
Risk Assessment Bingo - Call List

Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc.) on each cell as you announce it, to keep track. You can also cut out each item, place the pieces in a bag, and pull words from the bag.


  1. Guest SSID but no isolation
  2. closet spaghetti
  3. >50% passwords cracked
  4. Unidentified PCI requirements
  5. Whitelisted domains in email filter
  6. No SPF record
  7. Minimal Group Policy
  8. Manual Backups
  9. password spreadsheet
  10. No drive encryption
  11. No offsite backups
  12. Stale Objects older than 1 year
  13. No MFA
  14. cracked admin password
  15. No DMZ
  16. Windows XP
  17. Default admin credentials
  18. Default SNMP Write value
  19. Shares with "Everyone, Full Control"
  20. Computers not joined to Domain
  21. "We've never had an incident."
  22. Adobe Flash
  23. Passwords never expire
  24. Plain text password discovered in share
  25. External RDP
  26. Telnet
  27. Inappropriate Firewall rules (not RDP)
  28. Windows 7
  29. Users are local admins
  30. No DR Plan
  31. No IR Plan
  32. No EDR
  33. "We just use Windows Defender"
  34. Unpatched Exchange
  35. "We're as secure as we can be."
  36. Teamviewer / VNC
  37. Unlicensed hardware or software
  38. "We update when there are problems"
  39. Windows Server 2003/2008
  40. No DKIM / DMARC
  41. DNS logging not enabled
  42. No true network segmentation
  43. Individual permissions in shares
  44. Wireless PSK older than 2 years
  45. No Security Awareness Training