U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Information Technology

Cybersecurity and privacy

Search Publications

Search Title, Abstract, Conference, Citation, Keyword or Author
  • Published Date
Displaying 501 - 525 of 1521

Measuring and Improving the Effectiveness of Defense-in-Depth Postures

January 26, 2017
Author(s)
Peter M. Mell, James Shook, Richard Harang
Defense-in-depth is an important security architecture principle that has significant application to industrial control systems (ICS), cloud services, storehouses of sensitive data, and many other areas. We claim that an ideal defense-in-depth posture is

Dramatically Reducing Software Vulnerabilities

January 18, 2017
Author(s)
Paul E. Black, Larry Feldman, Gregory A. Witte
This bulletin summarized the information presented in NISTIR 8151: Dramatically Reducing Software Vulnerabilities: Report to the White House Office of Science and Technology Policy. The publication starts by describing well known security risks and

An Introduction to Privacy Engineering and Risk Management in Federal Information Systems

January 5, 2017
Author(s)
Sean W. Brooks, Michael E. Garcia, Naomi B. Lefkovitz, Suzanne Lightman, Ellen M. Nadeau
This document provides an introduction to the concepts of privacy engineering and risk management for federal information systems. These concepts establish the basis for a common vocabulary to facilitate better understanding and communication of privacy

The Emergence of DANE Trusted Email for Supply Chain Management

January 3, 2017
Author(s)
Scott Rose, Joseph Gersch, Daniel Massey
Supply chain management is critically dependent on trusted email with authentication systems that work on a global scale. Solutions to date have not adequately addressed the issues of email forgery, confidentiality, and sender authenticity. The IETF DANE

Threat Modeling for Cloud Data Center Infrastructures

December 29, 2016
Author(s)
Nawaf Alhebaishi, Lingyu Wang, Sushil Jajodia, Anoop Singhal
Cloud computing has undergone rapid expansion throughout the last decade. Many companies and organizations have made the transition from traditional data centers to the cloud due to its flexibility and lower cost. However, traditional data centers are

Guide for Cybersecurity Event Recovery

December 22, 2016
Author(s)
Michael Bartock, Jeffrey Cichonski, Murugiah Souppaya, Matthew C. Smith, Gregory Witte, Karen Scarfone
In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning. Identifying and prioritizing organization resources helps to guide

Rethinking Security through Systems Security Engineering

December 21, 2016
Author(s)
Ronald S. Ross, Larry Feldman, Gregory A. Witte
This bulletin summarizes the information presented in NIST SP 800-160: Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. The publication addresses the engineering-driven

General Methods for Access Control Policy Verification

December 19, 2016
Author(s)
Chung Tong Hu, David R. Kuhn
Access control systems are among the most critical of computer security components. Faulty policies, misconfigurations, or flaws in software implementations can result in serious vulnerabilities. To formally and precisely capture the security properties

MyData API Patterns: OAuth

December 8, 2016
Author(s)
Martin Burns, David A. Wollman
The My Data initiatives are part of the Administration's efforts to empower Americans with secure access to their own personal data, and to increase citizens' access to private-sector data-based applications and services. With its focus on personal data

A Secure Multicast Group Management and Key Distribution in IEEE 802.21

December 5, 2016
Author(s)
Yoshikazu Hanatani, Naoki Ogura, Yoshihiro Ohba, Lidong Chen, Subir Das
Controlling a large number of devices such as sensors and smart end points, is always a challenge where scalability and security are indispensa-ble. This is even more critical when it comes to configuration updates to a large number of such devices when

Survey and New Directions for Physics-Based Attack Detection in Control Systems

November 21, 2016
Author(s)
David Urbina, Jairo Giraldo, Alvaro Cardenas, Junia Valente, Mustafa Faisal, Niles O. Tippenhauer, Justin Ruths, Rick Candell, Heinrik Sandberg
Monitoring the "physics" of control systems to detect attacks is a growing area of research. In its basic form a security monitor creates time-series models of sensor readings for an industrial control system and identifies anomalies in these measurements

Small Business Information Security: The Fundamentals

November 3, 2016
Author(s)
Patricia R. Toth, Celia Paulsen
NIST developed this NISTIR as a reference guideline for small businesses. This document is intended to present the fundamentals of a small business information security program in non-technical language.

Defeating Buffer Overflow: One of the Most Trivial and Dangerous Bugs of All!

October 31, 2016
Author(s)
Paul E. Black, Irena Bojanova
The C programming language was invented over 40 years ago. It is infamous for buffer overflows. We have learned a lot about computer science, language design, and software engineering since then. As it is unlikely that we will stop using C any time soon

Limiting The Impact of Stealthy Attacks on Industrial Control Systems

October 28, 2016
Author(s)
David Urbina, Alvaro Cardenas, Niles O. Tippenhauer, Junia Valente, Mustafa Faisal, Justin Ruths, Rick Candell, Heinrik Sandberg
While attacks on information systems have for most practical purposes binary outcomes information was manipulated/eavesdropped, or not), attacks manipulating the sensor or control signals of Industrial Control Systems (ICS) can be tuned by the attacker to

Secure and usable enterprise authentication: Lessons from the Field

October 26, 2016
Author(s)
Mary F. Theofanos, Simson L. Garfinkel, Yee-Yin Choong
There are now more than 5.4 million Personal Identity Verification (PIV) and Common Access Card (CAC) identity cards deployed to US government employees and contractors. These cards are widely used to gain physical access to federal facilities, but their

Making Email Trustworthy

October 24, 2016
Author(s)
Scott W. Rose, Larry Feldman, Gregory A. Witte
This bulletin summarizes the information presented in NIST SP 800-177: Trustworthy Email. This publication gives recommendations and guidelines for enhancing trust in email. This guideline applies to federal IT systems and will also be useful for any small

The Bugs Framework (BF): A Structured Approach to Express Bugs

October 13, 2016
Author(s)
Irena Bojanova, Paul E. Black, Yaacov Yesha, Yan Wu
To achieve higher levels of assurance for digital systems, we need to answer questions such as, does this software have bugs of these critical classes? Do these two tools generally find the same set of bugs, or different, complimentary sets? Can we
Was this page helpful?