Activities
Regional Context Research
This exercise focuses on research and re-confirmation of regional issues from general trends to specific legal restrictions and safety concerns, as well as current news and persistent challenges.
Kick-Off Call/Meeting
Meet with your organization and begin developing an audit plan while collecting contextual data and important logistical considerations for the assessment.
Tool Usability Feedback Collection
SAFETAG assessors can evaluate tool usability for at-risk organizations and contribute to building feedback loops between users and tool teams.
A Day in the Life
The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software running on computers and its current version. The auditor checks for known vulnerabilities in any out-of-date software. This is used to develop a report component exposing how un-updated software can lead to large vulnerabilities.
A Night in the Life
The auditor interviews the staff about their practices, personal devices, software and other security capabilities that they use outside of work. The auditor checks for known vulnerabilities in any out-of-date software and identifies risks in the practices and behaviors. This is used to develop a report component exposing how practices outside of their work can affect their personal security and that of the organization.
Accessing a MAC-filtered Network
Open and MAC-address-filtered wireless access points are not only open to anyone within range to join and listen in to, but also do not provide protection to those on the network itself, even if they do not "broadcast" their name. These may seem like great ways to prevent unauthorized users from accessing your network without resorting to passwords, but they are trivial to overcome.
Assessing Usage of Cloud Services
During the organizational assessment you will almost certainly come across 3rd party cloud-based service providers being used by the audited organization. The organization may be interested in your assessment of the security of those services. This poses several challenges to you as an auditor:
* auditing 3rd party web applications almost certainly falls outside of the scope of the audit engagement
* you likely do not have an agreement with the service provider to scan their application
* a proper assessment would take more time than is available for the organizational audit
* you may not be familiar with the service or technology it is built on
Despite these challenges, significant organizational processes and sensitive data may reside on or rely upon those 3rd party applications. It can be important to the audit to provide some preliminary investigation and risk assessment into the usage of any 3rd party cloud services they rely upon.
Assessment Plan
This component allows an auditor and host to come to an understanding of the level of access that an auditor will have, what is off limits, and the process for modifying the scope of the audit when new information arises. [^PETS_legal_considerations]^,^[^PETS_separate_permissions] This component consists of a process where the auditor collaboratively creates an assessment plan with key members of the organization. A core tenet of SAFETAG is building agency in organizations to improve their digital security. To that end, collaboratively creating an assessment plan with the organization helps to clarify not only the audit scope - from discussing what sensitive data may be exposed to what systems may be disrupted in the process of the audit - but it also helps reveal the ability of the organization to support and respond to the audit findings.
Audit Timeline and Planning
This section provides guidance on creating a realistic audit timeline for your assessment plan.
Automated Reconnaissance
This component allows the auditor to quickly identify publicly available resources (such as websites, extranets, email servers, but also social media information) connected to the organization and remotely gather information about those resources. While much of SAFETAG focuses on digital security challenges within and around the office, remote attacks on the organization's website, extranets, and unintended information available from "open sources" all pose real threats and deserve significant attention. SAFETAG takes great care to take a very passive approach to this work, especially when done off-site, so as not to have unintended consequences on the organization's infrastructure or undermine operational security concerns. This remote work also feeds into the auditor's understanding of the organization's digital presence (and their own understanding thereof), and will guide specific vulnerabilities to investigate once on site.
Capacity Assessment Checklist
A monolithic, one-time interview with key staff is not always possible or advisable, but interacting with a variety of staff exposes valuable information about every aspect of the audit, from vulnerabilities to capacity to hidden barriers. This serves as a "cheat sheet" of some topics to explore both during the planning and preparation phase and throughout the audit process.
Check Browser and Plugin Vulnerabilities
Ensure that browsers in-use have updated plugins and are themselves updated.
Check Config Files
Examine configuration files for vulnerabilities using "hardening", or "common mistake" guides found online.
Confidentiality Agreement
Negotiate an agreement with the organization that outlines how an auditor will protect the privacy of the organization and the outcomes of the audit.
Creating a Risk Matrix
As part of SAFETAG's dedication to building agency and supporting organizational adoption of safer practices, a careful prioritization of vulnerabilities is invaluable in keeping audit results from appearing overwhelming. In addition, this component ranks the vulnerabilities identified using the risk matrix developed with the host organization's staff. Using the host-created framework will allow for a deeper understanding of the impact of vulnerabilities and encourage greater investment in addressing them.
DNS Enumeration
DNS stands for Domain Name Service. In a nutshell, it translates a host's or computer's name into its IP address. It provides a way to learn the IP address of any given machine on the Internet from the corresponding URL or domain; you can think of it as the telephone directory of the Internet.

DNS enumeration is one of the initial steps in your overall vulnerability assessment and audit. It is a stage that allows you to discover more potential targets. Upon completion of this assessment stage, you may find issues such as leaked information caused by default settings and server misconfigurations. You may also gain a broader scope of targets, such as internal server IP addresses, company netblocks and domain/subdomain names.

DNS enumeration can be accomplished with a number of different tools and approaches. This guide discusses some of the approaches and the tools required to perform each of the activities. You can perform DNS enumeration passively or actively, depending on your operational security needs.

**Passive**, or "indirect", enumeration refers to a process that does not send any traffic or packets from your machine directly to your target. This can be done using 3rd party tools such as online tools and cloud-based scanners.

**Active**, or "direct", enumeration refers to sending DNS queries and enumeration tests directly to the target. Consider that traffic is sent to the target, which may leave traces or traffic logs coming from your source IP. Active techniques include zone transfer, reverse lookup, domain and host brute-forcing, standard record enumeration (wildcard, SOA, MX, A, TXT etc.), cache snooping, and zone walking.
Device and Behaviour Assessment
The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software running on computers and its current version. The auditor checks for known vulnerabilities in any out-of-date software. This is used to develop a report component exposing how un-updated software can lead to large vulnerabilities.
Digital Forensics and Evidence Capture
This component briefs the tools and procedures required to acquire the image (live or dead, depending on the situation) and securely handle data from a device (laptop, desktop, HDD, memory stick, USB stick, etc.) that is needed to later perform a malware analysis or forensic evidence process.
Firewire Access to Encrypted/Locked computers
Firewire ports and expansion slots can be abused to obtain data that is thought to be encrypted. Any attacker who obtains a running (including sleeping and hibernating!) Windows, Mac, or even Linux laptop with a Firewire port, an ExpressCard expansion slot, or a Thunderbolt port will be able to read, record or modify any sensitive information on the device, even if the screen is "locked" and the information is stored on an encrypted volume or in an encrypted folder. This applies to threats involving loss, theft and confiscation, but also to "checkpoint" scenarios in which the attacker may only have access for a few minutes. This attack requires physical control of a machine that is not powered off. Full details of the scope of the attack are available at http://www.breaknenter.org/projects/inception/.
Follow-up Meeting
Schedule and have a follow up call to discuss the audit report. This provides a valuable touch-point for the organization to read the report and ask any clarifying questions to the auditor, as well as for the auditor to underscore any important steps for the organization.
Forensic Analysis
This component describes how to perform an analysis on captured evidence (e.g. hard drive image or memory dump) without altering the evidence. Any alteration, or even an environment or situation that creates the possibility of alteration, could lead to rejection of the evidence in a court of law or to malware analysis failures.
Guided Tour
During this component an auditor tours the audit location(s) and flags potential risks related to physical access at that location.
Guiding Questions for High-Risk Organisations
This additional interview activity is intended to identify whether there are any indicators that the organization may already have been attacked and/or compromised, or whether someone they know has faced advanced threats. It should help identify what threats and threat actors they are dealing with, and their intent. This will help the auditor prioritize work with the organisation during the audit and follow-up, and understand whether the auditor has the expertise to address or understand the threat or whether outside expertise is needed.
Identifying Informal Agreements
The activity aims to assess which kinds of informal agreements regarding best practices and security directives are formulated, accessed, implemented and/or enforced across the organization.
Incident Response and Emergency Contact
Incident Response within the context of an audit refers to setting up a procedure for handling incidents during an audit in the event the auditor causes or uncovers a security incident during the course of the assessment. [^NIST_SP_800-115-Section_7.1]^,^[^PETS_emergency_contact] It is important to know these procedures in handling incidents to protect data integrity and create an audit trail to be used for investigation and collection of information.
Insecure Email Connections
A common issue with e-mail services is the lack of proper encryption. Staff should only be allowed to connect to the organization's mail server using SSL or TLS encryption. Without it, when a staff member sends or receives email, an attacker with access to the same local network can easily and invisibly read, record, or modify all messages in transit to and from the organization's mail server. The adversary could be someone, such as a patron of the Internet cafe where a staff member is working, who just happens to be using the same local network to connect to the Internet. Or, she could work for an organization with privileged access to the relevant network, such as %{organization}'s Internet Service Provider (ISP). Even an informed staff member who attempts to configure his email client to require SSL or TLS encryption will be unable to do so if the mail server does not support it. For webmail, a staff member who attempts to enter the secure ("https://") alternative webmail address when logging in might be unable to do so, because the webmail application does not support it.
Insecure Website Login
Administrative and user passwords on the site are submitted unencrypted.
Interviews
The auditor conducts interviews with various staff members to gather information on the organization's risks and capacity. Q&A sessions are unabashedly _white box_ aspects of a security assessment, and you will occasionally hear push-back along the lines of, "You wouldn't have found that thing if we hadn't told you about this other thing." Compelling _black box_ findings certainly do have an advantage when it comes to persuasiveness, but obtaining them can be quite time-consuming, so relying exclusively on vulnerabilities that you can identify without "help" is generally a mistake in this resource-constrained sector.
Long-Term Follow-up
Follow up with host after a few months to check on progress, get long-term feedback and connect with any new resources.
Making Introductions
Make introduction between host and known resources as needed.
Manual Reconnaissance
This exercise suggests some targeted online search tools and tricks to gather information leakages from organizations.
Mobile Device Assessment
The auditor checks the types of mobile devices in use at the organization and follows a series of steps depending on the different mobile devices. The key considerations with regards to mobile devices are the user, the type of device, and the data it manages:
- the data is kept secure;
- the device is configured with the recommended security settings;
- the organizational policies and procedures with regards to mobile devices;
- in the case of organization-owned devices, that management has control over its facilities.
These considerations contribute to the development of the report component.
Monitor Open Wireless Traffic
It can be valuable to listen to broadcast wireless traffic at the physical office location, even before knowing anything about the organization's network itself. This outside, passive information gathering can reveal a surprising amount of data on not only what devices are connecting to which networks, but also what type of devices they are (based on their unique MAC addresses), and what other networks those devices have historically connected to. These probes can reveal personal, organizational, locational, and device information that, taken in context, can be dangerous or lead to other vulnerabilities.
Network Access
This activity helps auditors to test the strength of defenses the organizations' network has in place to protect their local area network. This component consists of gaining access to the local area network through a wireless access point and unsecured physical channels (such as an ethernet jack).
Network Scanning
Network scanning is a technique used to gather information about devices connected to a certain network. It involves enumerating open ports and running services to determine the type of device, the operating system it is running, the applications it is running, and a lot more. There are many open source tools that you can use to perform this technique. Though it may look like a simple and ordinary technique, it may be used for both good and bad intentions. The goal of this exercise is to identify, enumerate and categorize all devices connected to the network. Any device that has an IP address is our target. This may include:
- Desktop computers
- Laptop computers
- Tablet devices
- Mobile phones
- Printers
- Wireless routers
- VoIP devices
- Smart TVs and appliances
- Servers and storage devices
Network Traffic Analysis
Any content that is sent out over the network without encryption is easy to intercept; this includes email, web passwords, and chat messages. This attacker could be someone, such as a patron of the Internet cafe where a staff member is working, who just happens to be using the same local network to connect to the Internet. Or, she could work for an organization with privileged access to the relevant network, such as the Internet Service Provider (ISP) of either the sender or receiver and other network-backbone connections made along the way.
Office Mapping
This activity seeks to identify potential physical vulnerabilities to an organization's information security practices by documenting the current physical layout of the office and the locations of key assets, as well as potential "external" risks such as nearby/shared office spaces. This can be done in person independently or alongside the "Guided Tour" activity, and can also be done in advance of an assessment or remotely by a willing staff member who knows where these assets are located (often a technical or administrative staff person). This can also be conducted in a multi-office or home-office environment where the auditor is unable to visit every location.
Operational Security Survey
This activity helps the auditor assess the organization's current operational security policies and practices through in-person or remote surveys and/or interviews. By also requesting to review any official policies, and by conducting multiple iterations of this with different staff members, some basic verification of the practices and of awareness/understanding of existing policies can be achieved.
Password Security Survey
Weak and "shared" passwords are prevalent - even after hundreds of well-publicized global password breaches, "password" and "12345" remain the most popular passwords, and password re-use is common. Weak wifi passwords are specifically a challenge, as wifi signals often are accessible outside of an office's physical limits, but provide full access to the private network.
Password Strength
This exercise supports the auditor in building an effective dictionary that is customized to an organization. This dictionary can then be used in a variety of ways:
* By using the examples referenced in the [WPA Password Cracking](#wpa-password-cracking) exercise, the auditor can attack weak wifi passwords, which present a non-personal and non-disruptive way to demonstrate password security problems. Weak wifi passwords are specifically a challenge, as wifi signals often are accessible outside of an office's physical limits, but provide full access to the private network.
* An auditor can show or discuss their preferred customization strategy and the tools (like JtR) that automatically "mutate" passwords with numbers, capitals, and so on, to demonstrate the power of a computer to quickly get around common "tricks".
* An auditor can also use a password "survey" to get an understanding of password practices within the organization.
Private Data
Guide staff through an activity to have them list private data within the organization (e.g. Using the "personal information to keep private" handout. [^personal_information_to_keep_private])
Process Mapping
This activity helps to identify the processes that allow the organization to function (publishing articles, payments, communicating with sources, field work etc.), the assets and systems (websites, software, PayPal accounts) they rely on, and which ones are critical to their work. Participating organization/s are asked to "brainstorm" a list of all the processes that are critical for their work, and the auditor works to map the details of critical processes out to expose points of risk. If done correctly, process mapping can help the auditor:
- Identify risk exposure
- Identify communication issues and support effective incident response
- Identify what is affected (people, systems, technologies)
- Identify areas of improvement in securing the organization's processes
- Generate a mitigation/solution plan for missing security controls
- Show the importance of digital security to staff, management team and stakeholders
Remote Asset Valuation
Key to evaluating risk is identifying and understanding what the organization is trying to protect, or the “assets” within an organization. In this exercise, we will be looking specifically at *information assets* within an organization.
Remote Facilitation
This component suggests approaches to use if in-person facilitation is not possible, and to include participation from remote staff or offices when an organization has multiple locations. This supplements the Data Assessment, Process Mapping, and Threat Assessment exercises, enabling them to be conducted remotely. This may not provide as deep results as in-person facilitation, but should provide adequate levels of expansion and verification of the information needed, and even provide the secondary benefit in most cases of helping the organization build a shared understanding of its processes, risks, and risk tolerances.
Remote Network and User Device Assessment
This component allows the auditor to work remotely to identify the devices on a host's network, the services that are being used by those devices, and any protections in place, as well as to assess the security of the individual devices on the network.
Report Creation
This component consists of an auditor compiling their audit notes and recommendations into a comprehensive set of documents that shows the current state of security, the process by which the auditor came to that assessment, and recommendations that will guide the host's progression to meet their security goals.
Resource Identification
In this component the auditor documents resources that the host may be able to leverage to address the technical, regulatory, organizational, or behavioral vulnerabilities identified during the audit. This can include, but is not limited to, local technical support and incident response groups/trade organizations, places to obtain discount software, trainers, and guides/resources they can use to support their up-skilling.
Risk Modeling Using the Pre-Mortem Strategy
The pre-mortem strategy was devised to take participants out of a perspective of defending their plans and strategies and shielding themselves from flaws. They are given "a perspective where they [are] actively searching for flaws in their own plan." [^pre-mortum].
Risks of Data Lost and Found
Have staff rank the impact if different data within the organization was lost, and the impact if various adversaries gained access to that data.
Roadmap Development
This component consists of an auditor sorting their recommendations in relation to the organization's threats and capacity. The auditor prioritizes vulnerabilities, weighs the implementation costs of recommendations and then creates an actionable roadmap for the organization to make their own informed choices about possible next steps as they move forward.
Router Based Attacks
Check routers for default passwords, unpatched firmware, vulnerabilities, remote access, and misconfiguration.
Scavenger Hunt
This activity assists in identifying potential physical security concerns at an organization, particularly when an auditor cannot travel to the office location or cannot visit every office location. The scavenger hunt approach is focused on involving the organization staff members into mapping out potential threats based on the abstraction and the gamification of the physical security mapping process. See the "Risk Hunting" exercise in [SaferJourno](https://www.internews.org/sites/default/files/resources/SaferJournoGuide_2014-03-21.pdf), page 19, for additional ideas and guidance on conducting this activity.
Security policy review
The activity aims to understand the organization's internal security policy context, looking for existing policies, understanding how they translate into practice and/or are enforced, and evaluating them, and detecting potential improvements or updates.
Self Doxing
This helps identify personal information online, and its risk in enabling doxing.
Sensitive Data
Data and meta-data about an organization and its staff is incredibly difficult to keep track of over time, as people or projects use cloud services like Dropbox or Google Drive for some activities, a shared server for others, and a mix of work and personal devices (laptops, phones, tablets...). This is natural, but it is important to keep track of where your organization's data lives and who can access it.
Social Engineering
This component focuses on assessing and educating organizational staff on how to prevent, identify, and respond to social engineering attempts (phishing, information gathering, cons) that lead to malware and to handing over authentication tokens/information. The educational activities within this section are provided as an alternative to actual social engineering attacks against the organization. Audits of individual-level behavior have a high chance of embarrassing or alienating the targeted staff. The result of this embarrassment can range from increased enthusiasm for the process to disengaging entirely. Supporting post-audit investment in the process is a core component of many activities. The possibility of derailing the investment the auditor has built during the audit makes social engineering attacks too large of a risk. [^stares_and_snide_comments] The security of an organization requires an investment by the entire staff. [^social_engineering_important_all] Activities like the social engineering activity aim to empower staff to start identifying their responsibility for the organization's safety.
Staff Feedback Survey
Providing a space for anonymous, guided feedback is valuable to gather information about how your audit work and the SAFETAG framework itself are supporting organizational understanding of risk and their ability to adapt. This long-term capacity building is critical to the SAFETAG framework, so finding ways to measure the impact of an audit towards these goals is important.
Suspicious Activity Analysis
Malware is a common tactic used to target organizations. Malware like a Remote Access Trojan (or RAT) can provide an attacker with backdoor access to a targeted machine, enabling the attacker to steal information, record audio and video, and run commands on the infected machine. To stop this from happening, you have to identify the malicious process within the system and stop it, or reformat the machine if you do not want to spend time on stopping the malicious process. It is important to keep evidence: if the auditee still has access to the original malicious software they received (e.g., an email attachment), keep a copy of the file if you have the time and expertise to continue investigating or have the resources to submit it to other organizations working on analyzing such issues. Scanning the possibly infected machine or the original suspicious file with an anti-virus will save you time and effort if the malware is already in its database. Scanning should always be the first step, as it prevents you from spending excess time if the machine was infected with a less serious piece of malware. After determining that the machine is infected, you can proceed to help the staff member back up their information, scan the files for malware, and then reformat the infected machine. Note that it is very difficult to clean an infected machine if you only have a short window of time. If the machine was infected, taking an image of the operating system will allow you to replicate the infected machine and run it after you finish your audit for a more in-depth investigation, or send it to an expert to investigate the malware. Note that this can also be difficult in an audit setting where time is limited. Also consider the operational security implications of replicating the files of a staff member of a sensitive organization. Be sure this is absolutely necessary and that the staff member provides consent before proceeding.
Technical Context Research
Research the technical capacity of potential threat actors, including both historical attack data and any indicators of changes to their capacity.
The Impacts of a "Found" Device
Lead staff in an activity identifying what critical data (as identified during the Data Assessment) would be available if an adversary gained access to various devices.
The Impacts of a Lost Device
Lead staff in an activity where they describe the impact if various devices were destroyed.
Threat Identification
These activities build off of a process or data mapping exercise to connect actual processes or assets and data of the organization with potential threats, then drill down into specific, likely threats the organization faces, adversaries who might take advantage of them, and the impact of this happening. The goal is to be able to answer the following questions:
**Threat History**
* What history of attacks does the threat actor have?
* What techniques have they used? Have they targeted vulnerabilities that the organization currently has?
* What is known about the types of threats used by a threat actor to attack similar organizations?
**Threat Capability**
* Does the threat actor have the means to exploit a vulnerability that the organization currently has?
* Does the threat actor have the means to leverage widespread threats against all similar organizations, or will they have to prioritize their targets?
**Threat Intent**
* Have they targeted similar organizations?
* Does the threat actor currently have the desire to conduct an attack against this type of organization?
* Is the organization a priority target for the threat actor?
Threat Interaction
This helps the auditor enumerate threats that the organization is concerned about and their internal priorities. At the same time, it enables a discussion of how threats can interrelate and helps define the difference between a threat and a risk (a threat that has a vulnerability associated with it), and the value of mitigation. This exercise works well with larger groups, and can be woven into the Threat Identification activity.
VoIP Security Assessment
VoIP technologies are commonly used nowadays as they provide an alternative, flexible way of communicating. With numerous benefits, from toll bypass and unified voice and data trunking to universally accessible voice-mail and fax-mail services, VoIP has indeed taken its place as one of the most used communication services today. However, with the rise of cyber attacks, and the reality that any device that connects online is a potential target, VoIP has become one of the favorite targets for spam, interruptions, voice phishing, hacking and privacy loss.
Vulnerability Research
After scanning and identifying which (if any) vulnerabilities are present within the software and systems of an organization, dig deeper to understand the impact of these vulnerabilities, possible evidence that they may have been exploited, and develop recommendations to remediate and avoid future instances of unpatched vulnerabilities.
Vulnerability Scanning
While much of SAFETAG focuses on digital security challenges within and around the office, remote attacks on the organization's website, extranets, and unintended information available from "open sources" all pose real threats and deserve significant attention. SAFETAG takes great care to take a very passive approach to this work, especially when done off-site, so as not to have unintended consequences on the organization's infrastructure or undermine operational security concerns. This activity uses active research and scanning to detect known vulnerabilities in external and key internal services. Usually penetration tests exploit possible vulnerabilities to confirm their existence. [^NIST_exploit_confirm] But, the use of exploits puts the organization's systems at a level of increased risk [^NIST_pen_test_danger] that is unacceptable when neither the organization nor the auditor has the time or finances to address the issue. The SAFETAG methodology only uses relatively safe exploitation of vulnerabilities for targeted outcomes. For instance, cracking the wireless access point password allows us to demonstrate the importance of good passwords without singling out any individual's passwords. [^network-access]
WEP Password Cracking
WEP provides no effective protection for a wifi network. Most wifi routers offer WPA encryption as an option, and if this is available it should be immediately implemented. Some older routers (and wifi devices) do not support WPA. It is highly recommended to upgrade immediately to hardware that supports WPA and to eliminate all WEP network access.
WPA Password Cracking
The organization’s wireless Local Area Network (WLAN) protects the network and its users with WPA encryption. This is an important security measure, and a WPA-protected wireless network is much safer than an unencrypted “open” network or a WEP-protected network. (WEP is fundamentally flawed, and extremely simple attacks have been widely known for over a decade.) However, the ease with which an attacker could guess the WPA key, or “WiFi password,” is a serious issue, particularly considering its importance as an essential perimeter control. An attacker who gains access to the wireless LAN immediately bypasses many protections that network administrators, and other users of the office network, often take for granted. Put another way, anyone able to guess the WPA key is immediately “inside the firewall.” Using a laptop and a wireless card with a standard, internal antenna (or using a customized smartphone or other small device), an attacker could easily position themselves close enough to the office to carry out the first phase of this attack (capturing a WPA handshake), which would only take a few minutes. The second phase (guessing the key offline against the captured handshake), which is supposed to be the difficult part, could take even less time. From the privacy of their own home or office, the attacker could use a minimally customized password dictionary to guess the WPA key.
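The following is an added example, not code from SAFETAG, showing why the offline second phase is cheap when the key is guessable. It derives the WPA/WPA2-Personal Pairwise Master Key exactly as the standard does (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations) and runs a small "minimally customized" wordlist against it. The SSID, base words, years and target passphrase are constructed for the example; as a simplification, a direct PMK comparison stands in for the real check, which derives the PTK and verifies the MIC of the captured 4-way handshake.

```python
import hashlib

# Constructed engagement data (not from a real network): the office SSID and a
# few words an attacker could learn from the organization's website or signage.
# Appending years is a typical "minimal customization" of a dictionary.
SSID = "ExampleOrg"
BASE_WORDS = ["exampleorg", "wifi", "office", "guest"]
YEARS = range(2015, 2025)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key derivation used by WPA/WPA2-Personal:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


# Known test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
IEEE_TEST_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
)


def candidates(base_words, years):
    """Yield a small, targeted wordlist: case variants of each base word with
    common suffixes. WPA requires 8..63 characters, so shorter guesses are skipped."""
    suffixes = ["", "123", "!"] + [str(y) for y in years]
    seen = set()
    for word in base_words:
        for form in (word.lower(), word.capitalize(), word.upper()):
            for suffix in suffixes:
                cand = form + suffix
                if len(cand) < 8 or cand in seen:
                    continue
                seen.add(cand)
                yield cand


def guess_wpa_key(target_pmk: bytes, ssid: str, base_words, years):
    """Offline phase of the attack. In a real run each candidate PMK is turned
    into a PTK and checked against the MIC of the captured handshake; here
    (simplification) a direct PMK comparison stands in for that check.
    Returns (passphrase, number_of_guesses) or (None, number_of_guesses)."""
    n = 0
    for n, cand in enumerate(candidates(base_words, years), start=1):
        if wpa_pmk(cand, ssid) == target_pmk:
            return cand, n
    return None, n


# Constructed "captured" value: the office chose a guessable passphrase.
TARGET_PMK = wpa_pmk("Exampleorg2019", SSID)

if __name__ == "__main__":
    assert wpa_pmk("password", "IEEE") == IEEE_TEST_PMK  # self-check of the derivation
    key, tries = guess_wpa_key(TARGET_PMK, SSID, BASE_WORDS, YEARS)
    total = sum(1 for _ in candidates(BASE_WORDS, YEARS))
    print(f"recovered {key!r} after {tries} of {total} guesses")
```

The 4096 PBKDF2 iterations are the only thing slowing the attacker down, and a modern GPU performs hundreds of thousands of them per second; the defence is a passphrase that is not in any reasonable wordlist, not the derivation itself.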
WPS PIN Cracking
WPS was built as an addition to WPA to make it easier to add devices without typing in long passphrases, but this convenience means that a malicious actor can pose as a new device and effectively reduce the potentially very strong passphrases WPA allows to an 8-digit numeric PIN. Worse, the WPS protocol verifies the PIN in two separately acknowledged halves (and the last digit is a checksum), so an attacker has to guess at most about 11,000 PINs rather than 100 million. This, like WEP, is a "live" attack - you have to stay in range of the network - but also like WEP, it is effectively a guaranteed attack: brute forcing the WPS PIN will eventually (2-10 hours) yield network access, unless the access point rate-limits or locks out WPS after repeated failures, which some newer devices do.
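To make the keyspace reduction concrete, here is an added example (not SAFETAG's own code) that implements the WPS PIN checksum and brute-forces a PIN against a simulated registrar. The registrar class is a constructed stand-in that only models the information leak (rejection after M4 for a wrong first half, after M6 for a wrong second half); it is not a protocol implementation, and the target PIN is made up.

```python
# Constructed example: an 8-digit WPS PIN whose last digit is the checksum.
TARGET_PIN = "12345670"


def wps_checksum(first7: int) -> int:
    """Checksum digit of a WPS PIN, computed over the first 7 digits:
    3 * (d1 + d3 + d5 + d7) + (d2 + d4 + d6), then the digit that brings
    the sum to a multiple of 10."""
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


class SimulatedRegistrar:
    """Constructed stand-in for the access point's WPS registrar. It mirrors
    the leak that makes the attack work: a wrong first half is rejected after
    message M4, before the second half is even checked, and a wrong second
    half is rejected after M6. Real devices may rate-limit or lock out."""

    def __init__(self, pin: str):
        self.pin = pin
        self.attempts = 0

    def try_pin(self, first_half: str, second_half: str) -> str:
        self.attempts += 1
        if first_half != self.pin[:4]:
            return "NACK after M4"
        if second_half != self.pin[4:]:
            return "NACK after M6"
        return "M7"  # the registrar now hands over the WPA passphrase


def crack_wps(ap: SimulatedRegistrar):
    """Brute force the two halves separately: at most 10^4 + 10^3 guesses
    instead of 10^7 (or 10^8 if the checksum were not computable)."""
    first = None
    for i in range(10_000):
        h1 = f"{i:04d}"
        if ap.try_pin(h1, "0000") != "NACK after M4":
            first = h1  # first half confirmed by the registrar's behaviour
            break
    if first is None:
        return None
    for j in range(1_000):
        tail = f"{j:03d}"
        h2 = tail + str(wps_checksum(int(first + tail)))  # checksum computed, not guessed
        if ap.try_pin(first, h2) == "M7":
            return first + h2
    return None


def worst_case_attempts() -> int:
    return 10_000 + 1_000


if __name__ == "__main__":
    ap = SimulatedRegistrar(TARGET_PIN)
    print(crack_wps(ap), "after", ap.attempts, "attempts; worst case", worst_case_attempts())
```

Because the worst case is 11,000 attempts, the hours quoted above come from the per-attempt cost of the WPS exchange and any lockout on the access point, not from the size of the PIN; the only real fix is disabling WPS.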
Web Vulnerability Assessment
Organizational websites are often a central part of their work, but resource constraints can leave them vulnerable to a wide variety of attacks, from simple DDoS (Distributed Denial of Service) attacks to being leveraged for online scams and malicious advertising to targeted destruction and subversion. Insecure websites can even be used in "watering hole" attacks where malware is implanted into the site to intentionally target the website's audience. This activity provides a SAFETAG auditor with a suite of processes and tools to investigate organization and project websites for potential vulnerabilities. There are multiple ways to do this, from passive to more active scanning. SAFETAG takes great care to take a primarily passive approach to this work, especially when done off-site, so as not to have unintended consequences on the organization's infrastructure or undermine operational security concerns. Care should be taken to review operational security concerns, work closely with the organization, and pursue a minimal approach focused on the priorities of the organization. See also the [Vulnerability Scanning activity](https://safetag.org/activities/vulnerability_scanning) for additional tools and approaches useful for investigating the server hosting the website rather than the website itself.
Website Footprinting
Using online tools as a starting point in assessing the auditee's web application is a good way to expand online reconnaissance as well as to start your vulnerability assessment. You can build a profile and a good understanding of the web application by identifying what it is made of and the technologies behind it. From there you can plan your next move by putting together different strategies for conducting your vulnerability assessment. For example, after discovering accessible web directories, you can then start looking for forgotten or abandoned files and applications that might contain sensitive information (such as passwords) or outdated and vulnerable applications. Content management systems, while powerful, require ongoing maintenance and updates to stay secure. Quite often these (or specific plugins) fall out of date and become increasingly vulnerable to automated as well as targeted attacks. Online tools offer ways of performing "passive" scans, in which your identity is hidden from the target organization, which matters where an IDS/IPS or firewall is deployed. These should be used in conjunction with other outputs from reconnaissance to determine which platforms and hosts are out of scope.
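As an added example (not SAFETAG's own tooling), the function below builds the technology profile described above from a single saved HTTP response, so it stays passive: it reads the `Server` and `X-Powered-By` headers, the CMS `generator` tag, and the version strings WordPress appends to plugin and theme assets, and it flags linked paths that look like leftover files. The sample headers, HTML body and the watchlist of suspicious path fragments are all constructed for this example.

```python
import re

# Constructed sample response, as one might save from a single request to the
# organization's site or obtain from a passive online lookup (not a real site).
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Set-Cookie": "PHPSESSID=f1e2d3; path=/; HttpOnly",
}
SAMPLE_BODY = """<html><head>
<meta name="generator" content="WordPress 5.2.4" />
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.1.4" />
<script src="/wp-content/themes/twentynineteen/js/main.js?ver=1.4"></script>
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<a href="/backup/site-2018.zip">old site</a>
<a href="/about/">About</a>
</head><body></body></html>"""

GENERATOR_RE = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']([^"\']+)["\']', re.I)
# WordPress assets carry "?ver=" with the plugin/theme version.
WP_ASSET_RE = re.compile(
    r'/wp-content/(plugins|themes)/([^/"\'\s?]+)/[^"\'\s]*\?ver=([0-9][\w.-]*)')
WP_PATH_RE = re.compile(r'/wp-content/(plugins|themes)/([^/"\'\s?]+)')
HREF_RE = re.compile(r'(?:href|src)=["\']([^"\']+)["\']', re.I)
# Constructed watchlist of fragments that often mark forgotten files.
LEFTOVER_HINTS = ("backup", "/old", ".bak", ".sql", ".zip", ".tar", "phpinfo")


def fingerprint(headers, body):
    """Return a technology profile dict built only from response data."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {
        "server": h.get("server"),
        "language": h.get("x-powered-by"),
        "cms": None,
        "cms_version": None,
        "plugins": {},
        "themes": {},
    }
    m = GENERATOR_RE.search(body)
    if m:
        name, _, version = m.group(1).partition(" ")
        findings["cms"], findings["cms_version"] = name, version or None
    for kind, slug, version in WP_ASSET_RE.findall(body):
        findings[kind][slug] = version
    for kind, slug in WP_PATH_RE.findall(body):
        findings[kind].setdefault(slug, None)  # present but unversioned
    if findings["cms"] is None and (findings["plugins"] or findings["themes"]
                                     or "/wp-includes/" in body):
        findings["cms"] = "WordPress"  # inferred from paths when the tag is hidden
    if findings["language"] is None and "PHPSESSID" in h.get("set-cookie", ""):
        findings["language"] = "PHP"  # inferred from the session cookie name
    return findings


def leftover_links(body):
    """Linked paths worth a manual look for abandoned files (no requests made)."""
    return sorted({p for p in HREF_RE.findall(body)
                   if any(hint in p.lower() for hint in LEFTOVER_HINTS)})


if __name__ == "__main__":
    for k, v in fingerprint(SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(f"{k:12} {v}")
    print("leftovers:", leftover_links(SAMPLE_BODY))
```

Each version string recovered this way should be compared against the vendor's release history before it is reported; the profile tells you what to look up, not whether it is vulnerable.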
Wireless Range Mapping
This component allows the auditor to show the "visibility" of an organization's wireless network to determine how far the organization's wireless network extends beyond a controlled area. Wireless networks are often trusted as equivalent to the hardwired office networks they have largely replaced, but they have important differences. Wireless networks are often "visible" from outside the walls of the office - from common spaces or even the street. Without further access, this reveals a wealth of information about the organization's size and the type of devices connecting to their network.