No self-written questions: Allowing users to write their own questions introduces risk. It can produce strong, unique questions that are hard for an attacker to answer, but it can just as easily produce weak, easily exploitable ones. Self-written questions rely on the user's own security ...
Example: "If I saw that a co-worker wasn't doing their job, I would first politely talk to them about it. I would remind them that the safety of this facility is our responsibility. If their behaviour continued, I would refer to the employee handbook to learn the procedure for these ins...
With a constant "challenge our security posture" mindset, these are 3 of the key questions you should ask formally and regularly (at least once per quarter): 1. Is our Cybersecurity Insight Team challenging the status quo? This question may beg a prior one: Do we even have...
When the only option is to select a security question from a list, don't just pick one at random. Not all security questions are equal. A poor choice of question and answer can open a big security hole in your account. Here are two shoddy security questions. Where ...
The second alternative is to opt out of security questions altogether. For example, if you are given the chance to write your own question, you can enter one like "What is the answer?" or reference an in-joke that only you would recognise. You can then provide an answer that's as se...
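Treating the answer as a second password is the practical form of the advice above: generate it randomly, keep it in a password manager, and (on the service side) store and compare it the way a password is stored. The following Python is an added example, not code from the original page; the word list is a constructed toy list, and the server-side hashing is the standard PBKDF2 approach rather than any particular site's implementation.

```python
import hashlib
import hmac
import math
import os
import secrets
import unicodedata
from typing import Optional, Tuple

# Constructed word list for this example only. A real deployment would load a
# published list (e.g. a 7776-word diceware list); entropy_bits() below shows
# how much that larger list matters.
WORDS = [
    "anchor", "basalt", "cobalt", "drizzle", "ember", "falcon", "granite",
    "harbor", "iris", "juniper", "kestrel", "lantern", "meadow", "nickel",
    "orchid", "pepper", "quartz", "ripple", "saffron", "thistle", "umber",
    "velvet", "walnut", "yarrow", "zephyr",
]


def random_answer(n_words: int = 4, words=WORDS) -> str:
    """Answer for a throwaway question such as "What is the answer?":
    words drawn with the secrets module (CSPRNG), not random.choice."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """Guessing entropy of n_words words chosen uniformly from list_size words."""
    return n_words * math.log2(list_size)


def normalize(answer: str) -> str:
    """Canonical form so capitalisation or stray whitespace does not lock the
    user out; the same function must run at enrolment and at verification."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Server side: store the answer like a password, salted and stretched,
    never in clear text or as a plain hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify_answer(answer: str, salt: bytes, digest: bytes,
                  iterations: int = 100_000) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    ans = random_answer()
    salt, digest = hash_answer(ans)
    print(ans)
    print(round(entropy_bits(4, len(WORDS)), 1), "bits with this toy list;",
          round(entropy_bits(4, 7776), 1), "bits with a 7776-word list")
    print(verify_answer(ans.upper(), salt, digest),
          verify_answer("mother's maiden name", salt, digest))
```

The entropy figures are the point of the toy list: four words from 25 give under 19 bits, which an attacker with a rate-limit-free recovery form can exhaust, while four words from a 7776-word list give roughly 52 bits. Whatever the list, the answer only stays secret if the service never stores it in clear text and never reads it back to a caller.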
Think of a reason why it's completely hosed (failure of the entire RAID array, fire in the data center, evil script kiddies, sysadmin mistake) and see how your team copes. Some questions to ask when all is done: 1. If you don't have another of these systems to fail over to, where...
Financial service call centres may ask security questions with a numerical answer, for example "state the current balance of your account". A margin for error is allowed in the answer, as few people know their exact account balance off-hand. But this tolerance level causes trouble for call...
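The trouble with a tolerance band is that it turns a numeric secret into a small search space: a guess is accepted for every true balance within the band around it, so an attacker who knows only a rough range (from a statement seen once, or just a plausible bracket for the account type) needs few calls to land inside it. The Python below is an added example, not from the original text; the 10% tolerance and the 500 to 5000 range are assumed values chosen to illustrate the arithmetic.

```python
from typing import List, Optional


def within_tolerance(actual: float, claimed: float, tolerance_pct: float) -> bool:
    """Call-centre rule: accept a stated balance within +/- tolerance_pct of the real one."""
    return abs(claimed - actual) <= abs(actual) * tolerance_pct / 100.0


def covering_guesses(low: float, high: float, tolerance_pct: float) -> List[float]:
    """Fewest guesses such that every true balance in [low, high] is accepted
    by at least one of them. A guess g is accepted for any balance in
    [g/(1+t), g/(1-t)], so successive guesses grow by the ratio (1+t)/(1-t).
    Requires 0 < low and 0 < tolerance_pct < 100 (a zero tolerance would never
    terminate, and a non-positive low has no band to start from)."""
    if low <= 0 or not 0 < tolerance_pct < 100:
        raise ValueError("need 0 < low and 0 < tolerance_pct < 100")
    t = tolerance_pct / 100.0
    guesses: List[float] = []
    covered_upto = low
    while covered_upto < high:
        g = covered_upto * (1 + t)      # lowest balance this guess covers is covered_upto
        guesses.append(g)
        covered_upto = g / (1 - t)      # highest balance this guess covers
    return guesses


def attempts_needed(actual: float, low: float, high: float,
                    tolerance_pct: float) -> Optional[int]:
    """Calls the attacker makes before a guess is accepted, walking the
    covering sequence from the bottom of the assumed range; None if the real
    balance lies outside [low, high] (the attacker's range assumption failed)."""
    for i, g in enumerate(covering_guesses(low, high, tolerance_pct), start=1):
        if within_tolerance(actual, g, tolerance_pct):
            return i
    return None


if __name__ == "__main__":
    plan = covering_guesses(500, 5000, 10)
    print(len(plan), "guesses cover every balance from 500 to 5000 at 10% tolerance")
    print([round(g, 2) for g in plan])
    print("calls needed for a real balance of 3200:", attempts_needed(3200, 500, 5000, 10))
```

Twelve calls, spread across days or across different agents, cover a tenfold range at a 10% tolerance; without a cross-call lockout the question is only as strong as the attacker's patience. Tightening the band pushes the count up (the ratio between successive guesses shrinks towards 1) but also raises the rate at which genuine callers fail, which is the conflict the passage describes.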
Use the following questions when you review the code's input and data validation: Does the code validate data from all sources? Does the code use a centralized approach to input and data validation? Does the code rely on client-side validation? Is the code susceptible to canonicalization attacks...
Use the following questions to guide your review. Does the code validate form field input? The application should not contain code similar to the following example: <asp:TextBox id="txtName" ></asp:TextBox> Instead, the text is validated using the RegularExpressionValidator cont...
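The two review checklists above (validate every source, validate centrally, do not rely on the client, canonicalize before checking) are easier to apply with a concrete reference in hand. The following Python is an added example, not code from the original page or from ASP.NET: it plays the role that a RegularExpressionValidator plays in Web Forms, but on the server only, since validator controls also run as client-side script and only the server-side result (which the page must confirm via Page.IsValid) can be trusted. The field names, patterns, the UPLOAD_ROOT path and the sample inputs are all assumed for illustration.

```python
import re
import unicodedata
import urllib.parse
from posixpath import normpath
from typing import Dict, Optional, Tuple

# One allow-list per field type, defined once and reused by every entry point
# (form field, query string, API body) instead of ad hoc checks per page.
PATTERNS = {
    "name": re.compile(r"[A-Za-z][A-Za-z' -]{0,49}"),
    "zip":  re.compile(r"\d{5}(?:-\d{4})?"),
}

UPLOAD_ROOT = "/var/app/uploads"   # assumed location, used only by the path example


def canonicalize(value: str) -> str:
    """Reduce input to one canonical form before validating it: undo
    percent-encoding until it stops changing (defeats double encoding such as
    %252e), then apply Unicode NFKC so fullwidth digits become ASCII digits."""
    decoded = value
    for _ in range(5):
        again = urllib.parse.unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return unicodedata.normalize("NFKC", decoded).strip()


def validate_field(kind: str, value: str) -> Tuple[bool, str]:
    """Server-side allow-list check on the canonical value. Returns
    (accepted, canonical_value); unknown field types are an error, not a pass."""
    pattern = PATTERNS.get(kind)
    if pattern is None:
        raise KeyError(f"no validation rule for field type {kind!r}")
    canon = canonicalize(value)
    return (pattern.fullmatch(canon) is not None, canon)


def safe_upload_path(user_path: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Resolve a user-supplied relative path under root, or None if it escapes.
    The traversal check runs on the canonical, normalised form, never on the
    raw string, so "..%2F" and "%252e%252e/" are caught like "../"."""
    canon = canonicalize(user_path)
    if "\x00" in canon or canon.startswith("/"):
        return None
    resolved = normpath(root + "/" + canon)
    return resolved if resolved.startswith(root + "/") else None


def validate_request(form: Dict[str, str], query: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Run the same rules over every source: a value arriving in the query
    string is not trusted just because the form field of the same name was checked."""
    results: Dict[str, Tuple[bool, str]] = {}
    for source_name, source in (("form", form), ("query", query)):
        for field, value in source.items():
            results[f"{source_name}.{field}"] = validate_field(field, value)
    return results


if __name__ == "__main__":
    # Constructed sample inputs, including encoded and fullwidth variants.
    print(validate_field("name", "O'Brien"))
    print(validate_field("name", "<script>alert(1)</script>"))
    print(validate_field("zip", "%31%32%33%34%35"))
    print(validate_field("zip", "１２３４５"))
    print(safe_upload_path("reports/q1.pdf"))
    print(safe_upload_path("..%2F..%2Fetc%2Fpasswd"))
    print(safe_upload_path("%252e%252e%2Fsecret"))
```

Each reviewer question maps to one piece: the single PATTERNS table answers "centralized?", validate_request answers "all sources?", canonicalize before fullmatch answers "canonicalization attacks?", and the absence of any browser-side dependency answers "relies on client-side validation?". The regexes are allow-lists anchored by fullmatch, which is the behaviour the ASP.NET validator gives only when the ValidationExpression is written without a leading or trailing wildcard.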
As you plan security on your system and decide how much security you need, consider these questions: • Is there a company policy or standard that requires a certain level of security? • Do the company auditors require some level of security? • How important is your system and the ...