Search CSRC

Abstract: This bulletin summarizes the information presented in NIST SP 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. The publication addresses the engineering-driven perspective and actions necessary to develop more de...

Conference: 2015 Annual Meeting of the Human Factors and Ergonomics Society Abstract: Passwords are tightly interwoven with the digital fabric of our current society. Unfortunately, passwords that provide better security generally tend to be more complex, both in length and composition. Complex passwords are problematic both cognitively and motorically, leading to both memory and mot...

Abstract: De-identification is a process that is applied to a dataset to reduce the risk of linking information revealed in the dataset to specific individuals. Government agencies can use de-identification to reduce the privacy risk associated with collecting, processing, archiving, distributing or publishin...

Journal: Innovations in Systems and Software Engineering Abstract: A key issue in testing is how many tests are needed for a required level of coverage or fault detection. Estimates are often based on error rates in initial testing, or on code coverage. For example, tests may be run until a desired level of statement or branch coverage is achieved. Combinatorial me...

Journal: IT Professional Abstract: With the C programming language comes buffer overflows. Because it is unlikely that the use of C will stop any time soon, the authors present some ways to deal with buffer overflows—both how to detect and prevent them.

Abstract: The call for a dramatic reduction in software vulnerability is heard from multiple sources, recently from the February 2016 Federal Cybersecurity Research and Development Strategic Plan. This plan starts by describing well known risks: current systems perform increasingly vital tasks and are widely...

Abstract: Mobile platforms offer a significant operational advantage to public safety stakeholders by giving them access to mission critical information and services while deployed in the field, during training and exercises, or participating in day-to-day business and preparations during non-emergency period...

Abstract: Monitoring the “physics” of control systems to detect attacks is a growing area of research. In its basic form a security monitor creates time-series models of sensor readings for an industrial control system and identifies anomalies in these measurements in order to identify potentially false contr...

Abstract: This bulletin summarizes the information presented in NIST SP 800-178: A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications. The publication describes Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC), and then compar...

Abstract: The NIST workshop on Software Measures and Metrics to Reduce Security Vulnerabilities (SwMM-RSV) was held on 12 July 2016. The goal of this workshop was to gather ideas on how the Federal Government can identify, improve, package, deliver, or boost the use of software measures and metrics to signifi...

Abstract: NIST developed this interagency report as a reference guideline about cybersecurity for small businesses. This document is intended to present the fundamentals of a small business information security program in non-technical language.

Conference: 3rd International Conference on Research in Security Standardisation (SSR 2016) Abstract: Controlling a large number of devices such as sensors and smart end points, is always a challenge where scalability and security are indispensable. This is even more important when it comes to periodic configuration updates to a large number of such devices belonging to one or more groups. One solut...

Journal: User Experience Magazine Abstract: This article outlines our experience as a multi-disciplinary team studying user perceptions of and experiences with cybersecurity. We trace our journey from mutual skepticism, to understanding, to acceptance using illustrations from our data. We also discuss our learning along the way—including the...

Journal: IEEE Software Abstract: As new and exciting healthcare applications arise that use smart technologies, the Internet of Things, data analytics, and other technologies, a critical problem is emerging: the potential loss of caring. Although these exciting technologies have improved patient care by allowing for better assessme...

Conference: 8th ACM Computer and Communications Security International Workshop on Managing Insider Security Threats (MIST '16) Abstract: The American National Standards Organization has standardized an access control approach, Next Generation Access Control (NGAC), that enables simultaneous instantiation of multiple access control policies. For large complex enterprises this is critical to limiting the legally authorized access of in...

Conference: 9th International Symposium on Foundations and Practice of Security (FPS 2016) Abstract: Cloud computing has undergone rapid expansion throughout the last decade. Many companies and organizations have made the transition from traditional data centers to the cloud due to its flexibility and lower cost. However, traditional data centers are still being relied upon by those who are less ce...

Journal: IEEE Security & Privacy Abstract: More than 5.4 million Personal Identity Verification (PIV) and Common Access Cards (CAC) have been deployed to US government employees and contractors. These cards allow physical access to federal facilities, but their use to authenticate logical access to government information systems is uneven, w...

Conference: 9th International Symposium on Foundations and Practice of Security (FPS 2016) Abstract: Network intrusion detection is broadly divided into signature and anomaly detection. The former identifies patterns associated with known attacks and the latter attempts to learn a ‘normal’ pattern of activity and alerts when behaviors outside of those norms is detected. The n-gram methodology has a...

Conference: 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16) Abstract: While attacks on information systems have for most practical purposes binary outcomes (information was manipulated/eavesdropped, or not), attacks manipulating the sensor or control signals of Industrial Control Systems (ICS) can be tuned by the attacker to cause a continuous spectrum in damages. Att...

Abstract: This bulletin summarizes the information presented in NIST SP 800-177, Trustworthy Email. This publication gives recommendations and guidelines for enhancing trust in email. This guideline applies to federal IT systems and will also be useful for any small or medium sized organizations.

Journal: Computer (IEEE) Abstract: Combinatorial methods can make software security testing much more efficient and effective than conventional approaches.

Conference: IEEE 57th Annual Symposium on Foundations of Computer Science (FOCS 2016) Abstract: We consider Boolean circuits over the full binary basis. We prove a (3+1/86)n-o(n) lower bound on the size of such a circuit for an explicitly defined predicate, namely an affine disperser for sublinear dimension. This improves the 3n-o(n) bound of Norbert Blum (1984).The proof is based on the gate...

Abstract: This Recommendation specifies a message authentication code (MAC) algorithm based on a symmetric key block cipher. This block cipher-based MAC algorithm, called CMAC, may be used to provide assurance of the authenticity and, hence, the integrity of binary data.

Journal: INTEGERS: The electronic journal of combinatorial number theory Abstract: Working over the field Q(t), Kihara constructed an elliptic curve with torsion group Z/4Z and five independent rational points, showing the rank is at least five. Following his approach, we give a new infinite family of elliptic curves with torsion group Z/4Z and rank at least five. This matches the...

Abstract: Cyber threat information is any information that can help an organization identify, assess, monitor, and respond to cyber threats. Cyber threat information includes indicators of compromise; tactics, techniques, and procedures used by threat actors; suggested actions to detect, contain, or prevent a...