Penetration Testing mailing list archives

Re: RE: OSSTMM how good is it?
From: stevearmstrong () logicallysecure com
Date: 18 May 2006 10:37:54 -0000

Weird, I trust IS1 more than CRAMM, if for no other reason than all the info is on one page and not spread through 
pages of data entry and meaningless figures.  
How do you generate your equivalent of the Accreditation Doc Set? How do you document your risks etc., as CRAMM 
output is more SSP and SyOps stuff which is way in the past (memo 5 went out about 98/99).  
I am assuming you are working under MPS, in which case the OSSTMM will not gain you anything more officially as it is 
not recognised, and if your accreditor doesn't trust the HMG method of assessing residual risk then what do they trust?

OSSTMM is a good methodology but I think you may be adding another layer to a problem.  If your threat identification 
process is conducted correctly (with either IS1 or 2) then you will have the key attack vectors identified.  Either by 
using attacking groups from IS1 or by looking at domain based security attack vectors against the data islands (IS2).  
After this you should be able to identify key areas for focused and detailed testing, the results of which will allow you 
to 'put to bed' those vectors.  

However, and I may be wrong here, you aren't getting these kinds of indicators of areas to test because of the type of 
output CRAMM generates.
It honestly sounds like your accreditor is all screwed up!  And to be honest (speaking as both a former tester and 
accreditor) you need direction from them as to what kind of output they want for testing.  OSSTMM is thorough and will 
uncover problems with your system (complexity and tester skill permitting), but you cannot just point a team at a 
network and say 'go do an OSSTMM test on that network/system' as it is too generic.  

To satisfy a good accreditor, targeted testing at high risk or vulnerable points is required.  If you gave me an OSSTMM 
test on a network I would accept it but it would only be a starting point for further testing and therefore probably 
overkill.  Without a good process to identify the correct risks, time and effort are being wasted.

Just my 2p

Steve A


UK IT Security Forum - www.logicallysecure.com/forum

