Items Tagged with "OSSTMM"


Do Reverse Proxies Provide Real Security?

September 25, 2012

We used the OSSTMM 3 so we could measure the Attack Surface. Even though, measuring the Attack Surface with RAVs seems complicated at first, it is actually pretty straight-forward once you understand the concepts. The results of this research can be found in this paper...

Comments  (0)


What They Don't Teach You in "Thinking Like the Enemy" Classes

March 06, 2012 Added by:Pete Herzog

The enemy is not homogenous. Just like there is not just one foreign language, there is not one type of enemy. Among those enemy attackers, not all think alike. Even those joined together under a common mission or goal, there is often division in how to accomplish that goal...

Comments  (2)


Broken Trust Part 2: Applying the Approach to Dropbox

October 03, 2011 Added by:Enno Rey

After having introduced the basic elements of the concepts of trust, control and confidence in a previous post on the RSA breach, today I’ll try to strengthen your understanding of these ideas - and maybe even my own as well - by applying them to another candidate: Dropbox...

Comments  (2)


Do You Always Need to Install Software Updates?

September 12, 2011 Added by:Cor Rosielle

Whether it is necessary to install an available patch or not is an individual assessment for each company. To determine whether or not this is sensible, we can not blindly and without thinking install any available update. No, to determine that we must use use our brains. Ouch...

Comments  (5)


Auditing: Remote Access Security in 2011

August 15, 2011 Added by:Enno Rey

When the standards were written, endpoints were supposed to be mostly company managed Windows systems. In the meantime most organizations face an unmanaged mess composed of a growing number of smartphones and tablets, some company managed, while some are predominantly free floating...

Comments  (0)


The ABZs of Cybersecurity

July 09, 2011 Added by:Pete Herzog

The points made in this article reflect the research findings outlined in the OSSTMM 3: operational security controls, security and trust metrics, and the Moebius Defense security model where environmental protection precedes security awareness. You can find OSSTMM research at the ISECOM website...

Comments  (1)


Understanding Trust Audit Methodology

June 21, 2011 Added by:Cor Rosielle

Approaching operational trust intuitively is similar as solving security problems intuitively. Unfortunately most of what we understand about trust is based on experience, how it makes us feel. Therefore we are often not able to quantify the amount of trust...

Comments  (0)


Broken Trust Part 1: Reflections on RSA's SecurID

June 20, 2011 Added by:Enno Rey

If you have been wondering “why do my guts tell me we shouldn’t trust these guys anymore?” this post might serve as a contribution to answering this question in a structured way. Furthermore, the intent was to provide some introduction to the wonderful world of trust, control and confidence...

Comments  (0)


How to Pen Test Crazy

June 20, 2011 Added by:Pete Herzog

So who verifies security operations? Not the penetration tester. Not the ethical hacker. Not anymore. Sadly, unfortunately they've been marginalized to running scanners and eliminating false positives and negatives. They have been marginalized into near extinction...

Comments  (2)


The "Lots of Sex" Risk and Security Project

March 16, 2011 Added by:Pete Herzog

Routines make us predictable which, becomes our flaw. The problem with "patching" these flaws is that they are design features which are the product of being human. In addressing those flaws we will also ruin many of the good things about people which make them creative, social, and productive...

Comments  (8)


First Annual (Possibly Semi-Annual) OSSTMM Forum

March 02, 2011 Added by:Rod MacPherson

OSSTMM is very high level, and the thing that everyone seems to be in agreement on is the need for applied OSSTMM documents outlining how it can be applied to different realms, such as web applications, computer networks, system hardening, etc...

Comments  (4)


Getting Off the Patch

January 10, 2011 Added by:Pete Herzog

Patching is just one small part of the solution that includes Anti-virus, firewalls, intrusion detection systems, strong authentication, encryption, physical locks, disabling of scripting languages, reduced personal information on social networks,as part of a healthy lifestyle solution...

Comments  (13)


The OSSTMM - What I Like About It

December 17, 2010 Added by:Enno Rey

One can read the OSSTMM (at least) two ways: as a manual for performing security testing or as a “whole philosophy of approaching [information] security”. I did the latter and will comment on it in a two-part post, covering the things I liked first and taking a more critical perspective on some portions in the second. Here we go with the first, in an unordered manner:

Comments  (0)


Making Security Suck Less

December 15, 2010 Added by:Pete Herzog

And so it begins. Some important changes to the current security model necessary to actually improve security have been now made available to the public in the form of OSSTMM 3. Maybe this isn't "the" answer but it's a new road to take us off this rugged path and bring us much farther with much less troubles. If you've read it you'll know that taking on this new model will require big changes in h...

Comments  (21)


OSSTMMv3 is Released

December 15, 2010 Added by:Infosec Island Admin

How long have I waited for the version three of the Open Source Security Testing Methodology Manual to be released! You don’t even know what I am talking about? Then let me explain. The OSSTMM is a methodology for testing and measuring operational information security. The OSSTMM is developed by the Institute for Security and Open Methodologies - ISECOM, whose co-director is Pete Herzog. Pete’...

Comments  (0)


Security Benefit and Operational Impact or the "Illusion of Infinite Resources"

December 14, 2010 Added by:Enno Rey

When taking security decisions of whatever kind (e.g. for/against a certain control) one should always consider two main parameters: the security benefit of some action (“how much do we gain with regard to security/to risk reduction?”) and the operational impact or effort (“how much does it cost us opex-wise?”).

Comments  (0)

Page « < 1 - 2 - 3 > »