Abstract: The National Vulnerability Database (NVD), and its companion, the National Checklist Program (NCP), have provided a valuable and flexible set of services to users around the world since NVD was established in 2005. The NVD was established to provide a U.S. government repository of data about softwar...
Abstract: A password policy may seem formal in the sense that it is written in a legalistic language, giving the impression of a binding contract. However, such policies are informal in the logical sense that the policy statements are not written in a clear, unambiguous form. In password policy research at th...
Abstract: In order to protect power generation, transmission and distribution, energy companies need to be able to control physical and logical access to their resources, including buildings, equipment, information technology and industrial control systems (ICS). They must be able to authenticate the individu...
Abstract: This ITL Bulletin announces the release of the Preliminary Cybersecurity Framework and gives instructions for submitting comments.
Journal: Applied Mathematics & Information Sciences Abstract: On-off scheduling of systems that have the ability to sleep can be used to extend system idle periods and enable greater opportunities for energy savings from sleeping. In this paper, we achieve a theoretical understanding of the delay behavior of on-off scheduling as it may apply to communications...
Conference: 7th International Workshop on Critical Information Infrastructures Security (CRITIS 2012) Abstract: Prevention, detection and response are nowadays considered to be three priority topics for protecting critical infrastructures, such as energy control systems. Despite attempts to address these current issues, there is still a particular lack of investigation in these areas, and in particular in dyn...
Abstract: On September 5, 2013, ITL released Revision 2 of FIPS 201 (FIPS 201-2), Personal Identity Verification of Federal Employees and Contractors. The revision includes adaptations to changes in the environment and new technology since the first revision of the standard. FIPS 201-2 also provides clarifica...
Journal: IT Professional Abstract: Does your organization have systematic procedures to remove sensitive data from obsolete equipment, or do you use a somewhat ad hoc process for the cleanup and disposal of old gear? Careless disposal of data storage hardware has led to costly and embarrassing incidents for organizations that discove...
Conference: Ninth IFIP WG 11.9 International Conference on Digital Forensics Abstract: Evidence Graphs model network intrusion evidence and their dependencies, which helps network forensics analysts collate and visualize dependencies. In particular, probabilistic evidence graphs provide a way to link probabilities associated with different attack paths with available evidence. Existing...
Conference: 2013 IEEE Conference on Communications and Network Security (CNS) Abstract: This paper discusses limitations in one of the most widely cited single source scan detection algorithms: threshold random walk (TRW). If an attacker knows that TRW is being employed, these limitations enable full circumvention allowing undetectable high speed full horizontal and vertical scanning o...
Conference: 2013 ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM 2013) Abstract: This poster presents some measures of combinatorial coverage that can be helpful in estimating residual risk related to insufficient testing of rare interactions, and a tool for computing these measures.
Journal: Journal of Computer Security Abstract: Quantifying security risk is an important and yet difficult task in enterprise network security management. While metrics exist for individual software vulnerabilities, there is currently no standard way of aggregating such metrics. We present a model that can be used to aggregate vulnerability metr...
Abstract: The latest version of the ANSI/NIST-ITL standard was published in November 2011 (AN-2011). In addition to specifying Record Types in traditional encoding, the standard includes the specification of National Information Exchange Model (NIEM) Extensible Markup Language (XML) encoding and an associated...
Journal: Notes on Number Theory and Discrete Mathematics Abstract: In this article, we study the quartic Diophantine equation x^4+y^4-2z^4-2w^4=0. We find non-trivial integer solutions. Furthermore, we show that when a solution has been found, a series of other solutions can be derived. We do so using two different techniques. The first is a geometric method due to...
Abstract: The Domain Name System (DNS) is a distributed computing system that enables access to Internet resources by user-friendly domain names rather than IP addresses, by translating domain names to IP addresses and back. The DNS infrastructure is made up of computing and communication entities called Name...
Conference: Second International Workshop on Lightweight Cryptography for Security and Privacy (LightSec 2013) Abstract: Lightweight cryptography aims to provide sufficient security with low area/power/energy requirements for constrained devices. In this paper, we focus on the lightweight encryption algorithm specified and approved in NRS 009-6-7:2002 by Electricity Suppliers Liaison Committee to be used with tokens i...
Abstract: To interact with various services in the cloud and to store the data generated/processed by those services, several security capabilities are required. Based on a core set of features in the three common cloud services - Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software a...
Abstract: This ITL Bulletin summarizes a new ITL publication, NIST Special Publication 800-83 Revision 1, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, which gives recommendations for organizations to improve their malware incident prevention procedures.
Conference: 6th International Symposium on Resilient Control Systems (ISRCS) Abstract: This paper presents a preliminary design for a moving-target defense (MTD) for computer networks to combat an attacker's asymmetric advantage. The MTD system reasons over a set of abstract models that capture the network's configuration and its operational and security goals to select adaptations th...
Abstract: This Framework for Designing Cryptographic Key Management Systems (CKMS) contains topics that should be considered by a CKMS designer when developing a CKMS design specification. For each topic, there are one or more documentation requirements that need to be addressed by the design specification. T...
Abstract: This ITL Bulletin summarizes a new ITL publication, NIST Special Publication 800-40 Revision 3, Guide to Enterprise Patch Management Technologies, which gives recommendations for organizations to improve the effectiveness and efficiency of their patch management technologies.
Conference: 2013 International Conference on Security and Cryptography (SECRYPT) Abstract: Computer systems are vulnerable to both known and zero-day attacks. Although known attack patterns can be easily modeled, thus enabling the definition of suitable hardening strategies, handling zero-day vulnerabilities is inherently difficult due to their unpredictable nature. Previous research has...
Conference: 18th Australasian Conference on Information Security and Privacy (ACISP 2013) Abstract: Due to the symmetric padding used in the stream cipher Grain v1 and Grain-128, it is possible to find Key-IV pairs that generate shifted keystreams efficiently. Based on this observation, Lee et al. presented a chosen IV related Key attack on Grain v1 and Grain-128 at ACISP 2008. Later, the designer...
Abstract: Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating s...