security testing - dia.uniroma3.itpizzonia/ssir0708/study/securitytesting.pdf · © 2008 open...

Upload: phambao

Post on 06-Oct-2018

217 views

Category:

Documents

0 download

Report

Download

Embed Size (px):

TRANSCRIPT

Page 1: Security Testing - dia.uniroma3.itpizzonia/ssir0708/study/SecurityTesting.pdf · © 2008 Open Consulting OSSTMM • Open Source Security Testing Methodology Manual • Standard de-facto

Security TestingLuigi Gangitano

[email protected]

mailto:[email protected]

Page 2: Security Testing - dia.uniroma3.itpizzonia/ssir0708/study/SecurityTesting.pdf · © 2008 Open Consulting OSSTMM • Open Source Security Testing Methodology Manual • Standard de-facto

Il processo di sicurezza

Page 3: Security Testing - dia.uniroma3.itpizzonia/ssir0708/study/SecurityTesting.pdf · © 2008 Open Consulting OSSTMM • Open Source Security Testing Methodology Manual • Standard de-facto

Terminologia• Vulnerability scanning (automatico, Nessus)

• Security Scanning (VS e analisi professionale)

• Penetration Testing (esiste almeno un varco?)

• Risk Assessment (sulla carta)

• Security Auditing (verifica delle misure di sicurezza)

• Ethical Hacking (PT multipli, a tempo)

• Security Testing

OSSTMM• Open Source Security Testing Methodology Manual

• Standard de-facto del Security Testing

• Processo di revisione del manuale OpenSource

• Copre tutte le fasi del progetto di verifica della sicurezza, dalle indicazioni sul marketing al formato dei documenti di progetto

• Certificazioni (Tester, Analyst, Expert)

• Diverse revisioni disponibili (la più aggiornata è a pagamento)

• http://www.isecom.org

http://www.isecom.org

Page 5: Security Testing - dia.uniroma3.itpizzonia/ssir0708/study/SecurityTesting.pdf · © 2008 Open Consulting OSSTMM • Open Source Security Testing Methodology Manual • Standard de-facto

OSSTMM• Copre tutte le aree della sicurezza delle informazioni

Process Security

Information Physical Security Security

Internet

Technology

Page 6: Security Testing - dia.uniroma3.itpizzonia/ssir0708/study/SecurityTesting.pdf · © 2008 Open Consulting OSSTMM • Open Source Security Testing Methodology Manual • Standard de-facto

OSSTMM• 6 Moduli:

• Sicurezza delle informazioni

• Sicurezza dei processi

• Sicurezza delle tecnologie Internet

• Sicurezza delle comunicazioni

• Sicurezza dei canali Wireless

• Sicurezza Fisica

• Per ciascun modulo sono indicate diverse attività

• Tutte le attività di un modulo devono essere svolte

Page 7: Security Testing - dia.uniroma3.itpizzonia/ssir0708/study/SecurityTesting.pdf · © 2008 Open Consulting OSSTMM • Open Source Security Testing Methodology Manual • Standard de-facto

Metodologia

• Definizione dello stato dell’arte della sicurezza per l’ambiente oggetto di analisi

• Raccolta di informazioni

• Esecuzione dei test di sicurezza

• Misurazione dei risultati (attraverso RA, distanza dallo stato dell’arte)

• Documentazione dei risultati

Page 8: Security Testing - dia.uniroma3.itpizzonia/ssir0708/study/SecurityTesting.pdf · © 2008 Open Consulting OSSTMM • Open Source Security Testing Methodology Manual • Standard de-facto

Un esempio

Page 9: Security Testing - dia.uniroma3.itpizzonia/ssir0708/study/SecurityTesting.pdf · © 2008 Open Consulting OSSTMM • Open Source Security Testing Methodology Manual • Standard de-facto

Dettaglio di un test• Definizione dei risultati attesi

• Eventuali vulnerabilità

• Elenco delle politiche non rispettate

• Elenco dei metodi utilizzati per i test

• Dati raccolti durante i test

• Esecuzione delle procedure indicate nel test

• Attraverso l’uso di strumenti automatici

• Attraverso la verifica manuale dello stato dei sistemi

Page 10: Security Testing - dia.uniroma3.itpizzonia/ssir0708/study/SecurityTesting.pdf · © 2008 Open Consulting OSSTMM • Open Source Security Testing Methodology Manual • Standard de-facto

Report

Page 11: Security Testing - dia.uniroma3.itpizzonia/ssir0708/study/SecurityTesting.pdf · © 2008 Open Consulting OSSTMM • Open Source Security Testing Methodology Manual • Standard de-facto

Aree di analisi

• Security testing non è solo nmap + nessus

• Sicurezza fisica (accessi, controlli, allarmi, CCTV)

• Sicurezza delle comunicazioni (PBX, Wardialing)

• Sicurezza dei canali Wireless

• 802.11*, Bluetooth, DECT, RFID, IR, Tempest

• Social Engeneering

• Richieste informazioni, inviti, impersonamento

Page 12: Security Testing - dia.uniroma3.itpizzonia/ssir0708/study/SecurityTesting.pdf · © 2008 Open Consulting OSSTMM • Open Source Security Testing Methodology Manual • Standard de-facto

Pre-requisiti

• Accordi commerciali

• Definizione dei limiti delle verifiche

• Definizione della durata dei test

• Non Disclosure Agreement

Page 13: Security Testing - dia.uniroma3.itpizzonia/ssir0708/study/SecurityTesting.pdf · © 2008 Open Consulting OSSTMM • Open Source Security Testing Methodology Manual • Standard de-facto

Diversi livelli di ST

• Blind, Double blind

• Gray box, Double gray box

• Tandem

• Reversal

Using Debian GNU/Linux - dia.uniroma3.itwgehrke/docs/AfsWs2006.pdfUsing Debian GNU/Linux Dr. Wolfgang A. Gehrke ... Linux distributions ... parallel, distributed, grid computing; new

PECB Certified Lead Ethical Hackeras the Penetration Testing Execution Standard (PTES) and the Open Source Security Testing Methodology Manual (OSSTMM). Moreover, you will also gain

A Fedora Security Lab Presentation · and the OSSTMM Security Lab Thorough, Safe and Secure Joerg Simon [email protected]

Contact information - Roma Tre Universitycritis08.dia.uniroma3.it/pdf/CRITIS_08_28.pdf · CRITIS 2008, Rome, Italy, October 13-15, 2008 CESI RICERCA 2 Evaluations Architectures Power

Hacking con Kali Linux - Alonso Caballero Quezada / ReYDeSreydes.com/archivos/Kali_Linux_v2_ReYDeS.pdf · • Open Source Security Testing Methodology Manual (OSSTMM) ... • Technical

Emanuel Weitschek [email protected]€¦ · BIOMEDICAL DATA MANAGEMENT AND ANALYSIS Emanuel Weitschek [email protected] . 2/71 Outline • Growth of biological data • DNA

Test de Intrusión: Metodologías OSSTMM e ISSAF...– Incluye análisis de túneles VPN, AS400, LOTUS, etc. OSSTMM es más amigable: – Auditoría alineada con objetivos concretos

Fedora Osstmm Secspinv2

NETWORK PENTRATION TESTING CY C E B N E R A TRUST & A S … · OSSTMM SANS ISO27001 PTES PCI DSS NIS T SP800 - 115 Appr oac h Scope Of the security Assessment, Number of Internal

OSSTMM 2.2. - Security Scienceosstmm-2.2).pdf · OSSTMM 2.2. - The Open Source Security Testing Methodology Manual 13 December 2006 4 CC Creative Commons 2.5 Attribution-NonCommercial-NoDerivs

Enterprise Big Data Platforms - dia.uniroma3.ittorlone/bigdata/A1-platforms.pdf · Enterprise Big Data Platforms +Big Data research @ Roma Tre Antonio Maccioni [email protected]

Module 2, Part 1 The OSSTMM

Module 2, Part 2 The OSSTMM for Managers

A Design Methodology for Computer Security Testing … fine terzo... · A Design Methodology for Computer Security Testing Marco Ramilli . Arts, Crafts and Sciences ... OSSTMM . …

Database Optimization Techniques for Semantic Queriessebd2015.dia.uniroma3.it/pdf/manolescu.pdf · I. Manolescu Semantic Query Optimization SEBD 2015, Gaeta 16 / 73 RDF data model

prof. Andrea Gasparri - IEEE TRANSACTIONS ON ...gasparri.dia.uniroma3.it/pdf/GasparriTIM12014.pdfTre,” Rome 00146, Italy (e-mail: [email protected]). E. Garone is with the

Attack-Surface metrics, OSSTMM and Common Criteria based ... · Attack-Surface metrics, OSSTMM and Common Criteria based approach to “Composable Security” in Complex Systems

Open Source Security Testing Methodology Manual - OSSTMM 2 · ISECOM is the OSSTMM Professional Security Tester (OPST) and OSSTMM Professional Security Analyst (OPSA) certification

ControlNet Parretti Emanuele - dia.uniroma3.it · che indica l’indirizzo di rete per il recapito • General Connection ID (3 bytes), contenente un numero utilizzato per identificare

Security Audit Certificate - eWON · Audit process: OSSTMM & OWASP ... communication channel Test type: Double gray box Security Audit Certificate Audit modules: ... (Security Test

The Startup Ecosystem: a Quick Toursebd2015.dia.uniroma3.it/pdf/merialdo.pdf · The Startup Ecosystem: a Quick Tour Paolo Merialdo [email protected] Uniroma3 – InnovAction

By Andre Gironda - OWASP · • OSSTMM – Open-Source Security Testing Methodology Manual – For pen-testers – OSSTMM v3 – Book: Annotated OSSTMM • You have to wait until

Automazione Industriale Scheduling Flow-Shop and Job-Shop a.a. 2005/2006 Ing. M. Ciavotta E-mail: [email protected] Dipartimento di Elettrotecnica

INFORMATICA GRAFICA – SSD ING-INF/05 - dia.uniroma3.itscorzell/didattica2008/ppt/15_cap6_renderingg... · INFORMATICA GRAFICA ... Commissione Internazionale ... e di due componenti

Open-Source Security Testing Methodology Manual · Open-Source Security Testing Methodology Manual Created by Pete Herzog current version: osstmm.2.0 release candidate 6 notes: …

RISK ANALYSIS Approfondimenti - isticom.it · OSSTMM – Open Source Security Testing Methodology Manual 96 PRA – Psychological Risk Assessment 99 RAF - Risk Analyis Facility 102

Getting benefits of OWASP ASVS at initial phases · •OWASP Testing Guide •OSSTMM •... OWASP ASVS •PCI DSS mapping •MITRE CWE •OWASP Top 10 •… 11 From PCI DSS to OWASP

Centralized Enterprise Management of Penetration Testing ... Enterprise - Whitepa… · Methodology Manual (OSSTMM) and others. The use of these methodologies provides consistency

IT systems - TÜV SÜD · assessment report recommending any remedial action ... carry out an on-site audit, and/ ... OSSTMM (Open Source

Stability of a distributed generation network using the ...critis08.dia.uniroma3.it/pdf/CRITIS_08_3.pdf · Stability of a distributed generation network using the Kuramoto models

Macro-level Scheduling of ETL Workﬂowsqdb2011.dia.uniroma3.it/participants/program/p1-KARAGIANNIS.pdf · Macro-level Scheduling of ETL Workﬂows Anastasios Karagiannis University

OSSTMM V 2 - H2HC 14ª Edição · OSSTMM A little of history: The OSSTMM was created with intention of only citing norms and methodologies for the security community, but, as

Open Source Security Testing Methodology Manual - OSSTMM 2.1

co_87_lazzini_fabio_intro.pdf - [MIDES] Forgesforges.forumpa.it/assets/Speeches/20313/co_87_lazzini_fabio_intro.pdf · > OSSTMM Professional Security Tester (OPST) > OWASP Web Security

Case study “STET” - isaca.org€¦ · OSSTMM version 3.0 . 10.10.2014 - Trento - ISACA VENICE Chapter 28 Case study “STET