Conference: 8th ACM Computer and Communications Security International Workshop on Managing Insider Security Threats (MIST '16) Abstract: The American National Standards Organization has standardized an access control approach, Next Generation Access Control (NGAC), that enables simultaneous instantiation of multiple access control policies. For large complex enterprises this is critical to limiting the legally authorized access of in...
Conference: 9th International Symposium on Foundations and Practice of Security (FPS 2016) Abstract: Cloud computing has undergone rapid expansion throughout the last decade. Many companies and organizations have made the transition from traditional data centers to the cloud due to its flexibility and lower cost. However, traditional data centers are still being relied upon by those who are less ce...
Journal: IEEE Security & Privacy Abstract: More than 5.4 million Personal Identity Verification (PIV) and Common Access Cards (CAC) have been deployed to US government employees and contractors. These cards allow physical access to federal facilities, but their use to authenticate logical access to government information systems is uneven, w...
Conference: 9th International Symposium on Foundations and Practice of Security (FPS 2016) Abstract: Network intrusion detection is broadly divided into signature and anomaly detection. The former identifies patterns associated with known attacks and the latter attempts to learn a ‘normal’ pattern of activity and alerts when behaviors outside of those norms are detected. The n-gram methodology has a...
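As an added illustration of the anomaly-detection side of that abstract (this is example code, not code from the FPS 2016 paper): a byte n-gram profile is learned from request lines assumed to be benign, and a new request is scored by the fraction of its n-grams that never occurred in training. The request lines, the n-gram length of 3 and the threshold of 0.3 are all constructed for the example; in practice the threshold is calibrated on held-out benign traffic.

```python
# Added example (not from the listed paper): byte n-gram anomaly detection.
# A profile of n-grams is learned from traffic assumed benign; a new sample is
# scored by the share of its n-grams absent from the profile and flagged when
# that share exceeds a threshold. All request lines are constructed sample data.
from collections import Counter
from typing import Iterable, List, Tuple


def ngrams(data: bytes, n: int) -> Iterable[bytes]:
    """Yield every overlapping n-byte substring of data."""
    for i in range(len(data) - n + 1):
        yield data[i:i + n]


class NgramProfile:
    """Frequency profile of byte n-grams observed in benign samples."""

    def __init__(self, n: int = 3) -> None:
        self.n = n
        self.counts: Counter = Counter()

    def train(self, samples: Iterable[bytes]) -> None:
        for sample in samples:
            self.counts.update(ngrams(sample, self.n))

    def score(self, sample: bytes) -> float:
        """Fraction of the sample's n-grams never seen in training (0.0 = fully familiar)."""
        grams = list(ngrams(sample, self.n))
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.counts)
        return unseen / len(grams)


def detect(profile: NgramProfile, samples: Iterable[bytes],
           threshold: float) -> List[Tuple[bytes, float, bool]]:
    """Score each sample and flag it when its unseen-n-gram share exceeds the threshold."""
    return [(s, profile.score(s), profile.score(s) > threshold) for s in samples]


# Constructed benign training traffic (assumed clean; in a real deployment this
# would be a much larger, vetted capture).
BENIGN_REQUESTS = [
    b"GET /index.html HTTP/1.1",
    b"GET /images/logo.png HTTP/1.1",
    b"GET /about.html HTTP/1.1",
    b"GET /contact.html HTTP/1.1",
    b"POST /login HTTP/1.1",
    b"GET /products/list.html HTTP/1.1",
]

# Constructed test traffic: one unseen-but-ordinary request, one SQL-injection
# attempt and one request carrying a NOP-sled-like binary payload.
TEST_REQUESTS = [
    b"GET /images/about.html HTTP/1.1",
    b"GET /index.html?id=1' OR '1'='1 HTTP/1.1",
    b"GET /\x90\x90\x90\x90\xcc\xcc HTTP/1.1",
]

THRESHOLD = 0.3  # assumed for the example; calibrate on held-out benign data in practice


def run_example() -> List[Tuple[bytes, float, bool]]:
    profile = NgramProfile(n=3)
    profile.train(BENIGN_REQUESTS)
    return detect(profile, TEST_REQUESTS, THRESHOLD)


if __name__ == "__main__":
    for sample, score, flagged in run_example():
        print(f"{'ALERT ' if flagged else 'ok    '} {score:.2f}  {sample!r}")
```

The benign-looking request scores low because almost all of its 3-grams (`/im`, `abo`, `.ht`, `HTT`, ...) already occur in training; the injection string scores high because nearly every 3-gram in `?id=1' OR '1'='1` is new. The weakness the abstract alludes to is visible here too: with so little training data, an ordinary but unusual path would also raise the score, which is why the threshold must be tuned against a large benign sample.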
Conference: 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16) Abstract: While attacks on information systems have for most practical purposes binary outcomes (information was manipulated/eavesdropped, or not), attacks manipulating the sensor or control signals of Industrial Control Systems (ICS) can be tuned by the attacker to cause a continuous spectrum in damages. Att...
Abstract: This bulletin summarizes the information presented in NIST SP 800-177, Trustworthy Email. This publication gives recommendations and guidelines for enhancing trust in email. This guideline applies to federal IT systems and will also be useful for any small or medium sized organizations.
Journal: Computer (IEEE) Abstract: Combinatorial methods can make software security testing much more efficient and effective than conventional approaches.
Conference: IEEE 57th Annual Symposium on Foundations of Computer Science (FOCS 2016) Abstract: We consider Boolean circuits over the full binary basis. We prove a (3+1/86)n-o(n) lower bound on the size of such a circuit for an explicitly defined predicate, namely an affine disperser for sublinear dimension. This improves the 3n-o(n) bound of Norbert Blum (1984). The proof is based on the gate...
Abstract: This Recommendation specifies a message authentication code (MAC) algorithm based on a symmetric key block cipher. This block cipher-based MAC algorithm, called CMAC, may be used to provide assurance of the authenticity and, hence, the integrity of binary data.
Journal: INTEGERS: The electronic journal of combinatorial number theory Abstract: Working over the field Q(t), Kihara constructed an elliptic curve with torsion group Z/4Z and five independent rational points, showing the rank is at least five. Following his approach, we give a new infinite family of elliptic curves with torsion group Z/4Z and rank at least five. This matches the...
Abstract: Cyber threat information is any information that can help an organization identify, assess, monitor, and respond to cyber threats. Cyber threat information includes indicators of compromise; tactics, techniques, and procedures used by threat actors; suggested actions to detect, contain, or prevent a...
Abstract: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC) are very different attribute based access control (ABAC) standards with similar goals and objectives. An objective of both is to provide a standardized way for expressing and enforcing vastly diverse access c...
Journal: IT Professional Abstract: Security fatigue has been used to describe experiences with online security. This study identifies the affective manifestations resulting from decision fatigue and the role it plays in users' security decisions. A semistructured interview protocol was used to collect data (N = 40). Interview questio...
Abstract: This bulletin summarizes the information presented in NIST SP 800-183, Networks of 'Things'. This publication offers an underlying and foundational science to IoT based on the realization that IoT involves sensing, computing, communication, and actuation.
Abstract: As greater security control mechanisms are implemented at the point of sale, retailers in the U.S. may see a drastic increase in e-commerce fraud, similar to what has been widely observed in the United Kingdom and Europe following the rollout of Europay, MasterCard, and Visa (EMV) chip-and-PIN techn...
Conference: IFIP WG 11.3 International Conference on Digital Forensics Abstract: Modern-day attackers use sophisticated multi-stage and/or multi-host attack techniques and anti-forensic tools to cover their attack traces. Due to the limitations of current intrusion detection systems and forensic analysis tools, evidence often has false positive errors or is incomplete. Additiona...
Abstract: On January 12-13, 2016 the National Institute of Standards and Technology’s (NIST) Applied Cybersecurity Division (ACD) hosted the “Applying Measurement Science in the Identity Ecosystem” workshop to discuss the application of measurement science to digital identity management. This document summari...
Abstract: Law enforcement vehicles often serve as mobile offices. In-vehicle laptops or other computer systems are used to access a wide range of software applications and databases hosted and operated by federal, state, and local agencies, with each typically requiring a different username and password. This...
Abstract: Mobile devices pose a unique set of threats, yet typical enterprise protections fail to address the larger picture. In order to fully address the threats presented by mobile devices, a wider view of the mobile security ecosystem is necessary. This document discusses the Mobile Threat Catalogue, whic...
In: Cloud Computing Security: Foundations and Challenges Abstract: This chapter discusses the essential security challenges and requirements for cloud consumers that intend to adopt cloud-based solutions for their information systems.
In: Cloud Computing Security: Foundations and Challenges Abstract: This chapter discusses the risk management for a cloud-based information system viewed from the cloud consumer perspective.
Conference: 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC) Abstract: Empirical studies have shown that most software interaction faults involve one or two variables interacting, with progressively fewer triggered by three or more, and no failure has been reported involving more than six variables interacting. This paper introduces a model for the origin of this distr...
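The Computer article above (combinatorial methods for security testing) and this COMPSAC paper (interaction faults involve few variables) rest on the same construction: a t-way covering array, a small set of test rows in which every combination of t parameter values appears at least once. As an added example, not code from either paper, the following greedy generator builds such arrays for any t; the TLS parameter space is a constructed illustration, and the names `greedy_covering_array` and `covers_all` are the example's own.

```python
# Added example (not from either paper): greedy t-way covering array generation,
# the construction behind combinatorial testing. Each generated test is the
# full-factorial row covering the most still-uncovered t-tuples; the loop stops
# once every t-tuple of parameter values appears in some row. The TLS parameter
# space is constructed for illustration.
from itertools import combinations, product
from typing import Dict, Iterable, List, Sequence, Set, Tuple

Params = Dict[str, Sequence[object]]          # parameter name -> its values
Test = Dict[str, object]                      # one row: parameter name -> chosen value
ValueTuple = Tuple[Tuple[str, object], ...]   # ((name, value), ...) for t parameters


def all_tuples(params: Params, t: int) -> Set[ValueTuple]:
    """Every t-tuple of parameter values that a t-way array must cover."""
    names = list(params)
    out: Set[ValueTuple] = set()
    for combo in combinations(names, t):
        for values in product(*(params[n] for n in combo)):
            out.add(tuple(zip(combo, values)))
    return out


def tuples_of(test: Test, names: Sequence[str], t: int) -> Iterable[ValueTuple]:
    """The t-tuples that one test row covers."""
    for combo in combinations(names, t):
        yield tuple((n, test[n]) for n in combo)


def greedy_covering_array(params: Params, t: int = 2) -> List[Test]:
    """Build a t-way covering array by repeatedly choosing the row with the
    largest number of not-yet-covered t-tuples (exhaustive over the full
    factorial, so intended for small parameter spaces)."""
    if t < 1 or t > len(params):
        raise ValueError("t must be between 1 and the number of parameters")
    names = list(params)
    uncovered = all_tuples(params, t)
    tests: List[Test] = []
    while uncovered:
        best, best_gain = None, -1
        for values in product(*(params[n] for n in names)):
            candidate = dict(zip(names, values))
            gain = sum(1 for tup in tuples_of(candidate, names, t) if tup in uncovered)
            if gain > best_gain:
                best, best_gain = candidate, gain
        tests.append(best)
        uncovered.difference_update(tuples_of(best, names, t))
    return tests


def covers_all(tests: Iterable[Test], params: Params, t: int) -> bool:
    """Independent check that the rows cover every t-tuple."""
    names = list(params)
    seen: Set[ValueTuple] = set()
    for test in tests:
        seen.update(tuples_of(test, names, t))
    return seen == all_tuples(params, t)


def full_factorial_size(params: Params) -> int:
    size = 1
    for values in params.values():
        size *= len(values)
    return size


# Constructed TLS server configuration space: 2 * 3 * 2 * 2 = 24 exhaustive tests.
TLS_PARAMS: Params = {
    "tls_version": ["1.2", "1.3"],
    "cipher": ["AES128-GCM", "AES256-GCM", "CHACHA20-POLY1305"],
    "cert_type": ["rsa", "ecdsa"],
    "client_auth": [False, True],
}

if __name__ == "__main__":
    for t in (2, 3):
        rows = greedy_covering_array(TLS_PARAMS, t)
        print(f"{t}-way: {len(rows)} tests instead of {full_factorial_size(TLS_PARAMS)}")
        for row in rows:
            print("   ", row)
```

For the constructed space, pairwise coverage needs at most a handful of rows against 24 exhaustive ones, and 3-way coverage sits between the 12-row lower bound (the largest product of three parameter sizes) and 24. That gap is the practical content of the interaction-fault finding: because almost all faults involve one or two parameters, the small pairwise array already exercises the conditions most likely to expose them, and t can be raised where a stronger guarantee is worth the extra rows.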
Journal: Computer (IEEE Computer) Abstract: Securing the Internet requires strong cryptography, which depends on good entropy for generating unpredictable keys. Entropy as a service provides entropy from a decentralized root of trust, scaling across diverse geopolitical locales and remaining trustworthy unless much of the collective is compro...
Conference: 2016 Human Factors and Ergonomics Society Annual Meeting Abstract: Although many aspects of passwords have been studied, no research to date has systematically examined how ambiguous terminology affects the user experience during password rule comprehension, a necessary precursor to password generation. Our research begins to address this gap by focusing on users’...
Journal: Journal of Computer and System Sciences Abstract: Given a boolean n × n matrix A we consider arithmetic circuits for computing the transformation x ↦ Ax over different semirings. Namely, we study three circuit models: monotone OR-circuits, monotone SUM-circuits (addition of non-negative integers), and non-monotone XOR-circuits (addition modulo 2)....