If you’re starting with implementing security, you’d find it helpful if you had a place to start instead of planning everything from scratch. If you have already implemented security, you’d find it helpful if you had a reference to check if your implementations are enough or how to get better. There are a lot of frameworks and standards that can be of help for both of these needs. In this post, we’ll discuss one of those - NIST SP 800-115.
We’ll start by understanding what NIST is. Then we’ll talk a bit about the NIST cybersecurity framework and who it is for. Finally, we’ll get to NIST SP 800-115 and discuss in brief what this publication covers.
The National Institute of Standards and Technology (NIST) is a physical science laboratory, part of the U.S. Department of Commerce. This institute provides measurements, standards, and guidelines for businesses of all sizes in various technologies and domains such as Chemistry, Climate, Health, Information Technology, and many more. So where does NIST come into the picture in Cybersecurity?
Of all the domains NIST covers, Cybersecurity is one of the most critical. NIST provides a cybersecurity framework that includes a set of guidelines to improve the security of an organization. This framework helps organizations plan their security strategy and provides guidelines and best practices to identify and mitigate security issues.
Let’s take a quick look at the NIST cybersecurity framework.
The NIST cybersecurity framework breaks down security into 5 major aspects (aka core functions):
This function has to do with identifying all the assets of an organization that come under the scope of security implementation. In order to implement/improve security, it’s crucial to identify all the areas that you need to cover. You need to identify all the physical and software assets, environments, existing security implementations, regulatory and compliance requirements, threats, risks, data, and employees and employee groups.
This is where the security implementations occur. After identifying all the areas, you start building defenses against internal and external threats. This function includes training employees, identity management, access control, data security, vulnerability and patch management, maintenance, etc.
No matter how much security you implement, no organization is 100% secure. Therefore you need a system to learn of any incident that might happen.
Detection mostly has to do with using strong monitoring and alerting systems. You need to monitor anomalies behavior, security-critical activities, unauthorized actions, etc. When detected, you need to audit if these activities are expected and take necessary actions.
This and the following function come into play when things go wrong. Before anything else, you need a response plan for when things go wrong. You need to create this plan in advance, define processes, and train employees. When an incident takes place, inform the stakeholders, and contain the attack so that its impact is to a minimum. Use the learnings from the incident to further improve security.
Similar to a response plan, you also need to create a recovery plan and define processes. The goal of this function is to get back things to normal as soon as possible after a cyber incident.
Now that we’ve understood what the NIST cybersecurity framework is about, let’s understand who it is for.
The guidelines that NIST provides act as best practices but it’s not mandatory for every organization to implement them. Therefore, there are 2 questions to be answered.
The first question is to understand who NIST is for and who can use it. As mentioned earlier, the NIST framework provides best practices and it is for businesses of all sizes and various domains. In short, it’s for everyone. Every organization can use NIST guidelines to improve its security.
The second question addresses the entities that MUST adhere to it. It’s mandatory for all federal agencies to comply with the NIST guidelines. In addition to it, contractors working with federal agencies also have to comply with it. Otherwise, they are at risk of losing their contracts.
Some guidelines from NIST are more suitable for certain industries and some are more suitable for certain approaches to improving security. Let’s look into one such specific publication - the NIST SP 800-115.
Security assessment, testing, and security examination are important for 2 main reasons:
As important as these processes are, it’s also crucial how well you execute them. To help with this, NIST Special Publications 800-115 provides technical guidelines for testing and assessment of security.
NIST 800-115 is broken down into multiple chapters covering different aspects of security testing:
This section sets a foundation for security testing and planning. As per NIST SP 800-115, security assessment should consist of the following phases at least:
The standard also defines 3 types of assessment methods.
Testing: Comparing actual behavior with expected behavior.
Examination: Checking, inspecting, reviewing, observing, studying, or analyzing an object to improve understanding of it.
Interview: Discuss with employees of the organization in groups or individually to get clarification.
This section addresses various review techniques such as reviewing documentation, logs, ruleset, and configurations. Additionally, it mentions network sniffing which can be used to identify and analyze targets. And finally, it talks about file integrity checks to check if any system files or critical files have been tampered with.
This section addresses identifying ports, services, and systems in the network. The next step is to identify any security weaknesses in them. The techniques covered in this section are:
This section talks about confirming the existence of a vulnerability and understanding the impact if the vulnerability is exploited. It covers technical weaknesses as well as weaknesses due to lack of awareness and training:
If you don’t plan security assessment planned well, you can end up wasting your resources and still not have achieved what you had in mind. This section is all about how to plan your security assessment process. It provides guidance for:
Execution is what follows after planning and is important for assessors to follow the plan efficiently. If there is a reason to deviate from the plan, the situation should be reviewed to make a decision. This section provides guidelines to execute security assessment smoothly and covers:
As the name suggests, this is what happens after testing. In this phase, the data gathered is converted into action points. Post-testing activities aim at gathering the findings from the previous section and creating a plan to mitigate found vulnerabilities. NIST provides guidelines for the following post-testing activities:
In order to make the best use of the techniques mentioned in NIST SP 800-15, you should have baselines set and the assessor should be trained enough. NIST also mentioned certain baseline skill sets for each of these techniques that one can use.
NIST is one of the most popular places to go to for standards and guidelines. In this post, we covered one such publication that provides guidelines for security assessment and testing - NIST SP 800-115. This standard helps in planning and executing your security testing better and in an efficient manner.
We went about knowing a bit about NIST and its cybersecurity framework. However, the meat of the post was a brief look into the aspects NIST SP 800-115 covers:
There are different approaches you can take for testing. If you’re interested in exploring more, you might want to check out Penetration Testing as a Service.