From the Executive Board Chair

We have all been extremely busy since our last issue went out, especially as the end of the fiscal and calendar years approached. The end of the fiscal year brought opportunities to complete current activities in the training area, and for planning (and budgets!) The end of the calendar year closes out a millennium (how many times do you plan to do that?!), and brings along the baggage associated with Y2K activities.

In addition to normal training and awareness activities, many of us have been able to influence additional training and awareness for Y2K security related issues, and for critical infrastructure protection initiatives. AWARENESS becomes the watchword now as the century comes to a close and we begin anew with year 2000. Our objective should be to recognize and take action whenever a new opportunity arises where we can be effective with computer/cyber security and information protection awareness messages.

Personally, I've been so swamped with work relating to new policy and guidance issuance, participating in the training initiative I mentioned in the last newsletter, and overseeing the Department's computer incident response team (DOE/CIAC) that there's hardly time to do anything else, and meetings usually eat up the rest of the time available.

The training initiative at the Department of Energy is underway. The first sessions were held at Headquarters the week of October 4 for NT and Unix systems administrators; web server and e-mail administrators; and for managers. After these sessions are completed, we take the training to the field where we will be delivering training and awareness to about 1000 participants by the end of this calendar year. After that, we will embark on Phase II of the plan to deliver training to the rest of the DOE community over the next several years, all of this being dependent upon favorable budgets and backing from the highest management at the Department. As I get feedback from the training assessment forms I should be able to put together an overall assessment of the effectiveness of our training, and also develop additional needs for future training. This will be made available as a lesson learned paper or presentation at our conference in March.

It's been difficult for all FISSEA board members to find the time for the volunteer activities that keep our organization going, and I express my appreciation and gratitude for the work being done by the newsletter editor, the contributors of articles, and especially to Peggy Himes at NIST without whom this newsletter and many other things would not get accomplished. The conference committee has also been working hard and carrying out their activities to provide you with a great conference next March, and I appreciate their effort to keep moving ahead even when I could not participate in some of the planning sessions. We will be issuing another newsletter prior to the March conference, and certainly will appreciate any and all submissions.

Those who have completed study and passed the Certified Information Systems Security Professional examination, and those who continue to study for the next exam, are to be applauded (see Pauline's article). Primarily, becoming a CISSP at this time provides you with a certain amount of pride and accomplishment. In the near future the CISSP designation will be more meaningful as the computer security/information protection profession becomes more widely recognized as a job specialty. What better way is there to prepare you as a computer security trainer, or manager of that function, than to be knowledgeable in so many different domains in this area? Go for it!

In closing, I wish you all a happy and safe winter, and hope your holiday seasons are peaceful!

Go to top of page

CISSP Update

After the 1999 FISSEA Conference, a self-help study group was formed to aid members in studying for the CISSP exam (basic information is available at http://www.isc2.org). Approximately 10-13 individuals have been showing up at the Alexandria, VA, meeting place, each Saturday (except for holiday weekends) from 1-3pm, since March 21, 1999. Participants take turns presenting the chapters, sharing ideas, test materials (when available) and providing encouragement and inspiration. Though domain eight is about to be wrapped-up, to review previous chapters and catch new people up on the various domains, we also spend some time on old material.

A list serve has been created so that anyone interested may join in the group, on-line. The web site is: http://www.onelist.com/subscribe/CISSPStudy_1. We currently have 104 members on the list serve and of these, 8-15 participate in the Saturday study group.

Many members in the group are planning to take the November 14, 1999-exam. Since others will not be able to take this exam, NEW GROUP MEMBERS ARE ALWAYS WELCOME! People invest their time and energy, but the study group does not cost any money. The idea is to help each other understand the ten security domains, share experiences, motivate each other, and demonstrate our knowledge by passing the CISSP exam. If you run out of time during the week, you can still sleep in and read enough to participate on Saturday afternoon. Should you be unable to attend one session just come the following week and you won't get far behind.

E-Mails will be exchanged with any interested people and assistance provided to other self-help study groups. Here is the web site for the 1999 handbook which we plan to use as primary resource information in our study group:
http://www.auerbach-publications.com /catalog/au9974.htm

It gives us pride to announce that as of May 12, 1999, four of the study group participants have passed the exam and received their CISSP. Two of these individuals are still participating and sharing expertise with those who have not yet taken the exam.

Go to top of page

Call for FISSEA Conference Exhibits

FISSEA will host its 13th Annual Conference on March 14- 16, 2000 at the Gaithersburg Hilton.The highlight on Wednesday, March 15 (the middle day of this three-day event), will be the Technology Exposition. The purpose of the exposition is to bring government and industry together. In the past, attendees have enjoyed seeing new products hands-on and learning about emerging technologies.

This time, there will be opportunities for exhibitors to sponsor a morning break and a luncheon that will be held in the exhibit area. If you would like to exhibit or would like to recommend a company/product for the exhibition, please contact Liz Hood at The Federal Business Council, (301) 206-2940 ext.227 or e-mail liz@fbcdb.com. Your feedback is greatly appreciated!

Go to top of page

Editor's Column: Travel Based Training

I propose that the acronym for Computer Security is "CS" which should also stand for Common Sense. This somewhat clever phrase needs something to make it a teaching point. So, I usually relate how while doing a survey of computer security implementation in our organization, I found an employee who wanted to help herself meet the requirement to change her password every 60-days. To do so, she had taken a Government- issued cardboard-backed three month wall calendar for the upcoming year and dutifully written her planned passwords every 60-days, thereon. The teaching point, of course, is to not write down one's password and if done, don't put it where others can casually observe, especially in advance of its use. The segue is that the rest of this article will deal with common sense computer security awareness observed in an analogous situation.

For two weeks, I have been on travel for my agency. The first week, spent inspecting a facility, and this week presenting computer security awareness training to personnel in different locations around the country. So, you ask, what can be learned from business travel that might be worth sharing with FISSEA? Always be prepared, CS, carpe diem (seize the day), include appropriate humor, teach the newbies, people watching, and crossword puzzles.

During the inspection, I found that the computer security training device which the facility employed was ten years old. This in itself would not be of concern except it included out of date information. Checking further, I determined that they had begun drafting a replacement manual months ago, but that the effort was overtaken by events and had been placed on the back burner. Needless to say, noting it in my inspection report returned it to a position of prominence on their "To be done" list. The moral to this story is that just routinely presenting computer security awareness training year after year leads to out of date information being passed on to the audience. We should try to keep it interesting as well as educational by populating it with current events and appropriate happenings. And remember, as was apparent in this case, "Security is not costly . . . but Procrastination is."

Carpe Diem (seize the day) - yesterday, while meeting with some of our far-flung employees, we had to drive for over an hour to our all-day work sight. On the trip out we discussed the purpose and plan for the day ahead. But, on the way back, since no earlier opportunity availed itself, I pulled out my trusty laptop and provided the carload with their computer security awareness training. Though I was unable to project my slides onto a screen as earlier in the week it was presented to larger audiences, with passenger approval, I depleted some of the laptop's battery while offering this captive audience the mandatory periodic presentation. In the Army it was called "hip pocket training" (when Sergeants carried already-prepared lesson plans "in their hip pockets" for unexpected opportunities to educate personnel). Now, we could simply say that as educators, we need to seize any chance to provide further computer security education.

Punch it up! After seeing many different renditions of the safety briefing given by flight attendants at the start of a flight, I have found that the vast majority of passengers do not pay attention. It has become so mundane and repetitive that few even look up from their reading . . . that is, unless you fly (and I have no stock in this company) Southwest Airlines. Their attitude is to be less stuffy and rehearsed - as their uniforms are nonconformists, so to they include good- natured humor in their briefing which causes passengers to take notice. Now, I know that explaining what to do in the event of an emergency is not to be taken lightly, but - Injecting something unusual (eg.: stories, jokes, tangential but related material or even using audience members to exemplify subject matter) will benefit your efforts to enliven your sessions, gain and hold your audience' attention, and give them something to remember.

Teaching the newbies, as a topic, comes from a pleasant interchange I had while awaiting a connecting flight to DC, from St. Louis. Quite unexpectedly, the young lady sitting next to me was, as she said, "fresh off the farm." She was moving to DC to work with the State Department, having just graduated from Peperdine. After chatting for a short while, it became apparent to me just how much personal information we had shared. This causes me to recommend that when giving new employees their computer security in-brief, be sure to include information about Social Engineering - and of course, this form of intelligence gathering can also be carried out by a listener (someone who is sitting nearby and overhearing another's conversation).

"People watching" is what one does (when they have no newspaper and don't want to pull out their office work) while sitting in an airport terminal. There are so many different types of folks passing through, some "dressed to the nines" and others in tee shirts and cut offs; some carrying offspring and others barely able to move themselves and their baggage; some downing what appears to be their last (and certainly most expensive) meal while others hang out in the nearest bar to their departure gate. It's the carry-on luggage which comes to mind, here. Remember to educate your employees about laptop theft. It is still occurring and costing the Government and industry valuable equipment as well as the data stored, thereon. Especially include any incidents directly related to such occurrences in your agency, and real stories tend to make more impact.

When I fly, I enjoy trying my hand/mind at the airplane magazine's crossword puzzle. However, my bane is flying at the end of the month when someone has already marked answers in ahead of me . . . and they're in ink! On the chance that I can't find a virgin copy, I proofread what has been done before. If I find an error, then I whip out my trusty whiteout and set to correcting the unknown prior's misteak . . . or is that mestake. Anyway, the final point to make is that when you have to educate someone who comes to your agency/organization from somewhere else, you sometimes have to modify their preconceived notions about computer security - how serious "you versus they" take it, what you feel is important versus what they feel is unnecessary - etc. Policies, procedures, and awareness may help you to solve this puzzle.

Go to top of page

FISSEA Members Invited to CSI Gala

John O'Leary and Pam Salaway of the Computer Security Institute (CSI) warmly invite their FISSEA friends to join them for food and beverages at the CSI NovemberFest on Sunday evening, November 14th from 4:00-8:00pm at the Marriott Wardman Park in Washington, DC.

NovemberFest is the kick-off event for CSI's 26th Annual Computer Security Conference and Exhibition which runs in the same hotel from November 15-17. More than 150 vendors of computer security products/services will be looking to meet you but you are sincerely requested to stop by the CSI booth and say hello to John and Pam, who have been longtime attendees, presenters, and supporters at FISSEA Conferences. Admission to the NovemberFest (on Sunday) and the Sunday-Tuesday exhibits will be complimentary though pre-registration is recommended via CSI's web site at http://www.gocsi.com or by calling CSI at 415/905-2626.

Go to top of page

Go to top of page

Join FISSEA

Membership is open to information systems security professionals, trainers, educators, and managers who are responsible for information systems security training programs in federal agencies. Contractors of these agencies and faculty members of accredited educational institutions are also welcome.

There are no membership fees; all that is required is a willingness to share your products, information, and experiences. Send an e-mail to peggy.himes@nist.gov.

Go to top of page

Go to top of page

FISSEA Web Page Hits

Mark Wilson informed the FISSEA Executive Board that Patrick O'Reilly, FISSEA's Web Administrator, has captured the hits per month on the FISSEA web site since it went online in January 1998. The following numbers reflect hits on the homepage, not including hits on any of the subsequent pages (e.g., Newsletters, About FISSEA, FISSEA Executive Board, etc.)

1999: 1,895 hits (through August)
1998: Total hits 1,891

{Thanks for the info, Mark and Patrick. Ed.}

Go to top of page

Security Educational Material Resource Online

ICSA's Mich Kabay, PhD, forwarded this worthwhile E- mail:
From: "Marquis Grove" infosyssec@infosyssec.net
Subject: Security Educational Material Resource Online -
Algonquin College - Ottawa Ontario Canada
Date: Mon., 23 Aug. 1999 13:15:18 -0700

http://www.infosyssec.org/infosyssec/index.html
I thought I would share the above URL with you for consideration in including with your mail list.

This web site began approximately one year ago by the students of the Information System Security program at Algonquin College, Ottawa Ontario. This is a one year certification program that covers all the materials that are tested for the CISSP certification. You could say that it is an all-encompassing course of study, touching on all aspects of security. But enough about the course of a program at Algonquin . . .

The web site features more than 10,000 hand-picked links, articles, FAQs, tutorials and materials to assist the students of the Information System Security program and as well to any other security professional seeking to acquire knowledge on a specific area of interest in the security field.

The web page is set up in a manner similar to a 'Security Officers' dream home page. All links to the most important sources of information are available directly off the main index page. Suffice to say that this web site is the security officers equivalent to Disneyland, in that it is not possible in one day to fully explore and drill through all the material that can be found on this web site. Fortunately, the editors at Yahoo, Excite, Hotbot, DMOZ, About.com and other significant search engines have stumbled on this web site and have ranked it on par with COAST, CERT etc. for the valuable source of educational security materials contained on it.

The test of the pudding would be to visit yourself to determine if this web site is worthy of inclusion in your mailings.

Best wishes,
Marquis Grove, WebOp for the InfoSysSec web site,
Information System Security,
Algonquin College Ottawa, Ontario, Canada

Go to top of page

Book Review:
"I-Way Robbery"

ISN Rob Slade reviewed the following book on the ISN List on 20SEP99.
Its title was "I-Way Robbery: Crime on the Internet" Written by William C. Boni/Gerald L. Kovacich,1999,
0-7506-7029-0, 240 p. 225 Wildwood Street, Woburn, MA 01801-2041 Butterworth-Heinemann, U$34.95
(781)904-2500 fax: (781)904-2620 http://www.bh.com

Mr. Slade was not overly impressed with this book and stated: "The book is aimed at security and law enforcement professionals needing basic information about Internet criminal activity. In addition, the volume is promoted for college courses in information systems security management and criminal justice. Finally, small and home based businesses are to use it in place of security personnel for protecting themselves from I-way robbery. A rather tall order for a fairly small book."

Rob's synopsis of various chapters included: "we are told in chapter two, that the Internet has had an impact on society." As you can easily see, this reviewer was not overwhelmed with the text. He continues to discuss its insight: "A very strained attempt is made, in chapter three, to draw a parallel between the rise of the gangs of the thirties (Bonnie and Clyde, Dillinger, Capone, ummm .. . ) prompted by the interstate highway system (built thirty years later) and the rise in crime (left undefined) prompted by the development of the Internet." It appears that Mr. Slade likes to play with words, when he states: "Chapter four rigorously defines Internet crime as crime involving the Internet."

One spot where he appears somewhat satisfied with reality versus a premise was: "Chapter seven starts to touch on actual penetration techniques, and includes such advanced technologies as the BASIC source code for a demon dialer." But that's about the only bright spot as he concludes: "An attempt to analyze the growth in I-way crime, in chapter nine, has little significance since most of the foundational material has not been clearly presented. Protective measures are mentioned in chapter ten, but without the conceptual background the text is not of much use. Given no groundwork upon which to build, chapter eleven's look at the future can be nothing but blue sky speculation."

Mr. Slade's postscript is not unexpected: "The text is undisciplined, unfocussed, and difficult to understand. Other than presenting a vague warning about an ill-defined threat, it presents no help to those who may need to protect information in an interconnected world."

I guess, based on Rob Slade's review, I won't be putting this book on my list of desired holiday gifts. {ISN is sponsored by Security-Focus.COM}

Go to top of page

TRAINEA

(Miscellaneous Computer Security Training and Related Information)

Upcoming conferences and meetings, available training, and "A College Slashes Its Fees":

11-15OCT99 - The Internet Security Conference in Boston. For info visit: http://www.TISC.corecom.com

16OCT99 - CPCUG will present a "Before You Buy a Computer" free seminar from 9am to 2pm. For more information, visit: http://cpcug.org/user/comm/free-sem.html

18-19OCT99 - Jupiter Consumer Online Forum - Europe will be held in "merry old London". For more info on this Internet and Ecommerce conference, visit http://www.jup.com/events/forums

18-21OCT99 - 22nd National Information Systems Security Conference at the Hyatt Regency Crystal City in Arlington, VA. Visit http://csrc.nist.gov/nissc/

18-21OCT99 - Internet Commerce EXPO (Ice) ‘99 will be held in San Francisco. For info, visit: http://www.iceexpo.com

3-5NOV99 - 3rd Annual NEW ‘99 NETEXPO at the Washington (DC) Convention Center. For info call (703)536-2100 or E-Mail: Lindcomm@aol.com or visit: http://www.newexpo.com

15-17NOV99 - Computer Security Institute's 26th Annual Computer Security Conference and Exhibition, entitled "Shape Your Destiny," at the Marriott Wardman Park Hotel in Washington, DC. For info, visit: http://www.gocsi.com

11-16DEC99 - SANS Security ‘99 in San Francisco. Intensive, in-depth courses in many topic areas: 11-16DEC99 will see the top SANS Courses on Securing Networks of UNIX and NT Systems; 13- 14DEC99 will be Information Security in the Modern University - Is It Mission Impossible?; and 15-16DEC99 will be Securing Linux. For info and immediate registration, visit: http://www.sans.org

14-16DEC99 - The Bazaar - Where Free and Open Source Software Meet the Real World. To be held at the Jacob Javits Center in New York City. For more info visit: http://www.thebazaar.org

Learning Tree International has distributed its "Hands- On Training for IT Professionals" course schedule listing classes thru February of 2000. For a copy, call 1- 800-843-8733 or visit: http://www.learningtree.com

{extracted from The Washington Computer User newspaper from August, 1999}

"Community College Slashes Student Fees" Charles County Community College, this fall, has eliminated application fees, laboratory fees, late registration and transcript fees. Other fees will be modified to be more standard. They also implemented a new interest-free tuition payment plan which allows students to spread the college course cost over a five-month period. For more info or a Schedule of Classes, contact (301)870-3008.

(extracted from ComputerWorld's Daily E-Mail of 27SEP99}

Techno-MBA Top Dogs
Judging by the results of our annual survey, the best MBA programs for would-be CIOs and technology-savvy executives are all dark horses -- with Boston's Northeastern University, the University of Texas at Austin, the University of Maryland at College Park and the University of Alabama at Tuscaloosa leading the way. For the rest of the story, visit:
http://www.computerworld.com/home/print.nsf/CWFlash/990927C35A

Go to top of page

Go to top of page