The Open Source Security Testing Methodology Manual
From Wikipedia, the free encyclopedia
The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for a thorough security test, now referred to as an OSSTMM audit. An OSSTMM audit is an accurate measurement of security at an operational level, free of assumptions and anecdotal evidence. A proper methodology makes for a valid security measurement that is consistent and repeatable. An open methodology means that it is free from political and corporate agendas. An open source methodology allows for free dissemination of information and intellectual property. This manual is the OSSTMM: the collective development of a true security test and the computation of factual security metrics.
Started at the end of 2000, this manual quickly grew over the following years to encompass all security channels, drawing on the applied experience of thousands of reviewers. It was originally housed under the domain ideahamster.org, where it received a steady amount of traffic from contributors dubbed "ideahamsters", a nickname for people who spin out new ideas like a hamster on a wheel. As the manual grew in popularity, the organization and its name were pressured to grow up as well. In November 2002, ideahamster announced its name change to ISECOM, the Institute for Security and Open Methodologies. By January 2003, ISECOM had been registered as a non-profit organization in Spain and in the United States of America and officially served the public good. By 2005, the manual no longer stood only for a way of ethical hacking; it had become a way to verify that security was being done right at the operational level. As audits became mainstream, the application of a security test became truth-finding: auditors reviewing operations found that "best practice" was, by definition, no longer best for everyone, no matter how it looked on paper. In 2006, the manual became the standard for those who needed safety and security rather than just compliance with a regulation or legislation.
As this manual grows in popularity it keeps its vendor-free, politically neutral values. The methodology has continued to provide straight, factual tests for factual answers. It includes information for project planning, quantifying results, and the rules of engagement for those who will perform the security audits. As a methodology, it does not teach how or why a particular thing should be tested; what it does is let you incorporate it into your auditing needs, harmonize it with existing laws and policies, and use it as the framework it is to assure a thorough security audit through all channels.
It is recommended that you read through this manual once completely before putting it into practice. It aims to be a straightforward tool for the implementation and documentation of a security test. Further assistance for those who need help understanding and implementing this methodology is available at the ISECOM website.
The primary purpose of the OSSTMM is to provide a scientific methodology for the accurate characterization of security through examination and correlation in a consistent and reliable way. The manual is adaptable to most information systems (IS) audits, penetration tests, ethical hacking, security assessments, vulnerability assessments, red-teaming, blue-teaming, posture assessments, war games, and security audits.
The secondary purpose is to provide guidelines which when followed will allow the auditor to perform a certified OSSTMM audit. These guidelines exist to assure the following:
1. The test has been conducted thoroughly.
2. The test includes all necessary channels.
3. The posture for the test includes compliance with the highest standard of civil rights.
4. The results are measurable in a quantifiable means.
5. The results received are consistent and repeatable.
6. The results contain only facts as derived from the tests themselves.
The ultimate goal is to set a standard in a security testing methodology which when used results in meeting factual, practical, and operational security requirements. The indirect result is creating a discipline that can act as a central point in all security tests regardless of the size of the organization, technology, or protection.
Analysis is often accompanied by solutions or consulting, neither of which is required in an OSSTMM audit. Solutions are traditionally provided by default as a means of expressing the vulnerability or weakness and as a value-add to a security test. While it is customary to provide solutions within a security report, it should never be considered mandatory, since there is often no proper solution given the limited view of business justification an auditor has of the client.
Not every engagement requires the auditor to deal with the juxtaposition between an existing or necessary security mechanism or process and the intended or unintended act that will defeat it. However, at every point within the engagement, the auditor must report the factual current state of security, with or without explaining the means of improving it. More plainly, the auditor must at minimum verify and quantify the current state of security, report any volatile issues within that current state, and report any of the processes that have caused those limitations of the applied controls and protections.
OSSTMM reporting therefore requires:
1. Date and time of test,
2. Duration of the test,
3. Auditors and analysts involved,
4. Test type,
5. Scope,
6. Index (method of target enumeration),
7. Channel tested,
8. Vector of the test,
9. Verified tests and metrics calculations of operational protection levels, loss controls, and security limitations,
10. All tests which have been made, not made, or only partially made and to what extent,
11. Any issues regarding the test and the validity of the results,
12. Test error margins,
13. The processes which influence the security limitations,
14. Any unknowns or anomalies.
Successful reporting of an OSSTMM audit shows an actual measurement of security and loss controls. Misrepresenting results in a report produces a fraudulent verification: the reported security level then differs from the actual one. For this reason, the auditor must accept responsibility and hold limited liability for accuracy in reporting.
ISECOM, the caretaker of the manual, provides professional certifications for network security testers (OPST), network security analysts (OPSA) and wireless security experts (OWSE). These certifications require applied knowledge and skills to pass, which better differentiates between those who can walk the walk and those who can only talk the talk. Both the OPST and OPSA have become requirements in many countries for providing government security tests, audits, and penetration tests. Unlike other certifications in the hacking genre, certified Professional Security Testers and Analysts have had to prove the ability to apply their skills efficiently and with exactness. This level of precision under time pressure means losing bad habits, working with formal methods, and applying formal verification to get factual results. For this reason, those who are OSSTMM certified are finding themselves more readily employed than those with other penetration testing certifications, in many fields even outside of IT.
The OSSTMM has been re-developed into everything from security policies to lessons for high-school students. With its unique, straightforward approach to fact finding, the OSSTMM is even being used to test business processes for weaknesses through which fraud, money laundering, and other types of crime can penetrate.