The New ISO Hacking Standard

New York, May 17, 2010 -- The world’s national standards bodies met again during April, this time in Malaka, Malaysia and they extended talks about the Open Source Security Testing Methodology Manual. This ultimate security guide, better known to security experts and hackers alike as the OSSTMM (spoken like “awesome” but with a “t”), is a formal methodology for breaking any security and attacking anything the most thorough way possible. So why is the International Standards Organization talking about it?

Some national standards organizations like ANSI in the USA and UNINFO in Italy have had their eye on the OSSTMM for years. Others, like DIN in Germany, were only recently shown the benefits of the OSSTMM but then supported it immediately. Released for free in January 2001 by Pete Herzog as the underdog to the security industry’s product-focused security advice, the manual achieved an instant cult following. The fact that OSSTMM is open to anyone for peer review and further research led to it growing from its initial 12 page release to its current size of 200. The international support community also grew to over 7000 members with dozens of research contributors dedicating their time to enhancing it. For testing security operations and devising tactics it has no equal. Its popularity and growth happened so fast that the non-profit organization ISECOM created the Open Methodology License (OML) asserting the OSSTMM as an open Trade Secret to assure it remained free, as in no price, as well as free from commercial and political influence. The OSSTMM seemed to have all the features of being the answer for securing the world except that it had never been formally recognized…until now.

With such fanatical devotion from experts and the underground, the OSSTMM soon gained the attention of governments from city to state to national which is how it eventually got to the ISO. ISO is the acronym of the International Standards Organization. Headquartered in Geneva, Switzerland, ISO is the collection of people who create manuals standardizing all sorts of things like paper sizes (ISO 216), what determines a water-resistant watch (ISO 2281), how to properly conduct quality management (ISO 9001), the C programming language (ISO 9899), shoe sizes (ISO 9407), or what defines proper information security (ISO 27001 and 27002). However they currently have nothing on operational security, the means of assuring security for processes and systems in action. The only way that can be done is by attacking it every way possible, pushing the impossible, and see why and how the security breaks. That’s exactly what the OSSTMM does.

During past ISO meetings, the Subcommittee 27, mostly known for its ISO/IEC 27000 family (Information Security Management System) and ISO/IEC 15408 (Common Criteria), already discussed the topic within different working groups (WG) with no clear outcome. Meanwhile, some ISECOM members, like Dr. Fabio Guasconi in Italy and Heiko Rudolph together with Aaron Brown in Germany, have become active participants in their respective ISO national bodies to help inform their ISO colleagues about the many benefits the OSSTMM could provide to various ISO standards. In Malaka, Dr. Guasconi, the national body representative of Italy’s UNINFO, made significant progress on this front when he held a complete presentation to WG4 and WG3, the latter one being devoted to security evaluation criteria. WG3 then eventually expressed a formal interest in carving deeper into the security testing methodology topic, issuing and approving a resolution for starting a study period of one year. The base of this study period, which is the first step towards a standardization path, would be constituted by the OSSTMM 3 and all security experts from national bodies will freely contribute and comment on it. By the end of the study period it will be determined how ISO will receive OSSTMM contents in its family of security standards. As outlined in Malaka’s presentation there are many standards that could benefit from a standard aligned with OSSTMM contents, such as 21827, 15408, 18045, 19790 and, of course, 27001. Parts of OSSTMM concepts have already been posted as comments within the project for ISO 27008, which is dedicated to technical audits on security controls. It looks like this hacker’s guide has really grown up.

The OSSTMM is currently in its third revision and still in Beta, therefore only available to team members, select reviewers, and federal government agencies that require it for drafting policy. This third version is a complete re-write of the methodology and has at its foundation the ever-elusive security and trust metrics. It required 6 years of research and development to produce the perfect operational security metric, an algorithm which computes the Attack Surface of anything. In essence, it is a numerical scale to show how unprotected and exposed something currently is. This number is the basis required for making a proper trust assessment, another feature of the OSSTMM 3 to do away with risk assessment in favor of a more factual metric using trust. Security professionals, military tacticians, and security researchers know that without knowing how exposed a target is, it’s just not possible to say how likely a threat will cause damage and how much. But to know this requires a thorough security test which happens to be exactly what the OSSTMM provides.

Read more: Isecom

Posted via email from jasper22's posterous