In this author’s estimation the true worth of this approach lies in the new “risk assessment values” (RAV) spreadsheet provided by the community. The spreadsheet is divided into the six operational areas and breaks down risk in each of these areas into a numerical value. All of these risk values are aggregated to provide an overall risk profile for the organization. Thus the OSSTMM provides an easy-to-use, consistent, and reliable process that leads you toward meaningful results that can be compared over time. I am always comfortable approaching management with the numbers produced from my OSSTMM tests and the RAV spreadsheet. Although based in Spain, the ISECOM organization provides global training courses and certifications. Just as the ISO 27001 and COBIT processes allow for test report validation, your OSSTMM reports may also receive certification.
A complete security testing toolbox
We’ve discussed the framework for conducting your penetration testing; now we move on to the basic toolbox for your testing. The tools below cover the information security, network, and wireless modules of the OSSTMM. You’ll need tools for testing servers and workstations, switches and routers, network protocols, wireless access points, Web servers, applications, and passwords, to name but a few. Because simple scanning does not meet the OSSTMM’s requirement for thoroughness, you’ll also need exploit tools to verify that a potential vulnerability is real rather than a scanner false positive. My list of preferred tools is loosely based on the list of Top 100 Network Security Tools provided by Insecure.org. Compiled through a global poll of professional security testers, this list is reviewed and updated every two years, and I've come to rely on it as the basis for my personal toolbox.
The Sectools.org list shows whether each tool is Linux/Unix-based or Windows-based and whether it is open source or commercial software. When possible I like to use Windows tools. Don't get me wrong, I love Linux and use it all the time. I'm just lazy. If I don't have to switch between operating systems to conduct my testing, I'm happier. My management also has an easier time understanding my reports if I can describe the testing in terms of an operating system they are familiar with.
Google is a great tool for finding all kinds of information on the Web -- including information that shouldn't be there. In the context of the information security portion of the OSSTMM process, Google is used for both the competitive intelligence and privacy scans of your assets. Johnny Long made this method famous with his Google Hacking Database (GHD).