Tuesday, August 26, 2003

ISECOM Provides "Non-Profit" Competition for SANS

I learned that a new edition of the Open Source Security Testing Methodology Manual was released Saturday. The OSSTMM is a consensus document whose objective is "to create one accepted method for performing a thorough security test." It is created by the Institute for Security and Open Methodologies, described here as "a non-profit organization which provides collective information and tools under the open source licenses for free public use. This information is provided via the Internet and through social venues and conferences." This sounds somewhat like SANS, who as recently as Oct 02 was called "a nonprofit security research and training group." I couldn't find any indication on the SANS web site of their non-profit status, and searches into archived pages for SANS, Escal, and "The Intranet Institute" didn't show anything confirming its non-profit status.
Just as SANS offers certifications, ISECOM offers the OSSTMM Professional Security Tester and the OSSTMM Professional Security Analyst. Not surprisingly, ISECOM offers classes to help students pass their certification tests. I was struck by the arrogance of this page from the OPSA course description:
"If all you want to do is pass an exam, we recommend the following:
  • Read the newest versions of the OSSTMM, OSSTMM Internal, and the BSTA Workbook.

  • Take a few MBA classes in business information and security.

  • Read books on intrusion detection, honeypots, secure programming, and anything else you can to see how attacks arrive.

  • Learn how to get what you need for security analysis off the Internet. Know where you can get the needed trend information, solutions, CVE info, hacks, exploits, etc. to do an OSSTMM security test.

  • Learn how TCP, UDP, ICMP, IP, RIP, OSPF, BGP and various application level protocols work like FTP, DNS, SNMP, BOOTP, HTTP, HTTPS, etc. and how to analyze them.

  • Learn how to analyze and categorize information leaks, privacy breaches, and competitive intelligence.

  • Learn where to look in the Security presence to find weaknesses and deficiencies.

  • Calculate risk assessment based on the current version of the OSSTMM.

  • Understand how to calculate and execute project plans while upholding proper legal and ethical testing.

  • Know how to follow the security tester's rules of engagement as per the most recent OSSTMM.

  • Work with an efficient red team either internal or as a consultancy to learn efficient teamwork and project requirements.

  • Read what you can about security policies and security architecture to be able to design secure network topographies with associated process controls.
Otherwise, you may be interested in the training course."
Wow! That sounds like a four-year college degree. Wait -- this is all packed into a four-day class? Who do these guys think they are?
