What are the most common authentication methods?
To authenticate users, security teams have a range of options available. Note, however, that a combination of methods is the best and safest approach.
Karen (Scarfone) Kent's Publications
Welcome! This site has links to all of my online publications. Sign up to get a weekly email update when I release something new.
Shadow code: The hidden threat for enterprise IT
The shadow code running in your web apps could be a ticking time bomb. Learn more about the cybersecurity risks of shadow code and how to protect your enterprise.
NIST Special Publication (SP) 1800-40 (Draft), Automation of the NIST Cryptographic Module Validation Program
Draft NIST SP 1800-40, Automation of the NIST Cryptographic Module Validation Program, to demonstrate how structured test evidence, standardized submission protocols, and modernized computing infrastructure can streamline the submission and review process.
Next-generation firewall buyer's guide for CISOs
NGFWs are crucial tools for modern security operations, but CISOs need to understand the often complex deployment, maintenance and budgeting implications.
10 enterprise secure remote access best practices
Remote access is a critical necessity in today's work-from-anywhere environment. It's also incredibly risky. But there are ways to protect assets and combat potential attacks.
Top vulnerability scanning tools for security teams
Use these vulnerability scanning tools to find weaknesses and potential exploits in web applications, IT and cloud infrastructure, IoT devices and more.
5G Network Security Design Principles: Applying 5G Cybersecurity and Privacy Capabilities
This white paper describes the network infrastructure design principles that commercial and private 5G network operators can use to improve cybersecurity and privacy. Such a network infrastructure isolates types of 5G network traffic from each other: data plane, control plane, and operation and maintenance (O&M) traffic.
No SUPI-Based Paging: Applying 5G Cybersecurity and Privacy Capabilities
This white paper provides an overview of “no Subscription Permanent Identifier (SUPI) based paging,” a 5G capability for protecting users from being identified and located by an attacker. Unlike previous generations of cellular systems, new requirements in 5G standards protect subscriber confidentiality by using a temporary identity (ID) instead of SUPI for the paging protocol, and explicitly define when the temporary ID must be reallocated (refreshed).
Reallocation of Temporary Identities: Applying 5G Cybersecurity and Privacy Capabilities
This white paper describes how 5G standards have enhanced the implementation guideline to protect subscriber identities (IDs), specifically how the network reallocates temporary IDs to protect users from being identified and located by an attacker. Unlike previous generations of cellular systems, new requirements in 5G explicitly define when the temporary ID must be reallocated (refreshed).
Using Hardware-Enabled Security to Ensure 5G System Platform Integrity: Applying 5G Cybersecurity and Privacy Capabilities
This white paper provides an overview and an example of employing hardware-enabled security capabilities to provision, measure, attest to, and enforce the integrity of the compute platform to foster trust in a 5G system’s server infrastructure. It discusses security threats within computing environments and how leveraging hardware roots of trust (HRoT) and remote attestation can help mitigate specific threats.
Protecting Subscriber Identifiers with Subscription Concealed Identifier (SUCI): Applying 5G Cybersecurity and Privacy Capabilities
This white paper describes how Subscription Concealed Identifier (SUCI) protection can be enabled in 5G networks. SUCI protection is defined by 5G standards as an optional security capability for operator deployments. By enabling SUCI on their 5G networks and subscriber SIMs, and configuring SUCI to use a non-null encryption cipher scheme, 5G network operators can provide their customers with the advantages of SUCI’s protections.
Applying 5G Cybersecurity and Privacy Capabilities: Introduction to the White Paper Series
This document introduces the white paper series titled Applying 5G Cybersecurity and Privacy Capabilities. Each paper in the series includes implementation guidelines and testbed-derived implementation findings for an individual technical cybersecurity- or privacy-supporting capability available in 5G systems or their supporting infrastructures.
Automation of the NIST Cryptographic Module Validation Program: September 2024 Status Report
NIST has undertaken the Automated Cryptographic Module Validation Project (ACMVP) to support improvement in the efficiency and timeliness of CMVP operations and processes. The goal is to demonstrate a suite of automated tools that would permit organizations to perform testing of their cryptographic products according to the requirements of FIPS 140-3, then directly report the results to NIST using appropriate protocols. This is a status report of progress made so far with the ACMVP and the planned next steps for the project.
Comparison of 5 top next-generation firewall vendors
This article outlines key features and capabilities that CISOs and security decision-makers should consider when evaluating modern NGFWs and examines five top firewall options.
How to reduce false positive alerts and increase cybersecurity
False positives in cybersecurity detection tools drain resources and distract from real threats. Once CISOs understand the root causes of false positives, they can implement strategies to reduce them.
How to Perform a Data Risk Assessment, Step by Step
Let's dig into what a data risk assessment is and how to perform one.
How to evaluate NGFW products to strengthen cybersecurity
Next-generation firewalls are critical tools in today's evolving threat landscape. Learn how to evaluate and select an NGFW that will bolster your company's cybersecurity posture.
Data Classification Practices
This guide, Data Classification Practices, demonstrates how organizations can discover, identify, and label unstructured data using data classification practices.
10 Types of Information Security Threats for IT Teams
Cybersecurity teams must be mindful at all times of the current threats their organization faces. While it's impossible to thwart every threat, stopping as many as possible and quickly detecting when they occur are both critical for reducing damage. Here are 10 types of threats that cybersecurity teams should focus on.
Top open source and commercial threat intelligence feeds
Let's take a closer look at cybersecurity threat intelligence feeds and highlight some leading options -- both open source and commercial.
5 deepfake detection tools to protect enterprise users
Let's look at five of the top tools that CISOs can use today to detect deepfake videos entering their organizations.
NIST's Secure Software Development Framework (SSDF) 1.2
The content updates from SSDF 1.1 to 1.2 are relatively small, but the changes in format and layout are significant, which makes it arduous to do a side-by-side comparison. To aid you in seeing what’s changed, we’ve created an annotated version. It highlights new content in green and changed content in orange (except for references). Each highlighted instance of changed content also has a callout box with the old text and the new text.
Five takeaways from NIST SP 800-70 update
To help public comment reviewers and anyone else interested in the details of the changes, we’ve done a side-by-side comparison of the revisions and identified the five most significant takeaways.
How to Create an Incident Response Playbook
Here's a look at what incident response playbooks accomplish, why they are important and how to use them.
Load More