Homeland Security Digital Library

SEARCH THE HSDL

Searching for terms: EXACT: "Scarfone, Karen" in: author

Results 1 - 30 (of 51) sorted by relevance sort by date

Only 2/3! You are seeing results from the Public Collection, not the complete Full Collection. Sign in to search everything (see eligibility).

Guide for Cybersecurity Event Recovery

Show summary Open resource [pdf] (open full abstract)
From the abstract: "In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning. Identifying and prioritizing organization resources helps to guide effective plans and realistic test scenarios. This preparation enables rapid recovery from incidents when they occur and helps to minimize the impact on the organization and its constituents. Additionally, continually improving recovery planning by learning lessons from past events, including those of other organizations, helps to ensure the continuity of important mission functions. This publication provides tactical and strategic guidance regarding the planning, playbook developing, testing, and improvement of recovery planning. It also provides an example scenario that demonstrates guidance and informative metrics that may be helpful for improving resilience of information systems."

National Institute of Standards and Technology (U.S.)

Bartock, Michael; Cichonski, Jeffrey; Souppaya, Murugiah . . .

2016-12
ITL Bulletin: Security for Enterprise Telework and Remote Access Solutions (June 2009)

Show summary Open resource [pdf] (open full abstract)
"Many people telework (also known as telecommuting), which is the ability for an organization's employees and contractors to perform work from locations other than the organization's facilities. Teleworkers use various client devices, such as desktop and laptop computers, cell phones, and personal digital assistants (PDAs), to read and send email, access Web sites, review and edit documents, and perform many other tasks. Most teleworkers use remote access, which is the ability for an organization's users to access its non-public computing resources from external locations other than the organization's facilities. The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) recently updated its guidelines on telework and remote access to help organizations protect their IT systems and information from the security risks that accompany the use of telework and remote access technologies. The revised guidelines discuss the technology, the current security risks involved in its use, and the recommended security solutions."

National Institute of Standards and Technology (U.S.); Information Technology Laboratory (National Institute of Standards and Technology). Computer Security Division

Scarfone, Karen

2009-06
ITL Bulletin: Federal Desktop Core Configuration (FDCC): Improving Security for Windows Desktop Operating Systems [February 2008]

Show summary Open resource [pdf] (open full abstract)
"The Federal Desktop Core Configuration (FDCC) is a standard security configuration mandated by the Office of Management and Budget (OMB). The FDCC currently exists for the Microsoft Windows XP Professional™ and Windows Vista Enterprise™ operating systems. In March 2007, OMB issued policy guidance in a memorandum to all federal agencies and departments requiring that they develop plans to adopt the standard security configuration for their Windows XP Professional (using Service Pack 2) and Vista Enterprise-based systems by February 1, 2008. The goal of the FDCC is to help federal organizations improve their information security and reduce the information technology (IT) costs associated with securing their Windows operating systems. The FDCC was created by customizing existing security recommendations for Windows and Internet Explorer 7.0. Specifically, the Windows XP FDCC was based on Air Force customization of the Specialized Security-Limited Functionality (SSLF) recommendations in NIST Special Publication 800-68, 'Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist,' and Department of Defense (DoD) customization of the recommendations in the Microsoft Security Guide for Internet Explorer 7.0. The Windows Vista FDCC was based on DoD customization of the Microsoft Security Guides for Windows Vista and Internet Explorer 7.0. Microsoft's guide for Vista was produced through a collaborative effort with the Defense Information Systems Agency (DISA), the National Security Agency (NSA), and the Information Technology Laboratory of the National Institute of Standards and Technology (NIST)."

National Institute of Standards and Technology (U.S.); Information Technology Laboratory (National Institute of Standards and Technology). Computer Security Division

Radack, Shirley M.; Scarfone, Karen

2008-02
Guide to Bluetooth Security [Revision 2]

Show summary Open resource [pdf] (open full abstract)
From the Abstract: "Bluetooth wireless technology is an open standard for short-range radio frequency communication used primarily to establish wireless personal area networks (WPANs), and has been integrated into many types of business and consumer devices. This publication provides information on the security capabilities of Bluetooth and gives recommendations to organizations employing Bluetooth wireless technologies on securing them effectively. The Bluetooth versions within the scope of this publication are versions 1.1, 1.2, 2.0 + Enhanced Data Rate (EDR), 2.1 + EDR, 3.0 + High Speed (HS), 4.0, 4.1, and 4.2. Versions 4.0 and later support the low energy feature of Bluetooth."

National Institute of Standards and Technology (U.S.)

Padgette, John; Chen, Lily; Scarfone, Karen . . .

2017-05
Application Container Security Guide

Show summary Open resource [pdf] (open full abstract)
"Application container technologies, also known as containers, are a form of operating system virtualization combined with application software packaging. Containers provide a portable, reusable, and automatable way to package and run applications. This publication explains the potential security concerns associated with the use of containers and provides recommendations for addressing these concerns."

National Institute of Standards and Technology (U.S.)

Souppaya, Murugiah; Morello, John; Scarfone, Karen

2017-09
Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.0

Show summary Open resource [pdf] (open full abstract)
"The National Institute of Standards and Technology (NIST) produced this publication to facilitate the development of Security Content Automation Protocol (SCAP) tools and content. SCAP seeks to standardize system security management, promote interoperability of security products, and foster the use of standard expressions of security content. This technical specification describes the requirements and conventions that are to be employed to ensure the consistent and accurate exchange of SCAP content and the ability of the content to reliably operate on SCAP validated tools. This specification is technically oriented, and assumes that readers possess a basic understanding of system security. The use cases described in this document do not represent an exhaustive list of all possible applications of SCAP. This publication describes the details of how the elements of SCAP interoperate and defines SCAP Version 1.0 in terms of both its component specifications and the requirements for SCAP content."

National Institute of Standards and Technology (U.S.)

Scarfone, Karen; Johnson, Christopher A.; Quinn, Stephen D. . . .

2009-11
Guide to Enterprise Password Management (Draft)

Show summary Open resource [pdf] (open full abstract)
"Passwords are used in many ways to protect data, systems, and networks. For example, passwords are used to authenticate users of operating systems and applications such as email, labor recording, and remote access. Passwords are also used to protect files and other stored information, such as password-protecting a single compressed file, a cryptographic key, or an encrypted hard drive. In addition, passwords are often used in less visible ways; for example, a biometric device may generate a password based on a fingerprint scan, and that password is then used for authentication. This publication provides recommendations for password management, which is the process of defining, implementing, and maintaining password policies throughout an enterprise. Effective password management reduces the risk of compromise of password-based authentication systems. Organizations need to protect the confidentiality, integrity, and availability of passwords so that all authorized users-and no unauthorized users-can use passwords successfully as needed. Integrity and availability should be ensured by typical data security controls, such as using access control lists to prevent attackers from overwriting passwords and having secured backups of password files. Ensuring the confidentiality of passwords is considerably more challenging and involves a number of security controls along with decisions involving the characteristics of the passwords themselves. For example, requiring that passwords be long and complex makes it less likely that attackers will guess or crack them, but it also makes the passwords harder for users to remember, and thus more likely to be stored insecurely."

National Institute of Standards and Technology (U.S.)

Souppaya, Murugiah; Scarfone, Karen

2009-04
Guide to Enterprise Telework and Remote Access Security

Show summary Open resource [pdf] (open full abstract)
"Many organizations' employees and contractors use enterprise telework technologies to perform work from external locations. Most teleworkers use remote access technologies to interface with an organization's non-public computing resources. The nature of telework and remote access technologies-permitting access to protected resources from external networks and often external hosts as well-generally places them at higher risk than similar technologies only accessed from inside the organization, as well as increasing the risk to the internal resources made available to teleworkers through remote access. All the components of telework and remote access solutions, including client devices, remote access servers, and internal resources accessed through remote access, should be secured against expected threats, as identified through threat models. Major security concerns include the lack of physical security controls, the use of unsecured networks, the connection of infected devices to internal networks, and the availability of internal resources to external hosts. This publication provides information on security considerations for several types of remote access solutions, and it makes recommendations for securing a variety of telework and remote access technologies. It also gives advice on creating telework security policies."

National Institute of Standards and Technology (U.S.)

Souppaya, Murugiah; Scarfone, Karen; Hoffman, Paul

2009-06
System and Network Security Acronyms and Abbreviations

Show summary Open resource [pdf] (open full abstract)
"This report contains a list of selected acronyms and abbreviations for system and network security terms with their generally accepted or preferred definitions. It is intended as a resource for Federal agencies and other users of system and network security publications. The capitalization, spelling, and definitions of acronyms and abbreviations frequently vary among publications. It is easy to understand why this happens. While some acronyms and abbreviations (e.g., WWW) have one universally recognized and understood definition within the domain of system and network security, others (e.g., IA, MAC) have multiple valid definitions depending upon the context in which they are used. Some acronyms bear little resemblance to their definitions, such as Modes of Operation Validation System for the Triple DES Algorithm (TMOVS). Others use unexpected capitalization or spelling (e.g., Electronic Business using eXtensible Markup Language [ebXML] and Organisation for Economic Co-operation and Development [OECD]). As a result, acronyms, abbreviations, and their definitions may be inaccurately or inconsistently defined by authors, perpetuating errors and confusing or misleading readers. This report is meant to help reduce these errors and confusion by providing the generally accepted or preferred definitions of a list of frequently used acronyms and abbreviations. The list does not include all system and network security terms, nor is it a compendium of every acronym and abbreviation found in system and network security documents published by NIST. Readers should refer to each document's list of acronyms and abbreviations (typically found in an appendix) for definitions applicable to that particular document."

National Institute of Standards and Technology (U.S.)

Scarfone, Karen; Thompson, Victoria

2009-09
Guide to Bluetooth Security: Recommendations of the National Institute of Standards and Technology

Show summary Open resource [pdf] (open full abstract)
This special publication by the National Institute of Standards and Technology addresses bluetooth security in the context of overall computer network security. "Bluetooth is an open standard for short-range radio frequency (RF) communication. Bluetooth technology is used primarily to establish wireless personal area networks (WPAN), commonly referred to as ad hoc or peer-to-peer (P2P) networks. Bluetooth technology has been integrated into many types of business and consumer devices, including cellular phones, personal digital assistants (PDA), laptops, automobiles, printers, and headsets. This allows users to form ad hoc networks between a wide variety of devices to transfer voice and data. This document provides an overview of Bluetooth technology and discusses related security concerns. […] Bluetooth technology and associated devices are susceptible to general wireless networking threats, such as denial of service attacks, eavesdropping, man-in-the-middle attacks, message modification, and resource misappropriation. They are also threatened by more specific Bluetooth-related attacks that target known vulnerabilities in Bluetooth implementations and specifications. Attacks against improperly secured Bluetooth implementations can provide attackers with unauthorized access to sensitive information and unauthorized usage of Bluetooth devices and other systems or networks to which the devices are connected."

National Institute of Standards and Technology (U.S.)

Scarfone, Karen; Padgette, John

2008-09
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (DRAFT)

Show summary Open resource [pdf] (open full abstract)
"Breaches of personally identifiable information (PII) have increased dramatically over the past few years and have resulted in the loss of millions of records. Breaches of PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or high costs to handle the breach. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, 'If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.' This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies, but other organizations may find portions of the publication useful. Each organization may be subject to a different combination of laws, regulations, and other mandates related to protecting PII, so an organization's legal counsel and privacy officer should be consulted to determine the current obligations for PII protection. For example, the Office of Management and Budget (OMB) has issued several memoranda with requirements for how Federal agencies must handle and protect PII."

National Institute of Standards and Technology (U.S.)

Grance, Tim; Scarfone, Karen; McCallister, Erika

2009-01
Guidelines on Firewalls and Firewall Policy

Show summary Open resource [pdf] (open full abstract)
"This document provides an overview of firewall technologies and discusses their security capabilities and relative advantages and disadvantages in detail. It also provides examples of where firewalls can be placed within networks, and the implications of deploying firewalls in particular locations. The document also makes recommendations for establishing firewall policies and for selecting, configuring, testing, deploying, and managing firewall solutions. This document does not cover technologies that are called 'firewalls' but primarily examine only application layer activity, not lower layers of network traffic. Technologies that focus on activity for a particular type of application, such as email firewalls that block email messages with suspicious content, are not covered in detail in this document."

National Institute of Standards and Technology (U.S.)

Scarfone, Karen; Hoffman, Paul

2009-09
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

Show summary Open resource [pdf] (open full abstract)
"Breaches of personally identifiable information (PII) have increased dramatically over the past few years and have resulted in the loss of millions of records. Breaches of PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or high costs to handle the breach. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, 'If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.' This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies, but other organizations may find portions of the publication useful. Each organization may be subject to a different combination of laws, regulations, and other mandates related to protecting PII, so an organization's legal counsel and privacy officer should be consulted to determine the current obligations for PII protection. For example, the Office of Management and Budget (OMB) has issued several memoranda with requirements for how Federal agencies must handle and protect PII."

Information Technology Laboratory (National Institute of Standards and Technology). Computer Security Division

McCallister, Erika; Grance, Tim; Scarfone, Karen

2010-04
Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks

Show summary Open resource [pdf] (open full abstract)
From the Abstract: "The Internet of Things (IoT) is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology (IT) devices do. The purpose of this publication is to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their individual IoT devices throughout the devices' lifecycles. This publication is the introductory document providing the foundation for a planned series of publications on more specific aspects of this topic."

National Institute of Standards and Technology (U.S.)

Boeckl, Katie; Fagan, Michael; Fisher, William . . .

2019-06
Guide to Computer Security Log Management: Recommendations of the National Institute of Standards and Technology [Draft April 2006]

Show summary Open resource [pdf] (open full abstract)
"This publication seeks to assist organizations in understanding the need for sound computer security log management. It provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise. The guidance in this document covers several topics, including establishing a centralized log management infrastructure, and developing and performing robust log management processes at both the organization level and the individual system level. The document presents logging technologies from a high-level viewpoint, and it is not a step-by-step guide to implementing or using logging technologies."

National Institute of Standards and Technology (U.S.)

Souppaya, Murugiah; Scarfone, Karen

2006-04
Guide to Computer and Network Data Analysis: Applying Forensic Techniques to Incident Response

Show summary Open resource [pdf] (open full abstract)
"This guide provides general recommendations for performing the data analysis process. It also provides detailed information on using the process with four major categories of data sources: files, operating systems, network traffic, and applications. The guide focuses on explaining the basic components and characteristics of data sources within each category, as well as techniques for the acquisition and examination of data from each category. The guide also provides recommendations for how multiple data sources can be used together to gain a better understanding of an event. The data analysis techniques and processes presented in this guide are based on principles of digital forensics. Forensic science is generally defined as the application of science to the law. Digital forensics, also known as computer and network forensics, has many definitions. Generally, digital forensics is considered to be the application of science to the identification, collection, analysis, and examination of digital evidence while preserving the integrity of the information and maintaining a strict chain of custody for the evidence. Computer and network data analysis is similar to digital forensics and uses many of the same techniques and tools, but data analysis does not necessarily include all of the actions necessary for preserving the integrity of all information collected, nor does it include keeping a chain of custody or other evidence preservation actions."

National Institute of Standards and Technology (U.S.)

Grance, Tim; Chevalier, Suzanne; Scarfone, Karen

2005-08
Guide to Intrusion Detection and Prevention Systems (IDPS): Recommendations of the National Institute of Standards and Technology

Show summary Open resource [pdf] (open full abstract)
"This publication describes the characteristics of IDPS [intrusion detection and prevention systems] technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them. The types of IDPS technologies are differentiated primarily by the types of events that they monitor and the ways in which they are deployed. This publication discusses the following four types of IDPS technologies: Network-based; wireless, Network Behavior Analysis (NBA); and Host-Based."

National Institute of Standards and Technology (U.S.)

Scarfone, Karen; Mell, Peter

2007-02
Guide to Malware Incident Prevention and Handling: Recommendations of the National Institute of Standards and Technology

Show summary Open resource [pdf] (open full abstract)
"Malware, also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or otherwise annoying or disrupting the victim. Malware has become the most significant external threat to most systems, causing widespread damage and disruption, and necessitating extensive recovery efforts within most organizations...This publication provides recommendations for improving an organization's malware incident prevention measures. It also gives extensive recommendations for enhancing an organization's existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. The recommendations address several major forms of malware, including viruses, worms, Trojan horses, malicious mobile code, blended attacks, spyware tracking cookies, and attacker tools such as backdoors and rootkits. The recommendations encompass various transmission mechanisms, including network services (e.g., e-mail, Web browsing, file sharing) and removable media."

National Institute of Standards and Technology (U.S.)

Mell, Peter; Nusbaum, Joseph; Scarfone, Karen

2005-11
Security Configuration Checklists Program for IT Products - Guidance for Checklists Users and Developers

Show summary Open resource [pdf] (open full abstract)
"The National Institute of Standards and Technology (NIST), with sponsorship from the Department of Homeland Security (DHS), has produced 'Security Configuration Checklists Program for IT Products: Guidance for Checklist Users and Developers' to facilitate the development and dissemination of security configuration checklists so that organizations and individual users can better secure their IT products. A security configuration checklist (sometimes called a lockdown or hardening guide or benchmark) is in its simplest form a series of instructions for configuring a product to a particular operational environment. It could also include templates or automated scripts and other procedures. Typically, checklists are created by IT vendors for their own products; however, checklists are also created by other organizations such as consortia, academia, and government agencies. The use of well-written, standardized checklists can markedly reduce the vulnerability exposure of IT products. Checklists may be particularly helpful to small organizations and individuals that have limited resources for securing their systems. This publication is intended for users and developers of IT product security configuration checklists. For checklist users, this document gives an overview of the NIST Checklist Program, explains how to retrieve checklists from NIST's repository, and provides general information about threat discussions and baseline technical security practices for associated operational environments."

National Institute of Standards and Technology (U.S.)

Wack, John P.; Souppaya, Murugiah; Scarfone, Karen

2005-05
Guide to Securing Legacy IEEE 802.11 Wireless Networks

Show summary Open resource [pdf] (open full abstract)
"Wireless local area networks (WLAN) are groups of wireless networking nodes within a limited geographic area, such as an office building or building campus, that are capable of radio communication. WLANs are usually implemented as extensions to existing wired local area networks (LAN) to provide enhanced user mobility and network access. The most widely implemented WLAN technologies are based on the IEEE 802.11 standard and its amendments. This document discusses the security of legacy IEEE 802.11 technologies-those that are not capable of using the IEEE 802.11i security standard. Organizations employing legacy IEEE 802.11 WLANs should be aware of the limited and weak security controls available to protect communications. Legacy WLANs are particularly susceptible to loss of confidentiality, integrity, and availability. Unauthorized users have access to well-documented security flaws and exploits that can easily compromise an organization's systems and information, corrupt the organization's data, consume network bandwidth, degrade network performance, launch attacks that prevent authorized users from accessing the network, or use the organization's resources to launch attacks on other networks. The National Institute of Standards and Technology (NIST) recommends that organizations with existing legacy IEEE 802.11 implementations develop and implement migration strategies to move to IEEE 802.11i-based security because of its superior capabilities."

National Institute of Standards and Technology (U.S.)

Scarfone, Karen; Dicoi, Derrick; Sexton, Matthew

2008-07
Guide to Industrial Control Systems (ICS) Security: Recommendations of the National Institute of Standards and Technology

Show summary Open resource [pdf] (open full abstract)
"This document provides guidance for establishing secure industrial control systems (ICS). These ICS, which include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as skid-mounted Programmable Logic Controllers (PLC) are often found in the industrial control sectors. ICS are typically used in industries such as electric, water, oil and gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods.) SCADA systems are generally used to control dispersed assets using centralized data acquisition and supervisory control. DCS are generally used to control production systems within a local area such as a factory using supervisory and regulatory control. PLCs are generally used for discrete control for specific applications and generally provide regulatory control. These control systems are critical to the operation of the U.S. critical infrastructures that are often highly interconnected and mutually dependent systems. It is important to note that approximately 90 percent of the nation's critical infrastructures are privately owned and operated. Federal agencies also operate many of the ICS mentioned above; other examples include air traffic control and materials handling (e.g., Postal Service mail handling.) This document provides an overview of these ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. Initially, ICS had little resemblance to traditional information technology (IT) systems in that ICS were isolated systems running proprietary control protocols using specialized hardware and software."

National Institute of Standards and Technology (U.S.)

Falco, Joe; Scarfone, Karen; Stouffer, Keith

2007-09
Technical Guide to Information Security Testing and Assessment: Recommendations of the National Institute of Standards and Technology

Show summary Open resource [pdf] (open full abstract)
"This document is a guide to the basic technical aspects of conducting information security assessments. It presents technical testing and examination methods and techniques that an organization might use as part of an assessment, and offers insights to assessors on their execution and the potential impact they may have on systems and networks. For an assessment to be successful and have a positive impact on the security posture of a system (and ultimately the entire organization), elements beyond the execution of testing and examination must support the technical process. Suggestions for these activities-including a robust planning process, root cause analysis, and tailored reporting-are also presented in this guide. […] An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person-known as the assessment object) meets specific security objectives. Three types of assessment methods can be used to accomplish this-testing, examination, and interviewing. Testing is the process of exercising one or more assessment objects under specified conditions to compare actual and expected behaviors. Examination is the process of checking, inspecting, reviewing, observing, studying, or analyzing one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence. Interviewing is the process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify the location of evidence. Assessment results are used to support the determination of security control effectiveness over time."

National Institute of Standards and Technology (U.S.)

Souppaya, Murugiah; Scarfone, Karen; Cody, Amanda

2008-09
Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2: Recommendations of the National Institute of Standards and Technology

Show summary Open resource [pdf] (open full abstract)
"The Security Content Automation Protocol (SCAP) is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP is a multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement. Goals for the development of SCAP include standardizing system security management, promoting interoperability of security products, and fostering the use of standard expressions of security content. [...] This document provides the definitive technical specification for version 1.2 of the Security Content Automation Protocol (SCAP). SCAP (pronounced ess-cap) consists of a suite of specifications for standardizing the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. This document defines requirements for creating and processing SCAP source content. These requirements build on the requirements defined within the individual SCAP component specifications. Each new requirement pertains either to using multiple component specifications together or to further constraining one of the individual component specifications. The requirements within the individual component specifications are not repeated in this document; see those specifications to view their requirements."

Information Technology Laboratory (National Institute of Standards and Technology). Computer Security Division

Waltermire, David; Quinn, Stephen D.; Scarfone, Karen

2011-09
Guide to Bluetooth Security (Draft): Recommendations of the National Institute of Standards and Technology

Show summary Open resource [pdf] (open full abstract)
"Bluetooth is an open standard for short-range radio frequency (RF) communication. Bluetooth technology is used primarily to establish wireless personal area networks (WPAN), commonly referred to as ad hoc or peer-to-peer (P2P) networks. Bluetooth technology has been integrated into many types of business and consumer devices, including cell phones, laptops, automobiles, printers, keyboards, mice, and headsets. This allows users to form ad hoc networks between a wide variety of devices to transfer voice and data. This document provides an overview of Bluetooth technology and discusses related security concerns. Several Bluetooth versions are currently in use in commercial devices. At the time of writing, Bluetooth 1.2 (adopted November 2003) and 2.0 + Enhanced Data Rate (EDR, adopted November 2004) are the most prevalent. Bluetooth 2.1 + EDR (adopted July 2007), which is quickly becoming the standard, provides significant security improvements for cryptographic key establishment in the form of Secure Simple Pairing (SSP). The most recent versions include Bluetooth 3.0 + High Speed (HS, adopted April 2009), which provides significant data rate improvements, and Bluetooth 4.0 Low Energy (LE, adopted June 2010), which supports smaller, resource-constrained devices and associated applications. This publication addresses the security of all these versions of Bluetooth. Bluetooth technology and associated devices are susceptible to general wireless networking threats, such as denial of service (DoS) attacks, eavesdropping, man-in-the-middle (MITM) attacks, message modification, and resource misappropriation. They are also threatened by more specific Bluetooth-related attacks that target known vulnerabilities in Bluetooth implementations and specifications. Attacks against improperly secured Bluetooth implementations can provide attackers with unauthorized access to sensitive information and unauthorized use of Bluetooth devices and other systems or networks to which the devices are connected."

Information Technology Laboratory (National Institute of Standards and Technology). Computer Security Division

Scarfone, Karen; Padgette, John

2011-09
Guidelines for Securing Wireless Local Area Networks (WLANs): Recommendations of the National Institute of Standards and Technology

Show summary Open resource [pdf] (open full abstract)
"A wireless local area network (WLAN) is a group of wireless networking devices within a limited geographic area, such as an office building, that exchange data through radio communications. WLAN technologies are based on the IEEE 802.11 standard and its amendments. The fundamental components of an IEEE 802.11 WLAN (hereafter referred to as a 'WLAN' in this publication) are client devices, such as laptops and smartphones, and access points (APs), which logically connect client devices with a distribution system, typically the organization's wired network infrastructure. Some WLANs also use wireless switches, which act as intermediaries between APs and the distribution system. The security of each WLAN is heavily dependent on how well each WLAN component--including client devices, APs, and wireless switches--is secured throughout the WLAN lifecycle, from initial WLAN design and deployment through ongoing maintenance and monitoring. Unfortunately, WLANs are typically less secure than their wired counterparts for several reasons, including the ease of access to the WLAN and the weak security configurations often used for WLANs (to favor convenience over security). The purpose of this publication is to help organizations improve their WLAN security by providing recommendations for WLAN security configuration and monitoring. This publication supplements other NIST publications by consolidating and strengthening their key recommendations. Organizations should implement the following guidelines to improve the security of their WLANs."

Information Technology Laboratory (National Institute of Standards and Technology). Computer Security Division

Scarfone, Karen; Souppaya, Murugiah

2012-02
ITL Bulletin: Implementing Trusted Geolocation Services in the Cloud (February 2016)

Show summary Open resource [pdf] (open full abstract)
"Organizations that use Infrastructure as a Service (IaaS) cloud computing technologies sometimes need to take the geographic locations of cloud servers into account. For example, each country has its own laws regarding data security and privacy; some of these laws may require organizations to ensure that data on cloud servers remain within national borders. Enforcing geographic boundaries for IaaS cloud workloads requires new approaches. To address these challenges, the Information Technology Laboratory has released NIST Internal Report (NISTIR) 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation. This publication proposes the use of a hardware root of trust method for maintaining the integrity of geolocation information for cloud servers."

Information Technology Laboratory (National Institute of Standards and Technology)

Feldman, Larry; Scarfone, Karen; Bartock, Michael . . .

2016-02
Guide to Application Whitelisting

Show summary Open resource [pdf] (open full abstract)
"An application whitelist is a list of applications and application components that are authorized for use in an organization. Application whitelisting technologies use whitelists to control which applications are permitted to execute on a host. This helps to stop the execution of malware, unlicensed software, and other unauthorized software. This publication is intended to assist organizations in understanding the basics of application whitelisting. It also explains planning and implementation for whitelisting technologies throughout the security deployment lifecycle."

National Institute of Standards and Technology (U.S.)

Souppaya, Murugiah; Scarfone, Karen; Sedgewick, Adam

2015-11-05
ITL Bulletin: Securing Radio Frequency Identification (RFID) Systems [May 2007]

Show summary Open resource [pdf] (open full abstract)
"RFID [Radio Frequency Identification] is a form of automatic identification and data capture technology that uses electric or magnetic fields at radio frequencies to transmit information. An RFID system can be used to identify many types of objects, such as manufactured goods and animals. RFID technologies support a wide range of applications-everything from asset management and tracking to access control and automated payment. Each object that needs to be identified has a small electronic device known as an RFID tag affixed to it or embedded within it. Each tag has a unique identifier and may also have other features such as memory to store additional information about the object, environmental sensors, and security mechanisms. Devices known as RFID readers wirelessly communicate with the tags to identify the item connected to each tag and possibly read or update additional information stored on the tag. This communication can occur without optical line of sight. Every RFID system includes a radio frequency (RF) subsystem, which is composed of tags and readers. The RF subsystem performs identification and related transactions. In many RFID systems, the RF subsystem is supported by an enterprise subsystem, which contains computers running specialized software that can store, process, and analyze data acquired from RF subsystem transactions. […] The National Institute of Standards and Technology (NIST) Information Technology Laboratory recently published new guidelines on protecting RFID systems."

National Institute of Standards and Technology (U.S.); Information Technology Laboratory (National Institute of Standards and Technology). Computer Security Division

Scarfone, Karen

2007-05
ITL Bulletin: Securing Interactive and Automated Access Management Using Secure Shell (SSH) (January 2016)

Show summary Open resource [pdf] (open full abstract)
This document is the Information Technology Laboratory (ITL) Bulletin for January 2016 from the National Institute of Standards and Technology. From the Introduction: "ITL has released an important new guidance document on access management: NIST Internal Report (NISTIR) 7966, 'Security of Interactive and Automated Access Management Using Secure Shell (SSH)'. The SSH protocol provides a way to authenticate the identity of users and hosts before allowing them to execute commands on other hosts in either an interactive or an automated fashion. This access is necessary for many purposes, including file transfers, disaster recovery, privileged access management, software and patch management, and dynamic cloud provisioning. Unfortunately, the security of SSH key-based access is often overlooked by organizations, and misuse or compromise of SSH keys could lead to unauthorized access, often with high privileges. Therefore, organizations need to improve their management of SSH user keys, including key provisioning, termination, and monitoring. This publication provides the basics of SSH interactive and automated access management, focusing on explaining how organizations should manage their SSH keys."

National Institute of Standards and Technology (U.S.); Information Technology Laboratory (National Institute of Standards and Technology). Computer Security Division

Souppaya, Murugiah; Scarfone, Karen; Feldman, Larry

2016-01
ITL Bulletin: Stopping Malware and Unauthorized Software Through Application Whitelisting (December 2015)

Show summary Open resource [pdf] (open full abstract)
This document is the Information Technology Laboratory (ITL) Bulletin for December 2015 from the National Institute of Standards and Technology (NIST). From the Introduction: "NIST's Information Technology Laboratory has released a significant new guidance document, Special Publication (SP) 800-167, 'Guide to Application Whitelisting'. Application whitelisting technologies control which applications may be installed or executed on a computer. These technologies are most often used to detect and stop the execution of malware and other unauthorized software. Malware infections are frequently used to steal sensitive information from a user or an organization, and to tamper with the integrity and availability of computing systems. Unauthorized software can pose multiple problems. For example, it can introduce unmanaged, vulnerable software into the environment, which can then be used by attackers to exploit hosts and further compromise them. NIST Special Publication (SP) 800-167, 'Guide to Application Whitelisting', explains the basics of application whitelisting technologies and shows organizations how they can plan for, implement, and use these technologies successfully."

National Institute of Standards and Technology (U.S.); Information Technology Laboratory (National Institute of Standards and Technology). Computer Security Division

Sedgewick, Adam; Souppaya, Murugiah; Scarfone, Karen . . .

2015-12

1 2