News and Views

Federal Information Systems Security Educators' Association

Issue Four of FISSEA Year 2004-2005
January 2005




From the Chair

Dear FISSEA Membership,
I am writing this note on 30DEC2004 while trying to clean up and close out 2004 office work so I can start 2005 with a clean slate... never happen... I fear I will never find, let alone start with, a clean desk!

We of the FISSEA Executive Board hope that all of our members will have a satisfying and productive New Year.

Of course, the changing of the calendar also means that our annual Conference is coming ever closer. I do hope that you have already accessed our web site, viewed the planned agenda, and submitted your registration form. This year, our Conference advertising brochure (which should be in your snail mailbox shortly) has a new attractive design. Please inform us of any comments you might have about it. If you have not yet registered, make this one of your New Year's Resolutions... and make it one that you will keep!

With the Conference approaching, it is time to review our by-laws for possible modification, and search for members who would be willing to serve on our Executive Board. Board Member tenure is two years and several of our slots will be up for election this time around. If you have the interest, enthusiasm, creativity, gumption, and willingness to help make our organization even better than it is, please consider having your name submitted for possible election. Further information on this can be found on our website. (http://csrc.nist.gov/fissea)

One point of concern is that you first check with your management and ensure that you will be able to actively participate. This includes attendance (preferably in person) at our monthly Board meetings, which are held at NIST in Gaithersburg, MD. We do employ a telephone bridge for those who are outside the DC-Metro area or have an occasional commitment which might keep them from getting to the meeting location. We are all professionals, hailing from the government, academia, and private industry, who are charged with work responsibilities in order to get our just deserts (isn't it interesting how adding an "s" to this word changes its meaning from "an area devoid of positive character or quality as a wasteland" to "something deserved or merited... as the state... of deserving reward"). The emphasis of this paragraph is that your management permit you to perform such things as: attending meetings, submitting newsletter articles, helping to coordinate the annual conference, providing input to issues on our listserve, and contributing to our free workshops when offered. The total amount of time required during a given month may amount to a few hours.

As you know, we are a volunteer organization and therefore only as good as our volunteers make it. So, I hope you will sincerely consider volunteering yourself as a member of our Exec Board. Election will be held during the Conference so winners can proudly wear their new mantle of honor while returning to their offices. Oh and please do not forget that you and every member of FISSEA receive benefits from your membership which far exceed the membership co$t (which is free!). FISSEA has a website which is kept up to date by NIST and houses a myriad of information. Our members are among the most helpful folks in the field as is witnessed by interactions on our moderated member listserve. Through our quarterly News & Views newsletter, recipients keep up on current items of interest as well as have a ready list of upcoming training opportunities and other activities. These are just a few of the benefits of membership with others being added periodically.

Another highlight of our Conference is when we present the "FISSEA Educator of the Year" award to a deserving person. Do you know of an individual who is worthy of this honor? To find out more about this, please check our website where you will find guidance as well as sample successful nomination letters from past years. Nominees do not need to be members of FISSEA. Please consider recommending someone whose professional efforts in Computer/Information Security Awareness, Training, and Education, are worthy of emulation. The award does come with added value as it includes a free admission for the winner to attend the next year's Conference.

A last note about our Conference: You will really miss a great one if you do not attend! Our coordinators (Curt Carver and Will Suchan) have put together a slate of presenters who will improve all of our understanding of how to perform our jobs. Keynotes will provide experience, insights, and worthwhile thoughts for consideration. The location is a beautiful new conference facility and hotel (with numerous amenities) located on a major transportation route as well as on top of the area's rapid rail system, and is surrounded by restaurants and shopping. Lastly, if you have attended our conferences in the past, be assured that we have received notice that this year we will have NO snow and the weather should be very conducive to improving our professional abilities while providing the networking opportunities for which FISSEA is famous.

Let me close this last column of my term as Exec Board Chair by saying Thank You to the committed members of our Board. Special thanks to our NIST support staff, Peggy, Mark, Patrice, and Patrick, for helping our volunteers do what needs to be done to keep FISSEA the fantastic organization and resource that it is. It has been my pleasure to serve as Chair, this year, and I look forward to continuing my participation with FISSEA in 2005 and the future.
Louis
 
Louis Numkin, CISM
US Nuclear Regulatory Commission
FISSEA Executive Board Chair



FISSEA Executive Board
2004-2005

Louis Numkin, CISM, Board Chair*
lmn@nrc.gov

Lewis Baskerville, CISM*
lewis.baskerville@sba.gov

LTC Curt Carver, Jr., Conference Director*
curtis.carver@usma.edu

Barbara Cuffie, CISSP, Past Chair

Thomas Foss **
foss@iogmail.iog.unc.edu

Tanetta Isler*
Isler123@hotmail.com

Gretchen Ann Morris, CISSP**
gretchen.a.morris@grc.nasa.gov

Jeffrey Seeman**
jaseema@nsa.gov

Mary Ann Strawn**
mast@loc.gov

LTC Will Suchan, Conference Program**
will.suchan@us.army.mil

Marvella Towns, Conference Contests*
mltowns@nsa.gov

Mark Wilson, CISSP, NIST Liaison, Assistant Chair*
mark.wilson@nist.gov

Peggy Himes, Executive Assistant to Bd, Newsletter:
peggy.himes@nist.gov

* Term ends March 2005
** Term ends March 2006


 

FISSEA Reminders:

Jan. 31, 2005 - FISSEA Educator of the Year nominations due, submit to fisseamembership@nist.gov

Feb. 1, 2005 - Entries for FISSEA Security, Poster, Website, and Trinket Contest due, submit to fissea-contest@nist.gov

Feb. 28, 2005 - Last day to make your hotel reservations for the FISSEA Conference 1-800-859-8003 Bethesda North Marriott

March 15, 2005 - Electronic registration ends for FISSEA Conference https://rproxy.nist.gov/CRS (walk-in registration available but not preferred)

Submit your name to run for the FISSEA Executive Board: fisseamembership@nist.gov

Attend FISSEA Conference March 22-23, 2005

Ask fellow FISSEA members questions through the list serve fissea@nist.gov. Please reply back to sender, not all.




Course Development
(a little method for the madness)

Gretchen Ann Morris, CISSP
NASA IT Security Awareness and Training Center
FISSEA Executive Board Member

When should we create a course?
Many times, course developers are given a topic by management and told to get started. And, because management controls the budget, we start on an adventure to give them something that will meet their request and that will be useful to the people we are trying to teach. The powers that be may or may not have done an appropriate needs assessment to see if training in the topic area they have selected is needed, and many times they are not able to tell you who needs to take the training when it is ready. If a topic is new to the Agency or company, training should cover the differences between what is currently being done (if anything) and what will be expected in the future. Also, if there is a current issue with job performance that has been caused by a lack of skills and/or knowledge, training could help. There are, however, some times when management thinks training will solve a problem that is not caused by a lack of skills and/or knowledge (lack of standards or policy, poor working conditions, lack of motivation…). When this is the case, training usually will not produce the results that management is expecting. The course developer should be able to discuss with his/her management the reasons for requesting the course and advise them if they have inappropriate expectations of the outcome.

Key Elements
One thing for sure is, you must know who the audience is. Many times you will find that there is more than one audience. Each one of them may need to be taught different aspects of the given topic. Depending on the number of audiences and the differences in what each needs to learn, the course developer may find the need for more than one course on the same topic. Each audience should be given a viable "What's in it for me?" (WIIFM); especially if you plan to try and get their support and voluntary participation in the training process. By the way, the word "MANDATORY" is NOT a good WIIFM.

Planning
Start a rough timeline for course development. Many times developers are given the end date (when the course should be up and ready); when this happens, they should work backwards to get dates for other important milestones (like reviews, drafts, and testing) and to see if the final date is reasonable. If the course wasn't a request from management, then you should inform them of the project and get their buy-in on what you will be trying to accomplish. Budgets, resources, and any possible political issues should also be taken into account when first starting the development of a new course.

More Information
Gather as much information about your potential audience(s) as you can. Know how many people there are, where they are located, and what their current skill level is in the area of the topic and related topics as well as in the area of computer skills. This information will help you decide which method of training will be used (on-line, classroom, a hybrid of the two…etc.). Because it is difficult to know each person's learning style, the training should try to include things that appeal to all of them.

Gather information from Subject Matter Experts (from within the Agency or company is best) on what your audience needs to learn. Ask "Who needs to learn what?"* This information will be used to write the course and test (if one is desired). It will be made up of tasks and steps for skills that need to be learned and concepts, guidelines, procedures, or policy for knowledge that needs to be acquired.

*Please note that if you are thinking of writing training for Information System Security, this answer has already been given to us in NIST 800-16 through the job roles and training matrix. So, to save much hard work and to keep from re-inventing the wheel, it is a GREAT place to start!

Write the Learning Objectives
Learning Objectives tell the course writers and the students what the course will teach. They are written from the list of tasks (skills) and/or concepts (knowledge) that your audience needs to learn. Be sure to have your SME's validate these before you move forward. Also note that: for Information System Security, the NIST 800-16 has a list of Sample Learning Objectives (in Chapter 4) to help point Information System Security course developers in the right direction.

Do you plan on testing your learners?
One good rule to follow in training is to ensure you repeat the key points (it has been said that in order for a learner to remember a key point, it must be stated 6 times within the training). One way of doing this is to include self-checks throughout the training, to include a review after each section, and to give a final exam. This may seem like overkill, but if the self-checks, review, and final are all written with different types of tests, then it works well and doesn't seem monotonous. Examples of types of tests include: scenarios (or case studies), puzzles (performance), and questions (verbal, written, open, and/or closed).

Design the course
The most fun part for many course developers is when they get to decide the format of the course, the color theme and layout of the training materials, and what types of multimedia will be used to enforce the information being taught.

Some necessary pieces are a style guide (which includes grammar rules and the amount of testing that will be included within the course) as well as a review cycle schedule and a list of who should be included in those reviews.

Develop course content
The entire course text should be written and reviewed prior to developing the actual support materials (if a classroom style course) or the multimedia pieces (for on-line courses). The content should teach the objectives.

Review and Testing
Be sure to have the following people (at a minimum) review the course prior to going "live": your SME's, two or three people who know grammar well, and at least one person who is from the audience the course was written for.

Evaluation
Ensure you have planned for feedback from those who take the course as well as from their supervisors. This can be in many different formats or styles; the most important thing is to ensure you have a way to get information on items to improve (possible additional information needed) and on whether or not the course helped.

Continuous Improvement
With feedback, comes the possible need for changes and editing. Plan that this will be a part of the process. Look at it as one more way to ensure you are giving the best possible course for those who take it.

Hope this is helpful, happy developing!
Gretchen Ann Morris



Information Assurance Directorate Sponsored Events

By Jeff Seeman, NSA
FISSEA Executive Board Member

Have you ever wondered what the National Security Agency/Central Security Service Information Assurance Directorate (IAD) is up to and are not sure whom to contact? IAD has a web page that lists its sponsored events.

You can find them at www.iaevents.com/

Throughout the year several conferences or workshops are offered. Topics range from identity protection and management, high assurance Internet protocol encryptor, and COMSEC monitoring to Operations Security (OPSEC). Add this site to your "favorites list" and check it out every quarter.



Book Review of
KNOW IT Security by James P Litchko

Submitted by Barbara Cuffie, CISSP
FISSEA Board Member and SSA, retiree

In KNOW IT Security, Mr. Litchko successfully writes a very interesting story about a security assessment being performed on an Internet gambling casino in a way that clearly explains basic information technology (IT) security concepts, terms and strategies in a non-technical manner. I liked the way he introduces both the island environment and the characters in the story in a manner that helps the reader to relate his/her own experiences, actions and challenges to those described so vividly in the book.

As a certified security professional, I recommend this book to managers at all levels who are responsible for overseeing an effective and efficient IT security program in either the public or private sector. I definitely think that security trainers, educators, officers and other IT systems security professionals will benefit from reading KNOW IT Security as well. The way the author includes diagrams, summary highlights, an index and common sense examples throughout the book makes it a valuable reference tool for security practitioners who are addressing security challenges daily.

Having agreed to review this book for the FISSEA newsletter, I took it on vacation with me not thinking I would actually do more than preview it before returning home. I was really surprised that the book is written in such an engaging style that I actually found it difficult to put it down before I had finished reading it. The bottom line is that as a result of reading this book, many readers may find that they have an improved understanding of IT security and also be better prepared to use some of his illustrative explanations of IT security terms and concepts in training others.

You can find it at www.knowitsecurity.com

(Note, we would like to encourage our members to submit reviews of books and/or movies that deal with computer security training issues. Please send them to peggy.himes@nist.gov.)


FISSEA Workshops On Using NIST Special Pub 800-16

By Mark Wilson, NIST
FISSEA Executive Board Member

Two more free workshops were offered recently - heck, three by the time you are reading this. Workshops were held on November 16th and December 1st, with one more on January 19th. The workshops focused on using NIST Special Publication 800-16 - "Information Technology Security Training Requirements: A Role- and Performance-Based Model." Not that this is a new theme in these FISSEA workshops, but this gave me the opportunity to do something I have wanted to do for years. In 1998 and 1999, I gave one-hour presentations - an overview - of the then new publication. I had wanted to expand the presentation into half-day workshops, but our priorities and workload at that time did not allow that to happen.

A good bit of time was spent discussing the FISMA requirement for information security training, including the now-famous "personnel with significant responsibilities for information security" passage. That topic, including identifying whom that includes and how to decide who has significant information security responsibilities, could be the focus of a separate workshop.

The June 2004 Office of Personnel Management (OPM) requirement for information systems awareness and training was also a hot topic. The new OPM regulation, part of the U.S. Code - 5 CFR Part 930, Subpart C - repeats key passages from FISMA that deal with information security awareness and training. The OPM regulation also codifies key passages from NIST Special Publication 800-50 - "Building an Information Technology Security Awareness and Training Program" - and requires federal departments and agencies to provide role-specific training in accordance with NIST publications.

The workshop discussion then focused on NIST Special Publication 800-16. A focal point in the discussion, and in understanding the training methodology in the document, is what has been termed "the NIST Model." This is the graphic that depicts the learning continuum of awareness, training, and education, with a bridge between awareness and training called "basics and literacy." In NIST Special Publication 800-16, the model appears as Exhibit 2-1 (Page 13) and as Appendix A (Page A-3).

We then showed how the training level of the continuum in the NIST Model becomes, in effect, a pull-down menu, revealing the IT Security Training Matrix. This matrix is included in the document as Exhibit 4-1 (Page 44), and Appendix B. The training matrix contains many of the elements of the training methodology we discussed during the remainder of the workshop, including:

* the six functional specialties (i.e., manage, acquire, design and develop, implement and operate, review and evaluate, use),
 
* the three training areas (i.e., laws and regulations, security program, system life cycle security), and
 
* the forty-six cells that are used in developing role-based training courses.

A fair amount of time was spent describing the relationship between the cells that are used to develop each training course (identified in twenty-six matrices in Appendix E) and the set of twelve topics and concepts (listed and described in Exhibit 4-4, beginning on Page 48) that are used to populate each cell with training material.

We illustrated that each of the twelve topics and concepts is further supported by far more detailed information - words and phrases that make up the body of knowledge on which the training methodology relies to build the various training courses. We emphasized that even though some cells may identify some of the same topics and concepts for use in developing the cells, it is critical that the detailed information associated with each topic and concept be used only if it supports the behavioral outcome and learning objectives described for each cell. The behavioral outcomes and learning objectives for the cells are described in detail throughout Chapter 4.

The workshops, while planned for three hours, lasted another half-hour or more. Some workshop evaluations recommended that one-day workshops on the same topic be conducted. The FISSEA Board will discuss this after the annual Conference.

If you have an opinion on these workshops - you would like to see more, or less, on the same topic, or on a different topic, feel free to write the FISSEA Board Chair, Lou Numkin at lmn@nrc.gov, or the FISSEA Board Assistant Chair, Mark Wilson, at mark.wilson@nist.gov.

Slides used in each workshop are available on the FISSEA website - http://csrc.nist.gov/fissea.


FISSEA Conference
March 22-23, 2005
"Target Training in 2005" Update

By Curt Carver, USMA
FISSEA Executive Board Member and
Conference Program Co-Director

The FISSEA conference (22-23 March) is rapidly approaching and we are thrilled with the final agenda. The Call for Participation in October resulted in a record number of submissions. Coupled with a two-day agenda instead of the traditional three days, our job of selecting presentations was doubly difficult given the high quality and quantity of submissions. I think you will find the schedule to be an enticing mix of notable speakers, old favorites, and some new presenters.

While the agenda is not included in this newsletter (it is being released in full in a separate conference brochure), here is a sampling of some of the presentation titles that give you a feel for the conference:

  •  A Balancing Act between Risk Appetite and Risk Tolerance
  •  The Hacker Diaries, Confessions of Teenage Hackers
  •  Panel: Where will the next generation of CISOs come from?
  •  Breaking the Mold: Fieldwork approaches within an IA program
  •  CyberCIEGE: A Video Game for Information Assurance Training and Awareness

As you can see from even this small sampling, there is a broad spectrum of presentations at FISSEA. With dual tracks so you can choose which presentations you attend, there is something for all information assurance professionals involved in security awareness, training, and education, making FISSEA the must-attend conference of 2005. Register now and make sure to get your hotel reservations for the 2005 FISSEA Conference.

 


  Mailing FISSEA Newsletter to be Discontinued

Due to rising costs, mailing the FISSEA newsletter will be discontinued. The newsletter will still be published quarterly but will be available through the FISSEA website. If you still need to have the newsletter mailed, please contact peggy.himes@nist.gov to make arrangements.
 

 


Thoughts on Awareness

It is an understatement to report that 2005 has opened with horrific events: the tsunami which devastated South Asia, California mudslides, eight feet of snow in the Sierra mountains, Utah and Ohio River flooding, a South Carolina HazMat situation where a train carrying chlorine gas derailed, and more. Not wishing to be perceived as insensitive or callous, I believe an opportunity does exist for us as awareness/training/education specialists to make lemonade from the lemons we have been dealt.

I can recall numerous awareness presentations which related 9/11, Oklahoma City, and the San Francisco Earthquake to IT Security. It is possible that the recent events could provide us with a greater impact on our audiences. Cataclysmic occurrences in nature happen with little or no warning. These are compounded by the effects that negative human actions could possibly have, such as the hacker attack on George Mason University that stole 32,000 identities (social security numbers, addresses, photos, etc).

Each of us is responsible for protecting data, performing backups, and disaster planning, at work as well as at home. With on-going mourning of over 150,000 victims it reminds each of us that we are not immortal and raises questions which should improve our awareness and thereby aid our organizations. While acknowledging the immensity of the terror, this column seeks to provide current examples of how everyday activities can become meaningful messages for our staffs. Here are just a few questions for your consideration that could become a foundation for awareness presentations/articles:

  •  Have we adequately prepared for Continuity of Operations should any of us become a casualty?
  •  Are backups stored in such a way that a regional disaster will not destroy them along with their primary systems and data?
  •  Has cross-training occurred and been tested so that lead people have knowledgeable backups for their functional roles?
  •  Without our most vital resource, is our documentation up to date and safely stored so that someone can pick it up and continue necessary work?

As one of our Exec Board commented, "Networks are not just technological... but also people." This truism provides us a stepping off point for raising our organizations' awareness at the start of the New Year.

Just a thought,
Louis
Louis M Numkin
US Nuclear Regulatory Commission


Use Resources to Get Your Message Out

Submitted by Mary Ann Strawn
Library of Congress and FISSEA Board Member

Use the resources at hand to keep on preaching the message.

Sometimes, it's hard to think of how to keep putting out the computer security message in new and meaningful ways. But that's the beauty of FISSEA; it exposes you to fresh ideas and people with unique approaches.

One helpful tool is the calendar. At the end of the year is the perfect time to check on a roundup of news from the old year as well as the predictions of the pundits for the coming year. We looked at media reports and did a very brief roundup, which is reprinted below.

Recapping the perils and problems in IT Security and looking to the New Year.

CNET News.com reports, "The year also highlighted that the largest flaw in PC security remains the uneducated user." In addition, the source reported that "phishing" attacks jumped by 25 percent per month in 2004. (Readers interested in this information will need to cut and paste.) http://news.com.com/Year+in+review+Web+of+deception/2009-1009_3-5487985.html?tag=nl (NOTE: you will be leaving the FISSEA site and NIST webserver after clicking this link)

2004 was good and bad for security according to PCWorld. Online crime went professional in a big way, with the mob taking over from the script kiddies. Balanced against that were several high profile arrests for computer crimes. http://www.pcworld.com/news/article/0,aid,119031,00.asp (NOTE: you will be leaving the FISSEA site and NIST webserver after clicking this link)

While making predictions for the year ahead, TechWeb.com foresees the cost of cybercrime exploding. The publication estimates that the amount stolen by hackers and cybercriminals will exceed $500 Billion. http://www.techweb.com/tech/security/

"Threats only got worse in 2004, just as predicted," said Washington Post TechNews.Com. Squelching spyware and spam was listed as one of the key technology developments of the year. The story on the dangers to watch in 2005 is at http://www.washingtonpost.com/wp-dyn/technology/?nav=left (NOTE: you will be leaving the FISSEA site and NIST webserver after clicking this link)

Several sources, including TechNewsWorld.com, blame the USA for flooding the world with spam. http://technewsworld.com/story/39260.html. However, AOL recorded a drop in spam messages, hinting that spammers are beginning to give up.

Government Computer News features a malware hall of fame, a hit list of the year's biggest viruses. Topping the chart is the Sasser worm. It makes the infected computer virtually unusable due to continual restarts. http://www.gcn.com/vol1_no1/daily-updates/31421-1.html (NOTE: you will be leaving the FISSEA site and NIST webserver after clicking this link)


TRAINIA

This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to lmn@nrc.gov and/or peggy.himes@nist.gov

***************************************************

January 15, 2005 Call for Papers
April 18-21, 2005 The Department of Energy (DOE) Cyber Security Group (CSG) Training Conference has provided a training-based forum for DOE and DOE contractors to share cyber security information and new technologies. To continue the tradition of a quality program, you are invited to submit an abstract for a 45-minute presentation or a proposal for a pre-conference training workshop (workshops can range from 2 hours to all day) for the 27th conference in Denver, Colorado.

This year's theme, "Know Your Enemy, and Protect Your Resources," focuses on the wide range of threats that we, as Cyber Security professionals, face daily (e.g., the Insider, social engineering) and the security solutions that can be shared and deployed across the complex. Presentations and workshops should address the theme in some way and be related to cyber, network, or data security. Presentations that relate to common security solutions (i.e., those that can be implemented across the Department) are especially requested. Vendors planning to submit an abstract or a proposal must be sponsored by a DOE or DOE contractor organization. In addition, if chosen to speak, the sponsor must be present during the session.

The DOE CSG training conference is a 3-day event running Tuesday through Thursday, with pre-conference workshops on Monday. Your audience will range from entry-level to advanced Cyber Security professionals. To accommodate a variety of interests and experience levels, the 45-minute sessions are presented in three tracks: Security Basics, Technical, and Management, and the conference agenda is annotated with your assessment of the content of the presentation. Please visit the conference website (http://cybertrain.labworks.org/conferences/april2005) for more information and to submit an abstract or a proposal.

If you are interested in participating or have topic ideas, please contact Beth Harbaugh at (202) 586-7420 or beth.harbaugh@hq.doe.gov, or Regina Kahn, 2005 Conference Program Chair, at rkahn@pantex.com or (806) 477-3818. If you are interested in conducting a training session or presenting, please submit your abstract (500 words or less) no later than January 15, 2005. Information submitted by Susan Farrand, Susan.Farrand@hq.doe.gov.

***************************************************

February 24, 2005, 6:30-9:30pm, Columbia, MD. The SANS Institute is pleased to offer classroom sessions within your own hometown community designed to accommodate your personal needs. The Stay Sharp Program focuses on education that teaches an audit, operation, legal, management, or security skill in a single evening. The SANS Institute invites you to participate in their Defeating Rogue Access Points course offered in your local area. This SSP is a three-hour course that gives you the experience to leverage popular open-source and commercial tools to detect and mitigate the threat of rogue APs. You'll learn about the different threats posed by wireless networks and how to use powerful programs such as Nessus, Ethereal and Kismet as well as custom SANS tools to assess and locate the presence of rogue wireless networks in your environment through classroom demonstrations and hands-on labs. With the skills learned in this course you will be able to defeat the threat of rogue APs, protecting your organization's networks. For fees and more detailed information: http://www.sans.org/staysharp/details.php?id=854 or contact StaySharp@sans.org.

***************************************************

February 28-March 1, 2005, Mid-Atlantic Network Security Forum at the Wardman Park Marriott Hotel in Washington DC. (a) Peer-to-peer Discussion Tracks (P-2-P) that focus on deep technical issues or strategic management challenges: Intrusion Detection & Prevention; Security Information Management; Authentication and Access Control (this, the newest track, will be led by Glen Sharlun and Brandon Dunlap, two of our highest rated faculty members); Wireless Security; Vulnerability Management; Regulatory Compliance; Strategic Management of the Security Enterprise - Managing a Security Operation; Incident Response: Processes & Procedures; Security Outsourcing. (b) Faculty Focus: While the Forum is focused mainly on the sharing of peer insights, we recognize that many participants also want to hear what the visionaries on our Faculty are thinking. For two sessions, each 30 minutes in duration, you have the opportunity to sit down with the likes of Eric Cole and Marcus Ranum. Please contact Amanda O'Donnell, 617.399.8100, or check the website for pricing. If your schedule does not permit your attendance, but your interest has been aroused, be sure to review the other Forums the Institute will hold in 2005 at http://www.ianetsec.com/forums/calendar.html

***************************************************

March 22-23, 2005 - Federal Information Systems Security Educators' Association (FISSEA) Annual Conference, "Target Training in 2005," to be held at the new Bethesda North Marriott Hotel and Conference Center on Marinelli Road in North Bethesda (White Flint Metro stop). Please save the date and plan to attend. Emerging details will be announced on the FISSEA website at http://csrc.nist.gov/fissea. At the FISSEA conference you will discover new ways to improve your security program, enjoy high quality relevant presentations, and gain awareness and training ideas, resources, and contacts. URL for electronic registration for the FISSEA Conference: https://rproxy.nist.gov/CRS. Please review the separate conference brochure in your mailbox and register soon.

***************************************************

April 4-6, 2005 - InfoSec World Conference and Expo 2005, Disney's Coronado Springs Resort, Orlando, FL. http://www.misti.com/09/os05eb1_infosecworld.html INFOSEC WORLD: 360 Security. For more than a decade, MIS Training Institute's InfoSec World Conference & Expo has been the one event that top information security pros have attended to get up-to-date information, real-world strategies, and cutting-edge techniques for mitigating risk, securing critical data, and strengthening the enterprise. In 2005, InfoSec World will reach new heights in education and offer you the full spectrum of information security like never before! MIS Training Institute, 498 Concord St., Framingham, MA 01702-2357. Tel: (508) 879-7999. E-mail: mis@misti.com. Web: http://www.misti.com

***************************************************

FISSEA member Bill Uttenweiler shared his latest batch of 10 new free downloadable security awareness/motivation posters. Point your browser to: http://members.impulse.net/~sate/posters.html If you do not see new posters, your firewall is displaying an old copy of the site; hitting Ctrl+Refresh will force the network to get you the newest copy of the page. Bill reports that you are welcome to download the posters and use them in your security awareness/motivation program. However, you may NOT modify them without permission. Bill Uttenweiler, 805-606-7722.

***************************************************

dNovus RDI, Inc. is currently offering its System Penetration Methodology course in Columbia, Maryland. The course is scheduled based on customer demand and accommodates 10 students, either at our facility or at that of the customer. This 5-day, 40-hour course consists of over 80% hands-on technical lab exercises that enhance students' learning of the Hacker Protocol. Students will learn the Hacker Protocol, a methodology used by the adversary to penetrate systems. Current customers include DoD and the Intelligence Community. References available upon request. If interested in a course outline, syllabus, pricing, a capabilities briefing, or further information, please contact the dNovus RDI Program Manager for Information Assurance Training, Jennifer Kyle: jkyle@dnovus.com, 410-309-1244.

***************************************************

Missed the CSI 31st Annual Conference? Wish you could share a session with your colleagues? View up to 9 keynote and conference sessions from the CSI Annual Computer Security Conference and Exhibition, held November 2004 in Washington, D.C. We've made a sampling of sessions available for viewing at no charge for a limited period of time. Topics include Wireless, Intrusion Prevention, Outsourcing, Risk Management and more. Also catch the keynote by Frank "Catch Me if you Can" Abagnale (standing room only), and the keynote by Marianne Emerson of the Federal Reserve Board. Get a taste of the CSI Conference at no charge. http://www.pqhp.com/cmp/csi04/

***************************************************

Security University computer training classes will be presented at the SU facility in McLean, VA. There are technical and non-technical classes. For more information, see www.securityuniversity.net or contact Sondra J. Schneider, 203.357.7744.

Jan. 24-28 Anti-Hacking for Network Penetration Testing Methods + Ethical Hacking
Feb. 5-11 Wireless CWNA/CWSP Bootcamp, Exams Incl.
Feb. 7-9 Catching the Hackers - Introduction to Intrusion Detection Systems
Feb. 14-16 Anti-Hacking for Trojans, Viruses, Patch Mgt & Incident Response
Feb. 14-18 EC Council Ethical Hacking Certification
Feb. 15-16 Linux/UNIX Security with Jay Beal
Feb. 17-18 Anti-Hacking for Secure HTTP and Coding
Feb. 21-25 CWSP Certified Wireless Security Professional, Exam Incl.
Feb. 23-25 Anti-Hacking for Firewalls, VPNs Security & Prevention Tools
Feb. 28-March 4 Intrusion Detection II: Systems to Defend Your Network
March 14-18 CWSP Certified Wireless Security Professional
March 21-25 PKI EXPOSED, Authentication, Access and Identity Management
March 21-25 EC - Computer Hacking Forensic Investigator Certification

***************************************************


Please send comments or suggestions to webmaster-csrc@nist.gov.
Last Modified: January 29, 2005.