Questions tagged [standards]
The standards tag has no usage guidance.
78 questions
1 vote · 1 answer · 177 views
How often should one order a pentest?
I am trying to find explicit recommendations on the frequency of penetration testing, if possible in an industrial environment.
I looked in ISO/IEC 27001, NIST SP 800-115 but could not find any ...
0 votes · 1 answer · 98 views
What does a "?" mean in Common Product Enumeration (CPE)?
I looked at the documentation for the CPE Naming Specification Version 2.3
http://csrc.nist.gov/publications/nistir/ir7695/NISTIR-7695-CPE-Naming.pdf
Specification says, "*" or "-" is ...
0 votes · 1 answer · 237 views
Key difference between DoS & DDoS [duplicate]
What are the key components that define them and what are the differences? Is there any standard structure for them? I've looked at several papers; some of them use the terms interchangeably, and some of them are ...
2 votes · 2 answers · 134 views
Standards for Secure Products
I am interested in standardizations for secure design and development of products, especially towards operational technology / IoT / ICS. My understanding of information security management systems ...
6 votes · 2 answers · 2k views
How do I decide which security framework is most suited to my organization?
There are many IT security frameworks/standards/regulations/etc. to choose from, each with their own pros and cons. For example, ISO 27000 series, NIST CSF, NIST RMF, PCI-DSS, etc. My question is, is ...
1 vote · 0 answers · 111 views
Do you know of a reasonable study on MFA value as a function of the nature of the first factor? [closed]
Multi Factor Authentication is obviously a lifesaver for passwords, so things that can easily leak (peeking, guessing, stealing, ...). A second/third/... factor of another kind considerably reduces ...
0 votes · 1 answer · 148 views
Standard for "secure workstations" resisting screen grabs
In his talk "Keynote address: securing the individual" at authenticate2020 (around 23:44), Whit Diffie asks
"ever wonder why an app can come on and grab your whole screen? There's a ...
2 votes · 0 answers · 852 views
Sign according to the RSASSA-PKCS1-v1_5 standard
I'm totally lost with this standard, RSASSA-PKCS1-v1_5.
I have commands that sign a document and check the signature below.
openssl dgst -sha256 -sign private-key.pem -out aaa.txt.sha256 aaa.txt
openssl dgst ...
1 vote · 0 answers · 108 views
Is there a standard for fencing email domains to specific use cases?
To my knowledge, there's no common standard for sysadmins to publish trusted domains for specific use cases.
If it exists, I would presume that this might limit phishing attacks. Think of my question ...
9 votes · 2 answers · 4k views
Is HTTP header Permissions-Policy worth using if no features are used?
From the spec at https://www.w3.org/TR/permissions-policy-1/ it seems there is no way to whitelist features with a default blacklist, and each feature must be individually disabled in every single ...
2 votes · 1 answer · 127 views
Security requirements for small tax software business
I have a client who does payroll and taxes and is looking for a web app to easily communicate and transfer tax related documents for clients. I would assume that the IRS or someone would have some ...
1 vote · 1 answer · 200 views
Cyber Essentials at a small business (20 employees) that keeps all business data within SaaS
Background
I've recently joined a rapidly growing small business (from 4 to 20 people in last 12 months) with a very DIY IT setup. It's fallen to me (I'm a developer so I just happen to be sitting ...
0 votes · 1 answer · 152 views
From a modular development standpoint, should a "firewall" do anything else than filtering ports?
From a modular development standpoint, should a "firewall" do anything else than filtering ports?
This leads me to further ask, have there been attempts to reform the terminology from "...
-1 votes · 1 answer · 158 views
ISO 27001 2013 version not being updated
Is there any reason why an information security standard such as ISO 27001 is not getting updated, as the information security field and its requirements are constantly changing, but its latest version ...
2 votes · 1 answer · 3k views
What is the PKCS#7 detached signature format?
This website claims that (emphasis added):
In PKCS#7 SignedData, attached and detached formats are supported… In detached format, data that is signed is not embedded inside the SignedData package ...
1 vote · 1 answer · 1k views
How to encode a public key in PKCS#8?
RFC5958 defines a set of enhancements to the PKCS#8 key serialization format, bumping the version field up to 1 and additionally permitting serialization of public keys for arbitrary asymmetric ...
0 votes · 1 answer · 353 views
What alternative standard for ISO 27001 can be used in Australia?
I am looking for alternatives, that are less strict and less time consuming, than ISO 27001. Australia is in the Commonwealth, so maybe Cyber Essentials Plus could work, but I do not know if that ...
0 votes · 0 answers · 93 views
Backendly preventing database injections on simple web forms [duplicate]
I have a simple PHP-HTML-CSS contact form which saves emails to a local email client's database (in my case, Roundcube's database, which is a standalone MySQL database, I think --- I haven't used the ...
0 votes · 1 answer · 324 views
Is there a standard about storing the password of a bank's website bank-account-management-account in a password vault?
Please assume that I use some FOSS, SaaS, public key && passwordized private key protected password vault program to primarily store passwords of websites I rarely use (such as Q&A ...
2 votes · 1 answer · 1k views
What does a TPM have in common with smart cards?
The title really says it all. I'm starting to dig a little bit into computer security and from what I've watched or from what I have read in books or articles there's always a mention of basic smart ...
0 votes · 0 answers · 284 views
Is there a standard approach for serializing an RSA encrypted AES key alongside the AES payload itself?
Diffie-Hellman won't really work here, since only one side has a public key, one side has the private. It must be this way to prevent decryption when the data is at-rest on one of the sides before ...
1 vote · 1 answer · 759 views
Is it allowed to store billing addresses for SAQ A merchants? (PCI DSS)
I know there are many limitations for data storing and processing by PCI DSS. Some of them are explained here. https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
But I can't find any ...
1 vote · 1 answer · 199 views
Is there a documented security standard that forbids or discourages rolling your own crypto?
Is there any security standard published by NIST or another reputed body in information security that explicitly forbids or discourages rolling your own crypto? If yes, would you please post the ...
0 votes · 2 answers · 703 views
IEEE 1363 is inactive-reserved, having been withdrawn on 2019-11-07: what does this mean?
IEEE 1363-2000 - IEEE Standard Specifications for Public-Key Cryptography - was withdrawn on 7 November 2019 and is now in inactive-reserved status. What does this mean? Why was it withdrawn? ...
0 votes · 0 answers · 123 views
Security standard that requires network cables to be visible for inspection
I recently worked for a customer that showed me that all their network cables are visible. Indeed, cables were never drawn inside walls, conduits or trunks. Instead, they were "hung" on poles close to ...
2 votes · 1 answer · 255 views
Is AES the recommended symmetric cipher for production level software?
I was considering developing an application level software for file encryption after stress testing many of my implementations of popular symmetric ciphers. I would love to support multiple ...
4 votes · 3 answers · 908 views
Friendly reminders for people who don't lock laptops
My bosses have tasked me with coming up with a kind of "friendly reminder" card that we can leave on the desks of folks where we see they've walked away without locking their workstation and we have ...
0 votes · 0 answers · 118 views
Are there any standards or guidelines tamper-evident devices can adhere to?
Tamper-Evident devices and measures are devices which in some way indicate that an event not intended by the developer or manufacturer has occurred. Examples of tamper-evident devices are stickers ...
0 votes · 1 answer · 150 views
Permissions API [closed]
We are about to develop an integration with an old system which is still live. Due to technical issues it is not possible to augment the data from the old system using the browser, so we are going to ...
0 votes · 0 answers · 182 views
Security and distro list naming convention in AAD
Most naming convention standards for Active Directory I have come across so far have security groups starting with an underscore to allow the equivalent distribution list to be user-friendly.
I am ...
2 votes · 1 answer · 217 views
Kerberos over http documentation
The NTLM over HTTP documentation can be found here https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ntht/f09cf6e1-529e-403b-a8a5-7368ee096a6a
Where is the Kerberos over HTTP official ...
0 votes · 1 answer · 617 views
Is there a technical security standard for internet facing test environments?
We have a number of test environments that are permanently internet facing to accommodate external and automated testers with dynamic IP addresses. While we regularly check the servers for security ...
3 votes · 2 answers · 2k views
Is Blowfish validated against any standards?
OWASP ASVS 3.0 V7.7 states the following:
Verify that cryptographic algorithms used by the application have been validated against FIPS 140-2 or an equivalent standard.
Blowfish is not included in ...
0 votes · 0 answers · 109 views
Was ISO 17799:2005 the first ISO standard to introduce risk management?
I'm doing research into ISO 17799:2005, more specifically its policies related to risk management and its involvement on risk management in the wider IT sector, but I can't find out the answer to:
...
2 votes · 1 answer · 2k views
What is a Security Guideline and how does it stand in relation with Standards, Policies, Procedures?
I'm currently working on the definitions section of a paper. Therefore I have to define the term "Guideline" and what its relationship to other terms (Standards, Policies, Procedures) looks like.
...
0 votes · 1 answer · 967 views
What's the relation between a Security Framework & Standards, Guidelines, Procedures and Policies?
I'm currently writing a paper about security standards. Therefore several terms have to be defined before I can actually start. The problem is that in every resource the term "Framework" is somehow ...
0 votes · 2 answers · 312 views
Software Signing Standards
Is there a software signing certificates standard, officially or by popularity?
As I understand it, the SSL/TLS/HTTPS certificate rules are specified by the RFCs. Mixed use of servers and clients from ...
1 vote · 2 answers · 709 views
Why are email clients prevented from seeing the envelope?
Being able to compare the envelope values against the header field values is potentially useful for detecting fraudulent (e.g. spoofed) mail.
However, email servers, when receiving mail over SMTP, ...
2 votes · 2 answers · 736 views
Are there currently any standards for Homomorphic encryption?
I am curious if there are any released standards for homomorphic encryption, or computing on encrypted data. Perhaps by NIST, ANSI, or ISO. If not, are there any that are under development right now? ...
4 votes · 2 answers · 2k views
How do I measure compliance to Information security policies?
I work in an organisation with 3 levels as far as information security is concerned. I'm sitting at level two where we develop policies and also assist with the standards. One of the most difficult ...
0 votes · 1 answer · 2k views
What should be the life time for SMS OTP?
I've tried to find a standard that mentions the lifetime of SMS OTP; however, NIST no longer recommends using SMS OTP due to the risk involved.
Regardless of the security concerns, I still ...
0 votes · 3 answers · 1k views
When should TouchID/Fingerprint log-in expire?
I couldn't find a standard which mentions a TouchID or fingerprint log-in expiration date.
Suppose I have an application and allow users to log in using the fingerprint. I would like to know ...
0 votes · 1 answer · 122 views
Trustable Sources For Security Algorithms and Standards?
I am a learner of cryptographic algorithms and security standards. I usually Google to understand the basics of the algorithm or the protocol, and to find an implementation of a protocol. However, I ...
4 votes · 1 answer · 1k views
How to find CAPEC items related to a CVE
Vulnerabilities with a CVE usually also have a CWE associated with them, but almost never CAPEC. CWE's site also only very rarely points to related CAPEC items.
Is there a way to find a CVE's ...
1 vote · 1 answer · 110 views
Can I describe the PDF's certificate-based signatures using W3C's DSIG Core?
Can I map the specialized specifications of PDF's certificate-based signatures into the [XML DSIG Core] standard?
I'm imagining PDF as an "XML file analog", to be mapped into the W3C's ecosystem.
...
1 vote · 1 answer · 362 views
Is there a standard checksum for verifying multipart key fragments?
We will have a symmetric key arriving in three component parts. Once all parts arrive, the key custodians will get together for a ceremony where each enters their part of the key into a secured ...
2 votes · 2 answers · 281 views
What security standards apply to physical security for an infosec office
I'm looking for actual specific standards that apply to physical access control for Information Security office space. Long story short, our building manager wants an open office concept, and in order ...
-1 votes · 1 answer · 156 views
Standards and Guidelines Pro/Con Anti Malware programs
For a whitepaper about anti-malware products used in combination with (server side) applications and infrastructure components (database server) I am looking for standards, guidelines and codified ...
1 vote · 0 answers · 154 views
Privacy terminology: Online privacy vs Internet Privacy vs Digital Privacy
While, to my eyes, Digital Privacy is the broader term ( anything digital whether online or not), I have seen all 3 used interchangeably (i.e: link vs title). Also, despite having different entries in ...
2 votes · 2 answers · 470 views
Cryptography best practices standard [closed]
I have been searching for standards about cryptography best practices. I have found some articles and books but no official standard.
Do cryptography best-practice standards exist?