
Is a bad lock on a door better than no lock at all?



Bad controls can increase the attack surface significantly compared to having no controls at all.


While a minimal physical barrier might offer a sliver of deterrence, a poorly implemented security control can widen the attack surface relative to having no control at all: the control itself becomes something an attacker can study, abuse and bypass.


This is because flawed controls can introduce new vulnerabilities and provide a false sense of security, making systems more susceptible to exploitation.


Poorly implemented authentication can introduce bypass vulnerabilities. Password-reset flows, "remember me" tokens and single-sign-on callbacks are all code paths that would not exist without the control, and every one of them is an access point that can be opened by a flaw in its implementation.
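As an added illustration (not code from the original post), the following constructed example shows a "remember me" cookie, a convenience control that adds a new access path. The naive version is a pure base64 claim that anyone can mint, so it is an authentication bypass the site would not have if it simply required a fresh login. The hardened version (an assumed design, not a reference to any specific product) signs the claims with a server-side key, adds an expiry, and compares the tag in constant time; the function and cookie names are illustrative.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def naive_issue(user: str, role: str) -> str:
    """Flawed control: the cookie is just base64 of 'user:role'."""
    return base64.urlsafe_b64encode(f"{user}:{role}".encode()).decode()


def naive_verify(cookie: str) -> Optional[dict]:
    """Flawed check: trusts whatever the client sends, no key, no integrity."""
    try:
        user, role = base64.urlsafe_b64decode(cookie.encode()).decode().split(":", 1)
    except Exception:
        return None
    return {"user": user, "role": role}


def forge_admin_cookie() -> str:
    """Attacker's move against the naive scheme: no credentials needed."""
    return naive_issue("alice", "admin")


# Hardened scheme (assumed design): HMAC-SHA256 over a JSON payload with expiry.
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to clients


def signed_issue(user: str, role: str, ttl_seconds: int = 3600,
                 key: bytes = SERVER_KEY, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    payload = json.dumps({"u": user, "r": role, "exp": int(now + ttl_seconds)},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def signed_verify(cookie: str, key: bytes = SERVER_KEY,
                  now: Optional[float] = None) -> Optional[dict]:
    now = time.time() if now is None else now
    try:
        p64, t64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(p64.encode())
        tag = base64.urlsafe_b64decode(t64.encode())
    except Exception:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: a forged or modified payload fails here.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < now:  # expired cookies are rejected too
        return None
    return {"user": claims["u"], "role": claims["r"]}


def forge_signed_admin_cookie(victim_cookie: str) -> str:
    """Attacker tampers with a real cookie, promoting the role but keeping the old tag."""
    p64, t64 = victim_cookie.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(p64.encode()))
    claims["r"] = "admin"
    tampered = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(tampered).decode() + "." + t64


if __name__ == "__main__":
    print(naive_verify(forge_admin_cookie()))          # admin access with no login
    legit = signed_issue("alice", "user")
    print(signed_verify(legit))                         # alice as user
    print(signed_verify(forge_signed_admin_cookie(legit)))  # None: forgery rejected
```

The point is not that signing is hard; it is that the naive cookie is an access point that did not exist before the feature was added. A tester following the page's reasoning should treat every such convenience control as part of the attack surface.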


A flawed encryption mechanism can provide a false sense of data protection while being easily broken, leaving sensitive information more exposed than if it had been stored unencrypted with that exposure known and handled.


I've seen companies implement an encryption mechanism believing they had addressed security. The critical oversight was that the chosen encryption method was already compromised and insecure.
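As an added illustration of the two paragraphs above (not code from the original post or from any company mentioned), here is a constructed homebrew "encryption" scheme of the kind that gets deployed in good faith: repeating-key XOR over JSON records. The method, not the implementation, is what is broken. An attacker who knows a single fixed prefix of the plaintext (here the field name every record starts with) recovers the key and decrypts every record. The key, records and function names are all constructed for the example.

```python
import json
from itertools import cycle
from typing import List, Optional

# Constructed sample data and a constructed 16-byte "secret".
KEY = b"s3cr3t-k3y-2025!"
RECORDS = [
    {"customer_id": "C-1001", "card_last4": "4242", "ssn": "078-05-1120"},
    {"customer_id": "C-1002", "card_last4": "0005", "ssn": "219-09-9999"},
    {"customer_id": "C-1003", "card_last4": "1117", "ssn": "457-55-5462"},
]
# Every record serialises to JSON starting with this 16-byte prefix.
KNOWN_PREFIX = b'{"customer_id":"'


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """The flawed scheme: XOR each byte with the key, repeating the key. Also decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encrypt_records(records: List[dict], key: bytes) -> List[bytes]:
    """What the 'protected' database holds."""
    return [xor_encrypt(json.dumps(r, separators=(",", ":")).encode(), key)
            for r in records]


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: c = p XOR k, so k = c XOR p for the first key_len bytes."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def break_records(ciphertexts: List[bytes], known_prefix: bytes,
                  max_key_len: int = 32) -> Optional[List[dict]]:
    """Attacker without the key: try each key length the known prefix allows and
    keep the candidate key under which every record decrypts to valid JSON."""
    for key_len in range(1, min(max_key_len, len(known_prefix)) + 1):
        key = recover_key(ciphertexts[0], known_prefix, key_len)
        try:
            return [json.loads(xor_encrypt(c, key).decode("utf-8")) for c in ciphertexts]
        except ValueError:  # UnicodeDecodeError and JSONDecodeError are both ValueErrors
            continue
    return None


if __name__ == "__main__":
    stored = encrypt_records(RECORDS, KEY)
    recovered = break_records(stored, KNOWN_PREFIX)
    print("key recovered:", recover_key(stored[0], KNOWN_PREFIX, 16) == KEY)
    print("records recovered:", recovered == RECORDS)
```

The lesson for the audit is that "we encrypt the column" answers nothing until the scheme is named and checked: a vetted authenticated cipher (AES-GCM or ChaCha20-Poly1305 from a maintained library, with a unique nonce per record) would not yield to this, and a scheme like the one above is worse than clear text because nobody is watching the data they believe is protected.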


The Open Source Security Testing Methodology Manual (OSSTMM), published by ISECOM, is designed to address these complexities by providing a comprehensive framework for identifying and assessing all potential attack vectors, including those created by inadequate security measures.


The OSSTMM offers several key benefits for conducting thorough and effective penetration testing:


Comprehensive and Standardized Approach: The OSSTMM provides a structured, well-defined methodology that covers the various aspects of security testing, ensuring a consistent and comprehensive approach to identifying vulnerabilities across different domains.


The OSSTMM is one of the most widely referenced methodologies for security assessment across all domains, from physical to network to operational security.


As of 2025, it is still one of the most comprehensive methodologies available for any organization looking to perform a holistic security audit.


Security Metrics: OSSTMM comes with a quantitative metric, the rav, that balances the attack surface (visibility, access and trust) against the controls in place and their limitations. It gives organizations a benchmark for tracking their security posture between tests and over time.


End-to-end security testing: OSSTMM tests all aspects of the organization's security, from physical infrastructure to digital assets, so that no vulnerabilities remain unaccounted for.



Real-World Scenarios: OSSTMM promotes testing systems against real-world attack scenarios, simulating how a malicious actor might target the organization.



Independence: OSSTMM is vendor-neutral, so the assessment is driven strictly by the organization's security needs rather than by a particular tool or product.


For businesses in search of a full security audit, I recommend the OSSTMM methodology for its all-around approach to finding vulnerabilities across multiple systems and attack vectors.


Focus on All Attack Vectors: Unlike some penetration testing approaches that might focus solely on technical vulnerabilities, the OSSTMM emphasizes the importance of evaluating all potential attack vectors.


This includes human factors, physical security weaknesses, and procedural flaws, providing a more realistic assessment of an organization's overall security posture.


Clear Metrics and Reporting: The OSSTMM defines specific metrics and reporting guidelines, allowing for clear and quantifiable results. This helps stakeholders understand the identified risks and prioritize remediation efforts effectively. The structured reporting also facilitates comparisons across different tests and over time.


Emphasis on Legal and Ethical Considerations: The framework stresses the importance of conducting penetration testing in a legal and ethical manner, with proper authorization and adherence to relevant regulations. This helps testers operate responsibly and avoid unintended consequences.


Open and Adaptable: As an open-source framework, the OSSTMM is transparent and can be adapted to specific organizational needs and testing scenarios. This flexibility allows testers to tailor their approach while still adhering to a robust methodology.


Holistic Security Understanding: OSSTMM gives penetration testers a deeper understanding of the interconnectedness of different security controls and how weaknesses in one area can be exploited to compromise others. This holistic perspective leads to more insightful findings and recommendations.


Improved Communication: The standardized terminology and structure of the OSSTMM facilitate clearer communication between penetration testers and the organization being tested. This ensures that findings are understood and acted upon effectively.


In essence, the OSSTMM provides a deep, structured blueprint for penetration testing, so that assessments go beyond surface-level vulnerabilities and into the underlying weaknesses that could truly compromise an organization's security.


It helps testers think like attackers and identify all potential pathways to exploitation, including those inadvertently created by flawed security controls.


For organizations truly committed to a robust security posture, embracing the OSSTMM's comprehensive framework is a critical step.



Phoenix


