Open Source Security Testing Methodology Manual (OSSTMM)

3.1 Explain concepts related to attack methodology frameworks.

📘CompTIA CySA+ (CS0-003)


The Open Source Security Testing Methodology Manual (OSSTMM), published and maintained by ISECOM (the Institute for Security and Open Methodologies), is a peer-reviewed security testing methodology used to measure and analyze the operational security of systems, networks, people, and physical environments.

It provides a standard way to perform security testing so results are:

  • Accurate
  • Repeatable
  • Measurable

OSSTMM is widely used by security professionals to test defenses and identify weaknesses in IT environments.


1. Purpose of OSSTMM

The main goal of OSSTMM is to:

  • Identify security weaknesses (vulnerabilities)
  • Measure how secure a system really is
  • Provide a scientific and consistent testing process
  • Reduce guesswork in security testing

Unlike some frameworks, OSSTMM focuses on facts and measurable results, not opinions.


2. Key Features of OSSTMM

a. Standardized Testing

OSSTMM provides a step-by-step method to test security.

This ensures:

  • Different testers get similar results
  • Testing is consistent across environments

b. Quantitative Results (Metrics-Based)

OSSTMM expresses results as measurable values instead of vague descriptions.

For example:

  • Instead of saying “security is weak”
  • It produces a numerical value (the rav, see section 5) showing how well the controls in place cover the exposed attack surface

c. Focus on Operational Security

OSSTMM evaluates real-world security controls, such as:

  • Firewalls
  • Authentication systems
  • Network configurations
  • Physical access controls

d. Comprehensive Coverage

OSSTMM does not only test data networks. It covers:

  • Digital systems and data networks
  • Human interaction
  • Physical security
  • Wireless environments
  • Telecommunications

3. OSSTMM Testing Scope (Five Channels)

OSSTMM organizes testing into five channels, grouped into three classes: PHYSSEC (Human and Physical), SPECSEC (Wireless) and COMSEC (Telecommunications and Data Networks):


1. Human Security

Focuses on how people interact with systems.

Includes:

  • Social engineering risks
  • Password handling
  • User awareness

IT Example:
Testing whether employees share passwords or fall for phishing emails.


2. Physical Security

Focuses on physical access to systems.

Includes:

  • Data center access
  • Hardware protection
  • Surveillance systems

IT Example:
Checking if unauthorized users can enter a server room.


3. Wireless Security

Focuses on wireless communication.

Includes:

  • Wi-Fi networks
  • Bluetooth
  • RF communications

IT Example:
Testing if a wireless network allows unauthorized connections.


4. Telecommunications (Telecom)

Focuses on voice and communication systems.

Includes:

  • VoIP systems
  • PBX systems

IT Example:
Testing if attackers can access or manipulate VoIP calls.


5. Data Networks

Focuses on traditional IT networks.

Includes:

  • Servers
  • Routers
  • Firewalls
  • Applications

IT Example:
Scanning servers to detect open ports and vulnerabilities.


4. OSSTMM Concepts You Must Know for Exam


a. Attack Surface

The attack surface is all the possible points where an attacker can try to enter a system.

Examples:

  • Open ports
  • Login pages
  • APIs

OSSTMM helps identify and measure this surface.


b. Trust Analysis

OSSTMM evaluates trust relationships between systems.

Example:

  • One server trusting another without proper validation

Too much trust = higher risk.


c. Controls

Controls are the protections that limit what an interaction with a target can do. OSSTMM defines ten control categories in two classes:

  • Class A (interactive): Authentication, Indemnification, Resilience, Subjugation, Continuity
  • Class B (process): Non-Repudiation, Confidentiality, Privacy, Integrity, Alarm

OSSTMM checks:

  • Whether a control exists for each point of interaction
  • Whether the control actually works as intended

d. Limitations

In OSSTMM, limitations are not testing constraints. Time limits, scope restrictions and legal boundaries belong in the Rules of Engagement agreed before the test. Limitations are the flaws the test finds in operations and controls, recorded in five categories:

  • Vulnerability: a flaw that allows unauthorized access to assets or denies access to authorized users
  • Weakness: a flaw in a Class A (interactive) control
  • Concern: a flaw in a Class B (process) control
  • Exposure: an unjustifiable action or flaw that lets targets or assets be seen or enumerated
  • Anomaly: an unidentifiable or unknown element that is not controlled and cannot be accounted for

Limitations reduce the rav, so recording them accurately matters for the final score.


e. Visibility

Visibility means how much of the scope can be seen and enumerated by a tester or attacker. Together with Access (the points that accept interaction) and Trust (interactions accepted without authentication), it forms the porosity of the scope, which OSSTMM treats as the attack surface.

  • High visibility → attackers can see and enumerate more targets
  • Low visibility → targets are harder to discover

5. RAV (Risk Assessment Values)

One of the most important OSSTMM concepts for exams.

What is RAV?

The rav (Risk Assessment Value) is a numerical score that represents how well the controls in place balance the attack surface of the scope.

  • 100 rav → perfect balance: every point of interaction is covered by controls and no limitations remain
  • Below 100 rav → the attack surface outweighs the controls, so risk is higher
  • Above 100 rav → more controls than the exposed operations require

How RAV is Calculated

The rav is calculated from three measured groups:

  • Operational Security (porosity): the counts of Visibility, Access and Trust
  • Controls: the ten control categories in place for those points of interaction
  • Limitations: the flaws found (vulnerabilities, weaknesses, concerns, exposures, anomalies), which reduce the score

Why RAV is Important

  • Provides objective measurement
  • Helps compare systems
  • Helps prioritize security improvements

6. Types of Security Tests in OSSTMM

OSSTMM itself classifies tests by how much the tester and the target know about each other (blind, double blind, gray box, double gray box, tandem and reversal). Tests are also commonly described by their level of interaction with the target:

a. Passive Testing

No direct interaction with the system.

Examples:

  • Monitoring traffic
  • Collecting public information

Purpose: Gather information without alerting or altering the target


b. Active Testing

Direct interaction with systems.

Examples:

  • Port scanning
  • Vulnerability scanning

Purpose: Identify weaknesses


c. Intrusive Testing

Attempts to exploit vulnerabilities.

Examples:

  • Gaining unauthorized access
  • Testing privilege escalation

Purpose: Confirm real risks


7. OSSTMM Testing Process (Simplified)


Step 1: Define Scope

  • Identify systems to test
  • Set boundaries

Step 2: Gather Information

  • Identify IP addresses
  • Discover services
  • Map network

Step 3: Analyze Exposure

  • Identify open ports
  • Detect vulnerabilities

Step 4: Test Security Controls

  • Authentication
  • Access control
  • Encryption

Step 5: Perform Attack Simulation

  • Attempt exploitation
  • Validate weaknesses

Step 6: Calculate Results (RAV)

  • Measure security level

Step 7: Reporting

  • Document findings
  • Provide recommendations
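The concepts in section 4 (attack surface, trust, visibility) and Steps 2 and 3 above (discover services, identify open ports) can be tied together in code. The following Python is an added example, not from OSSTMM, ISECOM or this page: it parses a constructed nmap grepable (-oG) result, counts the three porosity elements (Visibility, Access, Trust) that OSSTMM treats as the attack surface, and follows unauthenticated trust relationships transitively the way an attacker would. The host addresses, the trust list and the counting rules are assumptions for illustration; this is not the full OSSTMM 3 rav formula.

```python
"""Added example: porosity (Visibility + Access + Trust) from a scan result.

The scan text and trust list below are constructed for illustration; the
counting is a simplification, not the OSSTMM 3 rav calculation.
"""
import re
from collections import deque

# Constructed sample of `nmap -v -oG - 10.0.0.0/28` output (not a real scan).
# Grepable format: "Host: <ip> (<name>)\t<Field>: <value>\t..." with ports as
# "<port>/<state>/<proto>//<service>//<version>/".
SCAN_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -v -oG - 10.0.0.0/28
Host: 10.0.0.10 ()\tStatus: Up
Host: 10.0.0.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.0.0.20 ()\tStatus: Up
Host: 10.0.0.20 ()\tPorts: 3306/open/tcp//mysql///, 22/filtered/tcp//ssh///\tIgnored State: closed (998)
Host: 10.0.0.30 ()\tStatus: Up
Host: 10.0.0.30 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
Host: 10.0.0.40 ()\tStatus: Down
# Nmap done at Mon Jan  1 00:00:05 2024 -- 16 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

# Constructed trust relationships (hypothetical allow-list review, not nmap
# output): (server, client) pairs where `server` accepts connections from
# `client` with no authentication.
TRUST = [
    ("10.0.0.10", "10.0.0.20"),   # web tier reads from the DB host unauthenticated
    ("10.0.0.20", "10.0.0.30"),   # DB host lets the jump host in without a password
]

HOST_RE = re.compile(r"^Host: (\S+) \(.*?\)\t(.*)$")


def parse_grepable(text):
    """Return {ip: {"up": bool, "open_ports": [int, ...]}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines and anything unexpected
        ip, rest = m.groups()
        entry = hosts.setdefault(ip, {"up": False, "open_ports": []})
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = (value.strip() == "Up")
            elif key == "Ports":
                for spec in value.split(", "):
                    port, state = spec.split("/")[:2]
                    if state == "open":   # filtered/closed ports are not interactive points
                        entry["open_ports"].append(int(port))
                entry["up"] = True        # a port answering implies the host is visible
    return hosts


def porosity(hosts, trust):
    """Simplified OSSTMM porosity: Visibility + Access + Trust."""
    visible = {ip for ip, h in hosts.items() if h["up"]}
    visibility = len(visible)                                   # targets that can be seen
    access = sum(len(hosts[ip]["open_ports"]) for ip in visible)  # points that accept interaction
    # Count only trust where both ends are visible targets in scope.
    trust_count = sum(1 for srv, cli in trust if srv in visible and cli in visible)
    return {"visibility": visibility, "access": access, "trust": trust_count,
            "porosity": visibility + access + trust_count}


def reachable_via_trust(trust, compromised):
    """Hosts an attacker holding `compromised` can reach by following
    unauthenticated trust transitively (breadth-first over the trust graph)."""
    allows = {}                            # client -> servers that trust it
    for srv, cli in trust:
        allows.setdefault(cli, set()).add(srv)
    seen, queue = set(), deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in allows.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    hosts = parse_grepable(SCAN_OG)
    print(porosity(hosts, TRUST))
    print(sorted(reachable_via_trust(TRUST, "10.0.0.30")))
```

The down host contributes nothing to visibility or access, the filtered port on 10.0.0.20 is not counted as an interactive point, and the trust walk shows why "too much trust = higher risk": a foothold on the jump host 10.0.0.30 reaches the DB host and then the web tier without a single credential.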

8. OSSTMM vs Other Frameworks (Exam Tip)


OSSTMM vs Penetration Testing

  • OSSTMM = Methodology (structured approach)
  • Penetration testing = Activity (actual testing)

OSSTMM vs Vulnerability Scanning

  • OSSTMM = Full security analysis
  • Scanning = Only finding known weaknesses

OSSTMM vs Other Frameworks

  • Focuses on measurement and metrics
  • More scientific and data-driven
  • Covers human + physical + technical security

9. Advantages of OSSTMM

  • Standardized testing approach
  • Measurable results (RAV)
  • Comprehensive coverage
  • Reduces bias and guesswork

10. Limitations of OSSTMM

  • Can be complex for beginners
  • Requires skilled testers
  • Time-consuming
  • Not always fully automated

11. Key Exam Points (Must Remember)

  • OSSTMM is a security testing methodology
  • Uses metrics (RAV) instead of opinions
  • Covers 5 channels:
    • Human
    • Physical
    • Wireless
    • Telecom
    • Data networks
  • Measures:
    • Operational security (porosity: visibility, access, trust)
    • Controls (ten categories in two classes)
    • Limitations (the flaws found, which reduce the rav)
  • Includes:
    • Passive, active, and intrusive testing

Final Summary

OSSTMM is a structured and measurable framework used to test and evaluate security across multiple areas of an IT environment. It focuses on real-world exposure, security controls, and risk measurement, making it highly useful for identifying weaknesses and improving overall security posture.
