Information Security Vulnerability List – 1

No.  Vulnerability
1 Disposal or reuse of storage media without proper erasure
2 Inadequate change control
3 Inadequate network management
4 Lack of back-up procedures
5 Lack of proof of sending or receiving a message
6 Lack of updates for malicious code protection software
7 No segregation of duties
8 No separation of test and operational facilities
9 Uncontrolled copying
10 Unprotected public network connections
11 Lack of security policy
12 Security policy is incomplete
13 Security policy is outdated
14 Lack of a dedicated information security forum
15 Lack of co-ordination within Forum
16 Inadequate skill set within Forum
17 Inadequate representation from relevant departments
18 No support for organization-wide information security initiatives
19 No review of information security incidents
20 Roles and Responsibilities not clearly defined
21 Roles and Responsibilities not documented
22 Lack of authorization process for information processing facilities
23 Improper user management approval
24 Inadequate checking of hardware and software compatibility with other system components
25 Use of personal information processing facility in the workplace
26 Lack of security controls for use of personal information processing facility in the workplace
27 Lack of experienced information security adviser
28 Lack of co-operation between organizations
29 No review of information security policy
30 Unrestricted logical access to IT systems
31 Security requirement is not properly mentioned in SLA
32 Information maintenance and destruction mechanism is not mentioned in SLA
33 IT Service availability requirement is not mentioned in the SLA
34 Security requirement is not properly mentioned in contract
35 Information maintenance and destruction mechanism is not mentioned in contract
36 IT Service availability requirement is not mentioned in the contract
37 Legal requirements are not specified in the contract
38 Controls are not specified in contract to prevent unauthorized access to company’s information
39 Auditing of outsourcing activities is not mentioned in the contract
40 No inventory of assets
41 No classification guidelines
42 No periodic assessment of classification guidelines
43 Inadequate labeling of critical devices and components
44 Inadequate guidelines for personnel creating the document
45 Labeling does not reflect the classification employed
46 Security not included in job responsibilities
47 Negligence or insufficient checks
48 No periodic review and val procedures by senior staff
49 NDA agreement not in place
50 Insufficient training
51 Untrained handling of equipment or data
52 Lack of policy requiring all enquiries for information to be withheld until the identity of the requestor can be verified
53 No formal procedure for reporting security incidents
54 Incident reporting procedure not communicated effectively to employees
55 No formal procedure for reporting security weaknesses
56 No formal procedure for reporting software malfunctions
57 No mechanism in place to quantify and monitor the incidents
58 No disciplinary process
59 The monitoring is not performed on a regular basis
60 The legal documents are not access controlled
61 Access to the servers is not restricted
62 Data on HDD is not erased
63 Password protected screen savers are not present
64 Critical devices (VPN tokens, two-factor authentication tokens) are left unattended on the desk
65 Documented procedures are absent
66 Operation procedure doesn’t address information handling
67 Operation procedure doesn’t address system recovery procedure
68 Unregulated changes to users' laptop PCs
69 Unregulated changes in the systems
70 Incident management procedure is not present
71 Recovery procedure is absent in incident management procedure
72 Previous incidents and their solutions are not logged
73 No audit trail or evidence for problem analysis
74 No segregation of duties
75 No separation of development and operational facilities
76 Information maintenance is not taken care of
77 Inadequate bandwidth capacity of ISP link
78 Inadequate storage capacity for servers and applications
79 Bugs in system
80 Absence of antivirus software on the desktops and servers
81 Absence of antispyware software on the desktops and servers
82 Virus and spyware signatures are not updated
83 No backup is present
84 No procedures for recovery of information
85 Backup media is not tested for restoration
86 Logging is absent
87 Firewall is not present between server segment and user segment
88 Management LAN is not separated from production segment by firewall
89 Different WAN locations are not separated by firewall
90 Publicly accessible servers are fully exposed to the internet
91 Unable to track the media
92 Insecure storage of and no access restriction on system documentation
93 No control on information/software distribution
94 No control on software distribution
95 Information is not protected during distribution
96 No authentication
97 No authorization
98 No accountability
99 No authentication for e-mail system
100 Clear text e-mail transmission
101 No use of digital signature
102 Accuracy, integrity and information classification are not maintained
103 Information is not protected in other forms of exchange such as fax, voice calls, public discussions, etc.
104 There is no access control defined for business applications/Network
105 Manuals (Training, Technical) are not stored in a secure and access controlled place
106 There is no access control mechanism on the reports (Top Management, Monthly/Quarterly, etc.)
107 Inadequate access rights definition; reports are stored on unprotected shares
108 Permissions are not assigned appropriately on file shares
109 Critical documents such as Legal documents are not access controlled
110 Security flaws involved in integrating old desktop operating system into a server-based network
111 Share level security is not provided by the OS
112 Test Machines have no access control mechanism in place
113 Files are not access controlled (Files on storage devices)
114 Eavesdropping on calls
115 Operations manuals are not stored in a safe and easily accessible place
116 No formal user registration and de-registration process
117 User IDs are not unique
118 Maker-Checker process not being followed for creating and assigning rights to the user
119 Access right of employees is not reviewed on a periodic basis
120 Temporary access rights given to a user are not disabled after use
121 No documentation of the users having various privilege levels
122 Improper granting of privileges
123 Files are not access controlled
124 Inadvertent sharing of the file system
125 No documentation of the privilege levels assigned to users
126 Weak password
127 Temporary initial passwords are not forced to change
128 Passwords are sent to users in an insecure manner
129 Passwords are stored unencrypted in the local machine
130 No review of user access rights
131 Passwords written on paper and kept on the desk
132 Passwords not changed even after a long period
133 Passwords not changed even after a system compromise
134 Sharing of passwords without official reasoning
135 No policy on use of network services
136 No enforced path being implemented for critical information facility
137 Remote users are not getting authenticated
138 Call-back procedures and controls not tested properly
139 Automatic connection to a remote computer is enabled
140 No protection for remote diagnostic ports
141 No segregation of networks
142 No network connection control for shared networks (e.g. e-mail application, one-way file transfer, interactive access)
143 No network routing control for shared networks
144 No security for network services
145 No security for automatic terminal identification
146 No warning banner displayed at logon
147 Help messages revealing logon variables/features
148 No limit for unsuccessful logon attempts
149 No time limit for idle session
150 Logging is not enabled for unsuccessful logon attempts