TUCoPS :: HP Unsorted T :: b1a-1075.htm

The New ISO Hacking Standard
The New ISO Hacking Standard
The New ISO Hacking Standard

The security community may be interested in this:

The New ISO Hacking Standard

New York, May 17, 2010 -- The world=92s national standards bodies met 
again during April, this time in Malaka, Malaysia and they extended 
talks about the Open Source Security Testing Methodology Manual. This 
ultimate security guide, better known to security experts and hackers 
alike as the OSSTMM (spoken like =93awesome=94 but with a =93t=94), is a 
formal methodology for breaking any security and attacking anything 
the most thorough way possible. So why is the International Standards 
Organization talking about it?

Some national standards organizations like ANSI in the USA and UNINFO 
in Italy have had their eye on the OSSTMM for years. Others, like DIN 
in Germany, were only recently shown the benefits of the OSSTMM but 
then supported it immediately. Released for free in January 2001 by 
Pete Herzog as the underdog to the security industry=92s product-focused 
security advice, the manual achieved an instant cult following. The 
fact that OSSTMM is open to anyone for peer review and further 
research led to it growing from its initial 12 page release to its 
current size of 200. The international support community also grew to 
over 7000 members with dozens of research contributors dedicating 
their time to enhancing it. For testing security operations and 
devising tactics it has no equal. Its popularity and growth happened 
so fast that the non-profit organization ISECOM created the Open 
Methodology License (OML) asserting the OSSTMM as an open Trade Secret 
to assure it remained free, as in no price, as well as free from 
commercial and political influence. The OSSTMM seemed to have all the 
features of being the answer for securing the world except that it had 
never been formally recognized=85until now.

With such fanatical devotion from experts and the underground, the 
OSSTMM soon gained the attention of governments from city to state to 
national which is how it eventually got to the ISO. ISO is the acronym 
of the International Standards Organization. Headquartered in Geneva, 
Switzerland, ISO is the collection of people who create manuals 
standardizing all sorts of things like paper sizes (ISO 216), what 
determines a water-resistant watch (ISO 2281), how to properly conduct 
quality management (ISO 9001), the C programming language (ISO 9899), 
shoe sizes (ISO 9407), or what defines proper information security 
(ISO 27001 and 27002). However they currently have nothing on 
operational security, the means of assuring security for processes and 
systems in action. The only way that can be done is by attacking it 
every way possible, pushing the impossible, and see why and how the 
security breaks. That=92s exactly what the OSSTMM does.

During past ISO meetings, the Subcommittee 27, mostly known for its 
ISO/IEC 27000 family (Information Security Management System) and 
ISO/IEC 15408 (Common Criteria), already discussed the topic within 
different working groups (WG) with no clear outcome. Meanwhile, some 
ISECOM members, like Dr. Fabio Guasconi in Italy and Heiko Rudolph 
together with Aaron Brown in Germany, have become active participants 
in their respective ISO national bodies to help inform their ISO 
colleagues about the many benefits the OSSTMM could provide to various 
ISO standards. In Malaka, Dr. Guasconi, the national body 
representative of Italy=92s UNINFO, made significant progress on this 
front when he held a complete presentation to WG4 and WG3, the latter 
one being devoted to security evaluation criteria. WG3 then eventually 
expressed a formal interest in carving deeper into the security 
testing methodology topic, issuing and approving a resolution for 
starting a study period of one year. The base of this study period, 
which is the first step towards a standardization path, would be 
constituted by the OSSTMM 3 and all security experts from national 
bodies will freely contribute and comment on it. By the end of the 
study period it will be determined how ISO will receive OSSTMM 
contents in its family of security standards. As outlined in Malaka=92s 
presentation there are many standards that could benefit from a 
standard aligned with OSSTMM contents, such as 21827, 15408, 18045, 
19790 and, of course, 27001. Parts of OSSTMM concepts have already 
been posted as comments within the project for ISO 27008, which is 
dedicated to technical audits on security controls. It looks like this 
hacker=92s guide has really grown up.

The OSSTMM is currently in its third revision and still in Beta, 
therefore only available to team members, select reviewers, and 
federal government agencies that require it for drafting policy. This 
third version is a complete re-write of the methodology and has at its 
foundation the ever-elusive security and trust metrics. It required 6 
years of research and development to produce the perfect operational 
security metric, an algorithm which computes the Attack Surface of 
anything. In essence, it is a numerical scale to show how unprotected 
and exposed something currently is. This number is the basis required 
for making a proper trust assessment, another feature of the OSSTMM 3 
to do away with risk assessment in favor of a more factual metric 
using trust. Security professionals, military tacticians, and security 
researchers know that without knowing how exposed a target is, it=92s 
just not possible to say how likely a threat will cause damage and how 
much. But to know this requires a thorough security test which happens 
to be exactly what the OSSTMM provides.

To say the OSSTMM 3 is a very thorough methodology is an 
understatement. It currently has 12 chapters covering proper attack 
procedures, rules of engagement, proper analysis, critical security 
thinking, and trust metrics. It provides 17 modules like Visibility 
Audit, Trust Verification, Property Validation, and Competitive 
Intelligence Scouting, each which describes multiple attacks (called 
Tasks), for 5 different interaction types with a target (called 
Channels) organized by technical knowledge and equipment requirements 
as Human, Physical, Telecommunications, Data Networks, and Wireless. 
An example attack task under the Wireless Channel for Trust 
Verification states, =93Test and document the depth of requirements for 
access to wireless devices within the scope with the use of fraudulent 
credentials.=94 As if that wasn=92t already deep, it even waxes security 
philosophy with things like, =93Compliance requirements which enforce 
protection measures as a surrogate for responsibility are also a 
substitute for accountability,=94 and =93Fear doesn=92t motivate a person to 
find complacency any more than security motivates a person to find 

The OSSTMM may some day be officially recognized by national standards 
bodies. However until then, like an indie band with over 4 million 
downloads, the OSSTMM is not suffering from brand recognition. Still, 
to be an ISO standard is alluring to OSSTMM developers and fans alike. 
They know that to be there, they have proved that the OSSTMM 3 is 
needed, thorough, and important enough for leaders and policy makers 
to consider adopting.

If OSSTMM does become recognized by an international standards body, 
it would also help remove some of the vendor influence from current 
security laws where product focus often diminishes security and costs 
organizations more money. It would allow for the legal framework to 
focus on what is an acceptable attack surface rather than on which are 
accepted products. -Based on OSSTMM, government organizations could 
also determine which environmental controls are required for the 
infrastructure to prevent employees with a lack of security knowledge 
or focus from making bad security decisions as opposed to which brand 
of security awareness training will be need to be bought. It could 
also mean vendors would need to reach higher to surpass the bar set by 
the law instead of forcing the law to stoop down to what the vendor 
can provide.

People who want to support getting the OSSTMM 3 into the ISO family 
can contact ISECOM to help build up the best possible proposal and to 
support it through the November 2010 meeting in Berlin.

ISECOM is a non-profit, security research organization located in 
Barcelona, Spain and New York. With the mission to =93make sense of 
security=94 the organization produces the international standard for 
security testing as well as many other projects including trust 
analysis, home security, and teen cybersecurity awareness. All 
projects at ISECOM are completed the =93open source=94 way through 
collaboration and published for free at the ISECOM website 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986- AOH