Evolving Threats: The NIST Framework and Social Engineering Attacks

By March 31, 2021
NIST Framework
What is NIST?

Search for the National Institute of Standards and Technology in your favorite web browser. It’s a fascinating way to spend ten minutes. For 120 years, NIST has promoted innovation and industrial competitiveness in the United States. But what does a non-regulatory government laboratory devoted to measurements have to do with Cybersecurity?

Technology – whether it’s physical or virtual – doesn’t exist in a vacuum. Every piece of hardware and software is developed in concert with other technologies. Together, they fit into systems, which in turn are connected to countless other systems. When those systems aren’t reliable, interoperable, and secure, the consequences are potentially devastating.

To help protect both the private and public sectors, Executive Order 13636 directed NIST to create a Cybersecurity Framework back in February 2013. NIST has continuously updated the Framework in the subsequent years to stay as relevant as possible.

According to NIST, the “Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.”

Although it may seem extremely complicated, the Framework has five key functions that are easy to understand: Identify, Protect, Detect, Respond, and Recover. Every other aspect of NIST’s Cybersecurity methodology is built on those five pillars. Focusing on these five areas is valuable because it brings clarity to an organization’s effort to manage cyber risk and ultimately helps it make better risk management decisions.

NIST and Phish Testing

Companies that take Cybersecurity seriously invest time into understanding the NIST 800 series. It provides businesses with detailed guidance for developing and implementing their own security programs.

NIST recently added updated language to Special Publication 800-53 within Section 3.2:

“Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.”

Simply put, NIST is endorsing the adoption of robust, ongoing training curriculums.

  • Hackers don’t rely on a single attack strategy, so training materials and testing approaches must address a variety of social engineering attacks.
  • “Practical exercises” (in other words, testing) should be no-notice. The goal is to demonstrate that your staffers have internalized the lessons and can apply them in real-world scenarios.

Next Steps

You don’t need to become a NIST Framework expert to protect your data. But you do need to act quickly to select a knowledgeable partner that can apply NIST’s best practices (or a comparable framework) to your organization.

What is TCG’s approach?

  • We perform comprehensive assessments for prospects and clients alike.
  • We walk the stakeholders through the good and the bad – identifying vulnerabilities and opportunities for efficiency gains.
  • Then we collaborate to create an IT roadmap that achieves their goals while prioritizing security and regulatory compliance.

If that sounds better than your current approach, let’s work together. Contact us today!
