OSSTMM (Open Source Security Testing Methodology Manual)
What is OSSTMM?
OSSTMM stands for Open Source Security Testing Methodology Manual. It was developed by Pete Herzog and is distributed by the Institute for Security and Open Methodologies (ISECOM). It is a document for improving the quality of enterprise security as well as the methodology and strategy of testers. It includes various information-gathering templates.
It is one of the international standards for Internet security and testing. It is an open source, standardized methodology: anyone, anywhere on the Internet, can open it, add to it or cut from it, and also raise complaints about vulnerabilities. This type of methodology depends on scientific methods for operational and financial security measures. Basically, OSSTMM is a set of rules and regulations for penetration testing, ethical hacking, and information security analysis, which involves tools for testing. It also includes automated vulnerability testing tools. It sets a standard for the testing methodology, whether manual or automated, so that operational security requirements are conformed to. The result of testing creates a discipline that acts as a central point for all security tests, regardless of the size of the network, the type of system or the Internet applications. It is used in various sectors such as financial institutions, the navy and air force, security market players (vendors, freelancers, consulting companies, etc.), telecommunication and financial operators, and many more.
Domains Covered in OSSTMM:
· Information Security: Security is a major concern in computer systems and networks. Many computer systems are secured with access limitations. It is very important to know how to protect important assets (systems, networks, applications, data, etc.) from attackers. This is the major area of OSSTMM because it deals with the key concerns.
· Process Security: Process security falls under operational control: if any threat exists in a running process, it protects the assets rather than letting a third party influence them. It includes Non-repudiation, Confidentiality, Integrity, Privacy and Alarm.
· Internet Technology Security: It is used for protecting the Smart Meters. It includes Network Surveying, Port Scanning, Services Identification, System Identification, Vulnerability Research and Verification, Internet Application Testing, Router Testing, Trusted Systems Testing, Firewall Testing, Intrusion Detection System Testing, Containment Measures Testing, Password Cracking, Denial of Service Testing, Security Policy Review.
· Communication Security: It emphasizes the communication infrastructure, which includes Posture Review, PBX Review, Voicemail Testing, Fax Testing, Modem Survey, Remote Access Control Testing, VoIP Testing, X.25 Packet Switched Networks Testing.
· Wireless Security: It describes which wireless technologies are used by the organization. It involves Electromagnetic Radiation Testing, 802.11 Wireless Network Testing, Bluetooth Testing, Wireless Input Device Testing, Wireless Handheld Testing, Wireless Surveillance Device Testing, Cordless Communication Testing, Wireless Transaction Device Testing, RFID Testing, Infrared Testing, Privacy Review. It also sets rules and guidelines. For example, if a company adopts Bluetooth technology, then the first thing required is to establish whether the organization has wireless technology or not.
· Physical Security: It determines the access controls of the target. It monitors the controls in place against compromising attacks. It also determines how to defeat them.
OSSTMM Test Phases:
There are 7 test phases, which are as follows:
1. Discovery: It acquires and analyzes the existing system testimonials.
2. Enumeration Verification: It tests the operating system, configuration and services against the system documentation.
3. Vulnerability Research and Verification: This is done and analyzed through penetration testing.
4. Integrating Testing: Checks the integrity of all the results.
5. Security Mapping: It maps the measured security of the results of systems and services.
6. Risk Assessment Value: If any loopholes are found, it classifies the risk and measures the risk assessment value (RAV).
7. Reporting: Maps the results and makes recommendations.
Point Process of OSSTMM:
There are three types of interactions in the OSSTMM: Porosity, Four Point Process (FPP), and Echo Process.
Porosity means you need to know how to protect yourself or attack the target, while FPP means getting to know it in depth by monitoring and watching its activities. The Echo Process is a very basic form of analysis in which things are discovered and learned by interacting directly with them. It requires access to interact at the target level and monitoring of the reactions. It is a cause-and-effect type of verification.
The point process is performed in four ways, which is why it is known as the Four Point Process (FPP).
· Induction: Determine the target from its environment: how does it behave in that environment, and if the target is not influenced by its environment, what happens then?
· Inquest: What signals does the target give off? Investigate the tracks or indicators of those signals, because in general a system or process leaves a signature of its interactions with its environment.
· Interaction: What happens when poking takes place? This calls for echo tests, including expected and unexpected interactions with the target, to trigger responses.
· Intervention: How far does it bend before it breaks? Interrupt the resources the target needs, to understand the extremes under which it can continue operating.
The classes are the official labels used in the security industry, government and military fields. Basically, classes define the area of study, investigation and operation. The channels are the ways to interact with the assets. There are three classes, which are useful to hackers attacking a target, i.e. Physical Security (PHYSSEC), Spectrum Security (SPECSEC) and Communication Security (COMSEC). These are further divided into five channels. PHYSSEC contains two channels: the Human and Physical channels; SPECSEC contains one channel: the Wireless channel; and COMSEC contains two channels, i.e. the Telecommunications and Data Network channels.
OSSTMM Compliance:
Compliance does not only specify the operational security requirement; it also specifies the use of OSSTMM testing on a periodic basis to fulfill the control requirements drafted as a result of a trust assessment, which scopes the minimum number of control requirements needed to achieve a compliant state, which does not require a secure state. The documentation includes business processes, narratives, trust assessments, risk assessments, signed-off design tests, operational audits, attestations, etc. With the help of OSSTMM, the result is understandable and the level of quality can be verified. It is designed to allow the analyst to view and understand safety and security. With this type of methodology, any compliance produces evidence of governance within the business process of security.
Official Link: