ISO/IEC 27001 helps organizations prove that they have implemented best practices in their security and data protection programs. Office 365 has been verified to meet the rigorous set of physical, logical, process, and management controls defined by ISO 27001:2013. This also includes ISO 27018 Privacy controls in the most recent audit. [...]
NIST is a well-known foundation in the IT sector that created many standards and one of them is NIST penetration testing guidelines.
The US National Institute of Standards and Technology has created countless standards that everyone can relate to.
The definition of cloud is a well-known example of this. The description of NIST has been adopted by suppliers and customers. By now we don’t even know that most cloud terms come from that institute.
What is the difference between a Standard and a Framework?
First of all, the difference between a framework and a standard. A framework is a conceptual structure that provides insight into how the mutual components relate to each other.
Standards serve an entirely different purpose, namely standardization of best practices. In standards, you will therefore find concrete control measures that you can or want to comply with.
The Cybersecurity Framework (CSF) was developed by NIST. Under Obama, in 2013, NIST was given the task of developing a cybersecurity framework. And recently by Biden again. Some examples of security-related frameworks: NIST CSF, and COBIT.
NIST penetration testing methodology
The purpose of the guidelines NIST provided for penetration testing is to support organizations in planning and conducting these types of assessments and develop mitigation strategies for the findings.
The following phases shown in the diagram are the main phases for a NIST compliant penetration test.
The penetration test could be completed from several viewpoints. For example, external attacker or malicious insider.
These two viewpoints are commonly known as external and internal penetration testing, the external tests cover the exposure of systems to attacks from an external attacker.
This can include identifying public assets, domains, and IP addresses related to an organization and trying to break into them with techniques used by real hackers.
On the other hand, an internal penetration test covers an insider viewpoint where an attacker already has access to the internal network/systems and is trying to find a way to get access to other networks/systems or escalate her privileges by exploiting misconfigurations and vulnerabilities.
External and internal penetration testing types should be considered to comply with NIST penetration testing guidelines.
NIST also recommends doing security reviews in addition to the security testing, this is done by providing access for the security experts to documentation, systems, code, logs, firewalls, and IDS/IPS configuration.
This is usually done in what we call a white-box penetration test which allows the tester to passively review the security configurations and identify weaknesses that she can exploit.
This is not only supporting identifying weaknesses in a more efficient way but also improves the testing process as the tester will have more knowledge about the systems she is testing.
NIST penetration testing planning
NIST points out the criticality of planning to a successful security assessment, the planning phase is used to gather the information needed for assessment execution such as the assets to be assessed, the threats of interest against the assets, and to develop the assessment approach.
A NIST penetration testing project should include the following in the planning phase:
- team roles and responsibilities
- success factors
During the planning phase, rules of engagement are identified and management approval is obtained and documented.
Information gathering techniques
In NIST penetration testing guidelines, there is a full section on identification and information gathering techniques.
It starts with network discovery, recommending passive and active information gathering on the targets. It is very important during this phase to consider which techniques will succeed against firewalls and intrusion detection systems without drawing the attention of security administrators in a very stealthy manner.
The next step after identifying the targets, ports, and services running on them is vulnerability scanning, this can help identify outdated software versions, missing patches, and misconfigurations, and validate compliance with or deviations from an organization’s security policy.
This is done by identifying the operating systems and major software applications running on the hosts and matching them with information on known vulnerabilities stored in the scanners’ vulnerability databases.
Vulnerability scanners can:
- Check compliance with host application usage and security policies
- Provide information on targets for penetration testing
- Provide information on how to mitigate discovered vulnerabilities.
NIST guidelines do not stop at systems and network testing but go the additional step to cover wireless networks and Bluetooth. It is very important to cover all the possible ways for a hacker to attack an organization.
Vulnerability validation techniques
NIST recommends validating the information produced in the previous steps by multiple techniques.
It starts with password cracking where the tester starts to check if she could recover passwords from password hashes stored on a system or transmitted over the network.
Password cracking is performed on hashes that are either intercepted by a network sniffer while being transmitted across a network, or retrieved from the target system, which generally requires administrative level access on, or physical access to, the target system.
Once these hashes are obtained, an automated password cracker rapidly generates additional hashes until a match is found or the assessor halts the cracking attempt.
In addition to that, penetration testing techniques are used to validate vulnerabilities by replicating the possible identified attacks in previous phases and providing detailed proof of concept on how they were conducted.
Penetration testing often includes non-technical methods of attack such as physical security testing and social engineering, these attacks are out of the scope of NIST guidelines.
NIST penetration testing execution
The primary goals for the execution phase are to identify vulnerabilities and validate them when appropriate.
To summarize the execution or attack phase check the following diagram.
Focus on results
The objectives of a NIST penetration test are to identify:
- How well the system tolerates real world-style attack patterns
- The likely level of sophistication an attacker needs to successfully compromise the system
- Additional countermeasures that could mitigate threats against the system
- Defenders’ ability to detect attacks and respond appropriately.
Focus on getting the needed results in compliance with the techniques mentioned on this page and reach out to us if you need support in completing a NIST compliant penetration test.
The goal of a penetration test is to secure your organization and support your team in implementing the countermeasures needed to mitigate threats against your systems.
Make sure to have a proper vulnerability management process in place and to monitor the activities done during the penetration test engagement and identify ways that could help detect similar malicious activities.