Armadillos and ships are useful for exploring the concept of security but not so much to describe my day-to-day work. In this post, I'll be providing a much more accurate list of what runs through my head when examining the security of an organisation.
Context is Key
Just like the armadillos of my previous post, it is only possible to examine the security of an organisation based on the context of that organisation. This context is made up of both internal and external factors that will vary between organisations.
This means that the areas of security below may not be found in all organisations, the emphasis on different areas may vary across organisations, and some organisations (e.g. intelligence agencies and defence) may have areas of security not listed here.
Some factors that will affect how security may be implemented at a particular organisation include:
- Number of staff (do you have 1, 100, 1000, 10000 staff?)
- Physical presence (how many offices do you have, are they in countries with risks to the safety of staff)
- Web presence (do you have public websites, are websites limited to only vetted customers, no real web presence etc)
- Type of organisation (commercial, government, infrastructure, health, etc)
- Internal processes (do you have paper processes, is electronic data easily available to staff, do you allow remote work etc)
- Regulatory requirements (are there certain things you must do for security)
- Certification requirements (are there certain things you must do to maintain a certification)
- Security maturity (how large and experienced is your security team)
- Threat model (where are attacks and exploitation likely to come from)
- Organisational support (some companies just don't care about security)
Some example organisations include:
- A small family run real estate business
- A medium sized technology company with multiple offices and a public facing website
- A large financial services company with public websites limited to marketing
- A large electronics / equipment manufacturer
- An electricity provider
- A network of hospitals
- A government department
- A provider of military equipment
- Intelligence organisations
Due to where my experience has been derived, this list is much more indicative of service or software based organisations rather than those working in manufacturing or industrial areas.
With all that out of the way, here is my non-definitive list of questions broken down by broad category.
- How do you identify who are authorised staff?
- How do you prevent unauthorised staff access to your premises?
- What about guests?
- How do you limit damage by malicious actors?
- Do you have ways to identify malicious actors?
- Is your networking infrastructure physically accessible?
- Random attacks - e.g. robbery
- Semi-targeted attacks - e.g. protesters targeting your company
- Highly-targeted attacks - e.g. executives being targeted
- What about staff travelling to countries they are not familiar with?
- Who has access to your networks?
- Are your types of networks separated?
- How do you connect to your networks?
- How do you detect / prevent unauthorised devices?
- How do you detect / prevent malware and viruses spreading through the network?
- Do you have a firewall?
- How do you prevent staff taking data out of your network?
- Do you have anti-virus etc installed?
- How are devices provisioned?
- What data is kept / protected on devices?
- What backups do you have available?
- How are devices updated?
- What devices are given to staff?
- Are devices portable?
- How do you prevent theft?
- What recourse do you have in the case of theft?
- What software can be installed on devices?
- What password / lock screen policies exist?
- Is your code vulnerable to SQLi, RCE, XSS, CSRF?
- Does your code allow things that should not happen?
- What logging / auditing do you have in place?
- How is your system structured?
- Do you use security and cryptography libraries correctly?
- Are you leaking data?
- Is there separation of duties to limit damage in case of a hack?
- Are there logical errors in the code?
- Can this be used to DoS us?
- Do you have user and permission management?
- Are the libraries we are using safe?
- How can we detect / prevent malicious changes made by staff?
- What information do we need to protect?
- Are our systems patched?
- Who has access to our systems?
- How can you access our systems?
- Can we detect malicious changes on our systems?
- How can a malicious actor move amongst our systems?
- How can we detect / prevent an attack?
- How can we recover from an attack?
- What information is available to cleanup an attack?
- Where are logs stored?
- Can logs be tampered with?
- Can network traffic be tampered with?
- Is network traffic encrypted?
- Who can view live data?
- Are there varying levels of sensitivity for the data we store?
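The application security questions above ask whether code is vulnerable to SQLi and whether it "allows things that should not happen". The following is an added example, not code from the original post: a constructed in-memory SQLite table queried two ways. The vulnerable lookup splices the caller's input into the SQL text, so a string such as `' OR '1'='1` changes the statement and returns every row; the parameterised lookup hands the same string to the driver as a value, so it is treated purely as data. Table name, sample rows and function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
USERS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]


def make_db():
    """Build a throwaway in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """String interpolation: the caller's input becomes part of the SQL statement."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, name):
    """Placeholder binding: the value is sent separately and cannot alter the statement."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups with an honest name and with a classic injection string."""
    conn = make_db()
    injected = "' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, "alice"),
        "vulnerable_injected": lookup_vulnerable(conn, injected),
        "safe_honest": lookup_parameterised(conn, "alice"),
        "safe_injected": lookup_parameterised(conn, injected),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The check worth automating is the last one: feed every query path a value that would change the statement's meaning if it were interpolated, and assert that the result is the same as for any other unknown name. A query built with placeholders passes that test regardless of what the input contains.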
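Two of the questions above, "Where are logs stored?" and "Can logs be tampered with?", are about whether an attacker who reaches a host can quietly edit the record of what they did. The following is an added example, not code from the original post, showing one common mitigation: a hash-chained log, where each record's hash covers the previous record's hash, plus a verifier that also compares the chain's head against a copy stored elsewhere. The event fields, the `GENESIS` constant and the function names are assumptions made for the example.

```python
import hashlib
import json

# Assumed starting value for an empty chain.
GENESIS = "0" * 64


def record_hash(prev_hash, entry):
    """SHA-256 over the previous record's hash and this entry's canonical JSON."""
    payload = prev_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append(log, entry):
    """Append an entry, linking it to the current head of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "hash": record_hash(prev, entry)})
    return log


def verify(log, anchored_head=None):
    """Return -1 if the chain is intact, the index of the first record whose hash
    does not match, or len(log) if the chain is self-consistent but its head
    differs from a head hash recorded off-host (i.e. the chain was rewritten)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["hash"] != record_hash(prev, rec["entry"]):
            return i
        prev = rec["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(log)
    return -1


def build_sample_log():
    """Constructed sample events (not real log data)."""
    log = []
    for event in [
        {"ts": "2024-01-01T09:00:00Z", "user": "alice", "action": "login"},
        {"ts": "2024-01-01T09:05:00Z", "user": "alice", "action": "read-report"},
        {"ts": "2024-01-01T09:10:00Z", "user": "alice", "action": "logout"},
    ]:
        append(log, event)
    return log


def demo():
    """Show what each tampering scenario looks like to the verifier."""
    log = build_sample_log()
    anchored = log[-1]["hash"]  # the copy of the head shipped to a separate system
    results = {"intact": verify(log, anchored)}

    # Scenario 1: a single record is edited in place; the chain breaks there.
    log[1]["entry"]["user"] = "mallory"
    results["edited"] = verify(log, anchored)

    # Scenario 2: whoever has write access recomputes every hash after editing.
    # Without an off-host head the chain looks fine; with it, the rewrite shows.
    rebuilt = []
    for rec in log:
        append(rebuilt, rec["entry"])
    results["rebuilt_unanchored"] = verify(rebuilt)
    results["rebuilt_anchored"] = verify(rebuilt, anchored)
    return results


if __name__ == "__main__":
    print(demo())
```

The second scenario is the important caveat: a hash chain on its own only detects careless edits, because anyone who can write the file can rebuild the chain. It becomes useful when the head hash (or the log itself) is regularly copied to a system the same attacker cannot write to, which is exactly what the "Where are logs stored?" question is getting at.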
Product / Marketplace Security
- Can fraud occur? Can we detect / prevent / trace it?
- Can a feature be used to exploit us?
- Can a feature be used to exploit our users?
- Can a feature be used to exploit non-users?
- Are our users vetted?
- Do we know who our users are?
- How confident are we that our users are who they say they are?
- What about multiple accounts?
- Do we receive requests for information / subpoenas from law enforcement?
- Do we have bad behaviour that we need to report to law enforcement?
- How do we detect and prevent use of our product by sanctioned countries / organisations / individuals?
- How do we prevent / detect / remove phishing websites?
- How do we prevent / detect / remove phishing emails?
- Are there scam organisations that affect the trust of our industry?
- How do we prevent / detect / remove misuse of our intellectual property / copyright / trademark?