4 September, 2019
What is NIST Penetration Testing?
NIST (the National Institute of Standards and Technology) is an agency of the US Department of Commerce. Under the Federal Information Security Management Act of 2002 (FISMA), it is responsible for developing standards and guidelines for information security, including minimum security requirements for US federal information systems. The guidance documents published by NIST are generally more prescriptive than most other information security guidance.
Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, was first published in 2005 and has been revised four times since. The fourth revision (NIST SP 800-53 Rev 4) was published in April 2013, with its last update (an errata release) in January 2015. Although it is mandatory for federal systems, nongovernmental organizations are free to adopt the publication voluntarily.
The fourth revision takes a more holistic approach to an organization’s information security and risk management, prescribing a wide range of security controls to improve the security and resiliency of information systems against cyber attacks. This revision also introduced the concept of overlays: a structured way to tailor the control baselines and design specialized security plans for particular communities, technologies, or environments.
Other additions in this revision include explicit assumptions underlying the security controls, expanded guidance on selecting and implementing controls, and enhanced descriptions of the security and privacy controls.
Penetration Testing under NIST SP 800-53
The publication does not define a pentest methodology of its own (that is the subject of NIST SP 800-115). Instead, Appendix B, the glossary, defines penetration testing as a test methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system. Beyond the definition, there is a dedicated control for penetration testing: CA-8.
The control states that the organization conducts penetration testing at an organization-defined frequency on organization-defined information systems or system components. In other words, the organization itself determines both the frequency and the scope of its penetration testing exercises when implementing this control. The Supplemental Guidance for the control explains what NIST means by “penetration testing”.
Supplemental Guidance for CA-8: Penetration Testing
The Supplemental Guidance describes penetration testing as a specialized type of assessment conducted on an organization’s information systems or individual system components to identify vulnerabilities that could be exploited by adversaries.
A penetration test can be used either to validate vulnerabilities that have already been identified or to determine the degree of resiliency of the organization’s information systems. It reproduces the steps attackers take when mounting cyber attacks against organizations. Its scope can include the hardware, software, and firmware components of an organization’s information systems, and the test is generally associated with the tools, techniques, and procedures that attackers are anticipated to employ. CA-8 lists SA-12 (Supply Chain Protection) as a related control.
Control Enhancements for CA-8: Penetration Testing
CA-8(1): Independent Penetration Agent or Team
Under this enhancement, the organization employs an independent penetration agent or penetration team to perform penetration testing on its information systems or system components. Independent agents or teams can carry out impartial penetration testing. Impartiality here means that they are free from any actual or perceived conflict of interest with respect to the development, operation, or management of the information systems that are in the scope of the test.
CA-8(2): Red Team Exercises
CA-8(2) states that the organization employs organization-defined red team exercises to simulate attempts by adversaries to compromise organizational information systems in accordance with organization-defined rules of engagement. The organization is therefore free to select the appropriate red team exercises and to define the rules of engagement that constrain them.
In Appendix B, a “red team exercise” is defined as an exercise, reflecting real-world conditions, that is conducted as a simulated adversarial attempt to compromise organizational missions and/or business processes, in order to provide a comprehensive assessment of the security capability of the information system and the organization.
Building on that definition, the Supplemental Guidance adds that red team exercises can include technology-focused attacks (interactions with hardware, software, firmware, and/or business processes) as well as social engineering attacks such as email interactions with employees, telephone conversations, shoulder surfing, and personal conversations. Because penetration testing may be laboratory-based, red team exercises give an organization a more comprehensive assessment of its security posture under real-world conditions. They can also be used to improve security awareness and training programs and to assess the effectiveness of the organization’s security controls.