News and Views August 2002
Issue Two of FISSEA Year 2002-2003
From the Executive Board Chair
Greetings,
Your FISSEA Executive Board members are very busy as well trying to find the time and resources to meet regularly, establish and implement project plans to accomplish our many objectives, and be accountable to each other and ourselves to finish all our tasks completely and timely. All of us are still employed on full-time jobs and must do our paid work well enough for our employers to allow us to voluntarily serve FISSEA too.
Ensuring that our 16th Annual FISSEA Conference on March 4 through 6, 2003 meets and exceeds your expectations and ours is difficult, but still is our goal and can be done. We continue to look for outstanding presenters who are willing to volunteer their time and talent for our benefit. I am thankful that so many of you responded to my email request for volunteers to assist with our conference in some meaningful way. If the Conference Committee has not contacted you yet, expect to hear from them shortly. It is also not too late to share your ideas and suggestions with us.
Finally, I hope that you reviewed and sent your comments to Mark Wilson on the much-needed NIST draft Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program". I think this document will be very helpful to agencies who are still establishing their programs and those that are trying to enhance their existing security awareness and training program. The guide is available via the web at http://csrc.nist.gov/publications/drafts.html. After reviewing the publication, I believe you will find that it provides clear guidance on ways to assess training needs and then design, develop, implement and maintain a viable IT security awareness and training program within your agency. I am hoping that we will be able to persuade Mark to do a session at our upcoming FISSEA conference on this subject.
Barbara G. Cuffie, CISSP
Cybercorps to Extend to States
By Colleen O'Hara
The White House's national strategy to protect cyberspace, scheduled for release in September, will contain a provision that extends a federal scholarship-for-service program to the state level, said Richard Clarke, cybersecurity adviser to President Bush.
The Federal Cyber Service program provides scholarships to undergraduate and graduate students studying computer security in exchange for two years of federal service. The first group of students is nearly finished with their first year in the program.
Six universities - the University of Tulsa, Carnegie Mellon University, the Naval Postgraduate University, Iowa State University, the University of Idaho and Purdue University - have received scholarship money. Currently, 66 students ages 20 to 64 participate in the program.
The cybercorps is important because the government does not have enough trained experts to protect federal systems, Clarke said, speaking July 22 at the 2002 Cyber Corps Symposium at the University of Tulsa.
"We will fight a future cyberwar," Clarke said. "Right now we are not in good shape." The nation is dependent on cyberspace, which opens up vulnerabilities that need to be fixed, he said.
Recognizing that state and local agencies also need trained professionals to protect their networks, the cybersecurity strategy "calls upon state governments to create a state cybercorps," Clarke said. Clarke would not reveal additional details of the cybersecurity strategy.
The Cyber Service program is scheduled to get a boost from the emergency supplemental funding bill scheduled for a vote in Congress this week. The bill contains $19 million to expand the Cyber Service program, Clarke said. "The president thought this was an emergency." If the provision remains in the bill, the program would be extended to four additional schools in September.
["Reproduced with permission of Federal Computer Week, Copyright, Federal Computer Week Media Group.
All rights reserved."]
Information recently received:
Statistical Persuasion
By David Sostman (Titan Systems Corporation)
What does it take to persuade individuals in the workplace to take the proper precautionary measures to mitigate information security risks? How do we change the behavior of recalcitrant employees who remain unconvinced that significant information security threats actually exist? This is a difficult task that FISSEA's members face every day. Luckily, information technology, the source of this situation, also offers new tools that can help in the battle of persuasion.
Due to advancements in real-time monitoring, detection, and analysis technologies, accurate and verifiable information about actual intrusions can now be used to persuade workplace skeptics that information security threats actually do exist. Until recently, references regarding these threats have been largely hypothetical, hearsay, and conjecture. But all of that's changed. We can now display on a computer screen the electronic renditions of actual intrusions happening in real time. And the audit trails generated by these intrusions, analyzed with new methods of data mining, also offer unassailable evidence that the threats are indeed real.
In recent years, real-time electronic monitoring and reporting tools have become quicker and more accurate than previous generations of information security technologies. Extraordinary data mining analysis tools also allow us to identify the type of assault, where it's coming from, its nature, and whether or not it's successfully penetrating the established layers of electronic defenses. We have entered a new age of information warfare where we can instantly detect and display detailed accounts of Internet-based intrusions, and other acts of unauthorized access.
The Titan Systems Corporation has been helping the Defense Information Systems Agency perform these activities for more than half a decade, and our information security analysts have been utilizing increasingly sophisticated tools for maintaining the security of an electronic enterprise. As various civilian agencies in the Federal government move forward in establishing the next generation of 24x7 cyber network real-time monitoring, detection, and response operations, these new tools, and the reports they generate, can also be used by Information Security Officers and others tasked with communicating the need for individuals to engage in precautionary measures.
This type of information is useful because many individuals don't want to be bothered with the responsibilities associated with protecting information assets. Yet, if a convincing argument can be made, people will pay attention -- especially if they feel the threat. The old parable about putting a frog in a pot of water tells the story well. If the water's boiling hot, the frog will jump out immediately. But put him in a pot of cool water, and gradually turn up the heat, and he won't notice the rising temperature -- until it's too late.
When it comes to information security, many individuals appear to be biding their time, like frogs sitting in cool water. But unlike the boiled frogs, we have the ability to learn -- without direct negative experience. The information gleaned from intrusion detection devices and data mining analysis tools can offer confirmation that in some places the water is already boiling, and for many people, that's all the evidence they need to begin engaging in their information security responsibilities. Those tasked with communicating the importance of information security would be well-advised to utilize the persuasive statistical reports these new tools provide.
FISSEA 2003 Conference Update
The FISSEA 2003 Conference planning is underway!
This year's conference theme is "SECURING YOUR CYBER FRONTIER THROUGH AWARENESS, TRAINING AND EDUCATION". The conference dates this coming year are March 4-6, 2003. We are moving to a "NEW" location based on numerous requests from previous conference attendees. The conference will be held at the Hilton Hotel in Silver Spring, MD. This should be ideal for everyone as it is close to public transportation, a primary consideration of those requesting a different location. More information on registration and logistics for lodging, parking and transportation will be available in the months ahead.
The planning committee is working towards providing a 1st class conference that will not only enhance your knowledge but will provide more information sharing in the areas of awareness and training through government, industry and academia. The committee and Executive Board have already heard from many of you regarding the FISSEA 2003 conference. We thank everyone for your continued support and commitment in making FISSEA successful year after year as we continue to strive for "excellence" in our profession. Many of your ideas and comments will be useful and helpful in developing and shaping the conference.
If you are interested in working with the committee or have any ideas on specific topics, or you have attended training seminars/workshops that provided you with good information to share, please contact me at my email address: Donna_Robinson-Staton@hud.gov. More information on potential and confirmed speakers and conference topics will be made available shortly. Please visit the FISSEA website, http://csrc.nist.gov/fissea, for the most recent news. The committee is also planning to begin an advertising and public relations campaign in September to promote the conference and to gain more interest from government, industry and academia in attending.
I look forward to fulfilling the challenging, but rewarding and exciting role as the FISSEA 2003 Conference Director.
The Program Director for FISSEA 2003 Conference is Curt Carver, Academy Professor with the U.S. Military Academy at West Point, New York. On behalf of the Executive Board, Planning Committee Members, Curt Carver and myself, we are at your service to bring to you an exciting and rewarding conference for FISSEA 2003!
FISSEA 2003 Conference Director Federal Information Assurance
FISSEA 16th Annual Conference - March 4, 5, 6, 2003
New Location: The Hilton in Silver Spring, MD
March 4-6, 2003
The Hilton in Silver Spring, Maryland
16th Annual Federal Information Systems Security Educators' Association Conference
CALL FOR PARTICIPATION
FISSEA 2003 is the national forum for information technology systems security awareness, training, and education. The conference will include birds of a feather (new), papers (new), tutorials, panels, presentations, demos, and exhibitions. We invite you to participate by submitting an abstract and joining us in Silver Spring. If you need to learn more about the latest security awareness, training, and education practices and research, this is the conference for you.
Submission deadline for conference:
September 30, 2002
http://csrc.nist.gov/organizations/fissea/conference/2003
Submission Details
Birds of a feather proposals, papers, tutorials, panels, presentations, demos, and exhibition proposals related to security awareness, training and education are welcome. Each submission consists of two parts:
Submit abstracts and proposals (ASCII, postscript, or PDF only) NLT 30 September to curtis.carver@usma.edu.
For additional questions, send email to: curtis.carver@usma.edu
Last Modified: September 16, 2002.