Within the OSSTMM, the five Limitation classifications are:

Vulnerability is the flaw or error that:
denies access to assets for authorized people or processes
allows for privileged access to assets to unauthorized people or processes
allows unauthorized people or processes to hide assets or themselves within the scope
Weakness is the flaw or error that disrupts, reduces, abuses, or nullifies specifically the effects of the five interactivity controls: authentication, indemnification, resilience, subjugation, and continuity.
Concern is the flaw or error that disrupts, reduces, abuses, or nullifies the effects of the flow or execution of the five process controls: non-repudiation, confidentiality, privacy, integrity, and alarm.
Exposure is an unjustifiable action, flaw, or error that provides direct or indirect visibility of targets or assets within the chosen scope channel.
Anomaly is any unidentifiable or unknown element that has not been controlled and cannot be accounted for in normal operations.
As the CISO, you were presented with a penetration testing report with the following results:
SQL injection in a web services application
A flaw in the web services application that allows an attacker to overwrite memory space in order to gain access (i.e., buffer overflow)
The bank is using weak encryption on its wireless access point within the facility.
The back door of the bank is propped open so employees who smoke can enter and exit for breaks.
The incident response plan is current, but it will be 2 years old in 6 weeks.
The bank’s financial application allows unlimited unsuccessful login attempts.
Create a 1- to 2-page table that lists the issues identified in the penetration test, the classification according to OSSTMM, and in which of the five channels (human, physical, wireless, telecommunications, data networks) the issue occurred.

1 Answer

Final answer:

The penetration testing report identifies issues such as SQL injections and buffer overflows, classified as vulnerabilities occurring within the data networks channel. Weak encryption and unlimited login attempts are weaknesses, with the former in the wireless channel and the latter in the data networks.

Step-by-step explanation:

Penetration Testing Findings Classification

As the CISO evaluating a penetration testing report, I would organize the findings into a structured format aligning with the OSSTMM (Open Source Security Testing Methodology Manual) limitation classifications and identify the channels in which the issues have been detected. Below is a table that lists the identified issues from the report, their respective classifications, and the channels they belong to:

Issue Identified                                              | OSSTMM Classification | Channel
--------------------------------------------------------------|-----------------------|--------------
SQL injection in a web services application                   | Vulnerability         | Data Networks
Buffer overflow in web services application                   | Vulnerability         | Data Networks
Weak encryption on wireless access point                      | Weakness              | Wireless
Back door of the bank propped open                            | Exposure              | Physical
Outdated incident response plan                               | Concern               | Data Networks
Unlimited unsuccessful login attempts on financial application | Weakness              | Data Networks

Each issue is classified into one of the five OSSTMM limitations: vulnerability, weakness, exposure, concern, and anomaly; and is further specified as occurring within human, physical, wireless, telecommunications, or data network channels.

by User Markbarton (7.8k points)