By Peggy Himes, NIST
 
I'd like to take this opportunity to remind everyone of some housekeeping items. If you move, please send your new information, including email address, phone number, and the snail mail address to fisseamembership@nist.gov. If you retire, please suggest to your successor that they join FISSEA and drop us a note so we can correct our records.

We have many aliases set up. If you want to ask fellow members a question on IT security, send your question to the listserve using fissea@nist.gov. Your listserve has approximately 500 members and you are asked to respond directly to the individual rather than the entire list.

The membership voted that the listserve not be used for advertising unless you have a free event that relates to computer security awareness, training, and education. However, the "Trainia" section of the newsletter which Louis Numkin started includes fee events. Please send a brief description paragraph to peggy.himes@nist.gov or lmn@nrc.gov.

In the last issue (July04) we mentioned a contest for the redesign of the FISSEA logo. Please review the rules and submit entries to fisseamembership@nist.gov, attention "FISSEA Logo Contest".

The FISSEA Educator of the Year Award has been in existence since 1991. The following highly regarded people have received this award:

You may want to think about running for the FISSEA Executive Board. Several members are up for reelection and a few will be retiring. The board meets monthly in Gaithersburg with the opportunity to also call-in. Planning the annual conference is one of the major projects. Other projects that board members work on include hosting various ATE workshops, submitting input to the website, writing newsletter articles, and providing outreach and publicity on behalf of FISSEA.

Lastly, the FISSEA annual conference (March 22-23) will be held in a brand new location. It's so new you may have trouble finding it in a search of hotels. But rest assured it is a real conference center and it will be ready for the March conference. It's located at the White Flint Metro.

See you in March!

Go to top of page

NEW FISSEA Workshop:
NIST SP800-16 - 16Nov04

By: Mark Wilson, NIST

By Melissa Guenther, LLC

That said, individuals and groups have established specific date(s) to provide opportunities to focus on security behaviors. The purpose of this document is to provide information to help differentiate between the multiple Security Awareness Day(s), their purpose, and links to more information on each. As stated previously - every day is security awareness day - it is not an either/or situation.

Specific days (highlighted below) are not enough to help community's awareness of cyber, personal and physical security issues and promote safe practices. Therefore, in addition to any of the time frames below, many groups are scheduling other times to participate and celebrate safe habits.

A great example can be viewed at
http://edtechoutreach.umd.edu/cyberawareness.html
by Educational Technology Outreach.

*******************

Security Awareness Day - Physical, Information and Personal Security
September 10
http://www.ussecurityawareness.org/highres/concept.html

The concept of NSAD differs in that it tries to establish a culture of security without focusing solely on computers. It also seeks the validation of a government proclamation so that less effort can go into attracting attention to the event each year leaving more energy devoted to supporting it. Once approved, I would also want to draw attention to the other awareness events to help raise awareness throughout the year.

Please support the establishment of U.S. National Security Awareness Day as an annual observance (similar to Veterans Day). The concept is simple, dedicate a day to mentoring U.S. citizens in the threats facing our country and what they can do to help address them.

There must be top down support of a national security awareness program. Cyber security is a large part of that. However businesses need to be reminded of their responsibilities to security legislation such as Sarbanes Oxley and GLBA. Businesses also need to annually renew their commitments to information security, business continuity and disaster recovery programs.

The U.S. needs to undergo a cultural change to effectively protect against the threats facing it. We need to continue to improve our security posture. The government cannot do this on its own. It needs the support of its citizens. The concept of U.S. National Security Awareness Day is a proactive approach.

Want to make a difference? Let's do it together.

*******************

Cyber Security Day - Computer Security
October 31 and April 4
http://www.staysafeonline.info/

First held in 2002, the semi-annual National Cyber Security Days are coordinated with daylight savings in April and October in the U.S. and are intended to raise the public's awareness of cyber-security issues and promote safe online practices. Sunday, October 31, 2004, is the next Cyber Security Day. Set some time aside this week to update your anti-virus software and scan your computer for viruses. Also, check out the Top Ten Security Tips for more information on keeping your computer safe from hackers.

*******************

Colleges and Universities Recognize Cyber
Security Day with Campus Events
April 4

Setting your clocks forward or back for Daylight Saving Time and replacing the batteries in smoke detectors are rituals repeated every spring and fall. Similarly, the National Cyber Security Alliance established April 4, 2004, as Cyber Security Day to raise awareness about Internet safety and computer security issues. Colleges and universities across the country are planning security education and awareness events between March 29 and April 2 to help promote Cyber Security Day.

*******************

International Computer Security Day
November 30
http://www.computersecurityday.org/ and
http://www.geocities.com/a4csd/

International Computer Security Day is a globally recognized annual event set up to inform computer users of the significance of computer security. Computer Security Day began in 1988 when the Washington, D.C., chapter of the Association for Computer Machinery (ACM) sought to bring computer-related security issues to the nation's forefront. Since that time, Computer Security Day has evolved into a worldwide event. This annual event is held around the world on November 30th although some organizations choose to have functions on the next business day if it falls on a weekend.

By Jim Litchko, Jim Litchko & Associates, Inc.

Question: "How hard could it be to teach IT security to managers who were very interested in the subject?"

Answer: "Very, very hard when you are only using the typical IT security text book."

That answer is based on my first experience teaching computer security at Johns Hopkins University to quasi-technical managers in 1988. Like today the text books on the subject were filled with technical terms and concepts that do not relate to everyday realities. During the first class, I felt like I had just dropped my class into the pool's cold deep end and I was yelling, "STROKE, KICK, BREATH - UNDERSTAND!"

The lucky ones were only treading water. I knew there had to be a better way.

That night my father called and he said, "I just read The Readers Digest article on Cliff Stoll's book The Cuckoo's Egg and now I understand what you do." My father, who had an eight-grade education and never saw a computer, understood computer security? I had to read this book. And I did.

I was impressed with the simplicity that Cliff used to relate his story on discovering and tracking down his hacker. It reminded me of the "sea stories" that I heard in the Navy. It was then that I remembered my senior enlisted explaining that "sea stories" were not just to entertain sailors; they were to provide lessons and/or introduce them to strategies to solve problems. Entertain and inform - two key characteristics of effective training.

At the next class, I gave each student a copy of Cliff's book, provided them a description of the book to get them interested in the story, instructed them to be prepared to discuss it at the next class, and dismissed them.

At the next class, I asked them to identify what they liked about Cliff's book. By using the stories that they identified, I was able to "back" them into understanding what they had perceived to be complex subjects. An example was: by having the class first talk about Cliff printing all the traffic on borrowed printers, reviewing the print outs, and finding the hacker's tracks, made it much easier for the class to grasp concepts like audit, anti-virus, and intrusion detection and prevention.

Since then, I have seen others use fairy tails, sea stories, news articles, and other storybooks to successfully ease my students into deep IT security topics. What they use depends on the subject and the audience's background.

So, when you are thinking about how to teach people about what they perceive is a complex subject, think out of the textbook. Think of using non-technical stories that will allow them to wade in to the shallows and slowly build their confidence before diving into some of the deep topics related to IT security.

Author is Jim Litchko, adjunct professor, professional speaker, and author of KNOW Your Life and KNOW IT Security, and co-author of KNOW Cyber Risk.
Email jim@litchko.com and website www.litchko.com. For overviews and look at the covers you can go to www.knowbookpublishing.com.

This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to lmn@nrc.gov and/or peggy.himes@nist.gov

***************************************************

2004 FISMA Reporting Instructions. The Office of Management and Budget (OMB) released the 2004 Reporting Instructions for the Federal Information Security Management Act. A copy of the memorandum, identified as M-04-25 (Aug 23, 2004), can be obtained from the White House web site at http://www.whitehouse.gov/omb/memoranda/index.html. NIST Special Publication 800-53 (Second Public Draft), Recommended Security Controls for Federal Information Systems is now available at the NIST Computer Security Division web site, http://csrc.nist.gov/publications/drafts.html. Comments will be accepted at sec-cert@nist.gov until November 31, 2004. Final publication is expected on January 31, 2005. See the NIST FISMA Implementation website, http://csrc.nist.gov/sec-cert for additional FISMA-related information.

***************************************************

Security Posters Available Free! If you are on the FISSEA listserve, you already saw this message from a new FISSEA member, Bill Uttenweiler. Bill graciously offered the use his security posters. "I am in several security groups on the California Central Coast. Every two months we make new security awareness/education posters available on our web site. They are in PDF format, so you can click on one to download it. Hope the posters are useful for you -- and to those you forward this to. God Bless the USA! Bill Uttenweiler, 805-606-7722 DSN: 276-7722 For free downloadable security posters, go to http://members.impulse.net/~sate/posters.html"

***************************************************

October 26-27, 2004 - Federal Information Assurance Conference (FIAC), UMUC Inn & Conference Center, Adelphi, MD. The 4th Annual FIAC is designed to meet the real-world information assurance needs of the Federal Government and its workforce. This two-day event will provide useful information and educational opportunities for federal managers, acquisition and procurement officials, network and systems administrators, and information security professionals. This year's event features a FISMA Plenary Session presented by OMB and NIST. Three tracks will cover: Ensuring Agency-wide Program Awareness; Developing an Enterprise Security Culture and; Deploying Successful Programs and Solutions. CPE credits are available for CISSP and SSCP certified attendees. The cost to attend FIAC 2004 is $495 for Government Employees and $595 for industry. For more information and to register on-line go to www.fbcinc.com/fiac. The day tutorials are on the 28th. Contact information: Bob Jeffers, FBC, (800) 878-2940, x226, bj1@fbcdb.com

***************************************************

October 28-29, 2004 - Disaster Preparedness and Continuity of Operations (COOP) - Optimizing Your COOP Program Under FPC 65. Ronald Reagan Building, Washington, DC. This two-day workshop will give you practical experience in applying Federal Preparedness Circular 65 guidance in developing a program and writing your department's or agency's Continuity of Operations (COOP) Plan and/or developing or managing an improved Disaster Preparedness Program. Call 703-683-5561, www.potomacforum.org.

***************************************************

November 1-4, 2004 - Back to the Future: Find the Future of Information Security in New Orleans SANS CDI South. That's where SANS will introduce a program of one and two day intensive technology courses on topics ranging from Cutting Edge Hacking Techniques to Ethics, from Business Law and Computer Security to Auditing Wireless Security. If you cannot afford the time for a full week of training, or if you want to focus on two to four topics important to your security program, you won't find a better security conference anywhere. In particular, if you were thinking about attending one of the twenty or thirty old security conferences run by other organizations, compare the faculty they offer against SANS teachers, the timelines and practicality of the information, and the value you will bring back to your employer (not to mention the weather) and we think it will be easy to choose SANS CDI South in New Orleans over any other security conference. http://www.sans.org/cdisouth04/

***************************************************

November 8-10, 2004 - 31st Annual CSI Computer Security Conference & Exhibition. Marriott Wardman Park, Washington, DC. Featuring the largest and most comprehensive conference program anywhere-14 tracks and 160 sessions on: Introduction to Computer Security, Management and Governance, Awareness Training & Education, Risk and Audit, Wireless Technology & Security, Attacks and Countermeasures, Legal, Compliance and Privacy, Continuity, Response & Recovery, Forensics, Technology (Double Track), Government, Critical Issues, Infrastructure ...and much more. The Exhibition November 7-9 features 175 exhibitors displaying the latest security products and technologies. Join over 2500 security pros in Washington, D.C. this November and get the knowledge and skills you need to succeed in the year ahead. For more information on attending call Computer Security Institute at (415) 947-6320 or email csi@cmp.com, http://www.gocsi.com/

***************************************************

November 16, 2004 - Third FREE FISSEA Workshop! NIST Special Publication 800-16. NIST North, Gaithersburg, MD, Lecture Room 152, 9:30-12:30. Space is limited and preregistration is necessary. Contact Mark Wilson, mark.wilson@nist.gov for technical questions and peggy.himes@nist.gov for registration. See page 3 for details.

***************************************************

November 16, 2004 - Homeland Defense Training Conference. GIS in Homeland Security: Creating the Common Operational Picture (COP) to Improve Situational Awareness. Location: Executive Conference Center, NRECA Headquarters Building, 4301 Wilson Boulevard, Arlington, VA. Further information, call 703-807-2753 and speak to Maurice Martin. www.homelanddefensejournal.com

***************************************************

November 18-19, 2004 - CSI Security Awareness Peer Group, in Washington, DC for the first time, hosted by International Finance Corporation (IFC). CSI's Security Awareness Peer Group is a friendly idea exchange for people specializing in the security awareness function at their organization. Registrants will plan the agenda based on their own needs. Come and compare your awareness program activities with sophisticated programs from corporate America. $1895 for first person, second at $745. Meals included. Call or email Pam Salaway for more details (631.878.2205, psalaway@cmp.com) or visit CSI's website at www.gocsi.com/peers/peer.jhtml

***************************************************

April 4-6, 2005 - InfoSec World Conference and Expo 2005, Disneys Coronado Springs Resort/Orlando, FL http://www.misticom/09/os05eb1_infosecworld.html INFOSEC WORLD: 360 Security. For more than a decade, MIS Training Institutes InfoSec World Conference & Expo has been the one event that top information security pros have attended to get up-to-date information, real-world strategies, and cutting-edge techniques for mitigating risk, securing critical data, and strengthening the enterprise. In 2005, InfoSec World will reach new heights in education and offer you the full spectrum of information security like never before! MIS Training Institute, 498 Concord St., Framingham, MA 01702-2357. Tel: (508) 879-7999. E-mail: mis@misti.com. Web: http://www.misti.com

***************************************************

March 22-23, 2005 - Federal Information Systems Security Educators' Association (FISSEA) Annual Conference, "Target Training in 2005" to be held at the new Bethesda North Marriott Hotel and Conference Center on Marinelli Road in North Bethesda (White Flint Metro Stop). Please save the date and plan to attend. Emerging details will be announced on the FISSEA website at http://csrc.nist.gov/fissea. At the FISSEA conference you will discover new ways to improve your security program, enjoy high quality relevant presentations, gain awareness and training ideas, resources, and contacts. Please see the Call for Participation in this issue.

By: Contest Coordinator

If you failed to participate in FISSEA's first Security Poster, Trinket and Website Contest, you are being afforded another opportunity to do so. This contest has been and will be an intricate part of the FISSEA Conference. This venue affords organizations an opportunity to showcase their security paraphernalia that educates via the security themes or messages presented in each poster, trinket or website submitted.

This contest affords organizations an opportunity to not re-invent. If the security message articulated in an item submitted, these items may be shared among the FISSEA community. Below are the rules for the contest:

Rules and Guidelines
This contest includes Awareness, Training and Education posters, trinkets (pens, sewing kits, stress relief items, t-shirts, etc.) and websites. Each category of the competition will be judged separately. A winner will be selected from each category and awarded a certificate at the annual FISSEA conference.

1. RULES

1. Only one item in each category may be submitted (1 poster, 1 website, and/or 1 trinket). However, an individual or organization may enter in all three categories.
2. The entries must be submitted by a FISSEA member prior to the deadline of February 1, 2005.
3. Entries must have a security education theme and be part of the organization's current security awareness program. All entries must be original and wholly unclassified.
4. A Contest Entry Form must accompany all entries and is available on the FISSEA website http://csrc.nist.gov/fissea. Each submission automatically agrees to allow FISSEA to publish, however, only the winning entries will be published on the FISSEA web page.
5. PowerPoint will be used to prepare each entry. One slide will be designated the Entry Form for the category followed by the entry for that category. All slides should be e-mailed to: fissea-contest@nist.gov.
6. Any item not adhering to the rules and entry guidelines will be ineligible. The decision of the contest supervisor is final.

2. GUIDELINES

1. A committee of at least three FISSEA members will judge the contest. The judges will evaluate each category (poster, website and/or trinket) on the basis of originality, security message, and graphic concept.
   
2. The winners in each category will be announced at the FISSEA Conference. A certificate will be awarded to each winner with a congratulatory letter signed by the FISSEA Executive Board Chairperson.

1. A separate title page with:
   
   • The title or topic;
     
   • A contact author with postal address and electronic mail address;
     
   • The name(s) of the authors, organizational affiliation(s), telephone and FAX numbers; and,
      
2. An abstract of no more than 300 words. The abstract is acceptable in ASCII, postscript, or PDF format only) NLT 29 October to Will Suchan at william.suchan@usma.edu.
    
3. Papers and presentations will be due NLT 28 January 2005. They will be published in the conference proceedings.