Abstract
A large manufacturing organisation sought assurance regarding the controls governing the IT Security function and an evaluation of the effectiveness of the policies in place.
Challenge
We provided a large manufacturing company with a comprehensive review of IT security controls within the organisation. The objective was to determine whether appropriate policies and controls were designed and implemented, operating effectively, and periodically reviewed to ensure ongoing use.
Approach
- We reviewed the Information Security Policies in place at the company.
- Extensive external and internal vulnerability assessments were performed using specialised hacking techniques.
- We examined the logical access and security controls in place.
- A review of the use of PDA devices and the potential security threats posed by such devices was carried out.
Solution
The critical findings can be summarised as follows:
- A number of servers appeared to be missing a significant number of Microsoft Security Patches.
- A number of administrator accounts were identified with weak passwords.
- System shares on the main information system allowed access controls to be bypassed.
The significant findings can be summarised as follows:
- IT Security Policies were not fully implemented on a number of the servers examined.
- IT Security policies referenced security standards that were not defined.
- Insecure storage mechanisms were used for storing sensitive passwords.
- Administrators within the information system could switch to any user profile without audit trails being maintained or users being notified.
- MS SQL Service Packs and hotfixes were not applied on the databases supporting the main applications.
- Access to system shares was not appropriately restricted on the main servers.
- Default SNMP community strings were present on a large number of servers.
- The backup software had been configured with the default user on a number of servers.
- A number of dormant accounts were noted on the domain controller.
- A number of BlackBerry security settings had not been implemented.