Select either OSSTMM, PTES, or ATT&CK and explain the importance of using a formal testing methodology. Clearly define what occurs in each phase of your selection and the significance of each phase.
Question:
Explain the importance of using a formal testing methodology like OSSTMM. Clearly define what occurs in each phase of your selection and the significance of each phase.
Answer:
OSSTMM stands for Open Source Security Testing Methodology Manual. It is a peer-reviewed methodology for security testing, maintained by the Institute for Security and Open Methodologies (ISECOM), an open security research community that provides tools, original resources, and certifications in the field of security.
OSSTMM was created to provide a scientific methodology for the accurate characterization of Operational Security (OpSec) through examination and correlation of test results in a consistent and reliable way. Almost any audit type, including penetration tests, ethical hacking, security assessments, vulnerability assessments, red teaming, blue teaming, and so forth, can be carried out using this manual. The manual is designed for factual security verification and the presentation of metrics at a professional level; it can also be used as a security research document. Operational Security (OpSec) is a combination of separation and controls. Under OpSec, for a threat to be effective there must be a direct or indirect association between the threat and the asset. One way of separating the threat from the asset is to avoid any possible interaction; in this way we can have total (100%) security, because the threat and the asset are completely separated from each other. The other way is the safety of the asset, which is provided by the controls that we put on the asset, that is, the degree to which we lessen the impact of the threat.
OSSTMM provides guidance on how to test the operational security of five channels so that organizations can understand the full extent of their security and determine how well their security processes function. It is about what your operations do, and not just what they are supposed to do. These five channels include:
1) Human Security Testing: This channel covers the involvement of people, primarily the operating personnel within the target scope or framework. While some services consider this to be "social engineering", the true requirement of security testing in this channel is personnel security awareness testing and gap measurement against the required security standard outlined in industry regulations, company policy or regional legislation. The Analyst is required to have multiple methods and tools for the completion of some tasks to ensure that suspicion is not raised among personnel and that tests are not invalidated by early discovery. It may also be necessary to limit test subjects to one per department or per some other boundary.
2) Physical Security Testing: This channel covers the interaction of the Analyst within physical proximity of the targets. It is a classification of material security within the physical realm, that is, within the limits of human-interactive space. While some services consider this to be "breaking and entering", the true compliance objective of security testing in this channel is physical and logical barrier testing and gap measurement against the required security standard as outlined in company policy, industry regulations, or regional legislation. The Analyst is required to have multiple tools and methods for the completion of some tasks to ensure that suspicion is not raised among personnel and that tests are not invalidated by early discovery. It may also be necessary to limit test subjects to one per department. Analysts also need to be prepared for the possibility of accidental bodily harm from conventional barriers and weapons, interactions with animals, exposure to harmful bacteria, viruses, and fungi, exposure to electromagnetic and microwave radiation (especially that which can permanently damage hearing or sight), and poisonous or corrosive chemical agents in any form.
3) Wireless Security Testing: This channel covers the interaction of the Analyst within proximity range of the targets. While some services consider this to be simply "scanning", the true compliance objectives of security testing in this channel are physical and logical barrier testing and gap measurement against the required security standard outlined in industry regulations, company policy or regional legislation. The Analyst is required to have adequate protection from electromagnetic power sources and other forms of radiation. Analysts also need to be prepared for the possibility of accidental bodily harm from exposure to electromagnetic and microwave radiation, especially that which can permanently damage hearing or sight. Proper equipment should give warnings when within range of electromagnetic and microwave radiation from -12dB and greater. Specific frequencies may affect implanted medical devices and cause vertigo, headaches, stomach cramps, diarrhea, and other discomforts on both an emotional and a physical level.
4) Telecommunication Security Testing: This channel covers the interaction of the Analyst with his/her targets over telecommunications. While some services consider this to be simply "phreaking", the true compliance objective of security testing in this channel is logical barrier testing and gap measurement against the required security standard as outlined in industry regulations, company policy or regional legislation. The Analyst is required to have multiple tools and methods for the completion of some tasks to ensure that suspicion is not raised among personnel by continual and sequential ringing of phones, and that tests are not invalidated by early discovery. Analysts also need to be prepared to work with both digital and analog telecommunications equipment, with sound frequency analyzers, and within information networks providing regional content through local phone providers.
5) Data Networks Security Testing: This channel covers the involvement of computer systems, primarily the operating networks within the target scope or framework. While some organizations consider this to be simply "penetration testing", the true compliance objective of security testing in this channel is system interaction and operational quality testing, with gap measurement against the required security standard outlined in industry regulations, company policy or regional legislation. During this testing, end operators and automated defenses can recognize on-going attacks both by process and by signature. For this reason, the Analyst is required to have a sufficient variety of methods to avoid disclosure of the tests, or to work with the operators to ensure that both where security fails and where it succeeds are brought to light. Tests which focus only on the discovery of new problems leave room only for fixes, not for designs for future improvement.