Re: The New ISO Hacking Standard

[Simon Kilvington <s.kilvington () eris qinetiq com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Pete,

        if this becomes an ISO standard will it still be available for free, or
will you need to pay to get copies of it like you do for other ISO
standards? Also, once the ISO standard is defined, how will new open
source contributions be incorporated?


Pete Herzog wrote:
> The security community may be interested in this:
>
> The New ISO Hacking Standard
>
> New York, May 17, 2010 -- The world’s national standards bodies met
> again during April, this time in Malaka, Malaysia and they extended
> talks about the Open Source Security Testing Methodology Manual. This
> ultimate security guide, better known to security experts and hackers
> alike as the OSSTMM (spoken like “awesome” but with a “t”), is a formal
> methodology for breaking any security and attacking anything the most
> thorough way possible. So why is the International Standards
> Organization talking about it?
>
> Some national standards organizations like ANSI in the USA and UNINFO in
> Italy have had their eye on the OSSTMM for years. Others, like DIN in
> Germany, were only recently shown the benefits of the OSSTMM but then
> supported it immediately. Released for free in January 2001 by Pete
> Herzog as the underdog to the security industry’s product-focused
> security advice, the manual achieved an instant cult following. The fact
> that OSSTMM is open to anyone for peer review and further research led
> to it growing from its initial 12 page release to its current size of
> 200. The international support community also grew to over 7000 members
> with dozens of research contributors dedicating their time to enhancing
> it. For testing security operations and devising tactics it has no
> equal. Its popularity and growth happened so fast that the non-profit
> organization ISECOM created the Open Methodology License (OML) asserting
> the OSSTMM as an open Trade Secret to assure it remained free, as in no
> price, as well as free from commercial and political influence. The
> OSSTMM seemed to have all the features of being the answer for securing
> the world except that it had never been formally recognized…until now.
>
> With such fanatical devotion from experts and the underground, the
> OSSTMM soon gained the attention of governments from city to state to
> national which is how it eventually got to the ISO. ISO is the acronym
> of the International Standards Organization. Headquartered in Geneva,
> Switzerland, ISO is the collection of people who create manuals
> standardizing all sorts of things like paper sizes (ISO 216), what
> determines a water-resistant watch (ISO 2281), how to properly conduct
> quality management (ISO 9001), the C programming language (ISO 9899),
> shoe sizes (ISO 9407), or what defines proper information security (ISO
> 27001 and 27002). However they currently have nothing on operational
> security, the means of assuring security for processes and systems in
> action. The only way that can be done is by attacking it every way
> possible, pushing the impossible, and see why and how the security
> breaks. That’s exactly what the OSSTMM does.
>
> During past ISO meetings, the Subcommittee 27, mostly known for its
> ISO/IEC 27000 family (Information Security Management System) and
> ISO/IEC 15408 (Common Criteria), already discussed the topic within
> different working groups (WG) with no clear outcome. Meanwhile, some
> ISECOM members, like Dr. Fabio Guasconi in Italy and Heiko Rudolph
> together with Aaron Brown in Germany, have become active participants in
> their respective ISO national bodies to help inform their ISO colleagues
> about the many benefits the OSSTMM could provide to various ISO
> standards. In Malaka, Dr. Guasconi, the national body representative of
> Italy’s UNINFO, made significant progress on this front when he held a
> complete presentation to WG4 and WG3, the latter one being devoted to
> security evaluation criteria. WG3 then eventually expressed a formal
> interest in carving deeper into the security testing methodology topic,
> issuing and approving a resolution for starting a study period of one
> year. The base of this study period, which is the first step towards a
> standardization path, would be constituted by the OSSTMM 3 and all
> security experts from national bodies will freely contribute and comment
> on it. By the end of the study period it will be determined how ISO will
> receive OSSTMM contents in its family of security standards. As outlined
> in Malaka’s presentation there are many standards that could benefit
> from a standard aligned with OSSTMM contents, such as 21827, 15408,
> 18045, 19790 and, of course, 27001. Parts of OSSTMM concepts have
> already been posted as comments within the project for ISO 27008, which
> is dedicated to technical audits on security controls. It looks like
> this hacker’s guide has really grown up.
>
> The OSSTMM is currently in its third revision and still in Beta,
> therefore only available to team members, select reviewers, and federal
> government agencies that require it for drafting policy. This third
> version is a complete re-write of the methodology and has at its
> foundation the ever-elusive security and trust metrics. It required 6
> years of research and development to produce the perfect operational
> security metric, an algorithm which computes the Attack Surface of
> anything. In essence, it is a numerical scale to show how unprotected
> and exposed something currently is. This number is the basis required
> for making a proper trust assessment, another feature of the OSSTMM 3 to
> do away with risk assessment in favor of a more factual metric using
> trust. Security professionals, military tacticians, and security
> researchers know that without knowing how exposed a target is, it’s just
> not possible to say how likely a threat will cause damage and how much.
> But to know this requires a thorough security test which happens to be
> exactly what the OSSTMM provides.
>
> To say the OSSTMM 3 is a very thorough methodology is an understatement.
> It currently has 12 chapters covering proper attack procedures, rules of
> engagement, proper analysis, critical security thinking, and trust
> metrics. It provides 17 modules like Visibility Audit, Trust
> Verification, Property Validation, and Competitive Intelligence
> Scouting, each which describes multiple attacks (called Tasks), for 5
> different interaction types with a target (called Channels) organized by
> technical knowledge and equipment requirements as Human, Physical,
> Telecommunications, Data Networks, and Wireless. An example attack task
> under the Wireless Channel for Trust Verification states, “Test and
> document the depth of requirements for access to wireless devices within
> the scope with the use of fraudulent credentials.” As if that wasn’t
> already deep, it even waxes security philosophy with things like,
> “Compliance requirements which enforce protection measures as a
> surrogate for responsibility are also a substitute for accountability,”
> and “Fear doesn’t motivate a person to find complacency any more than
> security motivates a person to find productivity.”
>
> The OSSTMM may some day be officially recognized by national standards
> bodies. However until then, like an indie band with over 4 million
> downloads, the OSSTMM is not suffering from brand recognition. Still, to
> be an ISO standard is alluring to OSSTMM developers and fans alike. They
> know that to be there, they have proved that the OSSTMM 3 is needed,
> thorough, and important enough for leaders and policy makers to consider
> adopting.
>
> If OSSTMM does become recognized by an international standards body, it
> would also help remove some of the vendor influence from current
> security laws where product focus often diminishes security and costs
> organizations more money. It would allow for the legal framework to
> focus on what is an acceptable attack surface rather than on which are
> accepted products. -Based on OSSTMM, government organizations could also
> determine which environmental controls are required for the
> infrastructure to prevent employees with a lack of security knowledge or
> focus from making bad security decisions as opposed to which brand of
> security awareness training will be need to be bought. It could also
> mean vendors would need to reach higher to surpass the bar set by the
> law instead of forcing the law to stoop down to what the vendor can
> provide.
>
> People who want to support getting the OSSTMM 3 into the ISO family can
> contact ISECOM to help build up the best possible proposal and to
> support it through the November 2010 meeting in Berlin.
>
> About ISECOM:
> ISECOM is a non-profit, security research organization located in
> Barcelona, Spain and New York. With the mission to “make sense of
> security” the organization produces the international standard for
> security testing as well as many other projects including trust
> analysis, home security, and teen cybersecurity awareness. All projects
> at ISECOM are completed the “open source” way through collaboration and
> published for free at the ISECOM website (www.isecom.org).

- --
Simon Kilvington


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkv1AhUACgkQmt9ZifioJSyZlACePjUdXMyLkni921iGuJcUtx5v
/HcAnjjSMgd6FMzzjM5qK+VZs6nK1Kby
=ZZcK
-----END PGP SIGNATURE-----