Karen Scarfone
Scarfone Cybersecurity, Clifton, Virginia, United States

MS Computer Science

About

86 publications, 185,477 reads, 5,172 citations (3,274 of them since 2017, across 14 research items).
Additional affiliations
August 2006 - July 2010
National Institute of Standards and Technology
Position: Researcher

Publications (86)
Preprint
Blockchains are tamper-evident and tamper-resistant digital ledgers implemented in a distributed fashion (i.e., without a central repository) and usually without a central authority (i.e., a bank, company, or government). At their basic level, they enable a community of users to record transactions in a shared ledger within that community, such tha...
Article
Organizations often struggle to capture the necessary functional capabilities for each cloud-based solution adopted for their information systems. Identifying, defining, selecting, and prioritizing these functional capabilities and the security components that implement and enforce them is surprisingly challenging. This article explains recent deve...
Chapter
This chapter discusses tools and techniques to manage software patches and vulnerabilities. Vulnerabilities are flaws that can be exploited by a malicious entity to gain greater access or privileges than it is authorized to have on a computer system. Patches are additional pieces of code developed to address problems in software. Patches correct se...
Conference Paper
Access control (AC) policies can be implemented based on different AC models, which are fundamentally composed of semantically independent AC rules, each expressing a privilege assignment in terms of subject attributes, actions, object attributes, and environment variables of the protected system. Incorrect implementations of AC p...
Article
The abundance of mobile software applications (apps) has created a security challenge. These apps are widely available across all platforms for little to no cost and are often created by small companies and less-experienced programmers. The lack of development standards and best practices exposes the mobile device to potential attacks. This article...
Chapter
A wireless local area network (WLAN) is a group of wireless networking devices within a limited geographic area, such as an office building, that exchange data through radio communications. WLAN technologies are based on the IEEE 802.11 standard and its amendments. The fundamental components of an IEEE 802.11 WLAN (hereafter referred to as a "WLAN...
Technical Report
Bluetooth is an open standard for short-range radio frequency communication. Bluetooth technology is used primarily to establish wireless personal area networks (WPANs), and it has been integrated into many types of business and consumer devices. This publication provides information on the security capabilities of Bluetooth technologies and gives...
Chapter
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. An intrusion detection system (IDS) is software that a...
Conference Paper
The Common Vulnerability Scoring System (CVSS) is a specification for measuring the relative severity of software vulnerabilities. Finalized in 2007, CVSS version 2 was designed to address deficiencies found during analysis and use of the original CVSS version. This paper analyzes how effectively CVSS version 2 addresses these deficiencies and what...
Chapter
The goal of cyber security standards is to improve the security of information technology (IT) systems, networks, and critical infrastructures. A cyber security standard defines both functional and assurance requirements within a product, system, process, or technology environment. Well-developed cyber security standards enable consistency among pr...
Chapter
Metrics are tools to facilitate decision making and improve performance and accountability. Measures are quantifiable, observable, and are objective data supporting metrics. Operators can use metrics to apply corrective actions and improve performance. Regulatory, financial, and organizational factors drive the requirement to measure IT security pe...
Conference Paper
This paper proposes a framework for measuring the vulnerability of individual hosts based on current and historical operational data for vulnerabilities and attacks. Previous approaches have not been scalable because they relied on complex manually constructed models, and most approaches have examined software flaws only, not other vulnerabilities...
Conference Paper
The best-known vulnerability scoring standard, the Common Vulnerability Scoring System (CVSS), is designed to quantify the severity of security-related software flaw vulnerabilities. This paper describes our efforts to determine if CVSS could be adapted for use with a different type of vulnerability: security configuration settings. We have identif...
Article
The Common Vulnerability Scoring System is an emerging standard for scoring the impact of vulnerabilities. The results of an analysis of the scoring system and that of an experiment scoring a large set of vulnerabilities using the standard are presented. Although the scoring system was found to be useful, it contains a variety of deficiencies that...
Book
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis...
Conference Paper
Many researchers have tackled the architecture and requirements aspects of grid security, concentrating on the authentication or authorization mediation instead of authorization techniques, especially the topic of policy combination. Policy combination is an essential requirement of grid, not only because of the required remote (or global) vs. loca...