NIST 800-115

NIST 800-115

logo

Summary

NIST Special Publication 800-115 is an overview of the key elements of security testing. It directs organizations on how to plan and conduct technical information security testing, analyze the findings, and develop remediation strategies. The version used in this section is NIST 800-115 September 2008.

Definitions

Definition Requirements
3_2. Log review 075. Record exceptional events in logs
322. Avoid excessive logging
376. Register severity level
377. Store logs based on valid regulation
3_4. System configuration review 062. Define standard configurations
3_5. Network sniffing 033. Restrict administrative access
181. Transmit data using secure protocols
255. Allow access only to the necessary ports
3_6. File integrity checking 040. Compare file format and extension
178. Use digital signatures
320. Avoid client-side control enforcement
4_2. Network port and service identification 237. Ascertain human interaction
266. Disable insecure functionalities
327. Set a rate limit
4_4. Wireless scanning 181. Transmit data using secure protocols
249. Locate access points
4_4_1. Passive wireless scanning 154. Eliminate backdoors
253. Restrict network access
254. Change SSID name
5_1. Password cracking 127. Store hashed passwords
130. Limit password lifespan
132. Passphrases with at least 4 words
133. Passwords with at least 20 characters
139. Set minimum OTP length
332. Prevent the use of breached passwords
333. Store salt values separately
6_6. Legal considerations 331. Guarantee legal compliance
7_4_1. Data collection 365. Avoid exposing technical information
7_4_3. Data transmission 181. Transmit data using secure protocols
7_4_4. Data destruction 183. Delete sensitive data securely
360. Remove unnecessary sensitive information
Free trial message
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.