About Fiducia X
Fiducia X is a company that focuses on accelerating our clients’ business performance by providing IT support services related to their information architecture and business processes.
The core business of Fiducia X is to provide trust. Trust that information architecture is efficient, secure and operable, trust that business processes provide the crucial management information for which they are designed. That’s also where the name comes from – translated liberally from Latin, fiducia means trust or confidence. The X comes from our office address: the Roman numeral for 10 is X.
Fiducia X was founded on January 1st, 2011.
Methodologies
Fiducia X employs various methodologies specific to the services offered.
OPEN SOURCE SECURITY TESTING METHODOLOGY MANUAL (OSSTMM)
Fiducia X uses the Open Source Security Testing Methodology Manual (OSSTMM) as the preferred methodology for security audits and adheres to it strictly where relevant.
The OSSTMM is a peer-reviewed methodology for performing security tests and metrics.
More about the OSSTMM...
“Fact does not come from the grand leaps of discovery but rather from the small, careful steps of verification. That is the premise of the Open Source Security Testing Methodology Manual also known as the OSSTMM (pronounced as “awstem”). It is a peer-reviewed manual of security testing and analysis which results in verified facts. These facts provide actionable information that can measurably improve your operational security. By using the OSSTMM you no longer have to rely on general best practices, anecdotal evidence, or superstitions because you will have verified information specific to your needs on which to base your security decisions. One way to assure a security analysis has value is to know it has been done thoroughly, efficiently, and accurately. For that you need to use a formal methodology. The OSSTMM aims to be it.
The OSSTMM is about operational security. It is about knowing and measuring how well security works. This methodology will tell you if what you have does what you want it to do and not just what you were told it does.
What you get from utilizing OSSTMM is a deep understanding of the interconnectedness of things. The people, processes, systems, and software all have some type of relationship. This interconnectedness requires interactions. Some interactions are passive and some are not. Some interactions are symbiotic while others are parasitic. Some interactions are controlled by one side of the relationship while others are controlled by both. We may try to control what we can’t trust but even then some controls are flawed or superfluous, which is harmful to at least one side of the relationship, if not both.
What we want is that our controls balance perfectly with the interactions we want or need. So when we test operations we get the big picture of all our relationships, coming and going. We get to see the interconnectedness of the operations in fine detail and we get to map out what makes us, our business, and our operations what they are and can be.
Why test operations? Unfortunately, not everything works as configured. Not everyone behaves as trained. Additionally, more and more things are built from pre-fabricated constructs of materials, or source code from pre-defined libraries, or as in the case for training people, from pre-existing experiences. The new builders are only aware of what they put together and not how the pre-fabricated parts work in a new environment with new variables and in new ways. Therefore the truth of configuration and training is in the resulting operations. Nothing can tell us more about how we can fulfill objectives or follow a strategic vision than how we do what we are doing now. And that knowledge allows us to control what interactions we want. That’s why we need to test operations.”
– Pete Herzog, Co-Founder & Managing Director ISECOM
If you would like to learn more about the OSSTMM, check out their website.
OSSTMM PROFESSIONAL SECURITY TESTER ACCREDITED CERTIFICATION (OPST)
All security testers and analysts employed by Fiducia X on projects and assignments are OPST certified.
The OPST is a certification of applied knowledge designed to improve the work done as a professional security tester. This is an important certification for those who want or need to prove they can walk the walk in security testing, the discipline which covers network auditing, ethical hacking, web application testing, intranet application testing and penetration testing.
More about OPST...
The certificate requires mastering the application of the following security testing skills:
- Rules of Engagement
The ability to apply the rules of engagement, as outlined in the latest version of the OSSTMM, to various scenarios.
- Assessment
The ability to properly and legally determine the target scope through public services, and to determine types of hosting, service providers, peering partners, and any active intrusion detection or service redundancy implementations.
- Logistics
The ability to quickly assess flaws or limitations in the network between the tester and the target, gauge appropriate testing speed and efficiency, and decipher network and service protection techniques and loss controls. The ability to quickly and scientifically develop new test types and evaluations to assess uncalculated test responses and anomalies.
- Enumeration
The ability to accurately and efficiently send and receive packets of any type in the myriad ways required by the OSSTMM. The ability to use any appropriate packet tool while understanding the functioning of the tool and its limitations. The ability to recognize enumeration techniques, flaws, and fallacies.
- Application
The ability to operate within established loss controls (e.g. SSL encryption, load balancing, port forwarding, NAT) to identify services, applications, and protocols. The ability to properly and independently choose the appropriate tool and protocol for each test.
- Identification
The ability to correctly and accurately identify operating system types and versions through packet and service data correlation, with and without the use of fingerprinting tools. The ability to discover unknowns and satisfactorily explain anomalies in a scientific manner.
- Verification
The ability to apply scientific methodology to the process of vulnerability and weakness identification and verification for an accurate determination of security limitations. The ability to map known exploits to services. The ability to discover exploits of known vulnerabilities for verification. The ability to classify new security limitations appropriately.
OSSTMM PROFESSIONAL SECURITY ANALYST ACCREDITED CERTIFICATION (OPSA)
All security analysts employed by Fiducia X on projects and assignments are OPSA certified.
The OPSA is a certification of applied knowledge designed to improve the work done as a professional security analyst. This is an important certification for those who want or need to prove they can walk the walk in data network security analysis, the discipline which covers critical security evaluations and decision-making required in both technical and management fields.
Also, it is a critical, eye-opening class for CISOs, CIOs, CSOs, security auditors, system forensics examiners, network engineers, system and network administrators, developers, network architects, security analysts, and truly anyone who works in IT from systems to networks.
Michael Barbier has gained this certificate with a seal of excellence.
More about OPSA...
The certificate requires mastering the application of the following security analysis skills:
- Rules of Engagement
The ability to apply the rules of engagement, as outlined in the latest version of the OSSTMM, to various scenarios.
- Assessment
The ability to properly determine the appropriate and legally/regulatory compliant data network security required according to environment, vectors, and channel, as defined by the OSSTMM.
- Logistics
The ability to discern forged, incomplete, or poorly collected security information from logs and reports. The ability to quickly assess logs and reports for tampered data, anomalies, flaws or limitations in the network between the tester and the target, and to calculate measurements on network and service protection techniques and loss controls. The ability to quickly and scientifically design new test types and evaluations to assess uncalculated test responses and anomalies.
- Metrics
The ability to accurately calculate and measure scope, protection, and loss controls according to the OSSTMM. The ability to analyze enumeration techniques and discern flaws and fallacies which hinder a thorough test. The ability to build event cases based on flawed, limited, or incomplete data.
- Correlation
The ability to correctly and accurately correlate information, differentiate legitimate from forced patterns, substantially minimize bias, and satisfactorily explain anomalies in a scientific manner.
- Verification
The ability to discern legitimacy in security by applying scientific critical thinking skills. The ability to discern anecdotal evidence sources from factual sources. The ability to discern information that must be publicly available from that which should remain private.
- Application
The ability to analyze required or existing loss controls (e.g. encryption, redundancy, authorization banners, protocol types) according to services, applications, and protocols from logs, reports, and off the wire. The ability to identify the strength of a security application according to operation and environment.
- Reporting
The ability to classify new security limitations appropriately. The ability to create an OSSTMM Audit Report.
INTERNATIONAL PROJECT MANAGEMENT ASSOCIATION C-LEVEL CERTIFIED PROJECT MANAGER
When participating in project management or consultancy assignments, Fiducia X employs an IPMA C-Level Certified Project Manager.
IPMA is an international federation and umbrella organisation for national project management associations from 55 countries. IPMA represents its Member Associations on the global level. IPMA plays a leading role in the development and promotion of the project management profession, providing standards and guidelines for the work of a wide range of project management talent through the IPMA Competence Baseline (ICB®).
IPMA C-Level Project Managers have spent three of the past six years in a responsible leadership position in the management of projects.
FIDUCIA X SUPPORTS THE OPEN WEB APPLICATION SECURITY PROJECT (OWASP)
Fiducia X wholeheartedly supports the OWASP project and adheres to OWASP best practices and guidelines wherever possible and applicable.
The Open Web Application Security Project (OWASP) is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. OWASP’s mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks.
If you would like to learn more about the OWASP project, check out their website.