Proactive security: The Opensource Security Testing Methodology Manual (OSSTMM) from ISECOM

DSS_ITSEC 749 views 46 slides Nov 27, 2018

About This Presentation

Raoul Chiesa https://dssitsec.eu


Slide Content

© 2015-2018 Raoul Chiesa & Security Brokers Società Cooperativa per Azioni
DSS ITSEC Conference, Riga, October 25th, 2018
Proactive Security:
the Opensource Security Testing Methodology Manual
(OSSTMM) from ISECOM
Raoul «Nobody» Chiesa
ISECOM Board of Directors
Founding Partner, President, Security Brokers SCpA

Disclaimer
● The information contained within this presentation does not infringe on any intellectual property, nor does it contain tools or recipes that could be in breach of known laws.
● The statistical data presented belongs to the Hackers Profiling Project by UNICRI and ISECOM.
● Quoted trademarks belong to their registered owners.
● The views expressed are those of the author(s) and speaker(s) and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the view of ENISA and its PSG (Permanent Stakeholders Group), nor of Security Brokers, its Associates and Associated Companies, and Technical Partners.
● Contents of this presentation cannot be quoted or reproduced.

Agenda
Introductions
ISECOM
The OSSTMM
OSSTMM going ISO/IEC (along with NIST)
Contacts, Q&A

Introductions

The speaker
President, Founder, The Security Brokers
Principal, SWASCAN
Independent Special Senior Advisor on Cybercrime @ UNICRI (United Nations Interregional Crime & Justice Research Institute)
Former PSG Member, ENISA (Permanent Stakeholders Group @ European Union Network & Information Security Agency)
Founder @ CLUSIT (Italian Information Security Association)
Steering Committee, AIP/OPSI, Privacy & Security Observatory
Board of Directors, ISECOM
Board of Directors, OWASP Italian Chapter
Cultural Attaché, Scientific Committee, APWG European Chapter
Board Member, AIIC (Italian Association of Critical Infrastructures)
Supporter at various security communities

ISECOM
Institute for SECurity and Open Methodologies
Originally a «security Think-Tank» (IdeaHamster, est. 2000)
Established in January 2001, founded by Pete Herzog
Non-Profit Organization (C503) registered in the USA and EU, with headquarters in New York City and Barcelona (Spain)
Open Source community registered with the OSI
Develops many Open Source projects (e.g. HPP, HHS, BPB; see later)
Coordinates the certification of security personnel

The ISECOM Mission
Our Mission:
To provide global, practical, useable security knowledge and
knowledge-tools to solve problems caused by insecurity,
privacy violations, ethical violations, and poor safety
measures.
Our Audience:
Corporations and Organizations (OSSTMM, Security Metrics,
HPP)
Professionals and quasi-professionals (Rules of Engagement,
HPP)
College students (Academic Alliance Program)
Teens and pre-teens (Hacker High School, Bad People Project)

The ISECOM Projects
OSSTMM – The Open Source Security Testing Methodology Manual
RAVs – The Security Metrics
BIT – Business Integrity Testing Methodology Manual
OPRP – Open Protocol Resource Project
SIPES – Security Incident Policy Enforcement System
SPSMM – The Secure Programming Standards Methodology Manual
STICK – Software Testing Checklist
ISM 3.0 – Information Security Maturity Model
HHS – Hacker High School
HPP – Hacker’s Profiling Project
BPB – The Bad People Project

OSSTMM: introduction
Our chief project is the OSSTMM, the Open Source Security Testing Methodology Manual.
8,000,000+ downloads worldwide
Originally designed by Pete Herzog for IBM ISS Force (1998)
It became an Open Source project in 2000 (December 18th)
IT’S FREE! (http://www.osstmm.org for download)
The OSSTMM is a methodology for testing security systems of every kind, from guards and locked doors to mobile communication towers and satellites.
It just WORKS!

OSSTMM: details
An International Standard for Security Testing and Security Analysis
A methodology based on a scientific approach
A resource to really measure Operational Security
A way to totally reduce false positives and false negatives (forget «Vulnerability Assessments»!)
A concrete process to be functional and really secure
An Ethics code with clearly-defined Rules of Engagement
Released on December 14th, 2010, as its third release (OSSTMM 3.0)

OSSTMM: The Open Source Security Testing Methodology Manual
The Open Source Security Testing Methodology Manual (OSSTMM) is an open standard methodology for performing security tests. Since its inception in January 2001, the OSSTMM has become the most widely used, peer-reviewed, comprehensive security testing methodology in existence. While other methodologies and best practices approach security testing from a 50,000-foot view, the OSSTMM focuses on the technical details of exactly which items need to be tested, what to do during a security test, and when different types of security tests should be performed. The OSSTMM provides testing methodologies for the following six security areas: Information Security, Process Security, Internet Technology Security, Communications Security, Wireless Security, and Physical Security.

OSSTMM: how it works
The OSSTMM is an international methodology focused on Proactive Security Testing, developed by ISECOM (Institute for Security and Open Methodologies, USA): its output can be repeated, compared and evaluated in a numerical manner (RAVs).
The OSSTMM defines rules and guidelines, as well as the RAVs (technical risk level).
The OSSTMM doesn’t substitute the Risk Analysis field, but works on the process that creates its results:
Open Source project, 200+ contributors worldwide, free use of the methodology
Works on devices, infrastructures, single targets
Cross-standard: IP (v4/v6), xSTN (PSTN, ISDN), X.25, mobile, Wireless (IEEE 802.11*, Bluetooth, Zigbee, …)
Adopted by governmental and private organizations all around the world
Modular logic: 6 operating areas (modules)

Security Testing: the “standard” approach

(since OSSTMM 2.0): the modules
• Internet Security
• Information Security
• Physical Security
• Communications Security
• Wireless Security
• Process Security (Social Engineering)

(since OSSTMM 2.0): operating areas
Internet Security
•Network Surveying
•Port Scanning
•Services Identification
•System Identification
•Vulnerability Research and Verification
•Internet Application Testing
•Router Testing
•Trusted Systems Testing
•Firewall Testing
•Intrusion Detection System Testing
•Containment Measures Testing
•Password Cracking
•Denial of Service Testing
Information Security
•Competitive Intelligence Scouting
•Privacy Review
•Document Grinding
Social Engineering (Process Security)
•Request Testing
•Guided Suggestion Testing
•Trusted Persons Testing

(since OSSTMM 2.0): operating areas (2)
Wireless Security
•Wireless Networks Testing
•Cordless Communications Testing
•Privacy Review
•Infrared Systems Testing
Communications Security
•PBX Testing
•Voicemail Testing
•FAX review
•Modem Testing
Physical Security
•Access Control Testings
•Perimeter Review
•Monitoring Review
•Alarm Response Review
•Location Review
•Environment Review

Security Testing: the OSSTMM approach

OSSTMM 3.0: Attack Channels (paths)
(figure: the channels, including Physical Security, Wireless and Information Security)
Each channel defines a set of verifications that lets you verify ALL of the aspects relevant to your security goals, such as:
Data Networks:
•Network Surveying
•Port Scanning
•Services Identification
•System Identification
•Vulnerability Research & Verification
•Internet Application Testing
•Router Testing
•Trusted Systems Testing
•Firewall Testing
•Intrusion Detection System Testing
•Containment Measures Testing
•Password Cracking
•Denial of Service Testing

The OSSTMM 3.0
Download it from www.osstmm.org
Designed for e-book readers and double-sided printing (we love the earth)
211 pages
Open Source: Creative Commons 3.0 Attribution Non-commercial derivatives
2010

Lots of people helping the ISECOM community!

The OSSTMM 4.0
Under peer review since June 12, 2013
YES I know, we are slow
Join the peer review team (help us!)
Become an ISECOM supporter (Gold, Silver, Bronze) and get it
Wait until it goes public
255 pages
Open Source: Creative Commons 3.1 Attribution Non-commercial derivatives
2013

OSSTMM going ISO….
(The new ISO “Hacking Standard”)
In May 2010, the ISO International Committee requested that ISECOM supply detailed information in order to start a process that would incorporate the OSSTMM into a new ISO standard for Security Testing.
Here are extracts from the official ISECOM disclosure:
“Some national standards organizations like ANSI in the USA and UNINFO in Italy have had their eye on the OSSTMM for years. Others, like DIN in Germany, were only recently shown the benefits of the OSSTMM but then supported it immediately.
Released for free in January 2001 by Pete Herzog as the underdog to the security industry’s product-focused security advice, the manual achieved an instant cult following. The fact that OSSTMM is open to anyone for peer review and further research led to it growing from its initial 12 page release to its current size of 200.
The international support community also grew to over 7000 members with dozens of research contributors dedicating their time to enhancing it. For testing security operations and devising tactics it has no equal. Its popularity and growth happened so fast that the non-profit organization ISECOM created the Open Methodology License (OML) asserting the OSSTMM as an open Trade Secret to assure it remained free, as in no price, as well as free from commercial and political influence. The OSSTMM seemed to have all the features of being the answer for securing the world except that it had never been formally recognized… until now.”

Mixing it all together: different views and approaches, from ISO/IEC to OSSTMM and NIST
The next section will highlight how ISECOM is working closely with the ISO/IEC Committee and the NIST Board of Directors in order to build a new, shared methodology for Security Testing and Product Security Evaluation.
You will recognize many of the aspects we’ve spoken about today in a “big picture”.
All of the following process was supposed to be completed by 2015: this means we already knew what was coming next.
Then the tasks got VERY time-consuming… it’s 2018 now and we are still working on this
All the following slides belong to ISECOM and the ISO/IEC JTC1/SC27 Working Group (see next slide)

2019 or 2020

Conclusions

End of story
Now that we have all this useful
information, it would be nice to do
something with it. (Actually, it can be
emotionally fulfilling just to get the
information. This is usually only true,
however, if you have the social life of a
glass of water.)
Unix Programmer's Manual.

Links
www.isecom.org
www.osstmm.org
www.opsa.org
www.opst.org
www.opse.org
www.owse.org
www.hackerhighschool.org
www.iso.org
www.pcisecuritystandards.org
attrition.org/dataloss

Contacts, Q&A
Need anything, got doubts, wanna ask me something?
[email protected]
Thanks for your attention! QUESTIONS?

EXTRA MATERIAL

OSSTMM Compliance
• Legislation. Compliance with legislation is in accordance with the region where the legislation can be enforced. The strength of and commitment to the legislation comes from its popularity, previously successful legal arguments, and appropriately set and just enforcement measures. Failure to comply with legislation may lead to criminal charges.
• Regulation. Compliance with regulation is in accordance with the industry or the group where the regulation can be enforced. Failure to comply with regulations most often leads to dismissal from the group, a loss of privileges, a monetary fine, civil charges, and, in some cases where legislation exists to support the regulatory body, criminal charges can be made.
• Policy. Compliance with policy is in accordance with the business or organization where the policy can be enforced. Failure to comply with policy most often leads to dismissal from the organization, a loss of privileges, a monetary fine, civil charges, and, in some cases where legislation exists to support the policy makers, criminal charges can be made.

OSSTMM for Audits
Provides quantitative and realistic Security Metrics
Improves any Risk Assessment or Risk Management methodology
ISO 17799 / BS 7799 -> ISO/IEC 27001
Marion / Méhari (Risk Analysis methodology)
Provides calendaring of security tests based on the natural degradation of security
Quantifies operational and actual risk types
Manages spending effectiveness