SAFETAG updates and curricula refresh
This release rolls up new content from recent sprints as well as formatting and structural improvements from the translation process and from the Code as Conduct work. The SAFETAG Curricula has also been updated to better match updates to the SAFETAG methodology over the past 2 years.
New Method and Activities for reviewing organizational policies
While implicit across multiple parts of SAFETAG, this new method formalizes a review process for reviewing both formal and informal policies and practices of organizations; leveraging inputs from the Capacity Assessment methodology and adding two specific exercises, one for working with organizations with formal policies and one for identifying informal agreements and practices.
New and Updated Activities
"Night in the Life"
This activity has the auditor discuss with the staff about their practices, personal devices, software and other security capabilities that they use outside of work. This is used to develop a report component exposing how practices outside of their work can affect their personal security and that of the organization.
Doxing (also "doxxing", or "d0xing", a word derived from "documents", or "docs") consists in tracing and gathering information about someone using sources that are freely available on the internet (called OSINT, or Open Source INTelligence).
Doxing is premised on the idea that "The more you know about your target, the easier it will be to find their flaws”. A malicious actor may use this method to identify valuable information about their target. Once they have found sensitive information, they may publish this information for defamation, blackmail the target person, or use it for other goals.
This activity aims to help participants identify any unwanted personal information that may be publicly available online, and to make them aware of the risk of doxing and how to prevent it.
Cloud Provider Assessment
It is increasingly difficult to run complex organizations without some reliance on cloud-based service providers such as email hosting, web hosting, or document management/backup. Organizations (and as assisted by the auditor) should review their options in the selection of cloud providers, and in parallel consider ways to apply practices and policies to their use to meet organizational security requirements.
This activity helps auditors both enumerate the cloud providers the organization works with (formally/officially and as shadow IT infrastructure), map out what data and metadata is shared where, what access and technical controls are available, and assess risks.
Updates to Network Scanning: Assessing IoT devices
We have significantly updated and streamlined the network scanning activity to include overall guidelines for identifying and assessing IoT devices on office networks. In addition, it's worth highlighting an entire activity devoted to working with VOIP systems.
Additional variants for recon and vulnerability scanning
New activity variants to review alternative tools and approaches to both recon and vulnerability scanning have been added to cover foca and maltego for automated reconnaissance, and burp, nico, and owasp as part of the web vulnerability scanning activity.
Network Access is now part of Network Mapping
Based on feedback; the network access component has been rolled in to network mapping to focus more on assessment rather than pen-test style approaches.
Work still in draft
The SAFETAG community has also began a section called "Fear Mapping" to help identify, quantify, and manage fears and address psychosocial barriers to organizational security. See issue #397 for the status and next steps.