Federal Information Systems Security Educators' Association
Issue Two of FISSEA Year 2003-2004
Hello FISSEA Members:
This is probably a busy season for most of you who work in information systems security for the federal government with many kinds of reporting and/or auditing type activities currently underway. Every year I think it will be better next year, because we will have more clear guidance on what we must do earlier, more realistic timeframes and more qualified security personnel to do the job. If you are lucky enough to have a well-trained, competent security team to help you respond to a steadily increasing and more complex workload, then you are truly blessed.
I sometimes find myself rejoicing that at last top management seems to be aware of the importance of protecting their agency or corporate assets effectively. Most managers realize that they are ultimately responsible for identifying and managing certain risks that unless managed appropriately could cause catastrophic and/or unacceptable consequences if successfully exploited. I wish I could say that it appears that managers at all levels are learning these lessons on managing risks and securing their assets as a result of willingly participating in systems security awareness and training opportunities. Unfortunately, in too many instances, managers appear to be more concerned about doing what is required to convince auditors that existing safeguards or controls are adequate or trying to find out what is the minimum fix we can install to most likely address/complete an audit finding.
FISSEA members, I hope that my perspective is flawed and that you are more optimistic about the effectiveness of your security awareness and training programs for managers. I am convinced that a sound security awareness and training program is more essential than ever before for an Agency or Corporation to have an effective information systems security program. I am equally convinced that it is not enough to assign people to specific positions where they are responsible for fulfilling specific security functions. The time has come when people who have security functions must receive adequate and timely training before they are expected to perform their duties successfully. I believe that there are too many people encumbering security jobs without having taken any formal security classes. Most managers would never assign an untrained employee to manage a major project, yet security officers are sometimes expected to protect critical agency or corporate assets with little or no security training.
Finally, please mark your calendars now and plan to attend the 17th FISSEA Conference on March 9 to 11, 2004. As usual, more details will be forthcoming on our website and in each of our next 3 newsletters. Begin today thinking about whom you will nominate for the 2004 Educator of the Year. Our website includes directions on how to make a nomination. We look forward to communicating with you throughout the year and doing all that we can to assist you in your security awareness, training and education programs.
Barbara Cuffie, CISSP
FISSEA Editor's Column
Now to point - Just two weeks ago, I was on the dais in our auditorium as part of a triumvirate representing physical/personnel/information/computer security. The presentation was an outgrowth from an IG finding that too many staff members had forgotten or never learned the proper care and feeding of sensitive data. So, the three of us attempted to impact on the minds of over 1,000 personnel at various levels of the organization's power structure during five cookie cutter sessions.
As with Computer Security Awareness, we must provide it for varied levels of expertise, from novice to expert - none of whom wanted to be there. Since I was the third to speak, my first glimpse of the 200 attendees was glazed-over eyes with chins and some noses pointed toward the floor. It was not a pretty sight! Anyone who has seen my presentations knows I try to inject some humor in the slides or patter to help hold interest. Well, instead of waiting, I hit them with humor from the start. This quip was definitely not in bad taste (Yes, one must know one's limits based on audience makeup and try to keep the humor rehearsed and somewhere close to the topic being discussed), elicited the desired chuckle response (forcing them to breathe in oxygen), regained the audience's attention (detected by their attentive gaze), and permitted me to provide my talk to a more open eyed/eared group than the earlier speakers.
Proving that no good deed goes unpunished (here I succeeded in getting my message across without offending anyone)... I heard from the presentation coordinator that the IG said to "drop the humor" as there was no place for it in a serious presentation. Bah Humbug!
The next time we gave our presentation, I saw 200 similar audience faces with closed eyes. So, I tried something else - calling for an audience response en masse. The first try was lukewarm but I challenged them to really sound off and, though they didn't rattle the rafters, it was louder... rousing some dozers to a more alert stature. This time, no IG complaint was voiced.
Another technique which has worked for many speakers is to ask questions to the audience and reward correct answerers with candy or trinkets. Put on your creative hats and you will find more innovative methods which might better work with your audience.
Folks, I am not beating up on the IG, just encouraging each of us who must address less than extremely interested groups to have more than one trick up our sleeves to help in getting our message across. Remember, our sometimes impossible mission is to increase computer security awareness which is difficult to accomplish when audience eyes/ears are closed.
In May 2003, the Federal Information Systems Security Awareness web-based training (WBT) product received a "Gold Cindy Award for Training: General" - by the Cinema in Industry, "Cindy Awards" competition. Often equated to the "Emmys" of interactive media, the twice annual Cindy Competition is presented by the International Association of Audio Visual Communicators (IAAVC) http://www.iaavc.org/, a non-profit group representing theatrical, broadcast, non-broadcast, and interactive media professionals throughout the world.
The Federal Information Systems Security Awareness product was a joint FISSEA and Defense Information Systems Agency (DISA) effort. FISSEA member, and former Executive Board member, Patricia Black of the Treasury Department, led the project.
Training, and Education: The Driving Force behind Information Security"
Are you getting excited yet? The 2004 FISSEA conference is right around the corner and the planning staff is hard at work to improve upon last year's conference. This year's conference theme, "Awareness, Training, and Education: The Driving Force behind Information Security" highlights the critical role we play in information security. While last year's conference was awesome, we are looking at ways to make the 2004 conference even better. If you have a great idea for the conference or would like to help, you can contact Chrisan Herrod (firstname.lastname@example.org) about the conference overall or Curt Carver about the technical program (email@example.com). Recommend your favorite keynote speakers and we will do the rest. Look for the call for papers in the next 30 days and submit early as we had many more submissions than presentation slots last year. The 2004 FISSEA conference will set the pace for driving change in information security awareness, training, and education. Don't be left in the dust and miss this year's conference.
Curtis A. Carver Jr., Ph.D.
As a service to FISSEA members, your Executive Board wants to compile a List of Presenters, which will be distributed to members when they send a request to firstname.lastname@example.org. If you are a presenter and give permission to be listed, please submit your name, affiliation, mailing address, phone number, and email address to the above address. Also include the titles of your presentation(s), your website, and a very brief synopsis. Please note any special restrictions, i.e., cannot travel outside DC area, or fee only. Send this information to board member, Mary Ann Strawn, email@example.com.
Ernest L. McDuffie, Ph.D., Program Director
The Scholarship Track provides funding to colleges and universities to award scholarships in information assurance and computer security fields. Scholarship recipients will become part of the Federal Cyber Service of information technology specialists who ensure the protection of the U.S. Government's information infrastructure. Upon graduation after their two-year scholarships, the recipients will be required to work for a federal agency for two years in fulfillment of their Federal Cyber Service commitment.
The Capacity Building Track provides funds to colleges and universities to improve the quality and increase the production of information assurance and computer security professionals through professional development of information assurance faculty and the development of academic programs. Partnerships designed to increase participation by underrepresented groups are particularly encouraged.
The program solicitation covering the upcoming (anticipated) proposal deadline has not yet been published. NSF 02-181 http://www.nsf.gov/cgi-bin/getpub?nsf02181, covering last year's proposal deadline, contains a description of the SFS program that may be useful to prospective proposers. However, for the latest information and instructions for submitting proposals, proposers must consult the new program solicitation, which will be published at least three months before the relevant proposal deadline.
NSF PR 02-66
NSF PR 01-45
National Security Agency
Centers of Academic Excellence in Information Assurance Education (see "criteria for measurement")
via Kaspersky Labs
The course is intended to help stop computer viruses but many are not convinced and fear the opposite.
The controversial undergraduate course offered by the University of Calgary is called "Computer Viruses and Malware" and will be taught for the first time this coming autumn. Students that take the class will learn how to create worms, viruses and trojan horses as well as learn about the legal, ethical and computer security issues that surround the computer virus problem. The logic behind the course is that in order to better fight viruses and malware, tomorrow's programmers need to better understand them.
The "Computer Viruses and Malware" course is the first of its kind in Canada and joins similar programs on the vanguard of this new approach to the battle against viruses and hackers. This past March, England's University of Leeds, in cooperation with the Microsoft corporation, announced its plans to train budding programmers in the art of writing malicious source code in a course entitled, "Secure Programming".
Dr. John Aycock, the professor teaching the University of Calgary course, draws a comparison with how the medical field fights biological viruses: "Before you can develop a cure, you have to understand what the virus is and how it spreads. Why should combating computer viruses be any different?"
Not convinced is Graham Cluley, an anti-virus industry technology consultant who stated, "Should we teach kids how to break into cars if they're interested in becoming a policeman one day? One wonders if the university will be held legally and financially responsible if any of the viruses written on their course break out and infect innocent computer users."
This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to the Editor at firstname.lastname@example.org
SEPT 15-17, 2003 E-Gov Information Assurance Conference and Exhibition. "Building a Cohesive
Are you responsible for ensuring the security of diverse online operations, managing increasingly complex networks, and incorporating security requirements of evolving IA policies and standards? Then attend the Information Assurance Conference & Exhibition. Presented by E-Gov and Federal Computer Week, this conference focuses on a number of disciplines beyond narrowly-defined cybersecurity concerns. Attend and learn how to plan, manage and fund IA initiatives throughout government enterprises. For more information and to register, visit http://www.e-gov.com/events/2003/ia/ or call 800-746-0099.
SEPT 25, 2003 FIRST FREE FISSEA Workshop, "Developing Role-Based Training for System Administrators and Managers". See the full-page flyer at the end of the newsletter or your FISSEA website for complete details.
Upcoming E-Gov Conferences
SEPT 29 - OCT 2, 2003 Black Hat Briefings & Training Federal, Sheraton Hotel, Tysons Corner, VA. The new Federal version of the popular technically focused IT security Black Hat events held worldwide. For more info check out: www.blackhat.com
OCT 21, 22 & 23, 2003 Federal Information Assurance Conference (FIAC) 2003 (in Adelphi, Maryland) "An Alliance for a More Secure Nation" The 3rd Annual Federal Information Assurance Conference is a unique event - designed specifically to meet the real-world information assurance needs of the Federal Government, for the government by the government. Learn more about FIAC, visit www.fbcinc.com/fiac or contact Joyce Anderson, Special Conference Manager by email: email@example.com or voice: (301)206-2940 x201
NOV 11-13, 2003 CPM 2003 EAST in Washington, DC at the Marriott Wardman Park Hotel. Today's effective business continuity professional must understand the strategic value of continuity of operations, emergency management, and security. Visit www.ContingencyPlanningExpo.com for more information.
MARCH 9-11, 2004 17th Annual FISSEA Conference, "Awareness, Training, and Education: The Driving Force Behind Information Security", will be held in the Washington/Baltimore area. Mark your calendars! Further details will be announced on your website, http://csrc.nist.gov/fissea.
Please contact our Program Director, Curt Carver, firstname.lastname@example.org or our Conference Director, Chrisan Herrod, email@example.com or send an email to firstname.lastname@example.org with suggestions on presentations or other conference related ideas.
NEW...The newly released NIST InterAgency Report 6887 - 2003 Edition, Government Smart Card Interoperability Specification (v2.1) is now available. GSC-ISv2.1 has expanded the government smart card architecture defined in GSC-ISv2.0 with the addition of an interface for contactless cards. GSC-ISv2.1 provides a common contactless card interface and establishes the foundation for achieving interoperability for both contact and contactless cards. A copy of NISTIR 6887-2003 can be found at http://smartcard.nist.gov. This document can also be found on the NIST Computer Security InterAgency Report page on CSRC under the Publications area: http://csrc.nist.gov/publications/nistir/
Excellent Videotape on Laptop Security
Submitted by Rhonda Bitterli (SAIC)
Last year, I obtained the Now You See It, Now You Don't videotape for our customer. This 20-minute videotape, available from Greeneway Teleproductions, provides excellent tips on laptop security and theft prevention. Viewers have found this videotape to be very interesting and informative. Information on the videotape is available on the Internet at the following address: http://www.security-videos.com/index.htm or by phone at (319) 366-8778.
The Learning Tree Hands-On IT Course brochure is out. It lists over 155 courses, plus some other exciting opportunities. Info can be found at: http://www2.learningtree.com/
SYTEX Training Facility events (Ellicott City, MD): 8-19Sept03 - Networks & Networking for Agents/System Security & Exploitation (HANDS-ON) Ten day course is designed to meet the special needs of law enforcement, intelligence officers, and analysts who must understand the way networks operate, and the way hackers exploit these networks. For further info contact Joe Zagorski or Lynda Swanson at (410) 465-8744, http://sytexinc.com/SytexInc/services/training.asp
MIS Training Institute upcoming activities:
The Conference and Expo on Mobile and Wireless Security, September 23-25, 2003, Chicago, IL. Optional Workshops September 21, 22, 26. Updates to come at: http://pull.xmr3.com/p/17724-4273/87512032/http-www.misti.com-05-tris0503mws03sinf.html
HealthSec 2003 Conference and Expo, September 23-25, 2003, Chicago, IL. Optional Workshops September 21, 22, 26. Updates to come at: http://pull.xmr3.com/p/17724-4273/87512024/http-www.misti.com-05-tris0503hs03inf.html
The MIS and IIA Annual Conference and Expo on Control and Audit of Information Technology, September 30-October 2, 2003, Orlando, FL. Optional Workshops September 29 & October 2. Updates to come at: http://pull.xmr3.com/p/17724-4273/87512015/http-www.misti.com-05-tris0503conf23inf.html
Auditing Your Information Security Program, August 4-6, 2003, Boston, MA; October 15-17, 2003, Chicago, IL. http://pull.xmr3.com/p/17724-4273/87512020/http-www.misti.com-05-tris0503eisinf.html
Power IT Auditing, August 18-21, 2003, Atlanta, GA; November 10-13, 2003, Chicago, IL. http://pull.xmr3.com/p/17724-4273/87512017/http-www.misti.com-05-tris0503eapinf.html
HIPAA Security and the Final Rules, October 20-21, 2003, Boston, MA; December 8-9, 2003, Chicago, IL. http://pull.xmr3.com/p/17724-4273/87512012/http-www.misti.com-05-tris0503br2inf.html
ISACA presents the following Training Weeks: Contact Sandy Arens at (847)253-1545, ext. 485 or email@example.com or http://www.isaca.org/train_kc.htm
22-26 September 2003 in Kansas City, Missouri USA
20-24 October 2003 in Ottawa, Ontario Canada
27-31 October 2003 in Orange County, California USA
12-16 October 2003 in Sao Paulo, Brazil
Network Security Conference on 17-19 November 2003 in Milan, Italy
Norwich University's Online Master of Science in Information Assurance Program is a 24 month program utilizing some of the biggest names in information assurance to teach the policies, procedures, and structure of a well-managed information assurance program. Learn more about it at: http://www3.norwich.edu/msia
Patriot Technologies is an authorized training center for many security tools and they offer discounts on some courses. If interested in more info, contact George O'Connell on (888)417-9899 or at www.patriot-tech.com
Azusa Pacific University just released a short video explaining Honeynet and related concepts. It's available on the HoneyNet Project website in QuickTime format, at: http://www.honeynet.org/misc/files/HoneynetWeb.mov The video is particularly useful to show to management types =) For more info, contact: Patrick McCarty (626) 815-6000 x5050 or firstname.lastname@example.org
Call for Papers and Presentations: Financial Cryptography '04 - 9-12 February 2004 in Key West, Florida.
Submission deadline: 1 September 2003 23h59 GMT
Author notification: 15 November 2003
Pre-proceedings version due: 15 December 2003
Conference Web site: http://ifca.ai/fc04
Original papers and presentations on all aspects of financial-data security and secure digital commerce are solicited for submission to the Eighth Annual Conference on Financial Cryptography (FC '04). FC '04 will bring together researchers and practitioners in the financial, legal, cryptologic, and data-security fields to foster cooperation and exchange of ideas.
FISSEA's friend, Allan Berg leaves James Madison University (JMU). Should you wish to contact him, here is his information: Allan Berg, Deputy Director, Center for Information Assurance, University of Dallas Graduate School of Management, 2325 Dulles Corner Blvd., Suite 500, Herndon, VA 20171, (703)788-6801, http://gsmweb.udallas.edu/info_assurance/
No, it is not your imagination; the newsletter has undergone a facelift. The masthead and paper color are new and, hopefully, grab your attention. The newsletter will continue to be published quarterly and submissions are always welcomed. Send comments on the new look or submissions to Louis Numkin, email@example.com and/or firstname.lastname@example.org.
Please send comments or suggestions to email@example.com.
Last Modified: August 11, 2003.