Domain: osstmm.org
Stories and comments across the archive that link to osstmm.org.
Stories · 7
-
Hacker High School Starts to Spread
thelordx writes "Hacker High School, an initiative from the non-profit Institute for Security and Open Methodology, pioneers of the OSSTMM have received some media coverage for their Hacker High School Program. It's a license-free open-source program that provides security and privacy-awareness teaching materials to teachers. Here's the link to the BBC stream and article about the project." -
HackNotes Network Security Portable Reference
Blaine Hilton contributes this review of the Network Security Portable Reference, part of Osborne's "HackNotes" series. He writes "This book is best suited as an introductory overview to network security. Very little is covered in-depth. However, the book touches on pretty much the whole breadth of security topics. For people that are experienced with computer/network security topics, this book can be used to round out that knowledge and find weak areas." The rest of his review follows. Hack Notes Network Security Portable Reference author Mike Horton and Clinton Mugge pages 228 publisher Osborne rating 9 reviewer Blaine Hilton ISBN 0072227834 summary A concise overview of network securityIt may sound like a problem that the book doesn't give all of the details, but if it did there is no way it could be a "Portable Reference". My favorite feature of the book is its small size. I can easily keep it in my laptop bag and reference it as needed. I can then use that as a springboard to look up more information such as man pages. It is important to understand though that one will not become a network security expert after reading this book alone.
The book starts off talking about the Asset and Risk Based INFOSEC Lifecycle Model (ARBIL). This is something that I've heard many times before, but the drawing of the process helped engrain that concept. It also visually demonstrates how security is not just a one-time activity, but a continual process that just keeps going. You analyze the system, find the weaknesses, fix them, and then start over again. In the same fashion the book covers the SMIRA risk assessment process in a highly graphic way.
The Network Security Portable Reference is for people who have access to and are very familiar with both *nix systems and Windows. Depending on what tool or commands they are using both systems are used throughout the references. The book gives a list of tools they think you need, and basically say go to the site to learn about it. If you want detailed information on how to use these tools then this is not the book for you.
The book goes over different security aspects for *nix and Windows machines, it also talks about how the network itself can be compromised, including wired networks, and wireless. The authors also go over web applications and older technology such as phone PBX systems.
The assessment checklist at the end of the book provides a great check to determine your network security baseline and see what areas need work. Along with the assessment checklist there is a list of best practices. However, they are in the front of the book and while I can vaguely understand the difference, it seems to me that they should be together. As I believe when auditing a network you would check if best practices were implemented along with the rest of the checklist.
Another odd layout issue in the book is what they call the Reference Center. This is an area in the middle of the book, with a separate numbering system and the first page in the table of contents. There is no mention as to what this Reference Center is until you flip through the book and find the blue pages in the middle that begin with page rc1.
As I've mentioned before this book is a great springboard that will help point you in the right direction for information. One of the ways the authors do this is by having a Reference Center in the middle of the book and quite a few appendixes in the back of the book, there is also an index which is helpful for quick look ups.
When doing consulting work I've found that using the checklist in this book is a great way to begin looking at a company's network security. I have used this on two networks so far and have found it helpful, it is much better then trying to remember to check everything that you can think of at any particular moment. I have also found the Open Source Security Testing Methodology Manual to be quite thorough.
You can purchase HackNotes Network Security Portable Reference from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page. -
Wireless Security Testing Manual Available
the_pete writes "The new OSSTMM WIRELESS 2.9 has gone live at www.osstmm.org and includes tests for most things wireless from RFID tags to 802.11 networks and back to Bluetooth. We began separating out the sections from the OSSTMM 2.1 because the 3.0 draft was looking big and we found most people used it to test specific areas. So we threw together all the notes we had so far for the Wireless Testing Section and formatted it nicely. It's not quite 3.0 but it's getting there. And if there's a wireless device we don't cover you can always contribute your ideas, skills, and knowledge." -
Wireless Security Testing Manual Available
the_pete writes "The new OSSTMM WIRELESS 2.9 has gone live at www.osstmm.org and includes tests for most things wireless from RFID tags to 802.11 networks and back to Bluetooth. We began separating out the sections from the OSSTMM 2.1 because the 3.0 draft was looking big and we found most people used it to test specific areas. So we threw together all the notes we had so far for the Wireless Testing Section and formatted it nicely. It's not quite 3.0 but it's getting there. And if there's a wireless device we don't cover you can always contribute your ideas, skills, and knowledge." -
OSSTMM 2.1 Released
Pete Herzog writes "Once again, we have officially released another OSSTMM! After over a year and a half we have improved the OSSTMM (Open Source Security Testing Methodology Manual)."As we worked on packaging the 2.1 release, we all saw so much more that we wanted to put in. However we decided to put out a strong framework so following releases can come more quickly and more often and we wouldn't have to keep changing the formatting. OSSTMM 2.1 includes a lot of new stuff for those who do or require security testing. I am very happy with the updates to the manual on a whole and it's worth seeing the changes for this incremental upgrade. The following changes are included: readability, document structure, all 6 methodologies have been updated, updated law compliancies and best practices, rules of engagement structure, rules of thumb for security testers and project planning, ISECOM rules of ethics, and RAVs. You can download it directly from www.osstmm.org." -
OSSTMM 2.1 Released
Pete Herzog writes "Once again, we have officially released another OSSTMM! After over a year and a half we have improved the OSSTMM (Open Source Security Testing Methodology Manual)."As we worked on packaging the 2.1 release, we all saw so much more that we wanted to put in. However we decided to put out a strong framework so following releases can come more quickly and more often and we wouldn't have to keep changing the formatting. OSSTMM 2.1 includes a lot of new stuff for those who do or require security testing. I am very happy with the updates to the manual on a whole and it's worth seeing the changes for this incremental upgrade. The following changes are included: readability, document structure, all 6 methodologies have been updated, updated law compliancies and best practices, rules of engagement structure, rules of thumb for security testers and project planning, ISECOM rules of ethics, and RAVs. You can download it directly from www.osstmm.org." -
Open Source Security Testing
dr_labrat writes: "Most penetration testing companies use "proprietary" methodologies to audit their customer's networks. The Open Source Security Testing Methodology Manual (pronounced: Osstum) now gives reputable companies the opportunity to use a peer reviewed standard, and be compared to a wider community! It's just made it to version 2 and is gathering popularity."