20th National
Information Systems
Security Conference


October 6, 1997
Pre-Conference Workshops

October 7-10, 1997
Baltimore Convention Center
Baltimore, MD
Sponsored by:

Information Technology Lab, National Institute of Standards and Technology
National Computer Security Center, National Security Agency

Contents

Overview
Special Features
Pre-Conference Workshops
Presentations
Closing Plenary
General Information
Sponsors
Registration Form
Housing Form
Map of Baltimore


Overview


As a leading global forum on computer and information systems security, the National Information Systems Security Conference seeks to:

The conference will present multiple tracks with workshops, tutorials, panels, and refereed papers in the areas of:

To improve the conference and increase its focus, the Program Committee has been expanded this year. The new members include Jim Schlinder, Hewlett Packard; Peter Tasker, MITRE Corporation; and Roger Quane, NSA; who have orchestrated the Electronic Commerce, Internet, and Tutorial tracks respectively. In addition, Joan Winston, Trusted Information Systems, Inc., and John Woodward, MITRE Corporation, have arranged several sessions in the new Debate Track and Critical Infrastructure Thread. Hilary Hosmer, Data Security, Inc., has provided overall guidance to the Program Committee.

Conference threads will address the interests of the financial, business, academic, and government communities. Topics discussed will be directed toward:

There will be opportunities for information sharing as well as new approaches for solving management and technical issues. The conference will contribute to your professional growth as you gain new insights and knowledge, in turn assisting in your information systems security responsibilities. The formal sessions and social events will provide time to network with experts and peers across a wide spectrum of interests.

This Preliminary Program contains the most current information available at the time of printing. As we add additional sessions to the program, times and dates may be changed to avoid conflicts. The final program will be distributed at the conference and will be available on the World Wide Web at http://csrc.nist.rip/nissc/.

Information Systems Security Exposition (held in parallel)

A parallel exposition will provide a forum for industry to showcase information systems security technology and hands-on demonstrations of products and services that are potential solutions to many network and computer security problems. The exposition, sponsored by the Armed Forces Communications and Electronics Association (AFCEA), will be presented on October 8 and 9, from 10 a.m. to 5 p.m. For exposition information, call the AFCEA at (703) 631-6200 or send e-mail to jspargo@aol.com.


Special Features


Monday
October 6, 1997

Pre-Conference Workshops

11:00 a.m.-5:30 p.m.
Pre-registration required. Cost: $100
I Risk Management for Information Systems: A Quantitative Solution
II Common Criteria Protection Profile
III How to Establish an Incident Handling Capability
IV Connecting to the Internet

Tuesday

October 7, 1997

Early Bird Sessions

8:30 a.m.-10:00 a.m.

Conference Overview

Christopher Bythewood, National Security Agency, Chair

Planning Information Security

Christine Trently, Lockheed Martin, Chair

Student Papers on Electronic Commerce

Nick Pantiuk, IITRI, Chair

Information Systems Security Videos

Roger Quane, NSA, Chair

Opening Plenary

10:30 a.m.-12 noon

Ballroom I

Keynote Speaker

Award Ceremony and Reception

Awards will be presented to vendors that have successfully developed security product lines that have been approved by the NIST Validation Program or the NCSC Trusted Computer System Evaluation Program. Certificates also will be presented to participants in the Systems Security Engineering Capability Maturity Model.

The ceremony commences at 5:45 p.m., followed by the reception.

Wednesday
October 8, 1997

Banquet

Thursday
October 9, 1997

Best Paper and Best Student Paper Award Ceremony and Reception

Best paper and best student paper awards will be presented at the National Cryptologic Museum at Fort Meade, Maryland. Directions and bus information will be available at the conference Information Booth. An awards reception will begin at 6:30 p.m. and end at 8 p.m. in the museum.

Friday
October 10, 1997

Closing Plenary

Ballroom

Dr. Peter G. Neumann, SRI International, will lead an internationally distinguished panel on "The Future of Electronic Commerce: Risks, Realities, and Expectations."

This panel begins at 10:30 a.m.

Visit the vendor exposition!

Over 100 INFOSEC vendors in the Convention Center Exhibition Hall
Sponsored by the Armed Forces Communications and Electronics Association (AFCEA)


Pre-Conference Workshops


Monday
October 6, 1997

Pre-registration is required.
Cost: $100 per workshop


11:00 a.m.-5:30 p.m.
Baltimore Convention Center


Workshop I:

Risk Management for Information Systems: A Quantitative Solution

During this course, the instructor uses a series of tutorials and interactive class exercises to give the student a comprehensive overview of the quantitative risk analysis process. At the end of the day, the student will have a thorough understanding of the phases that make up the risk assessment process and the algorithms used to calculate vulnerability, asset, threat, and risk measures.


Workshop II:

Common Criteria Protection Profile

This workshop will provide information and instruction on using the Common Criteria to build protection profiles to express information technology security requirements. Community experience in building protection profiles will be used for this instruction. Alternative sets of related technologies will be compared and contrasted in the hope of harmonizing like requirements into generic protection profiles for given technologies (e.g., firewalls). In addition, issues arising from attempting to create protection profiles representing non-classic requirement sets will be discussed.


Workshop III:

How to Establish an Incident Handling Capability

This workshop, which is sponsored by the Federal Computer Incident Response Capability (FedCIRC), will address many of the technical and administrative issues involved in establishing an incident handling capability. Topics to be covered include organizational structure, roles and responsibilities, technology platforms, incident handling methods, sample policy, reporting and issuing alerts, administrative and incident handling procedures, communications (users, other), and lessons learned.


Workshop IV:

Connecting to the Internet

This workshop will address many of the technical issues involved in connecting to and managing systems and sites that are parts of the Internet. Current threats on the Internet and how to work with incident response teams and obtain sources for more information will be explored. Administrative information also will be given, such as the importance of setting up policies with management support. Topics to be covered include current Internet threats, securing the system, detecting intrusions, and security on the Internet.


Tuesday

October 7, 1997

Early Bird Sessions

8:30 a.m.-10:00 a.m.

Conference Overview

Christopher Bythewood, National Security Agency, Chair


Planning Information Security

Christine Trently, Lockheed Martin, Chair


Student Papers on Electronic Commerce

Nick Pantiuk, IITRI, Chair


Information Systems Security Videos

Roger Quane, NSA, Chair

Opening Plenary

10:30 a.m.-12 noon

Ballroom I


Keynote Speaker

Tom Marsh, Presidential Commission on Critical Infrastructure Protection, Chair


Tuesday, October 7th


2:00 - 3:30 PM

Track A

Critical Elements of Security Frameworks

Chair: Judith Furlong, Lead INFOSEC Engineer, MITRE Corporation

This panel session focuses upon the critical elements of security frameworks and examines how these elements address the objectives of the framework and contribute to the development of security products. Commonality and differences of the emerging security frameworks will be examined and issues associated with security framework development and implementation will be discussed. The panel will also examine how influential these emerging security frameworks have been on the development of security products and will attempt to predict the future direction of security frameworks.

 Panelists:

Michael Willett, Consultant, Cryptography Competency Center, IBM Corporation [IBM SecureWay Key Management Framework]

Dave Aucsmith, Security Architect, Intel Architecture Labs [Intel Common Data Security Architecture (CDSA)]

Keith Klemba, Senior Technical Contributor, Hewlett-Packard Company [International Cryptography Framework (ICF)]

Track B

Electronic Commerce

Business Models for Electronic Commerce

A basic issue in the world of commerce on the Internet is the development of an appropriate business model. Some examples are entertainment (cable TV), telecoms, computing, and publishing. Each industry has different views based on history, economics, and technology. This session will discuss these industries' experiences and their applicability to electronic commerce.


Track C

Information Infrastructure

Infrastructure Vulnerabilities

John P. L. Woodward, MITRE, Chair

Panelists: Duane G. Hardy, Presidential Commission Staff

Other Panelists: TBD

This panel will discuss information vulnerabilities of infrastructures on which our national security depends, including telecommunications/networks, transportation systems, banking/finance systems, and electric power distribution. Audience participation - asking questions and sharing points of view - will be encouraged.


Track D

Debate

Legal & Liability Issues for the Use of Encryption

Joan Winston, TIS, Chair

Panelists: TBD

Increasingly, encryption is seen as a major tool for safeguarding information as it is stored or transmitted in electronic form. This session will debate the following topics: What will constitute business "best practice" for use of encryption? What will be required for "due care" in the use of encryption to safeguard stored files and records? What are the liability concerns for the use of powerful encryption products and who will bear the risks? How can these risks be mitigated?


Track E

Assurance / Criteria / Testing

National Information Assurance Center

Timothy Grance, NIST, Chair

Panelists: Senior Representatives from NSA, NIST, and Industry.

Reconciling the cost, quality, and timeliness of computer security testing and evaluation with the time-to-market pressures of IT vendors and the assurance needs of government and business is a daunting challenge. In response, NIST and NSA are forming the National Information Assurance Center. This session will discuss the center's goals, scope, agenda, projects, and partnership opportunities.


Track F

R & D

Role-Based Access Control

David Ferraiolo, NIST, Chair

Role-Based Access Control for the World Wide Web
Richard Kuhn, NIST

Observations on the Real-World Implementation of Role-Based Access Control
Burkhard Hilchenbach, Schumann Security Software, Inc.


Track G

Policy / Administration / Management

Multilevel Security

Ronda Henning, Harris Corporation, Chair

A Multi-Level Secure Object-Oriented Database Model
George Durham, University of Maryland-Baltimore County

Use of SSH on a Compartmented Mode Workstation
Johnny S. Tolliver, Oak Ridge National Laboratory

Multilevel Architectures for Electronic Document Retrieval
James A. Rome, Oak Ridge National Laboratory


Track H

Tutorials

Introduction to Information Systems Security
Diana Strickland, NSA

This tutorial presents a computer-based training overview of the multi-disciplined practice of Information Systems Security (INFOSEC) guidelines and policies as well as the basic INFOSEC elements of Communications Security (COMSEC) and Computer Security (COMPUSEC). There is also a review of information processing which outlines user responsibilities for handling data being stored, transmitted, or processed.

3:30 - 4:00 PM

Session Break & Social Networking


Tuesday, October 7th


4:00 - 5:30 PM

Track A

Internet

Security and Trust on the World Wide Web

J. Miller, World Wide Web Consortium (W3C), Domain Leader, Technology And Society Domain, Chair

Panelists: Phil DesAutels, W3C
Winn Treese, Open Market, Inc.
Brian O'Higgins, Entrust

The panel will discuss the issues that they believe are key to creating an acceptable business environment on the Web, including issues of both security and trust. The discussion will focus on both the technology issues and the social issues, since both must be addressed to create a true electronic marketplace.


Track B

Electronic Commerce

Security Architectures for Electronic Commerce

Clint Brooks, National Security Agency, Chair
Panelists: TBD

This panel will discuss architectural requirements and examine the comparisons and applications of existing security architectures.


Track C

Information Infrastructure

Information Warfare and the Civilian Population

Charles Abzug, Institute for Computer and Information Sciences, Inc., Chair
Panelists: TBD

This panel will explore to what extent the U.S. civilian population must be concerned regarding the possibility of adversaries of the United States carrying out acts of information warfare against our information systems.


Track D

Debate

Cryptography Debate

Ed Roback, NIST, Chair
Panelists: TBD

The panelists will debate the impact of the Administration's cryptographic policies, including export controls. Industry and government perspectives will be presented and approaches to change will be discussed and created.


Track E

Assurance / Criteria / Testing

The Systems Security Engineering Capability Maturity Model

Karen Ferraiolo, Arca Systems, Inc., Chair

This session will provide an overview of security and security engineering, describe the need for a capability maturity model (CMM) for security engineering, present the current SSE-CMM, and illustrate the application of the SSE-CMM using a hypothetical case study.


Track F

R & D

New Security Paradigms Workshop '97

Robert Blakley, IBM, Chair

Panelists: TBD

This panel will select topics from the 1997 New Security Paradigms Workshop, reflecting one or two important themes.


Track G

Policy / Administration / Management

Year 2000 (Y2K)

Richard Lefkon, Year 2000 Committee of AITP SIG-Mainframe, Chair

Panelists: Gregory Cirillo, JD, Williams, Mullen, Christian & Dobbin
Daniel Miekh, Terasys
Sanford Feld, TBI

This panel will discuss the security implications of Year 2000 problems. What is the effect of "clock roll-over"? The panelists will provide an overview of problems and solutions with a seven-step process. Additionally, attendees responsible for Y2K issues in their organization are eligible for complimentary copies of "Year 2000: Best Practices for Millennium Y2K Computing: Panic in Year Zero".


Track H

Tutorials

A Systems Approach to INFOSEC

Jim Urbanski, NSA, Chair

This tutorial provides a perspective of systems methodologies with applications to INFOSEC principles and disciplines. Attendees will gain an appreciation for the systems approach to problem solving, a technique that is applicable to both technical and non-technical problems within and outside your organization.

5:45 PM

Conference Awards Reception
Baltimore Convention Center

Awards will be presented to vendors that have successfully developed security product lines that have been approved by the NIST Validation Program or the NCSC Trusted Computer System Evaluation Program. Certificates also will be presented to participants in the Systems Security Engineering Capability Maturity Model.


Wednesday, October 8th


Track A

Internet

Critical Components of Intrusion Detection Systems

Chair: Jill Oliver, Vice President, CitiCorp Information Security Office, Citibank

Panelists: Dan Esbensen, Touch Technologies
Lee Sutterfield, WheelGroup
Mark Crosbie, Hewlett-Packard
Chris Klaus, Internet Security Systems, Inc.

Intrusion detection systems are coming of age. Today's products include capabilities to look at intrusion detection at a system-of-systems level, report suspected intrusions to a home office, and react locally to suspected intrusions by automatically denying access to the suspected attacking node. The panel members represent vendors and experienced users. They will discuss what's important and why for current and future capabilities.


Track B

Electronic Commerce

Secure Payment Protocols

Taher ElGamal, Netscape Communications Corporation, Chair

This panel will discuss implementation experiences in electronic payment systems, ranging from macropayment protocols to micropayment protocol design and analysis. Example applications of electronic malls will highlight the use of electronic payment mechanisms.


Track C

Information Infrastructure

Infrastructure Protection: Can Government and the Private Sector Work Together?

Michelle Van Cleave, Senate Judiciary Subcommittee on Technology, Terrorism, and Government Information, Chair

Panelists: TBD

This panel will discuss and debate information sharing and cooperation among the government and private sector infrastructure providers that will be necessary to protect our critical infrastructures in the future. Audience participation - asking questions and sharing points of view - will be encouraged.


Track D

Debate

Controlling Content on the Internet

Joan Winston, TIS, Chair

Panelists: TBD

This session will debate the following topics: Should network-accessible information be regulated? Is the Internet more like "broadcast" media that have historically faced regulatory and/or voluntary content controls (e.g., nudity, types of advertising) or is it more like a bookstore or library? Should we rely on market-based approaches and end-user discretion (parental guidance, employer policies for use of company resources) or should we have some form of government intervention to protect vulnerable groups like children?


Track E

Assurance / Criteria / Testing

Alternate Assurances: Implementation of Better Ways!

Mary Schanken, NSA, Chair

Panelists: Todd D. Schucker, LT.
Renell D. Edwards
Charles G. Menk, III, NSA

The panelists will discuss the Trusted Capability Maturity Model, Network Rating Model, and Systems Security Engineering Capability Maturity Model. The audience will be provided a brief overview, current status, and future goals of the three models. Time is provided for audience interaction in discussing details about these models.


Track F

R & D

Non-Military Cryptography: Opportunities, Threats, and Implementations

Bruce Schneier, Counterpane Systems, Chair

From encryption to digital signatures to electronic commerce to secure voting -- cryptography has moved out of the military and into the world. The speaker will address the future of non-military cryptography, the business opportunities, the risks, and work that needs to be done. Mr. Schneier will also address some common mistakes companies make when implementing cryptography and provide tips on how to avoid them.


Track G

Policy / Administration / Management

Certification & Accreditation

Jack Eller, DISA, Chair

Panelists: TBD

The panelists will discuss the current perspective on strategies for the certification and accreditation process.


Track H

Tutorials

Risk Management I: A Systems Approach to Threat

Anne Brooker-Grogan, NSA, Chair

This tutorial provides the first of three foundation tutorials of Risk Management. The session is designed to help attendees answer the questions: what do we really need to protect, and who or what are we protecting it from? It takes a systems analysis approach to looking at the tangible and intangible things we value and the threats to them. The tutorial provides an overview of multi-disciplined threat, threat to information systems, and an overview of information warfare. The tutorial prepares the attendee for the Risk Management II and Risk Management III sessions later in the week.

10:00 - 10:30 AM

Session Break & Social Networking


Wednesday, October 8th


10:30 AM - 12 noon

Track A

Internet

Platform-Independent Crypto APIs: What’s a Developer To Do?

Peter G. Neumann, SRI International, Chair

Panelists: Dave Balenson, Trusted Information Systems
Taher Elgamal, Netscape Communications Corp.
George Fox, Intel Architecture Labs
Li Gong, Javasoft, Sun Microsystems
John Marchioni, Cylink
Tim Moses, Entrust
Amy Reiss, NSA

This panel session will track progress in the emerging field of Cryptographic Application Programming Interfaces (CAPIs). Status of the major CAPIs in development and use today will be provided. In addition, vendors will discuss lessons learned from the development and utilization of these CAPIs in their products.


Track B

Information Infrastructure

R&D for Infrastructure Protection

Richard Brackney, NSA, Chair

Panelists: TBD

This panel will present a discussion of R&D activities needed or underway to focus technology on solving infrastructure assurance problems.


Track C

Debate

Issue for Discussion: Should the Computer Security Act Be Repealed?

Lynn McNulty, RSA Data Security, Inc., Chair

Panelists: TBD

This session will be devoted to a debate of the future of the Computer Security Act. Such issues as its applicability to the existing government systems environment, the impact of information warfare concepts, and the concerns of civil agencies with respect to the mandated adoption of national security community-driven standards and technologies will be examined.


Track D

Assurance / Criteria / Testing

Integrity Engineering

Donald Evans, Space Flight Operations Center, Chair

Panelists: TBD

This panel will discuss the identification and deployment of protection mechanisms, reduction of residual risks, and determination of the metrics of protective effectiveness and efficiency for inter/intra-networked systems-of-systems. These systems are comprised of heteromorphic major applications and general support systems requiring disparate levels of integrity, consistency, and operational continuity.


Track E

R & D

Database Security: Browsers, Encryption, Certificates and More

John Campbell, NSA, Chair

Panelists: Senior Technologists from Oracle, Informix, Sybase

This session explores security problems and solutions with "new" database systems, including those with web browsers and servers, systems requiring strong identification and authentication, single sign-on, multilevel systems, and large mainframe and warehouse systems.


Track F

Policy / Administration / Management

Public Key Certificate Policies

Noel Nazario, NIST, Chair

Panelists: Warwick Ford, Verisign
Santosh Chokhani, CygnaCom
Michael Jenkins, NSA

The panel will discuss the current status of Public Key (PK) Certificates as defined by ITU Recommendation X.509 version 3. This discussion will be of interest to representatives from Federal agencies interested in the use of PK technology to provide services to conduct their internal operations, industry participants interested in using or providing certificate management services, and people interested in the future of electronic communications and electronic commerce.


Track G

Tutorials

Risk Management II: Introduction to Vulnerabilities

Bill Unkenholz, NSA, Chair

This tutorial provides the second of three foundation tutorials of Risk Management. This tutorial continues with the methodology from Risk Management I, using a systems analysis approach to identify, analyze, and quantify system vulnerabilities.

12 noon - 2:00 PM

Lunch Break

Visit the vendor exposition!

Over 100 INFOSEC vendors in the Convention Center Exhibition Hall
Sponsored by the Armed Forces Communications and Electronics Association (AFCEA)


Wednesday, October 8th


2:00 - 3:30 PM

Track A

Internet

Public Key Infrastructures (PKIs)

Warwick Ford, Verisign, Chair

Panelists: Taher ElGamal, Netscape Communications Corporation
Donna Dodson, NIST

This panel session examines the significant issues and challenges in the development and deployment of PKIs. PKI issues and challenges will be examined from both the PKI component vendor as well as the PKI implementer perspective.


Track B

Electronic Commerce

Digital Money - E Cash

Kawika Daguio, American Bankers Association, Chair

Panelists: TBD

Is "E-Cash" the future of money? This session will discuss the pros and cons of digital money from both a security acceptance and policy perspective. Topics include electronic wallets, the various types of digital money, and money laundering.


Track C

Information Infrastructure

Information Privacy and Human Rights

Wayne Madsen, Privacy International, Chair

Panelists: David Banisar, Electronic Privacy Information Center (EPIC)
Other Panelists: TBD

This session will examine various information age threats to personal privacy and the means by which government and business can provide for the common privacy of all.


Track D

Debate

Civilizing Cyberspace

Steven Miller, CPSR, Chair

Panelists: Dorothy Denning, Georgetown University
Ruth Nelson, Information Systems Security
Others: TBD

The panelists will discuss the sociological effects 20 years from now of INFOSEC technology, law, and the customs we are putting into place now.


Track E

Assurance / Criteria / Testing

Future Strategies

Harold Highland, FICS, Chair

A New Strategy for COTS in Classified Systems
Simon Wiseman, Defense Research Agency, UK

Outsourcing: A Certification & Accreditation Dilemma
Harold Gillespie, CISSP, CTA, Incorporated

The Department of Defense INFOSEC Certification and Accreditation Help Environment
Barry C. Stouffer, Corbett Technologies


Track F

Policy / Administration / Management

Cyber Terrorism

Christine Axsmith, Esq., The Oakland Corporation, Chair

Panelists: Mark Pollitt, Federal Bureau of Investigation
Tim Corcoran, The Oakland Group
Kim Johnson, U.S. State Department

This panel will highlight the realities of cyber terrorism and educate the audience on its impact. The panel will provide an educated framework in which informed analysis can take place. The type of environments that are subject to attack will be discussed. The audience will also be presented with solutions from both industry and government perspectives to cyber terrorism issues.


Track G

Tutorials

Network Security

Jack Wool, Arca Systems, Inc., Chair

This tutorial focuses on network security fundamentals and threats and provides a summary of traditional computer security concerns and objectives, relating the concepts to network security concerns. Security properties required of a trusted network are described in detail per the OSI security services model.

3:30 - 4:00 PM

Session Break & Social Networking


Wednesday, October 8th


4:00-5:30 PM

Track A

Internet

Developing a PKI Solution for Web Transactions: Lessons Learned

Judith A. Spencer, General Services Administration, Chair

Panelists: Phil Mellinger, First Data
Monette Respres, Mitretek Systems
Stanley Choffee, General Services Administration
Isadore Schoen, Cygnacom Solutions
A representative from DOT, GPO, GSA, or NSTISSC

The Federal Information Security Infrastructure Program is running a pilot involving PKI and applications, called Paperless Federal Transactions for the Public. This panel addresses the philosophy behind the pilot, how it works, what has been learned, and where it goes from here.

Track B

Electronic Commerce

Who Pays if Things Go Wrong?

Paul Dorey, Barclays Bank, UK, Chair

Panelists: TBD

This panel will discuss the threats to vendors, consumers, and service providers. They will address security attacks on electronic transactions, liability issues, and the necessary requirements for reliability and availability in electronic commerce.

Track C

Information Infrastructure

The INFOSEC Technology Profession: A Moving Bus

Virgil Gibson, Computer Sciences Corporation, Chair

Panelists: TBD

The panelists will address the question: Is INFOSEC a scientific or technical profession? Representatives from academia, who develop INFOSEC curricula in graduate degree programs, will discuss the options for their graduates. Practitioners will address the pros and cons of degree programs versus other paths of becoming an INFOSEC professional.

Track D

Debate

Copyright: Should Media Matter?

Joan Winston, TIS, Chair

Panelists: TBD

The ease of copying material in digital form continues to exacerbate the historical tensions between copyright proprietors and users of copyrighted materials. WIPO recently rejected copyright proposals that would have greatly extended copyright protections on electronic information and databases, potentially curtailing the traditional U.S. copyright provisions for fair use. This session will debate the following topics: To what extent can we continue to rely on traditional notions that evolved in an analog, paper-based world? Can principles such as fair use and the first-sale doctrine endure in the digital global information infrastructure?

Track E

Assurance / Criteria / Testing

Awareness & Concerns

Les Fraim, ANS, Chair

Cyberterrorists
Mark Pollitt, Federal Bureau of Investigation

Protecting American Assets, Who is Responsible?
Anthony C. Crescenzi, Defense Investigative Service

Who Should Really Manage Information Security in the Federal Government?
Alexander D. Korzyk, Sr., Virginia Commonwealth University, Ph.D. Program

Track F

R & D

Research in Intrusion Detection

Gene Spafford, Purdue University, Co-Chair
Karl Levitt, UC Davis, Co-Chair

Event Monitoring Enabling Responses to Anomalous Disturbances (EMERALD)
Phillip Porras, SRI International

An Application of Machine Learning to Anomaly Detection
Carla E. Brodley, Purdue University

A Process of Data Reduction in the Examination of Computer Related Evidence
Mary F. Horvath, Federal Bureau of Investigation

Automated Information System (AIS) Alarm System
William Hunteman, Los Alamos National Laboratory

Track G

Policy / Administration / Management

Metrics of Requirements

Charles Pfleeger, Arca Systems, Inc., Chair

Security Modeling for Public Service Communication
Dan Gambel, Mitretek, Inc.

Security Metrics - A Practical Approach
Chenxi Wang, University of Virginia

Connecting Classified Nets to the Outside World: Costs and Benefits
Christopher P. Kocher, Lockheed Martin Corporation

7:00 PM

Conference Banquet
Hyatt Regency Inner Harbor Hotel

Speaker: Bran Ferran, Walt Disney Imagineering


Thursday, October 9th


8:30 - 10:00 AM

Track A

Internet

Firewalls Are More Than Just Bandages

Peter Tasker, The MITRE Corporation, Chair

Panelists: Tom Haigh, Secure Computing Corporation
John Pescatore, TIS
Tony Vincent, Raptor Systems
Rick Siebenaler, CyberGuard Corp.

Firewalls started as a relatively static first line of defense, but they have become a more central part of providing many protection services to an enterprise. This panel will look at the present roles played by firewalls and directions for the future. Can they be effective against all of the emerging rich protocols associated with the World Wide Web? How will IPSEC affect them? What is the right mix of centralized firewall and distributed desktop protection features?


Track B

Electronic Commerce

Smart Cards: Their Role in Electronic Commerce

Diane Darrow, Smart Card Forum, Chair

Panelists: TBD

This session will focus on Smart Cards, Smart Card alternatives, and how they will be used in an electronic commerce environment.

Track C

Information Infrastructure

Future Methods in a Cryptographic Environment

D. Elliott Bell, Mitretek Corporation, Chair

Cryptographic Algorithm Metrics
Landgrave T. Smith, Jr., Institute for Defense Analyses

Using Datatype-Preserving Encryption to Enhance Data Warehouse Security
Harry E. Smith, Quest Database Consulting, Inc.

Multistage Algorithm for Limited One-Way Functions
William T. Jennings, Raytheon E-Systems & Southern Methodist University

Track D

Debate

Technology Around the Next Corner

Hilary Hosmer, Data Security Inc., Chair

Panelists: TBD

The telecommunications giants are investing for the long term and Bill Gates plans to defy the tradition that a leader in one computer technology era is never a leader in the next. INFOSEC executives debate what's to come in 20 years.

Track E

Assurance / Criteria / Testing

Commercial Intrusion Detection & Auditing: Installation, Integration & Use From the Security Professional's Perspective

Jim Codespote, NSA, Chair

Panelists: TBD

There are several intrusion detection and auditing products commercially available to help protect computer systems and networks. Panelists will discuss their experiences with installation, configuration, ease of use, scalability, and overall capabilities of the products they use and maintain. The intent of the panel is to provide insight (war stories) for those attendees looking to implement a COTS intrusion detection solution from a non-vendor (customer) point of view.

Track F

R & D

Public Key: Differing Views

Tim Polk, NIST, Chair

The Use of Belief Logics in the Presence of Causal Consistency Attacks
J. Alves-Foss, University of Idaho

Achieving Interoperability Through Use of the Government of Canada Public Key Infrastructure
Capt. John H. Weigelt, Department of National Defense (Canada)

Implementation of Key Recovery with Key Vectors to Minimize Potential Misuse of Keys
William J. Caelli, Queensland University of Technology, Australia

Track G

Policy / Administration / Management

Risks of Software Applications

James P. Anderson, J.P. Anderson Company, Chair

Software Encryption in the DoD
Russell Davis, Boeing Information Services, Inc.

TRANSMAT Trusted Operations for Untrusted Database Applications
Dan Thomsen, Secure Computing Corporation

Methodology for Evaluating Assets for Threats from Information Warfare and Economic Warfare Attacks
Roger A. Stutz, Los Alamos National Laboratory

Track H

Tutorials

Crypto: Mechanism of Action of Modern Cryptographic Protocols

Charles Abzug, Institute for Computer and Information Sciences

This tutorial will present today's cryptographic protocols, the principles by which they operate, their principal advantages and disadvantages, and a sampling of products using some of these protocols.

10:00 - 10:30 AM

Session Break & Social Networking


Thursday, October 9th


10:30 AM - 12 noon

Track A

Internet

Web Security Problems

Peter Coffee, PC Week Labs, Chair

Go Ahead, Visit Those Web Sites, You Can't Get Hurt, Can You?
James S. Rothfuss, Lawrence Livermore National Laboratory

Web Spoofing: An Internet Con Game
Edward W. Felten, Princeton University

When JAVA Was One: Threats from Hostile Byte Codes And JAVA Platform Viruses
Mark D. Ladue, Georgia Institute of Technology

Java Script: Security Tricks
Walter Cooke, CISSP, W. J. Cooke & Associates

Track B

Electronic Commerce

Secure E-Malls

Win Treese, OpenMarket, Inc., Chair

Panelists: TBD

This panel will discuss the requirements for an electronic mall as it affects small businesses, information services, and education and learning for the participants in the "Emall" stores.

Track C

Information Infrastructure

Viruses: Today's Threats

Kenneth Van Wyk, SAIC, Chair

Practical Defenses Against Storage Jamming
John McDermott, Naval Research Laboratory

What is Wild?
Sarah Gordon, IBM

Secure Software Distribution System
Tony Bartoletti, Lawrence Livermore National Laboratory

Track D

Debate

The Data Encryption Standard: 20 Years Later

Dorothy E. Denning, Georgetown University, Chair

Panelists: William J. Caelli, Queensland University of Technology, Australia
Stephen T. Kent, GTE
William H. Murray, Deloitte & Touche

This panel will review the significance of DES to the information security field and to infosec products and practices. Panelists will discuss the impact of DES on academic research, cryptanalysis, algorithm and product development, standards, network security, application-level security, and business practices.

Track E

Assurance / Criteria / Testing

Criteria: International Views

Marshall Abrams, The MITRE Corporation, Chair

Application of the IT Baseline Protection Manual
Angelika Plate, BSI, Germany

The Extended Commercially Oriented Functionality Class for Network-Based IT Systems
Alexander Herrigel, r3 Security Engineering ag, Switzerland

The Use of Information Technology Security Assessment Criteria to Protect Specialized Computer Systems
Ronald Melton, Pacific Northwest National Laboratory

Track F

R & D

Internet: Surviving the Future

Joseph Lisi, National Security Agency, Chair

Security Tools - A "Try Before You Buy" Web-Based Approach
Sheila Frankel, NIST

Internet Protocol Next Generation: Saving the Internet in the New Millennium
Robert A. Kondilas, MCI

Vulnerability of "Secure" Web Browsers
F. De Paoli, University of California-Santa Barbara

Track G

Policy / Administration / Management

Risk Management

Paul Woodie, National Security Agency, Chair

A New Paradigm for Performing Risk Assessment
Judith L. Bramlage, Computer Associates, Inc.

INFOSEC Risk Management: Focused, Integrated & Sensible
Donald R. Peeples, NSA

Role-Based Risk Analysis
LT Amit Yoran, USAF

Track H

Tutorials

Database Security

William Wilson, Arca Systems, Inc.

This tutorial focuses on database security issues from the standpoint of using database management systems to meet an organization's security requirements. Topics include data security requirements, vulnerabilities, database design considerations, and implementation issues. Several architectural approaches to building multilevel database systems are presented, including integrity lock, kernelized, layered, partitioned, and distributed. Other database security issues discussed include view versus relation discretionary controls, mandatory controls, inference, aggregation, and statistical inferences.

12 noon - 2:00 PM

Lunch Break

Visit the vendor exposition! Over 100 INFOSEC vendors in the Convention Center Exhibition Hall, sponsored by the Armed Forces Communications and Electronics Association (AFCEA).


Thursday, October 9th


2:00 - 3:30 PM

Track A

Internet

Internet Discussion

Jon David, The Fortress, Chair

This session follows up on the problems described in the previous session.

Track B

Electronic Commerce

Critical Components for an Electronic Solution

Christine Varney, Commissioner, Federal Trade Commission, Chair

Panelists: TBD

This session will identify the critical components that must be in place for an electronic commerce solution to be successful in a global environment.

Track C

Information Infrastructure

Practical Views of Network Protocols

William H. Murray, Deloitte & Touche, Chair

A Methodology for Mechanically Verifying Protocols Using an Authentication Logic
J. Alves-Foss, University of Idaho

A Practical Approach to Design and Management of Secure ATM Networks
Vijay Varadharajan, University of Western Sydney, Australia

Distributed Network Management Security
Paul Meyer, Secure Computing Corporation

Track D

Debate

Crime in the 21st Century: Wireless Fraud

James R. Wade, AirTouch Cellular, Chair

Panelists: Dennis Walters, Comcast Cellular Communications
Angel Morales, Professional Security Bureau, Inc.
Dave Daniels, AirTouch Cellular

The panelists will discuss and debate various issues regarding wireless fraud, which is emerging as the number one crime for the 21st century.

Track E

R & D

Issues for Security and Survivability

Teresa Lunt, DARPA, Chair

Panelists: Lee Badger, TIS
Franklin Webber, Key Software
John Knight, University of Virginia
Rich Feiertag, TIS

This panel will provide a brief summary of the DARPA security program goals and plans for wrappers, composition, architecture issues for security and survivability.

Track F

Policy / Administration / Management

Cryptographic Standards for the Next Century

Miles E. Smid, NIST, Chair

Panelists: Burt Kaliski, RSA Laboratories
Don Johnson, Certicom Corporation
Jim Foti, NIST

A set of standard cryptographic algorithms is needed to support services for the information infrastructure in the next century. Organizations including the National Institute of Standards and Technology (NIST), the American National Standards Institute (ANSI) and the Institute of Electrical and Electronics Engineers (IEEE), are developing cryptographic standards to address the need. The purpose of this panel is to discuss these emerging cryptographic standards. Panelists will also provide an overview of relevant cryptographic standards-making organizations and the relationship of their work to other organizations. In particular, the panelists will discuss emerging symmetric-based encryption standards specifically focusing on the Advanced Encryption Standard, Digital Signature Standards, and Public Key Based Cryptographic Key Agreement and Exchange Standards.

Track G

Tutorials

How to be a Better Security Officer

Chris Breissinger, Department of Defense Security Institute

This tutorial focuses on the continued protection and accreditation of operational information systems. Topics include: virus prevention and eradication; access control evaluation and configuration; media clearing and purging; intrusion detection and handling; and dealing with risk.

3:30 - 4:00 PM

Session Break & Social Networking


Thursday, October 9th


4:00-5:30 PM

Track A

Practical Experience with Virtual Private Networks

Steve Kent, BBN, Chair

Panelists: Paul Lambert, Oracle
Naganand Doraswamy, FTP Software
Roy Pereira, Timestep
Dan McDonald, Sun Microsystems, UK

This panel session will discuss experiences with and lessons learned from developing and implementing VPNs, specifically making use of the IPsec standard protocols adopted by the Internet Engineering Task Force. Topics to be addressed include challenges (e.g., scalability, widespread deployment) and future needs (e.g., administration tools) for VPN solutions. The chair and all the panel members have been closely involved in the development of the IPsec standards, and the panel members have implementation experience with IPsec and other VPN technologies.

Track B

Electronic Commerce

Future of Electronic Commerce

Hal Varian, Dean, University of California-Berkeley, Chair

Panelists: TBD

This session will look at the current and future directions of electronic commerce in the international environment, and the impact that it will have on business and society.

Track C

Information Infrastructure

Case Study: Computer Security Program Management Partnership-A Success Story

Mark Wilson, NIST, Chair

Panelists: William D. Tate,
Daniel T. Crowley, Northrop Grumman Corporation
John McWhorter, Defense Investigative Service

This panel will discuss how to create effective partnerships between an organization's computer security program management office, users, and auditors. The panel will help participants to fully integrate computer security awareness and responsibility throughout a business or agency.

Track D

Debate

The Future Role of Government in International Cyberspace

Vin McClelland, The Privacy Guild, Chair

Panelists: TBD

When national boundaries are permeable, national INFOSEC policy may be irrelevant.

Track E

Assurance / Criteria / Testing

Impact of the International Common Criteria on U.S. Security Evaluations

Steve Reichert, NSA, Chair

Panelists: Margie Zuk, MITRE
Tom Anderson, Kris Britton, William J. Marshall, Lou Giles, NSA

The Common Criteria is the result of an integrated attempt to align the trusted product evaluation criteria and activities of Canada, France, Germany, the Netherlands, the United Kingdom, and the United States into a single document. This panel will provide critical U.S. evaluation program status information to groups that will be directly impacted as a result of CC implementation efforts.

Track F

R & D

Survivability Technologies

Teresa Lunt, DARPA, Chair

Panelists: Phil Porras, SRI
Dan Schnackenberg, Boeing
Maureen Stillman, ORA
Stuart Staniford-Chen, University of California-Davis

This panel will provide a brief summary of the DARPA security program goals and plans for wrappers, composition, and architecture issues for security and survivability.

Track G

Policy / Administration / Management

Technical Internet Security Policy

Robert Bagwill, NIST, Chair

Panelists: John Pescatore, TIS

Others: TBD

This panel will discuss a new NIST special publication on technical internet security policy. Technical policy issues include the use and configuration of firewalls, virtual private networks, and interactive software. The panel will provide an overview of the NIST publication and then discuss methods for using the guideline within organizations.

Track H

Tutorials

Risk Management III: Introduction to Risk Assessment

Tom Peltier, Computer Science Institute, Chair

This tutorial provides the third of three foundation tutorials on Risk Management. This tutorial continues with the methodology from Risk Management I & II, using a systems analysis approach to identify, analyze, and quantify risks.

6:00-8:00 PM

Best Paper Awards

National Cryptologic Museum
Fort Meade, MD

Buses will be available.


Friday, October 10th


8:30-10:00 AM

Track A

Internet

MISSI-Network Security Solutions-From a User & Vendor Perspective

Ken Heist, NSA, Chair

Panelists: Richard Parker, NATO Command, Control, & Communications Agency
Frank Hecker, Netscape
Jim Prohaska, Litronic, Inc.
Gregory Gilbert, NSA

This panel will consider questions related to the implementation of current government-developed network security products, applications, and infrastructure. The panelists have experience with current MISSI Beta Test activity, Defense Message System (DMS) pilot tests, MISSI and DMS for NATO, FORTEZZA infrastructure, emerging FORTEZZA-compatible applications, and government product evaluation and approval processes in both North America and Europe. Responses will be an indicator of where the current programs are meeting user needs and how governments and industry can best work together to meet future network security requirements.

Track B

Electronic Commerce

Copyright & Intellectual Property Issues Associated with Electronic Commerce

Jessica Litman, Wayne State University, Chair

Panelists: TBD

This session will discuss the legal issues associated with electronic commerce regarding copyright and IP from a local, national, and international perspective.

Track C

Information Infrastructure

Case Study: An Architecture & Approach

Willis Ware, Chair

Panelists: David Van Wie, Olin Sibert, and James Horning, InterTrust Technologies Corporation

This panel will discuss how one company executed their vision of electronic commerce, an architecture, and research directions.

Track D

Debate

Controlling Employees' Use of the Internet

Christine Axsmith, Esq., The Oakland Corporation, Chair

Panelists: TBD

This panel will debate the pros and cons of controlling employees' use of the Internet.

Track E

Assurance / Criteria / Testing

Vendor Dialog on Evaluation Programs

Jeremy Epstein, Tracor, Co-Chair
Casey Schaufler, Silicon Graphics, Co-Chair

The co-chairs will lead the audience in a discussion of their experiences in performing TCSEC/TNI/TDI evaluations, opinions of TPEP and TTAP programs, use of the RAMP program, interpretations of TCSEC, ITSEC evaluations, and the forthcoming Common Criteria evaluations.

Track F

R & D

Manhattan Cyber Project

Mark Gembicki, War Room, Chair

Panelists: Manhattan Cyber Project members

A few select members of the Manhattan Cyber Project will discuss their findings to date as well as future initiatives. Their mission is to improve on the availability and effectiveness of technology, people, and processes that safeguard critical infrastructure areas and U.S. corporations from the "cyber threat." The approach to accomplish this mission is based on developing and facilitating a coordinated "outreach" program with industry, government, and academia.

Track G

Policy / Administration / Management

Keeping Pace with Threats in Networked Client/Server Environments

G. Mark Hardy, AXENT Technologies, Inc., Chair

Panelists: Jim Mork, BSG, Inc.
Others: TBD

This panel will discuss how information security managers can leverage technology to keep pace with the threat posed in the networked client/server environment.

Track H

Tutorials

Infrastructure Security

John T. Egan, National Defense University, Chair

This session will cover the fundamentals of encryption and the security services that are proposed for large infrastructures such as the NII and the DII. There is a movement in some quarters for providing a common set of security services that will support both types of infrastructures even though their missions are quite different.

10:00-10:30 AM

Session Break & Social Networking


Closing Plenary


Friday
October 10, 1997

The Future of Electronic Commerce

10:30 a.m.

Risks, Realities, and Expectations

Peter G. Neumann, Chair
SRI International

Distinguished Panelists:
Larry Stewart
Chief Technology Officer, Open Market

Steve Walker
President, Trusted Information Systems, Inc.

Rick Hite
Director, Risk Management and Security, Visa International

Helmut Kurth
IAGB, Germany

The future of computer-communication security will to a large extent be driven by the urgent needs of electronic commerce, while at the same time being hindered by the realities of emerging computer and networking infrastructures. This session will address those realities, and will attempt to see into the future. Its scope will be fairly broad, encompassing systems, networks, financial applications, and digital commerce generally, from the primary viewpoint of security risks and their avoidance, but also cognizant of the social issues. It will also recognize that the problems are international, not just national.

Many questions might arise in the course of the discussion. What is achievable? What is likely? What are the most difficult obstacles to be overcome? What research areas are not being adequately stressed? What can we expect of technology? What are the intrinsic limitations? What are the weakest links? What non-technological issues, such as human compromisibility, must be defended against? What are the tradeoffs (for example, among cost-effectiveness, integrity, confidentiality, anonymity, accountability, and law enforcement needs)? What residual risks will necessarily remain? What should or should not governments do to ensure that electronic commerce and related applications can take place dependably? What impacts are national cryptological policies having on electronic commerce? What can be done to ensure that critical components of the national infrastructure (including telecommunications and electrical power) remain adequate?


General Information


Meeting Site

The conference will be held at the Baltimore Convention Center, 1 West Pratt Street, Baltimore, Maryland, close to the Baltimore Inner Harbor area. The Opening Plenary Session will be held in Ballroom I, on the Ballroom Level (enter the Pratt Street lobby). Registration and information services, and all technical sessions, will be held on the third floor Meeting Room Level. The Convention Center is conveniently located close to the meeting hotels, major highways heading into Baltimore, numerous restaurants, shops, and sight-seeing attractions.

Registration

The registration fee covers conference materials, coffee breaks, and admission to the banquet and award ceremony. There is an additional fee for the October 6 workshops.

Early Registration $360.00
After September 8, 1997 $410.00
October 6 Workshops $100.00

To register, complete the enclosed registration form and return it with payment to:

Office of the Comptroller
National Institute of Standards and Technology
Room A807, Administration Building
Gaithersburg, MD 20899

If using a check, make it payable to NIST/20th National Information Systems Security Conference or NIST/20th NISSC. Mastercard or VISA credit card payments can be faxed to the Conference office at (301) 948-2067. NIST does not accept any other credit cards. The Federal Tax ID number for NIST is 530205706. Confirmation cards will be mailed daily.

To register for workshops I through IV, please check the appropriate box on the registration form. There is an additional fee for these workshops.

To ensure a proper address for the participant list, badging, and confirmations, we ask each registrant to complete the registration form (training forms and/or purchase orders usually list billing address or corporate office). We encourage typed forms with complete information. Because the processing of payment sometimes can be slow, attendees can fax in registration forms with a notation "payment to follow in mail" or "will be paying on-site."

Cancellation Policy: Cancellations must be made in writing by September 8 in order to receive a refund. Letters can be faxed to NIST at (301) 948-2067. Any substitute registrations are to be in writing, with an accompanying registration form for the new registrant.

The registration desk at the Convention Center will be open from 6:30 p.m. to 8:30 p.m. on Monday evening, October 6, and will re-open each morning of the conference at 8 a.m.

Transportation

For those attendees not staying in Baltimore, daily bus service will be provided from the parking lot across from the National Computer Security Center (NCSC) Fanx III, 840 Elkridge Landing Road, Linthicum, Md. This is a convenient location for attendees staying at hotels near Baltimore Washington International airport. The buses will run in a round-robin fashion from the NCSC from 7:00 a.m. to 8:30 a.m. Buses will return to the NCSC at the end of the sessions each day, periodically throughout the awards reception, and following the banquet.

Proceedings

A hard copy and CD-ROM of the conference proceedings will be included as part of the registration packet for all attendees.

Communications

Messages will be taken for conference participants between 8 a.m. and 5 p.m., Tuesday through Thursday, and between 8 a.m. and 12 noon on Friday. Messages will be posted on a message board adjacent to the Registration/ Information Area. Attendees will not be called out of a meeting except in emergencies. The phone numbers to be used for leaving messages will be posted on the message board.


General Information


Special Interest Rooms

There will be a limited number of rooms available for special interest discussions ("Birds of a Feather," etc.). These rooms may be reserved in one-hour increments and must not be used for commercial purposes. Call the NCSC Conference Administrator at (410) 850-0272 to make a reservation. The originator should post notice of an open meeting on the message board.

Food Functions

Coffee service will be provided to all attendees during registration each morning and at mid-morning and mid-afternoon breaks. Attendees will be free at lunch time to explore the convenient restaurants or other sites near the convention center. In addition, an award reception and banquet will be held on Tuesday and Wednesday evenings, respectively.

Award Ceremony and Reception

On Tuesday, October 7, awards will be presented to vendors that have successfully developed security product lines that have been approved by the NIST Cryptographic Validation Program or the NCSC Trusted Computer System Evaluation Program. Certificates also will be presented to participants in the Systems Security Engineering Capability Maturity Model. The awards reception will begin at 6 p.m. in the third floor lobby.

Banquet

The conference banquet will be held on Wednesday, October 8, beginning with a cash bar reception at 6 p.m. and followed by dinner at 7 p.m. The dinner speaker is Bran Ferren, Executive Vice President, Walt Disney Imagineering. A coupon for this event, which may be exchanged for a dinner ticket on a first-come, first-served basis, will be included in each attendee's registration kit.

Best Paper and Best Student Paper Award Ceremony and Reception

On Thursday, October 9, best paper and best student paper awards will be presented at the National Cryptologic Museum in Fort Meade, Maryland. Directions and bus information will be available at the conference Information Booth. An awards reception will begin at 6:30 p.m. and end at 8 p.m. in the museum.

Housing

Blocks of rooms have been reserved for conference attendees at hotels near the convention center at special group rates. The hotels, with their daily rates, are listed at the right in order of their proximity to the convention center. To register for rooms at the special rates, return the enclosed hotel registration form directly to:

Baltimore Convention Center
and Visitors Association Housing Bureau
100 Light Street, 12th Floor
Baltimore, MD 21202

or fax the form to (410) 659-7313, with a deposit of $100, no later than September 8, 1997. After this date, we cannot guarantee that rooms will be available at the special conference rate. RESERVE EARLY! Government employees please note: The number of government rated rooms is limited and will be available on a first-come, first-served basis.

Please note: Reservations may ONLY be mailed or faxed. NO telephone reservations will be accepted.

Because the 1997 conference overlaps with meeting dates for a large city-wide convention, sleeping rooms are extremely scarce on Sunday, October 5. Attendees to the Monday workshops should consider making travel plans to arrive in Baltimore on Monday morning. The workshops have been scheduled to start as late as 11 a.m., for this reason.

Rooms are also somewhat limited for Monday evening, October 6. To get the hotel of your choice, reserve early.

Hotel                        Code    Single Rate      Double Rate
Doubletree at the Colonnade  DBLCO   $129 plus tax    $129 plus tax
Holiday Inn Inner Harbor     HIDIN   $96 plus tax     $96 plus tax    (Govt. $96 incl. tax)
Days Inn Inner Harbor        DAYSI   $83 plus tax     $83 plus tax
Baltimore Hilton and Towers  HILTN   Govt. $96 inclusive
Hyatt Regency Baltimore      HYATT   $142 plus tax    $150 plus tax

For Further Information

For further information, call Tammie Grice, the Conference Registrar, at (301) 975-3883.


Sponsors


National Computer Security Center

In 1978, the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence established the Department of Defense Computer Security Initiative to ensure the widespread availability of trusted ADP systems for use within the DoD.

In January 1981, the National Computer Security Center (NCSC) was established at the National Security Agency and assumed responsibility for the activities of the Initiative. The NCSC encourages the development of trusted computing system products, develops computer security standards and guidelines for interested users, and sponsors basic research in this robust field. To encourage the widespread availability of trusted systems, the NCSC has developed an industry-government relationship, called the Trusted Product Evaluation Program (TPEP). This effort focuses on the technical protection capabilities of commercially produced and supported systems, based on the Department of Defense Trusted Computer Security Evaluation Criteria (TCSEC). Three important interpretations are used to assist in this program: the Trusted Network Interpretation (TNI), the Computer Security Subsystem Interpretation (CSSI), and the Trusted Database Interpretation (TDI). The NCSC also promotes information security education and cooperates with NIST to provide computer security assistance to other government departments and agencies. In support of the above, the NCSC operates a B2-level of trust computer system that provides on-line service to the information security community.

National Institute of Standards and Technology

The National Institute of Standards and Technology, an agency of the Commerce Department's Technology Administration, promotes economic growth by working with industry to develop and apply technology, measurements and standards. Through its Information Technology Laboratory, NIST works to promote the development and use of information technology systems that are interoperable, easily usable, scalable and secure.

NIST's information technology research concentrates on developing tests and test methods for information technologies that are still in the early stages of development-long before they're available in new products. But even once information technology products are available, tests developed by ITL provide impartial ways of measuring them so developers and users can evaluate how products perform and assess their quality based on objective criteria.

Since 1972, NIST has played a vital role in protecting the security and integrity of information in computer systems in the public and private sectors. The Computer Security Act of 1987 reaffirmed NIST's leadership role in the federal government for the protection of unclassified information. NIST assists industry and government by promoting and supporting better security planning, technology, awareness and training. In addition, NIST fosters the development of national and international standards for security technology and commercial off-the-shelf security products. Finally, NIST has an active, laboratory-based research program in computer and network security with special technical emphasis in cryptography; authentication; public-key infrastructure; internetworking; and security criteria, assurance and testing.