Five OSSTMM Security Areas

I first heard about OSSTMM five or six years ago at Ariadnex. I didn’t learn anything about hacking at University. However, I wanted to learn more and more about security. Therefore, I studied for the CISA and CISM certifications. I got them! Today, I work as a teacher for IT security courses. In addition, I work as an auditor on information security. When I work as an auditor, ISO/IEC 27001 is the best standard for auditing policies, procedures and controls, but if I have to test the company, OSSTMM is the best methodology.

OSSTMM has five main security areas. Human Security Testing is the first one. Employees are not used to working with a security mindset. They are focused on their tasks. Most of the time, they don’t want to know anything about security. Therefore, a social engineering attack can give you almost anything. A social engineering attack is useful for getting sensitive information. This first security area takes into account the security awareness of personnel. However, I think social engineering attacks aren’t easy because we have to cheat people.

The second security area is Physical Security Testing. Have you ever stolen something? Have you ever gone into a house where nobody told you to go in? This security area assesses access controls, security processes and physical locations. It’s amazing how the OSSTMM tells you equipment is important. “Equipment can range from rope to climb walls to SCUBA gear to travel under water”. I think physical security testing is also very difficult for most people because we’ll have to hide and not make noise while “stealing” sensitive information.

Wireless Security Testing is the third security area. We are going to test spectrum security (SPECSEC), so we’ll have to be near the locations. The objectives of this security area are physical and logical barrier testing. In addition, spectrum security includes electronics security (ELSEC), signals security (SIGSEC) and emanations security (EMSEC). It’s also interesting how OSSTMM tells us we “need to be prepared for the possibility of accidental bodily harm from exposure to electromagnetic and microwave radiation”.

The fourth security area is Telecommunications Security Testing. This security area is within the electronics security (ELSEC) realm, where we are going to analyse telecommunications over wires. What are the attack vectors we are going to test? PBX testing, voice mailbox testing, Voice over IP (VoIP) testing, etc. We’ll have to know about digital and analog telecommunications.

Finally, the fifth and last security area is Data Networks Security Testing. This is my favourite one because we can attack computer systems and network systems. However, we have to do it stealthily. We have to avoid disclosure of the tests by operators. It’s easier than the previous security areas and we don’t have to be near the target. Some engineers consider this area to be “penetration testing”. Networking knowledge and security testing skills are required of Analysts in this area.

Best regards, my friends. Keep reading and keep learning, my friends!