News and Views
Federal Information Systems Security Educators' Association

 

Issue Two of FISSEA Year 2003-2004
July 2003



IN THIS ISSUE:

 

Letter From the Chair

Hello FISSEA Members:

This is probably a busy season for most of you who work in information systems security for the federal government with many kinds of reporting and/or auditing type activities currently underway. Every year I think it will be better next year, because we will have more clear guidance on what we must do earlier, more realistic timeframes and more qualified security personnel to do the job. If you are lucky enough to have a well-trained, competent security team to help you respond to a steadily increasing and more complex workload, then you are truly blessed.

I sometimes find myself rejoicing that at last top management seems to be aware of the importance of protecting their agency or corporate assets effectively. Most managers realize that they are ultimately responsible for identifying and managing certain risks that unless managed appropriately could cause catastrophic and/or unacceptable consequences if successfully exploited. I wish I could say that it appears that managers at all levels are learning these lessons on managing risks and securing their assets as a result of willingly participating in systems security awareness and training opportunities. Unfortunately, in too many instances, managers appear to be more concerned about doing what is required to convince auditors that existing safeguards or controls are adequate or trying to find out what is the minimum fix we can install to most likely address/complete an audit finding.

FISSEA members, I hope that my perspective is flawed and that you are more optimistic about the effectiveness of your security awareness and training programs for managers. I am convinced that a sound security awareness and training program is more essential than ever before for an Agency or Corporation to have an effective information systems security program. I am equally convinced that it is not enough to assign people to specific positions where they are responsible for fulfilling specific security functions. The time has come when people who have security functions must receive adequate and timely training before they are expected to perform their duties successfully. I believe that there are too many people encumbering security jobs without having taken any formal security classes. Most managers would never assign an untrained employee to manage a major project, yet security officers are sometimes expected to protect critical agency or corporate assets with little or no security training.

Finally, please mark your calendars now and plan to attend the 17th FISSEA Conference on March 9 to 11, 2004. As usual, more details will be forthcoming on our website and in each of our next 3 newsletters. Begin today thinking about whom you will nominate for the 2004 Educator of the Year. Our website includes directions on how to make a nomination. We look forward to communicating with you throughout the year and doing all that we can to assist you in your security awareness, training and education programs.

Barbara Cuffie, CISSP
Chair of the FISSEA Executive Board


Go to top of page

horizontal bar


FISSEA Executive Board
2003-2004

Barbara Cuffie, CISSP, Executive Board Chair*
barbara.cuffie@ssa.gov

Lewis Baskerville,**
lewis.baskerville@sba.gov

LTC Curt Carver, Jr., Conference Program Director,**
curtis.carver@usma.edu

Tanetta Isler,**
tanetta_n._isler@hud.gov

Dara Murray, CISSP,*
dmurray@psc.gov

Louis Numkin, Newsletter Editor,**
lmn@nrc.gov

LTC Daniel Ragsdale,*
dd9182@usma.edu

Donna Robinson-Staton,*
donna_robinson-staton@hud.gov

Robert Solomon, CISSP,*
robert.f.solomon@nasa.gov

Mary Ann Strawn,*
mast@loc.gov

Marvella Towns,**
mltowns@nsa.gov

Mark Wilson, CISSP, NIST Liaison, Assistant Chair,**
mark.wilson@nist.gov

NIST Executive Assistant to the Board: Peggy Himes,
peggy.himes@nist.gov

* Term ends March 2004
** Term ends March 2005

Go to top of page

horizontal bar


FISSEA Editor's Column

By Louis M Numkin
US Nuclear Regulatory Commission

Dear Readers,
I am writing this during one of the few breaks I've had since the Inspector General (IG) contractors' entrance briefing for the start of our annual GISRA/FISMA inspection/audit. With as much as we have done to ensure that we are ready, it seems we are never done! There is always something gnawing at us like a mouse and its cheese. Just one thing we can't remember whether it was completed before the foreign hands touch and foreign eyes find what will confirm our own inferiority complex. We're not trying to hide anything... we just forgot... "can we puleeze have a do over"... before 2004?

Now to point - Just two weeks ago, I was on the dais in our auditorium as part of a triumvirate representing physical/personnel/information/computer security. The presentation was an outgrowth from an IG finding that too many staff members had forgotten or never learned the proper care and feeding of sensitive data. So, the three of us attempted to impact on the minds of over 1,000 personnel at various levels of the organization's power structure during five cookie cutter sessions.

As with Computer Security Awareness, we must provide it for varied levels of expertise, from novice to expert - none of whom wanted to be there. Since I was the third to speak, my first glimpse of the 200 attendees was glazed-over eyes with chins and some noses pointed toward the floor. It was not a pretty sight! Anyone who has seen my presentations knows I try to inject some humor in the slides or patter to help hold interest. Well, instead of waiting, I hit them with humor from the start. This quip was definitely not in bad taste (Yes, one must know one's limits based on audience makeup and try to keep the humor rehearsed and somewhere close to the topic being discussed), elicited the desired chuckle response (forcing them to breath in Oxygen), regained the audience's attention (detected by their attentive gaze), and permitted me to provide my talk to a more open eyed/eared group than the earlier speakers.

Proving that no good deed goes unpunished (here I succeeded in getting my message across with out offending anyone)... I heard from the presentation coordinator that the IG said to "drop the humor" as there was no place for it in a serious presentation. Bah Humbug!

The next time we gave our presentation, I saw 200 similar audience faces with closed eyes. So, I tried something else - calling for an audience response en mass. The first try was lukewarm but I challenged them to really sound off and, though they didn't rattle the rafters, it was louder... rousing some dozers to a more alert stature. This time, no IG complaint was voiced.

Another technique which has worked for many speakers is to ask questions to the audience and reward correct answerers with candy or trinkets. Put on your creative hats and you will find more innovative methods which might better work with your audience.

Folks, I am not beating up on the IG, just encouraging each of us who must address less than extremely interested groups to have more than one trick up our sleeves to help in getting our message across. Remember, our sometimes impossible mission is to increase computer security awareness which is difficult to accomplish when audience eyes/ears are closed.

Go to top of page

horizontal bar

CINDY Award

In May 2003, the Federal Information Systems Security Awareness web-based training (WBT) product received a "Gold Cindy Award for Training: General" - by the Cinema in Industry, "Cindy Awards" competition. Often equated to the "Emmys" of interactive media, the twice annual Cindy Competition is presented by the International Association of Audio Visual Communicators (IAAVC) http://www.iaavc.org/, a non-profit group representing theatrical, broadcast, non-broadcast, and interactive media professionals throughout the world.

The Federal Information Systems Security Awareness product was a joint FISSEA and Defense Information Systems Agency (DISA) effort. FISSEA member, and former Executive Board member, Patricia Black of the Treasury Department, led the project.

"Congrats Patty!"

Go to top of page

horizontal bar

2004 FISSEA Conference

"Awareness, Training, and Education: The Driving Force behind Information Security"
March 9-11, 2004

Are you getting excited yet? The 2004 FISSEA conference is right around the corner and the planning staff is hard at work to improve upon last year's conference. This year's conference theme, "Awareness, Training, and Education: The Driving Force behind Information Security" highlights the critical role we play in information security. While last year's conference was awesome, we are looking at ways to make the 2004 conference even better. If you have a great idea for the conference or would like to help, you can contact Chrisan Herrod (herrodc@ndu.edu) about the conference overall or Curt Carver about the technical program (carverc@acm.org). Recommend your favorite keynote speakers and we will do the rest. Look for the call for papers in the next 30 days and submit early as we had many more submissions than presentation slots last year. The 2004 FISSEA conference will set the pace for driving change in information security awareness, training, and education. Don't be left in the dust and miss this year's conference.

Curtis A. Carver Jr., Ph.D.
Lieutenant Colonel, Academy Professor
Program Director, Information Technology
Department of Electrical Engineering and Computer Science
United States Military Academy
West Point, NY 10996
(845) 938-3933

Go to top of page

horizontal bar

FISSEA Board Compiling List of Presenters

As a service to FISSEA members, your Executive Board wants to compile a List of Presenters, which will be distributed to members when they send a request to fisseamembership@nist.gov. If you are a presenter and give permission to be listed, please submit your name, affiliation, mailing address, phone number, and email address to the above address. Also include the titles of your presentation(s), your website, and a very brief synopsis. Please note any special restrictions, i.e., cannot travel outside DC area, or fee only. Send this information to board member, Mary Ann Strawn, mast@loc.gov.

Go to top of page

horizontal bar

Federal Cyber Service: Scholarship for Service (SFS)

Ernest L. McDuffie, Ph.D., Program Director
National Science Foundation

Overview
This program seeks to increase the number of qualified students entering the fields of information assurance and computer security and to increase the capacity of the United States higher education enterprise to continue to produce professionals in these fields. The program has two tracks:

The Scholarship Track provides funding to colleges and universities to award scholarships in information assurance and computer security fields. Scholarship recipients will become part of the Federal Cyber Service of information technology specialists who ensure the protection of the U.S. Government's information infrastructure. Upon graduation after their two-year scholarships, the recipients will be required to work for a federal agency for two years in fulfillment of their Federal Cyber Service commitment.

The Capacity Building Track provides funds to colleges and universities to improve the quality and increase the production of information assurance and computer security professionals through professional development of information assurance faculty and the development of academic programs. Partnerships designed to increase participation by underrepresented groups are particularly encouraged.

Deadlines

  • Letters of intent (optional): November 2003 (anticipated)
  • Formal proposals: December 2003 (anticipated)
  • Program Solicitation

The program solicitation covering the upcoming (anticipated) proposal deadline has not yet been published. NSF 02-181 http://www.nsf.gov/cgi-bin/getpub?nsf02181, covering last year's proposal deadline, contains a description of the SFS program that may be useful to prospective proposers. However, for the latest information and instructions for submitting proposals, proposers must consult the new program solicitation, which will be published at least three months before the relevant proposal deadline.

Related Documents
NSF PR 03-21
http://www.nsf.gov/od/lpa/news/03/pr0321.htm :
"NSF Announces New Scholarship for Service Awards" (press release announcing additional awards made as a result of the FY2002 supplemental appropriations bill) (Feb. 14, 2003)

NSF PR 02-66
http://www.nsf.gov/od/lpa/news/02/pr0266.htm :
"Scholarship for Service Awards Expanded After President Signs Supplemental Budget Bill" (press release announcing supplemental appropriations to expand the SFS program) (August 7, 2002)

NSF PR 01-45
http://www.nsf.gov/cgi-bin/getpub?pr0145 :
"NSF Scholarship for Service Awards Announced at Information Security Colloquium" (press release announcing the first awards made in the SFS program's "Scholarship" track) (May 22, 2001)

National Security Agency Centers of Academic Excellence in Information Assurance Education (see "criteria for measurement")
http://www.nsa.gov/isso/programs/coeiae/index.htm

Contact Information
Federal Cyber Service: Scholarship for Service (SFS) Program
Division of Undergraduate Education
National Science Foundation
4201 Wilson Blvd., Suite 835
Arlington, VA 22230
Phone: 703.292.8669
E-mail: sfs@nsf.gov or emcduffi@nsf.gov
Lead program director: Dr. Ernest L. McDuffie

Go to top of page

horizontal bar

Canadian University Teaches Students How To Create Malware

via Kaspersky Labs

The course is intended to help stop computer viruses but many are not convinced and fear the opposite.

The controversial undergraduate course offered by the University of Calgary is called, "Computer Viruses and Malware" and will be taught for the first time this coming autumn. Students that take the class will learn how to create worms, viruses and trojan horses as well as learn about the legal, ethical and computer security issues that surround the computer virus problem. The logic behind the course being that in order to better fight viruses and malware, tomorrow's programmers need to better understand them.

The "Computer Viruses and Malware" course is the first of its kind in Canada and joins similar programs on the vanguard of this new approach to the battle against viruses and hackers. This past March, England's University of Leeds, in cooperation with the Microsoft corporation, announced its plans to train budding programmers in the art of writing malicious source code in a course entitled, "Secure Programming".

Dr. John Aycock, the professor teaching the University of Calgary course draws a comparison with how the medical field fights biological viruses, "Before you can develop a cure, you have to understand what the virus is and how it spreads. Why should combating computer viruses be any different?"

Not convinced is Graham Cluley, an anti-virus industry technology consultant who stated, "Should we teach kids how to break into cars if they're interested in becoming a policeman one day? One wonders if the university will be held legally and financially responsible if any of the viruses written on their course break out and infect innocent computer users."

Go to top of page

horizontal bar

TRAINIA

This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at lmn@nrc.gov

********************

SEPT 15-17, 2003 E-Gov Information Assurance Conference and Exhibition. "Building a Cohesive Enterprise Approach"
Ronald Reagan Building and International Trade Center Washington, DC.

Are you responsible for ensuring the security of diverse online operations, managing increasingly complex networks, and incorporating security requirements of evolving IA policies and standards? Then attend the Information Assurance Conference & Exhibition. Presented by E-Gov and Federal Computer Week, this conference focuses on a number of disciplines beyond narrowly-defined cybersecurity concerns. Attend and learn how to plan, manage and fund IA initiatives throughout government enterprises. For more information and to register, visit http://www.e-gov.com/events/2003/ia/ or call 800-746-0099.

********************

SEPT 25, 2003 FIRST FREE FISSEA Workshop, "Developing Role-Based Training for System Administrators and Managers". See the full-page flyer at the end of the newsletter or your FISSEA website for complete details.

********************

Upcoming E-Gov Conferences
* Enterprise Architecture - Sept 10-12 - Ronald Reagan Building
* Information Assurance - Sept 15-17 - Ronald Reagan Building, Washington DC
* E-Learning - October 16-17 - Renaissance Hotel, Washington DC
* Homeland Security, December 2-3, Ronald Reagan Building, Washington DC
For info, contact: Helen Ortel at Helen@e-gov.com or (703) 876-5138. A little more about E-Gov Information Assurance Conference, September 15 - 17, 2003. The event will be held at the Ronald Reagan Building and International Trade Center in Washington, DC. In its fourth year, the Conference will include three keynote speakers, 24 conference sessions, and three half-day tutorials focused on the most compelling strategies, technologies, and lessons learned for public sector professionals across government. More info, contact Suzanne Young at Suzanne@e-gov.com visit
http://www.e-gov.com/events/2003/ia/ or call 800-746-0099.

********************

SEPT 29 - OCT 2, 2003 Black Hat Briefings & Training Federal, Sheraton Hotel, Tysons Corner, VA. The new Federal version of the popular technically focused IT security Black Hat events held worldwide. For more info check out: www.blackhat.com

********************

OCT 21, 22 & 23, 2003 Federal Information Assurance Conference (FIAC) 2003 (in Adelphi, Maryland) "An Alliance for a More Secure Nation" The 3rd Annual Federal Information Assurance Conference is a unique event - designed specifically to meet the real-world information assurance needs of the Federal Government, for the government by the government. Learn more about FIAC, visit www.fbcinc.com/fiac or contact Joyce Anderson, Special Conference Manager by email: joyce@fbcdb.com or voice: (301)206-2940 x201

********************

NOV 11-13, 2003 CPM 2003 EAST in Washington, DC at the Marriott Wardman Park Hotel. Today's effective business continuity professional must understand the strategic value of continuity of operations, emergency management, and security. Visit www.ContingencyPlanningExpo.com for more information.

********************

MARCH 9-11, 2004 17th Annual FISSEA Conference, "Awareness, Training, and Education: The Driving Force Behind Information Security", will be held in the Washington/Baltimore area. Mark your calendars! Further details will be announced on your website, http://csrc.nist.gov/fissea.

Please contact our Program Director, Curt Carver, curtis.carver@usma.edu or our Conference Director, Chrisan Herrod, herrodc@ndu.edu or send an email to fisseamembership@nist.gov with suggestions on presentations or other conference related ideas.

********************

NEW...The newly released NIST InterAgency Report 6887 - 2003 Edition, Government Smart Card Interoperability Specification (v2.1) is now available. GSC-ISv2.1 has expanded the government smart card architecture defined in GSC-ISv2.0 with the addition of an interface for contactless cards. GSC-ISv2.1 provides a common contactless card interface and establishes the foundation for achieving interoperability for both contact and contactless cards. A copy of NISTIR 6887-2003 can be found at http://smartcard.nist.gov This document can also be found on the NIST Computer Security InterAgency Report page on CSRC under the Publications area: http://csrc.nist.gov/publications/nistir/

********************

Excellent Videotape on Laptop Security Submitted by Rhonda Bitterli (SAIC) Last year, I obtained the Now You See It, Now You Don't videotape for our customer. This 20-minute videotape, available from Greeneway Teleproductions, provides excellent tips on laptop security and theft prevention. Viewers have found this videotape to be very interesting and informative. Information on the videotape is available on the Internet at the following address: http://www.security-videos.com/index.htm or by phone at (319) 366-8778.

********************

The Learning Tree Hands-On IT Course brochure is out. It lists over 155 courses, plus some other exciting opportunities. Info can be found at: http://www2.learningtree.com/

********************

SYTEX Training Facility events (Ellicott City, MD): 8-19Sept03 - Networks & Networking for Agents/System Security & Exploitation (HANDS-ON) Ten day course is designed to meet the special needs of law enforcement, intelligence officers, and analysts who must understand the way networks operate, and the way hackers exploit these networks. For further info contact Joe Zagorski or Lynda Swanson at (410) 465-8744, http://sytexinc.com/SytexInc/services/training.asp

********************

MIS Training Institute upcoming activities: The Conference and Expo on Mobile and Wireless Security

September 23-25, 2003, Chicago, IL Optional Workshops September 21, 22, 26 Updates to come at: http://pull.xmr3.com/p/17724-4273/87512032/http-www.misti.com-05-tris0503mws03sinf.html

HealthSec 2003 Conference and Expo September 23-25, 2003, Chicago, IL Optional Workshops September 21, 22, 26 Updates to come at: http://pull.xmr3.com/p/17724-4273/87512024/http-www.misti.com-05-tris0503hs03inf.html

The MIS and IIA Annual Conference and Expo on Control and Audit of Information Technology September 30-October 2, 2003, Orlando, FL Optional Workshops September 29 & October 2 Updates to come at: http://pull.xmr3.com/p/17724-4273/87512015/http-www.misti.com-05-tris0503conf23inf.html Auditing Your Information Security Program August 4-6, 2003, Boston, MA October 15-17, 2003, Chicago, IL http://pull.xmr3.com/p/17724-4273/87512020/http-www.misti.com-05-tris0503eisinf.html

Power IT Auditing August 18-21, 2003, Atlanta, GA November 10-13, 2003, Chicago, IL http://pull.xmr3.com/p/17724-4273/87512017/http-www.misti.com-05-tris0503eapinf.html HIPAA Security and the Final Rules October 20-21, 2003, Boston, MA December 8-9, 2003, Chicago, IL http://pull.xmr3.com/p/17724-4273/87512012/http-www.misti.com-05-tris0503br2inf.html

********************

ISACA presents the following Training Weeks: Contact Sandy Arens at (847)253-1545, ext. 485 or conference@isaca.org or http://www.isaca.org/train_kc.htm

22-26 September 2003 in Kansas City, Missouri USA 20-24 October 2003 in Ottawa, Ontario Canada 27-31 October 2003 in Orange County, California USA 12-16 October 2003 in Sao Paulo, Brazil Network Security Conference on 17-19 November 2003 in Milan, Italy

********************

Dear FISSEA,
. Do remember that all of my stuff on the Web is available free to anyone for non-commercial use; that includes entire courses and the whole archive of newsletters. M. E. Kabay, PhD, CISSP, Assoc. Prof. Info. Assurance, Prog. Dir., MSc in Info. Assurance Norwich University, Northfield VT (802) 479-7937 E-mail: mailto:mkabay@norwich.edu http://www2.norwich.edu/mkabay/index.htm http://www3.norwich.edu/msia * Network World Fusion Security Newsletters http://www.nwfusion.com/newsletters/sec

Norwich University's Online Master of Science in Information Assurance Program is a 24 month program utilizing some of the biggest names in information assurance to teach the policies, procedures, and structure of a well-managed information assurance program. Learn more about it at: http://www3.norwich.edu/msia

********************

Patriot Technologies is an authorized training center for many security tools and they offer discounts on some courses. If interested in more info, contact George O'Connell on (888)417-9899 or at www.patriot-tech.com

********************

Azusa Pacific University just released a short video explaining Honeynet and related concepts. It's available on the HoneyNet Project website in QuickTime format, at: http://www.honeynet.org/misc/files/HoneynetWeb.mov The video is particularly useful to show to management types =) For more info, contact: Patrick McCarty (626) 815-6000 x5050 or mccartyp@apu.edu

********************

Call for Papers and Presentations Financial Cryptography '04 - 9-12 February 2004 in Key West, Florida. Submission deadline 1 September 2003 23h59 GMT Author notification 15 November 2003 Pre-proceedings version due 15 December 2003 Conference Web site: http://ifca.ai/fc04 Original papers and presentations on all aspects of financial-data security and secure digital commerce are solicited for submission to the Eight Annual Conference on Financial Cryptography (FC '04). FC '04 will bring together researchers and practitioners in the financial, legal, cryptologic, and data-security fields to foster cooperation and exchange of ideas.

********************

FISSEA's friend, Allan Berg leaves James Madison University (JMU). Should you wish to contact him, here is his information: Allan Berg, Deputy Director, Center for Information Assurance, University of Dallas Graduate School of Management, 2325 Dulles Corner Blvd., Suite 500, Herndon, VA 20171, (703)788-6801, http://gsmweb.udallas.edu/info_assurance/

********************

Go to top of page

horizontal bar

New Look for Newsletter

No, it is not your imagination; the newsletter has undergone a facelift. The masthead and paper color are new and, hopefully, grab your attention. The newsletter will continue to be published quarterly and submissions are always welcomed. Send comments on the new look or submissions to Louis Numkin, lmn@nrc.gov and/or fisseamembership@nist.gov.

Go to top of page

horizontal bar

Back arrow Back to FISSEA Homepage back arrow Back to Newsletter Index back arrow Back to CSRC Homepage

Please send comments or suggestions to webmaster-csrc@nist.gov.
Last Modified: August 11, 2003.