Information Security Vulnerability List – 2

No Vulnerability
151 User id’s based on job description
152 No user identification and authentication
153 Weak password management system
154 Unrestricted use of system utilities
155 No provision of duress alarm for employees who mite be susceptible to coercion
156 No terminal timeout for systems in high risk environment
157 No additional controls for systems which cannot have terminal timeout
158 Access not given based on business application requirements
159 Sensitive systems are not kept in isolated environment
160 Auditing is not enabled on the files
161 No monitoring of system use
162 No clock synchronization facility
163 Lack of encryption software on the laptops
164 No guidelines for mobile computing
165 Lack of awareness, training for users for mobile computing
166 No guidelines/policy for teleworking
167 Security requirement specification is not available
168 Input string is not validated for length and type, sanitizing of input is not adequate
169 Weak Design and processing of application
170 Weak Authentication mechanism being used i.e.encryption not in use
171 Improper administration, plausibility checks to test the reasonability of output data are not in place
172 Information being exchanged in plain text
173 Poor Encryption technique is used
174 Adequate cryptographic measures not in place
175 Improper controls and Improper access to the keys
176 No qualified nomination of people who will update the operational software
177 Access to the source code not restricted
178 Improper change implementation or change control procedure not present
179 No technical review of operating system changes
180 Restrictions on changes to software packages are not either set or well communicated to users or implementers
181 Third party software are not procured from a reputable source
182 Third party software is not evaluated/ improper evaluation
183 SLA and NDA not signed with the third party software development firm
184 No escrow agreement with the third party software development firm
185 No pre planning for disaster recovery
186 Geographical location has fault lines (earthquake prone zone)
187 Geographical location is in an area susceptible to floods
188 Geographical location is in an area susceptible to storm
189 Building is located near to area vulnerable to accidents. (e.g., Petrol Pump, Gas station etc.,
190 Building is located near to power generating station
191 No Analysis or well approved business continuity strategy
192 No or poor implementation of BCP
193 No DRP framework present
194 DRP is not tested, implemented or verified
195 Statutory, regulatory and contractual requirements are not clearly defined
196 Copyright, design rights and trademark are not ket restricted
197 Records are not categorised or kep secretly
198 General information of living individuals is not kept secret
199 Warning on critical assets is either not or incorrectly displayed
200 agreements, laws, regulations or other instruments to control the access to or the use of cryptographic controls is not set
201 Evidences pertaining to respective law either civil or criminal are not present
202 Security Ploy is not being complied with legal and other issues
203 Controls of the audit of operational system are not either in place or present
204 Audit tools (software data files) are not protected
205 Unrestricted use of modems to dial in to the network
206 Lack of an inventory of dial-up lines leading to inability to monitor dial up access
207 Lack of audit logs to detect unauthorized access
208 Lack of user authentication
209 Lack of firewall
210 Lack of policies in respect of dial up access and modem use.
211 Lack of policy restricting staff to use of licensed software
212 Inadequate control of software distribution
213 Lack of software auditing
214 Unrestricted copying of software
215 Negligence or insufficient checks (Legal responsibilities and rights etc)
216 Insufficient security training
217 Lack of security awareness
218 Lack of monitoring mechanisms
219 Lack of policies for the correct use of telecommunications media and messaging
220 No removal of access rights upon job termination
221 No procedure to ensure return of asset upon job termination
222 Unmotivated or disgruntled staff
223 Unsupervised work by outside staff or staff working outside normal business hours
224 Personnel are not aware of threats from social engineering
225 No user awareness
226 No protection for office systems
227 Inadequate or careless use of physical access control to buildings, rooms and offices
228 Lack of physical protection for the building, doors, and windows
229 Location in an area susceptible to flood
230 Unprotected storage
231 Insufficient maintenance/faulty installation of storage media
232 Lack of periodic equipment replacement schemes
233 Susceptibility of equipment to humidity, dust, soiling
234 Susceptibility of equipment to temperature variations
235 Susceptibility of equipment to voltage variations
236 Unstable power grid
237 Unrestricted physical access to facilities and computer room
238 Blind spots due of improper placement of camera
239 Security perimeter is not clearly defined
240 Insufficient security man power
241 Insufficient access controls for critical facility
242 Servers are stored in a unsafe location with no access control mechanisms
243 Critical devices are not placed in controlled environment
244 Server is not stored in a rack or a cage
245 Critical devices are left carelessly lying around
246 Loading and unloading areas are not secured
247 Inadmissible temperature and humidity
248 No process for cleaning of equipment s
249 Lack of fire detection devices
250 Lack of automatic fire suppression system
251 Fire drills are not conducted
252 Fire fighting equipment s are not appropriate for electric fires/ equipment s in the Data Center
253 Stabilized power not available
254 Surge in electric current
255 Voltage variations
256 Redundant power supplies are not available
257 Power and telecommunication lines are exposed
258 Lack of redundancy and back-ups for the communication services
259 Lack of planning and implementation of communication cabling
260 Network cabling exposed and carelessly laid
261 Power cables not segregated from telecommunication cables
262 The maintenance for firefighting equipment’s are not performed on a periodic basis
263 Testing of the fire equipment’s are not performed
264 Lack of proper maintenance process for all critical equipment’s. (HVAC, Servers, etc.,)
265 Critical devices left unattneded in public palces
266 Destruction mechanism such as shredders not used
267 Hard copies are available freely
268 Critical devices (common hardware tokens) are taken home
269 Backup media are not kept in a fireproof safe
270 Off-site backup facility is not present
271 Backup medias are not secured
272 Unsafe storage
273 Medias are not erased at its end of life
274 Medias are not safely disposed
275 No information labeling
276 No access restriction
277 Paper information is not protected during distribution through courrier
278 Media is not protected
279 Media is not physically secured
280 Goodwill / Reputation Loss
281 Improper Disposal of documents
282 Lack of proper access rights management of removable and external storage media
283 Inappropriate access rights management
284 Inadequate classification present for the documentation
285 Employees not educated / unaware of security threats and counter measures
286 No policies and Procedures pertaining to access control, password management, secure disposal of data in place
287 Inadequate backup and restoration procedures in place
288 Usage of removable storage media
289 Improper retention of documents as per the contractual/regulatory requirements applicable
290 Public emails used for sharing organization information
291 Improper information sharing between employees
292 No security related roles and responsibilities defined for employee of POSOCO
293 Inadequate classification present for the documentation
294 Sensitive or confidential information is not appropriately protected
295 Files containing business  confidential information are kept out in open
296 Visitor baggage not being frisked
297 Inadequate backup and restoration procedures in place
298 Improper retention of documents as per the contractual/regulatory requirements applicable
299 Improper disposal of project documentation
300 Improper privilege (administrator level) set on all the machines
301 Monitors are not locked when employee is not on his/her desk
302 Users have privilege to download and install any software on their systems.
303 No access rights management on removable storage media
304 Personal and non business related information stored in the systems
305 No procedure in place to ensure that applications, systems and devices are updated and patched regularly
306 No policies and procedures in place (for example password management policy, backup and retrieval policy, physical and environmental policy, access control policy, email and internet usage policy, data retention and purging policy, etc.)
307 Improper files and folder sharing practices followed
308 Lack of security awareness.
309 No service level or confidentiality agreement signed with the vendors
310 No proof or records maintained for testing conducted
311 No Change management procedure in place
312 No process in place to ensure active monitoring of network device logs
313 No fault recording and capacity management is not carried out
314 Lack of structured cabling
315 No BCP/ DR planning in place
316 No backup of the configurations of the devices
317 No content filtering enabled to block unwanted traffic
318 No policies and procedures in place for network management
319 No procedure in place to track people entering and leaving a server room / ups room
320 No policies and procedures in place for server management
321 Inadequate back and restoration procedure
322 No procedure in place to track people entering and leaving a server/ups room
323 Department SOP Not present
324 No service level or confidentiality agreement signed with the vendors
325 Inadequate SLA monitoring
326 No policies and procedures in place for the software acceptable use
327 No proof or records maintained for testing conducted
328 No Change management procedure in place
329 Inadequate back and restoration procedure
330 Lack of security awareness.
331 No procedure in place to ensure that applications, systems and devices are updated and patched regularly

Please follow and like us: