No inventory of computer systems, software, peripherals, etc.
Inconsistent host configurations - especially laptops
No firewalls
No encryption or secure information transfer
Accounts and passwords have no expiration date
Default accounts have vendor passwords.
No technology or policy to enforce strong passwords.
Inconsistent patch downloads across systems.
Users do not know to whom they should report security problems, especially after hours
No test environment
Informal testing methods, and not systematic.
Only head of IT knows the domain password.
Administrator passwords are default vendor passwords.
Some hardware systems are outdated
Inconsistent logging on user systems
You have 45 minutes to complete the following:
Review the list of host security observations.
Make comments about each observation - for example, whether this is a serious problem or not so serious, whether you would give this a priority or not, whether you would have to wait for availability of funds or not, etc.
List what assets are vulnerable and what the potential impact on the organization would be if the assets were compromised.
What are the threats to the confidentiality, integrity and/or availability of the assets?
How could the threats be exploited?
What means might an intruder use?
What motive might the intruder have?
How could you protect against the threats?
From a Risk-Management point of view, what would be the expected loss?
What other observations or comments would you like to make?