NIST 800-53 - Penetration Test
Selkirk Cyber offers Penetration Tests to meet the requirements of the NIST SP 800-53 standard, specifically control CA-8, which involves an Independent Penetration Testing Agent or Team performing penetration testing.
NIST 800-53 is a baseline of security controls and standards which, when leveraged, can be a powerful mechanism for managing cybersecurity risk. A penetration test simulates the actions of adversaries whose goal is to launch cyber attacks in order to gain access to your information systems. This control, CA-8(1), has been assigned to the high-impact control baseline by NIST.
Selkirk Cyber's NIST Pentest Process
Scoping
Typically, our general timeframe to conduct a NIST 800-53 Pentest for US small businesses is 2 to 3 weeks, plus an additional 1 week for the report to be delivered. In-scope systems or system components can be internal, external or both. Which systems are in scope will depend on where the NIST 800-53 controls are being implemented, which can vary from business to business (e.g. only public-facing systems and the systems connected to them). If there are any questions, we can always discuss which systems would be reasonable to include in scope based on network configuration or business needs.
Rules of Engagement
Selkirk Cyber will also provide a baseline set of Rules of Engagement (RoE) which outline the Tactics, Techniques and Procedures (TTPs) that will and will NOT be used during the pentest. Among the TTPs that are off-limits are Denial of Service attacks and dropping any type of malware on systems. The RoE can be discussed to include additional rules, such as scanning production systems only during off-hours or not conducting certain TTPs against a set of systems, to reduce the risk of system downtime.
Pentesting
Once the in-scope items are provided, we'll set a date and timeframe, then begin testing. Selkirk Cyber will predominantly conduct the pentest off-hours during the week, as well as on weekends. Our Penetration Testers are all qualified US citizens, and the work will never be outsourced to a foreign country.
Reporting
After the penetration test is complete, a custom report will be generated which includes details of each vulnerability finding: its severity, a Proof of Concept (PoC) documenting the discovery and exploitation process, and any mitigations and countermeasures. Re-testing can also be requested once mitigations have been implemented.
Get Started
Our end product will enhance your ability to prioritize risk based on the identified vulnerability findings. The pentest will ultimately prevent malicious actors from accessing your systems, which will in turn prevent any major security incidents and help with additional compliance regulations.
Specializing in security, we offer competitive pricing and a more tactical approach to network security than the big-box IT service providers. These providers typically don't specialize in security and may outsource the tasks to foreign entities. If you'd like to utilize our NIST 800-53 Pentesting service, please contact us to get started.