The New ISO Hacking Standard
New York, May 17, 2010 -- The world’s national standards bodies met again during April, this time in Malaka, Malaysia and they extended talks about the Open Source Security Testing Methodology Manual. This ultimate security guide, better known to security experts and hackers alike as the OSSTMM (spoken like “awesome” but with a “t”), is a formal methodology for breaking any security and attacking anything the most thorough way possible. So why is the International Standards Organization talking about it?
Some national standards organizations like ANSI in the USA and UNINFO in Italy have had their eye on the OSSTMM for years. Others, like DIN in Germany, were only recently shown the benefits of the OSSTMM but then supported it immediately. Released for free in January 2001 by Pete Herzog as the underdog to the security industry’s product-focused security advice, the manual achieved an instant cult following. The fact that OSSTMM is open to anyone for peer review and further research led to it growing from its initial 12 page release to its current size of 200. The international support community also grew to over 7000 members with dozens of research contributors dedicating their time to enhancing it. For testing security operations and devising tactics it has no equal. Its popularity and growth happened so fast that the non-profit organization ISECOM created the Open Methodology License (OML) asserting the OSSTMM as an open Trade Secret to assure it remained free, as in no price, as well as free from commercial and political influence. The OSSTMM seemed to have all the features of being the answer for securing the world except that it had never been formally recognized…until now.
With such fanatical devotion from experts and the underground, the OSSTMM soon gained the attention of governments from city to state to national which is how it eventually got to the ISO. ISO is the acronym of the International Standards Organization. Headquartered in Geneva, Switzerland, ISO is the collection of people who create manuals standardizing all sorts of things like paper sizes (ISO 216), what determines a water-resistant watch (ISO 2281), how to properly conduct quality management (ISO 9001), the C programming language (ISO 9899), shoe sizes (ISO 9407), or what defines proper information security (ISO 27001 and 27002). However they currently have nothing on operational security, the means of assuring security for processes and systems in action. The only way that can be done is by attacking it every way possible, pushing the impossible, and see why and how the security breaks. That’s exactly what the OSSTMM does.
During past ISO meetings, the Subcommittee 27, mostly known for its ISO/IEC 27000 family (Information Security Management System) and ISO/IEC 15408 (Common Criteria), already discussed the topic within different working groups (WG) with no clear outcome. Meanwhile, some ISECOM members, like Dr. Fabio Guasconi in Italy and Heiko Rudolph together with Aaron Brown in Germany, have become active participants in their respective ISO national bodies to help inform their ISO colleagues about the many benefits the OSSTMM could provide to various ISO standards. In Malaka, Dr. Guasconi, the national body representative of Italy’s UNINFO, made significant progress on this front when he held a complete presentation to WG4 and WG3, the latter one being devoted to security evaluation criteria. WG3 then eventually expressed a formal interest in carving deeper into the security testing methodology topic, issuing and approving a resolution for starting a study period of one year. The base of this study period, which is the first step towards a standardization path, would be constituted by the OSSTMM 3 and all security experts from national bodies will freely contribute and comment on it. By the end of the study period it will be determined how ISO will receive OSSTMM contents in its family of security standards. As outlined in Malaka’s presentation there are many standards that could benefit from a standard aligned with OSSTMM contents, such as 21827, 15408, 18045, 19790 and, of course, 27001. Parts of OSSTMM concepts have already been posted as comments within the project for ISO 27008, which is dedicated to technical audits on security controls. It looks like this hacker’s guide has really grown up.
The OSSTMM is currently in its third revision and still in Beta, therefore only available to team members, select reviewers, and federal government agencies that require it for drafting policy. This third version is a complete re-write of the methodology and has at its foundation the ever-elusive security and trust metrics. It required 6 years of research and development to produce the perfect operational security metric, an algorithm which computes the Attack Surface of anything. In essence, it is a numerical scale to show how unprotected and exposed something currently is. This number is the basis required for making a proper trust assessment, another feature of the OSSTMM 3 to do away with risk assessment in favor of a more factual metric using trust. Security professionals, military tacticians, and security researchers know that without knowing how exposed a target is, it’s just not possible to say how likely a threat will cause damage and how much. But to know this requires a thorough security test which happens to be exactly what the OSSTMM provides.
To say the OSSTMM 3 is a very thorough methodology is an understatement. It currently has 12 chapters covering proper attack procedures, rules of engagement, proper analysis, critical security thinking, and trust metrics. It provides 17 modules like Visibility Audit, Trust Verification, Property Validation, and Competitive Intelligence Scouting, each which describes multiple attacks (called Tasks), for 5 different interaction types with a target (called Channels) organized by technical knowledge and equipment requirements as Human, Physical, Telecommunications, Data Networks, and Wireless. An example attack task under the Wireless Channel for Trust Verification states, “Test and document the depth of requirements for access to wireless devices within the scope with the use of fraudulent credentials.” As if that wasn’t already deep, it even waxes security philosophy with things like, “Compliance requirements which enforce protection measures as a surrogate for responsibility are also a substitute for accountability,” and “Fear doesn’t motivate a person to find complacency any more than security motivates a person to find productivity.”
The OSSTMM may some day be officially recognized by national standards bodies. However until then, like an indie band with over 4 million downloads, the OSSTMM is not suffering from brand recognition. Still, to be an ISO standard is alluring to OSSTMM developers and fans alike. They know that to be there, they have proved that the OSSTMM 3 is needed, thorough, and important enough for leaders and policy makers to consider adopting.
If OSSTMM does become recognized by an international standards body, it would also help remove some of the vendor influence from current security laws where product focus often diminishes security and costs organizations more money. It would allow for the legal framework to focus on what is an acceptable attack surface rather than on which are accepted products. Based on the OSSTMM, government organizations could also determine which environmental controls are required for the infrastructure to prevent employees with a lack of security knowledge or focus from making bad security decisions as opposed to which brand of security awareness training will be need to be bought. It could also mean vendors would need to reach higher to surpass the bar set by the law instead of forcing the law to stoop down to what the vendor can provide.
People who want to support getting the OSSTMM 3 into the ISO family can contact ISECOM to help build up the best possible proposal and to support it through the November 2010 meeting in Berlin.