In this chapter, we will look at a number of different references with respect to a testing methodology. In Chapter 1, Introducing Penetration Testing, we discussed an abstract methodology, but in this chapter, we will look into it in more detail. This is because now that we have set our initial target range environment for design, we want to look at a systematic process for our testing practice. Without a methodology in place, we fall into what is categorized as an ad hoc testing group, and this is something a professional tester should avoid; furthermore, without a plan in place we cannot cover a number of possible situations that can occur, such as scope creep and underestimating the task at hand. We will discuss the following topics:
This chapter will provide us with multiple testing methodologies so that we can make an intelligent and informed choice when we select or build one of our own testing methodologies.
The Open Source System Testing Methodology Manual (OSSTMM) was first created in 2001 by the Institute for Security and Open Methodologies (ISECOM). Many researchers from around the world participated in its creation. The ISECOM is a non-profit organization that maintains offices in Barcelona and New York.
The premise of the OSSTMM is that of verification. The OSSTMM is a peer-reviewed manual that provides a professional testing methodology and guidance. Also, as it is developed by a multitude of sources, the manual has an international flavor.
The OSSTMM is in constant development; you can download the latest release from http://www.isecom.org/research/osstmm.html.
At the time of writing, the current version of the OSSTMM is version 3, but there is a draft version 4 in review. It is a good idea to download both versions and review the differences and changes that are being made in the updated version. An example of the download page is shown in the following screenshot:
As the previous screenshot shows, you have to be a part of the ISECOM Gold or Platinum team to download the draft version of the manual.
After you have downloaded the image, open the manual. We will look at some portions of the manual and more importantly, the testing methodology. The first thing you will note in the manual is the statement about what the manual provides. Part of this important statement is quoted here:
"This manual provides test cases that result in verified facts. These facts provide actionable information that can measurably improve your operational security. By using the OSSTMM you no longer have to rely on general best practices, anecdotal evidence, or superstitions because you will have verified information specific to your needs on which to base your security decisions."
As the statement says, this manual provides a methodology and solution that works for our testing challenges. For our purpose, we will not go through the entire manual. It is our intent to introduce some of the different methodologies that exist in this chapter, and then let you do your research and adopt one. Alternatively, you can follow the recommended approach, that is, create your own methodology based on the parts and components of these and other methodologies you have researched.
The main item that is used when it comes to deploying a security test that follows the OSSTMM is the Security Test Audit Report (STAR). A sample of this is located at the end of the OSSTMM. Before we look at the report, we will discuss the components that the OSSTMM focuses on. One of the main things that the OSSTMM wants to make clear is that it is not a hacking book; it is a professional testing methodology that depends on the following:
As you review the OSSTMM, you will see that the primary purpose of the methodology is to provide a framework for a penetration testing assignment. This framework provides us with a number of different methodologies for our testing purposes. In fact, the manual can be used to support any testing environment we may find ourselves participating in.
The manual also has a second purpose, according to its creators, and this is to provide guidelines to complete a certified OSSTMM audit. The OSSTMM audit focuses on the following components:
As expected, the manual focuses on this certification for the OSSTMM process. You are welcome to research this if it is something that you want to accomplish. For the purpose of the book, we will only look at a number of different components of the methodology. At a length of 213 pages, it can take some time to review all of the material contained within the methodology if you choose to do so. The main point from the list of the components, which we will discuss here, is the fact that the results are consistent and repeatable. This is what we want to achieve in our testing, that is, it should be a repeatable process and no matter which test we attempt, the systematic process remains the same.
The OSSTMM's focus on operational security is achieved by looking at the security across a number of channels, those being human, physical, wireless, telecommunications, and data networks that can be accessed across any vector.
Before we discuss the channels, we will look at the main points to take away from the OSSTMM process. As you may recall, the OSSTMM provides a measurement of operational security. As the manual states, this operational security is the concept of separation and controls. Moreover, for a threat to be effective, it has to interact with the asset that it is trying to attack.
When you look at this, what the OSSTMM is saying is that we can have 100 percent security if we can achieve total separation between the threat and the asset! While this is something that we would love to achieve, it is not something that is possible with the majority of the networks and services that we have today. Therefore, we apply controls to mitigate and reduce the risk from providing access that could be leveraged with a threat. The OSSTMM breaks operational security into the following elements:
The attack surface is the lack of specific separations and controls. The vector is the direction of the interaction with the weakness discovered on the target, and finally, pen test security is what balances security and controls with their operation and limitations. The manual goes on to define a complete terminology, but this is beyond the scope of what we want to cover here.
Rather than looking at the details for each of these channels, we will review the details of one of them, and that is the wireless channel. We will discuss the components of spectrum security and define it as the security classification of Electronic Security (ELSEC), Signal Security (SIGSEC), and Emanations Security (EMSEC), which are defined as follows in the OSSTMM manual (https://dl.packetstormsecurity.net/papers/general/OSSTMM.3.pdf):
When testing wireless devices, there are a number of factors to consider. One of the most important factors is the safety of the tester. There are various electromagnetic and microwave radiation sources that can cause harm to hearing and sight. Therefore, it might be required that the analyst wears protective equipment when in the range of any sources that are measured at -12dB and greater. Unfortunately, this is something that is often overlooked, but it is essential that the tester be protected within environments that could place them at risk. There are many potential dangers from close proximity to these types of sources. Consequently, for outside antennas, ensure that both the frequencies and the strength of the signals in the vicinity of the test site have been evaluated. A discussion of these protective measures is covered in great detail in the OSSTMM.
Now that the physical considerations have been briefly discussed, the next thing to discuss is The Posture Review.
The Posture Review is defined by the following components:
The next thing we have is Logistics; this is defined as the preparation of the channel environment to help us prevent false positives and negatives that can cause inaccurate results. There are three things we will consider for our wireless testing, and they are as follows:
We are now ready for the next step in the testing, which is active detection verification.
This is the process where we determine what controls are in place; again, this assists us in reducing the number of false positives in our testing. It is important to note here that as testers, we want to explain to our clients that the more information they can provide us, the more we can do with regard to the testing. We could research all of this information ourselves as part of the test, but having it up front gives us a deeper understanding of the environment at the start of the test. This affords us the luxury of concentrating more on the details of the weaknesses and less on the discovery process. There are two main things we want to review, and they are as follows:
As we review the methodology, we next encounter a Visibility Audit step. This is the process of enumeration and verification tests for personnel visibility.
The following explanations and definitions are from the OSSTMM; refer to http://www.isecom.org/research/osstmm.html for more information.
There are three areas we address according to the OSSTMM, and they are as follows:
The next thing we want to review is access verification. This is a test for the enumeration of access points to personnel within the scope. We examine the following:
We will next discuss trust verification; this step is the process of testing for the trust between personnel within the scope and access to information without the need for identification or authentication. This step of the testing refers to the following items:
Now that we have discussed the trust verification process, we will next look at the process of control verification. This consists of the following items:
Process verification is used to examine the maintenance of functional security awareness of personnel in established processes as defined in The Posture Review section. The components of this step are as follows:
Configuration verification is the step where we examine the ability to circumvent or disrupt functional security of assets. The items required for this step are the following:
Property validation examines the information and physical properties that may be illegal or unethical; this step consists of the following:
Segregation review is a test for appropriate separation of private and personal information from business information. The review consists of the following:
Exposure verification is the process of uncovering information that can lead to authenticated access, or that allows access to multiple locations using the same authentication. The requirements for this step are as follows:
The competitive intelligence scouting test is for scavenging property that can be analyzed as business intelligence; it is a type of marketing intelligence used to identify the competition for a business. The requirements for this consist of the following:
Quarantine verification is the determination and measurement of the effective use of quarantine as it pertains to access to and within the target. The requirements for this are as follows:
The privileges audit test will investigate where credentials are supplied to the user and whether permission is granted for testing with those credentials. The requirements for this are as follows:
Survivability validation is the process of determining and measuring the resilience of the target within the scope of attempts to cause service failure. The requirements are as follows:
Alert and log review is a gap analysis between the activities performed and the true depth of those activities as recorded by third-party methods. The requirements for this are as follows:
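To make the gap analysis concrete, here is an added example (not from the OSSTMM or this book) that reconciles a constructed record of tester activities against constructed third-party log lines and reports which activities were never recorded; the log format, the field names and the 60-second matching window are assumptions.

```python
# Added example: minimal alert-and-log gap analysis. Each activity the
# tester performed is matched against what a third-party source (here,
# constructed syslog-style lines) actually captured; unmatched activities
# are reported as detection gaps for the report.
from datetime import datetime, timedelta
import re

# Constructed record of what the tester did during the engagement.
PERFORMED = [
    {"time": "2024-03-01T10:00:00", "src": "10.0.0.5", "action": "port_scan"},
    {"time": "2024-03-01T10:05:00", "src": "10.0.0.5", "action": "login_attempt"},
    {"time": "2024-03-01T10:20:00", "src": "10.0.0.5", "action": "wifi_probe"},
]

# Constructed third-party log lines (for example, from the client's IDS/SIEM).
LOG_LINES = """\
2024-03-01T10:00:12 ids alert src=10.0.0.5 sig=port_scan
2024-03-01T10:04:40 auth fail src=10.0.0.5 sig=login_attempt
2024-03-01T11:30:00 ids alert src=192.0.2.9 sig=port_scan
"""

LOG_RE = re.compile(r"^(\S+) .* src=(\S+) sig=(\S+)$")

def parse_logs(text):
    """Parse log lines into (time, src, action) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return records

def gap_analysis(performed, logs, window_s=60):
    """Return (recorded, gaps): activities seen in the logs within the time
    window with matching source and action, and those never captured."""
    recorded, gaps = [], []
    for act in performed:
        t = datetime.fromisoformat(act["time"])
        hit = any(
            abs(lt - t) <= timedelta(seconds=window_s)
            and src == act["src"] and sig == act["action"]
            for lt, src, sig in logs
        )
        (recorded if hit else gaps).append(act)
    return recorded, gaps

if __name__ == "__main__":
    rec, gap = gap_analysis(PERFORMED, parse_logs(LOG_LINES))
    print(f"logged {len(rec)}/{len(PERFORMED)}; unrecorded: {[g['action'] for g in gap]}")
```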
This concludes the wireless testing section of the OSSTMM. As you can see, this is quite an in-depth reference and one that is thorough and well recognized in the industry. While the OSSTMM is an excellent reference, most of us will use its components and not all of the required processes. The last thing we will cover from the OSSTMM is the STAR. The purpose of the STAR is to provide an executive summary of the information that states the attack surface of the targets with respect to the testing scope. You can find out more about this in Chapter 13, Building a Complete Cyber Range.