I Spy. The World of Info Security from the Known to the Unknown
DESCRIPTION
A presentation we took part in together with Pete Herzog, Director of ISECOM, during the I Juegos Fractales de la Vila de Gràcia held at the CSOA de Les Naus. It presents aspects of the new version of the OSSTMM (Open Source Security Testing Methodology Manual), led by Pete Herzog, on which security experts from all over the world collaborate, among them members of the technical team of Internet Security Auditors. This year's Hacker High School project was also presented; it is sponsored by La Salle, with Internet Security Auditors collaborating in Spain and Mediaservice from Italy, as well as many other people who contribute on a volunteer basis.
TRANSCRIPT
Copyright 2002 - 2003 - Pete Herzog, Institute for Security and Open Methodologies (ISECOM)
I Spy: The World of Info Security from the known to the unknown.
Security
1. Process Security
2. Information Security
3. Physical Security
4. Communications Security
5. Wireless Security
6. Internet Security
There is no such thing as security based on stolen entropy.
The universe is made of information which contains matter and energy.
Is security a manifest of information or is it about energy?
OSSTMM
I am a scientist. I am a researcher. I am a detective. I am a scholar. I am a spy. I am a watchdog. I am a hacker.
Data Collection
Competitive Intelligence
Scouting
Exploit Research and Verification
Posture Review
System Service Verification
Privacy Review
Document Grinding
Internet Application Testing
Routing
Denial of Service Testing
Trusted Systems Testing
Password Cracking
Access Control Testing
Containment Measures Testing
Alert and Log Review
Security Policy Review
Verification Testing
Logistics and Controls
Network Surveying
Intrusion Detection Review
Survivability Review
Privileged Service Testing
Finite Knowledge Limits
What is the most detail, dirt, and nasty little secret I can find out by looking at the big picture?
Business Intelligence
1. Map and measure the directory structure of the web servers
2. Map and measure the directory structure of the FTP servers
3. Examine the WHOIS database for business services relating to registered host names
4. Determine the IT cost of the Internet infrastructure based on OS, applications, and
hardware.
5. Determine the cost of support infrastructure based on regional salary requirements for IT professionals, job postings, number of personnel, published resumes, and responsibilities.
6. Measure the buzz (feedback) of the organization based on newsgroups, web boards, and industry feedback sites
7. Record the number of products being sold electronically (for download)
8. Record the number of products found in P2P sources, wares sites, available cracks up to specific versions, and documentation both internal and third party about the products
9. Identify the business partners
10. Identify the customers from organizations to industry sectors
11. Verify the clarity and ease of use of the merchandise purchasing process
12. Verify the clarity and ease of use for merchandise return policy and process
13. Verify that all agreements made over the Internet, from digital signature to pressing a button which signifies acceptance of an end-user agreement, can be repudiated immediately and for up to 7 days.
When I look deep inside myself, I see your weaknesses.
Privacy Review
Policy
1. Identify public privacy policy
2. Identify web-based forms
3. Identify database type and location for storing data
4. Identify data collected by the organization
5. Identify storage location of data
15. Identify fictionalized persons, organizations, or institutions associated with real persons.
16. Identify persons or organizations portrayed in a negative manner.
17. Identify persons, organizations, or materials which, as themselves or as a likeness thereof, are used for commercial reasons, as in web sites or advertisements.
18. Identify information about employees, persons, organizations, or materials which contains private information.
While nobody is watching you, I see you studying us.
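As an added example (not the deck's or the OSSTMM's own code), a small Python helper that supports steps 2 and 4 of the Privacy Review: it inventories the web-based forms on a page and flags the fields that collect personal data. The sample HTML and the list of field-name hints are constructed assumptions for this example.

```python
"""Privacy Review helper: inventory forms and the personal data they collect."""
from html.parser import HTMLParser

# Field-name fragments treated as personal data (assumed list for this example).
PERSONAL_DATA_HINTS = ("name", "email", "phone", "tel", "address", "birth", "card")
# Input types that carry no user-entered data and are skipped.
NON_DATA_TYPES = ("submit", "button", "reset", "image")


class FormInventory(HTMLParser):
    """Collect every <form> with its action, method and named data fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("type", "").lower() in NON_DATA_TYPES:
                return
            if a.get("name"):  # hidden fields are kept: they still send data
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def inventory_forms(html):
    parser = FormInventory()
    parser.feed(html)
    return parser.forms


def personal_fields(fields):
    return [f for f in fields if any(h in f.lower() for h in PERSONAL_DATA_HINTS)]


def review(html):
    """Per form: where data goes, how, which fields are personal, and whether
    personal data would travel in a GET query string (logged by servers/proxies)."""
    findings = []
    for form in inventory_forms(html):
        pii = personal_fields(form["fields"])
        findings.append({"action": form["action"], "method": form["method"],
                         "personal": pii, "pii_via_get": bool(pii) and form["method"] == "get"})
    return findings


# Constructed sample page with one newsletter form and one checkout form.
SAMPLE_HTML = """
<form action="/newsletter" method="get">
  <input type="email" name="email"><input type="submit" value="Go">
</form>
<form action="/checkout" method="post">
  <input name="full_name"><input name="card_number"><select name="country"></select>
  <textarea name="comments"></textarea><input type="hidden" name="session">
</form>
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_HTML):
        print(finding)
```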
Invisible Information
Electromagnetic Radiation (EMR) Testing
802.11 Wireless Networks Testing
Bluetooth Networks Testing
Wireless Input Device Testing
Wireless Handheld Testing
Cordless Communications Testing
Wireless Surveillance Device Testing
Wireless Transaction Device Testing
RFID Testing
Infrared Testing
Info Security for the Future
Electromagnetic and High Frequency Firewalls
• Invisible fences work for dogs and cats, and now they work for information!
All Frequency Intrusion Detection
• Am I being bugged?
• Is that your satellite relay coming through my home?
Smart Electromagnetic Containment Measure Materials
• Your radio waves are being monitored for my health.
Processing the Masses
Standards and Methodologies
• Do it right the first time.
Practical Security Conferences for Professionals
• Spit out the bad practices
• Suck in the good ones
Hacker Highschool for Teens
• From asocial to watchdog in just a few weeks!