|"I touch the future, I teach." Christa McAuliffe||Vol. II No. III|
From the Executive Board Chair
Now it's time to map our course, to gather up the security force,
For our job has just begun for the new millennium.
One of the lessons learned, from the past several years' efforts to ensure our country's information and computer based control systems would function properly when the clock turned over to the year 2000, is that appropriate resources and management attention can produce desired results. Just think of the various information security elements that received attention in preparation for the Y2K event -- system configuration control, software validation, identification of "sensitive" or "critical" systems, business continuity plans, back-up procedures, incident identification and reporting procedures, etc., etc. All of these information security program elements received heightened attention. Awareness of their importance in the grand scheme of providing uninterrupted system and network service had a bearing on the desired outcome.
The momentum created by the Y2K activities in the area of information technology must be on-going and re-directed to address security improvements. Now it's time for the information security educators and trainers to be creative and present management with proposals for viable education, training, and awareness programs. These programs should take advantage of the improvements in information system management and user awareness brought on by Y2K. I sincerely believe the Federal CIO Council Security, Privacy, and Critical Infrastructure Committee will continue to emphasize the importance of protecting the technology and information assets that we, as both providers and users, rely upon every day. We should look to that body to sponsor cross-cutting information security awareness, training, and education activities and initiatives.
On another note...I am nearing completion of a second term as FISSEA Executive Board Chairman and will reluctantly be stepping down to become an Ex-Officio member of the board come March 2000. I say reluctantly because I have enjoyed serving you, working with you, and steering this organization through the tough times we've endured. It's now time for someone else to have the opportunity to guide FISSEA to bigger and better accomplishments.
Please come out for our annual conference March 14-16, 2000, and enjoy the enlightening sessions prepared for you.Philip L. Sibert, CISSP
Office of the Chief Information Officer
U. S. Department of Energy
CISSP Examination Update
The International Information Systems Security Certification Consortium, or (ISC)2, working with a professional testing service, has developed a certification examination based on the information systems security Common Body of Knowledge (CBK). Candidates have up to 6 hours to complete the examination . . . which consists of 250 multiple choice questions that address the ten topical test domains of the CBK. The information systems security test domains are:
The applicant must meet the following requirements in order to sit
for the examination:
1. Subscribe to the (ISC)2 Code of Ethics.
Valid experience includes information systems (IS) security-related work performed as a practitioner, auditor, consultant, vendor, investigator or instructor, that requires IS security knowledge and involves the direct application of that knowledge. The 3-year experience requirement is actual time worked; the requirement is cumulative, however, and may have been accrued over a much longer period of time.
The Examination and Registration fee is $450 USD. There is an added $100 late registration fee for registrations received less than 14 days in advance of the Exam date. All registrations should be received at least 10 days in advance of the Examination date.
Registration information and Forms should be requested directly from (ISC)2 by fax or e-mail (recommended) providing your full postal mailing address. When requesting materials by e-mail, please put FISSEA Exam Registration Info in the subject line for expedited handling.
A FISSEA Conference 2000 Update
A FISSEA Conference 2000 Update Well, we are down to the final month in planning your FISSEA conference. It has been an invigorating experience coordinating with IT security training experts, the NIST Computer Security Division and the FISSEA Executive Board. We have some of the best minds in the community working with us in putting the Conference together which guarantees that it will be a great experience for all attendees.
If you have not looked at the FISSEA Conference web site lately,
please check it out
NIST will keep the conference agenda current, so you can watch as we refine conference sessions. While you are at the site, don't forget to register! You may do so on-line with a credit card. If your organization does not handle training payments in this manner, please pre-register via the web and bring your training order paperwork to the conference with you.
We have a free gift for each of the first 100 attendees, courtesy of the Computer Security Institute - so plan on arriving early. The FISSEA Weather Prognosticator has stated that for the first time in the last several years, we will not have snow during our conference. So, we are looking orward to welcoming you on March 14, 2000.
Tools of the Trade
HAPPY LEAP DAY
Ann Brown from Indian Health Service informed us that last year's conference keynoter, the "DICEMAN", Ray Semco, has moved from DOE to NSA. Messages may be left on his voice mail 202-586-1788.
Gale Warshawsky "I moved out of the Honolulu apartment on Dec. 11,1999 and into our new home:" New Email address firstname.lastname@example.org
Tom Walsh sent the following sad news of the loss of a
"The DOE computer security community has lost a great friend and co-worker. Charlene Douglass of LANL passed away at approximately 11pm, January 1, 2000. As many of you know she had fought a gallant battle with cancer over the past many months and seemed to be on the road to a somewhat normal life again. However, in the waning days of 1999 she contracted a lung infection and was medic vac'd to Albuquerque for extensive treatment. The nature of the infection is not yet known, whether viral or bacterial, but she succumbed to it within just a few days of contracting the infection."
Mich Kabay, who will be addressing this year's FISSEA
conference, wrote about his new job, as of 30 January 2000: "Yes,
it's great! Everything I love doing -- research, writing, teaching,
distance education, lecturing at conferences, consulting on enterprise
security -- plus a rise in salary!"
M. E. Kabay, PhD, CISSP
Information Security Group
255 Flood Road
Barre, VT 05641-4060
V: +1.802.479.7937 F: +1.802.479.1879
Shannon Collins wrote on 15 December, 1999 a note of: "Thanks
and Farewell - I will be leaving the Department of Labor to accept a
position at the Department of Veterans Affairs, Veterans Heath
Administration. My new position does not involve security directly, so
I will no longer be attending meetings and reading the good ideas of
my colleagues at other agencies. I want to thank all of you (and there
are many) who made a complete novice welcome and shared your
considerable knowledge with me. They say to be good in security you
have to be paranoid, but I think you have been one of the best groups
I've ever been involved with, due to wonderful members and great
leadership from NIST.
Steve.Skolochenko sent us "A Fond Farewell" during his last days at the Dept of Treasury. He retired after 36-years of Federal service on the 31 of December, 1999. Here are some of his sentiments: "I just want you all to know how much I appreciated the mutual supporting relationship and the part all of you played in sharing sources of information and advice. Being able to learn from each other has been a real resource saver for me over the years. Being able to hear different views and the issues as seen be different departments was always enlightening."
And, to close this column, I write as Newsletter Editor and a member of the FISSEA Exec Board for 1999-2000. We want to thank all our members and friends for the support we've received as well as much valued camaraderie. We look forward to seeing you at the 2000 Conference.
In light of the recent Hacker activity, Pauline Bowen sent in the following segment from the CSL Bulletin entitled "Operating System Security: Adding To The Arsenal of Security Techniques. The full article can be found at http://csrc.nist.gov/nistbul/. You can also subscribe to the bulletins via e-mail. To subscribe to the e-mail service, send an e-mail message to email@example.com with the message subscribe itl-bulletin, and your proper name, e.g., John Doe.
"One of the most common methods for plugging known security flaws is the installation of the latest vendor-supplied security patches. Patches are programs that fix errors in software. However, patching systems is not a perfect security solution. First, the constant stream of patches can quickly overwhelm administrators who are already burdened with other administrative tasks. Second, even though organizations install all of the latest patches, new attacks via the Internet will continue. When new attacks are discovered and published on the Internet, a large number of networks will become instantly vulnerable to attack until new patches are created and installed. Several weeks or months may elapse before an effective patch can be prepared to counter a new attack, leaving affected servers wide open to attack. Organizations can maintain their awareness about new patches by monitoring security advisories about threatening or popular attacks. These advisories are issued by a variety of organizations and usually reference a patch or work-around that will fix the discussed vulnerability. The most popular source of security advisories comes from the Carnegie Mellon Emergency Response Team at http://www.cert.org. In addition, we suggest you consult with http://www.fedcirc.gov."
"The FDA ISSO receives information on new patches from the FBI and other sources and immediately disseminates them to all ISSOs within FDA. These announcements contain vulnerability information and their fixes."
The Year 2000 problem was easy to understand and to explain. Security holes, however, are numerous and complicated. Computer security does not have a deadline. The Year 2000 had an immovable deadline.
(From a December 6, 1999 Federal Computer Week editorial)
Computer security does not have a deadline because our systems and software are changing too rapidly for software creators to ensure there are no flaws. Software is released in the rush to beat the competitive vendors to market. Flaws are discovered, and either work-arounds or patches are created and released; sometimes more flaws are discovered requiring additional patches, and sometimes these patches cause flaws in what has already been patched. Patches pertain to specific versions of software, but when newer versions come out we find old vulnerabilities have somehow carried over to the new release. This situation requires the attention of well trained system administrators working for managers who have a good computer security awareness and who understand the threats, vulnerabilities, and associated risks.
Consequently, computer security awareness, training, and education will be an integral part of our initiatives to provide a workforce that is security savvy and competent. Too often we are called upon to provide training and awareness in short spurts - training for this or that, awareness for this week or month. Seldom is a budget established to underwrite a continuing program with funding committed for multiple years, yet everyone knows security practices and skills quickly erode without an on-going commitment to these activities. Technology changes so rapidly now that training in system administrator skills should be part of each year's budget. Being in the loop for threat information and preparing briefings for managers and other activities to inform users is also part of our job.
So, what are the challenges we face in this new millennium?
Are these challenges any different from those of the last 5 years? I don't think so, but our approach should be as up-to-date as the technology we are implementing. Devising strategies and creating business cases should include multiple cost-effective options for delivery of training if at all possible.
The FISSEA Educator of the Year award ceremony is held during the annual Conference on March 15 at 12:15p.m. Each year the FISSEA recognizes an individual who has made significant contributions in education and training programs for information systems security.
Nominees need not be members of FISSEA, but do need to be nominated by a member. Nominees may be involved in any aspect of information security education or training, including, but not limited to, instructors, security program managers, and practitioners who further education and training programs for information systems security in the federal community. Nominees are judged by an ad hoc committee appointed by the FISSEA Executive Board Chair. The nomination deadline is February 22, 2000, e-mail to: firstname.lastname@example.org. See the FISSEA web site for detailed information on nomination justification and the selection process.
Award Recipient for 1998:
Louis Numkin, Nuclear Regulatory Commission
Award Recipient for 1999:
NEED YOUR NOMINATIONS NOW
In addition to well deserved recognition and a plaque, the Educator of the Year recipient will be provided free registration for the next FISSEA conference.
For my last contribution of this term, I want to consider how some clever phrases relate to what we do.
I saw an automobile with a bumper sticker which read "Visualize Whirled Peas." It took a moment to realize what the owner was trying to say. In current vernacular it would be "think outside the box." Just because something sounds the same doesn't mean it is the same. In this issue's TRAINIA column, you will find bits of humor which you may be able to use during awareness presentations. Remember the old speaker's axiom and include a story or joke within your talk so as to spark the audience's attention. Oh, and be sure to rehearse it so that it flows easily from your lips... and don't blow the punch line!
One day, a radio commentator reported that "Dana Carvey is 30 years old... but reads at a 34 year old level." This has multiple implications. Always consider your audience demographics. Is it a large room or is the group older where you might need to amplify your voice to get your message across? The same holds true for slides or projections - are they large and clear enough to be seen by everyone anywhere in the room? And, do not neglect the needs of an attendee who is hearing and/or vision impaired - You need not especially change your delivery but just be sure that they also get the full value of your training. And, beware of talking down or up to an audience - try to monitor their faces for response and modify your level of verbiage style. In general, it is safe to speak so the lowest level participant can understand - this permits those who should know more but don't to act like they do... get it?
Attending the rescheduled recent FORUM meeting at NIST, I witnessed nature's teaching tool. With a sizable dumping of snow which closed the Government for two-days, plows had cleared the parking lots by piling snow around the edges. This demonstrated how much snow fell out there but also provided the material to build wind breaks to protect us while walking in to the building. It's sort of a Ying and Yang thing, if you think about it. So, know that not everyone wants to attend your training but build a successful windbreak by really investing yourself in it and making it interesting. Find analogies, such as this one, to demonstrate that computer security has the same abbreviation as common sense - and employ it in improving your talk.
This morning, I heard someone explain that "every expert says Bumblebees cannot fly ...because their mass is too great to get airborne on those tiny wings." The problem with experts is that they are sometimes very correct in establishing rules but not in dealing with reality. Don't be an expert without first experiencing what it is like to be a bumblebee. Know your audience and their level of comprehension. If they are using a tool incorrectly, don't just tell them they are wrong but show them how to use it right. If an expert pontificates without foundation, then he's just "flapping" his lips without really getting the job done. Please do not act like an expert... even if you are.
And for the golfers out there, I understand there are two ways to play, by feel and by mechanics. If a mechanical golfer whiffs a ball, he knows which joint or angle to change so that it doesn't happen again. Though this is good when you are in training, everyone should aspire to playing by feel. We know what feels right and need not worry about the angle of the dangle. As a trainer, you create your slides mechanically, but you present based on feel. Feel is impacted by current events which you can dribble into your rhetoric, or visual aids which provide the basis for analogies, or experience from your years of playing the game. You must know what feels right in order for your class to make a hole in one.
This is the last issue of our second year of FISSEA newsletters. As Justin Wilson, "the Cajun Cook", says "I don't know how I do it, but I hope I never forget." One thing is for sure, it would not be worth reading without contributions from the Exec Board, Members, and Friends, and would not make it into your mailbox without the dedicated support of NIST's Peggy Himes. I sure hope you have enjoyed reading them. Y'all come back now... ya hear?
** Our Air Force pal, Tim Mucklow, sent these useful reference sites for your consideration:
Archive of Network World Fusion Focus on Security newsletters:
Best products picks of six Network World columnists, Network World, 11/15/99
Network World's 1999 User Excellence Awards Winner -Olsten Staffing Service, Network World, 11/15/99
Network execs' favorite products, Network World, 11/15/99
Products that tested best this year at Network World, Network World, 11/15/99
** Mich Kabay forwarded this note from Gene Spafford, INTERNET:email@example.com: Purdue Computer Sciences has positions open for new faculty. Although the published announcement does not explicitly list openings in infosec, that is one of the priority areas for hiring. As we are about to add an interdisciplinary MS in information security, there is interest in adding more faculty in this area, particularly ones with interests in complementary areas (e.g., psychology, criminology, management). The emphasis is on assistant professor positions, but more senior applicants will be considered. More information is available at http://www.cs.purdue.edu/positions.html.
** A student came back to the dorm to find his roommate near
"What's the matter pal?" he asked.
His roommate moaned, "I wrote home for my parents to send money so that I could buy a laptop; and they sent me the laptop!"
** Fred Cohen forwarded info on a new study to the
"Employees, Not Hackers, Greatest Computer Threat New Study Shows Unhappy Workers Steal Trade Secrets. The greatest security threat to companies' computer systems comes from disgruntled employees stealing confidential information and trade secrets, according to a new study on cyber-security. The survey, conducted by Michael G. Kessler & Associates Ltd., a New York-based security firm, found that 35 percent of the theft of proprietary information is perpetrated by discontented employees. Outside hackers steal secrets 28 percent of the time; other U.S. companies 18 percent; foreign corporations 11 percent and foreign governments, 8 percent. The remaining 10 percent, according to the study, are listed as miscellaneous crimes."
** The college President hired a new Admissions Administrator. At the conclusion of the interview he said, "Please don't tell anyone what we're paying you." "Don't worry Sir," the new bureaucrat replied, "I'm as ashamed of my salary as you are."
** Hi, I am writing to let you know about a tenure-track
faculty position (junior-level) we have open in the Department of
Computer Science at Dartmouth College (see below). It's particularly
exciting this year because we have just opened a new "Institute
for Security Studies" with a $15M startup research budget. So,
we're looking for core "systems" people, particularly those
who are interested in security-related topics. If you are interested,
or know someone who might be interested, please let me know. Please
send applications materials and general inquiries to Faculty Position,
Department of Computer Science, Dartmouth College, 6211 Sudikoff
Laboratory, Hanover, NH 03755-3510. Specific questions can be referred
to David Kotz at firstname.lastname@example.org.
David Kotz, Chair of recruiting committee
** There was a university in New England where the students
operated a "bank" of term papers and other homework
assignments including papers to suit all needs and as it would look
odd if an undistinguished student suddenly handed in a brilliant
essay, there were papers for an A grade, B grade and C grade.
A student who had spent the weekend on pursuits other than his assignment, went to the "bank" and as his course was a standard one, he took out a paper for a inconspicuous C, retyped it and handed the work in.
In due course he received it back with the professor's comments, "I wrote this paper myself twenty years ago. I always thought it should have had an A, and now I am glad to give it one!"
** ** Are you looking for a conference of a different kind?
Then consider participating in the Project 2005 Millennium
Congress which will be held in San Antonio, TX, August 10-12,
Project 2005 is a multi-year, multidisciplinary effort to promote the integration of management, education, technology, and leadership through a series of international congresses, special issues of journals, monographs and other types of publications as well as partnerships with corporations, institutions of higher learning and professional associations. For a background description of the Project 2005 and the conceptual framework underlying the Project, visit the following URLS:
The Call for papers, submission guidelines, and registration forms along with information regarding the conference venue are located at http://www.aom-iaom.org/Project-call.html.
The theme of this year's congress is: "Is the Question the Answer: Paradigms and Paradoxes in Management, Education, Cybertechnology, and Leadership." The submission deadline is March 31, 2000.
** Modern Aphorisms (@phorisms?)
1. Home is where you hang your @
2. The E-mail of the species is more deadly than the mail..
3. A journey of a thousand sites begins with a single click..
4. You can't teach a new mouse old clicks..
5. Great groups from little icons grow..
6. Speak softly and carry a cellular phone..
7. C:\ is the root of all directories..
8. Don't put all your hypes in one home page..
9. Pentium wise; pen and paper foolish..
10. The modem is the message..
** The Fourth Annual Information Security Conference of the Veterans Health Administration will be held the week of June 26 in Reno, Nevada. For details on the conference including registration, lodging, and agenda, contact Ann Brown at IHS.
** Phil Sibert sent along the following tidbit of info: (U) (Newsbytes, 17 January) According to a report released by Computer Economics virus attacks cost organizations a total of $12.1 billion during 1999. The report said that over the last three years there has been a major programming shift as viruses have become far more malicious and specifically designed for destruction and damage.
** More Modern Aphorisms (@phorisms?)
11. Too many clicks spoil the browse..
12. The geek shall inherit the earth..
13. A chat has nine lives..
14. Don't byte off more than you can view..
15. Fax is stranger than fiction..
16. What boots up must come down..
17. Windows will never cease..
18. Virtual reality is its own reward..
19. Modulation in all things..
20. A user and his leisure time are soon parted.
** Here's another false alert from the Urban Legends list:
AMERICA ONLINE TO START CHARGING FOR INSTANT MESSAGES! Sound familiar?
It should. The same phony-baloney petition has been popping up every
six months or so for the past several years. Does anybody really
believe that the World's Largest Online Service would reconsider a
policy change because 100,000 people forwarded a chain letter?
** And the Last of our Modern Aphorisms (@phorisms?)
21. There's no place like http://www.home.com
22. Know what to expect before you connect..
23. Oh, what a tangled website we weave when first we practice...
24. Speed thrills..
25. Give a man a fish and you feed him for a day; teach him to use the Web and he won't bother you for weeks..
** Techno-Security 2000 April 16-19, 2000
Wyndham Myrtle Beach Resort
Myrtle Beach, South Carolina
This one-of-a-kind conference is intended for private industry, government, law enforcement decision makers and technical experts interested in, or involved with information security, operations security, high tech crime and it's prevention. Untraditional conference format with interactive high intensity training and tremendous networking opportunities. Featured speakers include: Bill Murray, Dr. Dorothy Denning, Bill Crowell, Chris Goggans, Kevin Manson, Rick Forno, Don Delaney, Dr. Terry Gudaitis and many more...
This year's high intensity tracks will include: Hacker Profiling, Intrusion Detection, Beginner & Advance Computer Forensics, e-Commerce Security, Body Armor for Cyber-Cops, Information Terrorism, Live Vulnerability Testing, Incident Response, Tools for Protecting the Enterprise, PKI, plus many more.
For more info, contact: http://www.TheTrainingCo.com
** The First International Common Criteria Conference;
Sponsored by NIST, NSA, and NIAP
(National Information Assurance Partnership)
Baltimore Convention Center, Baltimore MD
May 23-25, 2000
Learn more about the international IT security standard ISO/IEC 15408 (Common Criteria); hear about national and international Common Criteria initiatives and IT security testing programs; find out how to receive a Common Criteria certificate for an IT product; learn about the International Common Criteria Mutual Recognition Arrangement; discover educational opportunities to support Common Criteria initiatives; see what protection profiles have been developed by governments and industries around the world; learn how automated tools can help consumers write protection profiles and IT product developers write security targets; hear about Common Criteria guidance documents and web-based information sources; and see what new products have received Common Criteria certificates. For details, visit http://www.niap.nist.gov/iccc
** Lewis Baskerville contributed Information Systems Security Program: Good Computer Security Practices listed on the last page of our newsletter.
LISA BIAFORE, Co-Conference Director
PATTI BLACK, Co-Conference Director
PAULINE BOWEN, Assistant Chair
LOUIS NUMKIN, Newsletter Editor
PHILIP L. SIBERT, Chair
Always Protect Your Information Resources - All
classified, sensitive, private, and mission-critical information,
data, systems, and applications require protection from
unauthorized access, use, disclosure, alteration, and loss.
Know Our Policies - Read all Information Resources
Directives, including all Information Systems Security Program
Protect Your Work Area - Recognize, politely challenge,
and assist people who DO NOT belong in the work
Preventing Unauthorized Access - Computer resources and
equipment, especially personal computers and servers, should not
be exposed to unauthorized access.
Protect Passwords - Use only passwords which are not
easily guessed or not in the dictionary, change them frequently,
and DO NOT share your password with anyone.
Protect Your Files - Establish and periodically review
access privileges for each file.
Protect Your Computer - Always logoff or password protect your screen before leaving your computer system unattended. Always safeguard software and removable media such as diskettes.
Protect Against Computer Viruses - Never load unauthorized or personal software on your computer system. Report viruses immediately to your supervisor and the appropriate Help Desk for corrective action. Before loading data from any media (diskette, Internet, etc.), always check it for viruses.
Protect Against Disaster - Always have backup copies of program, equipment, and databases ready to go.
Protect Classified and Sensitive Data and Information - Read all directives, policies, handbooks, and manuals to protect classified, sensitive data and information, especially the Privacy Act of 1974.
Report Violations - Document any computer and communications misuse, abuse, security incident or breach. Report it immediately to your supervisor and your Information Systems Security Officer.
Information Systems Security Officer anytime.
Back to FISSEA Homepage Back to Newsletter Index Back to CSRC Homepage
Please send comments or suggestions to
Last Modified: March 5, 2002.