Certified Ethical Hacker Module 01 : Introduction To Ethical Hacking

CIA Triad

The CIA Triad is the model used to guard against theft, tampering and destruction of systems and data.  

  • Confidentiality : Keeping systems and data from being accessed, seen or read by anyone who is not authorized to do so. Information is accessible only to authorized persons.  
  • Integrity : TRUSTWORTHINESS of DATA and RESOURCES. Integrity is the assurance that the information is trustworthy and accurate.
  • Availability : System or data is available and accessible when required by authorized users.

Other related properties are :  

  • Authenticity : Authenticity is assurance that a message, transaction, or other exchange of information is from the source it claims to be from. Authenticity involves proof of identity.
  • Accountability (Auditing) : Refers to the ability to trace actions back to the entity responsible for them: keeping track of who logged in, when they logged in, and who accessed which data.
  • Non-Repudiation : Assurance that someone cannot deny the validity of something. It provides proof of the origin, authenticity and integrity of data: assurance to the sender that the message was delivered, and proof of the sender’s identity to the recipient.  
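
The integrity and authenticity properties above are easiest to see in code. The following Python example is added here and is not part of the original notes: it uses a keyed hash (HMAC-SHA256 from the standard library) over a constructed message so that a receiver who shares the key can detect tampering (integrity) and confirm that the message came from a key holder (authenticity). The key and the messages are constructed placeholders.

```python
import hashlib
import hmac

# Constructed shared secret for the example; a real deployment loads it from a key store.
SECRET_KEY = b"example-shared-secret-not-for-production"


def make_tag(message: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Compute an HMAC-SHA256 tag over the message.

    Anyone holding the key can recompute the tag, so a matching tag proves the
    message is unmodified (integrity) and came from a key holder (authenticity).
    """
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(message: bytes, tag: bytes, key: bytes = SECRET_KEY) -> bool:
    """Recompute the tag and compare in constant time.

    compare_digest avoids a timing side channel in which an early-exit comparison
    would reveal how many leading bytes of a forged tag were correct.
    """
    return hmac.compare_digest(make_tag(message, key), tag)


def demo() -> dict:
    """Exercise the three cases a receiver cares about, using constructed messages."""
    original = b"transfer 100 to account 42"
    tag = make_tag(original)

    tampered = b"transfer 900 to account 42"  # amount altered in transit
    return {
        "genuine_accepted": verify_tag(original, tag),
        "tampered_rejected": not verify_tag(tampered, tag),
        "wrong_key_rejected": not verify_tag(original, tag, b"some-other-key"),
    }


if __name__ == "__main__":
    print(demo())
```

An HMAC gives integrity and authenticity between two parties that share the key, but not non-repudiation: both sides can produce the same tag, so the receiver cannot prove to a third party that the sender, rather than the receiver, created it. Non-repudiation needs an asymmetric signature where only the sender holds the signing key.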

Security, Functionality and Usability balance

There is an interdependency between these three attributes: when security goes up, usability and functionality go down. An organization should balance the three to arrive at a workable information system.

Types of Hackers

  • Black Hat : Hackers that perform malicious activities for financial gain.  
  • Gray Hat : Hackers that perform good or bad activities but do not have the permission of the organization they are hacking against.
  • White Hat : Also called ethical hackers. They use their skills to improve security by exposing vulnerabilities before malicious hackers can exploit them.  
  • Script Kiddie / Skids : Unskilled individual who uses malicious scripts or programs, such as a web shell, developed by others to attack computer systems and networks and deface websites.
  • State-Sponsored Hacker : Hacker hired by a government or a government-affiliated entity. They are also known as APT (Advanced Persistent Threat) hackers.
  • Hacktivist : Someone who hacks for a cause or political agenda.
  • Cyberterrorist : Motivated by religious or political beliefs to create fear or disruption.  

Hacking Vocabulary

  • Hack value : Perceived value or worth of a target as seen by the attacker.  
  • Vulnerability : A flaw or weakness in a system (in design, implementation, etc.) that can be exploited by an attacker.  
  • Threat : Anything (an actor or event) that can exploit a vulnerability.
  • Exploit : A method or piece of code that takes advantage of a security flaw or vulnerability to gain access to a system.  
  • Payload : A piece of code that executes when an attacker exploits a vulnerability.  
  • Zero-Day Vulnerability : A vulnerability in a system or device that has been disclosed but is not yet patched. An exploit that attacks a zero-day vulnerability is called a zero-day exploit.  
  • Daisy Chaining / Pivoting : Gaining access to a network and/or computer and then using the information obtained there to gain access to multiple other networks and computers that contain desirable information.
  • Doxxing : Publishing PII about an individual, usually with malicious intent.  
  • Enterprise Information Security Architecture (EISA) : Determines the structure and behavior of an organization’s information systems through processes, requirements, principles and models.  

Threat Categories

Network Threats

  • Information gathering
  • Sniffing and eavesdropping
  • DNS/ARP Poisoning
  • MITM (Man-in-the-Middle Attack)
  • DoS/DDoS
  • Password-based attacks
  • Firewall and IDS attack
  • Session Hijacking

Host Threats

  • Password cracking
  • Malware attacks
  • Footprinting
  • Profiling
  • Arbitrary code execution
  • Backdoor access
  • Privilege Escalation
  • Code Execution

Application Threats

  • Injection Attacks
  • Improper data/input validation
  • Improper error handling and exception management
  • Hidden-field manipulation
  • Broken session management
  • Cryptography issues
  • SQL injection
  • Phishing
  • Buffer Overflow
  • Information disclosure
  • Security Misconfigurations

Attack Vectors

Path by which a hacker can gain access to a host in order to deliver a payload or malicious outcome.  

  • APT (Advanced Persistent Threats) : An advanced persistent threat is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. Typically uses zero-day attacks.  
  • Cloud computing / Cloud based technologies : A flaw in one client’s cloud application can allow an attacker to access other clients’ data.  
  • Viruses, worms, and malware : Viruses and worms are the most prevalent network threats and are capable of infecting a network within seconds.  
  • Ransomware : Restricts access to the computer system’s files and folders and demands an online ransom payment to the attacker in order to remove the restrictions.  
  • Mobile Device threats  
  • Botnets : Huge network of compromised hosts used by an intruder to perform various network attacks (e.g. DDoS).  
  • Insider attacks : A disgruntled employee can damage assets from inside.  
  • Phishing attacks  
  • Web Application Threats : Attacks like SQL injection, XSS (Cross-site scripting) etc.  
  • IoT Threats  

Attack Types

1. Operating System  

Attacks targeting OS flaws or security issues inside the OS, such as guest accounts or default passwords. Vectors: buffer overflows, protocol implementations, software defects, patch levels, authentication schemes.  

2. Application Level  

Attacks on programming code and software logic. Vectors like Buffer overflows, Bugs, XSS, DoS, SQL Injection, MitM.  

3. Misconfiguration  

Attack takes advantage of systems that are misconfigured due to improper configuration or default configuration. Examples: Improper permissions of SQL users; Access-list permit all.  

4. Shrink-Wrap Code

Act of exploiting holes in unpatched or poorly-configured software. Examples: Software defect in version 1.0; defect in example CGI scripts; Default passwords.  



CVSS

The Common Vulnerability Scoring System (CVSS) assigns a numerical score to a vulnerability based on its severity. It gives vendors and organizations a way to assess the principal characteristics of a vulnerability and produce a numerical score reflecting that severity. The score can then be translated into a qualitative rating, such as low, medium, high or critical, to help organizations in their vulnerability management processes.  

CVSS Rating on different versions :

  • CVSS 2.0 : Low (0.0 – 3.9), Medium (4.0 – 6.9), High (7.0 – 10.0)    
  • CVSS 3.0 : None (0.0), Low (0.1 – 3.9), Medium (4.0 – 6.9), High (7.0 – 8.9), Critical (9.0 – 10.0)  


CVE

CVE stands for Common Vulnerabilities and Exposures. It is a publicly available, free-to-use list (directory) of standardized identifiers for publicly known software vulnerabilities and exposures.  

CVE ID : CVE IDs give users a reliable way to recognize unique vulnerabilities and coordinate the development of security tools and solutions. A CVE ID is assigned before a security advisory is made public. It’s common for vendors to keep security flaws secret until a fix has been developed and tested; this reduces opportunities for attackers to exploit unpatched flaws.  

Once made public, a CVE entry includes the CVE ID (in the format “CVE-2019-123456”), a brief description of the security vulnerability or exposure, and references, which can include links to vulnerability reports and advisories.  
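
As an added worked example (not part of the original notes), the following Python code validates CVE IDs against the format described above, maps CVSS scores to the qualitative bands listed in the CVSS section, and sorts a constructed set of records by severity the way a triage script would. The sample records, their scores and identifiers such as `CVE-2020-999999` are constructed, not real CVE data.

```python
import re

# MITRE CVE ID format: "CVE-" + four-digit year + a sequence of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Qualitative bands from the CVSS section of these notes: (name, low, high), bounds inclusive.
CVSS_V2_BANDS = [("Low", 0.0, 3.9), ("Medium", 4.0, 6.9), ("High", 7.0, 10.0)]
CVSS_V3_BANDS = [("None", 0.0, 0.0), ("Low", 0.1, 3.9), ("Medium", 4.0, 6.9),
                 ("High", 7.0, 8.9), ("Critical", 9.0, 10.0)]

# Triage order, most urgent first.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}


def is_valid_cve_id(cve_id: str) -> bool:
    """True if the string has the CVE-YYYY-NNNN(+) shape; it does not check that the ID exists."""
    return CVE_ID_RE.match(cve_id) is not None


def cvss_rating(score: float, version: str = "3.0") -> str:
    """Map a numeric CVSS base score to its qualitative rating for the given version."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    # Published scores carry one decimal place; rounding keeps e.g. 3.94 from falling between bands.
    score = round(score, 1)
    bands = CVSS_V3_BANDS if version.startswith("3") else CVSS_V2_BANDS
    for name, low, high in bands:
        if low <= score <= high:
            return name
    raise ValueError(f"no band for score {score} in CVSS {version}")


def triage(records: list) -> tuple:
    """Split records into (accepted, rejected); accepted is sorted most severe first.

    Each record is a dict with keys "id", "score" and "version".
    Malformed IDs are rejected rather than silently scored.
    """
    accepted, rejected = [], []
    for rec in records:
        if not is_valid_cve_id(rec["id"]):
            rejected.append(rec["id"])
            continue
        accepted.append((rec["id"], cvss_rating(rec["score"], rec["version"])))
    accepted.sort(key=lambda item: SEVERITY_ORDER[item[1]])  # stable sort keeps input order within a band
    return accepted, rejected


# Constructed sample input; the IDs and scores are placeholders, not real CVE entries.
SAMPLE_RECORDS = [
    {"id": "CVE-2019-123456", "score": 9.8, "version": "3.0"},
    {"id": "CVE-2020-999999", "score": 5.0, "version": "2.0"},
    {"id": "CVE-19-1", "score": 7.0, "version": "3.0"},         # malformed: two-digit year, short sequence
    {"id": "CVE-2021-888888", "score": 7.0, "version": "2.0"},  # 7.0 is High in v2, which has no Critical band
]

if __name__ == "__main__":
    accepted, rejected = triage(SAMPLE_RECORDS)
    for cve_id, rating in accepted:
        print(f"{rating:<8} {cve_id}")
    print("rejected:", rejected)
```

Note that the same numeric score can land in a different band depending on the CVSS version, so a triage tool must carry the version alongside the score rather than assuming one.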


NVD

  • National Vulnerability Database.
  • A US government repository of standards-based vulnerability management data.    
  • Data is represented using SCAP (Security Content Automation Protocol).  
  • This data enables the automation of vulnerability management, security measurement and compliance.  


CWE

  • Common Weakness Enumeration.  
  • A category system for software vulnerabilities and weaknesses.  
  • It has over 600 categories of weaknesses, which enables CWE to be used by the community as a baseline for weakness identification, mitigation and prevention efforts.

Vulnerability Categories

  • Misconfiguration : Improperly configuring a service or application.  
  • Default installation : Failure to change settings in an application that come by default.  
  • Buffer overflow : Code execution flaw.  
  • Missing patches : Systems that have not been patched.
  • Design flaws : Flaws inherent to system design such as encryption and data validation.  
  • Operating System Flaws : Flaws specific to each OS.  
  • Default passwords : Leaving default passwords that come with system/application.

Pen Test Phases (CEH)

  • Pre-Attack Phase : Reconnaissance and data-gathering.  
  • Attack Phase : Attempts to penetrate the network and execute attacks.  
  • Post-Attack Phase : Cleanup to return a system to the pre-attack condition and deliver reports.    

The Five Stages of Ethical Hacking

1. Reconnaissance

Gathering evidence about targets; There are two types of Recon:

  • Passive Reconnaissance : Gaining information about the target computers and networks without direct interaction with the systems. e.g: Google search, public records, news releases, social media, wardriving to scan nearby wireless networks.  
  • Active Reconnaissance : Involves direct interaction with the target, for example making a phone call to the target or attending a job interview; tools like Nmap, Nessus, OpenVAS, Nikto and Metasploit can be considered Active Recon.  

2. Scanning & Enumeration  

Obtaining more in-depth information about targets. e.g: Network Scanning, Port Scanning, Which versions of services are running.

3. Gaining Access  

Attacks are launched in order to gain access to a system. This can be done locally (offline), over a LAN or over the internet. For example, an attacker may use spoofing to pretend to be a legitimate user or a different system, or send a crafted data packet to the target in order to exploit a vulnerability. Many techniques apply: command injection, buffer overflow, DoS, brute-forcing credentials, social engineering, misconfigurations, etc.

4. Maintaining Access  

Items put in place to ensure future access. e.g: A rootkit, trojan or backdoor can be used.    

5. Covering Tracks

Steps taken to conceal the success of the intrusion and avoid being noticed. e.g: Clear the logs; obfuscate trojans or malicious backdoor programs.  

Cyber Kill Chain

There are 7 distinct steps in cyber kill chain

1. Reconnaissance : The attacker collects data about the target and the tactics for the attack. This includes harvesting email addresses and gathering other information. Automated scanners are used by intruders to find points of vulnerability in the system. This includes scanning firewalls, intrusion prevention systems, etc. to get a point of entry for the attack.  

2. Weaponization :  Attackers develop malware by leveraging security vulnerabilities (exploits). Attackers engineer malware based on their needs and the intention of the attack. This process also involves attackers trying to reduce the chances of getting detected by the security solutions that the organization has in place.  

3. Delivery :  The attacker delivers the weaponized malware via a phishing email or some other medium. The most common delivery vectors for weaponized payloads include websites, removable disks, and emails. This is the most important stage where the attack can be stopped by the security teams.  

4. Exploitation :  The malicious code is delivered into the organization’s system. The perimeter is breached here. And the attackers get the opportunity to exploit the organization’s systems by installing tools, running scripts, and modifying security certificates. Most often, an application or the operating system’s vulnerabilities are targeted. Examples of exploitation attacks can be scripting, dynamic data exchange, and local job scheduling, privilege escalation etc. Attackers gain access to privileged accounts and attempt brute force attacks, search for credentials, and change permissions to take over the control.  

5. Installation :  A backdoor or remote access trojan is installed by the malware that provides access to the intruder. This is also another important stage where the attack can be stopped using systems such as HIPS (Host-based Intrusion Prevention System).  

6. Command and Control :  Attacker creates a command and control channel to communicate and pass data back and forth.  

7. Actions on Objectives :  The attacker finally extracts data from the system. The objective involves gathering, encrypting, and extracting confidential information from the organization’s environment.

Three Types of Active Defense

  • Annoyance : Involves tracking a hacker and leading him into a fake server, wasting his time and making him easy to detect.  
  • Attribution : Identify an attacker; uses tools to trace the source of an attack back to a specific location, or even an individual hacker.
  • Attack : The most controversial. To “hack back”, a company accesses an alleged hacker’s computer to delete its data or even to take revenge. Both of these steps are considered illegal.  

Information Assurance (IA)

Refers to the assurance of the Integrity, Availability, confidentiality, and authenticity of information and information systems during usage, processing, storage and transmission of information.  

Processes that help achieving IA:  

  • Developing local policy, process, and guidance.
  • Designing network and user authentication strategy.
  • Identifying network vulnerabilities and threats (Vulnerability assessments outline the security posture of the network).
  • Identifying problems and resource requirements.
  • Creating plan for identified resource requirements.
  • Applying appropriate IA controls.
  • Performing C&A (Certification and Accreditation) process of information systems helps to trace vulnerabilities, and implement safety measures.    
  • Providing information assurance training to all personnel in federal and private org.  

Information Security Management Program

Combination of policies, processes, procedures, standards, and guidelines to establish the required level of information security.

  • Designed to ensure the business operates in a state of reduced risk.  
  • It encompasses all organizational and operational processes and participants relevant to information security.  

IA focus on risk assessment, mitigation side of things; InfoSec focus on actually implementing security measures to safeguard systems.

Enterprise Information Security Architecture

Enterprise Information Security Architecture or EISA is a set of requirements, process, principles, and models that determines the structure and behavior of an organization’s information systems.  

Goals of EISA:

  • Help in monitoring and detecting network behaviors  
  • Detect and recover from security breaches  
  • Prioritizing resources of an organization  
  • Help to perform risk assessment of an organization’s IT assets.  
  • Cost-effective when incorporated in security provisions such as incident response, disaster recovery, event correlation, etc.  

Physical Security Controls

  • Preventive control : Stops the actor from carrying out the threat. e.g: Fence, server locks, mantraps, etc.  
  • Detective control : Recognizes an actor’s threat. e.g: Background check, CCTV.    
  • Deterrent control : Discourages the actor from attempting the threat. e.g: Warning sign.  
  • Recovery control : Mitigates the impact of a manifested threat. e.g: Backups.  
  • Compensating control : Provides alternative fixes for any of the above functions.  

Most security controls are preventive controls.

Defense in Depth

  • Defense in Depth allows for the implementation of security controls at different layers for the whole IT system.  
  • Multiple layers of security controls; Provides redundancy in the event of a control failure.  
  • The Layers are :  

Types of Security Controls  

  • Physical : Guards, lights, cameras, fire extinguishers, flood protection
  • Administrative : Training and awareness, policies, procedures and guidelines for infosec
  • Technical : IDS/IPS, firewall, encryption, smart cards, access control lists
  • Preventative : Authentication, alarm bells
  • Detective : Audits, backups
  • Corrective : Restore operations

Managing the Risk

Risk is the probability that a threat or event occurs and causes damage, loss or other negative impact, arising from internal or external sources.

Risk matrix  

A risk matrix is used during risk assessment to define the level of risk by considering the category of probability or likelihood against the category of consequence severity.

This is a simple mechanism to increase visibility of risks and assist management decision making.

Risk Management  

Is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.

Phases of Risk Management  

  • Risk Identification : Identifies the sources, causes, consequences of the internal and external risks.  
  • Risk Assessment : Assesses the org. risk and provides an estimate on the likelihood and impact of the risk.  
  • Risk Treatment : Selects and implements appropriate controls on the identified risks.  
  • Risk Tracking : Ensures appropriate controls are implemented to handle risks and identifies the chance of a new risk occurring.
  • Risk Review : Evaluates the performance of the implemented risk management strategies. 
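
The risk matrix and the assessment/treatment phases above can be worked through in code. The following Python example is added here and is not from the original notes; it assumes 5-point likelihood and consequence scales and score thresholds for Low/Medium/High/Extreme (a common but not universal choice) and uses a constructed risk register.

```python
# Ordinal scales for the two axes of the matrix (assumed 5-point scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed thresholds on likelihood x consequence; tune these to the organization's risk appetite.
LEVELS = [(15, "Extreme"), (8, "High"), (4, "Medium"), (1, "Low")]


def risk_score(likelihood: str, consequence: str) -> int:
    """Multiply the two ordinal ratings; raises KeyError on an unknown category."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def risk_level(likelihood: str, consequence: str) -> str:
    """Look the score up in the matrix bands (highest band first)."""
    score = risk_score(likelihood, consequence)
    for floor, name in LEVELS:
        if score >= floor:
            return name
    raise ValueError("score below the lowest band")


def build_matrix() -> dict:
    """Render the full matrix as {likelihood: {consequence: level}} for a report."""
    return {lk: {cq: risk_level(lk, cq) for cq in CONSEQUENCE} for lk in LIKELIHOOD}


def prioritize(register: list) -> list:
    """Rank a risk register highest score first (Risk Assessment feeding Risk Treatment).

    Each entry is (name, likelihood, consequence); the result adds level and score.
    Ties keep their register order because Python's sort is stable.
    """
    ranked = [(name, risk_level(lk, cq), risk_score(lk, cq)) for name, lk, cq in register]
    return sorted(ranked, key=lambda item: item[2], reverse=True)


# Constructed register for the example.
SAMPLE_REGISTER = [
    ("Printer toner runs out", "rare", "negligible"),
    ("Tailgating into the office", "unlikely", "minor"),
    ("Lost unencrypted laptop", "possible", "moderate"),
    ("Unpatched public web server", "likely", "major"),
]

if __name__ == "__main__":
    for name, level, score in prioritize(SAMPLE_REGISTER):
        print(f"{score:>2} {level:<8} {name}")
```

The ranked output is the input to Risk Treatment: the top entries get controls first, and re-running `prioritize` after controls are applied (with the reduced likelihood or consequence) is the Risk Tracking step.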

Threat Modeling

Is a risk assessment approach for analyzing the security of an application by capturing, organizing and analyzing all the information that affects the security of an application.

1. Identify Objectives : Helps to determine how much effort needs to be put on subsequent steps.  

2. Application Overview : Identify the components, data flows, and trust boundaries.    

3. Decompose Application : Find more relevant details on threats.  

4. Identify Threats : Identify threats relevant to your control scenario and context using the information obtained in steps 2 and 3.  

5. Identify Vulnerabilities : Identify weaknesses related to the threats found using vulnerability categories.

Security Policies

1. Policies – High-level statements about protecting information; Business rules to safeguard CIA triad; Security Policies can be applied on Users, Systems, Partners, Networks, and Providers. Common Security Policies examples:

  • Password Policy : Meet the password complexity requirements. e.g: Minimum 8 char length, upper and lower case and alphanumerical.  
  • Wireless Security Policy
  • AUP (Acceptable Use Policy) : How to properly use the company’s assets. e.g: “Do’s and Don’ts” with company computers.  
  • Data Retention Policy : e.g: Keep the data for X time.
  • Access Control Policies : e.g: Accessing servers; Firewalls.  

2. Procedures : Set of detailed steps to accomplish a goal; Instructions for implementation

3. Guidelines : Advice on actions given a situation; Recommended, not mandatory

Security Policy Examples  

  • Access Control Policy : This defines the resources being protected and the rules that control access to them.  
  • Remote Access Policy : This defines who can have remote access and defines access medium and remote access security controls.    
  • Firewall Management Policy : This defines access, management and monitoring of firewalls in an organization.  
  • Network Connection Policy : This defines who can install new resources on the network, approve the installation of new devices, document network changes etc.  
  • Password Policy : This defines guidelines for using strong password protection on available resources.  
  • User Account Policy : This defines the account creation process, authority, rights and responsibility of user accounts.  
  • Information Protection Policy : This defines the sensitivity levels of information, who may have access, how it is stored and transmitted, and how it should be deleted from storage media etc.  
  • Special Access Policy : This defines the terms and conditions of granting special access to system resources.  
  • Email Security Policy : This policy is designed to govern the proper usage of corporate email.  
  • Acceptable Use Policy : This defines the acceptable use of system resources.  

Security Policy Types  

1. Promiscuous Policy – This policy usually has no restrictions on usage of system resources.  

2. Permissive Policy – This policy begins wide open and only known dangerous services/attacks or behaviors are blocked. This type of policy has to be updated regularly to stay effective.  

3. Prudent Policy – This policy provides maximum security while allowing known but necessary dangers. This type of policy will block all services and only safe/necessary services are enabled individually. Everything is logged.  

4. Paranoid Policy – This policy forbids everything. No Internet connection or severely restricted Internet usage is allowed.    

Security Policy Creation Steps  

  1. Perform a Risk Assessment
  2. Use security Standards and Frameworks as guide
  3. Get Management and Staff input
  4. Enforce the policy. Use penalties for non-compliance
  5. Publish final draft to entire org.
  6. Have all staff read/sign that they understood policy
  7. Employ tools to help enforce policy
  8. Staff training
  9. Review and update regularly

Incident Management Process

An incident is an event that could lead to loss of, or disruption to, an organization’s operations, services or functions.

Incident management is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future re-occurrence.

  1. Preparation: Select people, assign rules, define tools to handle the incident.
  2. Detection & Analysis: Determine that an incident has occurred (IDS, SIEM, AV, someone reporting, etc).
  3. Classification and Prioritization
  4. Notification: Identify minor and major incident; who and how to notify an incident.
  5. Containment: Limit the damage; Isolate hosts; Contact system owners.
  6. Forensic Investigation: Investigate the root cause of the incident using forensic tools; System logs, real-time memory, network device logs, application logs, etc;
  7. Eradicate & Recovery: Remove the cause of incident; Patch if needed. Recovery: get back into production; Monitor affected systems.
  8. Post-incident Activities: Document what happened and why; Transfer knowledge.

Incident Response Team Duties

  1. Managing security issues by taking a proactive approach towards the customer’s security vulnerabilities.
  2. Developing or reviewing processes and procedures that must be followed.
  3. Managing the response to an incident and ensuring that all procedures are followed correctly in order to minimize and control the damage.
  4. Identifying and analyzing what has happened during an incident, including impact and threat.
  5. Providing a single point of contact for reporting security incidents and issues.
  6. Reviewing changes in legal and regulatory requirements to ensure that all processes and procedures are valid.
  7. Reviewing existing controls and recommending steps and technologies to prevent future incidents.
  8. Establishing relationship with local law enforcement agency, gov. agencies, key partners and suppliers.

Security Information and Event Management

SIEM collects data points from the network, including log files, traffic captures, SNMP messages, and so on, from every host on the network. SIEM gathers all this data into one centralized location and correlates it for analysis to look for security and performance issues, as well as negative trends, all in real time.

  • Aggregation : Collecting data from disparate sources and organizing the data into a single format. Any device within a SIEM system that collects data is called a collector or an aggregator.
  • Correlation : The logic that looks at data from disparate sources and can make determinations about events taking place on your network. (Could be in-band or out-of-band, depending on the placement of the NIDS/NIPS).
    • Alerts – For notification if something goes bad.
    • Triggering – Exceeding thresholds.
  • Normalization : Reorganizes the collected data into consistent tables and fields so that analysis and reporting tools can work more efficiently.
  • WORM (Write Once Read Many) : Log files are precious and are often examined later in an archival way, so they can be stored on write-once media such as WORM drives, which cannot be altered after writing.
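
Aggregation, normalization and correlation are easier to grasp with a concrete rule. The following Python example is added here and is not part of the original notes: it normalizes constructed log lines from two different sources (an sshd syslog line and a CSV export of Windows logon events) into one schema, then applies a correlation rule that alerts when a single source IP accumulates a threshold of failed logins within a time window, counted across hosts and sources. The log lines, hostnames and the assumed year for the syslog timestamps are constructed; the addresses come from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

# sshd failed-login line as written by syslog: no year and no timezone, which is a
# normalization problem in itself (the caller supplies the year below).
SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def normalize_sshd(line: str, year: int = 2024) -> Optional[dict]:
    """Parse an sshd failed-login line into the common schema; None if the line is not one."""
    m = SSHD_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "src_ip": m["ip"], "user": m["user"], "source": "sshd"}


def normalize_windows_csv(line: str) -> Optional[dict]:
    """Parse a constructed CSV export 'timestamp,host,event_id,src_ip,user'; 4625 = failed logon."""
    parts = line.strip().split(",")
    if len(parts) != 5 or parts[2] != "4625":
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": parts[1], "src_ip": parts[3], "user": parts[4], "source": "windows"}


def aggregate(raw_lines: list) -> list:
    """Aggregation + normalization: turn (source, line) pairs into one time-ordered event list."""
    parsers = {"sshd": normalize_sshd, "windows": normalize_windows_csv}
    events = []
    for source, line in raw_lines:
        event = parsers[source](line)
        if event is not None:
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list, threshold: int = 5, window_seconds: int = 60) -> list:
    """Correlation rule: alert when one source IP produces `threshold` failures inside the window.

    Failures are counted across hosts and log sources using a sliding window over each IP's
    time-sorted events, so a spray split between a Linux box and a domain controller still triggers.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["src_ip"]].append(event)

    alerts = []
    for ip, evs in by_ip.items():
        for start in range(len(evs)):
            end = start
            while end < len(evs) and (evs[end]["ts"] - evs[start]["ts"]).total_seconds() <= window_seconds:
                end += 1
            if end - start >= threshold:
                alerts.append({"src_ip": ip, "count": end - start,
                               "hosts": sorted({e["host"] for e in evs[start:end]}),
                               "first_seen": evs[start]["ts"], "last_seen": evs[end - 1]["ts"]})
                break  # one alert per IP is enough to trigger
    return alerts


# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOGS = [
    ("sshd", "Jan 10 10:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 5222 ssh2"),
    ("sshd", "Jan 10 10:00:09 web01 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 5223 ssh2"),
    ("sshd", "Jan 10 10:00:15 web01 sshd[1203]: Accepted password for deploy from 198.51.100.7 port 6000 ssh2"),
    ("sshd", "Jan 10 10:00:21 web02 sshd[1804]: Failed password for root from 203.0.113.5 port 5224 ssh2"),
    ("sshd", "Jan 10 10:00:30 web01 sshd[1205]: Failed password for root from 198.51.100.7 port 6001 ssh2"),
    ("windows", "2024-01-10T10:00:40Z,dc01,4625,203.0.113.5,alice"),
    ("windows", "2024-01-10T10:00:55Z,dc01,4625,203.0.113.5,bob"),
    ("windows", "2024-01-10T10:01:02Z,dc01,4624,198.51.100.7,deploy"),
]

if __name__ == "__main__":
    for alert in correlate(aggregate(SAMPLE_LOGS)):
        print(alert)
```

The rule only works because both sources were normalized to the same `src_ip` and `ts` fields first; without that step the four sshd failures and the two Windows 4625 events would stay in separate tables and neither would cross the threshold on its own.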

Most Popular SIEM Tools:

Identity and Access Management

Identification, Authentication, Authorization, and Accounting work together to manage assets securely.

  1. Identification : The information on the credentials identifies the user. Example: your name, username, ID number, employee number, SSN etc.
  2. Authentication : “Prove you are the legitimate user”. Should always be done with multi-factor authentication! Authentication factors:
    1. Something you know (e.g. password)
    2. Something you have (e.g. smart card)
    3. Something you are (e.g. fingerprint)
    4. Something you do (e.g. Android unlock pattern; handwritten signature)
    5. Somewhere you are (e.g. geolocation)

Multi-factor authentication generally combines two of these factors from different categories (e.g. something you know (1) and something you have (2)), never two from the same category.

  3. Authorization : What you are allowed to access. We use access control models; what and how we implement depends on the organization and its security goals.
    1. Permissions: Applied to resources.
    2. Rights / Privileges: Assigned at system level.
    3. Authorization strategies: Least privilege, Separation of Duties.
  4. Accounting : Trace an action to a subject’s identity. Prove who/what performed a given action (non-repudiation); Logging.

Access Controls Models  

  • Mandatory Access Control (MAC) :
    • Every object gets a label
      • Confidential, secret, top secret, etc
    • The administrator decides who gets access to what security level; Users cannot change these settings
    • Used on old systems (e.g. Top Secret Gov. information)
  • Discretionary Access Control (DAC) :
    • Used in most OS
    • Owner of the data defines access
    • Very flexible access control; Very weak security
  • Role-based Access Control (RBAC) :
    • Access to resources is defined by a set of rules tied to a role in your organization/job function (Manager, Director etc)
    • Administrators provide access based on the role of the user
      • Rights are gained implicitly instead of explicitly
    • In Windows, use Groups to provide role-based access control
      • e.g. Admin Group –> Rights and Perms,
      • Sales Group –> Rights and Perms

Access is defined by an ACL (Access Control List). Implicit deny prevents access unless it is specifically permitted.
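
The RBAC and implicit-deny behaviour described above can be demonstrated in a few lines. The Python example below is added here and is not part of the original notes; the roles, users, resources and ACL entries are constructed placeholders. The `SHARE_ACL` part goes slightly beyond the text by showing an ordered ACL in which an explicit deny placed before a broader role allow expresses an exception.

```python
# Role -> set of (resource, action) grants. Anything not listed is denied (implicit deny).
ROLE_GRANTS = {
    "sales":   {("crm", "read"), ("crm", "write")},
    "manager": {("crm", "read"), ("crm", "write"), ("reports", "read")},
    "admin":   {("crm", "read"), ("crm", "write"), ("reports", "read"),
                ("reports", "write"), ("users", "manage")},
}

# User -> roles, mirroring Windows group membership. "dave" is in no group at all.
USER_ROLES = {"alice": {"sales"}, "bob": {"manager"}, "carol": {"admin"},
              "dave": set(), "erin": {"sales"}}


def rbac_permitted(user: str, resource: str, action: str) -> bool:
    """Rights are gained implicitly through roles; an unknown user or resource yields False."""
    for role in USER_ROLES.get(user, set()):
        if (resource, action) in ROLE_GRANTS.get(role, set()):
            return True
    return False  # implicit deny: nothing matched, so no access


# Ordered ACL entries; the first matching entry wins, and no match means deny.
# The explicit deny for alice sits before the allow for her "sales" role, so it takes precedence.
SHARE_ACL = [
    {"subject": "alice", "resource": "finance-share", "action": "read", "effect": "deny"},
    {"subject": "sales", "resource": "finance-share", "action": "read", "effect": "allow"},
    {"subject": "manager", "resource": "finance-share", "action": "write", "effect": "allow"},
]


def acl_permitted(acl: list, user: str, resource: str, action: str) -> bool:
    """Evaluate an ordered ACL for the user and every role the user holds."""
    subjects = {user} | USER_ROLES.get(user, set())
    for entry in acl:
        if (entry["subject"] in subjects and entry["resource"] == resource
                and entry["action"] == action):
            return entry["effect"] == "allow"
    return False  # implicit deny


def access_report(user: str) -> dict:
    """Summarize what a user can do; useful when reviewing least-privilege assignments."""
    checks = [("crm", "read"), ("reports", "read"), ("users", "manage")]
    return {f"{res}:{act}": rbac_permitted(user, res, act) for res, act in checks}


if __name__ == "__main__":
    for name in USER_ROLES:
        print(name, access_report(name))
```

Note that `carol`, despite holding the admin role, is denied on `finance-share` because the ACL has no entry for her or her role: implicit deny applies to administrators too unless an entry grants them access.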

Data Loss Prevention

Data Loss Prevention (DLP) is the practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data. Organizations use DLP to protect and secure their data and comply with regulations.

  • The DLP term covers defending organizations against both data loss and data leakage.

Organizations typically use DLP to :

  • Protect Personally Identifiable Information (PII) and comply with relevant regulations
  • Protect Intellectual Property critical for the organization
  • Achieve data visibility in large organizations
  • Secure mobile workforce and enforce security in Bring Your Own Device (BYOD) environments
  • Secure data on remote cloud systems

Data Backup

Data backup plays a crucial role in maintaining business continuity by helping org. recover from IT disasters, security breaches, application failures, human error, etc.

Regulatory and compliance frameworks such as COBIT, SSAE, SOC 2, PCI-DSS, HIPAA, SOX, FINRA, FISMA, GDPR, etc. require businesses to maintain backups of critical data for a specified duration.

Backup Strategies

  1. Identifying the critical business data
  2. Selecting the backup media
  3. Selecting a backup technology
  4. Selecting the appropriate RAID levels
  5. Selecting an appropriate backup method

Backup methods

  1. Cold backup :
    • Empty site, no hardware, no data, no people
    • It takes weeks to bring online
    • Basic office space (e.g. building, chairs, AC…)
    • No operational equipment
    • Cheapest recovery site
  2. Warm backup :
    • Somewhere between cold and hot; just enough to get going (big room with rack space, you bring the hardware)
    • Hardware is ready and waiting; you bring the software and data
    • It takes days to bring online
    • Operational equipment but little or no data
  3. Hot backup :
    • Exact replica of production systems
    • Applications and software are constantly updated
    • Flip a switch and everything moves
    • It takes hours to bring online
    • Real-time synchronization
    • Almost all data ready to go; often just a quick update
    • Very expensive

Penetration Test – Basics

A penetration test, colloquially known as a pen test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.

Not to be confused with a vulnerability assessment.

  • Clearly defined, full scale test of security controls
  • Phases
    • Preparation – Contracts and team determined
    • Assessment – All hacking phases (reconnaissance, scanning, attacks, etc.)
    • Post-Assessment – Reports & conclusions
  • Types
    • Black Box – Done without any knowledge of the system or network.
    • White Box – When the attacker has complete knowledge of the system, provided by the owner/target.
    • Gray Box – When the attacker has some knowledge of the system and/or network

Law Categories

  • Criminal – Laws that protect public safety and usually have jail time attached.
  • Civil – Private rights and remedies.
  • Common – Laws that are based on societal customs.

Laws and Standards

OSSTMM Compliance

“Open Source Security Testing Methodology Manual”, maintained by ISECOM, defines three types of compliance.

  • Legislative – Deals with government regulations (such as SOX and HIPAA).
  • Contractual – Deals with industry / group requirements (such as PCI DSS).
  • Standards based – Deals with practices that must be followed by members of a given group/organization (such as ITIL, ISO and OSSTMM itself).

OSSTMM Controls

  • OSSTMM Class A – Interactive Controls
    • Authentication – Provides for identification and authorization based on credentials.
    • Indemnification – Provides contractual protection against loss or damages.
    • Subjugation – Ensures that interactions occur according to processes defined by the asset owner.
    • Continuity – Maintains interactivity with assets if corruption or failure occurs.
    • Resilience – Protects assets from corruption and failure.
  • OSSTMM Class B – Process Controls
    • Non-repudiation – Prevents participants from denying their actions
    • Confidentiality – Ensures that only participants know of an asset
    • Privacy – Ensures that only participants have access to the asset
    • Integrity – Ensures that only participants know when assets and processes change
    • Alarm – Notifies participants when interactions occur


PCI DSS

“Payment Card Industry Data Security Standard” Standard for organizations handling credit cards, ATM cards and other POS cards.

ISO 27001

This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system.

ISO 27002 AND 17799

Based on BS 7799 but focuses on security objectives and provides security controls based on industry best practice.


HIPAA

“Health Insurance Portability and Accountability Act” A law that sets privacy standards to protect patient medical records and health information shared between doctors, hospitals and insurance providers.


SOX

“Sarbanes-Oxley Act” Law that requires publicly traded companies to submit to independent audits and to properly disclose financial information.


DMCA

“The Digital Millennium Copyright Act” is a 1998 United States copyright law that implements two 1996 treaties of the World Intellectual Property Organization. It criminalizes production and dissemination of technology, devices, or services intended to circumvent measures that control access to copyrighted works.


FISMA

“Federal Information Security Modernization Act of 2002” A law updated in 2004 to codify the authority of the Department of Homeland Security with regard to implementation of information security policies. (For government agencies)


Catalogs security and privacy controls for federal information systems, created to help implementation of FISMA.


FITARA

“Federal Information Technology Acquisition Reform Act” A 2013 bill that was intended to change the framework that determines how the US government purchases technology.


COBIT

“Control Objectives for Information and Related Technology” IT governance framework and toolset, created by ISACA and ITGI


GLBA

“U.S. Gramm-Leach-Bliley Act” Law that protects the confidentiality and integrity of personal information that is collected by financial institutions.


CSIRT

“Computer Security Incident Response Team” A CSIRT provides a single point of contact for reporting computer security incidents


ITIL

“Information Technology Infrastructure Library” – An operational framework developed in the ’80s that standardizes IT management procedures
