Search CSRC

Showing 1476 through 1500 of 13539 matching records.
Publications SP 800-178 October 3, 2016
https://csrc.nist.rip/publications/detail/sp/800-178/final

Abstract: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) are very different attribute based access control (ABAC) standards with similar goals and objectives. An objective of both is to provide a standardized way for expressing and enforcing vastly diverse access c...

Publications Journal Article September 28, 2016
https://csrc.nist.rip/publications/detail/journal-article/2016/security-fatigue

Journal: IT Professional
Abstract: Security fatigue has been used to describe experiences with online security. This study identifies the affective manifestations resulting from decision fatigue and the role it plays in users' security decisions. A semistructured interview protocol was used to collect data (N = 40). Interview questio...

Publications ITL Bulletin September 23, 2016
https://csrc.nist.rip/publications/detail/itl-bulletin/2016/09/demystifying-the-internet-of-things/final

Abstract: This bulletin summarizes the information presented in NIST SP 800-183, Networks of 'Things'. This publication offers an underlying and foundational science to IoT based on the realization that IoT involves sensing, computing, communication, and actuation.

Publications White Paper September 20, 2016
https://csrc.nist.rip/publications/detail/white-paper/2016/09/20/[project-description]-multifactor-authentication-for-e-commerce/final

Abstract: As greater security control mechanisms are implemented at the point of sale, retailers in the U.S. may see a drastic increase in e-commerce fraud, similar to what has been widely observed in the United Kingdom and Europe following the rollout of Europay, MasterCard, and Visa (EMV) chip-and-PIN techn...

Publications Conference Proceedings September 20, 2016
https://csrc.nist.rip/publications/detail/conference-paper/2016/09/20/probabilistic-network-forensics-model-for-evidence-analysis

Conference: IFIP WG 11.3 International Conference on Digital Forensics
Abstract: Modern-day attackers use sophisticated multi-stage and/or multi-host attack techniques and anti-forensic tools to cover their attack traces. Due to the limitations of current intrusion detection systems and forensic analysis tools, evidence often has false positive errors or is incomplete. Additiona...

Publications NISTIR 8103 September 19, 2016
https://csrc.nist.rip/publications/detail/nistir/8103/final

Abstract: On January 12-13, 2016 the National Institute of Standards and Technology’s (NIST) Applied Cybersecurity Division (ACD) hosted the “Applying Measurement Science in the Identity Ecosystem” workshop to discuss the application of measurement science to digital identity management. This document summari...

Publications White Paper (Draft) September 13, 2016
https://csrc.nist.rip/publications/detail/white-paper/2016/09/13/[project-description]-authentication-for-law-enforcement-vs/draft

Abstract: Law enforcement vehicles often serve as mobile offices. In-vehicle laptops or other computer systems are used to access a wide range of software applications and databases hosted and operated by federal, state, and local agencies, with each typically requiring a different username and password. This...

Publications NISTIR 8144 (Draft) September 12, 2016
https://csrc.nist.rip/publications/detail/nistir/8144/draft

Abstract: Mobile devices pose a unique set of threats, yet typical enterprise protections fail to address the larger picture. In order to fully address the threats presented by mobile devices, a wider view of the mobile security ecosystem is necessary. This document discusses the Mobile Threat Catalogue, whic...

Publications Book Section September 9, 2016
https://csrc.nist.rip/publications/detail/book/2016/cloud-computing-security-essentials-and-architecture

In: Cloud Computing Security: Foundations and Challenges
Abstract: This chapter discusses the essential security challenges and requirements for cloud consumers that intend to adopt cloud-based solutions for their information systems.

Publications Book Section September 9, 2016
https://csrc.nist.rip/publications/detail/book/2016/managing-risk-in-the-cloud

In: Cloud Computing Security: Foundations and Challenges
Abstract: This chapter discusses the risk management for a cloud-based information system viewed from the cloud consumer perspective.

Publications Conference Proceedings September 7, 2016
https://csrc.nist.rip/publications/detail/conference-paper/2016/09/07/estimating-t-way-fault-profile-evolution-during-testing

Conference: 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC)
Abstract: Empirical studies have shown that most software interaction faults involve one or two variables interacting, with progressively fewer triggered by three or more, and no failure has been reported involving more than six variables interacting. This paper introduces a model for the origin of this distr...

Publications Journal Article September 7, 2016
https://csrc.nist.rip/publications/detail/journal-article/2016/entropy-as-a-service-unlocking-cryptography's-full-potential

Journal: Computer (IEEE Computer)
Abstract: Securing the Internet requires strong cryptography, which depends on good entropy for generating unpredictable keys. Entropy as a service provides entropy from a decentralized root of trust, scaling across diverse geopolitical locales and remaining trustworthy unless much of the collective is compro...

Publications Conference Proceedings September 1, 2016
https://csrc.nist.rip/publications/detail/conference-paper/2016/09/01/what’s-a-special-character-anyway?-ambiguous-terminology

Conference: 2016 Human Factors and Ergonomics Society Annual Meeting
Abstract: Although many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects the user experience during password rule comprehension, a necessary precursor to password generation. Our research begins to address this gap by focusing on users’...

Publications Journal Article August 23, 2016
https://csrc.nist.rip/publications/detail/journal-article/2016/separating-or-sum-and-xor-circuits

Journal: Journal of Computer and System Sciences
Abstract: Given a boolean n × n matrix A we consider arithmetic circuits for computing the transformation x ↦ Ax over different semirings. Namely, we study three circuit models: monotone OR-circuits, monotone SUM-circuits (addition of non-negative integers), and non-monotone XOR-circuits (addition modulo 2)....

Publications Journal Article August 23, 2016
https://csrc.nist.rip/publications/detail/journal-article/2016/whatever-happened-to-formal-methods-for-security

Journal: Computer (IEEE Computer)
Abstract: A panel of seven experts discusses the state of the practice of formal methods (FM) in software development, with a focus on FM's relevance to security. In a 1996 article, formal methods (FM) advocate Tony Hoare asked, "How Did Software Get So Reliable without Proof?" Twenty years later, in the sa...

Publications SP 800-175A August 22, 2016
https://csrc.nist.rip/publications/detail/sp/800-175a/final

Abstract: This document is part of a series intended to provide guidance to the Federal Government for using cryptography and NIST’s cryptographic standards to protect sensitive, but unclassified digitized information during transmission and while in storage. Special Publication (SP) 800-175A provides guidanc...

Publications SP 800-182 August 10, 2016
https://csrc.nist.rip/publications/detail/sp/800-182/final

Abstract: Title III of the E-Government Act of 2002, entitled the Federal Information Security Management Act (FISMA) of 2002, requires NIST to prepare an annual public report on activities undertaken in the previous year, and planned for the coming year, to carry out responsibilities under this law. The prim...

Publications ITL Bulletin August 9, 2016
https://csrc.nist.rip/publications/detail/itl-bulletin/2016/08/nist-updates-piv-guidelines/final

Abstract: This bulletin summarized the information presented in NIST SP 800-156: Derived PIV Application and Data Model Test Guidelines and NIST SP 800-166: Representation of PIV Chain-of-Trust for Import and Export. These publications support Federal Information Processing Standard (FIPS) 201, Personal Ident...

Publications Conference Proceedings July 30, 2016
https://csrc.nist.rip/publications/detail/conference-paper/2016/07/30/general-methods-for-access-control-policy-verification

Conference: IEEE 17th International Conference on Information Reuse and Integration (IEEE IRI2016)
Abstract: Access control systems are among the most critical of computer security components. Faulty policies, misconfigurations, or flaws in software implementations can result in serious vulnerabilities. To formally and precisely capture the security properties that access control should adhere to, access c...

Publications SP 800-46 Rev. 2 July 29, 2016
https://csrc.nist.rip/publications/detail/sp/800-46/rev-2/final

Abstract: For many organizations, their employees, contractors, business partners, vendors, and/or others use enterprise telework or remote access technologies to perform work from external locations. All components of these technologies, including organization-issued and bring your own device (BYOD) client d...

Publications SP 800-114 Rev. 1 July 29, 2016
https://csrc.nist.rip/publications/detail/sp/800-114/rev-1/final

Abstract: Many people telework, and they use a variety of devices, such as desktop and laptop computers, smartphones, and tablets, to read and send email, access websites, review and edit documents, and perform many other tasks. Each telework device is controlled by the organization, a third party (such as th...

Publications SP 800-183 July 28, 2016
https://csrc.nist.rip/publications/detail/sp/800-183/final

Abstract: System primitives allow formalisms, reasoning, simulations, and reliability and security risk-tradeoffs to be formulated and argued. In this work, five core primitives belonging to most distributed systems are presented. These primitives apply well to systems with large amounts of data, scalability...

Publications NISTIR 8080 July 27, 2016
https://csrc.nist.rip/publications/detail/nistir/8080/final

Abstract: There is a need for cybersecurity capabilities and features to protect the Nationwide Public Safety Broadband Network (NPSBN). However, cybersecurity requirements should not compromise the ability of first responders to complete their missions. In addition, the diversity of public safety disciplines...

Publications Conference Proceedings July 20, 2016
https://csrc.nist.rip/publications/detail/conference-paper/2016/07/20/diversifying-network-services-under-cost-constraints

Conference: 30th IFIP Conference on Data and Application Security and Privacy (DBSEC 2016)
Abstract: Diversity as a security mechanism has received revived interest recently due to its potential for improving the resilience of software and networks against unknown attacks. Recent work shows diversity can be modeled and quantified as a security metric at the network level. However, such an effort do...

Publications ITL Bulletin July 13, 2016
https://csrc.nist.rip/publications/detail/itl-bulletin/2016/07/improving-security--software-management-using-swid-tags/final

Abstract: This bulletin summarized the information presented in NISTIR 8060, "Guidelines for the Creation of Interoperable Software Identification (SWID) Tags". The publication provides an overview of the capabilities and usage of SWID tags as part of a comprehensive software lifecycle.
