Story continued from Page 1
Some readers might wonder what is OSSTMM concretely about. How does it work? How do you use it?
Pete Herzog: The OSSTMM is concretely about managing and controlling operational security. You can't manage what you can't measure. The OSSTMM gives the power of facts to see what's happening in the operational state of security and make adjustments in the right places as necessary. Some will say risk is a gambler's game and that knowing the operational state can't prevent a break-down (or break-in). That's not true. It is entirely possible to control the state of security and manage which loss controls and which protections you want where but only if you know what's exposed during all points of operations and from all vectors.
Using the OSSTMM is simple. You have a choice. You can get your audits or pen tests as you always have and just now fill in the OSSTMM Audit Report. While it may not be a thorough OSSTMM audit, it will show plainly what has and has not been tested and how. This is a good start to fill in the gaps. The second way is to read and apply the OSSTMM or hire certified OSSTMM auditors (those with their OPSA and OPST). As all OSSTMM audits need to accompany the audit report, you can't go wrong because you will always know exactly what you've gotten.
After five years you are going to release a new major version of the OSSTM Manual. What will we find inside version 3.0?
Pete Herzog: The biggest change is the methodology itself which has evolved from its "steps to security tests" premise which we started with to what is now a true methodology that provides scientific tests and factual measurements for operational security. OSSTMM 3.0 is very advanced in this regard with over 3 years of work into a factual metrics process and concentrated results that qualify as a type of up-time in regards to security. At first it was difficult for people to get used to because they see 99% as their concentrated metric and they get happy. But if you show them it's an uptime and in a year 1% downtime is actually 87.6 hours of downtime due to security problems then they are not so happy. Time is something we can more easily put a financial value on. However, as I said, that 99% does not strictly imply that much downtime as it's actually a metric concentrated (actually hashed) from about 9 different values, each a factual result of a security test. And we can use that 99% to compare security operations from day to day, quarterly, with other test reports even from other testers, and we can combine test results from different test types, channels, scopes, and vectors throughout an organization.
But probably the biggest change we made is to make the OSSTMM accessible to more people through "skins." First we standardized the glossary with ISM3 which itself has been designed to be very compatible and superior to the various, popular, security management standards. We made sure the tests were compatible with how things were done in OSSTMM 2.11 and improvements or necessary changes were logical transitions. Then we made an OSSTMM Audit report which focuses on not just what was tested but what was not and why. This allowed even something as simple as a vulnerability scan to qualify as an OSSTMM audit if it was provided with the OSSTMM Audit report. Then it becomes clear very fast what the metric is actually based on. The skins then evolved from the audit report. People wanted ways to apply the OSSTMM for specific compliance tests like SOX or HIPAA, to complement their ISO270001 audit, for specific industries like banking, or specific technologies like RFID testing. Skins are basically the OSSTMM reduced only to that which needs to be tested for that area and a partially filled in audit report with the specific, metric calculation information included.
Ultimately, what we want is that it's not just a methodology that only a seasoned IT veteran can apply to actually improve real security. We want one that even a typical military soldier can use to assure the physical security of a base or encampment with a metric that shows the weak or redundant security, as well as help field officers report the levels to their commanders to more closely manage day-to-day security operations even from a far-away war room. So you can see what a typical CEO, CIO, CISO, or CFO could do with that kind of fine-grained, security operations information. It would mean hands-on security management capabilities even for those with no formal security background.
Do you plan to develop any tool for OSSTMM users?
Pete Herzog: A project that has been running for a while, yet soon to be released, is a live LINUX distro to support our Hacker Highschool, Security Awareness for Teens project. The distro is based on Gentoo and will include everything needed to run all lessons. Dreamlab Technologies AG, the manager of the distro and a provider of ISECOM certification trainings, is also expanding it to support the OPST and OPSA certification classes.
We also have the Consensus project which is in cooperative development with La Salle University in Barcelona. It is a collection of systems designed to automate an OSSTMM test from multiple vectors like internal network, DMZ, internet-facing systems, and calculate the appropriate metrics. It sends all test data from all vectors to a central system which correlates the data with parsed logs for accurate metrics. Right now it's only a learning tool written in modules to see how much can be tested and how well we can use rules for correlation or even AI techniques. Finally, there are the OSSTMM skins if you count those specific checklists as tools.
Really there's so many more projects and tools in various stages of development that need project managers and support. We've come very far with what we have but more help is appreciated.