FOCUS
WHAT IS OSSTMM
4 POINTS PROCESS
CHANNELS
OSSTMM COMPLIANCE
Policy
Compliance with policy is in accordance with the business or organization where the policy can be enforced. Failure to comply with policy most often leads to dismissal from the organization, a loss of privileges, a monetary fine, or civil charges; in some cases, where legislation exists to support the policy makers, criminal charges can be brought.
Regulation
Compliance with regulation is in accordance with the industry or the group within which the regulation can be enforced. Failure to comply with regulations most often leads to dismissal from the group, a loss of privileges, a monetary fine, or civil charges; in some cases, where legislation exists to support the regulatory body, criminal charges can be brought.
Legislation
Compliance with legislation is in accordance with the region where the legislation can be enforced. The strength of, and commitment to, the legislation comes from its popularity, from previously successful legal arguments, and from appropriately set and just enforcement measures. Failure to comply with legislation may lead to criminal charges.
RAVs
The RAVs are the OSSTMM Risk Assessment Values. A RAV is the computation of security operations, controls, and limitations which represents the current state of protection.
RAVs
Operational Security (OPSEC): the lack of security one must have to be interactive, useful, public, open, or available; defined by the combination of visibility, trust and access.
Controls: impact and loss reduction controls; 5 Class A controls, which control interactions; 5 Class B controls, which control processes.
Limitations: the current state of perceived and known limits for channels, operations, and controls, as verified within the audit.
RAVs METHOD
loss controls, and security limitations
All tests which have been made, not made, or only partially made, and to what extent
Any issues regarding the test and the validity of the results
Test error margins
The processes which influence the security limitations
Any unknowns or anomalies
Why STAR
Allows comparisons with historical tests, between departments, and with other organizations.
Allows for deeper, big-picture testing where multiple vectors combine into one STAR.
Provides a tailored metric against which to verify new vulnerabilities without exploiting them.
Provides a means to calculate the security change from new products before integrating them into your network.