As part of an ongoing effort to keep you informed about our latest work, I would like to let you know about some recently published SEI technical reports and notes. These reports highlight the latest work of SEI technologists in Secure Java and Android Coding, Cybersecurity Capability Measurement, Managing Insider Threat, the CERT Resilience Management Model, Network Situational Awareness, and Security and Survivability. This post includes a listing of each report, author(s), and links where the published reports can be accessed on the SEI website.

Mobile SCALe: Rules and Analysis for Secure Java and Android Coding
By Lujo Bauer (Carnegie Mellon University, Department of Electrical and Computer Engineering), Lori Flynn, Limin Jia (Carnegie Mellon University, Department of Electrical and Computer Engineering), Will Klieber, Fred Long, Dean F. Sutherland, David Svoboda
This report describes Android secure coding rules, guidelines, and static analysis that were developed as part of the Mobile Source Code Analysis Laboratory (SCALe) project. The project aims to create a set of rules that can be checked (and potentially enforced) and to develop checkers for these rules. These efforts are intended to increase confidence in continued safe and secure operation of mobile devices and the networks on which they operate. The focus for this phase of the project is the Android platform for mobile devices. Work described in this report involved three activities: (1) preparing the Java Coding Guidelines book for publication, (2) developing Android secure coding rules for the Android section of the CERT Oracle Secure Coding Standard for Java wiki, and (3) developing software that does static analysis of a set of Android apps for data flows between them so that security leaks can be detected. The report also reviews relevant research to gain a better understanding of its causes and contributing factors, provides examples of UIT cases and the frequencies of UIT occurrences across several categories, and presents initial thinking on potential mitigation strategies and countermeasures. This research topic has largely been unrecognized, so a major goal of this study is to inform government and industry stakeholders about the problem and its potential causes and to guide investments toward the highest priority research and development requirements for countering UIT.
Download the PDF

Cloud Service Provider Methods for Managing Insider Threats: Analysis Phase I
By Greg Porter (Heinz College at Carnegie Mellon University)
In early 2013, researchers in the CERT® Insider Threat Center contacted commercial and government cloud service providers (CSPs) about participating in research to gain a preliminary understanding of implemented administrative and technical controls that they are using to identify and manage the threats posed by insiders. These CSP participants provided frank and meaningful insight about their insider threat management programs and enterprise security practices. This report contains the observations obtained from interviewing the CSP personnel who volunteered to participate as well as an analysis of CSP management of insider threat based on the information obtained in interviews, observations of implemented insider threat controls, and risk considerations.
Download the PDF

Advancing Cybersecurity Capability Measurement Using the CERT®-RMM Maturity Indicator Level Scale
By Matthew J. Butkovic, Richard A. Caralli
A maturity model is a set of characteristics, attributes, indicators, or patterns that represent progression and achievement in a particular domain or discipline. Maturity models typically have levels arranged in an evolutionary scale that defines measurable transitions from one level of maturity to another. The current version of the CERT® Resilience Management Model (CERT®-RMM v1V1.2) utilizes the maturity architecture (levels and descriptions) as provided in the Capability Maturity Model Integration (CMMI) constellation models to ensure consistency with CMMI. The spacing between maturity levels often causes CERT-RMM practitioners some difficulty. To address some of these issues, the CERT Division of Carnegie Mellon University's University's Software Engineering Institute did a comprehensive review of the existing specific and generic goals and practices in CERT-RMM to determine if a better scale could be developed to help users of the model show incremental improvement in maturity without breaking the original intent of the CMMI maturity levels. This technical note presents the results: the maturity indicator level scale, or CERT-RMM MIL scale.
Please note that current and future CMMI research, training, and information has been transitioned to the CMMI Institute, a wholly-owned subsidiary of Carnegie Mellon University.
Download the PDF

CERT® Resilience Management Model (CERT®-RMM) V1.1: NIST Special Publication 800-66 Crosswalk
By Lisa R. Young, Ma-Nyahn Kromah (SunGard Availability Services)
Organizations can use the CERT® Resilience Management Model (CERT®-RMM) V1.1, developed by the CERT Division of Carnegie Mellon University's University's Software Engineering Institute, to determine how their current practices can support their level of process maturity in areas of operational resilience (business continuity, disaster recovery, management and security planning, and IT operations and service delivery). This technical note is a follow-on to the CERT-RMM Code of Practice Crosswalk, Commercial Version 1.1 (CMU/SEI-2011-TN-012) and connects CERT-RMM process areas to NIST Special Publication 800-66 Revision 1: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Download the PDF

Passive Detection of Misbehaving Name Servers
By Leigh B. Metcalf and Jonathan Spring
In the process of categorizing malicious domains, distinguishing between suspicious and benign name servers can allow the name servers themselves to be acted against. Name servers do not normally change internet protocol (IP) addresses frequently. Domains that do change IP addresses quickly or often are said to exhibit IP flux, which can allow services, such as web pages that deliver malicious content, to circumvent defenders' defenders' attempts to block their IP addresses. IP flux in a name server's server's domain may be a sign that the name server is suspicious. This report demonstrates that name-server flux exists and is ongoing. Furthermore, there are two types of data that can reveal IP flux in domain name system (DNS) servers: passively collected DNS messages and the contents of several large, top-level domains' domains' official zone files.
Download the PDF

Insider Threat Control: Using Plagiarism Detection Algorithms to Prevent Data Exfiltration in Near Real Time
By Todd Lewellen, George Silowash, and Daniel L. Costa
In organizations with access to the internet, the potential for data leakage is ever present. Data loss prevention is a difficult issue because exfiltration channels, such as modern webmail services, are readily available to insiders. An insider can paste text into a webmail message to bypass other controls. Therefore, monitoring must include the content of this communication. A data loss prevention control determines if the content in outgoing web requests is similar to the organization's organization's intellectual property, actively blocks suspicious requests, and logs these events. This technical note describes how a control can monitor web request traffic for text-based data exfiltration attempts and block them in real time. Using this control can help an organization protect text-based intellectual property, including source code repositories.
Download the PDF

Additional Resources

For the latest SEI technical reports and papers, please visit https://resources.sei.cmu.edu/library/.