From the Executive Board Chair
Greetings:
It seems like it was only a few days ago since I had the opportunity
to converse with many of you at our 16th Annual FISSEA Conference
in Silver Spring, MD. I am pleased that many of you had the opportunity
to participate in person, and we feel certain that others of you would
have supported us in person if you had been able to do so. We are aware
that some of you who usually attend were unable to come this year because
of funding limitations. Nevertheless, we had a successful conference
and were glad that we had so many people join us for their first FISSEA
event. After thoroughly evaluating and considering all the data you
provided us on your conference evaluation forms, we will try to accept
your suggestions in planning our March 2004 Conference. For example,
we are already investigating another location for next year and will
be posting information about the exact date and location on our website
as soon as it is available.
This is an excellent time to remind you
that we update our website regularly and try to keep you abreast of
our plans, accomplishments, published newsletters, etc. I would be remiss
if I did not thank both Peggy Himes and Patrick O'Reilly, NIST personnel,
for the excellent job they do in keeping our website refreshed. They
have already updated it with the 2003 conference presentations, new
Board member information, etc. Please visit the website at http://csrc.nist.gov/fissea
regularly, and share your feedback and suggestions with us. After all,
FISSEA is your organization, and we want it to be as beneficial to you
as possible. We continue to hope that you will use the list serve as
a means to ask security training related questions. If you follow our
posted rules (e.g., no advertising), one or more of our hundreds of
members will almost always readily reply to your question in an effort
to assist you. This service is available to all members, and you can
set up a contact for the list serve today at fisseamembership@nist.gov.
Finally, I want to thank Steve Willett,
another NIST employee, for working with the Board to develop a membership
survey form. We introduced it and used it to collect data from our members
who attended our conference last month. I want to thank those of you
who completed the survey and remembered to leave it with us to be evaluated.
We must know more about you and your perception of us to be more customer-focused
in serving your needs. With Steve's help, we are in the process of analyzing
the input you provided, making small adjustments in the survey tool
and planning to make the survey available electronically. Stay tuned
to our website so that you can be among our first members to complete
the survey tool from wherever you are. We really do need to get your
insight, volunteer assistance and ideas to be even better. A few of
you indicated that you are willing to volunteer your services, but you
forgot to provide contact information. Please contact us through Peggy
Himes at peggy.himes@nist.gov and let her know how we can contact you.
As always, I thank you for your continued support.
Barbara Cuffie, CISSP
Chair, FISSEA Executive Board
FISSEA Executive Board 2003-2004
* Term ends March 2004
** Term ends March 2005
Barbara Cuffie, CISSP, Executive Board Chair*
barbara.cuffie@ssa.gov
Lewis Baskerville, lewis.baskerville@sba.gov**
LTC Curt Carver, Jr., Conference Program Director, curtis.carver@usma.edu**
Tanetta Isler, tanetta_n._isler@hud.gov**
Dara Murray, CISSP, dmurray@psc.gov*
Louis Numkin, Newsletter Editor, lmn@nrc.gov**
LTC Daniel Ragsdale, dd9182@usma.edu*
Donna Robinson-Staton, donna_robinson-staton@hud.gov*
Robert Solomon, CISSP, robert.f.solomon@nasa.gov*
Mary Ann Strawn, mast@loc.gov*
Marvella Towns, mltowns@nsa.gov**
Mark Wilson, CISSP, NIST Liaison, Assistant Chair, mark.wilson@nist.gov**
NIST Executive Assistant to the Board: Peggy Himes, peggy.himes@nist.gov
Letter From the Editor:
Essential E's = Employers Educate Employees
By Louis M Numkin,
US Nuclear Regulatory Commission
{Let me start by welcoming our readership
back to FISSEA's quarterly newsletter. Permit me to gently nudge each
one of you to consider submitting an article for an upcoming issue.
As you will see in this edition, several of you have already taken us
up on this offer.}
A few months back, I read a SearchSecurity.com
article by Edward Hurley which made some very good points which I will
employ as a basis for this article.
"Your company has security policies,
but can you prove your employees know the policies related to their
jobs?" Negative responses lead to a lack of consistent enforcement.
Ed continued "Handing employees the policies on their first day
of work isn't enough either." I write from the experience of providing
computer security in-processing presentations to our NRC newbies each
week. My wangling and begging has netted me a half hour to give them
a solid foundation on which to survive while working in this agency.
Other than my section, they "have 50 gazillion things to sign,
ranging from benefits to 401k forms." So, even though we consider
this to be their first taste of computer security awareness, Steve Kahan
(President of the Human Firewall Council) succinctly states, "Chances
are they don't pay a lot of attention to material about computer security."
This was the first I had heard of the council
but it is made up of security professionals, analysts, vendors, government
officials, and academics, whose mission is "to raise the security
awareness of organizations by providing research and tools to make employees
more aware of the need for security." They provide measures or
benchmarks so that similar organizations can gauge how their employee
security awareness programs and security management practices rate against
others.
A recent council security awareness study
of more than 1,500 organizations found few in which the employees actually
understood and believed the security policies. "Typically, you
would find even people in the security departments don't know all the
policies," Kahan said.
Examples in the article included that at one point, council members "walked around Victoria Station in London with a BBC camera crew asking passersby for their passwords." Eight out of 10 people willingly gave it on camera, Kahan said. "They didn't understand their password disclosure policies." This is just one
example of why it must be that Employers Educate Employees. Employers
have a myriad of policies, but rarely do all affect all employees. Cutting
down the chaff and only giving the employees what they are required
to follow will be a start in the right direction. At the NRC, we are
governed by Management Directives. Of all of these, #12 deals with Security,
and only #12.5 deals with automated information system security. This
is a very small part of the policies guiding our 3,000 employees.
"Companies then need to test employees to verify that they know the policies," Kahan said. Within the
NRC program, we have an on-line computer security awareness course which
is to be taken by all employees and contractors each year. At the end
of the course, the "student" is to take a quiz. Until this
is completed, training credit is not applied to his/her human resources
record. There are other forms of testing which do not "need to
be boring... A major antivirus vendor recently sent out a bogus e-mail
with an attachment to its employees. The purpose of the exercise was
to see what people would do with suspicious e-mails. A few opened it.
Most just deleted it. Some sent it to the proper person who screens
such things." We can all put on our thinking caps and create innovative
tests to challenge the understanding of our staff members.
"If employees understand policy, they
can be the security department's eyes and ears in the office, on the
lookout for security risks." So, it is our duty as computer/information
security professionals to ensure that behaviors are modified in such
a way as to be consistent with published guidance. Clareon Corp's CSO,
Frank Jaffe, "runs annual security training sessions that include
a security brainstorming session. Employees have the opportunity to
talk about security issues they see in their jobs. 'There is an element
of risk, but it is a good idea,' he said." He goes on to explain
that staff members are encouraged to "talk about security incidents
they have faced." In other words, if an employee successfully uses
a particular security tool (e.g., virus detection, firewall) at home,
then perhaps it might help fellow staffers or even be worth considering
for office use. Employers Educating Employees is essential to improve
employee understanding of why the policies were written and possibly
why they should be modified. This way both employers and employees mutually
benefit from the experience.
FISSEA 2003 Conference:
What You Missed and Congratulations to Patti Black
By Mark Wilson, CISSP, Assistant Chair
NIST
The Federal Information Systems Security
Educators' Association (FISSEA) held its 16th annual conference
in Silver Spring, Maryland on March 4-6. The Conference brings together
information technology security professionals from government, academia,
and industry with an interest in security awareness, training, education,
and professional development issues.
Lieutenant Colonel (LtCol) Curt Carver
of the U.S. Military Academy at West Point served as the Conference
Program Chair. With assistance from the FISSEA Executive Board and volunteers
from the FISSEA membership, LtCol Carver assembled what many have noted
was the best Conference agenda in years. LtCol Carver has offered to
serve again as Program Chair for the next several years. The FISSEA
Executive Board, which met at the close of the Conference on March 6th,
thanked LtCol Carver for his successful work on the 2003 Conference
and welcomed his offer to continue to serve as Program Chair.
Keynote presentations each day challenged
attendees to better prepare themselves for the future by seeking advanced
training and education in IT security, and to make their management
and executives more aware of the need for a vigilant security program.
Keynoters were Keith Rhodes of the General Accounting Office, Mr. Alan
Paller of the SANS Institute, K Rudolph of Native Intelligence, and
Mr. Thornton May of the Graduate School of Management at UCLA.
Presentations during the three-day conference
were made by speakers from the National Security Agency, State Department,
Internet Business Group, Association for Computer Security Day, U.S.
Military Academy at West Point, Federal Computer Incident Response Center,
Purdue University, Towson University, Office of Management and Budget,
Karta Technologies, Defense Information Systems Agency, Centers for
Medicare and Medicaid Services, Federal Bureau of Investigation, Booz
Allen Hamilton, NASA, National Defense University, C-Cubed Corporation,
Nuclear Regulatory Commission, University of Ottawa, Library of Congress,
Iowa State University, and NIST.
The annual Educator of the Year award was
presented to Patricia "Patti" Black of the Treasury Department
for her work in information technology security awareness. Patti formed
and led a working group that updated an existing awareness CD that contained
basic security issues aimed at the user community.
For more information about FISSEA, including
the dates and location of the 2004 Conference, visit the organization's
website at http://csrc.nist.gov/fissea.
2003 presentations are available on the website.
Prizes Add Pizzazz to Conference
By Peggy Himes
NIST
The FISSEA Conference was not all work
and no play. As a little "perk" prizes were given out during
the annual FISSEA Conference. Dara Murray started the tradition last
year and it was such a hit, it was continued in 2003. The prizes started
out small but increased in value as supporters got caught up in the
spirit during the conference. The Executive Board appreciates the donations
from the following supporters. Unfortunately, not all winners were recorded
and only the "known winners" are listed in italics.
Pam Salaway, Computer Security Institute,
donated a one-year subscription to the CSI quarterly security awareness
newsletter, FrontLine, valued around $1,500.
Mary Ann Strawn, Library of Congress (LOC)
Kris Madura, CompTIA, donated vouchers
for the Security+ exam, which is published in a format for the computer
desktop environment and is available at CompTIA authorized testing centers.
Ty Cooper, U.S. Office of Government Ethics
John J Czaplewski, Northrup Grumman Information Solutions
Marvella Towns, National Security Agency
K Rudolph, Native Intelligence, donated
several original computer security posters.
Eva Murphy, USDA-FSIS
Curt Carver, 2003 Conference Program Director,
donated a framed first-issue commemorative stamp from the United States
Military Academy.
John Saunders, IRM College, National Defense
Barbara Cuffie, FISSEA Executive Board
Chair, donated several gifts.
*Brenda Williams, IRS, won the golf accessory.*
Mark Wilson, Executive Board member, donated
a NIST coffee mug and "collectible" NISSC briefcases.
*Diane Coleman, IRS, won a briefcase.*
*Louis Numkin, Nuclear Regulatory Commission, won a briefcase.*
Mary Ann Strawn, Executive Board member,
donated three LOC Computer Security mugs; one mug contained a coupon
for a tour of the LOC and lunch in the Executive Dining Room.
*Angela Adams, IRS, won the mug with the tour coupon.*
Phil Sibert, long-time Executive Board
member, donated three FISSEA-related mouse pads crafted by Pauline Bowen.
Dara Murray, Health and Human Services,
donated movie passes.
Educator of the Year Award
By Tanetta Isler
Dept of Housing and Urban Development
The Federal Information Systems Security
Educators' Association Educator of the Year Awardees have an extraordinary
impact in information technology security awareness, training, and education.
Past recipients' influence is far reaching with broad impact upon those
affected by information technology security issues. The Executive Board
wants to encourage you to nominate an IT security educator with impeccable
dedication to supporting the goal of producing relevant and needed IT
security skills and competency and integrating the skills into a common
body of knowledge in either the public, private, or federal community.
Nominations can be for work in any aspect of IT security awareness,
training, or education. An ad hoc committee appointed by the Executive
Board Chair will judge the 2004 FISSEA Educator of the Year nominees.
The Educator of the Year ceremony is held each year at the annual FISSEA
Conference.
Whose Job is it Anyway?
Lessons learned while developing a Windows 2000 Security WBT course.
By Grethen Ann Morris, CISSP
RS Information Systems
Contracted to NASA
The purpose of this article is to give others a chance to learn from our experience, not to point fingers or complain (“just the facts, ma'am”). If you have already learned these lessons, maybe it will help to know that you aren’t the only one who has gone through it.
1. Course Outline: the developer’s job or yours?
My team developed an outline of what our new Windows 2000 Security course should teach. We even included guidance documentation with the outline to give the developers some of the content. We requested a proposal and quote for the work, came to an agreement, and started our working relationship. The course developers came back to us with a totally different outline from the one we gave them. When we told them that we wanted them to develop a course according to our original outline, they said they could not start developing the course without us giving them learning objectives instead of an outline.
A lesson learned: If you don’t want any surprises as to who is responsible or in control of what parts of the course development, you better make sure the Statement of Work is very specific and clear. Precautionary note: even if you are specific and clear, there may be misunderstandings.
2. Technical Content: your job or the Subject Matter Experts (SMEs)?
I went to the experts at our agency to get some answers. Several conversations later, we came to the understanding that they did not like the outline either, but could not tell me why. One of the experts suggested that I “read the 19 NSA guidelines for Windows 2000 and write the training from there”. My reply was, “sure, I can throw 500 topics into a hat and pull 50 of them out, but that does not mean the topics will be the ones our audience needs to learn.” This led me to create a new document, “who needs to learn what”. I wrote it from the information I had collected from many conversations.
A lesson learned: The technical content (a training needs analysis) should have been done before writing a course outline or contracting for it to be made. I was taught this in a course once, and now that I’ve learned it first hand, I will never forget it. It is true!
An aside... the experts were trying to be helpful. They all work full time jobs and work on a special committee that is above and beyond their regular work. They did not have the time or energy to build something from nothing, so I had to do it for them. Once we had the “who needs to learn what” document, they could review it and give positive feedback. Also, as an added bonus, the course developers said that they could use the document to build the learning objectives and course from there.
A lesson learned: If you are having a hard time getting input (something from nothing), create something they can comment on. It takes less of their time and effort and they will be much more willing and able to help.
And a note: We found that we had a different audience with Windows 2000 Security than we had with UNIX or NT. UNIX and NT only needed to be taught to system administrators. But, due to the build of Windows 2000 (and Mac OS X), the users need training too. They can actually cause security issues and need to be taught how not to break what the system administrators put in place.
3. Review: Everyone’s job?
How many reviews are needed? Does everyone need to participate in all review cycles? For timing/scheduling purposes, we (the course developer and my team) decided to put the content up in stages (the number of review stages changed a few times during the development process). The course developer had internal quality assurance reviewers. My team has two technical reviewers and two general reviewers. We had two sets of SMEs, our Security group and the Windows 2000 (technical) group, to help with review.
Sometime during the review process, the first two review stages on the text content were supposed to be complete and were not. My team members had been through the course. The course developer’s internal quality assurance process was running smoothly. Our security group delegated review, but we did get input from their perspective. From our Windows 2000 group, however, we did not hear a word. What happened? They had been very helpful up to this point. With a little checking, we found out they had all been called away to put out a Windows 2000 fire, to collect data on the newest threat. I cannot approve moving forward on course development without having at least one technical expert review the material, can I? If we wait, we delay the final delivery date.
A lesson I learned in a course I took: It costs less time and money to fix the course content prior to developing the graphics and audio than it does to fix it later.
So... we waited, and stressed the importance and value of the technical experts’ input. Once they started helping with the reviews, they stayed with us through the rest of the process. Their input made a world of difference in the final product, and the initial delay saved a potentially longer delay later if we had had to change graphics and audio as well as the text content.
Role-Based Training: A Critical Element of Information Assurance
By Patricia Harris and Jeff Dektor, CISSP
Department of State
The Availability-Integrity-Confidentiality (A-I-C) of an organization’s information system is dependent on the knowledge and skills of those who use, operate, and manage the system. Information assurance (IA), which is synonymous with A-I-C, cannot be achieved and maintained unless all employees with IA responsibilities understand and are able to execute the requirements of their specific roles. For this reason, role-based training is a critical element of a successful IA program.
The employees who receive role-based training can be divided into two broad categories – technical and managerial. Technical personnel implement and monitor security procedures that are specific to their computer network’s operating system and work environment. Examples include system administrators, information system security officers (ISSOs), and auditors. By and large, the personnel in these groups are concerned with observable and measurable IA characteristics.
Managerial personnel, through the control of resources, personnel, and policies, deal with more intangible issues. They also have a greater influence on whether the organization’s IA program is effective. A manager’s role includes assessing security risks and making decisions about the types of safeguards to be used. At the same time, a manager’s understanding and support of IA requirements is the key factor in whether or not technical personnel will be able to fulfill their day-to-day responsibilities in securing the organization’s information system.
Another aspect of role-based training is the degree to which it addresses the specific needs of the organization. The content of successful training is based on established policies and procedures. It includes concrete examples, step-by-step procedures, and realistic scenarios that both reinforce learning and promote skills transfer to the workplace.
In terms of learning outcomes, technical personnel should have achieved a greater understanding of the policies related to information security and new or enhanced skills in applying security settings, monitoring system security, and recognizing anomalies that need to be investigated. Managers should be more knowledgeable about security policies, system vulnerabilities, and the job requirements of the technical personnel in their organizations. They should have new or enhanced skills in evaluating the IA situation in their organizations and in selecting the most effective actions to address any shortcomings.
To be effective, IA training must be incorporated into the fabric of the organization. Rather than a one-time event, it must be an on-going process that is changing and growing as rapidly as information technology itself. It should prepare both technical and managerial personnel to not only detect and correct known security flaws, but also to anticipate and guard against the new vulnerabilities that often occur with a technology change.
In today’s world of heightened information security risks, a comprehensive program of role-based, organization-specific training is the first line of defense. Trained employees at every level of the organization are required to ensure the A-I-C of the information system so that the organization can continue to function smoothly and fulfill its mission.
ISC2 Plans Extensions to the CISSP Credential
By E.C. (Lee) Chambers, CISSP, CISM, CIPS
Falls Church, VA (USA)
703-207-4763
I know many of our members are Certified Information System Security Professionals (CISSPs) or are thinking about obtaining this credential, so I thought you might be interested in the three proposed extensions to the CISSP credential that are currently under development. These extensions will all require the candidate to first obtain the CISSP credential in order to apply for these advanced certifications: the Information System Security Engineering Professional (ISSEP) and the as-yet-to-be-named credentials in system security management and system security architecture.
As many of you may already know, the ISSEP is being jointly developed by the National Security Agency (NSA) Information Assurance Directorate and the non-profit International Information Systems Security Certification Consortium (ISC2) Inc. The ISSEP will focus on the technical knowledge required of government information systems security engineers such as ISSE processes and government regulations. NSA has prepared the groundwork for this certification and will provide the subject matter experts to develop the ISSEP examination. People who have worked in information security for at least four years and who already hold the CISSP credential will be eligible to take the ISSEP exam. According to a recent news release, NSA plans to use this certification for both its employees and contractors.
The other two extensions to the CISSP are still in the very early stages of development. A few weeks ago, I participated with CISSPs from throughout the US and Canada in an ISC2-sponsored three-day workshop to develop exam questions for these two proposed extensions to the CISSP credential.
These extensions will each concentrate in two discrete areas of certification, information systems security management and information systems security architecture. Once developed, security professionals will be able to qualify in either or both of these two areas after they have obtained the CISSP credential.
ISC2 has additional workshops scheduled in April and May to further develop exam content as well as to convene a panel of subject matter experts (SMEs) to evaluate the exam content for consideration as testing material. Exam content that graduates from this level of SME review will be added to the test bank and, if all goes as planned, ISC2 will start testing the exams for these new extensions later this summer.
FISSEA members who are CISSPs and would like to participate with ISC2 in the continuing need to develop testing material or to participate as an SME to evaluate testing material can contact me directly.
Intrusion Prevention, Fact or Fiction
By Chris Petersen
President/CTO Security Conscious
Intrusion prevention has been one of the most hotly debated topics within information security circles for the past twelve months. The prevailing topic is whether this new breed of technology is marketing hype or reality. If one were to ask my opinion, I’d have to say it’s in large part both.
The Hype
When host-based intrusion prevention was first introduced in early 2000, it didn’t receive the same cynical response network-based intrusion prevention saw in early 2002. I believe the primary reason for this is comfort with the idea of a host-based agent preventing bad things from happening via anti-virus and personal firewall technologies. The move from detecting attacks on the local host to preventing them seemed like a natural transition and one that should be possible. Most IDS pundits took the wait-and-see approach. However, this wasn’t the case when network-based intrusion prevention systems (NIPS) hit the market. Two prevailing reasons come to mind. First, those of us who have been working with network-based intrusion detection systems (NIDS) have come to understand just how inaccurate the technology is in identifying only real intrusions. In large-scale deployments, we’ve come to expect a 10 to 1 (if not 100 to 1) false alarm to real alarm ratio. This moves me to my second reason, the aggressive marketing practices of the intrusion prevention vendors. Feeding on this false alarm frustration, NIPS vendors market(ed) their products with catch phrases such as “No False Positives”, “100 percent protection”, “complete signature-less prevention”, etc. Many IDS pundits were more than cynical about these bold claims; they were insulted. Why? Because in order for a NIPS to prevent an attack it must first detect it. How could new NIPS technologies using NIDS detection techniques be 100% accurate in prevention when the best-of-breed NIDS with hundreds of customers and long-standing R&D staffs were at best 10% accurate in detection? The claims simply didn’t add up.
The Reality
Intrusion prevention is the goal, not the product. No single technology can stake claim to providing 100% prevention. Security is about risk management not silver bullets. The question is whether or not the current product set under the “intrusion prevention” umbrella can help companies achieve their risk management and associated intrusion prevention goals. They can.
As with any emerging technology market, the new will replace the old. In developing their products, the NIPS vendors went back to the drawing board and devised new solutions based on customer frustrations and limitations with the current intrusion detection technologies. They looked at new ways of detecting misuse, moved to firmware-based platforms to improve performance and reliability, and introduced the ability to place the technology “in-line” allowing packets to be dropped based on detection policies. Unfortunately, this last feature was what allowed NIPS vendors to attract venture capital and was the banner under which they marched to market. However, in reality, the ability to sit in-line like a firewall was simply an evolution of existing intrusion detection preventative features such as automatically resetting a connection or reconfiguring a firewall. Unfortunately, this message didn’t excite the investment community and the intrusion prevention market was born.
However, whether it’s intrusion prevention or intrusion detection with preventative features, the fundamental measurement remains the same – how effective is it in detecting misuse or intrusion? Improvements have been made with the new crop of NIPS. For instance, detection engines have been expanded to provide features such as multiple signature matches for a single event, the combination and correlation of anomaly-based detection with signature-based detection, and the virtualization of detection policies allowing for granular tuning based on individual host and network characteristics. Other technologies introduced wholly new and innovative approaches.
While these features have improved detection accuracy or apply a different approach altogether, are they accurate enough to trust in an in-line mode where a false alarm could drop a business connection? The answer depends on the accuracy (false alarm probability) of each individual attack balanced against risk management thresholds. Fortunately, some attacks have a very low false alarm probability and can be prevented with minimal risk. As the false alarm probability increases for other attacks, one needs to balance operational risk against security risk to determine when the product should be configured to alarm only. Fortunately, all of the intrusion prevention products I know of provide this flexibility. In fact, most vendors advise customers to initially configure their products in a detection-only mode and then selectively enable preventative policies when false alarm probabilities combined with risk management thresholds add up.
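The per-signature balance described above, as an added worked example that is not from the article or any vendor's product: an expected-loss rule that turns an estimated false-alarm probability and cost figures into an alarm-only or prevent setting, with every signature starting in detection-only mode as the author notes vendors advise. The signature names, probabilities, cost figures and the `risk_tolerance` knob are all constructed assumptions for illustration.

```python
"""Prevent vs. alarm-only decision for an in-line IPS, one signature at a time.

Added example. All costs, probabilities and signature names are constructed
for illustration; nothing here is vendor data or the article's own method.
"""
from dataclasses import dataclass


def false_alarm_prob_from_ratio(false_alarms: int, real_alarms: int) -> float:
    """Turn an observed false:real alarm ratio (e.g. the 10:1 the article cites)
    into the probability that any given alert from this signature is false."""
    total = false_alarms + real_alarms
    if total == 0:
        raise ValueError("need at least one observed alarm")
    return false_alarms / total


@dataclass(frozen=True)
class Signature:
    name: str
    false_alarm_prob: float    # P(alert is false), estimated from tuning data
    block_legit_cost: float    # operational loss if a legitimate connection is dropped
    missed_attack_cost: float  # residual loss if a real attack is only alerted, not stopped


def expected_loss_prevent(sig: Signature) -> float:
    """In-line drop: the loss that matters is dropping legitimate traffic on a false alarm."""
    return sig.false_alarm_prob * sig.block_legit_cost


def expected_loss_alarm_only(sig: Signature) -> float:
    """Alert only: a real attack gets through until an analyst responds."""
    return (1.0 - sig.false_alarm_prob) * sig.missed_attack_cost


def choose_mode(sig: Signature, risk_tolerance: float = 1.0) -> str:
    """Return "prevent" or "alarm_only" for one signature.

    risk_tolerance > 1 weights security loss more heavily than operational loss
    (a more security-averse shop); < 1 favours keeping business traffic flowing.
    """
    if expected_loss_prevent(sig) <= risk_tolerance * expected_loss_alarm_only(sig):
        return "prevent"
    return "alarm_only"


def rollout_plan(signatures, risk_tolerance: float = 1.0) -> dict:
    """Start every signature in alarm-only mode (the staged deployment the article
    says vendors advise) and promote only those that clear the expected-loss bar."""
    plan = {sig.name: "alarm_only" for sig in signatures}
    for sig in signatures:
        if choose_mode(sig, risk_tolerance) == "prevent":
            plan[sig.name] = "prevent"
    return plan


# Constructed sample policy set (hypothetical signatures and costs).
SAMPLE_SIGNATURES = [
    # Precise signature for a well-known exploit: almost never fires falsely.
    Signature("known-exploit-specific", false_alarm_prob=0.01,
              block_legit_cost=5000.0, missed_attack_cost=20000.0),
    # Broad anomaly rule with the 10:1 false:real ratio the article cites, low impact.
    Signature("generic-anomaly", false_alarm_prob=false_alarm_prob_from_ratio(10, 1),
              block_legit_cost=5000.0, missed_attack_cost=2000.0),
    # Equally noisy rule for a high-impact attack: only a risk-averse tolerance puts it in-line.
    Signature("noisy-high-impact", false_alarm_prob=false_alarm_prob_from_ratio(10, 1),
              block_legit_cost=5000.0, missed_attack_cost=20000.0),
]

if __name__ == "__main__":
    for tol in (1.0, 3.0):
        print(f"risk_tolerance={tol}: {rollout_plan(SAMPLE_SIGNATURES, tol)}")
```

Raising `risk_tolerance` moves the noisy high-impact rule into prevent mode while the low-impact anomaly rule stays alarm-only, which is the operational-versus-security trade the paragraph describes.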
Conclusion
Marketing hype aside, intrusion prevention technologies can be a powerful tool in supporting a defense in depth architecture. A silver bullet they aren’t but then again, they don’t need to be. They have advanced the art of intrusion detection and when deployed appropriately can be an effective use of the information security dollar.
About the Author
Chris Petersen is the President/CTO of Security Conscious (www.security-conscious.com), a company specializing in maximizing the return on intrusion detection/prevention via professional services and next generation incident management technologies. You are welcome to contact Chris at chris@security-conscious.com.
Computer Security and Sandwiches at Library of Congress
By Mary Ann Strawn
Library of Congress
On Wednesday, May 28, Tamara Maddox of George Mason University will speak at a Brown Bag seminar sponsored by the Library of Congress Computer Security Coordination Group. The event takes place from noon to 1 p.m. in the Madison Building, room G-45. It is free and open to the public.
Maddox, Assistant Chair of the Computer Science Department at George Mason, earned her B.S. in Computer Science and a law degree from William and Mary. At GMU she coordinates all computer ethics/law courses and developed the junior-level course “Ethics and Law for the Computing Professional.” She has been actively involved in numerous issues of computer technology and policy, including serving as chair of an IEEE/CCIP task force on UCITA (the Uniform Computer Information Transactions Act) in 2000/2001.
At the Library Maddox will address computer ethics and the role of privacy.
The May 28 event is part of a series of Computer Security lunch-time seminars held throughout the year at the Library of Congress. The Library has drawn upon the expertise of in-house staff to talk about subjects such as “Spam,” “Securing Your Home Computer,” “The Perils of Email,” and “Hackers.” A recent speaker from the Federal Trade Commission discussed “Identity Theft.”
According to Ann Christy, Computer Security Officer for the Library, “This is just one of many ways we keep reminding people about computer security.”
The seminars are usually about 45 minutes in length with time for questions. The Computer Security Team provides cookies for attendees. For additional information, contact Mary Ann Strawn, mast@loc.gov.
One of Our Own
In reference to a recent CNN posting, located at http://www.cnn.com/2003/TECH/04/18/cyberwar.training.ap/index.html (NOTE: You will be leaving NIST's and the FISSEA website after clicking the CNN link), our Conference Chairperson, LTC Curtis Carver, contributed this note acknowledging the efforts of one of our FISSEA Executive Board Members, LTC Dan Ragsdale (winner of last year's EOY), at the US Military Academy at West Point:
"The cadets really got a lot out of this. Learning went beyond class attendance as the cadets put in hundreds of hours and were really committed to defending their networks. Dan did an awesome job. Just to give you a taste, NSA started with a DoS attack on West Point's email server on Monday.
The cadets could not block the IP address because it was against the rules. They noticed however that the time-to-live field on the attacking packets had an interesting value and they rapidly modified a firewall to block the DoS based on that value. The enemy adapted his attack and counterattacked.
The cadets saw the counterattack and modified their defense. Very cool stuff. Regardless of whether we beat the other academies, a lot of critical thinking and learning took place this week and the benefit to the cadets and our nation will be an interesting story to watch unfold over the next couple of years."
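The filtering trick in the note above, as an added example that is not part of LTC Carver’s message or the cadets’ actual firewall rule: when the rules forbid blocking the source address, a characteristic TTL on the flood packets can still be used as the match key. The code parses IPv4 headers from constructed packets, drops those whose TTL matches the fingerprint, never consults the source address, and also shows the adaptation the note mentions: once the attacker changes the TTL, the same source passes again. The TTL value 255, the addresses and the packet mix are all assumptions made for the illustration.

```python
"""TTL-keyed packet filter of the kind described in the West Point note.

Added illustration, not the cadets' firewall configuration. The attacker
TTL (255), the addresses and the traffic mix are constructed for the example."""
import socket
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header without options
ATTACK_TTL = 255  # assumed fingerprint; the note only says the value was "interesting"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 when run over a header
    whose checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, proto: int = 6, payload: bytes = b"") -> bytes:
    """Minimal IPv4 packet (version 4, IHL 5) used to construct the sample traffic."""
    hdr = IPV4_HDR.pack((4 << 4) | 5, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Return the header fields the filter needs; reject malformed headers
    instead of silently passing them."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = IPV4_HDR.unpack(packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ttl": ttl, "proto": proto, "len": total_len}


def ttl_filter(packets, blocked_ttls):
    """Drop packets whose TTL is on the block list. The source address is
    deliberately not consulted, matching the exercise rule in the note."""
    passed, dropped, malformed = [], [], []
    for pkt in packets:
        try:
            fields = parse_ipv4(pkt)
        except ValueError:
            malformed.append(pkt)
            continue
        (dropped if fields["ttl"] in blocked_ttls else passed).append(fields)
    return passed, dropped, malformed


# Constructed traffic: the first wave floods the mail server with TTL 255,
# the second wave comes from the same host after it changed its TTL to 128.
MAIL_SERVER = "10.0.0.25"
FIRST_WAVE = [build_ipv4("10.9.9.9", MAIL_SERVER, ATTACK_TTL) for _ in range(3)] + [
    build_ipv4("10.0.1.7", MAIL_SERVER, 64),
    build_ipv4("172.16.4.2", MAIL_SERVER, 128),
]
SECOND_WAVE = [build_ipv4("10.9.9.9", MAIL_SERVER, 128) for _ in range(2)]


def run_exercise() -> dict:
    """Apply the TTL rule to both waves and summarise what got through."""
    p1, d1, m1 = ttl_filter(FIRST_WAVE, {ATTACK_TTL})
    p2, d2, m2 = ttl_filter(SECOND_WAVE, {ATTACK_TTL})
    return {"wave1_passed": len(p1), "wave1_dropped": len(d1), "wave1_malformed": len(m1),
            "wave2_passed": len(p2), "wave2_dropped": len(d2), "wave2_malformed": len(m2),
            "attacker_passed_after_adapting": sum(1 for f in p2 if f["src"] == "10.9.9.9")}


if __name__ == "__main__":
    for key, value in run_exercise().items():
        print(f"{key:32} {value}")
```

The second wave is the caveat a practitioner wants to keep in view: a rule keyed on an incidental header value is only as durable as the attacker’s laziness, which is why the note describes the defence as a cycle of observation and re-tuning rather than a one-time fix.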
Trainia
This column’s name is a contraction of the words “Training” and “Trivia.” It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at lmn@nrc.gov
**************
Please see the article about our 16th Annual FISSEA Conference, "Conference targets the ABCs of security", as reported in the March 10, 2003 edition of Government Computer News. You can view the entire article on-line at GCN.COM under archives: http://www.gcn.com/22_5/community/21373-1.html
**************
6-8May03
AFCEA TechNet International 2003, Washington DC Convention Center. Contact 703-631-6125 or events@afcea.org.
**************
14May03
CompTIA complimentary event: Cyber Security Workforce Symposium, 8am-1:30pm. J.W. Marriott Hotel, 1331 Pennsylvania Ave, Washington, DC. Keynote speaker: The Honorable Howard Schmidt, Special Advisor to the President on Cyber Security. Seating is limited! To register, visit www.comptia.org/events or call 703-812-1333 x200.
**************
13-15May03
3rd Annual Department of Energy/U.N. Hybrid Conference and Workshop, Newport Beach, California. To register and learn more about this conference, see www.netl.doe.gov/events/03conferences/hybrid/index.html. Contact Karen Lockhart, 412-386-4763, karen.lockhart@sa.netl.doe.gov
**************
2-5June03
Colloquium for Information Systems Security Education: Cyber Security Strategy: Meeting the Multi-National Challenge Through Education, Training and Awareness. The Washington Marriott Hotel, Washington DC. Conference Coordinator: Allan Berg, James Madison Univ., 540-568-8773. See http://www.ncisse.org/conferences.htm
**************
4-5JUN03
Gaithersburg, MD. Federal Business Council, Inc. Securing the Homeland Conference and Expo, "A Federal Partnership for Securing America". Industry, government and law enforcement representatives are invited to present briefings as they relate to one or more of the six critical mission areas cited in the National Strategy for Homeland Security. Contact Robert Jeffers, bj@fbcdb.com. Visit www.fbcinc.com for more information.
**************
4-6June03
TechTarget's Data Center Futures Conference, Chicago, IL. Visit the conference website to view sessions and speakers, or for more information call 781-657-1610. http://datacenterfutures.techtarget.com/html/ci_sessions_speakers.htm
**************
23-24June03
Computer Security Institute's 13th Annual NetSec '03 conference program is now available and registration is open. NetSec blends a management and awareness focus with technical solutions, giving you a balanced real-world perspective. Join 1500 of your colleagues in New Orleans and become a better practitioner. Contact 415-947-6320, csi@cmp.com. View the conference-at-a-glance PDF: http://www.responsetrack.net/lnk/gocsi16/?10CTZ0FNJFJ
**************
28-30July03
MIS Training Institute WebSec 2003: The E-Security Conference and Expo, San Francisco, CA. WebSec 2003 has been designed to deliver up-to-the-minute information, cutting-edge strategies, and tested techniques to help you meet today's tough e-security challenges. Go to http://www.misti.com/.
**************
15-17SEPT03
E-Gov Information Assurance Conference and Exhibition, Ronald Reagan Building and International Trade Center, Washington, DC. Deadline for paper submission is Thursday, May 1, 2003, to IA2003@e-gov.com.
**************
View the updated Foundstone, Inc. security training course calendar for 2003 at www.foundstone.com, where you will find their security curriculum description as well as dates and locations. Contact Todd McBride, 949-297-5600, todd.mcbride@foundstone.com
**************
The Scholarship for Service Program, a program designed to increase and strengthen the cadre of Federal information assurance professionals who protect the Government's critical information infrastructure, has a new website. To register as an Agency Official, go to http://www.sfs.opm.gov. Contact sfs.opm.gov or Kathryn Roberson, 210-805-2423 x506, karobers@opm.gov.
**************
VCampus offers courses in Information Security, Contingency Planning, Physical Security, Workplace Security, Healthcare Privacy (HIPAA), and SSCP Certification (coming soon). Headquartered in Reston, VA. Contact Mary McCarthy, 301-261-5331
**************
Upcoming ISACA educational events:
5-9May03 IS Audit & Control Training Week, Minneapolis
18-22May03 North America Computer Audit, Control and Security Conference, Houston
2-6June03 IS Audit & Control Training Week, Orlando
20-23July03 International Conference, Singapore
8-10Sept03 Network Security Conference, Las Vegas
For further information contact Sandy Arens, 847-253-1545 x485, conference@isaca.org, http://www.isaca.org/, or contact Debra Cutts, 847-590-7482, marketing@isaca.org
**************
Upcoming CSI seminars. For further information contact Nancy Baer, nbaer@cmp.com.
5-6May03 Rapid Roll-Out of an Asset Classification Program, Baltimore
7-9May03 CISSP Prep-for-Success Workshop, Baltimore
5-6July03 Practical Guide to Encryption and Certificate Program
7-8July03 How to Create and Sustain a Quality Security Awareness Program, Gaithersburg
**************