OSSTMM in Detail

The aim of penetration testing, also known as pen testing, is to ensure that an organization's IT vulnerabilities are found and that the organization secures its network. Penetration testers use the same processes, techniques and tools that attackers use to find vulnerabilities, thereby creating a simulated attack on the computer system to identify its strengths and weaknesses. Different methodologies are used in pentesting, each aiming at authenticity and coverage of all important aspects. They include the Information System Security Assessment Framework (ISSAF), the National Institute of Standards and Technology (NIST), the Open Web Application Security Project (OWASP) and the Open Source Security Testing Methodology Manual (OSSTMM). Each methodology has a different framework for performing the tests, and thus they lead to different results. OSSTMM is one of the most recognized and widely used standards of penetration testing. It relies on a scientific, research-based approach to penetration testing and provides a manual which organizations can use to conduct viable and accurate assessments. This paper therefore discusses OSSTMM in detail to give a better understanding of the methodology.

OSSTMM was initially introduced in 2000 and is reviewed periodically to keep its information and structures up to date for preventing attacks. The manual is maintained by the Institute for Security and Open Methodologies (ISECOM). ISECOM's current release is version 3.0, formed in 2010, which is available on its website (https://www.isecom.org/) for download in PDF format (Knapp & Langill, 2015). OSSTMM has had three versions and is currently proceeding to a 4th version, which has been under review since 2015 towards 2019.
The 1st version, in 2001, involved 7 categories, followed by the second version in 2003 with ten categories. The current version in use is the 3rd, which has been restructured into five sections. OSSTMM uses a peer-reviewed structure that allows the development of a scientific framework published under open source licenses. The importance of OSSTMM is that, beyond offering a methodology for conducting penetration tests, it provides a manual that ensures the essential evaluation of systems against industry and regulatory requirements when corporate assets use them. Thus, individuals can harmonize the methodology with their existing policies and laws, which allows the framework to conform to the structure required for a thorough security audit that does not violate those policies and laws (Wilhelm, 2013).

There are three significant factors in the use of OSSTMM to reduce the attack surface and make a system more secure. Using OSSTMM on the attack surface is essential in identifying the vulnerabilities and menaces which affect the security structure and level and hence need penetration testing for rectification. The three major factors, which the organization conducting penetration testing through OSSTMM must consider beforehand, are porosity, control and limitation. Porosity is the first factor and involves the degree of separation between the attacker and the system (Fiaschetti et al., 2015). Porosity operates through three key parameters. The first is complexity, which involves the critical aspects and the structure of the system architecture that must be prevented from failing. The second is "trust", which involves the free interaction relationship between the system and its components. Finally, there is access, which covers the various areas where interaction can occur. Damage potential and effort are the two variables of operational security that affect the porosity of the system.
Control is the second factor in the OSSTMM metrics and refers to the means an organization can use to reduce porosity: it is the means of reducing or influencing threats and their effects when an interaction occurs, thereby reducing porosity. Controls are categorized into two clusters. The first cluster is the "interactive controls", which have a direct influence on trust, access and complexity interactions (Fiaschetti et al., 2015). These include indemnification, authentication, resilience, continuity and subjugation. The second cluster is the "process controls", which create a defensive process that protects the assets when threats are present. They include confidentiality, non-repudiation, alarm, integrity and privacy. Through the process and interactive controls, there are three variables with which an organization can quantify a control's effect: True Control (TC), Missing Control (MC) and Loss Control (LC). These variables are crucial in determining True Coverage and Missing Coverage.

The third key factor which must be considered in using the OSSTMM methodology is limitation, which represents the reduced capability of the system's available protection mechanisms to work efficiently. Thus, limitation involves the collection of weaknesses and vulnerabilities, including any problem which may threaten the ability of the controls to work efficiently. There are five limitation classifications. The first is vulnerability, an error or flaw that denies access to authorized individuals or allows access to unauthorized ones (Fiaschetti et al., 2015). The others are weakness, an error that disrupts the five interactive controls; concern, which affects the process controls; exposure; and anomaly.
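To make the porosity, control and limitation variables above concrete, the following Python model is an added example; it is neither OSSTMM's own rav calculation nor code from any of the cited works. It assumes a simplified rule, labelled in the comments, that each of the ten control categories should cover every porosity point once, and it does not reproduce the manual's weighting formulas, which the text does not give.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
# Added illustrative model of the OSSTMM variables in the text, not the manual's rav formula.
INTERACTIVE_CONTROLS = ("indemnification", "authentication", "resilience", "continuity", "subjugation")
PROCESS_CONTROLS = ("confidentiality", "non-repudiation", "alarm", "integrity", "privacy")
ALL_CONTROLS = INTERACTIVE_CONTROLS + PROCESS_CONTROLS
LIMITATION_CLASSES = ("vulnerability", "weakness", "concern", "exposure", "anomaly")

@dataclass
class Scope:
    complexity: int  # counts under the three porosity parameters the text names
    trust: int
    access: int
    controls: Counter = field(default_factory=Counter)     # category -> working controls
    limitations: Counter = field(default_factory=Counter)  # limitation class -> findings

    def porosity(self) -> int:
        return self.complexity + self.trust + self.access

    def add_limitation(self, kind: Optional[str] = None, broken_control: Optional[str] = None) -> str:
        # A finding that disrupts a control is classed by the text's rule:
        # weakness for an interactive control, concern for a process control.
        if broken_control in INTERACTIVE_CONTROLS:
            kind = "weakness"
        elif broken_control in PROCESS_CONTROLS:
            kind = "concern"
        elif broken_control is not None:
            raise ValueError(f"unknown control category: {broken_control}")
        if kind not in LIMITATION_CLASSES:
            raise ValueError(f"unknown limitation class: {kind}")
        self.limitations[kind] += 1
        return kind

    def missing_controls(self) -> Dict[str, int]:
        # Assumption (simplified): each of the ten categories should cover every
        # porosity point once; the shortfall is that category's Missing Controls (MC).
        p = self.porosity()
        return {c: max(0, p - self.controls[c]) for c in ALL_CONTROLS}

    def coverage(self) -> Tuple[float, float]:
        # (True Coverage, Missing Coverage) as fractions of the 10 * porosity control slots.
        slots = 10 * self.porosity()
        if slots == 0:  # nothing exposed: nothing can be missing
            return 1.0, 0.0
        missing = sum(self.missing_controls().values())
        return (slots - missing) / slots, missing / slots

def build_example() -> Scope:
    s = Scope(complexity=2, trust=1, access=3)  # constructed sample scope, porosity 6
    s.controls.update({"authentication": 6, "confidentiality": 4, "alarm": 6})
    s.add_limitation("vulnerability")
    s.add_limitation(broken_control="authentication")  # recorded as a weakness
    s.add_limitation(broken_control="alarm")           # recorded as a concern
    return s
```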
The summation of the limitations of the system provides information essential for the integration of OSSTMM, and thus the implementers of the penetration test can evaluate the compromise that exists, assisting in providing structures to reduce the porosity of the system.

OSSTMM operates through five major channels, as the 3rd version states: wireless security testing, telecommunications security testing, data networks security testing, physical security testing and human security testing. Human security testing is the first channel; it mainly targets the operating personnel within the framework of the system and is in some cases considered social engineering (Herzog, 2010). It measures the gap between personnel security awareness and the applicable security standard as stated by regional legislation, company policy and industry regulations. Thus, multiple methods and tools are used to ensure that any suspicions raised by personnel tests are reported, confirming the presence of individuals with critical thinking and diligent people skills. There are several considerations to ensure a high-quality and safe test, which include plausible deniability, human rights, In personam and Incommunicado (Herzog, 2010). In conducting human security testing, the OSSTMM manual requires several aspects, including a visibility audit, which includes personnel enumeration and access identification, and access verification, which includes access process, authentication and authority. There is also trust verification, which includes misdirection, phishing, fraud, misrepresentation, resource abuse and In terrorem. In addition, human security testing covers controls verification, process verification, training verification, segregation review, exposure verification, property validation, logistics and posture review, among other aspects.
Each aspect must be effectively evaluated to ensure proper application of penetration testing to human security through OSSTMM.

The second channel is physical security testing, which involves the material security of the physical boundaries that limit the 3D space of human interaction. The channel requires non-communicative interaction, that is, the analyst interacting physically with the targets. The aim of security testing in this channel is to test logical and physical barriers and the gap between the existing structure and the required standard based on regional legislation, industry regulations and company policy (Herzog, 2010). As with the other security channels, there are considerations for a quality and safe test, which include Ecce hora, Conatus, Magister pecuarius, abuse of discretion, plausible deniability and Sui generis. In addition, this channel goes through the 17 aspects from posture review to alert and log review, which ensures effective analysis of every aspect of the physical security channel.

The third channel is wireless security testing, which includes emanations security, signals security and electronics security. Thus, any attempt at unauthorized access through analysis of non-communications electromagnetic radiation is denied. Signals security aims to protect wireless communications from unauthorized access and jamming, while emanations security prevents the disclosure of information through interception and analysis of machine emanations. In this channel, the analyst is required to have sufficient security and protection from all forms of radiation, including electromagnetic power sources. There are two major considerations: In personam and Ignorantia legis neminem excusat (Herzog, 2010).
The fourth channel is telecommunications security testing, which covers material security within the electronic security areas, that is, within the boundaries of telecommunications over wires. The considerations include property rights and Ignorantia legis neminem excusat. The fifth channel is data networks security testing, which requires the use of the existing operational safeguards on the data communication network that are essential for property access. Through process and signature, the end operators and artificial intelligence can identify on-going attacks during testing. As in the previous channel, the considerations include property rights and Ignorantia legis neminem excusat. All five channels follow the structure of the 17 aspects from posture review to alert and log review.

After discussing the five major channels of OSSTMM, it is essential to understand the testing types associated with the methodology. The general testing types, regardless of the methodology, are white-box testing, black-box testing and gray-box testing, and they apply to OSSTMM as well. However, OSSTMM has its own specific testing types: blind, double blind, gray-box, double gray-box, tandem and reversal (Vernersson, 2010). Blind testing is where the tester has no prior knowledge of the system; it is also known as role-playing or ethical hacking. The double-blind test, also referred to as a black-box audit, is conducted where the tester has no prior knowledge of the scope or the subject, and it is essential for understanding the resilience of the target under attacks from unknown variables. In the gray-box attack, the auditor engages the target while fully knowing the channels but with less knowledge of its defenses, which is essential for internal system self-assessment (Vernersson, 2010).
The double gray-box, or white-box audit, is where the target has information on the depth, breadth and span of the audit but is not given information on the tests. This test aims at efficiency. Fifthly, the tandem test, also called the crystal-box audit, gives the target all details of the upcoming test to be performed and aims at understanding the target's preparedness for an attack. Finally, reversal, or a red team exercise, is the last testing type for OSSTMM and involves giving all information to the target but not stating when the audit will take place. It also aims at testing how prepared the target is in case of an attack.

In addition, there are different test modules for the penetration tests, which are critical to detailed information on the penetration methodologies. In the Open Source Security Testing Methodology Manual, there are four test modules which are essential in understanding the test type. Understanding the design and operation of the modules is critical since they assist the analyst in scheduling the details of the audit in phases, depending on the requirements of the audit, business thoroughness and time allotment. The four phases in OSSTMM are the induction phase, interaction phase, inquest phase and intervention phase (Herzog, 2010). The induction phase, as the name suggests, is the first phase in the procedure and involves understanding the scope, audit requirements and constraints. It involves the first three major aspects: posture review, logistics and active detection verification. The second phase, the interaction stage, involves the target interacting with assets, which is key in defining the scope. It involves the visibility audit, access verification, trust verification and control verification modules.
The inquest phase is the third phase, where the analyst uncovers the various segments of detriment or value caused by mismanaged or misplaced information within the security audit (Herzog, 2010). In this phase, the modules include process verification, training verification, property validation, exposure verification, segregation review and competitive intelligence scouting. Finally, the fourth phase is the intervention phase, which involves tests on the resources in scope that the target requires. Thus, the resources can be starved, overloaded, switched or changed to disrupt or cause penetration. The modules included are privileges audit, service continuity, quarantine verification, and alert and log review or the end survey. The distribution of the four phases allows effective evaluation and structuring of the process.

The detailed information above reveals the major aspects which constitute OSSTMM. Thus, it is essential to determine the positive aspects or benefits associated with OSSTMM. First, use of the OSSTMM methodology leads to accurate security measurement due to a reduction in the occurrence of false positives and negatives. Secondly, the methodology allows thorough assessment since individuals or the organization can aggregate the results in a reliable, quantifiable and consistent manner. Thirdly, the process has the four interconnected phases named above, which are positive towards obtaining, assessing and verifying information regarding the target subject or environment. These prevent complications and inefficient procedure in the process. Fourthly, the methodology involves the use of the Security Test Audit Report (STAR), which can be an important tool for management in testing objectives, output and risk assessment values from each test phase.

In retrospect, there are different penetration testing methodologies. However, OSSTMM is one of the most widely known and used penetration test methodologies.
OSSTMM relies on a scientific, research-based approach to penetration testing and provides a manual which organizations can use to conduct viable and accurate assessments. Since its introduction in 2000, it has had three versions: the 1st in 2001, the 2nd in 2003 and, currently in use, the 3rd. However, the latest version is under review to formulate the 4th version. There are three major factors to consider when using OSSTMM to reduce the penetration of threats: porosity, control and limitation. Also, there are five major channels for penetration testing: wireless security testing, telecommunications security testing, data networks security testing, physical security testing and human security testing. The methodology has blind, double blind, gray-box, double gray-box, tandem and reversal testing types. Finally, the methodology has different phases, namely the induction, interaction, inquest and intervention phases, which distribute the modules effective for the collection, analysis and recording of information.

References

Fiaschetti, A., Morgagni, A., Panfili, M., Lanna, A., & Mignanti, S. (2015). Attack-surface metrics, OSSTMM and Common Criteria based approach to "composable security" in complex systems. WSEAS Transactions on Systems, 14, 187-202. https://www.researchgate.net/publication/308621019_AttackSurface_metrics_OSSTMM_and_Common_Criteria_based_approach_to_Composable_Security_in_Complex_Systems

Herzog, P. (2010). OSSTMM 3 – The Open Source Security Testing Methodology Manual: Contemporary Security Testing and Analysis. ISECOM. https://www.isecom.org/OSSTMM.3.pdf

Knapp, E. D., & Langill, J. (2015). Standards and Regulations. Industrial Network Security. ScienceDirect. https://www.sciencedirect.com/science/article/pii/B9780124201149000137

Vernersson, S. (2010). Penetration testing in a web application environment. http://www.divaportal.org/smash/get/diva2:356502/fulltext01.pdf

Wilhelm, T. (2013). Professional penetration testing: Creating and learning in a hacking lab. Newnes. https://www.sciencedirect.com/science/article/pii/B9781597494250000105