OSSTMM 3 – the Open Source Security Testing Methodology Manual

Designed for e-book readers or double-sided printing.

This manual provides test cases that result in verified facts. These facts provide actionable information that can measurably improve your operational security. By using the OSSTMM you no longer have to rely on general best practices, anecdotal evidence, or superstitions, because you will have verified information specific to your needs on which to base your security decisions.

Creative Commons 3.0 Attribution-Non-Commercial-NoDerivs 2010, ISECOM, www.isecom.org, www.osstmm.org
Official OSSTMM Certifications: www.opsa.org, www.opst.org, www.opse.org, www.owse.org, www.trustanalyst.org

Instructions

This is a methodology to test the operational security of physical locations, human interactions, and all forms of communications such as wireless, wired, analog, and digital. Those who want to jump right into testing while using it may find the following quick-start information helpful.

Quick Start

To start making an OSSTMM test you will need to track what you test (the targets), how you test them (the parts of the targets tested, not the tools or techniques used), the types of controls discovered, and what you did not test (targets and parts of the targets). Then you may conduct the test as you are accustomed to, with the objective of being able to answer the questions in the Security Test Audit Report (STAR), available at the end of this manual or as its own document. The STAR gives the specific test information on the state of the scope, with the benefit of a clear statement of the security metrics and details for comparison with previous security tests or industry test averages. More details on the required information for the STAR are available throughout this manual and can be referenced as needed.

As you may see, taking this approach means that very little time is required in addition to a standard test and the formalization of the report. It has been reported that this methodology actually reduces testing and reporting time due to the efficiencies introduced into the process. There should be no time or financial reason to avoid using the OSSTMM, and no unreasonable restrictions are placed on the tester.

Upgrading from Older Versions

If you are familiar with the OSSTMM 2.x series then you will find that the methodology has completely changed. The new rav provides a factual attack surface metric that is much more accurate for measuring the susceptibility to attacks. There are many other changes and enhancements as well, but the primary focus has been to move away from solution-based testing, which assumes specific security solutions will be found in a scope and are required for security (like a firewall). Another change you may notice is that there is now a single security testing methodology for all channels: Human, Physical, Wireless, Telecommunications, and Data Networks.

The rav information from 2.x to 3.0 is incompatible. Those with early 3.0 draft ravs (prior to RC 12) will need to re-calculate the values using this final attack surface calculation, which is available as a spreadsheet calculator at http://www.isecom.org/ravs. Previous OSSTMM security metrics measured risk with degradation; this version does not. Instead, the focus now is on a metric for the attack surface (the exposure) of a target or scope. This allows for a factual metric that has no bias or opinion, as risk does. Our intention is to eventually eliminate the use of risk in areas of security which have no set price value of an asset (like with people, personal privacy, and even fluctuating markets) in favor of trust metrics, which are based completely on facts.

Much of the terminology has changed in this version to provide a professional definition of that which can actually be created or developed. This is most notable in the definitions for security and safety, which take more specific and concrete meanings for the operations within. Since so much has changed from previous versions, as this is a completely re-written methodology, we recommend you read through it once before using it. Further help is available at http://www.isecom.org. Courses to help you make thorough and proper security tests, systems, and processes are available through ISECOM and will help you get the most out of the OSSTMM.

Version Information

The current version of the Open Source Security Testing Methodology Manual (OSSTMM) is 3.02. This version of the OSSTMM ends the 2.x series. All OSSTMM versions prior to 3.0, including 3.0 release candidates (RC versions), are now obsolete. The original version was published on Monday, December 18, 2000. This current version is published on Tuesday, December 14, 2010.

About this Project

This project is maintained by the Institute for Security and Open Methodologies (ISECOM), developed in an open community, and subjected to peer and cross-disciplinary review. This project, like all ISECOM projects, is free from commercial and political influence. Financing for all ISECOM projects is provided through partnerships, subscriptions, certifications, licensing, and case-study-based research. ISECOM is a registered non-profit organization established in New York, USA and in Catalonia, Spain.

Local Support

Regional ISECOM offices may be available in your area for language and business support. Find the ISECOM Partner in your area at http://www.isecom.org/tp.

Community Support

Reader evaluation of this document, suggestions for improvements, and results of its application for further study are required for further development. Contact us at http://www.isecom.org to offer research support, review, and editing assistance.

Print Edition

The print edition of this manual is available for purchase at the ISECOM website.

Restrictions

Any information contained within this document may not be modified or sold without the express consent of ISECOM. Commercial selling of this document or the information within this document, including the methodology applied within a tool, software, or checklist, may NOT be provided without explicit permission from ISECOM. This research document is free to read, free to re-distribute non-commercially, free to quote or apply in academic or commercial research, and free to use or apply in the following commercial engagements: testing, education, consulting, and research. This manual is licensed to ISECOM under Creative Commons 3.0 Attribution-NonCommercial-NoDerivs and the Open Methodology License 3.0. The ISECOM logo is an official Trademark and may not be used or reproduced commercially without consent from ISECOM. The OSSTMM hummingbird graphic is copyright Marta Barceló Jordan, licensed to ISECOM, and may not be used or reproduced commercially without permission. As a collaborative, open project, the OSSTMM is not to be distributed by any means for which there is commercial gain, either by itself or as part of a collection.

As a standard, there may be only one official version of the OSSTMM at any time, and that version is not to be altered or forked in any way which will cause confusion as to the purpose of the original methodology. Therefore, no derivation of the OSSTMM is allowed. As a methodology, the OSSTMM is protected under the Open Methodology License 3.0, which applies the same protection as that granted to Trade Secrets. However, where a Trade Secret requires sufficient effort to retain a secret, the OML requires that the user make sufficient effort to be as transparent as possible about the application of the methodology. Therefore, use and application of the OSSTMM is considered as acceptance of the responsibility of the user to meet the requirements in the OML. There are no commercial restrictions on the use or application of the methodology within the OSSTMM. The OML is available at the end of this manual and at http://www.isecom.org/oml. Any and all licensing questions or requests should be directed to ISECOM.

Primary Developers

• ISECOM
  ◦ Marta Barceló, Director, ISECOM Board Member
  ◦ Pete Herzog, Director, OSSTMM Project Lead, ISECOM Board Member

Primary Contributors

The following people are listed alphabetically by company. Each has been a substantial influence on the development of this OSSTMM.

• @Mediaservice.net, Italy: Raoul Chiesa (ISECOM Board Member), Marco Ivaldi, Fabio Guasconi, Fabrizio Sensibile
• ISECOM, USA: Robert E. Lee (ISECOM Board Member)
• GCP Global, Mexico: Francisco Puente
• adMERITia GmbH, Germany: Heiko Rudolph (ISECOM Board Member), Aaron Brown
• KCT Data, Inc., USA: Kim Truett (ISECOM Board Member)
• La Salle URL, Spain: Jaume Abella (ISECOM Board Member)
• Bell Canada, Canada: Rick Mitchell
• Lab106 & Outpost24,
