Search Publications

Displaying 426 - 450 of 1521

A Software Assurance Reference Dataset: Thousands of Programs With Known Bugs

April 16, 2018

Author(s)

Paul E. Black

The Software Assurance Reference Dataset (SARD) is a growing collection of over 170 000 programs with precisely located bugs. The programs are in C, C++, Java, PHP, and C# and cover more than 150 classes of weaknesses, such as SQL injection, cross-site

Framework for Improving Critical Infrastructure Cybersecurity Version 1.1

April 16, 2018

Author(s)

Matthew P. Barrett

This publication describes a voluntary risk management framework ("the Framework") that consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Framework's prioritized, flexible, and cost-effective approach helps to

HFERP -- A New Multivariate Encryption Scheme

April 1, 2018

Author(s)

Yashuhiko Ikematsu, Ray Perlner, Daniel Smith-Tone, Tsuyoshi Takagi, Jeremy Vates

In 2016, Yasuda et al.presented a new multivariate encryption technique based on the Square and Rainbow primitives and utilizing the plus modifier that they called SRP. The scheme achieved a smaller blow-up factor between the plaintext space and ciphertext

Safeguards for Securing Virtualized Servers

March 27, 2018

Author(s)

Ramaswamy Chandramouli, Larry Feldman, Gregory A. Witte

This bulletin summarizes the information found in NIST SP 800-125A: Security Recommendations for Hypervisor Deployment on Servers, which provides technical guidelines regarding the secure execution of baseline functions of the hypervisor and are therefore

Testing IoT Systems

March 26, 2018

Author(s)

Jeffrey M. Voas, David R. Kuhn, Phil Laplante

The ability to test systems that are based on the underlying products and services commonly referred to as the Internet of 'things' (IoT) is discussed. The role of a static metric that can be applied to design, architectures, hardware, 'things', and

Surviving Unpatchable Vulnerabilities through Multi-Option Network Hardening

March 23, 2018

Author(s)

Daniel Borbor, Lingyu Wang, Sushil Jajodia, Anoop Singhal

The administrators of a mission critical network usually have to worry about non-traditional threats, e.g., how to live with known, but unpatchable vulnerabilities,and how to improve the network's resilience against potentially unknown vulnerabilities. To

A System for Centralized ABAC Policy Administration and Local ABAC Policy Decision and Enforcement in Host Systems using Access Control Lists

March 21, 2018

Author(s)

David F. Ferraiolo, Serban I. Gavrila, Gopi Katwala

We describe a method that centrally manages Attribute-Based Access Control (ABAC) policies and locally computes and enforces decisions regarding those policies for protection of resource repositories in host systems using their native Access Control List

Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems [including updates as of 3-21-2018]

March 21, 2018

Author(s)

Ronald S. Ross, Michael McEvilley, Janet C. Oren

With the continuing frequency, intensity, and adverse consequences of cyber-attacks, disruptions, hazards, and other threats to federal, state, and local governments, the military, businesses, and the critical infrastructure, the need for trustworthy

Could the Internet of Things Be Used to Enhance Student Nurses Experiences in a Disaster Simulation?

February 27, 2018

Author(s)

Jeffrey M. Voas, Phillip Laplante, Nancy Laplante

The Internet of Things (IoT) promises to create many opportunities for enhancing human lives, particularly, in healthcare. In this paper we illustrate how an IoT enabled tracking system can help in a special kind of healthcare setting, that is, in the case

Securing Tomorrow's Information through Post-Quantum Cryptography

February 27, 2018

Author(s)

Dustin Moody, Larry Feldman, Gregory A. Witte

In recent years, there has been a substantial amount of research on quantum computers - machines that exploit quantum mechanical phenomena to solve mathematical problems that are difficult or intractable for conventional computers. If large-scale quantum

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations [including updates as of 02-20-2018]

February 20, 2018

Author(s)

Ronald S. Ross, Patrick Viscuso, Gary Guissanie, Kelley L. Dempsey, Mark Riddle

[Superseded by SP 800-171 Rev. 1 (December 2016, updated 06/07/2018): https://doi.org/10.6028/NIST.SP.800-171r1] The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount

The Technical Specification for the Security Content Automation Protocol (SCAP) Version 1.3

February 14, 2018

Author(s)

David A. Waltermire, Stephen D. Quinn, Harold Booth, Karen Scarfone, Dragos Prisaca

The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. This publication, along

Guidance for Improving LTE-based Mobile Communications Security

January 30, 2018

Author(s)

Jeffrey Cichonski, Joshua M. Franklin, Michael Bartock, Larry Feldman, Greg Witte

This bulletin summarizes the information found in NIST SP 800-187: Guide to LTE Securtiy, which serves as a guide to the fundamentals of how LTE networks operate and explores the LTE security architecture.

Security Recommendations for Hypervisor Deployment on Servers

January 23, 2018

Author(s)

Ramaswamy Chandramouli

The Hypervisor is a collection of software modules that provides virtualization of hardware resources (such as CPU/GPU, Memory, Network and Storage) and thus enables multiple computing stacks (basically made of an OS and Application programs) called

Domain Name System-Based Electronic Mail Security

January 15, 2018

Author(s)

Scott W. Rose, Karen M. Waltermire, Santos Jha, Chinedum Irrechukwu, William C. Barker

This document describes a security platform for trustworthy email exchanges across organizational boundaries. The project includes reliable authentication of mail servers, digital signature and encryption of email, and binding cryptographic key

Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes

January 12, 2018

Author(s)

Paul A. Grassi, Ryan Galluzzo, Ellen M. Nadeau, Naomi Lefkovitz, Abhiraj T. Dinh

Developing Trust Frameworks to Support Identity Federations

January 12, 2018

Author(s)

David M. Temoshok, Christine Abruzzi

Bad security metrics: the problem and its solution

January 4, 2018

Author(s)

David W. Flater

It is generally acknowledged that few security metrics have the level of predictive validity that their uses require, but neither the nature of the problem nor the steps needed to avoid it have been fully characterized. This article examines both questions

Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems [including updates as of 1-03-2018]

January 3, 2018

Author(s)

Ronald S. Ross, Michael McEvilley, Janet C. Oren

Cryptography Classes in Bugs Framework (BF): Encryption Bugs (ENC), Verification Bugs (VRF), and Key Management Bugs (KMN)

December 25, 2017

Author(s)

Irena Bojanova, Paul E. Black, Yaacov Yesha

Abstract—Accurate, precise, and unambiguous definitions of software weaknesses (bugs) and clear descriptions of software vulnerabilities are vital for building the foundations of cybersecurity. The Bugs Framework (BF) comprises rigorous definitions and

Internet of Things (IoT) Cybersecurity Colloquium

December 22, 2017

Author(s)

Benjamin M. Piccarreta, Katerina N. Megas, Danna G. O'Rourke

This report provides an overview of the topics discussed at the Internet of Things (IoT) Cybersecurity Colloquium hosted on NISTs campus in Gaithersburg, Maryland on October 19, 2017. It summarizes key takeaways from the presentations and discussions

A Layered Graphical Model for Mission Attack Impact Analysis

December 21, 2017

Author(s)

Changwei Liu, Anoop Singhal, Duminda Wijesekera

In this paper, we describe a layered graphical model to analyze the mission impacts of attacks for forensic investigation. Our model has three layers: the upper layer models operational tasks and their dependencies; the middle layer reconstructs attack

Guide to LTE Security

December 21, 2017

Author(s)

Jeffrey A. Cichonski, Joshua M. Franklin, Michael J. Bartock

Cellular technology plays an increasingly large role in society as it has become the primary portal to the internet for a large segment of the population. One of the main drivers making this change possible is the deployment of 4th generation (4G) Long

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations [including updates as of 11-28-2017]

November 28, 2017

Author(s)

Ronald S. Ross, Patrick Viscuso, Gary Guissanie, Kelley L. Dempsey, Mark Riddle

[Superseded by SP 800-171 Rev. 1 (December 2016, updated 02/20/2018): https://doi.org/10.6028/NIST.SP.800-171r1] The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount

Challenges to Automating Security Configuration Checklists in Manufacturing Environments

November 21, 2017

Author(s)

Joshua Lubell, Timothy A. Zimmerman

Information technology is essential for today's manufacturing systems, making them more vulnerable to cybersecurity threats than ever before. This paper discusses the challenge of developing automatable configuration checklists for the manufacturing