OSSTMM 3: Security Testing Methodology

The document introduces the OSSTMM 3, a comprehensive manual for security testing developed by ISECOM, which outlines various types of security tests and their applications. It emphasizes the importance of a scientific methodology for auditing organizational security and includes guidelines for compliance with established standards. The manual provides a structured approach to security analysis, covering multiple channels and phases of testing.
OSSTMM 3

M. Sc. Aldo Valdez Alvarado

Higher University of San Andrés
Computer Science Degree
Analysis and Design of Information Systems
aldo_valdez@[Link]
arvaldez@[Link]

ABSTRACT
This article presents an introduction to the Open Source Security Testing Methodology Manual in its version 3, the de facto standard for conducting security audits.

Keywords
OSSTMM, ISECOM, Security, Test, Intrusion.

1. INTRODUCTION
The OSSTMM, the 'Open Source Security Testing Methodology Manual' (officially named in its Spanish version the "Manual de la Metodología Abierta de Testeo de Seguridad"), is one of the most comprehensive standards and the one most commonly used by professionals when it comes to reviewing the security of systems from the internet. It was created in 2001 by Pete Herzog, Executive Director of ISECOM (Institute for Security and Open Methodologies), and is the result of the uninterrupted effort of more than one hundred and fifty collaborators and directors who, bringing together the community of security professionals as a whole, contributed knowledge, experience and hours of review to this project.

This manual also covers compliance with standards and best practices such as those established in NIST, ISO 27001–27002 and ITIL, among others, which makes it one of the most complete manuals regarding the application of tests to information security in institutions.

This article presents version 3 of this manual, which introduces many improvements over version 2.2, some particularly related to risk management and others related to the improved and expanded use of some of the tests.

2. OSSTMM 3

2.1 Purpose
Its main purpose is to provide a scientific methodology for examining the organization, conducting tests on its security from the inside out.

A second purpose is to provide guidelines for the systems auditor, intended for the certification of the organization with respect to the ISECOM requirements.

The document provides a series of specific descriptions for carrying out an operational security test on all the channels, including the physical and human aspects, telecommunications, wireless media, data networks, and any other description derived from a real metric.

2.2 Types of tests
Security tests can take all forms and types, ranging from intrusion to guided auditing. The OSSTMM includes six types of tests:
- Blind, or Ethical Hacking.
- Double Blind, Black Box audit or Penetration Test.
- Gray Box.
- Double Gray Box.
- Tandem or Sequential Test.
- Reversal.

2.3 Scope or competence
The scope must encompass all operational security and engage the different areas or channels described by the manual, as shown in the following table:

Channel                  | Section            | Description
-------------------------|--------------------|----------------------------------------------
Physical Security        | Human              | All those in the organization
Physical Security        | Physical           | Tangible objects of the organization
Communications Security  | Data networks      | Electronic systems and data networks
Communications Security  | Telecommunications | Digital and analog communications
Spectrum Security        | Wireless           | Electromagnetic signals employed

Table 1. Scope of the Manual

2.4 Modules
The flow of this OSSTMM manual begins with determining the target situation; this situation is determined by the culture, rules, norms, regulations, legislation and policies defined in it. The methodology proposes a hierarchical model of Channels, Modules and Tasks, where the vectors are simply the lines of analysis pointing at each of the channels. The modules are specific areas of each channel, and activities may be found that lie on the border between two channels.

2.5 General Scheme
The general scheme of the security testing process presents the following phases:

Regulatory Phase. In directing the tests, the auditor understands the requirements, the scope and the limitations of the audit. This phase considers: the posture review, the logistics, and the active detection verification.

Definition Phase. The scope of the engagement is defined. The foundation of the security tests requires knowledge of the scope and the area in relation to the objectives and assets. This phase considers the visibility audit and the verification of accesses, of trust and of controls.

Information Phase. The auditor discovers information, where the intention is to uncover poor information management. This phase considers the verification of processes and configuration, the validation of property, a review of segregation and of exposure, and an exploration of competitive intelligence.

Interactive Phase of Control Testing. These tests focus on penetration and disruption. It constitutes the final phase of the security tests, and it cannot be carried out while the other phases have not been completed. This phase considers the verification of quarantine, the privilege audit, the validation of survivability, and the review of alerts and records.

3. CONCLUSIONS
As observed, the Open Source Security Testing Methodology Manual has a very complete schematic structure for security analysis in organizations, for both IT security experts and security auditors.

4. BIBLIOGRAPHY
[1] DragoJAR. OSSTMM. Manual of the Open Security Testing Methodology [online]. [Available at:] [Link] [Link]. [Search date:] May 2013.
[2] Garcia, L. OSSTMM Methodology [online]. [Available at:] [Link] [Link]. [Search date:] May 2013.
[3] Gregg, M. Certified Ethical Hacker. 2006. Que Publishing. USA.
[4] Herzog, P. OSSTMM 3 The Open Source Security Testing Methodology Manual. 2010. ISECOM.
[5] Racciati, H. OSSTMM 3. An Introduction [online]. [Available at:] [Link] [Search date:] May 2013.