OSSTMM in Detail

The aim of penetration testing, also known as pen testing, is to ensure that an organization's IT vulnerabilities are found and that the organization secures its network. Penetration testers use the same processes, techniques and tools that attackers use to find vulnerabilities, creating a simulated attack on the computer system to identify its strengths and weaknesses. There are different methodologies used in pentesting, which aim at authenticity and coverage of all important aspects. They include the Information System Security Assessment Framework (ISSAF), the National Institute of Standards and Technology (NIST) guidance, the Open Web Application Security Project (OWASP) and the Open-Source Security Testing Methodology Manual (OSSTMM). Each methodology has a different framework for performing the tests, and thus they lead to different results. OSSTMM is one of the most recognized and widely used standards for penetration testing. It relies on a scientific, research-based approach to penetration testing and provides a manual which organizations can use to conduct viable and accurate assessments. Thus, this research will discuss OSSTMM in detail to give a better understanding of the penetration testing methodology.
OSSTMM was initially introduced in 2000 and is reviewed periodically to keep its information and structures up to date for preventing attacks. The methodology manual is maintained by the Institute for Security and Open Methodologies (ISECOM). The current release from ISECOM is version 3.0, published in 2010, which is available on its website (https://www.isecom.org/) for download in PDF format (Knapp & Langill, 2015). OSSTMM has had three versions and is currently proceeding to the 4th version, which has been under review since 2015 towards 2019. The 1st version was released in 2001 and involved 7 categories, followed by the second version in 2003, which had ten categories. The current version in use is the 3rd version, which has been restructured into five sections. OSSTMM uses a peer-reviewed structure that allows the development of a scientific framework published under Open Source licenses. The importance of OSSTMM is that, besides offering a methodology for conducting penetration tests, it provides a manual that ensures essential evaluation of systems against industry and regulatory requirements when corporate assets use them. Thus, individuals can harmonize the methodology with their existing policies and laws, which allows the framework to conform to a structure for a thorough security audit that does not violate those policies and laws (Wilhelm, 2013).
There are three significant factors in the use of OSSTMM to reduce the attack surface and make a system more secure. Applying OSSTMM to the attack surface is essential in identifying the vulnerabilities and threats which affect the security structure and level, and which therefore need penetration testing for rectification. The three major factors, which an organization conducting penetration testing through OSSTMM must consider beforehand, are porosity, control and limitation. Porosity is the first factor and describes the degree of separation between the attacker and the system (Fiaschetti et al., 2015). Porosity operates through three key parameters. The first is complexity, which covers the critical aspects and the structure of the system architecture that must be protected from failure. The second is "trust", which covers the free interaction relationships between the system and its components. The third is access, which covers the various points at which interaction can occur. Damage potential and effort are the two variables which affect operational security and hence the porosity of the system.
Control is the second factor in the OSSTMM metrics, and it refers to the means an organization can use to reduce porosity. Controls are the means of reducing or influencing threats and their effects when an interaction occurs, thereby reducing porosity. Controls are categorized into two clusters. The first cluster is the "interactive controls", which have a direct influence on trust, access and complexity interactions (Fiaschetti et al., 2015). These are indemnification, authentication, resilience, continuity and subjugation. The second cluster is the "process controls", which create a defensive process that protects the assets in the presence of threats. These are confidentiality, non-repudiation, alarm, integrity and privacy. Across the interactive and process controls there are three variables through which an organization can quantify a control's effect: True Control (TC), Missing Control (MC) and Loss Control (LC). These variables are crucial in determining True Coverage and Missing Coverage.
The third key factor which must be considered in using the OSSTMM methodology is limitation, which represents the reduced capability of the system's available protection mechanisms to work efficiently. Thus, limitation covers the collection of weaknesses and vulnerabilities, including any problem which may threaten the ability of the controls to work efficiently. There are five limitation classifications. The first is vulnerability, an error or flaw that denies access to authorized individuals or allows access to unauthorized ones (Fiaschetti et al., 2015). The others are weakness, an error that disrupts the five interactive controls; concern, which affects the process controls; exposure; and anomaly. Summing the system's limitations provides information essential for the integration of OSSTMM, so that the implementors of the penetration test can evaluate the compromise that exists and thereby assist in providing structures to reduce the porosity of the system.
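As an added worked example (my own illustrative tally, not the OSSTMM 3 rav equations, which this page does not reproduce), the Python below applies the three factors described above to a constructed scope: porosity as a count of pores, true and missing controls per control class, and limitations by class. It counts visibility, access and trust as the pore types, which is how OSSTMM 3 itself defines porosity; the page lists complexity in place of visibility. The control-coverage arithmetic (a control instance covers at most one pore, and each class should cover every pore) is an assumption of this example.

```python
from dataclasses import dataclass, field
# The ten OSSTMM 3 controls named on the page, in their two clusters.
INTERACTIVE_CONTROLS = ("authentication", "indemnification", "resilience",
                        "subjugation", "continuity")
PROCESS_CONTROLS = ("non-repudiation", "confidentiality", "privacy",
                    "integrity", "alarm")
ALL_CONTROLS = INTERACTIVE_CONTROLS + PROCESS_CONTROLS
LIMITATION_CLASSES = ("vulnerability", "weakness", "concern", "exposure", "anomaly")

@dataclass
class Scope:
    """Counts gathered for one audited scope (constructed numbers, not real data)."""
    visibility: int   # targets that can be seen from the test vector
    access: int       # points at which interaction with a target can occur
    trust: int        # unauthenticated interactions between targets in scope
    controls: dict = field(default_factory=dict)     # control class -> instances
    limitations: dict = field(default_factory=dict)  # limitation class -> findings

def porosity(scope: Scope) -> int:
    """Porosity is the sum of the three pore counts (visibility, access, trust)."""
    return scope.visibility + scope.access + scope.trust

def true_controls(scope: Scope) -> dict:
    """Assumed model: an instance of a control counts once per pore, so surplus
    instances beyond the porosity add no coverage."""
    p = porosity(scope)
    return {c: min(p, scope.controls.get(c, 0)) for c in ALL_CONTROLS}

def missing_controls(scope: Scope) -> dict:
    """Assumed model: every control class should cover every pore; the shortfall
    per class is the missing-control count (floored at zero)."""
    p = porosity(scope)
    return {c: max(0, p - scope.controls.get(c, 0)) for c in ALL_CONTROLS}

def coverage(scope: Scope) -> tuple:
    """(true coverage, missing coverage) as fractions of full coverage, i.e. every
    pore covered by all ten controls; a scope with no pores is fully covered."""
    full = porosity(scope) * len(ALL_CONTROLS)
    if full == 0:
        return 1.0, 0.0
    tc = sum(true_controls(scope).values())
    return tc / full, (full - tc) / full

def limitation_totals(scope: Scope) -> dict:
    """Findings per limitation class; an unknown class name is a recording error."""
    unknown = set(scope.limitations) - set(LIMITATION_CLASSES)
    if unknown:
        raise ValueError(f"unknown limitation class(es): {sorted(unknown)}")
    return {c: scope.limitations.get(c, 0) for c in LIMITATION_CLASSES}

# Constructed sample: 3 visible hosts, 5 reachable services, 1 trust relationship.
SAMPLE = Scope(visibility=3, access=5, trust=1,
               controls={"authentication": 9, "confidentiality": 4, "alarm": 10},
               limitations={"vulnerability": 2, "weakness": 1, "exposure": 3})
```

For the sample scope the nine pores are fully covered only by authentication and alarm, so true coverage is 22/90 and missing coverage 68/90; the two always sum to one under this model.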
The operations of OSSTMM proceed through five major channels, as the 3rd version of OSSTMM states. These are human security testing, physical security testing, wireless security testing, telecommunications security testing, and data networks security testing. Human security testing is the first channel, and it mainly targets the operating personnel within the framework of the system; in some cases it is considered social engineering (Herzog, 2010). It measures the gap between personnel security awareness and the appropriate formulated security standard as stated by regional legislation, company policy and industry regulations. Thus, multiple methods and tools are used to ensure that any suspicions raised during personnel tests are reported, so that the organization has individuals with critical thinking and diligent people skills. There are several considerations for ensuring a high-quality and safe test, which include plausible deniability, human rights, In personam, and Incommunicado (Herzog, 2010). In the process of conducting human security testing there are several aspects which the OSSTMM manual requires, including a visibility audit, which covers personnel enumeration and access identification, and access verification, which covers access process, authentication, and authority. There is also trust verification, which covers misdirection, phishing, fraud, misrepresentation, resource abuse and In terrorem. In addition, human security testing covers controls verification, process verification, training verification, segregation review, exposure verification, property validation, logistics and posture review, among other aspects. Each aspect must be effectively evaluated to ensure proper application of penetration testing to human security through OSSTMM.
The second channel is physical security testing, which involves material security testing within the physical boundaries that limit the 3D space of human interaction. The channel requires non-communicative interaction, which includes the analyst interacting with the targets. The aim of security testing in this channel is to test logical and physical barriers and the gap between the existing structure and the required standard based on regional legislation, industry regulations and company policy (Herzog, 2010). Similar to the other security channels, there are considerations for a quality and safe test, which include Ecce hora, Conatus, Magister pecuarius, abuse of discretion, plausible deniability, and Sui generis. In addition, the physical security channel goes through the 17 aspects, from posture review to alert and log review, which ensures effective analysis of every aspect of the physical security channel.
The third channel is wireless security testing, which includes emanations security, signals security and electronics security. Thus, unauthorized access attempted through information derived from the analysis of non-communications electromagnetic radiation is denied. Signals security aims at protecting wireless communications from unauthorized access and jamming, while emanations security prevents the disclosure of information from machine emanations when they are intercepted and analyzed. In this channel, the analyst is required to have sufficient security and protection from all forms of radiation, including electromagnetic power sources. There are two major considerations: In personam and Ignorantia legis neminem excusat (Herzog, 2010). The fourth channel is telecommunications security testing, which involves classifying material security within the electronic security areas that lie within the boundaries of over-the-wire telecommunications. The considerations include property rights and Ignorantia legis neminem excusat. The fifth channel is data networks security testing, which requires the use of the existing operational safeguards on the data communication network that are essential for property access. Through process and signature, the end operators and artificial intelligence can identify on-going attacks during testing. Also, similar to the previous channel, the considerations include property rights and Ignorantia legis neminem excusat. All five channels follow the structure of the 17 aspects, from posture review to alert and log review.
After the discussion of the five major channels associated with OSSTMM, understanding the testing types associated with the penetration testing method is essential. The general testing types, regardless of the penetration type, are white-box testing, black-box testing and gray-box testing, and they apply to OSSTMM as well. However, there are specific testing types for the OSSTMM penetration methodology: blind, double blind, gray-box, double gray-box, tandem and reversal (Vernersson, 2010). A blind test is one where the tester has no prior knowledge of the system; it is also known as role-playing or ethical hacking. The double-blind test, also referred to as a black-box audit, is conducted where the tester has no prior knowledge of the scope or of the subject, and it is essential in understanding the resilience of the target under attack from unknown variables. In the gray-box test, the auditor engages the target while fully knowing the channels but with less knowledge of its defenses, which is essential for internal system self-assessment (Vernersson, 2010). The double gray-box, or white-box audit, is where the target has information on the depth, breadth and span of the audit but is not given information on the tests. This test aims at efficiency. Fifthly, the tandem test, also called the crystal-box audit, gives the target all the details of the upcoming test to be performed, and aims at understanding the preparedness of the target for an attack. Finally, reversal, or a red team exercise, is the last testing type for OSSTMM; it involves giving all information to the target but not stating when the audit will take place. It also aims at testing how prepared the target is in case of an attack.
In addition, there are different test modules for the penetration tests, which are critical to a detailed understanding of the penetration methodologies. In the Open Source Security Testing Methodology Manual, there are four phases into which the test modules are grouped, and these are essential in understanding the test type. Understanding the design and operation of the modules is critical since they assist the analyst in scheduling the details of the audit in phases, depending on the requirements of the audit, the thoroughness the business requires and the time allotted. The four phases in OSSTMM are the induction phase, interaction phase, inquest phase and intervention phase (Herzog, 2010). The induction phase, as the name suggests, is the first phase in the procedure, and it involves understanding the scope, the audit requirements and the constraints. It covers the first three major aspects: posture review, logistics, and active detection verification. The second phase, the interaction phase, involves the target interacting with assets, which is key in defining the scope. It covers the visibility audit, access verification, trust verification and control verification modules. The inquest phase is the third phase, in which the analyst uncovers the various segments of detriment or value caused by mismanaged or misplaced information in the security audit (Herzog, 2010). In this phase, the modules are process verification, training verification, property validation, exposure verification, segregation review and competitive intelligence scouting. Finally, the fourth phase, the intervention phase, involves tests on the resources in scope which the target requires. Thus, the resources can be starved, overloaded, switched or changed to disrupt the target or to cause penetration. The modules involved are the privileges audit, service continuity, quarantine verification, and alert and log review, or the end survey. The distribution of the four phases allows effective evaluation and structuring of the process.
The detailed information above reveals the major aspects which constitute OSSTMM. Thus, it is essential to determine the positive aspects, or benefits, associated with OSSTMM. First, use of the OSSTMM methodology leads to accurate security measurement due to a reduction in the occurrence of false positives and negatives. Secondly, the methodology allows thorough assessment since individuals or the organization can aggregate the results in a reliable, quantifiable and consistent manner. Thirdly, the process has the four interconnected phases named above, which help in obtaining, assessing and verifying information regarding the target subject or environment. These prevent complications and inefficient procedures in the process. Fourthly, the methodology involves the use of the Security Test Audit Report (STAR), which can be an important tool for management in testing objectives, outputs, and risk assessment values from each test phase.
In retrospect, there are different penetration testing methodologies. However, OSSTMM is one of the most widely known and used penetration testing methodologies. OSSTMM relies on a scientific, research-based approach to penetration testing and provides a manual which organizations can use to conduct viable and accurate assessments. Since its introduction in 2000, it has had three versions, with the 1st in 2001, the 2nd in 2003 and, currently in use, the 3rd version. However, the latest version is under review to formulate the 4th version. There are three major factors to consider when using OSSTMM to reduce the penetration of threats: porosity, control and limitation. Also, there are five major channels for the penetration testing: human security testing, physical security testing, wireless security testing, telecommunications security testing, and data networks security testing. The methodology has blind, double blind, gray-box, double gray-box, tandem and reversal testing types. Finally, the methodology has different phases, namely the induction, interaction, inquest and intervention phases, which distribute the modules effectively for the collection, analysis and recording of information.
References

Fiaschetti, A., Morgagni, A., Panfili, M., Lanna, A., & Mignanti, S. (2015). Attack-surface metrics, OSSTMM and Common Criteria based approach to "composable security" in complex systems. WSEAS Transactions on Systems, 14, 187-202. https://www.researchgate.net/publication/308621019_AttackSurface_metrics_OSSTMM_and_Common_Criteria_based_approach_to_Composable_Security_in_Complex_Systems

Herzog, P. (2010). OSSTMM 3 – The Open Source Security Testing Methodology Manual: Contemporary Security Testing and Analysis. ISECOM. https://www.isecom.org/OSSTMM.3.pdf

Knapp, E. D., & Langill, J. (2015). Standards and regulations. In Industrial Network Security. ScienceDirect. https://www.sciencedirect.com/science/article/pii/B9780124201149000137

Vernersson, S. (2010). Penetration testing in a web application environment. http://www.divaportal.org/smash/get/diva2:356502/fulltext01.pdf

Wilhelm, T. (2013). Professional penetration testing: Creating and learning in a hacking lab. Newnes. https://www.sciencedirect.com/science/article/pii/B9781597494250000105