100 security questions you should ask your security expert

Ask these 100 questions!

Do you have a company, or do you work in a field that demands security and safety? Then use these 100 questions. Ask them to your security expert and you will get an insight into the security status of your company or environment. It is important to remember that security experts are human. They are not machines that remember everything.

If your security expert or security manager is unable to answer some of these questions, explain that it is important to find the missing answers, because they are critical to the security status of the company or service. A couple of months ago we published a list of 100 security tips which will help you to be more secure on the internet and on the work floor.

One of the biggest reasons to use these 100 questions is the following. Targeted attacks, often labelled Advanced Persistent Threats (APTs) or simply 'cyber attacks', are increasing. One contributing factor is that Microsoft ended support for Windows XP in April 2014, so the millions of XP devices that are still in use no longer receive security patches and can be abused by cybercriminals. DDoS attacks are increasing too, because widely deployed content management systems give attackers a large pool of hosts: by compromising vulnerable WordPress websites, or abusing their XML-RPC pingback feature, attackers can launch massive DDoS attacks.

Recently a Dutch report described how researchers replicated NSA techniques for hacking phones through malicious SMS messages. The existence of these techniques, and the idea of hacking phones with malicious messages, became public through the documents leaked by Edward Snowden.

Social media

Cybercriminals are abusing social media networks to infect unsuspecting people with malicious code. Your security expert has the task of informing users, and raising their awareness, because those users could infect the environment of the company. This massive list of Facebook malware and schemes shows the various techniques and methods hackers use to infect people, aware or not, with malicious code.

Ask your security expert these questions on Social Media

  1. Do we allow our users to access social media networks via our infrastructure?
  2. Why do we allow our users to access the mentioned social media networks?
  3. Are they allowed to download and install files from the internet?
  4. Do we have a social media policy in the company?
  5. Which social media networks are used the most?
  6. Why don’t we ban the social media networks that are used the least?
  7. Are the users aware of what information is allowed to be shared on social media networks?
  8. Are the users informed on recommended security settings for their social media accounts?
  9. Are they using private or corporate e-mail accounts for their social media accounts?
  10. Do we use two-factor authentication for our social media network accounts? And are the users aware of the two-factor authentication method?

By asking these 10 questions, you will be aware of the social media security status in your company. These questions also allow you to brainstorm with the security expert about possible social media threats.

The security status of your company website(s)

WordPress is one of the most widely used CMSs in the world, so the chance is high that your company is running a version of it. If this is not the case, the following questions still apply. They will give you an insight into the security status of the websites managed by your security experts and administrators. Cybercriminals are defacing company websites and hacktivists are DDoS'ing government websites, so there are reasons enough to take a look at the security status of your corporate website(s).

  1. Do we run our websites on a shared hosting environment?
  2. Why do we run our websites on a shared environment?
  3. What have we done to protect our websites against malicious internet users?
  4. Do we have a managed update and maintenance process for the web applications?
  5. Are the steps of that process documented?
  6. Is sensitive data in our web application database encrypted, and are passwords stored as salted hashes?
  7. When was the last time we checked our web application for vulnerabilities?
  8. When was the last time an external company checked our web application for vulnerabilities?
  9. Is our web application up to date, including its plugins and themes?
  10. Are we using external (third-party) applications? And why are we using them?

Ask these questions to your security expert and you will get an insight into the security status of your web applications.

Work hard, Play hard!

Social Engineering awareness

You, me, your security expert and everybody else will always be a weak link in the security infrastructure of a company or service. I mentioned it before: we are not machines. We make mistakes and tend to 'forget' things. Cybercriminals are aware of this and will exploit human weakness to gain information about their target. Government agencies use spies to infiltrate companies and perform espionage on them. Espionage and cybercrime are a big problem for companies, as they directly hit their (future) finances.

Ask your security expert these questions about social engineering awareness:

  1. Do we accept open job applications? Do we run background checks on the people we hire?
  2. Do we provide security awareness training and tutorials to our personnel?
  3. Do we run social engineering tests on our personnel? And do we inform them after the tests?
  4. Are there people in the company who might be extra vulnerable to social engineering attacks?
  5. What do we do with these people? How do we inform them?
  6. Are the security cameras working correctly?
  7. Are there any rogue access points in the company?
  8. Do we allow private devices in the company?
  9. Do we check the people who enter the building, such as the pizza delivery guy?
  10. Do we check them again when they leave?
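Question 7 is one your security expert can answer with data rather than a guess. The script below is an added example, not code from the original page: it compares a Wi-Fi scan against an inventory of the company's own access points and reports evil twins (an unknown BSSID broadcasting a corporate SSID) and unknown access points whose signal is strong enough to be inside the building. The scan lines, the inventory and the SSID names are constructed assumptions standing in for real site data.

```python
"""Rogue access-point check over a Wi-Fi scan.

Added example, not code from the original page. The scan text is
constructed to look like a simplified scan summary (BSSID, SSID, channel,
signal in dBm, security); the authorised-AP inventory and SSID names are
assumptions standing in for a real site inventory.
"""
import re
from dataclasses import dataclass

# Assumed inventory of the access points the company operates: BSSID -> SSID.
AUTHORISED_APS = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
    "00:11:22:33:44:03": "CorpGuest",
}
# SSIDs that only the company's own APs may broadcast.
CORPORATE_SSIDS = {"CorpNet", "CorpGuest"}

# Constructed scan output (columns: BSSID, SSID, channel, signal dBm, security).
# Real input would be a summary of `iw dev wlan0 scan` or a WIDS sensor export.
SCAN_OUTPUT = """\
00:11:22:33:44:01  CorpNet     6  -41  WPA2
00:11:22:33:44:02  CorpNet    11  -55  WPA2
00:11:22:33:44:03  CorpGuest   1  -60  WPA2
aa:bb:cc:dd:ee:01  CorpNet     6  -38  OPEN
aa:bb:cc:dd:ee:02  Free_WiFi   1  -45  OPEN
aa:bb:cc:dd:ee:03  Neighbour  11  -82  WPA2
"""

# One scan line; SSIDs containing spaces are not handled by this simple format.
LINE_RE = re.compile(
    r"^(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ssid>\S+)\s+"
    r"(?P<channel>\d+)\s+(?P<signal>-?\d+)\s+(?P<security>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    signal: int
    reason: str


def parse_scan(text):
    """Return a list of dicts, one per access point seen in the scan text."""
    aps = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines rather than failing the check
        ap = match.groupdict()
        ap["bssid"] = ap["bssid"].lower()
        ap["channel"] = int(ap["channel"])
        ap["signal"] = int(ap["signal"])
        aps.append(ap)
    return aps


def find_rogue_aps(scan_text, authorised=AUTHORISED_APS,
                   corporate_ssids=CORPORATE_SSIDS, on_premise_dbm=-70):
    """Flag access points that should not be on the premises.

    Three cases are reported:
      * an authorised BSSID broadcasting an SSID other than its registered one,
      * an unknown BSSID broadcasting a corporate SSID (evil twin),
      * an unknown BSSID whose signal is strong enough to be inside the
        building (at least on_premise_dbm); weak neighbours are ignored.
    """
    findings = []
    for ap in parse_scan(scan_text):
        bssid, ssid, signal = ap["bssid"], ap["ssid"], ap["signal"]
        if bssid in authorised:
            if ssid != authorised[bssid]:
                findings.append(Finding(bssid, ssid, signal,
                                        "authorised AP broadcasting unexpected SSID"))
            continue
        if ssid in corporate_ssids:
            findings.append(Finding(bssid, ssid, signal,
                                    "evil twin: corporate SSID from unknown BSSID"))
        elif signal >= on_premise_dbm:
            findings.append(Finding(bssid, ssid, signal,
                                    "unknown AP with on-premise signal strength"))
    return findings


if __name__ == "__main__":
    for f in find_rogue_aps(SCAN_OUTPUT):
        print(f"{f.bssid}  {f.ssid:<10} {f.signal:>4} dBm  {f.reason}")
```

On the constructed data this reports the open "CorpNet" twin and the strong "Free_WiFi" network, and ignores the weak neighbour. The signal threshold is a rough proxy for location, and BSSIDs can be spoofed, so a hit is a reason to walk over with a directional antenna and find the device, not proof by itself; scanning from several points in the building, or from a WIDS, gives far better coverage than a single laptop.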

Play hard, secure hard!

Physical computer security

Logical (software) security is a good thing, but if an attacker is able to breach the physical security of a computer, he can do anything with that computer. Keep in mind that cybercriminals and hackers also use hardware to obtain valuable information. The classic example is a USB hardware keylogger, which can be plugged into any USB port. Many of these sit inline between the keyboard and the port and are not visible to the operating system at all, so they can only be found by physically inspecting the ports.
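Not every malicious USB device is invisible, though: anything that enumerates as its own device (a hub inserted inline, a "keyboard" that types commands) leaves a trace in the kernel log. The script below is an added example, not code from the original page: it replays Linux dmesg-style USB messages, works out which devices are still attached, and flags devices outside an approved VID:PID baseline, as well as approved devices that now hang off an unapproved hub. The log lines, vendor/product IDs and the baseline are constructed, illustrative assumptions.

```python
"""USB device baseline check over kernel log lines.

Added example, not code from the original page. The log lines are
constructed in the style of Linux `dmesg` USB enumeration messages; the
approved VID:PID baseline and the vendor/product IDs are illustrative
assumptions, not a real inventory.
"""
import re
from dataclasses import dataclass

# Assumed baseline: (idVendor, idProduct) pairs the company has approved.
APPROVED = {
    ("046d", "c31c"): "Logitech keyboard",
    ("046d", "c077"): "Logitech mouse",
}

# Constructed log. At boot a keyboard (1-1) and mouse (1-2) are attached; an hour
# later the keyboard is unplugged and comes back behind an unknown hub that also
# carries a second "keyboard" (1-1.2).
DMESG = """\
[   12.101] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[   12.250] usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[   12.251] usb 1-1: Product: USB Keyboard
[   12.251] usb 1-1: Manufacturer: Logitech
[   12.300] usb 1-2: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
[   12.301] usb 1-2: Product: USB Optical Mouse
[   12.301] usb 1-2: Manufacturer: Logitech
[ 3605.010] usb 1-1: USB disconnect, device number 2
[ 3610.120] usb 1-1: New USB device found, idVendor=1a2b, idProduct=0001, bcdDevice= 1.11
[ 3610.121] usb 1-1: Product: USB 2.0 Hub
[ 3610.400] usb 1-1.1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[ 3610.401] usb 1-1.1: Product: USB Keyboard
[ 3610.401] usb 1-1.1: Manufacturer: Logitech
[ 3610.600] usb 1-1.2: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 1.00
[ 3610.601] usb 1-1.2: Product: USB Keyboard
[ 3610.601] usb 1-1.2: Manufacturer: Generic
"""

FOUND_RE = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                      r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STRING_RE = re.compile(r"usb (?P<port>[\d.-]+): (?P<field>Product|Manufacturer): (?P<value>.*)$")
GONE_RE = re.compile(r"usb (?P<port>[\d.-]+): USB disconnect")


@dataclass
class Device:
    port: str
    vid: str
    pid: str
    product: str = ""
    manufacturer: str = ""


def parent_port(port):
    """'1-1.2' hangs off hub '1-1'; '1-1' is on a root port and has no parent."""
    return port.rsplit(".", 1)[0] if "." in port else None


def current_devices(log_text):
    """Replay the log and return the devices still attached, keyed by port."""
    devices = {}
    for line in log_text.splitlines():
        if m := FOUND_RE.search(line):
            devices[m["port"]] = Device(m["port"], m["vid"], m["pid"])
        elif m := STRING_RE.search(line):
            dev = devices.get(m["port"])
            if dev is not None:
                setattr(dev, m["field"].lower(), m["value"].strip())
        elif m := GONE_RE.search(line):
            # Unplugging a hub also takes away everything behind it.
            gone = m["port"]
            for port in list(devices):
                if port == gone or port.startswith(gone + "."):
                    del devices[port]
    return devices


def find_unapproved_usb(log_text, approved=APPROVED):
    """Return (device, reason) pairs for attached devices outside the baseline.

    A device is flagged if its VID:PID is not approved, or if an approved
    device is now reached through a hub that is itself flagged: a keyboard
    that used to sit on a root port and suddenly hangs off an unknown hub
    deserves a look at the physical port.
    """
    devices = current_devices(log_text)
    flagged = {}
    # Parents first, so a child's hub has already been judged.
    for port in sorted(devices, key=lambda p: (p.count("."), p)):
        dev = devices[port]
        if (dev.vid, dev.pid) not in approved:
            flagged[port] = (dev, f"{dev.vid}:{dev.pid} not in approved baseline")
        elif parent_port(port) in flagged:
            flagged[port] = (dev, f"approved device attached through unapproved hub {parent_port(port)}")
    return list(flagged.values())


if __name__ == "__main__":
    for dev, reason in find_unapproved_usb(DMESG):
        print(f"usb {dev.port}: {dev.manufacturer} {dev.product}: {reason}")
```

On the constructed log this flags the unknown hub on port 1-1, the approved keyboard that now sits behind it, and the second "keyboard" from an unknown vendor. Vendor and product IDs and the descriptive strings are chosen by the device, so an attacker can clone a known keyboard; the check is a tripwire that points at a port to inspect, not proof of a clean machine. For enforcement rather than after-the-fact review, a tool such as USBGuard applies the same kind of allowlist at attach time, and a fully passive inline keylogger still never appears in any log.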
