Below, you will find an overview of the Ducky Challenge and IT security information.
General information
Processing of data: | europe-west1 (Belgium) | |
Cloud Service Provider name: | Google Cloud Platform | |
Country of origin of cloud Service Provider: | United States | |
Service deployment | UK, Norway, Canada | |
Nationality of personnel | British, French, Canadian, Norwegian |
Support of potential features
Supports authentication with centralized catalogue service | N/A |
Supports MFA authentication | No |
Supports role based authorization | No |
Supports labelling and tagging of information classification level | No |
Supports cryptography (network transmission, storage, disk) | No |
Traceability audit of user and administrative actions is logged | N/A |
Support of different systems
Supports latest operating systems available | Yes | We actively test our tool on Windows, macOS, Linux, Android and iOS |
Supports running on the most common client device types and platforms | Yes | The tool can be used on smartphones, desktop, mac, etc. |
Supports the most common web browsers | Yes | You can find the full list of the latest operating systems covered by our tool here |
Documentation
Product and support documentation is available in English | Yes | As stated, product and support documentation is available in English |
Can provide documentation of capacity and experience for relevant system and domain knowledge | Yes | |
Has a structured and documented way of continuously working with and improving information security (ISMS) | Yes | We run a yearly penetration test of the product; as a result, security documentation is being provided and worked upon |
Personally identifiable information managed according to GDPR (Data Processing Agreements, Databehandleravtaler) | Yes | Privacy policy can be found here |
Ducky is available for audit | Yes | If the need arises, yes. |
Are the systems/services developed and deployed according to a Secure Development Life Cycle process (SDLC)? | Yes | We use an iterative, agile process, following CI/CD principles. As well as this, we use error handling software, and track the test coverage of our code |
Delivered with an installation guide | Yes | The organization will be onboarded by Ducky via materials and human support |
Delivered with an administrators guide | N/A | This is not relevant since no administrators are required to use the tool |
Delivered with a users guide | Yes | Help articles are available to the users of the tool |
Delivered with a troubleshooting guide | Yes | The users have access to a support form if they are facing technical issues |
Delivered with an integrations guide | N/A | This is not relevant since integration is not part of our offering |
All business, product and support documentation are available in English | Yes | English versions are available |
Other types of support
Supports user authentication through MS Active Directory and Azure AD | No | |
Supports role-based user authorization through MS Active Directory and Azure AD | No | |
Supports single sign-on through MS Active Directory and Azure AD | No | |
Supports two-factor authentication | No | |
Supports enforcement of password length, complexity, age and use of temporary passwords | Yes | Passwords have to be at least 8 characters long |
Supports labelling and tagging of information classification level | No | |
System does not monitor or disclose software usage to external parties | N/A | The app is not linked to any external parties |
Supports role-based authorization (Applications that do not support authorization through AD or Azure AD) | N/A | There is no role-based functionality in the solution |
Audit trail of who did what when | N/A | There is no such function in the app, so there is no need for such functionality |
Supports log shipping to centralized SIEM | No | No, the app doesn't support it |
Supports minimum FIPS 140-2 level 1 validated encryption (network transmission, storage, disk) | No | There is no company data transmitted or stored on the solution |
Centralized management for de-centralized systems | No | Not a de-centralized system |
Supports Windows 10 | Yes | It supports it |
Supports Apple products (iOS, Mac) | Yes | It supports it |
Supports Linux versions. (Redhat, Ubuntu etc.) | Yes | It supports it |
Supports Android and iOS mobile devices | Yes | It supports it |
Supports mainstream browsers (Firefox, MS Edge, Chrome) | Yes | It supports it |
Fully functional without using Active X | Yes | Active X not necessary |
Fully functional without using Java | Yes | Java not necessary |
Supports Microsoft Systems Center for client distribution (CMS system) | No | |
Fully functional without the need for 3rd party software to be downloaded and installed | Yes | No 3rd party software needs to be installed |
Fully functional without using system administrator rights | Yes | No system administrator rights need to be used |
Fully functional without special local firewall configurations | No | It might depend on the organization's security system |
Fully functional without using public cloud services such as Dropbox, Google Drive and OneDrive | Yes | Such services are not needed to use the tool |
Can operate through a VPN connection | Yes | VPN connection should not impact the use of the tool |
Optimized for a world wide user base through potentially high latency, low bandwidth networks | Yes | As long as the internet connection is good, the users should not experience high latency |
Support English as the user interface language, even on a foreign language OS install | Yes | The tool is available in English |
Supports running in a Citrix environment | No | This is not part of the offering |
Uses an encrypted communication protocol between client and server (Minimum FIPS-140-2-1) | N/A | Communication is encrypted using private keys between client and servers |
Client logs to trace irregular system behaviour are available | No | This is not available. |
No required exceptions for antivirus systems | Yes | Antivirus systems should not impact the use of the tool |
Supports latest virtualized Windows | Yes | It supports it |
Supports latest Linux / Unix | Yes | It supports it |
Supports latest MS SQL | No | Runs in the cloud, no server needed |
Supports latest IIS | No | Runs in the cloud, no server needed |
Does not use or rely on local built-in user accounts | Yes | All access through cloud IAM |
Does not require service accounts with administrative rights | Yes | It doesn't require service accounts with administrative rights |
Supports Windows managed service accounts | No | Runs in the cloud, no server needed |
Supports load balancing | No | Runs in the cloud, no server needed |
Supports zero downtime upgrades | No | Runs in the cloud, no server needed |
Supports zero downtime backup | No | Runs in the cloud, no server needed |
Has built-in mechanisms for disaster recovery | No | Runs in the cloud, no server needed |
Configurable built-in admin account name, if any | Yes | Configuration is available in the tool |
Configurable built-in admin account password | Yes | Configuration is available in the tool |
No locally stored passwords in configurations | Yes | Passwords are encrypted |
Supports redundancy and fault tolerant configurations | N/A | This is not relevant |
Documented required exceptions for antivirus systems | N/A | This is not relevant |
Logs to trace system behaviour are available | Yes | When using the app, the users compete by logging activities, which leads to some behaviour tracking in the platform |
Functionality to discover and trace irregular system behaviour is available | No |