NEWS AND VIEWS
July 1998   Vol. I  No. II


FROM THE  EXECUTIVE BOARD CHAIR

    As FISSEA members we are challenged by the tremendous responsibility to ensure employees' awareness of the threats to and vulnerability of computer systems, and to encourage all users of Federal computer systems to use improved computer security practices.  In order to do this, we must embrace the recently issued NIST Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model."  (We also need to be familiar with the Special Publications, FIPS Publications, and statutes that govern our organizations and programs.)  Be sure to "earmark" your copy of these publications whenever you have any question about their contents.  Then, send in questions for either a written response or a response via our FISSEA web page.  We can also discuss this at the annual conference.
    If you have an idea on how to do some aspect of training or awareness, or a unique and effective way, let us know that, too.  We'll gladly give you credit for anything submitted.  We need to reach out and touch everyone with our training and awareness today because we no longer live in a confined environment. 

    When using the computer systems and networks provided to us for our work, we have a community responsibility to know how our systems are vulnerable and how we, as individual users, can use those systems in a responsible and secure way.  It is our job to reach out to everyone to help them understand their responsibilities and realize they are accountable for their actions.  Therefore, accountability will become one of the ingredients in the training and awareness mix we deliver.  Ultimately, everyone will see that understanding the vulnerabilities of the systems and networks and knowing how to use improved security techniques will make them better computer and network users.  Better users will understand what they are accountable for, and this accountability will bring prevention--prevention of errors and prevention of unauthorized activities.

    Philip L. Sibert, CISSP

"'SIBER' SPACE" SNIPPITS

    Time surely flies when you're having fun! (Or when there's a deadline popping over the horizon!)  It seems like it was just yesterday that the April issue went out.  The Board of Directors is committed to providing quarterly FISSEA newsletters in April, July, October, and January.  It will be extremely helpful if FISSEA members submit articles to Lou Numkin, the "FISSEA News and Views" editor, by the first of each publication month. 

    A mistake was made in our last issue when the "return mail" card sent out was smaller than the post office allows.  Because of this, we are unable to determine if all cards mailed were received.  Therefore, in this issue there will again be a card to mail back to NIST verifying your desire to continue membership in FISSEA, and requesting you provide contact information.  Please return the card, even though you may already have mailed one back recently.  THANKS FOR YOUR HELP!


EVALUATING RESULTS-BASED LEARNING FOR INFORMATION TECHNOLOGY SECURITY:  Synopsis of NIST ITL Bulletin dated June 1998

    The training requirements for Results-Based Learning were developed by the FCSPM Forum and FISSEA.  Results-based training for information technology (IT) security focuses on employees' job functions and their specific organizational roles and responsibilities.  This approach to learning is based on the premise that employees have unique backgrounds and different ways of learning.  Other considerations in the program are that employees may have more than one role in an organization, and that IT security training may need to be tailored for the specific responsibilities of each role.  Awareness of the need for IT security is the starting point in the learning process for all employees.  The next step is training, which starts with security basics, then training in a range of security-related skills needed by employees for their specific roles and responsibilities.  It is critical that the training is current and customized to meet the needs of the individual employees and organizations. 

    Organizations need to evaluate the effectiveness of the training and its relevance to their IT security training requirements.  Evaluating training can be beneficial for employees (able to assess post-training job performance), managers (able to assess on-the-job performance after training), and trainers (able to use evaluation to improve training methods).  The evaluation process can include the following: 

    • Training (student) satisfaction - provides feedback from the student's perspective
    • Learning effectiveness - what the employee learned from training
    • Teaching effectiveness - how well training is implemented
    • Training program effectiveness - value of the training in relation to the organization's overall IT security training program

    An evaluation plan must identify mission-related goals and learning objectives, along with the following: 

    • Description of the environment before training
    • Activity to be performed so the evaluator can observe employee conduct and skills
    • Success measures derived from the employee's work rather than from classroom testing; i.e., written behavioral objectives; risk management techniques; qualitative skills; and nature and purpose of the training activity
    • Steps for collecting and using evaluation data

    There are four levels of evaluation: 

    1) End-of-Course Evaluation (Student Evaluation), where employees rate the training;
    2) Behavior Objective Testing (Learning and Teaching Effectiveness), which measures the level of information or skill of the training with respect to the employee's background, education, and skills;
    3) Job Transfer Skills (Student Performance Effectiveness), which is a "before" and "after" job skills comparison completed by the employee's supervisor to evaluate how the training benefits the organization as well as the employee; and
    4) Organizational Benefit (Training Program Effectiveness), which quantifies the value of training in relation to the costs by interviewing employees, supervisors, and colleagues. 

    NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, provides detailed, specific information to help organizations evaluate their IT security training programs, the extent to which the programs are useful, and how to make wise decisions in allocating training resources.  An electronic copy of NIST 800-16 can be accessed at http://csrc.nist.gov/training/800-16.pdf


IN YOUR SPARE TIME (YOU CAN LAUGH HERE!)

    CHECK OUT THE FOLLOWING URL: http://glef.org/learnlive/redirect/esources.html  Anyone familiar with the George Lucas Education Foundation?  If so, let us know.  There is an extensive list of sponsors, many from the computer industry.  Maybe we should try to have them speak at the annual conference?  Your help is appreciated!

EDITOR'S CORNER

    First... a KUDO is due: The FISSEA Exec Board thanks K. Rudolph, Native Intelligence, and John Orban, NRC, for creating our newsletter banner artwork.  Though I may have had the original idea, it took these two folks to get it into our paper.  Thanks, again. 

    And now, the rest of the column... 

    Did you ever wonder what happens to all the letters and words that an Editor cuts out of articles written by newsletter contributors?  Well, they are molded into a post script column that fills a little more white space and hopefully carries some message. 

    For years, folks who know me know that I am a staunch supporter of Government Computer Security professionals getting out into their community schools and senior citizen centers to preach the gospel of good computer security as well as computer ethics.  My agency and management have always supported this endeavor... but... I have been informed that in the future we may not be able to because of budget and other constraints.  Oh, they will still permit personnel to keep up such efforts on an individual case basis, but our agency Community Outreach Program may be a thing of the past. 

    This is a real concern to me.  Advertising by our Public Affairs Office mentor and internally has resulted in  more employees volunteering their time and staying interested in this good deed activity.  No, the fight is not over yet, but from what I've been told, this central focusing office will no longer be able to directly encourage our participation.  It is mentioned here as an inducement to get each of you to ensure that if your agency has such a program, support it and don't let it die.  If your agency does not have an outreach program to schools and centers, suggest it and offer to participate.  It feels good to give something back to your community. 

    The April 24, 1998, Washington Post's Federal Diary column by Mike Causey was entitled "Mobilizing an Army of Volunteers."  It referenced something that may make my quest in this editorial a bit easier for the readership.  For those of you who are unaware, "The White House has announced a policy encouraging 'citizen service' by federal workers... In a directive...to agency heads, President Clinton told them to develop volunteer-friendly procedures.  The directive is titled 'Strengthening Our Commitment to Service.'" 

    This directive states that employees "should be encouraged to do volunteer work on their own time.  But it also gives Cabinet officers and agency heads the authority to pay workers for the time they spend on volunteer services."  It means that if one's boss approves, administrative leave could be granted for volunteer activities outside of the agency.  According to Causey, "Agencies have 90 days to report to the Office of Personnel Management on what they have done to set up voluntary service programs.  OPM will coordinate the effort and provide agencies with citizen service guidelines."  Also quoting from the directive, agencies may grant "excused absence (paid administrative leave) for volunteer work if the absence is directly related to the department or agency's mission ... (and) the absence will clearly enhance the professional development or skills of the employee in his or her current position." 

    Mike's conclusion is that "an agency head interested in a community or national program could easily steer thousands of volunteers to it by not only granting them paid time off, but also giving the employees experience or skill credits for doing the work." 

    Kudos to Causey for bringing this to the public's attention.  It is my feeling that each of us should ensure that our agencies are aware of and support this directive.  Reports must be in to OPM by the end of July so get on your horses and ride, compadres!  Enlist the support of other school volunteers and encourage your agency to respond favorably to this initiative.  As President Bush said, "make yourself a Shining Star." And then, with agency support, get out into your schools and senior centers and explain computer security and ethics to help improve all our futures. 

    Louis Numkin


BOARD MEMBERS TRAINING ACTIVITIES

    The Year 2000 can mean big trouble for Government personnel and business people who depend on computer software--which is almost everyone.  Two FISSEA board members (Dr. Pat Ciuffreda and John Ippolito) are involved in private sector efforts that directly address computer ethics and the Year 2000 problem. 

    PAT'S WORK AT STRAYER

    Dr. Pat Ciuffreda just completed teaching the course, "Computers and Society," at Strayer University in Takoma Park, Washington, D.C.  For the first time a course that addressed the ethical, sociological, and philosophical effects of information technology on social settings was taught at Strayer.  This included the Year 2000 problem as a case study since it highlighted the pervasiveness of computing on today's society as industries try to identify and resolve their Year 2000 dependencies. 

    In Pat's class of thirty, only a few students understood why or how the problem occurred and was allowed to persist as technology advanced.  Further, although almost half of her students had heard references to the Year 2000 issue or remembered seeing a newspaper article, none appreciated its broad implications to our computer-dependent society.  Her class included computer science, business administration, and accounting majors.  With these educational backgrounds, Pat expected that the students would have learned about the Year 2000 problem in their other course work or reading and would have kept up-to-date on the impacts of technology on their areas. 

    The students became more interested after Pat presented an overview of the problem, its history, and described what Government and industry are trying to do to address this challenge.  In open discussions, the students made it clear that they wanted to know as much as possible about the issues associated with the Year 2000 and what the impacts would be if this challenge was not met.  The students' expanded interest provided Pat the opportunity to involve her class in the Year 2000 issue by assigning it as the topic of their term papers.  The students prepared insightful and comprehensive reports, some of which were as thought-provoking as the General Accounting Office Year 2000 report.  Working with her students on the Year 2000 problem was a dual learning experience.  Her students became aware of the Year 2000 problem, and uncovered potential Year 2000 implications that she had not previously considered. 

    JOHN'S WORK AT THE UNIVERSITY OF MARYLAND

    The Maryland State government recognized that there are not enough programmers with Year 2000 remediation experience to support the needs of both the public and private sectors.  State officials, working with the University of Maryland, established a program to train "Year 2000 Technicians" to help alleviate the labor shortage.  Under this program, individuals receive a 5-week day or 7-week night course in COBOL and techniques for identifying and resolving Year 2000 dependencies.  In addition to receiving the training at no cost, students who stay with the program for two years receive monetary credits toward continuing their education at the University of Maryland.  The University and the State get partial repayment from private sector organizations that hire program participants.  In addition to paying the students a competitive wage for their skills, participating companies pay into a fund that supports Year 2000 training and follow-on education. 

    Establishing the Year 2000 Technician Program created another problem for the University. Where would they get instructors who understood the Year 2000 problem and could teach COBOL from a practical perspective?  This is where John Ippolito came in.  In addition to teaching a number of the classes, John helped locate instructors who had both attributes. 

    Working with the University and its Year 2000 Technician Program provided several insights into the problem and how organizations and individuals are dealing with it: 

    • People are still in denial.  Many company managers and individuals still do not believe a Year 2000 problem exists.  Consequently, they are not addressing the problem.  Failure to address the problem is giving lawyers an incentive to become experts in Year 2000 liability because they see easy wins when suing and a market for their services to prevent companies from being sued.
    • A number of highly-qualified individuals do not want to go into Year 2000 remediation work.  As was simply put by one instructor, he didn't want to get the 2:00 a.m. call when a program failed to work because of an undetected/uncorrected Year 2000 dependency.
    • Many people are still waiting for the silver bullet.  Providing silver bullets has generated a sizable market in Year 2000 remediation tools.  Those who really understand the problem recognize that, while tools can help the process, they are not silver bullets and failures will occur, regardless of how much effort is put into remediation.  Thus, organizations must develop contingency plans, something that few organizations have created, even for their critical assets.
    • There are a number of Year 2000 "experts" who are predicting the fall of society as our technology-dependent economy collapses as a result of Year 2000 problems.  These harbingers of doom are putting their money into gold and other traditional disaster hedges, while at the same time selling their expertise to Government and industry to resolve the Year 2000 problem.

    Both Pat and John agree the need is critical to train people, at all levels, in the issues that can affect the availability and integrity of our information technology infrastructure.  The Year 2000 problem is an issue that won't go away, but can be ignored.  Resolving the Year 2000 issue will require attacking the critical issues senior management has ignored for years: 

    • Ethics — is it ethical for a manager to ignore Year 2000 dependencies when there are lives at stake?
    • Resources — will management now devote the resources necessary to ensure that their people are properly trained and their system integrity assured, rather than the binge-like spending required to resolve those same issues in crisis mode?
    • Recognition — will management recognize the Year 2000 problem and accept the recommendations of those responsible for system availability and security when they identify potential problems, rather than ignore the situation until there is a failure?

    For more information on the Year 2000 issue, you may wish to visit The Year 2000 Information Center Web site at http://www.year2000.com/.

    Did you know... The National Economic Council and the Office of Science and Technology Policy, in consultation with the Office of Personnel Management, seek information about how to make the most efficient use of new information technologies for training Federal employees in ways that will also accelerate the development of the broader commercial marketplace.  Additional information and materials are available at http://www.fed-training.org.  Check out all of the items on that web site.

    Your article or comments could be here.


DEAR FISSEA MEMBERS:

    Your help is needed.  A pilot project to promote sharing of computer security training resources throughout the Government is being conducted.  As part of this effort a prototype web site is being constructed that will maintain a repository of such materials, allowing Federal users easy access.  With the web site, you will be able to provide comments on your experience with specific training materials, obtain training materials, and obtain other individuals' comments on their experience with those materials. 

    The initial objective is to populate the training materials repository with public domain materials currently available in electronic form, or where the owner of those materials agrees to supply copies upon request.  Your help is needed in identifying such materials. 

    Any materials you contribute are greatly appreciated.  Please complete the materials transmittal form and send it, along with a copy of the materials, to: 

       Fran Nielsen 
       National Institute of Standards and Technology 
       U.S. Department of Commerce 
       NIST North, Mail Stop 427 
       820 West Diamond Avenue 
       Gaithersburg, MD  20899 

    If you know of anyone (in either the public or private sector) who has materials and might be willing to provide us with copies, please send contact information to the above address. 

    It is appreciated if you would send any materials and information at your earliest convenience.  Thank you for your help.  If you have any questions, please don't hesitate to call me on (301) 975-3669, or send e-mail to: fran.nielsen@nist.gov.

TRAINING AND AWARENESS MATERIALS TRANSMITTAL FORM

    Name:  ___________________________________ 
    Phone: ___________________________________ 
    e-mail address: _____________________________ 

    Organization: ______________________________ 
    U.S. mail address: __________________________ 
                                __________________________ 

    Material being contributed: ____________________ 

    Format: (e.g., word processing, image, hard copy, executable, video) 
           ____________________________________ 

    Comments about material : ___________________ 
        _____________________________________ 
        _____________________________________ 

    Are you willing to be the distribution point for these materials? 
    Yes _____  No _____ 

    If so, at no-cost  __________  or per cost  __________  (check one) 

    Other contact: 

    Name: __________________________________ 

    Phone: __________________________________ 

    e-mail address: ____________________________ 

    U.S. mail address: _________________________ 
                                _________________________


DID YOU KNOW ABOUT THE... FEDERAL GOVERNMENT DISTANCE LEARNING ASSOCIATION (FGDLA)? 

WHILE THERE, VISIT THE GOVERNMENT ALLIANCE FOR TRAINING AND EDUCATION... GATE... AT: 

    http://www.fgdla.org/gate.htm

    Goals:  Promote sharing of Distance Learning resources across agencies; establish a Federal Center for Excellence in Distance Learning; identify and establish gateways for interconnectivity; establish and maintain data bases for uplinks, studios, receive sites, courses, and other video teletraining services; identify requirements for new and emerging Distance Learning technologies; promote professional association through the United States Distance Learning Association/Federal Government Distance Learning Association. 

    Membership:  Open to all Government/Department of Defense Agencies--No contractors are allowed to attend these meetings. 

    History:  Established March 1995.  Concerned with duplication of hardware and courseware across Agencies. 

    Current Actions:  Establishing data bases; creating WWW pages; seeking funding for government-wide teletraining course; and developing and staffing charter. 


RECOMMENDED READING:  NEW SECURITY BOOK 

    NEW BOOK: At Large - The Strange Case of the World's Biggest Internet Invasion by David H. Freedman and Charles C. Mann, Touchstone, 1998, Paperback, $13.00, ISBN: 0-684-83558-4 
    http://simonsays.com/titles/bookpage.cgi?isbn=0684835584 and 
    http://www.webreference.com/internet/security.html

    At Large - The Strange Case of the World's Biggest Internet Invasion is the true story of how an obsessive asthmatic teenage hacker with lots of time on his hands broke into many high profile Web sites using widely known security holes, persistence, and hacker toolkits.  Besides being a great read, this book shows, in dramatic fashion, the need for better security on today's Internet. The Net is growing faster than the availability of experienced system administrators, so the security problem is actually getting worse. Well-documented security holes (sendmail, etc.) are not being patched routinely, and users are using easy-to-crack, one-word passwords and giving them up through social engineering (hackers tricking users into giving up their passwords, usually over the phone). There are automated tools that allow inexperienced hackers to find and exploit holes, become root and install Trojans, and wreak havoc on unprotected Web sites.  It's been said that if someone wants to get into your system, there's nothing you can do. The idea is to make it more difficult to get in, and use monitoring tools like Tripwire to catch the offenders and SATAN to test for weak points remotely.  While the press writes mainly about hackers breaking in from the outside, most security breaches happen from the inside, by a disgruntled employee. Recent surveys show that  33-73% of companies reported security breaches from insiders and 17-48% from outsiders, with losses in about 30% of these cases, some over $1 million each.  This book will put a jolt in most sysops, and reads like a good novel to boot. 


ASSOCIATION FOR COMPUTING MACHINERY SEMINARS

    Washington, D.C., Chapter Association for Computing Machinery Fall 1998 Professional Development Seminars, November 9-13, 1998 

    The Professional Development Committee of the Washington, D.C., Chapter of the Association for Computing Machinery (ACM) presents technical and management seminars for computer professionals and managers.  This Fall, the Committee will offer 12 one-day Professional Development Seminars the week of November 9 - 13, 1998, on topics of current interest.  The seminars will be held at the Inn and Conference Center, University of Maryland University College, College Park, Maryland, at the intersection of University Boulevard (MD 193) and Adelphi Road.  The seminars run from 9:00 a.m. (registration at 8:30 a.m.) until 5:00 p.m. 

    Additional information about the seminars is available via e-mail to dcseminars@acm.org, via the World Wide Web at http://www.acm.org/chapters/dcacm/ or via anonymous FTP to acm.org.  The files are in the directory chapter_forums/chapter_articles/prochap.  The information is available in both ASCII and PostScript format. 

    The early registration deadline is October, so there is still time to register at a substantial discount. 

    The following is the current speaker status. 

    MONDAY

    Web Site Management - Speaker - Houser 
    Y2K - Speaker - Bohner 
    XML - Speaker - Webber 

    TUESDAY

    Preparing Graphics for the Web - Speaker - O'Connell 
    Internet Architecture - Speaker - Sandhu 

    WEDNESDAY

    Server Side Programming (ASP) - Speaker - Coup 
    Internet Security Threats:  Identification and Reduction - Speaker - Stang 

    THURSDAY

    Cascading Style Sheets - Speaker - O'Connell 
    Secure Electronic Commerce - Speaker - Sandhu 
    NT Security - Speaker - Rustein 

    FRIDAY

    Java Script - Speaker - Houser 
    Advanced Java - Speaker - Carson 


Call for Papers and Presentation Planning Form 
FISSEA Information Security Conference 
March 9-11, 1999, Gaithersburg, MD
    Self-nominations accepted.  Topic suggestions and speaker recommendations also desired. 

    1. Session Title.    _________________________________________________________________
                                 _________________________________________________________________

    2. Attach a Session Description.  (Not to exceed 75 words.) 

    3. Technical Level.  Describe the technical level of your presentation.  Use 1 for a non-technical presentation, and 5 for highly technical topics.  Technical level: __________

    4. Speaker(s).  If there are multiple speakers for this session, please list the primary point of contact first.

    • Name, as to be shown in the program.  ________________________________________
    • Mailing address.  ___________________________________________________________
    • Preferred e-mail address.  ___________________________________________________
    • Office Phone.  _______________________________
    • Office Fax.   _________________________________

    5. Duration of session in minutes.  The standard session length is 50 minutes including time for questions and answers.  __________ minutes 

    6. Maximum number of attendees for this session.  If no limit, leave blank.  _______________

    7. Hands-on for attendees? (yes or no) _______________

    8. Presentation needs.  The presentation area will be equipped with a microphone, podium, and projection screen.  There will also be a microcomputer set up for projection.  This PC will be running Windows95 and PowerPoint97.  Please provide (in detail) any additional audiovisual equipment, hardware, software (including version), or connectivity required below.
    ______________________________________________________________________________________

    9.  List any equipment you will be bringing, special cabling, electrical requirements, etc.
    ______________________________________________________________________________________

    10. Is there anything else we should know that will help ensure the success of your presentation?
    ___________________________________________________________________________ 


Last Modified: March 4, 2002.