The White House's national strategy to protect cyberspace, scheduled for release in September, will contain a provision that extends a federal scholarship-for-service program to the state level, said Richard Clarke, cybersecurity adviser to President Bush.

The Federal Cyber Service program provides scholarships to undergraduate and graduate students studying computer security in exchange for two years of federal service. The first group of students is nearly finished with their first year in the program.

Six universities - the University of Tulsa, Carnegie Mellon University, the Naval Postgraduate University, Iowa State University, the University of Idaho and Purdue University - have received scholarship money. Currently, 66 students ages 20 to 64 participate in the program.

The cybercorps is important because the government does not have enough trained experts to protect federal systems, Clarke said, speaking July 22 at the 2002 Cyber Corps Symposium at the University of Tulsa. "We will fight a future cyberwar," Clarke said. "Right now we are not in good shape." The nation is dependent on cyberspace, which opens up vulnerabilities that need to be fixed, he said.

Recognizing that state and local agencies also need trained professionals to protect their networks, the cybersecurity strategy "calls upon state governments to create a state cybercorps," Clarke said.

Clarke would not reveal additional details of the cybersecurity strategy.

The Cyber Service program is scheduled to get a boost from the emergency supplemental funding bill scheduled for a vote in Congress this week. The bill contains $19 million to expand the Cyber Service program, Clarke said. "The president thought this was an emergency."

If the provision remains in the bill, the program would be extended to four additional schools in September.

["Reproduced with permission of Federal Computer Week,Copyright, Federal Computer Week Media Group. All rights reserved."]

Information recently received:
You may want to contact Miguel Hernandez, 210-805-2423 ex 502 or Cathy Robinson, ex 506, they are the OPM program managers.
Some background information may be found at
http://www.opm.gov/hr/employ/products/recruitment/scholarship/scholarship.htm

What does it take to persuade individuals in the workplace to take the proper precautionary measures to mitigate information security risks? How do we change the behavior of recalcitrant employees who remain unconvinced that significant information security threats actually exist? This is a difficult task that FISSEA's members face everyday. Luckily, information technology, the source of this situation, also offers new tools that can help in the battle of persuasion.

Due to advancements in real-time monitoring, detection, and analysis technologies, accurate and verifiable information about actual intrusions can now be used to persuade workplace skeptics that information security threats actually do exist. Until recently, references regarding these threats have been largely hypothetical, hearsay, and conjecture. But all of that's changed. We can now display on a computer screen the electronic renditions of actual intrusion happening in real time. And the audit trails generated by these intrusions, analyzed with new methods of data mining, also offer unassailable evidence that the threats are indeed real.

In recent years, real-time electronic monitoring and reporting tools have become quicker and more accurate than previous generations of information security technologies. Extraordinary data mining analysis tools also allow us to identify the type of assault, where it's coming from, its nature, and whether or not it's successfully penetrating the established layers of electronic defenses.

We have entered a new age of information warfare where we can instantly detect and display detailed accounts of Internet-based intrusions, and other acts of unauthorized access. The Titan Systems Corporation has been helping the Defense Information Systems Agency perform these activities for more than half a decade, and our information security analysts have been utilizing increasingly sophisticated tools for maintaining the security of an electronic enterprise. As various civilian agencies in the Federal government move forward in establishing the next generation of 24x7 cyber network real-time monitoring, detection, and response operations, these new tools, and the reports they generate, can also be used by Information Security Officers and others tasked with communicating the need for individuals to engage in precautionary measures.

This type of information is useful because many individuals don't want to be bothered with the responsibilities associated with protecting information assets. Yet, if a convincing argument can be made, people will pay attention -- especially if they feel the threat. The old parable about putting a frog in a pot of water tells the story well. If the water's boiling hot, the frog will jump out immediately. But put him in a pot of cool water, and gradually turn up the heat, and he won't notice the rising temperature -- until it's too late.

When it comes to information security, many individuals appear to be biding their time, like frogs sitting in cool water. But unlike the boiled frogs, we have the ability to learn -- without direct negative experience. The information gleaned from intrusion detection devices and data mining analysis tools can offer confirmation that in some places the water is already boiling, and for many people, that's all the evidence they need to begin engaging in their information security responsibilities. Those tasked with communicating the importance of information security would be well?advised to utilize the persuasive statistical reports these new tools provide.

The FISSEA 2003 Conference planning is underway! This year's conference theme is " SECURING YOUR CYBER FRONTIER THROUGH AWARENESS, TRAINING AND EDUCATION". The conference dates this coming year are March 4-6, 2003. We are moving to a"NEW" location based on numerous requests from previous conference attendees.

The conference will be held at the Hilton Hotel in Silver Spring, MD. This should be ideal for everyone as it is close to public transportation, a primary consideration of those requesting a different location. More information on registration and logistics for lodging, parking and transportation will be available in the months ahead.

The planning committee is working towards providing a 1st class conference that will not only enhance your knowledge but will provide more information sharing in the areas of awareness and training through government, industry and academia.

The committee and Executive Board have already heard from many of you regarding the FISSEA 2003 conference. We thank everyone for your continued support and commitment in making FISSEA successful year after year as we continue to strive for "excellence" in our profession. Many of your ideas and comments will be useful and helpful in developing and shaping the conference.

If you are interested in working with the committee or have any ideas on specific topics, or you have attended training seminars/workshops that provided you with good information to share, please contact me at my email address: Donna_Robinson-Staton@hud.gov.

More information on potential and confirmed speakers and conference topics will be made available, shortly. Please visit the FISSEA website, http://csrc.nist.gov/fissea for the most recent news. The committee is also planning to begin an advertising and public relations campaign in September to promote the conference and to gain more interest from government, industry and academia in attending.

I look forward to fulfilling the challenging, but rewarding and exciting role as the FISSEA 2003 Conference Director. The Program Director for FISSEA 2003 Conference is Curt Carver, Academy Professor with the U. S. Military Academy at West Point, New York.

On behalf of the Executive Board, Planning Committee Members, Curt Carver and myself, we are at your service to bring to you an exciting and rewarding conference for FISSEA 2003!

FISSEA 2003 Conference Director
Donna Robinson-Staton
Director, Enterprise Security Awareness & Training
Dept. of Housing Urban & Development

FISSEA will participate in the "Federal Information Assurance Conference 2002." Training tracks and vendor exhibits will be held October 29 and 30, and special half-day workshops will be offered on October 31, 2002. All sessions will be at The Inn and Conference Center, University of Maryland University College, in College Park, MD.

This is the 2nd Annual Federal Information Assurance Conference (FIAC) which is trying to fill the void that followed demise of the much-beloved multi-year National Information Systems Security Conference, which was coordinated by NIST and NSA. FIAC is an event for the government and designed by the government. It is specifically to meet the real-world information assurance needs of the Federal Government and its workforce. The current list of participating organizations include but are not limited to: NIST, NSA, NIAP, NRC, GSA, VA, Army, DoD, HUD, and Government Computer News (GCN). Overall coordination of the conference is being handled by the Federal Business Council (FBC) which also provides the vendor exhibits for FISSEA's annual conferences.

Based on the success of last year's conference and the constantly growing need for security, you can find all the information you need at the FIAC website, www.fbcinc.com/fiac.

FISSEA representatives are building Track C and part of Track A so that areas are included to especially benefit computer security educators/trainers, and will also have a booth in the exhibit area.

Here are some highlights of what you can expect at FIAC 2002:

• Richard Clarke, Special Advisor to the President for Cyberspace Security and Chairman of the President's Critical Infrastructure Protection Board, will be the Keynote Speaker on October 29, 2002.



• Also, on October 29th, a General Session will be held to address "GISRA to FISMA - What You Need to Know."



• The NIAP Validated Products Certificate Presentation will take place on October 30th.



• Some of the other sessions at FIAC 2002 include: IT Product Implementation Guidelines, Security Training & Awareness, New Certification and Accreditation Initiatives, Incident Response, Biometrics, Cybercrime, Risk and Vulnerability Assessment/Penetration Tools, IT Security Testing Programs, Intrusion Detection, On-Line Privacy and Public Safety Requirements, and more.

The half-day tutorials on October 31 will address:

1. Certification & Accreditation



2. Common Criteria Validation and



3. Homeland Security Threats.

{Tutorial fees are separate from the conference fee. More details will be posted on the website.}

For those who are "hungry" for knowledge, it is worth noting that food provided for the 2001 FIAC was rated very highly by those in attendance, so this event will nourish your mind as well as your body!

Last year's event had over 400 in attendance and this year it is anticipated that FIAC will sell out at 750 attendees. Registration information, updated sessions, speaker details and more can be found at www.fbcinc.com/fiac.

{This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security Awareness, Training, and Education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at lmn@nrc.gov }

*************************

Philip Sibert has another "Siber' Space Snippit" for you:
CISSP Changes
Last month, the Certified Information Systems Security Professional (CISSP) club became a bit more exclusive. In addition to passing the CISSP exam, candidates must receive a written endorsement from a CISSP attesting to their experience and suitability for the title. And starting in 2003, Framingham, Mass. - based International Information Systems Security Certification Consortium Inc. will require CISSPs to have four years of experience or "three years with a college degree or equivalent life experience."

*************************

10-12SEP2002 HealthSec 2002 Conference and Expo, Atlanta, GA. Now in its 8th year, HealthSec takes you beyond the basics of HIPAA, delivering in-depth information about privacy requirements and providing detailed security implementation tactics. For complete conference details, go to http://www.misti.com/ (Please use HS02/EB1 as your priority code when registering.) MIS Training Institute, (508)879-7999.

*************************

10-12SEP2002 The Conference on Mobile and Wireless Security, Atlanta, GA. Optional workshops Sept 9 & 13. MIS Training Institute, (508)879-7999. Go to: http://www.misti.com/ (Please use MWS02/EBAL as your Registration Code.)

*************************

18-19SEP2002 E-Learning 2002 Conference at the Ronald Reagan Building in Washington, DC. Building Advanced Information Environments. Designed by a Program Advisory Board comprised of government and industry leaders, this second annual conference is the one place you can get advice, ask questions, and talk to the people who are implementing and developing E?Learning strategies today. Go to: http://www.e-gov.com/events/2002/el/

*************************

26SEP2002 An Information Security Workshop Designed for the Small Business or Organization. Email, payroll, proprietary information, client or employee data - information is essential to a business's success. A computer failure or other system breach could cost a business anything from its reputation to its competitive advantage. NIST develops guidelines to increase secure IT planning, implementation, management and operation in sensitive federal government systems. These guidelines are used throughout public and private sectors around the world. Now NIST has partnered with the Small Business Administration (SBA) and the National Infrastructure Protection Center (NIPC) to offer a workshop to help small businesses and other organizations across America to increase the security of THEIR information systems. At this workshop, a small business owner can learn how to define information security for his/her business, how to identify IT threats and vulnerabilities, and how to select cost effective, business appropriate solutions. The next workshop will be held in Chicago, IL: Sept 26th 8:30am - 4pm. For an agenda, registration materials and other workshop details, visit: http://csrc.nist.gov/securebiz Contact Dr. Alicia Clay at securebiz@nist.gov.

*************************

18-25OCT2002 SANS Network Security. By far the largest security conference in Washington is Network Security 2002 (NS2002) in late October -- and this year it includes the National Information Assurance Leadership Conference at which the Army, Navy, Air Force, Marines and Coast Guard will all be running their separate Service-Wide IA Leadership programs and the Internet Threat Update and Dick Clarke's keynote will be available to all five services. Full explanation of NS2002 is at http://www.sans.org/NS2002. Or contact Alan Paller, 301-951-0102 x108, paller@sans.org.

*************************

29-30OCT2002 Internet Security Tools & Techniques, Gaithersburg, MD.
31OCT-1NOV Intrusion Detection, Attacks & Countermeasures, Gaithersburg, MD.
14-15NOV2002 How to Create and Sustain a Quality Security Awareness Program, Chicago, IL. For more information on the Computer Security Institute classes, go to www.gocsi.com, or call (415)947-6320.

*************************

29-31OCT2002 Federal Information Assurance Conference (FIAC). (See column on page 4.) Visit the FIAC website at www.fbcinc.com/fiac. Register through Federal Business Council, Bob Jeffers (bj1@fbcdb.com).

*************************

11-13NOV2002 CSI 29th Annual Computer Security Conference and Exhibition. Computer Security Institute (CSI) is a leading membership organization specifically dedicated to serving and training the information, computer and network security professional. Since 1974, CSI has been providing education and aggressively advocating the critical importance of protecting information assets. CSI sponsors two conference and exhibitions each year, NetSec in June and the CSI Annual in November, and seminars on encryption, intrusion management, Internet, firewalls, awareness, Windows and more. E-mail csi@cmp.com, telephone 415-947-6320 or visit the website at http://www.gocsi.com

*************************

30NOV2002 Computer Security Day http://www.geocites.com/a4csd For more information contact Lee Ohringer: 301-229-2346

*************************

Hawaii International Conference on System Sciences - Call for Papers for the minitrack Secure and Survivable Software Systems part of the Software Technology Track of the Hawaii International Conference on System Sciences, January 6-9, 2003, Hilton Waikoloa Village, Big Island, Hawaii. Contact Axel Krings, Ph.D., Assoc. Prof. Computer Science, University of Idaho, Moscow, ID 83844-1010. Phone 208-885-4078, http://www.cs.uidaho.edu/~krings

*************************

Securing Windows 2000 - One day Course.Hands on. Stephen Northcutt of The SANS Institute announced this new course and reported you will receive the training needed to build both the skills and confidence to use the new standards. For more information on the Standard Operating Environment (SOE) in the USA for Windows 2000 called the Gold Standard, go to http://www.sans.org/Gold/glance.php