News and Views, August 2001
Issue Two of FISSEA Year 2000-2001
From the Executive Board Chair

Greetings to FISSEA members, friends and supporters,

It is hard for me to believe that it has been four months since you elected us to be your Executive Board and to provide leadership for our organization. Although it is often a challenge, we meet monthly to carry out our responsibilities. I am pleased to report that we have developed a new operational plan for this year, and we are in the process of implementing some activities while still developing detailed action plans for other initiatives. As we continue to define our priorities, we realize it is important for us to ensure that both our plans and expectations are realistic. We are busy and productive, although we simply lack the time and required resources to accomplish everything that we want to do. Let me share some of the highlights about activities currently in process.

The Board is fortunate that Dara Murray agreed to Chair the Conference Committee. The Committee is working hard to ensure that FISSEA offers you a top-quality training event next year. I am sure you will be hearing more about this in the near future. However, it is not too early for you to begin planning to attend by earmarking the funds required to register. We don't know the exact date, place or price at this point, but we do know that it will be a Tuesday through Thursday in March 2002. We also know that the price will have to increase in order for us to move to a location near a Metro station, as many of you requested in your evaluation forms. We think it is important for us to be responsive to your requests, suggestions and general comments. Please continue to communicate with us regularly. It helps us to know what we are doing well and for you to share your suggestions for ways that we can improve.

Philip Sibert has agreed to lead an initiative to revise our By-laws. This is an effort that the Board has planned to undertake for at least two years, so I am happy that it is being done. Hopefully, some of you will take time to review this document on our website and send any suggestions for revisions to Phil before the end of August. I am sure he would appreciate your input.

Patricia Black has taken the lead on updating the Federal Awareness compact disc. She has assembled an interagency group of educators to assist her in this important effort. They expect to complete this initiative and have the updated discs available for distribution at our next conference. Of course, the price will be the same as usual, i.e., FREE.

Louis Numkin continues to serve as our able editor of this publication. He seems to never tire of reminding us to send him our articles timely. By the way, he extends that same invitation to all of our members, supporters and other information systems security professionals and educators. Please help me to surprise Lou by showering him with an abundance of great articles so that his biggest problem will be selecting the best ones for publication. He assures the Board that he cannot meet his quarterly schedule without us.

The Board is undertaking a major redesign of our website. Falan Memmott volunteered to assist us by sharing his expertise in web design at one of our meetings. This was very helpful to us and really gave us the jump-start that we needed to tackle this significant priority. Hopefully, you will see the fruits from our labors before long.

Barbara G. Cuffie, CISSP

Some New Surprises For 2002
By Dara Murray (Natl Science Foundation)

Although FISSEA's last conference was a great success, "we" want to make our next one more effective, interesting and as accommodating as possible. A great deal of feedback from last year's participants emphasized the location of the conference. As you know, in previous years the conference has been held in Gaithersburg, Maryland. However, the 2002 Conference Committee, in cooperation with NIST, has been researching the possibility of hosting it at a hotel on the Metro line in the Washington, DC metropolitan area.

In addition, the format or "flow" of the conference may be changing as well. With emphasis on FISSEA's goal - implementing effective computer security training, education and awareness - "Focus" days similar to tracks may be offered. Special sessions during the conference will include "Lessons Learned", "Birds of a Feather" and "Information Sharing" from volunteers who would like to talk about their own experiences while implementing a security awareness program in their agencies or organizations. Also, a session on a Government-wide initiative headed up by the Department of Treasury and Department of Defense, with a status of the development of a "generic" Information Security Awareness training tool for "all of us" to use, will be presented. Currently, there's a lot of "high profile" activity regarding "GISRA," so the thought of providing some valuable time on training issues of how agencies worked with their individual staffs and offices to provide their responses has been raised. A "how to" session on "working through" an audit "focusing" on IT security has also been suggested. More emphasis will also be placed on "speakout" and the business meeting so that issues which affect all computer security professionals and FISSEA can be more "openly" discussed. Since Section 508 is a big factor in the area of IT development, a session on what "tools" are available to assist handicapped personnel with training regarding computer security awareness is sure to be very informative.

Lastly, the theme -- OH YES --- THE THEME...... If you have a suggestion of what "YOU" would like to see in next year's conference, please contact FISSEA at (301)975-2489.
Scourge or Opportunity?
By Louis M Numkin (US NRC), FISSEA Newsletter Editor

The recent spate of viruses and worms has given many of us larger and more frequent headaches. SirCam, Code Red, Code Red again, and Code Red II (or 2 or C or CRv2). It appears that the news media and technical services, at least as of this writing, haven't yet decided what to name the latest member of the Code Red Worm regiment. However, WE have a name for it - "More Work!"

At NRC, I research virus reports from many sources, including Federal, commercial, educational, and news purveyors. Often, I will hear about a pending virus on the morning news while shaving or driving to my office. Immediately upon arrival at my workstation, I will begin researching the item. This includes redistributing FedCIRC, CERT, CIAC, etc., Alerts to our System/Network Administrators so we get a jump on developing protection needs to ensure agency systems will not be compromised or harmed. Following this, further research is conducted.

This is the point where a "Scourge" becomes an "Opportunity." We should recognize that many of our fellow employees have also heard or read about this latest computer security problem, as we did. These folks have different levels of technical acuity - some understand bits and bytes while others may be "technophobes." How to inform and not unduly alarm this mixed audience ... this is the issue.

When deemed appropriate, I recommend to our CIO that a Network Announcement should be disseminated. This is an in-house on-line notice system which can be directed at all employees or select groups. As needed, I consult with our lead techies to determine if there might be an impact to our internal systems. Further research is used to ascertain if the virus can attack personal computers or just networks. These decisions lead to the crafting of an announcement. Verbosity is not a hallmark, yet this probably requires more than a Hallmark greeting! Our CIO prefers fewer words with greater explanation. This follows the old summertime adage that an explanation should be like a bikini - enough fabric to cover the subject while still short enough to be interesting.

As with any written material, after checking the facts, vetting with the techies and management, and having grammar reviewed by technical editors, it goes to the CIO for approval. Usually, one or two cycles of wordsmithing and it is ready for "prime time." The operative word in the last sentence is "time" because the notice must be timely in order to be helpful. If a virus is striking as we arrive at work, response speed is essential. Likewise, it is important to dot all the "I's" and cross all the "T's" so that a hoax or minor virus does not take on a more important persona. And remember to give contact information of someone whom employees can call/email if they have further questions or concerns.

What I am trying to encourage in this article is that you look at any virus or malicious activity as an opportunity to improve and heighten the computer security awareness of all your employees. Reality can be a wonderful teacher. And Remember... SirCam does have the ability to resurface on 16 October... So the opportunities keep on coming... and, Quality training occurs when preparation meets opportunity.

FISSEA E-Mail List Serve
By Mark Wilson (NIST)

I am writing to advise you that the e-mail list for FISSEA members will be back online. I'm also taking this opportunity to pass along some guidance on how the list should and should not be used. This is for the benefit of those members who have been on the list since it went live in March of this year, and for the many new members to both FISSEA and this list. The NIST Computer Security Division is hosting the e-mail list in support of FISSEA and the federal IT security community. The list is not moderated; any FISSEA member subscribed to the list can post a message directly to the list.
However, to help ensure that this service does not become a free-for-all . . . an example of anarchism in action . . . we are asking for your help in following the guidance in this note. For example, there is a correct way to ask to be removed from the list, a way that does not result in every other member on the list hearing a "get me off this list" request, and inflaming the entire membership in the process. This issue is addressed in detail below.

Why A FISSEA Membership List?

Why a list? This list will allow you to converse with other IT security professionals who have an interest in awareness, training, and education issues. Any issue related to federal IT security awareness, training, and education is fair game for this list. It can be used to ask for help from the many veterans in FISSEA who have experience designing, developing, implementing, and maintaining awareness and training programs.

Why a list? Do you have an awareness program, but need to develop a training course for a particular audience? Chances are that some other FISSEA members have already developed this for their agencies. Ask if anyone would send you their material, or an outline, if you just need to get started. Are you considering hiring a contractor to develop awareness or training material? Would you like input from people who can recommend someone? Would you like to know what material is out there for the taking? DISA (do you know who they are?), Department of Energy, and other agencies have material you can download. I'm sure you will find other reasons to use the list . . . just ask.

To Post A Message To The FISSEA List, send it to:

The list is not moderated, in that neither Peggy Himes nor I review each message before it is allowed to hit the list.

Controls On The FISSEA List

Only people who have been subscribed (added) to the list by Peggy or me can post messages to the list. The upside is that we should not see spam from outside the list. The downside is that even though you are a FISSEA list member, if you attempt to send a message to the list from an address that is not on the list (e.g., your home account, a secondary work account) the e-mail list server here at NIST will not allow your message to be posted. For example, I am known to the FISSEA list as mark.wilson@nist.gov. However, if my e-mail package knows me as mwilson@nist.gov and identifies outgoing messages as such, this address will not be recognized by the FISSEA list. Make sure that the address that your e-mail package assigns to your outgoing messages is the same as the address you provided us when you joined FISSEA. If you want to be able to send messages to the list from an account other than the one you are using now, let Peggy know. If you send a message to:

To Unsubscribe From The FISSEA List

To get our attention to remove your address from the list, send a message to:

Do not send a message to the list asking to be removed. The last time this occurred there were so many "get me off this list" follow-up requests that we had to shut the list down for an extended period of time until we sorted through all of these requests and updated the subscriber list. Some of these requests were from members who were perfectly content with the flurry of messages on the list that dealt with awareness, training, and education, but were quickly disillusioned by the "get me off..." messages sent to the entire membership.

Your List And Attached Files

Please do not send attached files to the list. If, during the course of corresponding with fellow list members about an awareness or training course or module that you have developed, someone asks for it, send it to them, not to the list. If there is significant interest in material that you are developing, we would encourage (beg) you to send it to us (Peggy or me) and let us post it on our Awareness, Training, and Education pages of our Computer Security Resource Center (CSRC) - http://csrc.nist.gov/ATE/. If you send a file to the list, we will provide one reminder. If you send a second file we will remove you from the list.

Your List And Replying To A Message

If you reply to a message from someone on the list, your reply should go only to the sender, not to everyone on the list. When you begin to reply, check the address that appears in the "To:" block of your soon-to-be outgoing message; make sure it is to the sender and not the list. Keep in mind that the list has several hundred members. Determine before you send your reply if your message would be of value to many of the list members, or to just the sender to whom you are replying. If your e-mail package's default is set to "reply to sender" (the entire FISSEA list) or "reply to all", please change the default, or change the address that your mailer places in the "To:" line to the individual who should receive your reply.

Your List And "Me Too" Messages

Please avoid sending "me too" agreement messages to the list. If you would like a copy or follow-up information related to something that a member has posted, send a message to that individual, not to the entire membership.

Your List And Advertisements

In June, we floated a "trial balloon" message to this list, asking what you, the on-line FISSEA membership, thought of allowing member vendors to post one message a month to the list. Your responses to that query resulted in the FISSEA Executive Board and NIST Computer Security Division management making a joint decision to consider another approach. We continually welcome your ideas and feedback on how FISSEA can improve the way we serve our membership.

FISSEA members who want to make others aware of upcoming IT security related classes, seminars, and conferences may send the message they would like posted to this list to me, Mark Wilson, at:

Send the information you would like posted to my e-mail address above. NIST cannot endorse or give the appearance of endorsing any particular vendor product or service. Therefore, limit the information in your message to the essentials needed for someone to take advantage of the training, seminar, conference, etc. - i.e., who, what, where, why, when, and how much. You may reinforce the reference by including a website URL "for more information." Do not send ads directly to the FISSEA list. Omit marketing and public relations "hype" from your message. If it looks like an ad and sounds like an ad, it probably is, and you will hear from us, asking that you re-write your message if it is to be posted to the list.

One last word on advertisements - if you reply to a query sent to the list (asking for sources of training or material, for example), ensure that your reply is not a thinly veiled ad. One way to avoid this possibility is by replying directly to the individual asking for assistance, not to the entire membership. If you send such an ad to the list, you will hear from us. A second occurrence will result in removal of your e-mail address from the FISSEA e-mail list.

Thanks, and enjoy your list. Please
contact me if you have any questions or concerns.

Federal Best Security Practices Pilot Effort

{The following item was recently circulated by Elaine Frye (NIST) to members of the inter-agency Computer Security Program Managers' Forum. It is included here to help it gain wider distribution. If you wish to find out more, contact information is at the end.}

The Federal CIO Council has recognized the success of the Federal Best Security Practices (BSP) pilot effort and is ready to see it transitioned to an operational, institutional program. They have asked NIST's Computer Security Division (CSD) to undertake this effort. NIST's plan is to create a web site known as Federal Agencies Security Practices (FASP). The FASP will consist of three main areas:

We are streamlining the submission process and seeking a wider range of materials. This Forum web site would be available through the CSD's CSRC web site. The Forum is an excellent source to proliferate the sharing of agency information technology (IT) security information and practices desired for this site. Forum email list discussions have addressed many topics that would be useful site postings.

Request: If you have questions to include in the FAQ, please let us know. You might ask yourself, "If I were a new Federal security officer, what would help me?" We have compiled a list of suggested categories to initiate information gathering. This list is based on the categories found in many of the NIST Special Publications:
Request: In addition to the categories above, we are soliciting security position descriptions and statements of work for contracting security-related activities. If you only have hard copies available, please fax them to (301)926-2733, and we'll scan them for posting. If they are very long, please send them via regular mail to: Elaine Frye

Note: except for FAQ questions, the materials posted will be available on the public web site with credit given to the submitting agency unless otherwise requested. A future web site phase will include FAQ developed/culled from the Forum email exchanges. The FAQ will contain no agency affiliations.

We appreciate your efforts in making this project a success. Our goal is to have the NIST site operational and sunset the CIO BSP pilot site by September 7, 2001. If you have questions, please feel free to contact: Elaine Frye at (301)975-2819 or elaine.frye@nist.gov, or Marianne Swanson at (301)975-3293 or marianne.swanson@nist.gov.

Winning Organizational Buy-in for an IT Security Awareness and Training Program
By Mark Wilson (NIST)

No IT security program can be effective without senior management support and buy-in at all levels of management. Likewise, an awareness and training program must have management support and buy-in to be effective, help reduce problem areas, and mitigate risks. Several ways exist to garner and reinforce this support. Findings and recommendations from external or internal inspections can result in management attention; however, one-time implementation of awareness or training done to satisfy an audit recommendation will not reflect the level of buy-in necessary to run an effective program. When an organization's internal controls program is active and respected by management, identification of a lack of IT security awareness and/or training as a material weakness can be a stimulus to gain management buy-in. Buy-in can also be achieved through various approaches employed by the IT security program office.

One informal approach is the development and presentation of periodic security updates for each layer of management, working upward through the organization. If organizational culture or convention would not support this "grassroots" approach, a more formal, top-down presentation could be developed for the most senior managers or executives. Their support should sway more junior managers. Another tactic can be periodic e-mail advisories sent to appropriate levels of management and technical staff. Occasional and timely briefings to management during their regularly scheduled meetings would also reinforce the belief that security is simply one aspect of everyone's job, as opposed to being viewed as a one-time, out-of-the-mainstream function. These briefings can describe the latest threat to a particular operating system and, therefore, to a system or application critical to the accomplishment of the organization's mission. Subject matter can include the latest change to public law, federal requirement, or higher-level (e.g., department) policy, and the impact that these new provisions may have on the organization. The goal of this management-oriented awareness campaign is to make senior management more aware of the impact of internal and external threats to the business of the organization and the need to better protect itself. This awareness effort, in turn, can result in increased support and buy-in.

Securing management support through an overt or covert awareness campaign can also pay dividends in the struggle for resources. While management should be aware of the posture of an IT security program, and how (or if) the program is maturing over time, hearing and seeing evidence of "battles won" can provide the justification for increased funding and staffing. The evidence would serve as an indication that resources expended on the IT security program are showing results - a return on the organization's investment. Evidence can include statistics of virus attacks thwarted by vigilant users, system and network attacks blocked by system/network administrators, and sources of attacks identified by joint actions of administrators, security staff, and investigative personnel. Evidence can also include rapid recovery from website defacements and other incidents, in which loss of production capability or public trust is minimized by effective response and recovery.

Without an organization-wide awareness program, however, these "battles won" may be the exception, rather than the rule. An organization may suffer a significant denial of service attack, a virus attack, or some other widespread calamity. A potential disaster can be used by the IT security staff to highlight the need for an awareness and training program. For example, a few vigilant users or system administrators might have adequately protected their systems or subnets while the organization was under attack. Their efforts can be shown as examples of what the organization's incident response or system/network monitoring capability could be, if there was an effective awareness and training program. As managers are made aware of the daily efforts to protect system and network-based IT resources, they can be made more aware of the continuing and growing threats facing the organization, and therefore, become more supportive of efforts to mitigate risks to the organization.

Government Information Security Reform Act
Last Modified: September 6, 2001.