Use this form to search content on CSRC pages.
Conference: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications (TrustCom) Abstract: Data sent over the Internet can be monitored and manipulated by intermediate entities in the data path from the source to the destination. For unencrypted communications (and some encrypted communications with known weaknesses), eavesdropping and man-in-the-middle attacks are possible. For encrypted...
Conference: The 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) Abstract: Blockchain based cryptocurrencies are usually unmanaged, distributed, consensus-based systems in which no single entity has control. Managed cryptocurrencies can be implemented using private blockchains but are fundamentally different as the owners have complete control to do arbitrary activity with...
Journal: Computer (IEEE Computer) Abstract: Will our smart devices betray us? Can we trust our smart beds, pet feeders, and watches to maintain the level of privacy we want and expect? As the numbers of devices coming online reach staggering levels, serious questions must be raised about the level of cybertrust we can reasonably expect to hav...
Abstract: Healthcare providers increasingly use mobile devices to receive, store, process, and transmit patient clinical information. According to our own risk analysis, discussed here, and in the experience of many healthcare providers, mobile devices can introduce vulnerabilities in a healthcare organizatio...
Abstract: This bulletin summarizes the information found in NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information (CUI) which provides federal and nonfederal organizations with assessment procedures and a methodology that can be employed to conduct assessments of the CUI se...
Journal: ACM Computing Surveys Abstract: Monitoring the “physics” of cyber-physical systems to detect attacks is a growing area of research. In its basic form, a security monitor creates time-series models of sensor readings for an industrial control system and identifies anomalies in these measurements to identify potentially false contro...
Abstract: To protect power generation, transmission, and distribution, energy companies need to control physical and logical access to their resources, including buildings, equipment, information technology (IT), and operational technology (OT). They must authenticate authorized individuals to the devices and...
Journal: IEEE IoT Newsletter Abstract: In this short article, we review an abbreviated list of trust challenges that we foresee as increased adoption transforms the IoT into another ubiquitous technology just as the Internet is. These challenges are in no specific order, and are by no means a full set.
Conference: IFIP Annual Conference on Data and Applications Security and Privacy Abstract: Cyber-defense and cyber-resilience techniques sometimes fail in defeating cyber-attacks. One of the primary causes is the ineffectiveness of business process impact assessment in the enterprise network. In this paper, we propose a new business process impact assessment method, which measures the imp...
Conference: IFIP Annual Conference on Data and Applications Security and Privacy Abstract: As today’s cloud providers strive to attract customers with better services and less downtime in a highly competitive market, they increasingly rely on remote administrators including those from third party providers for fulfilling regular maintenance tasks. In such a scenario, the privileges grante...
Abstract: This recommendation addresses the protection of symmetric keying material during a key establishment that uses symmetric-key cryptography for key distribution. The objective is to provide recommendations for reducing exposure to the unauthorized disclosure of the keying material and detecting its un...
Abstract: Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002, requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming year, to carry out responsibilities under this law. The prim...
Conference: The 30th International Conference on Software Engineering & Knowledge Engineering (SEKE 2018) Abstract: Rule-based systems are important in application domains such as artificial intelligence and business rule engines. When translated into an implementation, simple expressions in rules may map to a large body of code that requires testing. We show how rule-based systems may be tested efficiently, usin...
Abstract: This recommendation provides a technical guideline to use Personal Identity Verification (PIV) Cards in facility access; enabling federal agencies to operate as government-wide interoperable enterprises. These guidelines cover the risk-based strategy to select appropriate PIV authentication mechanis...
In: Handling and Exchanging Electronic Evidence Across Europe Abstract: This paper describes the evolution of a community-developed, standardized specification language for representing and exchanging information in the broadest possible range of cyber-investigation domains, including digital forensic science, incident response, and counter terrorism. A primary motivati...
Abstract: This bulletin summarizes the information found in NISTIR 8179: Criticality Analysis Process Model, which describes a structured method of prioritizing programs, systems, and components based on their importance to the goals of an organization and the impact that their inadequate operation or loss ma...
Journal: Journal of the National Institute of Standards and Technology Abstract: Baseline Tailor is an innovative web application for users of the National Institute of Standards and Technology (NIST) Cybersecurity Framework and Special Publication (SP) 800-53. Baseline Tailor makes the information in these widely referenced publications easily accessible to both security profes...
Abstract: The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. This public...
Conference: 15th International Conference on Quantum Physics and Logic Abstract: Quantum self-testing addresses the following question: is it possible to verify the existence of a multipartite state even when one's measurement devices are completely untrusted? This problem has seen abundant activity in the last few years, particularly with the advent of parallel self-testing (i....
Journal: IT Professional Abstract: In the Internet of Things (IoT), what can we measure? The authors explore how the field of metrology might be applicable to the IoT.
Abstract: The Hypervisor platform is a collection of software modules that provides virtualization of hardware resources (such as CPU, Memory, Network and Storage) and thus enables multiple computing stacks (made of an operating system (OS) and application programs) called Virtual Machines (VMs) to be run on...
Journal: IEEE Systems Journal Abstract: We describe the initial process of eliciting requirements for an Internet-of-things (IoT) application involving a hospital emergency room. First, we discuss the process of modeling IoT systems through rich pictures and use cases. Then, we demonstrate how these can be used to model emergency room sys...
Abstract: This note was originally written under the name "On the Security of HMFEv" and was submitted to PQCrypto 2018. The author was informed by the referees of his oversight of an eprint work of the same name by Hashimoto, see eprint article /2017/689/, that completely breaks HMFEv, rendering the result o...
Abstract: This report responds to the May 11, 2017, Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. That order directs the Secretary of Commerce and the Secretary of Homeland Security to: 1) Assess the scope and sufficiency of efforts to educate and train th...
Abstract: This report outlines a guide to government and private sector actions that would reduce the threat of botnets and similar cyberattacks. It responds to the May 11, 2017, Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. That order directed the Secreta...