Skip to content

@joncamfield joncamfield released this Feb 27, 2019

This release rolls up new content from recent sprints as well as formatting and structural improvements from the translation process and from the Code as Conduct work. The SAFETAG Curricula has also been updated to better match updates to the SAFETAG methodology over the past 2 years.

New Method and Activities for reviewing organizational policies

While implicit across multiple parts of SAFETAG, this new method formalizes a review process for reviewing both formal and informal policies and practices of organizations; leveraging inputs from the Capacity Assessment methodology and adding two specific exercises, one for working with organizations with formal policies and one for identifying informal agreements and practices.

New and Updated Activities

"Night in the Life"

This activity has the auditor discuss with the staff about their practices, personal devices, software and other security capabilities that they use outside of work. This is used to develop a report component exposing how practices outside of their work can affect their personal security and that of the organization.

Self Doxing

Doxing (also "doxxing", or "d0xing", a word derived from "documents", or "docs") consists in tracing and gathering information about someone using sources that are freely available on the internet (called OSINT, or Open Source INTelligence).

Doxing is premised on the idea that "The more you know about your target, the easier it will be to find their flaws”. A malicious actor may use this method to identify valuable information about their target. Once they have found sensitive information, they may publish this information for defamation, blackmail the target person, or use it for other goals.

This activity aims to help participants identify any unwanted personal information that may be publicly available online, and to make them aware of the risk of doxing and how to prevent it.

Cloud Provider Assessment

It is increasingly difficult to run complex organizations without some reliance on cloud-based service providers such as email hosting, web hosting, or document management/backup. Organizations (and as assisted by the auditor) should review their options in the selection of cloud providers, and in parallel consider ways to apply practices and policies to their use to meet organizational security requirements.

This activity helps auditors both enumerate the cloud providers the organization works with (formally/officially and as shadow IT infrastructure), map out what data and metadata is shared where, what access and technical controls are available, and assess risks.

Updates to Network Scanning: Assessing IoT devices

We have significantly updated and streamlined the network scanning activity to include overall guidelines for identifying and assessing IoT devices on office networks. In addition, it's worth highlighting an entire activity devoted to working with VOIP systems.

Additional variants for recon and vulnerability scanning

New activity variants to review alternative tools and approaches to both recon and vulnerability scanning have been added to cover foca and maltego for automated reconnaissance, and burp, nico, and owasp as part of the web vulnerability scanning activity.

Structural changes

Network Access is now part of Network Mapping

Based on feedback; the network access component has been rolled in to network mapping to focus more on assessment rather than pen-test style approaches.

Work still in draft

The SAFETAG community has also began a section called "Fear Mapping" to help identify, quantify, and manage fears and address psychosocial barriers to organizational security. See issue #397 for the status and next steps.

Assets 9

@joncamfield joncamfield released this Feb 23, 2019 · 20 commits to master since this release

This release introduces Russian, Arabic, and an updated Spanish translation of the SAFETAG Methods, and updates them all to include recent contributions and re-organization.

Assets 6

@joncamfield joncamfield released this May 4, 2018 · 230 commits to master since this release

This release includes the following large changes:

  • Responding to Advanced Threats -- a new method and activities to detect and response to malware and for working with high-risk organizations, as well as improved guidance on conducting technical threat research. See for details.

  • Remote SAFETAG Audits -- improvements and guidance in conducting remote assessments when travel to the site is impractical, unsafe, or there are multiple offices to audit with limited travel availability. This includes technical and facilitated activity modifications and options for the auditor to direct depending on organizational capacity, as well as completely new activities. See for details.

  • New SAFETAG Playlist: Minimal Viable Audit -- a SAFETAG "playlist" focused on essential activities when facing a constrained timeline, and to use as a core to add custom activities on to. Build this playlist using , or view the attached MVA PDF.

  • Network and Vulnerability Scanning Improvements Better guidance and tool recommendations for website footprinting/auditing, and improved documentation for scanning for vulnerabilities.

  • OSINT / Recon Improvements -- Additional exercises to conduct research and identify the online footprint and potential points of vulnerability for an organization.

  • Core and Structural Improvements -- Creation of a Code of Conduct and a Contribution guide (see #299). Normalization of files/structure and removal of symlinks to better support Content as Code inclusion. Activities with multiple, parallel/duplicative options are now presented as variants within the activity's instructions.

Assets 4

@joncamfield joncamfield released this Sep 5, 2017 · 595 commits to master since this release

This release is a roll-up of edits to the SAFETAG English guide, incorporating both stylistic/editorial changes as well as new and updated activities.


Assets 2

@joncamfield joncamfield released this Jun 30, 2015 · 700 commits to master since this release

This release fixes a number of content and formatting issues, as well as includes a translation of the core SAFETAG materials into Spanish. The document creation scripts have been separated into a new repository, making this focused on the content of SAFETAG.

Assets 8

@joncamfield joncamfield released this Jun 25, 2015 · 740 commits to master since this release

This release is in preparation for SAFETAG translation work and is for reference.

Assets 2

@joncamfield joncamfield released this Apr 29, 2015 · 796 commits to master since this release

This release is a first step towards larger changes to the SAFETAG framework towards a much more abstracted process. The "guides" are now "methods" and the "examples" have been moved to a separate directory, "exercises", enabling them to be cross-linked and more easily referenced from the methods and curricula content.

Assets 5

@joncamfield joncamfield released this Apr 29, 2015 · 899 commits to master since this release

This is the slightly updated SAFETAG content and curricula based on the first trainings and independent review inputs

Assets 7

@joncamfield joncamfield released this Apr 29, 2015 · 796 commits to master since this release

The rebooted SAFETAG content used as the core of the SAFETAG training in 2014 and early 2015.

Assets 7
Jan 13, 2015


Making threat-by-focus links match rest of in-line approach
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.