Thursday, February 18, 2016

OSSTMM (Open Source Security Testing Methodology Manual)

What is OSSTMM?
OSSTMM stands for Open Source Security Testing Methodology Manual. It was developed by Pete Herzog and is distributed by the Institute for Security and Open Methodologies (ISECOM). It is a document for improving the quality of enterprise security as well as the methodology and strategy of testers. It includes various information-gathering templates.
It is one of the international standards for Internet security and testing. It is an open-source, standardized methodology: anyone, from anywhere on the Internet, can open it, add to it, cut from it, and also raise complaints about vulnerabilities. This type of methodology relies on scientific methods applied to operational and financial security measures. Basically, OSSTMM is a set of rules and regulations for penetration testing, ethical hacking, and information security analysis, which involves tools for testing. It also includes automated vulnerability testing tools. It sets a standard for testing methodology, whether manual or automated, so that operational security requirements are met. The result of testing is a discipline that acts as a central point for all security tests, regardless of the size of the network, the type of system, or the Internet applications. It is used in various sectors such as financial institutions, the navy and air force, security market players (vendors, freelancers, consulting companies, etc.), telecommunication and financial operators, and many more.

Domains Covered in OSSTMM:

· Information Security: Security is a major concern in computer systems and networks. Many computer systems are secured with access limitations. What matters is how to protect the important assets (system, network, applications, data, etc.) from attackers. This is the major area of OSSTMM because it deals with these key assets.
· Process Security: Process security falls under operational control: if any threat exists or arises in a running process, it protects the assets from third-party influence. It includes Non-repudiation, Confidentiality, Integrity, Privacy and Alarm.
· Internet Technology Security: It is used for protecting the Smart Meters. It includes Network Surveying, Port Scanning, Services Identification, System Identification, Vulnerability Research and Verification, Internet Application Testing, Router Testing, Trusted Systems Testing, Firewall Testing, Intrusion Detection System Testing, Containment Measures Testing, Password Cracking, Denial of Service Testing, and Security Policy Review.
· Communication Security: It emphasizes the communication infrastructure, which includes Posture Review, PBX Review, Voicemail Testing, Fax Testing, Modem Survey, Remote Access Control Testing, VoIP Testing, and X.25 Packet Switched Networks Testing.
· Wireless Security: It describes which wireless technologies the organization uses. It involves Electromagnetic Radiation Testing, 802.11 Wireless Network Testing, Bluetooth Testing, Wireless Input Device Testing, Wireless Handheld Testing, Wireless Surveillance Device Testing, Cordless Communication Testing, Wireless Transaction Device Testing, RFID Testing, Infrared Testing, and Privacy Review. It also sets rules and guidelines. For example, if a company adopts Bluetooth technology, the first thing to establish is whether the organization has wireless technology or not.
· Physical Security: It determines the access controls of the target. It monitors the controls in place against attacks and compromise. It also determines how to defeat them.

OSSTMM Test Phases:
There are 7 test phases which are as follows:
1. Discovery: It acquires and analyzes the existing system testimonials.
2. Enumeration Verification: It tests the operating system, configuration and services against the system documentation.
3. Vulnerability Research and Verification: It is carried out and analyzed through penetration testing.
4. Integrating Testing: It checks the integrity of all the results.
5. Security Mapping: It maps the measured security of the results of systems and services.
6. Risk Assessment Value: If any loopholes are found, it classifies the risk and measures the risk assessment value (RAV).
7. Reporting: It maps the results and makes recommendations.

Point Process of OSSTMM:
There are three types of interactions in the OSSTMM: Porosity, Four Point Process (FPP), and Echo Process.
Porosity means you need to know how to protect yourself from, or attack, the target, while FPP means getting to know the target in depth by monitoring and watching its activities. The Echo Process is a very basic form of analysis: discovering and learning about things by interacting with them directly. It requires interactive access at the target level and monitoring of the reactions. It is a cause-and-effect type of verification.
The point process is performed in four ways, which is why it is known as the Four Point Process (FPP):
1. Induction: Determine the target from its environment, how it behaves in that environment, and what happens if the target is not influenced by its environment.
2. Inquest: What signals does the target give off? Investigate the tracks or indicators of those signals, because in general a system or process leaves a signature of its interactions with its environment.
3. Interaction: What happens when the target is poked? This calls for echo tests, including expected and unexpected interactions with the target, to trigger responses.
4. Intervention: How far does it bend before it breaks? The resources the target needs are interrupted to understand the extremes under which it can continue operating.
Classes are the official labels used in the security industry, government and military fields. Basically, classes define the area of study, investigation and operation. Channels are the ways to interact with the assets. There are three classes that hackers can attack: Physical Security (PHYSSEC), Spectrum Security (SPECSEC) and Communication Security (COMSEC); these are further divided into five channels. PHYSSEC contains two channels, the Human and Physical Channels; SPECSEC contains one channel, the Wireless Channel; and COMSEC contains two channels, the Telecommunications and Data Network Channels.

OSSTMM Compliance:
Compliance is not about specifying operational security requirements alone; it also specifies the use of OSSTMM testing on a periodic basis to fulfill the control requirements drafted as the result of a trust assessment, which scopes the minimum number of control requirements needed to achieve a compliant state, which is not required to be a secure state. The documentation includes business processes, narratives, trust assessments, risk assessments, signed-off design tests, operational audits, attestations, etc. With the help of OSSTMM, the result is understandable and verifies the level of quality. It is designed to allow the analyst to view and understand safety and security. With this type of methodology, any compliance effort produces evidence of governance within the business process of security.


Sunday, June 29, 2014

White Hat Hacking - Whitebook for Ethical Hackers and Security Professionals

White Hat Hacking Tutorial - Be a Security Professional. Learn from anywhere, anytime.

Description

Whitebook is a growing community of white hat hackers, or so-called security professionals. We begin with tutorials and techniques for becoming a security professional, and will later grow into a community with job updates, project updates, support and everything related to cyber security for our users.
You can become a white hat hacker, or a security professional, by learning from our Whitebook tutorials. It contains the following topics:

1) Hacking Basics - Introduction to Hacking, Basic Concept of IT, Concept of Security, Introduction to Networking, Foot Printing.

2) Common Hacking Tuts - Google Hacking Database, Windows Hacking and Security, Linux Hacking and Security, Virus, Worms and Trojans, DoS and DDoS, Sniffers, Network Hacking, Social Engineering, Physical Security, Cryptography and Steganography, Wi-Fi Hacking, Firewall and IDS/IPS.

3) Vulnerabilities - Vulnerability Scanning, Vulnerability Research, Web Penetration Testing, Network Penetration Testing, Server Penetration Testing, and more coming soon.

4) Security Standards (Beta) - Security Standards and Principles, OWASP Top 10 Vulnerability, OSSTMM, SANS Top 25 Vulnerabilities. (Note: at present we are just giving an overview in this module; we will soon be updating the details.)

5) Exploits And Exploitation - Assembly Language, Exploit Writing, Buffer Overflow, Reverse Engineering, Exploit Frameworks

6) BackTrack - Introduction to BackTrack, BackTrack Methodology, Information Gathering, Vulnerability Assessment, Exploitation Using BT.

7) Advanced Tools - Acunetix, IBM AppScan, Netsparker, Vega, Burp Suite, w3af, OWASP Zed Attack Proxy, Arachni, Nmap, Maltego, DarkComet, Wireshark.

8) Cyber Forensics - Hacking Incidents, Doing Forensics, Data Recovery and Analysis, Understanding Anti-Forensics, Cyber Crime Investigations. (Note: at present we are just giving an overview in this module; we will soon be updating the details.)

9) Security Management - Information Security Management, Policies and Documentations

10) Tips and Tricks - Facebook Hacking, Tips and Tricks, Mobile Tips and Tricks, List of Sites You Should Not Scan.

Security is a vast field and has several verticals. If you need any other tutorials or have suggestions, we would love to hear them. We will grow with the best tutorials and content.
We are also looking for enthusiastic professionals who can join part time to contribute to this growing community.

Disclaimers: The information provided in this application is to be used for educational purposes only. The website/application creator is in no way responsible for misuse of the information provided. All the information in this Whitebook application is meant to help the reader develop a professional security attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. You implement the information given at your own risk.