26.10.2023 By admin

Test your Physical Access and Organization – Advanced Test

Answer the following questions with Yes / No.

Do you restrict user privileges in your company?
4 points. Yes / No
User privileges define how much access an individual employee has on a computer or in an application. Restricting them reduces accidental data exposure, intentional privilege misuse and abuse, the value of credentials stolen by attackers, and the reach of malware running under a user's account. Restricting privileges not only lowers the chance of a breach, it also limits the scope of a breach that does happen, because an attacker who compromises a low-privilege account can do less with it.

Do you prohibit publishing the organigram, employee names, job positions and network architecture on websites, in journals, annual reports or product catalogues?
2 points. Yes / No
Companies should carefully manage the information they publish in order to mitigate the threats it enables. Publishing the network architecture, the organigram, or employee names and job positions increases the risk of social engineering, targeted attacks (an attacker who knows who the finance manager and the IT administrator are can impersonate either), compromised physical security, identity theft and employee privacy violations.

Do you prohibit detailed descriptions of the technology you use in job vacancy announcements and interviews?
2 points. Yes / No
Hiring staff should not overshare detailed technical descriptions of the technology used within the company, whether in the vacancy text or during interviews. Doing so increases the risk of intellectual property exposure, disclosure of exploitable details about the environment (product names and versions tell an attacker which vulnerabilities to try), competitive intelligence leakage and reputation damage.
Interviewers should stay within legal and compliance guidelines, use hypothetical scenarios rather than the company's real systems when testing candidates, and plan discussions in advance to mitigate the risks above.

Do you register your domain name anonymously (WHOIS privacy) and use role-based, not personal, administrative and technical contacts?
1 point. Yes / No
A registered domain name is public information, and by default so are the registrant, administrative and technical contacts. Registering anonymously through the registrar's privacy service (usually a paid extra) and listing role contacts such as a shared network-admin mailbox rather than a named person keeps employees' names, e-mail addresses and phone numbers out of WHOIS, which removes an easy source of spam, unwanted solicitations and social-engineering pretexts. Privacy protection does not secure the registrar account itself; that still needs strong authentication and a registrar lock.

Do you implement security policies and procedures on your premises, such as those of ISO 27001?
5 points. Yes / No
ISO 27001 is the international standard for information security management systems (ISMS). Policies commonly written to meet its requirements and Annex A controls include:
Information Security Policy
Data Protection Policy
Data Retention Policy
Asset Management Policy
Access Control Policy
Risk Management Policy
Information Classification and Handling Policy
Information Security Awareness and Training Policy
Acceptable Use Policy
Clear Desk and Clear Screen Policy
Remote Working Policy
Business Continuity Policy
Backup Policy
Malware and Antivirus Policy
Change Management Policy
Third Party Supplier Security Policy
Continual Improvement Policy
Logging and Monitoring Policy
Network Security Management Policy
Information Transfer Policy
Secure Development Policy
Physical and Environmental Security Policy
Cryptographic Key Management Policy
Cryptographic Control and Encryption Policy
Document and Record Policy

Information Security Policy – sets the principles, the framework of supporting policies and the responsibilities, and covers all programs, data, infrastructure, third parties and users. A detailed and effective information security policy is the basis on which a company protects its data and prevents incidents such as data leaks and data breaches.
Data Protection Policy – dedicated to the use and management of data; its main goal is to protect and secure all data. It must cover legal compliance for data protection, roles and responsibilities in relation to data protection, and the data protection techniques used.
Information Classification and Handling Policy – ensures that information is correctly classified and handled according to its classification. It sets what a company or individual may do with information in each class; the classes are commonly Public, Internal and Confidential.
Network Security Management Policy – covers access to networks, physical network devices, network services, network locations and the security of network services. It protects the information carried on networks and the supporting facilities.
Information Transfer Policy – ensures that information transferred internally or externally receives the correct treatment, and safeguards transfers over all kinds of communication facilities. It covers loss of information in transit, encryption of transferred information and the permitted transfer methods.
Physical and Environmental Security Policy – aims to prevent unauthorized physical access to, and interference with, the company's information and information processing facilities. It covers cabling security, employee and visitor access, network access control and equipment protection.

Do you develop and enforce security policies with third parties?
2 points. Yes / No
Developing and enforcing security policies with third parties is essential for data protection: it mitigates the risks introduced by third-party relationships, keeps security practices consistent across all of them, strengthens the company's legal position if a breach originates at a supplier, and holds third parties accountable for their actions.

Do you split DNS into two separate, restricted zones?
1 point. Yes / No
Split (split-horizon) DNS serves an internal zone to internal clients and a separate external zone to the Internet. The internal zone maps internal hostnames to private addresses and is visible only inside the network; the external zone contains only the public-facing records and resolves the same names to public addresses. Keeping the zones separate and restricted (no internal records in the public zone, zone transfers only to authorized secondaries, recursion only for internal clients) prevents attackers from enumerating internal hostnames and network layout through public DNS, and lets the company keep test and development names isolated from the published ones.

Do you participate in and organize security awareness activities for your staff?
4 points. Yes / No
To prevent data breaches, phishing and information leakage, a company must make its employees security aware. This means having policies (password policy, firewall rules, data retention policy and so on), having employees take training that covers the handling of sensitive data (encryption, wireless networks, risk assessment and the risk management plan), and knowing which security tools the company needs (penetration testing, vulnerability scanning, firewalls, IDS/IPS).

Do you have an information security department in your company?
3 points. Yes / No
An information security department is an important asset: it is responsible for implementing and maintaining security policies, procedures and standards.
It also provides security awareness training and education and makes sure every employee knows their role in maintaining the organization's security.

Do you have a senior expert in cyber-security issues?
3 points. Yes / No
Cyber-security experts are the specialists in charge of monitoring the company's network to prevent unauthorized access. To safeguard systems from cyber threats they implement measures such as properly configured firewalls, encryption, strong authentication and a recognized security framework.

Have you implemented GDPR in your company?
1 point. Yes / No
The General Data Protection Regulation (GDPR) is the European Union's privacy and data protection law, in force since 25 May 2018. It applies to any organization, wherever it is located, that processes personal data of people in the EU. The regulation defines its legal terms at length; the most important are personal data, processing, data subject, data controller and data processor.

Do you record all security breaches in your company, and if so, how do you treat them?
2 points. Yes / No
Companies need a policy for recording and handling security breaches. It gives a well-organized incident response approach that minimizes the damage a breach causes, includes guidelines for preserving evidence and for internal and external communication, and lets the company learn from each incident.

Do you have a blue team and a red team to implement and test security strategies in your company?
4 points. Yes / No
Having both teams improves security. The blue team implements and maintains security measures and policies, conducts security assessments and develops incident response plans.
The red team tests and assesses the company's security by attacking it with the same tactics, techniques and procedures (TTPs) a real adversary would use.

Do you run a penetration test at least once per year?
4 points. Yes / No
A penetration test is an authorized, simulated attack that uses the same tools and the same tactics, techniques and procedures (TTPs) as real attackers to find and evaluate weaknesses in an organization's security. Regular testing covers both security (finding vulnerabilities that attackers could exploit) and compliance (checking that the company meets the security standards that apply to it). Once a year is a minimum; significant changes to systems or infrastructure warrant a new test.

Do you prioritize your critical assets?
2 points. Yes / No
Prioritizing critical assets is a basic element of effective cyber-security and risk management. It lets a company focus risk assessment and reduction where the impact would be greatest, allocate resources accordingly, respond to incidents on the most important systems first, and become more resilient to attacks.

Do you use domain-level cross-linking for critical assets?
2 points. Yes / No
Domain-level cross-linking for critical assets means connecting those assets in a separate domain so that they are isolated from less critical systems. This limits collateral damage when a less critical system is compromised, helps with resource allocation and keeps essential business functions operating.

Do you encrypt data storage on disk?
3 points. Yes / No
Encrypting data at rest on disk matters for several reasons: confidentiality (the data on the disk cannot be read by someone who obtains the disk without the key), theft protection (if a device is lost or stolen, the thief cannot simply read the data off it) and mitigation of insider threats (an employee who removes a drive or makes an image of it gains nothing without the key). Disk encryption protects media that are powered off or removed; it does not protect data on a running system where the volume is already unlocked, so it complements access controls rather than replacing them.

Do employees sign a "statement of knowledge" after completing training, in which they accept that they understand the security policies?
1 point. Yes / No
Having employees sign a statement of knowledge is a very common practice. It documents the training, provides liability protection, fosters a security culture within the organization and reminds employees of their responsibilities under the security measures.

Do employees identify themselves with an ID card, uniform or similar?
2 points. Yes / No
Employee IDs allow instant identification of everyone in the building and restrict access to certain areas, protecting the staff as well as the sensitive information the company stores.

Do you escort visitors with someone who is part of the company?
1 point. Yes / No
Escorting visitors enhances security through access control (visitors reach only the areas they are authorized to enter), identification (it is harder to enter the premises under false pretenses) and liability control.

Do you properly shred paper documents that are no longer needed?
3 points. Yes / No
Properly shredding documents ensures that sensitive or private information cannot be recovered from discarded paper, which improves data protection, prevents identity theft, mitigates security breaches and increases customer trust in the company.

Do you separate and rotate job roles in your company?
3 points. Yes / No
Separating and rotating job roles is a security layer that helps prevent fraud, burnout and insider threats, distributes risk, improves collaboration, reduces dependency on single individuals, and develops employees' careers by giving them a much better understanding of the company.

Do you archive sensitive data for a period of 3-5 years?
2 points. Yes / No
How long sensitive data should be archived depends on industry standards, the purpose of retention, the data type and its lifecycle, company policy and, above all, legal requirements.

Do you have BCP and DRP documents in your company?
2 points. Yes / No
It is crucial for a company to have a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP): they provide the strategies and procedures for keeping the business running, mitigating risk, protecting finances and data, and recovering IT systems and infrastructure efficiently.

Do you have a disaster recovery site more than 50 km away from your company?
4 points. Yes / No
A disaster recovery site should be far enough away (more than 50 km) that a localized disaster such as a power outage, flood or earthquake does not affect both sites, and that the sites do not share infrastructure such as network connectivity. Distance establishes real redundancy and allows for logistical planning in case the recovery team needs to travel to the site.

Do you verify the background of employees periodically, once per year?
2 points. Yes / No
Whether annual background checks are appropriate depends on the nature of the company, the employee's role and contractual obligations. In many industries they are considered a standard for maintaining security and compliance and protecting the company's reputation.

Do you periodically analyze information risk?
5 points. Yes / No
Periodic risk analysis lets a company refine and optimize its security measures over time and keep up with evolving risks and the changing threat landscape. It also keeps discovering vulnerabilities, brings new or changed assets into the risk assessment, and identifies user behaviour that poses a security risk.

Do you treat the risks you identify in order to remediate them?
5 points. Yes / No
Treating information risk protects confidentiality, preserves integrity, supports business continuity, prevents data breaches and other cyber threats, improves operational efficiency and reduces the cost of potential incidents. It also helps the company maintain trust, protect its reputation and meet legal obligations.

Do you deactivate the credentials of employees who are terminated or who leave, temporarily or permanently?
4 points. Yes / No
Deactivating the credentials of employees who have left, whether temporarily or permanently, or who have been terminated is a crucial practice. It significantly reduces the risk of insider threats and of unauthorized remote or physical access to sensitive information, and during an incident it keeps the set of active accounts small enough to monitor and investigate. It also upholds the company's trust and reputation. "Credentials" here means every access the person held: directory and application accounts, VPN and remote access, tokens and badges, and any shared passwords or API keys they knew, which should be rotated rather than merely disabled.
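The following is an added example, not part of the original test, showing one way to check that the deactivation above has actually happened: it compares an HR roster against a directory account export and reports every enabled account whose owner has left, is on leave past their last day, or has no HR owner at all (an orphan). The record layouts, usernames, dates and the grace_days parameter are constructed for the example and are not taken from any real HR system or directory.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed sample data for the example (not from any real HR system or
# directory): an HR roster and a directory account export.


@dataclass(frozen=True)
class HrRecord:
    username: str
    status: str               # "active", "leave" or "terminated"
    last_day: Optional[date]  # last working day for leave/termination


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    last_logon: Optional[date]


HR_ROSTER = [
    HrRecord("alice", "active", None),
    HrRecord("bob", "terminated", date(2023, 10, 13)),
    HrRecord("carol", "leave", date(2023, 10, 20)),
    HrRecord("dave", "terminated", date(2023, 10, 30)),  # leaves in the future
]

ACCOUNTS = [
    Account("alice", True, date(2023, 10, 25)),
    Account("bob", True, date(2023, 10, 24)),        # enabled and used after termination
    Account("carol", True, None),
    Account("dave", True, date(2023, 10, 25)),
    Account("svc-backup", True, date(2023, 10, 1)),  # no HR owner: orphan account
    Account("erin", False, date(2023, 6, 1)),        # already disabled, nothing to do
]

AS_OF = date(2023, 10, 26)  # the day the check is run, for the sample data


def find_offboarding_gaps(roster: List[HrRecord], accounts: List[Account],
                          today: date, grace_days: int = 0) -> List[Tuple[str, str]]:
    """Return (username, reason) for every enabled account that should be
    disabled: its owner left or is on leave past last_day (plus grace_days),
    or it has no owner in the HR roster at all."""
    by_user = {rec.username: rec for rec in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        rec = by_user.get(acct.username)
        if rec is None:
            findings.append((acct.username, "enabled account with no HR owner"))
            continue
        if rec.status not in ("terminated", "leave") or rec.last_day is None:
            continue
        if today <= rec.last_day + timedelta(days=grace_days):
            continue  # still within the allowed window
        reason = f"{rec.status} since {rec.last_day.isoformat()}"
        if acct.last_logon is not None and acct.last_logon > rec.last_day:
            # A logon after the last day means the access was actually used.
            reason += f", logged on {acct.last_logon.isoformat()} after leaving"
        findings.append((acct.username, reason))
    return findings


def run_example(grace_days: int = 0) -> List[Tuple[str, str]]:
    """Run the check over the constructed sample data."""
    return find_offboarding_gaps(HR_ROSTER, ACCOUNTS, AS_OF, grace_days)


if __name__ == "__main__":
    for user, reason in run_example():
        print(f"DISABLE {user}: {reason}")
```

Run against the sample data, the check flags bob (terminated and still logging on), carol (on leave past her last day) and the ownerless svc-backup account; dave is not flagged because his last day is still ahead. Service accounts with no human owner are the usual blind spot of offboarding, which is why the orphan rule is there.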
Do you keep employees' names out of marketers' hit lists?
1 point. Yes / No
Employees' names should be kept off marketers' lists. Companies do this for data privacy, reputation management and protection of personal information, and because such lists feed social engineering and similar security risks.

Do you prohibit your employees from giving out personal information by phone?
1 point. Yes / No
Giving personal information by phone is a serious security risk. It invites social engineering (vishing) attacks in which the caller impersonates a colleague or a superior, and information given over the phone may be recorded or intercepted and lead to a data breach.

Do you restrict employees' access to social networking sites such as Facebook, Instagram and LinkedIn from the company network?
2 points. Yes / No
Restricting access to social networking sites from the company network is a commonly implemented security measure. Not doing so increases the risk of data leakage, malware and phishing, and the extra bandwidth can affect the performance of the company's applications.

Do you have a policy that prohibits employees from posting in public blogs, groups or forums to get solutions to problems?
1 point. Yes / No
Depending on the nature of the company, such a policy mitigates real security concerns. Public forums and blogs are a source of phishing and social-engineering attempts, and a common place for data leakage: an employee asking for help may accidentally reveal information about the company's systems or the nature of their work, giving attackers clues to vulnerabilities they can exploit.

Do your employees use nicknames when they participate in public blogs, groups or forums?
1 point. Yes / No
Using a nickname in public blogs and forums is a simple practice that separates personal and professional life and increases the employee's privacy, mitigating risks such as phishing and social engineering. A nickname hides little, though, if the profile is registered with a company e-mail address or reused elsewhere.

Do you encrypt the hard disk drives of your servers?
3 points. Yes / No
Encrypting server disks ensures that stored information cannot simply be read by anyone, inside or outside the company, who obtains the drives, which makes the servers less susceptible to data breaches through stolen or improperly disposed hardware.

Do you use BIOS passwords on your servers?
2 points. Yes / No
A BIOS (firmware) password adds a layer of physical protection: it prevents anyone with physical access from changing firmware settings or the boot order, for example to boot from a USB device and bypass the operating system's access controls. BIOS passwords are one layer only: a person with physical access to the board can often reset them by clearing CMOS, so they should be used together with other measures such as access control, disk encryption and strong authentication.

Do you monitor non-compliance and security breaches in your company every year?
3 points. Yes / No
Monitoring non-compliance and security breaches is a fundamental part of a company's cyber-security strategy. Reviewing them at least yearly lets a company identify trends and patterns in incidents, assess the impact a potential breach would have, and judge how secure and effective its security controls are. As non-compliance carries legal consequences ranging from fines to lawsuits, periodic monitoring helps the company reduce those risks as well.

Do you review the security policies and procedures every year?
3 points. Yes / No
Reviewing security policies and procedures every year keeps them up to date and identifies policies that no longer apply to the company or need to be changed.

Do you prioritize vulnerabilities in your company quarterly?
4 points. Yes / No
Prioritizing vulnerabilities on a quarterly basis is a common practice that benefits risk management, regular assessment, resource allocation, strategic planning of remediation and incident prevention. It also helps the company adapt to evolving threats and continuously improve its vulnerability management. The quarterly cycle is for planning; a critical vulnerability that is being actively exploited should be handled as soon as it becomes known, not at the next quarter.

Do you enable security auditing to monitor and track password attacks?
4 points. Yes / No
Auditing must be enabled so that failed and successful logons are recorded (for example Windows Security event 4625 for failed logons, or failed-password entries in Linux authentication logs). This detects unauthorized login attempts, provides data for incident response planning, supports forensic analysis after an incident, and gives insight into the patterns of password attacks against the company.

Do you enforce strict rules on password length, password change and format?
4 points. Yes / No
Strict password rules make sure employees do not use passwords that are easy to guess or crack. A strict policy requires a minimum length of at least 8 characters (longer is better, and any maximum should be generous enough to allow passphrases), a mix of uppercase and lowercase letters, digits and symbols, no personal information, no reuse across devices or applications, and no plain dictionary word.

Do you have anti-keylogger software on your premises?
2 points. Yes / No
Anti-keyloggers protect against data and identity theft, safeguard financial information (online banking and shopping), secure personal communications (e-mail and chat messages cannot be captured), preserve privacy by preventing unauthorized collection of personal data, mitigate related spyware threats such as webcam monitoring and audio recording, and protect against insiders who install keyloggers for malicious purposes.

Do you block the USB ports on PC workstations?
2 points. Yes / No
Blocking USB ports is a very common measure against malware introduction and data theft: neither employees nor outsiders can plug in a device to install malware on company computers or copy data off them onto removable media.

Do you use keystroke interference software, which inserts randomized characters into every keystroke?
2 points. Yes / No
Keystroke interference software is the opposite of a keylogger: it injects random characters into the keyboard input stream so that a keylogger records noise mixed with the real keystrokes, while the application still receives only what was typed. It is a defensive measure against keyloggers that does not address screen capture or other spyware, so it complements endpoint protection and anti-keylogger measures rather than replacing them.

Do you restrict physical access to sensitive computer systems?
4 points. Yes / No
Restricting physical access to sensitive systems is an extremely important practice: it ensures that the systems are used only by a small set of employees, which limits the pool of possible insiders if a breach occurs.

Do you prevent the presence in your domain of any computer that is not fully under your control, such as a computer managed by a third party?
3 points. Yes / No
If a company decides to allow devices managed by third parties, it must have security policies in place for them. Such policies must include data protection measures, strict access controls, regular security audits and assessments of the devices, and the requirement that the devices meet the company's endpoint security standards.
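As an added example for the auditing question above (not part of the original test), the detection logic below runs over a few constructed sshd log lines and raises the three alerts a password-attack audit is meant to surface: a burst of failures from one source, one source trying many usernames (spraying), and a successful logon that follows failures for the same source and user. The log lines, hostnames, usernames and addresses (from the RFC 5737 documentation ranges) are made up, the year is assumed because syslog timestamps do not carry one, and the thresholds are arbitrary starting points.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Tuple

# Constructed sample authentication log in OpenSSH/syslog format. The host,
# users and addresses are made up for the example.
SAMPLE_LOG = """\
Oct 26 08:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40110 ssh2
Oct 26 08:00:03 gw sshd[2103]: Failed password for invalid user root from 203.0.113.5 port 40112 ssh2
Oct 26 08:00:04 gw sshd[2105]: Failed password for alice from 203.0.113.5 port 40114 ssh2
Oct 26 08:00:06 gw sshd[2107]: Failed password for bob from 203.0.113.5 port 40116 ssh2
Oct 26 08:00:07 gw sshd[2109]: Failed password for carol from 203.0.113.5 port 40118 ssh2
Oct 26 08:00:09 gw sshd[2111]: Accepted publickey for carol from 198.51.100.7 port 51000 ssh2
Oct 26 08:01:30 gw sshd[2113]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Oct 26 08:15:00 gw sshd[2115]: Failed password for alice from 198.51.100.7 port 51004 ssh2
Oct 26 08:30:00 gw sshd[2117]: Failed password for alice from 198.51.100.7 port 51006 ssh2
Oct 26 08:30:05 gw sshd[2119]: Accepted password for alice from 198.51.100.7 port 51008 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

Event = Tuple[datetime, str, str, str]  # (time, "Failed"/"Accepted", user, source ip)


def parse_auth_log(text: str, year: int = 2023) -> List[Event]:
    """Extract logon events from sshd lines. syslog timestamps carry no year,
    so the caller supplies it (assumed 2023 for the sample)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # other sshd/syslog noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_password_attacks(events: List[Event], window_s: int = 60,
                            burst: int = 5, spray_users: int = 3) -> List[Tuple[str, str, str]]:
    """Return (source ip, user, description) alerts for three patterns:
    a burst of failures from one source, one source trying several usernames
    (password spraying), and a success that follows failures for the same
    source and user (the pattern of a guessed password)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    tried = defaultdict(set)      # ip -> usernames that failed from it
    failures = defaultdict(int)   # (ip, user) -> failures since the last success
    fired = set()                 # (ip, kind) alerts already raised
    alerts = []
    for ts, result, user, ip in sorted(events):
        if result == "Accepted":
            n = failures.pop((ip, user), 0)
            if n:
                alerts.append((ip, user, f"success after {n} failed attempts"))
            continue
        failures[(ip, user)] += 1
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()  # drop failures older than the window
        tried[ip].add(user)
        if len(window) >= burst and (ip, "burst") not in fired:
            fired.add((ip, "burst"))
            alerts.append((ip, "*", f"{len(window)} failed logons within {window_s}s"))
        if len(tried[ip]) >= spray_users and (ip, "spray") not in fired:
            fired.add((ip, "spray"))
            alerts.append((ip, "*", f"{len(tried[ip])} different usernames tried"))
    return alerts


def analyze(text: str) -> List[Tuple[str, str, str]]:
    """Parse a log excerpt and return the alerts it raises."""
    return detect_password_attacks(parse_auth_log(text))


if __name__ == "__main__":
    for ip, user, what in analyze(SAMPLE_LOG):
        print(f"ALERT {ip} {user}: {what}")
```

The slow attempt from 198.51.100.7 (three failures half an hour apart, all for alice) trips neither the burst nor the spray threshold; it is caught only because the later successful logon is correlated with the failures that preceded it, which is the rule worth having even when thresholds are tuned conservatively. The Windows equivalent is the same correlation between event 4625 (failed logon) and 4624 (successful logon) from one source address.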
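As an added example for the password-policy question above (not part of the original test), the validator below returns every rule a candidate password breaks: length, character classes, personal information supplied by the caller, and being based on a common word even with the usual symbol substitutions. The COMMON_WORDS set, the LEET substitution map and the length limits are assumptions for the example; a real deployment would check against a breached-password corpus rather than a hand-written list.

```python
import re
from typing import Iterable, List

# Constructed list of common words for the example. A real deployment would
# check against a breached-password corpus instead of a hand-written set.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "company"}

# Undo the usual letter-for-symbol substitutions so "P@ssw0rd" is still
# recognised as "password". The mapping is an assumption for the example.
LEET = str.maketrans("@$!0134578", "asiolesatb")


def check_password(password: str, personal_terms: Iterable[str] = (),
                   min_len: int = 8, max_len: int = 64) -> List[str]:
    """Return the list of policy rules the password breaks (empty = accepted)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    for name, pattern in (("an uppercase letter", r"[A-Z]"),
                          ("a lowercase letter", r"[a-z]"),
                          ("a digit", r"[0-9]"),
                          ("a symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    lowered = password.lower()
    for term in personal_terms:
        # Username, names, birth year and similar, supplied by the caller.
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal information '{term}'")
    # Letters only, before and after undoing substitutions, so that both
    # "Summer2023!" and "P@ssw0rd1!" are caught.
    variants = {re.sub(r"[^a-z]", "", lowered),
                re.sub(r"[^a-z]", "", lowered.translate(LEET))}
    for word in sorted(COMMON_WORDS):
        if any(word in v for v in variants):
            problems.append(f"based on the common word '{word}'")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2023!", "alice1990", "P@ssw0rd1!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, ("alice", "1990")) or "OK")
```

"Summer2023!" satisfies every composition rule and is still rejected, which is the point of the dictionary check; conversely a long passphrase such as "correct horse battery staple" fails the uppercase and digit rules even though it is far harder to guess, which is why current guidance weights length and breached-list checks over composition rules.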
Do you educate staff frequently about the security issues revealed in your company?
4 points. Yes / No
Educating staff on the security issues found in the company keeps employees up to date with, and following, the company's security procedures. It also mitigates further risk from the same issues, reduces human error and improves incident response and handling.

Is any security policy or procedure in your company not applied because it conflicts with ease of use for the business?
3 points. Yes / No
Which policies end up unapplied because of ease-of-use conflicts depends on the company; common examples are complex password policies, access controls, software installation restrictions, and extensive monitoring and surveillance of employee activity. Each such exception should be recorded as an accepted risk rather than left as a silent gap.

Do you integrate BitLocker with TPM version 1.2 or later on your employees' PCs to protect the data stored on them from manipulation or theft?
2 points. Yes / No
BitLocker with a TPM 1.2 or later should be used because of the security it adds: full-volume encryption with the key sealed in the TPM, so the disk is unreadable when removed from the machine; release of the key only if the measured boot components are unchanged, which protects against tampering with the boot chain and unauthorized hardware changes; and, when configured with a pre-boot PIN or startup key in addition to the TPM, pre-boot authentication that also mitigates cold-boot and DMA attacks against the key in memory, which TPM-only mode does not.