100 security questions you should ask your security expert

Published by Reza Rafati on

Do you have a company, or do you work in a field that demands you to be secure and safe? Then use these 100 questions. Ask them to your security expert and you will get insight into the security status of your company or environment. It is important to remember that security experts are humans: they are not machines that remember everything.

If your security expert or security manager is unable to answer these questions, explain that it is important to get insight into the missing answers, as they are critical to the security status of the company or service. A couple of months ago we published a massive list of 100 security tips that will help you to be more secure on the internet and on the work floor.

One of the biggest reasons to use these 100 questions is the following fact: Advanced Persistent Threats and other ‘cyber attacks’ are increasing. Windows XP is no longer supported by Microsoft, so the millions of Windows XP devices still in use no longer receive security patches, and cybercriminals can abuse them at will. DDoS attacks are increasing as well: Content Management Systems are far more widespread than they were a couple of years ago, and hackers and cybercriminals can launch massive DDoS attacks by simply infecting vulnerable WordPress websites.

Recently a report was published in The Netherlands on how NSA techniques for hacking phones via malicious SMS messages were replicated. The techniques, and the idea of hacking phones with malicious messages, were revealed in the documents leaked by Edward Snowden.

Social media

Cybercriminals abuse social media networks to infect unaware people with malicious code. Your security expert has the task of informing users and spreading awareness, because a single infected user can infect the environment of the company. This massive list of Facebook malware and schemes shows how attackers use various techniques and methods to infect both unaware and aware people with malicious code.

Ask your security expert these questions on Social Media

  1. Do we allow our users to access social media networks via our infrastructure?
  2. Why do we allow our users to access the mentioned social media networks?
  3. Are they allowed to download and install files from the internet?
  4. Do we have a social media policy in the company?
  5. Which social media networks are used the most?
  6. Why don’t we ban the social media networks that are used the least?
  7. Are the users aware of what information is allowed to be shared on social media networks?
  8. Are the users informed on recommended security settings for their social media accounts?
  9. Are they using private or corporate e-mail accounts for their social media accounts?
  10. Do we use two-factor authentication for our social media network accounts? And are the users aware of the two-factor authentication method?

By asking these 10 questions, you will be aware of the social media security status in your company. These questions allow you to brainstorm with the security expert about possible social media threats.

The security status of your company website(s)

WordPress is one of the most widely used content management systems in the world, so there is a good chance that your company runs a version of WordPress. If this is not the case, the following questions still apply. They will give you insight into the security status of the websites managed by your security experts and administrators. Cybercriminals deface company websites and hacktivists DDoS government websites, so there are enough reasons to take a look at the security status of your corporate website(s).

  1. Do we run our websites on a shared environment?
  2. Why do we run our websites on a shared environment?
  3. What have we done to protect our websites against malicious internet users?
  4. Do we have a managed update process and hardening tasks set up for the web applications?
  5. Are these steps documented?
  6. Are we using encryption in our web application database?
  7. When was the last time we checked our web application for vulnerabilities?
  8. When was the last time an external company checked our web application for vulnerabilities?
  9. Is our web application up to date?
  10. Are we using external applications (for example plugins and themes)? And why are we using them?

Ask these questions to your security expert and you will get an insight on the security status of your webapplications.

Work hard, Play hard!

Social Engineering awareness

You, me, your security expert and everybody else will always be a weak link in the security infrastructure of a company or service. As I mentioned before, we are not machines: we make mistakes and tend to ‘forget’ things. Cybercriminals are aware of this and will exploit human weakness to gain information about their target. Government agencies use spies to infiltrate companies and perform espionage on the infiltrated company. Espionage and cybercrime are a big problem for companies, as they directly hit their (future) finances.

Ask your security expert these questions about social engineering awareness:

  1. Do we accept open (unsolicited) job applications? Do we run a background check on applicants?
  2. Do we provide security awareness training and tutorials to our personnel?
  3. Do we run social engineering tests on our personnel, and do we inform them after the tests?
  4. Are there people in the company who might be extra vulnerable to social engineering attacks?
  5. What do we do with these people? How do we inform them?
  6. Are the security cameras working correctly?
  7. Are there any rogue access points in the company?
  8. Do we allow private devices in the company?
  9. Do we check the people that enter the company, like the pizza delivery guy?
  10. Do we check them after they have left the company?

Play hard, secure hard!

Physical computer security

Virtual security is a good thing, but if an attacker is able to breach the physical security of a computer, he will be able to do anything with that computer. Keep in mind that cybercriminals and hackers use hardware to obtain valuable information; the classic example is a USB keylogger, which can be plugged into any USB port.

Ask your security expert these questions on physical computer security

  1. What devices do we have connected to our infrastructure?
  2. What type of ports and peripherals (USB, for example) do these devices allow?
  3. Have we disabled the ports we do not need?
  4. Why are the remaining ports still enabled?
  5. Are the enabled ports being monitored or managed?
  6. Do we tell our users to look for ‘strange devices’ connected to their computer (USB keyloggers)?
  7. Do we use security tokens?
  8. Are these security tokens being managed?
  9. Do we check that all security tokens are still with their rightful owner?
  10. What do we do with old devices? Do we wipe their contents in a responsible way? (Secure wiping: overwriting is enough for magnetic disks, but SSDs and flash media need the drive’s built-in secure-erase function, or full-disk encryption with the key destroyed.)

WiFi security

We all love WiFi: it allows you to stay connected to the company network while moving around the building. The personnel of the company want to use WiFi because it lets them work faster and from various places. They demand an easy method to stay connected to the internet, and they want their (potential) clients to be able to use the company WiFi networks. These demands can be found in every company, and a security expert will have to think about how to protect the company from malicious WiFi users.

Ask your security expert these questions on WiFi security:

  1. What type of authentication method do we use, and why do we use this method?
  2. Do we broadcast our SSID? Why do we broadcast it?
  3. Do we use encryption, and which kind (WPA2 or newer, never WEP)?
  4. Do we monitor and manage our WiFi users?
  5. Do we use an extra layer of protection for our WiFi users (VPN)?
  6. Do we use MAC address management, and why do we use it?
  7. Do we pentest our WiFi access points?
  8. When was the last time we tested our WiFi access points?
  9. When was the last time an external company tested our WiFi access points?
  10. What type of security policies can we enable for WiFi use?
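As an added example (not the article's own code), the script below audits a hostapd configuration for the weaknesses these questions are getting at: open or WEP networks, WPA version 1 and TKIP, short shared passphrases, MAC filtering as the only control, and hidden SSIDs. The three configurations it runs against are constructed for this article and describe no real network; the 16-character passphrase minimum is an assumed policy value and the RADIUS address 10.0.0.5 is made up.

```python
"""Audit a hostapd configuration for the WiFi weaknesses the questions above ask about.

Added example for this article. The three configurations below are constructed
and do not describe any real network; the policy minimum for passphrase length
and the RADIUS server address are assumptions.
"""

MIN_PSK_LEN = 16  # assumed policy minimum; WPA2-PSK itself only requires 8 characters

# Constructed 'guest network' config: no WPA at all, hidden SSID and a MAC ACL
# as the only access control.
WEAK_OPEN = """
interface=wlan0
ssid=CorpGuest
hw_mode=g
channel=6
auth_algs=1
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/allowed.macs
"""

# Constructed 'legacy' config: WPA1+WPA2 mixed mode with TKIP and a short
# shared passphrase.
WEAK_PSK = """
interface=wlan0
ssid=CorpLegacy
hw_mode=g
channel=1
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=Welcome1
"""

# Constructed hardened config: WPA2 only, CCMP only, 802.1X against a RADIUS
# server (10.0.0.5 is an assumed address), SSID broadcast left on.
HARDENED = """
interface=wlan0
ssid=CorpStaff
hw_mode=g
channel=11
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
"""


def parse_hostapd(text):
    """Return the key=value pairs of a hostapd.conf; '#' lines are comments,
    a repeated key keeps the last value, as hostapd does."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit_hostapd(text):
    """Return a list of 'SEVERITY: message' findings; an empty list is a pass."""
    cfg = parse_hostapd(text)
    findings = []
    wpa = int(cfg.get("wpa", "0"))          # bit 0 = WPA, bit 1 = WPA2 (RSN)
    key_mgmt = cfg.get("wpa_key_mgmt", "").split()
    ciphers = (cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split()

    if any(k.startswith("wep_") for k in cfg):
        findings.append("CRITICAL: WEP keys configured; WEP is broken and the key can be recovered from captured traffic")
    if wpa == 0:
        findings.append("CRITICAL: wpa=0, the network is open: no encryption and no authentication")
    if wpa & 1:
        findings.append("HIGH: WPA (version 1) enabled; drop it with wpa=2")
    if "TKIP" in ciphers:
        findings.append("HIGH: TKIP pairwise cipher enabled; use CCMP only")
    if "WPA-PSK" in key_mgmt:
        psk = cfg.get("wpa_passphrase", "")
        if psk and len(psk) < MIN_PSK_LEN:
            findings.append(f"MEDIUM: wpa_passphrase has {len(psk)} characters, below the assumed policy minimum of {MIN_PSK_LEN}")
        findings.append("INFO: shared passphrase (WPA-PSK); every leaver or lost device means a key rotation, consider 802.1X")
    if "WPA-EAP" in key_mgmt and cfg.get("ieee8021x") != "1":
        findings.append("HIGH: WPA-EAP selected but ieee8021x=1 is missing, so 802.1X is not enforced")
    if cfg.get("macaddr_acl") == "1" and wpa == 0:
        findings.append("HIGH: MAC address ACL is the only access control; MAC addresses are visible on air and trivially spoofed")
    if cfg.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("INFO: SSID hidden; this is not a security control, clients that know it reveal it in probe requests")
    return findings


if __name__ == "__main__":
    for name, conf in (("open guest", WEAK_OPEN), ("legacy PSK", WEAK_PSK), ("hardened", HARDENED)):
        print(f"== {name}")
        for finding in audit_hostapd(conf) or ["PASS: no findings"]:
            print("  " + finding)
```

A hidden SSID and a MAC address ACL make a network harder to find for a casual user, not for an attacker: clients that know the hidden network announce its name in probe requests, and accepted MAC addresses can be read off the air and cloned. Neither replaces WPA2 with CCMP, and for staff networks 802.1X (WPA-EAP) avoids the key-rotation problem of a shared WPA-PSK passphrase.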

Leaked information on the internet

Edward Snowden, AnonGhost, the Syrian Electronic Army and various hackers have shown countless times that they will leak information on the internet. Your security expert will have one question running through his mind all day long: when will we get hacked, and how will we respond to it?

Once information has been leaked on the internet, it is very hard to delete it from the internet.

Ask these questions on ‘Information leakage’:

  1. Have we been breached in the past?
  2. Are we currently being attacked by malicious users?
  3. Can you show me the statistics or reports of the attacks?
  4. Do we search the internet to find possible leaked company data?
  5. What critical environments do we have in the company?
  6. How are these critical environments secured?
  7. Are these environments audited?
  8. When was the last time we had an audit on the mentioned environments?
  9. When was the last time an external company audited these environments?
  10. Do we encrypt our confidential company data?
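As an added example (not the article's own code), the script below does the triage behind question 4, offline: given a text dump fetched from a paste site or forum, it reports e-mail addresses on the company domain, credential lines for those addresses (classified as plaintext or hash, with the secret redacted in the report), and mentions of internal hostnames. The sample dump, the domain example.com and the suffix .corp.example.com are constructed for this article.

```python
"""Scan a text dump (a paste, a forum post, a file from a breach) for signs that it
contains our company's data, as in question 4 above.

Added example for this article. The dump, the company domain and the internal
DNS suffix are constructed; nothing here is real data.
"""
import re
from collections import defaultdict

COMPANY_DOMAINS = {"example.com"}                 # assumed: our e-mail domain(s)
INTERNAL_HOST_SUFFIXES = (".corp.example.com",)   # assumed: our internal DNS suffix

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.I)
# "user@domain<separator>secret" lines, the usual shape of credential dumps
CRED_RE = re.compile(r"^\s*([\w.+-]+@[\w.-]+)\s*[:;,|]\s*(\S+)\s*$")
# unsalted md5/sha1/sha256 hex, or a bcrypt string
HASH_RE = re.compile(r"(?:[a-f0-9]{32}|[a-f0-9]{40}|[a-f0-9]{64}|\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53})", re.I)

SAMPLE_DUMP = """\
# constructed paste for this article, not real data
alice@example.com:Summer2014!
bob@gmail.com:hunter2
carol@example.com:5f4dcc3b5aa765d61d8327deb882cf99
Host: vpn01.corp.example.com 10.20.30.40
dave@othercorp.net:letmein
"""


def company_domain(email):
    """True when the address belongs to one of our domains."""
    return email.lower().rsplit("@", 1)[1] in COMPANY_DOMAINS


def redact(secret):
    """Keep the first two characters so a finding can be matched later, never the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_dump(text):
    """Return {category: [hits]} for everything in the dump that points at us."""
    hits = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):
            continue
        for email in EMAIL_RE.findall(line):
            if company_domain(email):
                hits["company_emails"].append(email.lower())
        cred = CRED_RE.match(line)
        if cred and company_domain(cred.group(1)):
            secret = cred.group(2)
            kind = "hash" if HASH_RE.fullmatch(secret) else "plaintext"
            hits[f"company_credentials_{kind}"].append((lineno, cred.group(1).lower(), redact(secret)))
        if any(suffix in line for suffix in INTERNAL_HOST_SUFFIXES):
            hits["internal_hostnames"].append((lineno, line.strip()))
    return dict(hits)


def needs_incident_response(hits):
    """Credentials on our domain, plaintext or hashed, mean those accounts must be
    treated as compromised: force a reset and check for password reuse elsewhere."""
    return bool(hits.get("company_credentials_plaintext") or hits.get("company_credentials_hash"))


if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP)
    for category, entries in found.items():
        print(category)
        for entry in entries:
            print("  ", entry)
    print("incident response needed:", needs_incident_response(found))
```

Fetching the dumps is the part that depends on your environment (paste-site APIs, search-engine alerts on your own domain, breach-notification services); this is the triage you run once you have them. A hit on credentials for your domain is an incident, not a report: reset the affected accounts and assume the same passwords were reused on other systems.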

Business continuity

Your business or service needs to be stable and needs to generate money. A lot of companies depend on their web store, and cybercriminals are aware of this. Hackers and hacktivists launch DDoS attacks on web shops because this directly stops the flow of money.

Ask your security expert these questions on the security status of your business continuity:

  1. Do we have a plan or policy that guides us during a cyberattack?
  2. Do we have a critical environment that could directly impact business continuity?
  3. Do we have qualified personnel in the right places?
  4. Do we keep our employees happy? Is the security setup such that they can still work in a ‘productive’ way, rather than a ‘slow’ but ‘secure’ way?
  5. Do we create back-ups on a regular basis, and do we test that they can be restored?
  6. Are there environments in the company that need extra security?
  7. Why do these environments need extra security?
  8. Are we reliant on a particular service?
  9. Do we have a back-up plan in case this service fails?
  10. Do we audit the questions above?
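Question 5 has a follow-up that is easy to forget: a backup that has never been restored is an assumption, not a backup. The added example below (not from the article) takes a backup with a hash manifest, restores it into a scratch directory and compares the result, then shows the same check catching an archive that was cut short, as happens when a backup job dies on a full disk. It uses only the Python standard library and creates its constructed sample files in a temporary directory.

```python
"""Take a backup and prove it restores: the check behind question 5 above.

Added example for this article, standard library only. All files are created in
a temporary directory; nothing on the real system is touched.
"""
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def make_backup(src_dir, archive_path):
    """Write a gzip tar of src_dir; return the manifest taken at backup time.
    Keep the manifest somewhere other than the backup medium."""
    manifest = manifest_of(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and compare with the manifest.
    Returns a list of problems; an empty list means the backup is usable."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                try:
                    tar.extractall(restore_dir, filter="data")  # refuses path traversal (Python 3.12+)
                except TypeError:
                    tar.extractall(restore_dir)                  # older Python without the filter argument
        except (tarfile.TarError, EOFError, OSError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = manifest_of(restore_dir)
        for rel, digest in manifest.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content differs after restore: {rel}")
    return problems


def run_demo():
    """Back up constructed sample data, verify it, then verify a truncated copy."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "orders.sql"), "w") as f:
            f.write("INSERT INTO orders VALUES (1, 'constructed sample row');\n" * 200)
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[shop]\nname=example\n")

        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(src, archive)
        results["good"] = verify_restore(archive, manifest)

        # Simulate a job that died half-way (full disk, killed process, bad tape):
        # the file exists, has a plausible name and date, and is useless.
        with open(archive, "r+b") as f:
            f.truncate(os.path.getsize(archive) // 2)
        results["truncated"] = verify_restore(archive, manifest)
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {problems or 'restore verified'}")
```

The manifest is what turns "the file is there" into "the data is there": it has to be written at backup time and stored apart from the archive, otherwise a corrupted or encrypted backup medium takes the evidence with it. Run the restore test on the real schedule, not once at setup.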

Devices owned and used by the company

As mentioned above, there are a lot of devices that can be used in the company. Ask your security expert and administrator these questions about the devices in your company.

  1. What devices do we own in the company?
  2. Are these devices managed?
  3. Which devices cannot be updated?
  4. Which devices have been causing problems?
  5. Which devices hold classified information?
  6. Which devices hold or run critical processes?
  7. Are the mentioned devices audited?
  8. When was the last time that the mentioned devices were audited?
  9. What do we do with devices that are defective?
  10. Do you have any security tips regarding the devices in the company?

Home users

It is possible that people in your company are allowed to take devices home: laptops, tablets, smartphones or other smart devices. The security status of these devices decreases as soon as they leave the environment managed by the security expert. Once they are used at homes, hotels, cafes, restaurants or pubs, the chance increases that a malicious user will be able to infect them.

Ask your security expert these questions:

  1. Do we allow our employees to take devices out of the managed corporate environment?
  2. Why do we allow this?
  3. What devices are allowed to be taken?
  4. How do we manage these devices?
  5. How are these devices secured?
  6. Do we run (extra) audits on these devices?
  7. Who configures these devices?
  8. Are the users aware of the policy for using these devices?
  9. How do we inform our users?
  10. How often do we inform our users?

Extra: Let your security experts ask you these questions

  1. Are you aware of the current security status of your company or service?
  2. Is there a possibility to increase the budget or funds for security services or solutions?
  3. Can the security staff follow extra classes and courses?
  4. What do you think is the most secure part of the company?
  5. Do you allow your family/children to use your devices?

Use this massive list of questions to get a clear insight into the security status of your company. These questions will open up a positive conversation between the manager/employer and the security expert. Did you enjoy this massive list of security questions? Or do you have additional questions that should be included in the list? Then leave us a comment!


Reza Rafati

Founder of Cyberwarzone.com.