News and Views September 2000
"I touch the future, I teach." Christa McAuliffe
Issue Two of FISSEA Year 2000-2001
From the Executive Board Chair
Security is becoming more and more a priority for many Government entities with increasing demand for accountability for our information resources and data. As Chair of the FISSEA Executive Board, I want to encourage you to not forget that training, education, and awareness will play an increasing role in helping to accomplish our security objectives. In May 1998, President Clinton issued Presidential Decision Directive 63 (PDD-63), which calls for a national effort to assure the security of the increasingly vulnerable and interconnected infrastructure of the United States, especially the cyber-based infrastructure. Federal Departments and agencies are beginning the process of identifying and securing those critical assets and related infrastructure components that they depend on to fulfill their responsibilities of ensuring national security, national economic security, and public health and safety. The overall security of an Agency's cyber-based infrastructure is extremely important based on the mission of the Agency. Information must be protected from unauthorized disclosure or access. Many employees, contractors, emergency management staff, etc. handle information that must be kept secret and transmitted safely across networks, Internet and Intranet in order to accomplish Agency missions and goals. This need requires that we utilize tools such as digital signature technology, encryption tools, secure hubs, availability of operations and services, firewalls, backup systems, secure remote access, PKI technology, virus software, security awareness training, system security planning and network security. A financial system is an example of a mission-critical system that needs protection from unauthorized access or disclosure.
The financial system requires a high level of protection of the confidentiality, integrity and availability of its data and operations, because the unavailability of the system could cause any Agency not to meet critical mission goals. Individuals responsible for these systems must be trained in security measures. Protection of sensitive data in mission-critical systems has been mandated by OMB, Circular A-130, Appendix III, the DHHS Automated Information Systems Security Handbook, NIST Special Publication 800-12, and the CIAO's Practices For Securing Critical Information Assets. These documents reference security planning, system security engineering, risk assessment, security awareness and training, vulnerability assessment, threat assessment, continuity of operations, and incident handling procedures. Implementation of corrective actions and best practices based on vulnerability assessments, system security engineering, etc., should begin as soon as resources are available. Specifically, attention should be given to controls and procedures that: 1) Limit or detect access to critical asset resource elements (people, systems, applications, data and/or facilities); 2) Prevent implementation of unauthorized programs; 3) Limit and monitor access to programs and sensitive files that control computer hardware and secure applications supported by the system; 4) Ensure that critical services and operations, including computer operations, continue without interruption or are promptly resumed. As you can see, TEA (training, education and awareness) will be extremely important in our efforts to secure our critical information assets.
Pauline Bowen
Editor's Column:
Perhaps FISSEA members can help out
Leonid.Dmitrienko@chase.com
We are looking to enhance our yearly Security Awareness program for next year. We have used a VHS video this year, and it worked well with our (PowerPoint-based) presentation. We are now looking for additional sources that have such videos that we can use for next year.
Thanks,
Len
Here is an article about FISSEA's ol' Idaho Pal, Corey Schou, by Dan Verton which appeared in Federal Computer Week on 14AUG2000.
A report to be published this year by one of the nation's top educators in information systems and security warns that the current system of higher education cannot support the demand for information assurance professionals and calls for a revolutionary change in the way the government, academia and industry cooperate.
"The present national need for an immediate increase in the development of information assurance professionals at all levels cannot be met within the existing educational structure," said professor Corey Schou, chairman of the National Colloquium on Information Systems Security Education and associate dean of Information Systems at Idaho State University.
In his report, "Meeting the Information Assurance Crisis Now," Schou recommends a nine-point cooperative plan between government, industry and academia that he says has the potential to generate up to 100 doctoral candidates, 200 to 500 master's degree students and 5,000 bachelor's degree students annually with an emphasis in information assurance.
Government plays a key role in assisting educators to produce a steady pipeline of well-educated information security professionals, according to Schou. He has urged government to establish a competitive grant process covering "grand challenge" problems in information assurance, selective internships that would provide students and faculty with practical experience, government/academic staff exchanges and even a program that would forgive student loans for graduate students at the master's and doctoral degree level, among other things.
Schou also called for improved training resources for university faculty members across the country and even suggested that government should help establish a distance-learning program in information assurance and the ethical use of information targeted at elementary and secondary education teachers.
"Failure to respond proactively to a similar need a decade ago has contributed to the current national shortage of information technology professionals," Schou said. "Without external stimulus and support, there is no way the educational system can meet the demand in the foreseeable future."
Several weeks ago at our Board of Directors' meeting we were discussing "business practices" (vs. "best business practices" - best by whose choice? best in what environment? etc.) when Dr. Roger Quane astutely and quietly stated, "You know, there's a link between these 'practices', and awareness and training." Well, that statement got my old brain churning for a short time (too much at once will burn the darn thing out, you know), and I asked myself, "How can we approach awareness and training from the 'practices' standpoint?"
Let's try this out by using an example and see if we come up with the link(s). For my "best business practice" I am choosing "Unclassified Multi-User Information System Password Policy". The objective of this new (or revised) business practice is to improve the selection and use of passwords, i.e., we are striving to change people's behavior. The policy ("best business practice") statement goes something like this: All unclassified multi-user systems (excluding those systems intended for unrestricted public access, such as web servers) must use a password mechanism that authenticates the identity of each person accessing the system. And then the requirements are laid out. Passwords shall:
(1) contain at least eight non-blank characters;
(2) contain a combination of letters (a mixture of upper and lower case), numbers, and at least one special character;
(3) contain a non-numeric in the first and last positions;
(4) NOT contain your user ID;
(5) NOT include the user's own name, or the names of close friends or relatives;
(6) NOT include your Social Security Number, date of birth, phone number or address number;
(7) NOT include any information that the user believes could be readily learned or guessed;
(8) NOT include words that would be in an English dictionary or any other language dictionary with which the user has familiarity;
(9) NOT include commonly used proper names, including the names of fictional characters or places;
(10) NOT contain any simple pattern of letters or numbers, such as "qwertyxxx" or "xyz123xx"; and,
(11) be changed every ninety days, or sooner if the system administrator directs it to be done.
If a system cannot accommodate eight-character passwords, then the above requirements shall be implemented within the system password constraints.
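Ten of the eleven requirements above are the kind of rule a system's password filter can enforce mechanically at the moment a user picks a password (rule 7, "anything readily learned or guessed", is a judgement call that training has to cover). The checker below is an added example written for this issue, not code from the column's author or from any agency system. The dictionary, proper-name list, keyboard rows and the SAMPLE_USER record are constructed stand-ins for the real dictionaries and personnel data a site would check against, and rule 11 is handled as a separate age check on the password being replaced rather than on the new one.

```python
"""Checker for the eleven password requirements quoted above.  Added example,
not code from the original column or from any agency system.  The word list,
proper-name list, keyboard rows and SAMPLE_USER record are constructed
stand-ins for the real dictionaries and personnel data a site would use."""
import re

DICTIONARY = {"password", "secret", "welcome", "summer", "letmein", "admin"}  # rule 8 stand-in
PROPER_NAMES = {"frodo", "gandalf", "paris", "london", "mickey"}              # rule 9 stand-in
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")         # rule 10
MIN_LENGTH = 8      # rule 1
MAX_AGE_DAYS = 90   # rule 11

# Constructed sample account: user ID (rule 4), names (rule 5), numbers (rule 6).
SAMPLE_USER = {
    "user_id": "jsmith",
    "names": ["John", "Smith", "Rover"],
    "numbers": ["123-45-6789", "1975-04-12", "555-1234"],
}


def has_simple_pattern(pw, run=3):
    """Rule 10: any `run` consecutive characters that form a keyboard-row run
    (either direction), a stepwise sequence such as 'xyz' or '123', or a
    repeated character such as 'xxx'."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
        if chunk.isalnum():
            codes = [ord(c) for c in chunk]
            steps = {b - a for a, b in zip(codes, codes[1:])}
            if steps in ({1}, {-1}, {0}):
                return True
    return False


def contains_term(pw, terms, min_len=3):
    """Case-insensitive substring test shared by rules 4, 5, 8 and 9.  Terms
    shorter than `min_len` are skipped so that a two-letter initial does not
    reject every password that happens to contain those letters."""
    low = pw.lower()
    return any(t.lower() in low for t in terms if len(t) >= min_len)


def contains_number(pw, numbers, min_len=3):
    """Rule 6: compare digits only, so '123-45-6789' on file still matches a
    password containing the digit run '123456789'."""
    runs = re.findall(r"\d+", pw)
    for n in numbers:
        digits = re.sub(r"\D", "", n)
        if len(digits) >= min_len and any(digits in r for r in runs):
            return True
    return False


def check_password(pw, user):
    """Return the sorted list of rule numbers (1 to 10) that `pw` violates for
    `user`.  Rule 7 is a judgement call; it is only approximated by the
    substring checks of the other rules and is never reported on its own."""
    v = set()
    if sum(1 for c in pw if not c.isspace()) < MIN_LENGTH:
        v.add(1)
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)
            and re.search(r"\d", pw) and re.search(r"[^A-Za-z0-9\s]", pw)):
        v.add(2)
    if not pw or pw[0].isdigit() or pw[-1].isdigit():
        v.add(3)
    if contains_term(pw, [user["user_id"]]):
        v.add(4)
    if contains_term(pw, user["names"]):
        v.add(5)
    if contains_number(pw, user["numbers"]):
        v.add(6)
    if contains_term(pw, DICTIONARY):
        v.add(8)
    if contains_term(pw, PROPER_NAMES):
        v.add(9)
    if has_simple_pattern(pw):
        v.add(10)
    return sorted(v)


def change_due(password_age_days):
    """Rule 11: the password on record must be replaced after 90 days, or at
    once if there is no change date on record."""
    return password_age_days is None or password_age_days > MAX_AGE_DAYS


if __name__ == "__main__":
    for candidate in ("jsmith123", "Sx123456789!", "Gr8!Pine#Mz"):
        print(candidate, "violates rules", check_password(candidate, SAMPLE_USER))
    print("change due after 120 days:", change_due(120))
```

Run as a script, the sample account rejects "jsmith123" on rules 2, 3, 4, 5 and 10 and "Sx123456789!" on rules 6 and 10, while "Gr8!Pine#Mz" passes. Two design points matter for the awareness side of the column: a real deployment loads far larger word lists than the stand-ins here, and substring matching against names and numbers is why users are told the rules rather than left to discover them at the prompt.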
Now the "best business practice" regarding use and creation of passwords has been blessed by management. What's the next step? The policy makers are done - is it right to just shoot it out the door to be implemented? I don't think so. Remember, we are striving to change people's behavior. So how do we do that most effectively? By establishing links between the desired results, and the awareness and training activities necessary to drive the change and reinforce the practice. What, in this example, links the creation and use of good passwords to Awareness and Training?
AWARENESS LINKS
Before the policy hits the street (but after final management approval for issuance):
After the policy hits the street for implementation:
TRAINING LINKS
Before implementing the new (or revised) business practice, get the system administrators involved - they are the ones who will be answering the phones when the users forget their passwords.
These were some of my thoughts on links...what are yours? Now, try the "linking" process with another "business practice", such as Back Ups, and see what you come up with. Those links were there all along...it just took a little time to examine the process and capture the thoughts.
Jamming, flooding, social engineering, denial of service, mole, encryption, access control, intrusion detection, anti-virus protection, and tool effectiveness were just a few of the terms students were spouting as they planned a strategy for protecting a newly installed local area network. A science fiction flick? No, this was the real thing as I guided 7th grade students at the Fairfax County, Virginia, Kilmer Middle School through the CyberProtect Interactive Training Exercise, an interactive multimedia computer program developed and distributed by the Defense Information Systems Agency (DISA). During a 54-minute classroom session, which included student discussion as well as the CyberProtect exercise, the students learned about information security threats, vulnerabilities and countermeasures as part of the school's "Expanding Visions" program.
These junior high school students responded very well to the topic of information security and enjoyed the CyberProtect exercise. It really brought the subject alive for them, and many "sleepyheads" perked up as the sound effects of the dwindling resource units made them realize that something exciting was happening. I was amazed at how much they already knew about computers and computer security and how well they were able to understand the concept of tool effectiveness. They were anxious to update and upgrade all the tools that had faded and become out of date.
Part of the challenge in presenting this subject to seventh graders was in determining how to use CyberProtect as a teaching tool. It was not feasible for each of the students to have their own copy of the exercise. Class sizes were between 25 and 50 students, and the class period was limited to 54 minutes in length... The teachers preferred the idea of a group exercise rather than having the students go at it alone. To make this happen, I installed CyberProtect on a laptop and took a projector with me to the classroom. I also used an overhead projector and transparencies to present some of the background information about threats and tools. On the average, each class had about 30 minutes to play the CyberProtect exercise. We were able to make it through either one or two quarters of play, depending on the class.
One of the key tools that made it possible to quickly get into the exercise was the "Purchase Worksheet," that I prepared from descriptions given in the CyberProtect exercise. This worksheet was used to help students plan network defense tool selection and monitor expenditures. This planning aide was designed with student success in mind. From the worksheet, it was obvious where tools could be legally placed. Two worksheet columns were allocated for each tool selection option: one for the level of effectiveness, and one for the cost. This expedited the students' selection of tools and also helped the students to stay within their budget. Once tool selection decisions were made, the tool ordering process was trivial. This tool selection task emphasized the importance of planning.
Many of the students were excited about the "game" and wanted to know where they could get one! They all cheered when they defeated the hacker, and were anxious to figure out what went wrong when the hacker was successful.
Jane Powanda is an information systems security professional at Mitretek Systems in McLean, Virginia. Ms. Powanda has made copies of the CyberProtect worksheets available, which can be obtained from DISA/IPMO. E-mail requests to DODIAETA@ncr.disa.mil - Thanks to George Bieber for submitting this article from Jane. Ed.
Thought that you might find Eoghan Casey's ending comment in response to a recent book review by Carol Twigg in the Atomic Tangerine NEWS list (overseen by Mich Kabay) interesting.
"Having said this, I acknowledge that distance education is limited. Even the most skilled teacher using the most suitable theory from the learning sciences can only convey the basics of a subject effectively from a distance. Teaching critical thinking, complex problem solving, and other higher level thought processes is out of reach when teaching at a distance. So, a combination of distance education and face-to-face mentoring is the strongest approach."
Eoghan Casey Knowledge Solutions
http://www.corpus-delicti.com
And, with Mich's permission, here is Carol's article:
Distance Education: An Oxymoron?
By Carol Twigg
Those who argue that learning must take place face-to-face overlook important questions.
The Chronicle of Higher Education published a review of a new book, The Social Life of Information, by John Seely Brown and Paul Duguid last week. The headline reads, "Authors Argue that 'Distance Education' Is an Oxymoron."
According to the reviewer, Brown and Duguid believe that proponents of IT suffer from "tunnel vision" that prevents them from seeing that learning is a social experience for which distance-education technology is a poor substitute.
The book builds on the authors' 1995 paper, "Universities in a Digital Age" which makes the same argument: "The central point we want to make is that learning does not occur independent of communities. . . . Learning, at all levels, relies ultimately on personal interactions."
The idea that one cannot learn on one's own is simply ridiculous. Has neither Brown nor Duguid ever learned anything from that low-tech item called a book? I would guess that the majority of learning that goes on in life occurs independently. Even in traditional group-based classroom environments, the majority of a student's learning time is spent independently, outside of class: the standard expectation is two hours of study outside of class for every one spent in class. As Tony Bates of Canada's Open Learning Agency says, "There is an even greater myth that students in conventional institutions are engaged for the greater part of their time in meaningful, face-to-face interaction. The fact is that for both conventional and distance education students, by far the largest part of their studying is done alone, interacting with textbooks or other learning materials."
http://www.acm.org/ubiquity/views/c_twigg_1.html
1. Arrive Early Enough to Test Your Equipment Before Your Session.
2. Be Relevant for this Audience.
They are attending the conference specifically to learn up-to-the-minute tactics, strategies, and techniques they need to thrive in the industry, and will expect you to impart practical, technical, "how-to" information.
-- Assume they have at least basic knowledge of the subject.
-- Assume a more technical, more sophisticated audience than attendees at other programs.
3. Don't Try to Cover Too Much Material.
DON'T suggest that you are squeezing two or three days of material into one and a half hours. If you have tailored your presentation for your allotted time, your material will be focused and relevant.
4. Never Apologize.
Don't throw a damper on the audience by making them feel they are not getting your best.
5. Get Right into Your Subject Matter.
Avoid long introductory comments. Spend no time on jokes, amenities, or platitudes about how important the topic is. If they didn't already agree, they wouldn't be there.
Start off with a bang. Start off with a promise. Start off with a pledge. Start off with the "meat" so attendees are immediately taking notes and thinking of how they will apply what you are about to tell them.
6. Don't Make Remarks About "Running Out of Time."
When you suggest things didn't get covered, people feel cheated. They think the conference and your session were poorly planned.
7. Be Specific.
EXAMPLE: You are making a statement about lawn mowers--which one do you think is the most valuable to attendees:
1. "Lawn mowers are a boon to mankind."
2. "Some lawn mowers are better than others."
3. "People with large lawns should use mowers with bags to collect the cuttings."
4. "The following lawn mowers are most effective in the following situations for the following reasons: etc."
EXAMPLE: You are providing a list of techniques, advantages, disadvantages, etc. Enumerate them. "Here are 18 quick ideas of how to . . . one, two, etc." Attendees will know where you are at any point.
EXAMPLE: Instead of "There are hundreds of ways . . ." say "There are 483 ways to . . ."
8. Don't Tell Self-Congratulatory War Stories.
Your personal experience is valuable, as long as you stick with brief, relevant illustrations.
9. Don't Advertise Your Consulting Practice.
Let your presentation do it for you.
10. Support the Program and Other Speakers.
Don't be negative. Your success, the program's success and the participants' reactions are intimately tied to one another. Support every speaker, the hotel and MIS Training Institute/InfoSecurity News. If you have problems or concerns, let's discuss them after the program. In other words, be positive, productive and flexible.
11. Always Repeat Any Question Asked by Attendees.
You will maintain the interest of all of the attendees if they hear and understand the issue you're addressing.
(Here are summations and references to articles and incidents which you might use in making or illustrating points during awareness presentations)
Exchanged several E-Mails with David Spinks in England (david.spinks@dspinks41.freeserve.co.uk). Here's a tidbit: "Louis, I think it would be an excellent idea to link the Information Security activities going on in the UK to those in the US. Please find attached details of one of the groups I chair - E-Com-Sec now has 500 members. I would be more than happy to contribute to any US/UK co-operation."
Thanks David we'll be looking forward to your article submission. Here is a downsized E-COM-SEC flier which he sent along for FISSEA's information:
E-COM-SEC = E-Commerce Security - Special Interest Group. Why not join free today? Simply send an email to: E-COM-SEC-Subscribe@egroups.com
Join hundreds of other Security professionals and share information via email or have access to the group's vaults where documents such as Best Practice Guides may be found and downloaded to your own system.
Recent topics include:
1. Reputation Management (Turnbull)
2. BS7799 and Legal Issues
3. Intrusion Management
4. Cyber Crime and Law Enforcement
5. Business Continuity Planning
Best Practice documents available include:
1. BCP
2. Intrusion Detection
3. Cyber Forensics
For more information about the E-Com-Sec please contact David Spinks at david.spinks@dspinks41.freeserve.co.uk
>>>>>>>>>>>>>>>>>>>
Keep your anti-virus software up to date, FISSEA, as InfoWar was openly discussed in the China Times on 8AUG2000.
http://www.chinatimes.com.tw//english/epolitic/89080708.htm
TAIPEI, Aug 7 (AFP) - Taiwan's military for the first time is to demonstrate its computer virus capability at major war-games later this month, it was reported Monday. "The blue and red units involved in the coming Han Kuang (Han Glory war games) will for the first time use computer viruses to attack each other's information network," the Liberty Times newspaper quoted a top defense ministry official as saying.
The blue units represent Taiwanese forces, while red units stand for mainland Chinese forces. The official said both units had been exposed to the same types of computer viruses in the maneuvers last year. "How to shield any attack from computer viruses was the major concern last year. Efforts would focus on virus offensive this year," he said. The paper said the military authorities have worked out some 2,000 types of computer viruses and the anti-virus capability of the military units has been upgraded.
"The military is now able to shield itself from many computer viruses including 'I Love You' virus and scores of its derivatives which swept the world earlier this year," the official said.
Chief of the General Staff Tang Yao-ming warned last year China may launch an "information war," including the use of computer viruses to paralyze military command, energy, transportation and banking systems, before an invasion of Taiwan. China, which has regarded Taiwan as part of its territory awaiting reunification since their separation in 1949 at the end of a civil war, has repeatedly vowed to take the island by force should it declare formal independence.
Local media had previously said China's People's Liberation Army had simulated computer virus offensives in exercises in Shenyang, Beijing, and Nanjing over the past two years.
>>>>>>>>>>>>>>>>>>>
William Knowles (wk@c4i.com) informed us that there is some interesting reading from "The 'Innovation' Garden State" at http://www.state.nj.us/sci/ The State Commission of Investigation and the Attorney General of New Jersey have released a joint report on Computer Crime. The files are all in PDF format.
>>>>>>>>>>>>>>>>>>>
And, a note from "across the pond":
Though it is FISSEA's duty to improve Awareness, Training, and Education in the sector known as Computer and Information Security, there is another side about which Thomas C Greene wrote on 10AUG2000 in http://www.theregister.co.uk/content/6/12500.html
The colorful article begins with this lengthy opening sentence: "Administrators of the cracker education Web site Icefortress.com have undergone a change of heart since we reported their plan to fold under pressure from Internet billing-service provider IBILL, which has threatened a copyright infringement suit under the Digital Millennium Copyright Act (DMCA), claiming that the Icefortress site did it harm by supplying information and tools which could enable visitors to hack its protected sites and thereby violate its copyrights."
It appears that this "educational" site had been on line for nearly two years, before being pulled-off "after receiving a threat-memo from IBILL lawyer Stephen Workman, presumably in its eagerness to get clear of a third-party dispute and cut its liabilities as quickly and painlessly as possible... having neither the time nor the money to fight a well-heeled corporation like IBILL in the courts."
The write-up continues with referencing that friends offered support "to keep controversial information safe from interference on First Amendment grounds." One of the reported friends was Carnegie Mellon University Computer Science Professor David Touretzky, "whose testimony on the free-speech aspects of program code during the 2600.com trial was singled out by the judge as especially persuasive." Touretzky has been active in defending free speech on the Net for several years now.
More colorful commentary is followed by this logic: "... any information or tool which can defeat an access control violates the DMCA anticircumvention provisions (17 USC 1201). The 1201 provisions are intended to protect copyrighted materials, and Workman is hoping to get around this by claiming that virtually anything which can be protected with an access control such as a crypto scheme, or even a password, can also be copyrighted ... If the 1201 provisions were interpreted as broadly as Workman would have them, then all the security tools in common use today by systems administrators would be outlawed."
Now comes the reason for including this article in our newsletter. How many of us have utilized Carnegie Mellon's CERT in any way? Well, here it is...
" ... if Cherry's reading of the DMCA is correct, then the most dangerous hacker education site on the Web would have to be the Computer Emergency Response Team (CERT) security site, hosted by none other than Carnegie Mellon University, and financed in part by the US government. We've spent many a blissful hour trawling its vast archives for detailed descriptions of security weaknesses in most popular network hardware and software and their default implementations, and downloading source code, scripts and tools with which such holes may be conveniently exploited.
"It is to the CERT site, more than any other source, that we owe our own expertise in network and Web security (such as it is); and while we don't wish to boast, we must note that we could quite easily apply what we've learned and downloaded there to extremely destructive on-line activities if we were so inclined.
"Thus if we accept that the ICE site is subject to closure for providing information and tools related to exploiting computer security weaknesses, we would have to accept that CERT, too, is subject to closure on the same grounds. Indeed, considering CERT's positively immense archive, its immediate closure ought to become the chief priority of anyone wishing to protect themselves from those who educate potential malicious hackers.
"Any distinction between Icefortress.com, which looks like a site catering to crackers, and CERT.org, which offers much the same information but looks like a site catering to systems administrators, is absolutely cosmetic and thus perfectly fraudulent. We are reminded of the US 'assault-rifle' law, which banned the sale of certain semi-automatic rifles because they had the misfortune to be black and scary-looking, while ignoring traditional-looking 'sporting' weapons possessing identical destructive capabilities."
A wonderfully visual story which can be employed while explaining cryptography is about one of the most spectacular coups in military intelligence history. Of course, it was the breaking of ENIGMA, the top-secret code that German forces used to communicate with each other in World War II. A very informative site has been set up by PBS' NOVA which permits you to compose and send your very own coded messages by E-Mail. The site has lots of fascinating info about ciphers and secret codes and is very well designed. You can find it at www.pbs.org/wgbh/nova/decoding/
>>>>>>>>>>>>>>>>>>
A British news source, The Register, reported on 14AUG2000 that "The Christmas Lectures, sponsored by Glaxo Wellcome are an opportunity for young people to learn directly from scientists who are recognised as among the best in their field. Previous lecturers have included Michael Faraday, James Dewar, Frank Whittle, Frank Close and Susan Greenfield. "All explain their work using practical demonstrations and experiments. This year the Christmas Lecturer is Prof Kevin Warwick of Reading University ... Kev will be talking gibberish not once, not twice but five times on dates between 14 and 30 December. They cover most of the same nonsense as previously and no doubt he will become expert in a few more specialities between now and December." You can find details at http://www.ri.ac.uk/Christmas/Home.html
The critic completes his panning of the pending presentation with: "We are genuinely concerned about this apparent approval for Professor Warwick's flights of fancy and plan to make a serious approach to those concerned. We would ask anyone with a serious interest in this area of research to contact us..."
>>>>>>>>>>>>>>>>>>
Here's the url for the training portion of the DOE web site: http://cio.doe.gov/ucsp/training.htm (Be aware we may be changing the "ucsp" portion of the address to "cybersecurity" in the not too distant future.) Use what you want! Phil Sibert
>>>>>>>>>>>>>>>>>>
On 10AUG2000, Alfred Huger ah@SECURITYFOCUS.COM informed BUGTRAQ that there is a new mailing list for penetration testers @SecurityFocus.com which should "shore up some gaps we see via people posting questions based around penetration testing and network auditing."
The penetration testing list is designed to allow people to converse about professional penetration testing and general network auditing. While lists like Vuln-Dev and Bugtraq deal with exploits and flaws in systems there are few interactive forums to discuss actual penetration testing and network auditing. As a result this area has become a difficult topic to learn about outside of print media (books etc.)
This list hopes to dispel some of the confusion and allow for intelligent discourse on the topic. The list is not OS specific and will cater to discussion on all and any network-able devices people wish to discuss.
To subscribe - Send an e-mail message to listserv@securityfocus.com with a message body of: SUBSCRIBE PEN-TEST Lastname, Firstname You will receive a confirmation request message to which you will have to answer.
>>>>>>>>>>>>>>>>>>
This case has some interesting implications for site cracks and defacings . . .
Libel Found on Internet Message Board Postings - American Lawyer Media
Bio-medical firm Biomatrix won a ruling from a New Jersey superior court that found three people published libelous statements against Biomatrix on two Web sites. The ruling is believed to be one of the first judgments nationwide against those who defame others online. The two sites were a Yahoo message board and the message board of Genzyme Corporation, which plans to merge with Biomatrix this year.
http://www.law.com/professionals/iplaw.html
"An attorney with Boston-based Bingham Dana, Charles L. Solomont, led a legal team representing the bio-medical firm Biomatrix Inc., which won a ruling from the Bergen County Superior Court in New Jersey that found three individuals published libelous statements against Biomatrix on two Web sites,... in what is believed to be one of the first judgments nationwide against those who defame others online... He said the decision has far-ranging implications for other cases now pending nationwide, in which anonymous, defaming claims are made against individuals and other entities.
'People post these messages using aliases and believe it protects them from liability for their actions. But this case shows the perpetrators of [such] online claims can be prosecuted.'"
>>>>>>>>>>>>>>>>>>
EPA Back On Line, More Security Minded - from Government Computer News of 7AUG2000 - The Environmental Protection Agency (EPA), whose site has been down since February due to security problems, is coming back on line with a new stance on security. While the agency once considered all information public unless there was a compelling reason to secure it, now the reverse is true: information is considered sensitive unless officials deem otherwise.
http://www.gcn.com/vol19_no22/news/2572-1.html
>>>>>>>>>>>>>>>>>>
Phil Sibert wrote that he subscribes "to http://www.researchbuzz.com/ , which pointed to a newly revised search engine called http://www.magportal.com/ where, after doing a search on the word "Security" got a 997 item list of stuff. Paging down I came across the following site http://www.thejournal.com/ that should be of interest to you. Enjoy!"
>>>>>>>>>>>>>>>>>>
E-Mail Misconceptions - from WIRED on 4AUG2000 - A company that advises businesses on legal liabilities released "The Seven Most Common Misconceptions About E-mail" list. Among the mistakes people make are assuming that e-mail messages are private, and that e-mail can be deleted.
http://www.wired.com/news/business/0,1367,38007,00.html
>>>>>>>>>>>>>>>>>>
Did you know that the Government "Wants (an) Internet Emergency Preparedness System"? Check out: http://www.computeruser.com/newsletter/3590.html
>>>>>>>>>>>>>>>>>>
(FISSEA is not recommending nor rating these courses. We are just letting our readership know of their existence.)
FREE TRAINING OPPORTUNITIES - More and more of these are becoming available!
F-Secure Corporation is collaborating with GartnerGroup to present a series of web-based briefings on Enterprise Security focused on wireless connectivity. The seminars are offered free of charge on a monthly basis through December 2000. The seminars are as follows:
Oct 24 - Security Issues for Wireless Devices
Nov 22 - Security Issues in Central, Policy Based Security
Dec 12 - A Blue Print for Enterprise Security
Please go to the following url if you are interested: http://www.f-secure.com/securityonline/
>>>>>>>>>>>>>>>>>>
This message is to inform you and your staff of the availability of security training courses designed for federal managers and technicians to be held in the Washington, D.C. area.
*** Course One - Network Security and Intrusion Detection 5-days, hands on, Security Training Facility, Columbia, MD
*** Course Two - Network Security for Senior Network and Security Managers - Expand Your Ability to Perform Network Security Planning, Columbia, MD
*** Course Three - UNIX Countermeasures - Learn State-of-the-art Methods of Protecting Your System. 5 days, hands on. Columbia, MD
For more information on these courses, go to www.federalitsecurity.org OR www.marketaccess.org. Course fees and schedules are available at these sites. For questions, call Donna Anderson, 301-805-2166.
>>>>>>>>>>>>>>>>>>
25-28SEP2000 will be the E-GOV Information Assurance Conference and Exhibition in Alexandria - This one will have notable keynotes and lunches, exhibits, and even a fantastic panel named "Security Awareness - The First Challenge" hosted by your Newsletter Editor! - register online at www.e-gov.com
>>>>>>>>>>>>>>>>>>
16-19OCT2000 - The 23rd National Information Systems Security Conference, co-sponsored by the National Institute of Standards and Technology and the National Computer Security Center, is scheduled at the Baltimore Convention Center. Registration deadline (before the fee increases) is September 18, so you can spend this year's bucks and save, or you can register late and spend more of next year's bucks! The conference web site is at the following url: http://csrc.nist.gov/nissc/
Unfortunately, SANS Institute has scheduled their Network Security 2000 conference, being held this year in Monterey, California, for the same week. Information is available at their web site: http://www.sans.org/NS2000.htm
(Now, you really have to make some hard decisions in life - which is it, Bawlimore or MONTEREY, Monterey, or BAWLIMORE??)
{Ed's note, the foregoing inflection was a Siber' Space Snippet.}
>>>>>>>>>>>>>>>>>>
7-8NOV2000 Arlington, VA Creativity Day Camp for Managers, Supervisors and Team Leaders through the National Seminars Group 1-800-682-5078. Also held on 8-9NOV2000 in Baltimore, MD. http://www.natsem.com/EventListing.cfm
>>>>>>>>>>>>>>>>>>
13-15NOV2000 - The CSI 27th Annual Computer Security Conference and Exhibition will be held in Chicago, at the Chicago Hilton and Towers. See http://gocsi.com/#Annual.
>>>>>>>>>>>>>>>>>>
29-30NOV2000 is the Cyber Sabotage Conference in Alexandria - hands-on plan creation and even a "dine-around" for networking - Register at www.iqpc.com or 1-800-882-8684.
>>>>>>>>>>>>>>>>>>
30NOV-1DEC2000 - E-Security Conference and Exhibition in Arlington, VA - more information may be found at www.imgevents.com/security
>>>>>>>>>>>>>>>>>>
6-7DEC2000 will be The Maryland Technology Showcase at the Baltimore Convention Center - six keynote addresses, 50+ break-out sessions - two one-day workshops - for more information and/or your free Exhibit Hall Pass, check out www.mdtechshowcase.com
>>>>>>>>>>>>>>>>>>
11-15DEC2000 - NSA's Information Assurance Solutions Working Symposium (including EKMS) in New Orleans - for info check http://conferences.securephone.net or E-Mail IASWS@mcneiltechmd.com
>>>>>>>>>>>>>>>>>>
23-25JAN2001 is WEST 2001 at the San Diego Convention Center - sponsored by AFCEA & US Naval Institute - entitled "Winning the Wars of the 21st Century" - for a free Exhibit Hall Pass or more info, check out www.west2001.org
>>>>>>>>>>>>>>>>>>
25FEB-1MAR2001 - MIS Training Institute InfoSec World 2001 in Orlando. Numerous other conferences and seminars may be found at http://www.misti.com/
>>>>>>>>>>>>>>>>>>
13-15MAR2001 - FISSEA 2001 Annual Conference. This year's theme is "From Y2K To T E A (training, education, awareness) with FISSEA" and it will be held at the Hilton Hotel in Gaithersburg, MD. Mark your calendars!
>>>>>>>>>>>>>>>>>>
CISSP Continuing Education Seminars provided by MIS and ISI and recognized for CPEs by ISC2 may be found at www.misti.com
LEWIS BASKERVILLE, Conference Director
FISSEA Membership
Please send comments or suggestions to webmaster-csrc@nist.gov.
Last Modified: March 4, 2002.