Search Publications

Displaying 151 - 175 of 1521

Guidelines for Managing the Security of Mobile Devices in the Enterprise

May 17, 2023

Author(s)

Murugiah Souppaya, Gema Howell, Karen Scarfone, Joshua Franklin, Vincent Sritapan

Mobile devices were initially personal consumer communication devices, but they are now permanent fixtures in enterprises and are used to access modern networks and systems to process sensitive data. This publication assists organizations in managing and

Phishing With a Net: The NIST Phish Scale and Cybersecurity Awareness

April 25, 2023

Author(s)

Shanee Dawkins, Jody Jacobs

Orienting an entire organization toward sound security practices is an important, but non-trivial undertaking. A starting point for many organizations is to build a robust security awareness program, training employees to recognize and respond to security

To Everything There Is a Session: A Time to Listen, a Time to Read Multi-session CDs

April 21, 2023

Author(s)

Dianne Dietrich, Alexander Nelson

When the cost of CD burners dropped precipitously in the late 1990s, consumers had access to the CD-R, a format with far greater storage capacity than floppy disks. Multiple session standards allowed users the flexibility to add subsequent content to an

Users Are Not Stupid: Six Cyber Security Pitfalls Overturned

March 16, 2023

Author(s)

Julie Haney

The skilled and dedicated professionals who strive to improve cyber security may unwittingly fall victim to misconceptions and pitfalls that hold customers and users back from reaching their full potential of being active partners in security. These

Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide (Ukrainian Translation)

March 14, 2023

Author(s)

Amy Mahn, Jeffrey Marron, Stephen Quinn, Daniel Topper

Empirical Validation of Automated Vulnerability Curation and Characterization

February 28, 2023

Author(s)

Ahmet Okutan, Peter Mell, Medhi Mirakhorli, Igor Khokhlov, Joanna Santos, Danielle Gonzalez, Steven Simmons

Prior research has shown that public vulnerability systems such as US National Vulnerability Database (NVD) rely on a manual, time-consuming, and error-prone process which has led to inconsistencies and delays in releasing final vulnerability results. This

Digital Twin-Based Cyber-Attack Detection Framework for Cyber-Physical Manufacturing Systems

February 23, 2023

Author(s)

Efe Balta, Michael Pease, James Moyne, Kira Barton, Dawn Tilbury

Smart manufacturing (SM) systems utilize run-time data to improve productivity via intelligent decision-making and analysis mechanisms on both machine and system levels. The increased adoption of cyber-physical systems in SM leads to the comprehensive

Discovery of digital forensic dataset characteristics with CASE-Corpora

February 13, 2023

Author(s)

Alexander Nelson, Eoghan Casey

The digital forensics community has generated training and reference data over the course of decades. However, significant challenges persist today in the usage pipeline for that data, from research problem formulation, through discovery of applicable

Bug, Fault, Error, or Weakness: Demystifying Software Security Vulnerabilities

February 1, 2023

Author(s)

Irena Bojanova, Carlos Eduardo Cardoso Galhardo

In this work, we define the notions of software bug, weakness, and vulnerability in the context of cybersecurity and elucidate their causal relations.

They're phishing for you: be the one that got away

February 1, 2023

Author(s)

Michael Galler

Cybersecurity has been a topic of increasing importance to the building services community for several years. While fully securing large and complex building systems can be complicated, some basic precautions can easily be applied to any system, and some

Handout: Users Are Not Stupid: 6 Cybersecurity Pitfalls Overturned

January 30, 2023

Author(s)

Julie Haney, Susanne M. Furman

The cybersecurity community tends to focus and depend on technology to solve today's cybersecurity problems, often without taking into consideration the human element - the key individual and social factors impacting cybersecurity adoption. This handout

A review of machine learning-based zero-day attack detection: Challenges and future directions

January 15, 2023

Author(s)

Yang Guo

Zero-day attacks exploit unknown vulnerabilities so as to avoid being detected by cybersecurity detection tools. The studies Bilge and Dumitraş (2012), Google (0000) and Ponemon Sullivan Privacy Report (2020) show that zero-day attacks are wide spread and

Fronesis: Digital Forensics-Based Early Detection of Ongoing Cyber-Attacks

December 30, 2022

Author(s)

Athanasios Dimitriadis, Efstratios Lontzetidis, Boonserm Kulvatunyou, Nenad Ivezic, Dimitris Gritzalis, Ioannis Mavridis

Traditional attack detection approaches utilize predefined databases of known signatures about already-seen tools and malicious activities observed in past cyber-attacks to detect future attacks. More sophisticated approaches apply machine learning to

Attacks on ML Systems: From Security Risk Analysis to Attack Mitigation

December 16, 2022

Author(s)

Qingtian Zou, Lan Zhang, Anoop Singhal, Xiaoyan Sun, Peng Liu

The past several years have witnessed rapidly increasing use of machine learning (ML) systems in multiple industry sectors. Since risk analysis is one of the most essential parts of the real-world ML system protection practice, there is an urgent need to

Supply Chain Assurance: Validating the Integrity of Computing Devices

December 9, 2022

Author(s)

Nakia R. Grayson, Murugiah Souppaya, Andrew Regenscheid, Tim Polk, Christopher Brown, Karen Scarfone, Chelsea Deane

Product integrity and the ability to distinguish trustworthy products is a critical foundation of C-SCRM. Authoritative information regarding the provenance and integrity of components provides a strong basis for trust in a computing device whether it is a

Purdue CERIAS Presentation: Users Are Not Stupid: Six Cybersecurity Pitfalls Overturned

December 7, 2022

Author(s)

Julie Haney

Whether you're implementing security policy or developing products, considering the human element is critical. Yet security professionals often fall victim to misconceptions and pitfalls that undermine users' ability to reach their full security potential

Making Semantic Structures Explicit: Developing and Evaluating Tools and Techniques to Support Understanding of Large Cybersecurity Corpora

December 1, 2022

Author(s)

Ira Monarch, Jacob Collard, Sangjin Shin, Eswaran Subrahmanian, Talapady N. Bhat, Ram Sriram

This report describes the adaptation, composition and use of natural language processing, machine learning and other computational tools to help make implicit informational structures in very large technical corpora explicit. The tools applied to the

The Generation of Software Security Scoring Systems Leveraging Human Expert Opinion

November 18, 2022

Author(s)

Peter Mell

While the existence of many security elements can be measured (e.g., vulnerabilities, security controls, or privacy controls), it is challenging to measure their relative security impact. In the physical world we can often measure the impact of individual

Using Business Impact Analysis to Inform Risk Prioritization and Response

November 17, 2022

Author(s)

Stephen Quinn, Nahla Ivy, Julie Chua, Matthew Barrett, Greg Witte, Larry Feldman, Daniel Topper, Robert Gardner

While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise

Engineering Trustworthy Secure Systems

November 16, 2022

Author(s)

Ronald S. Ross, Mark Winstead, Michael McEvilley

This publication describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems. Such principles, concepts, activities, and tasks can be effectively applied within systems engineering efforts to

Measuring the Common Vulnerability Scoring System Base Score Equation

November 15, 2022

Author(s)

Peter Mell, Jonathan Spring, Dave Dugal, Srividya Ananthakrishna, Francesco Casotto, Troy Fridley, Christopher Ganas, Arkadeep Kundu, Phillip Nordwall, Vijayamurugan Pushpanathan, Daniel Sommerfeld, Matt Tesauro, Christopher Turner

This work evaluates the validity of the Common Vulnerability Scoring System (CVSS) Version 3 ''base score'' equation in capturing the expert opinion of its maintainers. CVSS is a widely used industry standard for rating the severity of information

Japanese Translation of Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (Cybersecurity Framework)

November 9, 2022

Author(s)

Kevin Stine, Matthew Barrett

When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer

November 7, 2022

Author(s)

Michael Fahr Jr., Hunter Kippen, Andrew Kwong, Thinh Dang, Jacob Lichtinger, Dana Dachman-Soled, Daniel Genkin, Alexander Nelson, Ray Perlner, Arkady Yerukhimovich, Daniel Apon

In this work, we recover the private key material of the FrodoKEM key exchange mechanism as submitted to the NIST PQC standardization process. The new mechanism that allows for this is a Rowhammer-assisted poisoning of the FrodoKEM KeyGen process. That is

Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN): Final Annotated Outline

November 3, 2022

Author(s)

James McCarthy, Joseph Brule, Dan Mamula, Karri Meldorf

The objective of this Cybersecurity Profile is to identify an approach to assess the cybersecurity posture of Hybrid Satellite Networks (HSN) that provide services such as satellite-based systems for communications, position, navigation, and timing (PNT)

Parenting the "Always Connected" Generation - Research Findings from NIST Youth Security & Privacy Research

October 25, 2022

Author(s)

Yee-Yin Choong

Kids are engaged in technology and online activities at younger ages than ever before. They are the "digital natives" – an always online and connected generation. Much cyber security research has focused on adults' perceptions and practices. But, what