FISSEA Logo News and Views
April 2003
Issue One of FISSEA Year 2003-2004



From the Executive Board Chair

It seems like it was only a few days ago since I had the opportunity to converse with many of you at our 16th Annual FISSEA Conference in Silver Spring, MD. I am pleased that many of you had the opportunity to participate in person, and we feel certain that others of you would have supported us in person if you had been able to do so. We are aware that some of you who usually attend were unable to come this year because of funding limitations. Nevertheless, we had a successful conference and were glad that we had so many people join us for their first FISSEA event. After thoroughly evaluating and considering all the data you provided us on your conference evaluation forms, we will try to accept your suggestions in planning our March 2004 Conference. For example, we are already investigating another location for next year and will be posting information about the exact date and location on our website as soon as it is available.

This is an excellent time to remind you that we update our website regularly and try to keep you abreast of our plans, accomplishments, published newsletters, etc. I would be remiss if I did not thank both Peggy Himes and Patrick O'Reilly, NIST personnel, for the excellent job they do in keeping our website refreshed. They have already updated it with the 2003 conference presentations, new Board member information, etc. Please visit the website at regularly, and share your feedback and suggestions with us. After all, FISSEA is your organization, and we want it to be as beneficial to you as possible. We continue to hope that you will use the list serve as a means to ask security training related questions. If you follow our posted rules (e.g., no advertising), one or more of our hundreds of members will almost always readily reply to your question in an effort to assist you. This service is available to all members, and you can setup a contact for the list serve today at

Finally, I want to thank Steve Willett, another NIST employee, for working with the Board to develop a membership survey form. We introduced it and used it to collect data from our members who attended our conference last month. I want to thank those of you who completed the survey and remembered to leave it with us to be evaluated. We must know more about you and your perception of us to be more customer-focused in serving your needs. With Steve's help, we are in the process of analyzing the input you provided, making small adjustments in the survey tool and planning to make the survey available electronically. Stay tuned to our website so that you can be among our first members to complete the survey tool from wherever you are. We really do need to get your insight, volunteer assistance and ideas to be even better. A few of you indicated that you are willing to volunteer your services, but you forgot to provide contact information. Please contact us through Peggy Himes at and let her know how we can contact you. As always, I thank you for your continued support.

Barbara Cuffie, CISSP
Chair, FISSEA Executive Board

  FISSEA Executive Board

* Term ends March 2004
** Term ends march 2005

Barbara Cuffie, CISSP, Executive Board Chair*
Lewis Baskerville,**
LTC Curt Carver, Jr., Conference Program Director,**
Tanetta Isler,**
Dara Murray, CISSP,*
Louis Numkin, Newsletter Editor,**
LTC Daniel Ragsdale,*
Donna Robinson-Staton,*
Robert Solomon, CISSP,*
Mary Ann Strawn,*
Marvella Towns,**
Mark Wilson, CISSP, NIST Liaison, Assistant Chair,**

NIST Executive Assistant to the Board:
Peggy Himes,


Go to top of page

horizontal bar

Letter From the Editor:
Essential E's = Employers Educate Employees

By Louis M Numkin, US Nuclear Regulatory Commission

{Let me start by welcoming our readership back to FISSEA's quarterly newsletter. Permit me to gently nudge each one of you to consider submitting an article for an upcoming issue. As you will see in this edition, several of you have already taken us up on this offer.}

A few months back, I read a article by Edward Hurley which made some very good points which I will employ as a basis for this article.

"Your company has security policies, but can you prove your employees know the policies related to their jobs?" Negative responses lead to a lack of consistent enforcement. Ed continued "Handing employees the policies on their first day of work isn't enough either." I write from the experience of providing computer security in-processing presentations to our NRC newbies each week. My wangling and begging has netted me a half hour to give them a solid foundation on which to survive while working in this agency. Other than my section, they "have 50 gazillion things to sign, ranging from benefits to 401k forms." So, even though we consider this to be their first taste of computer security awareness, Steve Kahan (President of the Human Firewall Council) succinctly states, "Chances are they don't pay a lot of attention to material about computer security."

This was the first I had heard of the council but it is made up of security professionals, analysts, vendors, government officials, and academics, whose mission is "to raise the security awareness of organizations by providing research and tools to make employees more aware of the need for security." They provide measures or benchmarks so that similar organizations can gauge how their employee security awareness programs and security management practices rate against others.

A recent council security awareness study of more than 1,500 organizations found few in which the employees actually understood and believed the security policies. "Typically, you would find even people in the security departments don't know all the policies," Kahan said.

Article examples included that at one point, council members "walked around Victoria Station in London with a BBC camera crew asking passersby for their passwords. Eight out of 10 people willingly gave it on camera, Kahan said. "They didn't understand their password disclosure policies." This is just one example of why it must be that Employers Educate Employees. Employers have a myriad of policies, but rarely do all affect all employees. Cutting down the chaff and only giving the employees what they are required to follow will be a start in the right direction. At the NRC, we are governed by Management Directives. Of all of these, #12 deals with Security, and only #12.5 deals with automated information system security. This is a very small part of the policies guiding our 3,000 employees.

"Companies then need to test employees to verify that they know the policies, Kahan said." Within the NRC program, we have an on-line computer security awareness course which is to be taken by all employees and contractors each year. At the end of the course, the "student" is to take a quiz. Until this is completed, training credit is not applied to his/her human resources record. There are other forms of testing which do not "need to be boring... A major antivirus vendor recently sent out a bogus e-mail with an attachment to its employees. The purpose of the exercise was to see what people would do with suspicious e-mails. A few opened it. Most just deleted it. Some sent it to the proper person who screens such things." We can all put on our thinking caps and create innovative tests to challenge the understanding of our staff members.

"If employees understand policy, they can be the security department's eyes and ears in the office, on the lookout for security risks." So, it is our duty as computer/information security professionals to ensure that behaviors are modified in such a way as to be consistent with published guidance. Clareon Corp's CSO, Frank Jaffe, "runs annual security training sessions that include a security brainstorming session. Employees have the opportunity to talk about security issues they see in their jobs. 'There is an element of risk, but it is a good idea,' he said." He goes on to explain that staff members are encouraged to "talk about security incidents they have faced." In other words, if an employee successfully uses a particular security tool (eg: virus detection, firewall) at home, then perhaps it might help fellow staffers or even be worth considering for office use. Employers Educating Employees is essential to improve employee understanding of why the policies were written and possibly why they should be modified. This way both employers and employees mutually benefit from the experience.

Go to top of page

horizontal bar

FISSEA 2003 Conference:
What You Missed and Congratulations to Patti Black

By Mark Wilson, CISSP, Assistant Chair

The Federal Information Systems Security Educators' Association (FISSEA) held its 16th annual conference in Silver Spring, Maryland on March 4-6. The Conference brings together information technology security professionals from government, academia, and industry with an interest in security awareness, training, education, and professional development issues.

Lieutenant Colonel (LtCol) Curt Carver of the U.S. Military Academy at West Point served as the Conference Program Chair. With assistance from the FISSEA Executive Board and volunteers from the FISSEA membership, LtCol Carver assembled what many have noted was the best Conference agenda in years. LtCol Carver has offered to serve again as Program Chair for the next several years. The FISSEA Executive Board, which met at the close of the Conference on March 6th, thanked LtCol Carver for his successful work on the 2003 Conference and welcomed his offer to continue to serve as Program Chair.

Keynote presentations each day challenged attendees to better prepare themselves for the future by seeking advanced training and education in IT security, and to make their management and executives more aware of the need for a vigilant security program. Keynoters were Keith Rhodes of the General Accounting Office, Mr. Alan Paller of the SANS Institute, K Rudolph of Native Intelligence, and Mr. Thornton May of the Graduate School of Management at UCLA.

Presentations during the three-day conference were made by speakers from the National Security Agency, State Department, Internet Business Group, Association for Computer Security Day, U.S. Military Academy at West Point, Federal Computer Incident Response Center, Purdue University, Towson University, Office of Management and Budget, Karta Technologies, Defense Information Systems Agency, Centers for Medicare and Medicaid Services, Federal Bureau of Investigation, Booz Allen Hamilton, NASA, National Defense University, C-Cubed Corporation, Nuclear Regulatory Commission, University of Ottawa, Library of Congress, Iowa State University, and NIST.

The annual Educator of the Year award was presented to Patricia "Patti" Black of the Treasury Department for her work in information technology security awareness. Patti formed and led a working group that updated an existing awareness CD that contained basic security issues aimed at the user community.

For more information about FISSEA, including the dates and location of the 2004 Conference, visit the organization's website at 2003 presentations are available on the website.

Go to top of page

horizontal bar

Prizes Add Pizzazz to Conference

By Peggy Himes

The FISSEA Conference was not all work and no play. As a little "perk" prizes were given out during the annual FISSEA Conference. Dara Murray started the tradition last year and it was such a hit, it was continued in 2003. The prizes started out small but increased in value as supporters got caught up in the spirit during the conference. The Executive Board appreciates the donations from the following supporters. Unfortunately, not all winners were recorded and only the "known winners" are listed in italics.

Pam Salaway, Computer Security Institute, donated a one-year subscription to the CSI quarterly security awareness newsletter, FrontLine, valued around $1,500.
   Mary Ann Strawn, Library of Congress (LOC)

Kris Madura, CompTIA, donated vouchers for the Security+ exam, which is published in a format for the computer desktop environment and is available at CompTIA authorized testing centers.
   Ty Cooper, U.S. Office of Government Ethics
   John J Czaplewski, Northrup Grumman Information Solutions
   Marvella Towns, National Security Agency

K Rudolph, Native Intelligence, donated several original computer security posters.
   Eva Murphy, USDA-FSIS

Curt Carver, 2003 Conference Program Director, donated a framed first-issue commemorative stamp from the United States Military Academy.
   John Saunders, IRM College, National Defense

Barbara Cuffie, FISSEA Executive Board Chair, donated several gifts.
   Brenda Williams, IRS, won the golf accessory.

Mark Wilson, Executive Board member, donated a NIST coffee mug and "collectible" NISSC briefcases.
   Diane Coleman, IRS, won a briefcase
   Louis Numkin, Nuclear Regulatory Commission won a briefcase

Mary Ann Strawn, Executive Board member, donated three LOC Computer Security mugs; one mug contained a coupon for a tour of the LOC and lunch in the Executive Dining Room.
   Angela Adams, IRS, won the mug with the tour coupon

Phil Sibert, long-time Executive Board member, donated three FISSEA-related mouse pads crafted by Pauline Bowen.

Dara Murray, Health and Human Services, donated movie passes.

Go to top of page

horizontal bar

Educator of the Year Award

By Tanetta Isler
Dept of Housing and Urban Development

The Federal Information Systems Security Educators' Association Educator of the Year Awardees have an extraordinary impact in information technology security awareness, training, and education. Past recipients' influence is far reaching with broad impact upon those affected by information technology security issues. The Executive Board wants to encourage you to nominate an IT security educator with impeccable dedication to supporting the goal of producing relevant and needed IT security skills and competency and integrating the skills into a common body of knowledge in either the public, private, or federal community. Nominations can be for work in any aspect of IT security awareness, training, or education. An ad hoc committee appointed by the Executive Board Chair will judge the 2004 FISSEA Educator of the Year nominees. The Educator of the Year ceremony is held each year at the annual FISSEA Conference.

Go to top of page

horizontal bar

Who's Job is it Anyway?

Lessons learned while developing a Windows 2000 Security WBT course.
By Grethen Ann Morris, CISSP
RS Information Systems
Contracted to NASA

The purpose of this article is to give others a chance to learn from our experience, not to point fingers or complain (“just the facts-ma'am”). If you have already learned these lessons, maybe it will help to know that you aren’t the only one that has gone through it.

1. Course Outline: the developer’s job or yours?
My team developed an outline of what our new Windows 2000 Security course should teach. We even included guidance documentation with the outline to give the developers some of the content. We requested a proposal and quote for the work, came to an agreement, and started our working relationship. The course developers came back to us with a totally different outline from the one we gave them. When we told them that we wanted them to develop a course according to our original outline, they said they could not start developing the course without us giving them learning objectives instead of an outline.

A lesson learned: If you don’t want any surprises as to who is responsible or in control of what parts of the course development, you better make sure the Statement of Work is very specific and clear. Precautionary note: even if you are specific and clear, there may be misunderstandings.

2. Technical Content: your job or the Subject Matter Experts (SMEs)?
I went to the experts at our agency to get some answers. Several conversations later, we came to the understanding that they did not like the outline either, but could not tell me why. One of the experts suggested that I “read the 19 NSA guidelines for Windows 2000 and write the training from there”. My reply was, “sure, I can throw 500 topics into a hat and pull 50 of them out, but that does not mean the topics will be the ones our audience needs to learn.” This led me to create a new document, “who needs to learn what”. I wrote it from the information I had collected from many conversations.

A lesson learned: The technical content (a training needs analysis) should have been done before writing a course outline or contracting for it to be made. I was taught this in a course once, and now that I’ve learned it first hand, I will never forget it. It is true!

An aside... the experts were trying to be helpful. They all work full time jobs and work on a special committee that is above and beyond their regular work. They did not have the time or energy to build something from nothing, so I had to do it for them. Once we had the “who needs to learn what” document, they could review it and give positive feedback. Also, as an added bonus, the course developers said that they could use the document to build the learning objectives and course from there.

A lesson learned: If you are having a hard time getting input (something from nothing), create something they can comment on. It takes less of their time and effort and they will be much more willing and able to help.

And a note: We found that we had a different audience with Windows 2000 Security than we had with UNIX or NT. UNIX and NT only needed to be taught to system administrators. But, due to the build of Windows 2000 (and Mac OS X), the users need training too. They can actually cause security issues and need to be taught how not to break what the system administrators put in place.

3. Review: Everyone’s job?
How many reviews are needed? Does everyone need to participate in all review cycles? For timing/scheduling purposes, we (course developer and my team) decided to put the content up in stages (the number of review stages changed a few times during the development process). The course developer had internal quality assurance reviewers. My team has two technical reviewers and two general reviewers. We had two sets of SME’s, our Security group and the Windows 2000 (technical) group to help with review.

Sometime during the review process, the first two review stages on the text content were supposed to be complete and were not. My team members had been through the course. The course developer’s internal quality assurance process was running smoothly. Our security group delegated review, but we did get input from their perspective. From our Windows 2000 group, however, we did not hear a word. What happened? They had been very helpful up to this point. With a little checking, we find out they were all called away to put out a Windows 2000 fire, to collect data on the newest threat. I can not approve moving forward on course development without having at least one technical expert review the material, can I? If we wait, we delay the final delivery date.

A lesson I learned in a course I took: It costs less time and money to fix the course content prior to developing the graphics and audio than it does to fix it later.

So... we waited, and stressed the importance and value of the technical experts input. Once they started helping with the reviews, they stayed with us through the rest of the process. Their input made a world of difference in the final product and the initial delay saved a potentially longer delay later if we would have had to change graphics and audio as well as the text content.

Go to top of page

horizontal bar

Role-Based Training: A Critical Element of Information Assurance

By Patricia Harris and Jeff Dektor, CISSP
Department of State

The Availability-Intregrity-Confidentiality (A-I-C) of an organization’s information system is dependent on the knowledge and skills of those who use, operate, and manage the system. Information assurance (IA), which is synonymous with A-I-C, cannot be achieved and maintained unless all employees with IA responsibilities understand and are able to execute the requirements of their specific roles. For this reason, role-based training is a critical element of a successful IA program

The employees who receive role-based training can be divided into two broad categories – technical and managerial. Technical personnel implement and monitor security procedures that are specific to their computer network’s operating system and work environment. Examples include system administrators, information system security officers (ISSOs), and auditors. By and large, the personnel in these groups are concerned with observable and measurable IA characteristics.

Managerial personnel, through the control of resources, personnel, and policies, deal with more intangible issues. They also have a greater influence on whether the organization’s IA program is effective. A manager’s role includes assessing security risks and making decisions about the types of safeguards to be used. At the same time, a manager’s understanding and support of IA requirements is the key factor in whether or not technical personnel will be able to fulfill their day-to-day responsibilities in securing the organization’s information system.

Another aspect of role-based training is the degree to which it addresses the specific needs of the organization. The content of successful training is based on established policies and procedures. It includes concrete examples, step-by-step procedures, and realistic scenarios that both reinforce learning and promote skills transfer to the workplace.

In terms of learning outcomes, technical personnel should have achieved a greater understanding of the policies related to information security and new or enhanced skills in applying security settings, monitoring system security, and recognizing anomalies that need to be investigated. Managers should be more knowledgeable about security policies, system vulnerabilities, and the job requirements of the technical personnel in their organizations. They should have new or enhanced skills in evaluating the IA situation in their organizations and in selecting the most effective actions to address any shortcomings.

To be effective, IA training must be incorporated into the fabric of the organization. Rather than a one-time event, it must be an on-going process that is changing and growing as rapidly as information technology itself. It should prepare both technical and managerial personnel to not only detect and correct known security flaws, but also to anticipate and guard against the new vulnerabilities that often occur with a technology change.

In today’s world of heightened information security risks, a comprehensive program of role-based, organization-specific training is the first line of defense. Trained employees at every level of the organization are required to ensure the A-I-C of the information system so that the organization can continue to function smoothly and fulfill its mission.

Go to top of page

horizontal bar

ISC2 Plans Extensions to the CISSP Credential

By E.C. (Lee) Chambers, CISSP, CISM, CIPS
Falls Church, VA (USA)

I know many of our members are Certified Information System Security Professionals (CISSPs) or are thinking about obtaining this credential so I thought you might be interested in the three proposed extensions to the CISSP credential that are currently under development. These extensions will all require the candidate to first obtain the CISSP credential in order to apply for these advance certifications, the Information System Security Engineering Professional (ISSEP) and the as-yet-to-be-named credentials in system security management and system security architecture.

As many of you may already know, the ISSEP is being jointly developed by the National Security Agency (NSA) Information Assurance Directorate and the non-profit International Information Systems Security Certification Consortium (ISC2) Inc. The ISSEP will focus on the technical knowledge required of government information systems security engineers such as ISSE processes and government regulations. NSA has prepared the groundwork for this certification and will provide the subject matter experts to develop the ISSEP examination. People who have worked in information security for at least four years and who already hold the CISSP credential will be eligible to take the ISSEP exam. According to a recent news release, NSA plans to use this certification for both its employees and contractors.

The other two extensions to the CISSP are still in the very early stages of development. A few weeks ago, I participated with CISSPs from throughout the US and Canada in an ISC2-sponsored three-day workshop to develop exam questions for the these two proposed extensions to the CISSP credential.

These extensions will each concentrate in two discrete areas of certification, information systems security management and information systems security architecture. Once developed, security professionals will be able to qualify in either or both of these two areas after they have obtained the CISSP credential.

ISC2 has additional workshops scheduled in April and May to further develop exam content as well as to convene a panel of subject matter experts (SMEs) to evaluate the exam content for consideration as testing material. Exam content that graduate from this level of SME review will be added to the test bank and (if all goes as planned), ISC2 will start testing the exams for these new extensions later this summer.

FISSEA members who are CISSPs and would like to participate with ISC2 in the continuing need to develop testing material or to participate as an SME to evaluate testing material can contact me directly.

Go to top of page

horizontal bar

Intrusion Prevention, Fact or Fiction

By Chris Petersen
President/CTO Security Conscious

Intrusion prevention has been one of the most hotly debated topics within information security circles for the past twelve months. The prevailing topic is whether this new breed of technology is marketing hype or reality. If one were to ask my opinion, I’d have to say it’s in large part both.

The Hype
When host-based intrusion prevention was first introduced in early 2000, it didn’t receive the same cynical response network-based intrusion prevention saw in early 2002. I believe the primary reason for this is comfort with the idea of a host-based agent preventing bad things from happening via anti-virus and personal firewall technologies. The move to detecting attacks on the local host to preventing seemed like a natural transition and one that should be possible. Most IDS pundits took the wait and see approach. However, this wasn’t the case when network based intrusion prevention systems (NIPS) hit the market. Two prevailing reasons come to mind. First, those of us who have been working with network based intrusion detection systems (NIDS) have come to understand just how inaccurate the technology is in only identifying real intrusions. In large-scale deployments, we’ve come to expect a 10 to 1 (if not 100 to 1) false alarm to real alarm ratio. This moves me to my second reason, the aggressive marketing practices of the intrusion prevention vendors. Feeding on this false alarm frustration, NIPS vendors market(ed) their products with catch phrases such as “No False Positives”, “100 percent protection”, “complete signature-less prevention”, etc. Many IDS pundits were more than cynical of these bold claims, they were insulted. Why? Because in order for a NIPS to prevent an attack it must first detect it. How could new NIPS technologies using NIDS detection techniques be 100% accurate in prevention when the best of breed NIDS with hundreds of customers and long standing R&D staffs were at best 10% accurate in detection. The claims simply didn’t add up.

The Reality
Intrusion prevention is the goal, not the product. No single technology can stake claim to providing 100% prevention. Security is about risk management not silver bullets. The question is whether or not the current product set under the “intrusion prevention” umbrella can help companies achieve their risk management and associated intrusion prevention goals. They can.

As with any emerging technology market, the new will replace the old. In developing their products, the NIPS vendors went back to the drawing board and devised new solutions based on customer frustrations and limitations with the current intrusion detection technologies. They looked at new ways of detecting misuse, moved to firmware-based platforms to improve performance and reliability, and introduced the ability to place the technology “in-line” allowing packets to be dropped based on detection policies. Unfortunately, this last feature was what allowed NIPS vendors to attract venture capital and was the banner under which they marched to market. However, in reality, the ability to sit in-line like a firewall was simply an evolution of existing intrusion detection preventative features such as automatically resetting a connection or reconfiguring a firewall. Unfortunately, this message didn’t excite the investment community and the intrusion prevention market was born.

However, whether its intrusion prevention or intrusion detection with preventative features, the fundamental measurement remains the same – how effective is it in detecting misuse or intrusion? Improvements have been made with the new crop of NIPS. For instance, detection engines have been expanded to provide features such as multiple signature matches for a single event, the combination and correlation of anomaly based detection with signature based detection, and the virtualization of detection policies allowing for granular tuning based on individual host and network characteristics. Other technologies introduced wholly new and innovative approaches.

While these features have improved detection accuracy or apply a different approach altogether, are they accurate enough to trust in an in-line mode where a false alarm could drop a business connection? The answer depends on the accuracy (false alarm probability) of each individual attack balanced against risk management thresholds. Fortunately, some attacks have a very low false alarm probability and can be prevented with minimal risk. As the false alarm probability increases for other attacks, one needs to balance operational risk against security risk to determine when the product should be configured to alarm only. Fortunately, all of the intrusion prevention products I know of provide this flexibility. In fact, most vendors advise customers initially configure their products in a detection only mode and then selectively enable preventative policies when false alarm probabilities combined with risk management thresholds add up.

Marketing hype aside, intrusion prevention technologies can be a powerful tool in supporting a defense in depth architecture. A silver bullet they aren’t but then again, they don’t need to be. They have advanced the art of intrusion detection and when deployed appropriately can be an effective use of the information security dollar.

About the Author
Chris Petersen is the President/CTO of Security Conscious (, a company specializing in maximizing the return on intrusion detection/prevention via professional services and next generation incident management technologies. You are welcome to contact Chris at

Go to top of page

horizontal bar

Computer Security and Sandwiches at Library of Congress

By Mary Ann Strawn
Library of Congress

Wednesday, May 28, Tamara Maddox of George Mason University will speak at a Brown Bag seminar sponsored by the Library of Congress Computer Security Coordination Group. The event takes place from noon to 1 p.m. in the Madison building, room G-45. It is free and open to the public.

Maddox, Assistant Chair of the Computer Science Department at George Mason, earned her B.S. in Computer Science and a law degree from William and Mary. At GMU she is coordinator of all computer ethics/law courses and developed the junior level course “Ethics and Law for the Computing Professional.” She has been actively involved in numerous issues of computer technology and policy, including serving as chair of an IEEE/CCIP task force on UCITA Uniform Computer Information Technology Act in 2000/2001.

At the Library Maddox will address computer ethics and the role of privacy.

The May 28 event is a part of series of Computer Security lunch-time seminars held throughout the year at the Library of Congress. The Library has drawn upon the expertise of in house staff to talk about subjects such as “Spam,” “Securing Your Home Computer,” “The Perils of Email,” “Hackers.” A recent speaker from the Federal Trade Commission discussed “Identity Theft.”

According to Ann Christy, Computer Security Officer for the Library, “This is just one of many ways we keep reminding people about computer security.”

The seminars are usually about 45 minutes in length with time for questions. The Computer Security Team provides cookies for attendees. For additional information, contact Mary Ann Strawn,

Go to top of page

horizontal bar

One of Our Own

In reference to a recent CNN posting, located at: (NOTE: You will be leaving NIST's and the FISSEA website after clicking the CNN link) our Conference Chairperson, LTC Curtis Carver, contributed this note to acknowledge one of our FISSEA Executive Board Members, LTC Dan Ragsdale (winner of last year's EOY) efforts at the US Military Academy at West Point:

"The cadets really got a lot out of this. Learning went beyond class attendance as the cadets put in hundreds of hours and were really committed to defending their networks. Dan did an awesome job. Just to give you a taste, NSA started with a DoS attack on West Point's email server on Monday.

The cadets could not block the ip address because it was against the rules. They noticed however that the time to live field on the attacking packets had an interesting value and they rapidly modified a firewall to block the DoS based on that value. The enemy adapted his attack and counterattacked.

The cadets saw the counterattack and modified their defense. Very cool stuff. Regardless of whether we beat the other academies, a lot of critical thinking and learning took place this week and the benefit to the cadets and our nation will be an interesting story to watch unfold over the next couple of years."

Go to top of page

horizontal bar


This column’s name is a contraction of the words “Training” and “Trivia.” It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at


Please see the article about our 16th Annual FISSEA Conference as reported in the March 10, 2003 edition of the Government Computer News. You can view the entire article on-line at GCN.COM under archives. "Conference targets the ABCs of security".


6-8May03 AFCEA TechNet International 2003, Washington DC Convention Center. Contact 703-631-6125 or


14May03 CompTIA complimentary event: Cyber Security Workforce Symposium, 8am-1:30pm. J.W. Marriott Hotel, 1331 Pennsylvania Ave, Washington, DC. Keynote speaker: The Honorable Howard Schmidt, Special Advisor to the President on Cyber Security. Seating is limited! To register, visit or call 703-812-1333 x200.


13-15May03 3rd Annual Department of Energy/U.N. Hybrid Conference and Workshop, Newport Beach, California. To register and learn more about this conference Contact Karen Lockhart, 412-386-4763,


2-5June03 Colloquium for Information Systems Security Education Cyber Security Strategy: Meeting the Multi National Challenge Through Education Training and Awareness. The Washington Marriott Hotel, Washington DC. Conference Coordinator: Allan Berg, James Madison Univ. 540-568-8773. See


4-5JUN03 Gaithersburg, MD. Federal Business Council, Inc. Securing the Homeland Conference and Expo "A Federal Partnership for Securing America". Industry, government and law enforcement representatives are invited to present briefings as they relate to one or more of six critical mission areas cited in the National Strategy for Homeland Security. Contact Robert Jeffers, Visit for more information.


4-6June03 TechTarget's Data Center Futures Conference, Chicago, IL. Visit the conference website to view sessions and speakers or for more information, call 781-657-1610


23-24June03 Computer Security Institute's 13th Annual NetSec '03 conference program is now available and registration is open. NetSec blends a management and awareness focus with technical solutions, giving you a balanced real-world perspective. Join 1500 of your colleagues in New Orleans and become a better practitioner. Contact 415-947-6320, View conference at a glance pdf:


28-30July03 MIS Training Insitute WebSec 2003: The E-Security Conference and Expo, San Francisco, CA. WebSec 2003 has been designed to deliver up-to-the-minute information, cutting-edge strategies, and tested techniques to help you meet today's tough e-security challenges. Go to


15-17SEPT03 E-Gov Information Assurance Conference and Exhibition, Ronald Reagan Building and International Trade Center, Washington, DC. Deadline for paper submission is Thursday, May 1, 2003, to


View the updated Foundstone, Inc. security training course calendar for 2003 at Find their Security curriculum description as well as dates and locations. Contact Todd McBride 949-297-5600,


The Scholarship for Service Program, a program designed to increase and strengthen the cadre of Federal information assurance professionals that protect the Government's critical information infrastructure, has a new website. To register as an Agency Official, go to Contact or Kathryn Roberson, 210-805-2423 x506,


VCampus offers courses in Information Security, Contingency Planning, Physical Security, Workplace Security, Healthcare Privacy (HIPPA), and SSCP Certification (coming soon). Headquartered in Reston, VA. Contact Mary McCarthy 301-261-5331


Upcoming ISACA educational events:
5-9May03 IS Audit & Control Training Week, Minneapolis
18-22May03 North America Computer Audit, Control and Security Conference, Houston
2-6June03 IS Audit & Control Training Week, Orlando
20-23July03 International Conference, Singapore
8-10Sept03 Network Security Conference, Las Vegas
For further information contact Sandy Arens, 847-253-1545 x485,, Or contact Debra Cutts 847-590-7482,


Upcoming CSI seminars. For further information contact Nancy Baer
5-6May03 Rapid Roll-Out of an Asset Classification Program, Baltimore
7-9May03 CISSP Prep-for-Success Workshop, Baltimore
5-6July03 Practical Guide to Encryption and Certificate Program
7-8July03 How to Create and Sustain a Quality Security Awareness Program, Gaithersburg


Go to top of page

horizontal bar

Back arrow Back to FISSEA Homepage back arrow Back to Newsletter Index back arrow Back to CSRC Homepage

Please send comments or suggestions to
Last Modified: May 9, 2003.