September 2000

"I touch the future, I teach." Christa McAuliffe Issue Two of FISSEA Year 2000-2001


From the Executive Board Chair

Security is becoming more and more a priority for many Government entities with increasing demand for accountability for our information resources and data. As Chair of the FISSEA Executive Board, I want to encourage you to not forget that training, education, and awareness will play an increasing role in helping to accomplish our security objectives.

In May, 1998, President Clinton issued Presidential Decision Directive 63 (PDD-63), which calls for a national effort to assure the security of the increasingly vulnerable and interconnected infrastructure of the United States, especially the cyber-based infrastructure. Federal Departments and agencies are beginning the process of identifying and securing those critical assets and related infrastructure components that they depend on to fulfill their responsibilities of ensuring national security, national economic security, and public health and safety.

The overall security of an Agency's cyber-based infrastructure is extremely important based on the mission of the Agency. Information must be protected from unauthorized disclosure or access. Many employees, contractors, emergency management staff, etc. handle information that must be kept secret and transmitted safely across networks, Internet and Intranet in order to accomplish Agency missions and goals. This need requires that we utilize tools such as digital signature technology, encryption tools, secure hubs, availability of operations and services, firewalls, backup systems, secure remote access, PKI technology, virus software, security awareness training, system security planning and network security.

A financial system is an example of a mission critical system that needs protection from unauthorized access or disclosure. The financial system requires a high level of protection of the confidentiality, integrity and availability of its' data and operations, because the unavailability of the system could cause any Agency not to meet critical mission goals. Individuals responsible for these systems must be trained in security measures.

Protection of sensitive data in mission critical systems has been mandated by OMB, Circular A-130, Appendix III, the DHHS Automated Information Systems Security Handbook, NIST Special Publication 800-12, and the CIAO's Practices For Securing Critical Information Assets. These documents reference security planning, system security engineering, risk assessment, security awareness and training, vulnerability assessment, threat assessment, continuity of operations, and incident handling procedures. Implementation of corrective actions and best practices based on vulnerability assessments, system security engineering, etc., should begin as soon as resources are available. Specifically, attention should be given to controls and procedures that: 1) Limit or detect access to critical asset resource elements (people, systems, applications, data and/or facilities); 2) Prevent implementation of unauthorized programs; 3) Limit and monitor access to programs and sensitive files that control computer hardware and secure applications supported by the system; 4) Ensure that critical services and operations, including computer operations continue without interruption or are promptly resumed.

As you can see TEA (training, education and awareness) will be extremely important in our efforts to secure our critical information assets.

Pauline Bowen
FISSEA Executive Board Chair

Go to top of page

horizontal bar

Editor's Column:
By Louis M Numkin (NRC)

First, a note from our sponsor... Sonja Martin (FMS): Here is the information for FISSEA Conference 2001. Mark your calendars for the FISSEA Conference March 13-15, 2001 at the Hilton Hotel Gaithersburg, MD. This years' theme FROM Y2K to T E A (training, education, awareness) with FISSEA. Please submit recommendations for speakers, topics and ideas that will assist the committee in planning a successful conference to Lewis Baskerville Conference Director (email ). See ya at the conference!

Did you know that Leonardo da Vinci could write with one hand and draw with the other at the same time. Well folks, this is your friendly Editor, asking you to pick up a pen, pencil, laptop, etc. and use either hand to create an article for submission to the FISSEA News and Views. Of course, if you follow Leonardo's example, you could write two articles at the same time... one per hand. But, just think of it, You, too, could be immortalized in type and be the object of admiration among your peers. Let us share your wisdom and experience with the rest of our readership. You never know where it could lead... and it will make you feel so much better. Just E-Mail your submission to with a subject of "FISSEA article" and you'll receive a smile by return E-Mail.

"Education is what remains after one has forgotten everything he learned in school." This quote is from Albert Einstein and appeared on the website on 16AUG2000. This is just one site which can provide quotes, trivia, quizzes, historical notes, etc, that can liven up any training session. Have you got a favorite site which helps you to punch up your presentations? C'mon and share it with us.

FISSEA would like to offer our best wishes to GSA's Tom Burke as he retires from his post on 1SEP2000. Even after 34 years of Federal Service, Tom needed to keep his hand in, so he has accepted a position with Computer Sciences Corp. in their Information Assurance group. Our world is a small one and I expect that we'll be seeing him around the community for years to come. Best of Luck, Tom.

As many of you already know, one of my pet areas of attention is outreach programs to teach computer ethics to children of all ages. Well, a while back, the SECEDU list referenced some excellent presentation material which you might find of interest if you are involved in this kind of outreach program. The Pueblo High Tech Crimes Unit has created some presentations on computer crime and related material which can be found at One of the slide sets is named "Child Safety on the Information Highway" and others are just as good.

Go to top of page

horizontal bar

Educating the Internet Generation About Information Security
By David Sostman (Titan Corporation)

Last March, while attending my first FISSEA annual meeting, I was delighted to be in the company of so many experienced people in the field of computer security, and struck by the fact that at the age of 43, I was one of the youngest members of FISSEA. Upon further reflection I realized that age has become a significant element in the battle to safeguard our government's information assets. For in many respects, this has become an inter-generational battle between hackers weaned on computers, and those who were inspired into public service by the motto, "Ask not what your country can do for you. Ask what you can do for your country."

There is a commonly held belief among those who remember the Beatles on Ed Sullivan and JFK's assassination that members of the current "Internet generation" are more adept than their elders at using computers and the interactive tools of cyberspace. Just spend time with any typical 15-year-old, (63% of whom, according to a recent AOL sponsored Roper poll, prefer the Internet to television.) Watch their fingers fly over the keys while they communicate, in real time, with a half dozen of their friends - simultaneously. Probe deeper into these young, sensitive and inquisitive minds, and you will see the inklings of future hackers. This raises the question, how then can we deter these young people, who are fascinated with computers and cyberspace, from evolving into full-blown computer crackers?

FISSEA is an organization dedicated to IT security education issues, and perhaps some of the knowledge and experiences of the organization's members can be helpful in creating a societal Zeitgeist that condemns computer cracking. While this is admittedly outside the purview of FISSEA's mission, it is nonetheless something clearly needed in society today.

The Internet is growing every day, and the ability to inflict harm is growing proportionately. In the years ahead, there are bound to be an increasing number of malicious attacks aimed at the information assets of our government. What is needed now, in addition to increased Federal spending on information security efforts, is a public campaign to stem the rising tide of hacking activities perpetrated by members of the Internet generation. Perhaps, as we enter the critical months of a Presidential election year, this issue will be addressed by our political leaders, and the public they represent.

Go to top of page

horizontal bar

EDS CyberIntelligence Service

Phil Sibert (DOE) wrote: "I've received permission from EDS CyberIntelligence Service to reprint the attached article. I submit this because it plays on the importance of training and the need for managers to be aware of this aspect of a good security program. Please credit the EDS Cyberintelligence Report Monthly, Vol. 01 No. 06." {THANKS, Phil. Ed)

The Manager's Role in Security
Good security requires a comprehensive effort. An organization is not secure simply because it has a good security department, nor because it is protected by a good firewall (even if it is configured well) nor by developing and implementing a comprehensive security policy and educating employees about smart physical and information security procedures. These things must happen in concert in order to protect that organization's assets - both physical and informational. All of this can only be possible, however, if management appreciates the importance of security and acts to foster its development.

The first step towards a healthy managerial role in security is an understanding on the part of management of their business's relationship to security. That relationship is fairly obvious to managers in traditionally high-security businesses such as finance and telecommunications. However, as information systems become more prevalent and more connected, security - in particular information security - is becoming more important to all businesses. The more any organization depends on its information systems, the more important it becomes to protect them. This is especially true given the fact that the number of those who threaten such systems grows at least as quickly as global dependence on those systems.

Armed with this appreciation of security's importance to the business, managers need to hire people to safeguard that security, and make careful choices in doing so. Here the old lessons of checking backgrounds and references apply. It is also becoming increasingly important to thoroughly check the qualifications of those hired as security managers and administrators. Again, the proliferation of information systems is the root cause. As the use of information systems has risen, so has the need for information technology professionals. Unfortunately, since the need has not grown at the same pace as the supply, many who are under-qualified have stepped in to fill the gap. This is particularly true of the information security field.

The topic of information security (particularly network security) is relatively new to academic computer science. Training in this area has, until relatively recently, occurred most commonly on the job or through personal pursuit (hackers, for instance, have become some of the most noted professional security experts). This less regularized training is no less useful than academic training (many would argue that it is more useful), but it is difficult to measure. Consequently it is crucial that managers judge the credentials of the security professionals they hire very carefully. Once management has hired the right security professionals, the next task is to give them the support and the freedom to do their jobs.

Security professionals require resources - including money, people and time. To a certain extent, managers should be able to trust the security professionals they have hired to allocate these resources wisely. However, security systems - from state of the art firewalls to intrusion detection systems - can be very expensive. Most managers will demand a certain amount of oversight over the more expensive decisions, such as purchasing, hiring experts or contracting out for security audits. In order to oversee these decisions effectively, managers should have at least a basic understanding of the issue at hand. Here again, trusted security professionals can be invaluable as advisors. In addition, staying current on major issues in the security field will enable managers to maintain a context beyond their normal business functions within which to consider the advice of their security professionals.

Lastly, just as managers may require some additional training to deal more effectively with security, so do the professionals that they hire. No matter how qualified they may be when they come to an organization, security professionals must work constantly to keep up with the fast pace of change in the information security realm. New computer viruses, vulnerabilities and exploits emerge daily, amounting to dozens each week. To keep pace, security professionals should be allowed the time and opportunity to read about the issues as they occur, and to address them. This often means allowing workdays for time-consuming patching of operating systems and other applications.

On a broader level, managers are encouraged to recognize the value of networking in the human sense - allowing and encouraging security professionals to keep in touch with other professionals in different organizations. Fostering this interaction may require management to pay for membership in professional organizations such as SANS (System Administration, Networking and Security) and/or sending their employees to security conferences where they can share ideas and keep in touch with the state of the art. This kind of sensitivity from management to security's role in business is perhaps the most important ingredient in building and maintaining strong security. A security professional cannot secure an organization's physical and information systems without the support of his or her managers, no matter how much skill he or she brings to the project. A manager who appreciates the importance of security to the business and knows how to cultivate strong security, however, does have the power to build that security. A farsighted manager has already begun the process.

Go to top of page

horizontal bar

From the Desk of Mark Wilson (NIST)
CSRC Training Page

We are "upgrading" the training page on our Computer Security Resource Clearinghouse (CSRC). This upgrade will aid its ease of use and may change its name to either "Training and Education" or "Awareness, Training, and Education."

Your help is needed - to identify websites we can link to that already offer lists of courses, actual course material, training-oriented publications, conferences, etc. We don't want to duplicate what we tried to do with the GITS training initiative, nor do I want to duplicate what DISA, NSA, Carnegie-Mellon, USDA Grad School, CSI, MISTI, and others, already have on their sites.

To begin with, we just want to point to those sites. The next step will be to continue to collect training (and maybe awareness) material and post it on CSRC. And, yes, we will coordinate this with the CIO Council/GSA best practices website.

If your agency has material that can be accessed via the 'Net, and you would not mind if we build a link from our training page to it, please let me know. If your company offers IT Security (InfoSec, Information Assurance, etc.) courses, let me know. We have a section on the training page for vendors of training classes, courses, seminars, etc.

Hope to hear from you,
Mark Wilson

Perhaps FISSEA members can help out We are looking to enhance our yearly Security Awareness program for next year. We have used a VHS video this year, and it worked well with our (Powerpoint based ) presentation. We are now looking for additional sources that have such videos that we can use for next year.

Go to top of page

horizontal bar

Corey Schou - in the news

Here is an article about FISSEA's ol' Idaho Pal, Corey Schou, by Dan Verton which appeared in Federal Computer Week on 14AUG2000.

A report to be published this year by one of the nations top educators in information systems and security warns that the current system of higher education cannot support the demand for information assurance professionals and calls for a revolutionary change in the way the government, academia and industry cooperate.

"The present national need for an immediate increase in the development of information assurance professionals at all levels cannot be met within the existing educational structure," said professor Corey Schou, chairman of the National Colloquium on Information Systems Security Education and associate dean of Information Systems at Idaho State University.

In his report, "Meeting the Information Assurance Crisis Now," Schou recommends a nine-point cooperative plan between government, industry and academia that he says has the potential to generate up to 100 doctoral candidates, 200 to 500 masters degree students and 5,000 bachelors degree students annually with an emphasis in information assurance.

Government plays a key role in assisting educators to produce a steady pipeline of well-educated information security professionals, according to Schou. He has urged government to establish a competitive grant process covering "grand challenge" problems in information assurance, selective internships that would provide students and faculty with practical experience, government/academic staff exchanges and even a program that would forgive student loans for graduate students at the masters and doctoral degree level, among other things.

Schou also called for improved training resources for university faculty members across the country and even suggested that government should help establish a distance-learning program in information assurance and the ethical use of information targeted at elementary and secondary education teachers.

"Failure to respond proactively to a similar need a decade ago has contributed to the current national shortage of information technology professionals," Schou said. "Without external stimulus and support, there is no way the educational system can meet the demand in the foreseeable future."

Go to top of page

horizontal bar

The Missing Links
By Philip Sibert (DOE)

Several weeks ago at our Board of Directors' meeting we were discussing "business practices" (vs. "Best business practices" - best by whose choice? best in what environment?, etc.) when Dr. Roger Quane astutely and quietly stated, "You know, there's a link between these 'practices', and awareness and training." Well, that statement got my old brain churning for a short time (too much at once will burn the darn thing out, you know), and I asked myself, " How can we approach awareness and training from the "practices" standpoint"?

Let's try this out by using an example and see if we come up with the link(s). For my "best business practice" I am choosing "Unclassified Multi-User Information System Password Policy". The objective of this new (or revised) business practice is to improve the selection and use of passwords, i.e., we are striving to change people's behavior. The policy ("best business practice") statement goes something like this: All unclassified multi-user systems (excluding those systems intended for unrestricted public access, such as web servers) must use a password mechanism that authenticates the identity of each person accessing the system. And then the requirements are laid out. Passwords shall: (1) contain at least eight non-blank characters; (2) contain a combination of letters (a mixture of upper and lower case), numbers, and at least one special character; (3) contain a non-numeric in the first and last positions; (4) NOT contain your user ID; (5) NOT include the user's own name, or the names of close friends or relatives; (6) NOT include your Social Security Number, date of birth, phone number or address number; (7) NOT include any information that the user believes could be readily learned or guessed; (8) NOT include words that would be in an English dictionary or any other language dictionary with which the user has familiarity; (9) NOT include commonly used proper names, including the names of fictional characters or places; (10) NOT contain any simple pattern of letters or numbers, such as "qwertyxxx" or "xyz123xx"; and, (11) be changed every ninety days, or sooner if the system administrator directs it to be done. If a system cannot accommodate eight character passwords, then the above requirements shall be implemented within the system password constraints.

Now the "best business practice" regarding use and creation of passwords has been blessed by management. What's the next step? The policy makers are done - is it right to just shoot it out the door to be implemented? I don't think so. Remember, we are striving to change people's behavior. So how do we do that most effectively? By establishing links between the desired results, and the awareness and training activities necessary to drive the change and reinforce the practice. What, in this example, links the creation and use of good passwords to Awareness and Training?


Before the policy hits the street (but after final management approval for issuance):

  • "Advertise" the new business practice everywhere you can imagine - newsletters, e-mail broadcasts, posters, hand-outs, etc.
  • Make senior and line management aware of the "best business practice" with a memo from "the boss" (Secretary, Administrator, CIO, whomever...) so they will know it's coming and will discuss this in staff meetings. Give them some credible rationale for supporting the implementation of this business practice and provide information about training resources.

After the policy hits the street for implementation:

  • Provide constant reminders about protecting your password through various media, with emphasis on the need for community responsibility -- you are part of your LAN community, and you don't want to be known as the weak link that caused the system to be compromised. - Set up a simple "password creation module" (can be as simple as a paper hand-out for each student) to be used with each IT training course (MS Word, Excel, Lotus Notes, etc.), providing suggestions for strong but readily remembered passwords (should take less than 10 minutes).
  • Use special occasions (Computer Security Day, for example) to set up a "password creation" kiosk in the lobby or cafeteria that contains a system for employees to try their hand at creating good passwords.
  • Use a module on password creation, use, and protection in new employee orientation.
  • Include password use and protection in annual security refresher briefings.


Before implementing the new (or revised) business practice, get the system administrators involved - they are the ones who will be answering the phones when the users forget their passwords.

  • Have a short training session for the system administrators covering the requirements of the new policy so they will be able to provide appropriate answers to user questions about the new policy. (They are also users, so they should be aware of, and follow, best password practices.)
  • Implement a computer-based password creation, use, and protection training session for all employees. This training can be completed from the work station via the LAN, or can be accessed by the trainee from an intranet web site.
  • Arrange to have a password software package installed on the work stations and servers that will provide prompting and reject passwords that do not fit the criteria in your policy (some software products already have this capability built in). Ensure the system administrators are trained on use of this software.

These were some of my thoughts on links...what are yours? Now, try the "linking" process with another "business practice", such as Back Ups, and see what you come up with. Those links were there all just took a little time to examine the process and capture the thoughts.

Go to top of page

horizontal bar

Seventh Grade Class Thwarts Hackers
By Jane Powanda (Mitretek Systems)

Jamming, flooding, social engineering, denial of service, mole, encryption, access control intrusion detection, anti-virus protection, and tool effectiveness were just a few of the terms students were spouting as they planned a strategy for protecting a newly installed local area network. A science fiction flick? No, this was the real thing as I guided 7th grade students at the Fairfax County, Virginia, Kilmer Middle School through the CyberProtect Interactive Training Exercise, an interactive multimedia computer program developed and distributed by Defense Information Systems Agency (DISA). During a 54-minute classroom session, which included student discussion as well as the CyberProtect exercise, the students learned about information security threats, vulnerabilities and countermeasures as part of the school's "Expanding Visions" program.

These junior high school students responded very well to the topic of information security and enjoyed the CyberProtect exercise. It really brought the subject alive for them, and many "sleepyheads" perked up as the sound effects of the dwindling resource units made them realize that something exciting was happening. I was amazed at how much they already knew about computers and computer security and how well they were able to understand the concept of tool effectiveness. They were anxious to update and upgrade all the tools that had faded and become out of date.

Part of the challenge in presenting this subject to seventh graders was in determining how to use CyberProtect as a teaching tool. It was not feasible for each of the students to have their own copy of the exercise. Class sizes were between 25 and 50 students, and the class period was limited to 54 minutes in length... The teachers preferred the idea of a group exercise rather than having the students go at it alone. To make this happen, I installed CyberProtect on a laptop and took a projector with me to the classroom. I also used an overhead projector and transparencies to present some of the background information about threats and tools. On the average, each class had about 30 minutes to play the CyberProtect exercise. We were able to make it through either one or two quarters of play, depending on the class.

One of the key tools that made it possible to quickly get into the exercise was the "Purchase Worksheet," that I prepared from descriptions given in the CyberProtect exercise. This worksheet was used to help students plan network defense tool selection and monitor expenditures. This planning aide was designed with student success in mind. From the worksheet, it was obvious where tools could be legally placed. Two worksheet columns were allocated for each tool selection option: one for the level of effectiveness, and one for the cost. This expedited the students' selection of tools and also helped the students to stay within their budget. Once tool selection decisions were made, the tool ordering process was trivial. This tool selection task emphasized the importance of planning.

Many of the students were excited about the "game" and wanted to know where they could get one! They all cheered when they defeated the hacker, and were anxious to figure out what went wrong when the hacker was successful.

Jane Powanda is an information systems security professional at Mitretek Systems in McLean, Virginia. Ms. Powanda has made copies of the CyberProtect worksheets available, which can be obtained from DISA/IPMO. E-mail requests for to - Thanks to George Bieber for submitting this article from Jane. Ed.

Go to top of page

horizontal bar

Distance Education: An Oxymoron?

Thought that you might find Eoghan Casey's ending comment in response to a recent book review by Carol Twigg in the Atomic Tangerine NEWS list (overseen by Mich Kabay) interesting.

"Having said this, I acknowledge that distance education is limited. Even the most skilled teacher using the most suitable theory from the learning sciences can only convey the basics of a subject effectively from a distance. Teaching critical thinking, complex problem solving, and other higher level thought processes is out of the reach when teaching at a distance. So, a combination of distance education and face-to-face mentoring is the strongest approach."
Eoghan Casey Knowledge Solutions
And, with Mich's permission," here is Carol's article:

Distance Education: An Oxymoron?
By Carol Twigg

Those who argue that learning must take place face-to-face overlook important questions.

The Chronicle of Higher Education published a review of a new book, The Social Life of Information, by John Sealy Brown and Paul Duguid last week. The headline reads, "Authors Argue that 'Distance Education' Is an Oxymoron."

According to the reviewer, Brown and Duguid believe that proponents of IT suffer from "tunnel vision" that prevents them from seeing than learning is a social experience for which distance-education technology is a poor substitute.

The book builds on the authors' 1995 paper, "Universities in a Digital Age" which makes the same argument: "The central point we want to make is that learning does not occur independent of communities. . . . Learning, at all levels, relies ultimately on personal interactions."

The idea that one cannot learn on one's own is simply ridiculous. Has neither Brown nor Duguid ever learned anything from that low-tech item called a book? I would guess that the majority of learning that goes on in life occurs independently. Even in traditional group-based classroom environments, the majority of a student's learning time is spent independently, outside of class: the standard expectation is two hours of study outside of class for every one spent in class. As Tony Bates of Canada's Open Learning Agency says, "There is an even greater myth that students in conventional institutions are engaged for the greater part of their time in meaningful, face-to-face interaction. The fact is that for both conventional and distance education students, by far the largest part of their studying is done alone, interacting with textbooks or other learning materials."

Go to top of page

horizontal bar


Lou, Just got the necessary clearances to send you the "Tips from MIS Training" from Ken Cutler and Lois Jacobson/ MISTI_BOS@MISTI_BOS I think we should print this in the next Newsletter. I found these very helpful tips and share it internally with trainers. Barbara Cuffie (SSA)
{Thanks Barbara, I am sure our readers will, too. Ed.}

1. Arrive Early Enough to Test Your Equipment Before Your Session.

2. Be Relevant for this Audience.
They are attending the conference specifically to learn up-to-the-minute tactics, strategies, and techniques they need to thrive in the industry, and will expect you to impart practical, technical, "how-to" information.
-- Assume they have at least basic knowledge of the subject.
-- Assume a more technical, more sophisticated audience than attendees at other programs.

3. Don't Try to Cover Too Much Material.
DON'T suggest that you are squeezing two or three days of material into one and a half hours. If you have tailored your presentation for your allotted time, your material will be focused and relevant.

4. Never Apologize.
Don't throw a damper on the audience by making them feel they are not getting your best.

5. Get Right into Your Subject Matter.
Avoid long introductory comments. Spend no time on jokes, amenities, or platitudes about how important the topic is. If they didn't already agree, they wouldn't be there.

Start off with a bang. Start off with a promise. Start off with a pledge. Start off with the "meat" so attendees are immediately taking notes and thinking of how they will apply what you are about to tell them.

6. Don't Make Remarks About "Running Out of Time."
When you suggest things didn't get covered, people feel cheated. They think the conference and your session were poorly planned.

7. Be Specific.
EXAMPLE: You are making a statement about lawn mowers--which one do you think is the most valuable to attendees:
1. "Lawn mowers are a boon to mankind."
2. "Some lawn mowers are better than others."
3. "People with large lawns should use mowers with bags to collect the cuttings."
4. "The following lawn mowers are most effective in the following situations for the following reasons: etc."

EXAMPLE: You are providing a list of techniques, advantages, disadvantages, etc. Enumerate them. "Here are 18 quick ideas of how to . . one, two, etc." Attendees will know where you are at any point.

EXAMPLE: Instead of "There are hundreds of ways . . . . . . ." say "There are 483 ways to . . . . . . . ."

8. Don't Tell Self-Congratulatory War Stories.
Your personal experience is valuable, as long as you stick with brief, relevant illustrations.

9. Don't Advertise Your Consulting Practice.
Let your presentation do it for you.

10. Support the Program and Other Speakers.
Don't be negative. Your success, the program's success and the participants' reactions are intimately tied to one another. Support every speaker, the hotel and MIS Training Institute/InfoSecurity News. If you have problems or concerns, let's discuss them after the program. In other words, be positive, productive and flexible.

11. Always Repeat Any Question Asked by Attendees.
You will maintain the interest of all of the attendees if they hear and understand the issue you're addressing.

Go to top of page

horizontal bar

By Louis Numkin (NRC)

(Here are summations and references to articles and incidents which you might use in making or illustrating points during awareness presentations)

Exchanged several E-Mails with David Spinks in England ( ). Here's a tidbit: "Louis, I think it would be an excellent idea to link the Information Security activities going on in the UK to those in the US. Please find attached details of one of the groups I chair - E-Com-Sec new has 500 members. I would be more than happy to contribute to any US/UK co-operation."

Thanks David we'll be looking forward to your article submission. Here is a downsized E-COM-SEC flier which he sent along for FISSEA's information:

E-COM-SEC = E-Commerce Security - Special Interest Group Why not join free today? Simply send an email to:
Join 100's of other Security professionals and share information via email or have access to the group's vaults where documents such as Best Practice Guides may be found and downloaded to your own system.

Recent topics include:
1. Reputation Management (Turnbull)
2. BS7799 and Legal Issues
3. Intrusion Management
4. Cyber Crime and Law Enforcement
5. Business Continuity Planning

Best Practice documents available include:
1. BCP
2. Intrusion Detection
3. Cyber Forensics

For more information about the E-Com-Sec please contact David Spinks at


Keep your anti-virus software up to date, FISSEA, as InfoWar was openly discussed in the China Times on 8AUG2000.

TAIPEI, Aug 7 (AFP) - Taiwan's military for the first time is to demonstrate its computer virus capability at major war-games later this month, it was reported Monday. "The blue and red units involved in the coming Han Kuang (Han Glory war games) will for the first time use computer viruses to attack each other's information network," the Liberty Times newspaper quoted a top defense ministry official as saying.

The blue units represent Taiwanese force, while red units stand for mainland Chinese forces. The official said both units had been exposed to the same types of computer viruses in the maneuvers last year. "How to shield any attack from computer viruses was the major concern last year. Efforts would focus on virus offensive this year," he said. The paper said the military authorities have worked out some 2,000 types of computer viruses and the anti-virus capability of the military units has been upgraded.

"The military is now able to shield itself from many computer viruses including 'I Love You' virus and scores of its derivatives which swept the world earlier this year," the official said.

Chief of the General Staff Tang Yao-ming warned last year China may launch an "information war," including the use of computer viruses to paralyze military command, energy, transportation and banking systems, before an invasion of Taiwan. China, which has regarded Taiwan as part of its territory awaiting reunification since their separation in 1949 at the end of a civil war, has repeatedly vowed to take the island by force should it declare formal independence.

Local media had previously said China's People's Liberation Army had simulated computer virus offensives in exercises in Shenyang, Beijing, and Nanjing over the past two years.


William Knowles ( informed that there is some interesting reading from "The 'Innovation' Garden State" at The State Commission of Investigation and the Attorney General of New Jersey have released a joint report on Computer Crime. The files are all in PDF format.


And, a note from "across the pond":
Though it is FISSEA's duty to improve Awareness, Training, and Education in the sector known as Computer and Information Security, there is another side about which Thomas C Greene wrote on 10AUG2000 in
The colorful article begins with this lengthy opening sentence: "Administrators of the cracker education Web site have undergone a change of heart since we reported their plan to fold under pressure from Internet billing-service provider IBILL, which has threatened a copyright infringement suit under the Digital Millennium Copyright Act (DMCA), claiming that the Icefortress site did it harm by supplying information and tools which could enable visitors to hack its protected sites and thereby violate its copyrights."

It appears that this "educational" site had been on line for nearly two years, before being pulled-off "after receiving a threat-memo from IBILL lawyer Stephen Workman, presumably in its eagerness to get clear of a third-party dispute and cut its liabilities as quickly and painlessly as possible... having neither the time nor the money to fight a well-heeled corporation like IBILL in the courts."

The write-up continues with referencing that friends offered support "to keep controversial information safe from interference on First Amendment grounds." One of the reported friends was Carnegie Mellon University Computer Science Professor David Touretzky, "whose testimony on the free-speech aspects of program code during the trial was singled out by the judge as especially persuasive." Touretzky has been active in defending free speech on the Net for several years now.

More colorful commentary is followed by this logic: "... any information or tool which can defeat an access control violates the DMCA anticircumvention provisions (17 USC 1201). The 1201 provisions are intended to protect copyrighted materials, and Workman is hoping to get around this by claiming that virtually anything which can be protected with an access control such as a crypto scheme, or even a password, can also be copyrighted ... If the 1201 provisions were interpreted as broadly as Workman would have them, then all the security tools in common use today by systems administrators would be outlawed."

Now comes the reason for including this article in our newsletter.
How many of us have utilized Carnegie Mellon's CERT in any way? Well, here it is...
" ... if Cherry's reading of the DMCA is correct, then the most dangerous hacker education site on the Web would have to be the Computer Emergency Response Team (CERT) security site, hosted by none other than Carnegie Mellon University, and financed in part by the US government. We've spent many a blissful hour trawling its vast archives for detailed descriptions of security weaknesses in most popular network hardware and software and their default implementations, and downloading source code, scripts and tools with which such holes may be conveniently exploited.

"It is to the CERT site, more than any other source, that we owe our own expertise in network and Web security (such as it is); and while we don't wish to boast, we must note that we could quite easily apply what we've learned and downloaded there to extremely destructive on-line activities if we were so inclined.

"Thus if we accept that the ICE site is subject to closure for providing information and tools related to exploiting computer security weaknesses, we would have to accept that CERT, too, is subject to closure on the same grounds. Indeed, considering CERT's positively immense archive, its immediate closure ought to become the chief priority of anyone wishing to protect themselves from those who educate potential malicious hackers.

"Any distinction between, which looks like a site catering to crackers, and, which offers much the same information but looks like a site catering to systems administrators, is absolutely cosmetic and thus perfectly fraudulent. We are reminded of the US 'assault-rifle' law, which banned the sale of certain semi-automatic rifles because they had the misfortune to be black and scary-looking, while ignoring traditional-looking 'sporting' weapons possessing identical destructive capabilities."

Go to top of page

horizontal bar


(This contraction of TRAINing and trivIA is meant to provide you with places to gain education, such as websites, conferences, and book reviews. Please contribute any of these sorts of items about which you might be aware.)

A wonderfully visual story which can be employed while explaining cryptography is about one of the most spectacular coups in military intelligence history. Of course, it was the breaking of ENIGMA, the top-secret code that German forces used to communicate with each other in World War II. A very informative site has been set up by PBS' NOVA which permits you to compose and send your very own coded messages by E-Mail. The site has lots of fascinating info about ciphers and secret codes and is very well designed. You can find it at


A British news source, The Register, reported on 14AUG2000 that "The Christmas Lectures, sponsored by Glaxo Wellcome are an opportunity for young people to learn directly from scientists who are recognised as among the best in their field. Previous lecturers have included Michael Faraday, James Dewar, Frank Whittle, Frank Close and Susan Greenfield. "All explain their work using practical demonstrations and experiments. This year the Christmas Lecturer is Prof Kevin Warwick of Reading University ... Kev will be talking gibberish not once, not twice but five times on dates between 14 and 30 December. They cover most of the same nonsense as previously and no doubt he will become expert in a few more specialities between now and December." You can find details at

The critic completes his panning of the pending presentation with: "We are genuinely concerned about this apparent approval for Professor Warwick's flights of fancy and plan to make a serious approach to those concerned. We would ask anyone with a serious interest in this area of research to contact us..."


Here's the url for the training portion of the DOE web site: (Be aware we may be changing the "ucsp" portion of the address to "cybersecurity" in the not too distant future.) Use what you want! Phil Sibert


On 10AUG2000, Alfred Huger ah@SECURITYFOCUS.COM informed BUGTRAQ that there is a new mailing list for penetration testers which should "shore up some gaps we see via people posting questions based around penetration testing and network auditing."

The penetration testing list is designed to allow people to converse about professional penetration testing and general network auditing. While lists like Vuln-Dev and Bugtraq deal with exploits and flaws in systems there are few interactive forums to discuss actual penetration testing and network auditing. As a result this area has become a difficult topic to learn about outside of print media (books etc.)

This list hopes to dispel some of the confusion and allow for intelligent discourse on the topic. The list is not OS specific and will cater to discussion on all and any network able devices people wish to discuss.

To subscribe - Send an e-mail message to with a message body of: SUBSCRIBE PEN-TEST Lastname, Firstname You will receive a confirmation request message to which you will have to answer.


This case has some interesting implications for site cracks and defacings . . .

Libel Found on Internet Message Board Postings American Lawyer Media

Bio-medical firm Biomatrix won a ruling from a New Jersey superior court that found three people published libelous statements against Biomatrix on two Web sites. The ruling is believed to be one of the first judgments nationwide against those who defame others online. The two sites were a Yahoo message board and the message board of Genzyme Corporation, which plans to merge with Biomatrix this year.

"An attorney with Boston-based Bingham Dana, Charles L. Solomont, led a legal team representing the bio-medical firm Biomatrix Inc., which won a ruling from the Bergen County Superior Court in New Jersey that found three individuals published libelous statements against Biomatrix on two Web sites,... in what is believed to be one of the first judgments nationwide against those who defame others online... He said the decision has far-ranging implications for other cases now pending nationwide, in which anonymous, defaming claims are made against individuals and other entities.

'People post these messages using aliases and believe it protects them from liability for their actions. But this case shows the perpetrators of [such] online claims can be prosecuted.'"


EPA Back On Line, More Security Minded - from Government Computer News of 7AUG2000 - The Environmental Protection Agency (EPA), whose site has been down since February due to security problems, is coming back on line with a new stance on security. While the agency once considered all information public unless there was a compelling reason to secure it, now the reverse it true: information is considered sensitive unless officials deem otherwise.


Phil Sibert wrote that he subscribes "to , which pointed to a newly revised search engine called where, after doing a search on the word "Security" got a 997 item list of stuff. Paging down I came across the following site that should be of interest to you. Enjoy!"


E-Mail Misconceptions - from WIRED on 4AUG2000 - A company that advises businesses on legal liabilities released "The Seven Most Common Misconceptions About E-mail" list. Among the mistakes people make are assuming that e-mail messages are private, and that e-mail can be deleted.,1367,38007,00.html


Did you know that the Government Wants (an) Internet Emergency Preparedness System"? Check out:


(FISSEA is not recommending nor rating these courses. We are just letting our readership know of their existence.)

FREE TRAINING OPPORTUNITIES - More and more of these are becoming available!

F-Secure Corporation is collaborating with GartnerGroup to present a series of web-based briefings on Enterprise Security focused on wireless connectivity. The seminars are offered free of charge on a monthly basis through December 2000. The seminars are as follows:

Oct 24 - Security Issues for Wireless Devices
Nov 22 - Security Issues in Central, Policy Based Security
Dec 12 - A Blue Print for Enterprise Security

Please go to the following url if you are interested:


This message is to inform you and your staff of the availability of security training courses designed for federal managers and technicians to be held in the Washington, D.C. area.

*** Course One - Network Security and Intrusion Detection 5-days, hands on, Security Training Facility, Columbia, MD

*** Course Two - Network Security for Senior Network and Security Managers - Expand Your Ability to Perform Network Security Planning, Columbia, MD

*** Course Three - UNIX Countermeasures - Learn State-of-the-art Methods of Protecting Your System. 5 days, hands on. Columbia, MD

For more information on these courses, go to OR Course fees and schedules are available at these sites. For questions, call Donna Anderson, 301-805-2166.


25-28SEP2000 will be the E-GOV Information Assurance Conference and Exhibition in Alexandria - This one will have notable keynotes and lunches, exhibits, and even a fantastic panel named "Security Awareness - The First Challenge" hosted by your Newsletter Editor! - register online at


16-19OCT2000 - The 23rd National Information Systems Security Conference, co-sponsored by the National Institute of Standards and Technology and the National Computer Security Center, is scheduled at the Baltimore Convention Center. Registration deadline (before the fee increases) is September 18, so you can spend this year's bucks and save, or you can register late and spend more of next years bucks! The conference web site is at the following url:

Unfortunately, SANS Institute has scheduled their Network Security 2000 conference, being held this year in Monterey, California, for the same week. Information is available at their web site: (Now, you really have to make some hard decisions in life - which is it, Bawlimore or MONTEREY, Monterey, or BAWLIMORE??)
{Ed's note, the foregoing inflection was a Siber' Space Snippet.}


7-8NOV2000 Arlington, VA Creativity Day Camp for Managers, Supervisors and Team Leaders through the National Seminars Group 1800-682-5078. Also held on 8-9NOV2000 in Baltimore, MD.


13-15NOV2000 - The CSI 27th Annual Computer Security Conference and Exhibition will be held in Chicago, at the Chicago Hilton and Towers. See


29-30NOV2000 is the Cyber Sabotage Conference in Alexandria - hands-on plan creation and even a "dine-around" for networking - Register at or 1-800-882-8684.


30NOV-1DEC2000 - E-Security Conference and Exhibition in Arlington, VA - more information may be found at


6-7DEC2000 will be The Maryland Technology Showcase at the Baltimore Convention Center - six keynote addresses, 50+ break-out sessions - two one-day workshops - for more information and/or your free Exhibit Hall Pass, check out


11-15DEC2000 - NSA's Information Assurance Solutions Working Symposium (including EKMS) in New Orleans - for info check or E-Mail


23-25JAN2001 is WEST 2001 at the SanDiego Convention Center - sponsored by AFCEA & US Naval Institute - entitled "Winning the Wars of the 21st Century" - for a free Exhibit Hall Pass or more info, check out


25FEB-1MAR2001 - MIS Training Institute InfoSec World 2001 in Orlando. Numerous other conferences and seminars may be found at


13-15MAR2001 - FISSEA 2001 Annual Conference. This year's theme is "From Y2K To T E A (training, education, awareness) with FISSEA" and it will be held at the Hilton Hotel in Gaithersburg, MD. Mark your calendars!


CISSP Continuing Education Seminars provided by MIS and ISI and recognized for CPEs by ISC2 may be found at

Go to top of page

horizontal bar


LEWIS BASKERVILLE, Conference Director
BARBARA CUFFIE, Assistant Chair
LOUIS NUMKIN, Newsletter Editor

FISSEA Membership
Peggy Himes

Go to top of page

horizontal bar

Back arrow Back to FISSEA Homepage back arrow Back to Newsletter Index back arrow Back to CSRC Homepage

Please send comments or suggestions to
Last Modified: March 4, 2002.