FISSEA News and Views
May 2002
Issue One of FISSEA Year 2002-2003




From the Executive Board Chair

Greetings,
Spring is here and FISSEA's 15th annual conference is over. Were you among those who participated this year? We were glad to see new faces, and equally pleased to greet many who seem to have come to most, if not all, of our conferences. We always read and evaluate the comments on every evaluation form so that we can incorporate your ideas and suggestions for topics or speakers for the next year, and address any issues that you bring to our attention. I am pleased to inform you that we received mostly favorable comments, both formal and informal, from attendees about this major FISSEA training event.

The Board owes a special thanks to Dara Murray, our 2002 Conference Director, for her outstanding efforts in making this event a success. Believe me, we are grateful to many people for willingly contributing their time, energy and talent to assist us. This is especially true for all of our speakers. Did you know that we do not pay anything, including travel expenses, to anyone for being a presenter? It is truly amazing to see such a diverse and talented group of individuals accept an invitation to be a presenter at a FISSEA conference. Please consider helping us in our continuing efforts to identify top quality speakers who we can approach about being a presenter at our 2003 Conference and beyond. We are always glad to hear from you.

This year for the first time we were able to tell conference attendees both the date and the location of the next FISSEA Conference. Please mark your calendar now and begin planning to attend our 16th FISSEA Conference from March 4th to 6th in Silver Spring, MD. I encourage you to bookmark and visit our website often for breaking information about this conference as it becomes available. Patrick O'Reilly and Peggy Himes work behind the scenes at NIST to continually keep our FISSEA website current so you can stay informed. http://csrc.nist.gov/fissea/ has a new look and information that we believe can benefit you.

We are now in the early stages of planning for the 2003 conference. I recently sent a message to you seeking volunteers to assist us in this major annual FISSEA initiative. Thank you to all who responded. If we have not already done so, we will be contacting you shortly to find out how you can assist. It seems that there are always more jobs to be done than volunteers. I am glad that Donna Robinson-Staton has agreed to serve as the Conference Director and Curt Carver has agreed to be our Conference Program Director. It is never too late to offer your ideas, time, talents, etc. YOU are the real key to FISSEA's success in accomplishing our mission. Think about it and then contact us to offer your help, if possible.

Barbara G. Cuffie, CISSP
Social Security Administration
Chair of the FISSEA Board


FISSEA EXECUTIVE BOARD
* Term ends March 2003
** Term ends March 2004

*Barbara Cuffie, CISSP, Executive Board Chair, barbara.cuffie@ssa.gov
*Lewis Baskerville, lewis.baskerville@sba.gov
*George Bieber, george.bieber@osd.mil
*Patti Black, Assistant Chair, patricia.black@do.treas.gov
**Jacqueline Bush, bush.jacqueline@pbgc.gov
*Louis Numkin, Newsletter Editor, lmn@nrc.gov
**LTC Daniel Ragsdale, dd9182@usma.edu
**Donna Robinson-Staton, donna_robinson-staton@hud.gov
**Philip Sibert, philip.sibert@nnsa.doe.gov
**Robert Solomon, CISSP, robert.f.solomon@grc.nasa.gov
*Mark Wilson, NIST Liaison, mark.wilson@nist.gov

FISSEA Membership/NIST Liaison (non-voting member):
Peggy Himes, peggy.himes@nist.gov



2001 FISSEA Educator of the Year: LTC Daniel Ragsdale

By George Bieber

LTC Daniel Ragsdale, US Army, is the FISSEA 2001 Educator of the Year (EoY). Dan is the Director of the Information Technology and Operations Center (ITOC) of the Department of Electrical Engineering and Computer Science at the United States Military Academy (USMA). He is our 11th EoY, our second active-duty EoY, and one of the few from outside the Washington, DC metro area. A quick review of LTC Ragsdale's accomplishments against the EoY criteria will explain his selection.

The criteria are straightforward: originality and uniqueness of activity; extension of benefits within and/or beyond the nominee's organization; scope and breadth of accomplishments; and the amount and type of direct participation by the nominee. Dan developed and taught the first Information Warfare course at West Point. Within one year it went from an experimental course to one of the most popular electives in the Computer Science department.

Recognizing that "learning is enhanced by doing," Dan developed a computer laboratory and provided students the opportunity to defend against hacking by learning the likely tactics of cyber attackers. In addition, he designed, developed, and conducted the first inter-service cyber-defense exercise, in which teams from the USMA, the US Air Force Academy, and the Naval Postgraduate School competed against attacks launched by the Air Force's 92nd Aggressor Squadron.

LTC Ragsdale established the first student chapter of the ACM (Association for Computing Machinery) Special Interest Group for Security, Audit and Control (SIGSAC). The chapter has grown to over 200 students from all academic disciplines. In addition, Dan worked with other departments to infuse Information Assurance (IA) content into Law and Social Science courses taught outside the computer science curriculum.

He initiated and directed an Academy-wide effort that resulted in the USMA being recognized by NSA as a Center for Academic Excellence in Information Assurance Education (CAE). The National Science Foundation Scholarship for Service Program and the DoD's IA Scholarship Program target CAEs for scholarship-building awards and grants.



FISSEA Conference: 2002 Reflections

By Mark Wilson, NIST

The Federal Information Systems Security Educators' Association (FISSEA) held its 15th annual conference in Gaithersburg, Maryland on March 5-7, 2002. The conference brings together information technology (IT) security professionals from government, academia, and industry with an interest in security awareness, training, and education issues.

Keynote presentations each day challenged attendees to better prepare themselves for the future by seeking advanced training and education in IT security, and to make their management and executives more aware of the need for a vigilant security program. Keynoters were Dr. William Tafoya of Computer Sciences Corporation, Mr. Alan Paller of the SANS Institute, and Mr. Thornton May of Toffler Associates.

The lunchtime speaker on the first day of the Conference was Mr. G. Mark Hardy of National Security Corporation. He gave a powerful and moving talk about leadership and lessons learned from crisis response, specifically the leadership lessons learned from a rescue effort that he led on September 11th, 2001 at the World Trade Center, his first day at a new job in New York City.

Presentations during the three-day conference were made by speakers from the Department of Justice, Department of Energy, Department of Defense, Nuclear Regulatory Commission, General Accounting Office, MITRE Corporation, National Science Foundation, McNulty and Associates, NASA, Computer Security Institute, MIS Training Institute, SANS Institute, Department of Treasury, National Security Agency, General Services Administration, Department of Veterans Affairs, Litchko and Associates, Idaho State University, and NIST.


FISSEA Listserve: NO MORE ADS

At the March 2002 business meeting, the membership voted to discontinue use of the listserve as a means of advertising. Please continue to use the listserve to communicate with each other. See the FISSEA website for the revised guidance.



Awareness 101

By Louis M Numkin, NRC

"101" usually denotes an initial or first level course in college. So, often when we converse about an elementary issue, we suffix the name with the digits "101." It is therefore appropriate to name the first computer security activity provided to new employees as "Awareness 101."

Even though my agency has a pretty good introductory videotape, I still like to meet with the "newbies" in order to answer any questions and to clear up confusions, especially for people transferring in from other agencies/organizations. By doing this, I can also put a face on Computer Security. They know someone who can assist them with these types of queries. My mother has long said, "a gift without the giver is bare" - in other words, unless you reinforce important points "nose to nose," the in-processing session will not impact them as much as it should. Remember that this "entry on duty" session lasts only a few hours, during which each new employee is inundated with forms, explanations, videos, and piles of welcome manuals. You must do your part to make it last throughout their careers.

Using this logic, with the heap of in-processing data/manuals/mental images, no matter how good our video is, its message may get lost in the deluge.

Meeting with these future co-workers adds to their understanding from the beginning of their career. But be careful to level the playing field - your audience may possess various levels of understanding, from neophyte computer users to experienced technicians who could probably teach you (us) a few things. As Computer Security practitioners, we must know not only the specifics of the organization's program but also the reason/basis for the stated rules. Don't leave anyone behind - if someone doesn't understand the rudiments of resetting their LAN/WAN password, make a date to meet with this person once he/she is settled into their new workstation.

One other thing which may help to make an impact is either a clever handout/brochure or a memory-sparking device. By taking some of what you teach and committing it to text in an eye-appealing tri-fold or pamphlet, you are giving the new employee something to review at a later, more relaxed time. What I mean by "memory-sparking device" is what others might call a trinket. Should you host an observance for Computer Security Awareness Day where you give away quaint mementoes of the event, save some for sharing with folks on their first day of work. These items are usually "keepers," and if they carry a few short reminder phrases from your presentation subject matter, they become "memory-sparking devices." One last thought: always include your name/title/e-mail address/phone number on your handouts so that if they do think of a question after the session is over, you can easily be contacted to offer assistance.

Newbies need guidance in order to be molded into good organizational citizens. You are part of the team with the ability to perform this necessary task. Approach it with the proper attitude and your new co-workers will thank you for the information. Remember, preventive maintenance is much less expensive than waiting for something to break - give your car regular oil changes and your engine won't lock up and require replacement. Here is the chance to give the benefit of your experience and save them from making mistakes which might really harm agency systems. Your task, should you accept it, is to provide a memorable computer security introduction to new employees... Go to It!


Where Do We Go From Here?

By Philip Sibert, Department of Energy NNSA

In the aftermath of the horrendous damage inflicted by terrorists upon the United States on September 11, 2001, we are beginning to more clearly see the vulnerabilities to which we are exposed. Setting aside the fact that we can never be 100% secure, and that we can never be 100% prepared to recover quickly from such physical devastation, we do need to carefully analyze our computer/cyber systems and networks to see what steps need to be taken to help us better protect our assets and provide a means to recover quickly from such an event.

Being Federal entities makes us more of a target for acts of terrorism, for several reasons, not the least of which is the disruption of services we provide to the public. Also, being Federal entities means we provide a more visible target and stand a much greater chance of losing face and being disgraced in the media. Although we don't (in most cases) operate for profit, we still have a bottom line - the budget within which we have to operate. Thus, disruptions to services and operations affect our bottom line too.

What assets do we need to protect? As Federal entities, our assets can be grouped roughly into three categories: (1) personnel; (2) facilities; and, (3) information. I think we've gotten a pretty good handle on the physical protection aspect of security - not much has changed in how this is done. In the information security arena we continue to make progress, but the speed of technology changes (improvements?) makes our job one of shooting at a moving target. Personnel security has numerous facets, one of which is protecting our people from harm (primarily physical security and safety issues). However, in the information systems world, we are more concerned with protecting those systems from people, both insiders and outsiders.

Outsiders we know about - hackers and crackers and espionage perpetrators. Of course, these same folks can be insiders as well, and they often have the advantage of being authorized users of our systems. Therefore, protecting our information and systems from insiders is more difficult because we assume a certain amount of trust in our "authorized" users.

So, what are some of the steps we can take as "information systems security educators"?

  •  Prepare ourselves by knowing our vulnerabilities and the threats
  •  Prepare an effective awareness program (http://csrc.nist.gov/ATE/awareness.html)
  •  Work with Human Resources and Personnel Security organizations to help get the message out
    •  Initial briefings for new employees should include cyber security
    •  Technical training should include a brief module on cyber security
    •  Annual briefings by the Security organization should include cyber security
  •  Work with your LAN/Intranet folks to broadcast cyber security messages
  •  Initiate or participate in annual Computer Security Day events
  •  Carry out a poster program
  •  Be sure computer/cyber security articles are in your organization newsletters
  •  Network with your FISSEA peers to get ideas, information, and products
  •  Practice what you teach


Lucky Attendees Debut New Training Tool

By Patricia Black, US Department of Treasury

An updated "Federal Information Systems Security Awareness" course was unveiled at the March 2002 FISSEA Conference. The web-enabled, fully interactive multimedia security course contains 5 modules, which take less than 1 hour to complete. The awareness material is generic (not agency specific) yet basic (appropriate for any computer user). It will focus federal computer users' and contractors' attention on the protection of information when using the computer. It reviews why information systems security is important to the user, threats to information systems including insider threats and social engineering, malicious code, user's roles and responsibilities including computer ethics and concerns with wireless technologies, and new developments in information systems security. The tool also includes links to security resource sites, points of contact in the systems security community and a glossary of terms.

One new course feature of which FISSEA is most proud was highlighted at the FISSEA Conference. Susan Boaz, a visually impaired Computer Specialist with the Department of Veterans Affairs, demonstrated the course's accessibility element. Susan used a program called JAWS, which stands for Job Access with Speech. JAWS is an innovative screen reading program for Windows that enables blind and visually impaired individuals to access the information on their personal computer. The "Federal INFOSEC Awareness" course includes a 'text only' version, which Ms. Boaz accessed with the JAWS reader.

After displaying the steps a visually impaired user would take to access the course, Ms. Boaz commented on the success of the course in meeting the requirements of Section 508 of the Americans with Disabilities Act. During her presentation, Ms. Boaz stated, "The course is very good, and the text version works well with the JAWS reader." Ms. Boaz suggested ways in which future versions of the course could be improved. She advised FISSEA and the Defense Information Systems Agency (DISA) to seek ways to allow JAWS to 'access' all that is transpiring on the screen - the multi-media features, and not just the narrator's and screen text information. One approach would be to create one multi-media presentation with an HTML overlay for menus and links. This would allow the visually impaired computer user to access all links via keystroke. Initial feedback from FISSEA conference attendees on this portion of the agenda has been positive. It was an enlightening presentation for security trainers. Course designers attending the presentation spoke enthusiastically about ways they would improve accessibility in future versions of the course.

So, if you are looking for a solution to meet your agency's computer user training requirements, go to the DISA Website http://iase.disa.mil/ETA and order a free copy of the course on CD-ROM. The course will run in the web environment on an agency's Intranet, on the Internet, or on an employee's desktop computer via CD-ROM. Minimum system requirements and installation directions are included on the CD-ROM cover.

Credits: Working with an interagency group, FISSEA partnered with DISA to perform content review and define requirements for the new awareness product. Thanks to representatives from the National Security Agency, General Services Administration, Energy, Federal Drug Administration, National Institute of Standards and Technology, Interior, Federal Aviation Administration, National Aeronautic and Space Administration, National Labor Relations Board and Treasury, federal agencies now have another tool to use in meeting the training requirements of the Computer Security Act of 1987. But the true leader for this effort was Maryann Dennehy, Program Manager of the DISA ETA program. Through Ms. Dennehy's unwavering support and yearlong efforts, funding for the development and distribution of this product was made possible. The Federal government is indebted to Ms. Dennehy and DISA for championing this project and assisting FISSEA in meeting its goal of improving information systems security training throughout the federal government.


Security Awareness Programs

Dale Bachman, Ph. D., CISSP
Security Practice Manager
Sprint E|Solutions

Here's some old news: information security is not (just) a technical issue. "Everyone knows" that a good security system includes a policy that embodies the security goals and strategy of the organization, procedural and technical controls to enforce the policy, and a managed approach that allows you to measure your current position and improve it as time goes on. Everyone knows that it requires the support of executive management. But just as important as all of these is the culture of the organization, and the knowledge and involvement of employees in the security system.

Overview
A security awareness program comprises a series of educational opportunities, along with a system of motivators: rewards for desirable behavior and penalties for undesirable behavior. Each of these components must be appropriate to the target audience and, like any other program, must be managed for improvement.

The aim is simple: to communicate the relevant portions of the security policy and procedures to the entire enterprise.

Audience
Usually there are three segments of the enterprise that have very different security education needs.

Executives - this will be both the most important and the most difficult group of users to educate. They are most important because executive support means better funding for security programs, an easier time developing necessary security components, and more ability to motivate the rest of the enterprise. On the other hand, executives will have less time and attention to devote to security education, and will be less subject to motivation from the security organization.

Security and IT administration - these employees have specific security responsibilities, and will probably require individualized training. However, they still need to see the user training, so that they can understand how the users view the security organization and what will be expected from them.

General users - the majority of the population, will need to know how they fit into the security system, what their responsibilities are, and where they can turn for help.

Venue
There are a number of ways to get the message across, depending upon the culture of your organization and the level of management support (and budget) for security awareness. You'll probably select more than one of these methods to use for different groups and to ensure that everyone receives the message more than once.

The most obvious venue is the classroom, but it can also be one of the most expensive. Consider distance-learning options such as online courses to reduce costs. For executives, individual sessions may be necessary to accommodate a busy schedule - and try to incorporate demos in these sessions in order to engage the executive. And don't forget the rest of the program: directed messages (e.g., mass emails or articles in newsletters), town meetings, and all the corner-of-the-eye items that keep security in your employees' minds.

Remember that security awareness is not a single-shot issue. You'll have to continually remind your employees of their responsibilities, and periodically refresh the training.

Content
Of course the message you're trying to communicate includes the portions of the security policies and procedures that apply to the audience. But there should probably be more, even in a classroom course. Your employees should feel that they're a part of the system, and that they know enough to be helpful, so they need to have an overview of information security. The course also needs to be relevant and interesting if you expect them to retain the information, so including elements that can be used at home (e.g., how to protect their children from online predators) would be not only civic-minded, but also productive. Security is a contract between the provider and your employees. The awareness programs outline the responsibilities and the terms of this contract.

Testing
There are people who claim that no course is complete without a comprehensive test. I don't happen to believe that, but testing can be a good way to make sure the material was delivered, especially if an online course is used. At the very least, each employee should sign a statement saying that she/he has seen and understands her/his security responsibilities. I recommend that any tests be "open book", since you're trying to test awareness and the ability to find information when it's needed.

Conclusion
I've tried to show some of the components of a good security awareness program, but I make no claim that this is an exhaustive list. Like any program, continual improvement is necessary to keep it vital and targeted, and the best way to make it effective is to use the feedback from participants. Help your employees understand the security goals and threats, so that they can help prevent and detect incidents. This is the real goal of the security awareness program: transforming the employees from a sea of possible security holes into an integral part of the security system, actively involved in the monitoring and escalation process.

[The preceding article was published in a May 2002 issue of Network World and has been submitted by Philip Sibert after requesting permission from the author to reprint.]



Freedom is Not Free

Submitted by Brian Schultz, Integrity Security Solutions

Freedom came at a great price to American soldiers and their families during the Revolutionary War, War of 1812, Civil War, Spanish American War, World War I, World War II, Korea, Vietnam, Iraq and now with terrorism. These soldiers were trained by drill sergeants and drill instructors to prepare them for the fight. The training that these soldiers received saved a great many of their lives during battle. They were prepared to fight. They knew what to do and when to do it. Bottom line - good training saved lives.

We honor those who protected our freedom through the observance of Memorial Day, Veterans Day, parades, memorials and 21-gun salutes. These men and women made great sacrifices and some of them gave their lives so that we may stand free against tyranny and oppression. It is right for us to honor those who gave so much. However, much like the unrecognized drill instructors who saved so many lives through their work, the information security training professional has gone unrecognized as well. The information security training professional today is preparing the information security professionals and systems users for the frontlines of the next war - the cyber war.

Freedom is defended on the frontlines of the battlefield; however, freedom is also defended from your desk - every day, through your blood, sweat and tears, you tirelessly work to preserve our freedom. Your struggle is not a single battle but a long war, a marathon, against the forces that could destroy our way of life. Sometimes under-resourced, and certainly with little public appreciation, you fight the fight for freedom. Thank you!

-Anonymous-

INTEGRITY Security Solutions
A not-for-profit organization dedicated to supporting the Federal government in creating cross-cutting security solutions



FISSEA Executive Board Meetings

The FISSEA Executive Board meets monthly at NIST North in Gaithersburg, Maryland. The Executive Board meetings are open to the membership, however, for security reasons one must provide notification at least a week ahead of time by sending an e-mail to fisseamembership@nist.gov. One must receive an acknowledgment before attending. The FISSEA Executive Board meetings for the remainder of the 2002-2003 term are tentatively set for:

  •  June 11, 2002
  •  July 9, 2002
  •  August 13, 2002
  •  September 10, 2002
  •  October 8, 2002
  •  November 19, 2002
  •  December 10, 2002
  •  January 14, 2003
  •  February 11, 2003
  •  March 4, 5, 6, 2003 - Annual Conference



Trainia

{This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security Awareness, Training, and Education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at lmn@nrc.gov }

*************************

25-26 June 2002, The Kansas City Security Coalition (KCSC), in affiliation with the Federal Executive Board, announces the 2nd Annual Security Symposium. This free seminar will be held June 25-26, 2002 from 8:00 a.m. to 4:00 p.m. at the National Weather Service Training Center, 7220 N.W. 101st Terrace, Kansas City, MO. Topics: The seminar will provide the latest information on Homeland Security, Continuity of Operations Planning (COOP), and Biometrics. Ray "Dice Man" Semko, Interagency OPSEC Support Staff, will be featured. The agenda and additional information may be found at http://kcfeb.gsa.gov/kcsc. You must be a federal government employee or a contract employee who has been issued an identification badge by his/her federal agency to attend. Please register by providing your name, agency, address, and phone number to Victoria.l.schuldt@irs.gov or call 913-345-5819 no later than June 14, 2002. Requests for special accommodations should be directed to this same email address.

*************************

11 July 2002, An Information Security Workshop Designed for the Small Business or Organization. Email, payroll, proprietary information, and client or employee data are essential to a business's success. A computer failure or other system breach could cost a business anything from its reputation to its competitive advantage. NIST information security guidelines are used throughout public and private sectors around the world. Now NIST has partnered with the Small Business Administration (SBA) and the National Infrastructure Protection Center (NIPC) to offer a workshop to help small businesses and other organizations across America increase the security of THEIR information systems. At this workshop, a small business owner can learn how to define information security for his/her business, how to identify IT threats and vulnerabilities, and how to select cost-effective, business-appropriate solutions.

The next workshop will be held in Washington, DC on July 11th, 8:30am to 4pm at the Small Business Administration, 409 3rd St SW, Washington DC. This is a great opportunity to help resource your small business partners. For an agenda, registration materials and other workshop details, visit: http://csrc.nist.gov/securebiz, or call Alicia Clay (301) 975-3641.

*************************

4-5 September 2002, InfowarCon 2002: Homeland Defense and Cyber-Terrorism in Washington, DC. Presented by MIS Training Institute and Interpact, Inc. and now in its 9th year, InfowarCon offers proven strategies for protecting against threats to critical infrastructures and government systems. As an event highlight, InfowarCon is hosting free, real-time cyber-war games for all attendees. Round-the-clock exercises will let players test their hacker smarts against four servers set to varying degrees of "crackability." For more information and to register, contact MIS Training Institute at 508-879-7999, ext. 346, or go to www.misti.com, E-Z Access IW02.

*************************

FISSEA's pal Mich Kabay (mkabay@compuserve.com), along with Sy Bosworth, has finally published the long-awaited Computer Security Handbook, Fourth Edition. This two-inch-thick compendium of vital information has already been selected as the student text for several university courses. The variety of substance and depth of subject matter is a testimony to the myriad chapter authors and the two editors. In fact, three other FISSEA members consorted to provide an easy-to-read chapter on "Awareness." Chapter 29 authors K Rudolph, Gale Warshawsky, and Louis Numkin brought lots of personal experiences, interesting new ideas, and resource recommendations to this section, which is guaranteed to help everyone from first-timers to experienced practitioners set up or improve computer security awareness programs. Other topics of interest include: Studies and Surveys of Computer Crime; Information Warfare; Mobile Code; Firewalls and Proxy Servers; E-Mail and Internet Use Policies; Computer Emergency Quick-Response Teams; Management Responsibilities and Liabilities; Privacy in Cyberspace; and 50 more. This appears to be a worthwhile addition to any practitioner's library, is available from John Wiley and Sons, Inc., and can be found in the usual book-selling places.

*************************

ISO 17799 - Information Security Management System
If your information's not safe, your future is not secure.
BSI CEEM offers a full complement of instruction in public and private venues, in addition to providing publications and assessment services. For more information, contact Craig Heier at 703-464-1956, craig.heier@ceem.com.

To find out more about ISO 17799 and what an Information Security Management System is, attend their upcoming free Webinar. It will also be announced on their website at www.ceem.com.
Thursday, June 20, 2002
    (1) 12:00pm Eastern, 9:00am Pacific
          Meeting Number: 18044339
          Voice Bridge: (408) 435-3833
    (2) 3:00pm Eastern, 12:00pm Pacific
          Meeting Number: 15676286
          Voice Bridge: (408) 435-3833

Dates, locations, and costs for the courses below are listed on their public course schedule at www.ceem.com. Ask about special discounts for their June and July courses.

  •  ISO 17799 - Understanding an Information Security Management System. A general introduction to the international Information Security Management System standard.
  •  BS 7799-2 Information Security Management System Auditor. Prepares attendees for the qualification process for BS 7799-2:1999 and trains them on how to conduct audits for Registration Bodies or internal to the corporation.
  •  ISO 17799 Information Security Management System Implementation. Provides attendees with the necessary skills to implement an ISMS that is compliant with the code of practice of ISO/IEC 17799:2000 and meets the registration requirements of BS 7799-2:1999.

*************************

The SANS Institute (sans@sans.org) has announced that it is offering Instructor Led On-line Training! An FAQ can be found at the SANS Instructor Led On-line Training web page, http://www.sans.org/onlinetraining/instructorled.php. This program will start with SANS Security Essentials and combines elements of traditional SANS conference training and their on-line training program.

Initially SANS Instructor Led On-line Training will only be offered in the United States and Canada so that students will have access to an 800 number to reach SANS instructors and teaching assistants during office hours. Course takers will also have a dedicated email address and electronic bulletin board that is monitored by the instructor and teaching assistant team. The teaching team will be available for a ten-week period, but if one falls behind, there is flexibility, as students will have a full six months to complete the training and will have bulletin board access the entire time.

SANS Instructor Led On-line Training is based on the SANS local mentor program (http://www.sans.org/onlinetraining/mentor.php), which uses a ten-meeting format where students meet, ask questions and help each other prepare for certification.

*************************

Security University is offering courses in:

  •  Total IDS Experience - Understanding the essentials necessary for creating a detection and analysis center.
  •  "Ultimate" Penetration Test - Study vulnerable servers, network devices & more from an attacker's perspective using their tools & techniques.
  •  Advanced Network Security Architecture - Evaluate business models and create advanced secure network designs.
  •  "Naked Virus" Advanced Malware - See the Naked Virus: NIMDA, CODE RED and others and learn how to mitigate risk from these pesky incidents.
  •  Forensics 101 and Advanced Forensics - An in-depth hands-on look at high tech crime fighting and best practices in computer forensics.

For more information, contact Sondra Schneider (s0ndra@securityuniversity.net) or phone (1) 203 357 7744. Hands-On Class Dates & Highlights in Washington, DC, Chicago, and San Francisco can be seen at http://www.securityuniversity.net/sched.htm

*************************

Stephen Northcutt of The SANS Institute wrote that the growing demand from security managers to make sense of the unprecedented volume of data coming from routers, firewalls, anti-virus consoles, intrusion detection systems and more is a real challenge. We must convert that data storm into information that allows us to make informed security decisions, to find anomalies and to correlate disparate events. Also, top government management is demanding that their security staff tell "how secure" their systems are in comparison with those of other agencies. In order to respond, we need to know the actual state of our defenses and the risks we face, and for that we need metrics that are technical, detailed and effective. A research study was begun at SANS Washington DC (May 6 - 11, 2002), where SANS presented the state of the art of both enterprise security management and site certification. It will investigate improvements in both areas. A wrap-up of the research will be presented at the SANS Network Security conference in Washington, October 18 - 25, 2002.

*************************

We have received this site info from an NSA pal. Please note that the following is not a government site but you may want to bookmark it as an information source.

The National Homeland Security Knowledgebase Website provides links to just about anything and everything you ever wanted to know about chembio, state preparedness, medical, weapons of mass destruction, emergency food and storage - everything. Pick and choose your favorite topics at: http://www.twotigersonline.com/resources.html

*************************

Philip Sibert has another "Siber' Space Snippit" for you:
Cyberspace Full of Terror Targets
Government and private computer networks are facing new threats of terrorist attacks, ranging from an attempt to bring havoc to a major city to nationwide disruptions of finances, transportation and utilities. Individuals with knowledge of national intelligence briefings say little has been done to protect against a cyber attack. Threats come from individuals who might have connections to Osama bin Laden's al-Qaeda network in Pakistan and elsewhere. An April 18th meeting of government intelligence and information-technology officials discussed protecting the nation's computer networks. Officials are most concerned that a cyber attack could be coupled with a conventional terrorist attack.

Mark Your Calendars
16th Annual FISSEA Conference -
March 4, 5, 6, 2003

New Location: The Hilton in Silver Spring, MD
Conference Director: Donna Robinson-Staton
Program Director: Curt Carver
Three days only $275
Submissions for the next issue are due by July 31. Send articles to Louis Numkin, lmn@nrc.gov.


Please send comments or suggestions to webmaster-csrc@nist.gov.
Last Modified: January 7, 2002.