Project: Advanced Cybersecurity Risk Assessment Checklist

What is the “Advanced Cybersecurity Risk Assessment Checklist” (ACRAC)?

ACRAC allows any organisation to assess the status quo of their cybersecurity.

It is a thorough and constantly updated checklist to reduce the common cyber threats organisations are confronted with.

Its goal is to raise awareness of vulnerabilities, thereby neutralising a majority of the threat vectors an organisation sees itself confronted with, and making cyber security risks manageable.

Once the checklist is completed, the results can be converted to action items to reduce the risks of cyber incidents to an organisation, and to mitigate common vulnerabilities.

Contribute to ACRAC?

The project is open source and anyone is encouraged to contribute ideas to the project. Until a platform is found, please join us and share ideas on our Discord Server:

Download ACRAC?

ACRAC Advanced Cybersecurity Risk Assessment Checklist by Lars G. A. Hilse is licensed under a Creative Commons Attribution 4.0 International License.

Version: 20190131.1

Download the latest ACRAC as PDF

SHA256: 025d5584fdf246f20e8d8da39cbd7d4b550d24767c3cd4b684e30acbdfee0cfc

Download the latest ACRAC as XLSX

SHA256: 657358656ea58b46e966d224ec05ab875f4807d27894471a575f4060b7e8ba10

Need older or more specialised versions? Join the server mentioned above and ask us.


In 2018 I was asked to brief the European Parliament about the risks of cyberterrorism. In talks after the public hearing there was a desire for a checklist of sorts. One that would allow an organisation to at least assess a status of where they are from a cybersecurity perspective.

What ensued was a painstaking search for something out there… yet there was nothing that wasn’t a sales pitch by some company.

All publicly available information was then merged into, and spiced up as, ACRAC, the Advanced Cybersecurity Risk Assessment Checklist.

Removable media control, endpoint security and the problem of transportability of data

One of the major problems in the digital age is the transportability of data. Even large quantities of files and papers can be moved on a device smaller than a coin. Therefore, removable media control is one of the essential things to include in your cyber security risk assessment.

One of the countermeasures was the trend towards endpoint security; meaning that computers and servers were locked down in such a way that files cannot be copied to mobile devices and taken out of the office.

Approximately 10 years ago I served on a project in which the lack of endpoint security led to significant damage to the company. The client was a large law firm with a global footprint, and had repeatedly fallen victim to the extortion of employees, who were pressed into retrieving sensitive data from the organization’s systems.

What we ended up doing was not only implementing an endpoint security scheme but going one step further and making the moving of files in general much more difficult, without limiting business operations.

Our solution was to make files available on the company server without making them copyable by any means. Obviously, 100% security could never be guaranteed, but the point of the operation was that extracting a file with sensitive information from the corporate server became much more difficult.

Specifically, this meant that files which were shared with employees or third parties were opened in a browser and could only be sent via a link. The link would then open the file for review, but classified files could not be downloaded, copied, or otherwise removed from the system.

While this didn’t entirely solve the problem, it took the edge off, and made it possible for the technical personnel to sleep a bit more comfortably.

Cyber insurance versus insurance companies

Getting cyber insurance cover is easy.

Getting cyber insurance coverage that is adequate and up to speed to current threats: totally different story.

Currently, very conservative and traditional insurance companies are trying to deliver top-of-the-line products; mostly to customers who don’t need them.

So what’s up with that?

A while ago, I tried to sign an e-commerce business with an insurance company that appeared to be very advanced in signing cyber insurance contracts.

During the negotiations, however, it turned out that they generally ruled out e-commerce businesses.

The main argument was that an e-commerce business could fall victim to a denial of service attack.

My counter argument was that any conventional business could burn down, and still they wrote insurance policies for the buildings of this client.

I went on to argue that denial of service attacks are easily mitigated through various means, the most important one of which is a content distribution network.

Still, the insurance company wouldn’t budge.

Having close connections inside the insurance company I went ahead and looked at their exclusion list. And it was terrifying!

I ended up working with them to reduce the general exclusions, and softened up some of their strict policies towards certain types of businesses. And now they are doing tremendously well and signing up risks which are manageable.

Finding your next employer on the dark web?

Obviously free from state-sanctioned pension plans and other inhibiting characteristics, the job advertisements I recently stumbled upon on several dark web marketplaces during an investigation caught my attention.

Probably the most interesting, and the first, job advertisement was that by Liberty Market, who were looking for a French-speaking content “cleaner”.

And they are increasing in number.

Where this trend originates, and what the specifics of such an employment are, remains to be discovered.

Fact is: the dark web is currently the most dynamic ecosystem on the planet. All of the business conducted therein requires a lot of ingenuity, good designers, and even more so very good security experts.

About John Cryan and the nonsense of the cashless society

In his speech at the World Economic Forum in Davos, the former Deutsche Bank CEO was one of many to support the quest to rid the world of cash.

Again, he stands in a long line of defenders of this practice.

And while it is true that a large quantity of crime is being committed on the back of cash, the alternative is much more grim.

I work together with a variety of crisis response companies who react to cases of kidnapping and ransom, extortion, and similar risks.

Unanimously, these companies I work with say that paying a kidnapper in conventional currency is one of the most promising factors in retrieving the loot, and in tracing the assets back to an individual or organization.

So if cash were taken out of the equation entirely, criminals would resort to alternatives.

In the recent past, an increasing number of kidnapping and ransom cases have changed in appearance, with the perpetrators requesting bitcoin and other cryptocurrencies instead of dollars, euros, and other conventional currencies.

The problem is that cryptocurrency is in general very difficult to trace.

If done right, a bitcoin can be so obfuscated that it can never be traced.

The dark web would not be the dark web if it hadn’t invented algorithms to support these types of obfuscation.

Once these have been utilized, criminals often take their newly washed coins and introduce them to an offshore casino, thereby entirely eliminating any trace that the cryptocurrency, which is now conventional currency, was used in a crime.

Mitigating sophisticated phishing attacks

Phishing has always been a rather difficult issue to solve.

I’ve spent countless hours trying to create programs to successfully keep employees from opening suspicious emails, believe me!

The new generation of phishing, however, is even more complex and the threat is even more difficult to mitigate.

In the most recent cases I worked on, the email sent to the victim was either announced or followed up by a phone call from a seemingly legitimate source.

Thereby, the victim was duped into opening the attachment to infect the system/network, and there is pretty much no training that will help to reduce that risk.

One of the issues we began working on was to have existing contacts confirm their identity through an IM. Of course this only works if the source is internal, and/or the source is available on an IM service.

Stay safe folks! These new attacks are devious with potentially devastating consequences, essentially with no one to blame.

The case of the spying paper shredder

When you think of spies, you never think of a harmless paper shredder.

A few years back, one of my most meaningful contracts was to find and plug a leak inside an organization with offices on six of the seven continents.

I had been introduced to the company through a mutual connection between myself and the chief executive of the organization in question.

The aforementioned CEO was dissatisfied with the work of my predecessors. These had conducted extensive analyses in the organization, but all by the book.

The result was: the leak was still there, not fixed even some $3.5 million later.

The mutual connection I mentioned earlier got hold of this information and was so familiar with my out-of-the-box thinking that he introduced us through an email, upon which I was hired to conduct another analysis to find out where the leak was and to submit a proposal on how to plug it.

I spent the next weeks on planes, traveling to pretty much all of their facilities and offices around the globe.

I very quickly managed to isolate the office where the leak originated. So for the next weeks I was in that office, conducting research as to how the sensitive information got out of the office and into the hands of the competition.

We conducted everything from radio frequency analysis, to exclude the possibility that the information was transmitted out of the building, to the obvious suspects, a leak in the IT infrastructure, and even to suspecting certain individuals in the organization.

None of this yielded any results, turning the excitement from the beginning into a somewhat frustrating project.

Some weeks later I was sitting in a conference room at 2 AM chewing on a piece of stale pizza that was left over from dinner, while playing carousel with an office chair I was sitting in.

Every time I made a turn a paper shredder caught my attention with the red LED on top.

One of our desperate measures was to exchange parts of the furniture, artwork, and office equipment. This went as far as replacing parts of the coffee canisters placed in that specific meeting room. What we had not taken into consideration previously was the old style of information extraction.

This organization was still rather paper heavy, and a lot of the meeting notes were taken on paper; parts of them were disposed of through conventional means.

Now I was curious to find out whether or not this paper shredder was the culprit. And so at 2:30 in the morning I went to the janitor of the building and asked him for a screwdriver and other tools; if you want to know, he was not thrilled at that moment!

I disconnected the paper shredder from the power supply and opened the case, and as I opened it I saw a perfectly integrated scanner which snapped scans of every piece of paper from both sides before it was destroyed. It took me two or three closer looks to find it, and the contraption was brilliantly engineered: strips were fitted inside so that no light from the scanning process could escape the housing.

Bottom line: the competitor in question went through a lot of trouble to place this device. The cost of engineering it was quite extensive. Further, the reason the information was not discovered by the radio frequency analysis is that the competitor’s middleman had bribed one of the cleaning ladies to replace, on a weekly basis, a USB key they had inserted into the machine.

So you see: we are not even safe from paper shredders anymore.

The most complex case of CEO Fraud… yet; and how to mitigate it.

CEO fraud is probably one of the most devious forms of cyber crime. Above that, it is the highest form of social engineering.

Do you know that feeling when you get to a project and you’re thinking: how in the hell could this have happened?

Recently this happened to me: I was called, and found myself sitting in a helicopter being airlifted to a mid-sized organization in which the most complex case of CEO fraud I have seen to date had occurred.

In short: the perpetrators had injected malware into the email server of the organization, thereby being able to monitor both the CEO’s and the CFO’s mailboxes permanently.

The CEO was about to conclude a deal with an organization in London, and all of his itinerary was in his mailbox; even the telephone number of his hotel.

Long before this happened, the perpetrators had hired someone with a voice similar to that of the CEO, who above that spoke his native language. The CEO used voice memos frequently, which allowed the perpetrators to also copy his style of speaking.

The CEO arrived in London, and the deal did not come to fruition. However, the perpetrators called the CFO at the organization, and the impersonator they had hired claimed that the deal had in fact been signed.

The impersonator then gave the CFO the bank details, upon which the CFO executed the transfer of €25 million.

Upon the CEO’s return to the office a day later, the CFO congratulated him on the deal closure.

The CEO then replied that the deal had not been closed, and things started to unravel.

The damage turned out to be mild, and we put the necessary precautions and methodologies in place so that a case like that can never repeat; at least not with this organization.

Why it’s a good idea to isolate EOL applications/software with insufficient patches, and how to do it

Software and applications are the Achilles’ heel of information technology; when they reach end of life, which is inevitable, or when they are not updated frequently enough, protocol suggests stopping their use altogether.

However, a lot of applications are mission critical for an organization.

In this case, and as I have seen and applied in the wild, one of the ways to continue using them is to isolate them from the rest of the network.

Specific pieces of software or applications can be isolated from the rest of your IT environment by running them inside dedicated virtual machines, thereby cutting them off from most of the rest of the network.
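What "cutting off from most of the rest of the network" looks like in practice, as an added example (not part of ACRAC or the author's tooling): an nftables ruleset for the hypervisor that lets the legacy VM reach only an explicit allowlist of upstream services, admits inbound administration from one jump host only, and logs and drops everything else on the VM's bridge port. The interface name, addresses and ports are constructed placeholders, and the VM is assumed to be attached to a bridge port so that its traffic traverses the host's forward hook.

```python
"""Confining an end-of-life application's VM with an nftables allowlist.

Added example for this post; interface, addresses and ports are constructed
placeholders. Other forwarded traffic on the hypervisor is left untouched:
only flows entering or leaving the VM's port are constrained.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IsolationPolicy:
    vm_if: str          # bridge port the legacy VM is attached to (assumed name)
    vm_addr: str        # the VM's IPv4 address
    jump_host: str      # only host allowed to initiate connections to the VM
    # (destination network, protocol, port) triples the VM may still reach
    allowed_egress: list = field(default_factory=list)


def egress_allowed(p: IsolationPolicy, dst: str, proto: str, port: int) -> bool:
    """Policy-review helper: mirrors the ruleset's egress logic for one flow."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(net) and proto == pr and port == pt
               for net, pr, pt in p.allowed_egress)


def render_ruleset(p: IsolationPolicy) -> str:
    """Emit an nft script: explicit exceptions, then drop both directions."""
    for net, _, _ in p.allowed_egress:
        ipaddress.ip_network(net)          # fail early on a typo in the allowlist
    rules = [
        "table inet legacy_isolation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
        # the VM must not spoof another internal host's address
        f'    iifname "{p.vm_if}" ip saddr != {p.vm_addr} drop',
        # inbound: administration (SSH assumed) from the jump host only
        f'    oifname "{p.vm_if}" ip saddr {p.jump_host} ip daddr {p.vm_addr} tcp dport 22 accept',
    ]
    rules += [f'    iifname "{p.vm_if}" ip daddr {net} {pr} dport {pt} accept'
              for net, pr, pt in p.allowed_egress]
    rules += [
        # anything else to or from the legacy VM is counted, logged and dropped
        f'    iifname "{p.vm_if}" counter log prefix "legacy-vm-egress-denied " drop',
        f'    oifname "{p.vm_if}" counter log prefix "legacy-vm-ingress-denied " drop',
        "  }",
        "}",
    ]
    return "\n".join(rules)


if __name__ == "__main__":
    policy = IsolationPolicy(
        vm_if="vnet-legacy", vm_addr="10.30.0.10", jump_host="10.10.0.5",
        allowed_egress=[("10.20.0.5/32", "tcp", 5432)],   # its database server only
    )
    print(render_ruleset(policy))          # load with: nft -f <file>
```

The denied-flow log lines double as a detection signal: a legacy VM that suddenly tries to reach file shares or the internet is either misconfigured or compromised.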

Why you don’t want your RJ-45 sockets available in the wild

A few weeks ago I had friends visiting from Thailand. Being the good host I try to be, I took them on a variety of sightseeing tours; one of them was inevitably to one of the castles around here.

While we were strolling through the facility I couldn’t help but see a wire running throughout the complex, which obviously didn’t exist back in the 1800s.

Lo and behold it was a network cable.

This network cable was not only connected to the sprinkler system and the fire alarms, the exit signs and alarm system; it was also the same cable that ran to the cashier. Meaning, that the entire network infrastructure was exposed to interception.

Technically, it would be possible to separate the cable and install a device which will give you permanent access to the network.

As if this wasn’t bad enough, I found at least half a dozen RJ-45 sockets throughout the complex which would have made my work even easier; had I been a criminal.

It’s important to understand that these sockets were at locations where I would have been undisturbed for hours.

After this startling experience I kept my eyes open for rogue RJ-45 sockets in the wild.

A few days after the visit I mentioned, I had to go to a public administration building, and what was the first thing that smiled at me? Right! Another rogue RJ-45 socket.

Now, unless you have very specific MAC address filtering in place, rogue sockets will allow criminals to get a very good scan of your organization. Even if access to systems is limited, it would still be possible to conduct a scan of the network, which would reveal devices that are vulnerable and allow for penetration of the network through such a device.

While this may seem obvious to a lot of us, there are obviously a lot of people out there in our profession who do not take such vulnerabilities as a given fact.

Therefore, I dedicated an entire part of my cyber security risk assessment checklist not only to rogue RJ-45 sockets in the wild, but also to their placement, the mapping of the placement in case someone tampers with the box, and a variety of other issues.

Contact me if you’d like to get a copy of my checklist for your work.

European Parliament: Special Committee on Terrorism > Brief by Lars Hilse on the risks of Cyber Terrorism


In July 2018, I was invited to provide a briefing to the Special Committee on Terrorism of the European Parliament about the risks of cyber terrorism on critical infrastructure and public spaces.

The trip to Brussels was exciting and insightful, with a lot of interesting questions, mostly after the taping of the session which you can see above.

If you want the slide-deck of my presentation, please email me.