SAFETAG is a curricula, a methodology, and a framework for security auditors working with advocacy groups.
This release rolls up significant community contributions to the SAFETAG framework.
In addition, this release includes a significant "clean up" of the SAFETAG structure in preparation for a more data-driven display of the content:
Currently these only impact the SAFETAG Guide in Englsih, so please review previous releases for the curricula and the most updated versions of SAFETAG in additional languages.
The next release, which will be v1.0.0, and will represent an even more significant change to the structure, flattening the Methods and Activity file fragments into one index.md file in preparation for improved collaboration and editing of the content as well as interactive display thereof.
This release rolls up new content from recent sprints as well as formatting and structural improvements from the translation process and from the Code as Conduct work. The SAFETAG Curricula has also been updated to better match updates to the SAFETAG methodology over the past 2 years.
While implicit across multiple parts of SAFETAG, this new method formalizes a review process for reviewing both formal and informal policies and practices of organizations; leveraging inputs from the Capacity Assessment methodology and adding two specific exercises, one for working with organizations with formal policies and one for identifying informal agreements and practices.
This activity has the auditor discuss with the staff about their practices, personal devices, software and other security capabilities that they use outside of work. This is used to develop a report component exposing how practices outside of their work can affect their personal security and that of the organization.
Doxing (also "doxxing", or "d0xing", a word derived from "documents", or "docs") consists in tracing and gathering information about someone using sources that are freely available on the internet (called OSINT, or Open Source INTelligence).
Doxing is premised on the idea that "The more you know about your target, the easier it will be to find their flaws”. A malicious actor may use this method to identify valuable information about their target. Once they have found sensitive information, they may publish this information for defamation, blackmail the target person, or use it for other goals.
This activity aims to help participants identify any unwanted personal information that may be publicly available online, and to make them aware of the risk of doxing and how to prevent it.
It is increasingly difficult to run complex organizations without some reliance on cloud-based service providers such as email hosting, web hosting, or document management/backup. Organizations (and as assisted by the auditor) should review their options in the selection of cloud providers, and in parallel consider ways to apply practices and policies to their use to meet organizational security requirements.
This activity helps auditors both enumerate the cloud providers the organization works with (formally/officially and as shadow IT infrastructure), map out what data and metadata is shared where, what access and technical controls are available, and assess risks.
We have significantly updated and streamlined the network scanning activity to include overall guidelines for identifying and assessing IoT devices on office networks. In addition, it's worth highlighting an entire activity devoted to working with VOIP systems.
New activity variants to review alternative tools and approaches to both recon and vulnerability scanning have been added to cover foca and maltego for automated reconnaissance, and burp, nico, and owasp as part of the web vulnerability scanning activity.
Based on feedback; the network access component has been rolled in to network mapping to focus more on assessment rather than pen-test style approaches.
The SAFETAG community has also began a section called "Fear Mapping" to help identify, quantify, and manage fears and address psychosocial barriers to organizational security. See issue #397 for the status and next steps.
This release introduces Russian, Arabic, and an updated Spanish translation of the SAFETAG Methods, and updates them all to include recent contributions and re-organization.
This release includes the following large changes:
Responding to Advanced Threats -- a new method and activities to detect and response to malware and for working with high-risk organizations, as well as improved guidance on conducting technical threat research. See https://safetag.org/2018/05/04/Advanced_Threats.html for details.
Remote SAFETAG Audits -- improvements and guidance in conducting remote assessments when travel to the site is impractical, unsafe, or there are multiple offices to audit with limited travel availability. This includes technical and facilitated activity modifications and options for the auditor to direct depending on organizational capacity, as well as completely new activities. See https://safetag.org/2017/08/31/Remote_Audits.html for details.
New SAFETAG Playlist: Minimal Viable Audit -- a SAFETAG "playlist" focused on essential activities when facing a constrained timeline, and to use as a core to add custom activities on to. Build this playlist using index.mva.md , or view the attached MVA PDF.
Network and Vulnerability Scanning Improvements Better guidance and tool recommendations for website footprinting/auditing, and improved documentation for scanning for vulnerabilities.
OSINT / Recon Improvements -- Additional exercises to conduct research and identify the online footprint and potential points of vulnerability for an organization.
Core and Structural Improvements -- Creation of a Code of Conduct and a Contribution guide (see https://github.com/SAFETAG/SAFETAG/pull/299). Normalization of files/structure and removal of symlinks to better support Content as Code inclusion. Activities with multiple, parallel/duplicative options are now presented as variants within the activity's instructions.
This release is a roll-up of edits to the SAFETAG English guide, incorporating both stylistic/editorial changes as well as new and updated activities.
This release fixes a number of content and formatting issues, as well as includes a translation of the core SAFETAG materials into Spanish. The document creation scripts have been separated into a new repository, making this focused on the content of SAFETAG.
This release is in preparation for SAFETAG translation work and is for reference.
This release is a first step towards larger changes to the SAFETAG framework towards a much more abstracted process. The "guides" are now "methods" and the "examples" have been moved to a separate directory, "exercises", enabling them to be cross-linked and more easily referenced from the methods and curricula content.
This is the slightly updated SAFETAG content and curricula based on the first trainings and independent review inputs
The rebooted SAFETAG content used as the core of the SAFETAG training in 2014 and early 2015.