Visible to the public Biblio

Filters: Keyword is security  [Clear All Filters]
2021-10-27
Derek Johnson.  2019.  NSA official: 'Dumb' software supply chain attacks still prevalent. The Business of Federal Technology. 2021

While much of the discussion around supply chain security has focused on the parts, components and gear that make up an organization's physical IT assets, a growing number of experts are making the case that vulnerabilities in the software supply chain may represent the larger cybersecurity threat over the long haul.

Katie Arrington.  2019.  Securing the Supply Chain.

We need risk management solutions to assess, measure, and mitigate risk in real-time across multi-tier partner and supplier networks to achieve our goal of cost, schedule and performance, as they are only effective in a secure environment.

2021-10-26
[Anonymous].  2009.  Securely Taking on New Executable Software Of Uncertain Provenance.

STONESOUP develops and demonstrates comprehensive, automated techniques that allow end users to securely execute software without basing risk mitigations on characteristics of provenance that have a dubious relationship to security. Existing techniques to find and remove software vulnerabilities are costly, labor-intensive, and time-consuming. Many risk management decisions are therefore based on qualitative and subjective assessments of the software suppliers' trustworthiness. STONESOUP develops software analysis, confinement, and diversification techniques so that non-experts can transform questionable software into more secure versions without changing the behavior of the programs.

2021-10-22
[Anonymous].  2011.  Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust.

This paper introduces Microsoft’s perspective on supply chain risk and the relationship of such risk to global trade in ICT products. It reviews the considerations that lead governments to express concerns about supply chain security and discusses the implications of some approaches to “solving the problem.” It points out the importance of having national approaches to supply chain risk management that are risk-based, transparent, flexible and reciprocal or standards-based.

[Anonymous].  2021.  Protecting Americans’ Sensitive Data From Foreign Adversaries . 86(111)

It is appropriate to elaborate upon measures to address the national emergency with respect to the information and communications technology and services supply chain that was declared in Executive Order 13873 of May 15, 2019 (Securing the Information and Communications Technology and Services Supply Chain). Specifically, the increased use in the United States of certain connected software applications designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary, which the Secretary of Commerce acting pursuant to Executive Order 13873 has defined to include the People’s Republic of China, among others, continues to threaten the national security, foreign policy, and economy of the United States. The Federal Government should evaluate these threats through rigorous, evidence-based analysis and should address any unacceptable or undue risks consistent with overall national security, foreign policy, and economic objectives, including the preservation and demonstration of America’s core values and fundamental freedoms.”

[Anonymous].  2021.  Security Measures for “EO-Critical Software” Use.

Publishing guidance that outlines security measures for critical software use – including applying practices of least privilege, network segmentation, and proper configuration – is one of NIST’s assignments to enhance the security of the software supply chain called for by a May 12, 2021, Presidential Executive Order on Improving the Nation’s Cybersecurity (14028).”

[Anonymous].  2017.  Digital supply chain security. 2021
2019-09-13
N. Soule, B. Simidchieva, F. Yaman, R. Watro, J. Loyall, M. Atighetchi, M. Carvalho, D. Last, D. Myers, B. Flatley.  2015.  Quantifying & minimizing attack surfaces containing moving target defenses. 2015 Resilience Week (RWS). :1-6.

The cyber security exposure of resilient systems is frequently described as an attack surface. A larger surface area indicates increased exposure to threats and a higher risk of compromise. Ad-hoc addition of dynamic proactive defenses to distributed systems may inadvertently increase the attack surface. This can lead to cyber friendly fire, a condition in which adding superfluous or incorrectly configured cyber defenses unintentionally reduces security and harms mission effectiveness. Examples of cyber friendly fire include defenses which themselves expose vulnerabilities (e.g., through an unsecured admin tool), unknown interaction effects between existing and new defenses causing brittleness or unavailability, and new defenses which may provide security benefits, but cause a significant performance impact leading to mission failure through timeliness violations. This paper describes a prototype service capability for creating semantic models of attack surfaces and using those models to (1) automatically quantify and compare cost and security metrics across multiple surfaces, covering both system and defense aspects, and (2) automatically identify opportunities for minimizing attack surfaces, e.g., by removing interactions that are not required for successful mission execution.

2019-09-09
C. Wang, Z. Lu.  2018.  Cyber Deception: Overview and the Road Ahead. IEEE Security Privacy. 16:80-85.

Since the concept of deception for cybersecurity was introduced decades ago, several primitive systems, such as honeypots, have been attempted. More recently, research on adaptive cyber defense techniques has gained momentum. The new research interests in this area motivate us to provide a high-level overview of cyber deception. We analyze potential strategies of cyber deception and its unique aspects. We discuss the research challenges of creating effective cyber deception-based techniques and identify future research directions.

E. Peterson.  2016.  Dagger: Modeling and visualization for mission impact situation awareness. MILCOM 2016 - 2016 IEEE Military Communications Conference. :25-30.

Dagger is a modeling and visualization framework that addresses the challenge of representing knowledge and information for decision-makers, enabling them to better comprehend the operational context of network security data. It allows users to answer critical questions such as “Given that I care about mission X, is there any reason I should be worried about what is going on in cyberspace?” or “If this system fails, will I still be able to accomplish my mission?”.

2018-08-06
B. Biggio, g. fumera, P. Russu, L. Didaci, F. Roli.  2015.  Adversarial Biometric Recognition : A review on biometric system security from the adversarial machine-learning perspective. IEEE Signal Processing Magazine. 32:31-41.

In this article, we review previous work on biometric security under a recent framework proposed in the field of adversarial machine learning. This allows us to highlight novel insights on the security of biometric systems when operating in the presence of intelligent and adaptive attackers that manipulate data to compromise normal system operation. We show how this framework enables the categorization of known and novel vulnerabilities of biometric recognition systems, along with the corresponding attacks, countermeasures, and defense mechanisms. We report two application examples, respectively showing how to fabricate a more effective face spoofing attack, and how to counter an attack that exploits an unknown vulnerability of an adaptive face-recognition system to compromise its face templates.