The OSSTMM (Open Source Security Testing Methodology Manual) is a standardized methodology for security testing and analysis. It was developed by Pete Herzog and provides templates and guidelines for tasks like penetration testing, ethical hacking, and assessing vulnerabilities. The OSSTMM covers various domains of security including information security, process security, internet technology security, communication security, wireless security, and physical security. It outlines a 7-phase testing process of discovery, enumeration, vulnerability analysis, integration testing, security mapping, risk assessment, and reporting. Interactions with systems can include porosity, a four-point process, and echo processes to trigger responses for analysis.
OSSTMM Guide to Open Source Security Testing Methodology Manual
OSSTMM (Open Source Security Testing Methodology Manual)
What is OSSTMM?
The abbreviation OSSTMM stands for Open Source Security Testing Methodology Manual. It was developed by Pete Herzog and is distributed by the Institute for Security and Open Methodologies (ISECOM). It is a document for improving the quality of enterprise security as well as the methodology and strategy of testers. It includes various information gathering templates.
It is one of the international standards for Internet security testing. It is an open source, standardized methodology: anyone can add to it, cut from it, or open any part of it from anywhere on the Internet, and can also report complaints about vulnerabilities. This type of methodology depends on scientific methods applied to operational and financial security measures. Basically, OSSTMM is a set of rules and regulations for penetration testing, ethical hacking, and information security analysis, which involves tools for testing; it also covers automated vulnerability testing tools. It sets the standard for a testing methodology, whether manual or automated, against which operational security requirements are confirmed. The result of the testing creates a discipline that acts as the central point of all security tests, regardless of the size of the network or the type of system or Internet application. It is used in various sectors such as financial institutions, the navy and air force, security market players (vendors, freelancers, consulting companies, etc.), telecommunication and financial operators, and many more.
Domains Covered in OSSTMM:
Information Security: Security is the major concern in computer systems and networks. Many computer systems are secured with access limitations. It is very important to know how to protect important assets (systems, networks, applications, data, etc.) from attackers. This is the major area in the field of OSSTMM because it deals with the important keys.
Process Security: Process security deals with operational control: if any threat exists or is in progress, it protects the assets rather than being influenced by the third party. It includes Non-repudiation, Confidentiality, Integrity, Privacy and Alarm.
Internet Technology Security: It is used for protecting smart meters. It includes Network Surveying, Port Scanning, Services Identification, System Identification, Vulnerability Research and Verification, Internet Application Testing, Router Testing, Trusted Systems Testing, Firewall Testing, Intrusion Detection System Testing, Containment Measures Testing, Password Cracking, Denial of Service Testing, and Security Policy Review.
Communication Security: It emphasizes the communication infrastructure and includes Posture Review, PBX Review, Voicemail Testing, Fax Testing, Modem Survey, Remote Access Control Testing, VoIP Testing, and X.25 Packet Switched Networks Testing.
Wireless Security: It describes which wireless technologies are used by the organization. It involves Electromagnetic Radiation Testing, 802.11 Wireless Network Testing, Bluetooth Testing, Wireless Input Device Testing, Wireless Handheld Testing, Wireless Surveillance Device Testing, Cordless Communication Testing, Wireless Transaction Device Testing, RFID Testing, Infrared Testing, and Privacy Review. It also regulates rules and guidelines. For example, if a company adopts Bluetooth technology, the first thing required is to establish whether the organization has wireless technology or not.
Physical Security: It determines the access controls of the target. It monitors the controls in place against compromising attacks, and it also determines how to defeat them.
OSSTMM Test Phases:
There are 7 test phases, which are as follows:
1. Discovery: It analyzes and acquires the existing system testimonials.
2. Enumeration Verification: It tests the operating system, configuration and services against the system documentation.
3. Vulnerability Research and Verification: It is done and analyzed by penetration testing.
4. Integration Testing: Checks the integrity of all the results.
5. Security Mapping: It maps the measured security of the results of the systems and services.
6. Risk Assessment Value: If any loopholes are found, it classifies the risk and measures the risk assessment value (RAV).
7. Reporting: Maps the results and makes recommendations on them.
Point Process of OSSTMM:
There are three types of interactions in the OSSTMM: Porosity, Four Point Process (FPP), and Echo Process.
Porosity means you need to know how to protect yourself or attack the target, while FPP means you need to know the target in depth by monitoring and watching its activities. Echo Process is a very basic form of analysis in which things are discovered and learned by interacting directly with them. It requires access interaction at the target level and monitoring of the reactions. It is a cause-and-effect type of verification.
The point process is performed in four ways, which is why it is known as the Four Point Process (FPP).
Induction: Determine the target from its environment, how it behaves in that environment, and what happens if the target is not influenced by its environment.
Inquest: What signals does the target give off? Investigate the tracks or indicators of the signals, because in general a system or process leaves the signature of its interactions with its environment.
Interaction: What happens when poking takes place? It calls for echo tests, including expected and unexpected interactions with the target, to trigger responses.
Intervention: How far does it bend before it breaks? The target's resources need to be interrupted to understand the extremes under which it can continue operating.
The classes are the official labels used in the security industry, government and military fields. Basically, classes define the area of study, investigation and operation. The channels are the ways of interacting with the assets. There are three classes, which are useful for hackers to attack on, i.e. Physical Security (PHYSSEC), Spectrum Security (SPECSEC) and Communication Security (COMSEC); these are further divided into five channels. PHYSSEC contains two channels: the Human and Physical Channels; SPECSEC contains one channel: the Wireless Channel; and COMSEC contains two channels: the Telecommunications and Data Networks Channels.
OSSTMM Compliance:
Compliance does not only specify the operational security requirements; it also specifies the use of OSSTMM testing time on a periodic basis to fulfill the control requirements drafted as a result of a trust assessment, which scopes the minimum number of control requirements needed to achieve compliance, not a secure state. The documentation includes business processes, narratives, trust assessments, risk assessments, signed-off design tests, operational audits, attestations, etc. With the help of OSSTMM, the result is understandable and verifies the level of quality. It is designed to allow the analyst to view and understand safety and security. With this type of methodology, any compliance has the production of evidence of governance within the business process of security.
By Falgun Rathod | Cyber Security Consultant
Official Link: http://www.isecom.org/