From: Pete H. <pe...@is...> - 2004-08-31 22:17:10
Hi, I'm stopping after another 14-hour day in front of the OSSTMM, only to continue again tomorrow morning. The problem is the huge volume of data which needs to be properly classified and filtered into readable, usable, practical bites of testing methodology. Even more so, 3.0 needs to tie together security metrics and all sections of the security presence (see graphic) to be a complete methodology. That's one methodology for the entire, channel-agnostic security presence. That's something we didn't have before. If you've tried the free security metrics software that I reviewed for CIOview and provided the OSSTMM and RAV methodologies for, you'd know how complexly intertwined all of this is. It's because security testing is incredibly complex and on so many channels of delivery that so few people actually do it right. The OSSTMM not only has to address that but also assure that it's understandable what needs to be done right and, in non-specific terms, "how". All we leave out in the end is "why". I'll let that get picked up in trainings like ISESTORM. If you expect to use the OSSTMM, I highly recommend you reserve your seat now. I don't think I'll have time to remark on all the comments people will have at the Open Source Security Exhibition, and of course I'm going to want to see Vegas too, so I don't want to be talking OSSTMM 24/7 like I usually do ;)

If I had to put a percentage on completion, I'd say 85% is done. The last 15%, though, is like completing the first 15% of a puzzle. For some idea of the complexity, here's the first module of the first channel, PERSONNEL:

------------
1 Personnel
The testing of this channel requires interaction with people in gatekeeper positions of information and physical property.

1.1 Posture Review
The initial study of the posture includes the laws, ethics, policies, industry regulations, and political culture which influence the security requirements for the scope. This review forms a matrix to which testing has been mapped but not constrained.

1.1.1 Policy. Document organizational policy regarding security and privacy responsibilities of personnel in the scope.
1.1.2 Legislation. Document regional and national legislation regarding the security and privacy requirements of the organization in the scope, as well as that which covers the appropriate customers, partners, organizational branches, or resellers outside the scope.
1.1.3 Culture. Document organizational culture in the scope towards security and privacy awareness, required and available personnel training, organizational hierarchy, and recognized trust interaction between employees.
1.1.4 Relationships. Document the influential relationships between personnel from the organizational hierarchy within the scope.
1.1.5 Regional Culture. Document the influence of regional and foreign cultures on social hierarchy in the environment in which the scope resides.
1.1.6 Economics. Document the influence of economics and pay scale on social status of personnel, from both the perspective of personnel within the scope and that of the outside community in which the scope resides.
------------

That's just part 1 of 3 for setting up. From there we have an average of 15 more modules of various sizes and 4 more channels to tie in together. The problem is that security testing, penetration testing, ethical hacking, or whatever you want to call it, is just not simple. So please be patient; I'm busting away at the keyboard daily to put this together finally. I do want to thank all the people who have offered to help get this wrapped up and that I had to decline. It would take too long to get anyone else in this deep, and in that time I can just finish this up. After the OSSTMM I have 1 more lesson to finish on Web Privacy at hackerhighschool, so if anyone else wants to help, you can take that from me and give me a break :)

Good night!

Sincerely,
-pete.
--
Pete Herzog - Managing Director - pe...@is...
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority.