Feeds

Open Source security manual and training for ethical hacking

Everywhere and nowhere

  • alert
  • submit to reddit

Top three mobile application threats

The Open Source Security Testing Methodology Manual (OSSTMM) has become an international open standard, according to its creator, Pete Herzog. It is used by large organizations like the U.S. Treasury Department, Home Depot, Verisign, and IBM, although Herzog says that he has a hard time getting entities that use the manual to talk much about it.

Herzog has been in professional security since 1997 when he got involved with IBM's Europe-based Emergency Response Service. Today he heads up the Institute for Security and Open Methodologies (ISECOM) in order to provide Open Source security tools and information via the Internet. Herzog also describes it as an open, non-profit think tank for developing new open standards and methodologies in security.

"The main problem I have is that nobody has to tell me if they use the OSSTMM," due to its Open Source nature, says Herzog. "I have been asked by a person at the U.S. Navy SPAWAR division about its inclusion in their Posture Assessment document. I also have also some comments from the U.S. Airforce and Army -- the biggest downloaders of the manual based on web traffic."

IBM's Ethical Hacking team has the OSSTMM in its knowledge database, says Herzog, and they are considering sponsoring a workshop based on the manual.

The Intense School, a company that provides "boot camp"-like IT certification courses, uses the manual in its Hacking Boot Camp, described as " program that brings together the hacker's mind and a professional security testing methodology-the OSSTMM."

"Overall, I have to say we are everywhere and nowhere," Herzog says. "We are still a small-time operation that mixes contributors with peer-reviewers and editors." In fact, even though people pop up with suggestions and contributions now and then, the entire operation is mostly a one man show, according to Herzog.

"I developed the manual, accepted feedback and commentary, opened it up for people to use it, and I update it. Some people submit more than others but it's still me who ends up doing all the work. I have a few editors who help fix it up but really the whole OSSTMM comes down to me including the submissions and doing the reseach and lab work to expand the missing areas."

Herzog says the OSSTMM was born after he scribbled some notes on a napkin during a train commute. "When I got off the train and met my wife, I told her I figured out something big. After I explained it to her we decided the best thing to do was to scratch together the idea and publish it on the Internet so everyone can use it. I had no idea how it would be received."

Now the manual is about to be released in a 3.0 version, and Herzog has developed a training course based on the OSSTMM.

"Since the manual only tells the what, when, and where of security testing," says Herzog, "the course will provide the how and why." Herzog created an international peer review of both the manual and the training materials. The course provides the information a "security testing professional must know to be a practical, resourceful ethical hacker and penetration tester," he adds.

Herzog's says his training will offer course materials for free, provided that would-be instructors attend a week-long "Train the Trainers" course that is designed to "ensure proper instruction."

"We create a partnership between all trainers, who openly share marketing and event materials with each other," says Herzog. "The fee for the course is to pay for the resources only - the trainer, network, tests, materials, and classroom - and to suport the Hacker High School program."

The Hacker High School program, also developed by Herzog, gives students access to a test network set up expressly to allow hacking attempts as a learning device. "The event teaches Internet legalities and ethics to high school students," says Herzog. "Basically, we applied the community effort of open source to training and it seems to be working."

Herzog says that the 3.0 version of the manual is to be released any day now, and a worldwide network of partners for administering the certification. For more information, visit the ISECOM website.

© Newsforge.com

High performance access to file storage

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Kingston DataTraveler MicroDuo: Turn your phone into a 72GB beast
USB-usiness in the front, micro-USB party in the back
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Inside the Hekaton: SQL Server 2014's database engine deconstructed
Nadella's database sqares the circle of cheap memory vs speed
BOFH: Oh DO tell us what you think. *CLICK*
$%%&amp Oh dear, we've been cut *CLICK* Well hello *CLICK* You're breaking up...
Just what could be inside Dropbox's new 'Home For Life'?
Biz apps, messaging, photos, email, more storage – sorry, did you think there would be cake?
IT bods: How long does it take YOU to train up on new tech?
I'll leave my arrays to do the hard work, if you don't mind
Amazon reveals its Google-killing 'R3' server instances
A mega-memory instance that never forgets
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.