
Security Test Audit Report

OSSTMM 3.0 Security Verification Certification


OSSTMM.ORG - ISECOM.ORG

Report ID:
Lead Auditor:
Scope and Index:
Channels:
Date:
Test Date:
Duration:
Vectors:
Test Type:

I am responsible for the information within this report and have personally verified that all information herein is factual and true.

SIGNATURE

COMPANY STAMP/SEAL

OPST Certification #:
OPSA Certification #:

OPERATIONAL SECURITY VALUES: Visibility, Access, Trust
LIMITATIONS VALUES: Vulnerability, Weakness, Concern, Exposure, Anomaly
CONTROLS VALUES: Authentication, Indemnification, Resilience, Subjugation, Continuity, Non-Repudiation, Confidentiality, Privacy, Integrity, Alarm

OpSec:
Limitations:
True Controls:
Security:
True Protection:
Actual Security:

OVERVIEW
This Open Source Security Testing Methodology Manual provides a methodology for a thorough security test. A security test is an accurate measurement of security at an operational level, void of assumptions and anecdotal evidence. A proper methodology makes for a valid security measurement that is consistent and repeatable.

ABOUT ISECOM
ISECOM, the creator and maintainer of the OSSTMM, is an independent, non-profit security research organization and certification authority defined by the principles of open collaboration and transparency.

RELATED TERMS AND DEFINITIONS
This report may refer to words and terms that may be construed with other intents or meanings. This is especially true within international translations. This report attempts to use standard terms and definitions as found in the OSSTMM 3 vocabulary, which has been based on NCSC-TG-004 (Teal Green Book) from the US Department of Defense where applicable.

PURPOSE
The primary purpose of this Audit Report is to provide a standard reporting scheme, based on a scientific methodology, for the accurate characterization of security through examination and correlation in a consistent and reliable way. The secondary purpose is to provide guidelines which, when followed, will allow the auditor to provide a certified OSSTMM audit.

PROCESS
This Audit Report must accompany the full security test report document that provides evidence of the test and the results as defined in the statement of work between the testing organization and the client.

VALIDITY
For this OSSTMM Audit Report to be valid, it must be filled out clearly, properly, and completely. The OSSTMM Audit Report must be signed by the lead or responsible tester or analyst and must include the stamp of the company which holds the contract or sub-contract for the test. This audit report must show, under COMPLETION STATUS, which Channel and the associated Modules and Tasks have been tested to completion, which have not been tested to completion, and which tests were not applicable and why. A report which documents that only specific parts of the Channel test have been completed due to time constraints, project problems, or customer refusal may still be recognized as an official OSSTMM audit if accompanied by this report clearly showing the deficiencies and the reasons for those deficiencies.

CERTIFICATION
OSSTMM certification is the assurance of an organization's security according to the thorough tests within the OSSTMM standard. It is available per vector and channel for organizations, or parts of organizations, that maintain a rav level of a minimum of 90%, validated yearly by an independent third-party auditor. Validation of security tests or quarterly metrics is subject to the ISECOM validation requirements to assure consistency and integrity.

1. POSTURE REVIEW
TASK | COMMENTS | COMPLETION STATUS
1.1 Identified business objectives and markets.
1.2 Identified legislation and regulations applicable to the targets in the scope.
1.3 Identified business policies.
1.4 Identified business and industry ethics policies.
1.5 Identified operation cultures and norms.
1.6 Identified operation times and flows applicable to the targets in the scope.
1.7 Identified all necessary Channels for this scope.
1.8 Identified all Vectors for this scope.

2. LOGISTICS
TASK | COMMENTS | COMPLETION STATUS
2.1 Applied testing safety measures.
2.2 Determined and accounted for test instabilities.
2.3 Determined and accounted for downtime in scope.
2.4 Determined and accounted for test pace according to the test environment and the security presence.

3. ACTIVE DETECTION VERIFICATION
TASK | COMMENTS | COMPLETION STATUS
3.1 Determined and accounted for interferences.
3.2 Tested with both interferences active and inactive.
3.3 Determined restrictions imposed on tests.
3.4 Verified detection rules and predictability.

4. VISIBILITY AUDIT
TASK | COMMENTS | COMPLETION STATUS
4.1 Determined targets through all enumeration tasks.
4.2 Determined new targets by researching known targets.

5. ACCESS VERIFICATION
TASK | COMMENTS | COMPLETION STATUS
5.1 Verified interactions with access points to all targets in the scope.
5.2 Determined type of interaction for all access points.
5.3 Determined source of interaction, defined as a service or process.
5.4 Verified depth of access.
5.5 Verified known security limitations of discovered access points.
5.6 Searched for novel circumvention techniques and security limitations of discovered access points.

6. TRUST VERIFICATION
TASK | COMMENTS | COMPLETION STATUS
6.1 Determined interactions that rely on other interactions to complete the test interaction according to the tasks.
6.2 Determined targets with trust relationships to other targets in the scope to complete interactions.
6.3 Determined targets with trust relationships to other targets outside the scope to complete interactions.
6.4 Verified known security limitations of discovered trusts between the trusts.
6.5 Verified known security limitations of discovered trusts between targets in the scope and the trusted interactions.
6.6 Searched for novel circumvention techniques and security limitations of discovered trusts.

7. CONTROLS VERIFICATION
TASK | COMMENTS | COMPLETION STATUS
7.1 Verified controls for Non-Repudiation functioning according to all tasks.
7.2 Verified controls for Confidentiality functioning according to all tasks.
7.3 Verified controls for Privacy functioning according to all tasks.
7.4 Verified controls for Integrity functioning according to all tasks.
7.5 Verified controls for Alarm functioning according to all tasks.
7.6 Verified known security limitations of all controls in the Class B categories.
7.7 Searched for novel circumvention techniques and security limitations of all controls in the Class B categories.

8. PROCESS VERIFICATION
TASK | COMMENTS | COMPLETION STATUS
8.1 Determined all processes controlling the action of interactivity with each access.
8.2 Verified the interaction operates within the confines of the determined process.
8.3 Verified the interaction operates within the confines of the security policy for such interactions.
8.4 Determined the gap between the operations of interactions and the requirements of posture from the Posture Review.
8.5 Verified known security limitations of discovered processes.
8.6 Searched for novel circumvention techniques and security limitations of discovered processes.

9. CONFIGURATION AND TRAINING VERIFICATION
TASK | COMMENTS | COMPLETION STATUS
9.1 Verified configuration/training requirements according to the posture in the Posture Review.
9.2 Verified the application of appropriate security mechanisms as defined in the Posture Review.
9.3 Verified the functionality and security limitations within the configurations/training for the targets in the scope.
9.4 Searched for novel circumvention techniques and security limitations within configurations/training.

10. PROPERTY VALIDATION
TASK | COMMENTS | COMPLETION STATUS
10.1 Determined the amount and type of unlicensed intellectual property distributed within the scope.
10.2 Verified the amount and type of unlicensed intellectual property available for sale/trade with the seller originating within the scope.

11. SEGREGATION REVIEW
TASK | COMMENTS | COMPLETION STATUS
11.1 Determined the amount and location of private information, as defined in the Posture Review, available through the targets.
11.2 Determined the type of private information, as defined in the Posture Review, available within the scope.
11.3 Verified the relationship between publicly accessible information outside the target detailing private or confidential information defined in the Posture Review and the scope.
11.4 Verified the accessibility of public accesses within the target to people with disabilities.

12. EXPOSURE VERIFICATION
TASK | COMMENTS | COMPLETION STATUS
12.1 Searched for available targets through publicly available sources outside of the scope.
12.2 Searched for available organizational assets, as defined in the Posture Review, through publicly available sources outside of the scope.
12.3 Determined access, visibility, trust, and controls information available publicly within the targets.
12.4 Determined a profile of the organization's channel infrastructure for all channels tested through publicly available information within the targets.
12.5 Determined a profile of the organization's channel infrastructure for all channels tested through publicly available information outside the scope.

13. COMPETITIVE INTELLIGENCE SCOUTING
TASK | COMMENTS | COMPLETION STATUS
13.1 Determined the business environment of partners, suppliers, workers, and market through publicly available information on targets within the scope.
13.2 Determined the business environment of partners, vendors, distributors, suppliers, workers, and market through publicly available information outside the scope.
13.3 Determined the organizational environment through publicly available information on targets within the scope.
13.4 Determined the organizational environment through publicly available information outside the scope.

14. QUARANTINE VERIFICATION
TASK | COMMENTS | COMPLETION STATUS
14.1 Verified quarantine methods for interactions to the targets in the scope.
14.2 Verified quarantine methods for interactions from the targets to other targets outside the scope.
14.3 Verified length of time of quarantine.
14.4 Verified quarantine process from receive to release.
14.5 Verified known security limitations of discovered quarantines.
14.6 Searched for novel circumvention techniques and security limitations of discovered quarantines.

15. PRIVILEGES AUDIT
TASK | COMMENTS | COMPLETION STATUS
15.1 Verified the means of legitimately obtaining privileges for all authenticated interactions.
15.2 Verified the use of fraudulent identification to obtain privileges.
15.3 Verified the means of circumventing authentication requirements.
15.4 Verified the means of taking non-public authentication privileges.
15.5 Verified the means of hijacking other authentication privileges.
15.6 Verified known security limitations of discovered authentication mechanisms to escalate privileges.
15.7 Searched for novel circumvention techniques and security limitations of discovered authentication mechanisms to escalate privileges.
15.8 Determined depth of all discovered authentication privileges.
15.9 Determined re-usability of all discovered authentication privileges on the authentication mechanisms on all targets.
15.10 Verified requirements towards obtaining authentication privileges for discriminatory practices according to the Posture Review.
15.11 Verified means towards obtaining authentication privileges for discriminatory practices for people with disabilities.

16. SURVIVABILITY VALIDATION AND SERVICE CONTINUITY
TASK | COMMENTS | COMPLETION STATUS
16.1 Determined measures applicable to disrupt or stop service continuity to and from the targets.
16.2 Verified continuity processes and safety mechanisms active for the targets.
16.3 Verified known security limitations of discovered safety and service continuity processes and mechanisms.
16.4 Searched for novel circumvention techniques and security limitations of discovered safety and service continuity processes and mechanisms.

17. END SURVEY, ALERT AND LOG REVIEW
TASK | COMMENTS | COMPLETION STATUS
17.1 Verified methods for recording and alerting interactions to the targets in the scope.
17.2 Verified methods for recording and alerting interactions from the targets to other targets outside the scope.
17.3 Verified speed of recording and alerting.
17.4 Verified persistence of recording and alerting.
17.5 Verified integrity of recording and alerting.
17.6 Verified distribution process of recording and alerting.
17.7 Verified known security limitations of discovered recording and alerting methods.
17.8 Searched for novel circumvention techniques and security limitations of discovered recording and alerting methods.
