Teamviewer/ VNCNo DRPlanNoSPFrecordWindows7crackedadminpasswordTelnetDefaultadmincredentialsWhitelisteddomains inemail filterNoDMZComputersnot joinedto DomainGuestSSID butnoisolationIndividualpermissionsin sharesWindowsXPPasswordsneverexpire"We updatewhen thereareproblems">50%passwordscracked"We're assecure aswe canbe."AdobeFlashNoSecurityAwarenessTrainingNo IRPlanUnpatchedExchangeUnidentifiedPCIrequirementsUsersare localadminsManualBackupsUnlicensedhardwareor softwareInappropriteFirewallrules (notRDP)"We justuseWindowsDefender"NoEDRNoDKIM /DMARCMinimalGroupPolicyStaleObjectsolder than1yearWindowsServer2003/2008DNSloggingnotenabledWirelessPSK olderthan 2yearsNo truenetworksegmentationclosetspaghettiDefaultSNMPWritevalueNo driveencryptionShares with"Everyone,Full Control"passwordspreadsheetNoMFAExternalRDP"We'venever hadanincident."Plain textpassworddiscoveredin shareNooffsitebackupsTeamviewer/ VNCNo DRPlanNoSPFrecordWindows7crackedadminpasswordTelnetDefaultadmincredentialsWhitelisteddomains inemail filterNoDMZComputersnot joinedto DomainGuestSSID butnoisolationIndividualpermissionsin sharesWindowsXPPasswordsneverexpire"We updatewhen thereareproblems">50%passwordscracked"We're assecure aswe canbe."AdobeFlashNoSecurityAwarenessTrainingNo IRPlanUnpatchedExchangeUnidentifiedPCIrequirementsUsersare localadminsManualBackupsUnlicensedhardwareor softwareInappropriteFirewallrules (notRDP)"We justuseWindowsDefender"NoEDRNoDKIM /DMARCMinimalGroupPolicyStaleObjectsolder than1yearWindowsServer2003/2008DNSloggingnotenabledWirelessPSK olderthan 2yearsNo truenetworksegmentationclosetspaghettiDefaultSNMPWritevalueNo driveencryptionShares with"Everyone,Full Control"passwordspreadsheetNoMFAExternalRDP"We'venever hadanincident."Plain textpassworddiscoveredin shareNooffsitebackups

Risk Assessment Bingo - Call List

(Print) Use this randomly generated list as your call list when playing the game. There is no need to say the BINGO column name. Place some kind of mark (like an X, a checkmark, a dot, tally mark, etc) on each cell as you announce it, to keep track. You can also cut out each item, place them in a bag and pull words from the bag.


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
  1. Teamviewer / VNC
  2. No DR Plan
  3. No SPF record
  4. Windows 7
  5. cracked admin password
  6. Telnet
  7. Default admin credentials
  8. Whitelisted domains in email filter
  9. No DMZ
  10. Computers not joined to Domain
  11. Guest SSID but no isolation
  12. Individual permissions in shares
  13. Windows XP
  14. Passwords never expire
  15. "We update when there are problems"
  16. >50% passwords cracked
  17. "We're as secure as we can be."
  18. Adobe Flash
  19. No Security Awareness Training
  20. No IR Plan
  21. Unpatched Exchange
  22. Unidentified PCI requirements
  23. Users are local admins
  24. Manual Backups
  25. Unlicensed hardware or software
  26. Inapproprite Firewall rules (not RDP)
  27. "We just use Windows Defender"
  28. No EDR
  29. No DKIM / DMARC
  30. Minimal Group Policy
  31. Stale Objects older than 1year
  32. Windows Server 2003/2008
  33. DNS logging not enabled
  34. Wireless PSK older than 2 years
  35. No true network segmentation
  36. closet spaghetti
  37. Default SNMP Write value
  38. No drive encryption
  39. Shares with "Everyone, Full Control"
  40. password spreadsheet
  41. No MFA
  42. External RDP
  43. "We've never had an incident."
  44. Plain text password discovered in share
  45. No offsite backups