This component consists of trip preparation activities that are needed to ensure the technical and facilitated components of the audit are able to be conducted effectively and within the on-site time-frame and in coordination with the organization.
A SAFETAG audit has a short time frame. Preparation is vital to ensure that time on the ground is not spent negotiating over the audit scope, updating the auditors systems, searching for missing hardware, or refreshing oneself with the SAFETAG framework. To that end negotiations with the host organization help reveal if the organization has the capacity to undertake the audit and respond to its findings.
Tip Sheet: Facilitator Preparation Tips ( Integrated Security )
Resource List: Password Dictionary Creation Resources (SAFETAG)
Resource List: Social Engineering Resources (SAFETAG)
Facilitation Preparation
Tip Sheet: Facilitator Preparation Tips ( Integrated Security )
Guidelines: "Facilitator Guidelines" (Aspiration Tech)
Guide: "Session_Design" (Aspiration Tech)
Kit: "Resource Kit" (eQualit.ie)
Questions: "Pre-Event_Questions" (Aspiration Tech)
Guide: "Break Outs" (Aspiration Tech)
Resources: "Be a Better Trainer" (Level-up)
Password Dictionary Creation
Documentation: "John the Ripper password cracker" (OpenWall)
Password Dictionaries: "Password dictionaries" (Skull Security)
Project Site: "CeWL - Custom Word List generator" (Robin Wood)
Presentation: "Supercharged John the Ripper Techniques" (Rick Redman - KoreLogic)
Project Site: "Hashcat: advanced password recovery" (hashcat.net)
Guide: "KoreLogic's Custom rules" (Rick Redman - KoreLogic)
Guide: "Creating custom username list & wordlist for bruteforciing" (Nirav Desai)
Source Code: "JohnTheRipper: bleeding-jumbo branch"
Standard: "Pre-Engagement" (The Penetration Testing Execution Standard: Pre-Engagement Guidelines)
Template: Pre-Inspection Visit ( VulnerabilityAssessment.co.uk)
Template: "Rules of Engagement Template" (NIST SP 800-115)
Other Pre-Engagement Resources
Standard: "Pre-Engagement" (The Penetration Testing Execution Standard: Pre-Engagement Guidelines)
Template: Pre-Inspection Visit ( VulnerabilityAssessment.co.uk)
Incident Handling Resources
Legal Considerations
Data Security Standards
undefined
" Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."↩
" Some activities common in penetration tests may violate local laws. For this reason, it is advised to check the legality of common pentest tasks in the location where the work is to be performed."↩
"In addition, some service providers require advance notice and/or separate permission prior to testing their systems. For example, Amazon has an online request form that must be completed, and the request must be approved before scanning any hosts on their cloud. If this is required, it should be part of the document."↩
NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. Section 7.1 Coordination↩
"Obviously, being able to get in touch with the customer or target organization in an emergency is vital."↩
"Traveling teams should maintain a flyaway kit that includes systems, images, additional tools, cables, projectors, and other equipment that a team may need when performing testing at other locations."↩
"Traveling teams should maintain a flyaway kit that includes systems, images, additional tools, cables, projectors, and other equipment that a team may need when performing testing at other locations."↩