Open Source Security Testing Methodology Manual (OSSTMM)

The Open Source Security Testing Methodology Manual (OSSTMM) is peer-reviewed and maintained by the Institute for Security and Open Methodologies (ISECOM).

It has been primarily developed as a security auditing methodology assessing against regulatory and industry requirements. It is not meant to be used as a standalone methodology but rather to serve as a basis for developing one which is tailored towards the required regulations and frameworks.

OSSTMM Rules of Engagement

This section is quite comprehensive and one of the more useful parts of the methodology. At the beginning of a pen-testing project, OSSTMM recommends a set of activities in producing the documents covering the following:

• Project scope
• Confidentiality and non-disclosure assurance
• Emergency contact information
• Statement of work change process
• Test plan
• Test process
• Reporting standards

Some other (non-technical) documents which are not covered by OSSTMM could include:

• Procurement
• Project risk identification
• Qualitative and quantitative risk analysis
• Human resources
• Cost estimates and controls

OSSTMM Channels

OSSTMM test cases cover most of the 10 security domains identified by the International Information System Security Certification Consortium (ISC)². They are divided into five channels (alternatively called sections or security areas):

1. Human Security

This focuses on assessing personnel security awareness levels and the effectiveness of the security training in the organisation. The methods discussed revolve around social engineering attacks and assessing the level of exposure of sensitive information about the organisation and its employees.

2. Physical Security

Assesses access controls, security processes and physical locations such as buildings, perimeters and military bases.

3. Wireless Communications

Covers different forms of wireless which can be intercepted or disrupted, including Wi-Fi networks, RFID and so on.

4. Telecommunications

Covers the different communication channels in the organisation, including VoIP, PBX and voicemail.

5. Data Networks

This is the channel which focuses on computer and network security and describes the following activities:

• Network surveying
• Identification
• Access process
• Service identification
• Authentication
• Spoofing
• Phishing
• Resource abuse

OSSTMM uses the concept of modules, defining them as a set of processes or phases which are applicable for each channel. The modules are described at the relatively high level and the implementation of each module in the different channels will be specific to the actual domain, technical and regulatory constraints.

The four modules defined by OSSTMM are:

Phase I: Regulatory

• Posture review – review relevant regulatory and legislative frameworks and standards
• Logistics – identify any physical and technical constraints to the processes in the channel
• Active detection verification – evaluate interaction detection and response

Phase II: Definitions

• Visibility audit – assess the visibility of information, systems and processes relevant to the target
• Access verification – assess access points to the target
• Trust verification – assess trust relationship between the systems (or between people)
• Control verification – assess controls to maintain confidentiality, integrity, privacy and non-repudiation within the systems

Phase III: Information Phase

• Process verification – review the security processes of the organisation
• Configuration verification – evaluate the processes under various security level conditions
• Property validation – examine the physical or intellectual property available at the organisation
• Segregation review – determine the levels of personal information leaks
• Exposure review – evaluate sensitive information exposure
• Competitive intelligence – determine information leaks which could aid competitors

Phase IV: Interactive Controls Test Phase

• Quarantive verification – evaluate the effectiveness of quarantine functions on the target
• Privileges audit – review effectiveness of authorisation and potential impact of unauthorised privilege escalation
• Survivability validation – assess systems resilience and recovery
• Alerts and logs review – review audit activities in ensuring reliable events trail

OSSTMM focuses on which items need to be tested, what to do before, during and after a security test, and how to measure the results. One particularly useful part of OSSTMM is that it has a section covering international best practices, laws, regulations and ethical standards.

Reference

_{Institute for Security and Open Methodologies (2010) Open Source Security Testing Methodology Manual (OSSTMM) [online] available from https://www.isecom.org/OSSTMM.3.pdf [1 May 2020]}