[ISN] Open Source security manual and training for ethical hacking

From: InfoSec News (isnat_private)
Date: Fri Feb 21 2003 - 02:56:10 PST

  • Next message: InfoSec News: "[ISN] XP Hole Plagues All Similar Apps"

    By Tina Gasperson
    Source Security Testing Methodology Manual (OSSTMM) has become an
    international open standard, according to its creator, Pete Herzog. It
    is used by large organizations like the U.S. Treasury Department, Home
    Depot, Verisign, and IBM, although Herzog says that he has a hard time
    getting entities that use the manual to talk much about it.
    Herzog has been in professional security since 1997 when he got
    involved with IBM's Europe-based Emergency Response Service. Today he
    heads up the Institute for Security and Open Methodologies (ISECOM) in
    order to provide Open Source security tools and information via the
    Internet. Herzog also describes it as an open, non-profit think tank
    for developing new open standards and methodologies in security.
    "The main problem I have is that nobody has to tell me if they use the
    OSSTMM," due to its Open Source nature, says Herzog. "I have been
    asked by a person at the U.S. Navy SPAWAR division about its inclusion
    in their Posture Assessment document. I also have also some comments
    from the U.S. Airforce and Army -- the biggest downloaders of the
    manual based on web traffic."
    IBM's Ethical Hacking team has the OSSTMM in its knowledge database,
    says Herzog, and they are considering sponsoring a workshop based on
    the manual.
    The Intense School, a company that provides "boot camp"-like IT
    certification courses, uses the manual in its Hacking Boot Camp,
    described as " program that brings together the hacker's mind and a
    professional security testing methodology-the OSSTMM."
    "Overall, I have to say we are everywhere and nowhere," Herzog says.  
    "We are still a small-time operation that mixes contributors with
    peer-reviewers and editors." In fact, even though people pop up with
    suggestions and contributions now and then, the entire operation is
    mostly a one man show, according to Herzog.
    "I developed the manual, accepted feedback and commentary, opened it
    up for people to use it, and I update it. Some people submit more than
    others but it's still me who ends up doing all the work. I have a few
    editors who help fix it up but really the whole OSSTMM comes down to
    me including the submissions and doing the reseach and lab work to
    expand the missing areas."
    Herzog says the OSSTMM was born after he scribbled some notes on a
    napkin during a train commute. "When I got off the train and met my
    wife, I told her I figured out something big. After I explained it to
    her we decided the best thing to do was to scratch together the idea
    and publish it on the Internet so everyone can use it. I had no idea
    how it would be received."
    Now the manual is about to be released in a 3.0 version, and Herzog
    has developed a training course based on the OSSTMM.
    "Since the manual only tells the what, when, and where of security
    testing," says Herzog, "the course will provide the how and why."  
    Herzog created an international peer review of both the manual and the
    training materials. The course provides the information a "security
    testing professional must know to be a practical, resourceful ethical
    hacker and penetration tester," he adds.
    Herzog's says his training will offer course materials for free,
    provided that would-be instructors attend a week-long "Train the
    Trainers" course that is designed to "ensure proper instruction."
    "We create a partnership between all trainers, who openly share
    marketing and event materials with each other," says Herzog. "The fee
    for the course is to pay for the resources only - the trainer,
    network, tests, materials, and classroom - and to suport the Hacker
    High School program."
    The Hacker High School program, also developed by Herzog, gives
    students access to a test network set up expressly to allow hacking
    attempts as a learning device. "The event teaches Internet legalities
    and ethics to high school students," says Herzog. "Basically, we
    applied the community effort of open source to training and it seems
    to be working."
    Herzog says that the 3.0 version of the manual is to be released any
    day now, and a worldwide network of partners for administering the
    certification. For more information, visit the ISECOM website
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Feb 21 2003 - 05:18:00 PST