[ISECOM-news] OSSTMM 3.0 in progress

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

I'm stopping after another 14 hour day in front of the OSSTMM to only 
continue again tomorrow morning.  The problem is the huge volumes of 
data which needs to be properly classified and filtered into readable, 
usable, practical bites of testing methodology.  Even more so, 3.0 needs 
to tie together security metrics and all sections of the security 
presence (see graphic) to be a complete methodology.  That's one 
methodology for the entire, channel-agnostic, security presence.  That's 
something we didn't have before.

If you've tried the free security metrics software that I reviewed for 
CIOview and provided the OSSTMM and RAV methodologies for, you'd know 
how complexly intertwined all of this is.  It's because security testing 
is incredibly complex and on so many channels of delivery that so few 
people actually do it right.  The OSSTMM not only has to address that 
but to assure that it's understandable what needs to be done right and 
in non-specific terms, "how".  All we leave out in the end is "why". 
I'll let that get picked up in trainings like ISESTORM.  If you expect 
to use the OSSTMM, I highly recommend you reserve your seat now.  I 
don't think I'll have time to remark on all the comments people will 
have at the Open Source Security Exhibition and of course I'm going to 
want to see Vegas to so I don't want to be talking OSSTMM 24/7 like I 
usually do ;)

If I had to put a percentage on completion, I'd say 85% is done.  The 
last 15% though is like completing the first 15% of a puzzle.  For some 
idea of the complexity, here's the first module of the first channel, 
PERSONNEL:

------------
1 Personnel
The testing of this channel requires interaction with people in 
gatekeeper positions of information and physical property.

1.1	Posture Review
The initial study of the posture includes the laws, ethics, policies, 
industry regulations, and political culture which influence the security 
requirements for the scope.  This review  forms a matrix of which 
testing has been mapped but not constrained to.

1.1.1 	Policy.
Document organizational policy regarding security and privacy 
responsibilities of personnel in the scope.

1.1.2	Legislation.
Document regional and national legislation regarding the security and 
privacy requirements of the organization in the scope as well as that 
which includes the appropriate customers, partners, organizational 
branches, or resellers outside the scope.

1.1.3	Culture.
Document organizational culture in the scope towards security and 
privacy awareness, required and available personnel training, 
organizational hierarchy, and recognized trust interaction between 
employees.

1.1.4	Relationships.
Document the influential relationships between personnel from the 
organizational hierarchy from within the scope.

1.1.5	Regional Culture
Document the influence of regional and foreign cultures on social 
hierarchy in the environment in which the scope resides.

1.1.6	Economics
Document the influence of economics and pay scale on social status of 
personnel from both the perspective of personnel within the scope and 
that of the outside community on which the scope resides.
------------

That's just part 1 of 3 for setting up.  From there we have an average 
of 15 more modules of various size and 4 more channels to tie in together.

The problem is that security testing, penetration testing, ethical 
hacking or whatever you want to call it- it's just not simple.  So 
please be patient and I'm busting away at the keyboard daily to put this 
together finally.

I do want to thank all the people who have offered to help get this 
wrapped up and that I had to decline.  It would take too long to get 
anyone else in this deep and in that time I can just finish this up.

After the OSSTMM I have 1 more lesson to finish on Web Privacy at 
hackerhighschool so if anyone else wants to help, you can take that from 
me and give me a break :)

Good night!

Sincerely,
-pete.

-- 
Pete Herzog - Managing Director - pe...@is...
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
Teacher certification authority.