Abstract: Active content technologies allow code, in the form of a script, macro, or other kind of portable instruction representation, to execute when the document is rendered. Like any technology, active content can be used to deliver essential services, but it can also become a source of vulnerability for...
Abstract: This bulletin summarizes the contents of NIST Special Publication 800-44, Version 2, Guidelines on Securing Public Web Servers. The publication details the steps that organizations should take to plan, install, and maintain secure Web server software and their underlying operating systems. The bulle...
Abstract: This report specifies the data model and Extensible Markup Language (XML) representation for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specifi...
Abstract: Radio frequency identification (RFID) is a form of automatic identification and data capture technology that uses electric or magnetic fields at radio frequencies to transmit information. An RFID system can be used to identify many types of objects, such as manufactured goods and animals. RFID techn...
Abstract: This bulletin summarizes the recommendations developed by NIST to assist organizations in establishing and maintaining robust security for wireless local area networks (WLAN) using the new security features that were developed for IEEE 802.11i. Topics covered in the bulletin include a description of...
Abstract: This publication seeks to assist organizations in understanding the risks of RFID technology and security measures to mitigate those risks. It provides practical, real-world advice on how to initiate, design, implement and operate RFID systems in a manner that mitigates security and privacy risks. T...
Abstract: This document specifies the data model and XML representation for the Extensible Configuration Checklist Description Format (XCCDF). An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information...
Abstract: Access control is perhaps the most basic aspect of computer security. Nearly all applications that deal with financial, privacy, safety, or defense include some form of access control. In many systems access control takes the form of a simple password mechanism, but many require more sophisticated a...
Abstract: This document specifies the PIV data model, Application Programming Interface (API), and card interface requirements necessary to comply with the mandated use cases, as defined in Section 6 of FIPS 201 and further elaborated in Section 1.7 below, for interoperability across deployments or agencies....
Abstract: IPsec is a framework of open standards for ensuring private communications over public networks. It has become the most common network layer security control, typically used to create a virtual private network (VPN). A VPN is a virtual network, built on top of existing physical networks, that can pr...
Abstract: This document provides guidance on creating a security patch and vulnerability management program and testing the effectiveness of that program. The primary audience is security managers who are responsible for designing and implementing the program. However, this document also contains information...
Abstract: This document specifies the data model and XML representation for the Extensible Configuration Checklist Description Format. An XCCDF document is a structured collection of security configuration rules for some set of target systems. The XCCDF specification is designed to support information interch...
Conference: 3rd European Conference on Information Warfare and Security Abstract: Understanding the principles of knowledge based authentication (KBA) and developing metrics that can be applied to KBA systems will improve information system security. This paper reviews the basics of KBA systems including some environments that KBA can support.
Abstract: The use of mobile handheld devices, such as Personal Digital Assistants (PDAs) and tablet computers, within the workplace is expanding rapidly. These devices are no longer viewed as coveted gadgets for early technology adopters, but instead have become indispensable tools that offer competitive busi...
Abstract: The document is intended to assist the users and system administrators of Windows 2000 Professional systems in configuring their hosts by providing configuration templates and security checklists. The guide provides detailed information about the security features of Win2K Pro, security configuratio...
Abstract: [For the latest information on vulnerabilities, see the National Vulnerability Database, nvd.nist.gov] The NIST computer security division has created a searchable index containing 700 of the most important computer vulnerabilities. This index, called the ICAT Metabase, enables your security personne...
Abstract: [For the latest information on vulnerabilities, see the National Vulnerability Database, nvd.nist.gov] It seems that every week, computer security organizations are issuing press releases concerning the latest hacker attack. Some sound dangerous, like the Killer Resume, or mysterious like the Mstrea...
Conference: Fourth ACM Workshop on Role-Based Access Control (RBAC '99) Abstract: The Role Based Access Control (RBAC) model and mechanism have proven to be useful and effective. This is clear from the many RBAC implementations in commercial products. However, there are many common examples where access decisions must include other factors, in particular, relationships between en...
Conference: Third ACM Workshop on Role-Based Access Control (RBAC '98) Abstract: Role based access control (RBAC) is attracting increasing attention as a security mechanism for both commercial and many military systems. This paper shows how RBAC can be implemented using the mechanisms available on traditional multi-level security systems that implement information flow policies....
Abstract: The use of software in the health care industry is becoming of increasing importance. One of the major roadblocks to efficient health care is the fact that important information is distributed across many sites. These sites can be located across a significant area. The problem is to provide a unifor...
Abstract: This document provides an overview of the Internet and security-related problems. It then provides an overview of firewall components and the general reasoning behind firewall usage. Several types of network access policies are described, as well as technical implementations of those policies. Lastl...
Abstract: Connection to the Internet provides users and organizations quick and easy access to information, data, software, and discussion groups on every subject imaginable. Access to information on the Internet has become easier and more efficient since the appearance of the Mosaic application. This client...
Conference: Privacy and Security Research Group Workshop on Network and Distributed System Security Abstract: The Advanced Smartcard Access Control System (ASACS) was developed by the National Institute of Standards and Technology in conjunction with Datakey and Trusted Information Systems. The system includes a smartcard with public key capabilities and a portable reader/writer with computational capabilit...
Abstract: Computer security "incidents" occur with alarming frequency. The incidents range from direct attacks by both hackers and insiders to automated attacks such as network worms. Weak system controls are frequently cited as the cause, but many of these incidents are the result of improper use of existing...
Abstract: This National Institute of Standards and Technology Interagency Report (NISTIR) presents the Simplified Risk Analysis Guidelines developed by the U.S. Department of Justice, Justice Management Division, Security and Emergency Planning Staff, ADP/Telecommunications Group. The National Institute of St...