News and Views

Federal Information Systems Security Educators' Association


FISSEA logo
Issue Two of FISSEA Year 2004-2005
July 2004



IN THIS ISSUE:

 

From the Chair

It is difficult to believe that three months have already flown by... one quarter of our Exec Board year is already gone. Whew! Though this seems like a lot of time, the Board only has one half-day meeting per month and as you can guess these are chock full of substance and interchange. Thankfully, the Board is composed of amicable, open-minded, creative and sincere folks who collegially perform the tasks on hand. Utilizing e-mail and teleconferencing has helped us poll the Board, provide guidance, and make decisions.

One of our major decisions relates to the FISSEA Annual Conference for 2005. With assistance from NIST's Patrice Boulanger we have found a superb location. The name will be released when all is confirmed but suffice it to say that if all goes as planned... It will be held on March 22 and 23, 2005, as a two-day two-track conference. The hotel offers complimentary parking and is located on the Metro Red Line (with numerous shopping and restaurant opportunities within walking distance). The hotel and meeting facilities are brand new and we will be one of the first conferences to utilize them.

The 2005 Conference will be titled "Target Training" with a focus on awareness, training and education. It will be under the tag-team leadership of "Dead Eye" Curt (Curt Carver) and "Wild Will Hickok" (Will Suchan). So, take aim on our conference and keep a sharp lookout for upcoming information which will provide the costs, as soon as the deal is finalized.

Now, let me ask you to think of our FISSEA News and Views Newsletter as well as the FISSEA web site. Our newsletter can always use articles (perhaps you held a successful ATE activity from which others might benefit, etc) as well as submissions of TRAINIA material (eg: upcoming meetings, book reviews, humor - please, only send us those which are related to the FISSEA mission). As for the web page, please visit it - check it out and let us know if anything is unclear or difficult to use/find, and if you perhaps have something you could offer in substance or perhaps as a better way to display our organization and its resources. These are serious requests. Please help us make both of these FISSEA mainstays as good as they can be.

In this issue are some interesting items which will provide you with opportunities to participate. Remember, our organization is only as good as the contributions of its members... and by the way, that's YOU. The FISSEA acronym could also stand for "Fun, Interesting, Sensational, Superior, Educational, Active"... if you work with our Exec Board and Committees, we can make it happen.

Thanks for your support,
Louis
 
Louis Numkin, CISM
US Nuclear Regulatory Commission
FISSEA Executive Board Chair

Go to top of page

horizontal bar


FISSEA Executive Board
2004-2005

Louis Numkin, CISM, Board Chair*
lmn@nrc.gov

Lewis Baskerville, CISM*
lewis.baskerville@sba.gov

LTC Curt Carver, Jr., Conference Director*
curtis.carver@usma.edu

Barbara Cuffie, CISSP, Past Chair
barbara.cuffie@ssa.gov

Thomas Foss **
foss@iogmail.iog.unc.edu

Tanetta Isler*
tanetta_n._isler@hud.gov

Gretchen Ann Morris, CISSP**
gretchen.a.morris@grc.nasa.gov

Jeffrey Seeman**
jaseema@nsa.gov

Mary Ann Strawn**
mast@loc.gov

LTC Will Suchan, Conference Program**
will.suchan@us.army.mil

Marvella Towns, Conference Contests*
mltowns@nsa.gov

Mark Wilson, CISSP, NIST Liaison, Assistant Chair*
mark.wilson@nist.gov

Peggy Himes, Executive Assistant to Bd, Newsletter:
peggy.himes@nist.gov

* Term ends March 2005
** Term ends March 2006


Go to top of page

horizontal bar


Note From the Editor

I'd like to ditto what Louis said in his Letter from the Chair about the need for articles. The due date for the October issue is September 10, 2004. Please send items relating to computer security awareness, training, and education to peggy.himes@nist.gov.

I think it's noteworthy to mention that Barbara Cuffie retired from the Social Security Administration after 35 years. On June 15, 2004 her coworkers gave her a send-off truly befitting the wonderful leader she is. Barbara has been the FISSEA Board Chair for the past three years and if you've gone to a recent conference, you know her. Even in retirement, Barbara's commitment to FISSEA will not cease. She plans to continue to be active on the Board (at least until the next conference in March 2005). I'm sure everyone wishes that Barbara will have a wonderful retirement; that she'll continue to have good health and that she finds joy in her travels and volunteer work. She now has time to devote to the Red Hat Society too. Keep smiling, Barbara, and congratulations on your retirement.
Peggy Himes

Go to top of page

horizontal bar


Federal Information Systems Security Educators' Association (FISSEA) LOGO CONTEST

By: FISSEA Contest Coordinator

Do you remember when a computer system's standard configuration came with a 5-¼ floppy? During the 80s, they were cutting edge portable storage media. In the 90s, the 3 ½ floppy became the portable storage media of choice and replaced the 5-¼ floppy. They were smaller, but with more storage capacity and ease of portability. Recently, I purchased a new laptop and the 3-½ floppy wasn't an inherent part of the system. This fact made me think of the FISSEA logo.

To ensure that FISSEA presents an image of forward and out of the box thinking, we want to update the logo. The FISSEA Board would like for you to participate in determining the new logo by entering the FISSEA Logo Contest.

RULES - The design/logo must:

  • Be innovative, original, and education and security based
  • Include the Federal Information Systems Security Educators' Association (FISSEA) name
  • Be submitted in a Word document
  • Another PowerPoint slide will be used to submit the entrant's information: name of developer and/or submitter, organization, address, phone number and email address. Entries should be forwarded to fisseamembership@nist.gov
  • Only one entry per organization. Any entry submitted that does not comply with the rules will automatically be disqualified.
Current Logo

Go to top of page

horizontal bar

FISSEA Outreach Committee

The Outreach Committee is a FISSEA committee dedicated to informing local, state, and federal governments and universities about the organization's annual conference and other FISSEA sponsored activities throughout the entire year. The goal is to have those responsible for providing security awareness, training, and education programs look to FISSEA as a valuable resource.

Perhaps other readers of our newsletter might like to assist the committee or can provide some added value. Please pass along information about joining FISSEA to your computer security training personnel. To join, send an email to fisseamembership@nist.gov, include your complete mailing address, email, and phone information. We look forward to hearing from you.

Committee members:
Tanetta Isler:        tanetta_n._isler@hud.gov
Thomas Foss:     foss@iogmail.iog.unc.edu
Jeff Seeman:       jaseema@nsa.gov

Go to top of page

horizontal bar

NIST SP800-16 Proposal

Hello all,
As a member of your executive board, I would like to offer my time and efforts to help and coordinate the development of a web-based training course for those within your agency (or company) with significant security responsibilities (one of the FISMA requirements). Most know (I hope), that the 800-16 training matrix has 46 cells and training descriptions for beginning, intermediate, and advanced levels for each of those cells. There are examples of some job roles and the suggested training listed is selected from a certain grouping (number) of cells within the training matrix. I doubt any one of us could build the entire training library alone, but if enough of us volunteered to take a piece, we could build it (possibly one job role at a time).

I propose the following to the membership:

To create a committee dedicated to the project (FISSEA By-laws say: "Various committees may be established by the Executive Board from time to time to accomplish the objectives of the FISSEA. So, if I receive enough positive feedback and volunteers to help, I would request that the board make this an official committee)

When (and if) the committee is formed, we would send a request for volunteers (writers and editors) and:

  • For the writers: give them an example to follow and a writing guide to get them started
  • For all: be available to answer questions, give guidance, coordinate the effort, and keep the membership informed of progress

For those who have written training materials that cover some of the cells at various levels already, I would ask the following:

  • share the content with us so that we can try to work smarter and not harder
  • or volunteer to adapt your content to the format given and turn it in for inclusion

Please let me know if you would be interested in helping with this project and in what capacity. I thank you for your time and consideration; I look forward to your replies.
Gretchen Ann Morris, CISSP
NASA Glenn Research Center
Gretchen.A.Morris@grc.nasa.gov

Go to top of page

horizontal bar

2005 FISSEA Conference

March 22-23, 2005
By Curt Carver, United States Military Academy

The 2005 FISSEA conference is right around the corner and the planning staff is hard at work to improve upon last year's conference. This year's conference theme highlights the critical role we play in information security by targeting security training now before you become a target of a cyber attack. As attacks become increasingly sophisticated, every user is a potential Achilles heel for your organization. Are you ready for the new attacks this next year will bring? Learn the latest advances in security education, training and awareness. With papers, panels and presentations geared for novices and seasoned pros alike, find out the latest changes to certification, information assurance education, government regulations and much, much more.

With a brand new location conveniently located on top of the Metro, FISSEA has never been easier to attend if you live in the DC area. With a two-day schedule in the middle of the week in a new hotel, the FISSEA conference will be even easier to attend if you are coming from out of town or could not allocate three days to a conference. With more submissions last year than we could handle, you know you are only going to see and hear the best names in the field. With almost 20 years of annual conferences by this close knit community, FISSEA has all the contacts to help you target awareness, training and education in 2005.

While last year's conference was awesome, we are looking at ways to make the 2005 conference even better. If you have a great idea for the conference or would like to help, you can contact Curt Carver (carverc@acm.org ) or Will Suchan (will.suchan@usma.edu). Recommend your favorite speakers and we will do the rest. Look for the call for papers in the next 30 days and submit early because the agenda is going to fill fast. The 2005 FISSEA conference is about targeting security awareness, training, and education.

Next year, will you be the hunted or the hunter? Plan now to attend the 2005 FISSEA conference.

Go to top of page

 

horizontal bar

2nd FISSEA Workshop
....a great success!

By: Susan Hansche, CISSP, ISSEP
PEC Solutions Program Manager for
U.S. Department of State, Information Assurance Training Program

On May 25th, over 30 FISSEA members attended the 2nd FISSEA Workshop (offered free to FISSEA members) on "Developing Role-Based Information System Security Training." The U.S. Department of State Information Assurance (IA) Training Group was proud to sponsor and present the workshop at the Diplomatic Security Training Center in Dunn Loring. It was a day full of activities and discussions on the best practices for designing and developing a role-based IA training program.

The workshop objectives were to provide the participants with an opportunity to discuss how Federal guidelines can help:

  • Determine information systems security training needs
  • Identify course topics, learning objectives, and training solutions.

The first half of the day was spent reviewing the guidance from NIST SP 800-50 ("Building an Information Technology Security Awareness and Training Program") and NIST SP 800-16 ("Information Technology Security Training Requirements: A Role- and Performance-Based Model.") Specifically, the workshop addressed the various roles within an organization that need training, such as those identified in SP 800-50: Executive Management, Security Personnel, System Owners, System Administrators and IT Support Personnel, and Operational Managers. Based on these generic roles, the discussion turned to methods of conducting a needs analysis that would assist agencies in determining the roles within their own organizations. That is, these are methods that determine whether the generic roles are appropriate for your organization and, also, whether your agency has any other specific roles that might need training.

The next step was to map the identified roles to the SP 800-16 framework, which identifies five functional role responsibility categories: Manage, Acquire, Design, Operate, and Review. (Users are also included, but this is more of an awareness than training requirement.) Table 1 is an example of how a role based training matrix might look. I like to think of it as matching "job roles" (usually a job title that we can recognize) with "functional roles" (specific type of activity performed). Although this sounds easy, it has some complexity based on the fact that each agency has different job roles and expects different performances from those roles. Therefore, each agency will not only have different job roles, but also will define and match the job roles to the functional roles differently.


  Manage
 
Acquire
Design
Operate
Review
Executive
Management,
Senior-Level
Management,
System Owners,
Designated
Approving
Authority
 
Systems
Architects
Systems
Engineers
System Administrators,
IT Support Personnel,
Operational Managers
Security Personnel,
Information
Systems Security
Officer

Table 1: Role Based Learning Framework

Once the information systems security roles have been identified and documented, the next step is to outline the learning objectives and topics for each of the roles. To identify high-level learning objectives, the workshop distributed a synopsis of learning topics (based on security controls identified in initial draft NIST SP 800-53). An important part of this process is to identify the level of knowledge needed for each role. Working in small groups, workshop participants identified the learning objectives for a designated role, either Program Manager, Information Systems Security Officer (ISSO), or System Administrator. An important part of this process is determining the information level (i.e., breadth, depth) needed by that role, such as beginning, intermediate, or advanced. Table 2 provides examples of what participants wrote regarding learning topic, level, and objective for the "risk assessment" topic.

Role
Learning
Topic
Learning Level
  Learning Objective
ISSO
Risk Assessment
Intermediate
Knowledge of policy and procedures and be able to oversee risk assessments and ensure they are performed adequately.
System Administrator
Risk Assessment
Advanced
Evaluate the impact of the loss of confidentiality, integrity, and availability to a specific information system.
Program Manager
Risk Assessment
None
Program Manager had no responsibility for this topic.

Table 2: Role-Based Learning Topics and Objectives

I must admit there was an interesting (!) discussion between the Program Manager and ISSO groups regarding who actually had the responsibility for risk assessments.

The final group activity of the day was to look at various methods of instructional activities that can be used to create interactive training solutions. Ideas generated by participants included case studies, demonstrations, simulations, matching items, walk-through scenarios, and small-group activities. Participants also defined measurement strategies that would evaluate whether learning had taken place.

In between all this hard work, members of the State Department IA training team (Jason Geiger, Pat Harris, and Mike Petock) demonstrated some of the tools we use in our training program. Pat Harris showed the vulnerabilities of passwords using the LoPht Crack password-checking software. Unfortunately, all participants promised not to tell which (and who's) password was broken quickest, but let's just say it only took about six seconds. Mike Petock demonstrated how using Virtual Machine Ware (VMWare) software has made a big difference in preparing our computers for each class and the ease in which students switch between various operating systems to learn several security configuration requirements. Finally, Jason Geiger encouraged participants to take part in a challenging game of "Information Assurance Jeopardy." We use this game format in quite a few of our classes to evaluate whether students have learned details of key topics. It also reinforces the training material. A note of caution though -- students can become very competitive and noisy.

The State Department IA Training team, led by Jeffrey Dektor, Acting Division Chief for Department of State, Diplomatic Security, Security Engineering and Computer Training Division wants to thank all participants for joining us in a great day of meeting new people, sharing ideas about training, and generating new ideas for meeting the Federal work force's information systems security training needs. We all look forward to working with FISSEA and our great community of awareness, training, and education professionals. If you would like more information about the IA Training Program at State Department, please contact Jeffrey Dektor (dektorJ@state.gov) or me (hansches@state.gov ).

Go to top of page

 

horizontal bar

TRAINIA

This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to lmn@nrc.gov and/or peggy.himes@nist.gov

***************************************************

On Monday, June 14, the Office of Personnel Management (OPM) issued their final version of new information systems security training regs. The document can be found at:
http://a257.g.akamaitech.net/7/257/2422/06jun20041800/edocket.access.gpo.gov/2004/04-13319.htm (you will be leaving NIST and FISSEA website and webserver after clicking this link)
A related Government Computer News article is at: http://gcn.com/vol1_no1/security/26205-1.html

***************************************************

A team of EVOLVENT Information Systems Security Engineers has developed a quarterly Information Assurance (IA) Newsletter for its Army IT medical system development customer to augment the solid "Defense-in-Depth" IA program they have deployed for their client.

The newsletter is designed to answer the IA "Who, What, Why, When, Where, and How" questions normally addressed by all IT users. Special emphasis to remove "techno talk" allows for ease of reading by system users with varying IT skill levels.

The newsletter addresses a variety of relevant subjects for the non-IT skilled individual, as well as technical topics all focused on IA. The first publication of this quarterly newsletter, in May of 2004 was intended for internal distribution to the 280 plus IT personnel supported by the EVOLVENT team. Within two weeks, through multiple requests the distribution within Army Medical channels had grown to well over 5,000 users.

In over thirty-years of managing security programs within and outside of the military, the one common request presented by the supported customer base was to present security education, motivation and awareness information in "Plain English". In other words, drop the legal and technical jargon, and tell how the requirement is to be implemented and why. In deploying a "Defense-in-Depth" IA process, you must have total involvement of the non-technical system user, as well as the technicians who administer the systems and networks.

While the first newsletter continues to gain popularity, we are looking to improve with each quarterly publication. The next quarterly publication, due out in August will have two faces; one for the military community and the other for the non-military audience.

The EVOLVENT corporate website www.evolvent.com will soon have a link to download copies of the newsletter. In the interim, please send requests for a copy of the newsletter to Guy.Sherburne@evolvent.com

***************************************************

12-16 July04 Lockheed Martin Information Technology, Intelligence Services, presents a 5-day Intrusion Methodology Course, taught in Elkridge, Maryland, scheduled for 12-16 July 2004. This course is first in the Defense in Depth, Information Assurance Training Series offered by Lockheed. The course is comprised of over 80% hands on lab exercises, using a variety of vulnerability assessment and penetration testing tools, with a live Internet presence and a target base of current and legacy software and hardware. Most importantly, the course concentrates on the methodology that a hacker would use, enabling the student to use and apply tools of his or her choosing to assess system vulnerabilities. The course is taught and updated by senior engineers in the field of Information Assurance, specializing in cyberforensics, vulnerability assessment and penetration testing.

For a course syllabus, details on location, pricing, seats available and other inquiries, please contact Jennifer Kyle, Senior Program Manager, Information Assurance Training on 410-540-4785 or via email: jennifer.kyle@lmco.com. Customer references available upon request. Course can also be taught on the customer site.

***************************************************

10-11 August04 Awareness Peer Group: http://i.nl03.net/ltr0/?_m=2g.000y.5fh07j0081i.0, San Francisco, CA. If you sometimes feel like you're the only person at your organization dedicated to awareness, then it's time to re-energize yourself and your awareness program by spending two days with your security awareness peers - people willing to share their experiences and what works. A unique opportunity to learn what your counterparts from other organizations are doing to raise awareness. Faciliated by John O'Leary, Computer Security Institute (CSI) Director of Education. For more information on this and other courses, call (415) 947-6320 or email csi@cmp.com

***************************************************

15-19 August04 Electronic Develop-A-Curriculum Workshop, Request for Participation. Under the auspices of the Committee on National Security Systems (CNSS) Education, Training, and Awareness Working Group, the National Security Agency is sponsoring an Electronic Develop-a-Curriculum (EDACUM) workshop at Idaho State University (ISU), Pocatello, ID, from 15 through 19 August 2004. Subject matter experts (SMEs), i.e., participants who are qualified to address the knowledges, skills, and attributes (KSAs) of Information System Security Engineer (ISSE) personnel are encouraged to attend.

Continuing the tradition of collaborative work by the CNSS agencies, NSA, Idaho State University (ISU), the academic community, and the private sector, the participants will work to identify and codify the knowledges, skills, and attributes (KSAs) of ISSEs in the context of Information Assurance (IA). This effort will provide the nation with collaboratively developed performance standards and standardized programs of instruction. Due to the limited number of workstations available at the SIMPLOT Decision Support Center (SDSC), the number of primary participants is restricted to 20 SMEs.

Idaho State University's SDSC, with its state-of-the art decision support software and extensive experience in facilitating and documenting IA-related EDACUM exercises, is uniquely equipped to develop national training data. Before attending, participants must understand that the EDACUM process is ambitious and aggressively applied, requiring dedication and long hours - some of which may be outside normal duty hours.

Please reply NLT 16 July 2004. Nominee information and questions regarding this EDACUM workshop may be directed to NSA's point of contact, Dr. Mucklow (t.mucklo@radium.ncsc.mil), who may be contacted at: 410.854.6206; FAX 410.854.7043.

***************************************************

14-15 September04 Cryptographic Module Validation Program Symposium, DoubleTree Hotel & Executive Meeting Center in Rockville, Maryland. Sponsored by NIST and the Canadian Security Establishment (CSE). The "CMVP Symposium 2004 - FIPS 140-2: Where security starts …" will focus on the Cryptographic Module Validation Program. To register, go to http://www.nist.gov/conferences. Further details are available on the CMVP website: http://nist.gov/cmvp2004. The CMVP Symposium will focus on navigating through the FIPS 140-2 testing and validation program and what is coming on the horizon as work starts on FIPS 140-3, new guidance, expectations, FISMA implementation, international topics, new algorithm tests suites, CMVP laboratory panel discussion, and more.

***************************************************

14-16 September04 Global Mobile Enterprise 2004 Conference and Exhibition, Ottawa, Canada at Brookstreet Hotel. Join colleagues from around the world in identifying the trends in developing in the enterprise mobility industry. The theme of this years conference is Wireless Business Solutions: Security, Vertical Markets and Emerging Technologies. Contact Zora Arnautovic, 613-828-2800, zora.arnautovic@globalmobileenterprise.com, www.globalmobileenterprise.com

***************************************************

22-23 March05 Federal Information Systems Security Educators' Association (FISSEA) Annual Conference, "Target Training in 2005" to be held in the Rockville/Bethesda area. Please save the date and plan to attend. Complete details will be announced later or you may visit the FISSEA website at http://csrc.nist.gov/fissea. At the FISSEA conference you will discover new ways to improve your security program, enjoy high quality relevant presentations, gain awareness and training ideas, resources, and contacts.
 

Back arrow Back to FISSEA Homepage back arrow Back to Newsletter Index back arrow Back to CSRC Homepage

Please send comments or suggestions to webmaster-csrc@nist.gov.
Last Modified: July 14, 2004.