From the Executive Board Chair

Happy New Year:
This still seems an appropriate greeting since this is the first time I have communicated with you this year. I am hoping that you will have a safe, peaceful, and productive year where your dreams and your reality will be the same. Time is on our minds a great deal now as the FISSEA Conference Committee, Board members, and NIST support staff continue working together to identify and accomplish all the remaining details on our "Conference To Do List." FISSEA Board members have an excellent opportunity and a responsibility to learn and/or utilize their skills and special gifts to plan and execute the plan to provide you, our members, a quality conference event each year. I believe there are numerous benefits from serving on the Board (e.g., networking with a diverse group of security professionals and/or educators, learning new skills, and having the opportunity to use one's expertise that may not be needed in his/her work environment.)

From my perspective, I think we mange to have fun and still accomplish a great deal of real work during our tenure on the board. There are a few times when I find myself so overwhelmed with job-related tasks to do that I wonder why I volunteered to do this or that activity. Sometimes when I think about it, I realize that most of the people I work with in volunteer activities are busy, energetic people too. Maybe that is an indicator members should consider when trying to decide who to elect as a member of the FISSEA Board. I still recall my mother saying to me many years ago that if you want to get something done, ask a busy person to do it. The point I am trying to make is that the Board needs dedicated people to serve for FISSEA to be as effective as it needs to be.

One of the most important factors one should consider when deciding to volunteer to run for a seat on the Board is whether or not he/she will get the support required from his/her management to serve effectively. In fact, this year we are requesting that anyone, who is considering being a candidate for nomination, discuss this matter with your supervisor and get his/her approval in advance. I encourage you to invite him/her to visit our Home Page on the Web to learn more about FISSEA. However, it will still be up to you to convince him/her that it will be very beneficial to both you and your employer for you to serve on our Board.

The Board really needs you if you are willing and able to serve. We also need more assistance from our members to be more effective in accomplishing our objectives. We have identified many tasks that just need additional staffing to be completed. Please think about this letter and then consider volunteering to share your time, ideas, energy and expertise. FISSEA really needs you!

Barbara G. Cuffie, CISSP
Social Security Administration

Go to top of page

FISSEA Conference - 2002 - A Sneak Preview

Dara Murray, FISSEA Conference Committee Chairperson
Dept of Health and Human Services

It's hard to believe, but March 2002 is right around the corner. It seems that just yesterday that last year's conference was just ending and planning for this year was just beginning. Based on some of the abstracts that the conference committee and board has received, the conference promises to be very interesting, and enlightening educational experience. FISSEA would like to give you a "taste" just how rewarding and interesting the conference will be.

In keeping with an "All American" baseball, apple pie and "red, white and blue" theme, we plan to kickoff with some musical talent brought to you by some of our own FISSEA members, have you indulge in some American favorite foods and all attendees be part of a security awareness, training and awareness exercises. Nothing too strenuous of course!

Most of all, we have some great speakers lined up. To start us off, Bill Tafoya, a retired FBI agent who is most famous for profiling the una-bomber case will give an "edge off our seat" educational presentation on profiling and investigations. Alan Paller, SANS, always provides great information regarding the latest issues affecting the protection of the Federal governments enterprise infrastructure and Thornton May, Toffler Associates will provide a great perspective on information assurance. This year we have a new twist and added a lunchtime speaker for the first day of the conference. Kamela White, Office of Management and Budget will give us a "Security Training - Year in Review for GISRA". Angel Rivera, Mitre will cover lessons learned in setting up a incident response team. We will all learn from Jim Litchko, Litchko & Associates about the hard job that many of us encounter as computer security professionals - "selling information security to your boss".

Andy Bernat, National Science Foundation and Vic Maconachy, National Security Agency will take part in a panel discussion of Cybersecurity training and education initiatives. Maxine Hill, General Services Administration and Susan Boaz, Veterans Administration will provide a fascinating "live" demonstration to training persons with disabilities on security education and awareness. Mike Robertson, Department of Energy will feature some work that their agency is doing in the area of cyber security and a hot area of metrics, metrics, metrics! Robert Solomon, NASA, will present on "NASA's Expert Center on Information Security Training". To top it all off, the Department of Justice, Computer Crime Unit has agreed to head off a "Birds of a Feather Session" on Cyber ethics. How did our agencies do with the auditing approach to GISRA? Well, come and find out-FISSEA has devoted an entire panel to discuss this issue first hand!

Now that you have a little nibble, it's now time to take the plunge and register at http://csrc.nist.gov/organizations/fissea/conference/2002/. At the site you will also see updates to the conference, schedules and the most up to date information on presentations.

And saving the best for last ... CPE credits will be tracked via ISC2 during the conference as well.

Go to top of page

Becoming Aware of METRO

by Louis M Numkin, Newsletter Editor
US Nuclear Regulatory Commission

The snow was lightly falling
I could not see very far
'Twas a cool night in Virginia
When I boarded the METRO car.

For those who do not know, the METRO is our Washington, DC Metropolitan Area Rapid Rail system. It is made up of silver colored transporters which travel mainly through tunnels beneath the ground though occasionally erupting into the light of day or dark of night to carry their charges from point to point. This clean, safe, and comfortable mode of conveyance provided me with an analogy which you are welcome to consider using in awareness sessions.

First I needed to gain access from the street via escalator to the toll gate where my ticket was electronically stamped with the emigrating location and time of entrance into the system. This might provide an illustration of gaining access to a computer by using a token or password. Records and logs of computer activity include date and time of access. With access, you enter an amazing maze of interconnecting railways, not unlike a miniature depiction of the global Internet.

While standing on the platform awaiting my desired train, one going a different direction picked up other riders and whisked them off into the dark. Men, women, children, all welcomed. Not unlike a ring system reading packets to determine their destination or purpose. Or, another tribute of the Internet which is available to all who wish it.

My sleek vehicle came soon thereafter and beckoned me through open doors to board and be seated. Around me were passengers speaking many languages. Though communicating among themselves, others could not understand. Perhaps like differing E-Mail packages or browsers which chase around the globe in search of those with whom communication can occur. An easy comparison to various programming languages might also be drawn or possibly any of the many encryption routines used to ensure privacy in the wilds.

After halting, the doors opened.
Some departed while other boarded.
Was it the departed's destination,
Or just a midroute way station
Before crossing a track intersection
And heading off in a different direction?

Staying on board, I found new faces trying not to look others in the eye. A bevy of teenaged girls spoke as if they were the only ones aboard, in loud laughing sentences of sometimes defamatory gossip. Names were freely included and exploits which might color the ears of some more conservative riders. For any rider not buried deep in reading material or whose ears were not clogged by the throbbing bebop of headsets, one could not help but eavesdrop. One of the young ladies used her cell phone to inform friends not aboard to meet them at a particular Pizzeria, including the address, and a description of the parking and some of the waiters. This might provide thoughts on being more guarded in conveying personal and business information - being more protective of one's privacy and entrusted secrets. Of course, the obvious thought is that of being in a chat room where one may vie for attention and receive more than anticipated. Providing too much unguarded information can lead to problems.

The walls of the cars have tastefully displayed posters which might be considered as pop-up ads during on-line sessions. Easily seen subway maps are also displayed, not unlike when one hits the HELP key to get directions on how to proceed. For more assistance, some riders carry folded cards which provide written guidance including rider responsibilities. Such things as No eating, No drinking, No smoking, No radio playing except through headphones, and even where the priority seating is located for senior citizens and the handicapped. These booklets could be seen as written policies providing appropriate behavior for netizens - manuals which guide us in the correct path and keep us from the grasp of the Inspector General or in this case the METRO law enforcement personnel.

For those who haven't yet tried it
When next you are in front of a class
Allow yourself to be creative
Have fun and your students will have an educational blast!

Folks, what I have tried to offer in this article is a demonstration of just how easy it is to find illustrative situations in everyday life which can help to explain complex technology. I venture to think that if you have read this far, you have also found your mind contemplating how you could employ transportation or some similar device as a tool during awareness activities. You will no doubt find more direct relationships to what you are trying to teach by just allowing your mind to roam freely through creative pastures. Remember... Awareness may only be the first step, but with Computer Security as a destination, it is only reached step by step by step.

Go to top of page

THE A-B-C's 0F FISSEA

Some people read the telephone book yellow pages (and I don't mean the Yahoo ones!). Others folks are paper trained, can't get through the day without reading the newspaper front to back, even if it means reading while in the bathroom (I haven't figured that one out yet!). Well, I have to admit to a fondness for Mr. Webster's tome, and often find myself out on one of the many branches that I am led to by the definitions for a single word. I don't do this all the time, but when I go looking for the definitions of, and synonyms for, a word, I usually fall into Webster's web. I think it's wonderful to learn something new every day, and sometimes this is the only place that provides the bit of knowledge needed. Anyhow, that's what led me to compose this article. I went looking for the definition of ASSOCIATION, and wound up with other ideas associated with that word.

So, let's examine the A-B-C'S as they relate to our organization, the Federal Information Systems Security Educators' Association. You will easily recognize the words being used and the dictionary definitions (those that fit my purpose) as we go through the article.

First of all there's A, for as so ci a tion  n., defined as "an organized body of people who have an interest, activity, or purpose in common; a society". That's what we are: people who have an interest and purpose in common, with one major focused activity - the annual conference.

B is for band  n., "an unofficial association of people (or groups)" that bands, v. I., "confederates, or unites for some common purpose". (I must admit, there are times when I think of FISSEA as a band, in other senses of the word.) Our common purpose, as paraphrased from our mission statement, is to elevate the level of information systems security awareness and knowledge, to provide for the exchange of information, and to encourage professional development of members.

Then comes C, for corps (kôr, kr) n. pl. corps (kôrz, krz) , "a body of persons acting together or associated under common direction". Again, we find these references/definitions focusing on people who have a common purpose - in our case it's focused on improving information systems security by fostering awareness, training, and education of all folks who have anything to do with information systems.

There is another C word, a homonym of "corps", that I want to bring to your attention, i.e., core (kôr, kr) n., "the basic or most important part; the essence: a small core of dedicated supporters." We on the Executive Board constitute the core of FISSEA, though we don't consider ourselves the most important part - we're just dedicated supporters because we believe in the mission of our organization, and because we know, without a doubt, that awareness, training, and education are essential elements in every information systems security program!

What FISSEA needs is a more active "corps", because the "core" cannot carry the load alone for an extended period of time. Don't just join up! Step up and serve on the Executive Board - chair the annual conference, or work on the committee - volunteer to help FISSEA help you.

- by Philip L. Sibert
National Nuclear Security Administration
U. S. Department of Energy

Go to top of page

On Certification

(Submitted by Philip L. Sibert, NNSA)
In a January 14, 2002, posting to the "Ask the Expert" portion of the web site the following question was posed to Ed Tittel:

"I've been in the computer field for 20 years but do not have any security experience. Would it be possible to break into the field with education/certification? What would be the best path for a beginner (in terms of inexpensive training, certification, etc.)? How easy would it be to break into the field after that? And how about salaries? Thanks."

Thanks for your recent e-mail inquiry. While it is indeed possible to "break into" the security field with education and/or a relevant certification, a perusal of the certifications behind my recent survey of the field (see accompanying list) will reveal that senior-level security certs usually come with a 3+ year on the job experience requirements.

Thus, while you can break into the field with an entry-level cert like the TICSA, SSCP, CIW Security Professional exam, and so forth, most of the stronger, more valuable credentials will only be open to you after you put some time in and pay your dues to the subject, so to speak.

To get yourself started, I recommend tackling the BrainBench Internet and Network security exams first, tackling the CIW Security professional exam second, then looking into either the ISC-squared's SSCP or the TruSecure/ICSA TICSA certification. After you climb those various entry- level certifications, you can start looking into other programs from ISC-squared (CISSP), TruSecure/ICSA (ICSE), SANS (GSEC and advanced certs) and so forth.

For pure entry-level credentials, you will be hard-pressed to exceed normal salaries for network or system administrators. But when you start climbing the ladder, you'll start to experience more pay benefits as salaries climb beyond the 50s and 60s, into higher levels. For senior security certs (CISSP, CCO, CPP and so forth) six-figures are not unheard of.

I hope I've answered your questions. If you have further follow-up or additional comments or concerns, please post again.

For a list of security related certification programs, as August 2001, go to the following url:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci762690,00.html

[Ed Tittel is a principal at a content development company based in Austin, Texas, and the creator of the Exam Cram series. He's worked on numerous certification titles on Microsoft, Novell, CIW and Sun related topics and is working on several security certification books for delivery in 2001.]

Go to top of page

Best Practice Nominations Are Open

The E-Gov 2002 Government Solutions Center (GSC) Selection Committee invites you to nominate your "best practice" or program for delivering citizen-centric E-Government services. Winners will be chosen in three award categories from the nominations submitted. Each program selected will receive broad recognition in the E-Gov 2002 promotional campaign, as well as during the E-Gov 002 Conference and Exposition, to be held Monday, June 24 through Thursday, June 27, 2002, at the Washington Convention Center, in Washington, DC.

In its fifth year, E-Gov 2002 is the only Conference and Exposition dedicated to discussion of the essential strategies and technologies required to deliver government services in the digital world. The Government Solutions Center is a popular focal point of the E-Gov Exposition and an integrated component of the professional educational program open to all E-Gov attendees. This is an excellent opportunity for leaders in E-Government to demonstrate the impact and results of their efforts on how the public sector does business in the Information Age.

The GSC demonstration pavilion and the individual Best Practice Briefings, held in the adjacent GSC Theatre, provide a forum for sharing applications and ideas that are transforming government service. Please note that all awardees will be invited to participate in the E-Gov 2002 Awards Luncheon scheduled for Tuesday, June 25, 2002.

We invite you to nominate your organization's Best Practice. A complete description of the Government Solutions Center, the selection process and criteria, the nomination form, and the benefits accorded to participants can be obtained by clicking on: http://www.e-gov.com/speaking.asp. Please note that GSC nominations are due no later than 5:00 PM, EST, Friday, March 8, 2002.

If we may provide additional information or answer questions about the Government Solutions Center and other E-Gov events, please visit www.e-gov.com or contact us at (703) 876-5060 and ask for Terri Randolph (ext. 7866) or Martha McGrath (ext. 5140).

Go to top of page

Trainia

{This column is a compendium of info on upcoming conferences/seminars, courses, books which may be worth your reading time, and more. That is why it is named TRAINIA, a contraction of the words TRAINing and trivIA. Hope you find it useful... Ed.}

{This column’s name is a contraction of the words “Training” and “Trivia.” It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security Awareness, Training, and Education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at >lmn@nrc.gov}

The W2knews list provides this quick book review of Windows 2000 Security for your consideration:
“Bored hackers looking for a new playground. Digital marauders destroying a carefully planned network infrastructure. These and other security nightmares keep network administrators awake at night. Knowledge is the best way to combat these fears, and Windows 2000 Security does its part to help you protect your systems against intruders. The book speaks to an audience of network administrators and support personnel. Previous knowledge of Windows 2000 and Active Directory is recommended, but not required, to find this book useful. ”For more, see:http://www.w2knews.com/rd/rd.cfm?id=020207BW-WindowsSecurity

Philip Sibert has another "Siber'Space Snippit" for you:
SearchSecurity has collected the Web's best resources on privacy regulations:
http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281951,00.html

Since this issue is coming out around 14FEB2002, here is a true tale from Jeff Foxworthy’s mail bag. Evidently, a listener wrote that he had seen a Valentine’s card display in a store which advertized that the “I Love You Only” card was now available in multi-packs. Hmmm...

Homeland Defense Journal launches publication. It will track news from the White House, Capitol Hill, federal agencies and state governments, as well as key players in the defense, telecommunications and information technology industries following developments in: Information systems, data sharing, data warehousing, National defense and security, Outfitting emergency response teams, Physical security and infrastructure protection, Chemical and biological defense and protection, Telecommunications and networking, Information technology, Cyber warfare and network security, Emergency response, surge planning, logistics support, Research and development, Training and Simulation, An advisory board will include legislators, former government officials and industry executives with broad experience in security issues. For more information, contact Vicki Orendorff at (703)807-2747.

27-28 Feb 2002- AFCEA Homeland Security Conference at the conveniently located Ronald Reagan Building and International Trade Center, in Washington, DC. If you have questions about attending, exhibiting or would prefer to have AFCEA mail you a registration package, please contact Tina Schaefer at (800) 336-4583, ext. 6250 or e-mail her at >tschaefer@afcea.org.

5-7 March 2002 - 15th Annual FISSEA CONFERENCE, Gaithersburg Hilton Hotel, MD. See the Sneak Preview article on page two. Technical contact: Peggy Himes, >peggy.himes@nist.gov or 301-975-2489. Registration contact: Teresa Vicente, >teresa.vicente@nist.gov, fax 301-948-2067, phone 301-975-3883 or register on-line through www.nist.gov/conferences.

13-14 March 2002 - Intrusion Detection Forum on Shared Solutions and Best Practices at Lansdowne Resort and Conference Center in Leesburg, VA. This is limited to only 45 experienced network security practitioners and costs $495 for materials, meals, and the Summary of Findings. For more info, contact the Institute for Applied Network Security, 411 Waverley Oaks Road, Suite 321, Waltham, MA 02452-8401, Phone = (781)894-1965, Fax = (781)894-0831, or e-mail >info@ianetsec.com or call Phil Gardner at the Institute on (781)894-1965

18-20 March 2002 - Diane O'Shaughnessy writes: InfoSec World Conference and Expo/2002 being held at Disney's Coronado Springs Resort in Orlando, FL with optional workshops on March 16, 17, 20, 21 and 22nd. Special team discount; If you register 2 people at the regular conference fee, the 3rd person goes for FREE to the conference (they would just need to pay for any optional workshops). To qualify for the team discount, registrations must be made and paid for at the same time. This is a $1,195 savings! If you are interested in attending, please call me at (508)879-7999 x 354 or e-mail >doshaughn@misti.com.

19-21 March 2002 FOSE ES 2002 - 9am to 4 pm all three days at the Washington Convention Center in Washington, D.C. This Enterprise Solutions Event is a free gathering of senior government managers implementing enterprise-wide solutions. Some of the sessions will specifically cover security-related topics, including: Building Consensus Security Benchmarks, and Protect, Detect, React - A Comprehensive Approach To Securing the Enterprise. For more info, check out http://www.fose.com/ES/education.html or R.S.V.P. at http://ww2.expocard.com/shows/fos021/es/index.cfm?source=E2EBPR

20-22 Mar 2002 Fourth Annual e-ProtectIT Infrastructure Security Conference at Norwich University in Northfield, VT. For more info, go to: http://www.e-protectIT.org. Contact Mich Kabay, PhD, CISSP, Program Chair, >mkabay@norwich.edu.

25-26 March 2002 Information Security in the Age of Terrorism sponsored the American Management Training Association. In addition to lots of varied training sessions, they will host two workshops: “Building a Strategic Incident Response Management Team” and “Extreme Hacking - Defending Your Site.” To register or ask questions, call 1(800)280-8440 or go to www.frallc.com

26-27 March 2002 Cryptographic Module Validation Program Conference 2002. To be held at the Washington Plaza Hotel in Washington, DC. Sponsored by NIST and the Canadian Cryptographic Module Validation Program (CMVP). The conference will include presentations and discussions on the new FIPS 140-2 standard, security requirements for cryptographic modules, differences between FIPS 140-1 and FIPS 140-2, algorithm testing suites, common criteria and the CMVP, a number of panel discussions for federal and user agencies. Additional information is available at: >www.nist.gov/cmvp2002.

7-10 April 2002 - The 4th Annual Techno-Security Conference - at Wyndham Myrtle Beach Resort in Myrtle Beach, South Carolina. This will be held in conjunction with the Internet Security Alliance Conference. Topics will include: Terrorism and Homeland Security Summit, Computer Forensics, Intrusion Detection LIVE, Identity Theft, Weapons of Mass Destruction, Corporate Espionage Countermeasures, Internet Investigations, HIPAA, Incident Response, Managing Evidence Workshop, Body Armor for Cyber-Cops, Managed Security Services, Steganography, Architectural Design Reviews, InfraGard, Physical Security Bonus Sessions. **Special Engagements - Foundstone will be offering a 2 day Incident Response: Techno-Security Edition class on April 11&12 following the conference and the Security University will be offering a 2 day Advanced Forensics: Techno-Security Edition on April 6&7 prior to the conference. Details and Online Registration is available at: www.TECHSEC.com or phone = (410)703-0332.

29 April 2002 Johns Hopkins University’s Information Security Institute New Facility Open House - Directions link: www.jhu.edu/~tour/map.html

30 April 30 - 2 May 2002 - ISI Forum on Information Security in Government in Washington, DC. MIS states that the ISI Forum is the only conference devoted exclusively to infosecurity in the government arena. For more info, contact: MIS Training Institute, 498 Concord St., Framingham, MA 01702-2357, or Tel: (508) 879.7999 x346, or Fax: (508) 872.1153 or E-mail: mailto:mis@misti.com. Contact: Diane Kelley (dkelley@misti.com)or Melissa Salce (>msalce@misti.com)

6-11 May 2002 - SANS Capitol Hill Conference will be offering six of SANS in-depth training tracks, including a NEW offering: SANS Security Essentials for Auditors! In addition to SANS new Track 10, SANS Capitol Hill will present the introductory level offering: Track 9: Information Security Officer. Also offered will be advanced, level two tracks: Firewalls and Perimeter Protection; Intrusion Detection In-Depth; Hacker Techniques, Exploits and Incident Handling; and Securing Windows. This conference is also an opportunity to prepare for GIAC certification. For more information on this, please see: www.giac.org. For the full details on this conference see: http://www.sans.org/CapitolHill

19-21 May 2002 - GovNet 2002 Summit at the Homestead Resort, Hot Springs, VA - includes: Full Participation in Summit program ; Two Nights Accommodation; All Communal Meals; One on One meetings; for $950. Coordinated by Marcus Evans 49 Stevenson Street 7^th Floor, San Francisco, CA 94105 - phone (415)817-0400 or Fax (415)817-0444.

2002 FIRST Conference program is being finalized and should be on the website in late February. They have had a record number of submissions and the conference is shaping up. We believe it just might be held in Hawaii in June. Direct questions by e-mail to first-2002@first.org or Roger Safian <>r-safian@nwu.edu> (847) 491-4058 (voice) or (847) 467-5690 (Fax).

17-19 June 2002 - The United States Military Academy, the IEEE and the National Security Agency are pleased to announce the Third Annual IEEE Information Assurance Workshop at West Point, New York. Workshop Keynote Speaker is Mudge (aka Peiter Zatko), the Chief Scientist of @Stake and author of L0phtCrack. For information: http://www.itoc.usma.edu/workshop/2002/

JHU Information Security Institute Spring 2002 Schedule of (free) Seminars & Events. For abstracts and further information visit http://www.jhuisi.jhu.edu/Activs/isi_act_seminars.html Topics include: A Research Agenda for the New Computing: Preventing Terrorism, Strengthening Communities, Reducing Inequities; Tending the Garden of Civilization: What Kind of Digital World Do You Want? Perspectives on Personal Identity Privacy and Security; Issues in Secure Electronic Voting; Alternative Futures: Personal Identity Policies to Balance Security and Privacy.

Army Reserve Readiness Training Center, Ft. McCoy WI, opens up computer Security courses to ALL Federal Government System and Network Administrators. Current courses include: The System Administrator Network Manager Security Course (SA/NMSC); Computer Network Defense Course (CNDC); and Department of Defense Information Technology Security Certification & Accreditation Process (DITSCAP). For more information, please contact: Cathy Zilmer, Chief, Security & Resource Information Training Center, Army Reserve Readiness Training Center, 50 South O Street, Ft. McCoy, Wisconsin 54656, phone (608) 388-7166, or go to http://arrtc.mccoy.army.mil/

CSI is offering a variety of courses in 2002. Here are the dates and locations for their 3-Day CISSP Prep for Success Workshop
     March 11-13, 2002 in Fort Lauderdale, FL.
     April 15-17, 2002 in Toronto, CANADA
     June 19-21, 2002 in San Francisco, CA
     August 5-7, 2002 in Gaithersburg, MD
     September 23-25, 2002 in Ontario, California
     October 8-10, 2002 in Wixom, MI
     November 13-15, 2002 in Chicago, IL
Questions and information may be requested from Nancy Baer, Senior Marketing Manager for Computer Security Institute, Phone: 415/947-6364, Fax: 415/947-6023, E-Mail: nbaer@cmp.com

FISSEA’s pal, Mich Kabay, has forwarded the following information:
OKENA, Inc. has developed a new Higher Education Security Consortium to serve as a test bed for its intrusion prevention software. For details on getting free licenses to its software, see the company's press release at: http://www.okena.com/areas/news/news_02_01_29.html
 
If you want to see Mich in his element, his college is hosting the Fourth Annual e-ProtecIT Infrastructure Security Conference, on March 20-22, 2002. See full details in the conference listings.

Book Review

A Practical Guide to Security Engineering and Information Assurance
by Debra S. Herrmann
ISBN 0-8493-1163-2, CRC Press (www.crcpress.com)
417 pages, 120 tables and figures, Sept/Oct 2001
 
This book is a comprehensive yet practical guide to security engineering and the broader realm of information assurance (IA). This book informs on how to:
1. examine the impact of both accidental and malicious intentional action and inaction on information security and IA; 2. explore the synergy between security, safety, and reliability engineering that is the essence of IA; 3. introduce the concept of IA integrity levels; and 4. provide a complete methodology for security engineering and IA throughout the life of a system. The relationship between security engineering and IA and why both are needed is explained. How to protect critical systems and data from accidental and intentional action and inaction that could lead to a system failure/compromise. Real world strategies are applicable to all systems. In depth solutions take readers from defining information security/IA goals through performing vulnerability/threat analyses, and conducting accident/incident investigations, whether internal, independent, regulatory, or forensic. A review of historical approaches and glossaries of information security/IA terms as well as 80 techniques are an added bonus. Those who have to comply with Presidential Decision Directive (PDD-63), which requires all government agencies to implement an IA program and certify mission critical systems by May 2003, will find this book useful. Discussion problems at the end of each chapter facilitate the use of the book.

An NSA FISSEA member sent in this item:
The February, 2002, issue of the magazine The Atlantic Monthly has an article on page 33 entitled 'Losing the Code War' by Stephen Budiansky. This piece puts forth the notion that advances in modern general purpose computers have given the edge to code makers over code breakers, by allowing people to use harder encryption, e.g., with longer keys.

By now, The Atlantic's website (http://www.theatlantic.com) should have the article on-line.

There is a discussion of DES being cracked a few years ago, and the article also talks about one time pads, Enigma machines, the Scarfo case, the Clipper chip, and reported al Qaeda stego use. Definitely not a technical article, but it is interesting to see how the mainstream press deals with the concepts and facilities of crypto.

Feb 19, 2002 - new Information Security course offering at the University of Maryland in Baltimore - CISSP prep course - this 10 day course offered by UMBC's Technology Workforce Enterprise is intended for experienced information security/assurance practitioners. The course covers all topics included on the CISSP examination. The 250 question CISSP exam is included and will be administered at the conclusion of the course. For description, fees, dates and times of the course visit our website at http://www.continuinged.umbc.edu/infosec {Thanks for the info to Ethel Matthews at the U. S. Department of Justice}

A Charlotte, N.C. lawyer purchased a box of very rare and expensive cigars, then insured them against fire (among other things). Within a month, having smoked his entire stock-pile of these great cigars, and not yet having made even his first premium payment on the policy, the lawyer filed a claim against the insurance company. In his claim, the lawyer stated the cigars were lost "in a series of small fires."

The insurance company refused to pay, citing the obvious reason: the man had consumed the cigars in the normal fashion.

The lawyer sued....and won!

In delivering the ruling, the judge agreed with the insurance company that the claim was frivolous, however, the judge stated that the lawyer held a policy from the company in which it had warranted that the cigars were insurable, and had guaranteed that it would indeed insure them against fire, without defining what is considered "unacceptable fire"- and was obligated to pay the claim.

Rather than endure a lengthy and costly appeal process, the insurance company accepted the ruling and paid $15,000.00 to the lawyer for his incendiary bamboozle.

NOW FOR THE GOOD PART.............

After the lawyer cashed the check, the insurance company had him arrested on 24 counts of ARSON!!!!! with HIS OWN INSURANCE CLAIM AND TESTIMONY FROM THE PREVIOUS CASE BEING USED AGAINST HIM, THE LAWYER WAS CONVICTED OF INTENTIONALLY BURNING HIS INSURED PROPERTY AND SENTENCED HIM TO 24 MONTHS IN JAIL AND A $24,000.00 FINE.

This is a true story and was the 1st place winner in the recent Criminal Lawyers Award Contest or so he said.

Go to top of page