Letter From the Chair

Dear FISSEA,

In this, my first column where I will write to you as your Chairperson and not the News and Views Editor, it is with humility that I move from page two to page one. One of my proudest moments was when I was nominated for and received the Educator or the Year Award - a title which I am truly honored to wear. Having been active in FISSEA for around 13 years and on the Exec Board for half that time I have served under several excellent Board Chairs.

When first I ran for the Board, it was on the plank that I would like to revitalize the newsletter. For the next two years, with Phil Sibert at the helm, FISSEA moved forward. Upon his departure, Pauline Bowen took the Chair for a year and we were fortunate enough to have Barbara Cuffie willing to pickup the orb and continue our progress as an organization for the subsequent three years.

With this as my FISSEA experience, I hope that I will be able to demonstrate how much I care by following in Phil, Pauline, Barbara, and all our prior Chairperson's footsteps. Since my immediate predecessor is Barbara, let me state for the record that she does not have big feet.... but her footsteps are gigantic. My respect for her began many years ago and it has never wavered. I am thankful that FISSEA will still have Barbara on our leadership team during this Board year.

It is also important for me to acknowledge the strong support which FISSEA receives from NIST. Our independent organization could not meet its goals without people like Assistant Chair Mark Wilson, Special Staffer Peggy Himes (who will assume the title of Newsletter Editor), Web Page Guru Patrick O'Reilly and NIST's conference support staff: Patrice Boulanger, and Teresa Vicente. These folks are the power behind the FISSEA throne and they deserve a lot of the credit for our continued success.

Our Executive Board is multi-faceted with wonderfully experienced individuals. We are lucky to have several voluntary contributors. Our Conference Program Chair will remain Curt Carver of the West Point Carvers (demonstrating dedication, his wife accompanied him to the conference so that they could be together while celebrating their 20th Wedding Anniversary). Also hailing from West Point is Will Suchan, whose leadership was shown in keeping our alternate conference track on schedule. NSA has permitted us to use the talents of Marvella Towns (who worked on our conference poster/trinket contest). Also we still have the services of HUD's Tanetta Isler. Our conference's third day leader was Lew "Who Let The Dogs Out" Baskerville, and SBA has permitted him to return to the Board. Mary Ann Strawn from the Library of Congress will continue to work on our shared experience and speakers' bureau. And, now we'll get to test the newbies who represent our three supporting cultures: contractor Gretchen Ann Morris (a long time supporter hailing from NASA in Ohio), academia's Thomas Foss (from the University of North Carolina) and Jeffrey Seeman (a new Fed from the NSA).

Departees who deserve our adulation include Dan Ragsdale, from West Point, and Chrisan Herrod, from NDU. Dan gave an engaging lunchtime presentation during the conference and Chrisan performed as overall conference chair. We will miss them both. We will also miss NASA's Bob Solomon's dry sense of humor as he retired shortly before the conference and we bid farewell to HUD's Donna Robinson-Staton, as well as Dara Murray from HHS (who worked with Marvella on the contest).

With all of the ever-increasing computer security job responsibilities as well as voluntary support given to the Exec Board, all the aforegoing named individuals deserve praise. Outgoing Chair Barbara's favorite phrase was "Committed to FISSEA." Each of this year's Board will have their work cut out for them during the current term. Our organization thrives on individual ideas and collective support. As in the past, we have a great deal of experience on our Board, but we cannot do the job alone. We ask several things of our members:

• please employ our list serve in asking, answering, and offering opinions;
• please submit articles for publication; and
• please consider volunteering when we ask for member support of our conference and other initiatives.

Thanks for your continuing support of FISSEA,
Louis Numkin, CISM
FISSEA Executive Board Chair

Go to top of page

Go to top of page

FISSEA 2004 Annual Conference Cub Reporter Submissions

As Editor, Louis Numkin, asked attendees at the annual FISSEA conference to submit articles as Cub Reporters. Please enjoy the submissions.

"This was my first time at the FISSEA Conference and even a short time into the first day, it was great to see how much is being done in the area over here in the U.S. I work for the Ministry of Defence in the UK and work closely with the DOJ and DoD but thought it would be useful to give delegates an opportunity to find out what we are doing in this area on the other side of the pond.

The MOD has been at the forefront of Information Technology within the UK and the issue of Information Assurance that this includes for decades. As part of this, it was decided to create a separate division with the task of dealing with the issue of security, training, education, and awareness. My job was to design a program to make sure that all 320,000 staff within MOD acted securely and safely in relation to our Information Systems. The result of this nine-month study was the formulation and implementation of the SAFE (Security Awareness for Everyone) project and I thought it would be helpful to explain how this will help MOD secure its systems.

TRAINING:
Both government and private industry provide a plethora of courses for everyone from System Administrators all the way down to the System User. We evaluated many of the most commonly used courses and came to some interesting, yet obvious, conclusions. Some courses are much better than others and the expense of the course rarely correlates with its utility. In fact, some of the best conferences and training courses were free or very low cost. The culminations of these findings are two-fold. For technical areas such as System Administrators and Network Engineers, certain security courses have now been mandated. By making sure we have evaluated the courses, we can be relatively sure of the level of expertise they will gain. Also, we have decided to create a CBT in-house to provide basic security to all of our 320,000 System Users. This will cover the lowest ranks to the highest director. We are eagerly anticipating the results.

EDUCATION:
We have taken a two-pronged approach to security education. The first prong is direct education through annual security presentations. The task I have is to make these interesting as well as comprehensible and I have partially achieved this by providing more interactivity into the briefings. We have found that no matter how difficult it is to make security interesting, all the effort is worth it in getting your staff to improve the way they work generally.

We have also begun looking at indirect education mediums. This has been achieved through a quarterly magazine, induction booklets and an all singing, dancing new website on our website which includes games and competitions to draw in those groups of staff that would normally avoid security.

AWARENESS:
This is an area where we have taken advantage of many of the merchandising techniques of the commercial world. Posters, videos and screensavers are now complemented by more general merchandise. Pens, mugs and more advanced items are no longer produced to promote a specific department or agency but instead carry simple, one sentence, security messages. By doing this, a little can go a long way and staffs begin to change their ways.

Clearly, along the way, we have had bumps as well as benefits and we have so far managed to ride these successfully. However, we remain vigilant and I believe that FISSEA's work and indeed influence, is something we will continue to work alongside for many years to come. See you next year."
Tony Thomas
Directorate of Defence Security (Information)
Ministry of Defence, London
ddefsy-infosypol3@defence.mod.uk

**************************

"Being away from the Conference the past couple of years, it is good to see and hear that the need for training, education, and awareness is growing. The people in the trenches seem to be getting noticed by senior management. Case in point - State Department awarding their CISSP certified employees pay bonuses. From the span of speakers at this year's conference it shows that people care about protecting their computer systems while at the same time keeping their work behind the scene of the daily user. This conference may be small, but we have a big stick and the word is spreading. If you have a SIPRNET account, take a look at the courses and the skills map that the National Cryptologic School, NSAless, can offer you. IAD.nsa.smil.mil and click on Services, lower left screen IA/OPSE courses."
    Submitted by Jeff Seeman

Go to top of page

UMUC's Remote-Access Labs: The Next Generation of Online Learning

By Don Goff
Information and Telecommunication Studies,
University of Maryland University College

When the National Security Agency designated University of Maryland University College a Center of Academic Excellence in Information Assurance Education, we were already looking beyond that prestigious honor and far in to the future. We were envisioning the "next generation" of online delivery-establishing online computer laboratories that students can access from a distance.

Now, with the very generous support from a number of vendors we have realized that dream. The first remote-access lab-the database laboratory-went online in the fall of 2001. The second-the network systems and security laboratory-became available to students in 2003, allowing them to develop and implement access lists, conduct configuration management, balance traffic loads, and perform other network security functions-all online.

Previously, online "labs" were simulations or animations that didn't offer students the opportunity to truly experiment, to find out what works and what doesn't. In remote-access labs, students can access real, hands-on applications, and it doesn't even require a broadband connection. Educationally speaking, it's a quantum leap.

Equally important is the fact that students have the opportunity to use the latest technologies from a variety of vendors, and here, UMUC has had the generous support of industry icons like Cisco Systems, Oracle, Microsoft, Computer Associates, and others, who have provided the university with free or deeply discounted, cutting-edge hardware and software systems that are the building blocks of industries like data communication, systems administration, network security, computer forensics, and more.

Since the mid-1990s, UMUC has tweaked and perfected-and tweaked and perfected-its online delivery system. Last year alone, the university amassed a record of more than 110,000 online enrollments, and the university's IT program-the largest and most comprehensive in Maryland-is operated in accordance with National Security Telecommunications and Information Systems Security standards. UMUC also offers collaborative programs with the National Defense University, the General Services Administration, and the U.S. Army Signal Center to provide graduate IT courses for chief information officers and signal officers, respectively.

Our remote access labs afford us the consummate win-win arrangement: Students have access to cutting-edge technology; the workforce benefits from graduates who already have hands-on experience with that cutting-edge technology; and vendors ensure that graduates enter the workforce as competent users of their products.

Go to top of page

FISSEA 2004 Security Awareness Contest ...and the WINNERS are:

• University of Arizona for the best poster, submitted by Melissa Guenther
• Internal Revenue Service for the best trinkets, submitted by Diane A. Coleman
• Health and Human Services for best website, submitted by Captain Cheryl A. Seaman

This year FISSEA conducted its first Security Awareness Contest and announced the winners at this year's conference held at the University of Maryland University College, Adelphi, Maryland. Congratulations to all the winners for their innovative and out of the box means of presenting security concepts.

The contest was designed to have organizations showcase their security awareness posters, trinkets and websites. Also, the contest affords FISSEA an opportunity to provide its members with knowledge of some of the best security awareness information within the community. The entries were judged on accuracy, originality, message and graphics by an independent panel of judges.

The URL for the winning website, submitted by Captain Cheryl Seaman is http://irtsectraining.nih.gov/. This is the NIH on-line security awareness training and is available to the public. Diane Coleman submitted IRS Security Awareness Week Trinkets including notepads: "Preventing Intrusion-Awareness is Our Best Defense"; "Accentuate the Positive - Understand the WHY of Security"; two ink pens (3 sided) with security awareness messages on all sides. Some of the messages were: "Keep your Laptop Secure at ALL Times", "For a Password That is Strong - Make it at least 8 characters long", Think Safe - Know Your Occupant Emergency Plan", "Security website url". Key chains that read "You Are the Key to Security". Button - "Clean-up Back-up Lock-up". Melissa Guenther submitted the winning poster campaign. (Note, you will be able to view the winning entries on the FISSEA website soon).

If you did not participate this year, watch for the announcement later this year on the 2005 FISSEA Conference webpage.

Go to top of page

FISSEA Educator of the Year Awarded to Jeff Recor, Walsh College

Submitted By Peggy Himes, NIST

Each year the FISSEA recognizes an individual who has made significant contributions in education and training programs for information systems security. The FISSEA Educator of the Year for 2003 was awarded to Jeff Recor, Walsh College, on March 10, 2004 by last year's winner, Patricia Black, Department of Treasury.

Brian Gawne's nomination said, "Jeff Recor is an outstanding educator whose impact reaches outside the boundaries of his educational institution. Jeff's passion for teaching and his philosophy of 'learning by doing' helped establish the Information Assurance Center at Walsh College. The main focus of the IAC is to act as a 'community outreach' program…." …"Jeff Recor continues to dedicate himself to reaching beyond the confines of the classroom to develop security awareness and training." The complete nomination letter for Jeff Recor may be viewed on the FISSEA website.

Jeff's competition was quite significant. To be nominated by one's peers is in itself, an honor. The other nominees were:

• Michael Arant and Terri Cinnamon and the Training, Education, Awareness and Professionalization Team, VA
• Jeffrey Dektor, US State Department
• Clifton Poole, National Defense University
• Anita Shandor, Financial Management Service
• Anthony D Smith, Tennessee Valley Authority
• Robert Solomon, NASA
• Marvella Towns, NSA

An impartial judging committee and not the FISSEA Executive Board made the final selection. Please see the FISSEA website for complete nomination information and think about submitting someone next year.

Go to top of page

TRAINIA

This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Co-Editors at lmn@nrc.gov and/or peggy.himes@nist.gov

***************************************************

On-line Tutorial for NIST Special Publication 800-37
NIST is pleased to announce that an on-line tutorial is now available for Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. The tutorial can be obtained from the FISMA News Section or Library Section of the FISMA Implementation Project web site at http://csrc.nist.gov/sec-cert. It is our intent to develop on-line tutorials for all of the FISMA-related publications in the series to serve as a training vehicle for agencies and to facilitate greater awareness of the NIST security standards and guidelines. The introductory section of every tutorial in the series will provide an overview of the FISMA Implementation Project (vision and strategy) and establish the context for the particular publication in the overall risk management process. Your comments on the tutorials are welcomed as we attempt to better serve your information security needs.
Ron Ross, Project Manager, FISMA Implementation Project

***************************************************

FYI, two CDs (and 3 and 4 coming soon) were offered to our conference attendees by Anton Ljutic, one of our Canadian attendees. He wrote that he "will certainly keep in touch. FISSEA is a great help to my work. We (CSE) already have a good working relation with NIST and you might be interested to know that DISA/IASE will distribute the Wireless LAN CD to US Gov departments." If you wish to contact Anton, his phone is 613-991-7966 or Email: anton.ljutic@cse-cst.gc.ca

***************************************************

FISSEA's friend, Mich Kabay has written to let us know that the new BSIA (Bachelor of Science in Computer Security and Information Assurance) and minor in information assurance programs, info may be found at:
http://www2.norwich.edu/mkabay/bsia For more info, contact Mich at mkabay@norwich.edu

***************************************************

CPM has joined with IP3, to provide a program in Information Assurance and Information Security Leadership. Drawing on materials from the industry's leading vendors, NIST, the FBI and the NSA, they have tried to create a structured overview of a comprehensive model for Information Assurance. To register for your discounted seat, go to: http://www.ip3seminars.com/security/register.php and use code CPM464. For the complete program outline visit: http://www.ip3seminars.com/u/rcs34835.php

***************************************************

VERIZON has a Learning Center available on the web. Within it, we found " What is a firewall? Should I protect my home network? What happens to personal information traveling over the Internet?" Find out more on security in their articles which can be found at: (by clicking this link, you will be leaving the FISSEA website, along with leaving all NIST webservers.)
http://www22.verizon.com/about/community/learningcenter/topics/displaytopic1/0,4023,05z6,00.html
In their Premium Courses they include sessions on professional certifications, though none specific to our field. Why, they even have one under their Business Skills area on Stress Management... not that any of us need that. Evidently, a subscriber can take up to 30 of the standard courses for just $99 a year.

***************************************************

Insider Training's Anniversary Training Sale. It only comes around once a year. For all our most popular classes listed in the PDF, we are offering: *20% OFF for any individual and *3 students for the price of 2 for 3 students enrolling in the same class and session. Registration and payment executed together. Call Insider Training at (866)509-7511 or go to www.insidertraining.com for details.

***************************************************

Allan Berg, now at the University of Dallas Graduate School of Management, as the Deputy Director, Center for Information Assurance can be reached at aberg@gsm.udallas.edu or by phone at (703) 788-6801. They have mapped our IA curriculum to the NSTISSI Standards 4011 through 4015 and have received both concurrence and recognition by the NSA for our efforts. Congrats!! Allan adds that for $480 per credit hour, all programs are 100% on-line and are taught by the same professors who teach the courses in a classroom on the university campus. For more info, check http://gsmweb.udallas.edu/info_assurance/

***************************************************

CSI 2004 April / May Seminar Calendar
CSI is offering classes in April and May, all designed to make you a better practitioner. Improve your skills and improve the security of your organization. For more information call (415) 947-6320 or email csi@cmp.com.
April 27-28, 2004 Managing a Privacy Governance Program, New York, NY
April 29-30, 2004 Rapid Roll-out of an Asset Classification Program, New York, NY
May 4-5, 2004 How to Create and Sustain a Quality Security Awareness Program, Ottawa, Canada
May 6-7, 2004 Defense Against Social Engineering, Ottawa, Canada
May 11-12, 2004 Hands-on Hacking, Orlando, FL
May 13-14, 2004 How to Conduct a Network Vulnerability Assessment, Orlando, FL

***************************************************

12-14MAY2004 - Electronic Entertainment Expo will be in Los Angeles, CA, at the Convention Center. If interested, check out the show site at: www.e3expo.com or contact Zach Toczynski at 1211 CONNECTICUT AVE #600, Washington, DC, or e-mail zach@theesa.com or telephone (202)223-2400.

***************************************************

19MAY2004 - Government Computer News is sponsoring a Management Leadership Conference at the Marriott Wardman Park hotel in Washington, DC. The Government fee is $195 and Industry is $295 which includes meals and breaks, a cocktail reception, and reference material. For More Information Or Registration visit http://www.gcn.com/a?Leadership_01 or Call 202-624-1756.

***************************************************

19-20MAY2004 - eFRAUD Conference at the Embassy Suites Hotel in New York City. Learn how to detect, investigate, and prevent electronic fraud. Express register online today at: http://pull.xmr3.com/p/10308-C907/7675358/http-www.misti.com-03-ef04eb4reg.html (if you click this link you will be leaving the FISSEA website, along with leaving NIST webserver) Please use EF04/EB4 as your Registration Code to ensure early- bird savings.

***************************************************

25MAY2004 Second FREE FISSEA Workshop, "Developing Role Based Information Assurance Training and Classroom Demonstrations", presented by the US Department of State, Diplomatic Security Training Center. See the flyer at the end for complete details.

***************************************************

25-27MAY2004 - U.S. Department of Energy (DOE) Cyber Security Group (CSG) training conference, titled "Take the Puzzle Out of Cyber Security" will be held in Kansas City, with pre-conference workshops on May 24. As always, there is no cost to attend the conference, although there is a $35 fee for an optional social event. To make registration easy for you, this year we have implemented a web-based registration form that will accept credit cards (credit card needed only if you want to attend the social event) http://cybertrain.labworks.org/conferences/may2004.
For more information about the conference and to register, see http://cybertrain.labworks.org/conferences/may2004.
See you in Kansas City! Lori Ross O'Neil, 2004 Conference Program Chair lro@pnl.gov, doecsg2004@pnl.gov, or 509-375-6702

***************************************************

8-9JUN2004 - The Forum on Information Security in Government will be held in Washington, DC, with Optional Workshops on 7 and 10JUN. Both the FISSEA Chair and Assistant Chair will be presenting sessions. More info can be found at http://pull.xmr3.com/p/3792-0DD3/92622542/http-www.misti.com-03-mi2eb1inf.html (by clicking this link, you will be leaving the FISSEA and NIST webserver) or by contacting MIS Training Institute at 498 Concord St., in Framingham, MA 01702-2357, Tel: (508) 879-7999, Fax: (508) 872-1153, E-mail: mis@misti.com

***************************************************

14-16JUN2004 CSI's 14th Annual NETSEC '04: BUILDING THE SECURE ENTERPRISE Conference Program is now available and registration is now open. NETSEC will be held in San Francisco at the Hyatt Regency Embarcadero. NetSec blends a management and awareness focus with technical solutions, giving you a balanced real-world perspective you won't find at other conferences. The conference program covers a broad array of topics, from the management issues of awareness, privacy and policy to more technical issues like wireless security, VPNs and Internet security. REGISTER FOR SHOW ONLY June 14-15 - FREE! http://i.nl03.net/ltr0/?_m=2g.0007.16.ri07j00zjt.1 Julie Hogan, Director of Events, CSI , Computer Security Institute, jhogan@cmp.com

***************************************************

01JUL2004 at 11:59pm is deadline for submission of papers to the Phrackstaff for presentation at PHRACK-62. "Dont bother us with lame articles -- only the real papers will make it." They are seeking papers on "hacking, phreaking, spying, carding, cybernetics, radio, electronics, forensics, reverse engineering, cryptography, anarchy, conspiracy, and world news." Also, they "will showcase selected tools from the hacking community." For more info, contact phrackstaff@phrack.org

***************************************************

8-11JUL2004 - Purdue University in West Lafayette, Indiana, will host CAITA-2004. This is a broadband conference, aimed at bringing together the scientific/technical elite. This year's Keynote is Dr. Dag von Lubitz, Laureate of the Smithsonian Award. More details on the Web at www.internetconferences.net

***************************************************

Go to top of page

2nd FREE FISSEA Workshop
Developing Role Based Information Assurance Training and Classroom Demonstrations

To learn more about this workshop, please visit this link on the FISSEA website. You will be opening up a MS Word file of the workshop announcement.