| An Experience Using System Dynamics to Facilitate an Insider Threat Workshop |
0000-00-00 |
Moore, Andrew Cappelli, Dawn Trzeciak, Randall |
This paper describes the MERIT3 model as well as the development and evolution of the insider threat workshop based on this model. |
 Paper |
|
| Report to the President’s Commission on Critical Infrastructure Protection |
1997-01-01 |
Ellis, James Fisher, David Longstaff, Thomas |
This report identifies threats to and vulnerabilities of the Internet and estimates the cascade effect that a successful, sustained attack on the Internet would have on critical national ... |
 Paper |
|
| A Common Language for Computer Security Incidents |
1998-10-01 |
Howard, John Longstaff, Thomas |
The Common Language Project developed a minimum set of high-level terms, structured as a taxonomy, to enable individuals and organizations to gather, exchange, and compare information ... |
 Paper |
|
| A Case Study in Survivable Network System Analysis |
1998-10-14 |
Ellison, R. Linger, R. Longstaff, T |
The Survivable Network Analysis (SNA) method builds on the Information Security Evaluation previously developed by permitting assessment of survivability strategies at the architecture ... |
 Paper |
|
| rlogin(1): The Untold Story |
1998-12-17 |
Rogers, Lawrence, R. |
This report presents analysis results of the well-known defect in the rlogin program. It discusses the coding defect in detail, three mitigation strategies devised to remedy the defect, ... |
 Paper |
|
| Intelligence Analysis for Internet Security |
1999-01-01 |
Williams, Phil; Dunlevy, Casey; Shimeall, Tim |
One of the problems in cyberspace is that the offense seems to have significant advantages over defense. Strategic intelligence for threats to Internet security is a tool. Intelligence ... |
 Paper |
|
| Survivable Network Systems: An Emerging Discipline |
1999-05-01 |
Ellison, R.J.; Fisher, D.A.; Linger, R.C.; Lipson, H.F.; Longstaff, T.L.; Mead, N.R. |
Survivability techniques and practices help assure that a system that must operate in an unbounded network is robust when under attack and that essential services will survive attacks ... |
 Paper |
|
| Survivable Network System Analysis: A Case Study |
1999-06-26 |
Ellison, Robert J. Linger, Richard C. Longstaff, Thomas |
This case study summarizes application of the Survivable Network Analysis method to a subsystem of a large-scale, distributed healthcare system. |
 Paper |
|
| Life Cycle Models for Survivable Systems |
2000-01-01 |
Linger, Rick |
This presentation provides an overview of system survivability concepts and their effects on various aspects of the system development life cycle. |
 Presentation |
|
| Models of Information Security Analysis |
2000-01-01 |
CERT |
Analysis techniques help identify trends in attacks on the internet over both time and locations, along with attack tool development and related trends. |
 Presentation |
|
| State of the Practice of Intrusion Detection Technologies |
2000-02-22 |
Allen, Julia Christie, Alan Fithen, William |
Because most deployed computer systems are vulnerable to an ever increasing threat of attack, intrusion detection (ID) is a rapidly developing field. Intrusion detection is an important ... |
 Paper |
|
| Survivable Systems Analysis Method |
2000-09-01 |
Mead, Nancy |
The four-step Survivable Systems Analysis Method provides a means for organizations to understand survivability in the context of their operating systems. SSA helps identify risks to ... |
 Paper |
|
| A Simulation Model for Managing Survivability of Networked Information Systems |
2000-12-01 |
Moitra, Soumyo D. Konda, Suresh L. |
Simulation models can help evaluate the tradeoffs between the cost of defense mechanisms for networked systems and the resulting expected survivability after a network attack. |
 Paper |
|
| The Survivability of Network Systems: An Empirical Analysis |
2000-12-01 |
Moitra, Soumyo D. Konda, Suresh L. |
Results from an extended analysis of CERT Coordination Center's incident data (from 1988 to 1995) are applied to simulate attacks and their impacts on network sites. |
 Paper |
|
| Survivability — A New Technical and Business Perspective on Security |
2000-12-08 |
Lipson, Howard F. Fisher, David A. |
Traditional security solutions are not sufficient to deal with the modern security problems associated with highly distributed mission-critical systems, which have neither central administrative ... |
 Paper |
|
| Survivable Network Analysis Method |
2000-12-12 |
Mead, Nancy R. Ellison, Robert J. Linger, Richard C. |
The four-step Survivable Network Analysis (SNA) method guides stakeholders through an analysis process intended to improve system survivability when a system is threatened. This method ... |
 Paper |
|
| Survivable Network Analysis Method Tutorial |
2000-12-21 |
CERT Coordination Center |
This presentation provides a tutorial on the Survivable Network Analysis (SNA) Method. It provides background on survivability issues and the effect of the changing systems environment, ... |
 Presentation |
|
| Survivability: Protecting Your Critical Systems |
2001-01-01 |
Ellison, Robert; Fisher, David; Linger, Richard; Lipson, Howard; Longstaff, Thomas; Mead, Nancy |
A survivability approach helps assure that a system that must operate in an unbounded network can deliver essential services and maintain essential properties despite intrusions. This ... |
 Paper |
|
| Results of the Security in ActiveX Workshop |
2001-01-03 |
Bellovin, Steven M. Cohen, Cory Havrilla, Jeffrey |
In August of 2000, the CERT Coordination Center hosted a workshop in Pittsburgh, Pennsylvania, for twenty invited experts to address security issues related to ActiveX controls. The ... |
 Paper |
|
| The Survivable Network Analysis Method: Assessing Survivability of Critical Systems |
2001-01-08 |
CERT Coordination Center |
This presentation provides an overview of the Survivable Network Analysis Method, which can be used to assess the survivability of mission-critical systems. |
 Presentation |
|
| An Introduction to the OCTAVE Method |
2001-01-30 |
Alberts, Christopher Dorofee, Audrey |
OCTAVE defines the essential components of a context-driven information security risk evaluation that enables organizations to make decisions based on risks to the enterprise's critical ... |
 Paper |
|
| Study of the Interdependencies within the Banking and Finance Infrastructure for Survivability Research |
2001-03-29 |
Chen, Yen-Ming |
This paper examines how EASEL (Emergent Algorithms Simulation Environment and Language) serves as a useful tool for testing the survivability of the banking and finance infrastructure. |
 Paper |
|
| Architectural Refinement for the Design of Survivable Systems |
2001-10-01 |
Ellison, Robert J. Moore, Andrew P. |
Systematically refining an enterprise system architecture to resist, recognize, and recover from deliberate, malicious attacks requires a process that applies reusable design primitives ... |
 Paper |
|
| Trends in Denial of Service Attack Technology |
2001-10-01 |
Houle, Kevin Weaver, George Long, Neil |
Highlights trends in the deployment, use, and impact of DoS attack technology based on intruder activity and attack tools reported to and analyzed by the CERT/CC. |
 Paper |
|
| OCTAVE Catalog of Practices, Version 2.0 |
2001-11-08 |
Alberts, Christopher J. Dorofee, Audrey J. Allen, Julia H. |
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method enables organizations to identify the risks to their most important assets and build mitigation ... |
 Paper |
|
| Foundations for Survivable System Development: Service Traces, Intrusion Traces, and Evaluation Models |
2001-11-16 |
Linger, Richard C. Moore, Andrew P. |
Survivability addresses explicit requirements for restricted modes of system operation that preserve mission-critical essential services in adverse operational environments. Survivability ... |
 Paper |
|
| Cross-Site Scripting Vulnerabilities |
2001-11-30 |
Rafail, Jason |
This document describes cross-site scripting vulnerabilities. |
 Paper |
|
| OCTAVE Criteria, Version 2.0 |
2001-12-01 |
Alberts, Christopher J. Dorofee, Audrey J. |
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method enables organizations to understand and address their information security risks. OCTAVE is led ... |
 Paper |
|
| Can We Ever Build Survivable Systems from COTS Components? |
2001-12-01 |
Lipson, Howard Mead, Nancy Moore, Andrew |
This paper describes a risk-mitigation framework for deciding when and how COTS |
 Paper |
|
| Foundations for Survivable Systems Engineering |
2002-01-01 |
Ellison, Robert; Lipson, Howard; Mead, Nancy; Moore, Andrew |
The complexity of today's large-scale networked systems increases their vulnerability to intrusion, compromise, and failure. We are addressing the survivability of these systems by ... |
 Paper |
|
| Cyberterrorism |
2002-01-01 |
Shimeall, Tim |
Cyberterror is the deliberate destruction, disruption, or distortion of digital data or information flows with widespread effect for political, religious, or ideological reasons. Threats ... |
 Presentation |
|
| Organized Crime and Cyber-Crime: Implications for Business |
2002-01-01 |
Williams, Phil |
An overview that explains why the internet is attractive to criminals and criminal organizations, identifies trends that explore how organized crime and cyber-crime overlap, identifies ... |
 Paper |
|
| Countering Cyber War |
2002-02-01 |
Shimeall, Timothy Williams, Phil Dunlevy, Casey |
Defense planning must incorporate the virtual world to limit physical damage in the real world. |
 Paper |
|
| C4 Software Technology Reference Guide — A Prototype |
2002-02-05 |
Bray, Michael Brune, Kimberly Fisher, David |
This reference guide includes the latest available information on approximately 60 software technologies. This prototype generally emphasizes software technology of importance to the ... |
 Paper |
|
| Overview of Attack Trends |
2002-02-20 |
|
This paper provides a brief overview of recent attack trends that affect the ability of organizations to use the Internet safely. These trends indicate that organizations relying on ... |
 Paper |
|
| Survivable Network Systems: An Emerging Discipline |
2002-03-05 |
Ellison, R. Fisher, D. Linger, R. |
This report describes the survivability approach to helping assure that a system that must operate in an unbounded network is robust in the presence of attack and will survive attacks ... |
 Paper |
|
| Using PGP to Verify Digital Signatures |
2002-03-19 |
Hernan, Shawn Pesante, Linda |
Pretty Good Privacy (PGP) is a computer program that uses mathematical algorithms to encrypt files and protect them from unauthorized access. It is also used to digitally sign and verify ... |
 Paper |
|
| A Brief Tour of the Simple Network Management |
2002-06-10 |
CERT Coordination Center |
An overview of Simple Network Management Protocol (SNMP) that touches on network configuration, network monitoring, and security implications. |
 Paper |
|
| Information Survivability: Required Shifts in Perspective |
2002-07-01 |
Allen, Julia Sledge, Carol |
Organizations today are part of an interconnected, globally networked environment. To improve survivability, organizations must shift their focus from a more information security-centric ... |
 Paper |
|
| Foundations for Survivable Systems Engineering |
2002-07-01 |
Ellison, Robert Linger, Richard Lipson, Howard |
This article, originally published in CROSSTALK The Journal of Defense Software Engineering, examines how CERT is addressing the survivability of complex, large-scale networked systems ... |
 Paper |
|
| Securing an Internet Name Server |
2002-08-01 |
Householder, Allen King, Brian |
The goal of this document is to discuss general name server security. |
 Paper |
|
| Secure Infrastructure Design |
2002-08-12 |
Zimmerman, Scott C. |
This paper describes the fundamental components of infrastructure design, provides an overview of risk management concepts, and illustrates samples of network topologies. |
 Paper |
|
| Flow-Service-Quality (FSQ) Engineering: Foundations for Network System Analysis and Development |
2002-10-02 |
Linger, Richard C. Pleszkoch, Mark G. Walton, Gwendolyn |
Flow-Service-Quality (FSQ) engineering is an emerging technology for management, acquisition, analysis, development, evolution, and operation of large-scale, network-centric systems. ... |
 Paper |
|
| Life-Cycle Models for Survivable Systems |
2002-10-25 |
Linger, Richard C. Lipson, Howard F. McHugh, John |
Today’s large-scale, highly distributed, networked systems improve the efficiency and effectiveness of organizations by permitting whole new levels of organizational integration. However, ... |
 Paper |
|
| Trustworthy Refinement through Intrusion-Aware Design |
2002-11-05 |
Ellison, Robert J. Moore, Andrew P. |
A system model called trustworthy refinement through intrusion-aware design (TRIAD) enables information system engineers to use known and hypothesized attack patterns to iteratively ... |
 Paper |
|
| Emergent Algorithms: A New Method for Enhancing Survivability in Unbounded Systems |
2002-11-12 |
Fisher, David A. Lipson, Howard F. |
Traditional security approaches are not sufficient to protect highly distributed information systems operating in unbounded networks. Emergent algorithms are an approach to solving ... |
 Paper |
|
| Systematic Generation of Stochastic Diversity as an Intrusion Barrier in Survivable Systems Software |
2002-11-12 |
Linger, Richard C. |
Survivable systems software must exhibit high resistance to intrusion. A process of stochastic diversification can help increase resistance through random obscuration of survivable ... |
 Paper |
|
| CSIRT Services |
2002-11-26 |
CERT/CC |
Experience has shown that there is often confusion about the names used for CSIRT services. This document presents a list of services and their definitions; the list provides a common ... |
 Paper |
|
| Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues |
2002-12-02 |
Lipson, Howard F. |
The anonymity enjoyed by today’s cyberattackers poses a grave threat to the global information society, the progress of an information-based international economy, and the advancement ... |
 Paper |
|
| Outsourcing Managed Security Services |
2003-01-27 |
Allen, Julia Gabbard, Derek May, Christopher |
Outsourcing selected managed security services (MSS) by forming a partnership with a Managed Security Service Provider (MSSP) is often a good solution for transferring information security ... |
 Paper |
|
| Network Survivability Analysis Using Easel |
2003-02-06 |
Christie, Alan M. |
A description of how to develop statistically valid networks for analysis and apply them to the simulation of virus propagation; also illustrates the construction of network topologies ... |
 Paper |
|
| Applying FSQ Engineering Foundations to Automated Calculation of Program Behavior |
2003-02-14 |
Linger, Richard C. |
Flow-Service-Quality (FSQ) engineering enables complex, network-centric system analysis and development. FSQ Flow Structures treat the control structures of programs as rules, or implementations, ... |
 Paper |
|
| Handbook for Computer Security Incident Response Teams (CSIRTs), Version 2 |
2003-04-01 |
West-Brown, Moira; Stikvoort, Don; Kossakowski, Klaus-Peter |
A guide to provide assistance to newly forming Computer Security Incident Response Teams (CSIRTs). Includes information on how to effectively form and operate a CSIRT and gain recognition ... |
 Paper |
|
| Trustworthy Refinement through Intrusion-Aware Design (TRIAD) |
2003-05-12 |
Ellison, Robert J. Moore, Andrew P. |
Trustworthy refinement through intrusion-aware design (TRIAD), an intrusion-aware design model, helps information system decision-makers formulate and maintain a coherent, justifiable, ... |
 Paper |
|
| International Liability Issues for Software Quality |
2003-07-23 |
Mead, Nancy R. |
U.S. policy and efforts to create cyber security policy worldwide are affected by international law related to cybercrime, international information security standards, and software ... |
 Paper |
|
| Introduction to the OCTAVE Approach |
2003-08-01 |
Alberts, Christopher; Dorofee, Audrey; Stevens, James; Woody, Carol |
OCTAVE and OCTAVE-S are approaches for managing information security risks at the enterprise level. This paper describes the methods and helps readers determine which method is best ... |
 Paper |
|
| Protection of Critical Infrastructures: A New Perspective |
2003-09-01 |
Dunlevy, Casey |
We can no longer separate physical security from cyber security. Critical infrastructures face threats of physical attacks with cyber components and cyber attacks with physical components. ... |
 Presentation |
|
| Requirements Engineering for Survivable Systems |
2003-09-19 |
Mead, Nancy R. |
Survivability requirements engineering provides the guidelines for designing systems that are able to complete their mission in a timely manner, even if significant portions are compromised ... |
 Paper |
|
| Locality: A new Paradigm for Thinking About Normal Behavior and Outsider Threat |
2003-09-22 |
Gates, Carrie McHugh, John |
This paper suggests locality as a unifying concept for understanding the normal behavior of benign users of computer systems. It suggests this unifying paradigm will support the detection ... |
 Paper |
|
| CERT Research Annual Report 2003 |
2003-10-31 |
|
The CERT Research group works to identify and eliminate shortcomings in security and survivability engineering methods. This report is for the period ending September 30, 2003. |
 Paper |
|
| State of the Practice of Computer Security Incident Response Teams (CSIRTs) |
2003-11-24 |
Killcrece, Georgia Kossakowski, Klaus-Peter Ruefle, Robin |
The CERT CSIRT Development Team helps organizations build their own computer security incident response teams (CSIRTs) and also helps existing teams enhance their effectiveness. The ... |
 Paper |
|
| Principles of Survivability and Information Assurance |
2004-01-01 |
Rogers, Lawrence R. |
This paper summarizes the 10 principles of survivability and information assurance. These principles are the foundation for CERT's Survivability and Information Assurance (SIA) Curriculum. |
 Paper |
|
| Information Assurance in Small Organizations |
2004-01-01 |
Dorofee, Audrey Alberts, Christopher Woody, Carol |
How smaller organizations can approach information security risk management. |
 Presentation |
|
| Organizational Models for Computer Security Incident Response Teams (CSIRTs) |
2004-02-03 |
Killcrece, Georgia Kossakowski, Klaus-Peter Ruefle, Robin |
This handbook describes different organizational models for implementing incident handling capabilities, including each model’s advantages and disadvantages and the kinds of incident ... |
 Paper |
|
| Considering Operational Security Risks During System Development |
2004-03-12 |
Alberts, Christopher Dorofee, Audrey Woody, Carol |
This presentation examines CERT's Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). OCTAVE was developed to help manage security risks in the operational ... |
 Presentation |
|
| OCTAVE Threat Profiles |
2004-03-27 |
Alberts, Christopher Dorofee, Audrey |
This paper focuses on how to document the threats to the organization’s critical assets by creating a threat profile. |
 Paper |
|
| Advanced Information Assurance Handbook |
2004-04-06 |
May, Chris Baker, Marie Gabbard, David |
This handbook is for technical staff members charged with administering and securing information systems and networks. It reviews some best practices for securing host systems and covers ... |
 Paper |
|
| Which Best Practices are Best for Me? |
2004-04-19 |
CERT |
This presentation introduces an alternative way for you and your organization to think about information security best practices and to provide you with an approach for evaluating and ... |
 Presentation |
|
| Applying Critical Success Factors to Information Security Planning |
2004-04-19 |
Caralli, Richard A.; Wilson, William R. |
This presentation introduces the concept of critical success factors, illustrates the use of critical success factors as a foundation for security management, and provides real-world ... |
 Presentation |
|
| SQUARE Project: System Quality Requirements Engineering |
2004-04-27 |
CERT |
This brief provides an overview of CERT's research related to the System Quality Requirements Engineering (SQUARE). It touches on the problems SQUARE addresses, CERT's research approach, ... |
 Paper |
|
| Building a Practical Framework for Enterprise-Wide Security Management |
2004-05-03 |
Allen, Julia H. |
This presentation describes the challenge of an enterprise-wide, proactive, and controls- and process-based approach to security management that addresses impact, not just threat and ... |
 Paper |
|
| Quality Attribute Workshops (QAWs), Third Edition |
2004-05-17 |
Barbacci, Mario R. Ellison, Robert Lattanze, Anthony J. |
The Quality Attribute Workshop (QAW) is a facilitated method that engages system stakeholders early in the life cycle to discover the driving quality attributes of a software-intensive ... |
 Paper |
|
| Maturing Your Approach to "Security Management" |
2004-05-18 |
Caralli, Richard A. Wilson, William R. |
This presentation highlights challenges for security management, security approach roadblocks, new perspectives on the problem of security management, and how to mature your security ... |
 Presentation |
|
| Preparing RIR Allocation Data for Network Security Analysis Tasks |
2004-05-19 |
Trammell, Brian |
Actors in incident and traffic analysis data are expressed by IP address. Analysis operations categorize events at higher levels of abstraction. This presentation discusses bridging ... |
 Presentation |
|
| Survivable Functional Units: Balancing an Enterprise’s Mission and Technology |
2004-05-21 |
Rogers, Lawrence R. |
Computer systems and network infrastructure components are playing an increasingly larger role in support of an enterprise’s ability to process information and fulfill its customers’ needs. ... |
 Paper |
|
| OCTAVE Overview |
2004-06-01 |
CERT |
OCTAVE is a risk-based strategic assessment and planning technique for enterprise security. |
 Presentation |
|
| Staffing Your Computer Security Incident Response Team - What Basic Skills Are Needed? |
2004-06-01 |
CERT/CC |
This skill summary identifies a set of basic skills that CSIRT incident handlers should have. These skills enable them to respond to incidents, perform analysis tasks, and communicate ... |
 Paper |
|
| Creating a Financial Institution CSIRT: A Case Study |
2004-06-01 |
CERT/CC |
This case study documents lessons learned by a financial institution (referred to in the paper as AFI) as they developed and implemented both a plan to address security concerns and ... |
 Paper |
|
| Steps for Creating National CSIRTs |
2004-07-01 |
Killcrece, Georgia |
This paper provides an overview of the Computer Security Incident Response Team (CSIRT) concept. It describes the basic steps for building a CSIRT. |
 Paper |
|
| The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management |
2004-07-05 |
Caralli, Richard A.; Stevens, James F.; Willke, Bradford J.; Wilson, William R. |
This report describes the critical success factor method and presents the Survivable Enterprise Management team's theories and experience in applying it to enterprise security management. |
 Paper |
|
| The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management |
2004-07-08 |
Caralli, Richard A. |
The critical success factor method is a means for identifying important elements of success for enterprise security management. |
 Paper |
|
| An Empirical Analysis of Target-Resident DoS Filters |
2004-07-15 |
Collins, Michael Reiter, Michael K. |
This paper provides an empirical analysis of several proposals for end-system traffic filtering during denial-of-service attacks. It uses traffic recorded at the border of a large network, ... |
 Paper |
|
| Rethinking Risk Management |
2004-07-22 |
Alberts, Christopher Dorofee, Audrey |
This presentation examines whether state-of-the-practice risk assessments accurately characterize the security risks confronting healthcare organizations. |
 Presentation |
|
| Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector |
2004-08-23 |
Randazzo, Marisa Reddy Keeney, Michelle Kowalski, Eileen |
This report details an aggregated case study analysis examining insider incidents within the banking and finance sector. Subsequent reports from the analysis will examine insider activity ... |
 Paper |
|
| 2004 E-CrimeWatch Survey, Summary of Findings |
2004-09-13 |
|
The 2004 E-Crime Watch survey was conducted by CSO magazine in cooperation with the United States Secret Service & Carnegie Mellon University Software Engineering Institute’s CERT® ... |
 Paper |
|
| CERT Research Annual Report 2004 |
2004-10-11 |
|
The CERT Research group works to identify and eliminate shortcomings in security and survivability engineering methods. This research report is on the period ending September 30, 2004. |
 Paper |
|
| Defining Incident Management Processes for CSIRTs: A Work in Progress |
2004-10-29 |
Alberts, Chris Dorofee, Audrey Killcrece, Georgia |
This report presents a prototype best practice model for performing incident management processes and functions. It defines the model through five high-level incident management processes: ... |
 Paper |
|
| Insider Threat: Real Data on a Real Problem |
2004-11-09 |
Cappelli, Dawn Keeney, Michelle |
Includes background on the e-Crime Watch Survey and the Insider Threat Study; the purpose of which was to develop information to help private industry, government and law enforcement ... |
 Presentation |
|
| SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies |
2004-11-19 |
Xie, Nick (Ning) Mead, Nancy R. |
This SEI Technical Note describes a general framework for hierarchical cost/benefit analysis aimed at providing acceptable estimations for small companies in their information security ... |
 Paper |
|
| Systems Quality Requirements Engineering (SQUARE) Methodology: Case Study on Asset Management System |
2004-12-01 |
Chen, Peter Dean, Marjon Ojoko-Adams, Don |
This SEI Special Report exemplifies the use of the Systems Quality Requirements Engineering (SQUARE) methodology in the development of an asset management application. |
 Paper |
|
| Managing for Enterprise Security |
2004-12-16 |
Caralli, Richard; Allen, Julia; Stevens, James; Willke, Bradford; Wilson, William |
This report presents the interim results of work done by members of the Networked Systems Survivability Program at the Software Engineering Institute in exploring issues of Enterprise ... |
 Paper |
|
| Best Practices for Secure Coding (CoBaSSA 2005) |
2005-01-01 |
Seacord, Robert |
This presentation on secure coding focuses on strings, common string manipulation errors, and mitigation strategies. |
 Presentation |
|
| Secure Coding in C and C++: A Look at Common Vulnerabilities |
2005-01-01 |
Seacord, Robert Rafail, Jason |
Common vulnerabilities can be avoided through secure coding practices. This presentation focuses on strings and integers. |
 Presentation |
|
| Simulating Insider Cyber-Threat Risks: A Model-Based Case and a Case-Based Model |
2005-01-01 |
Cappelli, Dawn; Ellison, Robert; Lipson, Howard; Shimeall, Tim |
A simulation uses an organization that needs to protect itself against both insider and outsider attacks. In describing the model, we begin by depicting the defenders’ cognitive and ... |
 Paper |
|
| Managing for Enterprise Security |
2005-01-25 |
Caralli, Richard A. |
This report presents the interim results of work done by members of the Networked Systems Survivability Program at the SEI in exploring enterprise security issues. The authors offer ... |
 Paper |
|
| Security and Survivability Reasoning Frameworks and Architectural Design Tactics |
2005-02-01 |
Ellison, Robert J. Moore, Andrew P. Bass, Len |
The SEI approach to investigating disciplined software architecture design includes a collection of “quality attribute reasoning frameworks.” These frameworks take into account both ... |
 Paper |
|
| System Quality Requirements Engineering (SQUARE): Case Study on Asset Management System, Phase II |
2005-05-31 |
Gordon, Dan Stehney, Ted Wattas, Neha |
This report describes the second phase of an application of the System Quality Requirements Engineering (SQUARE) Methodology developed by the Software Engineering Institute’s Networked ... |
 Paper |
|
| Information Asset Profiling |
2005-06-01 |
Stevens, James F. Caralli, Richard A. Willke, Bradford J. |
Information Asset Profiling is a documented and repeatable process for developing consistent asset profiles. |
 Paper |
|
| Report on Annual Regional Information Assurance Symposia |
2005-06-27 |
Sledge, Carol A. |
The Networked Systems Survivability Program seeks to transition information assurance and information security courseware to institutions of higher education within the United States, ... |
 Paper |
|
| Governing for Enterprise Security |
2005-07-11 |
Allen, Julia |
This technical report examines governance thinking, principles, and approaches and applies them to the subject of enterprise security. Its primary intent is to increase awareness and ... |
 Paper |
|
| Building Information Assurance Educational Capacity: Pilot Efforts to Date |
2005-09-28 |
Sledge, Carol A. |
This report describes efforts to increase the capacity of higher education institutions to teach information assurance and information security. |
 Paper |
|
| Spyware |
2005-09-29 |
Hackworth, Aaron |
This paper examines the use of spyware in illicit activities. It provides an overview of spyware, examples of some common threats, and policies and practices to defend against spyware ... |
 Paper |
|
| First Responders Guide to Computer Forensics: Advanced Topics |
2005-10-10 |
Nolan, Richard Baker, Marie Branson, Jake |
This handbook describes advanced methodologies, tools, and procedures for applying computer forensics when performing routine log file reviews, network alert verifications, and other ... |
 Paper |
|
| Trustworthy Integration: Challenges for the Practitioner |
2005-10-17 |
Ellison, Robert J. |
This note summarizes the technical issues associated with the assembly of a networked information system. |
 Paper |
|
| Phishing Trends |
2005-11-01 |
Milletary, Jason |
Phishing, the act of stealing personal information via the internet for the purpose of committing financial fraud, has become a significant criminal activity on the internet. It negatively ... |
 Paper |
|
| Focus on Resiliency: A Process-Oriented Approach to Security |
2005-11-18 |
Caralli, Rich Stevens, James |
This presentation was originally made at the 32nd Annual CSI Conference and Exhibition. It introduces the concept of enterprise resiliency and approaches to achieving it. |
 Presentation |
|
| Security Quality Requirements Engineering (SQUARE) Methodology |
2005-11-30 |
Mead, Nancy R. Hough, Eric D. Stehney, Theodore R. |
This report presents the Security Quality Requirements Engineering (SQUARE) Methodology for eliciting and prioritizing security requirements in software development projects. |
 Paper |
|
| The Impact of Function Extraction Technology on Next-Generation Software Engineering |
2005-12-12 |
Hevner, Alan R. Linger, Richard C. Collins, Rosann W. |
Function extraction (FX) technology has the potential for transformational impact across the software engineering life cycle, from specification and design to implementation, testing, ... |
 Paper |
|
| The CERT Function Extraction Experiment: Quantifying FX Impact on Software |
2005-12-20 |
Collins, Rosann W. Walton, Gwendolyn H. Hevner, Alan R. |
Function Extraction (FX) is a new, theory-based technology for automated calculation of the functional behavior of software. This report describes the results of a controlled experiment ... |
 Paper |
|
| Requirements for the Format for INcident information Exchange (FINE) |
2005-12-21 |
Danyliw, Roman Demchenko, Yuri Ohno, Hiroyuki |
The purpose of the Format for Incident information Exchange (FINE) is to facilitate the exchange of incident information among Computer Security Incident Response Teams (CSIRTs) and ... |
 Paper |
|
| Insider Threats in the SDLC: Lessons Learned From Actual Incidents of Fraud, Theft of Sensitive Information, and IT Sabotage |
2006-01-01 |
Cappelli, Dawn M. Trzeciak, Randall F. Moore, Andrew P. |
|
 Presentation |
|
| Securing Your Web Browser |
2006-01-23 |
Dormann, Will Rafail, Jason |
This paper will help you configure your web browser for safer internet surfing. It is written for home computer users, students, small business workers, and any other person who works ... |
 Paper |
|
| Secure Coding in C and C++ |
2006-02-06 |
Seacord, Robert |
Common coding errors are a principal cause of software vulnerabilities. By using secure coding practices, developers can avoid creating vulnerable code. |
 Presentation |
|
| Creating a Computer Security Incident Response Team: A Process for Getting Started |
2006-02-27 |
CERT/CC |
This paper gives an overview of the steps that should be taken when planning and implementing a computer security incident response team (CSIRT). It is one of a series on the issues ... |
 Paper |
|
| Securing Networks Systematically - The SKiP Method |
2006-03-24 |
CERT Coordination Center |
This paper provides a brief overview of the Security Knowledge in Practice Method of network security. |
 Paper |
|
| Sustaining Operational Resiliency: A Process Improvement Approach to Security Management |
2006-04-01 |
Caralli, Richard Stevens, James Wallen, Charles M. (Financial Services Technology Consortium); Wilson, William R. |
This technical note describes our continuing research into helping organizations control and improve operational resiliency by refocusing their security, business continuity, and IT ... |
 Paper |
|
| Detecting Scans at the ISP Level |
2006-04-01 |
McNutt, Josh; Gates, Carrie; Kellner, Mark; Kadane, Joseph B. |
Presents a scan-detection approach that performs an ongoing, incremental analysis of flow-level data regarding traffic inbound to a network. |
 Paper |
|
| CERT Research Annual Report 2005 |
2006-04-11 |
|
The CERT Research group works to identify and eliminate shortcomings in security and survivability engineering methods. This report is on the period ending September 30, 2005. |
 Paper |
|
| Correlations Between Quiescent Ports in Network Flows |
2006-04-14 |
McNutt, Josh; De Shon, Marcus |
This paper introduces a method for detecting the onset of anomalous port-specific activity. |
 Paper |
|
| A Model for Opportunistic Network Exploits: The Case of P2P Worms |
2006-05-10 |
Collins, Michael P. Gates, Carrie Kataria, Gaurav |
This paper tests the hypothesis that opportunistic attackers will develop attacks against services that have the largest number of users. |
 Paper |
|
| More Netflow Tools: For Performance and Security |
2006-05-17 |
Gates, Carrie Collins, Michael Duggan, Michael |
This paper presents a suite of tools for network traffic collection and analysis based on Cisco NetFlow. |
 Paper |
|
| Sets, Bags, and Rock and Roll: Analyzing Large Data Sets of Network Data |
2006-05-17 |
McHugh, John |
This paper introduces a new conceptual framework, based on sets of IP addresses, to monitor and analyze traffic on high-speed networks. |
 Paper |
|
| Applying OCTAVE: Practitioners Report |
2006-06-02 |
Woody, Carol |
OCTAVE® is sufficiently flexible for organizations to address unique and highly contextual needs through tailoring. |
 Paper |
|
| Specifications for Managed Strings |
2006-06-07 |
Burch, Hal Long, Fred Seacord, Robert |
The managed string library provides mechanisms to eliminate or mitigate problems with manipulating strings and to improve system security. |
 Paper |
|
| Sustaining Operational Resiliency: A Process Improvement Approach to Security Management |
2006-06-13 |
Caralli, Richard |
Enterprise risk management programs rely on ‘point solutions’ and ‘hardening’ instead of layered approaches like defense in depth. Risk management models have not kept pace with these ... |
 Presentation |
|
| Finding Peer-To-Peer File-Sharing Using Coarse Network Behaviors |
2006-07-01 |
Collins, Michael P. Reiter, Michael K. |
This paper describes a set of tests to identify masqueraded peer-to-peer file-sharing based on traffic summaries (flows). |
 Paper |
|
| Vulnerability Response Decision Support (DSS) |
2006-07-02 |
Manion, Art |
This presentation examines how a Decision Support System (DSS) can help manage the influx of computer vulnerabilities for analysis. |
 Presentation |
|
| Vulnerability Discovery: Bridging the Gap Between Analysis and Engineering |
2006-07-05 |
|
Vulnerability discovery is a process used to uncover and fix types of software defects with security impacts when present in information systems. |
 Presentation |
|
| Creation of a National Response Team: A Case Study of Q-CERT |
2006-07-06 |
al-Ali, Rashid Andrews, Archie Lewis, Michael |
This presentation focuses on the work of establishing Q-CERT as a national CSIRT for Qatar. |
 Presentation |
|
| Secure Coding Initiative |
2006-07-07 |
Plakosh, Dan |
Among the goals of this initiative are to establish standard secure coding practices and educate software developers. |
 Presentation |
|
| Management and Education of the Risk of Insider Threat (MERIT): System Dynamics Modeling of Computer System Sabotage |
2006-07-14 |
Cappelli, Dawn M. Desai, Akesh G. Moore, Andrew P. |
This paper describes the MERIT insider threat model and simulation results. |
 Paper |
|
| Survivability and Information Assurance Curriculum (SIA) |
2006-08-01 |
|
The SIA Curriculum is designed to teach system and network administrators about information assurance. |
 Presentation |
|
| Cross-Certification: Bridging the Gaps between Disconnected Hierarchies |
2006-08-14 |
|
This presentation emphasizes the benefits of cross-certification and the future of Public Key Infrastructure (PKI). |
 Presentation |
|
| Coordination of Control System Vulnerabilities |
2006-08-21 |
Gennari, Jeff |
This presentation gives a brief overview of control systems and the coordination process used by CERT to monitor computer vulnerabilities. |
 Presentation |
|
| Secure Coding in C++: Integers |
2006-09-13 |
Seacord, Robert |
This presentation highlights integer-related vulnerabilities in C++ and mitigation strategies. |
 Presentation |
|
| Secure Coding in C++: Strings |
2006-09-14 |
Seacord, Robert C. |
This presentation highlights common errors using NTBS, common errors using basic_string, string vulnerabilities, and mitigation strategies. |
 Presentation |
|
| Operational Resiliency Management - An Introduction to the Resiliency Engineering Framework |
2006-09-20 |
Caralli, Richard Wallen, Charles |
Resiliency...More than a buzzword. This presentation defines resiliency and shows how resiliency models can serve as a roadmap for managing the consistent delivery of products and services. |
 Presentation |
|
| Defense in Depth: Foundations for Secure and Resilient IT Enterprises |
2006-09-21 |
May, Christopher Hammerstein, Josh Mattson, Jeff |
This curriculum is for students, from system administrators to CIOs, interested in how technical assurance issues affect their entire organizations. |
 Paper |
|
| Evolutionary Systems Design: Recognizing Changes in Security and Survivability Risks |
2006-10-10 |
Lipson, Howard |
It is essential that significant risk management resources be devoted to the ongoing evolution of any mission-critical system. |
 Paper |
|
| Resiliency Engineering Framework - Project Update |
2006-10-11 |
White, David Wallen, Charles |
Resiliency... More than a buzzword. |
 Presentation |
|
| Podcast: Why Leaders Should Care About Security |
2006-10-17 |
Allen, Julia Pollak, William |
Leaders need to be security conscious and to treat adequate security as a non-negotiable requirement of being in business. |
 Media |
|
| Podcast: The ROI of Security |
2006-10-17 |
Losi, Stephanie Allen, Julia |
ROI is a useful tool because it enables comparison among investments in a consistent way. |
 Media |
|
| Podcast: Proactive Remedies for Rising Threats |
2006-10-17 |
Lindner, Martin Losi, Stephanie Allen, Julia |
Threats to information security are increasingly stealthy, but they are on the rise and must be mitigated through sound policy and strategy. |
 Media |
|
| Podcast: Compliance vs. Buy-In |
2006-10-17 |
Allen, Julia Losi, Stephanie |
Integrating security into standard business operating processes and procedures is more effective than treating security as a compliance exercise. |
 Media |
|
| Action List for Developing a Computer Security Incident Response Team (CSIRT) |
2006-10-18 |
|
This is an overview of actions to take and topics to address when implementing a computer security incident response team. |
 Paper |
|
| Information Assurance: Building Educational Capacity |
2006-10-25 |
Sledge, Carol A. |
This report describes efforts to increase the capacity of higher education institutions to teach information assurance and information security. |
 Paper |
|
| Podcast: CERT Lessons Learned: A Conversation with Rich Pethia, Director of CERT |
2006-10-31 |
Pethia, Richard Allen, Julia |
Learn more about the past, present, and future of CERT and Pethia's view of the Internet security landscape. |
 Media |
|
| Focus on Resiliency: A Process Improvement Approach to Security |
2006-11-06 |
Caralli, Richard Young, Lisa |
This presentation covers an evolving view of security, operational resiliency, embracing a process view, and the resiliency engineering framework. |
 Presentation |
|
| A Risk Mitigation Model: Lessons Learned From Actual Insider Sabotage |
2006-11-07 |
Cappelli, Dawn Moore, Andrew Shaw, Eric |
A personal, organizational psychological perspective on insider threat. Includes information from CERT and PERSEREC insider threat research. |
 Presentation |
|
| Podcast: The Security 'X' Factor |
2006-11-14 |
Kim, Gene Losi, Stephanie |
In a recent survey of organizations' security posture, one factor separated high performers from the rest of the pack: change management. |
 Media |
|
| The CERT Survivability and Information Assurance Curriculum |
2006-11-15 |
Rogers, Lawrence R. |
This presentation introduces and highlights the Survivability and Information Assurance (SIA) Curriculum. |
 Presentation |
|
| Podcast: Protecting Against Insider Threat |
2006-11-28 |
Cappelli, Dawn Allen, Julia |
The threat of attack from insiders is real and substantial. Insiders have a significant advantage over others who might want to harm an organization. |
 Media |
|
| Podcast: Evolving Business Models, Threats, and Technologies: A Conversation with CERT's Deputy Director for Technology |
2006-12-12 |
Longstaff, Tom Allen, Julia |
Evolving business models have challenging implications, with security threats becoming more covert and technologies facilitating information migration. |
 Media |
|
| Comparing Insider IT Sabotage and Espionage: A Model-Based Analysis |
2006-12-18 |
Band, Stephen R. Cappelli, Dawn M. Fischer, Lynn F. |
This report examines factors thought to contribute to at least two forms of insider trust betrayal: sabotage of critical IT systems and espionage. |
 Paper |
|
| Podcast: Inside Defense-in-Depth |
2006-12-19 |
Rush, Kristopher Losi, Stephanie |
Defense-in-Depth is one path toward enterprise resilience — the ability to withstand threats and failures. |
 Media |
|
| Podcast: Building Staff Competence in Security |
2007-01-09 |
Laswell, Barbara Allen, Julia |
Practical specifications and guidelines now exist that define knowledge, skills, and competencies for staff members in a range of security positions. |
 Media |
|
| Botnets as a Vehicle for Online Crime |
2007-01-22 |
Ianelli, Nicholas Hackworth, Aaron |
Botnets are collections of computers infected with malicious code that can be controlled remotely. We discuss bot malware and operator motivations. |
 Paper |
|
| Podcast: Privacy: The Slow Tipping Point |
2007-01-23 |
Acquisti, Alessandro Losi, Stephanie |
A trend toward more data disclosure, as seen in online social networks, may be causing users to become desensitized to privacy breaches in general. |
 Media |
|
| Podcast: Assuring Mission Success in Complex Environments |
2007-02-06 |
Alberts, Christopher Allen, Julia |
Analysis tools are needed for assessing complex organizational and technological issues that are well beyond traditional approaches. |
 Media |
|
| Podcast: Crisis Communications During a Security Incident |
2007-02-20 |
Kimberland, Kelly Losi, Stephanie |
Business leaders need to be prepared to communicate with the media and their staff during a high-profile security incident or crisis. |
 Media |
|
| CERT Resiliency Engineering Framework |
2007-03-01 |
White, David |
A new environment in which business continuity & security must be increasingly effective & efficient. |
 Presentation |
|
| Podcast: A New Look at the Business of IT Education |
2007-03-06 |
Rogers, Larry Losi, Stephanie |
System administrators need business savvy in addition to technical skills, and IT training courses must try to keep pace with this trend. |
 Media |
|
| Podcast: The Legal Side of Global Security |
2007-03-20 |
Westby, Jodi Losi, Stephanie |
Business leaders, including legal counsel, need to understand how to tackle complex security issues for a global enterprise. |
 Media |
|
| Focus on Resiliency: A Process Improvement Approach to Security |
2007-03-27 |
Young, Lisa |
The goal of security is to contribute to attaining and sustaining operational resiliency. |
 Presentation |
|
| Incident Management Capability Metrics Version 0.1 |
2007-04-01 |
Dorofee, Audrey; Killcrece, Georgia; Ruefle, Robin; Zajicek, Mark |
The metrics presented in this document provide a benchmark for incident management practices. |
 Paper |
|
| Podcast: The Real Secrets of Incident Management |
2007-04-03 |
Killcrece, Georgia Ruefle, Robin |
Incident management is not just about technical response. It is a cross-enterprise effort that requires good communication and informed risk management. |
 Media |
|
| CERT Research Annual Report 2006 |
2007-04-05 |
|
The primary goals of the CERT Program are to ensure that appropriate technology and systems management practices are used to resist attacks on networked systems and to limit damage ... |
 Paper |
|
| Podcast: Computer Forensics for Business Leaders: A Primer |
2007-04-17 |
Nolan, Richard Losi, Stephanie |
Computer forensics is often overlooked when planning an incident response strategy; however, it is a critical part of incident response, and business leaders need to understand how ... |
 Media |
|
| CERT Research Annual Report 2006 |
2007-04-19 |
|
The CERT Research group works to identify and eliminate shortcomings in security and survivability engineering methods. This report is on the period ending September 30, 2006. |
 Paper |
|
| Introducing the CERT Resiliency Engineering Framework: Improving the Security and Sustainability Processes |
2007-05-01 |
Caralli, Richard A. Stevens, James F. Wallen, Charles M. |
This report explores the transformation of the disciplines of security and business continuity into organizationally driven processes designed to support and sustain operational resiliency. |
 Paper |
|
| Introducing OCTAVE Allegro: Improving the InformatProcess |
2007-05-01 |
Caralli, Richard A. Stevens, James F. Young, Lisa R. |
This technical report introduces the next generation of the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology, OCTAVE Allegro. |
 Paper |
|
| Podcast: The Value of De-Identified Personal Data |
2007-05-15 |
Ganow, Scot Hubbard, Mike Losi, Stephanie |
As the legal compliance landscape grows increasingly complex, de-identification can help organizations share data more securely. |
 Media |
|
| Podcast: IT Infrastructure: Tips for Navigating Tough Spots |
2007-05-29 |
Huth, Steve Kalinowski, Steve |
Organizations occasionally may need to redefine their IT infrastructures – but to succeed, they must be prepared to handle tricky situations. |
 Media |
|
| Podcast: Convergence: Integrating Physical and IT Security |
2007-06-12 |
Allen, Julia Crowell, Bill Contos, Brian |
Deploying common solutions for physical and IT security is a cost-effective way to reduce risk and save money. |
 Media |
|
| Podcast: Getting Real About Security Governance |
2007-06-26 |
Allen, Julia Losi, Stephanie |
Enterprise security governance is not just a vague idea – it can be achieved by implementing a defined, repeatable process with specific activities. |
 Media |
|
| Podcast: Using Standards to Build an Information Security Program |
2007-07-10 |
Wilson, Bill Allen, Julia |
Business leaders can use international standards to create a business- and risk-based information security program. |
 Media |
|
| The Use of Malware Analysis in Support of Law Enforcement |
2007-07-11 |
Ianelli, Nicholas Kinder, Ross Roylo, Christian |
This paper provides insights on how law enforcement can use malware analysis to obtain clues and further investigation of computer-based crimes. |
 Paper |
|
| Podcast: Real-World Security for Business Leaders |
2007-07-24 |
Fusco, Pamela Pollak, William |
Security is not an option – but it may be time to start viewing it as a business enabler, rather than just a cost of doing business. |
 Media |
|
| Reducing Security Costs with Standard Configurations: US Government Initiatives |
2007-08-07 |
Kreitner, Clint Allen, Julia |
Information security costs can be significantly reduced by enforcing standard configurations for widely deployed systems. |
 Media |
|
| Training Through CERT's Secure Coding Initiative |
2007-08-07 |
Seacord, Robert West, Sharon |
|
 Media |
|
| Podcast: Tackling Security at the National Level: A Resource for Leaders |
2007-08-21 |
Carpenter, Jeff Allen, Julia |
Business leaders can use national CSIRTs (Computer Security Incident Response Teams) as a key resource when dealing with incidents with a national or worldwide scope. |
 Media |
|
| Podcast: Dual Perspectives: A CIO's and CISO's Take on Security |
2007-09-04 |
Morrison, Patty Boni, Bill Allen, Julia |
Given that you can't secure everything, managing security risk to a "commercially reasonable degree" can lead to the best possible solution. |
 Media |
|
| Videocast: Secure Coding Initiative: Standards |
2007-09-07 |
Seacord, Robert West, Sharon |
|
 Media |
|
| 2007 E-Crime Watch Survey |
2007-09-11 |
|
The 4th annual E-Crime Watch Survey has been released by CERT, the US Secret Service, CSO Magazine, and Microsoft. |
 Paper |
|
| Ranged Integers for the C Programming Language |
2007-09-13 |
Gennari, Jeff Hedrick, Shaun Long, Fred |
This report describes an extension to the C programming language to introduce the notion of ranged integers, that is, integer types with a defined range of values. |
 Paper |
|
| Podcast: The Human Side of Security Trade-Offs |
2007-09-18 |
Newby, Greg Losi, Stephanie |
It's easy to think of security as a collection of technologies and tools - but people are the real key to any security effort. |
 Media |
|
| Predicting Future Botnet Addresses with Uncleanliness |
2007-09-20 |
Collins, Michael Shimeall, Timothy Faber, Sidney |
The increased use of botnets as an attack tool and the awareness attackers have of blocking lists leads to the question of whether we can effectively predict future bot locations. |
 Paper |
|
| Podcast: Resiliency Engineering: Integrating Security, IT Operations, and Business Continuity |
2007-10-02 |
Young, Lisa Allen, Julia |
By taking a holistic view of business resilience – similar in many ways to classical engineering – business leaders can help their operations stand up to known and unknown threats. |
 Media |
|
| Fishing for Phishes: Applying Capture-Recapture Methods |
2007-10-04 |
Weaver, Rhiannon Collins, M. Patrick |
This paper examines the extent of phishing activity on the Internet via capture-recapture analysis of two major phishing site reports. |
 Paper |
|
| Videocast: Secure Coding Initiative: Project |
2007-10-09 |
Seacord, Robert West, Sharon |
|
 Media |
|
| Hit-List Worm Detection and Bot Identification in Large Networks Using Protocol Graphs |
2007-10-15 |
Collins, Michael |
Presents a novel method for detecting hit-list worms using protocol graphs. |
 Paper |
|
| Business Resilience: A More Compelling Argument for Information Security |
2007-10-16 |
Dynes, Scott Losi, Stephanie |
A business resilience argument can bridge the communication gap that often exists between information security officers and business leaders. |
 Media |
|
| Podcast: Computer Forensics for Business Leaders: Building Robust Policies and Processes |
2007-10-30 |
Waits, Cal Losi, Stephanie |
Business leaders can play a key role in computer forensics by establishing strong policies and proactively testing to ensure those policies work in tough situations. |
 Media |
|
| Podcast: The Path from Information Security Risk Assessment to Compliance |
2007-11-13 |
Wilson, Bill Allen, Julia |
Information security risk assessment, performed in concert with operational risk management, can contribute to compliance as an outcome. |
 Media |
|
| Podcast: What Business Leaders Can Expect from Security Degree Programs |
2007-11-27 |
Beggs, Sean Losi, Stephanie |
Information security degree programs are proliferating – but what do they really offer business leaders who are seeking knowledgeable employees? |
 Media |
|
| Podcast: Internal Audit's Role in Information Security: An Introduction |
2007-12-10 |
Swanson, Dan Allen, Julia |
Internal Audit can serve a key role in putting an effective information security program in place, and keeping it there. |
 Media |
|
| Podcast: Information Compliance: A Growing Challenge for Business Leaders |
2008-01-08 |
Smedinghoff, Tom Allen, Julia |
Directors and senior executives are personally accountable for protecting information entrusted to their care. |
 Media |
|
| Podcast: Inadvertent Data Disclosure on Peer-to-Peer Networks |
2008-01-22 |
Johnson, M. Eric Dynes, Scott Allen, Julia |
Peer-to-peer networks are being used today to unintentionally disclose government, commercial, and personal information. |
 Media |
|
| Podcast: Building a Security Metrics Program |
2008-02-05 |
Nichols, Betsy Allen, Julia |
Selecting and reporting meaningful security metrics depend on picking topics of great interest, defining the business context, and having access to sound data. |
 Media |
|
| Podcast: Tackling the Growing Botnet Threat |
2008-02-19 |
Ianelli, Nicholas Allen, Julia |
Business leaders need to understand the risks to their organizations caused by the proliferation of botnets. |
 Media |
|
| Podcast: Insider Threat and the Software Development Life Cycle |
2008-03-04 |
Cappelli, Dawn Allen, Julia |
Significant insider threat vulnerabilities can be introduced (and mitigated) during all phases of the software development life cycle. |
 Media |
|
| 2007 CERT Research Annual Report |
2008-03-06 |
|
CERT is developing theoretical foundations and engineering methods to help ensure the security of critical systems and networks. This annual report describes progress in CERT research ... |
 Paper |
|
| Podcast: Initiating a Security Metrics Program - Key Points to Consider |
2008-03-18 |
Merrell, Sam Allen, Julia |
A sound security metrics program is grounded in selecting data that is relevant to consumers and collecting it from repeatable processes. |
 Media |
|
| Incident Management Mission Diagnostic Method, Version 1.0 |
2008-03-28 |
Dorofee, Audrey Killcrece, Georgia Ruefle, Robin |
This report presents a risk-based approach for determining the potential for success of an organization's incident management capability. |
 Paper |
|
| Podcast: Protecting Information Privacy - How To and Lessons Learned |
2008-04-01 |
Hargraves, Kim Allen, Julia |
Aligning with business objectives, integrating with enterprise risks, and collaborating with stakeholders are key to ensuring information privacy. |
 Media |
|
| Podcast: Using Benchmarks to Make Better Security Decisions |
2008-04-15 |
Nichols, Betsy Allen, Julia |
Benchmark results can be used to compare with peers, drive performance, and help determine how much security is enough. |
 Media |
|
| Combating the Insider Cyber Threat |
2008-04-18 |
Moore, Andrew Cappelli, Dawn |
The penetration of US national security by foreign agents as well as American citizens is a historical and current reality that’s a persistent and increasing phenomenon. |
 Paper |
|
| Podcast: Getting in Front of Social Engineering |
2008-04-29 |
Hinson, Gary Allen, Julia |
Helping your staff learn how to identify social engineering attempts is the first step in thwarting them. |
 Media |
|
| Incorporating Security Quality Requirements Engineering (SQUARE) into |
2008-05-01 |
Mead, Nancy Viswanathan, Venkatesh Padmanabhan, Deepa |
This report describes how SQUARE can be incorporated in standard life-cycle models for security-critical projects. |
 Paper |
|
| Podcast: Connecting the Dots Between IT Operations and Security |
2008-05-13 |
Allen, Julia Kim, Gene |
High performing organizations effectively integrate information security controls into mainstream IT operational processes. |
 Media |
|
| Podcast: Becoming a Smart Buyer of Software |
2008-06-10 |
Gallagher, Brian Allen, Julia |
Managing software that is developed by an outside organization can be more challenging than building it yourself. |
 Media |
|
| Vulnerability Detection in ActiveX Controls through Automated Fuzz Testing |
2008-06-27 |
Dormann, Will Plakosh, Dan |
This paper examines effective techniques for fuzz testing ActiveX controls using the Dranzer tool developed at CERT. |
 Paper |
|
| Vulnerability Response Decision Assistance |
2008-07-11 |
Burch, Hal Manion, Art Ito, Yuri |
VRDA (Vulnerability Response Decision Assistance) allows organizations to leverage the analysis effort at other organizations and to structure decision-making. |
 Paper |
|
| Computer Forensics: Results of Live Response Inquiry vs. Memory Image Analysis |
2008-08-04 |
Waits, Cal Nolan, Rich Rogers, Larry |
This paper presents a live response scenario and compares various approaches and tools used to capture and analyze evidence from computer memory. |
 Paper |
|
| Podcast: Getting to a Useful Set of Security Metrics |
2008-09-02 |
Kreitner, Clint Allen, Julia |
Well-defined metrics are essential to determine which security practices are worth the investment. |
 Media |
|
| Podcast: Security Risk Assessment Using OCTAVE Allegro |
2008-09-16 |
Young, Lisa Allen, Julia |
OCTAVE Allegro provides a streamlined assessment method that focuses on risks to information used by critical business services. |
 Media |
|
| Podcast: Developing Secure Software: Universities as Supply Chain Partners |
2008-09-30 |
Davidson, Mary Ann Allen, Julia |
Integrating security into university curricula is one of the key solutions to developing more secure software. |
 Media |
|
| Podcast: Virtual Communities: Risks and Opportunities |
2008-10-14 |
Wolynski, Jan Allen, Julia |
When considering whether to conduct business in online, virtual communities, business leaders need to evaluate risks and opportunities. |
 Media |
|
| Podcast: Concrete Steps for Implementing an Information Security Program |
2008-10-28 |
Bayuk, Jennifer Allen, Julia |
A sustainable security program is based on business-aligned strategy, policy, awareness, implementation, monitoring, and remediation. |
 Media |
|
| CERT Resiliency Engineering Framework (REF) Outline |
2008-11-11 |
Resiliency Engineering Framework Team |
This document provides a brief overview of the CERT Resiliency Engineering Framework (REF), including purpose statements, goals, and specific practices for each capability area. |
 Paper |
|
| Podcast: Integrating Security Incident Response and e-Discovery |
2008-11-11 |
Matthews, David Allen, Julia |
Responding to an e-discovery request involves many of the same steps and roles as responding to a security incident. |
 Media |
|
| Podcast: Using High Fidelity, Online Training to Stay Sharp |
2008-11-25 |
Wrubel, James Allen, Julia |
Virtual training environments can deliver high quality content to security professionals on-demand, anywhere, anytime. |
 Media |
|
| Podcast: Climate Change - Implications for Information Technology and Security |
2008-12-09 |
Power, Richard Allen, Julia |
Climate change requires new strategies for dealing with traditional IT and information security risks. |
 Media |
|
| Podcast: Leveraging Security Policies and Procedures for Electronic Evidence Discovery |
2009-01-06 |
Christiansen, John Allen, Julia |
Being able to effectively respond to e-discovery requests depends on well-defined, enacted policies, procedures, and processes. |
 Media |
|
| Podcast: Tackling Tough Challenges - Insights from CERT's Director Rich Pethia |
2009-01-20 |
Pethia, Rich Allen, Julia |
Rich Pethia reflects on CERT’s 20-year history and discusses how he is positioning the program to tackle future IT and security challenges. |
 Media |
|
| Common Sense Guide to Prevention and Detection of Insider Threats, Version 3.1 |
2009-01-28 |
Cappelli, Dawn Moore, Andrew Trzeciak, Randall |
This guide examines the insider threat problem in terms of insider psychology and organizational culture, policies, practices, and technology. |
 Paper |
|
| Podcast: An Alternative to Risk Management for Information and Software Security |
2009-02-03 |
Chess, Brian Allen, Julia |
Standards, compliance, and process are more effective than risk management for ensuring an adequate level of information and software security. |
 Media |
|
| Podcast: Better Incident Response Through Scenario Based Training |
2009-02-17 |
May, Chris Allen, Julia |
Teams are better prepared to respond to incidents if realistic, hands-on training is part of their normal routine. |
 Media |
|
| Spotlight On: Malicious Insiders with Ties to the Internet Underground Community |
2009-03-01 |
Hanley, Michael Moore, Andrew P. Cappelli, Dawn M. Trzeciak, Randall F. |
This article focuses on insider threat cases in which the insider had relationships with the internet underground community. |
 Paper |
|
| Podcast: Security: A Key Enabler of Business Innovation |
2009-03-03 |
Cloutier, Roland Allen, Julia |
Making security strategic to business innovation involves seven strategies and calculating risk-reward based on risk appetite. |
 Media |
|
| 2008 CERT Research Annual Report |
2009-03-06 |
Software Engineering Institute |
This report describes progress in CERT research projects in 2008 and opportunities for collaboration. |
 Paper |
|
| Podcast: Mainstreaming Secure Coding Practices |
2009-03-17 |
Seacord, Robert Allen, Julia |
Requiring secure coding practices when building or buying software can dramatically reduce vulnerabilities. |
 Media |
|
| Podcast: An Experience-Based Maturity Model for Software Security |
2009-03-31 |
McGraw, Gary Allen, Julia |
Observed practice, represented as a maturity model, can serve as a basis for developing more secure software. |
 Media |
|
| Spotlight On: Programming Techniques Used as an Insider Attack Tool |
2009-04-06 |
Cappelli, Dawn Caron, Tom Trzeciak, Randall F. |
This report is the first in a new quarterly series, Spotlight On, published by the CERT insider threat team and funded by CyLab. Each report will focus on a specific area of concern ... |
 Paper |
|
| Podcast: Cyber Security, Safety, and Ethics for the Net Generation |
2009-04-14 |
Petersen, Rodney Allen, Julia |
Capitalizing on the cultural norms of the Net Generation is essential when developing security awareness programs. |
 Media |
|
| Insider Threat Vulnerability Assessment |
2009-04-21 |
|
The insider threat vulnerability assessment enables organizations to gain a better understanding of insider threat and an enhanced ability to assess and manage associated risks. |
 Paper |
|
| Making the Business Case for Software Assurance |
2009-04-30 |
Mead, Nancy R. Allen, Julia H. et al. |
This report provides guidance for making the business case for building software assurance into software products during each software development life-cycle activity. |
 Paper |
|
| Podcast: Is There Value in Identifying Software Security 'Never Events'? |
2009-05-05 |
Charette, Robert Allen, Julia |
Now may be the time to examine our responsibilities when developing software with known, preventable errors – along with some possible consequences. |
 Media |
|
| Podcast: More Targeted, Sophisticated Attacks: Where to Pay Attention |
2009-05-26 |
Lindner, Marty Allen, Julia |
Business leaders need to take action to better mitigate sophisticated social engineering attacks. |
 Media |
|
| Podcast: The Upside and Downside of Security in the Cloud |
2009-06-16 |
Mather, Tim Allen, Julia |
When considering cloud services, business leaders need to weigh the economic benefits ag |
 Media |
|
| Podcast: Rethinking Risk Management |
2009-07-07 |
Alberts, Chris Allen, Julia |
Business leaders need new approaches to address multi-enterprise, systems of systems risks across the life cycle and supply chain. |
 Media |
|
| As-if Infinitely Ranged Integer Model |
2009-07-17 |
David Keaton Thomas Plum Robert C. Seacord |
This paper presents a model for automating the elimination of integer overflow and truncation in C and C++ programming code. |
 Paper |
|
| Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model |
2009-07-20 |
Andrew P. Moore Dawn M. Cappelli Thomas C. Caron, Eric Shaw, Randall F. Trzeciak |
This paper provides observations about and a preliminary system dynamics model of one class of insider crime based on empirical data. |
 Paper |
|
| Podcast: Analyzing Internet Traffic for Better Cyber Situational Awareness |
2009-07-28 |
Gabbard, Derek |
Automation, innovation, reaction, and expansion are the foundation for obtaining meaningful network traffic intelligence in today’s extended enterprise. |
 Media |
|
| Podcast: Mitigating Insider Threat: New and Improved Practices |
2009-08-18 |
Cappelli, Dawn Trzeciak, Randy Moore, Andy |
Preventing and detecting insider threat is greatly improved by implementing 16 best practices based on 282 cases. |
 Media |
|
| Effectiveness of the Vulnerability Response Decision Assistance (VRDA) Framework |
2009-08-25 |
Manion, Art et al. |
This paper examines the effectiveness of VRDA in terms of how well it predicts responses. |
 Paper |
|
| VRDA Prioritizing Vulnerability Response Efforts |
2009-09-02 |
Manion, Art |
Describes concepts for prioritizing vulnerability response efforts. |
 Presentation |
|
| Podcast: The Smart Grid: Managing Electrical Power Distribution and Use |
2009-09-29 |
Stevens, James Allen, Julia |
The smart grid is the use of digital technology to modernize the power grid, which comes with some new privacy and security challenges. |
 Media |
|
| Secure Design Patterns |
2009-10-23 |
Dougherty, Chad Sayre, Kirk Seacord, Robert |
Describes a set of secure design patterns: descriptions or templates of a general solution to a security problem that can be applied in many different situations. |
 Paper |
|