Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Publications

NIST Authors in Bold

Displaying 51 - 75 of 1416

User Perceptions and Experiences with Smart Home Updates

May 22, 2023
Susanne M. Furman, Julie Haney
Updates may be one of the few tools consumers have to mitigate security and privacy vulnerabilities in smart home devices. However, little research has been undertaken to understand users' perceptions and experiences with smart home updates. To address

Guidelines for Managing the Security of Mobile Devices in the Enterprise

May 17, 2023
Murugiah Souppaya, Gema Howell, Karen Scarfone, Joshua Franklin, Vincent Sritapan
Mobile devices were initially personal consumer communication devices, but they are now permanent fixtures in enterprises and are used to access modern networks and systems to process sensitive data. This publication assists organizations in managing and

Phishing With a Net: The NIST Phish Scale and Cybersecurity Awareness

April 25, 2023
Shanee Dawkins, Jody Jacobs
Orienting an entire organization toward sound security practices is an important, but non-trivial undertaking. A starting point for many organizations is to build a robust security awareness program, training employees to recognize and respond to security

Users Are Not Stupid: Six Cyber Security Pitfalls Overturned

March 16, 2023
Julie Haney
The skilled and dedicated professionals who strive to improve cyber security may unwittingly fall victim to misconceptions and pitfalls that hold customers and users back from reaching their full potential of being active partners in security. These

Empirical Validation of Automated Vulnerability Curation and Characterization

February 23, 2023
Ahmet Okutan, Peter Mell, Medhi Mirakhorli, Igor Khokhlov, Joanna Santos, Danielle Gonzalez, Steven Simmons
Prior research has shown that public vulnerability systems such as US National Vulnerability Database (NVD) rely on a manual, time-consuming, and error-prone process which has led to inconsistencies and delays in releasing final vulnerability results. This

They're phishing for you: be the one that got away

February 1, 2023
Michael Galler
Cybersecurity has been a topic of increasing importance to the building services community for several years. While fully securing large and complex building systems can be complicated, some basic precautions can easily be applied to any system, and some

Handout: Users Are Not Stupid: 6 Cybersecurity Pitfalls Overturned

January 30, 2023
Julie Haney, Susanne M. Furman
The cybersecurity community tends to focus and depend on technology to solve today's cybersecurity problems, often without taking into consideration the human element - the key individual and social factors impacting cybersecurity adoption. This handout

Fronesis: Digital Forensics-Based Early Detection of Ongoing Cyber-Attacks

December 30, 2022
Athanasios Dimitriadis, Efstratios Lontzetidis, Boonserm Kulvatunyou, Nenad Ivezic, Dimitris Gritzalis, Ioannis Mavridis
Traditional attack detection approaches utilize predefined databases of known signatures about already-seen tools and malicious activities observed in past cyber-attacks to detect future attacks. More sophisticated approaches apply machine learning to

Attacks on ML Systems: From Security Risk Analysis to Attack Mitigation

December 16, 2022
Qingtian Zou, Lan Zhang, Anoop Singhal, Xiaoyan Sun, Peng Liu
The past several years have witnessed rapidly increasing use of machine learning (ML) systems in multiple industry sectors. Since risk analysis is one of the most essential parts of the real-world ML system protection practice, there is an urgent need to

Supply Chain Assurance: Validating the Integrity of Computing Devices

December 9, 2022
Nakia R. Grayson, Murugiah Souppaya, Andrew Regenscheid, Tim Polk, Christopher Brown, Karen Scarfone, Chelsea Deane
Product integrity and the ability to distinguish trustworthy products is a critical foundation of C-SCRM. Authoritative information regarding the provenance and integrity of components provides a strong basis for trust in a computing device whether it is a

Using Business Impact Analysis to Inform Risk Prioritization and Response

November 17, 2022
Stephen Quinn, Nahla Ivy, Julie Chua, Matthew Barrett, Greg Witte, Larry Feldman, Daniel Topper, Robert Gardner
While business impact analysis (BIA) has historically been used to determine availability requirements for business continuity, the process can be extended to provide a broad understanding of the potential impacts of any type of loss on the enterprise

Engineering Trustworthy Secure Systems

November 16, 2022
Ronald S. Ross, Mark Winstead, Michael McEvilley
This publication describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems. Such principles, concepts, activities, and tasks can be effectively applied within systems engineering efforts to

Measuring the Common Vulnerability Scoring System Base Score Equation

November 15, 2022
Peter Mell, Jonathan Spring, Dave Dugal, Srividya Ananthakrishna, Francesco Casotto, Troy Fridley, Christopher Ganas, Arkadeep Kundu, Phillip Nordwall, Vijayamurugan Pushpanathan, Daniel Sommerfeld, Matt Tesauro, Christopher Turner
This work evaluates the validity of the Common Vulnerability Scoring System (CVSS) Version 3 ''base score'' equation in capturing the expert opinion of its maintainers. CVSS is a widely used industry standard for rating the severity of information

When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer

November 7, 2022
Michael Fahr Jr., Hunter Kippen, Andrew Kwong, Thinh Dang, Jacob Lichtinger, Dana Dachman-Soled, Daniel Genkin, Alexander Nelson, Ray Perlner, Arkady Yerukhimovich, Daniel Apon
In this work, we recover the private key material of the FrodoKEM key exchange mechanism as submitted to the NIST PQC standardization process. The new mechanism that allows for this is a Rowhammer-assisted poisoning of the FrodoKEM KeyGen process. That is
Displaying 51 - 75 of 1416