The Möbius Defense, the end of Defense in Depth Posted by boss on Thursday, 18 June 2009 @ 15:59:29 EDT (1031 reads) Topic OSSTMM
cdupuis writes "Hi,
Our new partner in the Netherlands, Lab106 (aka Outpost24), invited me out to present some of our research at the Amsterdam Black Hats event. I focused the main presentation on Anti-Guerrilla Warfare tactics, why defense in depth doesn't work, and the new Möbius Defense, along with graphics of the NEW attack visualization technology we are now using. The presentation is now available here, but unfortunately there is no video of me giving the talk, which might be more enlightening. However, I did do a radio/podcast interview with the company Madison Ghurka, who runs the event there, so as soon as that's available you can hear me defend it.
http://www.isecom.org/events/The_Mobius_Defense.pdf
Sincerely,
-pete.
--
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org "
OSSTMM V3.0 Introduction Video Posted by boss on Thursday, 28 February 2008 @ 09:48:38 EST (3973 reads) Topic OSSTMM
cdupuis writes "NOTE FROM CLEMENT: This is one video that you have to watch. Pete is presenting his latest version of the OSSTMM and, as usual, he's presenting a clear view of what people perceive security is, but the truth is sometimes surprising. Do watch the video and I am sure you will learn a lot; it might even change the way you look at security in the future. Here is the announcement:
Hi,
A video walk-through and explanation of the new security testing methodology, OSSTMM 3, which I did recently has been created by Dreamlab (www.dreamlab.net).
The video covers a walk-through of the most important factors of OSSTMM 3 and a little bit about aluminum foil hats. So if you are interested in the new methodology, completely re-written and re-structured from the ground up, check out the video.
The full OSSTMM 3 will still be released publicly and for free as soon as we can get it out but all development has completed for this version and only editing of the document is left. We hope to make this the easiest and most beneficial OSSTMM to use for everyone. We want a manual professionals can use but also to give to their clients as something very readable and informative.
You can see the video and download the presentation, "The Vision of the OSSTMM", at:
http://www.dreamlab.net/news/review-osstmm-evening-talk-with-pete-herzog
Or the following links:
For all that missed out on the event Dreamlab provides you with the keynote slides and video as well as further downloadable information concerning the new RAV:
Keynote Video: Flash (low) / MPEG4 (medium)
OSSTMM 3.0 Security Test Audit Report (STAR): Excel / OpenOffice
OSSTMM 3.0 RAV Calculation Sheet: Excel / OpenOffice
Also, ISECOM is looking for training partners and trainers.
Anyone interested in being a training partner should contact us because we have the next Train the Trainer class coming up March 31st - April 2nd in Barcelona where it's sunny and warm ;)
Trainers are taught the newest ISECOM research and even the terrible truth about security (you can see the video for details about that).
Let us know if you have any questions.
Sincerely,
-pete.
--
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org "
The OSSTMM 2.2 has been released Posted by boss on Monday, 18 December 2006 @ 21:49:56 EST (1212 reads) Topic OSSTMM
Anonymous writes "NOTE FROM CLEMENT: An unexpected gift came in from ISECOM: Version 2.2 of the OSSTMM has been released. This new version has been greatly expanded and is a prelude to Version 3.0, which is soon to be released.
HERE IS THE ANNOUNCEMENT:
The OSSTMM 2.2 (Open Source Security Testing Methodology Manual) is the latest release for auditors, penetration testers, ethical hackers, and the like.
With OSSTMM 3.0 still in peer review and undergoing many edits for clarity, ISECOM decided to update the current 2.11 with the reviewed research to make immediate and necessary improvements to the current security testing standard.
The improvements are based on new research like Error Types committed during tests and Test Types, which break down black box, white box, and gray box tests into 6 categories.
The biggest addition however is the security metrics which allow for a realistic calculation of security operations. The manual is also much cleaner to make it more presentable for those who like to present it to their executive management or even their customers.
Get your copy at: http://www.isecom.org/osstmm/ (look at the bottom of page) "
Patching is Flawed Posted by boss on Tuesday, 30 May 2006 @ 07:47:07 EDT (1362 reads) Topic OSSTMM
NOTE FROM CLEMENT: Here is an extract from the ISECOM mailing list (see info at the bottom of this message). My friend Pete Herzog discusses the process of patching and some of the misconceptions attached to it. I invite you to read the great article from Mary Ann at the URL below as well. Patching is just another item in the recipe and not the ONE item that makes your system secure.
http://news.com.com/Oracle+exec+hits+out+at+patch+mentality/2100-7355_3-6077349.html?tag=nl
HERE ARE PETE'S COMMENTS:
Mary Ann is a person that I have crossed paths with a few times at 2 degrees of separation. We have talked on the phone once but I can't really remember much of the conversation. I just know she was interested in collaborating with ISECOM. Anyway, she had a talk regarding patching. You can read about it there. And yes, it's exactly what we've been saying for years. Patching does not work! It's something you do to enhance security, not be security. Think of it like enhancing functionality or speed of a product. A patch should improve something, but the underlying effectiveness of security should be there already. And if it works, don't fix it! This is another misconception: that patches MUST be installed in a timely manner. Not true! There are many other controls that can be taken and should be taken above patching for the sake of confidentiality, availability, trust, and integrity (CATI). (Yes, the joke is that we are better off if only we can assure the "CATIness" of a process.) Since we can't expect the software we buy to be functionally secure from the get go, we need to address it as if it will never be. Once we do that, we can ignore patching altogether except when it provides enhancements that improve efficiency or save money.
-pete.
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
ISESTORM 2006 is just around the corner -- See you there Posted by boss on Wednesday, 08 March 2006 @ 08:18:11 EST (1127 reads) Topic OSSTMM
cdupuis writes "Hi,
Well, ISESTORM is just around the corner! April 1-8!
If you have time for sec training then this is the one to hit! It's a little different than what you're used to seeing because this is about applying the knowledge that these security certifications promote. Knowing how to apply knowledge is a sharp business weapon that nobody can take from you. ISESTORM is probably the best money you can spend on security training. It's OPSA, OPST, BS7799/ISO27001, and CISSP interwoven with industry speakers and other security regulations and methodologies like ISM3, HIPAA, SOX, and more.
See details at: http://www.isestorm.org
Other events:
I will be in London doing the keynote at the International Conference on Global e-Security, 20-22 April 2006. I will also most likely be joining our training partner, IRM PLC for a seminar thereafter. I'd be happy to see any of you while there so please talk to either organization about the details.
No word back yet from Linuxtag but I will hopefully be speaking there on the start of May on our new Open Trusted Computing project as part of the OpenTC consortium.
We are looking to host some Hacker Highschool seminars and meetings in the Oregon area as a preliminary. I'd like to know if there are any teachers interested in working out the details to get this going in their schools as a way of working together through the red tape. It's so important that students get science skills that foster creativity, critical thinking, skepticism, and attention to details not to mention learning to protect themselves online. That's why we want to work with some teachers to learn from them as to what works best to help you get this into the classrooms. If you know any Oregon teachers or can reach some please forward them this mail.
Sincerely,
-pete.
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
http://www.isestorm.org
"
Beat the Feb 15th deadline - Register for ISESTORM now Posted by boss on Monday, 30 January 2006 @ 12:27:11 EST (1246 reads) Topic OSSTMM
cdupuis writes "Hi,
Anyone interested in the very unique and very powerful security training at ISESTORM will want to sign up before Feb. 15th. and enter to win either the Shon Harris CISSP® Solution - worth $1200US or the Shon Harris' CISSP® Video Seminar - worth $600US to enhance their learning from the event.
Shon has been great about donating these two solutions for us to give away. As you may know, Shon is an icon in the field of security and very well known for her CISSP preparation guides and training.
Regardless of which areas of security you are already certified in, the global application of knowledge from the CISSP CBK, BS 7799 / ISO 27001 Lead Auditor, and the OPSA/OPST level of knowledge from the OSSTMM within a small time footprint is a big opportunity that happens only once per year.
ISESTORM attendees are international and come from government, banking, defense, large corporations, independent consultants, and small business owners. They come from many fields, like auditors, analysts, developers, and CIOs. They are extremely happy with their attendance.
And most of all, you'll be taking part of the ISECOM experience!
http://www.isestorm.org
Register today or at least before the 15th! You will not regret it!
Sincerely, -pete. "
ISESTORM 2006 a must attend security conference Posted by boss on Wednesday, 04 January 2006 @ 19:23:41 EST (1208 reads) Topic OSSTMM
Anonymous writes "NOTE FROM CLEMENT:
Isestorm is a conference you do not want to miss. It is organized by ISECOM, the organization that maintains and produces the OSSTMM and other leading security efforts to help the community.
It is always a fantastic training event where you can get world class training while networking with other security professionals. I will be taking part again this year and will deliver the whole CISSP training. I sincerely hope to see you there. It is the best value you can get for your money and Barcelona is a great city to visit as well :-).
Do visit http://www.isecom.org/isestorm/ for all the details.
APRIL 1 TO 8, 2006 - BARCELONA
The third ISESTORM training will be held in Barcelona at La Salle-URL University. ISESTORM is the premium security training lab for ISECOM.
- 6 days of global, concentrated, and thorough security training,
- 3 industry certification exams plus preparation training for the CISSP:
  - OPSA
  - BS 7799/ ISO 27000 – Auditor
  - OPST
- Industry-respected trainers and speakers with subject matter expertise to present practical knowledge and real-world experiences,
- A perfect learning environment in a modern, spacious class room in the university's new building,
- All-inclusive: breakfast, a healthy and complete lunch, and a full-day of in-between-meal snacks and beverages.
- All attendees will receive a study package with various books and materials to complement the course.
- Register before February 15th and enter the drawing where one lucky person will win The Shon Harris CISSP® Solution and the runner up will win the Shon Harris' CISSP® Video Seminar sponsored by Logical Security.
Within those 6 days you will work interactively among other professionals to learn and practice for the CISSP exam, the OPSA exam, and the BS 7799/ ISO 27000 – Auditor exam. You may even find time to enjoy the beautiful city of Barcelona, an international, cultural center point for Europe. The CISSP exam is NOT offered at the conference; students can take the exam on their own at their preferred location.
"
New Methodology on Compromise Detection being developed Posted by boss on Tuesday, 13 September 2005 @ 22:58:08 EDT (1421 reads) Topic OSSTMM
Hi,
We have just begun a new project - the Open Methodology for Compromise Detection - and we're looking for volunteers to help.
Joanna Rutkowska will be managing the project which focuses on a methodology for uncovering malware and rootkits on Windows systems to set a standard both for those who need to investigate and clean systems as well as developers creating tools to assist or automate this process.
Check out more about the project and the outline at http://www.isecom.org/projects/omcd.shtml. Then volunteers can contact us at omcd[at]isecom.org to get involved in addressing this.
Those interested in covering other OSes, let us know.
Sincerely,
-pete.
--
The OSSTMM 3.0 FROM ISECOM Posted by cdupuis on Saturday, 30 July 2005 @ 00:00:00 EDT (1550 reads) Topic OSSTMM
Hi,
Well, the work has been going into 3.0 and I wanted to let you know the status with this mini-FAQ:
1. Why is the OSSTMM 3.0 taking so long?
In a word: research. Every little thing needs to be researched and verified. The introduction of the metrics to 3.0 meant a complete re-write of the manual. Now the metrics are stable and operational but for every change previously, it had ripple effects through the entire manual. Mix that in with multiple new legislations, technologies, and the improved techniques we improve in ISECOM labs and you have a LOT of work. We will change the submission and editing process for sure with the next version as this has been too much work for our team to maintain.
2. Will OSSTMM 3.0 be really that much better/different than the publicly available 2.1?
Yes. But a very big Yes. The metrics alone make a huge difference.
RAVs have been completely re-developed so they make sense and work correctly and without bias. The biggest improvements will mean consistent operations monitoring for compliance and gap analysis as well as the ability to pre-determine security changes with the introduction of new people, servers, services, to the scope for everything from making sure you're putting in the right security solution to justifying costs.
3. Why are current OPST and OPSA trainings labeled as OSSTMM 3.0?
We update the training materials and the trainers to be prepared for OSSTMM 3.0 as we make significant updates towards new releases. The 3.0 release has been fundamentally researched and verified for nearly a year and those fundamentals become course material and techniques. Regular re-trainings are held for trainers in Barcelona so, for example, attending the July 25th OPSA at Las Vegas at Blackhat or the Aug. 1st OPST in the UK will have the latest OSSTMM info available (3.0 RC 6). If you haven't had a chance to take either the OPST or OPSA, learn why and how a structured test methodology can improve your efficiency and effectiveness as a tester, analyst, and organization. See http://www.isecom.org/schedule.shtml for more info.
4. Where can I get more info on 3.0?
This list of course, the ISECOM Discussion list, either the OPST or OPSA classes and any of our OSSTMM trainers or by subscribing to the gold and silver teams. I hate to get all PBS on you people but it's resources that keep these projects like the OSSTMM going and the classes you take, the certifications, the subscriptions, all help to keep this an open, independent non-profit. We will remain open and never have our projects sponsored by government or commercial entities. Free public access to our projects and if you include the service# that's getting a lot for your money.
5. When will 3.0 be released?
I know we have estimated this wrong often but I am shooting for this month. You can help us get there.
Sincerely,
-pete.
Pete Herzog - Managing Director - pete@isecom.org ISECOM - Institute for Security and Open Methodologies www.isecom.org - www.osstmm.org www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority.
OPSA training for the FBI and government folks Posted by cdupuis on Tuesday, 05 July 2005 @ 20:45:40 EDT (1118 reads) Topic OSSTMM
Free OPSA training for US Government employee Posted by cdupuis on Wednesday, 22 June 2005 @ 12:09:56 EDT (1110 reads) Topic OSSTMM
NOTE FROM CLEMENT: This class was filled within a few hours of being announced. Hopefully this type of FREE event will repeat itself in the future.
Hi,
OPSA Training - Washington D.C., June 29-30
Hosted on site, so must be a government employee or contractor and must have security clearance to attend. And it's free.
In light of the problems that various U.S. Government departments are having with security, an OSSTMM Professional Security Analyst in-depth training class has been sponsored for government employees and contractors for next week. It is the same intensive OPSA held at Blackhat Las Vegas, held by the same training instructors, and just as heavy on the info.
It's an eye-opener for anyone working in the IT field. And it's free. Registration ends this Friday. The OPSA exam will be offered at the end of the class for those who choose to take it (at standard price).
Seating is VERY limited. Please contact info'at'isecom.org for registration details.
Sincerely, -pete.
--
Pete Herzog - Managing Director - pete'at'isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority.
Hacker High School Posted by cdupuis on Friday, 08 April 2005 @ 12:12:46 EDT (950 reads) Topic OSSTMM
NOTE FROM CLEMENT: A great article today on BBC about the ISECOM hacker high school program. The program is really great for kids: they get to satisfy some of their learning thirst about the whole world of the hacker scene, and they learn within a controlled environment how these attacks are allowed to take place so they can better protect themselves and their parents' computer, and realize that it is NOT fun for anyone to be hacked and it is against the law to abuse other people's computer resources.
Hacker High April 7th 2005
The conventional approach to fighting hacking is for authorities to ban it and punish anything that looks, sounds or smells like it. But forbidden fruits are often the most tempting, and measures designed to halt the hacker's hand can often seem to hackers themselves like a sporting challenge. David Reid reports from the Spanish city of Barcelona, where the battle against hacking has taken a liberal turn.
Barcelona is home to an innovative new project designed to combat hacking. The same department at the University of La Salle that churns out some of the best of Barcelona's designers is also home to the Hacker's High School.
The scheme is not the devil's workshop it might sound but, say its organisers, aims to tackle a modern day taboo. Likening current attitudes to hacking to old repressed notions of sex, they say many are doing it but few are talking about it.
Pete Herzog, Managing Director ISECOM: "If you go back fifty years ago what was sex education? Sex education was 'sex is out there, don't do it, you'll get diseases'.
We have the same situation now. We can't really tell you what hacking is. You'll get worms in your Email box all the time. Somebody will probably put trojans on your computer. Something will happen. You'll see it, but everyone who is doing this is doing it illegally, they're bad.
We can't really tell you what it is. We can't define it, but if you do it you'll go to jail. "
The programme was set up by ISECOM, The Institute for Security and Open Methodologies, a non-profit computer security outfit that wants to make students streetwise to the hostile neighbourhood the Internet can often be. Kids from local high schools get a sort of digital self-defence class, giving teens the moves to tackle fraud, identity theft and attacks on their systems.
Pete Herzog: "We are taking kids who will see this kind of illegal activity, and showing them how it is done, what's happening, so they can understand it as a technical concept; but also, what is their computer doing, how can it be cleaned up, why is this taking over their system, why is their privacy being invaded?"
The A to Z of hacking includes modules in ports and protocols, malware, digital forensics and E-mail security and privacy, which shows how to send an Email that looks like it comes from someone else.
Xavier Cadenas, teacher: "The students should be able to distinguish if the user who sent them an Email is a known person and they are who they claim to be; if the Email is legal or not legal. They should always be suspicious and not believe everything they see."
Naturally enough the school doesn't want the kids hacking into real systems. To test their skills ISECOM set up four phantom servers for the students to test out.
Juame Abella, Hacker High School: "If they want to hack we give them a controlled area where they can hack. One of the things we want to improve is to get them to give feedback to the teacher about what they did and how they did it.
We want to teach them hacking, to be hackers, but ethical hackers, good hackers, knowing what they do and what the limits are."
The school believes there could be jobs out there for this new breed of ethical hacker. They hope the best of the crop passing through Hackers High School will eventually join university IT students vying for jobs in one of the computer industry's biggest growth areas: security.
ISESTORM featured in a report from Euronews Posted by cdupuis on Tuesday, 30 November 2004 @ 16:15:52 EST (1665 reads) Topic OSSTMM
Bias-Free Security Testing Posted by cdupuis on Wednesday, 03 November 2004 @ 17:55:31 EST (1185 reads) Topic OSSTMM
Anonymous writes "New security-risk management tools bridge the security/business gap
by Mathew Schwartz
11/3/2004
Why protect $500 worth of data with a $5,000 firewall?
Security risk management means surrounding the highest-value assets with the best security, and according less protection to less-valuable assets. With unlimited resources, security spending wouldn't matter. This being the real world, however, security experts recommend better protecting what attackers actually want to steal.
One way to assess the effectiveness of a risk management program is by using the Open Source Security Testing Methodology Manual (OSSTMM), released by the Institute for Security and Open Methodologies (ISECOM). In a nutshell, the OSSTMM is the only open-source tool available for bias-free security testing. Its users range from U.S. government agencies to large enterprises, including the Volkswagen Group's Spanish IT subsidiary, Gedas Iberia.
Conducting an OSSTMM test "takes four to eight hours and you do some security measurements, and you get some answers, and the answers are factual: the machine responded or didn't respond, the port was open or not. There's no risk assessment, because there's no opinion to it," says Pete Herzog, managing director of ISECOM.
Instead of just making a list of which security tools are in place, the OSSTMM requires auditors to test security tool effectiveness. "We don't care if you have a firewall. What we care is what's accessible," says Herzog. So the test first measures operational security. "If you're doing business, you have to have certain things open, such as Web ports," notes Herzog. Auditors simply count every potential risk vector, from accessible databases to Web applications.
Then there's testing of actual security, which takes into consideration loss controls. "For example, a Web port could be open, but you have authentication or encryption. [Well] they aren't actually secured, but there are loss controls, so data can't be stolen or modified along the way." In other words, someone might steal a database, but if it's encrypted, "loss control says it would cost you more money and resources than the value of what you stole."
The end result is a bias-free assessment of an organization's security, as well as guidance on how to adjust it. "In the end, you not only have accurate benchmarks, but you can also verify if the percentage of what you spend on new security measures actually can be justified by increasing security or loss controls to the right assets at the right cost," he says. The OSSTMM test is also a snapshot of an organization's security, useful for measuring future progress.
While version three of the OSSTMM, which refines the testing process, is due for release shortly, with ISECOM's blessing, a company called CIOview has already implemented it into a recently released tool for conducting security audits called SecurityNOW.
"
SecurityNow! Posted by cdupuis on Tuesday, 14 September 2004 @ 01:00:00 EDT (1894 reads) Topic OSSTMM
CCCure.Org announces Support of SecurityNOW! Software Increases Auditor Productivity and Financial Transparency for IT Security
Florida, (September 14, 2004) - (CCCure.Org) in conjunction with CIOview and ISECOM, announce the availability of SecurityNOW! software for IT security professionals. SecurityNOW! provides organizations an OSSTMM-based software product that ensures they can:
- Perform an objective assessment of their security
- Generate a Risk Assessment Value (RAV)
- Determine the financial cost of an organization's current security presence
- See the ROSI on as many as 5 new security initiatives
- Directly input the results of a security audit or one of several port and vulnerability detection scanners
- Automatically generate a report of their current security situation and the financial implications of additional security investments
SecurityNOW! Availability
The SecurityNOW! Professional version offers the added benefit of integration with several port and vulnerability detection scanners and automatically generates an OSSTMM certified report. As a result, the Professional version is geared toward consultants, trained security auditors and IT professionals. SecurityNOW! Professional is available for $3,995 for a 12-month license at the CIOview Corp. web site (www.cioview.com).
About CIOview
CIOview is the industry standard provider of software products that configure, cost and compare technology solutions, so that IT professionals make better purchasing decisions. Used by more than 80% of Fortune 100 companies, CIOview is the standard for comparing value of IT solutions.
About ISECOM
ISECOM is an open-source collaborative community dedicated to providing practical security awareness, research, certification and business integrity. ISECOM oversees the development of the OSSTMM, an international standard methodology and best practices for security risk assessment. The OSSTMM is the most widely adopted approach worldwide to assessing the security of a company's computer systems.