Below, you will find an overview of the Ducky Challenge and IT security information.
General information
| Processing of data: | europe-west1 (Belgium) |
| Cloud Service Provider name: | Google Cloud Platform |
| Country of origin of cloud Service Provider: | United States |
| Service deployment | UK, Norway, Canada |
| Nationality of personnel | British, French, Canadian, Norwegian |
Support of potential features
| Supports authentication with centralized catalogue service | N/A |
| Supports MFA authentication | No |
| Supports role based authorization | No |
| Supports labelling and tagging of information classification level | No |
| Supports cryptography (network transmission, storage, disk) | No |
| Traceability audit of user and administrative actions is logged | N/A |
Support of different systems
| Supports latest operating systems available | We actively test our tool on Windows, macOS, Linux, Android and iOS |
| Supports running on the most common client device types and platforms | The tool can be used on smartphones, desktop, mac, etc. |
| Supports the most common web browsers | You can find the full list of the latest operating systems covered by our tool here |
Documentation
| Product and support documentation is available in English | As stated, product and support documentation is available in English |
| Can provide documentation of capacity and experience for relevant system and domain knowledge | |
| Has a structured and documented way of continuously working with and improving information security (ISMS) | We run a yearly penetration test of the product; as a result, security documentation is being provided and worked upon |
| Personally identifiable information managed according to GDPR (Data Processing Agreements, Databehandleravtaler) | Privacy policy can be found here |
| Ducky is available for audit | If the need arises, yes. |
| Are the systems/services developed and deployed according to a Secure Development Life Cycle process (SDLC)? | We use an iterative, agile process, following CI/CD principles. As well as this, we use error handling software, and track the test coverage of our code |
| Delivered with an installation guide | The organization will be onboarded by Ducky via materials and human support |
| Delivered with an administrators guide | This is not relevant since no administrators are required to use the tool |
| Delivered with a users guide | Help articles are available to the users of the tool |
| Delivered with a troubleshooting guide | The users have access to a support form if they are facing technical issues |
| Delivered with an integrations guide | This is not relevant since integration is not part of our offering |
| All business, product and support documentation are available in English | English versions are available |
Other types of support
| Supports user authentication through MS Active Directory and Azure AD | |
| Supports role-based user authorization through MS Active Directory and Azure AD | |
| Supports single sign-on through MS Active Directory and Azure AD | |
| Supports two-factor authentication | |
| Supports enforcement of password length, complexity, age and use of temporary passwords | Passwords have to be at least 8 characters long |
| Supports labelling and tagging of information classification level | |
| System does not monitor or disclose software usage to external parties | The app is not linked to any external parties |
| Supports role-based authorization (Applications that do not support authorization through AD or Azure AD) | There is no role-based functionality in the solution |
| Audit trail of who did what when | There is no such function in the app, so there is no need for such functionality |
| Supports log shipping to centralized SIEM | No, the app doesn't support it |
| Supports minimum FIPS 140-2 level 1 validated encryption (network transmission, storage, disk) | There is no company data transmitted or stored on the solution |
| Centralized management for de-centralized systems | Not a de-centralized system |
| Supports Windows 10 | It supports it |
| Supports Apple products (iOS, Mac) | It supports it |
| Supports Linux versions. (Redhat, Ubuntu etc.) | It supports it |
| Supports Android and iOS mobile devices | It supports it |
| Supports mainstream browsers (Firefox, MS Edge, Chrome) | It supports it |
| Fully functional without using Active X | Active X not necessary |
| Fully functional without using Java | Java not necessary |
| Supports Microsoft Systems Center for client distribution (CMS system) | |
| Fully functional without the need for 3rd party software to be downloaded and installed | No 3rd party software needs to be installed |
| Fully functional without using system administrator rights | No system administrator rights need to be used |
| Fully functional without special local firewall configurations | It might depend on the organization's security system |
| Fully functional without using public cloud services such as Dropbox, Google Drive and OneDrive | Such services are not needed to use the tool |
| Can operate through a VPN connection | A VPN connection should not impact the use of the tool |
| Optimized for a world wide user base through potentially high latency, low bandwidth networks | As long as the internet connection is good, the users should not experience high latency |
| Support English as the user interface language, even on a foreign language OS install | The tool is available in English |
| Supports running in a Citrix environment | This is not part of the offering |
| Uses an encrypted communication protocol between client and server (Minimum FIPS-140-2-1) | Communication is encrypted using private keys between client and servers |
| Client logs to trace irregular system behaviour are available | This is not available. |
| No required exceptions for antivirus systems | Antivirus systems should not impact the use of the tool |
| Supports latest virtualized Windows | It supports it |
| Supports latest Linux / Unix | It supports it |
| Supports latest MS SQL | Runs in the cloud, no server needed |
| Supports latest IIS | Runs in the cloud, no server needed |
| Does not use or rely on local built-in user accounts | All access through cloud IAM |
| Does not require service accounts with administrative rights | It doesn't require service accounts with administrative rights |
| Supports Windows managed service accounts | Runs in the cloud, no server needed |
| Supports load balancing | Runs in the cloud, no server needed |
| Supports zero downtime upgrades | Runs in the cloud, no server needed |
| Supports zero downtime backup | Runs in the cloud, no server needed |
| Has built-in mechanisms for disaster recovery | Runs in the cloud, no server needed |
| Configurable built-in admin account name, if any | Configuration is available in the tool |
| Configurable built-in admin account password | Configuration is available in the tool |
| No locally stored passwords in configurations | Passwords are encrypted |
| Supports redundancy and fault tolerant configurations | This is not relevant |
| Documented required exceptions for antivirus systems | This is not relevant |
| Logs to trace system behaviour are available | When using the app, the users compete by logging activities, which leads to some behaviour tracking in the platform |
| Functionality to discover and trace irregular system behaviour is available |