Skip main navigation
Home / IT & Computer Science / Cyber Security / Ethical Hacking: An Introduction / NIST SP800-115

NIST SP800-115

NIST's technical guide.
© Coventry University. CC BY-NC 4.0

The Technical Guide to Information Security Testing and Assessment (also known by the catchy title NIST SP800-115) was published by the National Institute of Standard and Technology (NIST) in 2008.

It provides a relatively high-level overview for designing, implementing and maintaining technical information security test and examination processes and procedures. It is aimed at supporting organisations in planning and executing tests in finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements.

The guide describes three main methods of assessment:

  • Testing – executing technical tests on the target networks and systems
  • Examination – the main non-technical assessment process of checking, inspecting, reviewing, observing, studying or analysing
  • Interviews – another non-technical assessment method described as a process of conducting discussions with individuals or groups within an organisation to facilitate understanding, achieve clarification, or identify the location of evidence

Want to keep
learning?

This content is taken from
Coventry University online course,

Ethical Hacking: An Introduction

View Course

NIST SP800-115 divides a security assessment project into three phases:

  • Planning covers the initial stages of the project, such as information gathering, asset identification and threat modelling
  • Execution mainly focuses on finding system, network and organisational process vulnerabilities
  • Post-execution covers the assessment of the vulnerabilities found earlier, and their impact

The reason we have included this methodology in our list is that it provides a good discussion on the non-technical examination of the security posture of an organisation.

There are cases where we cannot simulate the target systems realistically enough and running full simulated attacks on the live production’s systems is not an option either, eg in critical infrastructure, medical environments, etc. In those environments, being able to run a non-technical examination is particularly important. This approach is also useful when verifying compliance with required standards and policies.

Reference

National Institute of Standard and Technology (2008) NIST SP800-115 [online] available from https://csrc.nist.gov/publications/detail/sp/800-115/final [11 April 2019]

© Coventry University. CC BY-NC 4.0

Want to keep learning?

This content is taken from Coventry University online course
Ethical Hacking: An Introduction
View Course
See other articles from this course
This article is from the online course:

Ethical Hacking: An Introduction

Created by
Join Now
This article is from the free online

Ethical Hacking: An Introduction

Created by
Join Now
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now

Register to receive updates

  • Create an account to receive our newsletter, course recommendations and promotions.

    Register for free