News and Views
Federal Information Systems Security Educators' Association
Issue Four of FISSEA Year 2004-2005
January 2005
From the Chair

Dear FISSEA Membership,

We of the FISSEA Executive Board hope that all of our members will have a satisfying and productive New Year. Of course, the changing of the calendar also means that our annual Conference is coming ever closer. I do hope that you have already accessed our web site, viewed the planned agenda, and submitted your registration form. This year, our Conference advertising brochure (which should be in your snail mailbox shortly) has a new attractive design. Please inform us of any comments you might have about it. If you have not yet registered, make this one of your New Year's Resolutions... and make it one that you will keep!

With the Conference approaching, it is time to review our by-laws for possible modification, and search for members who would be willing to serve on our Executive Board. Board Member tenure is two years and several of our slots will be up for election this time around. If you have the interest, enthusiasm, creativity, gumption, and willingness to help make our organization even better than it is, please consider having your name submitted for possible election. Further information on this can be found on our website (http://csrc.nist.gov/fissea). One point of concern is that you first check with your management and ensure that you will be able to actively participate. This includes attendance (preferably in person) at our monthly Board meetings, which are held at NIST in Gaithersburg, MD. We do employ a telephone bridge for those who are outside the DC-Metro area or have an occasional commitment which might keep them from getting to the meeting location. We are all professionals, hailing from the government, academia, and private industry, who are charged with work responsibilities in order to get our just deserts (isn't it interesting how adding an "s" to this word changes its meaning from "an area devoid of positive character or quality, as a wasteland" to "something deserved or merited... as the state of deserving reward"). The emphasis of this paragraph is that your management permit you to perform such things as: attending meetings, submitting newsletter articles, helping to coordinate the annual conference, providing input to issues on our listserve, and contributing to our free workshops when offered. The total amount of time required during a given month may amount to a few hours. As you know, we are a volunteer organization and therefore only as good as our volunteers make it. So, I hope you will sincerely consider volunteering yourself as a member of our Exec Board. Election will be held during the Conference so winners can proudly wear their new mantle of honor while returning to their offices.

Oh, and please do not forget that you and every member of FISSEA receive benefits from your membership which far exceed the membership co$t (which is free!). FISSEA has a website which is kept up to date by NIST and houses a myriad of information. Our members are among the most helpful folks in the field, as is witnessed by interactions on our moderated member listserve. Through our quarterly News & Views newsletter, recipients keep up on current items of interest as well as have a ready list of upcoming training opportunities and other activities. These are just a few of the benefits of membership, with others being added periodically.

Another highlight of our Conference is when we present the "FISSEA Educator of the Year" award to a deserving person. Do you know of an individual who is worthy of this honor? To find out more about this, please check our website, where you will find guidance as well as sample successful nomination letters from past years. Nominees do not need to be members of FISSEA. Please consider recommending someone whose professional efforts in Computer/Information Security Awareness, Training, and Education are worthy of emulation. The award does come with added value, as it includes a free admission for the winner to attend the next year's Conference.

A last note about our Conference: You will really miss a great one if you do not attend! Our coordinators (Curt Carver and Will Suchan) have put together a slate of presenters who will improve all of our understanding of how to perform our jobs. Keynotes will provide experience, insights, and worthwhile thoughts for consideration. The location is a beautiful new conference facility and hotel (with numerous amenities) located on a major transportation route as well as on top of the area's rapid rail system, and is surrounded by restaurants and shopping. Lastly, if you have attended our conferences in the past, be assured that we have received notice that this year we will have NO snow and the weather should be very conducive to improving our professional abilities while providing the networking opportunities for which FISSEA is famous.

Let me close this last column of my term as Exec Board Chair by saying Thank You to the committed members of our Board. Special thanks to our NIST support staff, Peggy, Mark, Patrice, and Patrick, for helping our volunteers do what needs to be done to keep FISSEA the fantastic organization and resource that it is. It has been my pleasure to serve as Chair this year, and I look forward to continuing my participation with FISSEA in 2005 and the future.
It is an understatement to report that 2005 has opened with horrific events: the Tsunami which devastated South Asia, California mudslides, eight feet of snow in the Sierra mountains, Utah and Ohio River flooding, a South Carolina HazMat situation where a Chlorine Gas train derailed, and more. Not wishing to be perceived as insensitive nor callous, an opportunity does exist for us as awareness/training/education specialists to make lemonade from the lemons we have been dealt.
I can recall numerous awareness presentations which related 9/11, Oklahoma City, and the San Francisco Earthquake to IT Security. It is possible that the recent events could provide us with a greater impact on our audiences. Cataclysmic occurrences in nature happen with little or no warning. These are compounded by the effects that negative human actions could possibly have, such as the hacker attack on George Mason University that stole 32,000 identities (social security numbers, addresses, photos, etc.).
Each of us is responsible for protecting data, performing backups, and disaster planning, at work as well as at home. The on-going mourning of over 150,000 victims reminds each of us that we are not immortal and raises questions which should improve our awareness and thereby aid our organizations. While acknowledging the immensity of the terror, this column seeks to provide current examples of how everyday activities can become meaningful messages for our staffs. Here are just a few questions for your consideration that could become a foundation for awareness presentations/articles:
Without our most vital resource, is our documentation up to date and safely stored so that someone can pick it up and continue necessary work?
As one of our Exec Board members commented, "Networks are not just technological... but also people." This truism provides us a stepping-off point for raising our organizations' awareness at the start of the New Year.
Just a thought,
Louis
Louis M Numkin
US Nuclear Regulatory Commission
Submitted by Mary Ann Strawn, Library of Congress and FISSEA Board Member
Use the resources at hand to keep on preaching the message.
Sometimes, it's hard to think of how to keep putting out the computer security message in new and meaningful ways. But that's the beauty of FISSEA; it exposes you to fresh ideas and people with unique approaches.
One helpful tool is the calendar. The end of the year is the perfect time to check on a roundup of news from the old year as well as the predictions of the pundits for the coming year. We looked at media reports and did a very brief roundup, which is reprinted below.
Recapping the perils and problems in IT Security and looking to the New Year.
CNET News.com reports, "The year also highlighted that the largest flaw in PC security remains the uneducated user." In addition, the source reported that "phishing" attacks jumped by 25 percent per month in 2004. (Readers interested in this information will need to cut and paste.) http://news.com.com/Year+in+review+Web+of+deception/2009-1009_3-5487985.html?tag=nl (NOTE: you will be leaving the FISSEA site and NIST webserver after clicking this link)
2004 was good and bad for security, according to PCWorld. Online crime went professional big time, with the mob taking over from the script kiddies. Balanced against that were several high-profile arrests for computer crimes. http://www.pcworld.com/news/article/0,aid,119031,00.asp (NOTE: you will be leaving the FISSEA site and NIST webserver after clicking this link)
While making predictions for the year ahead, TechWeb.com foresees the cost of cybercrime exploding. The publication estimates that the amount stolen by hackers and cybercriminals will exceed $500 Billion. http://www.techweb.com/tech/security/
"Threats only got worse in 2004, just as predicted," said Washington Post TechNews.Com. Squelching spyware and spam was listed as one of the key technology developments of the year. The story on the dangers to watch in 2005 is at http://www.washingtonpost.com/wp-dyn/technology/?nav=left (NOTE: you will be leaving the FISSEA site and NIST webserver after clicking this link)
Several sources, including TechNewsWorld.com, blame the USA for flooding the world with spam. http://technewsworld.com/story/39260.html. However, AOL recorded a drop in spam messages, hinting that spammers are beginning to give up.
Government Computer News features a malware hall of fame, a hit list of the year's biggest viruses. Topping the chart is the Sasser worm. It makes the infected computer virtually unusable due to continual restarts. http://www.gcn.com/vol1_no1/daily-updates/31421-1.html (NOTE: you will be leaving the FISSEA site and NIST webserver after clicking this link)
This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA neither warrants nor determines the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to lmn@nrc.gov and/or peggy.himes@nist.gov.
***************************************************
January 15, 2005 Call for Papers
April 18-21, 2005 The Department of Energy (DOE) Cyber Security Group (CSG) Training Conference has provided a training-based forum for DOE and DOE contractors to share cyber security information and new technologies. To continue the tradition of a quality program, you are invited to submit an abstract for a 45-minute presentation or a proposal for a pre-conference training workshop (workshops can range from 2 hours to all day) for the 27th conference in Denver, Colorado.
This year's theme, "Know Your Enemy, and Protect Your Resources," focuses on the wide range of threats that we, as Cyber Security professionals, face daily (e.g., the Insider, social engineering) and the security solutions that can be shared and deployed across the complex. Presentations and workshops should address the theme in some way and be related to cyber, network, or data security. Presentations that relate to common security solutions (i.e., those that can be implemented across the Department) are especially requested. Vendors planning to submit an abstract or a proposal must be sponsored by a DOE or DOE contractor organization. In addition, if chosen to speak, the sponsor must be present during the session.
The DOE CSG training conference is a 3-day event running Tuesday through Thursday, with pre-conference workshops on Monday. Your audience will range from entry-level to advanced Cyber Security professionals. To accommodate the variety of interests and experience levels, the 45-minute sessions are presented in three tracks: Security Basics, Technical, and Management, and the conference agenda is annotated with your assessment of the content of the presentation. Please visit the conference website (http://cybertrain.labworks.org/conferences/april2005) for more information and to submit an abstract or a proposal.
If you are interested in participating or have topic ideas, please contact Beth Harbaugh at (202) 586-7420 or beth.harbaugh@hq.doe.gov, or Regina Kahn, 2005 Conference Program Chair, at rkahn@pantex.com or (806) 477-3818. If you are interested in conducting a training session or presenting, please submit your abstract (500 words or less) no later than January 15, 2005. Information submitted by Susan Farrand, Susan.Farrand@hq.doe.gov.
***************************************************
February 24, 2005, 6:30-9:30pm, Columbia, MD. The SANS Institute is pleased to offer classroom sessions within your own hometown community designed to accommodate your personal needs. The Stay Sharp Program focuses on education that teaches an audit, operation, legal, management, or security skill in a single evening. The SANS Institute invites you to participate in their Defeating Rogue Access Points course offered in your local area. This SSP is a three-hour course that gives you the experience to leverage popular open-source and commercial tools to detect and mitigate the threat of rogue APs. You'll learn about the different threats posed by wireless networks and how to use powerful programs such as Nessus, Ethereal and Kismet, as well as custom SANS tools, to assess and locate the presence of rogue wireless networks in your environment through classroom demonstrations and hands-on labs. With the skills learned in this course you will be able to defeat the threat of rogue APs, protecting your organization's networks. For fees and more detailed information: http://www.sans.org/staysharp/details.php?id=854, or contact StaySharp@sans.org.
***************************************************
February 28-March 1, 2005, Mid-Atlantic Network Security Forum at the Wardman Park Marriott Hotel in Washington DC. (a) Peer-to-peer Discussion Tracks (P-2-P) that focus on deep technical issues or strategic management challenges: Intrusion Detection & Prevention; Security Information Management; Authentication and Access Control (this, the newest track, will be led by Glen Sharlun and Brandon Dunlap, two of our highest rated faculty members); Wireless Security; Vulnerability Management; Regulatory Compliance; Strategic Management of the Security Enterprise - Managing a Security Operation; Incident Response: Processes & Procedures; Security Outsourcing. (b) Faculty Focus: While the Forum is focused mainly on the sharing of peer insights, we recognize that many participants also want to hear what the visionaries on our Faculty are thinking. For two sessions, each 30 minutes in duration, you have the opportunity to sit down with the likes of Eric Cole and Marcus Ranum. Please contact Amanda O'Donnell, 617.399.8100, or check the website for pricing. If your schedule does not permit your attendance, but your interest has been aroused, be sure to review the other Forums the Institute will hold in 2005 at http://www.ianetsec.com/forums/calendar.html
***************************************************
March 22-23, 2005 - Federal Information Systems Security Educators' Association (FISSEA) Annual Conference, "Target Training in 2005" to be held at the new Bethesda North Marriott Hotel and Conference Center on Marinelli Road in North Bethesda (White Flint Metro Stop). Please save the date and plan to attend. Emerging details will be announced on the FISSEA website at http://csrc.nist.gov/fissea. At the FISSEA conference you will discover new ways to improve your security program, enjoy high quality relevant presentations, gain awareness and training ideas, resources, and contacts. URL for electronic registration for FISSEA Conference: https://rproxy.nist.gov/CRS. Please review the separate conference brochure in your mailbox and register soon.
***************************************************
April 4-6, 2005 - InfoSec World Conference and Expo 2005, Disney's Coronado Springs Resort/Orlando, FL http://www.misti.com/09/os05eb1_infosecworld.html INFOSEC WORLD: 360 Security. For more than a decade, MIS Training Institute's InfoSec World Conference & Expo has been the one event that top information security pros have attended to get up-to-date information, real-world strategies, and cutting-edge techniques for mitigating risk, securing critical data, and strengthening the enterprise. In 2005, InfoSec World will reach new heights in education and offer you the full spectrum of information security like never before! MIS Training Institute, 498 Concord St., Framingham, MA 01702-2357. Tel: (508) 879-7999. E-mail: mis@misti.com. Web: http://www.misti.com
***************************************************
FISSEA member Bill Uttenweiler shared his latest batch of 10 new free downloadable security awareness/motivation posters. Point your browser to: http://members.impulse.net/~sate/posters.html If you do not see new posters, your firewall is displaying an old copy of the site; hitting Ctrl+Refresh will force the network to get you the newest copy of the page. Bill reports you are welcome to download the posters and use them in your security awareness/motivation program. However, you may NOT modify them without permission. Bill Uttenweiler, 805-606-7722.
***************************************************
dNovus RDI, Inc. is currently offering their System Penetration Methodology course in Columbia, Maryland. The course is scheduled based on customer demand and accommodates 10 students either at our facility or that of the customer. This 5-day, 40-hour course consists of over 80% hands-on technical lab exercises that enhance students' learning of the Hacker Protocol, a methodology used by the adversary to penetrate systems. Current customers include DoD and the Intelligence Community. References available upon request. If interested in a course outline, syllabus, pricing, a capabilities briefing, or further information, please contact the dNovus RDI Program Manager for Information Assurance Training, Jennifer Kyle: jkyle@dnovus.com, 410-309-1244.
***************************************************
Missed the CSI 31st Annual Conference? Wish you could share a session with your colleagues? View up to 9 keynote and conference sessions from the CSI Annual Computer Security Conference and Exhibition, held November 2004 in Washington, D.C. We've made a sampling of sessions available for viewing at no charge for a limited period of time. Topics include Wireless, Intrusion Prevention, Outsourcing, Risk Management and more. Also catch Frank "Catch Me if you Can" Abagnale's keynote (standing room only), and Marianne Emerson of the Federal Reserve Board's keynote. Get a taste of the CSI Conference at no charge. http://www.pqhp.com/cmp/csi04/
***************************************************
Security University computer training classes will be presented at the SU facility in McLean, VA. There are technical and non-technical classes. For more information, see www.securityuniversity.net or contact Sondra J. Schneider, 203.357.7744.
Jan. 24-28 Anti-Hacking for Network Penetration Testing Methods + Ethical Hacking
Feb. 5-11 Wireless CWNA/CWSP Bootcamp, Exams Incl.
Feb. 7-9 Catching the Hackers - Introduction to Intrusion Detection Systems
Feb. 14-16 Anti-Hacking for Trojans, Viruses, Patch Mgt & Incident Response
Feb. 14-18 EC Council Ethical Hacking Certification
Feb. 15-16 Linux/UNIX Security with Jay Beale
Feb. 17-18 Anti-Hacking for Secure HTTP and Coding
Feb. 21-25 CWSP Certified Wireless Security Professional, Exam Incl.
Feb. 23-25 Anti-Hacking for Firewalls, VPNs Security & Prevention Tools
Feb. 28-March 4 Intrusion Detection II: Systems to Defend Your Network
March 14-18 CWSP Certified Wireless Security Professional
March 21-25 PKI EXPOSED, Authentication, Access and Identity Management
March 21-25 EC - Computer Hacking Forensic Investigator Certification
***************************************************
Please send comments or suggestions to webmaster-csrc@nist.gov.
Last Modified: January 29, 2005.