Inaccurate inventory of computer systems, software, hardware, peripherals
No firewalls
No encryption or secure information transfer
There is no check on student IDs - anyone can walk in and use a computer
Internet is available to anyone walking in
Accounts and passwords have no expiration date
Administrator passwords are default vendor passwords.
Inconsistent patch policy across systems
Some hardware systems are outdated
Student computers store information on drive C only for that day; it is deleted on reboot. However, drive D stores information for the semester
Users do not know to whom they should report security problems, especially after hours
Inconsistent logging on user systems
No test environment; testing methods are informal and not systematic.
Only one person knows the domain password.
You have 45 minutes to complete the following:
Review the list of host security observations
Make comments about each observation - for example, whether this is a serious problem or not so serious, whether you would give this a priority or not, whether you would have to wait for availability of funds or not, etc.
List what assets are vulnerable and what the potential impact on the organization would be if the assets were compromised.
What are the threats to the confidentiality, integrity and/or availability of the assets?
How could the threats be exploited?
What means might an intruder use?
What motive might the intruder have?
How could you protect against the threats?
From a risk-management point of view, what would be the expected loss?
What other observations or comments would you like to make?