Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Publications by: Karen Scarfone (Ctr)

Displaying 101 - 125 of 147

Technical Guide to Information Security Testing and Assessment

September 30, 2008

Author(s)

Murugiah P. Souppaya, Karen A. Scarfone

The purpose of this document is to assist organizations in planning and conducting technical information security tests and examinations, analyzing findings, and developing mitigation strategies. The guide provides practical recommendations for designing

Guide to Industrial Control Systems (ICS) Security (final draft)

September 2, 2008

Author(s)

Keith A. Stouffer, Joseph A. Falco, Karen A. Scarfone

[Superseded by NIST SP 800-82 (June 2011): http://www.nist.gov/manuscript-publication-search.cfm? pub_id=907249] The purpose of this document is to provide guidance for securing industrial control systems (ICS), including supervisory control and data

Evidence-Based, Good Enough, and Open

August 4, 2008

Author(s)

Karen A. Scarfone

One of the holy grail questions in computer security is how secure are my organization systems? This paper describes our new approach to answering this question. This approach is distinguished from previous efforts in three ways: 1) uses evidence-based

Guide to General Server Security

July 25, 2008

Author(s)

Karen A. Scarfone, Wayne Jansen, Miles C. Tracy

The purpose of this document is to assist organizations in understanding the fundamental activities performed as part of securing and maintaining the security of servers that provide services over network communications as a main function. The document

Guide to Securing Legacy IEEE 802.11 Wireless Networks

July 25, 2008

Author(s)

Karen A. Scarfone, Derrick Dicoi, Matt Sexton, Cyrus Tibbs

The purpose of this document is to provide guidance to organizations in securing their legacy Institute of Electrical and Electronics Engineers (IEEE) 802.11 wireless local area networks (WLAN) that cannot use IEEE 802.11i. The document provides an

A Framework for Measuring the Vulnerability of Hosts

June 30, 2008

Author(s)

Karen A. Scarfone, Timothy Grance

This paper proposes a framework for measuring the vulnerability of individual hosts based on current and historical operational data for vulnerabilities and attacks. Previous approaches have not been scalable because they relied on complex manually

Computer Security Incident Handling Guide

March 7, 2008

Author(s)

Karen A. Scarfone, Timothy Grance, Kelly Masone

[Superseded by SP 800-61 Rev. 2 (August 2012): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=911736] Computer security incident response has become an important component of information technology (IT) programs. Security-related threats have

Guidelines on Active Content and Mobile Code

March 7, 2008

Author(s)

Wayne Jansen, Theodore Winograd, Karen A. Scarfone

Active content technologies allow code, in the form of a script, macro, or other kind of portable instruction representation, to execute when the document is rendered. Like any technology, active content can be used to deliver essential services, but it

Decentralized Trust Domain Management in Multiple Grid Environments

November 25, 2007

Author(s)

Chung Tong Hu, Karen A. Scarfone, David F. Ferraiolo

Trust domain management for the global access of a grid is managed under centralized schema for most of the current grid architectures, which are designed based on the concept that there is only one grid for every grid member, therefore requiring central

Guide to Storage Encryption Technologies for End User Devices

November 15, 2007

Author(s)

Karen A. Scarfone, Murugiah P. Souppaya, Matt Sexton

Many threats against end user devices, such as desktop and laptop computers, smart phones, personal digital assistants, and removable media, could cause information stored on the devices to be accessed by unauthorized parties. To prevent such disclosures

User's Guide to Securing External Devices for Telework and Remote Access

November 1, 2007

Author(s)

Karen A. Scarfone, Murugiah P. Souppaya

[Superseded by NIST SP 800-114 Rev. 1 (July 2016): http://www.nist.gov/manuscript-publication-search.cfm?pub_id=921407] This publication helps teleworkers secure the external devices they use for telework, such as personally owned and privately owned

Guidelines on Securing Public Web Servers

October 9, 2007

Author(s)

Miles C. Tracy, Wayne Jansen, Karen A. Scarfone, Theodore Winograd

Web servers are often the most targeted and attacked hosts on organizations' networks. As a result, it is essential to secure Web servers and the network infrastructure that supports them. This document is intended to assist organizations in installing

Improving the Common Vulnerability Scoring System

September 28, 2007

Author(s)

Peter M. Mell, Karen A. Scarfone

The Common Vulnerability Scoring System is an emerging standard for scoring the impact of vulnerabilities. This paper presents the results of our analysis of the scoring system and the results of our experiment scoring a large set of vulnerabilities using