Skip to content
Choose a tag to compare

SAFETAG updates and curricula refresh

@joncamfield joncamfield released this
Choose a tag to compare

This release rolls up new content from recent sprints as well as formatting and structural improvements from the translation process and from the Code as Conduct work. The SAFETAG Curricula has also been updated to better match updates to the SAFETAG methodology over the past 2 years.

New Method and Activities for reviewing organizational policies

While implicit across multiple parts of SAFETAG, this new method formalizes a review process for reviewing both formal and informal policies and practices of organizations; leveraging inputs from the Capacity Assessment methodology and adding two specific exercises, one for working with organizations with formal policies and one for identifying informal agreements and practices.

New and Updated Activities

"Night in the Life"

This activity has the auditor discuss with the staff about their practices, personal devices, software and other security capabilities that they use outside of work. This is used to develop a report component exposing how practices outside of their work can affect their personal security and that of the organization.

Self Doxing

Doxing (also "doxxing", or "d0xing", a word derived from "documents", or "docs") consists in tracing and gathering information about someone using sources that are freely available on the internet (called OSINT, or Open Source INTelligence).

Doxing is premised on the idea that "The more you know about your target, the easier it will be to find their flaws”. A malicious actor may use this method to identify valuable information about their target. Once they have found sensitive information, they may publish this information for defamation, blackmail the target person, or use it for other goals.

This activity aims to help participants identify any unwanted personal information that may be publicly available online, and to make them aware of the risk of doxing and how to prevent it.

Cloud Provider Assessment

It is increasingly difficult to run complex organizations without some reliance on cloud-based service providers such as email hosting, web hosting, or document management/backup. Organizations (and as assisted by the auditor) should review their options in the selection of cloud providers, and in parallel consider ways to apply practices and policies to their use to meet organizational security requirements.

This activity helps auditors both enumerate the cloud providers the organization works with (formally/officially and as shadow IT infrastructure), map out what data and metadata is shared where, what access and technical controls are available, and assess risks.

Updates to Network Scanning: Assessing IoT devices

We have significantly updated and streamlined the network scanning activity to include overall guidelines for identifying and assessing IoT devices on office networks. In addition, it's worth highlighting an entire activity devoted to working with VOIP systems.

Additional variants for recon and vulnerability scanning

New activity variants to review alternative tools and approaches to both recon and vulnerability scanning have been added to cover foca and maltego for automated reconnaissance, and burp, nico, and owasp as part of the web vulnerability scanning activity.

Structural changes

Network Access is now part of Network Mapping

Based on feedback; the network access component has been rolled in to network mapping to focus more on assessment rather than pen-test style approaches.

Work still in draft

The SAFETAG community has also began a section called "Fear Mapping" to help identify, quantify, and manage fears and address psychosocial barriers to organizational security. See issue #397 for the status and next steps.