OSSTMM Framework: Risk Analysis vs Security Analysis

Frameworks such as the OSSTMM, OWASP, and NIST can be completely overwhelming and daunting for many reasons, which is why in today's newsletter we will begin going over a key component of the OSSTMM3.

From aspiring information security professionals to pen-testers, we hear it all the time: people only find out what they are actually up against once they jump in, and it can be like hitting a stone wall. In this newsletter, I am hoping that this flow chart I recently made and have publicly released can help those who are more systematic learners and find it difficult to digest wordy and complex literature. There are some important analysis concepts I want to discuss today, and those are Risk Analysis vs Security Analysis.


The OSSTMM itself seems to be often overlooked for a few reasons that have surfaced on my radar:


  1. It is very complex and wordy.
  2. It is not a sniper-rifle approach to hacking or pen-testing like the OWASP is.
  3. It is a systematic, mathematical, and scientific process.
  4. It may not even read like a hacker or pen-tester book.


So what is the OSSTMM?

The OSSTMM (Open Source Security Testing Methodology Manual) is a framework used for security testing and assessment of information systems. OSSTMM version 3 (OSSTMM3) is the third iteration of this framework. It was developed by the Institute for Security and Open Methodologies (ISECOM) and is designed to provide a comprehensive approach to security testing and analysis.

OSSTMM3 focuses on the measurement and analysis of security controls, risk management, and vulnerabilities in various areas, including networks, applications, physical locations, and human factors. It provides guidelines, techniques, and methodologies for conducting security testing in a structured and systematic manner.


Key features of the OSSTMM3 framework include:

  1. Seven analysis areas: OSSTMM3 divides security testing into seven primary analysis areas, which are Network Security, Human Security, Physical Security, Wireless Security, Telecommunications Security, Data Security, and VoIP Security. These areas cover a wide range of security aspects that need to be considered during testing.
  2. Methodologies and techniques: OSSTMM3 provides specific methodologies and techniques for testing each analysis area. It offers detailed guidance on how to plan, execute, and report on security testing activities.
  3. Security metrics: OSSTMM3 emphasizes the use of quantifiable security metrics to assess the effectiveness of security controls and measure the level of risk. It provides a set of metrics that can be used to evaluate various security aspects and prioritize areas for improvement.
  4. Scenarios and tests: The framework includes predefined scenarios and tests that can be used as starting points for security testing. These scenarios cover different attack vectors and provide a structured approach to identifying vulnerabilities and weaknesses.
  5. Open-source and community-driven: As the name suggests, OSSTMM is an open-source framework that encourages collaboration and contributions from the security community. This allows for continuous improvement and adaptation to evolving security challenges.


Overall, the OSSTMM3 framework provides a structured methodology and guidelines for conducting security testing and assessment. It aims to help organizations identify and mitigate security risks effectively, improve their security posture, and enhance the overall resilience of their information systems.


Chapter 3 focuses on Risk Analysis and Security Analysis, how the two compare, and what the responsibilities in the process are. The flow chart below is a visual representation of this.


Visual of Risk vs Security Analysis


"Risk analysis can use security analysis to come up with better, more accurate answers however security analysis cannot use risk analysis to improve accuracy. For this reason, we recommend trust analysis." OSSTMM3 Pg. 53.


Here is one last cherry from ChatGPT.


The OSSTMM (Open Source Security Testing Methodology Manual) framework encompasses both risk analysis and security analysis as part of its comprehensive approach to security testing. However, there are some distinctions between the two concepts within the context of OSSTMM.

  1. Risk Analysis: OSSTMM incorporates risk analysis to identify and prioritize potential security risks and vulnerabilities. Risk analysis involves assessing the likelihood and impact of potential threats and vulnerabilities to determine their level of risk to an organization. It focuses on understanding the potential consequences of security weaknesses and helps in making informed decisions regarding risk mitigation strategies.

Within the OSSTMM framework, risk analysis involves evaluating the security posture of an organization by considering factors such as assets, threats, vulnerabilities, and impact. This analysis helps in prioritizing security testing activities and allocating resources effectively to address the most critical risks. OSSTMM provides guidance on conducting risk analysis and suggests various techniques and metrics to measure and quantify risk levels.

  2. Security Analysis: Security analysis, within the OSSTMM framework, refers to the process of assessing and evaluating the security controls and measures in place within an organization's information systems. It involves examining the effectiveness, adequacy, and proper implementation of security controls to determine their ability to protect against potential threats and vulnerabilities.

Security analysis focuses on evaluating various security aspects, such as network security, physical security, human security, data security, and more, as defined in the OSSTMM framework. It involves conducting detailed assessments, audits, and testing activities to identify weaknesses, vulnerabilities, and gaps in the existing security infrastructure.


The OSSTMM framework provides specific methodologies and techniques for security analysis within each analysis area. It outlines the steps to be followed, the tests to be performed, and the metrics to be used to assess the effectiveness of security controls and identify areas for improvement.

In summary, risk analysis and security analysis are complementary components within the OSSTMM framework. Risk analysis helps in prioritizing security testing efforts by identifying and quantifying potential risks, while security analysis focuses on evaluating the effectiveness of existing security controls and measures. Both aspects contribute to a comprehensive approach to security testing and assessment within the OSSTMM methodology.

Please correct me if I am wrong about anything here.

Thanks for all the support. Here is a link to the new Wiki article.

https://commons.wikimedia.org/wiki/File:OSSTMM3_Framework.png

All Rights Reserved 2023 Point-2-Point Security

CHESTER SWANSON SR.

Next Trend Realty LLC./wwwHar.com/Chester-Swanson/agent_cbswan

1 year

Thanks for Sharing.

More articles by Randy L.
