3.1 References & Standards
The following organisations, publications and standards are the sources of the references used in this document:
- 3GPP (3rd Generation Partnership Project)
- CSA (Cloud Security Alliance)
- DoD (US Department of Defense)
- ENISA (European Union Agency for Network and Information Security)
- ETSI (European Telecommunications Standards Institute)
- EU (European Union)
- FIPS (US Federal Information Processing Standards)
- GSMA (GSM Association)
- IETF (Internet Engineering Task Force)
- IoTSF (Internet of Things Security Foundation)
- ISO (International Organization for Standardization)
- JTAG (Joint Test Action Group)
- NCSC (UK National Cyber Security Centre)
- NIST (US National Institute of Standards and Technology)
- OWASP (Open Web Application Security Project)
The following references are used in this document:
- NIST Special Publication 800-57 Part 3 Revision 1, "Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance", January 2015. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
- NIST Special Publication 800-131A Revision 1, "Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths", November 2015.
- NIST Special Publication 800-90A Revision 1, "Recommendation for Random Number Generation Using Deterministic Random Bit Generators", June 2015. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
- NIST Special Publication 800-22 Revision 1a, "A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications", April 2010. https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=906762
- FIPS PUB 140-2, "Security Requirements for Cryptographic Modules", May 2001. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
- Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general model, Version 3.1 Revision 4, September 2012, CCMB-2012-09-001. https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R4_marked_changes.pdf
- Common Criteria for Information Technology Security Evaluation, Part 2: Security functional components, Version 3.1 Revision 4, September 2012, CCMB-2012-09-002. https://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R4.pdf
- Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance components, Version 3.1 Revision 4, September 2012, CCMB-2012-09-003. https://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R4.pdf
- NIST, "Draft Framework for Cyber-Physical Systems" (NIST SP 1500-201), October 2016. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-201.pdf
- UK Government password guidance, "Password Guidance: Simplifying Your Approach", CESG and CPNI, September 2015. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf
- DoDI 8500.2, IA Controls. http://www.dote.osd.mil/tempguide/index.html
- NIST Special Publication 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)", April 2010. http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
- ICO, Key definitions of the Data Protection Act. https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions
- ICO, Overview of the General Data Protection Regulation (GDPR). https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr
- oneM2M TS-0003, Annex J (normative): List of Privacy Attributes, and Clause 11: Privacy Protection Architecture using Privacy Policy Manager (PPM). https://www.onem2m.org/technicalpublished-specifications
- oneM2M, example of an IoT application ID registry and a possible privacy profile registry. https://www.onem2m.org/images/ppt/TP-2017-0200-AppID_Registry_A_Foundation_for_Trusted_Interoperability.pdf
- 3GPP TS 33.117, "Catalogue of general security assurance requirements". https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2928
- Cloud Security Alliance (CSA), a not-for-profit organisation promoting best practices for security assurance within cloud computing. https://cloudsecurityalliance.org
- IoTSF Vulnerability Disclosure Guidelines. https://iotsecurityfoundation.org/best-practice-guidelines
- NIST, National Institute of Standards and Technology. www.nist.gov
- NIST Cyber Security Framework. https://www.nist.gov/cyberframework
- GNU Octave (programming language). https://www.gnu.org/software/octave/
- UK Cyber Essentials: a UK government-backed, industry-supported scheme to help organisations protect themselves against common cyber attacks. https://www.cyberaware.gov.uk/cyberessentials
- UK Government Cloud Security Principles, for consumers and providers of cloud services. https://www.gov.uk/government/publications/cloud-service-security-principles/cloud-service-security-principles
- IETF RFC 2119, "Key words for use in RFCs to Indicate Requirement Levels". https://www.ietf.org/rfc/rfc2119.txt
- NIST Special Publication 800-63B, "Digital Identity Guidelines: Authentication and Lifecycle Management", June 2017. https://pages.nist.gov/800-63-3/sp800-63b.html
- ENISA, "Algorithms, Key Sizes and Parameters Report – 2013". https://www.enisa.europa.eu/publications/algorithms-key-sizes-and-parameters-report
- IETF RFC 7525, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)". https://tools.ietf.org/html/rfc7525
- SSL Labs, "SSL and TLS Deployment Best Practices", 31 March 2017. https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
- OWASP, "Transport Layer Protection Cheat Sheet". https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
- OWASP, "Certificate and Public Key Pinning". https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
- NIST Special Publication 800-53 Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations", control SC-5 Denial of Service Protection. https://nvd.nist.gov/800-53/Rev4/control/SC-5
- NIST Special Publication 800-53 Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations", control SI-10 Information Input Validation. https://nvd.nist.gov/800-53/Rev4/control/SI-10
- NIST Special Publication 800-167, "Guide to Application Whitelisting". http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf
- NIST Special Publication 800-37 Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach". https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final (alternatively, the OCTAVE method, below)
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), an approach for managing information security risks, Software Engineering Institute, Carnegie Mellon University. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=51546
- "Supply Chain of Trust", Haydn Povey (Secure Thingz and the IoTSF), New Electronics. http://www.newelectronics.co.uk/article-images/152099/P18-19.pdf
- NIST SAMATE, Source Code Security Analyzers (static code analysis tools). https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
- NIST Special Publication 800-121 Revision 1, "Guide to Bluetooth Security", Numeric Comparison association model (page 14). https://csrc.nist.gov/publications/detail/sp/800-121/rev-1/archive/2012-06-11
- UK NCSC cyber security risk management guidance. https://www.ncsc.gov.uk/guidance/risk-management-collection
- NIST Special Publication 800-30, "Guide for Conducting Risk Assessments". https://www.nist.gov/publications/guide-conducting-risk-assessments
- ENISA guidance on cyber security risk management. https://www.enisa.europa.eu/topics/threat-risk-management/risk-management
- Security policy: ISO/IEC standards for vulnerability disclosure and handling, ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling processes). http://standards.iso.org/ittf/PubliclyAvailableStandards/c045170_ISO_IEC_29147_2014.zip and https://www.iso.org/standard/53231.html
- ISO/IEC 20008, anonymous digital signatures (enhanced privacy). https://www.iso.org/standard/57018.html
- IoTSF Best Practice Guidelines for Connected Consumer Products V1.1, https://www.iotsecurityfoundation.org/best-practice-guidelines/#ConnectedConsumerProducts, which at the time of publication includes individual guidelines on the following topics:
  A. Classification of data
  B. Physical security
  C. Device secure boot
  D. Secure operating system
  E. Application security
  F. Credential management
  G. Encryption
  H. Network connections
  J. Securing software updates
  K. Logging
  L. Software update policy
- The CIA triad has no single original source; for more information see https://www.techrepublic.com/blog/it-security/the-cia-triad
- Examples of security vulnerability advisory programmes: https://www.us-cert.gov/report and https://ics-cert.us-cert.gov/ICS-CERT-Vulnerability-Disclosure-Policy
- Examples of memory sanitisation:
  SEI CERT C Coding Standard, Recommendation MEM03-C: "Clear sensitive information stored in reusable resources". https://wiki.sei.cmu.edu/confluence/display/c/MEM03-C.+Clear+sensitive+information+stored+in+reusable+resources
  ISO/IEC TR 24772:2013, "Information technology -- Programming languages -- Guidance to avoiding vulnerabilities in programming languages through language selection and use", section "Sensitive Information Uncleared Before Use". https://www.iso.org/standard/61457.html
  Other references:
  MITRE CWE-226, "Sensitive Information Uncleared Before Release". https://cwe.mitre.org/data/definitions/226.html
  MITRE CWE-244, "Improper Clearing of Heap Memory Before Release ('Heap Inspection')". https://cwe.mitre.org/data/definitions/244.html
- NCSC password guidance. https://www.ncsc.gov.uk/guidance/password-collection
- Privacy Impact Assessment advice: ICO guidance on Data Protection Impact Assessments, https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/, and NIST Special Publication 800-122, https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-122.pdf
- NCSC guidance on TLS for external-facing services. https://www.ncsc.gov.uk/guidance/tls-external-facing-services
- WPA (Wi-Fi Protected Access) is the Wi-Fi Alliance name for the wireless security defined in IEEE 802.11i-2004; the original WPA implemented a draft subset of the standard (TKIP), while WPA2 implements the full ratified standard (AES-CCMP). https://standards.ieee.org/standard/802_11i-2004.html
- ETSI EN 303 645 V2.1.1, "CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements", ETSI Technical Committee Cyber (TC CYBER), June 2020. A standard for cyber security in the Internet of Things that establishes a security baseline for internet-connected consumer products and provides a basis for future IoT certification schemes. https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf
- NISTIR 8259A, "IoT Device Cybersecurity Capability Core Baseline", May 2020. https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259A.pdf