An Introduction To OSSTMM Version 3
Background

As a security consultant, I have always looked for ways to increase the consistency, efficiency and value of security analysis on a client's network or business. Even more so, as I hired employees over the years, I wanted a consistent approach across the board, where the same results could realistically be achieved regardless of which consultant performed the engagement. That requires both a data collection methodology and a reporting methodology. About five years ago, while searching for any existing methodologies, I stumbled across ISECOM and the Open Source Security Testing Methodology Manual (OSSTMM, commonly pronounced "Awe-Stem"). It changed the way my company and I engaged with clients at every angle.
Source: www.infosecisland.com/blogview/7797-An-Introduction-to-OSSTMM-Version-3.html (printed 12/26/13)
At the time (late 2005), version 2 of the OSSTMM was current, the first major revision since the project began in 2001. Beyond some really good approaches to the individual tasks performed during an assessment, what jumped out and immediately appealed to me was that there was an actual methodology behind them: an approach, a different way of thinking that shone through the bits and pieces of those tasks. It was also much more scientific and much less "experience-based" and subjective than what I had been used to. (Yes, after a decade of buzzwords, catch phrases and vendor technology pitches, it's hard not to become tainted and personally biased in one's approach to assessing security.) At the time I didn't quite grasp the whole concept, nor was it clearly defined within version 2 (although a few more bits and pieces came to light with the release of version 2.2 in early 2006). Now, on the dawn of the much anticipated release of OSSTMM version 3, and after having been given a "sneak peek" at some of the new chapters and sections, the puzzle is complete for me, and there is something to be really excited about here. Of course, not everyone will agree, and there will be much debate, but I believe that if you take the time to really understand the intent of the OSSTMM, rather than the letter of specific testing modules, you will be better off for it, regardless of where you stand in the science vs. art debate over security assessments and risk analysis.
In this article, I will attempt to explain the key concepts behind the OSSTMM, as laid out in version 3 and as I understand them. Should my interpretation be wrong, I'm sure to stand corrected here :)

What is the OSSTMM?

In short, the OSSTMM is a mechanism for determining the Operational Security ("OpSec") of a target scope. OpSec is defined as the combination of "separation and controls without limitations". It is essentially a measurement of the protection between assets, using a formula and a method for identifying and categorizing controls (security measures) and limitations (weaknesses or vulnerabilities). What is actually measured is the attack surface of a given target (version 3 calls this its porosity), with the goal of identifying deficiencies in the protection measures in place.

What the OSSTMM is not is a risk assessment methodology; rather, it is a means of collecting and analyzing data to produce results sufficient to support risk decisions. "Risk" is a subjective concept (one person's opinion of it differs from another's), so the OSSTMM instead defines and consistently measures the state of operational security, so that decisions about risk can be made on measured data rather than past experience, product preference or other biased human inputs. Nor is the OSSTMM a threat analysis methodology: it assumes nothing about specific threats, only the attack surface, and attempts to identify and measure deficiencies (limitations) in the protection of assets. Because the measurement is repeatable, it can also be used to track progress (or the lack thereof) in the security operations of any organization over time.
I've described this in very high-level terms, I know, but keep all this in mind as we discuss the OSSTMM in more detail. And don't fear: if this is your first exposure to the OSSTMM and you are accustomed to "vulnerability assessments", think of this as a beefed-up version with a better action plan to boot. We'll discuss the specifics, with examples, in later articles.

Key Concepts

I mentioned earlier that back in 2005 I noticed a glimmer of what the OSSTMM intended to be and has now become. A few of the original concepts are still the foundation of the OSSTMM when it is used in the assessment process, but some more clearly defined concepts in the upcoming version allow the methodology to be used in assessing the security of all sorts of things. (One specific example that I hope to see translated into English one day soon is an analysis of the bank in the movie Ocean's Eleven; the OSSTMM was used to show very clearly the bank's lack of operational security in protecting its assets.) At any rate, here is a brief run-down of what I consider to be the heart and soul of the OSSTMM.

1. Rules of Engagement

My favorite thing about my initial exposure to the OSSTMM was the Rules of Engagement section. It made the most immediate impact on the way I, my consultants and my sales staff interacted with clients before, during and after the assessment process. The Rules of Engagement encompass about 50 individual points, starting with the sales and marketing approach and running all the way through final delivery of the report. I won't go into them all here, but these rules set the table (so to speak) for the overall approach and methodology, with a focus on Critical Security Thinking (another key concept) and an unbiased approach to the measurement of OpSec. For "vendor-agnostic" firms with no agenda to sell product or service after the fact, many of these rules are no-brainers; some are not.
My favorite is the prohibition on using Fear, Uncertainty and Doubt ("FUD") in the sales and marketing process...imagine that. Many of the rules are very specific about notification, permission, contracts and the conduct of the actual assessment, but they show that there is something behind the curtain of this manual that differs from other methodologies.

2. Critical Security Thinking

A concept newly introduced in OSSTMM version 3 (although always there in the wings) is Critical Security Thinking: the practice of using logic and facts, rather than opinion, experience or bias, to form ideas about security (easier said than done, you say? Perhaps). My favorite example of Critical Security Thinking, as outlined in the OSSTMM, is the analysis of the popular statements "if an attacker wants to get in badly enough, he will" and "there is no such thing as perfect security". I'm sure I've said each of these (and know I've heard them a thousand times), but neither is based on fact or logic; both rest on bias and opinion. According to the OSSTMM, "The process of critical security thinking is dependent on the Analyst being able to discern true statements or at least recognize the degree of possible falsity or dynamic properties in a statement. One way to do this is to recognize the amount of trust you can have in a fact through the use of trust metrics." Oh, and this isn't just a high-level concept in version 3...there's a six-step technique that assists with the process and ensures a consistent approach to Critical Security Thinking. One of my favorite ISECOM projects is Jack of All Trades, a series of exercises to get your brain thinking critically. The first (and easiest) of the "Jack" exercises is to define 10 ways to turn off the light in a room containing a light bulb and a switch, then 10 ways to keep it on, then 10 ways to determine whether it is on to begin with. Jack can be downloaded from http://www.isecom.org/projects/jack.shtml

3. Trust Analysis

Another new concept in version 3 is Trust Analysis. This concept is what gives the OSSTMM its versatility in areas of analysis outside information security, and, as it turns out, it is what was behind the OSSTMM all this time...this is what I was struggling to grasp. According to the OSSTMM:

"As part of OpSec, trust is one part of a target's porosity. Where security is like a wall that separates threats from assets, trust is a hole in that wall. It is wherever the target accepts interaction from other targets within the scope. However, people tend to use improper or incomplete operational controls with their trusts, like authentication that has been made with improper identification such as a voice over a telephone, a business card, or even just the assumption that because a person is in the room they are authorized to be there. This opens people up to fraud and deceit. The use of additional controls is required to secure a trust, to assure its integrity and resilience."
Although the OSSTMM goes into great detail describing the interactions between assets and their relation to trust, with or without certain controls (like authentication) in place, I will only say here that understanding this aspect of the OSSTMM is a game-changer. Like other aspects of the OSSTMM, Trust Analysis comes down to a formula built on a set of 10 Trust Properties, which can be applied to almost any situation to create "Trust Rules" (better left explained by the new OSSTMM when it is released). As to how Trust Analysis applies directly to the security testing process, the OSSTMM goes on to say: "Security tests will verify which operational trusts exist, however the use of trust rules is required to know if they should exist. This is determined with the use of the Trust Rules during security testing."

4. Defense in Width

The final key concept I'll discuss in this article is "Defense in Width". Whether or not it is defined under that name in OSSTMM v3 (I've only seen a couple of chapters :), it is certainly implied by what I gather from the associated presentation materials I've seen. This is another differentiator between the OSSTMM approach and others, and it is closely related to Critical Security Thinking. "Defense in Depth" is another buzzword used so often over the past decade that we've forgotten what it means. Nowadays it is heavily used by vendors and resellers to sell yet another piece of gear to sit somewhere in your network to protect against yet another buzzword. Ask most people to define Defense in Depth and the answer will undoubtedly be "multiple layers of defense, like an onion". The problem is that today's infrastructures in no way resemble an onion, so the approach is flawed in its basic premise: not every interaction passes through every layer, so counting layers says little about the controls on the particular vector an attacker actually uses. Defense in Width instead applies multiple controls (10, to be exact) to each vector or interaction, rather than viewing an enterprise as protected by single layers that can be "peeled back". The goal is to assess each asset (port, IP address, application, whatever the scope definition is) against the 10 controls defined in the OSSTMM and measure the deficiency (OpSec). In version 3 those controls fall into two classes: the interactive controls Authentication, Indemnification, Subjugation, Continuity and Resilience, and the process controls Non-repudiation, Confidentiality, Privacy, Integrity and Alarm. As Pete Herzog explains:

"The biggest difference is that DiD (Defense in Depth) requires the cooperation of the users to assure security is maintained and DiW (Defense in Width) does not. DiD is like the Witness Protection Program for networks, where there are some Authentication controls and a lot of Privacy or Confidentiality controls, but really it depends on the Witness to follow the rules of the program to stay safe. DiW is like the prison system for networks. All interactions to and from the inside are heavily piled with multiple controls of different types, as well as the interactions between the prisoners and the guards. You see really the entire 10 controls applied across nearly all interactions. And when you don't, well, that's how problems happen in prisons."

Conclusion

As you read this, keep in mind that each of the key concepts I discussed spans multiple pages and chapters within OSSTMM v3, and the commentary above is only meant to introduce concepts that are very clearly defined in the manual itself. I myself am very excited about this new version: rather than picking and choosing the portions I like and use, this version is a really comprehensive approach that we are already applying in our client engagements. In coming articles I will discuss the OpSec metrics, controls and other specific formulas and methods in more detail, and hope to do a decent job of summarizing the "gist" of the OSSTMM. For more information about ISECOM, visit www.isecom.org. For more information about the OSSTMM, visit www.osstmm.org.
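The per-vector control matrix that the Defense in Width section describes (and the controls-versus-limitations framing from "What is the OSSTMM?"), as an added example in Python that is not part of the original article or of the OSSTMM itself. The ten control names are the ones OSSTMM 3 defines; the zone layering used for the "depth" figure, the scope data, the threshold of five controls, and the rule that a control with a known limitation counts for nothing on that vector are all assumptions made for this illustration, and the score is not the OSSTMM's own rav calculation.

```python
"""Defense-in-Width coverage check over a scope of interactions.

Added example (not the OSSTMM's own rav calculation). Each vector in the
scope is scored by how many distinct, working OSSTMM 3 operational controls
it carries (its "width"), and contrasted with how many zone boundaries it
crosses (the "depth" an onion diagram would show for it).
"""
from dataclasses import dataclass

# The ten operational controls defined in OSSTMM 3, in its two classes.
CLASS_A_INTERACTIVE = ("authentication", "indemnification", "subjugation",
                       "continuity", "resilience")
CLASS_B_PROCESS = ("non-repudiation", "confidentiality", "privacy",
                   "integrity", "alarm")
CONTROLS = CLASS_A_INTERACTIVE + CLASS_B_PROCESS

# Constructed "onion" for the depth view, outermost zone first (assumption).
ZONES = ("internet", "dmz", "internal", "data")


@dataclass(frozen=True)
class Interaction:
    """One vector in the scope: a source talking to a target."""
    source: str
    source_zone: str
    target: str
    target_zone: str
    controls: frozenset                   # controls applied to this vector
    limitations: frozenset = frozenset()  # controls present but known-defective


def depth(i: Interaction) -> int:
    """Onion view: number of zone boundaries between source and target."""
    return abs(ZONES.index(i.target_zone) - ZONES.index(i.source_zone))


def effective_controls(i: Interaction) -> frozenset:
    """Controls that actually protect the vector.

    Assumption for this example: a control with a known limitation (a
    weakness or vulnerability) contributes nothing on that vector.
    Unknown control names are rejected rather than silently ignored.
    """
    unknown = i.controls - set(CONTROLS)
    if unknown:
        raise ValueError(f"not OSSTMM 3 controls: {sorted(unknown)}")
    return i.controls - i.limitations


def width(i: Interaction) -> int:
    """Width view: count of distinct working control types on the vector."""
    return len(effective_controls(i))


def missing_controls(i: Interaction) -> list:
    """Absent or impaired controls, in OSSTMM order: the gap to close."""
    have = effective_controls(i)
    return [c for c in CONTROLS if c not in have]


def report(scope, minimum_width: int = 5) -> list:
    """Rank vectors thinnest first and flag those under the width threshold.

    The threshold of five is an assumption for the example, not a figure
    from the OSSTMM.
    """
    rows = []
    for i in scope:
        w = width(i)
        rows.append({
            "vector": f"{i.source} -> {i.target}",
            "depth": depth(i),
            "width": w,
            "missing": missing_controls(i),
            "flag": w < minimum_width,
        })
    return sorted(rows, key=lambda r: (r["width"], -r["depth"]))


# Constructed scope: a thick-looking onion with one vector that bypasses it.
SCOPE = [
    Interaction("browser", "internet", "web-app", "dmz",
                frozenset({"authentication", "confidentiality", "integrity",
                           "alarm", "continuity", "resilience"})),
    Interaction("web-app", "dmz", "db", "data",
                frozenset({"authentication", "subjugation", "confidentiality",
                           "integrity", "alarm", "non-repudiation"})),
    # A DBA's VPN session lands straight on the data tier: every zone in the
    # diagram is "behind" it, yet only two controls touch the vector, and the
    # authentication is a shared account, recorded here as a limitation.
    Interaction("dba-laptop", "internet", "db", "data",
                frozenset({"authentication", "confidentiality"}),
                limitations=frozenset({"authentication"})),
]

if __name__ == "__main__":
    for row in report(SCOPE):
        mark = "!!" if row["flag"] else "ok"
        print(f"{mark} {row['vector']:<18} depth={row['depth']} "
              f"width={row['width']}  missing={row['missing']}")
```

Running it ranks the vectors thinnest first: the DBA-to-database session crosses every zone in the diagram (the deepest vector in the onion view) yet has a single working control on it, which is exactly the gap a layer count hides and a per-interaction control matrix exposes.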
Categories: Enterprise Security, Security Awareness, Security Training, Vulnerabilities
Tags: Risk Assessments, Security Audits, OSSTMM, ISECOM

Comments:
David C. Brown Nice review. Thank you. You should also point out that this approach might be useful; but until it is reviewed by a wider audience it is still speculation. Additionally, how many years has it been coming? Again, Thanks for the article. 3 years ago
Michael Menefee David, Thank you for the comment. One of the upcoming articles we'll be publishing here will be an interview with a company that has been using the OSSTMM methodology for years, so we can hopefully gain some real-world perspective on the usefulness. Re: how long this has been coming, version 2.2, released back in 2006, was a precursor to version 3, so it's been in the works for some time. 3 years ago
Amine Mehablia Thank you for the article. I never used this approach even though I have known OSSTMM since the early version. Do you have any case study to share with us, if possible? rgds 3 years ago
Michael Menefee @Amine, thanks for the comment. It will probably be a month or two before I have a case study that I can share here, but will do so when appropriate 3 years ago
Fred Williams I think I need a "Cliff Notes" version of OSSTMM! The one thing that immediately sticks out at me is the sheer size of the thing. The v.3 TOC lists nearly 200 pages (the TOC is 4 pages itself). As a newbie, it is a daunting task to try to go through and understand it without spending a few days. 3 years ago
Michael Menefee Fred, a thorough methodology such as this is going to be lengthy. I'll be breaking down details further in coming posts, but since the OSSTMM addresses various aspects of security individually (i.e. Network Security, Telecommunications, Wireless, etc.) it's bound to add some pages. Fortunately, grasping an understanding of the methodology doesn't require reading the full manual. 3 years ago
Fred Williams Thanks Mike! I'll be looking forward to your future posts and Pete's preso @ OWASP next month. 3 years ago
The Dude I always liked the idea behind the OSSTMM methodology, because it was always a good balance between theory and actual doing (that's where most IT compliance gets stuck). If you really would like to get more (market) attention, I think you have to closely attach it to our ISO27xxx friends and NIST references. Also, to get a broader audience, you need to have a simpler abstraction (like you have done earlier with the 'light' release); I would think about something like the 'Prioritized Approach for PCI DSS', simple to understand the initial message and proceed further. Unfortunately the subscription is too expensive (yes, I can imagine how much intellectual property is in there!!) and therefore, as the usual Sec-Pro, I use the good old NIST/CIS/OCTAVE/ISACA/SIG guidelines. 3 years ago
Michael Menefee Thanks for the comment. I did want to point out that as soon as OSSTMMv3 is ready, it will be publicly available for free... you can check out the complete version 2.2 here: http://isecom.securenetltd.com/osstmm.en.2.2.pdf Some of the Version 3 methodology is in there, as are many of the new concepts I discuss in this post. And I think there is some work being done to include some of the OSSTMM in ISO and NIST, but don't quote me :) 3 years ago
The Dude Thanks MM, looking forward to v3! One last comment: it would be great if OSSTMM were integrated in a simple documentation framework like verinice has done for the German IT-Grundschutz (http://www.verinice.org/). I personally would add your OSSTMM3 TOC to the dradis framework (http://dradisframework.org/), very, very useful for any Security Tester to have a consistent template and framework tool (we all know how lazy testers are concerning documentation ;-). I use dradis and verinice on a regular basis and can highly recommend them! 3 years ago
Michael Menefee Dude, I hadn't checked out the dradis framework in a while, so thanks for the link ;) I'm not sure of the applicability of adding the OSSTMM TOC to the framework, as the real point of the OSSTMM is in the methodology and critical security thinking. I think this is where prior versions of the OSSTMM failed (not failed completely, but failed to be really successful), as they read more like a pen testing manual with procedures and checklists and tools. Now, I'm still trying to get up to speed and where I need to be to completely understand version 3, but ISECOM (http://www.isecom.org) has used concepts from v3 over the past years to launch several of their other projects, which I am evaluating to get a better understanding of the methodology... 3 years ago
Pete Herzog Hi Dude, Hi Mike, First, great article, Mike! I wanted to point out that OSSTMM 3 doesn't really follow the same line as the ISO or NIST documents. A lot of it is new research that does take quite a turn from what's being done now in security. So the parallel isn't really there. However, both ISO and NIST have access to the OSSTMM 3 draft and I've learned they are looking into integrating it into some of their newer documentation. OSSTMM 3 will be made freely and publicly available this year. And if you can't pay the subscription cost now, you can just contribute to any of the ISECOM projects and get access to it. 3 years ago