted in the local machine |
| 130 | No review of user access rights |
| 131 | Passwords written on paper and kept on the desktop |
| 132 | Passwords not changed even after a long period |
| 133 | Passwords not changed even after a system compromise |
| 134 | Remote users are not authenticated |
| 135 | No policy on use of network services |
| 136 | No enforced path implemented for critical information facilities |
| 137 | Remote users are not getting authenticated |
| 138 | Call-back procedures and controls not tested properly |
| 139 | Automatic connection to a remote computer is enabled |
| 140 | No protection for remote diagnostic ports |
| 141 | No segregation of networks |
| 142 | No network connection control for shared networks (e.g. e-mail application, one-way file transfer, interactive access) |
| 143 | No network routing control for shared networks |
| 144 | No security for network services |
| 145 | No security for automatic terminal identification |
| 146 | No logon warning banner on log on |
| 147 | Help messages revealing log on variables/features |
| 148 | No limit for unsuccessful logon attempts |
| 149 | No time limit for idle session |
| 150 | Logging is not enabled for unsuccessful log-on attempts |