ITL Newsletter for July - August 2018

Information Technology Laboratory


With a world-class measurement and testing laboratory encompassing a wide range of areas of computer science, mathematics, statistics, and systems engineering, NIST’s cybersecurity program supports its overall mission to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and related technology through research and development in ways that enhance economic security and improve our quality of life. 

The need for cybersecurity standards and best practices that address interoperability, usability and privacy continues to be critical for the nation. NIST’s cybersecurity programs seek to enable greater development and application of practical, innovative security technologies and methodologies that enhance the country’s ability to address current and future computer and information security challenges. 





Industry leaders discuss cybersecurity concerns around the Internet of Things and the role NIST can play to help secure our future.




Experts at recognizing faces often play a crucial role in criminal cases. A photo from a security camera can mean prison or freedom for a defendant, and testimony from highly trained forensic face examiners informs the jury whether that image actually depicts the accused. Just how good are facial recognition experts? Would artificial intelligence help?

A study appearing this week in the Proceedings of the National Academy of Sciences has brought answers. In work that combines forensic science with psychology and computer vision research, a team of scientists from the National Institute of Standards and Technology (NIST) and three universities has tested the accuracy of professional face identifiers, providing at least one revelation that surprised even the researchers: Trained human beings perform best with a computer as a partner, not another person.




Digital evidence includes data on computers and mobile devices, including audio, video, and image files as well as software and hardware. Digital evidence can be a part of investigating most crimes, since material relevant to the crime may be recorded in digital form. Methods for securely acquiring, storing and analyzing digital evidence quickly and efficiently are critical. ITL promotes the efficient and effective use of computer technology to investigate crimes.





Applied and Computational Mathematics Division

Ronald Boisvert, Chief

Mathematical models are how we express our understanding of the world. They are essential for interpreting the results of scientific experiments, as well as in the design of products from airplanes to cell phones. New and challenging mathematical problems arise every day at a research lab like NIST. The Applied and Computational Mathematics Division (ACMD) provides leadership and expertise in the use of applied mathematics and scientific computing to solve such problems. As a part of this work, we develop mathematical and computational techniques and tools which have wide application in science and technology. The use of such state-of-the-art techniques and carefully validated tools helps build trust in measurement science and scientific computing, both essential for industrial innovation.



Davina Pruitt-Mentle

Congratulations to Dr. Davina Pruitt-Mentle for receiving the 2018 Government Leadership of the Year Award. Pruitt-Mentle has spent over 20 years researching and coordinating cybersecurity education programs. She joined the National Initiative for Cybersecurity Education (NICE) at NIST as the Lead for Academic Engagement in 2015, where she leads a variety of programs including National Cybersecurity Career Awareness Week, the NICE K12 Cybersecurity Education Conference, the NICE Working Group K12 Subgroup, and more. Pruitt-Mentle was presented with this award during the Awards Dinner at the 22nd Colloquium for Information Systems Security Education Conference on Tuesday, June 12, 2018, in New Orleans, Louisiana.


Assessing Security Requirements for Controlled Unclassified Information (NIST Special Publication 800-171A)
The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations. This publication provides federal and nonfederal organizations with assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The assessment procedures are flexible and can be customized to the needs of the organizations and the assessors conducting the assessments. Security assessments can be conducted as self-assessments; independent, third-party assessments; or government-sponsored assessments and can be applied with various degrees of rigor, based on customer-defined depth and coverage attributes. The findings and evidence produced during the security assessments can facilitate risk-based decisions by organizations related to the CUI requirements.

Cloud Computing Service Metrics Description (NIST Special Publication 500-307)
With cloud computing in the mainstream, there is a preponderance of cloud-based services in the market, and the choices for consumers increase daily. However, comparing the service offerings of different cloud service providers is not a straightforward exercise. As part of the decision-making framework for moving to the cloud, having data on measurable capabilities (for example, quality of service, availability, and reliability) gives the cloud service customer the tools and opportunity to make informed choices and to gain an understanding of the service being delivered. A metric provides knowledge about characteristics of a cloud property through both its definition (e.g., expression, unit, rules) and the values resulting from the measurement of the property. This document proposes concepts and a model to represent cloud service metrics. The model represents the information needed to understand a targeted cloud property and which constraints should be applied during measurement.

Forensic Latent Fingerprint Preprocessing Assessment (NISTIR 8215)
This report provides a brief introduction to fingerprint preprocessing, a discussion of the experimental design, structure, and contents of the latent fingerprint image database, and details of the proposed preprocessing efficacy metrics.

Juliet 1.3 Test Suite: Changes From 1.2 (NIST Technical Note 1995)
The Juliet test suite is a systematic set of thousands of small test programs in C/C++ and Java exhibiting over 100 classes of errors, such as buffer overflow, OS injection, hardcoded password, absolute path traversal, NULL pointer de-reference, uncaught exception, deadlock, and missing release of resource. These test programs should be helpful in determining capabilities of software assurance tools, particularly static analyzers, in Unix, Microsoft Windows, and other environments. Juliet was developed by the National Security Agency's Center for Assured Software and first released in December 2010. It has been enhanced twice since then. Version 1.2 was released in May 2013 with a total of 86,864 test cases. Released in October 2017, version 1.3 fixes about two dozen systematic problems in version 1.2 and adds tests for pre- and post-increment and -decrement operators. This technical note details the changes from version 1.2 to 1.3. This note also lists the systematic problems that we know remain in Juliet 1.3.

Nail to Nail Fingerprint Challenge: Prize Analysis (NISTIR 8210)
In September 2017, the Intelligence Advanced Research Projects Activity held a fingerprint data collection as part of the Nail to Nail Fingerprint Challenge. Participating Challengers deployed devices designed to collect an image of the full nail-to-nail surface area of a fingerprint, equivalent to a rolled fingerprint, from an unacclimated user without assistance from a trained device operator. Images captured from these devices were searched against a set of traditionally captured, operator-assisted rolled fingerprints. Thousands of latent fingerprints were also searched against the images.

NIST Special Database 300: Uncompressed Plain and Rolled Images from Fingerprint Cards (NIST Technical Note 1993)
A new collection of legacy inked rolled and plain fingerprint card scans is being released to the public. The cards were scanned at three resolutions in the 8-bit grayscale colorspace. The data is available as lossless images for free.

Quick Start Guide for Populating Mobile Test Devices (NIST Special Publication 800-202)
This guide provides procedures for documenting and populating various data elements typically found within the contents of a mobile device, e.g., mobile phone, tablet, etc. The guide discusses techniques and considerations for preparing the internal memory of a mobile device for use in testing a mobile forensic tool.

Platform Firmware Resiliency Guidelines (NIST Special Publication 800-193)
This document provides technical guidelines and recommendations supporting resiliency of platform firmware and data against potentially destructive attacks. The platform is a collection of fundamental hardware and firmware components needed to boot and operate a system. A successful attack on platform firmware could render a system inoperable, perhaps permanently, or require reprogramming by the original manufacturer, resulting in significant disruptions to users. The technical guidelines in this document promote resiliency in the platform by describing security mechanisms for protecting the platform against unauthorized changes, detecting unauthorized changes that occur, and recovering from attacks rapidly and securely. Implementers, including Original Equipment Manufacturers (OEMs) and component/device suppliers, can use these guidelines to build stronger security mechanisms into platforms. System administrators, security professionals, and users can use this document to guide procurement strategies and priorities for future systems.

Security Recommendations for Server-based Hypervisor Platforms (NIST Special Publication 800-125rev1)
The hypervisor platform is a collection of software modules that provides virtualization of hardware resources (such as CPU, memory, network, and storage) and thus enables multiple computing stacks (each made of an operating system (OS) and application programs), called Virtual Machines (VMs), to be run on a single physical host. In addition, it may have the functionality to define a network within the single physical host (called a virtual network) to enable communication among the VMs resident on that host as well as with physical and virtual machines outside the host. With all this functionality, the hypervisor has the responsibility to mediate access to physical resources, provide run-time isolation among resident VMs, and enable a virtual network that provides security-preserving communication flow among the VMs and between the VMs and the external network. The architecture of a hypervisor can be classified in different ways. The security recommendations in this document relate to ensuring the secure execution of baseline functions of the hypervisor and are therefore agnostic to the hypervisor architecture. Further, the recommendations are in the context of a hypervisor deployed for server virtualization and not for other use cases such as embedded systems and desktops. Recommendations for secure configuration of a virtual network are dealt with in a separate NIST document (Special Publication 800-125B).

‘Software Science’ revisited: rationalizing Halstead’s system using dimensionless units (NIST Technical Note 1990)
The set of software metrics introduced by Maurice H. Halstead in the 1970s has seen much scrutiny and not infrequent criticism. This article takes a fresh look at these metrics using quantity calculus (the algebra of units) and a new approach to dimensionless units. In this way, it is possible to assign units to the major Halstead metrics in a manner that is logically consistent. However, Halstead's repurposing of counts of software attributes as counts of unobservable mental events leads to a less plausible, more confusing set of metrics for coding effort than for software attributes.





Considerations for Managing IoT Cybersecurity and Privacy Risks Workshop




2018 Configurable Data Curation System Annual Convention




Named Data Networking Community Meeting 2018

