Guiding Questions

Outputs

References and resources for Infrastructure and Cloud Service Assessment

Device Assessment:

• Guidelines: "Guidelines on Firewalls and Firewall Policy" (NIST 800-41)

• Benchmarks: "Security Configuration Benchmarks" (CIS Security Benchmarks)

• Repository: "National Checklist Program" (NIST)

• Windows Utility: "HardenTools" (Security Without Borders)

Password Security:

• Guide: "How to Teach Humans to Remember Really Complex Passwords" (Wired)

• Video: "What’s wrong with your pa$$w0rd?" (TED)

• Article: "Password Security: Why the horse battery staple is not correct" (Diogo Mónica)

• Organization: "Passwords Research" (The CyLab Usable Privacy and Security Laboratory (CUPS))

• Guide: "Hacker Lexicon: What Is Password Hashing?" (Wired)

• Guide: "7 Password Experts on How to Lock Down Your Online Security" (Wired)

• Password Survery: Encountering Stronger Password Requirements: User Attitudes and Behaviors (CUPS)

Privilege Separation Across OS:

• identify what privileges services are running as
• identify is the admin user is called admin or root
• Identify if users are logging in and installing software as admin.

Examining Firewalls Across OS:

• Checklist: "Firewall Configuration Checklist." (NetSPI)

Identifying Software Versions:

Device Encryption By OS:

• Identifying if a device is using encryption by OS
• Encryption availablility by OS
• Encryption Guides

Anti-Virus Updates:

Identifying Odd/One-Off Services:

Physical Assessment:

• Guide: "Physical Penetration Test" (About The Penetration Testing Execution Standard)

• Checklist: "Check list: Office Security" (Frontline Defenders)

• Manual: Planning, improving and checking security in offices and homes

• Guide: "Physical Security Assessment - pg. 122" (OSTTM)

• Guide: "Workbook on Security: Practical Steps for Human Rights Defender at Risk" (Frontline Defenders)

• Guide: "Protect your Information from Physical Threats" (Frontline Defenders)

• Policy Template: Information Security Policy Templates (SANS)

Network Mapping Methods:

• Guide: "10 Techniques for Blindly Mapping Internal Networks"

• Directory: "Network Forensics Packages and Appliances" (Forensics Wiki)

• Directory: "Scripts and tools related to Wireshark" (Wireshark Wiki)

Network Access:

• Resource List: "Wireless Access Guides & Resources" (SAFETAG)

• List: "Default Password List" (defaultpassword.com)

• List: "Default Password List" (CIRT.net)

• List: "Default Password List - 2007" (Phenoelit)

Network Discovery Methods:

• Documentation: “Airodump-ng” (Aircrack-ng Wiki)

• References: "Links, References and Other Learning Materials" (Aircrack-ng Wiki)

• Project Site: "wifite: automated wireless auditor" (Google code)

• Source Code: "wifite" (GitHub)

Nmap Scanning:

• Guide: "The Official Nmap Project Guide to Network Discovery and Security Scanning" (Gordon “Fyodor” Lyon)

• Cheat Sheet: “Part 1: Introduction to Nmap” (Nmap Cheat Sheet: From Discovery to Exploits)

• Cheat Sheet: “Part 2: Advance Port Scanning with Nmap And Custom Idle Scan” (Nmap Cheat Sheet: From Discovery to Exploits)

• Cheat Sheet: “Part 3: Gathering Additional Information about Host and Network” (Nmap Cheat Sheet: From Discovery to Exploits)

• Cheat Sheet: “Part 4” (Nmap Cheat Sheet: From Discovery to Exploits)

• Cheat Sheet: “Nmap Cheat Sheet” (See-Security Technologies)

• Overview: “The Purpose of a Graphical Frontend for Nmap” (Zenmap GUI Users' Guide)

• Guide: “Zenmap GUI Users' Guide” (Zenmap GUI Users' Guide)

• Guide: “Surfing the Network Topology” (Zenmap GUI Users' Guide)

• Guide: “Host Detection” (nmap Reference Guide)