Overview

The links below are to resources provided by the US Federal Government that are related to cybersecurity and comprise regulations, rules, commentary, engineering resources, and databases & statistics on security incidents. This article is updated frequently.

Where to start:

Online Security Incidents

The CVE database was launched by MITRE as a community effort in 1999, and the U.S. National Vulnerability Database (NVD) was launched by NIST in 2005. The CVE database feeds into the NVD.

Acronyms to know:

CNA (CVE Numbering Authority)

CVE (Common Vulnerabilities and Exposures) - these are security holes, typically in software, that have been both discovered and reported.

CWE (Common Weakness Enumeration): common software and hardware security weaknesses

CVE Distribution Over Time. Source: NIST.gov [updated May 17, 2020]

Related Links:

MITRE's CVE Database and Information "MITRE is a private, not-for-profit corporation"

NIST's National Vulnerability Database: NVD database, including feeds, visualizations, and search

United States Computer Emergency Readiness Team: US-CERT Reporting of security incidents, threats and reports

US-CERT provides weekly summaries of new vulnerabilities in the form of bulletins

NSF Cybersecurity Special Report

NIST Cybersecurity Framework "The Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk."

NIST Privacy Framework

As described in this fact sheet, NIST has developed a framework for organizations to identify & manage privacy risk and protect privacy while implementing products and services.

The framework includes a core set of documents:

NIST also supports a related Privacy Engineering Program.

Recent Federal CyberSecurity Publications and Alerts

June 2020

NIST has released Revision 2 of its Recommendation for Cryptographic Key Generation. This Recommendation discusses the generation of the keys to be managed and used by an approved cryptographic algorithm. Both symmetric and asymmetric cryptography are discussed along with methods to distribute and replace keys.

May 2020

NIST has updated Part 1 of its Recommendation for Key Management. This new version includes the following: definitions of security services and the algorithms and key types that may be employed for cryptographic services; specification of the protection that each key type provides; and discussion about the functions and issues involved in key management.

The FBI warns of Chinese targeting of COVID-19 research organizations. Healthcare, pharmaceutical and research sectors working on COVID-19 are the prime targets of this activity. Attack methods include: phishing, using the subject of coronavirus or COVID-19 as a lure; malware distribution, using coronavirus- or COVID-19-themed lures; registration of new domain names containing wording related to coronavirus or COVID-19; and attacks against newly (and often rapidly) deployed remote access and teleworking infrastructure.



Chinese Cyber Attacks

Various nations have accused the Chinese government of cyber attacks and theft against service / cloud providers and their customers. Below is a listing of resources for more information on this subject that also includes information for IT professionals to determine if they or the sites they maintain are being targeted.

Related:

North Korea Hidden Cobra: recent North Korean malicious Cyber Activity

Russian Government Grizzly Steppe: recent Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors

Filing an Internet Crime Complaint with the FBI

Do you know about the IC3? It's the Internet Crime Complaint Center. IC3's mission is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated criminal activity.

Follow this link to report an Internet crime to the FBI. Examples of crimes you can report include an email bomb threat and ransomware.

CALEA (Communications Assistance for Law Enforcement Act)

Note that CALEA is essentially a wiretap provision in the law. It applies to virtually all equipment and services in the network and enables the Federal Government to monitor the communications of individuals.

From the FCC's CALEA website:

"CALEA is intended to preserve the ability of law enforcement agencies to conduct electronic surveillance while protecting the privacy of information outside the scope of the investigation. It requires that telecommunications carriers and manufacturers of telecommunications equipment design their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities to comply with legal requests for information. Communications services and facilities utilizing Circuit Mode equipment, packet mode equipment, facilities-based broadband Internet access providers and providers of interconnected Voice over Internet Protocol (VoIP) service are all subject to CALEA. These compliance requirements include wireless services, routing and soft switched services, and internet-based telecommunications present in applications used by telecommunications devices."

The question still seems to remain whether the CALEA wiretap provision does or will apply to customer premises equipment (e.g., home and business routers, phones, PCs, etc.).

Note that the much-heralded Obama-era Net Neutrality (Open Internet Order) discusses CALEA and does not preclude its provisions from applying to customer premises equipment. You can read it here.

FIPS (Federal Information Processing Standards) and CMVP (Cryptographic Module Validation Program)

FIPS is a term commonly applied to the security level of cryptographic-related software and systems.

FIPS 140-2: Security Requirements for Cryptographic Modules "specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments."

NIST's Cryptographic Module Validation Program "validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-1, Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. FIPS 140-2, Security Requirements for Cryptographic Modules, was released on May 25, 2001 and supersedes FIPS 140-1."

FIPS updates by NIST

Post-Quantum Cryptography (PQC)

"For many years it has been known that both the integer factorization problem, upon which RSA is based, and the elliptic curve discrete logarithm problem (ECDLP), upon which ECC is based, can be solved in polynomial time by a quantum computer." [Koblitz and Menezes]

From csrc.nist.gov: "If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use. This would seriously compromise the confidentiality and integrity of digital communications on the Internet and elsewhere. The goal of post-quantum cryptography ... is to develop cryptographic systems that are secure against both quantum and classical computers..."

NIST Post-Quantum Cryptography Standardization

NSA and CSS Commercial National Security Algorithm Suite and Quantum Computing FAQ

Status Report on the First Round of the NIST Post-Quantum Cryptography Standardization Process

Other Related Government Links

More Acronyms