From the Executive Board Chair

It's the start of a challenging year in the information protection arena. As the incoming FISSEA Executive Board Chair, I would like to reiterate our purpose and goal for FISSEA. I would also like to thank everyone who participated in providing information for our strategic plan, mission and goals and voting in the great team of board members. Looking ahead, I envision a very busy year in IT security initiatives, especially awareness, training and education because it is the key to information protection.

I have elected to republish parts of an article by our outgoing Executive Board Chair, Mr. Philip Sibert, which speaks to the meaning of our mission. This is a reminder of what awareness, training and education really means according to the Webster dictionary along with Phil's commentary.

AWARE·NESS - noun; AWARE -- adjective: having or showing realization, perception, or knowledge. Several synonyms: COGNIZANT -- implies vigilance in observing or alertness in drawing inferences from what one experiences; AWAKE -- implies that one has become alive to something and is on the alert; AWAKEN is action taken to make someone become alive to something, to put them on the alert.

TRAIN - verb: to undergo instruction, discipline, or drill; TRAINING - noun: the state of being trained; the skill, knowledge, or experience acquired by being trained.

EDUCATION - noun: the action or process of educating or of being educated; EDUCATE - verb: to train by formal instruction and supervised practice especially in a skill, trade, or profession; to develop mentally, especially by instruction.

I subscribe to the following definitions as these terms relate to functions performed by FISSEA members in the computer security discipline:

Awareness --

those activities undertaken to awaken (see above) your organization's personnel to organizational policy, and to their computer security responsibilities, system security requirements, best business practices, generally accepted system security principles, and the vulnerabilities of the systems they use. The objectives of the awareness activity are to awaken individuals, to make them alert and vigilant, and to entice them to want to know more about computer security (to get a foot in the door for the next step, training). For example, doing something to make people aware that easily guessed passwords, such as proper names, do not provide acceptable protection.

Training --

instruction tailored to the role(s) individuals play in an organization; the objective is to adopt a new mode of behavior or to achieve a change in existing behavior. For example, having everyone understand why, know how to construct, and begin to use robust passwords.

Education --

the formal training and instruction in the computer security discipline required for professional purposes; the objective is to achieve a high level of knowledge and skills enabling one to become an authority in the discipline. For example, instruction, training, and hands-on experience necessary to prepare one to obtain a graduate degree in Information Systems Security, or to become a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), etc.

These definitions may seem restrictive, but they fit in very nicely when applied to our purposes as information systems security educators, and, they also help in understanding the training and awareness requirements found in the Computer Security Act of 1987 and NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub. 500-172), March 1998.

So, what's the point here? The point is, quite often the words in the Computer Security Act are misinterpreted. In fact, often you will hear the term "awareness training" used as if there is only one objective for the mandated training. Let's examine the words from the Computer Security Act, as follows:

SEC. 5. FEDERAL COMPUTER SYSTEM SECURITY TRAINING. (a) In General. -- Each Federal agency shall provide for the mandatory periodic training in computer security awareness and (emphasis added) accepted computer security practice of all employees who are involved with the management, use, or operation of each Federal computer system within or under the supervision of that agency.

(b) TRAINING OBJECTIVES -- Training under this section shall be started within 60 days after the issuance of the regulations described in subsection (c). Such training shall be designed--

1. to enhance employees' awareness of the threats to, and vulnerability of, computer systems; and
2. to encourage the use of improved computer security practices.

While neither the Computer Security Act nor the NIST Special Publication 800-16 addresses the education aspects of the computer security discipline, I encourage all involved in this vital information management function to set higher goals and pursue the formal training and instruction in the computer security discipline required for professional purposes. Become an authority in your field, and lead by example.

We all still have a big and apparently never-ending job ahead of us. I see our primary objective to be Awareness because that's where the real pay-off will be. We need to continue our efforts in the visual arena -- that's the quickest way to get the information protection message to the masses. But, we also need to develop new, interesting, and impressive ways to deliver the awareness messages, and the messages have to be revised continually. Through awareness, we will be able to reach the general user community and introduce them to our training "products."

Remember to keep in touch by phone, e-mail or visit our web site. We are looking for articles related to security awareness, training and education for our newsletter, and welcome your submissions. Send them to Louis Numkin, our newsletter editor for the third year.

Pauline Bowen
FISSEA Executive Board Chair

Go to top of page

1999 Educator of the Year Dr. Quane: His Thoughts

Dear FISSEA Membership,

I would like to take this opportunity to thank the FISSEA Executive Board and all of the members of FISSEA (both current and past) for the honor bestowed on me as "1999 FISSEA Educator of the YEAR". I believe in this very distinguished award and I greatly appreciated the honor of being this year's recipient.

Being a long time member and past Chair, I have seen the FISSEA Conference and membership come and go. I believe that FISSEA has and is playing an important role in the security of our government's information and information systems. We are the Information System Security Educators and we know how to relay information to get people to protect information and information systems. We are an effective countermeasure! We are the INFOSEC trainers and educators of the government's workforce. We develop awareness, training and education programs which benefit our nation. I also realize that our work is very difficult contrary to what some people think. However, this is not a time to delay anything. This is a time of opportunity. With a thrust toward information system security awareness, training and education programs, we must take advantage and bring managers into our playing field. A challenge I make to you is to: Train your manager on the need and benefit for Information System Security Awareness, Training and Education programs. Remember, if you don't, who will?

I strongly support the ideals and goals of the FISSEA organization and I will do all that I can to push "FISSEA" into the great opportunity which currently exists. By the way, I was really proud to see the FISSEA name in print in "Federal Computer Week" (April 1, 2000 - page 22). This is just a start to the recognition the members of this organization deserve.

Again, thank you and I hope all of you still have that renewed hope and energy that the excellent 2000 Conference provided us. See you at next year's conference.

Dr. Roger P. Quane

Go to top of page

Editor's Column: The Challenge of Starting at the Beginning

Computer Security Awareness, Training and Education must begin from Day 1of an employee's career. It is up to you, the Computer Security professional, to ensure this takes place. If you do not already participate in the "Entry On Duty" or EOD process, you should! This can be done by your meeting the "newbies" nose-to-nose or having your Human Resources personnel present informative documents and/or a videotape or other device to inform them of the seriousness of this issue in your organization. You must not permit anyone to begin work without first being informed of the rules. Some installations require the incoming employee(s) to sign a statement upon completion of this initial "boot camp." This can add to the feeling that an office is serious about Computer/Information Security.

It is up to you to protect your organization from Hackers, Viruses, etc, and you need all the help you can get. So... deputize every new employee as soon as they report for duty. If they get into trouble for sending an improper E-Mail, don't let it be because you didn't inform them of what was right or wrong when they first arrived. Handouts are nice as reminders but face-to-face meetings are more personal and direct, and provide the opportunity to immediately ask questions and have them answered by the source. This benefits the new employee and the organization.

There are different types of newbies: first-time Feds, transfers from other agencies or from the civilian side; higher and lower level personnel than yourself; talkative; sleepers; summer interns; etc. Depending on where they are coming from and what experience they have had, you may even find some who know more about Computer Security than you do. If they wish to chime-in, within the limits of time, let them. But you have the duty to help them start off and stay on the right foot.

Now, let me challenge each of you to inform our FISSEA readership of what you include during your new employee in-processing? For example, what topics are covered, perhaps you have handouts which you could share, do you require newbies to sign a statement of policy acceptance? Sharing is the name of the game and we'll display or report on your submissions/comments in our next and succeeding issues.

Thanks and we'll be looking forward to your input.

Louis Numkin, Editor

Go to top of page

Annual Conference a Success
By Peggy Himes

The 13th Annual FISSEA Conference held this past March was one of the most successful conferences in regards to content and attendance. The hard work of our conference directors, Patricia Black and Lisa Biafore, was evident. The theme was "Effective IT Security Training Strategies". The presentations are available on the FISSEA web site under Conferences, 1999.

1999 Educator of the Year:
Dr. Roger P. Quane
Each year FISSEA recognizes the person who has been nominated and selected by a committee who has devoted the greatest effort to the accomplishments of information systems security training and education. Dr. Roger Quane was presented with the 1999 Educator of the Year award. (See "His Thoughts" on page 2). The nomination letter is available to view on the FISSEA web site, with the author's name withheld.

Special Accomplishment Award:
Lee Ohringer
Lee Ohringer received a Special Accomplishment Award "in recognition of his initiative to create and his continuing efforts to sustain National Computer Security Day, the most widely recognized computer security awareness program ever developed."

Election of Executive Board
During the business meeting a new executive board was elected. Executive board members are: Lisa Biafore, George Bieber, Patricia Black, Pauline Bowen, Barbara Cuffie, Louis Numkin, Roger Quane, Philip Sibert, Mark Wilson, and Lewis Baskerville. The 2000-2001 executive board officers are: Pauline Bowen, Chair; Barbara Cuffie, Assistant Chair; Louis Numkin, Newsletter Editor; and Lewis Baskerville, Conference Director.

2000 Conference Committee Formed
A committee was formed to plan the 14th annual conference. Lewis Baskerville is the Conference Director and other members include Jon Arneson, Sonja Martin, and Dara Murray.

FYI, the conference Final Participants' List was mailed by the NIST Conference Office several weeks ago.

Go to top of page

"I Love You, Guys"
By Louis Numkin

This title might lead a casual reader to think that I was just overcome at being reelected to the FISSEA Exec Board and/or appointed to keep Editing this publication. {Yes, I thank all of you for your support.} But, for the savvy computer security professional, the title strikes fear deep into one's heart.

After this past few days either witnessing or dealing with the "I Love You" worm, even the most romantic among us might shy away from using this phrase except while whispering in the ear of our most intimate companion. However, this type of incident is a great way for the "unwashed to get religion" - in other words for those who have no interest in security to become interested. No one wants to be left uninformed of something of this magnitude and global impact.

Use your position to raise computer security to a more visible place in the spectrum of day-to-day work and activities. Each of us receives alerts/bulletins from different respected sources. If you are like me, I tend to redistribute with or without lead-in comments to my "Alert List" of appropriate recipients, e.g.: System/Net- work Administrators, Management, Contractors, etc. Also included as addressees are some of my computer security peers at other agencies who may not be on distribution lists for this type of material. What makes it all worthwhile, is when the incident impact on my agency is small and is attributable, in part, to receipt/reading/ redistributing these bulletins.

This material and result is fine, but what about the "non-techy" - the everyday user in your organization. You shouldn't just let them learn the "facts of Love" from the radio news/talk station, morning paper, or someone in the coffee line. It is incumbent upon you to create and distribute internal informative bulletins to all employees/contractors. Remember your readership's widely varying level of understanding and write so that a layman can comprehend. But, also remember to keep it short and to the point. You may know all the intricacies of the "I Love You" and "Joke" or "Alert" mutant worms, but beware of inundating your readers with more than they need to know. This virus was first discovered on 4MAY. I distributed one single screen bulletin on the 4th and one on the 5th. What really put a smile on my face was receiving feedback from employees which generally said "thanks for the information - it eased my mind and answered my unasked questions."

One of my computer security alert providers (W2Knews) has already written about "The mutated 'Mother's Day' that surfaced yesterday deletes all .ini and .bat files from local directories and drives." Folks, here is another chance to inform our offices about the effects which this might have on the organization. Don't be a Fear Monger - explain the true meaning of the scourge and common sense approach to its solution. And, don't forget to include, as appropriate, whether this might have an effect on their home systems, as well. As the populace gets more technically inclined, though they may not want it to be disclosed, they are interested in having you debunk the hoaxes and inform them of the real computer security concerns as they come into view.

Times like these are useful as an awareness tool. You should seize the opportunity to remind your employees that there is a computer security organization with a mission to improve general understanding of how issues can and do affect your information resources. Don't miss out, Go For It!

Go to top of page

Some Lessons I Learned About Teaching Managers
By Barbara Cuffie

For several years I have been the Principal Security Officer in an information technology systems (ITS) component in a Federal Agency. I have confronted many challenges in this position, and I am pleased to be able to share some of the lessons I have learned through what sometimes seemed to be "the school of hard knocks." Identifying the ITS security training requirements for component personnel was not too difficult. However, finding effective strategies for ensuring that users receive such training continues to be a challenge and also an area where I have experienced some successes as well.

Until recently, getting mid-level managers to voluntarily take any kind of security class was a formidable challenge. I think some managers thought they did not need any ITS security training, because after all, that is why the Agency hired security personnel. Some probably felt that whatever else they had to do was more important and a better, more efficient way of spending their time. For whatever the reason, I can recall having developed security awareness type courses for managers and have only about ten percent of the class consist of managers. I have even had managers send their secretaries as their substitute for a Risk Management and Compliance Responsibilities class I developed and continue to teach periodically. Fortunately, today the class is comprised of the target audience and there is often a waiting list of managers signed up to take the next class.

You may be asking yourself what changed. I think changes in several external and internal factors have resulted in a positive change in the attitudes and behavior of many managers about taking security training. Today, most managers are aware that their critical business processes are dependent on the availability of ITS. They also seem to realize that data confidentiality and integrity are crucial and expected by their users and the American public. I think almost everyone who stays abreast of the News recognizes that the Government and private corporations are addressing many new ITS threats, vulnerabilities and risks daily. Also, the fact that the Administration, CIO Council and most federal agencies have declared that this is the year of ITS security has had a positive impact on security professionals, especially trainers. Many users, including managers, are requesting to know more about safeguarding their software, data, Web applications, telecommunications, etc. Since a part of my job is ensuring that component users are knowledgeable about security policies and safe computing practices to do their jobs, this is a great time to be a security trainer. Finally, I think the excellent evaluations I have been receiving from the class participants has helped me to market the class.

Through experience I have learned the following tips about preparing and teaching ITS security related classes to managers.

1. Prepare thoroughly and try to keep the length of the classes to 4 hours or less. Most managers are busy and more apt to register for a half-day class.
2. Determine the course objectives, logical order for presentation, time to spend on each major topic, relevant examples, and include some optional material that can be used to shorten or lengthen a particular segment (i.e., provide flexibility).
3. Make your slides interesting and use animation, cartoons and surprises to help keep the students' attention to the visual aids.
4. Include lots of examples that are easy to understand. They help to increase interest and make complex concepts easier to explain.
5. Be liberal in your use of humor. I find that students who are enjoying themselves while learning are more attentive and spread positive comments about my classes.
6. Try to continually think of the target audience's needs and circumstances. Be sure to emphasize those things that are most relevant to them.
7. Routinely, prepare practical and useful folders with good reference materials for each participant as a "gift" to reference later. I distribute these folders and review their contents during the class. I share examples of how and when one might use all the materials included.
8. I keep good eye contact with the students and do not read to them. However, I do refer to my notes occasionally to help me stay on course and on time.
9. Engage the participants with questions when possible. I encourage them to voluntarily answer my questions. I use name cards, ask easy questions and call on students that I know to get some interaction going if necessary.
10. Rather than focusing on students completing formal evaluation forms, I encourage students to give me candid feedback, now or later, including their suggestions for improving the class. I have benefited greatly from such feedback.

Go to top of page

Goals for the Future
By David Sostman

The internetworking of computer systems in recent years has created a little bit of heaven for Federal workers as electronic communications enhance workplace activities. But it also offers a little bit of hell as it opens up networks and servers to external -- and internal threats.

In the new era of e-government, as more Federal agency databases and applications are made accessible online, the work of government computer security personnel is becoming more challenging, and increasingly important.

In this new environment there is a greater need than ever for effective methodologies that can assist ISSOs and other Federal personnel in safeguarding and assuring the veracity of information in the public domain.

At the Titan Corporation's System Resource's Division, we saw the importance of developing a comprehensive methodology while supporting the IT security tasks of our Federal agency clients. Our methodology engages a number of best practices for securing information assets. It also notably employs a deliberative process of goal-setting to both focus our client's efforts, while also catalyzing our own effective use of the hours we spend on their behalf.

As Tony Robbins, Steven Covey, and other proponents of pro-active self-management attest, there is great power in goal setting. While most of us recognize the value of this "mental technology," finding the time and perspective to engage in effective goal-oriented planning presents a dilemma most of us also share.

One of the principle advantages of hiring an outside contractor to assist with IT security projects is that consultancy work, by its very nature, requires the development of plans and goals, that clients can review and modify before any technical work begins. The goal setting then acts as a powerful guide for actualizing the desired results.

In the Federal IT security field, contractors and Federal personnel should be sharing one overriding goal, the safeguarding of networks, systems and information. This will be achieved, albeit with some setbacks. But in this new age of invention, its nice to go back to Thomas Jefferson who, when he was eighty years old, remarked that "The daily advance of science will enable [each generation] to administer the commonwealth with increased wisdom."

Once we tackle the problems associated with ensuring security in the Internet age, technology will indeed allow us to administer the commonwealth with increased wisdom.

David Sostman is a member of FISSEA, and a Senior Analyst with the Titan Corporation's System Resources Division. He can be reached at dsostman@titan.com

Go to top of page

Siber' Space Snippets
By Philip L. Sibert, CISSP

Scholarships to Students to Study Information Assurance
The National Science Foundation is expected to release applications next month for grants that would fund the Federal Cyber Services program designed to train the next generation of digital defenders. The NSF grants would be available to colleges and universities, which would use the money to award scholarships to students to study information assurance. These students would receive the scholarships in exchange for full-time employment with a federal agency upon graduation. The students would help protect the government's systems from cyberattack. NSF hopes to announce by September or October which schools will receive the grants and hopes to award the actual student scholarships by January 2001.(Federal Computer Week, 19 April)

New Breed of Training Developers/Delivery
Recently we were visited by the marketing representative from a company called DigitalThink. They were presenting to us their way of developing and delivering web-based training via the Internet. Already NASA is using their services, and their presentation was quite interesting. We are looking in to how we might provide training across the nation and how costly it will be to use their services. If you're interested, go to http://www.digitalthink.com or contact their manager of the government sector, Sally Turner at sallyt@digitalthink.com. Another web site that may be interesting to explore; check out http://www.trainingsupersite.com/index.htm.

In Case You Missed the Conference.....
Too Bad.....

DOE's Training Modules Available
Between October 1999 and February 2000 the Department Of Energy CIO's office delivered technical training and management awareness briefings to over 1000 employees around the country. To do this we had Booz-Allen & Hamilton assist in the development of course materials and in the delivery of training using mobile training teams. The materials we developed are available in PowerPoint format from the DOE Cyber Security web site at http://cio.doe.gov/ucsp/, then look for Training. There you will find the following modules: Cyber Security Training Instructor Guide; Cyber Security Manager Awareness: Host Securities: Insights to Protect Mail and Web Servers; Network Security; and, Unix Security: Insights to Protect Unix Systems. As part of the DOE training and awareness continuum we are looking at delivering some training via satellite (we have our own training center with broadcast capabilities, although it has mostly been used for nuclear related safety and physical security training up to now). However, we are also taking a step back to revisit and revise our training strategy. More on this as the program continues.

Overheard.......
Do it now! We all seem to have been at the nadir in the training cycle, and we're now approaching the zenith. One astute and respected scholar in our midst was heard to say we've got about a two year window to get funding and accomplish training, awareness, and education before the decline of interest sets in. I sure hope that sage is wrong on the latter part!

What's Your Next Targeted Subject for Training?, for Awareness?
Remember, you cannot change the threat - you must reduce the vulnerabilities.

I believe we all need to be putting emphasis on Vulnerabilities, and then on Risk Management. Managers and users alike need to know to what their systems are vulnerable. This requires dedicated development and delivery (sometimes daily!)of briefings on the latest vulnerabilities; the vulnerability information also needs to be widely disseminated to the technical personnel who can use that information.

The process of determining how much residual risk you can live with needs to be implemented. This is accomplished through application of the never-ending cycle of (1) assessing the risk, (2) applying the countermeasure, and (3) monitoring the results. The never-ending cycle implies that there needs to be on-going training of folks in the risk assessment arena to ensure you have a viable risk management program. We need to have good risk assessment practitioners, and we also need to have managers who have been "schooled" in the best practices in risk management.

Go to top of page

Some Lessons Learned From An Information Systems Security Awareness Day Event
by Lisa Biafore, CISSP and Lori O'Donnell

A Security Awareness Day is a great way to start your information system security program or to keep your program active. It can also be a fun and interesting way to keep your employees informed on current security issues and to reinforce basic concepts.

Having just had the opportunity to plan and coordinate a security awareness day event, there were several things that were learned:

1. You can never start planning too soon.
2. There is a lot of work and coordination involved.
3. Location, location, location.
4. Pre-event publicity is a must.
5. Murphy's Law is usually in full force.
6. Make it interesting and fun!

Depending on your organization and your budget, the scope of the Awareness Day event can range from a booth providing handouts and staffed by personnel who answer questions, to a fully integrated day of events including speakers, an awareness booth, games, films, vendor displays, etc. Whatever you decide requires a lot of planning. And since this is probably not the only thing that you have to do, it requires a long planning period. If you have never done this before, you may want to start planning at least 9 months to one year in advance. If you have done this before then you know to start planning for the next year's event as soon as the current year's event is over.

In planning the event, you need to know your budget, identify when the event will occur, where it will take place, what activities will occur, and who will be responsible for what. It is highly recommended that you develop a schedule and time line of the activities or tasks that need to occur, and ensure that you inform all personnel that are involved of the time line and their responsibilities. You may also want to consider including other security-related groups in this event, such as the Privacy or Ethics group, or even your personnel or physical security groups.

Once you have decided what you want to occur at your event, now the fun starts--finding out who is responsible for what and coordinating everything. Such as determining if you can use in-house departments (i.e., Graphics or Printing), selecting publicity methods, identifying and coordinating agency and/or guest speakers, identifying the activities that you want to occur, such as games or contests, and obtaining giveaways. Then you need to integrate all of these activities into your schedule and time line.

As in real estate, location of the event is very important. Unfortunately, most people have little interest in security, so you need to plan the event in a place where they almost have to walk by such as in your lobby or near the cafeteria.

And, let's not forget that in order for this event to be a success, people have to come and in order for people to come they have to be informed. Publicity for such an event is a necessity. This means pre-event publicity, day of event publicity, even post-event publicity (remarking on its success, of course!). There are many ways to publicize your event, you can use posters, broadcast e-mail messages, flyers, public address announcements, etc. Consider, publicizing the event at least 2-3 weeks in advance.

Now, remember that all the planning in the world will not keep Murphy's Law at bay, "if it can go wrong, it will". However, unless it is really significant, in most cases, the people that attend the event won't even notice. Anyway, you can just chalk it up as a lesson learned.

Overall, the most important lesson that we can leave you with is - MAKE THE EVENT FUN! If you and your staff look like you are having fun, then so will the participants. Keep in mind that you can't please everyone, there is always at least one or two grumpy-Gus's out there. But don't let this discourage you. And finally, remember, what will attract people to your event-free food and giveaways! Always offer goodies or freebees (and in the process sneak in a security message or two).

Go to top of page

Security Implications of Active Content
Submitted by Pauline Bowen. Adapted from the "Guideline for Implementing Cryptography in the Federal Government" by Annabelle Lee which appeared in the ITL Bulletin, Feb 2000. ITL Bulletins are published by the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST). To subscribe to the ITL Bulletins, send an e-mail to listproc@nist.gov with the message subscribe itl-bulletin, and your proper name.

In today's world, both private and public sectors depend upon information technology (IT) systems to perform essential and mission-critical functions. Often, as technology improves to provide new capabilities and features, new vulnerabilities are introduced along with these functional improvements. Organizations implementing and using these advanced technologies must, therefore, be increasingly on guard.

One such emerging technology is active content. Unlike ASCII character documents of the past, electronic documents are able to automatically carry out or trigger actions without the intervention of a user. Examples of active content include PostScript® documents, Java™ applets, JavaScript™, word processing and spreadsheet macros, and executable electronic mail attachments.

Having the ability to download files and electronic documents off the Internet is a useful function and a common practice for many people today. While there are risks involved if one visits an unknown site, it appears at first glance that there should be no harm in downloading information as long as the files are non-executables. Even if a browser plug-in or utility is downloaded, it is recognized as such and must be explicitly installed in order to function, so careful judgment and appropriate preparation can be taken in advance. This view on risks, however, is incorrect. Today, electronic documents are themselves programs or contain programs that can be self-triggered. Loading a document into a word processor can produce the same effect as executing a program, requiring appropriate caution to be taken. After all, if you would not knowingly execute a program from an unknown source, why would you indirectly execute one embedded in an electronic document?

In striving to offer greater functionality and flexibility, software developers will continue to blur the distinctions between program and data. While the developer's intentions are presumably good, they can often have a negative impact when the need for security is not fully taken into account. Such documents are said to have active content, which involves new technology such as built-in macros, scripting languages, and virtual machines. The trend towards active content has been spurred by the popularity of the Web. Like any technology, active content can provide a useful capability, but can also become a source of vulnerability for an attacker to exploit.

Together, active content and implementation errors can damage or subvert an IT system. An attacker needs only to learn what software their target is using, find an appropriate exploit, and send the document to the target.

Bottom line is:
When employing active-content technology, security measures should be put in place to reduce risk to an acceptable level and to recover if an incident occurs.

Go to top of page

Congress Considers Mitnick's Advice
By David Sostman

Infamous computer hacker Kevin Mitnick testified before Congress in March and told members of the Senate Governmental Affairs Committee that the greatest security threat to networked Federal systems was "social engineering" or the practice of deceiving employees into giving him passwords and personal identification numbers.

According to Mitnick, who was released from prison after five years in January, "the weakest link in the security chain is the human element." Mitnick added, "Companies spend millions of dollars on firewalls and secure access devices, and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems."

In his testimony, Mitnick told the listening Senators that more aggressive outreach efforts are necessary to educate government employees about computer security risks.

The Senate Governmental Affairs Committee is currently considering a bill which would require government agencies to undergo yearly security audits, and give the Office of Management and Budget (OMB) information security oversight over federal agencies.

Go to top of page

TRAINIA
{a combination of the words "TRAINing" and "trivIA" - collected by your Editor to aid in your information gathering, continued education, and improve your sense of humor.}

I received this item, courtesy of Fred Cohen and the SECEDU list, but it was created by The Computer Security Institute:

Ninety percent of survey respondents detect cyber attacks, 273 organizations report $265,589,940 in financial losses.

SAN FRANCISCO -- The Computer Security Institute (CSI) announced today the results of its fifth annual "Computer Crime and Security Survey." The "Computer Crime and Security Survey" is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad. The aim of this effort is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States.

Highlights of the "2000 Computer Crime and Security Survey" include the following:

Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last twelve months.

Seventy percent reported a variety of serious computer security breaches other than the most common ones of computer viruses, laptop theft or employee "net abuse"-- for example, theft of proprietary information, financial fraud, system penetration from outsiders, denial of service attacks and sabotage of data or networks.

Seventy-four percent acknowledged financial losses due to computer breaches.

Forty-two percent were willing and/or able to quantify their financial losses. The losses from these 273 respondents totaled $265,589,940 (the average annual total over the last three years was $120,240,180).

Financial losses in eight of twelve categories were larger than in any previous year. Furthermore, financial losses in four categories were higher than the combined total of the three previous years. For example, 61 respondents quantified losses due to sabotage of data or networks for a total of $27,148,000. The total financial losses due to sabotage for the previous years combined totaled only $10,848,850.

As in previous years, the most serious financial losses occurred through theft of proprietary information (66 respondents reported $66,708,000) and financial fraud (53 respondents reported $55,996,000).

Survey results illustrate that computer crime threats to large corporations and government agencies come from both inside and outside their electronic perimeters, confirming the trend in previous years. Seventy-one percent of respondents detected unauthorized access by insiders. But for the third year in a row, more respondents (59%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (38%).

Based on responses from 643 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, the findings of the "2000 Computer Crime and Security Survey" confirm that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting.

Respondents detected a wide range of attacks and abuses. Here are some other examples:

25% of respondents detected system penetration from the outside.

27% of respondents detected denial of service attacks.

79% detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems).

85% detected computer viruses.

For the second year, we asked some questions about electronic commerce over the Internet. Here are some of the results:

93% of respondents have WWW sites.

43% conduct electronic commerce on their sites (in 1999, only it was only 30%).

19% suffered unauthorized access or misuse within the last twelve months.

32% said that they didn't know if there had been unauthorized access or misuse.

35% of those acknowledging attack, reported from two to five incidents.

19% reported ten or more incidents.

64% of those acknowledging an attack reported Web-site vandalism.

60% reported denial of service.

8% reported theft of transaction information.

3% reported financial fraud.

Patrice Rapalus. CSI Director, suggests that the "Computer Crime and Security Survey," now in its fifth year, has delivered on its promise to raise the level of security awareness and help determine the scope of crime in the United States.
"The trends the CSI/FBI survey has highlighted over the years are disturbing. Cyber crimes and other information security breaches are widespread and diverse. Ninety percent of respondents reported attacks. Furthermore, such incidents can result in serious damages. The 273 organizations that were able to quantify their losses reported a total of $265,589,940. Clearly, more must be done in terms of adherence to sound practices, deployment of sophisticated technologies, and most importantly adequate staffing and training of information security practitioners in both the private sector and government."

Bruce J. Gebhardt is in charge of the FBI's Northern California office. Based in San Francisco, his division covers fifteen counties, including the continually expanding "Silicon Valley" area. Computer crime is one of his biggest challenges.

"If the FBI and other law enforcement agencies are to be successful in combating this continually increasing problem, we cannot always be placed in a reactive mode, responding to computer crises as they happen. The results of the CSI/FBI survey provide us with valuable data. This information not only has been shared with Congress to underscore the need for additional investigative resources on a national level but identifies emerging crime trends and helps me decide how best to proactively, and aggressively assign resources, before those 'trends' become 'crises.'"

CSI, established in 1974, is a San Francisco-based association of information security professionals. It has thousands of members worldwide and provides a wide variety of information and education programs to assist practitioners in protecting the information assets of corporations and governmental organizations.

The FBI, in response to an expanding number of instances in which criminals have targeted major components of information and economic infrastructure systems, has established the National Infrastructure Protection Center (NIPC) located at FBI headquarters and the Regional Computer Intrusion Squads located in selected offices throughout the United States. The NIPC, a joint partnership among federal agencies and private industry, is designed to serve as the government's lead mechanism for preventing and responding to cyber attacks on the nation's infrastructures. (These infrastructures include telecommunications, energy, transportation, banking and finance, emergency services and government operations). The mission of Regional Computer Intrusion Squads is to investigate violations of Computer Fraud and Abuse Act (Title 8, Section 1030), including intrusions to public switched networks, major computer network intrusions, privacy violations, industrial espionage, pirated computer software and other crimes.

Copyright 2000
Computer Security Institute

Go to top of page

Go to top of page