
Risk Assessment Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (an X, a checkmark, a dot, a tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the slips in a bag, and draw them from the bag.


  1. Inappropriate Firewall rules (not RDP)
  2. Unidentified PCI requirements
  3. DNS logging not enabled
  4. Plain text password discovered in share
  5. Default admin credentials
  6. Guest SSID but no isolation
  7. Unpatched Exchange
  8. Windows Server 2003/2008
  9. Default SNMP Write value
  10. "We update when there are problems"
  11. Wireless PSK older than 2 years
  12. "We just use Windows Defender"
  13. Windows 7
  14. Password spreadsheet
  15. Windows XP
  16. >50% passwords cracked
  17. No true network segmentation
  18. "We're as secure as we can be."
  19. No DMZ
  20. Individual permissions in shares
  21. No MFA
  22. Manual Backups
  23. Computers not joined to Domain
  24. No IR Plan
  25. Minimal Group Policy
  26. No DR Plan
  27. No EDR
  28. No offsite backups
  29. No Security Awareness Training
  30. Stale Objects older than 1 year
  31. Cracked admin password
  32. Passwords never expire
  33. Adobe Flash
  34. Closet spaghetti
  35. No drive encryption
  36. Telnet
  37. "We've never had an incident."
  38. Unlicensed hardware or software
  39. TeamViewer / VNC
  40. External RDP
  41. Shares with "Everyone, Full Control"
  42. No DKIM / DMARC
  43. No SPF record
  44. Users are local admins
  45. Whitelisted domains in email filter