NIST Updates You Should Be Aware About

blog.knowbe4.comhubfssocial-suggested-imagesblog.knowbe4.comhubfsPerry_Carpenter_CartoonBy Perry Carpenter,  KnowBe4 Chief Evangelist and Strategy Officer. If you’ve been in IT or infosec for any length of time, you’ve probably heard of NIST (the National Institute of Standards and Technology). In fact, the NIST 800 series is widely heralded as the de facto “go to” resource for guidance running most aspects of a security program... including security awareness training.

NIST recently updated Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, adding some critical new language to the sections covering security awareness. Here’s the skinny.

The relevant language is within Section 3.2 (see page 60).

NIST Control Requirements

Notice that the updated NIST standard now includes providing frequent simulated social engineering testing. Specifically, their language states, “[p]ractical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear phishing attacks, malicious web links.”

This is a significant addition from NIST and is a formal recognition that phishing simulation vendors, like KnowBe4, are providing a much-needed security control. This behavior-based training is the key to building an effective last line of defense. So, let’s examine their recommendation in detail.

  1. NIST’s recommendation is that security awareness testing be “no-notice.” This means that, while users may be aware of the fact that they should expect to be tested, they are not notified about the specifics of the test. In other words, there isn’t an announcement saying, “Hey! Be prepared for the phishing test this week!”
  2. NIST is saying that the phishing tests should not be one-dimensional. It’s not just about being able to avoid clicking a link. They recommend testing to see if your people are vulnerable to credential harvesting attacks, downloading malicious attachments, enabling macros, and more.
  3. NIST adds that you should also include highly crafted spear phishing attacks. Any threat actor who is truly targeting your organization will take the time to do proper reconnaissance to build a potent attack. That’s what you are testing for. And that’s what NIST is recognizing here.

In short, NIST is saying that your simulated social engineering testing needs to reflect real world threats so that you have a true understanding of your susceptibility to such threats.

KnowBe4’s mission is to enable your employees to make smarter security decisions, every day. And we’ve been doing that for the past ten years through a combination of simulated social engineering testing, highly engaging content, and leading-edge automation. It is encouraging to see NIST’s formal recognition of the importance of simulated social engineering and we look forward to continuing to help our customers strengthen their last line of defense.

Request A Quote: Security Awareness Training

products-KB4SAT6-2-1New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your quote for KnowBe4's security awareness training and simulated phishing platform and find out how affordable this is!

Get A Quote Now

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews