
Thursday, February 18, 2016

OSSTMM (Open Source Security Testing Methodology Manual)


What is OSSTMM?
OSSTMM stands for Open Source Security Testing Methodology Manual. It was developed by Pete Herzog and is distributed by the Institute for Security and Open Methodologies (ISECOM). It is a document for improving the quality of enterprise security as well as the methodology and strategy of testers. It includes various information-gathering templates.
It is one of the international standards for Internet security and testing. It is an open-source, standardized methodology: anyone, from anywhere on the Internet, can open it, add to it or cut from it, and can also raise complaints about vulnerabilities. The methodology relies on the scientific method for operational and financial security measures. Basically, OSSTMM is a set of rules and regulations for penetration testing, ethical hacking and information security analysis, including the tools used for testing and automated vulnerability testing tools. It sets a standard for the testing methodology, whether manual or automated, to which operational security requirements conform. The result of testing is a discipline that acts as a central point for all security tests, regardless of the size of the network, the type of system or the Internet applications involved. It is used in various sectors, such as financial institutions, the navy and air force, security market players (vendors, freelancers, consultancy companies, etc.), telecommunication and financial operators, and many more.

Domains Covered in OSSTMM:

· Information Security: Security is a major concern for computer systems and networks. Many computer systems are secured with access limitations. It is very important to know how to protect important assets (systems, networks, applications, data, etc.) from attackers. This is the major area of OSSTMM because it deals with these key items.
· Process Security: Process security falls under operational control: if any threat exists or arises in a running process, it protects the assets from the influence of third parties. It includes Non-repudiation, Confidentiality, Integrity, Privacy and Alarm.
· Internet Technology Security: It is used for protecting smart meters. It includes Network Surveying, Port Scanning, Services Identification, System Identification, Vulnerability Research and Verification, Internet Application Testing, Router Testing, Trusted Systems Testing, Firewall Testing, Intrusion Detection System Testing, Containment Measures Testing, Password Cracking, Denial of Service Testing and Security Policy Review.
· Communication Security: It emphasizes the communication infrastructure, which includes Posture Review, PBX Review, Voicemail Testing, Fax Testing, Modem Survey, Remote Access Control Testing, VoIP Testing and X.25 Packet Switched Networks Testing.
· Wireless Security: It describes which wireless technologies are used by the organization. It involves Electromagnetic Radiation Testing, 802.11 Wireless Network Testing, Bluetooth Testing, Wireless Input Device Testing, Wireless Handheld Testing, Wireless Surveillance Device Testing, Cordless Communication Testing, Wireless Transaction Device Testing, RFID Testing, Infrared Testing and Privacy Review. It also sets rules and guidelines. For example, if a company adopts Bluetooth technology, the first thing required is to establish whether the organization has wireless technology or not.
· Physical Security: It determines the access controls of the target. It monitors the controls in place against compromising attacks. It also determines how to defeat them.

OSSTMM Test Phases:
There are 7 test phases, as follows:
1. Discovery: Analyzes and acquires the existing system testimonials.
2. Enumeration Verification: Tests the operating system, configuration and services against the system document.
3. Vulnerability Research and Verification: Done and analyzed through penetration testing.
4. Integrating Testing: Checks the integrity of all the results.
5. Security Mapping: Maps the measured security of the results of systems and services.
6. Risk Assessment Value: If any loopholes are found, classifies the risk and measures the risk assessment value (RAV).
7. Reporting: Maps the results and makes recommendations.

Point Process of OSSTMM:
There are three types of interactions in the OSSTMM: Porosity, Four Point Process (FPP), and Echo Process.
Porosity means you need to know how to protect yourself from, or attack, the target, while FPP means getting to know the target in depth by monitoring and watching its activities. The Echo Process is a very basic form of analysis in which things are discovered and learned by interacting directly with the target. It requires access for interaction at the target level and monitoring of the reactions. It is a cause-and-effect type of verification.
The point process is performed in four ways, which is why it is known as the Four Point Process (FPP):
· Induction: Determine the target from its environment: how does it behave in that environment, and what happens if the target is not influenced by its environment?
· Inquest: What signals does the target give off? Investigate the tracks or indicators of those signals, because in general a system or process leaves a signature of its interactions with its environment.
· Interaction: What happens when it is poked? This calls for echo tests, including expected and unexpected interactions with the target, to trigger responses.
· Intervention: How far will it bend before it breaks? Interrupt the resources the target needs, to understand the extremes under which it can continue operating.
Classes are the official labels used in the security industry, government and military fields. Basically, classes define an area of study, investigation or operation. Channels are the ways of interacting with assets. There are three classes that hackers can use to attack: Physical Security (PHYSSEC), Spectrum Security (SPECSEC) and Communication Security (COMSEC), which are further divided into five channels. PHYSSEC contains two channels, Human and Physical; SPECSEC contains one channel, Wireless; and COMSEC contains two channels, Telecommunications and Data Networks.

OSSTMM Compliance:
Compliance does not only specify the operational security requirements; it also specifies periodic OSSTMM testing to fulfill the control requirements drafted as the result of a trust assessment, which scopes the minimum number of control requirements needed to achieve a compliant state, which does not require a secure state. The documentation includes business processes, narratives, trust assessments, risk assessments, signed-off design tests, operational audits, attestations, etc. With the help of OSSTMM, the results are understandable and their level of quality can be verified. It is designed to allow the analyst to view and understand safety and security. With this type of methodology, any compliance effort produces evidence of governance within the business process of security.

Official Link:


Saturday, November 30, 2013

Countermeasures against Social Engineering



In my article published in PenTest Magazine I discussed social engineering as the most dangerous weapon used by hackers. In this blog post we will learn the countermeasures against social engineering.

Social Engineering: According to Wiki, “Social Engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.” Social engineering is not a new thing at all; it is the art of lying to get confidential information in order to access or hack into a system.

Social engineering attacks are one of the hardest threats to defend against because they involve the human element.

→ Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

→ Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.

→ Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

→ Don't send sensitive information over the Internet before checking a website's security (see Protecting Your Privacy for more information).

→ Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

→ If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).

Other important points are:

IT Security and other Units

Physical and IT security personnel often have an uneasy and distant relationship, even in institutions where they share a common node of the management tree.

· IT personnel should at least understand the need for physical controls and have some involvement in the physical securing of IT equipment, especially when sophisticated technical controls such as handheld authentication devices are employed.
· Non-IT security people need at least a basic understanding of how IT hardware hangs together in order to appreciate where the weaknesses are: not only in terms of sabotage, theft and espionage, but even in terms of accidental damage. In many cases, they’ll be the first line of defence against breaches of the physical perimeter.


General Education

General users should not be expected to become security experts. Indeed, it’s unrealistic to expect them to be particularly IT-literate beyond the requirements of their work. This makes the quality of the educational and other resources available to them particularly important, not only in terms of accuracy and pertinence, but also accessibility. Training and first-line documentation should be as brief and clear as possible, but more detailed resources should be available and known to be available. In particular, such documentation should make as few assumptions as possible about the technical knowledge of the reader: unfortunately, this is not always consistent with the equally pressing requirement that it should be as short as possible.

Risk Analysis

I hope I’ve convinced you that social engineering is a significant threat. However, it’s seriously under-documented, and committing major resources to deal with a threat many people have never heard of or considered is not always easy. This paper gives some background, but useful statistics are scarce: I can’t point you to a survey which tells you how much a year social engineering costs the ‘average’ organization. Statistics on security breaches in general are easier to come by, but they don’t tell you how much use individual intruders made of social engineering, so you have to approach it from the other end: gathering information on how vulnerable you are to this threat, and what measures are available to counter it.

Security Policies and Insurance Policies


Security is a cost centre. Like fire insurance, it’s a large expense set against the risk of an attack which may never come, though with social engineering it’s probably truer to say that such attacks are frequent, but not necessarily recognised as such. Security policies aren’t popular: they take time to put together properly and are of no practical use without a realistic educational program to back them up.


Hope this will be helpful for your organisation and for you to stay away from Social Engineers.


Tuesday, March 5, 2013

Elites Hub - Unique Concept of Training

A few years ago, when I was taking training from a private institution, I came to know that there are hundreds of institutes in the market providing training on the same subjects, but no institute or company was providing the best guided, path-oriented training to students; they are just making a profit out of students' fees. I met Aakash and Shridhar in November 2012. He told me about the project Elites Hub; in the first half I was easily convinced by him, as this was an idea and project specially designed for the bright future of students. Let me introduce this project here in detail.


We have the most unique training programmes, and we also aim to provide world-class training in India, as we believe in research, quality, excellence, imagination and developing self-assessment in learning, with path-oriented knowledge at Elites Hub. Our courses include industry and academic tasks and research paper topics created and designed by a team of experts.

We are Elites, the best in our categories, providing unique training programs under one roof, i.e. creating a hub for professionals. More specifically, we breed professionalism into the blood of our trainees, and thus we say we are breeding professionalism.

We provide training on the following:

A) Web Development
B) Mobile Application
C) Cyber Security
D) Embedded/Robotics

Best features from our side:

A) Office Infrastructure
B) R&D Center
C) Accommodation
D) Meals
E) Weekend Outing

For more info, and to enroll to study under industry experts, mail us now at contact@eliteshub.com, call +919824435293, or log in to http://www.eliteshub.com