Addressing NIST SP 800 Security Controls Guidelines with Vulnerability Management
The NIST Special Publication (SP) 800 documents establish penetration testing as the preferred method for auditing security controls under the Federal Information Security Management Act (FISMA), with which all federal agencies must comply. Under this requirement, NIST recommends that agencies proactively test their network and IT defense mechanisms using assessment techniques that simulate the actions of real-world attacks. More recently, NIST guidelines specifically call for penetration testing that goes beyond the use of scanners: it must exploit vulnerabilities and demonstrate how security controls hold up against the same types of multi-staged attacks that are aimed at agency assets on a daily basis.
Core Security solutions provide the most effective manner to test security defenses and demonstrate the required level of adherence to FISMA and the NIST SP 800 documents. By acquiring the ability to carry out regular, controlled and safe exploit simulations against a wide range of vectors (including networks, endpoints, web applications, end users, and wireless networks), federal agencies will be able to provide explicit proof of their compliance, along with associated documentation, to GAO auditors as they carry out their annual e-security assessments.
Related information from NIST
- National Institute of Standards and Technology FISMA website
- NIST SP 800 Series Documents
- NIST Information Technology Lab Bulletins
Addressing NIST SP 800-39: “Guide for Applying the Risk Management Framework” with Core Insight
NIST SP 800-39, Guide for Applying the Risk Management Framework to Federal Information Systems, establishes a Risk Management Framework (RMF) that promotes the concept of near-real-time risk management through the implementation of a robust continuous monitoring process. The RMF encourages the use of automation and automated support tools — such as those offered by Core Insight. This allows for the collection of relevant information for senior leadership to use when making credible, risk-based decisions regarding their core missions and business functions.
According to NIST SP 800-39, commercially available automated tools “support situational awareness, or [maintain] awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes.” However, NIST also cites that those tools, as well as corresponding processes designed to generate risk data, are not being deployed in a timely fashion. As a result, system security assessments and authorizations are usually based on infrequently conducted vulnerability scans that test security controls at a single point in time – leaving security professionals unable to measure the real risk to systems between security control test cycles.
How Core Insight Helps
By automatically traversing exploitable web application, network and client-side weaknesses throughout your environment, Core Insight can reveal risks to your critical assets on a continuous basis. Unlike other security solutions, it does not scan for potential vulnerabilities, monitor for incidents, or model threats; it proactively uses the same offensive techniques that criminals employ to find and exploit weaknesses that expose critical assets to data breaches.
Core Insight enables you to:
- Continuously reassess the security of assets as new attack techniques surface, as new vulnerabilities are discovered, and as infrastructure changes.
- Test the internal and external relationships between inter-connected IT systems.
- Determine remediation priorities to ensure that security improvements are aimed at addressing the most critical, true risks.
Addressing NIST SP 800-53: “Recommended Security Controls” with Core Security Solutions
NIST Special Publication (SP) 800-53 exists to “help ensure that appropriate security requirements and security controls are applied to all federal information and information systems.” Practically speaking, it is a guide to help government organizations prepare for and pass IT security audits performed under the Federal Information Security Management Act (FISMA).
SP 800-53 recommends a set of security controls that represents IT security best practices endorsed by the U.S. Department of Defense, Intelligence Community and Civil agencies to produce “the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.”
In revision 3 of the guideline, NIST further incorporated penetration testing as a key security control, stating it should be used to “improve the readiness of the organization [and] to improve the security state of the system and organization.” Core Insight and Core Impact Pro offer powerful, automated penetration testing capabilities for government red teams and security organizations.
How Core Security Solutions Help
Using Core Security’s test and measurement solutions, Core Insight and Core Impact Pro, security professionals proactively validate their security controls while revealing actual paths that attackers could take to expose critical assets.
Core Insight continuously replicates threats while seeking to compromise defined business assets through web, network and client-side channels. Core Insight helps security executives to benchmark and measure enterprise-wide security posture, verify actual business risks, and validate mandated security controls.
Core Impact Pro replicates attacks across web applications, network systems, endpoints, email users, Wi-Fi networks, and network devices. Users have granular control over the largest library of commercial-grade exploits available, plus a full complement of pre- and post-exploitation capabilities.
Addressing NIST SP 800-137: “Information Security Continuous Monitoring” with CORE Insight Enterprise
NIST SP 800-137 is designed to assist organizations in developing a continuous monitoring strategy and implementing a related program. It cites the following processes as “essential to organization-wide continuous monitoring:”
- Ongoing assessment of security controls (including system-specific, hybrid, common controls and PM controls) with assessment frequencies based on an organization-wide continuous monitoring strategy. (NIST Special Publication 800-137, page 10)
- Configuration management and change control processes for organizational information systems, throughout their SDLCs, and with consideration of their operating environments and their role(s) in supporting the organization’s missions and core business processes. (NIST Special Publication 800-137, page 10)
- Security impact analyses (SIA) on changes to organizational information systems and their environments of operation for any adverse security impact to systems, mission/business and/or organizational functions which said systems support. (NIST Special Publication 800-137, page 10)
- Security status reporting to organizational officials designed to enable data-driven risk mitigation decisions with minimal response times and acceptable data latencies. Considerations include organization relevant threat data. (NIST Special Publication 800-137, page 10)
Optimizing security metrics is deemed essential in NIST SP 800-137. “Metrics are measures that have been organized into meaningful information to support decision making. Metrics are developed for system-level data to make it meaningful in the context of mission/business or organizational risk management.” Therefore, it is critical to collect data in a way that most accurately pinpoints and validates actual risk within an IT environment.
How Core Insight Helps
Core Insight offers a security testing and measurement solution that enables you to continuously and proactively assess the security of your critical information assets, mapping directly to the guidance in NIST SP 800-137. By traversing exploitable web application, network and client-side weaknesses throughout your environment, Core Insight reveals exposed paths to systems, databases and data types. It delivers clear, definitive metrics for efficiently validating security controls and addressing data breach threats.
Core Insight addresses critical processes noted by SP 800-137 in the following ways:
Ongoing assessment of security controls
- Assesses IPS/IDS, firewalls and other defenses against real-world attack techniques
- Automated attack path planning, combined with real-world exploit-based testing, dynamically reveals paths that attackers and malicious insiders would use to access sensitive assets
- Proactively identifies weaknesses posing imminent risks
Configuration management and change control
- Able to run continuously to assess changing infrastructure against the latest threats
- Ensures that defensive technologies can protect against current threats
- Integrates with ticketing and change management systems for seamless vulnerability management
- Dynamically tests custom and COTS applications using the same techniques as attackers
- Can easily scale to repeatedly test environments with large numbers of targets
- Ensures that development resources can focus on addressing proven security issues
Security impact analyses
- Able to test (and retest) continuously to assess changing infrastructure against the latest threats
- Automated attack path planning, combined with real-world exploit-based testing, dynamically reveals paths that attackers and malicious insiders could use to access sensitive assets
- Assesses systems designated as critical and delivers proactive alerts regarding the latest threats and impacts to those systems
Security status reporting
- Conducts proactive, real-time assessments of assets identified as critical to the agency
- Assimilates data from multiple sources to validate potential threats as real
- Delivers data using terminology specific to your locations, mandates, data types, etc.
- Benchmarks security posture; tracks and demonstrates security standing over time