NIST recently updated its Special Publication 800-53, introducing a whole new dimension to what security awareness comprises. What do these new Security and Privacy Controls for Information Systems and Organizations mean for your Chicagoland business? Here's the skinny.
If you've been in infosec or IT for a while, you're probably familiar with the National Institute of Standards and Technology (NIST), or have at least heard of the NIST 800 series, which many experts regard as the standard guideline for establishing robust security programs across all industries.
Well, in response to the alarming rise in incidents such as the Exchange mass hack, NIST recently revised its Special Publication 800-53 to redefine what security awareness constitutes.
To give us a better perspective, let's first look at what NIST 800-53 entails in general.
What Is NIST 800-53?
Initially, NIST was tasked with establishing security standards for federal agencies and their contractors only. However, because the cyber threat landscape evolves so rapidly, most of the agency's standards have since been adopted by the private sector as well.
One such standard is NIST 800-53. It establishes guidelines for agencies and organizations to build reliable security systems and shield their networks from external threats.
The overall idea is that organizations use FIPS Publication 199 to classify their information systems into security categories. Once you've determined the system's security objectives (confidentiality, integrity, and availability) and the impact of losing each, NIST 800-53 lays out the controls that will help you achieve those goals.
Note that NIST 800-53 does not recommend any specific software packages or applications. It leaves this decision to individual security stakeholders because of the understanding that information technology is continuously evolving.
Because the threat landscape changes so quickly, even NIST is continually looking for ways to improve its standards. The recent NIST 800-53 update is just one of many adjustments we can expect.
Understanding The NIST SP 800-53 Update
The most striking adjustment to the NIST Special Publication 800-53 is the stipulation of simulated social engineering tests as a compliance requirement.
The update partly reads, “practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear-phishing attacks, malicious web links.”
This reinforces what frontline cybersecurity practitioners have been advocating for the past several years: simulated cyberattacks are a necessary and urgent part of the fight against cybercrime.
Even with the most elaborate security systems in place, an under-informed and ill-prepared staff will still leave your network vulnerable to hacks and breaches. Your employees are your first (and most susceptible) line of defense. That's why it's essential to prioritize behavior-based training in your security protocols.
So, let's delve into the NIST SP 800-53 update recommendations in detail:
- The Security Awareness Testing Exercise Should Be No-Notice: Even though your users may expect to be tested, they shouldn't know the specifics of when or how you'll carry out the simulation. If the test catches them unawares, they will treat it with the same seriousness they'd give a real attack. This gives the security team an accurate picture of users' security awareness and preparedness.
- The Simulated Attacks Should Not Be One-Dimensional: Conventionally, most phishing tests only measure whether users click malicious links. The truth is that attackers keep advancing their game and devising new tricks by the day. That's why the NIST SP 800-53 publication recommends a multi-dimensional approach to simulated attacks. Besides testing whether users click malicious links, also measure their susceptibility to credential-harvesting attempts, enabling macros, downloading malicious attachments, and so on.
- The Exercise Should Include Highly Crafted Spear-Phishing Attacks: The present-day threat actor will take their time to learn your systems before launching an attack. Sometimes they will camp in your network for months of reconnaissance. By the time they finally launch an onslaught, they will know every weakness in your security system. That's what you should test for: intricately planned and highly crafted attacks. And that's what the NIST SP 800-53 update is insisting on here.
Essentially, the new recommendations say that your security awareness testing exercise should closely reflect real-life breach scenarios. Only then can you accurately gauge your security posture and understand your threat levels.
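To make the "not one-dimensional" point concrete, here is an added example (not from the NIST publication or from Leading IT) that scores the results of a multi-vector awareness test. It assumes a phishing-simulation platform exports one record per recipient per lure type, and it works over a small constructed log of hypothetical users. The interesting output is the set of users a link-click-only test would have marked as "passed" even though they enabled a macro or opened an attachment.

```python
from collections import defaultdict

# Lure types covered by a multi-dimensional test. A conventional programme
# exercises only "link".
VECTORS = ("link", "credential", "macro", "attachment")

# The recorded action that counts as a failure for each vector.
FAIL_ACTION = {
    "link": "clicked",          # followed the simulated malicious URL
    "credential": "submitted",  # entered credentials on the simulated harvesting page
    "macro": "enabled",         # enabled macros in the simulated document
    "attachment": "opened",     # opened the simulated malicious attachment
}

# Constructed sample campaign log (hypothetical users and outcomes, not real data).
# Each tuple: (recipient, vector, action). Non-failing actions are "ignored"
# (no interaction) or "reported" (forwarded to the security team).
SAMPLE_EVENTS = [
    ("alice", "link", "clicked"), ("alice", "credential", "submitted"),
    ("alice", "macro", "ignored"), ("alice", "attachment", "opened"),
    ("bob", "link", "reported"), ("bob", "credential", "ignored"),
    ("bob", "macro", "ignored"), ("bob", "attachment", "reported"),
    ("carol", "link", "clicked"), ("carol", "credential", "ignored"),
    ("carol", "macro", "enabled"), ("carol", "attachment", "ignored"),
    ("dave", "link", "ignored"), ("dave", "credential", "reported"),
    ("dave", "macro", "ignored"), ("dave", "attachment", "ignored"),
    ("erin", "link", "clicked"), ("erin", "credential", "submitted"),
    ("erin", "macro", "ignored"), ("erin", "attachment", "ignored"),
    ("frank", "link", "ignored"), ("frank", "credential", "ignored"),
    ("frank", "macro", "enabled"), ("frank", "attachment", "opened"),
]


def _by_user(events):
    """Group events as user -> {vector: action}; a later record for the same
    vector overwrites an earlier one."""
    users = defaultdict(dict)
    for user, vector, action in events:
        if vector not in FAIL_ACTION:
            raise ValueError(f"unknown vector: {vector}")
        users[user][vector] = action
    return users


def vector_failure_rates(events):
    """Fraction of recipients of each lure type who took the failing action."""
    rates = {}
    for vector in VECTORS:
        received = [action for _, v, action in events if v == vector]
        if not received:
            continue  # vector not exercised in this campaign
        failed = sum(1 for action in received if action == FAIL_ACTION[vector])
        rates[vector] = round(failed / len(received), 3)
    return rates


def user_failures(events):
    """Map user -> sorted list of the vectors they fell for."""
    return {
        user: sorted(v for v, action in acts.items() if action == FAIL_ACTION[v])
        for user, acts in _by_user(events).items()
    }


def multi_vector_failers(events, threshold=2):
    """Users who failed at least `threshold` distinct vectors: the highest
    priority for follow-up behaviour-based training."""
    return sorted(u for u, f in user_failures(events).items() if len(f) >= threshold)


def link_only_blind_spots(events):
    """Users a link-click-only test would report as 'passed' although they
    failed some other vector."""
    return sorted(u for u, f in user_failures(events).items() if f and "link" not in f)


def reporting_rate(events):
    """Fraction of recipients who reported at least one lure."""
    users = _by_user(events)
    if not users:
        return 0.0
    reporters = sum(1 for acts in users.values() if "reported" in acts.values())
    return round(reporters / len(users), 3)


def campaign_summary(events):
    """Single dict with everything a security team would put on a dashboard."""
    return {
        "failure_rate_by_vector": vector_failure_rates(events),
        "multi_vector_failers": multi_vector_failers(events),
        "link_only_blind_spots": link_only_blind_spots(events),
        "reporting_rate": reporting_rate(events),
    }


if __name__ == "__main__":
    for key, value in campaign_summary(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Feeding your platform's real export into `campaign_summary` shows at a glance how much a link-only programme would have missed: in the constructed data, `frank` never clicks a link yet enables macros and opens attachments, so a one-dimensional test would have counted him as a pass.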
Get Professional Help With NIST 800-53 Compliance
Thanks to the recent updates, NIST 800-53 is an excellent roadmap for developing and maintaining a sound data security strategy. With a bit of guidance from an experienced team, it can go a long way toward improving your cybersecurity posture.
Leading IT offers 24/7, all-inclusive, fast, and friendly technology and cybersecurity support for nonprofits, manufacturers, schools, accounting firms, religious organizations, government, and law offices with 10-200 employees across the Chicagoland area.