Domain: isecom.org
Stories and comments across the archive that link to isecom.org.
Comments · 12
-
OSSTMM
For much more detail and depth about these kinds of topics, see the free OSSTMM. (Scroll down to the bottom of the page.)
-
Did someone slip the ideahamsters some booze? From their "about us" page (emphasis mine):
Founded originally as the Ideahamster Organization for generating security-centric inventions for the open source community, we continue to provide collective information and tools under the open licenses under the Open Source Initiative and the Open Methodology License for free public dissemination. Our main technical team members are still known as "ideahamsters" which is a term used to describe a person who is always providing creative and new ideas.
Wow. Just, wow. So is this an organization started and run by twelve-year-old wanna-be hackers?
-
Now with more link-y goodness
The Open Source Security Testing Methodology Manual is here.
-
There are open security methodologies and tools! Sheesh, post something of importance, and get a bunch of smart-ass flak.
If you are looking for a proven open standard methodology for performing security tests, then the Open Source Security Testing Methodology Manual (OSSTMM) is the way to go.
In addition, there is the Linux distro Trinux, which includes most of the common Linux open source security auditing tools.
-
RE: Security testing methodology
-
CEH vs OPST (from pen-test)
For me, the value of a class is not in the test or even the certification at the end. The lasting value is in the knowledge and skill set that you refine and take with you back to your job. I also have made lasting relationships with the classmates, students, and instructors that I've met over the years. All of these mean a lot more to me than the "e-i-e-i-o" at the end of my name.
I gravitated towards ISECOM's OPST/OPSA classes because they fill a role I felt was missing in the security class space. Many non-vendor-specific security classes have a very narrow tools-based focus. While I agree that knowing how to use your tools in a test is important, I feel knowing why and when to use them is far more important. Knowing the politics involved in testing, going over internationally accepted testing practices, and reviewing regional and national legal regulations are just as much part of the job. These things are not merely important, but are required to be successful in your role as a security tester. In addition to the intensely technical aspects of the testing process, this is what the OPST represents: the "professional" side of security testing. Also, the ISECOM classes teach from ISECOM's Open Source Security Testing Methodology Manual (OSSTMM), which provides a much-needed methodical framework to bring a scientific-method style to the chaotic world of security testing.
The CEH class represents the other kind of class: one that is "flashy", "fun", "exciting", but not overly useful to the serious professional. While I have a lot of respect for Clément (one of the instructors for Intense School), I have very little respect for any organization that markets "hacker" classes. This includes the so-called ethical hacking, applied hacking, exposed hacking, grandmother hacking, squirrel hacking, super-duper 3y3 4m 31337 hacking, or any other fancy way of saying "Learn how to think and act like the bad guys".
While choosing where to spend your time and money, consider the community you are aligning with. If you look at ISACA, SANS, ISC2, ISECOM, etc., they all have a true dedication to security and the betterment of the global information security community. Contrast the value of being affiliated (via education/certification) with any of those organizations against a piece of paper and a CD of toys.
-
-
re: metasploit
Metasploit is similar to Core Impact.
I'll gladly add this to my tools, without any cash outlay.
Want more security tools?
-
Tough Crowd.
What you'll find is that people really defend to the death what they think is security based on how much they *really* know, which you'll find is usually about the level of what they read in Computerworld magazine. Even the self-proclaimed experts. You are best off doing what you can, even if it's just scanners, but realize it's not exactly a definitive or even realistic test of security. But it is something and worth doing. Remember to keep it practical and, most of all, make sure you can measure it. One problem with a lot of these scanners and semi-tests is that they give you some arbitrary high/medium/low talk. Try to put real numbers in there so you can actually measure risk. More details on practical testing with risk measurement are in the Open Source Security Testing Methodology Manual, and there is a lot of information over at the Institute for Security and Open Methodologies. Inform yourself better, and with ISECOM you can at least know it's a lot of information from many, many security people (800+) giving peer review.
-
Good Companion Reading...
While this book does an excellent job in detailing how to implement a solid security environment, it falls short of providing how to test the security of an environment.
There is an open source project methodology that would be a great additional read for the purpose of testing the security of your environment. Go check out the Open Source Security Testing Methodology Manual (OSSTMM). They just released the 2.1 version of it, as described here.
-
My educational plans:
I'm an undergraduate student working towards a CS degree. After I graduate I plan to get a master's from an educational institution recommended by the NSA. Keep in mind that some schools on this list have better programs than others. Georgia Tech has a highly technical program while Carnegie Mellon has a great organizational program. Both schools deal with all topics, just to different degrees. I have heard the argument that experience is better than education. In my opinion, both are important.
If you are looking for a less formal learning experience, you could check out DEFCON, which is an annual conference for hackers. There are also other more formal conferences which cost a lot more (ApacheCon, DallasCon, etc.).
If you are looking for thorough documentation, you could check the Open Source Security Testing Methodology Manual. Network and other computer security topics are extremely important and interesting.
-