The security community may be interested in this:
The New ISO Hacking Standard
New York, May 17, 2010 -- The world’s national standards bodies met
again during April, this time in Malaka, Malaysia and they extended
talks about the Open Source Security Testing Methodology Manual. This
ultimate security guide, better known to security experts and hackers
alike as the OSSTMM (spoken like “awesome” but with a “t”), is a
formal methodology for breaking any security and attacking anything
the most thorough way possible. So why is the International Standards
Organization talking about it?
Some national standards organizations like ANSI in the USA and UNINFO
in Italy have had their eye on the OSSTMM for years. Others, like DIN
in Germany, were only recently shown the benefits of the OSSTMM but
then supported it immediately. Released for free in January 2001 by
Pete Herzog as the underdog to the security industry’s product-focused
security advice, the manual achieved an instant cult following. The
fact that OSSTMM is open to anyone for peer review and further
research led to it growing from its initial 12 page release to its
current size of 200. The international support community also grew to
over 7000 members with dozens of research contributors dedicating
their time to enhancing it. For testing security operations and
devising tactics it has no equal. Its popularity and growth happened
so fast that the non-profit organization ISECOM created the Open
Methodology License (OML) asserting the OSSTMM as an open Trade Secret
to assure it remained free, as in no price, as well as free from
commercial and political influence. The OSSTMM seemed to have all the
features of being the answer for securing the world except that it had
never been formally recognized…until now.
With such fanatical devotion from experts and the underground, the
OSSTMM soon gained the attention of governments from city to state to
national which is how it eventually got to the ISO. ISO is the acronym
of the International Standards Organization. Headquartered in Geneva,
Switzerland, ISO is the collection of people who create manuals
standardizing all sorts of things like paper sizes (ISO 216), what
determines a water-resistant watch (ISO 2281), how to properly conduct
quality management (ISO 9001), the C programming language (ISO 9899),
shoe sizes (ISO 9407), or what defines proper information security
(ISO 27001 and 27002). However they currently have nothing on
operational security, the means of assuring security for processes and
systems in action. The only way that can be done is by attacking it
every way possible, pushing the impossible, and see why and how the
security breaks. That’s exactly what the OSSTMM does.
During past ISO meetings, the Subcommittee 27, mostly known for its
ISO/IEC 27000 family (Information Security Management System) and
ISO/IEC 15408 (Common Criteria), already discussed the topic within
different working groups (WG) with no clear outcome. Meanwhile, some
ISECOM members, like Dr. Fabio Guasconi in Italy and Heiko Rudolph
together with Aaron Brown in Germany, have become active participants
in their respective ISO national bodies to help inform their ISO
colleagues about the many benefits the OSSTMM could provide to various
ISO standards. In Malaka, Dr. Guasconi, the national body
representative of Italy’s UNINFO, made significant progress on this
front when he held a complete presentation to WG4 and WG3, the latter
one being devoted to security evaluation criteria. WG3 then eventually
expressed a formal interest in carving deeper into the security
testing methodology topic, issuing and approving a resolution for
starting a study period of one year. The base of this study period,
which is the first step towards a standardization path, would be
constituted by the OSSTMM 3 and all security experts from national
bodies will freely contribute and comment on it. By the end of the
study period it will be determined how ISO will receive OSSTMM
contents in its family of security standards. As outlined in Malaka’s
presentation there are many standards that could benefit from a
standard aligned with OSSTMM contents, such as 21827, 15408, 18045,
19790 and, of course, 27001. Parts of OSSTMM concepts have already
been posted as comments within the project for ISO 27008, which is
dedicated to technical audits on security controls. It looks like this
hacker’s guide has really grown up.
The OSSTMM is currently in its third revision and still in Beta,
therefore only available to team members, select reviewers, and
federal government agencies that require it for drafting policy. This
third version is a complete re-write of the methodology and has at its
foundation the ever-elusive security and trust metrics. It required 6
years of research and development to produce the perfect operational
security metric, an algorithm which computes the Attack Surface of
anything. In essence, it is a numerical scale to show how unprotected
and exposed something currently is. This number is the basis required
for making a proper trust assessment, another feature of the OSSTMM 3
to do away with risk assessment in favor of a more factual metric
using trust. Security professionals, military tacticians, and security
researchers know that without knowing how exposed a target is, it’s
just not possible to say how likely a threat will cause damage and how
much. But to know this requires a thorough security test which happens
to be exactly what the OSSTMM provides.
To say the OSSTMM 3 is a very thorough methodology is an
understatement. It currently has 12 chapters covering proper attack
procedures, rules of engagement, proper analysis, critical security
thinking, and trust metrics. It provides 17 modules like Visibility
Audit, Trust Verification, Property Validation, and Competitive
Intelligence Scouting, each which describes multiple attacks (called
Tasks), for 5 different interaction types with a target (called
Channels) organized by technical knowledge and equipment requirements
as Human, Physical, Telecommunications, Data Networks, and Wireless.
An example attack task under the Wireless Channel for Trust
Verification states, “Test and document the depth of requirements for
access to wireless devices within the scope with the use of fraudulent
credentials.” As if that wasn’t already deep, it even waxes security
philosophy with things like, “Compliance requirements which enforce
protection measures as a surrogate for responsibility are also a
substitute for accountability,” and “Fear doesn’t motivate a person to
find complacency any more than security motivates a person to find
productivity.”
The OSSTMM may some day be officially recognized by national standards
bodies. However until then, like an indie band with over 4 million
downloads, the OSSTMM is not suffering from brand recognition. Still,
to be an ISO standard is alluring to OSSTMM developers and fans alike.
They know that to be there, they have proved that the OSSTMM 3 is
needed, thorough, and important enough for leaders and policy makers
to consider adopting.
If OSSTMM does become recognized by an international standards body,
it would also help remove some of the vendor influence from current
security laws where product focus often diminishes security and costs
organizations more money. It would allow for the legal framework to
focus on what is an acceptable attack surface rather than on which are
accepted products. -Based on OSSTMM, government organizations could
also determine which environmental controls are required for the
infrastructure to prevent employees with a lack of security knowledge
or focus from making bad security decisions as opposed to which brand
of security awareness training will be need to be bought. It could
also mean vendors would need to reach higher to surpass the bar set by
the law instead of forcing the law to stoop down to what the vendor
can provide.
People who want to support getting the OSSTMM 3 into the ISO family
can contact ISECOM to help build up the best possible proposal and to
support it through the November 2010 meeting in Berlin.
About ISECOM:
ISECOM is a non-profit, security research organization located in
Barcelona, Spain and New York. With the mission to “make sense of
security” the organization produces the international standard for
security testing as well as many other projects including trust
analysis, home security, and teen cybersecurity awareness. All
projects at ISECOM are completed the “open source” way through
collaboration and published for free at the ISECOM website
(www.isecom.org).
