Preparation
Summary
This component consists of trip preparation activities that are needed to ensure the technical and facilitated components of the audit are able to be conducted effectively and within the on-site time-frame and in coordination with the organization.
Purpose
A SAFETAG audit has a short time frame. Preparation is vital to ensure that time on the ground is not spent negotiating over the audit scope, updating the auditors systems, searching for missing hardware, or refreshing oneself with the SAFETAG framework. To that end negotiations with the host organization help reveal if the organization has the capacity to undertake the audit and respond to its findings.
Guiding Questions
- Does the organization have existing digital security practice or attempted to implement them in the past?
- What is the process for procedure for incident handling in the event that auditor cause or uncover an incident during the course of the assessment?
- What are the legal, physical, or social risks for the auditor & organization associated with conducting the audit or having audit results leak? 1
- Does the security situation of the location or organization require additional planning? Are your software tools up to date and working as expected?
The Flow of Information
Approaches
- Create an Assessment Plan: Have a "scoping" meeting that outlines the level of access that an auditor will have, what is off limits, and the process for modifying the scope of the audit when new information arises. 2,3
- Negotiate a Confidentiality Agreement: Negotiate an agreement with the organization that outlines how an auditor will protect the privacy of the organization and the outcomes of the audit.
- Establish an Emergency Contact: Establish a procedure for incident handling and an emergency contact in the event that auditor cause or uncover an incident during the course of the assessment. 4,5
- Prepare for Travel: Check travel logistical needs -- visa, letter of invitation, travel tickets and hotel reservations. Note that some visas can take significant effort and may require the auditor to be without a passport while they are being processed.
- Prepare Systems: Update and test your systems, A/V and audit tools. 6, prepare storage devices and systems to reflect the required operational security, and ensure you have power supply adapters, cables and relevant adapters, usb drives, external wireless cards and any other equipment needed for testing. 7^, ^8
Outputs
- Any Visas or paperwork needed, plus travel arragements (tickets, hotels) for auditor travel.
- A custom password dictionary. 9
- A travel kit. 10,11
- Systems updated and ready for testing.
- Risks to host and auditor conducting a SAFETAG audit.
- Modifications to the audit plan as necessary.
Operational Security
- Update your OS, software, anti-virus, firewall settings, etc. (Do not be the weakest link for the host!)
- Determine the correct visa process for your trip.
- Carefully consider packing needs and explanations
Resources
Tip Sheet: Facilitator Preparation Tips ( Integrated Security )
Resource List: Password Dictionary Creation Resources (SAFETAG)
Resource List: Social Engineering Resources (SAFETAG)
Facilitation Preparation
Tip Sheet: Facilitator Preparation Tips ( Integrated Security )
Guidelines: "Facilitator Guidelines" (Aspiration Tech)
Guide: "Session_Design" (Aspiration Tech)
Kit: "Resource Kit" (eQualit.ie)
Questions: "Pre-Event_Questions" (Aspiration Tech)
Guide: "Break Outs" (Aspiration Tech)
Resources: "Be a Better Trainer" (Level-up)
Password Dictionary Creation
Documentation: "John the Ripper password cracker" (OpenWall)
Password Dictionaries: "Password dictionaries" (Skull Security)
Project Site: "CeWL - Custom Word List generator" (Robin Wood)
Presentation: "Supercharged John the Ripper Techniques" (Rick Redman - KoreLogic)
Project Site: "Hashcat: advanced password recovery" (hashcat.net)
Guide: "KoreLogic's Custom rules" (Rick Redman - KoreLogic)
Guide: "Creating custom username list & wordlist for bruteforciing" (Nirav Desai)
Source Code: "JohnTheRipper: bleeding-jumbo branch"
Standard: "Pre-Engagement" (The Penetration Testing Execution Standard: Pre-Engagement Guidelines)
Template: Pre-Inspection Visit ( VulnerabilityAssessment.co.uk)
Template: "Rules of Engagement Template" (NIST SP 800-115)
Other Pre-Engagement Resources
Standard: "Pre-Engagement" (The Penetration Testing Execution Standard: Pre-Engagement Guidelines)
Template: Pre-Inspection Visit ( VulnerabilityAssessment.co.uk)
Incident Handling Resources
Legal Considerations
Data Security Standards
Activities
undefined
" Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."↩
" Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."↩
"In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document."↩
NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. Section 7.1 Coordination↩
"Obviously, being able to get in touch with the customer or target organization in an emergency is vital."↩
"Traveling teams should maintain a flyaway kit that includes systems, images, additional tools, cables, projectors, and other equipment that a team may need when performing testing at other locations."↩
"Traveling teams should maintain a flyaway kit that includes systems, images, additional tools, cables, projectors, and other equipment that a team may need when performing testing at other locations."↩
