Regular Security Assessments Part of New Cyber Resilience Guidelines
The National Institute of Standards and Technology (NIST) has released the first-ever revision to its flagship cyber resiliency guidelines, with a host of new recommendations to help organizations defend themselves from increasingly sophisticated cyberattacks such as advanced persistent threats (APTs). Among recommendations in the 264-page document published on Aug. 5 is the regular use of network security assessments to maintain “situational awareness” of potential threats to networks and dependent systems.
NIST officials said the new guidelines come partly in response to a dramatic increase in stealthy APT attacks that linger in networks for months or even years, taking control of systems and harvesting data and credentials. The agency said the recommendations mark a shift away from traditional perimeter-based security and toward an “inside out” strategy of defending systems from within.
Assessments play an essential role in this shift. They are designed to help organizations evaluate their security posture from the perspective of a would-be attacker. Information gathered in the assessment process will help identify potential risks and vulnerabilities and serve as the basis for an organization-wide remediation and incident-response plan.
NIST’s Cybersecurity Framework provides common guidelines and practices against which an organization’s security can be assessed. No two assessments are alike, but the process typically includes four distinct types of testing, each building on the results of the one before it:
Posture Assessment. This is the first step in the process, designed to provide a high-level view of existing security controls. It should include a thorough inventory of all IT assets, including on-premises, cloud, mobile and third-party assets, as well as a detailed record of the security controls currently in place. The assessment team will also interview business executives and other key stakeholders to establish the business value of specific applications and data, so that mission-critical systems receive the strongest controls and the highest remediation priority. Because this inventory defines the scope of everything that follows, an asset that is missing from it will also be missing from the scans and tests.
Vulnerability Assessment. The objective of this test is to develop a comprehensive list of system vulnerabilities. Typically, auditors use a variety of automated tools to conduct internal and external network scans that identify specific weaknesses: open services, missing patches, weak configurations and outdated software versions. They then provide a detailed report that describes each finding, how an attacker might exploit it, and what kind of damage could result. Raw scanner severity is only a starting point; findings should be prioritized by how exposed and exploitable they are and by the business value of the affected asset established in the posture assessment.
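As an added illustration of how the posture inventory and the vulnerability scan fit together, the Python below parses a constructed Nmap XML report, reconciles the discovered hosts against a constructed asset inventory, and emits prioritized findings. This is example code written for this page, not code from the article, from SSD or from any NIST publication; the scan output, the asset inventory, the allowed-port baseline and the high-risk service list are all made-up assumptions.

```python
"""Added example: turn scanner output into assessment findings.

All data below is constructed for illustration; it is not from the original
article or from any NIST document.
"""
import xml.etree.ElementTree as ET

# Constructed Nmap XML output (as produced by `nmap -sV -oX`) covering three hosts.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/28">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.20.1"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.14" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed asset inventory from the posture assessment (hypothetical baseline
# of which services each host is sanctioned to expose).
INVENTORY = {
    "10.0.0.5": {"owner": "web team", "allowed_ports": {22, 443}},
    "10.0.0.9": {"owner": "desktop support", "allowed_ports": {3389}},
}

# Hypothetical rule: cleartext or legacy file-sharing services are always flagged.
HIGH_RISK_SERVICES = {"ftp", "telnet", "microsoft-ds", "rpcbind"}


def parse_nmap(xml_text):
    """Return {addr: [(port, service_name, banner), ...]} for hosts that are up,
    keeping only ports Nmap reported as open."""
    hosts = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            banner = ""
            if svc is not None:
                banner = " ".join(filter(None, [svc.get("product"), svc.get("version")]))
            open_ports.append((int(port.get("portid")), name, banner))
        hosts[addr_el.get("addr")] = sorted(open_ports)
    return hosts


def assess(hosts, inventory, high_risk=HIGH_RISK_SERVICES):
    """Reconcile discovered hosts against the inventory and return
    (severity, addr, port_or_None, message) findings."""
    findings = []
    for addr, ports in sorted(hosts.items()):
        if addr not in inventory:
            # A live host nobody knows about is an inventory gap, not just a vuln.
            findings.append(("HIGH", addr, None, "host not in asset inventory (shadow IT?)"))
        allowed = inventory.get(addr, {}).get("allowed_ports", set())
        for port, name, banner in ports:
            if name in high_risk:
                findings.append(("HIGH", addr, port, f"high-risk service exposed: {name} {banner}".strip()))
            elif addr in inventory and port not in allowed:
                findings.append(("MEDIUM", addr, port, f"unexpected open port: {name} {banner}".strip()))
    # Inventoried assets that did not answer the scan are a coverage gap to chase,
    # not a vulnerability; report them so the scan scope can be corrected.
    for addr in sorted(set(inventory) - set(hosts)):
        findings.append(("INFO", addr, None, "inventoried host not seen by scan"))
    return findings


if __name__ == "__main__":
    for sev, addr, port, msg in assess(parse_nmap(SAMPLE_NMAP_XML), INVENTORY):
        print(f"[{sev}] {addr}{':' + str(port) if port else ''} {msg}")
```

Run against the constructed data, the script flags the unknown host 10.0.0.14 and its FTP service, and the SMB service on 10.0.0.9 that the inventory does not sanction; the filtered port on 10.0.0.14 is ignored because only open ports are findings. The INFO path shows how a host that exists in the inventory but never answered the scan is surfaced as a scope problem rather than silently counted as clean.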
Penetration Test. Penetration tests, or pen tests, are ethical hacking exercises in which authorized security professionals launch simulated attacks on your network to show how would-be attackers would likely exploit the vulnerabilities that were found. Testers often begin with social engineering, Internet research and other reconnaissance to gather information, then probe the network for weaknesses before launching a variety of exploits to see how far they can get and how much damage they could cause. The scope, targets and permitted techniques are agreed in writing beforehand so that testing does not disrupt production systems. Once the test is complete, the testers remove any accounts, tools or changes they introduced and deliver a detailed report of their findings and the path they took.
Red Teaming. Red team operations are also ethical hacking exercises, but they are designed to test your organization’s detection and response capabilities rather than to enumerate vulnerabilities. Most emulate an APT: the team pursues a specific objective, attempts to defeat particular controls, and moves through the network as quietly as possible. Unlike a pen test, the defenders get no advance warning, so the exercise measures whether the intrusion is noticed at all and how quickly it is contained. Within the agreed rules of engagement, red teams will use any means available, including social engineering, to gain access and reach sensitive data without being discovered.
All four assessments help organizations boost their overall security, with a particular focus on threats that have already gotten past perimeter defenses. SSD can assist you with these tests as part of our comprehensive managed IT program. Contact us to learn how regular assessments can help you achieve cyber resilience.