
OSSTMM (OPEN SOURCE SECURITY TESTING METHODOLOGY MANUAL)

MUHAMMAD SHAZWAAN B ZAINUDDIN (52261110169) NORHAMIZAH BT

FOCUS

WHAT IS OSSTMM

WHATS NEW IN OSSTMM 3

LONG TERM RESEARCH

4 POINTS PROCESS

CHANNELS

OSSTMM COMPLIANCE

Policy
Compliance with policy is in accordance with the business or organization where the policy can be enforced. Failure to comply with policy most often leads to dismissal from the organization, a loss of privileges, a monetary fine, or civil charges; in some cases, where legislation exists to support the policy makers, criminal charges can be made.

Regulation
Compliance with regulation is in accordance with the industry or group where the regulation can be enforced. Failure to comply with regulations most often leads to dismissal from the group, a loss of privileges, a monetary fine, or civil charges; in some cases, where legislation exists to support the regulatory body, criminal charges can be made.

Legislation
Compliance with legislation is in accordance with the region where the legislation can be enforced. The strength of and commitment to the legislation comes from its popularity, previously successful legal arguments, and appropriately set and just enforcement measures. Failure to comply with legislation may lead to criminal charges.

RAVs
The RAVs are the OSSTMM Risk Assessment Values. A RAV is the computation of security operations, controls, and limitations which represents the current state of protection.

How RAVs Work
The RAV is designed to rate the effectiveness of your controls for your porosity. The RAV differs from historical measurements because that one value alone should tell you how protected something is. It is therefore a comparative measurement, regardless of the size of the scope.

RAVs
Operational Security (OPSEC)
The lack of security one must have in order to be interactive, useful, public, open, or available; defined by the combination of visibility, trust and access.

Controls
Impact and loss reduction controls: 5 Class A controls, which control interactions, and 5 Class B controls, which control processes.

Limitations
The current state of perceived and known limits for channels, operations, and controls, as verified within the audit.

These are combined to produce the Actual Security value (0-100).

RAVs METHOD

Security Test and Audit Report (STAR)

Date and time of the test
Duration of the test
Testers and analysts involved
Test type
Scope
Index (method of target enumeration)
Channel tested
Vector of the test
Verified tests and metrics calculations of operational protection levels, loss controls, and security limitations
All tests which have been made, not made, or only partially made, and to what extent
Any issues regarding the test and the validity of the results
Test error margins
The processes which influence the security limitations
Any unknowns or anomalies

Why STAR
Allows comparisons with historical tests, between departments, and with other organizations.
Allows for deeper, big-picture testing where multiple vectors combine into one STAR.
Provides a tailored metric against which to verify new vulnerabilities without exploiting them.
Provides a means to calculate the security change from new products before integrating them into your network.
