News and Views, February 2000, Vol. II No. III
"I touch the future, I teach." Christa McAuliffe
From the Executive Board Chair
Now it's time to map our course, to gather up the security force, For our job has just begun for the new millennium.
One of the lessons learned, from the past several years' efforts to ensure our country's information and computer based control systems would function properly when the clock turned over to the year 2000, is that appropriate resources and management attention can produce desired results. Just think of the various information security elements that received attention in preparation for the Y2K event -- system configuration control, software validation, identification of "sensitive" or "critical" systems, business continuity plans, back-up procedures, incident identification and reporting procedures, etc. All of these information security program elements received heightened attention. Awareness of their importance in the grand scheme of providing uninterrupted system and network service had a bearing on the desired outcome. The momentum created by the Y2K activities in the area of information technology must be on-going and re-directed to address security improvements. Now it's time for the information security educators and trainers to be creative and present management with proposals for viable education, training, and awareness programs. These programs should take advantage of the improvements in information system management and user awareness brought on by Y2K. I sincerely believe the Federal CIO Council Security, Privacy, and Critical Infrastructure Committee will continue to emphasize the importance of protecting the technology and information assets that we, as both providers and users, rely upon every day. We should look to that body to sponsor cross-cutting information security awareness, training, and education activities and initiatives.
On another note... I am nearing completion of a second term as FISSEA Executive Board Chairman and will reluctantly be stepping down to become an Ex-Officio member of the board come March 2000. I say reluctantly because I have enjoyed serving you, working with you, and steering this organization through the tough times we've endured. It's now time for someone else to have the opportunity to guide FISSEA to bigger and better accomplishments. Please come out for our annual conference March 14-16, 2000, and enjoy the enlightening sessions prepared for you.
Philip L. Sibert, CISSP
Office of the Chief Information Officer
U.S. Department of Energy
CISSP Examination Update
The International Information Systems Security Certification Consortium, or (ISC)2, working with a professional testing service, has developed a certification examination based on the information systems security Common Body of Knowledge (CBK). Candidates have up to 6 hours to complete the examination, which consists of 250 multiple choice questions that address the ten topical test domains of the CBK. The information systems security test domains are:
The applicant must meet the following requirements in order to sit for the examination:
1. Subscribe to the (ISC)2 Code of Ethics.
Valid experience includes information systems (IS) security-related work performed as a practitioner, auditor, consultant, vendor, investigator or instructor, that requires IS security knowledge and involves the direct application of that knowledge. The 3-year experience requirement is actual time worked; the requirement is cumulative, however, and may have been accrued over a much longer period of time.
The Examination and Registration fee is $450 USD. There is an added $100 late registration fee for registrations received less than 14 days in advance of the Exam date. All registrations should be received at least 10 days in advance of the Examination date. Registration information and Forms should be requested directly from (ISC)2 by fax or e-mail (recommended) providing your full postal mailing address. When requesting materials by e-mail, please put FISSEA Exam Registration Info in the subject line for expedited handling. (ISC)2
A FISSEA Conference 2000 Update
Well, we are down to the final month in planning your FISSEA conference. It has been an invigorating experience coordinating with IT security training experts, the NIST Computer Security Division and the FISSEA Executive Board. We have some of the best minds in the community working with us in putting the Conference together, which guarantees that it will be a great experience for all attendees. If you have not looked at the FISSEA Conference web site lately, please check it out. NIST will keep the conference agenda current, so you can watch as we refine conference sessions. While you are at the site, don't forget to register! You may do so on-line with a credit card. If your organization does not handle training payments in this manner, please pre-register via the web and bring your training order paperwork to the conference with you. We have a free gift for each of the first 100 attendees, courtesy of the Computer Security Institute - so plan on arriving early. The FISSEA Weather Prognosticator has stated that for the first time in the last several years, we will not have snow during our conference. So, we are looking forward to welcoming you on March 14, 2000.
Patti Black
Tools of the Trade
HAPPY LEAP DAY
Ann Brown from Indian Health Service informed us that last year's conference keynoter, the "DICEMAN", Ray Semco, has moved from DOE to NSA. Messages may be left on his voice mail 202-586-1788.
Gale Warshawsky wrote: "I moved out of the Honolulu apartment on Dec. 11, 1999 and into our new home." New e-mail address: msgale50@yahoo.com
Tom Walsh sent the following sad news of the loss of a
friend:
"The DOE computer security community has lost a great friend
and co-worker. Charlene Douglass of LANL passed away at
approximately 11pm, January 1, 2000. As many of you know she had
fought a gallant battle with cancer over the past many months and
seemed to be on the road to a somewhat normal life again. However, in
the waning days of 1999 she contracted a lung infection and was medic
vac'd to Albuquerque for extensive treatment. The nature of the
infection is not yet known, whether viral or bacterial, but she
succumbed to it within just a few days of contracting the infection."
Mich Kabay, who will be addressing this year's FISSEA
conference, wrote about his new job, as of 30 January 2000: "Yes,
it's great! Everything I love doing -- research, writing, teaching,
distance education, lecturing at conferences, consulting on enterprise
security -- plus a rise in salary!"
M. E. Kabay, PhD, CISSP
Security Leader
Information Security Group
Adario, Inc.
255 Flood Road
Barre, VT 05641-4060
V: +1.802.479.7937 F: +1.802.479.1879
E: mkabay@compuserve.com
Shannon Collins wrote on 15 December, 1999 a note of: "Thanks
and Farewell - I will be leaving the Department of Labor to accept a
position at the Department of Veterans Affairs, Veterans Heath
Administration. My new position does not involve security directly, so
I will no longer be attending meetings and reading the good ideas of
my colleagues at other agencies. I want to thank all of you (and there
are many) who made a complete novice welcome and shared your
considerable knowledge with me. They say to be good in security you
have to be paranoid, but I think you have been one of the best groups
I've ever been involved with, due to wonderful members and great
leadership from NIST."
TTFN
Shannon Collins
Steve Skolochenko sent us "A Fond Farewell" during his last days at the Dept of Treasury. He retired after 36 years of Federal service on the 31st of December, 1999. Here are some of his sentiments: "I just want you all to know how much I appreciated the mutual supporting relationship and the part all of you played in sharing sources of information and advice. Being able to learn from each other has been a real resource saver for me over the years. Being able to hear different views and the issues as seen by different departments was always enlightening."
And, to close this column, I write as Newsletter Editor and a member of the FISSEA Exec Board for 1999-2000. We want to thank all our members and friends for the support we've received as well as much valued camaraderie. We look forward to seeing you at the 2000 Conference.
In light of the recent hacker activity, Pauline Bowen sent in the following segment from the CSL Bulletin entitled "Operating System Security: Adding To The Arsenal of Security Techniques." The full article can be found at http://csrc.nist.gov/nistbul/. You can also subscribe to the bulletins via e-mail. To subscribe to the e-mail service, send an e-mail message to listproc@nist.gov with the message subscribe itl-bulletin, and your proper name, e.g., John Doe.
"One of the most common methods for plugging known security flaws is the installation of the latest vendor-supplied security patches. Patches are programs that fix errors in software. However, patching systems is not a perfect security solution. First, the constant stream of patches can quickly overwhelm administrators who are already burdened with other administrative tasks. Second, even though organizations install all of the latest patches, new attacks via the Internet will continue. When new attacks are discovered and published on the Internet, a large number of networks will become instantly vulnerable to attack until new patches are created and installed. Several weeks or months may elapse before an effective patch can be prepared to counter a new attack, leaving affected servers wide open to attack. Organizations can maintain their awareness about new patches by monitoring security advisories about threatening or popular attacks. These advisories are issued by a variety of organizations and usually reference a patch or work-around that will fix the discussed vulnerability. The most popular source of security advisories comes from the Carnegie Mellon Emergency Response Team at http://www.cert.org. In addition, we suggest you consult with http://www.fedcirc.gov."
"The FDA ISSO receives information on new patches from the FBI and other sources and immediately disseminates them to all ISSOs within FDA. These announcements contain vulnerability information and their fixes."
The Year 2000 problem was easy to understand and to explain. Security holes, however, are numerous and complicated. Computer security does not have a deadline. The Year 2000 had an immovable deadline.
(From a December 6, 1999 Federal Computer Week editorial)
Computer security does not have a deadline because our systems
and software are changing too rapidly for software creators to ensure
there are no flaws. Software is released in the rush to beat the
competitive vendors to market. Flaws are discovered, and either
work-arounds or patches are created and released; sometimes more flaws
are discovered requiring additional patches, and sometimes these
patches cause flaws in what has already been patched. Patches pertain
to specific versions of software, but when newer versions come out we
find old vulnerabilities have somehow carried over to the new release.
This situation requires the attention of well trained system
administrators working for managers who have a good computer security
awareness and who understand the threats, vulnerabilities, and
associated risks.
Consequently, computer security awareness, training, and education will be an integral part of our initiatives to provide a workforce that is security savvy and competent. Too often we are called upon to provide training and awareness in short spurts - training for this or that, awareness for this week or month. Seldom is a budget established to underwrite a continuing program with funding committed for multiple years, yet everyone knows security practices and skills quickly erode without an on-going commitment to these activities. Technology changes so rapidly now that training in system administrator skills should be part of each year's budget. Being in the loop for threat information and preparing briefings for managers and other activities to inform users is also part of our job.
So, what are the challenges we face in this new millennium?
Are these challenges any different from those of the last 5 years? I don't think so, but our approach should be as up-to-date as the technology we are implementing. Devising strategies and creating business cases should include multiple cost-effective options for delivery of training if at all possible.
The FISSEA Educator of the Year award ceremony is held during the annual Conference on March 15 at 12:15 p.m. Each year the FISSEA recognizes an individual who has made significant contributions in education and training programs for information systems security.
Nominees need not be members of FISSEA, but do need to be nominated by a member. Nominees may be involved in any aspect of information security education or training, including, but not limited to, instructors, security program managers, and practitioners who further education and training programs for information systems security in the federal community. Nominees are judged by an ad hoc committee appointed by the FISSEA Executive Board Chair. The nomination deadline is February 22, 2000, e-mail to: peggy.himes@nist.gov. See the FISSEA web site for detailed information on nomination justification and the selection process.
Award Recipient for 1998:
Louis Numkin, Nuclear Regulatory Commission
Award Recipient for 1999:
NEED YOUR NOMINATIONS NOW
In addition to well deserved recognition and a plaque, the Educator of the Year recipient will be provided free registration for the next FISSEA conference.
For my last contribution of this term, I want to consider how some clever phrases relate to what we do.
I saw an automobile with a bumper sticker which read "Visualize Whirled Peas." It took a moment to realize what the owner was trying to say. In current vernacular it would be "think outside the box." Just because something sounds the same doesn't mean it is the same. In this issue's TRAINIA column, you will find bits of humor which you may be able to use during awareness presentations. Remember the old speaker's axiom and include a story or joke within your talk so as to spark the audience's attention. Oh, and be sure to rehearse it so that it flows easily from your lips... and don't blow the punch line!
One day, a radio commentator reported that "Dana Carvey is 30 years old... but reads at a 34 year old level." This has multiple implications. Always consider your audience demographics. Is it a large room or is the group older where you might need to amplify your voice to get your message across? The same holds true for slides or projections - are they large and clear enough to be seen by everyone anywhere in the room? And, do not neglect the needs of an attendee who is hearing and/or vision impaired - You need not especially change your delivery but just be sure that they also get the full value of your training. And, beware of talking down or up to an audience - try to monitor their faces for response and modify your level of verbiage style. In general, it is safe to speak so the lowest level participant can understand - this permits those who should know more but don't to act like they do... get it?
Attending the rescheduled recent FORUM meeting at NIST, I witnessed nature's teaching tool. With a sizable dumping of snow which closed the Government for two days, plows had cleared the parking lots by piling snow around the edges. This demonstrated how much snow fell out there but also provided the material to build wind breaks to protect us while walking in to the building. It's sort of a Yin and Yang thing, if you think about it. So, know that not everyone wants to attend your training but build a successful windbreak by really investing yourself in it and making it interesting. Find analogies, such as this one, to demonstrate that computer security has the same abbreviation as common sense - and employ it in improving your talk.
This morning, I heard someone explain that "every expert says Bumblebees cannot fly ...because their mass is too great to get airborne on those tiny wings." The problem with experts is that they are sometimes very correct in establishing rules but not in dealing with reality. Don't be an expert without first experiencing what it is like to be a bumblebee. Know your audience and their level of comprehension. If they are using a tool incorrectly, don't just tell them they are wrong but show them how to use it right. If an expert pontificates without foundation, then he's just "flapping" his lips without really getting the job done. Please do not act like an expert... even if you are.
And for the golfers out there, I understand there are two ways to play, by feel and by mechanics. If a mechanical golfer whiffs a ball, he knows which joint or angle to change so that it doesn't happen again. Though this is good when you are in training, everyone should aspire to playing by feel. We know what feels right and need not worry about the angle of the dangle. As a trainer, you create your slides mechanically, but you present based on feel. Feel is impacted by current events which you can dribble into your rhetoric, or visual aids which provide the basis for analogies, or experience from your years of playing the game. You must know what feels right in order for your class to make a hole in one.
This is the last issue of our second year of FISSEA newsletters. As Justin Wilson, "the Cajun Cook", says "I don't know how I do it, but I hope I never forget." One thing is for sure, it would not be worth reading without contributions from the Exec Board, Members, and Friends, and would not make it into your mailbox without the dedicated support of NIST's Peggy Himes. I sure hope you have enjoyed reading them. Y'all come back now... ya hear?
** Our Air Force pal, Tim Mucklow, sent these useful reference sites for your consideration:
Cryptome:
http://jya.com/crypto.htm
HAARP:
http://www.haarp.alaska.edu/haarp/
Steganography:
http://securityportal.com/direct.cgi?/coverstory19991018.html
Archive of Network World Fusion Focus on Security newsletters:
http://www.nwfusion.com/newsletters/sec/
Best products picks of six Network World columnists, Network World, 11/15/99
http://www.nwfusion.com/best99/best99-wares.html
Network World's 1999 User Excellence Awards Winner -Olsten Staffing Service, Network World, 11/15/99
http://www.nwfusion.com/best99/best99-overhaul.html
Network execs' favorite products, Network World, 11/15/99
http://www.nwfusion.com/best99/best99-userpick.html
Products that tested best this year at Network World, Network World, 11/15/99
http://www.nwfusion.com/best99/best99-testerschoice.html
** Mich Kabay forwarded this note from Gene Spafford, INTERNET:spaf@cerias.purdue.edu: Purdue Computer Sciences has positions open for new faculty. Although the published announcement does not explicitly list openings in infosec, that is one of the priority areas for hiring. As we are about to add an interdisciplinary MS in information security, there is interest in adding more faculty in this area, particularly ones with interests in complementary areas (e.g., psychology, criminology, management). The emphasis is on assistant professor positions, but more senior applicants will be considered. More information is available at http://www.cs.purdue.edu/positions.html.
** A student came back to the dorm to find his roommate near
tears.
"What's the matter pal?" he asked.
His roommate moaned, "I wrote home for my parents to send
money so that I could buy a laptop; and they sent me the laptop!"
** Fred Cohen forwarded info on a new study to the
SECEDU list:
"Employees, Not Hackers, Greatest Computer Threat New Study
Shows Unhappy Workers Steal Trade Secrets. The greatest security
threat to companies' computer systems comes from disgruntled employees
stealing confidential information and trade secrets, according to a
new study on cyber-security. The survey, conducted by Michael G.
Kessler & Associates Ltd., a New York-based security firm, found
that 35 percent of the theft of proprietary information is perpetrated
by discontented employees. Outside hackers steal secrets 28 percent of
the time; other U.S. companies 18 percent; foreign corporations 11
percent and foreign governments, 8 percent. The remaining 10 percent,
according to the study, are listed as miscellaneous crimes."
http://www.apbnews.com/newscenter/internetcrime/2000/01/04/comptheft0104_01.html
** The college President hired a new Admissions Administrator. At the conclusion of the interview he said, "Please don't tell anyone what we're paying you." "Don't worry Sir," the new bureaucrat replied, "I'm as ashamed of my salary as you are."
** Hi, I am writing to let you know about a tenure-track
faculty position (junior-level) we have open in the Department of
Computer Science at Dartmouth College (see below). It's particularly
exciting this year because we have just opened a new "Institute
for Security Studies" with a $15M startup research budget. So,
we're looking for core "systems" people, particularly those
who are interested in security-related topics. If you are interested,
or know someone who might be interested, please let me know. Please
send application materials and general inquiries to Faculty Position,
Department of Computer Science, Dartmouth College, 6211 Sudikoff
Laboratory, Hanover, NH 03755-3510. Specific questions can be referred
to David Kotz at facapps@cs.dartmouth.edu.
Thanks,
David Kotz, Chair of recruiting committee
** There was a university in New England where the students
operated a "bank" of term papers and other homework
assignments including papers to suit all needs and as it would look
odd if an undistinguished student suddenly handed in a brilliant
essay, there were papers for an A grade, B grade and C grade.
A student who had spent the weekend on pursuits other than his
assignment, went to the "bank" and as his course was a
standard one, he took out a paper for an inconspicuous C, retyped it
and handed the work in.
In due course he received it back with the professor's comments, "I
wrote this paper myself twenty years ago. I always thought it should
have had an A, and now I am glad to give it one!"
** Are you looking for a conference of a different kind?
Then consider participating in the Project 2005 Millennium
Congress which will be held in San Antonio, TX, August 10-12,
2000.
Project 2005 is a multi-year, multidisciplinary effort to promote
the integration of management, education, technology, and leadership
through a series of international congresses, special issues of
journals, monographs and other types of publications as well as
partnerships with corporations, institutions of higher learning and
professional associations. For a background description of the Project
2005 and the conceptual framework underlying the Project, visit the
following URLS:
http://www.aom-iaom.org/Project-2001.html
and
http://www.aom-iaom.org/framwork.html.
The Call for papers, submission guidelines, and registration
forms along with information regarding the conference venue are
located at
http://www.aom-iaom.org/Project-call.html.
The theme of this year's congress is: "Is the Question
the Answer: Paradigms and Paradoxes in Management, Education,
Cybertechnology, and Leadership." The submission deadline is
March 31, 2000.
** Modern Aphorisms (@phorisms?)
1. Home is where you hang your @.
2. The E-mail of the species is more deadly than the mail.
3. A journey of a thousand sites begins with a single click.
4. You can't teach a new mouse old clicks.
5. Great groups from little icons grow.
6. Speak softly and carry a cellular phone.
7. C:\ is the root of all directories.
8. Don't put all your hypes in one home page.
9. Pentium wise; pen and paper foolish.
10. The modem is the message.
** The Fourth Annual Information Security Conference of the Veterans Health Administration will be held the week of June 26 in Reno, Nevada. For details on the conference including registration, lodging, and agenda, contact Ann Brown at IHS.
** Phil Sibert sent along the following tidbit of info: (U) (Newsbytes, 17 January) According to a report released by Computer Economics, virus attacks cost organizations a total of $12.1 billion during 1999. The report said that over the last three years there has been a major programming shift as viruses have become far more malicious and specifically designed for destruction and damage.
** More Modern Aphorisms (@phorisms?)
11. Too many clicks spoil the browse.
12. The geek shall inherit the earth.
13. A chat has nine lives.
14. Don't byte off more than you can view.
15. Fax is stranger than fiction.
16. What boots up must come down.
17. Windows will never cease.
18. Virtual reality is its own reward.
19. Modulation in all things.
20. A user and his leisure time are soon parted.
** Here's another false alert from the Urban Legends list:
AMERICA ONLINE TO START CHARGING FOR INSTANT MESSAGES! Sound familiar?
It should. The same phony-baloney petition has been popping up every
six months or so for the past several years. Does anybody really
believe that the World's Largest Online Service would reconsider a
policy change because 100,000 people forwarded a chain letter?
Apparently so.
http://urbanlegends.about.com/library/weekly/aa020300a.htm
** And the Last of our Modern Aphorisms (@phorisms?)
21. There's no place like http://www.home.com.
22. Know what to expect before you connect.
23. Oh, what a tangled website we weave when first we practice...
24. Speed thrills.
25. Give a man a fish and you feed him for a day; teach him to
use the Web and he won't bother you for weeks.
** Techno-Security 2000 April 16-19, 2000
Wyndham Myrtle Beach Resort
Myrtle Beach, South Carolina
This one-of-a-kind conference is intended for private industry,
government, law enforcement decision makers and technical experts
interested in, or involved with, information security, operations
security, high tech crime and its prevention. Untraditional
conference format with interactive high intensity training and
tremendous networking opportunities. Featured speakers include: Bill
Murray, Dr. Dorothy Denning, Bill Crowell, Chris Goggans, Kevin
Manson, Rick Forno, Don Delaney, Dr. Terry Gudaitis and many more...
This year's high intensity tracks will include: Hacker Profiling,
Intrusion Detection, Beginner & Advanced Computer Forensics,
e-Commerce Security, Body Armor for Cyber-Cops, Information Terrorism,
Live Vulnerability Testing, Incident Response, Tools for Protecting
the Enterprise, PKI, plus many more.
For more info, contact:
http://www.TheTrainingCo.com
** The First International Common Criteria Conference;
Sponsored by NIST, NSA, and NIAP
(National Information Assurance Partnership)
Baltimore Convention Center, Baltimore MD
May 23-25, 2000
Learn more about the international IT security standard ISO/IEC
15408 (Common Criteria); hear about national and international Common
Criteria initiatives and IT security testing programs; find out how to
receive a Common Criteria certificate for an IT product; learn about
the International Common Criteria Mutual Recognition Arrangement;
discover educational opportunities to support Common Criteria
initiatives; see what protection profiles have been developed by
governments and industries around the world; learn how automated tools
can help consumers write protection profiles and IT product developers
write security targets; hear about Common Criteria guidance documents
and web-based information sources; and see what new products have
received Common Criteria certificates. For details, visit
http://www.niap.nist.gov/iccc
** Lewis Baskerville contributed Information Systems Security Program: Good Computer Security Practices listed on the last page of our newsletter.
FISSEA Executive Board
LEWIS BASKERVILLE, Lewis.Baskerville@SBA.gov
LISA BIAFORE, Co-Conference Director, lbiafore@imsidc.com
PATTI BLACK, Co-Conference Director, Patricia.Black@cio.treas.gov
PAULINE BOWEN, Assistant Chair, pbowen@oc.fda.gov
BLAINE BURNHAM, burnham@cc.gatech.edu
BARBARA CUFFIE, barbara.cuffie@ssa.gov
DEBORAH HEFNER, dhefner@bpd.treas.gov
LOUIS NUMKIN, Newsletter Editor, LMN@nrc.gov
PHILIP L. SIBERT, Chair, philip.sibert@hq.doe.gov
CAREN WILLIAMS, caren.l.williams@usdoj.gov
Information Systems Security Program: Good Computer Security Practices
Always Protect Your Information Resources - All classified, sensitive, private, and mission-critical information, data, systems, and applications require protection from unauthorized access, use, disclosure, alteration, and loss.
Know Our Policies - Read all Information Resources Directives, including all Information Systems Security Program Policies.
Protect Your Work Area - Recognize, politely challenge, and assist people who DO NOT belong in the work area.
Prevent Unauthorized Access - Computer resources and equipment, especially personal computers and servers, should not be exposed to unauthorized access.
Protect Passwords - Use only passwords which are not easily guessed and not in the dictionary, change them frequently, and DO NOT share your password with anyone.
Protect Your Files - Establish and periodically review access privileges for each file.
Protect Your Computer - Always log off or password protect your screen before leaving your computer system unattended. Always safeguard software and removable media such as diskettes.
Protect Against Computer Viruses - Never load unauthorized or personal software on your computer system. Report viruses immediately to your supervisor and the appropriate Help Desk for corrective action. Before loading data from any media (diskette, Internet, etc.), always check it for viruses.
Protect Against Disaster - Always have backup copies of programs, equipment, and databases ready to go.
Protect Classified and Sensitive Data and Information - Read all directives, policies, handbooks, and manuals to protect classified and sensitive data and information, especially the Privacy Act of 1974.
Report Violations - Document any computer and communications misuse, abuse, security incident or breach. Report it immediately to your supervisor and your Information Systems Security Officer. Information Systems Security Officer anytime.
Last Modified: March 5, 2002.