- What work and personal devices do staff use to accomplish their work, store work related files, or engage in work communications?
- What organizational and external/personal services do staff use to accomplish their work, store work related files, or engage in work communications?
- How do staff communicate internally and externally? What tools do they use?
- What existing formal and informal security practices do the participants use to address risks?
- Who has physical access to what? Who has remote access to what?
- When are devices not monitored by trusted staff?
- How could adversaries gain access? (forced entry, theft, social engineering, seizure)
- Are there mitigation procedures if devices are lost or taken by adversaries? (e.g.: encrypted drives, offsite backups?)
- Treat the information learned/collected with the utmost sensitivity and security. Physical notes should be destroyed immediately after use and digital notes should be kept in line with overall SAFETAG standards.
- Basic systems administration experience for common operating systems
- List of all assets in the organization and whom they belong to.
- Notes on documented and undocumented access control measures for the office
- List of software running on staff devices and date of last update
- List of known vulnerabilities and identifiable malware that the office is exposed to.
- List of malware found by running updated anti-virus on office computers (if anti-virus installed during device inspection.)
- List of specific unsecured servers, workstations, external hard drives and any other digital resources
- Notes on existing security measures for all digital systems
- Written-down passwords
- Guidelines: "Guidelines on Firewalls and Firewall Policy" (NIST 800-41)
- Benchmarks: "Security Configuration Benchmarks" (CIS Security Benchmarks)
- Repository: "National Checklist Program Repository - Prose security checklists" (National Vulnerability Database)
- Security Guidance: "Operating Systems Security Guidance" (NSA)
- Windows Utility: "HardenTools" (Security Without Borders)
- Guide: "How to Teach Humans to Remember Really Complex Passwords" (Wired)
- Guide: "Security on Passwords and User Awareness" (HashTag Security)
- Video: "What’s wrong with your pa$$w0rd?" (TED)
- Article: "Password Security: Why the horse battery staple is not correct" (Diogo Mónica)
- Organization: "Passwords Research" (The CyLab Usable Privacy and Security Laboratory (CUPS))
- Guide: "Hacker Lexicon: What Is Password Hashing?" (Wired)
- Guide: "7 Password Experts on How to Lock Down Your Online Security" (Wired)
- Password Survey: "Encountering Stronger Password Requirements: User Attitudes and Behaviors" (CUPS)
- Identify which privileges services are running with.
- Identify whether the admin user is called admin or root.
- Identify whether users are logging in and installing software as admin.
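The three checks above can be scripted so they produce a consistent record for the audit notes. The script below is an added example, not SAFETAG's own tooling; it runs on constructed sample data (a small passwd file, a process listing and a few sudo log lines, all made up here) so it can be tried offline, and each function accepts its input as a string so the same functions can be fed live data from `getent passwd`, `ps -eo user,comm` and the host's auth log on a Linux device being inspected.

```shell
#!/bin/sh
# Added example for the SAFETAG privilege checks. All sample data below is
# constructed for illustration and is not taken from any real device.

# Constructed /etc/passwd excerpt: a second UID-0 account named "admin" is the
# kind of finding the "admin or root" check is meant to surface.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:0:0:shared admin:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# Constructed output in the shape of: ps -eo user,comm
SAMPLE_PS='USER COMMAND
root sshd
root nginx
www-data nginx
root mysqld
alice firefox'

# Constructed sudo entries in syslog auth.log format.
SAMPLE_AUTHLOG='Mar  3 09:12:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt install vlc
Mar  3 09:40:22 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt install gimp
Mar  3 10:05:47 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  4 08:30:10 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/dpkg -i tool.deb'

# Every account with UID 0. Anything besides "root" is an extra superuser,
# which answers "is the admin user called admin or root?" for the notes.
# Live use: uid0_accounts "$(getent passwd)"
uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Distinct service names that run as root (header line skipped). A service
# that does not need root here is a privilege-separation finding.
# Live use: root_services "$(ps -eo user,comm)"
root_services() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "root" { print $2 }' | sort -u
}

# Count, per user, how often software was installed through sudo. The pattern
# covers apt and dpkg installs only; extend it for the package manager in use.
# Output: "<user> <count>" per line. Live use: install_as_admin "$(cat /var/log/auth.log)"
install_as_admin() {
    printf '%s\n' "$1" \
      | awk '/sudo:/ && /COMMAND=/ && (/apt install/ || /dpkg -i/) {
               for (i = 1; i <= NF; i++) if ($i == "sudo:") { count[$(i+1)]++; break }
             }
             END { for (u in count) print u, count[u] }' \
      | sort
}

# Summarise all three checks in one report block for the audit notes.
report() {
    echo "== accounts with UID 0 =="
    uid0_accounts "$SAMPLE_PASSWD"
    echo "== services running as root =="
    root_services "$SAMPLE_PS"
    echo "== software installs performed via sudo (user count) =="
    install_as_admin "$SAMPLE_AUTHLOG"
}

report
```

With the constructed data the report lists `root` and `admin` as UID-0 accounts, `mysqld`, `nginx` and `sshd` as root-owned services, and two installs via sudo for `alice` and one for `bob`; on a real device, replace the sample variables with the live commands named in the comments and record the output with the rest of the device notes.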
- Checklist: "Firewall Configuration Checklist." (NetSPI)
- Identifying if a device is using encryption by OS
- Encryption availability by OS
- Encryption Guides
- Guide: "Physical Penetration Test" (About The Penetration Testing Execution Standard)
- Checklist: "Check list: Office Security" (Frontline Defenders)
- Manual: Planning, improving and checking security in offices and homes
- Guide: "Physical Security Assessment - pg. 122" (OSSTMM)
- Guide: "Workbook on Security: Practical Steps for Human Rights Defenders at Risk" (Frontline Defenders)
- Guide: "Protect your Information from Physical Threats" (Frontline Defenders)
- Policy Template: Information Security Policy Templates (SANS)
Privilege Separation Across OS:
Examining Firewalls Across OS:
Identifying Software Versions:
Device Encryption By OS:
Identifying Odd/One-Off Services:
- Device and Behaviour Assessment: The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software…
- Password Security Survey: Weak and "shared" passwords are prevalent - even after hundreds of well-publicized global password breaches, "password" and "12345" remain…
- A Day in the Life: The auditor checks staff devices for updated systems and software, anti-virus and other security capabilities, and identifies software…
- A Night in the Life: The auditor interviews the staff about their practices, personal devices, software and other security capabilities that they use outside of…
- Assessing Usage of Cloud Services: During the organizational assessment you will almost certainly come across 3rd party cloud-based service providers being used by the audited…
- Network Scanning: Network scanning is a technique used to gather information about devices connected on a certain network. It involves enumerating open ports…
- Guided Tour: During this component an auditor tours the audit location(s) and flags potential risks related to physical access at that location.
- Check Browser and Plugin Vulnerabilities: Though modern browsers are better at self-updating, and the prevalence of powerful plugins like flash and java are slowly declining, it is…