FISSEA News and Views
December 2001
Issue Three of FISSEA Year 2000-2001



From the Executive Board Chair

This is our first newsletter since the world changed on September 11, 2001. It has been and still is difficult to grasp the magnitude of the horror and the personal pain that so many people are still suffering with such a tremendous loss of loved ones on that day. I want to assure you that the FISSEA Board extends its heartfelt sympathy to any of you who may have experienced a personal loss due to the events of that day.

As President Bush has encouraged all of us to do, we are overcoming the challenges we must confront daily to carry on FISSEA's business as usual. We are in the midst of planning our 15th Annual FISSEA Conference, and doing the many tasks required to ensure that it will meet our standards and fulfill your expectations. The Conference Committee and the Board are working collaboratively to invite the kind of quality speakers who will share substantive, relevant information in interesting ways. Please plan to attend. After all, we are working diligently to make this our best conference yet.

We will soon be accepting your nominations for the Educator of the Year. Recognizing the accomplishments of the person selected by his/her peers to become FISSEA's Educator of the Year is one of the highlights of every conference. We hope that you will consider nominating someone whom you believe merits such an honor. Each year our nomination review committee must select that special individual who deserves recognition for noteworthy efforts and accomplishments in the field of information systems security awareness, training and education. To make a nomination, go to FISSEA's Home Page at http://csrc.nist.gov/organizations/fissea/ and click on Educator of the Year Award. Perhaps you are interested in volunteering to be involved in the evaluation process this year. Contact Ms. Peggy Himes (peggy.himes@nist.gov) to volunteer as an evaluator or to obtain additional details.

Remember that FISSEA primarily exists to serve and assist you, our members. However, it is difficult for us to know if we are meeting your needs effectively without your input. Thank you, in advance, for doing your part to communicate with us regularly. We really need your candid feedback, and sometimes encouragement, to continually volunteer our time and efforts to benefit FISSEA and ensure that we accomplish its mission.

Barbara G. Cuffie, CISSP
Social Security Administration


FISSEA Executive Board 2001-2002

Two Year Terms:
Barbara Cuffie, Chair, barbara.cuffie@ssa.gov

Lewis Baskerville, lewis.baskerville@sba.gov
George Bieber, george.bieber@osd.mil
Patricia Black, patricia.black@do.treas.gov
Louis Numkin, Newsletter Editor, lmn@nrc.gov
Mark Wilson, mark.wilson@nist.gov

One Year Terms:
Pauline Bowen, pauline.bowen@nist.gov
Vicki Jordan, keviev@erols.com
Sharon Kavanagh, skavanagh@hcfa.gov
Dara Murray, Assistant Chair, dmurray@psc.gov
Philip Sibert, philip.sibert@nnsa.doe.gov

(Non-Voting Member)
Peggy Himes, peggy.himes@nist.gov




Does A Hacker Own YOUR Computer?

Submitted by George Bieber (DIAP)

Though it may seem like a strange question, it is an important one for every computer owner. Contrary to popular opinion, hackers do target the home and home business computer user on dial-up, DSL and cable modem connections. Clearly they are not interested in your child's homework, your recipe files, genealogy, or e-mail to your family, so why target the home computer? Although they might like to get financial records, especially credit card numbers, what they really want is to control your computer: to be able to use it, at will, for any purpose they devise.

What kinds of things do they do? Using a commonly available hacker tool called the SubSeven Trojan, they can activate the computer's microphone and video camera to see in the victim's house. They can read, copy, modify, or delete any file on the computer. They can use that computer as the launching point for attacks on other computers, which if traced will show that computer as the bad guy, not theirs. They can use it to store files they don't want to keep on their own computer for legal or other reasons. In other words, if you can do it on your computer, they can do it on your computer, without your knowledge.

How do they get control of your computer? It is usually through the use of programs known as Trojans. These programs masquerade as useful or at least benign programs that you run yourself. You receive them in e-mail, in chat rooms, or news groups. When you run the program, usually double clicking on the file name or icon, it may or may not run the program you thought you were getting, but it does run the Trojan which installs itself and allows the hacker to control your computer. Many of these programs actually send a message to the hacker informing him your computer has been captured. In most cases the user sees nothing to alert them to the problem.

How do you know if a hacker has captured your computer and how do you keep a hacker from capturing your computer? The answer is the same for both questions. Install anti-virus software and keep it current using the vendor's website to download updated signature files at least every two weeks. Anti-virus programs from the major vendors, including Symantec (Norton Anti-virus, http://www.symantec.com/product/home-is.html), Network Associates (McAfee Anti-virus, http://www.nai.com) and Trend-Micro (PC-Cillin, http://www.antivirus.com), will find, and in most cases remove, both viruses and Trojans. Additionally, the use of a "firewall," a program that controls access and data flow between the computer and the Internet, is recommended for dial-up users and is critical for DSL and cable modem users. Firewalls such as Symantec's Norton Personal Firewall (http://www.symantec.com/product/home-is.html), Network ICE's BlackIce Defender (http://www.netice.com/products/blackice_defender.html) and ZoneLabs' Zone Alarm (http://www.zonelabs.com) will alert you anytime a program you have not authorized to access the Internet attempts to do so. They will also block anything from the Internet from accessing the computer without your permission. Computers without firewalls can be attacked by hackers using different tools but ultimately with similar results.

Regardless of their level of knowledge or skill, computer owners need to be responsible for their computers. The anti-virus and firewall software is available to protect computers from malicious software and hacker tools. These easy-to-use software programs are readily available from computer stores and on-line directly from the manufacturer. They are inexpensive, and sometimes free through Internet Service Providers and manufacturer promotions. Considering the risks to an unprotected computer and the availability of protection tools, there is no good reason for not protecting your computer from the hackers.

NOTE: The views expressed are the author's and not necessarily those of the Department of Defense. Reference to commercial products does not constitute an endorsement by the Department of Defense.

Chuck Chassot
CAPT, USNR, Operations Officer,
Defense-wide Information Assurance Program


Security Certification: It's Worth the Effort

(Reprinted with permission of Computerworld Magazine)

After resisting the idea for years, Mathias decides it's time to study for the CISSP exam

By Mathias Thurman (Nov. 05, 2001)

This month, I'm going in two directions at once. I have had several tasks to complete in light of the Sept. 11 tragedy in order to reduce the impact of a potential security breach or disaster at my company. And after hours, I'm preparing for a security certification exam.

In my day job, I have user account audits under way, and we're about to implement group structures within our Windows NT domain to ease administration. This powerful NT feature lets us configure groups with different access privileges and place users into the groups that have the proper access profiles for their roles. That should make it easier to apply a consistent set of security rules across our user base.

Our CIO is in the process of executing what's called a "structured walk-through" of our disaster recovery plan. We'll do this by using checklists and running through different scenarios with key staff. If the structured walk-through is a success, we will proceed with a more realistic test using one of our hot sites.

As for physical security, the security guards down in the lobby seem to have an increased awareness of who's coming and going. And it seems that most employees are more aware of their surroundings and more diligent in questioning unusual behavior.

I decided about a month ago to start studying for the Certified Information Systems Security Professional (CISSP) certification offered by the International Information Systems Security Certification Consortium Inc. (ISC)² in Framingham, Mass. The CISSP is well respected within the information security community and is a highly desired, or even required, certification in some industries. Every so often, I do a search of the employment Web sites for the CISSP, and the number of listings requiring that certification is increasing.

The CISSP exam consists of 250 multiple-choice questions. The exam covers 10 common bodies of knowledge (CBK), ranging from access control to cryptography and physical security. (ISC)² says CISSP candidates must "have a working knowledge of all 10 domains of the CBK" but "a minimum of three years' cumulative experience in one or more of the 10 CBK domains."

Why Now?

My colleagues have asked why I've waited this long to get my CISSP certification. In the past, I've always thought that I didn't need a certification, that they were a waste of time and money, and that experience is far better than some acronym next to my name.

My experience with job applicants reinforced those perceptions. About four years ago, I interviewed a candidate for a security administrator position. His resume included many acronyms, such as ones that stand for Microsoft Certified Systems Engineer, A+ and Certified Novell Administrator. He professed significant experience with Solaris administration and firewall installation and maintenance. He also claimed to have experience with security tools and other security applications, so I was excited to interview him.

When he arrived, I was duly impressed. He was about 30 years old and was dressed appropriately for the interview. However, as the interview progressed, I realized that this person had little real-world experience in security or systems administration. His certifications were all gained through crash courses intended to teach you what you need to know to pass the certification tests. I needed someone who could hit the ground running. I didn't have time to train anyone.

Since then, I've had similar experiences with other candidates. That's not to say that there aren't respectable certifications. The Cisco Certified Internetworking Engineer, which includes a hands-on lab test, is probably the most difficult. In my experience, individuals with this certification are generally well qualified and well versed in some facets of information security as well.

I decided to finally give in and take the CISSP exam after meeting several security professionals who have studied for it. I was impressed with their knowledge, and they had nothing but great things to say about the program.

I also considered the SANS Institute's Global Information Assurance Certification (GIAC) Program. SANS has always been a leader in security information and programs. Its certification covers a wide range of information security issues and is especially common in the government sector. It sounds a bit trivial, but I chose the CISSP over the GIAC exams based purely on popularity. For example, one job search engine produced almost 100 hits on CISSP vs. 14 hits for GIAC.

I gave myself two months to study for the exam, and I'm almost done. I spend at least four hours a day after hours and as much time as possible on weekends.

For reference material, I'm using three publications. I'm also using an excellent Web site, http://www.cccure.org, which contains reference materials and links that will help me pull together the many documents, presentations and programs I may need to prepare for the CISSP exam. I assembled a binder containing printed material from the Web site and am using it for study. For each of the 10 sections, I read one chapter each from the publications, then review the printed materials. Finally, I'm taking whatever practice exams I can get my hands on. After going through all 10 segments, I've gone back to study my weak areas: cryptography, security models and physical security. I also made flashcards to help with the more difficult concepts.

Do you have resources you're using to prepare for the CISSP or GIAC exams? If so, I welcome your suggestions in the Security Manager's Journal Forum.

(Philip Sibert, DOE, obtained permission from Computerworld for the Security Certification article above and passed along the following from the SANS news... thanks for sharing.)


New Security Salary Data

The Foote Salary Survey of all computer skills (covering 53 certifications and 82 skills) shows pay for all computer skills declining but pay for certified security people rising rapidly. David Foote writes, "The press has picked up the pattern, showing GIAC certifications on a real tear. Even National Public Radio highlighted this in an interview with me broadcast during drive time this morning." The survey data show that security certifications achieved the highest growth rates (up 9.2% to 8.3% of base pay in the past quarter and up 18.6% in the past two quarters). The five leading security certifications are all GIAC programs: UNIX, Intrusion Detection, System and Network Security Auditor, Incident Handler and Firewall Analyst.


CISSP Exam Preparation Guide

By Michael S. Arant, Dept. of Veterans Affairs

This guide is designed to help you prepare for the CISSP Exam. It gives you some background, points the way to study material, provides some study strategy, and imparts some Exam-taking tips. This Guide is for we mortals with too little time to study and too many other things with which to occupy our minds, like work and family. It gives the reader the benefit of our corporate experience with the Exam. Unfortunately, we are ethically bound not to talk about the Exam's specific content. There's one last thing here. The CISSP designation is unique in that it requires more than the demonstrable knowledge of a body of information. It indicates that the holder is able to integrate cyber security knowledge into the greater worlds of IT and the overall organization.

Background: First off, you need to know about the International Information Systems Security Certifications Consortium, Inc. (ISC²). They're a global, not-for-profit organization dedicated to maintaining a Common Body of Knowledge (CBK) for Information Security (IS), certifying industry professionals and practitioners in an international IS standard, administering training and certification examinations, and ensuring credentials are maintained, primarily through continuing education. Their homepage is http://www.isc2.org/.

When you go there, you will learn that you must be able to demonstrate at least three years' experience in at least one of the ten information security "Domains" that constitute what ISC² refers to as the CBK. You must also subscribe, by signature, to the ISC² Code of Ethical Behavior.

Once you have all that out of the way, all that is left is to pass the Exam! Seriously, the process is mapped out for you when you decide to begin the process.

The Exam is 250 well-researched multiple-choice questions. Each question is required to be founded on at least two references from the body of recognized literature. (We'll get into the references later.) No acronyms are used in the Exam without being spelled out. All ten Domains are represented in the Exam, but the questions are not distributed evenly across the Domains. The questions go through a rigorous process before being placed in the Exam. There is no extra penalty for wrong answers. (Wrong answers are not subtracted from the right answers.) You need to get 700 "points" out of a possible 1000 to pass. ISC² applies some statistical sorcery to the scores to ensure Exam batch-to-batch equivalence. That's right, it's a "curve". They say the questions themselves are not weighted. In the end, it's a distinction without a difference. The folks on either side of you will be taking the same test, but the order of their questions will be different. You will have six hours to complete the Exam. The Exam questions force you to read them carefully and consider context.

There are 25 new questions on the Exam that are being researched for inclusion on the test but are not graded. You won't know which ones, though.

You should understand that while the CBK is a learnable stack-o'-facts, the Exam tests your in-depth knowledge and your ability to integrate knowledge and experience, not your ability to memorize those facts. Experience pays off. So does a calm approach on Exam day.

Study Strategy: There is a lot to know and you should use the "Eating an Elephant" technique: one bite at a time, with time to digest between bites. Note again the emphasis on time. Give yourself plenty of it.

Regiment yourself. Announce the date you're taking the test to your friends, family, and colleagues. This will intensify the pressure and help you keep on track.

Begin by reviewing the ISC² CBK Study Guide. This gives you an unambiguous list of the stack-o'-facts you need to know. Unfortunately, there is no "meat" on those bones! Not a scrap. You have to go forth and find the "meat". Read on.

Next have a look at ISC²'s reference list. After looking this list over, you have two choices: 1) curl up in a fetal position and cry or 2) start focusing in on those references you realistically have time to absorb. Here is where the materials cited below will help you narrow the field. Speaking of which, consider carefully those materials cited in the Materials and References section. These are the items that your colleagues found to be helpful.

Attack the Domains one at a time, remembering that you will want to review the material. Remember to make time for review.

Assemble the material reflecting each Domain in turn.

Read, review, and repeat. Repetition and review are good.

You know how you best learn new material (e.g., auditory, visual, kinetic). Use those techniques that help you learn. For example, if you are an auditory learner, get into a CISSP prep class. If you are visual, read. If you are kinetic, write everything down.

Did we mention that review is good?

Identify those non-security areas in which you need deeper knowledge and get up to speed on them. We can't tell you what to study here, but you'll see your technical knowledge gaps as you study.

Identify those security areas where you need additional help. Focus on them.

Don't get yourself wound around the axle of thinking you need to know everything about everything, like elliptic curves or derivation of the factors of the product of large prime numbers. Just learn the words and be able to associate them with concepts, like (in this case) keystream generation. As you look over the "test" Exam questions, you'll see what we're getting at.

Talk to people! Every organization has an expert or so in any security subject area you could imagine. Join the listed focus groups. (Somebody out there can tell you how a discrete logarithm in a finite field relates to cryptographic keystreams or the price of tea in China.)

Study Materials and Resources:

First, go to the ISC² homepage and order a Study Guide. It's free, but they want you to order one on-line and they don't want you sharing it. This is your road map for the security CBK.

Arm yourself with some of the more helpful texts. The authors of this document found these books to be helpful:

The CISSP Prep Guide, Wiley Press, R.L. Krutz and R.D. Vines. After looking over the ISC² Study Guide, consider reading through one of these prep guidebooks. This one is concise and gives you the first layer of "meat". It also shows you where you need additional material.

CISSP Exam Cram, Coriolis Press, Mandy Andress. This, too, could serve as your second-level study guide after the ISC² Study Guide. This book covers the same material as the Prep Guide, but there's not quite as much "meat". Again, it shows you where you're weak.

The classic text is Information Security Management Handbook (Fourth Edition) edited by Micki Krause and Harold F. Tipton and from the CRC Press/Auerbach Publications. This is a loose compilation of essays and such. Although lots of the CBK seems to stem from this book, not everyone agrees that it's all that great in the completeness realm.

If you can get hold of a copy, look at CISSP Examination Textbooks (Two Volumes) by S. R. Vallabhaneni at SRV Professional Publications. Folks have had lots of different opinions about these.

The reader is fortunate that there are now lots of books hitting the CISSP marketplace. Just go to a bookseller of your choice (e.g., Amazon) and search on "CISSP".

The Web is a fantastic source for material. Unfortunately, there's also lots of junk, so focus on the good stuff. A search with the "CISSP" key word will cough up lots of material. In addition, a search on the Domain titles will uncover lots of material, too. Just remember that not everything out there applies to your particular task of passing the Exam. Here are some of the better Web sources:

CCCure is a great resource. They are now compiling a series of Open Study Guides (OSG), one for each Domain. The good news is that their Access Control, Telecommunications and Network, and Applications and Systems Development Domain texts are said to be among the best sources in the business. The bad news is that the remaining seven Domains are very much works in progress. In addition to their OSG Guides, they have lots of other security study material. The price is right, too.

Of course ISC² is at http://www.isc2.org/ and is a "gotta-have". There is no study material there, but there are references to lots of it. They also host a series of preparation courses.

Although it caters to those already CISSPed, http://www.cissps.com/ provides pointers to some learning material.

There are short (10 minute) audiovisual primers on network fundamentals at http://www.nwfusion.com/primers/index.html.

As always, there are dozens of useful sources on the Office of Cyber Security Homepage (http://vaww.infosec.va.gov) under the "Resource Links" section.

There is an Internet CISSP Study Group hosted by SecurityFocus. You can post questions there or just lurk and listen.

Exam-Taking Tips:

Enter the Exam room as rested and relaxed as possible. Forget about last minute cramming. Passing the CISSP Exam depends on in-depth understanding. Cramming the night before won't help you. Rest will.

Pay attention to the Exam Proctors. ISC² is serious about the security of the Exam and the testing environment, so expect a great deal of regimentation and scrutiny. If you break their rules, you're out of there, so listen carefully.

Study the questions carefully. No word is wasted. Every word is important. Remember that the "easy" questions might have a nuance you are not expecting. Remember also, these questions are highly researched. Every word in the question is there for a reason. On the flip side, try not to read into a question a meaning or context that is not literally in the question. Us "Old-Timers" do this sometimes.

Look closely for key words, especially NOT, NEVER, ALWAYS, FIRST, and BEST.

Think the "big picture". Look for the most universal or general choice in a list of all right answers. (Yeah, they do that to you!)

Answer the questions on the answer sheet with a light mark so you can easily erase it if you change your mind. After you finish making all your choices, go back and darken them in. Don't forget that last bit!

Answer all the easy questions in order as you go down the list.

Go back and attack the "hard" questions. Try to eliminate the obviously wrong choices. Every choice you eliminate works in your favor. If you just don't know, guess. Your chance of getting it right is 25% (there are always four choices), even better if you can throw out any obviously wrong choices.

Stop and stretch occasionally. Have a snack. Take a bio-break.

Parting Words:

There are several reactions folks have when they get up from taking the Exam. The universal response is exhaustion. Some folks have no feeling about how they did until "The Letter" arrives. Some folks wonder if they took the right test! Stay loose, relax, and good luck.


The Impact of September 11th on e-Government Initiatives: A White Paper

By David P. Huchette and Brian Schultz, TROY Systems

Pre-September 11th State of e-Government. During the past year the Federal, State, and Local Governments have made significant strides in providing citizens and government employees with increased capabilities through the Internet. While the gains to date have been mostly in providing greater access to current information (e.g.: Firstgov - www.firstgov.com, Energy - www.energy.gov) or providing basic services to the citizens (e.g.: State of Virginia - www.myvirginia.org), the true value of e-Government has yet to be realized. An early primer for the potential of e-Government can be found in a recent GEIA white paper on the subject: E-Government: The Promises and the Challenges (http://www.geia.org/pdf/egov2000.pdf).

During the latest government fiscal year (2001), the funding for e-Government efforts was not fully realized and therefore delayed or stalled a number of important efforts or creative thinking. The current administration has identified four key e-Government goals for the coming year - improving interaction between the government and citizens, government and business, federal and other government agencies, and internally within agencies. Recently the administration has requested $20M to support twenty-three efforts in each of these key areas. A list of these initiatives will be released by OMB shortly. These goals and initiatives represent a start for transforming government from the current environment to one that interacts better with all constituent groups.

E-Government was an interesting concept, provided good conversation, and began to get government thinking in new ways. Abruptly, the recent events of September 11th have created a new reality that requires our immediate and focused attention.

Now What? Of course the events of September 11th will impact the future of e-Government. The current focus of the government seems to be concentrating on protecting and securing the infrastructure of our data networks. While this is a natural reaction to the threats, the long term message will be that e-Government represents a better and more efficient way to operate. I believe that over the next few months, as the shock subsides, creative thinking can and must become part of our vision for government.

Examination of the four goals outlined by OMB shows that interaction between and among government agencies is a major focus for the coming year. Imagine for a moment if the FAA, FBI, SEC, Treasury, and Intelligence community had "pooled" their information prior to September 11th. The story we would be telling may have been significantly different. The new cabinet position of Homeland Security will undoubtedly realize this and work closely with all Federal Agencies to maximize the benefits of greater data sharing and collaboration. The reality of the situation today, however, is that this exchange cannot occur due to a variety of technical and political obstacles. E-Government initiatives in the next years should focus on making this increased data collaboration a reality. The technology exists; it is a question of focus, creative thinking, execution, and of course money.

In addition to the collaboration between agencies of the government, the citizens and businesses of this country will demand greater access to information as a result of the events of September 11th. Those of us in Washington, DC know the problems that we encountered shortly after the Pentagon crash in communicating with our employees, agencies, or loved ones. The phone systems were frustratingly overloaded or inoperable. In many cases the best source of information or communication was the Internet (e.g.: web sites, email, chat). I've heard stories, and experienced them personally, of people only being able to communicate through email until late on that day. As we prepare for a long term conflict, the citizens and businesses of this nation will increasingly look to the government as a source of critical and up-to-the-minute information about a variety of subjects. While some, and probably most, of this information will be at the state and local level, word from our National leaders will be essential. While the commercial news sources will continue to be vital in this mix, they cannot and should not be looked at as the official source of information. We all are painfully aware of the shortcomings of the commercial press; just recall the events surrounding the recent Presidential election. In a time of war the Government is and must be looked at as the official source to protect or communicate with the citizens. This delivery of information and services should be part of the e-Government vision.

With this increased reliance on the Internet for data dissemination and collaboration, the need for better security is heightened. To date the Government has made a lot of noise about security but in many cases instituted little more than "shelf-ware." Representative Horn's recent report card and the upcoming GISRA results will tell a "scary" story about information security in the federal government. The time has come for the government to implement true information security and not just complete a check-list or perform cursory certifications. This is serious business, and the government must realize the true vulnerabilities and impacts of inaction.

Security does not only involve planning; it involves contingency or continuity planning. The companies affected by the WTC disaster were for the most part prepared and utilized a variety of contingency plans and operational centers. These firms were operational, albeit in a sub-optimal environment, within days of the crisis. Can the government say the same thing if their agencies were similarly impacted? Business Continuity Planning (BCP) is a major consideration in the commercial world, but the government has done little to prepare for disasters. I personally know of agencies that have security or contingency plans that date back to the 70s or 80s. A bit has changed in the Information Technology world since those days of IBM Mainframe computers and no or very limited use of personal computers. In an e-Government world that relies on the Internet for greater access, security is a critical component.

Roadmap for the future During the coming year, the Federal government should focus e-Government initiatives to better serve the citizens or prepare the country for a post-September 11th world. The value of the Internet as a valuable communication media has now been verified and government must ensure that its services are properly aligned and protected to take advantage of this capability.

Government must realize that they represent a single entity to the citizens and not a number of independent organizations. Just as in a major corporation, success is achieved through leveraging the internal strengths of all parts of the organization. While this concept is somewhat foreign to the traditional thinking of the Government it is imperative to combat and succeed in this new world. I am hopeful that the newly created Office of Homeland Security and Governor Ridge will realize the true power and potential of e-Government in protecting our country. I encourage Governor Ridge to solicit the input from commercial businesses to quickly achieve success. A first step could be the creation of a panel of industry leaders to support the Office. This group would serve to advise and ensure that true creative thinking is achieved. With the new spirit of volunteerism and patriotism, the Government would have no problem in soliciting members that want to make a difference.

To foster greater cooperation between agencies or governments is a major challenge. Government, unlike business, does not have the financial incentive to operate more efficiently. The motivation for Government must be in providing a better or safer country. In a peacetime world this motivation is minimal, but today it should be paramount. The leaders of the Government agencies should convene a summit to discuss the types of information that could best be shared to support the new mission. Once the priorities are established, work must begin in developing the systems to make this a reality. Traditional reluctance to share data must be quashed. The biggest offenders, the DoD and Intelligence communities, have traditionally hidden behind the "security curtain" and refused or created obstacles for cooperation even among themselves. Obviously these agencies cannot protect this country or its interests alone; consider recent examples including the Cole, the African embassy bombings, and September 11th. A portion of each agency's budget could be dedicated to inter-agency cooperation. These funds could be used to create a number of Government-wide initiatives such as: a Government-wide intranet with central management and a large-scale data mining system to collect and "interpret" the data. This will require a great leader as well as considerable money, well in excess of the $20M identified for e-Government.

I believe that we are at the cross-roads for a new government that provides for and communicates with its citizens in new ways that meet the realities of today's world.


Information Security Is Good Business: Survival Tools and Techniques

By Alicia Clay, Ph.D. (NIST)

To address the specific needs of small and medium sized businesses and organizations, the National Institute of Standards and Technology (NIST), in co-sponsorship with the Small Business Administration (SBA) and the National Infrastructure Protection Center's (NIPC) InfraGard Program, will hold a series of regional workshops in cities across the country. These one-day workshops are designed to raise awareness of Information Security risks and vulnerabilities, while providing specific techniques to improve Information Security practices. The meetings focus on the reasons to secure information, ways to evaluate the needs of the organization, and the practical steps to take to protect business information. While the workshops are targeted at small business owners, the information being presented could prove to be very valuable for non-profits and school districts as well as local and state government offices.

The co-sponsorship with SBA and InfraGard will greatly enhance the effectiveness of this effort. SBA is encouraging their members to attend and to use their established channels to distribute the education materials we've developed. They have also agreed to encourage SBA district offices to support us in workshop activities, encourage workshop attendees to join ProNet and work with us to identify computer security issues plaguing small to medium sized businesses. InfraGard brings continuity to the effort. With the launch of the first workshop in Richmond, Virginia we will form a NIST SBA Small Business InfraGard Resource Group. Meeting attendees will be encouraged to become members of InfraGard. With membership, attendees receive free computer security related benefits (such as a VPN and secure email) and become a part of a local community concerned about information security. They'll have resources to turn to in times of crisis or if they're simply looking for additional support after the workshop. They can receive support and guidance from local InfraGard members, many of whom are very "security savvy", as well as from the FBI field office from which the local InfraGard chapter is sponsored. Through the InfraGard Resource Group, NIPC will give small business owners a way to anonymously share incident data. NIPC will share this information with NIST and SBA. Together we will use the information to identify the issues plaguing small businesses and to identify paths for researching solutions. For registration forms, more detailed information, and a complete list of locations and dates, check the web site at http://csrc.nist.gov/Bus_Regional_Mtgs/. Dates and locations will be updated as meeting space is confirmed. Contact Alicia Clay, by phone (301) 975-3641, or e-mail alicia.clay@nist.gov.

Regional Security Meeting Locations and Dates

Raleigh-Durham-Chapel Hill, NC.      Jan 16, 2002

Birmingham, AL.      Feb 20, 2002




On behalf of FISSEA, I would like to encourage everyone to attend the 15th Annual FISSEA Conference, March 5-7, 2002 at the Hilton Hotel, Gaithersburg, Maryland. The conference will not only be informative, stimulating, but entertaining as well! On that "note" if there are any fellow FISSEA members out there who are: TRAINED SINGERS, (NOT SINGERS IN TRAINING), we would like to hear from you to be involved with the upcoming conference. For more information, please contact me or Peggy Himes at peggy.himes@nist.gov -- Thanks in advance!!!

Dara Murray, Department of Health and Human Services, Assistant FISSEA Chairperson & FISSEA Conference Committee Chairperson - dmurray@psc.gov (301) 443-0881.



{This column is a compendium of info on upcoming conferences/seminars, courses, books which may be worth your reading time, and more. That is why it is named TRAINIA, a contraction of the words TRAINing and trivIA. Hope you find it useful... Ed.}

I recently saw the following on the bumper of a SUV...
"True Educators Never Graduate".... Phil Sibert

* * * * * * * * * *
On October 26, 2001, the U.S. Office of Personnel Management kicked off a new program titled "Scholarship For Service" designed to protect the Federal Government's critical information infrastructure. This program aims at strengthening the cadre of Federal information assurance professionals by providing scholarships that fully fund the typical costs students pay for books, tuition, and room and board while attending an institution of higher learning. In addition, undergraduate students receive an annual stipend in the amount of $8,000. Graduate students receive a $12,000 stipend. In exchange, students agree to work for the Federal Government for a period equivalent to the length of the scholarship.

The scholarships are funded through grants awarded by the National Science Foundation to selected institutions of higher learning certified by the National Security Agency (NSA) as Centers of Academic Excellence for Information Assurance Education. Institutions that are not NSA-certified may also receive grants if their information assurance programs are deemed "equivalent" to those of certified schools.

Students who participate in the program enroll in curricula that provide intensive training in the information assurance field. The participants' competency development also includes hands-on work experiences. Thirty-two students at four universities enrolled in the program this fall. Approximately 15 are expected to begin in the spring. To be awarded a scholarship, students must be attending a participating institution. Institutions award the scholarships based on merit-based criteria. Participating this academic year are the University of Tulsa, Iowa State University, Carnegie Mellon University, Purdue University, University of Idaho, and the Naval Postgraduate School. More information about the program may be obtained at sfspo@opm.gov.

* * * * * * * * * *
According to a news report, a certain private school in Victoria recently was faced with a unique problem. A number of girls were beginning to use lipstick and would put it on in the bathroom. That was fine, but after they put on their lipstick they would press their lips to the mirror leaving dozens of little lip prints.

Every night, the maintenance man would remove them and the next day, the girls would put them back. Finally the principal decided that something had to be done. She called all the girls to the bathroom and met them there with the maintenance man. She explained that all these lip prints were causing a major problem for the custodian who had to clean the mirrors every night. To demonstrate how difficult it was to clean the mirrors, she asked the maintenance man to clean the mirrors. He took out a long-handled squeegee, dipped it in the toilet, and cleaned the mirror with it. Since then, there have been no lip prints on the mirror.

There are Teachers, and then there are Educators.

* * * * * * * * * *
Barbara Cuffie passed this on, enjoy:

Subject: Charles Schulz Philosophy

Here's an interesting quiz. You don't actually have to answer the questions, just read thru the message:

  1. Name the five wealthiest people in the world.
  2. Name the last five Heisman trophy winners.
  3. Name the last five winners of the Miss America contest.
  4. Name ten people who have won the Nobel or Pulitzer prize.
  5. Name the last half dozen Academy Award winners for best actor and actress.
  6. Name the last decade's worth of World Series winners.

How did you do? The point is, none of us remember the headliners of yesterday. These are no second-rate achievers. They are the best in their fields. But the applause dies. Awards tarnish. Achievements are forgotten. Accolades and certificates are buried with their owners.

Here's another quiz. See how you do on this one.

  1. List a few teachers who aided your journey through school.
  2. Name three friends who have helped you through a difficult time.
  3. Name five people who have taught you something worthwhile.
  4. Think of a few people who have made you feel appreciated and special.
  5. Think of five people you enjoy spending time with.
  6. Name half a dozen heroes whose stories have inspired you.

Easier? The lesson: The people who make a difference in your life are not the ones with the most credentials, the most money, or the most awards. They are the ones that care.
"Don't worry about the world coming to an end today. It's already tomorrow in Australia." ---- Charles Schulz

* * * * * * * * * *
From Marc Noble: Here is the site you want for the CISSP: http://www.cccure.org/ This site has study guides and a lot of tips including sample tests that are good to take. The book I just purchased via Amazon for about $50 is The CISSP Prep Guide by Krutz and Vines from Wiley the ISBN No. is 0-471-41356-9. The other book I would recommend is Computer Security Basics by Russell and Gangemi from O'Reilly. I also have the Information Security Management Handbook that the CCURE site talks about but I didn't think it was that helpful, I've only gotten bits and pieces of information from it. I've been reviewing Cryptography and Network Security, Principles and Practices by Stallings and it's been very helpful. The other book(s) I'm studying for the CISSP can be purchased from SRV Professional Publications. Phone number is 847-330-0126. Their Web Site is www.srvbooks.com and from what I recall, they have a number of review books on a number of certifications.

* * * * * * * * * *
Dept. of Commerce news release (12/04/01) announced the official adoption of the new Advanced Encryption Standard (AES). The new standard, developed by Joan Daemen and Vincent Rijmen, will replace one first adopted by the federal government in 1977.

"Fact Squad Radio" Cutting through hype, spin, and propaganda - http://www.factsquad.org/radio. The main purpose of People For Internet Responsibility's recently announced "Fact Squad" effort is to cut through hype, spin, misinformation, and propaganda regarding technological issues and their effects upon society. We're pleased to announce the launching of the "Fact Squad Radio" service. Fact Squad Radio is providing very short (one minute), tightly-focused audio features, each concentrating on a single relevant topic of importance. These vignettes are aimed at explaining the issues briefly in a non-technical manner suitable for general audiences. Topics to be covered will include both matters of long-standing importance and crucial issues of the moment. We encourage linking and redistribution of these features, and they are freely distributable without any further permission being needed for non-broadcast, non-commercial usage. The debut Fact Squad Radio feature concerns a topic of some significant interest right now -- National ID Cards. Contact: Lauren Weinstein lauren@pfir.org or lauren@vortex.com or lauren@privacyforum.org

* * * * * * * * * *
March 5-7, 2002 - FISSEA CONFERENCE, Gaithersburg Hilton Hotel, MD. Learn how federal agencies are focusing on security issues involving awareness, training and education. Networking with other information system security professionals. Theme: Information Security - Spring Training is Here! Topics include GISRA, cyber-grants, awareness, tools, and training. See the FISSEA website (address below in footnote) for conference agenda. Technical contact Peggy Himes (301)975-2489 or peggy.himes@nist.gov. It's a steal, 3 days for only $235. Registration contact Teresa Vicente, NIST, 100 Bureau Drive, Stop 3461, Building 101, Room B116, Gaithersburg, MD 20899-3461, fax: 301-948-2067 or register on-line through www.nist.gov/conferences.

* * * * * * * * * *
Phoenix, Arizona. DOE Computer Security Group Training Conference Call for Speaker Participation. Submit abstracts to Shannon Bean, 2002 CSG Training Conference Program Chair, shannon.bean@pnl.gov. Proposals due Jan 15, 2002. Contact Gary Blair, CSG Training Conference Chair (925)294-3819 or gjblair@sandia.gov.

* * * * * * * * * *
May 16-19, 2002 SHAPING THE NETWORK SOCIETY Patterns for Participation, Action, and Change DIAC-02 Symposium; Seattle, Washington. Researchers, community workers, social activists, educators and students, journalists, artists, policy-makers, and citizens are all concerned about the shape that the new information and communication infrastructure will take. This symposium, sponsored by the Public Sphere Project of Computer Professionals for Social Responsibility and the National Communication Association Task Force on the Digital Divide, will provide a forum and a platform for these critical issues. To promote bridge-building between theory and practice, across economic, cultural, geographical, and disciplinary chasms, we are soliciting "patterns," instead of abstracts, and accepted patterns will be developed into full papers for this symposium. Complete details on pattern submission, including example patterns, are available at the web site: http://www.cpsr.org/conferences/diac02/.


Please send comments or suggestions to webmaster-csrc@nist.gov.
Last Modified: January 7, 2002.