How NIST SP 800-115 Informs Information Security Practices

by Sarah Harvey / October 17th, 2019

What is NIST?

The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce. Its goal is to be a leader in innovation and technology by providing fair standards and solutions.

The core competencies of NIST are measurement science, rigorous traceability, and development and use of standards. These core competencies influence the reliability of the information produced by the organization. As a giant in the industry, NIST has an opportunity to provide quality principles that can be used by organizations to develop secure information security practices and perform security testing.

NIST publishes documents that help information security specialists develop strategies and methodologies. One of these, NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment, is used in planning and designing proper security processes and procedures.

For penetration testing, NIST SP 800-115 is a valuable guide that can shape the methodology pen testers use when testing for organizational vulnerabilities.

NIST Special Publication 800-115 and Penetration Testing

NIST SP 800-115 is an overview of the key elements of security testing. It isn’t a comprehensive guide, but it does direct organizations on how to plan and conduct technical information security testing, analyze the findings, and develop remediation strategies.

This guidance on NIST methodology includes:

  • Security Testing and Examination Overview
    • Policies
    • Roles
    • Methodologies
    • Techniques
  • Review Techniques
    • Documentation Review
    • Log Review
    • Ruleset Review
    • System Configuration Review
    • Network Sniffing
    • File Integrity Checking
  • Target Identification and Analysis Techniques
    • Network Discovery
    • Network Port and Service Identification
    • Vulnerability Scanning
    • Wireless Scanning
  • Target Vulnerability Validation Techniques
    • Password Cracking
    • Penetration Testing
    • Social Engineering
  • Security Assessment Planning
    • Developing a Security Assessment Policy
    • Prioritizing and Scheduling Assessments
    • Selecting and Customizing Technical Testing and Examination Techniques
    • Determining Logistics of the Assessment
    • Developing the Assessment Plan
    • Addressing Any Legal Considerations
  • Security Assessment Execution
    • Coordination
    • Assessment
    • Analysis
    • Data Handling
  • Post-Testing Activities
    • Mitigation Recommendations
    • Reporting
    • Remediation

The detailed guidance provides necessary explanations for many major components of security testing. Because of NIST SP 800-115, your organization can trust qualified audit firms to perform security testing that complies with a set of guidelines that is accepted across the industry.

The NIST SP 800-115 guidance is useful in providing structure to information security testing, but it is not meant to be a substitute for proper security procedures and processes.

Instead, NIST SP 800-115 should be helpful in testing that your organization’s security controls are as secure as you expect them to be. For that reason, penetration testers gravitate to the principles taught in NIST SP 800-115 when developing their testing, as it gives clear guidance for seeking out vulnerabilities.
