
Risk Assessment Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (such as an X, a checkmark, a dot, or a tally mark) on each cell as you announce it, to keep track. You can also cut out each item, place the slips in a bag and pull words from the bag.


  1. No offsite backups
  2. Guest SSID but no isolation
  3. Default SNMP Write value
  4. Shares with "Everyone, Full Control"
  5. Minimal Group Policy
  6. No DR Plan
  7. Manual Backups
  8. No MFA
  9. Windows Server 2003/2008
  10. DNS logging not enabled
  11. Stale Objects older than 1 year
  12. Unpatched Exchange
  13. "We just use Windows Defender"
  14. Adobe Flash
  15. cracked admin password
  16. No SPF record
  17. Plain text password discovered in share
  18. closet spaghetti
  19. Windows 7
  20. No DMZ
  21. No DKIM / DMARC
  22. Individual permissions in shares
  23. No drive encryption
  24. password spreadsheet
  25. Unlicensed hardware or software
  26. No IR Plan
  27. "We update when there are problems"
  28. "We're as secure as we can be."
  29. Computers not joined to Domain
  30. Wireless PSK older than 2 years
  31. Users are local admins
  32. No true network segmentation
  33. "We've never had an incident."
  34. Whitelisted domains in email filter
  35. Passwords never expire
  36. No Security Awareness Training
  37. Inappropriate Firewall rules (not RDP)
  38. Default admin credentials
  39. Telnet
  40. Teamviewer / VNC
  41. >50% passwords cracked
  42. Windows XP
  43. External RDP
  44. No EDR
  45. Unidentified PCI requirements