February 2000

"I touch the future, I teach." Christa McAuliffe Vol. II No. III


From the Executive Board Chair

Y2K came and went, lots of energy has been spent;
Now it's time to map our course, to gather up the security force,
For our job has just begun for the new millennium.

One of the lessons learned, from the past several years' efforts to ensure our country's information and computer based control systems would function properly when the clock turned over to the year 2000, is that appropriate resources and management attention can produce desired results. Just think of the various information security elements that received attention in preparation for the Y2K event -- system configuration control, software validation, identification of "sensitive" or "critical" systems, business continuity plans, back-up procedures, incident identification and reporting procedures, etc., etc. All of these information security program elements received heightened attention. Awareness of their importance in the grand scheme of providing uninterrupted system and network service had a bearing on the desired outcome.

The momentum created by the Y2K activities in the area of information technology must be on-going and re-directed to address security improvements. Now it's time for the information security educators and trainers to be creative and present management with proposals for viable education, training, and awareness programs. These programs should take advantage of the improvements in information system management and user awareness brought on by Y2K. I sincerely believe the Federal CIO Council Security, Privacy, and Critical Infrastructure Committee will continue to emphasize the importance of protecting the technology and information assets that we, as both providers and users, rely upon every day. We should look to that body to sponsor cross-cutting information security awareness, training, and education activities and initiatives.

On another note...I am nearing completion of a second term as FISSEA Executive Board Chairman and will reluctantly be stepping down to become an Ex-Officio member of the board come March 2000. I say reluctantly because I have enjoyed serving you, working with you, and steering this organization through the tough times we've endured. It's now time for someone else to have the opportunity to guide FISSEA to bigger and better accomplishments.

Please come out for our annual conference March 14-16, 2000, and enjoy the enlightening sessions prepared for you.

Philip L. Sibert, CISSP
Office of the Chief Information Officer
U. S. Department of Energy

Go to top of page

horizontal bar

CISSP Examination Update

FISSEA Conference
CISSP® Examination – Friday, 17 March – Gaithersburg, MD

The CISSP® Certification Examination

The International Information Systems Security Certification Consortium, or (ISC)2, working with a professional testing service, has developed a certification examination based on the information systems security Common Body of Knowledge (CBK). Candidates have up to 6 hours to complete the examination . . . which consists of 250 multiple choice questions that address the ten topical test domains of the CBK. The information systems security test domains are:

Access Control {Computer} Operations Security
Cryptography Application Program Security
Risk Management and Business Continuity Planning Communications Security
Computer Architecture and Systems Security Physical Security
Law, Investigations and Ethics Policy, Standards and Organization

Applicant Requirements

The applicant must meet the following requirements in order to sit for the examination:

1. Subscribe to the (ISC)2 Code of Ethics.
2. Have three years of direct work experience in one or more of the ten test domains of the information systems security Common Body of Knowledge (CBK), listed above.

Valid experience includes information systems (IS) security-related work performed as a practitioner, auditor, consultant, vendor, investigator or instructor, that requires IS security knowledge and involves the direct application of that knowledge. The 3-year experience requirement is actual time worked; the requirement is cumulative, however, and may have been accrued over a much longer period of time.

Examination Registration

The Examination and Registration fee is $450 USD. There is an added $100 late registration fee for registrations received less than 14 days in advance of the Exam date. All registrations should be received at least 10 days in advance of the Examination date.

Registration information and Forms should be requested directly from (ISC)2 by fax or e-mail (recommended) – providing your full postal mailing address. When requesting materials by e-mail, please put “FISSEA Exam Registration Info” in the subject line for expedited handling.

Shrewsbury, MA
+ 508-845-9200; Fax: + 508-845-2420

Note: The examination is planned to be held in the Gaithersburg Holiday Inn, not the Hilton Hotel; applicants will be notified of the exact location and time. Remember to REGISTER FOR THE CISSP EXAM NO LATER THAN MARCH 3 BECAUSE THERE IS A $100 LATE REGISTRATION FEE!

Go to top of page

horizontal bar

A FISSEA Conference 2000 Update

A FISSEA Conference 2000 Update Well, we are down to the final month in planning your FISSEA conference. It has been an invigorating experience coordinating with IT security training experts, the NIST Computer Security Division and the FISSEA Executive Board. We have some of the best minds in the community working with us in putting the Conference together which guarantees that it will be a great experience for all attendees.

If you have not looked at the FISSEA Conference web site lately, please check it out

NIST will keep the conference agenda current, so you can watch as we refine conference sessions. While you are at the site, don't forget to register! You may do so on-line with a credit card. If your organization does not handle training payments in this manner, please pre-register via the web and bring your training order paperwork to the conference with you.

We have a free gift for each of the first 100 attendees, courtesy of the Computer Security Institute - so plan on arriving early. The FISSEA Weather Prognosticator has stated that for the first time in the last several years, we will not have snow during our conference. So, we are looking orward to welcoming you on March 14, 2000.

Patti Black
Conference CoChair

Go to top of page

horizontal bar

Tools of the Trade
submitted by Gale S. Warshawsky

{Editor's Note: FISSEA's dear friend, Gale, has relocated to Hawaii where she has begun a new stage in her career. Though she will be unable to attend this year's Conference, her article seems to relate to one of our panels, near the end of day two.

Now for the necessary disclaimer: As with all newsletter submissions, we want our readers to benefit from the suggestions made, however included names of contacts/vendors are not a certification or accreditation by FISSEA nor NIST. They should be viewed as just information to illustrate the subject or possible alternatives to be considered by the reader. That being stated, on with Gale's article...}

An Information Security Awareness Program has many facets. It is most definitely a people-oriented program. It makes use of communication skills, and Information Technology (IT). Oh yes, it must also be fun! Remember to add an element of "Infotainment," a word I first heard used by Raymond Semko, of the DOE Office of Counterintelligence.

Elements of a comprehensive Awareness Program contain:

* Use of an Intranet web site for your organization's staff to access.
* Ways for the customer to contact you - Awareness E-mail address and AwarenessVoice Mailbox
* Give-A-Ways
* Participation in Awareness Activities

A Detailed Look

1. Use of an Intranet web site - This use of IT is critical to a comprehensive awareness program. Communication to hundreds or thousands of staff located locally or worldwide becomes doable when one makes use of an Intranet web site. If you do not know how to create html web pages - learn to do it. There are software applications available that make it easy to get started. While it is useful to know how to write html code manually using a text editor such as WordPad® or Notepad® (PCs) or SimpleText® (Macintosh®), makes it no longer necessary. Applications such as FrontPage®, HomeSite®, Bbedit®, Dreamweaver®, etc. are available for purchase. In fact, one can use the newer versions of Microsoft Word® to create web pages. One can buy books to help learn how to create web pages. Suggestion: go to and type a query to find out what web authoring books are listed. Read the reviews. Invest in one or two books, and come into the information age! Web page authoring is time consuming. It is not for everyone. If it is not something you enjoy or want to do, then there is the possibility of hiring someone to do the work for you.

What should you consider placing on your Awareness web site? I have found the following to be useful:

* Contacts (names, phone numbers, and E-mail addresses of Information Security Staff in your organization.) - I've used tables on web sites for this and it looks nice and clean. Such a contacts web page makes it easy for your customers to reach the staff in your Infosec department.

* Frequently Asked Questions (FAQ) - Think of your FAQ page as several sub pages. In one of the companies I worked for, we found it was a good practice to have one FAQ page for each major topic. For example: Password FAQs, PKI-Encryption FAQs, Policy related FAQs, and General FAQs (for miscellaneous questions that did not fit well into main FAQ categories). Each of the sub-FAQ pages linked off from and navigated back to a main FAQ page. The main FAQ page navigated back to the home page. Ensure that your customer has a way to ask YOU their questions. We found it useful, as the first FAQ on the main FAQ page, to include how our customers could ask us their questions. We provided a hot link to our Awareness E-mail address. Did it work? Absolutely! Our customers submitted their questions to us by E-mail. We answered them and then also made their question into an FAQ so everyone in the organization would benefit from that communication.

* Company Policies - Using Adobe Acrobat's Distiller® software application makes this so simple to do. Take your company's policy (word / text based) files and convert them into .pdf files. Then make a jump list of those files off a Policy Page on your web site. The Adobe Acrobat Reader® is free. We found it good business practice to include the link to Adobe Acrobat's Reader® on our Policy web page, with a note alerting our customers that the files were in Acrobat .pdf format, and they would need to have the Acrobat Reader® to view them. In addition to using Adobe Acrobat's Distiller® to convert word / text based files, it is very easy to use the same process on PowerPoint® presentation files. The .pdf format provides a common denominator and works cross platforms. It is a real time saver and keeps the same look and feel of the original file (including graphic images). Making your company's/organization's policies available via your intranet web site affords your customers with an easy way to refer to them, from the convenience of their workstation.

* Training Course Information - an intranet web site is an ideal location to list Infosec training courses you offer. Include dates, times, location, and contact information. It has been found useful to have a web page on course descriptions. At the end of each course description, provide a link to the scheduled courses page. Thereby giving our customers information on the course content and making registering by E-mail an easy process.

* Awareness Quizzes - This is a time consuming project when creating html files for multiple-choice questions. I have found it worth the time and effort to do. If you select to do such a project, be sure to consider the following:

Most people do NOT like to take tests. So, make it an awareness quiz and tell your customer on your first page that the answers will be provided. The purpose of awareness is to make your customers aware of threats, vulnerabilities, corporate policy compliance issues, etc. Your goal is to change behavior and make the customer knowledgeable of their role in protecting your company's/organization's information You WANT them to get the correct information, even if they select the wrong quiz answer.
The format is as follows: Provide the question. Provide the multiple-choice answers. If the customer selects the correct answer, that html-linked file informs them, "Congratulations! That was the correct answer." If the customer selects an incorrect answer, that html-linked file informs them, "That was not the correct answer. The correct answer is ..." (and provide information as to why it is the correct answer).
We found it useful to provide an on-line certificate of awareness at the end of the quiz. You can create a certificate using Power Point®, and convert to a .pdf file with Adobe Acrobat's Distiller®. Instruct the customer to print it out and enter their name on it. I have found that people LOVE to have certificates of awareness and certificates of training. I've seen them displayed in cubicles at many office locations. I've received E-mail messages from satisfied customers complimenting Information Security management on the awareness quiz and its usefulness.

* Video Information/Awareness Activities - I have found it to be useful to show a variety of Information Security Awareness videos in conjunction with a lunchtime awareness activity. Why not plan to host brown bag monthly luncheons and show an awareness video? At one company I worked for, we printed our Infosec logo on popcorn bags. We brought popcorn and the video, and our customers brought their lunches. At the end of the video, we had ample time for sharing Infosec war stories and answering questions. The video lunch activities were advertised on our intranet web site with our awareness E-mail address so people could sign up to attend. Awareness videos can be purchased from:

Commonwealth Films, E-mail:
(Many titles.)
Chevron, Mike Wolfe (925) 842-2618
"Information Security is a Piece of Cake."
Software and Information Industry Association (formerly Software Publishers Association),
"It Could Have Been So Easy."
Savage Productions, E-mail:
"Unauthorized Access."

* Links to Information Security Organizations such as Computer Incident Advisory Capability (CIAC), Computer Emergency Response Team/Coordination Center (CERT/CC), Forum of Incident Response and Security Teams (IRST) Information Systems Security Association (ISSA), Computer Security Institute (CSI), Center for Education and Research in Information Assurance and Security (CERIAS) etc., provide valuable information to your customers.

* Newsworthy items: Bulletins, Announcements, Techtips, Newsletters, etc. These can be created in a word-text file or as a PowerPoint file and easily converted with Acrobat's Distiller to a .pdf file to be placed on your intranet web site.

2. Ways for the customer to contact you -Awareness E-mail address and AwarenessVoice Mail. Once you set these up, you MUST view the E-mail in box and listen to the voice mail in box daily! The goal is to get the answers to our customers in a timely manner. An answer of "I don't know the answer to your question, and I will find out and get back to you," is an acceptable answer. Then research the question and get back to the customer with the answer!

3. Give-A-Ways. The goal is to make it easy for our customers to contact us and to provide useful information in a user-friendly format.

Awareness cards (business card stock) featuring your Infosec logo, perhaps a company mascot, and contact information (awareness E-mail, awareness phone, url to your intranet Infosec home page).

Pencils and pens with your contact information on them.

Brochures (PowerPoint files - 2 pages printed double sided and folded in thirds), with policy/compliance information, overall awareness tips, technical tips for protecting information, and contact information.

Depending on budget (and most of us do get some end of year funds to use): tee shirts, caps, water bottles, key chains, puzzles, etc., with Infosec contact information. A wonderful vendor to work with is Banner Printing, located in Foster City, CA. Contact them by E-mail:

4. Participation in Awareness Activities - monthly awareness video brown bag lunches and annual participation in Computer Security Day, E-mail: Come up with fun activities to raise and create awareness within your organization. Even setting up a table by the company cafeteria and handing out awareness cards, gets you and your customers together for some face-to-face time, and provides the space for communication to occur.

There are many ways we can help our customers to pay attention to Information Security! Have fun and enjoy the experience.

Gale S. Warshawsky
can be reached at Bits & Bytes of Awareness ©

Go to top of page

horizontal bar

Siber' Space Snippets
By Philip L. Sibert, CISSP

Did you know that "cyber" and "siber" are homophones? (No, that's not a type of telecommunications device!) A homophone is one of two or more words pronounced alike but different in meaning or derivation or spelling (as the words to, too, and two). Keep the homophones out of your training programs and you can be assured you will be understood.

FISSEA needs the younger generation to step forward and take the reins for this organization. Please consider running for the Executive Board and participating more actively in the coming year. If that's not your mettle, surely you can write, so why not express some views or tell some success stories in this newsletter.

If you ask Linus, he might take his thumb out of his mouth long enough to tell you it gives him a warm fuzzy feeling whenever he's feeling alone in this big world. Linus' security blanket conjures up many scenarios for me. For example, picture the line manager who hasn't the faintest idea of what his security role and responsibilities are, but someone told her everything was OK because they just installed a great new tool called a "firewall", and it would take care of all the problems they had been experiencing with hackers getting into their systems. Boy, does she need manager awareness briefings!

Or, how about the end user who was provided with an agency procured anti-virus software package licensed for his home computer two years ago, but no one has bothered to follow-up with periodic software releases. Is that anti-virus software security blanket a false sense of security? Where is the training session and the awareness briefing needed in this picture?

The only way a security blanket can be of any use to our organizations is if the top side carries the security message (policy), the fringes are embroidered with guidance and procedures for implementing the policy, and the underside is keeping the bodies warm so they can happily be learning and implementing best security practices on a daily basis. That way, when Snoopy comes roaring by and rips that blanket out of that happy, warm, user's grasp, all you have to do is retrieve the blanket because the policy, guidance, procedures, and practices will have been ingrained in that warm body.

The security blanket should be viewed as your total computer security program - make sure education, training, and awareness are woven into the fabric!


Go to top of page

horizontal bar

These are notes and bits of info which your Editor has gleaned from several of our FISSEA Family members.

Ann Brown from Indian Health Service informed us that last year's conference keynoter, the "DICEMAN", Ray Semco, has moved from DOE to NSA. Messages may be left on his voice mail 202-586-1788.

Gale Warshawsky "I moved out of the Honolulu apartment on Dec. 11,1999 and into our new home:" New Email address

Tom Walsh sent the following sad news of the loss of a friend:
"The DOE computer security community has lost a great friend and co-worker. Charlene Douglass of LANL passed away at approximately 11pm, January 1, 2000. As many of you know she had fought a gallant battle with cancer over the past many months and seemed to be on the road to a somewhat normal life again. However, in the waning days of 1999 she contracted a lung infection and was medic vac'd to Albuquerque for extensive treatment. The nature of the infection is not yet known, whether viral or bacterial, but she succumbed to it within just a few days of contracting the infection."

Mich Kabay, who will be addressing this year's FISSEA conference, wrote about his new job, as of 30 January 2000: "Yes, it's great! Everything I love doing -- research, writing, teaching, distance education, lecturing at conferences, consulting on enterprise security -- plus a rise in salary!"
M. E. Kabay, PhD, CISSP
Security Leader
Information Security Group
Adario, Inc.
255 Flood Road
Barre, VT 05641-4060
V: +1.802.479.7937 F: +1.802.479.1879

Shannon Collins wrote on 15 December, 1999 a note of: "Thanks and Farewell - I will be leaving the Department of Labor to accept a position at the Department of Veterans Affairs, Veterans Heath Administration. My new position does not involve security directly, so I will no longer be attending meetings and reading the good ideas of my colleagues at other agencies. I want to thank all of you (and there are many) who made a complete novice welcome and shared your considerable knowledge with me. They say to be good in security you have to be paranoid, but I think you have been one of the best groups I've ever been involved with, due to wonderful members and great leadership from NIST.
Shannon Collins

Steve.Skolochenko sent us "A Fond Farewell" during his last days at the Dept of Treasury. He retired after 36-years of Federal service on the 31 of December, 1999. Here are some of his sentiments: "I just want you all to know how much I appreciated the mutual supporting relationship and the part all of you played in sharing sources of information and advice. Being able to learn from each other has been a real resource saver for me over the years. Being able to hear different views and the issues as seen be different departments was always enlightening."

And, to close this column, I write as Newsletter Editor and a member of the FISSEA Exec Board for 1999-2000. We want to thank all our members and friends for the support we've received as well as much valued camaraderie. We look forward to seeing you at the 2000 Conference.

Go to top of page

horizontal bar

Using Patches to Enhance Security

In light of the recent Hacker activity, Pauline Bowen sent in the following segment from the CSL Bulletin entitled "Operating System Security: Adding To The Arsenal of Security Techniques. The full article can be found at You can also subscribe to the bulletins via e-mail. To subscribe to the e-mail service, send an e-mail message to with the message subscribe itl-bulletin, and your proper name, e.g., John Doe.

"One of the most common methods for plugging known security flaws is the installation of the latest vendor-supplied security patches. Patches are programs that fix errors in software. However, patching systems is not a perfect security solution. First, the constant stream of patches can quickly overwhelm administrators who are already burdened with other administrative tasks. Second, even though organizations install all of the latest patches, new attacks via the Internet will continue. When new attacks are discovered and published on the Internet, a large number of networks will become instantly vulnerable to attack until new patches are created and installed. Several weeks or months may elapse before an effective patch can be prepared to counter a new attack, leaving affected servers wide open to attack. Organizations can maintain their awareness about new patches by monitoring security advisories about threatening or popular attacks. These advisories are issued by a variety of organizations and usually reference a patch or work-around that will fix the discussed vulnerability. The most popular source of security advisories comes from the Carnegie Mellon Emergency Response Team at In addition, we suggest you consult with"

"The FDA ISSO receives information on new patches from the FBI and other sources and immediately disseminates them to all ISSOs within FDA. These announcements contain vulnerability information and their fixes."

Go to top of page

horizontal bar

Why Security is Not the Next Y2K

The Year 2000 problem was easy to understand and to explain. Security holes, however, are numerous and complicated. Computer security does not have a deadline. The Year 2000 had an immovable deadline.

(From a December 6, 1999 Federal Computer Week editorial)
Computer security does not have a deadline because our systems and software are changing too rapidly for software creators to ensure there are no flaws. Software is released in the rush to beat the competitive vendors to market. Flaws are discovered, and either work-arounds or patches are created and released; sometimes more flaws are discovered requiring additional patches, and sometimes these patches cause flaws in what has already been patched. Patches pertain to specific versions of software, but when newer versions come out we find old vulnerabilities have somehow carried over to the new release. This situation requires the attention of well trained system administrators working for managers who have a good computer security awareness and who understand the threats, vulnerabilities, and associated risks.

Consequently, computer security awareness, training, and education will be an integral part of our initiatives to provide a workforce that is security savvy and competent. Too often we are called upon to provide training and awareness in short spurts - training for this or that, awareness for this week or month. Seldom is a budget established to underwrite a continuing program with funding committed for multiple years, yet everyone knows security practices and skills quickly erode without an on-going commitment to these activities. Technology changes so rapidly now that training in system administrator skills should be part of each year's budget. Being in the loop for threat information and preparing briefings for managers and other activities to inform users is also part of our job.

So, what are the challenges we face in this new millennium?

  • Understanding the problem - delivering continuous awareness and training
  • Assessing the needs
  • Developing goals
  • Devising strategies
  • Outlining awareness activities and a training program
  • Creating business cases to present to management
  • Evaluating effectiveness of the activities and programs
  • Revising and repeating the programs

Are these challenges any different from those of the last 5 years? I don't think so, but our approach should be as up-to-date as the technology we are implementing. Devising strategies and creating business cases should include multiple cost-effective options for delivery of training if at all possible.

Go to top of page

horizontal bar

Educator of the Year Award
by Peggy Himes, NIST

The FISSEA Educator of the Year award ceremony is held during the annual Conference on March 15 at 12:15p.m. Each year the FISSEA recognizes an individual who has made significant contributions in education and training programs for information systems security.

Nominees need not be members of FISSEA, but do need to be nominated by a member. Nominees may be involved in any aspect of information security education or training, including, but not limited to, instructors, security program managers, and practitioners who further education and training programs for information systems security in the federal community. Nominees are judged by an ad hoc committee appointed by the FISSEA Executive Board Chair. The nomination deadline is February 22, 2000, e-mail to: See the FISSEA web site for detailed information on nomination justification and the selection process.

Award Recipient for 1998:
Louis Numkin, Nuclear Regulatory Commission

Award Recipient for 1999:

In addition to well deserved recognition and a plaque, the Educator of the Year recipient will be provided free registration for the next FISSEA conference.

Go to top of page

horizontal bar

by Louis M Numkin, US NRC, FISSEA Newsletter Editor

For my last contribution of this term, I want to consider how some clever phrases relate to what we do.

I saw an automobile with a bumper sticker which read "Visualize Whirled Peas." It took a moment to realize what the owner was trying to say. In current vernacular it would be "think outside the box." Just because something sounds the same doesn't mean it is the same. In this issue's TRAINIA column, you will find bits of humor which you may be able to use during awareness presentations. Remember the old speaker's axiom and include a story or joke within your talk so as to spark the audience's attention. Oh, and be sure to rehearse it so that it flows easily from your lips... and don't blow the punch line!

One day, a radio commentator reported that "Dana Carvey is 30 years old... but reads at a 34 year old level." This has multiple implications. Always consider your audience demographics. Is it a large room or is the group older where you might need to amplify your voice to get your message across? The same holds true for slides or projections - are they large and clear enough to be seen by everyone anywhere in the room? And, do not neglect the needs of an attendee who is hearing and/or vision impaired - You need not especially change your delivery but just be sure that they also get the full value of your training. And, beware of talking down or up to an audience - try to monitor their faces for response and modify your level of verbiage style. In general, it is safe to speak so the lowest level participant can understand - this permits those who should know more but don't to act like they do... get it?

Attending the rescheduled recent FORUM meeting at NIST, I witnessed nature's teaching tool. With a sizable dumping of snow which closed the Government for two-days, plows had cleared the parking lots by piling snow around the edges. This demonstrated how much snow fell out there but also provided the material to build wind breaks to protect us while walking in to the building. It's sort of a Ying and Yang thing, if you think about it. So, know that not everyone wants to attend your training but build a successful windbreak by really investing yourself in it and making it interesting. Find analogies, such as this one, to demonstrate that computer security has the same abbreviation as common sense - and employ it in improving your talk.

This morning, I heard someone explain that "every expert says Bumblebees cannot fly ...because their mass is too great to get airborne on those tiny wings." The problem with experts is that they are sometimes very correct in establishing rules but not in dealing with reality. Don't be an expert without first experiencing what it is like to be a bumblebee. Know your audience and their level of comprehension. If they are using a tool incorrectly, don't just tell them they are wrong but show them how to use it right. If an expert pontificates without foundation, then he's just "flapping" his lips without really getting the job done. Please do not act like an expert... even if you are.

And for the golfers out there, I understand there are two ways to play, by feel and by mechanics. If a mechanical golfer whiffs a ball, he knows which joint or angle to change so that it doesn't happen again. Though this is good when you are in training, everyone should aspire to playing by feel. We know what feels right and need not worry about the angle of the dangle. As a trainer, you create your slides mechanically, but you present based on feel. Feel is impacted by current events which you can dribble into your rhetoric, or visual aids which provide the basis for analogies, or experience from your years of playing the game. You must know what feels right in order for your class to make a hole in one.

This is the last issue of our second year of FISSEA newsletters. As Justin Wilson, "the Cajun Cook", says "I don't know how I do it, but I hope I never forget." One thing is for sure, it would not be worth reading without contributions from the Exec Board, Members, and Friends, and would not make it into your mailbox without the dedicated support of NIST's Peggy Himes. I sure hope you have enjoyed reading them. Y'all come back now... ya hear?

Go to top of page

horizontal bar

{a combination of the words "TRAINing" and "trivIA" - collected by your Editor to aid in your information gathering, continued education, and improve your sense of humor.}

** Our Air Force pal, Tim Mucklow, sent these useful reference sites for your consideration:




Archive of Network World Fusion Focus on Security newsletters:

Best products picks of six Network World columnists, Network World, 11/15/99

Network World's 1999 User Excellence Awards Winner -Olsten Staffing Service, Network World, 11/15/99

Network execs' favorite products, Network World, 11/15/99

Products that tested best this year at Network World, Network World, 11/15/99

** Mich Kabay forwarded this note from Gene Spafford, Purdue Computer Sciences has positions open for new faculty. Although the published announcement does not explicitly list openings in infosec, that is one of the priority areas for hiring. As we are about to add an interdisciplinary MS in information security, there is interest in adding more faculty in this area, particularly ones with interests in complementary areas (e.g., psychology, criminology, management). The emphasis is on assistant professor positions, but more senior applicants will be considered. More information is available at

** A student came back to the dorm to find his roommate near tears.
"What's the matter pal?" he asked.
His roommate moaned, "I wrote home for my parents to send money so that I could buy a laptop; and they sent me the laptop!"

** Fred Cohen forwarded info on a new study to the SECEDU list:
"Employees, Not Hackers, Greatest Computer Threat New Study Shows Unhappy Workers Steal Trade Secrets. The greatest security threat to companies' computer systems comes from disgruntled employees stealing confidential information and trade secrets, according to a new study on cyber-security. The survey, conducted by Michael G. Kessler & Associates Ltd., a New York-based security firm, found that 35 percent of the theft of proprietary information is perpetrated by discontented employees. Outside hackers steal secrets 28 percent of the time; other U.S. companies 18 percent; foreign corporations 11 percent and foreign governments, 8 percent. The remaining 10 percent, according to the study, are listed as miscellaneous crimes."

** The college President hired a new Admissions Administrator. At the conclusion of the interview he said, "Please don't tell anyone what we're paying you." "Don't worry Sir," the new bureaucrat replied, "I'm as ashamed of my salary as you are."

** Hi, I am writing to let you know about a tenure-track faculty position (junior-level) we have open in the Department of Computer Science at Dartmouth College (see below). It's particularly exciting this year because we have just opened a new "Institute for Security Studies" with a $15M startup research budget. So, we're looking for core "systems" people, particularly those who are interested in security-related topics. If you are interested, or know someone who might be interested, please let me know. Please send applications materials and general inquiries to Faculty Position, Department of Computer Science, Dartmouth College, 6211 Sudikoff Laboratory, Hanover, NH 03755-3510. Specific questions can be referred to David Kotz at Thanks,
David Kotz, Chair of recruiting committee

** There was a university in New England where the students operated a "bank" of term papers and other homework assignments including papers to suit all needs and as it would look odd if an undistinguished student suddenly handed in a brilliant essay, there were papers for an A grade, B grade and C grade.

A student who had spent the weekend on pursuits other than his assignment, went to the "bank" and as his course was a standard one, he took out a paper for a inconspicuous C, retyped it and handed the work in.

In due course he received it back with the professor's comments, "I wrote this paper myself twenty years ago. I always thought it should have had an A, and now I am glad to give it one!"

** ** Are you looking for a conference of a different kind? Then consider participating in the Project 2005 Millennium Congress which will be held in San Antonio, TX, August 10-12, 2000.
Project 2005 is a multi-year, multidisciplinary effort to promote the integration of management, education, technology, and leadership through a series of international congresses, special issues of journals, monographs and other types of publications as well as partnerships with corporations, institutions of higher learning and professional associations. For a background description of the Project 2005 and the conceptual framework underlying the Project, visit the following URLS: and
The Call for papers, submission guidelines, and registration forms along with information regarding the conference venue are located at
The theme of this year's congress is: "Is the Question the Answer: Paradigms and Paradoxes in Management, Education, Cybertechnology, and Leadership." The submission deadline is March 31, 2000.

** Modern Aphorisms (@phorisms?)
1. Home is where you hang your @
2. The E-mail of the species is more deadly than the mail..
3. A journey of a thousand sites begins with a single click..
4. You can't teach a new mouse old clicks..
5. Great groups from little icons grow..
6. Speak softly and carry a cellular phone..
7. C:\ is the root of all directories..
8. Don't put all your hypes in one home page..
9. Pentium wise; pen and paper foolish..
10. The modem is the message..

** The Fourth Annual Information Security Conference of the Veterans Health Administration will be held the week of June 26 in Reno, Nevada. For details on the conference including registration, lodging, and agenda, contact Ann Brown at IHS.

** Phil Sibert sent along the following tidbit of info: (U) (Newsbytes, 17 January) According to a report released by Computer Economics virus attacks cost organizations a total of $12.1 billion during 1999. The report said that over the last three years there has been a major programming shift as viruses have become far more malicious and specifically designed for destruction and damage.

** More Modern Aphorisms (@phorisms?)
11. Too many clicks spoil the browse..
12. The geek shall inherit the earth..
13. A chat has nine lives..
14. Don't byte off more than you can view..
15. Fax is stranger than fiction..
16. What boots up must come down..
17. Windows will never cease..
18. Virtual reality is its own reward..
19. Modulation in all things..
20. A user and his leisure time are soon parted.

** Here's another false alert from the Urban Legends list: AMERICA ONLINE TO START CHARGING FOR INSTANT MESSAGES! Sound familiar? It should. The same phony-baloney petition has been popping up every six months or so for the past several years. Does anybody really believe that the World's Largest Online Service would reconsider a policy change because 100,000 people forwarded a chain letter? Apparently so.

** And the Last of our Modern Aphorisms (@phorisms?)
21. There's no place like
22. Know what to expect before you connect..
23. Oh, what a tangled website we weave when first we practice...
24. Speed thrills..
25. Give a man a fish and you feed him for a day; teach him to use the Web and he won't bother you for weeks..

** Techno-Security 2000 April 16-19, 2000
Wyndham Myrtle Beach Resort
Myrtle Beach, South Carolina
This one-of-a-kind conference is intended for private industry, government, law enforcement decision makers and technical experts interested in, or involved with information security, operations security, high tech crime and it's prevention. Untraditional conference format with interactive high intensity training and tremendous networking opportunities. Featured speakers include: Bill Murray, Dr. Dorothy Denning, Bill Crowell, Chris Goggans, Kevin Manson, Rick Forno, Don Delaney, Dr. Terry Gudaitis and many more...
This year's high intensity tracks will include: Hacker Profiling, Intrusion Detection, Beginner & Advance Computer Forensics, e-Commerce Security, Body Armor for Cyber-Cops, Information Terrorism, Live Vulnerability Testing, Incident Response, Tools for Protecting the Enterprise, PKI, plus many more.
For more info, contact:

** The First International Common Criteria Conference; Sponsored by NIST, NSA, and NIAP
(National Information Assurance Partnership)
Baltimore Convention Center, Baltimore MD
May 23-25, 2000
Learn more about the international IT security standard ISO/IEC 15408 (Common Criteria); hear about national and international Common Criteria initiatives and IT security testing programs; find out how to receive a Common Criteria certificate for an IT product; learn about the International Common Criteria Mutual Recognition Arrangement; discover educational opportunities to support Common Criteria initiatives; see what protection profiles have been developed by governments and industries around the world; learn how automated tools can help consumers write protection profiles and IT product developers write security targets; hear about Common Criteria guidance documents and web-based information sources; and see what new products have received Common Criteria certificates. For details, visit

** Lewis Baskerville contributed Information Systems Security Program: Good Computer Security Practices listed on the last page of our newsletter.

Go to top of page

horizontal bar

Executive Board Email Addresses

LISA BIAFORE, Co-Conference Director
PATTI BLACK, Co-Conference Director
PAULINE BOWEN, Assistant Chair
LOUIS NUMKIN, Newsletter Editor

Go to top of page

horizontal bar

Good Computer Security Practices


To: Employees, Contractors and External Users


Always Protect Your Information Resources - All classified, sensitive, private, and mission-critical information, data, systems, and applications require protection from unauthorized access, use, disclosure, alteration, and loss.

Know Our Policies - Read all Information Resources Directives, including all Information Systems Security Program Policies.

Protect Your Work Area - Recognize, politely challenge, and assist people who DO NOT belong in the work area.

Preventing Unauthorized Access - Computer resources and equipment, especially personal computers and servers, should not be exposed to unauthorized access.

Protect Passwords - Use only passwords which are not easily guessed or not in the dictionary, change them frequently, and DO NOT share your password with anyone.

Protect Your Files - Establish and periodically review access privileges for each file.

Protect Your Computer - Always logoff or password protect your screen before leaving your computer system unattended. Always safeguard software and removable media such as diskettes.

Protect Against Computer Viruses - Never load unauthorized or personal software on your computer system. Report viruses immediately to your supervisor and the appropriate Help Desk for corrective action. Before loading data from any media (diskette, Internet, etc.), always check it for viruses.

Protect Against Disaster - Always have backup copies of program, equipment, and databases ready to go.

Protect Classified and Sensitive Data and Information - Read all directives, policies, handbooks, and manuals to protect classified, sensitive data and information, especially the Privacy Act of 1974.

Report Violations - Document any computer and communications misuse, abuse, security incident or breach. Report it immediately to your supervisor and your Information Systems Security Officer.

Please contact your
Information Systems Security Officer anytime.

Go to top of page

horizontal bar

Back arrow Back to FISSEA Homepage back arrow Back to Newsletter Index back arrow Back to CSRC Homepage

Please send comments or suggestions to
Last Modified: March 5, 2002.