Without naming names, what are the most egregious issues you’ve discovered when verifying a vendor’s security?
Head of Information Security in Manufacturing, 7 months ago
When verifying a vendor's security, several egregious issues often come to light, which can significantly impact the vendor's security posture and their clients. These include:
1. Lack of Encryption: Data is not adequately encrypted, risking unauthorized access.
2. Weak Access Controls: Access is too lenient or poorly managed, leading to potential unauthorized access.
3. Outdated Systems: Vendors fail to update or patch systems, leaving known vulnerabilities open.
4. No Incident Response: The absence of a solid incident response plan means unpreparedness for handling breaches.
5. Poor Segmentation: Inadequate network segmentation facilitates easier lateral movement for attackers.
6. Non-compliance: Vendors not adhering to industry standards and regulations question their security commitment.
7. Weak Authentication: Lack of strong authentication methods, like multi-factor authentication, makes systems easily accessible.
8. Lack of Training: Employees without proper security training can unintentionally cause breaches.
9. Insufficient Privacy Measures: Poor handling of personal data can lead to privacy violations.
10. Ineffective Vendor Management: Not assessing risks from their vendors (fourth-party risk) introduces hidden vulnerabilities.
... to name some issues I have seen in my 30 years in information security.
Senior VP & CISO, 7 months ago
No security program, CISO, or policy.
On the local LAN, DHCP is configured with a public IP pool not owned by the vendor.
The firewall admin dashboard is accessible from the public IP.
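The two misconfigurations in the post above are easy to check mechanically once a vendor hands over exported configs. The following Python is an added example, not code from the original thread or from any vendor's tooling: it parses an ISC dhcpd-style subnet/range declaration and flags pools that hand out addresses that are neither RFC 1918 nor inside a prefix the vendor owns, and it flags firewall rules that let the untrusted zone reach the firewall's own management ports. The dhcpd snippets, the owned-prefix list (the 198.51.100.0/24 documentation range), the management port set and the rule-table format are all constructed assumptions for illustration.

```python
"""Added example (not from the original thread): checks an assessor can run
against a vendor's exported configs for the two findings above. The dhcpd
snippets, the owned prefix list and the rule table are constructed."""
import ipaddress
import re

# RFC 1918 space, listed explicitly rather than via ipaddress.is_private(),
# which also treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Minimal ISC dhcpd grammar: "subnet A netmask M { ... range LO HI; ... }"
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"\brange\s+(?:dynamic-bootp\s+)?(\S+)\s+(\S+)\s*;")

# Assumed management ports on the firewall itself (hypothetical set).
MGMT_PORTS = {22, 80, 443, 8443}


def audit_dhcp_pools(dhcpd_conf, owned_prefixes):
    """Return a finding for every pool that is outside its declared subnet or
    hands out addresses that are neither RFC 1918 nor vendor-owned."""
    owned = [ipaddress.ip_network(p) for p in owned_prefixes]
    findings = []
    for sub in SUBNET_RE.finditer(dhcpd_conf):
        declared = ipaddress.ip_network(f"{sub.group(1)}/{sub.group(2)}", strict=False)
        for rng in RANGE_RE.finditer(sub.group(3)):
            lo = ipaddress.ip_address(rng.group(1))
            hi = ipaddress.ip_address(rng.group(2))
            if lo not in declared or hi not in declared:
                findings.append(f"range {lo}-{hi} lies outside subnet {declared}")
                continue
            # Break the range into CIDR blocks and require each one to sit
            # inside either RFC 1918 or an owned prefix.
            for block in ipaddress.summarize_address_range(lo, hi):
                if any(block.subnet_of(n) for n in RFC1918 + owned):
                    continue
                findings.append(
                    f"pool {lo}-{hi} hands out public addresses not owned by the vendor ({block})")
                break
    return findings


def audit_mgmt_exposure(rules):
    """Flag allow rules that let the WAN (or 'any') reach the firewall's own
    management ports. Rules are constructed dicts, not any vendor's format."""
    findings = []
    for r in rules:
        wide_port = r["dport"] == "any" or r["dport"] in MGMT_PORTS
        if (r["action"] == "allow" and r["src_zone"] in ("wan", "any")
                and r["dst"] == "self" and wide_port):
            findings.append(
                f"rule {r['id']}: management port {r['dport']} reachable from zone {r['src_zone']}")
    return findings


# Constructed sample inputs. 203.0.113.0/24 stands in for public space the
# vendor does not own; 198.51.100.0/24 is assumed to be vendor-owned.
BAD_DHCPD = """
subnet 203.0.113.0 netmask 255.255.255.0 {
  range 203.0.113.10 203.0.113.200;
  option routers 203.0.113.1;
}
"""
GOOD_DHCPD = """
subnet 10.20.30.0 netmask 255.255.255.0 {
  range 10.20.30.100 10.20.30.200;
  option routers 10.20.30.1;
}
subnet 198.51.100.0 netmask 255.255.255.0 {
  range 198.51.100.10 198.51.100.50;
}
"""
OWNED = ["198.51.100.0/24"]

RULES = [
    {"id": 1, "src_zone": "wan", "dst": "self", "dport": 443, "action": "allow"},
    {"id": 2, "src_zone": "lan", "dst": "self", "dport": 443, "action": "allow"},
    {"id": 3, "src_zone": "wan", "dst": "self", "dport": 443, "action": "deny"},
]

if __name__ == "__main__":
    for label, conf in (("bad", BAD_DHCPD), ("good", GOOD_DHCPD)):
        print(label, audit_dhcp_pools(conf, OWNED))
    print("firewall", audit_mgmt_exposure(RULES))
```

The DHCP check deliberately does not rely on `ipaddress.is_private()`, because Python counts documentation and benchmarking ranges as private and a pool in 203.0.113.0/24 would pass silently; an explicit allow-list of RFC 1918 plus the prefixes the vendor can prove it owns (by WHOIS or RPKI) is the right test. The firewall check only reads a normalised rule table; converting a real export into that shape is vendor-specific and left out here.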