The Vision of the OSSTMM

Transcription

1 The Vision of the OSSTMM A species that thrives on innovation means that the rules are made to be broken. For every guideline that reigns in action and behavior, new research and new technology disrupts those rules and sometimes makes them moot. So those who live by the checklist die by the checklist. /

2 Me: Pete Herzog Role: Managing Director of ISECOM Leading Roles: ISECOM, OSSTMM, SCARE, Hacker Highschool, etc. Mission: To make sense of security. Philosophy: Security is a science. Second Most Terrible Truth Known about Security: Aluminum foil hats do help. 2

3 Short Answers 1. What is the OSSTMM? 2. Why did it need 4 years to make? 3. What is the big secret about the aluminum foil hat? 4. How does the OSSTMM comply with existing norms and regulations? 5. Does perfect security exist? 3

4 LONG ANSWER #1 What is the OSSTMM? 4

5 What is the OSSTMM? Open Source Security Testing Methodology Manual An international standard for security testing and analysis. A methodology based on the scientific method. A means for measuring operational security subjectively and even financially. A means for substantially reducing false positives and false negatives. A concrete process for being functionally and thoroughly secure. 5

6 What is new in OSSTMM 3? Categorizing security into calculable components (clear definitions) Security metrics (RAVs) Test errors, test types, vulnerability classifications, process classifications, integrity, trust manipulation, and audit methods. No best practices or re-hashed research here - all original and verified research. Greatly advanced tests. All new methodology: 6

7 7

8 LONG ANSWER #2 Why did it need 4 years to make? 8

9 Definitions To help us better understand each other: Security Something which protects an asset from a threat. Safety Move from the threat. Eliminate the threat. Convert the threat. Something which controls the access, process, interactivity, or impact of a threat to an asset. Be among the threat safely. 9

10 4 Points Process 2. INQUEST investigate emanations 3. INTERACTION trigger responses 4. INTERVENTION changing resource interactions 1. INDUCTION establish facts about the environment 10

11 Components of the Methodology Scope Channel Index (quantity) Vector (perspective) Vector Index COMSEC SPECSEC Target PHYSSEC Channel Scope 11

12 Channels 12

13 OSSTMM 3 Test Types Blind War Gaming, Role Play Double Blind Penetration Testing Gray Box Often a Self Assessment Double Gray Box Also a White Box Audit Tandem Also a Crystal Box Audit Reversal Red Team Exercise Common Test Methods 13

14 LONG ANSWER #3 1.What about the aluminum foil hat? 14

15 Auditor Precautions 15

16 LONG ANSWER #4 1.How does the OSSTMM comply with 2.existing norms and regulations? 16

17 OSSTMM Compliance Legislation. Compliance with legislation is in accordance to region where the legislation can be enforced. The strength and commitment to the legislation comes from its popularity and previously successful legal arguments and appropriately set and just enforcement measures. Failure to comply to legislation may lead to criminal charges. Regulation. Compliance to regulation is in accordance to the industry or within the group where the regulation can be enforced. Failure to comply with regulations most often leads to dismissal from the group, a loss of privileges, a monetary fine, civil charges, and in some cases where legislation exists to support the regulatory body, criminal charges can be made. Policy. Compliance to policy is in accordance to the business or organization where the regulation can be enforced. Failure to comply with policy most often leads to dismissal from the organization, a loss of privileges, a monetary fine, civil charges, and in some cases where legislation exists to support the policy makers, criminal charges can be made. 17

18 Where is Security at? Security 1.0 Physical Security-like focus for all channels. Security 2.0 Solution-based Compliance and Audit focus Security 3.0 Multi-Channel Security Security 4.0 Eco-Security or more Solution-based madness??? 18

19 LONG ANSWER #5 Does perfect security exist? 19

20 20

21 How RAVs Work If I could count all the cells in your body... And classify them to a simple scheme... And tell the difference between working and nonworking cells... I can't tell how tall you are or how fat... I can tell how well your cells do their job and how well you work as an organism... How you fit in with your environment... Which cells you need more of and which you have too much of... And tell you which cells need to be watched. 21

22 Risk Assessment Values (RAV s) Operational Security (OPSEC) The lack of security one must have to be interactive, useful, public, open, or available Defined by combination of visibility, trust and access Controls Impact and loss reduction controls 5 Class A controls which control interactions 5 Class B controls which control processes Limitations The current state of perceived and known limits for channels, operations, and controls as verified within the audit Combined to produce Actual Security value (0-100) 22

23 Measurement Issues For example, when is a table a table? It is a table due to the function of a table, No part of that function as a table is untrue such that as a bowed or round surface which could make it non-functional as a table. 23

24 Practical Measurements Measuring the cubic meters of house appears simple enough because we can grasp the concept of a house, how it functions, and when it does not function as a house. Or can we? Is the concept universal? Does it matter? 24

25 Operational Security (OpSec) Because we are concerned with how security works. We don't care what you have. We care how it functions. OpSec is about protection: Visibility Access Trust 25

26 Safety Controls INTERACTIVE (Class A) Authentication Authorization Identification Indemnification Resilience Subjugation PROCESS (Class B) Non-repudiation Confidentiality Privacy Integrity Alarm Continuity 26

27 Limitations by Number 27

28 The RAV Method Category Operational Security Loss Controls Security Limitations Class A Class B Input Visibility Access Trust Authentication Indemnification Resistance Subjugation Continuity Non-Repudiation Confidentiality Privacy Integrity Alarm Vulnerability Weakness Concern Exposure Anomaly The Risk Assessment Value is derived from three categories defined within the scope: Operational Security Loss Controls Security Limitations. First aggregate and associate all of our input information into the appropriate categories for each input variable 28

29 Quantification We count our OPSEC and our Controls and our Limitations. 29

30 The Balancing Act 10 CONTROLS NULLIFIES 1 OPSEC 30

31 Quantifying Limitations Each Limitation's value is dependent upon defined OpSec and Control values. 31

32 Change Control Quantify to find the delta. This tells you the change which would occur if you placed this network in another network. 32

33 Security Test and Audit Report (STAR) Date and time of test Duration of the test Testers and analysts involved Test type Scope Index (method of target enumeration) Channel tested Vector of the test Verified tests and metrics calculations of operational protection levels, loss controls, and security limitations All tests which have been made, not made, or only partially made and to what extent Any issues regarding the test and the validity of the results Test error margins The processes which influence the security limitations Any unknowns or anomalies 33

34 Why STAR? Allows comparisons with historical tests, between departments, and other organizations. Allows for deeper, big picture testing where multiple vectors combine to one STAR. Provides a tailored metric to verify new vulnerabilities against without exploiting them. Provides a means to calculate security change from new products before integrating them into your network. Allows calculation of ROI. 34

35 MORE INFO? Need aluminum foil hats?