Search CSRC

Abstract: The purpose of this document is to identify a baseline set of security controls and practices to support the secure issuance of certificates. This baseline was developed with publicly-trusted Certificate Authorities (CAs) in mind. These CAs, who issue the certificates used to secure websites using T...

Abstract: Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Mobile device forensics is an evolving specialty in the field of digital forensics. This guide attempts to bridge the gap by providing an in-depth lo...

Abstract: Small and medium-sized businesses (SMBs) represent 99.7 percent of all U.S. employers and are an important segment of the U.S. economy. These organizations, totaling more than 28.2 million, create over 60 percent of all new U.S. private-sector jobs and produce over 47 percent of the country's Gross...

Abstract: This Interagency Report provides guidance to individuals scoring IT vulnerabilities using the Common Vulnerability Scoring System (CVSS) Version 2.0 scoring metrics. The guidance in this document is the result of applying the CVSS specification to score over 50,000 vulnerabilities analyzed by the Na...

Conference: 11th International Workshop on Security in Information Systems (WOSIS 2014) Abstract: Constructing an efficient and accurate model from security events to determine an attack scenario for an enterprise network is challenging. In this paper, we discuss how to use evidence obtained from security events to construct an attack scenario and build an evidence graph. To achieve the accuracy...

Abstract: Passwords are the most prevalent method used by the public and private sectors for controlling user access to systems. Organizations establish security policies and password requirements on how users should generate and maintain their passwords, and use the passwords to authenticate and gain access...

Journal: IT Professional Abstract: The US National Institute of Standards and Technology's highly visible work in four key areas--cryptographic standards, role-based access control, identification card standards, and security automation--has and continues to shape computer and information security at both national and global levels....

Conference: Third International Workshop on Combinatorial Testing (IWCT 2014) Abstract: This poster gives an overview of methods for estimating fault detection effectiveness of a test set based on combinatorial coverage for a class of software.

Conference: Third International Workshop on Combinatorial Testing (IWCT 2014) Abstract: This poster gives an overview of the experience of eight pilot projects, over two years, applying combinatorial testing in a large aerospace organization. While results varied across the different pilot projects, overall it was estimated that CT would save roughly 20% of testing cost, with 20% - 50%...

Conference: Third International Workshop on Combinatorial Testing (IWCT 2014) Abstract: Some conflicting results have been reported on the comparison between t-way combinatorial testing and random testing. In this paper, we report a new study that applies t-way and random testing to the Siemens suite. In particular, we investigate the stability of the two techniques. We measure both co...

Abstract: Meeting security responsibilities and providing for the confidentiality, integrity, and availability of information in today's highly networked environment can be a difficult task. Each individual that owns, uses, relies on, or manages information and information technology (IT) systems must fully u...

Abstract: Attribute-Based Access Control (ABAC) is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or rela...

Abstract: Smart cards (smart identity tokens) are now being extensively deployed for identity verification for controlling access to Information Technology (IT) resources as well as physical resources. Depending upon the sensitivity of the resources and the risk of wrong identification, different authenticati...

Abstract: This NISTIR 7628 User's Guide is intended to provide an easy-to-understand approach that you can use to navigate the NISTIR 7628. While NISTIR 7628 covers many significant cybersecurity topics, this User's Guide is focused primarily on the application of NISTIR 7628 Volume 1 in the context of an org...

Abstract: Recognizing that the national and economic security of the United States depends on the resilience of critical infrastructure, President Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. It directed NIST to work with stakeholders to develop a...

Abstract: This white paper provides an overview of NIST Special Publication (SP) 800-53, Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations, which was published April 30, 2013.

Abstract: The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats take advantage of the increased complexity and connectivity of critical infrastructure systems, placing the Nation's security at risk. To better protect these...

Abstract: Users have developed various coping strategies for minimizing or avoiding the friction and burden associated with managing and using their portfolios of user IDs and passwords or personal identification numbers (PINs). Many try to use the same password (or different versions of the same password) ac...

Journal: IT Professional Abstract: Risk management is a common phrase when managing information, from the CISO to the programmer. We acknowledge that risk management is the identification, assessment and prioritization of risks and reflects how we manage uncertainty. These are some areas of risk that we have come to accept, their mit...

Journal: Computer (IEEE Computer) Abstract: This special issue presents papers that focus on important problems within the Software Testing community.

Journal: Computer (IEEE Computer) Abstract: The strength of cryptographic keys is an active challenge in academic research and industrial practice. In this paper we discuss the entropy as fundamentally important concept for generating hard-to-guess, i.e., strong, cryptographic keys and outline the difficulties in generating and estimating the...

Conference: 2013 International Conference on Social Computing (SocialCom) Abstract: Access control (AC) policies can be implemented based on different AC models, which are fundamentally composed by semantically independent AC rules in expressions of privilege assignments described by attributes of subjects/attributes, actions, objects/attributes, and environment variables of the pr...

Journal: IEEE Transactions on Dependable and Secure Computing Abstract: By enabling a direct comparison of different security solutions with respect to their relative effectiveness, a network security metric may provide quantifiable evidences to assist security practitioners in securing computer networks. However, research on security metrics has been hindered by diffic...

Abstract: The Computer Security Division within ITL has recently provided a draft of Special Publication (SP) 800-152, A Profile for U. S. Federal Cryptographic Key Management Systems, for public comment. NIST SP 800-152 is based on NIST SP 800-130, A Framework for Designing Cryptographic Key Management Syste...

Journal: IEEE Wireless Communications Abstract: When enabling handover between different radio interfaces (e.g., handover from 3G to Wi-Fi), reducing network access authentication latency and securing handover related signaling messages are major challenging problems, amongst many others. The IEEE 802 LAN/MAN Standards committee has recently fini...