The New ISO Hacking Standard
The security community may be interested in this:
The New ISO Hacking Standard
New York, May 17, 2010 -- The world’s national standards bodies met again during April, this time in Malaka, Malaysia, and they extended talks about the Open Source Security Testing Methodology Manual. This ultimate security guide, better known to security experts and hackers alike as the OSSTMM (spoken like “awesome” but with a “t”), is a formal methodology for breaking any security and attacking anything in the most thorough way possible. So why is the International Standards Organization talking about it?
Some national standards organizations like ANSI in the USA and UNINFO in Italy have had their eye on the OSSTMM for years. Others, like DIN in Germany, were only recently shown the benefits of the OSSTMM but then supported it immediately. Released for free in January 2001 by Pete Herzog as the underdog to the security industry’s product-focused security advice, the manual achieved an instant cult following. The fact that the OSSTMM is open to anyone for peer review and further research led to it growing from its initial 12-page release to its current size of 200 pages. The international support community also grew to over 7000 members, with dozens of research contributors dedicating their time to enhancing it. For testing security operations and devising tactics it has no equal. Its popularity and growth happened so fast that the non-profit organization ISECOM created the Open Methodology License (OML), asserting the OSSTMM as an open Trade Secret to assure it remained free, as in no price, as well as free from commercial and political influence. The OSSTMM seemed to have all the features of being the answer for securing the world, except that it had never been formally recognized… until now.
With such fanatical devotion from experts and the underground, the OSSTMM soon gained the attention of governments from city to state to national level, which is how it eventually got to the ISO. ISO is the acronym of the International Standards Organization. Headquartered in Geneva, Switzerland, ISO is the collection of people who create manuals standardizing all sorts of things like paper sizes (ISO 216), what determines a water-resistant watch (ISO 2281), how to properly conduct quality management (ISO 9001), the C programming language (ISO 9899), shoe sizes (ISO 9407), or what defines proper information security (ISO 27001 and 27002). However, they currently have nothing on operational security, the means of assuring security for processes and systems in action. The only way that can be done is by attacking it every way possible, pushing the impossible, and seeing why and how the security breaks. That’s exactly what the OSSTMM does.
During past ISO meetings, Subcommittee 27, mostly known for its ISO/IEC 27000 family (Information Security Management System) and ISO/IEC 15408 (Common Criteria), had already discussed the topic within different working groups (WG) with no clear outcome. Meanwhile, some ISECOM members, like Dr. Fabio Guasconi in Italy and Heiko Rudolph together with Aaron Brown in Germany, have become active participants in their respective ISO national bodies to help inform their ISO colleagues about the many benefits the OSSTMM could provide to various ISO standards. In Malaka, Dr. Guasconi, the national body representative of Italy’s UNINFO, made significant progress on this front when he gave a complete presentation to WG4 and WG3, the latter being devoted to security evaluation criteria. WG3 then expressed a formal interest in digging deeper into the security testing methodology topic, issuing and approving a resolution to start a study period of one year. The basis of this study period, which is the first step towards a standardization path, would be the OSSTMM 3, and all security experts from national bodies will be free to contribute to and comment on it. By the end of the study period it will be determined how ISO will receive OSSTMM contents in its family of security standards. As outlined in the Malaka presentation, there are many standards that could benefit from a standard aligned with OSSTMM contents, such as 21827, 15408, 18045, 19790 and, of course, 27001. Parts of the OSSTMM concepts have already been posted as comments within the project for ISO 27008, which is dedicated to technical audits of security controls. It looks like this hacker’s guide has really grown up.
The OSSTMM is currently in its third revision and still in Beta, therefore only available to team members, select reviewers, and federal government agencies that require it for drafting policy. This third version is a complete re-write of the methodology and has at its foundation the ever-elusive security and trust metrics. It required 6 years of research and development to produce the perfect operational security metric, an algorithm which computes the Attack Surface of anything. In essence, it is a numerical scale to show how unprotected and exposed something currently is. This number is the basis required for making a proper trust assessment, another feature of the OSSTMM 3 to do away with risk assessment in favor of a more factual metric using trust. Security professionals, military tacticians, and security researchers know that without knowing how exposed a target is, it’s just not possible to say how likely a threat will cause damage and how much. But to know this requires a thorough security test, which happens to be exactly what the OSSTMM provides.
To say the OSSTMM 3 is a very thorough methodology is an understatement. It currently has 12 chapters covering proper attack procedures, rules of engagement, proper analysis, critical security thinking, and trust metrics. It provides 17 modules like Visibility Audit, Trust Verification, Property Validation, and Competitive Intelligence Scouting, each of which describes multiple attacks (called Tasks), for 5 different interaction types with a target (called Channels) organized by technical knowledge and equipment requirements as Human, Physical, Telecommunications, Data Networks, and Wireless. An example attack task under the Wireless Channel for Trust Verification states, “Test and document the depth of requirements for access to wireless devices within the scope with the use of fraudulent credentials.” As if that wasn’t already deep, it even waxes security philosophy with things like, “Compliance requirements which enforce protection measures as a surrogate for responsibility are also a substitute for accountability,” and “Fear doesn’t motivate a person to find complacency any more than security motivates a person to find productivity.”
The OSSTMM may some day be officially recognized by national standards bodies. However, until then, like an indie band with over 4 million downloads, the OSSTMM is not short of brand recognition. Still, to be an ISO standard is alluring to OSSTMM developers and fans alike. They know that to get there, they will have proved that the OSSTMM 3 is needed, thorough, and important enough for leaders and policy makers to consider adopting.
If the OSSTMM does become recognized by an international standards body, it would also help remove some of the vendor influence from current security laws, where product focus often diminishes security and costs organizations more money. It would allow the legal framework to focus on what is an acceptable attack surface rather than on which products are accepted. Based on the OSSTMM, government organizations could also determine which environmental controls are required for the infrastructure to prevent employees with a lack of security knowledge or focus from making bad security decisions, as opposed to which brand of security awareness training will need to be bought. It could also mean vendors would need to reach higher to surpass the bar set by the law instead of forcing the law to stoop down to what the vendor can provide.
People who want to support getting the OSSTMM 3 into the ISO family can contact ISECOM to help build up the best possible proposal and to support it through the November 2010 meeting in Berlin.
About ISECOM:
ISECOM is a non-profit security research organization located in Barcelona, Spain and New York. With the mission to “make sense of security”, the organization produces the international standard for security testing as well as many other projects including trust analysis, home security, and teen cybersecurity awareness. All projects at ISECOM are completed the “open source” way through collaboration and published for free at the ISECOM website (www.isecom.org).