NIST updates security and privacy controls to recommend phishing simulations

  • 5 April 2021

The National Institute of Standards and Technology (NIST) recently updated Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, with an important update regarding recommended security awareness training.

In summary, control enhancements were added recommending the use of phishing simulations as part of a comprehensive security program.

The specific language in NIST SP 800-53, Rev. 5, Section 5.3 (pg. 60) reads:

“Practical exercises include no-notice social engineering attempts to collect information, gain unauthorized access, or simulate the adverse impact of opening malicious email attachments or invoking, via spear-phishing attacks, malicious web links.”

The mention of “no-notice” is important. NIST is essentially noting that asking employees to spot the phishing attempt from a group of emails is very different than being able to refrain from taking the bait in real-world situations. Realistic phishing simulations are the only way to truly gauge an employee’s situational awareness day-to-day.

The inclusion of “spear phishing” also bears noting. Spear phishing is the practice of tailoring social engineering attacks to a specific target, as opposed to the wide-net attempts common years ago. This could include mining social media accounts and other publicly available information to strengthen a pretext.

Webroot’s customizable phishing templates enable this type of advanced attack to be easily created. Vaccine-related scams, for instance, are currently on the rise. Templates spoofing offers for vaccine appointments would certainly meet the description of a “practical exercise in literacy training.” Incorporating executive or vendor names or other publicly available information into the template creates a sophisticated spear phishing simulation that meets the new NIST guidance.

Webroot has always made every effort to ensure Webroot® Security Awareness Training covers topics recommended by NIST. Our content library is regularly updated based on the topics covered by NIST standards and revisions, and realistic phishing simulations are an area where we're ahead of the game.

Now, organizations that pride themselves on compliance with NIST standards will need to ensure that they're not just going through the motions when it comes to training employees on social engineering tactics. These NIST revisions clearly mean to call for the type of spontaneous, well-designed phishing attack workers are likely to encounter in the wild. Webroot Security Awareness Training empowers organizations to easily meet the new standard. 

Want more SAT content? Be sure to check out our SAT section on the community.

2 replies


Excellent to see that Webroot SAT is closely complying with NIST standards!


I particularly like the NIST no-notice phishing suggestion as an exercise for employees. And I agree with the previous comment, great to see Webroot closely monitoring standards bodies.