FISSEA NEWS and VIEWS
=====================================================================================
Vol. I, Number IV, January 1999
=====================================================================================

IN THIS ISSUE:

From the Executive Board Chair
Comments From '99 Conference Coordinator
FISSEA Posting Member List to Web
Katzke Moves On
FISSEA Newsletter Editor's Column
CISA: Certified Information Systems Auditor
Certified Information Systems Security Professional (CISSP)
Training Guidelines, What's the Next Step
FISSEA's History
Siber' Space Snippets
Trainia (training trivia)

From the Executive Board Chair

As this issue of the FISSEA News and Views newsletter goes to press I am nearing the end of my term as Chair of the Executive Board. (Believe me, the older you get the faster the time flies!) It has been a good year, and with the superb help of the executive board members and the continual support provided by the Computer Security Division of the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST), we have accomplished what we set out to do.

This is issue Number IV of Volume I, completing the goal of producing a quarterly newsletter in the months of April, July, October (actually September this past year so we would have copies available at the National Information Systems Security Conference), and January. This newsletter would not exist without the support and articles provided by the Executive Board members, the articles submitted by other members, and, of course, without the great can-do attitude and support of the NIST staff in the ITL.

Right around the corner is the annual conference, which this year has been expanded to a full three days of regular presentations, and an additional day for the seminar covering the Common Body of Knowledge topics included in the examination to become a Certified Information Systems Security Professional (CISSP). This conference is the highlight of the FISSEA year. Ann Brown, the Conference Director, her able assistants, and all the other board members have done a great job of putting this conference together.

A new FISSEA membership roster has been compiled through the efforts of our NIST support folks, and we believe this is a much more current representation of those involved in computer security training, and awareness activities. We are very near the 300 mark for membership. Peggy Himes, who has taken over some of the chores Mark Wilson handled in the past (Mark has been inundated with work addressing PDD-63 issues for the Department of Commerce), has been very helpful to us also, and I hope her support for FISSEA will continue.

Again, the NIST support team, in this case Patrick O'Reilly, has created a great web site for FISSEA (go to http://csrc.nist.gov/organizations/fissea.html) which continues to expand and be a valuable reference tool. (Isn't it neat how you can click on a web link right from within the Conference Schedule?!) Patrick continues to maintain this site for us and add new touches.

So, I've been fortunate to have such a good group of folks to work with! I am also very appreciative of the guidance and support provided by my friends at NIST. I look forward to the next FISSEA year during which it will become an even stronger organization that can be counted upon as a resource for all computer security training and awareness practitioners.

Philip L. Sibert, CISSP
U. S. Department of Energy

==============================

Comments From the 1999 FISSEA Conference Coordinator

For someone who doesn't write those annual Holiday Letters or even send those Season's Greetings cards, this is hard for me to do. However, I want to sincerely THANK the FISSEA conference attendees last year who elected me to the 1998 FISSEA Board! It has been a delight and privilege to meet regularly with the FISSEA 'team' and I highly recommend the experience to anyone who would consider running for election at the March 9-12, 1999, conference!

We have had outstanding support from all the NIST employees, and I know they have plenty of other things to do! Editor, don't let me forget any of their names!: Mark Wilson, Peggy Himes, Patrice Boulanger, Patrick O'Reilly, Lori Phillips, and most of all, our illustrious fellow board-member, Dr. Fran Nielsen!! THANK YOU, all!!

The NIST people came to the FISSEA Board meetings when they could, but most importantly they volunteered for tasks and completed said tasks in-between meetings. FISSEA is looking REAL GOOD on the web! I've never had such an easy time coordinating a conference! It wasn't just the conference committee of Caren Williams, Pauline Bowen and myself, it was the Board Chair, the Newsletter Editor, and in fact the NIST staff and the whole FISSEA Board who took things upon themselves to make this next conference four days long and quite possibly the best one yet.

There are a couple of new facets to the FISSEA Conference this year. Conference attendees may obtain Free Tickets for friends, co-workers, or supervisors who are interested in attending Congresswoman Connie Morella's Keynote speech and for the dynamic, dramatic demonstration by D*I*C*E*man (*Defensive *Information to *Counter *Espionage) on Tuesday 9:00-10:30 am. Ray Semko, a.k.a. DICEman, is an ex-CIA agent who not only lived an exciting life, but makes life exciting for his audiences, too. You will want to bring friends!

It is January 1999, and time to make resolutions. Resolve to attend the FISSEA Conference. You won't be sorry!

Ann L. Brown
Conference Coordinator, 1999

==============================

FISSEA Posting Member List to Web
By John Ippolito

The FISSEA Board has proposed posting the membership list to the Internet. The membership list would be accessible through the WEB page currently maintained by NIST. The information posted would be limited to name, address, telephone number, and e-mail address, information generally available through other published sources. Publishing the membership list will facilitate communication among FISSEA members.

Before the membership list is posted, the Board decided that each member should have the option to have some or all of their information withheld. If you would like some or all of your information withheld, please send an e-mail to peggy.himes@nist.gov with a subject of "FISSEA Listing Information". If you do not have access to e-mail, you may phone Newsletter Editor Louis Numkin at 301-415-5906.

Please be specific as to what information you would like eliminated from the FISSEA Internet membership list (e.g., all or address, telephone, and/or e-mail). Restricting information from the Internet membership list will have no impact on distribution of FISSEA materials.

==============================

Katzke Moves On
By Dennis Steinauer

Dr. Stuart Katzke, after more than twenty-three years at the National Institute of Standards and Technology (NIST), has moved to the National Security Agency (NSA) to assume the post of Chief Scientist, Information Assurance Solutions ("V") Group. During his tenure at NIST, Stu established and led the Computer Security program as well as personally heading several key projects. These included initiatives in risk analysis and security evaluation criteria.

As U.S. sponsor representative to the international Common Criteria project, Stu spearheaded the establishment of the first international mutual recognition agreements for security product evaluations. This was a major breakthrough that promises to expand markets and reduce costs for U.S. security product developers. Due to his leadership and technical contributions, NIST is one of the world's most widely recognized and respected computer security authorities.

As chief of the Computer Security Division, Stu distinguished himself and NIST through his management abilities, technical involvement, and personal integrity. He will be missed at NIST. Fortunately, his talents will not be lost to the wider computer security community.

==============================

FISSEA Newsletter Editor's Column
By Louis Numkin

This has been a great year to be on the Executive Board. As I promised during the last conference, it has been a challenge to also be the Editor charged with bringing a recently dormant publication back to life. But, thanks to Phil's prodding and submissions by the Exec Board, members, and friends of FISSEA, this is our fourth issue. I sincerely hope you have found it to be worthwhile as a reader and security educator. A newsletter cannot be done by one person. So, thank you for all of your submissions and support. My hope is that what bricks we have laid (as in our front page banner) will be continued and improved by the next Exec Board.

Now, for my column:

Found an interesting Courtland Milloy article in the 24JAN99 Metro section of the Washington Post, entitled "A Family's High-Tech Success Story." The tale is of a 12-year-old boy named Bob Tengen, a student at St Ann's Academy in Northwest Washington, DC. Though only in 7th grade, he has just passed the Novell Certified Netware Administrator test and is studying to gain the Microsoft equivalent. What is it that caused this child to pursue this course of study while so young?

His parents immigrated from the Cameroon in West Africa in the early '80s and believed that education was the key to the future. They each worked hard - Father as a hotel bellman - Mother as a National Guard Military Police Officer. They each earned their college degrees - Father in Accounting from Southeastern University - Mother from the University of the District of Columbia. Together, they have instilled this strong ethic in each of their children, Franklin (17), Namulah (9), and Bob. I will follow Bob as did Milloy, since he is the computer whiz kid.

"By most accounts, black people are about to become road kill on the information superhighway," quotes Milloy, but not this lad. Bob's parents have supported his desire for computer education to the point of permitting him to attend the 8:30am to 5pm Novell classes on Saturdays where all other students are adults. The part of Bob's story which I wish to herald is that he did not let the Urban League's State of Black America report, which "warned of a potential 'digital divide' crisis" that is expected to affect future blacks, nor the Vanderbilt University study from last year's Science magazine, which demonstrated "white students use the World Wide Web far more than black students," deter him. For Bob, "the most important policy came from his parents: he had to do his schoolwork." In return, they worked hard to assist him in achieving his goals.

Wearing an overcoat for warmth, Bob works on a PC in this family's unheated basement. This child is seeking a solid technological future. "He hopes to become a doctor and computer technician - and play basketball." Yes, he is a normal 12-year-old... who is after your job!

We as members of an organization dedicated to education should take a page out of Bob's plan. He is not permitting anything to deter him from succeeding in his efforts to improve his understanding of computers and the technological world around him. You must take every opportunity to turn experiences and analogous situations into learning. Learning is the ingestion of "knowledge or skill acquired by instruction or study," or so says my Webster's Collegiate (Tenth Edition) Dictionary. Do you remember last year's radio advertisements from an accounting temporary help firm, where the punch line was "Bob can do it?" Can you?

Last year I coordinated an essay competition for 6th and 7th graders at Ridgeview Middle School in Gaithersburg, MD. The topic was the same as the presentations I had just given to the students, "Computer Ethics." Many good essays were submitted but let me quote just one from 6th grader Graham McSweeney: "I try not to do unethical things, but sometimes it is hard to do the right thing with all the temptations that form. Doing this essay taught me that if you do ethical things, that good consequences come. If you do bad things and don't get caught, your guilt will annoy you until you confess. I hope ten years from now that no unethical things will be happening in the world. If that happens, then this world will be more enjoyable for all people."

So, fellow FISSEA members, this is your Newsletter Editor encouraging you to learn a lesson from the youth. You CAN make this computer world much better through education. Find your own examples, everywhere, and employ them in your presentations to help hone your points. Because Bob and Graham need a secure computing world in which to thrive. As a motto, FISSEA has long used Christa McAuliffe's inspiring words: "I touch the future, I teach."


ATTEND FISSEA's CONFERENCE
March 9-12, 1999

"Paradigm Shifts for Teaching Computer Security in the New Millennium"

Hilton Hotel - Gaithersburg, MD

==============================

CISA: Certified Information Systems Auditor
By K Rudolph, Native Intelligence

CISA stands for Certified Information Systems Auditor. The CISA program, established in 1978, is sponsored by the Information Systems Audit and Control Association (ISACA). CISA is an internationally recognized designation for IS audit, control, and security professionals.

As with most professional certifications, possessing the CISA designation offers benefits, such as:

  • A competitive advantage in the job market - CISA certification may help secure a promotion or a new position by distinguishing the CISA from other candidates. Organizations often express a preference for hiring certified people.
  • Demonstration that the holder is self-motivated and made the extra effort to pass a voluntary test. In addition to a feeling of accomplishment, people who take the exam have the opportunity to measure themselves against the body of knowledge of their profession.
  • Credibility - CISA certification reassures employers that the individuals with the certification have demonstrated proficiency in sought-after skills. For those new to IS audit, CISA certification adds credibility.
  • Worldwide recognition - which may contribute to success in the global marketplace - the CISA certification program is recognized and accepted worldwide.

Becoming a CISA

To achieve the CISA designation, candidates must fulfill three requirements:

  1. Pass the CISA Examination.
  2. Follow the Information Systems Audit and Control Foundation's Code of Professional Ethics, which is included in the Candidate's Guide to the CISA Examination given to registered candidates.
  3. Have at least five years of professional information systems auditing, control, or security experience. Substitutions and waivers include:
     • One year of audit experience, one year of information systems experience, or an Associate's degree (60 semester college credits) may be substituted for one year of IS audit, control or security experience.
     • A Bachelor's degree (120 semester college credits) may be substituted for two years of IS audit, control or security experience.
     • Two years of experience as a full-time university instructor in a related field (computer science, accounting, IS auditing) may be substituted for one year of IS audit, control or security experience. There is no maximum limitation.

Experience requirements must be met within 10 years prior to applying for certification or within five years from the date of passing the exam. Work experience will be verified with employers.

Anyone can take the CISA Exam prior to meeting the experience requirements; however, the CISA designation is not granted until all requirements are met.

Staying a CISA

To maintain certification, a CISA must:

  • Earn and report a minimum of 20 hours of continuing education credits per year;
  • Earn and report a minimum of 120 hours of continuing education credits within a fixed three-year period;
  • Follow the ISACF's Code of Professional Ethics; and
  • Pay an annual maintenance fee.

CISA Exam Information

The CISA exam is given once per year (in 1999 it will be held on Saturday, June 12) in 56 countries and nine languages -- Dutch, English, French, German, Hebrew, Italian, Japanese, Korean, and Spanish. Locations in or near the Baltimore-Washington Metropolitan Area are Baltimore, MD; Washington, DC; and Richmond, Virginia. The exam lasts four hours and consists of 200 multiple-choice questions. The five domains that appear in the exam are:

  • Generally accepted IS audit standards, statements, and practices and IS security and control practices;
  • IS strategies, policies and procedures, management practices, and organizational structures;
  • IS processes, including hardware and software platforms, network and telecommunication infrastructure operational practices, use of IS resources and business processes;
  • Logical, physical, environmental, data validation, processing and balancing controls and the business continuity planning and testing process; and
  • IS development, acquisition, and maintenance.

A score of 75 percent is required to pass the exam. Results are mailed to candidates approximately ten weeks after the test date.

The cost of the exam for registrations received before March 1, 1999 is: $295 for ISACA members and $385 for non-members. Final registrations must be received by April 1, 1999 and cost $325 for ISACA members and $425 for non-members.

In the first few years of the CISA program, CISAs could be certified without taking an exam. In 1981, 659 candidates took the exam and 417 (60%) passed. In 1998, 4338 candidates sat for the exam and 2350 (54%) passed. Since 1981, 38,650 exams have been taken, with 20,753 (or 54%) passing. Currently there are 12,194 CISAs throughout the world, and although I am not presently one of them, I took and passed the exam in 1988 and in 1993. Somehow I never found the time to meet the continuing education requirements - taking the exam again seemed to require less time. My approach is not widely followed. According to the ISACA, for the past five years, more than 93 percent of all CISAs have remained certified.

To let potential candidates see what the exam is like, 25 sample questions are published on the ISACA's website at http://www.isaca.org/examsamp.htm. Those who answer the sample questions receive immediate feedback with their score, percent correct, and detailed explanations of the answers. With no preparation, I scored an encouraging 84% on the sample questions, tempting me to consider taking the exam again. After all, the third time's the charm, right?

Preparing for the CISA® Exam

The ISACA offers several study aids and review courses. The one I found most useful is the CISA Review Questions, Answers & Explanations Manual. This guide contains 200 sample questions that cover the five technical domains. Questions are in two formats: sorted by domain and arranged as a sample test. Questions are similar to the types of questions that have appeared on the examination and include an explanation of the correct answers.

For more information, contact the CISA Examination Registrar by telephone (847) 253-1545; fax (847) 253-1443 or e-mail certification@isaca.org.

==============================

Certified Information Systems Security Professional (CISSP)
By Pauline Bowen

It has long been recognized that computer security practitioners need a means of demonstrating their professionalism. By the mid-1980s a number of professional societies in North America concluded that a certification process attesting to the qualifications of information security personnel would enhance the credibility of the computer security profession.

Because of the cooperative efforts of these societies, the International Information Systems Security Certification Consortium, or (ISC)2, was established in mid-1989 as an independent, non-profit corporation whose sole charter is to develop and administer a certification program for information security practitioners.

(ISC)2, working with a professional testing service, has developed a certification examination based on the information systems security Common Body of Knowledge (CBK). The IS security test domains are: 1) Access Control Systems & Methodology, 2) Cryptography, 3) Business Continuity & Disaster Recovery Planning, 4) Security Architecture and Models, 5) Law, Investigations and Ethics, 6) Security Management Practices, 7) (Computer) Operations Security, 8) Application & Systems Development, 9) Telecommunications & Network Security, and 10) Physical Security.

What does professional certification mean to you?

Certification will give you an edge that will help you achieve your career goals and objectives as an information systems security professional. The benefits of a professional certification include "acceptance as a recognized expert; improved job opportunities, promotability and mobility; and industry recognition - the self-satisfaction that comes from measuring up to a distinctive and broadly accepted professional and ethical standard."

The certificate is a public acknowledgment that the professional has devoted herself or himself primarily to the field of information security or a closely related field, and passed a rigorous examination that encompasses all major elements of the industry's widely accepted and recognized information systems security Common Body of Knowledge.

If you would like to learn more about the CISSP, the FISSEA 1999 Annual conference will include a one-day seminar that can help you prepare for the CISSP Certification Examination. See our FISSEA web page at http://csrc.nist.gov/organizations/fissea.html or visit the (ISC)2 web page at http://www.isc2.org/.

The upcoming 1999 exam for the Baltimore - Washington area is Saturday, March 27, 1999. If you attend the FISSEA annual conference March 12, 1999, you will be more prepared, after application and qualification, to take the CISSP exam.

==============================

Training Guidelines, What's the Next Step?
By John Ippolito

The Information Technology (IT) security training guidelines were issued as NIST Special Publication 800-16. Since they have been issued, a number of people have been asking, "What is the next step?" This is a good question. While distilling the IT security training guidance into a single document ultimately required a small group of individuals, effective use of the guidelines will require cooperation of the whole community. Training materials will need to be classified according to the training requirements matrix and users will need to evaluate material to ensure that it is properly classified. This is and will always be an ongoing effort as materials continue to be developed and threats, vulnerabilities, and technology change.

Initially, developers should classify the materials they develop according to the training matrix. As people use these materials, their assessments of the materials' utility and classification would be recorded and made available. This process would assure that materials are properly classified relative to the training matrix. Further, it would make available a body of training materials targeted to organizational roles and responsibilities.

The GITS Board has funded an activity that is intended to serve as the catalyst for the development, classification, and dissemination of IT security training material. This activity is the development of an IT security training website by NIST. The website is intended to provide a:

  • link between the training matrix cells and the basic knowledge, skills, and abilities associated with those cells;
  • reference and/or repository of training materials that have been classified according to the training matrix; and
  • mechanism for collection of user feedback regarding the training materials.

Making the website useful, however, will require cooperation of the whole IT security training community (materials developers and users). There is a need to provide:

  • abstracts of training materials, with training matrix classifications, for posting; and
  • feedback regarding the utility of training materials for specific organizational roles.

This will help NIST to organize training materials we feel are useful, classify them according to the training matrix, and include our assessment of the materials we have used as the answer to the next step question.

Anyone having materials they would like to see posted on the NIST website should contact Gary Stoneburner at gary.stoneburner@nist.gov.

==============================

FISSEA's History
By Peggy Himes

The Federal Information Systems Security Educators' Association (FISSEA) is a volunteer organization for federal information systems security professionals, contractors of federal agencies and faculty members of accredited educational institutions. The concept of such an organization originated in 1984 at a meeting held in the Fort Meade Officers' Club. Over the years interest in computer security awareness, training, and education grew.

In 1989, the National Security Telecommunications and Information Systems Security Committee (NSTISSC) Subcommittee on Automated Information Systems Security (SAISS) approved the charter for the "EDUCATORS." NSA's Larry Martin, Harold Segal, and Horace Peele were founding members of the working group. Later, when the group was formalized in direct support of the Education, Training and Awareness Working Group of AIS, the Educator's Subgroup became known as National Computer Security Educators (NCSE). During this time, the organization was under the sponsorship of the National Security Agency.

The enactment of P.L. 100-235 (the Computer Security Act of 1987) was a motivating factor for moving the sponsorship of FISSEA from NSA to NIST as classified and unclassified information was divided between the two agencies. In 1991, the name, National Computer Security Educators (NCSE), was changed to the Federal Information Systems Security Educators' Association (FISSEA). Emphasis was placed on the federal community, but membership and interests also included academic institutions and others interested in computer security education.

To name names, early Executive Board members from 1991-1993 included Jon Arneson, Joan Capel-Pohly, Patricia Ciuffreda, James Colburn, Richard Costello, Barbara Cuffie, Dorothea de Zafra, Joseph Easley, Kathie Everhart, Duane Fagg, Janet Jelen, Delmar Kerr, Charles Kellerman, Ray Letter, Geoffrey Lewis, Vic Maconachy, Victor Marshall, Harold McConnell, Dennis Poindexter, Roger Quane, Gary Smith, Lauresa Stillwell, Althea Whieldon.

The first NCSE seminar was held in 1989 with the theme "Trainer's Response to the Training Requirements of the Computer Security Act of 1987." The NCSE seminars have evolved into an annual FISSEA conference. A complete listing of past conference themes can be found on the FISSEA website.

At the conference each year, an award is presented to a candidate selected as Educator of the Year, honoring distinguished accomplishments in information systems security training programs. The first award, given in 1991, was presented to Gary W. Smith. Other recipients include: Vic Maconachy (1992), Corey Schou (1993), Lt. Col. E. C. Chambers (1994), Gale Warshawsky (1995), and Joan Pohly (1996). The 1997 Educator of the Year was awarded to a group of individuals: Dorothea de Zafra, John Ippolito, Sadie Pitcher, and John Tressler. The 1998 EOY Award will be presented at the March conference. The FISSEA website has information on nominating a candidate for the Educator of the Year award. The deadline for submitting nominations is February 19, 1999.

Today, FISSEA is growing and thriving. Its program of work remains focused on computer security education, a more vitally important agenda now than in 1984 when FISSEA was conceived. FISSEA's 290 members are encouraged to participate in the annual conference, to serve on task groups, to contribute to the newsletter, to network with other members, and to foster the goals of FISSEA in their own organizations. Then, we will have more good news to write in the next chapter of FISSEA's history.

==============================

Siber' Space Snippets
By Philip L. Sibert, CISSP

What do we learn each day? If you don't learn something new each day, the day is wasted! I believe that statement. What I learned the other day is that no matter how hard we try, we're never going to remove risk from our daily lives, regardless of what technology we put in place. The Y2K issue proves this. Some of the smartest people worked on those legacy computer systems and applications that are the basis for the "Y2K problem". Some of the smartest programmers and technicians are working on solutions to "the PROBLEM". But, there is still the risk that all will NOT go well. Now, we have to learn how to cope with the myriad of problems that will confront us, AND with the Y2K excuses offered when things don't work, even if they aren't the least bit related! (Someone/something has to be the scapegoat!) Risk management is an everyday function for me. How about you?

Did you ever wonder what the best thing was before sliced bread?

In this issue you will read articles about the Certified Information Systems Auditor (CISA) and the Certified Information Systems Security Professional (CISSP). There are references to various resource web pages in the articles. In the CISA article a web page is referenced that will take you to a model curriculum for both undergraduate and graduate degrees in the audit field. Take a few minutes to explore the referenced web pages.

Is there another word for synonym?

FISSEA needs the younger generation to step forward and take the reins for this organization. Please consider running for the Executive Board and participating more actively in the coming year. If that's not your mettle, surely you can write, so why not express some views or tell some success stories in this newsletter.

What are you doing in your organization about implementing PDD 63? Now here's an awareness and training issue that needs to be incorporated into your organization's computer security program. The "white paper" on Presidential Decision Directive 63, found at http://www.ciao.gov/paper598.pdf, states in Section VIII (Tasks), item #6, Education and Awareness: "There shall be Vulnerability and Awareness Education Programs within both the government and private sector to sensitize people regarding the importance of security and to train them in security standards, particularly regarding cyber systems." (Is this much different from the requirements for awareness and training found in the Computer Security Act of 1987?) Don't undertake new initiatives or create new programs if what you have can be modified to the needs of today.

Can vegetarians eat animal crackers?

Are you aware of Executive Order 13111? On January 12, 1999, President Clinton signed Executive Order 13111, "Using Technology to Improve Training Opportunities for Federal Government Employees". This is an initiative to increase training and make resources and information more readily available for Federal employees. I would recommend each of you approach your department or agency lead on this initiative and propose that computer security/information protection be designated as the subject area of training that will be used to demonstrate opportunities in technology-based training (see Sec. 4, Duties of Specific Agencies, paragraph (d)). Coincidentally, this EO also (in Sec. 4(a)(2)) states that the Task Force shall "ensure that qualification standards for civil service positions, where appropriate, reflect standard industry certification practices." I've reformatted this document and have made it available in PDF format on my web page at: http://cio.doe.gov/ucsp/. After you get past the warning banner just click on Program Documents and look for Executive Order 13111. You can also obtain a copy of this Executive Order via the Internet through the National Archives and Records Administration web site at the following URL: http://www.access.gpo.gov/nara/nara005.html, or go to http://www.access.gpo.gov/su_docs/dbsearch.html and search the database for Executive Orders.

Give a man (or for that matter anyone) a fish and you feed him for a day; teach him to use the Net and he won't bother you for weeks.

(Little "sayings" are contributions from various folks - I don't claim authorship!)


Trainia (training trivia)
Seminars, Book Reviews, Tools and Assorted Items
From the Editor, Louis Numkin

Editor's Disclaimer: FISSEA neither recommends nor warrants any of the items in the following list. This information is provided as a service which you may or may not choose to read/use. FISSEA receives no benefit from displaying these items in its newsletter. Items may be abbreviated or synopsized to save space, but the intent of the original authors/contributors will not have changed and their names (including addresses and/or web sites), if known, are noted. Comments are attributed to the reviewer/submitter and are not those of FISSEA, its officers, or membership. This is simply an exchange of information on topics of interest to FISSEA members and friends. FISSEA encourages the sharing of information and if you have knowledge of something which might aid someone else, or any comments on an included item, please forward it to LMN@NRC.GOV. Thanks...

==============================

We'll start this month with some humor. Native Intelligence's K Rudolph (kaie@erols.com) forwarded this piece on Windows 2000:

"Microsoft announced today that the official release date for the new Windows 2000 operating system will be delayed until the second quarter of 1901."

==============================

This was submitted to ISN by Jay D. Dyson of NASA.

Peter Gutmann (pgut001@cs.auckland.ac.nz), from Auckland, New Zealand, has just released his godzilla crypto tutorial, totaling 509 slides in eight parts, of which the first seven are the tutorial itself and the eighth is extra material which covers crypto politics. It's available from http://www.cs.auckland.ac.nz/~pgut001/tutorial/.

"The tutorial is done at a reasonably high level, there are about two dozen books which cover things like DES encryption done at the bit-flipping level so I haven't bothered going down to this level at all. Instead I cover encryption protocols, weaknesses, applications, and other crypto security-related material" wrote Peter.

"There are some parts I'm not totally happy with: SPKI is somewhat difficult to explain and I'm looking at redoing that, the section which covers TACACS and related stuff is a bit vague, and part eight needs a bit of cleaning up. If anyone has suggestions, things I've missed, or corrections, please let me know."

==============================

Mich Kabay from the International Computer Security Association sent me the following note:

I have placed some ZIP files containing some of my college courses on information security, data communications and quality assurance on line at http://www.icsa.net/library/research/educational_material.shtml and anyone is welcome to download and use them. All the ZIP files include course overviews and the DataComm and QA ZIP files contain student quizzes as well.
Mich (mkabay@compuserve.com)

==============================

Mark Wilson (mwilson@ntia.doc.gov) wrote:

Here's the URL for the text to the President's speech this morning (22JAN99) on CIP. http://www.whitehouse.gov/WH/New/html/19990122-7214.html

==============================

Fred Cohen (fc@all.net) sent the following note:

In "The Cracking Game," we teach defenders about attack and defense techniques by having them try to tell us how they would crack into a variety of different sorts of systems and having various defensive things happen to them along the way. It is also a lot of fun and somewhat of a challenge. Just select it from the "Would you like to play a game?" menu (at http://all.net) and press Go. Please note that the game is still under development and your comments will be greatly appreciated.

and another item from Fred Cohen:

The "Network Security Simulator" is intended for design, attack, and defense analysis for computer networks, but it may also be of some interest from a gaming viewpoint. It has just been added to the games menu at http://all.net/ . Just select "Network Security Simulator" from the menus, press Go, and see the results. Press "reload" to simulate again - with different results, of course. Your comments again will be appreciated.

Also please note that the trailing colon (:) has now been removed from the port number in the URLs, so browsers and firewalls that don't handle the HTTP specification properly may have substantially reduced errors.

==============================

Courtesy of the ISN:

1999 National Information Systems Security Conference {Originally From: "Ed Borodkin" borodkin@constitution.ncsc.mil} The National Information Systems Security Conference (NISSC) welcomes papers, panels, and tutorials on all topics related to information systems security. Our audience represents a broad range of information security interests spanning government, industry, commercial, and academic communities. Papers and panel discussions typically cover:
* research and development for secure products and systems, presenting the latest thinking and directions;
* electronic commerce;
* legal issues such as privacy, ethics, investigations, and enforcement;
* practical solutions for government, business and industry information security concerns;
* network security issues and solutions;
* management activities to promote security in IT systems including security planning, risk management, and awareness and training;
* implementation, accreditation, and operation of secure systems in a government, business, or industry environment;
* international harmonization of security criteria and evaluation;
* evaluation of products, systems and solutions against trust criteria;
* tutorials on security basics and advanced issues;
* security issues dealing with rapidly changing information technologies;
* highlights from other security forums; and
* implementing policy direction.
For more details see http://csrc.nist.gov/nissc/call.htm.

==============================

Received a catalogue from Langevin Learning Services (The World's Largest Train-The-Trainer Company) which listed their 1999 Workshops for Trainers. A couple caught your Editor's eye:

* Make Your Training Stick: How to Maximize Your Results
* 25 Creative Ways to Add Excitement to Your Training
For a copy of the catalogue, call 1-800-223-2209.

==============================

Fred Cohen recently attended the Security Educator's Workshop at Asilomar Conference Center in Pacific Grove, CA. Here are some of his thoughts, which he shared on the Information Security Educators Mailing List:

The workshop spent a considerable amount of time discussing analogies that could be used in teaching information protection concepts to students, and of course they are also quite helpful in communicating with non-experts for a wide range of other purposes. To give you a flavor (without taking away from the conclusions of the workshop) I thought I would share some examples that didn't make the final cut (you will know why when you read them). Here we go:

Authentication of a message is like when you can tell by its taste that a cake was baked by your mother. Mom does it her way, and from the cake you couldn't tell the ingredients, but for some reason, many people can tell their mother's cake because it just tastes right.

Using exhaustive search to break a strong cryptosystem is like piling up dirt to get to the moon. You keep making progress, but you will never get there. Cryptanalysis is like figuring out how to build a rocket ship instead of piling up more dirt.

Building stronger cryptography without enhancing computer security is like putting $50,000 speakers on a $10 AM radio. No matter how good the speakers get, the radio won't sound any better, and no matter how strong the crypto, on an insecure system, it won't protect you.

{Editor's note: I especially like the third analogy.}

EXECUTIVE BOARD 1998-99

PHILIP L. SIBERT, Chair, DOE
PAULINE BOWEN, Assistant Chair, FDA
MARK WILSON, NIST/FISSEA Liaison
ANN BROWN, Conference Director, DHHS/IHS
PATRICIA CIUFFREDA, Strayer University
JOHN IPPOLITO, Allied Technology Group
FRAN NIELSEN, NIST
LOUIS NUMKIN, Newsletter Editor, NRC
ROGER QUANE, Past Chair, IOTC
CAREN WILLIAMS, DOJ


Last Modified: July 24, 2001.