The Impact of NIST Revision 5 on Cyber Threat Simulation
What’s New With NIST 800-53 and Penetration Testing?
In September of 2020, NIST released Revision 5 to SP 800-53. Now, a year later, the changes will take effect on September 23. A common theme throughout this new revision is real-world simulation becoming an expected cybersecurity best practice for U.S. federal government agencies and contractors.
The world of technology and cybersecurity is rapidly evolving. With new tactics and techniques uncovered every day, organizations need to strengthen the types of tests they employ.
Control Enhancements Related to Pen Test Best Practices
There are three revised controls – AT-2, CA-7, and CA-8 – that have to do with cyber simulation and penetration testing:
1. NIST AT-2: Literacy Awareness and Training
In NIST AT-2, there is narrative about training your employees by putting them through “practical exercises.” What do those practical exercises look like?
NIST’s enhancement narrative explains that social engineering exercises are the most practical way to educate and test your employees. Social engineering is the attempt of an ethical hacker trying to gain unauthorized access, collect information, and/or simulate the impact of opening a malicious email attachment or spear-phishing link.
Most organizations do not put their employees through interactive training. Instead, employees are asked to complete online modules with no practical exercises. To be trained on something, you need to have practiced it. Online module security training is great for educating employees, but that education needs to be incorporated with an applicable real-world scenario for the employee to practice. Think of it like a lecture and then homework. People need to exercise what they learn to be properly trained.
Are you tired of online modules not sticking with your employees? Practice makes perfect. Put them through real-world simulations to test their awareness.
2. NIST CA-7: Continuous Monitoring
The NIST CA-7 narrative emphasizes the importance of continuously monitoring threat trends. A suggested security best practice is the ongoing analysis of today’s common social engineering campaigns.
Once aware of their risk, organizations can then devise a plan to defend against them. They can create educational materials and testing scenarios that educate their employees on common attacks and then implement controls that defend against those sorts of advances.
Is your organization aware of today’s advanced threats and the targeted social engineering campaigns conducted by adversaries? Stay up-to-date and implement proactive controls to defend against today’s most common attacks.
3. NIST CA-8: Penetration Testing
NIST control CA-8 is to conduct penetration testing in a way that realistically simulates scenarios of an adversarial compromise. The enhancements on this control are that organizations should employ an independent pen testing firm, perform red team exercises, and conduct physical facility pen testing.
A best practice advised by NIST is for organizations to be sure that they are receiving a quality, real-world penetration test from a firm that has experience in current adversarial tactics, techniques, procedures, and tools. Most organizations don’t realize the harm in performing automated, monotonous tests. When it comes to the world’s real threats, adversaries use tactics and techniques that are unexpected and persistent. Organizations should hire penetration firms who have the expertise to simulate realistic attacks.
By conducting penetration testing, red team exercises, and physical facility testing, organizations can learn about their vulnerabilities and improve their processes to better secure their organization.
How Can These Revisions Help Your Org?
This catalog of security and privacy controls helps organizations protect operations and assets, individuals, other organizations, and the nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks (NIST).
Many of these controls were updated because cyber threats and breaches are evolving rapidly. Federal regulators want real-world simulations to become a routine part of governmental organizations’ cybersecurity efforts. This new revision gives organizations clear illustrations of what are now considered today’s best security practices.
Simulating real-world threat scenarios can help your organization gain better insight into your vulnerabilities and how to efficiently secure them. It is a proactive approach to security, helping prepare you for the inevitable.
Partner With an Expert
KirkpatrickPrice can partner with you on your journey to compliance with the new NIST Revision 5 standards. Our expert penetration testers and auditors know the ins and outs of cybersecurity, how to pursue compliance, and how to prepare for cyber threats.
NIST 800-53 Revision 5 has accelerated federal organizations to a more secure future. It is a helpful guide to what initiatives are necessary to properly prepare the government supply chain for the modern world’s advancing threats.
To view the NIST 800-53 Rev. 5 updated control catalog, click here.
To analyze the updates between Rev. 4 and Rev. 5, click here.