Executive Security Summary
THREAT SCORE
6
Overall Risk
3
Highest Vulnerability
2
Attack Surface
1
Largest Exploit Value
6
s3 - Security Six Shooter
Default passwords still exist on some systems; change immediately.
Shared accounts used to access critical resources; segregate and implement least privilege access controls.
No third-party vendor risk assessments take place before doing business; implement immediately.
Multiple security control mechanisms are needed for the network to be PCI compliant.
Company website contains known vulnerabilities; consider migrating the website to known secure vendors.
Implement a company-wide VPN.
MDM Threat Risk
6
Internal Threat Risk
6
Physical Security Threat Risk
3
External Threat Risk
5
Threat Category Critical Awareness
Mobile devices used on the corporate network and to access corporate resources are unmanaged. Stolen devices cannot be remote wiped or locked down to prevent theft of corporate data.
Credentials on critical infrastructure are hardcoded and not changed when someone who had access is no longer with the company. These credentials need to be changed on a regular interval or whenever there is turnover involving an employee who has access to these systems.
Vulnerabilities
19
Top 3 Critical Round-Up
Fixable:
Bind Shell Backdoor Detected
VNC Server Password is “password”
SSL certificate has wrong hostname
No Fix Currently Available:
Supermicro embedded backdoor in hardware
Spectre/Meltdown vulnerability fixes unacceptable due to level of service degradation in current patch
Frequent power outages taking down critical, non-redundant infrastructure
Ignored:
Group accounts used to access sensitive information
Employees leaving computers unlocked when away from desks
Passwords physically written down and left in plain sight