NEWS
April 1st, 2008
OSSTMM 3 Release Candidate 14.6 released to Gold Team and OSSTMM 3 RC14 to Silver Team.
Past, Present, and Future of Security (Condensed) - by Pete Herzog
I've seen the whole "Security 2.0" phrase get thrown around too much lately. It does make me think about the trends in a big picture sort of way and want to let others start thinking about it as well. Maybe it's something you, as a security auditor/administrator/engineer/manager, etc., have thought about as well.
Being entrenched in ISECOM, one thing I do get to see a great deal of is the new thing when it comes to security. Or at least what someone calls the new thing. Although it's mostly marketing and hype and has no more substance than a kid's Saturday morning commercial in December. So what about Security 2.0? What does it mean?
When they talk about Security 2.0 they talk about it as a Data Network thing. That means it has nothing to do with non-computer things. That already limits our scope. But what if it doesn't? Let's say the current Security 2.0 talk is really just all marketing hoopla. So if we look at Security scaling in a big picture way and see that as technologies intersect, cross channels, and become part of us humans, the scale should grow to encompass that too, what do we have?
In that case, as far as I can tell, we have almost started Security 3.0 now and will hit Security 4.0 sometime just before 2015. So what's the scale?
Security 1.0
This was security focused on permission and mainly a copy of the techniques in the physical security world. Security 1.0 brought about firewalls which say which packets may come and go, antivirus and IDS/IPS which say what files may come and stay, encryption and passwords which only let the right person with the right keys be part of the party, access control lists of every type (white, black, role, geography), and network and security monitoring (NOC/SOC).
Security 2.0
This happened around 1998. There was a lot of flash, a lot of marketing, a lot of promises, and a lot of criminals making some serious money off the fact that the majority of security folk were still stuck in the 1.0 mentality and the rest were foolishly embracing the new stuff. Like when I tell people I can turn invisible when they're not looking, Security 2.0 only had effectiveness in areas that didn't actually secure anything, like auditing. Yes, Security 2.0 is all about compliance and the audit. It gave us many ways to make sure something was secure but the means were mostly poor. Much of the compliance focused on applying Security 1.0 solutions and the audits were about the knowledge of the auditor, the thoroughness of the monitoring system, and the skill of the lawyer. I wish I could say that we are out of this epoch already but it appears most of the world is still acting like the child who doesn't want to leave the park.
Security 3.0
I think the hackers will be the first to make the move to Security 3.0 because it's more fun here. Following closely behind them will be the home user demographic who is tired of being the last to know everything. There are a lot of old-timers already here and you'll recognize them by their aluminum foil hats and badges of heresy. Yes, that's right, it turns out those people may have been right all along about one thing: what you don't know can kill you. Security 3.0 should be the age of enlightenment. We shed our Security 2.0 ways and some will find we're fighting the stuff that's hitting us way too close to home. Security 3.0 means defending Data Networks across the other 4 Channels as well (Physical, Wireless, Telecommunications, and Human Security) as the lines have so deeply blurred. We have to worry as much about what's attacking our perimeter-secured desktop while we surf as we worry about the DRM-drenched CD we buy and play on our computers or the attacks on the phone we share pictures with while storing them on the back-end networks. The previously considered "nut jobs" (which I believe is the psychiatric professional word for this nation of people with their EM radiation readers, magnetic field testers, air quality, CO2, RADON, etc. testers) will be able to distribute their wares and stories to many more people because even if they don't know whether that stuff can really kill us, they'll want to know how much of it there is!
Eventually, when compliance becomes a form of policy more akin to diplomacy (how can what you want to do work to the level of safety we want) than to its current form of economic sanctions (buy this or you will be fined), we will be ready to transition to Security 4.0.
Security 4.0
We may begin to see the trend grow towards here as early as 2009. While I can't predict the real outcome, I can sniff the trends and see that we will enter Security 4.0 with a serious reduction in crime across data networks. The data network channel will blend with all other channels very seamlessly and we will come to accept that humans are the worst thing for security and perhaps should only have a limited role. Therefore, subjugation controls will be predominant: our options will be provided for us, almost limitless in number like toys in a giant sandbox, but it will still be just a sandbox. We will have security handed to us like medicine is today or even bullets, where we don't have to face the dangers of making it ourselves. Only hobbyists will still be making their own security (and probably having a lot of fun and success doing it). But everything will be confined to a finite set of options and be ready and secure out of the box, connecting only to a limited set of other things that are just as secure. No more connecting just anything to anything (except for the hobbyists of course).
Unfortunately Security 4.0 could turn out to be like Security 2.0 where Subjugation is changed to Solutions so many big companies can spend bags of old money marketing garbage at hulking proportions to make bags of new money on it from the masses. Or it could further our need for information like in 3.0 and our concerns for health, self-sustaining technologies, and the environment and ecology we choose to adapt to. So it could be the Ecological era of Security. Really the difference between us security people and a health/environmental inspector is certainly not the tools they use. That should tell us something.
Security has always been about survival, and testing survivability/sustainability is part of the natural progression. If we don't screw it up by focusing on the easy-to-use push-button solution stuff like we did with 2.0, it can be a golden era. If we do, it'll be like Security 2.0 all over again.
I'm interested in hearing from others: where do you think we currently are as far as security goes, and where do you think security is going?
NEWS
October 12th 2007: OSSTMM 3 RC 14.5 released to Gold Team and OSSTMM 3 RC13.5 to Silver Team.
June 1st 2007 - OSSTMM 3 Review - posted by Pete Herzog
First, you'll be all happy to know that on late Wednesday evening, the final missing section of the OSSTMM 3 was finished: Physical Security Testing. That is Release Candidate 13. And RC15 is mapped as the final version which we can then fully release. So we're oh so very close!
What's missing then?
RC14 will be a full review of the OSSTMM as a whole to fix comprehensiveness, grammar, spelling, mathematical formulas, tables, the list of contributors, and any or all missing tests from each section. Mostly, we want to make any changes here and now if need be. Since a huge effort has been made to make the OSSTMM as easy to understand and use as possible, we want to make sure that it is so.
RC15 will be the finished version - all parts put together with the fully improved flow, comprehensiveness, and design.
Along the way, we have been publicly releasing parts to get peer review and community feedback. We have updated OSSTMM 2.0 all along to include much of the finalized research that would still fit with the 2.x methodology. RC12, which has the greatest amount of changes, will be released later today to the broad group of Beta testers and Silver Team members. The newest release, RC13, will also be released later today to Alpha testers, ISECOM Licensed Auditors, and Gold Team Members. So Alpha and Beta testers, you know who you are, we need all reviews by Wednesday next week to make it into RC14.
Publicly we are releasing the RC13 security metrics forms and calculation sheets at http://www.isecom.org/ravs. This is the stuff I showed off at FOSDEM this year and you can watch the video to see me talk about it at http://video.fosdem.org/2007/FOSDEM2007-SecurityTesting.ogg (you can watch it with VLC (www.vlc.org); more details on how to view it are at http://fosdem.org/2007/media/video). We would appreciate any feedback you can provide by next Wednesday regarding the metrics so we can get it into RC14.
Thanks!

www.hackerhighschool.org
The principles of hacking should be taught in schools, said Pete Herzog. It is the principles they need to learn to avoid becoming victims on the Internet.
Herzog runs Hacker Highschool, a program to teach kids and teens security awareness and critical Internet research skills. The program contains free security and privacy awareness teaching materials and back-end support for teachers of accredited elementary, junior high, and high schools. There are 12 workbooks, all available in Spanish and English. These are lessons that challenge teens to be as resourceful as hackers, including safe Internet use, web privacy, using the Internet for research, avoiding viruses and Trojans, legalities and ethics, and more.
This program has been developed to complement existing student course work or as part of after-school and club activities.
HHS Teacher Certification Training
If you are interested in teaching the Hacker Highschool program to kids or teens you really should consider being an HHS certified teacher. The HHST is a modern, professional certification which assures applicable knowledge, skills, ethics, approach, and responsibility for teaching minors.
ISECOM is an open, collaborative, non-profit, scientific, security research organization registered in Catalunya, Spain. All research here has been performed without commercial or partisan influence. Contact us directly to be a security researcher on the ISECOM team.
Disclaimer:
While all documents on this site are available under Copyleft and the Open Methodology License, do check the licenses within each tool or document prior to copying, modifying, or distributing it for any individually stated requirements. Additionally, all research is provided here for information purposes only and ISECOM is not responsible for any misuse.