Open Source Security Testing Methodology Manual
Professional Security Tester Seminar
Pete Herzog
• Managing Director of ISECOM
Pete Herzog
• Managing Director of The Institute for Security and Open Methodologies
• Creator of the Open Source Security Testing Methodology Manual
• Professor at La Salle URL
• Professor at ESADE
Special Thanks
S21Sec
• ISECOM Training Partner for the OPST and OPSA.
• Ethical hacking provided by Jordi Andre.
• Seminar assistance by Lydia Sorribes.
La Salle URL
• Jaume Abella and Guiomar Corral.
• ISECOM Training Sponsor.
• ISECOM Hacker High School Sponsor.
• Provides classrooms, infrastructure, and student assistants.
Security Testing
• Vulnerability Scanning
• Security Scanning
• Ethical Hacking
• Penetration Testing
• Security Auditing
• Posture Assessment
• Risk Assessment
(diagram: all of the above grouped under "Security Testing")
The Security Testing Profession
What you know today prepares you for how you take tomorrow.
What You Know:
• Helpdesk Support Person
• Statistician
• Safety Officer
• Trainer
• Privacy Officer
• Network Architecture
• Software Testing
• Safety Inspection
• Business Development
• Operations Management
• Legal Advisor
• Privacy Advocate
• Incident Management
• Forensics
• Disaster Recovery
• Survivability
• Hacker
• We will start this morning with a creative exercise to think out of the box called "Jack of All Trades".
• The Jack exercises are used in the instruction of new hires on security teams.
• Each exercise is 4 questions about a scenario in which you are a professional in a different field of study each time. There are a total of 10 professions.
• Some professions you will understand better than others. That will influence the complexity of your answers but not the variety.
Jack the Electrician
1. Turn the switch off.
2. Break the bulb.
3. Rip out the wiring.
4. Overload the electricity in the room.
5. Cut the electricity to the room.
6. Add a brighter light source to the room.
7. Wait until it dies on its own and don't allow anyone to change it.
8. Ask someone to shut the light off.
9. Cover the bulb with a cloth.
10. Close your eyes.
• Destruction of any part of the process chain affects the end result.
• Attacking the process (side attacks) is essential to
Shopping for Security
• Do I need a security test?
• How often do I need a security test?
• Who should do the security test?
• Is it better to have a consultant do it or train some people to do it internally?
Sales and Marketing
• The international rules for marketing and sales are based on legalities, ethics, and security best practices.
– No promoting FUD (fear, uncertainty, and doubt).
• Promote "freedom" instead: security grants mobility.
– No name dropping of clients.
– Sell security and not yourself.
• Truth in security is essential. Where a client wants to purchase another service from you but security best practice requires a second, impartial testing team, it is important to tell the client that.
– Confidentiality is the key.
Real World Security
• Security to the non-security professional:
– Security has always been a part of life on Earth and it has had a long time to evolve.
– The concepts of security have often remained the same in theory and have just been reapplied with technology.
– The professional security tester must be able to identify where these security defences exist and how they parallel historical concepts.
– The historical security concepts also have a history of being defeated, and the history books are full of these attacks. Many of the popular ones have direct Internet counterparts:
• The Trojan horse as an attack against perimeter security.
• The battering ram used brute force to break through walls.
• Guerrilla warfare is a technique by which a small force fights a larger one and makes itself appear bigger than it is.
Historical Security
• Historical security concepts include:
• The Great Wall
– the concept of the large, impenetrable wall, which often also served as high ground for scouts to watch for the enemy.
• The Guarded Doorway
– the concept of the single entryway which is watched by a trusted person with a weapon (or a sign and an alarm).
• Encryption and Obfuscation
– both common practices, used together or separately, to move information without fear of alerting or informing the enemy.
• Unique Stamps and Signatures
– a concept used by kings as they pressed a metal seal into specially colored hot wax.
• The DMZ
– the demilitarized zone is a concept of separating a conflict space with a neutral area between two enemy armies.
Historical Security
• Historical security concepts include:
• The Illusion
– a technique to make a small army look big or a weak army appear strong in the hope of deterring the enemy.
• The Honey Pot
– a trophy used to draw armies into areas where they are at a disadvantage.
• Containment
– a concept for holding and confining an unknown agent until the risk of contamination is minimal.
• Peace
– the concept that neutrality provides security. A person with no enemies is a person with total security, but a person with no friends has much to be wary of.
• Aggression
– the bully technique is the concept that having everyone fear your retaliation provides security from attack.
Historical Security
• Historical security concepts include:
• Unavailability
– the concept that what isn't there isn't attackable.
• Disinformation
– the technique of mixing truth with propaganda to enhance the effectiveness of all other security concepts.
• Defensive Layering
– the classic technique of combining security concepts and techniques for more effective security, as in the bastion host.
Modern Security
• Historical concepts are often applied to securing modern technology. Sometimes this works. Often it does not.
• To understand why the historical concepts don't always work, we need to understand the new communication channels first.
• We also need to understand the undertones of society and the legal requirements for doing business.
Privacy and Security
(diagram: Business)
Legalities of Testing
• The security tester must understand and comply with the following legal concepts:
– A non-disclosure agreement backs confidentiality with financial liability.
– Uninvited "testing" is a criminal offense in various regions.
– Testing may only occur with written permission.
– Scanned and e-mailed documents are legal forms of contract.
– E-mail permission with proper headers is legally admissible evidence. Legally admissible evidence, however, does not amount to a legal defense.
– FAX documents are legal contracts in Europe, North America and Australia.
– Regional laws for both the tester and the organization being tested apply.
– Your company cannot protect your reputation. You are responsible for all your actions.
Ethics in Testing
• The security tester must understand and comply with the following ethical concepts:
– Distributed Denial of Service attacks are not to be tested over the Internet. The attacks will nearly always work and will affect all routers in between as well.
– Keep all tests, results, and clients confidential, even in internal communication. This includes sales and marketing!
– Use encryption for sending all test information in client communications and final test reports. The standard is OpenPGP (PGP or GnuPG).
– Notify the client at regular intervals of testing progress.
– Promote freedom, not fear, uncertainty, and doubt, to sell, market, or promote the profession.
– Know your tools, where they came from and how they work, and test them on a restricted test network before using them.
Playing by the Rules
• This should first be clarified with the client before the tester may begin any security testing:
– No unusual or major network changes during testing.
– Notify only key people about the testing.
– If necessary for privileged testing, the client must provide 2 normal, remote user accounts.
– When a privileged test is part of a security test, first test black-box and then test with privileges.
– No empty accounts!
• Any privileged accounts received must be working and contain the same "stuff" and configuration options as those of other users.
– Provide an internal mail account for testing.
– Provide a public key for secure e-mail.
– Provide the optimal and worst testing times.
Client Notifications
• The security tester must notify the client whenever:
– The testing plan changes
– The venue changes
– Weekly updates are due
– There are high risk findings
– High risk tests will be run shortly
– High traffic testing will occur shortly
– Meetings need to be confirmed and reconfirmed
– Any testing problems have occurred (yours and theirs)
– There are access problems (the account given to you doesn't work)
– The report will be sent shortly
Perfect Security
• What is perfect security?
– A utopia?
– Boring?
– Loss of job / income for security testers?
• Understanding what security best practices are allows a tester to model the network being tested against the ideal.
Estimates and Assessment
• Who?
• Where?
• Why?
• What?
• When?
• How?
– How Long?
– How Much?
Mapping the Assessment
(network diagram: ISP, DMZ, ADMIN, INTRANET, Domain Registration, NEWS, SATELLITE OFFICE; caption fragment: "Note the traditional")
Assessment Strategies
• Scheduling Requirements
– Basic port scanning rule of thumb (full 64k port range per host):
– 2 days for a class C at <= 12 hops over a 64k digital line.
– Add an additional hour per class C for every hop over 12.
– More bandwidth will decrease scanning time proportionally.
– Does not account for systems protected by an active IDS or a stateful firewall. These could double or quadruple the time required!
– Complete OSSTMM testing rule of thumb:
» Complete OSSTMM testing includes port scanning as well.
– 3 man-weeks for 10 live systems in a class C at <= 12 hops over 64k ISDN.
– Add an additional 1/2 man-hour per live system for every hop over 12.
– More bandwidth will decrease testing time proportionally, up to 1 Mbit/s.
– Increasing the number of testers will decrease testing time proportionally. Analysis and reporting will become more complicated and take longer with more than 5 testers.
– Does not account for systems protected by an active IDS or a stateful firewall. These could double or quadruple the time required!
(chart: time versus man-hours)
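The two rules of thumb above, turned into a small estimator so that a scope can be priced consistently. This is an added example, not part of the seminar material or of the OSSTMM itself. The rules are transcribed from the slide; everything else is an assumption: 8-hour scanning days, 40-hour man-weeks, linear scaling with the number of live systems, x2 as the default IDS/stateful-firewall factor (x4 for the worst case), applying the bandwidth factor to the base figure only (the per-hop penalty is latency, not throughput), and no further speed-up beyond five testers.

```python
"""Scheduling estimator for the two rules of thumb on this slide.

Added example, not part of the seminar material or of the OSSTMM.  The
rules are transcribed from the slide; everything else (8-hour scanning
days, 40-hour man-weeks, linear scaling with the number of live systems,
the x2 default for an IDS/stateful firewall, applying the bandwidth factor
to the base figure only, capping the tester speed-up at 5) is an assumption.
"""

HOURS_PER_DAY = 8                      # assumption: one scanning day
HOURS_PER_MAN_WEEK = 40                # assumption: one man-week
BASELINE_KBPS = 64                     # slide: "64k digital line" / "64k ISDN"
BASELINE_HOPS = 12                     # slide: figures hold for <= 12 hops
FULL_TEST_BANDWIDTH_CAP_KBPS = 1024    # slide: "proportionally up to 1Mb"
MAX_EFFICIENT_TESTERS = 5              # slide: overhead grows beyond 5 testers


def _check(count, hops, bandwidth_kbps):
    if count < 1 or hops < 1 or bandwidth_kbps <= 0:
        raise ValueError("counts and hops must be >= 1, bandwidth > 0")


def ids_factor(ids_or_stateful_fw, worst_case):
    """Slide: an active IDS or stateful firewall 'could double or quadruple'."""
    if not ids_or_stateful_fw:
        return 1
    return 4 if worst_case else 2


def port_scan_hours(class_c_blocks, hops, bandwidth_kbps,
                    ids_or_stateful_fw=False, worst_case=False):
    """Elapsed hours for a full-port-range scan of N class C blocks."""
    _check(class_c_blocks, hops, bandwidth_kbps)
    hours = class_c_blocks * 2 * HOURS_PER_DAY              # 2 days per class C
    hours *= BASELINE_KBPS / bandwidth_kbps                 # proportional to bandwidth
    hours += class_c_blocks * max(0, hops - BASELINE_HOPS)  # +1 h per class C per extra hop
    return hours * ids_factor(ids_or_stateful_fw, worst_case)


def full_test_estimate(live_systems, hops, bandwidth_kbps, testers=1,
                       ids_or_stateful_fw=False, worst_case=False):
    """Effort (man-hours) and elapsed time (days) for a complete OSSTMM test."""
    _check(live_systems, hops, bandwidth_kbps)
    if testers < 1:
        raise ValueError("need at least one tester")
    # 3 man-weeks per 10 live systems; assumption: scales linearly with systems
    man_hours = live_systems * (3 * HOURS_PER_MAN_WEEK / 10)
    # bandwidth helps only up to 1 Mbit/s
    man_hours *= BASELINE_KBPS / min(bandwidth_kbps, FULL_TEST_BANDWIDTH_CAP_KBPS)
    # +1/2 man-hour per live system for every hop over 12
    man_hours += live_systems * max(0, hops - BASELINE_HOPS) * 0.5
    man_hours *= ids_factor(ids_or_stateful_fw, worst_case)
    parallel = min(testers, MAX_EFFICIENT_TESTERS)   # no further speed-up past 5 testers
    return {"man_hours": man_hours,
            "calendar_days": man_hours / parallel / HOURS_PER_DAY,
            "testers": testers}


if __name__ == "__main__":
    # Worked case: one class C with 10 live hosts, 14 hops away over a
    # 128 kbit/s link, behind a stateful firewall, three testers.
    print("port scan, hours:", port_scan_hours(1, 14, 128, ids_or_stateful_fw=True))
    print("full test:", full_test_estimate(10, 14, 128, testers=3, ids_or_stateful_fw=True))
```

The separation of `man_hours` (effort to invoice) from `calendar_days` (what goes into the test plan) matters: adding testers shortens the calendar but, as the slide warns, does not reduce the effort, and past five testers the estimator stops crediting any speed-up at all.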
BREAK
Coffee, Questions, Chat, and Wake Up.
Security Map
• The security presence is all gateways into a location.
• The OSSTMM uses the security map as a visual display of the security presence.
(diagram: the six sections of the security map)
• Physical Security
• Communications Security
• Wireless Security
• Internet Security
• Process Security
• Information Security
OSSTMM FAQ
• Who uses it?
• Nobody is required to disclose that they use the OSSTMM, and security best practice is to say nothing about your own security practices anyway.
• How long has it been around?
• Since January 2000.
• What is the peer-review process?
• Submissions come from anyone and everywhere. The submissions are edited into the OSSTMM RED. The RED is sent to the core group of peer reviewers. The final cut ends with ISECOM, who makes last-minute edits and publishes it for public peer review. The cycle starts again.
(diagram: edit -> OSSTMM RED -> core reviewers -> OSSTMM Public Release -> general public)
OSSTMM FAQ
• Who writes it?
• Security experts, scientists, security testers, lawyers, and hackers.
• The youngest contributor is 15 years old.
• Why is the OSSTMM needed?
• A standard for methodical security testing.
• A guide for the security testing professional.
• Isn't it impossible to make a methodology for something as complex, changing, and intricate as security testing?
• It's not worth having goals which are easily obtained. ;)
• The basics of security testing change very slowly.
• The most current version of the OSSTMM is only good for a few years backward and forward at any given time.
OSSTMM FAQ
• Aren't you just teaching hackers how to hack?
• A methodology teaches WHAT, WHICH, and WHEN.
• Hackers require HOW and WHY.
• Anyone who knows enough about security testing to follow the OSSTMM already knows how to hack.
• Why use it as opposed to XYZ methodology?
• The OSSTMM attempts to include all laws and high-level methodologies in its low-level tests.
• It's just not practical.
• Practical testing comes from how it is followed.
Making OSSTMM Certified Tests
• As of OSSTMM 3.0, a security test checklist is required to accompany all final reports.
• This checklist will show modules and tasks completed, not completed and not applicable.
• The checklist will then be signed by the tester and provided with the final test report to the client or executive officer.
• Reasons for the checklist are:
– Serves as proof of thorough testing.
– Makes a tester responsible for the test.
– Makes a clear statement to the client or executive officer.
– Provides a convenient overview.
Dynamics of Testing
• The dynamics of security testing have changed greatly since the first administrators tested their own Internet security in the mid-1990s with the SATAN automated tool.
– Customers have become "clients".
• The term "customer" is used before contracts are signed, during sales meetings and during the assessment. You are ethically responsible for the confidentiality of information you learn about the customer.
• The term "client" refers to the legal status of your obligation to your customer. After the contract is signed, your customer becomes a "client" and your ethical responsibility for confidentiality becomes a legal responsibility.
– Security testing is now a legitimate profession.
– The role of the security tester is no longer just security testing.
Security Testing in Practice
• In the security testing profession, certain considerations must always be kept in mind:
• Solutions must be practical and realistic.
• Tests must be creative yet methodical.
• Analysis must be based on business justifications.
• Tests need to be properly assessed and risks properly identified.
• Tests will reveal internal processes and policies.
• Testing must comply with the various laws.
• Analysis must be completed in consideration of the various international and regional laws.
• The security tester must promote trust with the client.
• The determined risk must be measurable and quantifiable.
Technical Preparations
• With a background in ethical and legal obligations, the security tester is prepared to venture into the technical side of testing. This is just one difference between the security testing professional and the hacker.
• Technical preparations include:
– Setting up the attack network
• Preparations for full packet sending and recovery abilities
• Avoiding firewall and NAT pitfalls
– Access to security testing resources
• Finding the right tools and exploits
– Setting up the attack server
• The management of confidential data
In Practice
• You have seen:
– Theory
– Concepts
– Nothing interesting, new, or mind-shattering
• You will see:
– A privacy review of the Disney website in action.
– A live assessment in action while I talk about the security test.
Disney Demo
• Let's look at the following questions:
– What does the Walt Disney privacy policy say?
– What kinds of information does Disney claim to collect?
– If we register an account at Disney as an adult, what kind of information does Disney ask for? Is it different for children?
– Does the source code of the Disney adult and children's registration forms say otherwise?
– How is the information submitted to the organization? Through what server? Encrypted? Held locally?
– Does the account sign-up promote SPAM?
– How does this compare with the privacy policy?
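The last four questions are answered by reading the form's HTML rather than the policy. As an added example (not part of the seminar and not Disney's code), the script below does that reading mechanically: it parses the registration forms on a page, records where and how each one submits, lists hidden fields and pre-ticked opt-in boxes, and compares the field names actually collected with the set the privacy policy declares. The page URL, both HTML forms and the "declared fields" list are constructed samples; only the audit rules are the ones a tester would apply to the real site.

```python
"""Registration-form privacy audit helper for the questions above.

Added example, not part of the seminar and not Disney's code.  The HTML,
the page URL and the 'privacy policy' field list are constructed samples;
the audit rules are the ones a tester would apply to the real forms.
"""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SAMPLE_PAGE_URL = "https://register.example.com/kids/signup"   # constructed

# Constructed: what the site's privacy policy claims to collect from children.
POLICY_DECLARED_FIELDS = {"first_name", "parent_email", "newsletter"}

# Constructed sample of a children's registration form showing the problems
# the questions above are looking for.
SAMPLE_FORM = """
<form action="http://tracker.example-partner.net/collect" method="get">
  <input type="text" name="first_name">
  <input type="email" name="email">
  <input type="text" name="parent_email">
  <input type="hidden" name="campaign" value="summer">
  <input type="hidden" name="age_bracket" value="under13">
  <input type="checkbox" name="newsletter" checked>
  <input type="checkbox" name="partner_offers" checked>
  <input type="submit" value="Join">
</form>
"""

# Constructed sample of the same form after the problems are fixed.
FIXED_FORM = """
<form action="/kids/signup/submit" method="post">
  <input type="text" name="first_name">
  <input type="email" name="parent_email">
  <input type="checkbox" name="newsletter">
  <input type="submit" value="Join">
</form>
"""


class FormParser(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                    # boolean attributes (checked) map to None
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append({"name": a.get("name"),
                                         "type": (a.get("type") or "text").lower(),
                                         "value": a.get("value"),
                                         "checked": "checked" in a})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_form(form, page_url, declared_fields):
    """Compare what the form really submits, and where, with the policy."""
    findings = []
    action = urljoin(page_url, form["action"])
    target = urlsplit(action)
    if target.scheme != "https":
        findings.append(f"submitted over {target.scheme}, not TLS: {action}")
    if target.hostname != urlsplit(page_url).hostname:
        findings.append(f"submitted to another host: {target.hostname}")
    if form["method"] == "get":
        findings.append("GET puts personal data into URLs (proxy/server logs, Referer, history)")
    fields = [f for f in form["fields"]
              if f["name"] and f["type"] not in ("submit", "button", "reset", "image")]
    for f in fields:
        if f["type"] == "hidden":
            findings.append(f"hidden field {f['name']}={f['value']!r} sent without the user seeing it")
        if f["type"] == "checkbox" and f["checked"]:
            findings.append(f"checkbox {f['name']} is pre-ticked (opt-out, not opt-in)")
    undeclared = sorted({f["name"] for f in fields} - set(declared_fields))
    if undeclared:
        findings.append(f"collected but not declared in the policy: {undeclared}")
    return {"action": action, "method": form["method"],
            "fields": [f["name"] for f in fields], "findings": findings}


def audit_page(html, page_url, declared_fields):
    parser = FormParser()
    parser.feed(html)
    parser.close()
    return [audit_form(f, page_url, declared_fields) for f in parser.forms]


if __name__ == "__main__":
    for label, html in (("sample", SAMPLE_FORM), ("fixed", FIXED_FORM)):
        for report in audit_page(html, SAMPLE_PAGE_URL, POLICY_DECLARED_FIELDS):
            print(label, report["method"].upper(), report["action"])
            for finding in report["findings"] or ["no findings"]:
                print("  -", finding)
```

Run against the page source saved from the browser (both the adult and the children's form), the output is the evidence for the "says otherwise?" question: the field list is what is actually collected, the resolved action URL answers "through what server?" and "encrypted?", and pre-ticked marketing boxes answer the SPAM question. Client-side JavaScript that adds fields or rewrites the action at submit time is not seen by a static parser, so confirm the result with a captured submission as well.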
Goals for Security Test
• Assess IT and Information Security Vulnerabilities and Threats
– the key being to assess what they are and if they are real
• Recognize Security Best Practices
– need a model of "secure and private" to compare to
• Recognize the Business Risks
– the information security risks for a search portal are very different from those of a financial institution or health clinic.
• Recognize Privacy Issues both Internal and External
– privacy risks to customers, employees, and the company
• Suggest / Implement Practical Security Solutions
Limits of Security Test
• Loss of business
– down time during the test, perhaps caused by the test itself
• Wasted resources
– employee reactions to alarm states
• False sense of security
– it's not definitive, since a successful test score does not mean perfect security
• It is really superficial
– it means nothing if nothing gets fixed
• Process failures
– can cause internal procedures such as patching and other administration tasks to halt
Rules of Engagement
• These are the OSSTMM 3.0 standard steps of the security testing process:
1. Sales and Marketing
2. Assessment / Estimate Delivery
3. Dance of the mighty Contracts
• non disclosure
• liabilities
• scope and deliverables
4. Providing Test Plan
5. Review the "rules"
6. Testing
– periodic management notification
7. Report Writing
8. Report Delivery
9. Workshop
What is Security Testing?
• According to the OSSTMM, a security test is only valid if it is:
• Quantifiable
– can be numerically measured
• Consistent and repeatable
– two testers would receive the same test results at the same time
• Valid beyond the "now" time frame
– lasts and remains valid longer than the wet ink on the report
• Based on the merit of the tester and analyst, not on brands
– it is based on smarts and not on expensive tools
• Thorough
– a complete test where nothing within the scope is left untested
• Compliant with individual and local laws and the human right to privacy
Common Tests
• Common Sec Tests EXPOSED!
– Verification Testing
– Periodic Testing
– VPN Testing
– Privilege Testing
– Router / Firewall / IDS testing
– DoS Testing
Verification Testing
• what is it?
– A single test to verify problems have been addressed with proper, working solutions.
• who should do it?
– Not the same team from the original test.
• how soon should it be done?
– It should be started no longer than 2 months after the initial test has completed or no more than 1 month after all fixes have been made. More than 3 months later and it's another full security test.
• how frequently can it be done?
– Twice. Once to verify changes. A second, small test of new or replaced systems.
• when is it not verification?
– When it's more than once. Then it's a periodic test.
Periodic Testing
• what is it?
– Regular weekly or monthly testing
• who should do it?
– The same team who conducts the initial test should designate a person for this weekly review.
• how soon should it be done?
– It should be started no longer than 2 months after the initial test has completed or no more than 1 month after all fixes have been made.
• how often can it be done?
– It can be done with a daily review of vulnerabilities and testing only weekly. 1 year is the maximum recommended time before having the whole team conduct another full test.
• how can I plan this best?
– Refer to the RAVs (Risk Assessment Values)
VPN Testing
• what is it?
– A test of the remote access VPN
• how soon should it be done?
– It should be done after the black-box security test. Doing it before gives away too much information to allow for a reasonable test.
• how often can it be done?
– As often as desired, but these generally take time as they include internal systems enumeration, which can get big, and sometimes modem access, which can go slowly.
• what are some problems with VPN testing?
• scope
• depth
• finding the VPN
• proprietary client software may be required
Privileged Testing
• what is it?
– A test with login credentials like those of a normal, valid system user.
• who should do it?
– The security testing team
• what are the privileges?
– Two accounts are generally required, to try moving data back and forth or hijacking one from the other. Assets in the account, like information or money, should also be available to the testers.
• how is it done?
– It's an application test with a foothold in the server
• what should be included?
Firewall / IDS Testing
• what is it?
– Generally a test where another system is placed inside the DMZ to respond or convey information during egress testing; access to the firewall and IDS logs during the tests belongs here as well.
• who should do it?
– Include your most knowledgeable firewall, router, or IDS admins in the team.
• what do I need to start?
– A portable system to egress from the inside to the outside as well as to monitor and log.
• what should be included?
– All firewalls should be tested together and separately from the router if it screens. Include HIDS and NIDS in the IDS tests.
Denial of Service Testing
• what is it?
– A patience game: a process of firing an attack and waiting patiently for the admin to tell you if it worked.
• who should do it?
– The security testing team; include your most evil thinkers and late-night people, because this is rarely done during the day.
• what do I need to start?
– An extra person onsite, a laptop, and a phone.
• how is it done?
– You need a person inside standing watch over the safety of all machines, ready to reboot if necessary. Include a portable machine to monitor all the systems being attacked as well.
• what should be included?
– specific information on risks in the contract
Containment Measures Testing
• what is it?
– A test of the containment measures for trojans, dangerous extensions, neutered viruses or the EICAR test file (a harmless fake virus), and spam passed through e-mail or internal web browsing with scripts and applets.
• who should do it?
– The most organized and meticulous person on the team
• what do I need to start?
– Fake viruses, the EICAR text, e-mail, a web server, various compression algorithms, and a list of key words.
• how is it done?
– From the outside to the inside; it's sent like an egress test
• what should be included?
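The "various compression algorithms" on the checklist above are what separates a gateway that matches signatures from one that actually unpacks attachments. As an added example (not part of the seminar), the script below builds the payload set from the harmless EICAR anti-virus test file: bare, renamed, whitespace-padded, zipped, zip-in-zip, gzipped and gzip-in-zip. It unwraps each one locally first, so that every "blocked" or "delivered" line later found in the gateway log is known to refer to a payload that really carried the test string, and it prints a manifest with hashes for the person watching the logs. The test string and its padding rule come from eicar.org; the layering choices, file names and manifest format are the author's assumptions about what a tester would send and record.

```python
"""Payload set for a containment-measures test of a mail gateway or web
proxy, as described above.

Added example, not part of the seminar.  It uses only the harmless EICAR
anti-virus test file (the 68-byte string published by eicar.org); the
wrapping layers, file names and the manifest format are the author's
assumptions about what a tester would send and record.
"""

import gzip
import hashlib
import io
import zipfile

# The 68-byte EICAR test string.  Split across two literals so that this
# source file itself does not contain the contiguous signature and get
# quarantined by a content scanner when it is stored or mailed.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-"
         b"ANTIVIRUS-TEST-FILE!$H+H*")


def zip_bytes(inner_name, data):
    """Return a ZIP archive (DEFLATE) holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(inner_name, data)
    return buf.getvalue()


def build_payloads():
    """Map a label to (file name, bytes) for each containment layer to probe.

    Each variant tests a different thing: the bare file tests the signature
    match, the renamed file tests whether the gateway trusts extensions,
    trailing whitespace tests tolerance for the EICAR spec's padding rule,
    and the archive variants test how many compression layers are opened.
    """
    return {
        "plain":        ("eicar.com", EICAR),
        "renamed_txt":  ("eicar.txt", EICAR),
        # eicar.org allows trailing whitespace up to a total of 128 bytes.
        "trailing_ws":  ("eicar_padded.com", EICAR + b" " * 20),
        "zip":          ("eicar.zip", zip_bytes("eicar.com", EICAR)),
        "zip_in_zip":   ("eicar_nested.zip",
                         zip_bytes("eicar.zip", zip_bytes("eicar.com", EICAR))),
        "gzip":         ("eicar.com.gz", gzip.compress(EICAR)),
        "gzip_in_zip":  ("eicar_mixed.zip",
                         zip_bytes("eicar.com.gz", gzip.compress(EICAR))),
    }


def unwrap(data):
    """Peel ZIP/gzip layers; return (layers_removed, innermost_bytes).

    Run before sending so every 'blocked' or 'delivered' result in the
    gateway log is known to refer to a payload that really carried EICAR.
    """
    layers = 0
    while True:
        if data[:2] == b"PK":                       # ZIP local-file-header magic
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                data = archive.read(archive.namelist()[0])
        elif data[:2] == b"\x1f\x8b":               # gzip magic
            data = gzip.decompress(data)
        else:
            return layers, data
        layers += 1


def manifest(payloads):
    """Checklist rows to hand to the person watching the gateway logs."""
    return {label: {"filename": name, "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(),
                    "layers": unwrap(data)[0]}
            for label, (name, data) in payloads.items()}


if __name__ == "__main__":
    for label, row in manifest(build_payloads()).items():
        print(f"{label:12} {row['filename']:18} {row['size']:5d} B  "
              f"layers={row['layers']}  sha256={row['sha256'][:16]}...")
```

Send each payload by every ingress the slide names (mail attachment, web download, script or applet reference) and record, per row of the manifest, whether it was blocked, delivered intact or delivered modified. The `renamed_txt` and `plain` rows have identical hashes on purpose: a gateway that blocks one and passes the other is filtering on file extension, not content.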
Web Application Testing
• what is it?
– A test of the website as an application, which includes usability, security holes and weaknesses, performance testing, and software quality testing
• who should do it?
– Add a software quality tester and a performance tester to the team. A web developer with a usability background is useful as well.
• what do I need to start?
– Checklists and more checklists.
• how is it done?
– Must be done in the real operating environment
• what should be included?
Voluntary Results
• Anything interesting?
• Obvious Privacy Problems?
• Obvious Security Problems?
• Size of network?
• Web components?
Need More Information?
• ISECOM free consulting: www.isecom.org
• Training:
– OSSTMM Professional Security Tester
– OSSTMM Professional Security Analyst
– OSSTMM Professional Security Services
My last classes: March 17th and March 27th
• Look for the OSSTMM 3.0
• Look for the Business Security Testing and Analysis Workbook
Questions?
• If you have more questions on the OSSTMM or want to dedicate time to the project, please write us at
• More information is available at:
– http://www.isecom.org/certification.htm