Message-ID: <53B54212.6000802@isecom.org>
Date: Thu, 03 Jul 2014 13:44:18 +0200
From: Pete Herzog <lists@...com.org>
To: fulldisclosure@...lists.org
Subject: [FD] new pen-test tool!
Hi!
I have been working on a means for testing parties that we may not be
able to legally test directly, yet which gives a clear answer for decision
making. The idea was to use an interview like a pen-test to get
information from the subject like a tester would, where "asking them"
was considered just one of the 4 means of getting information, treated
much like throwing packets to get system responses does in a pen test.
This allows you to get an idea of an attack surface of the target
before you even probe them for an attack. You can also find the weak
areas of trust to exploit. It also serves as an intro to a client's
security on the first meeting and enhances the final report.
The app has 2 parts - a trust metric and an attack surface metric (how
much you can trust them and how protected they are). Eventually this
will also combine into a final analysis. But until then...
You can try it out here:
http://archon.thewatchers.net/ISECOM/
*************
For those who want some more background about it:
The hardest part was to craft reasonable questions to answer in a
short list that didn't require much time or technical expertise. So it
is written for the office manager or similar to execute. It also meant
the questions had to be really loaded so as to answer multiple things
at once, both pro and con security/trust. I am still not satisfied
with the wording of the questions and I'm sure it may still have bugs
but we turned it from a document into a web app that allowed basic
clicking to get the answer.
Now the client had this to save in a file to revisit for annual vendor
reviews as well as for quarterly self-assessment of how they stand in
their own services and offerings. This app doesn't have that
functionality yet. They also wanted clear instructions on how to
improve the score if it was low (rudimentary analysis/resolution)
which this app also doesn't have yet.
So the Vendor Checklist uses the RAV scoring from OSSTMM 3 derived
from answers made in the checklist. The Trust Metric is a score based
on trust metrics from the same place. But both have had the OSSTMM 4
updates which include 2 new trust properties and changes in the
calculation of operational controls.
http://archon.thewatchers.net/ISECOM/
Sincerely,
-pete.
--
Pete Herzog - Managing Director - pete@...com.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.badpeopleproject.org
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/