The cybersecurity community tends to focus on and depend on technology to solve today's cybersecurity problems, often without taking into consideration the human element - the key individual and social factors impacting cybersecurity adoption. This handout
Zero-day attacks exploit unknown vulnerabilities so as to avoid being detected by cybersecurity detection tools. The studies Bilge and Dumitraş (2012), Google (0000) and Ponemon Sullivan Privacy Report (2020) show that zero-day attacks are widespread and
Traditional attack detection approaches utilize predefined databases of known signatures about already-seen tools and malicious activities observed in past cyber-attacks to detect future attacks. More sophisticated approaches apply machine learning to
Qingtian Zou, Lan Zhang, Anoop Singhal, Xiaoyan Sun, Peng Liu
The past several years have witnessed rapidly increasing use of machine learning (ML) systems in multiple industry sectors. Since risk analysis is one of the most essential parts of the real-world ML system protection practice, there is an urgent need to
Nakia R. Grayson, Murugiah Souppaya, Andrew Regenscheid, Tim Polk, Christopher Brown, Karen Scarfone, Chelsea Deane
Product integrity and the ability to distinguish trustworthy products is a critical foundation of C-SCRM. Authoritative information regarding the provenance and integrity of components provides a strong basis for trust in a computing device whether it is a
Whether you're implementing security policy or developing products, considering the human element is critical. Yet security professionals often fall victim to misconceptions and pitfalls that undermine users' ability to reach their full security potential
While the existence of many security elements can be measured (e.g., vulnerabilities, security controls, or privacy controls), it is challenging to measure their relative security impact. In the physical world we can often measure the impact of individual
Stephen Quinn, Nahla Ivy, Julie Chua, Matthew Barrett, Greg Witte, Larry Feldman, Daniel Topper, Robert Gardner
While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise
This publication describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems. Such principles, concepts, activities, and tasks can be effectively applied within systems engineering efforts to
Peter Mell, Jonathan Spring, Dave Dugal, Srividya Ananthakrishna, Francesco Casotto, Troy Fridley, Christopher Ganas, Arkadeep Kundu, Phillip Nordwall, Vijayamurugan Pushpanathan, Daniel Sommerfeld, Matt Tesauro, Christopher Turner
This work evaluates the validity of the Common Vulnerability Scoring System (CVSS) Version 3 "base score" equation in capturing the expert opinion of its maintainers. CVSS is a widely used industry standard for rating the severity of information
Michael Fahr Jr., Hunter Kippen, Andrew Kwong, Thinh Dang, Jacob Lichtinger, Dana Dachman-Soled, Daniel Genkin, Alexander Nelson, Ray Perlner, Arkady Yerukhimovich, Daniel Apon
In this work, we recover the private key material of the FrodoKEM key exchange mechanism as submitted to the NIST PQC standardization process. The new mechanism that allows for this is a Rowhammer-assisted poisoning of the FrodoKEM KeyGen process. That is
James McCarthy, Joseph Brule, Dan Mamula, Karri Meldorf
The objective of this Cybersecurity Profile is to identify an approach to assess the cybersecurity posture of Hybrid Satellite Networks (HSN) that provide services such as satellite-based systems for communications, position, navigation, and timing (PNT)
Kids are engaged in technology and online activities at younger ages than ever before. They are the "digital natives" – an always online and connected generation. Much cyber security research has focused on adults' perceptions and practices. But, what
This talk will cover findings from over 4 years of NIST phishing training data, highlighting user context as the key to phishing susceptibility. We will discuss the NIST Phish Scale, our research on why users click, and how it can help users spot a phish.