WEBVTT 1 00:00:00.000 --> 00:00:03.279 All right, strap in everyone, let's take a deep dive 2 00:00:03.520 --> 00:00:11.640 into this open Source Security Testing Methodology Manual THEMM. Yeah, STMM, 3 00:00:11.679 --> 00:00:14.000 that's a mouthful. It is kind of like a security 4 00:00:14.039 --> 00:00:16.879 decoder ring, right, I mean, the thing is dense. Yeah, 5 00:00:16.879 --> 00:00:18.879 but don't worry. We're going to break it down. Make 6 00:00:18.920 --> 00:00:22.600 it makes sense. You shared some concerns about I think 7 00:00:22.640 --> 00:00:26.120 it was mentioned a specific detail from listener source material 8 00:00:26.280 --> 00:00:31.359 related to security, right, and the OSSTMM. It can actually 9 00:00:31.679 --> 00:00:33.679 help you understand that stuff a little better. 10 00:00:33.840 --> 00:00:37.520 Absolutely. It's put together by security testers for security testers, 11 00:00:37.560 --> 00:00:39.000 real world stuff, real world. 12 00:00:38.880 --> 00:00:42.719 Stuff, so less theory, more like in the trenches kind 13 00:00:42.719 --> 00:00:43.119 of stuff. 14 00:00:43.200 --> 00:00:45.000 Yeah, that's how security works in the real world. 15 00:00:45.079 --> 00:00:47.159 That's good. That's good. So one of the first things 16 00:00:47.200 --> 00:00:49.359 that kind of jumps out at you, you know, going 17 00:00:49.399 --> 00:00:55.719 through the OSSTMM, is this focus on operational security op sec. Yeah, 18 00:00:56.039 --> 00:00:57.799 what exactly does that mean? I mean, is an all 19 00:00:57.840 --> 00:00:59.600 security operational? In some way? 20 00:01:00.119 --> 00:01:02.399 I think the OSSTM and really draws a line. 21 00:01:02.479 --> 00:01:02.840 Okay. 22 00:01:03.159 --> 00:01:05.200 You know a lot of times security is presented like 23 00:01:05.239 --> 00:01:09.959 this wall, solid wall between your assets, your data and 24 00:01:10.000 --> 00:01:14.719 the bad guys. Okay, but in reality that wall is 25 00:01:14.719 --> 00:01:18.439 full of holes. Ah, okay, and the OSS TMN calls 26 00:01:18.480 --> 00:01:22.959 those holes trusts, trust and optic. It's all about, you know, 27 00:01:23.040 --> 00:01:25.959 looking at those trusts, figuring out how strong they are, 28 00:01:26.000 --> 00:01:27.640 figuring out if they're actually holding up. 29 00:01:27.840 --> 00:01:30.680 So instead of just assuming things are secure, you've got 30 00:01:30.719 --> 00:01:33.519 to really look closer at those trusts exactly and see 31 00:01:33.519 --> 00:01:34.879 if they're actually doing their job. 32 00:01:35.159 --> 00:01:37.519 Yeah, you're trusting something to do what it says it's 33 00:01:37.560 --> 00:01:37.959 going to do. 34 00:01:38.120 --> 00:01:40.680 Okay, Okay, can you give me like a real world example, 35 00:01:40.760 --> 00:01:43.519 like what would a trust look like in the real world? 36 00:01:43.959 --> 00:01:46.879 I mean, even something you mentioned in your notes, like 37 00:01:47.079 --> 00:01:51.120 relying on a specific piece of software for your business. Yeah, 38 00:01:51.200 --> 00:01:54.640 you know, that's a trust. You're trusting that software to 39 00:01:54.799 --> 00:01:57.359 do what it's supposed to do and to do it securely. 40 00:01:57.959 --> 00:02:01.480 But what if that software has vulnerabilities? Oh what if 41 00:02:01.480 --> 00:02:03.920 the company behind that software has you know, kind of 42 00:02:03.959 --> 00:02:07.920 shady security practices, that trust becomes a weak point. 43 00:02:08.120 --> 00:02:11.280 Okay, Yeah, that makes sense. So opsec is really pushing 44 00:02:11.319 --> 00:02:15.280 you to look beyond the surface question those assumptions. 45 00:02:15.479 --> 00:02:16.080 Absolutely. 46 00:02:16.159 --> 00:02:20.120 So how does the OSTMM actually help you do that? Like, 47 00:02:20.199 --> 00:02:23.159 how do you assess these trusts and figure out where 48 00:02:23.199 --> 00:02:24.039 you're vulnerable? 49 00:02:24.199 --> 00:02:27.800 That's where this idea of the four point process comes in. Okay, 50 00:02:27.800 --> 00:02:29.759 because a lot of security assessments are kind of like 51 00:02:30.120 --> 00:02:33.080 yelling into a cave and waiting for the echo. You're 52 00:02:33.080 --> 00:02:36.639 only getting this very limited perspective, right, and the OSSTMM 53 00:02:36.680 --> 00:02:38.599 says that's not good enough. You've got to get up 54 00:02:38.599 --> 00:02:40.319 close and personal with your security. 55 00:02:40.400 --> 00:02:43.159 Okay, So less like superficial checks, more like a deep 56 00:02:43.199 --> 00:02:45.280 dive into how things are working. 57 00:02:45.400 --> 00:02:46.960 Yeah, how are things actually functioning? 58 00:02:47.400 --> 00:02:49.800 Okay? I like that, I like that, But how does 59 00:02:49.840 --> 00:02:51.960 this four point process actually work? 60 00:02:52.560 --> 00:02:56.599 It breaks it down into these four stages. Okay, in quest, intervention, induction, 61 00:02:56.960 --> 00:02:57.560 and interaction. 62 00:02:57.759 --> 00:02:59.759 Wow, okay, break those down for me. 63 00:03:00.240 --> 00:03:03.680 So inquest is all about gathering information you really want 64 00:03:03.680 --> 00:03:06.680 to understand the system you're trying to secure. Intervention is 65 00:03:06.719 --> 00:03:09.000 where you actually simulate real world attacks. 66 00:03:09.319 --> 00:03:11.479 Oh so you're actually like trying to break things. 67 00:03:11.599 --> 00:03:13.919 You're trying to see how your security holds up under pressure. 68 00:03:14.039 --> 00:03:15.280 Okay, now it's getting real. 69 00:03:16.280 --> 00:03:19.879 Then you have induction, where you're analyzing all the data 70 00:03:19.879 --> 00:03:22.560 that you've gathered, figuring out what it means. And then 71 00:03:22.599 --> 00:03:26.599 finally there's interaction, which is really understanding how people and 72 00:03:27.280 --> 00:03:32.919 processes impact security. Like you mentioned reference a security related 73 00:03:33.039 --> 00:03:36.800 human element detail from the listener's source material. Right, that 74 00:03:36.919 --> 00:03:38.639 fits right into this interaction piece. 75 00:03:39.039 --> 00:03:41.479 Okay, So this four point process is giving you this 76 00:03:41.680 --> 00:03:44.879 much more in depth view of your security. It's not 77 00:03:45.039 --> 00:03:48.159 just about finding the holes. It's about understanding. 78 00:03:47.639 --> 00:03:51.520 The whole systems, understanding every dingy inside and out exactly. 79 00:03:51.639 --> 00:03:55.960 Yeah. And out of that process comes something called the RAF. 80 00:03:55.319 --> 00:03:58.159 The RAF it's like your security scorecard. 81 00:03:58.199 --> 00:04:00.520 Okay, hold on, we can't just breeze pass the RAV. 82 00:04:00.919 --> 00:04:03.479 You compared it to a credit score for security. 83 00:04:03.560 --> 00:04:06.840 Yeah, it's a way to measure how exposed are you, 84 00:04:07.639 --> 00:04:09.319 how good is your security posture? 85 00:04:09.400 --> 00:04:12.639 All right, but how is it actually calculated? And what 86 00:04:12.879 --> 00:04:14.560 does that number actually tell you? 87 00:04:14.960 --> 00:04:18.199 So think of it like this. A RAVE of one 88 00:04:18.279 --> 00:04:23.279 hundred is perfect balance, everything is working perfectly. Oh, your controls, 89 00:04:24.040 --> 00:04:26.879 you know, they're aligned with your operations. Anything less than 90 00:04:26.920 --> 00:04:30.319 one hundred, that means you've got gaps, gaps, there are 91 00:04:30.360 --> 00:04:31.879 areas where you're more vulnerable. 92 00:04:31.959 --> 00:04:34.040 So the lower the RAVE, the more work I need 93 00:04:34.079 --> 00:04:34.279 to do. 94 00:04:34.480 --> 00:04:36.680 Yeah, basically I'm getting the picture. 95 00:04:36.920 --> 00:04:39.199 What I find interesting is that you said this can 96 00:04:39.240 --> 00:04:42.160 be applied to anything, right, You know, a massive data center, 97 00:04:42.399 --> 00:04:45.720 a small business, even your own home. Exactly how is 98 00:04:45.759 --> 00:04:48.959 that possible? How can one score apply to all these 99 00:04:49.000 --> 00:04:50.120 different situations? 100 00:04:50.480 --> 00:04:54.879 Because the RAV isn't tied to specific technology or specific systems, 101 00:04:55.279 --> 00:04:58.240 it's really a framework for understanding how well your security 102 00:04:58.319 --> 00:05:00.199 is working compared to what you need. 103 00:05:00.399 --> 00:05:01.720 Okay, relative to your needs. 104 00:05:01.800 --> 00:05:03.879 Yeah, so you could look at the RAV of your 105 00:05:03.879 --> 00:05:07.360 home network, you know, and think about how strong are 106 00:05:07.399 --> 00:05:10.600 your passwords? Is your Wi Fi secure? Do you leave 107 00:05:10.639 --> 00:05:11.639 your front door unlocked? 108 00:05:11.839 --> 00:05:14.199 Okay, So it's not just about the tech, it's about 109 00:05:14.199 --> 00:05:15.519 the whole picture. 110 00:05:15.839 --> 00:05:18.600 Yeah, every habits and all that, it all plays a part. 111 00:05:18.720 --> 00:05:21.879 Okay, this is really making me rethink my own security habits, 112 00:05:21.879 --> 00:05:25.360 I'll be honest. Now, another big concept in the OSSTMM 113 00:05:25.439 --> 00:05:28.519 is trust. Right, but it's not the kind of like 114 00:05:29.120 --> 00:05:31.399 touchy feely trust we usually talk about. 115 00:05:31.480 --> 00:05:34.199 Right, We're not talking about feelings here, Okay. This is 116 00:05:34.240 --> 00:05:40.199 about the OSSTMN breaks down trust into ten quantifiable properties. 117 00:05:40.240 --> 00:05:40.920 Ten properties. 118 00:05:41.000 --> 00:05:44.600 Yeah. It's taking something fuzzy, something subjective, ye, and turning 119 00:05:44.639 --> 00:05:47.279 it into something you can actually measure and analyze. 120 00:05:47.639 --> 00:05:50.560 Okay, Okay, so we're taking these vague ideas and making 121 00:05:50.600 --> 00:05:54.560 them concrete exactly. But ten properties. That sounds a little overwhelming. 122 00:05:54.639 --> 00:05:55.519 It's a lot to take in. 123 00:05:55.600 --> 00:05:57.160 Can you give me an example, like, how do these 124 00:05:57.199 --> 00:05:59.160 properties play out in the real world. 125 00:05:59.279 --> 00:06:01.879 So let's go back to that software company. Okay, you're 126 00:06:01.879 --> 00:06:05.600 trusting them with your data, maybe even your business operations, 127 00:06:06.160 --> 00:06:08.480 but how do you know if that trust is well placed? 128 00:06:08.800 --> 00:06:08.959 Right? 129 00:06:09.040 --> 00:06:09.480 Good point. 130 00:06:09.639 --> 00:06:12.360 So one of the trust properties is transparency. 131 00:06:12.439 --> 00:06:13.920 Transparency, Okay, is. 132 00:06:13.879 --> 00:06:17.680 The company open about their security practices? Do they have 133 00:06:17.720 --> 00:06:22.439 a privacy policy that you can actually understand? Another property 134 00:06:22.600 --> 00:06:26.240 is competence. Competence, have they actually built secure software in 135 00:06:26.279 --> 00:06:28.800 the past, you know, do they have a track record 136 00:06:28.800 --> 00:06:32.160 of not getting breached? All of these things play into 137 00:06:32.240 --> 00:06:33.879 whether or not a company is trustworthy. 138 00:06:33.959 --> 00:06:36.120 So you're looking at these properties, you're building a more 139 00:06:36.120 --> 00:06:38.879 informed picture of whether this company is actually worthy of 140 00:06:38.920 --> 00:06:39.560 your trust. 141 00:06:39.720 --> 00:06:41.600 Absolutely, this is wow. 142 00:06:41.639 --> 00:06:45.040 This is really making me rethink how I approach trust 143 00:06:45.560 --> 00:06:47.000 in all areas of my life. 144 00:06:46.920 --> 00:06:48.120 A different way of thinking about it. 145 00:06:48.279 --> 00:06:52.319 Yeah. Yeah, And we haven't even touched on the ostmm's 146 00:06:52.560 --> 00:06:56.639 deep dive into the five security channels five five we 147 00:06:56.720 --> 00:07:00.439 got human security, physical security, wireless. 148 00:07:00.000 --> 00:07:03.800 Security, telecommunications again in a network security YEP, that's all five. 149 00:07:03.959 --> 00:07:06.079 Okay, So we got op SEC, we got this four 150 00:07:06.120 --> 00:07:10.240 point process, we got RAVS. Now you're telling me there's 151 00:07:10.399 --> 00:07:12.439 five security channels to consider. 152 00:07:12.879 --> 00:07:15.199 It's a lot, but it's all connected. We got to 153 00:07:15.240 --> 00:07:17.959 unpack those absolutely. Where do we even start, Well, let's 154 00:07:17.959 --> 00:07:20.959 start with human security h U M SEC, DOM SCC 155 00:07:21.160 --> 00:07:23.639 Yeah okay, since we were just talking about the human element. 156 00:07:23.399 --> 00:07:25.680 Okay, Yeah, this is where it gets really interesting. Goes 157 00:07:25.720 --> 00:07:27.160 beyond just the technical stuff. 158 00:07:27.199 --> 00:07:29.639 It's not just about bits and bytes right right, It's 159 00:07:29.680 --> 00:07:32.959 about psychology, social factors. 160 00:07:33.439 --> 00:07:37.240 So it's understanding how people actually behave yeah, how they 161 00:07:37.319 --> 00:07:41.000 make decisions, and how those decisions can actually like impact 162 00:07:41.040 --> 00:07:42.800 security exactly. Okay. 163 00:07:42.879 --> 00:07:46.800 Remember that software company we were talking about. Yeah, HTMSEC 164 00:07:47.480 --> 00:07:51.800 would consider things like what's their internal security culture? Like, oh, okay, 165 00:07:52.360 --> 00:07:55.160 do the employees actually understand security? Right? 166 00:07:55.279 --> 00:07:55.519 Right? 167 00:07:55.600 --> 00:07:57.319 You know, do they follow the best practices? 168 00:07:57.399 --> 00:07:57.800 They care? 169 00:07:58.120 --> 00:07:59.319 Do they care? Exactly? 170 00:07:59.399 --> 00:07:59.600 Yeah? 171 00:08:00.040 --> 00:08:03.360 Also looks at social engineering, okay, you know, are they 172 00:08:03.480 --> 00:08:07.480 vulnerable to phishing scams or other things that try to 173 00:08:07.519 --> 00:08:08.519 manipulate people? 174 00:08:09.240 --> 00:08:12.759 You know, I mentioned in my notes that I was 175 00:08:12.759 --> 00:08:16.639 a little worried about mention a specific detail from listeners 176 00:08:16.680 --> 00:08:21.680 source material related to human element of security, right. 177 00:08:21.560 --> 00:08:25.279 And the OSS TMM gives you a framework to think 178 00:08:25.319 --> 00:08:29.959 about those very concerns and actually figure out some strategies 179 00:08:29.959 --> 00:08:30.600 to address them. 180 00:08:30.600 --> 00:08:32.000 Okay, that's reassuring. 181 00:08:32.120 --> 00:08:33.600 All right, let's shift gears a little bit. 182 00:08:33.639 --> 00:08:37.480 Okay, let's talk about physical security fiochy s se al. 183 00:08:37.559 --> 00:08:39.960 Right. This is all about those you know, tangible. 184 00:08:39.480 --> 00:08:41.600 Barriers, the stuff you can actually touch. 185 00:08:41.720 --> 00:08:44.840 Yeah, the locks, the fences, the cameras, yeah, the guards, 186 00:08:44.879 --> 00:08:45.159 all of that. 187 00:08:45.240 --> 00:08:48.759 Okay, So, like the classic security measures, how does the 188 00:08:48.799 --> 00:08:51.039 OSTMM approach this differently? 189 00:08:51.240 --> 00:08:53.919 Well, it really makes you think like an attacker, Okay, 190 00:08:54.039 --> 00:08:57.440 you know, forces you to consider all the weaknesses in 191 00:08:57.480 --> 00:08:58.600 your physical defenses. 192 00:08:58.720 --> 00:09:01.879 It's the stuff you might overloko if you're not thinking carefully. 193 00:09:02.120 --> 00:09:04.480 Yeah, Because it's not just about having a lock on 194 00:09:04.519 --> 00:09:07.600 the door. It's about how easy would it be for 195 00:09:07.639 --> 00:09:08.159 someone to. 196 00:09:08.120 --> 00:09:10.840 Pick that lock right, or just break the door down. 197 00:09:10.720 --> 00:09:13.240 Exactly or find another way in. Yeah, you mentioned in 198 00:09:13.240 --> 00:09:16.200 your notes that you mentioned a specific detail from Listener's 199 00:09:16.240 --> 00:09:20.240 source material related to physical security. Yeah, so the Oasis 200 00:09:20.320 --> 00:09:23.039 TMM would say, Okay, how easy would it be for 201 00:09:23.120 --> 00:09:27.240 someone to like tailgate you tailgate right? Or are there 202 00:09:27.279 --> 00:09:30.320 any blind spots in your security camera coverage. 203 00:09:30.360 --> 00:09:32.679 Okay, yeah, this is kind of making me nervous now 204 00:09:32.759 --> 00:09:35.799 a little bit, right, but better to know now than later, right, Oh? Absolutely, 205 00:09:36.000 --> 00:09:39.279 all right, So let's talk about wireless security spec SIIC 206 00:09:39.840 --> 00:09:43.080 spec SEC. Okay, this one seems super relevant these days. 207 00:09:43.120 --> 00:09:45.600 Oh yeah, everyone's on Wi Fi, right, my dog's on 208 00:09:45.639 --> 00:09:45.960 Wi Fi. 209 00:09:46.120 --> 00:09:49.279 But spec SC isn't just about your home WiFi. Okay, 210 00:09:49.399 --> 00:09:54.159 we're talking about Bluetooth RFID tags, even things like microwave ovens. 211 00:09:54.840 --> 00:09:57.240 Hold on microwave oven. 212 00:09:57.080 --> 00:09:58.200 They EMIT signals. 213 00:09:58.320 --> 00:10:01.000 So my kitchen appliances are a security risks, maybe at 214 00:10:01.000 --> 00:10:04.840 your microwave specifically, But the point is SPETS recognizes that 215 00:10:05.320 --> 00:10:08.559 wireless signals are everywhere they are, yeah. 216 00:10:08.200 --> 00:10:10.519 And those signals can be vulnerable. Oh you know, someone 217 00:10:10.519 --> 00:10:12.879 could be eavesdropping. There could be interference. 218 00:10:12.960 --> 00:10:15.600 So it's not just about having a strong Wi Fi password. 219 00:10:15.720 --> 00:10:19.200 It's about the bigger picture. Okay, yeah, have broader risks 220 00:10:19.240 --> 00:10:20.600 of wireless technology. 221 00:10:20.720 --> 00:10:23.360 I see a pattern here. The os STMM is all 222 00:10:23.399 --> 00:10:28.879 about thinking holistically absolutely. Okay, what about telecommunications security? 223 00:10:29.279 --> 00:10:32.039 Come s e come se Okay, this one might seem 224 00:10:32.080 --> 00:10:34.519 a little outdated, right, yeah, but it's all about those 225 00:10:34.559 --> 00:10:38.639 systems we sometimes forget about, okay, phone lines, voicemail, even 226 00:10:38.679 --> 00:10:39.399 fax machines. 227 00:10:39.559 --> 00:10:41.879 Oh right, they can still be vulnerable. 228 00:10:41.960 --> 00:10:45.080 Fax machines. I totally forgot about those. We're so focused 229 00:10:45.080 --> 00:10:49.320 on our computers and our networks. But these other communication channels, yeah, 230 00:10:49.320 --> 00:10:51.519 they could be weak points too, Exactly. 231 00:10:51.799 --> 00:10:53.639 You got to think about all of it, okay. And 232 00:10:53.679 --> 00:10:57.440 then finally there's data network security. Okay, this is probably 233 00:10:57.440 --> 00:11:00.440 what most people think of when they hear cybersecurity. Yeah, 234 00:11:00.480 --> 00:11:04.120 the main event, right, all about securing the networks, the servers, the. 235 00:11:04.120 --> 00:11:09.600 Data, So firewalls, intrusion detection, encryption, all that stuff. 236 00:11:09.679 --> 00:11:09.960 All that. 237 00:11:10.080 --> 00:11:15.120 Yeah, okay, but what makes the ostmm's approach to this different. 238 00:11:15.159 --> 00:11:17.440 I mean, it seems like everyone's got a cybersecurity solution 239 00:11:17.480 --> 00:11:18.000 these days. 240 00:11:18.559 --> 00:11:21.879 The OSSTMM doesn't just tell you what to do. It 241 00:11:21.919 --> 00:11:23.840 teaches you how to think about security. 242 00:11:24.000 --> 00:11:24.279 Okay. 243 00:11:24.879 --> 00:11:29.440 It's a methodology, a framework for actually assessing your network, 244 00:11:29.600 --> 00:11:32.679 got it, understanding the risks, and then figuring out what 245 00:11:32.759 --> 00:11:33.600 controls you need. 246 00:11:33.720 --> 00:11:35.919 So it's like giving you the knowledge to be your 247 00:11:35.960 --> 00:11:37.519 own security expert. 248 00:11:37.639 --> 00:11:40.879 Exactly. You take control, okay, instead of just blindly following 249 00:11:40.919 --> 00:11:41.919 someone else's checklist. 250 00:11:42.000 --> 00:11:46.039 I like that taking control. That's good. This has been Wow, 251 00:11:46.120 --> 00:11:47.200 this has been an eye opener. 252 00:11:47.240 --> 00:11:48.279 There's a lot to take in. 253 00:11:48.559 --> 00:11:51.360 Yeah. I thought I was pretty good with security, you know, 254 00:11:51.559 --> 00:11:54.759 strong passwords, anti virus. I thought I was all set right, 255 00:11:55.039 --> 00:11:57.279 But there's so much more to consider. 256 00:11:57.480 --> 00:11:58.679 It's a whole world out there. 257 00:11:58.759 --> 00:12:01.679 Yeah. Yeah, it is, and we've only scratched the surface, 258 00:12:02.039 --> 00:12:04.480 just the beginning. So there are seventeen modules in the 259 00:12:04.480 --> 00:12:07.120 OSSTMS seventeen Yeah, okay, So that's where the rubber meets 260 00:12:07.159 --> 00:12:07.440 the road. 261 00:12:07.559 --> 00:12:08.679 That's where it gets practical. 262 00:12:08.840 --> 00:12:11.559 Okay. So you take all this information and then you 263 00:12:11.600 --> 00:12:12.840 actually turn it into action. 264 00:12:13.120 --> 00:12:16.200 Yeah. The modules are like your toolbox Okay, for actually 265 00:12:16.279 --> 00:12:17.639 implementing these principles. 266 00:12:17.679 --> 00:12:18.919 Gotcha. So like a mix a match. 267 00:12:19.000 --> 00:12:21.480 Yeah, you can choose which modules make sense for your situation. 268 00:12:21.919 --> 00:12:25.639 Customized security checkout exactly. Okay, I like that. I like that. So, 269 00:12:25.799 --> 00:12:30.000 for example, you mentioned the compliance verification module that helps 270 00:12:30.039 --> 00:12:33.440 you make sure you're meeting all the legal and industry 271 00:12:33.480 --> 00:12:36.000 standards and knowing the rules right right, which is a 272 00:12:36.039 --> 00:12:36.639 big one for me. 273 00:12:36.919 --> 00:12:40.080 Yeah, you mentioned that you were concerned about reference a 274 00:12:40.159 --> 00:12:43.519 compliance related detail from the listener's source material. 275 00:12:43.279 --> 00:12:45.039 Exactly, got to make sure I'm taking all the. 276 00:12:45.000 --> 00:12:49.919 Right boxes, right. But the OSSTMM goes beyond just ticking boxes. 277 00:12:50.039 --> 00:12:50.360 Okay. 278 00:12:50.399 --> 00:12:55.279 Good. It's about understanding why those regulations exist and then 279 00:12:55.320 --> 00:12:59.320 achieving real security, not just compliance for compliance's. 280 00:12:58.679 --> 00:13:00.399 Sake, right, because at the end of the day, it's 281 00:13:00.399 --> 00:13:02.080 about actually being secure. 282 00:13:02.480 --> 00:13:03.080 Absolutely. 283 00:13:03.120 --> 00:13:06.440 Okay. So another example, Let's say I'm worried about the 284 00:13:06.440 --> 00:13:09.759 physical security of my home office, which i am. Yeah, 285 00:13:09.840 --> 00:13:11.120 you mentioned that in my notes I did. 286 00:13:11.200 --> 00:13:15.279 Yeah. So the OSSTMM has this module called Physical Security 287 00:13:15.360 --> 00:13:19.360 Verification okay, and it walks you through this process of 288 00:13:19.440 --> 00:13:23.840 assessing your vulnerabilities. 289 00:13:23.039 --> 00:13:25.480 Like are there any easy access points? 290 00:13:25.720 --> 00:13:26.120 Exact? 291 00:13:26.200 --> 00:13:29.879 Could someone tamper with my equipment? Or my cameras actually 292 00:13:29.960 --> 00:13:31.080 pointed in the right direction? 293 00:13:31.279 --> 00:13:32.240 All good questions. 294 00:13:32.320 --> 00:13:35.000 Okay. So it's like having a security expert looking over 295 00:13:35.039 --> 00:13:35.879 your shoulder. 296 00:13:35.559 --> 00:13:37.200 Yeah, pointing out the things you might miss. 297 00:13:37.399 --> 00:13:40.639 Yeah. Yeah. But it's not just about finding the problems, 298 00:13:40.639 --> 00:13:41.919 it's about fixing them too. 299 00:13:42.360 --> 00:13:47.679 Absolutely. Each module gives you recommendations best practices okay, and 300 00:13:47.720 --> 00:13:50.120 then it takes it even a step further with this 301 00:13:50.120 --> 00:13:51.919 thing called characterizing results. 302 00:13:52.120 --> 00:13:53.960 Characterizing results, what's that? 303 00:13:54.320 --> 00:13:56.960 So you've done your security test. You found some issues, 304 00:13:57.399 --> 00:13:59.120 but now you've got to figure out what did those 305 00:13:59.159 --> 00:14:03.399 results actually mean. It's not just oh we found a vulnerability, 306 00:14:03.519 --> 00:14:07.960 it's how serious is this vulnerability? How likely is it 307 00:14:08.000 --> 00:14:10.720 that someone's going to try to exploit it? Right? 308 00:14:10.919 --> 00:14:13.519 And if they do exploit it, what's the impact going 309 00:14:13.559 --> 00:14:13.759 to be? 310 00:14:13.960 --> 00:14:17.519 So you're putting the findings into context exactly, prioritizing the risks, 311 00:14:17.679 --> 00:14:20.679 got it? Not just finding every little problem but figuring 312 00:14:20.679 --> 00:14:22.240 out which problems are the biggest. 313 00:14:22.480 --> 00:14:24.080 You got to focus on the big ones first. 314 00:14:24.279 --> 00:14:26.559 Yeah, that makes sense. Yeah, this is one of the 315 00:14:26.559 --> 00:14:29.519 things that makes the OSSTMM so powerful. 316 00:14:29.720 --> 00:14:30.080 Yeah. 317 00:14:30.159 --> 00:14:34.919 It helps you make informed decisions about security based on evidence, 318 00:14:35.480 --> 00:14:36.200 not just fear. 319 00:14:36.320 --> 00:14:37.200 You're not just guessing. 320 00:14:37.360 --> 00:14:40.279 Okay, but let's be real, a lot of this sounds 321 00:14:40.279 --> 00:14:41.080 pretty technical. 322 00:14:41.200 --> 00:14:41.960 It is. Yeah. 323 00:14:42.159 --> 00:14:46.320 Is the OSSTMM really something that the average person can 324 00:14:46.480 --> 00:14:49.799 use or is this just for you know, the security pros. 325 00:14:49.919 --> 00:14:51.519 That's one of the great things about it. 326 00:14:51.559 --> 00:14:51.759 Okay. 327 00:14:51.759 --> 00:14:54.799 It's designed to be accessible, Okay, no matter what your 328 00:14:54.799 --> 00:14:56.039 technical skill level is. 329 00:14:56.200 --> 00:14:56.519 Okay. 330 00:14:56.639 --> 00:15:00.600 It uses clear language, real world examples to explain these 331 00:15:00.639 --> 00:15:01.960 complicated concepts. 332 00:15:02.360 --> 00:15:04.639 So even if I'm not a security expert. I can 333 00:15:04.720 --> 00:15:08.559 still use this to improve my security absolutely. Okay. That's 334 00:15:08.600 --> 00:15:10.799 good to hear. And in fact, one of the core 335 00:15:10.879 --> 00:15:15.080 principles of the OSSTMM is that security should be a 336 00:15:15.159 --> 00:15:18.480 collaborative effort. Okay, it's not just about one person. 337 00:15:18.279 --> 00:15:20.240 Or one team, right, We're all in this together. 338 00:15:20.320 --> 00:15:23.159 Everyone needs to work together, okay, to make things more 339 00:15:23.200 --> 00:15:24.159 secure for everyone. 340 00:15:24.240 --> 00:15:28.159 That's reassuring, right, Yeah. Yeah, I gotta admit I'm still 341 00:15:28.159 --> 00:15:29.559 a little intimidated by all this. 342 00:15:30.320 --> 00:15:30.840 I get it. 343 00:15:30.840 --> 00:15:32.000 It's a lot to take it. 344 00:15:32.080 --> 00:15:34.679 Yeah, it's a dense document. Yeah, there's a lot to. 345 00:15:34.679 --> 00:15:37.240 Learn, but I don't need to master every detail. 346 00:15:37.639 --> 00:15:40.919 You don't have to know everything, Okay, even just understanding 347 00:15:40.919 --> 00:15:44.759 the basic principles and applying a few the key concepts 348 00:15:45.039 --> 00:15:46.279 that can make a huge difference. 349 00:15:46.399 --> 00:15:49.080 Okay, that's good to hear. Right, Yeah, yeah, but let's 350 00:15:49.120 --> 00:15:53.799 not sugarcoat it, Okay. Implementing the OSSTMM. It takes work. 351 00:15:54.120 --> 00:15:54.440 It does. 352 00:15:54.519 --> 00:15:56.720 Yeah, it's not just reading the manual and calling it 353 00:15:56.759 --> 00:16:00.000 a day. It's not magic, no, No, it takes effort, 354 00:16:00.039 --> 00:16:01.279 it takes commitment. 355 00:16:01.000 --> 00:16:03.879 It takes a willingness to actually change how you think 356 00:16:03.919 --> 00:16:08.720 about security. But the rewards are worth it. The OSSTMM 357 00:16:08.799 --> 00:16:12.679 can help you build a more secure organization, protect your 358 00:16:12.840 --> 00:16:16.440 valuable assets, and it can even give you a competitive edge. 359 00:16:16.559 --> 00:16:18.960 Okay, all right, I'm sold. I'm ready to dive in 360 00:16:19.200 --> 00:16:21.159 good But where do I even begin? 361 00:16:21.639 --> 00:16:24.919 Well, the OSSTMM has this thing called a posture review. 362 00:16:25.360 --> 00:16:27.720 It's the first step, and that's where you gather all 363 00:16:27.720 --> 00:16:31.600 the information about your organization. What are your assets, what's 364 00:16:31.639 --> 00:16:32.960 your security environment like? 365 00:16:33.039 --> 00:16:36.080 So you're taking stock of the current situation exactly. 366 00:16:36.080 --> 00:16:38.639 You got to know where you're starting from before you 367 00:16:38.639 --> 00:16:39.720 can figure out where you're going. 368 00:16:39.799 --> 00:16:43.799 Okay, I get that. What happens after the posture review? 369 00:16:43.879 --> 00:16:46.039 When does the actual testing start. 370 00:16:46.360 --> 00:16:48.159 That's where the logistics phase comes in. 371 00:16:48.279 --> 00:16:49.440 Logistics, Okay, this. 372 00:16:49.360 --> 00:16:53.000 Is where you plan and prepare for the assessment. You're 373 00:16:53.039 --> 00:16:57.000 defining the scope, You're picking the target systems and networks. 374 00:16:57.399 --> 00:16:59.240 You're choosing your tools and techniques. 375 00:16:59.320 --> 00:17:01.480 So it's like creating a battle plan exactly. 376 00:17:01.639 --> 00:17:04.599 Okay, you've got to have a plan. Good logistics are 377 00:17:04.680 --> 00:17:07.680 key to making sure the assessment is done thoroughly and efficiently. 378 00:17:07.880 --> 00:17:11.440 Makes sense. Okay, So we've got the posture review, We've 379 00:17:11.440 --> 00:17:15.680 got the logistics phase, right, what's next? In the OSSTMM 380 00:17:15.759 --> 00:17:16.759 methodology flow. 381 00:17:17.200 --> 00:17:19.839 Next comes the active detection verification phase. 382 00:17:19.960 --> 00:17:21.640 Okay, active detection. 383 00:17:21.519 --> 00:17:24.799 This is where you're actually testing your security. You know, 384 00:17:24.880 --> 00:17:27.640 how good are you're monitoring and detecting capabilities? 385 00:17:27.720 --> 00:17:29.599 So are my alarms actually working? 386 00:17:29.799 --> 00:17:32.480 Yeah? And are you actually paying attention to those alarms? Right? 387 00:17:32.599 --> 00:17:32.839 Right? 388 00:17:32.920 --> 00:17:37.200 This involved things like testing your intrusion detection systems okay, 389 00:17:37.400 --> 00:17:41.079 looking at your security logs, seeing if you're analyzing them properly, 390 00:17:41.799 --> 00:17:45.039 even simulating incidents to see how quickly you can respond. 391 00:17:45.240 --> 00:17:48.119 So it's about being proactive at testing things before an 392 00:17:48.119 --> 00:17:51.440 actual attack happens exactly. Okay, that makes sense. But what 393 00:17:51.519 --> 00:17:55.240 if we discover during this phase that our detection capabilities 394 00:17:55.400 --> 00:17:57.519 they're just not up to snuff. What happens? 395 00:17:57.599 --> 00:18:01.079 Then that's where the OSSTMMS recommendations come in. 396 00:18:01.160 --> 00:18:01.559 Okay. 397 00:18:01.680 --> 00:18:05.240 It gives you guidance on how to actually improve your security. 398 00:18:04.519 --> 00:18:05.440 Based on the findings. 399 00:18:05.480 --> 00:18:06.839 Yeah, based on what you've learned. 400 00:18:07.039 --> 00:18:07.279 Okay. 401 00:18:07.400 --> 00:18:11.880