Chapter 5.  Identifying a Methodology

In this chapter, we will look at a number of different references with respect to a testing methodology. In Chapter 1, Introducing Penetration Testing, we discussed an abstract methodology, but in this chapter, we will look into it in more detail. This is because now that we have set our initial target range environment for design, we want to look at a systematic process for our testing practice. Without a methodology in place, we fall into what is categorized as an ad hoc testing group, and this is something a professional tester should avoid; furthermore, without a plan in place we cannot cover a number of possible situations that can occur, such as scope creep and underestimating the task at hand. We will discuss the following topics:

  • Open Source System Testing Methodology Manual (OSSTMM)
  • CHECK
  • NIST SP-800-115
  • Offensive security
  • Other methodologies
  • Customization

This chapter will provide us with multiple testing methodologies so that we can make an intelligent and informed choice when we select or build one of our own testing methodologies.

The OSSTMM

The Open Source System Testing Methodology Manual (OSSTMM) was first created in 2001 by the Institute for Security and Open Methodologies (ISECOM). Many researchers from around the world participated in its creation. The ISECOM is a non-profit organization that maintains offices in Barcelona and New York.

The premise of the OSSTMM is that of verification. The OSSTMM is a peer-reviewed manual that provides a professional testing methodology and guidance. Also, as it is developed by a multitude of sources, the manual has an international flavor.

The OSSTMM is in constant development; you can download the latest release from http://www.isecom.org/research/osstmm.html.

At the time of writing, the current version of the OSSTMM is version 3, but there is a draft version 4 in review. It is a good idea to download both versions and review the differences and changes that are being made in the updated version. An example of the download page is shown in the following screenshot:

[Screenshot: The OSSTMM download page]

As the previous screenshot shows, you have to be a part of the ISECOM Gold or Platinum team to download the draft version of the manual.

After you have downloaded the manual, open it. We will look at some portions of it and, more importantly, the testing methodology. The first thing you will notice in the manual is the statement about what it provides. Part of this important statement is quoted here:

"This manual provides test cases that result in verified facts. These facts provide actionable information that can measurably improve your operational security. By using the OSSTMM you no longer have to rely on general best practices, anecdotal evidence, or superstitions because you will have verified information specific to your needs on which to base your security decisions."

As the statement says, this manual provides a methodology and solution that works for our testing challenges. For our purpose, we will not go through the entire manual. It is our intent to introduce some of the different methodologies that exist in this chapter, and then let you do your research and adopt one. Alternatively, you can follow the recommended approach, that is, create your own methodology based on the parts and components of these and other methodologies you have researched.

The main item that is used when it comes to deploying a security test that follows the OSSTMM is the Security Test Audit Report (STAR). A sample of this is located at the end of the OSSTMM. Before we look at the report, we will discuss the components that the OSSTMM focuses on. One of the main things that the OSSTMM wants to make clear is that it is not a hacking book; it is a professional testing methodology that depends on the following:

  • Types of targets that you want to test
  • How you are going to test them
  • The types of controls discovered

As you review the OSSTMM, you will see that the primary purpose of the methodology is to provide a framework for a penetration testing assignment. This framework provides us with a number of different methodologies for our testing purposes. In fact, the manual can be used to support any testing environment we may find ourselves participating in.

The manual also has a second purpose, according to its creators, and this is to provide guidelines to complete a certified OSSTMM audit. The OSSTMM audit focuses on the following components:

  • The test was conducted thoroughly
  • The test included all the necessary channels
  • The posture for the test complied with law
  • The results are measurable in a quantifiable way
  • The results are consistent and repeatable
  • The results contain only facts derived from the tests

As expected, the manual focuses on this certification for the OSSTMM process. You are welcome to research this if it is something that you want to accomplish. For the purpose of the book, we will only look at a number of different components of the methodology. At a length of 213 pages, it can take some time to review all of the material contained within the methodology if you choose to do so. The main point from the list of the components, which we will discuss here, is the fact that the results are consistent and repeatable. This is what we want to achieve in our testing, that is, it should be a repeatable process and no matter which test we attempt, the systematic process remains the same.

The OSSTMM's focus on operational security is achieved by looking at the security across a number of channels, those being human, physical, wireless, telecommunications, and data networks that can be accessed across any vector.

Before we discuss the channels, we will look at the main points to take away from the OSSTMM process. As you may recall, the OSSTMM provides a measurement of operational security. As the manual states, this operational security is the concept of separation and controls. Moreover, for a threat to be effective, it has to interact with the asset that it is trying to attack.

When you look at this, what the OSSTMM is saying is that we can have 100 percent security if we can achieve total separation between the threat and the asset! While this is something that we would love to achieve, it is not possible with the majority of the networks and services that we have today. Therefore, we apply controls to mitigate and reduce the risk that comes from providing access a threat could leverage. The OSSTMM breaks operational security into the following elements:

  • Attack surface
  • Vector
  • Pen test security

The attack surface is the lack of specific separations and controls. The vector is the direction of the interaction with the weakness discovered on the target. Finally, pen test security balances security and controls with their operation and limitations. The manual goes on to define a complete terminology, but this is beyond the scope of what we want to cover here.

Rather than looking at the details for each of these channels, we will review the details of one of them, and that is the wireless channel. We will discuss the components of spectrum security and define it as the security classification of Electronic Security (ELSEC), Signal Security (SIGSEC), and Emanations Security (EMSEC), which are defined as follows in the OSSTMM manual (https://dl.packetstormsecurity.net/papers/general/OSSTMM.3.pdf):

  • ELSEC: Taking into account the possibility of electromagnetic sources
  • SIGSEC: This section will cover the challenges of a medium of air that can be, and often is, flooded or jammed
  • EMSEC: This deals with the electromagnetic emanations that can be leaked from wireless devices

When testing wireless devices, there are a number of factors to consider. One of the most important factors is the safety of the tester. There are various electromagnetic and microwave radiation sources that can cause harm to hearing and sight. Therefore, it might be required that the analyst wears protective equipment when in the range of any sources that are measured at -12dB and greater. Unfortunately, this is something that is often overlooked, but it is essential that the tester be protected within environments that could place them at risk. There are many potential dangers from close proximity to these types of sources. Consequently, before working with outside antennas, ensure that both the frequencies and the strength of the signals in the vicinity of the test site have been evaluated. These protective measures are covered in great detail in the OSSTMM.

Now that the physical considerations have been briefly discussed, the next thing to discuss is the Posture Review.

The Posture Review

The Posture Review is defined by the following components:

  • Policy: Review and document the policies, contracts, and Service Level Agreements (SLAs)
  • Legislation: Review and document the legislation for national and industry regulations
  • Culture: Review and document the organizational security culture
  • Age: Review and document the age of the systems, software, and required services
  • Fragile artifacts: Review and document system, software, and services that require special handling

Logistics

The next thing we have is Logistics; this is defined as the preparation of the channel environment to help us prevent false positives and negatives that can cause inaccurate results. There are three things we will consider for our wireless testing, and they are as follows:

  • Communication equipment: We want to ensure any emissions from all sources are charted prior to and during the testing. For reference, the attack on this is known as Van Eck phreaking. For a succinct explanation of this, refer to http://www.techopedia.com/definition/16167/van-eck-phreaking.
  • Communications: This tests which protocols are being used throughout the transmission medium.
  • Time: This is the time frame to carry out the testing. For example, whether we are allowed to test 24 hours a day or only within specific time frames.

We are now ready for the next step in the testing, which is active detection verification.

Active detection verification

This is the process where we determine what controls are in place; again, this assists us in reducing the number of false positives in our testing. It is important to note here that as testers, we want to explain to our clients that the more information they can provide us, the more we can do with regard to the testing. We could research all of the information ourselves as part of the test, but having it from the client gives us a deeper understanding of the environment at the start of the test. This affords us the luxury of concentrating more on the details of the weaknesses and less on the discovery process. There are two main things we want to review, and they are as follows:

  • Channel monitoring: This looks at the controls that are in place for intrusion monitoring and signal tampering
  • Channel moderating: This determines whether the controls that provide a potential block or jam of signals are in place and looks for unauthorized activities

Visibility Audit

As we review the methodology, we next encounter a Visibility Audit step. This is the process of enumeration and verification tests for personnel visibility.

Tip

The following explanations and definitions are from the OSSTMM; refer to http://www.isecom.org/research/osstmm.html for more information.

There are three areas we address according to the OSSTMM, and they are as follows:

  • Interception: Locate the access control and perimeter security and the ability to intercept or interfere with the wireless channels
  • Passive signal detection: Determine the frequencies and signals that can leak in or out of the tested area using a number of different antennas
  • Active signal detection: Examine the source trigger responses, such as Radio Frequency Identification (RFID), within the target area

Access verification

The next thing we want to review is access verification. This is a test for the enumeration of access points to personnel within the scope. We examine the following:

  • Evaluate administrative access to wireless devices: Determine if access points are turned off when not in use
  • Evaluate device configuration: Test and document, using antenna analysis, that the wireless devices are set to the lowest possible power setting to maintain sufficient operation that will keep transmissions within a defined boundary
  • Evaluate configuration, authentication, and encryption of wireless networks: Verify that the access point Service Set Identifier (SSID) has been changed from the default and the administration interface is not set with the default password
  • Authentication: Enumerate and test for inadequacies in authentication and authorization methods
  • Access control: Evaluate access controls, perimeter security, and ability to intercept or interfere with communications
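The access verification items above (administrative access, power setting, default SSID and default administration password) can be turned into a repeatable check rather than a one-off reading of each device. The following is an added example, not code from the book or from the OSSTMM; the AccessPoint record layout, the vendor-default SSID markers, and the default-password list are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AccessPoint:
    """Assumed inventory record for one wireless access point (constructed format)."""
    name: str
    ssid: str
    admin_password: str
    tx_power_dbm: int               # configured transmit power
    max_allowed_dbm: int            # boundary agreed in the posture review / logistics
    powered_on_out_of_hours: bool   # still transmitting outside the agreed operating window
    findings: List[str] = field(default_factory=list)


# Constructed placeholder lists; a real audit would load vendor default data.
DEFAULT_SSID_MARKERS = ("default", "linksys", "netgear", "dlink", "tp-link")
DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}


def audit_access_point(ap: AccessPoint) -> List[str]:
    """Apply the four access verification checks to one AP and return its findings."""
    findings: List[str] = []
    # Evaluate administrative access: APs should be turned off when not in use
    if ap.powered_on_out_of_hours:
        findings.append("AP remains powered on outside the agreed operating window")
    # Evaluate device configuration: lowest power that keeps coverage inside the boundary
    if ap.tx_power_dbm > ap.max_allowed_dbm:
        findings.append(
            f"transmit power {ap.tx_power_dbm} dBm exceeds boundary {ap.max_allowed_dbm} dBm"
        )
    # Evaluate configuration: SSID changed from the vendor default
    if any(marker in ap.ssid.lower() for marker in DEFAULT_SSID_MARKERS):
        findings.append(f"SSID '{ap.ssid}' looks like a vendor default")
    # Evaluate configuration: administration interface not using a default password
    if ap.admin_password.lower() in DEFAULT_PASSWORDS:
        findings.append("administration interface uses a default or empty password")
    ap.findings = findings
    return findings


def audit_inventory(aps: List[AccessPoint]) -> Dict[str, List[str]]:
    """Run the checks over a whole inventory, keyed by AP name, so the test is repeatable."""
    return {ap.name: audit_access_point(ap) for ap in aps}


def sample_inventory() -> List[AccessPoint]:
    """Constructed sample: one compliant AP and one with every finding."""
    return [
        AccessPoint("lobby-ap", "Corp-Guest", "Xq7!long-passphrase", 10, 15, False),
        AccessPoint("warehouse-ap", "NETGEAR42", "admin", 20, 15, True),
    ]


if __name__ == "__main__":
    for name, findings in audit_inventory(sample_inventory()).items():
        print(name, "->", findings or ["no findings"])
```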

Trust verification

We will next discuss trust verification; this step is the process of testing for the trust between personnel within the scope and access to information without the need for identification or authentication. This step of the testing refers to the following items:

  • Misrepresentation: Test and document the authentication method of the clients
  • Fraud: Test and document the number of requirements to access wireless devices with fraudulent credentials
  • Resource abuse: Test and document the number of requirements to send data outside of a known and trusted source without any established credentials
  • Blind trust: Test and document connections to a false or compromised receiver

Control verification

Now that we have discussed the trust verification process, we will next look at the process of control verification. This consists of the following items:

  • Non-repudiation: Enumerate and test to properly identify and log the access or interactions to specific properties as a challenge
  • Confidentiality: Enumerate and test the use of the dampening equipment to reduce the transmission of electromagnetic signals as well as the controls in place for the protection of wireless transmissions
  • Privacy: Determine the level of physical access controls in place to protect devices
  • Integrity: Determine that data can only be accessed or modified by authorized users and ensure that adequate encryption is in place

Process verification

Process verification is used to examine the maintenance of functional security awareness of personnel in established processes as defined in The Posture Review section. The components of this step are as follows:

  • Baseline: Examine and document the baseline configuration to ensure the security stance is in line with the security policy
  • Proper shielding: Examine and determine that proper shielding is in place to block wireless signals
  • Due diligence: Map and verify the gaps between practice and requirements
  • Indemnification: Document and enumerate that targets and services are insured for theft or damages

Configuration verification

Configuration verification is the step where we examine the ability to circumvent or disrupt functional security of assets. The items required for this step are the following:

  • Common configuration errors: Perform brute force attacks against access points to determine the strength of passwords. Verify whether the passwords used are complex and consist of a number of different character types.
  • Configuration controls: Examine controls and validate configuration according to the security policy.
  • Evaluate and test wiring and emissions: Verify that all wiring feeds in and out of shielded facilities.

Property validation

Property validation examines the information and physical properties that may be illegal or unethical; this step consists of the following:

  • Sharing: Verify the extent to which property is shared between personnel, be it intentionally or unintentionally through mismanagement of licenses, resources, or negligence
  • Rogue wireless transceivers: Perform a complete inventory of all devices and verify that an organization has an adequate security policy that addresses the use of wireless technology

Segregation review

Segregation review is a test for appropriate separation of private and personal information from business information. The review consists of the following:

  • Privacy containment mapping: Map private information such as what, how, and where information is stored and over which channels it is communicated
  • Disclosure: Examine and document the types of disclosure of private information
  • Limitations: Examine and document the gateways and alternative channels to people with physical limitations with respect to that channel

Exposure verification

Exposure verification is the process of uncovering information that can lead to authenticated access, or that allows access to multiple locations using the same authentication. The requirements for this step are as follows:

  • Exposure mapping: Enumerate and map personnel information regarding the organization as well as any information that is implicitly stored and classified as sensitive
  • Profiling: Examine and verify using a variety of antennas if wireless signals with device information are extending beyond the required boundaries

Competitive intelligence scouting

The competitive intelligence scouting test is for the scavenging property that can be analyzed as business intelligence; it is a type of marketing field used to identify the competition for a business. The requirements for this consist of the following:

  • Business Grinding: Map targets from within the scope by analyzing the passive and active emanations as well as what, how, and where the information is stored and communicated
  • Business Environment: Explore and document business details to include the alliances, partners, major customers, vendors, and distributors
  • Organizational Environment: Examine and document the disclosures of business property on the operations process

Quarantine verification

Quarantine verification is the determination and measurement of the effective use of quarantine as it pertains to access to and within the target. The requirements for this are as follows:

  • Containment process identification: Identify and examine quarantine methods and processes at the target in all channels for aggressive contacts
  • Containment levels: Verify the state of containment to include the length of time and all channels where interactions have quarantine methods

Privileges audit

The privileges audit test will investigate where credentials are supplied to the user and whether permission is granted for testing with those credentials. The requirements for this are as follows:

  • Identification: Examine and document the process to obtain identification through both legitimate and fraudulent means
  • Authorization: Verify the use of fraudulent authorization to gain privileges
  • Escalation: Verify and map the access to information through the privileges of a normal user and attempt to gain higher privileges
  • Subjugation: Enumerate and test for inadequacies from all channels it uses or from where it enables controls

Survivability validation

Survivability validation is the process of determining and measuring the resilience of the target within the scope of attempts to cause service failure. The requirements are as follows:

  • Continuity: Enumerate and test for access delays and service response times
  • Resilience: Map and document the process of disconnecting channels from a security breach

Alert and log review

Alert and log review is a gap analysis between the performed activities to include the true depth of these activities as recorded from third-party methods. The requirements for this are as follows:

  • Alarm: Verify and enumerate the warning systems
  • Storage and retrieval: Document and verify unprivileged access to alarm, log, and storage locations

This concludes the wireless testing section of the OSSTMM. As you can see, this is quite an in-depth reference and one that is thorough and well recognized in the industry. While the OSSTMM is an excellent reference, most of us will use its components and not all of the required processes. The last thing we will cover from the OSSTMM is the STAR. The purpose of the STAR is to provide an executive summary of the information that states the attack surface of the targets with respect to the testing scope. You can find out more about this in Chapter 13, Building a Complete Cyber Range.
