Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presented by Heorot.net.  Understand managerial tasks and responsibilities within the OSSTMM  Identify legal requirements and how the OSSTMM meets these.

Published byRobert Sherrill Modified over 9 years ago

Similar presentations

Presentation on theme: "Presented by Heorot.net.  Understand managerial tasks and responsibilities within the OSSTMM  Identify legal requirements and how the OSSTMM meets these."— Presentation transcript:

1 Presented by Heorot.net

2  Understand managerial tasks and responsibilities within the OSSTMM  Identify legal requirements and how the OSSTMM meets these requirements  Create Rules of Engagement  Become familiar with terminology  Understand what is “good security practices”  Create metrics

3  For Managers and Project Managers Document Scope Compliance Rules of Engagement Process Security Map Risk Assessment Security Metrics Heorot.net

4  Primary purpose: ○ “…to provide a scientific methodology for the accurate characterization of security through examination and correlation in a consistent and reliable way.”  Secondary purpose: ○ “provide guidelines which when followed will allow the auditor to perform a certified OSSTMM audit” Heorot.net

5  Requirements for Accreditation Signed by the tester/analyst Meet the reporting requirements Anonymized report ○ What was tested ○ What was not tested Heorot.net

6  Professional Certifications OPST - OSSTMM Professional Security Tester ○ http://www.opst.org OPSA - OSSTMM Professional Security Analyst ○ http://www.opsa.org OPSE - OSSTMM Professional Security Expert ○ http://www.opse.org OWSE - OSSTMM Wireless Security Expert ○ http://www.owse.org Heorot.net

7  Terminology – Security Test Types Blind Double Blind (Black Box) Grey Box Double Grey Box (White Box) Tandem Reversal Heorot.net

8  Terminology –Error Types Well-known terms ○ False Positive ○ False Negative ○ Human Error ○ Falsification ○ Sampling Error ○ Constraint Other Terms ○ Grey Positive ○ Grey Negative ○ Specter ○ Indiscretion ○ Entropy Error ○ Propagation Heorot.net

9  Legal Compliance U.S. Gramm-Leach-Bliley Act (GLBA) U.S. Sarbanes-Oxley Act (SOX) Health Insurance Portability and Accountability Act of 1996 (HIPAA) Others listed: ○ California Individual Privacy Senate Bill - SB1386 ○ USA Government Information Security Reform Act of 2000 section 3534(a)(1)(A) OCR HIPAA Privacy TA 164.502E.001, Business Associates [45 CFR §§ 160.103, 164.502(e), 164.514(e)] ○ OCR HIPAA Privacy TA 164.514E.001, Health-Related Communications and Marketing [45 CFR §§ ○ 164.501, 164.514(e)] ○ OCR HIPAA Privacy TA 164.502B.001, Minimum Necessary [45 CFR §§ 164.502(b), 164.514(d)] ○ OCR HIPAA Privacy TA 164.501.002, Payment [45 CFR 164.501] Heorot.net

10  Rules of Engagement (see page 19, OSSTMM) Do’s and Don'ts ○ Sales & Marketing ○ Assessment / Estimated Delivery ○ Contracts and Negotiations ○ *Scope Definition ○ *Test Plan ○ *Test Process ○ *Reporting *Required for successful completion of the PTE

11  Rules of Engagement (see page 19, OSSTMM) Do’s and Don'ts ○ Sales & Marketing ○ Assessment / Estimated Delivery ○ Contracts and Negotiations ○ *Scope Definition ○ *Test Plan ○ *Test Process ○ *Reporting *Required for successful completion of the PTE

12  Rules of Engagement ○ Scope Definition ○ Test Plan ○ Test Process ○ Reporting  Risk Assessment  Security Metrics Each topic is covered in separate video presentations.

13  What needs to be protected: People Culture information Processes Business Image Intellectual property Legal rights Intellectual capital

14  Four Categories of Concern: Safety Privacy Practicality Usability  “Perfect Security” Theoretical Personal note: “Need to meet business objectives”

15  Three areas of concern: Operations ○ Visibility, Trust, Access Controls ○ Authentication, Indemnification, Subjugation, Continuity, Resistance, Non-repudiation, Confidentiality, Privacy, Integrity, Alarm Limitations ○ Vulnerability, Weakness, Concern, Exposure, Anomaly

16 1. Count the values within each area Operations = number of targets Controls = number of instances Limitations = number of flaws 2. Create a delta for each In this case, a percentage for each 3. Obtain the “Actual Delta” ∆Op + ∆Con - ∆Lim = ∆Actual 4. Combine Hashes of all three area to obtain the “Risk Assessment Value” (RAV) http://www.isecom.org/research/ravs.shtml

17

18  Understand managerial tasks and responsibilities within the OSSTMM  Identify legal requirements and how the OSSTMM meets these requirements  Understand Rules of Engagement  Become familiar with terminology  Identify what is “good security practices”  Security metrics

Download ppt "Presented by Heorot.net.  Understand managerial tasks and responsibilities within the OSSTMM  Identify legal requirements and how the OSSTMM meets these."

Similar presentations

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
IT Security Policy Framework

IT Security Policy Framework
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Criteria For Approval 45 CFR 46.111 25 CFR 56.111 Minimized risks Reasonable risk/benefit ratio Equitable subject selection Informed consent process Informed.

Criteria For Approval 45 CFR CFR Minimized risks Reasonable risk/benefit ratio Equitable subject selection Informed consent process Informed.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
© 2014 ACA International. All Rights Reserved. Obtaining Optimum Compliance Performance Foundational Training on ACA’s Professional Practices Management.

© 2014 ACA International. All Rights Reserved. Obtaining Optimum Compliance Performance Foundational Training on ACA’s Professional Practices Management.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.

Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.
Frameworks, Standards and Regulations IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA, MS, CIA, CISA, CISSP)

Frameworks, Standards and Regulations IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA, MS, CIA, CISA, CISSP)
Presented by Heorot.net.  Understand the need for a PenTest Methodology  Identify the most-used methodologies  Understand Advantages and Limitations.

Presented by Heorot.net.  Understand the need for a PenTest Methodology  Identify the most-used methodologies  Understand Advantages and Limitations.
Module 2 – PenTest Overview

Module 2 – PenTest Overview
Chapter 21 Assurance, Attestation, and Internal Auditing Services Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill/Irwin.

Chapter 21 Assurance, Attestation, and Internal Auditing Services Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill/Irwin.
“Limiting electronic fraud through an Information Security Management System (ISMS): An Introduction to ISO 27001 Presented to the ICGFM Annual Conference.

“Limiting electronic fraud through an Information Security Management System (ISMS): An Introduction to ISO 27001" Presented to the ICGFM Annual Conference.
Security Controls – What Works

Security Controls – What Works
ISO/IEC 27001 Winnie Chan BADM 559 Professor Shaw 12/15/2008.

ISO/IEC Winnie Chan BADM 559 Professor Shaw 12/15/2008.
2 HIPAA, HITECH, and Medical Records. Learning Outcomes When you finish this chapter, you will be able to: 2.1Discuss the importance of medical records.

2 HIPAA, HITECH, and Medical Records. Learning Outcomes When you finish this chapter, you will be able to: 2.1Discuss the importance of medical records.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Vulnerability Assessments

Vulnerability Assessments

Similar presentations

Ads by Google