- Does the organization have existing digital security practices or has it attempted to implement them in the past?
- What agreements will govern the audit?
- What will be the procedure for incident handling in the event that the auditor causes or uncovers an incident during the course of the assessment?
- What are the legal, physical, or social risks for the auditor & organization associated with conducting the audit or having audit results leak? [pets_legal_considerations]
- Does the security situation of the location or organization require additional planning? Are your software tools up to date and working as expected?
- Prepare Systems: Update and test your systems, A/V and audit tools [latest_version_of_tools]; prepare storage devices and systems to reflect the required operational security; and ensure you have power supply adapters, cables and relevant adapters, USB drives, external wireless cards and any other equipment needed for testing.
- Prepare for Travel: Check travel logistics if needed -- visa, letter of invitation, travel tickets and hotel reservations. Note that some visas can take significant effort and may require the auditor to be without a passport while they are being processed.
- Carefully consider packing needs and explanations. [travel_kit_appendix, nist_sp_800-115-travel_prep]
- An agreement with the organisation to receive the audit including scope, timeframe, confidentiality clauses, operational security measures or minimums, and points of contact.
- Systems updated and ready for testing.
- A custom password dictionary [password_dictionary_resources] (if password cracking activities are expected).
- Risks to host and auditor conducting a SAFETAG audit.
- Modifications to the audit plan as necessary.
In case audit involves travel:
- Tip Sheet: "Facilitator Preparation Tips" (Integrated Security)
- Guidelines: "Facilitator Guidelines" (Aspiration Tech)
- Guide: "Session_Design" (Aspiration Tech)
- Kit: "Resource Kit" (eQualit.ie)
- Questions: "Pre-Event_Questions" (Aspiration Tech)
- Guide: "Break Outs" (Aspiration Tech)
- Resources: "Be a Better Trainer" (Level-up)
- Standard: "Pre-Engagement" (The Penetration Testing Execution Standard: Pre-Engagement Guidelines)
- Template: "Pre-Inspection Visit" (VulnerabilityAssessment.co.uk)
- Template: "Rules of Engagement Template" (NIST SP 800-115)
- Article: "The Difference Between a Vulnerability Assessment and a Penetration Test" (Daniel Miessler)
- Article: "Vulnerability Assessment and Penetration Testing" (gosafe)
- Article: "Legal Issues in Penetration Testing"
- Documentation: "John the Ripper password cracker" (OpenWall)
- Password Dictionaries: "Password dictionaries" (Skull Security)
- Project Site: "CeWL - Custom Word List generator" (Robin Wood)
- Presentation: "Supercharged John the Ripper Techniques" (Rick Redman - KoreLogic)
- Project Site: "Hashcat: advanced password recovery" (hashcat.net)
- Guide: "KoreLogic's Custom rules" (Rick Redman - KoreLogic)
- Guide: "Creating custom username list & wordlist for bruteforcing" (Nirav Desai)
- Source Code: "JohnTheRipper: bleeding-jumbo branch"
- Resource: "Media Legal Defense Initiative" (Media Legal Defense Initiative)
- Guide: "Security Incident Information Management Handbook" (RedR UK)
Creating Agreements and Rules of Engagement:
Password Dictionary Creation:
Other Pre-Engagement Resources:
Incident Handling Resources:
Data Security Standards:
Sensitive Data & Information Guides:
- Assessment Plan: This component allows an auditor and host to come to an understanding of the level of access that an auditor will have, what is off limits…
- Confidentiality Agreement: Negotiate an agreement with the organization that outlines how an auditor will protect the privacy of the organization and the outcomes of…
- Incident Response and Emergency Contact: Incident Response within the context of an audit refers to setting up a procedure for handling incidents during an audit in the event the…
- Regional Context Research: This exercise focuses on research and re-confirmation of regional issues from general trends to specific legal restrictions and safety…
- Technical Context Research: This exercise focuses on research into the technical capacity of potential threat actors, including both historical attack data and any…
- Audit Timeline and Planning: This section provides guidance on creating a realistic audit timeline for your assessment plan.