From the Executive Board Chair
Training, Education and Awareness Still Key for Agencies

As we put Y2K issues behind us and press forward to PDD-63 and other legislative changes in information security, we find that training, education and awareness are still key for Government Agencies.

Technology is changing at a never-ending pace and one way to minimize risks is to focus on educating users. According to a recent article noted in the weekly "SANS NEWSBITES," some agencies are starting a full-scale information assurance awareness program.

Many security issues will not be solved by technical solutions, but by getting managers to understand the importance of their role in federal systems security. Part of this understanding involves user education.

In my Agency, we have taken the initiative to develop training for every employee with specific focus on senior executives, information system security officers, system administrators, and program and functional managers. We plan to make educating users a priority this year because we feel this will help minimize risk to our systems and infrastructure.

Of the many challenges we face, training, education, and awareness are needed in the areas of cyber ethics, wireless technologies, computer crime, e-commerce, and managing risks. I know that FISSEA will work to address these challenges through continued training, education and awareness. We will continue to publish our newsletter, communicate with the membership through e-mail, and sponsor the annual conference each year with NIST support. I encourage you to join us in our efforts in this very important arena.

Hope to see you at the FISSEA Conference this year (March 13-15, 2001)

Pauline Bowen (FDA)
FISSEA Executive Board Chair

Go to top of page

Commitment - What's in it for YOU??

by Philip Sibert (DOE), FISSEA Executive Board Member

MEMBERS OF THE FISSEA BOARD OF DIRECTORS are expected to have a commitment to the organization and it's constituency.

Generally there are two types of members in any organization - the "joiners," and the "doers." There's nothing wrong with being a joiner because organizations usually exist to provide some benefit to the joiners, and in many cases the financial support of the joiners in the form of dues, pledges, or donations are necessary to keep the organization alive (but not in the case of FISSEA). And then, there is usually a small core of doers who take on the tasks associated with running the organization and seeing that the joiners are provided with the benefits the organization promises. Doers are usually those who are strongly bound to the vision and mission of the organization, and who believe in what the organization stands for and what the organization does, or should be doing, for its members.

What's a commitment? According to the dictionary, it's the state of being bound emotionally or intellectually to a course of action or to another person or persons. In essence, it's nothing more than "a pledge to do." This is what is expected of those who make it to the Executive Board, or others who take on particular tasks such as the Conference Director and the Newsletter Editor, to meet the objectives of the FISSEA mission.

FISSEA has evolved to the point where we have very good liaison with, and fine administrative and technical support from NIST, but the organization cannot function without the commitment of the Executive Board and other committee members. That's why it is necessary for those of you who are interested in becoming Board or committee members to be sure you have approval from your management to make the commitment to help FISSEA. It's not that great of a commitment, but you should figure on a minimum of a half a day each month for the Board meeting at NIST, and then probably another 8 to 10 hours each month taking care of FISSEA business from your office. And then, of course you're expected to attend and/or participate in the annual 3-day conference each March. The Conference Director, and some of the committee members, will probably spend a similar amount of time throughout the year planning for and coordinating the conference.

What's in it for you?

• Pride in doing something to benefit others; it's that "feel good" sensation.
• Working with others who strongly believe in "the cause."
• The opportunity to network with other federal, university, and private enterprise professionals to address issues and solve problems associated with computer security training, education, and awareness.
• Visibility for you in the Federal arena.
• A chance to show your boss you have an interest in outside activities that relate to your job, and that you and your organization can benefit from participation.
• An opportunity to show your organizational skills and leadership potential.
• A chance to shine as an author! Everyone is encouraged to write for the FISSEA News and Views quarterly newsletter.

What's NOT in it for you?

• A big pay raise (in fact, no pay nor raise at all!).
• Free trips at the expense of the organization (in fact, even the Board and committee members have to pay the registration fee for the conference!).
• Free lunches (we don't even get free coffee or donuts for Board meetings!)
• A cushy position where you get the title and glory for someone else's effort.

So, here's the challenge to all FISSEA members: make a commitment to FISSEA!

Go to top of page

I Haven't Lost My Mind.... It's Backed Up On Disk Somewhere

by Louis M Numkin (US NRC ), FISSEA Newsletter Editor

Did you know that according to a recent poll, 78% of children have been exposed to computers prior to college age?

With this group chomping at the employment bit, it behooves computer information security educators to take stock of their own abilities and knowledge levels. All, including the purists, believe that we are now truly in the new Millennium. It's a good time to consider making some Millennial Resolutions.

Here are five examples which you might wish to consider... in addition to the proverbial "I must start exercising," "I will quit smoking," and "I want to lose some weight:"

1) I won't buy the latest and greatest application software until I can honestly say that I fully understand those which I already have on my system.

2) I must improve my current "tech-knowledgy" level - perhaps by actually reading (not just subscribing to) techie magazines and newspapers.

3) I will look into taking a course at an educational institution to improve my understanding of underlying technology - such as how Internet cache could show my boss where I've been surfing on my work computer.

4) I will buy the text and join a study group to prepare for Spring, 2001 CISSP events. I must plan for the eight day review seminar since I just missed the latest one in Tysons Corner, VA.

5) I will attend professional conferences, like FISSEA's, to learn how to merge all the knowledge I've gained into worthwhile and appropriate TEA messages for employees.

Standing around the water cooler with your co-workers musing over what the newly inaugurated governing team will do and how it will affect your job is not as valuable as making your job more insightful and your performance more stellar. To rephrase an earlier President's famous words: Remember - Ask not what your job can do for you but what you can do for your job!

While recalling President Kennedy's words, please permit me to digress ...
Recently, I received an E-Mail bumper snicker list which included this one:

"Illiterate? Write For Help..."

It caused me to chuckle until I saw a 14JAN2001 Washington Post article entitled "Can't Read, Can't Count, Can't Depend on the System to Help" by Shari Lawrence Pflegger. No snickering about this write-up. Here are some excerpts:

"I tutor a 17-year-old who has trouble with fractions and doesn't understand the difference between negative and positive numbers."
"Or another 14-year-old who asked me how many bagels were in my bag... When I told him 'two dozen,' he didn't know how many were in a dozen. And when I told him '12,' he couldn't calculate the total."

"... kids don't read either - because they can't. The girl... does not know how to sound out words."

Our efforts to wire public schools for access to the Internet will do little to aid those without the rudimentary 3R skills of "Reading, wRiting, and aRithmetic."

"The Children's Defense Fund urges us to 'leave no child behind.'" Now is the time for each of us to help the less fortunate. "Remember these kids the next time you grumble about the clerks in the supermarket or department store. If they can't make change or read the week's list of sales, perhaps it is because we did not give them the chance to learn."

For those of you who know me, you are aware of my personal interest in providing computer ethics outreach presentations in schools and at senior citizen centers. So, in light of Ms Pflegger's article, here's one more resolution for your consideration:

*) I will arrange to spend some time with kids/youth/young adults (other than my own) to help them to learn whatever is needed. No matter whether it is how to do long division using only paper and pencil or the difference between what is right and wrong as relates to this new Cyber world. I will try to find out their knowledge and curiosity levels, and use this information for their own good... and the good of society both today and in the future. I will do this because I can ... and I care.

28JAN01 marked the 15th anniversary of the Challenger disaster and this is as an appropriate place to restate our FISSEA motto, attributed to Christa McAuliff "I touch the future, I teach."

"This is your mission, should you choose to accept it!" Happy New Millennium, FISSEA.

Go to top of page

Teaching Cyber Ethics

by David Sostman, a Senior Analyst with the Titan Corporation

Recently, I spent some time sitting at a computer alongside the 14-year-old son of an old friend. He is an engaging young man, smart, gracious, and the product of a good home. He's also a hacker, and one night a few weeks ago we spent about an hour talking about his activities as he showed me some of the Internet sites where anyone can download an assortment of penetration tools. He has used some of these to probe into the home computers of his friends while they were online, and he has used other tools to access sensitive files housed on his school's computer system. These types of "cyburban" intrusions are rarely reported, and my young friend represents the tip of a growing digital iceberg. If he and other members of the Internet generation are not taught today that what they're doing is unethical and wrong, what will they be doing five years from now?

As you may have read in the last FISSEA Newsletter, the Justice Department and the Information Technology Association of America (ITAA) have joined together to form the Cyber Citizen Partnership, an organization designed to promote cyber ethics. Their activities are necessary and needed in the growing online environment of information insecurity.

In the past, hacking activities were perpetrated by a knowledgeable group of individuals, often programmers, who were interested in exploring various operating systems. Rarely did the pioneering group of hackers engage in "cracking" or activities that damaged data or systems. But the "times, they are a'changing".

Today, anyone can be a hacker. The use of the Internet is widespread and the ability to penetrate does not depend on the ability to write programming scripts. Rather, the simple ability to find a script online that can be used as a penetration tool is all that's required.

According to recent studies, many teenagers now spend more time online than they spend watching television. It's their medium. They're the ones interacting online, exploring, downloading and investigating. And this new environment opens the door for an increase in "crackers," those who disavow society's constraints. That is the coming threat which is already underway - there are no statistics on teenagers attacking other individuals online or breaking into their school computer systems.

Young people today generally don't watch television news or read newspapers, and conversely, their activities online are largely unseen, conducted beneath the media's radar. The problem that FISSEA and other groups concerned with cyber ethics must consider is how to reach these young people before they engage in unethical and ultimately regrettable acts. How can they be taught that it's wrong to invade another person's privacy and property online? Where do we begin? I'm glad to know the Cyber Citizen Partnership is now trying to address this problem.

{Editor's Note... If you would like to read a wonderfully insightful related article, please see "Why Kids Shouldn't Be Criminal Hackers: An Explanation for High School Students, Parents & Teachers" by FISSEA's friend and Conference Speaker Mich Kabay, PhD. It begins in this manner:

"At some time, someone is going to tell you how much fun it is to hack into computer systems and networks. I'm here to tell you it's a bad idea. I'd like you to understand what happens on the other side of that modem - on the other side of that Internet connection - when someone uses a computer system without permission." Interested? Just point your browser to http://securityportal.com/cover/coverstory20001009 I think you'll find it a good read.}

Go to top of page

Notable Quotable Departs...

Whether you knew and/or worked with him, or not, Feds were affected by this gentleman over the past several years. A tribute written by Dan Verton on January 15, 2001 appeared in Computerworld - reference:
http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-91_STO56349,00.html

"... the federal government will say goodbye to one of the national security community's premiere experts on cybersecurity policy. On Jan. 20, Jeffrey Hunker, the senior director for critical infrastructure protection at the National Security Council, will end a seven-year stint in public service.

What started as a serendipitous move into a senior policy advisory role under Secretary of Commerce Ron Brown in 1993 soon led to an assignment to create a new national security organization that would be at the forefront of the nation's cyberdefenses. In 1998, that organization became known as the Critical Infrastructure Assurance Office (CIAO)."

And that's... The rest of the story.

Go to top of page

MISDIAGNOSIS

by Louis M Numkin (US NRC ), FISSEA Newsletter Editor

The definition of "Misdiagnosis" (or "Missed Diagnosis") is NOT always:
* The claim of a litigious lawyer while facing a doctor before a judge
NOR
* The plaintiff wail heard at the repair shop when the car owner is asked to pay for "necessary services/parts" not normally needed for the advertized $9.99 Oil Change Special Offer.

Misdiagnosis could also be the determination when you provide a wonderful computer security course which answers the wrong question. This is analogous to the philosophy used in the sport of road rallying, "It's no good being perfectly on time ... but ten miles off course!" An example of this would be when you are fully prepared to speak about viruses and the audience really needs to hear about inappropriate E-Mail. Now that's an example of the old road rally "ten mile" rule!

As Computer Security Specialists, we are asked to provide awareness sessions for our own employees as well as special request audiences. Did you ever participate in a debate at school? When we were on the high school debating team, we learned that we had to be ready for anything and everything if we were going to win the contest. Today, we must be ready to deal with any kind of computer security question and get added support from knowing both the pro's and con's of each concept.

As happens during Presidential Press Conferences, should we be invited to address a select staff/management grouping on specific ways to protect the data, applications, and hardware, at designated security levels for an agency mission, someone in the audience may ask an unexpected question. Perhaps it will come from a real life situation which has also affected other less outspoken audience members or it might be something which was just surfaced by the news media. YOU are the quintessential computer security guru in your organization and as stated in the Boy Scout motto, you must "Always Be Prepared."

So, keep reading the FISSEA News and Views newsletter and other security and technical trade publications. Develop thought patterns so that when you read a particularly good article you know how you would present the subject to various audiences. You may find yourself riding to work one day when you hear a report on the news/talk radio station which is germane to your office. Take a few minutes to contemplate what audience might benefit from this knowledge and make mental notes on how it should be validated/researched, as well as presented.

Speaking from experience, this thought pattern becomes a habit - it seems that whenever I hear/read anything I try to apply it to an TEA situation. If not immediate needed, it gets filed away until a more appropriate forum. Habits like this will help to protect you from a possible "misdiagnosis."

Go to top of page

It's Alive.... The FISSEA Membership E-Mail List... that is

by Mark Wilson (NIST/FISSEA Liaison)

For several months Peggy Himes, who works with me providing NIST Liaison support to FISSEA, has been sending the occasional e-mail message to you, mentioning the upcoming FISSEA Conference and the related Educator of the Year nomination deadline, as well as providing other training-related information.

We have since turned the list of e-mail addresses that Peggy uses into a FISSEA membership e-mail list . . . your e-mail list . . . that you can use as you would use any other list to which you are subscribed. The list is called:

fissea@nist.gov

If you need to conduct a training session for a specific audience, or create a general awareness session that you'll march everyone through, and you don't know how to get started, send a message to the list asking for ideas. You'll probably get a ton and a half of URLs for websites that contain material and good ideas (but that's the subject of another article for another time). Should you need to build a training session and would like to see what other people at other organizations have done, send a message to the list, asking if anyone would be willing to offer up a file that they have built.

Not getting messages from Peggy? Would you or a comrade like to be added to the list? Just contact Peggy at peggy.himes@nist.gov or by phone at (301) 975-2489 and ask her to add whomever to the FISSEA membership e-mail list.

Also...

We are building a new "IT Security Professional Certification and Related Issues" page on our Training and Education page on our website - CSRC. A link will be added to the FISSEA page to get to this page, so visitors to the FISSEA page who are looking for professional certification info can easily find it.

http://csrc.nist.rip/training/

For those interested in becoming certified as an Information Security Auditor, check out: http://www.isaca.org/cert1.htm

Another Certification Program

ICSA.net, a certification authority for network security hardware and software, has two certifications to increase the number of skilled Network Security Professionals in the industry. These certifications are skills based, vendor neutral, and technology specific. The certifications are the ICNSA (ICSA.net Certified Network Security Administrator) and the ICNSE (ICSA.net Certified Network Security Engineer). ICNSA's first exam was in August, 2000, and the ICNSE exam and Hands-on Lab test was begun in January, 2001.

Global Knowledge is the authorized provider of training which directly maps the skills and knowledge necessary to these certifications. Courses are hands-on and occur throughout the country. To get more info on these programs just point your browser at www.icsa.net

Go to top of page

From the Artistic Desk of Ann Brown (IHS)

Computer Security Awareness posters are now available from Indian Health Service by accessing:
http://www.ihs.gov/CIO/ITSecurity/Posters/sec_post.asp Many different topics are included but suggestions are always welcome. Just contact Ann by E-Mail at: abrown@hqe.ihs.gov

Go to top of page

From the Keyboard of Barbara Cuffie (SSA), Exec. Board Co-Chair

The following article was printed in the "Data Link," a Social Security Administration publication. I thought it was excellent and hope readers will find it a worthwhile primer on this frequent awareness topic. It was well-received here, at SSA.

For LAN Sakes Those Nasty Viruses - What You Need to Know to Avoid Them
by Greg Whitehair (SSA)

"To most people, a virus breakout means the flu season is upon us. But this isn't the only virus spreading in your office. Another kind of virus breakout is any software that makes modifications to computer files and performs actions to replicate itself without the consent of the computer owner. To the engineers who actively combat these unwelcome guests, the definition for a computer virus and other types of malicious software are more specific.

"A 'true' virus is a small computer program that spreads from one file to another on a single computer. It does not actively try to spread itself to other machines. Like an organic virus, a computer virus needs a 'host,' a specific type of file to infect on a particular platform. It replicates itself by attaching itself to a host computer's memory or computer file."

{If you would like the complete text of this four-page article, please send an E-Mail to: lmn@nrc.gov with a subject of: "FISSEA Virus Article" and a reply will include the copy. Ed.}

Go to top of page

Trainia

{This column is a compendium of info on upcoming conferences/seminars, courses, books which may be worth your reading time, and more. That is why it is named TRAINIA, a contraction of the words TRAINing and trivIA. Hope you find it useful... Ed.}

18JAN-16JUL2001 - Presidential Classroom Volunteer Instructors Program-for info, check http://www.presidentialclassroom.org or Instruct@presidentialclassroom.org Application deadline for the Summer, 2001, sessions is 30MAR2001

7FEB2001 - NIST Technical Seminar on Pitching IT Security to Federal Executives - at NIST in Gaithersburg, Maryland. To register, contact: teresa.vicente@nist.gov or phone (301)975-3883.

14FEB2001 - GSA/FTS/OIS 2^nd Annual ACES Forum - Almas Temple in Washington, DC. Agenda, directions, and registration at: www.fedpage.com/aces

25FEB-1MAR2001 - MIS Training Institute InfoSec World 2001 - in Orlando, Florida.. This and other conference info may be found at: http://www.misti.com/

26-28FEB2001 - American Society for Industrial Security (ASIS) Cybercrime Summit 2001 - Washington, DC. "The first-of-its-kind educational event focusing on today's emerging Internet crime - how to recognize it, understand it, and effectively respond to it." Contact ASIS at: www.asisonline.org or by phoning (703)519-6200.

5-6MAR2001 - Symposium on Requirements Engineering for Information Security, CERIAS, Purdue University. Contact Annie or Spaf at: sreis-inf@cerias.purdue.edu

7MAR2001 - NIAP Government-Industry IT Security Forum: Strategies for the Developing of Security Requirements and Specifications for Computing and Real-Time Control Systems, Indianapolis, Indiana. For more info: http://niap.nist.gov

13-15MAR2001 - the FISSEA 2001 Annual Conference. This year's theme is "From Y2K To TEA (Training, Education, Awareness) With FISSEA" - at the Hilton Hotel in Gaithersburg, Maryland. For more info, check:
http://csrc.nist.rip/organizations/fissea.html

8-12APR2001 - RSA Conference 2001 - Moscone Center in San Francisco, California. For info, go to: http://www.rsaconference.com

30APR-3MAY2001 - AIIM2001 Exposition & Conference - Javits Convention Center in New York City. For info: www.aiim2001.com

7-10MAY2001 - US Department of Energy 2001 Computer Security Group Training Conference - Cincinnati, Ohio. General questions may be sent to: gjblair@sandia.gov or jnichols@pantex.com

22-23MAY2001 - NRC will host CSI's John O'Leary teaching Management Skills for a Superior Information Security Program. 24-25MAY2001 - NRC will host CSI's Tom Peltier teaching Facilitated Risk Analysis for Business and Security. For info, go to: www.gocsi.com E-Mail ljkaufman@mfi.com or phone: 1(415)947-6369.

22-24MAY2001 - 5^th Annual National Colloquium for Information Systems Security Education - at George Mason University in Fairfax, Virginia. Forum to define current and emerging requirements for information security education. For more info: http://www.ncisse.org/conference2001

18-19JUL2001 - Second International Common Criteria Conference (ICCC) at the Hilton Brighton Metropole Conference and Exhibition Centre, England. Hosted by the Communications-Electronics Security Group (CESG). Theme "Securing the Information Age." For information visit the ICCC website www.iccconference.com or call the ICCC Hotline +44 (0) 1635 550845.

29-31OCT2001 - 24^th National Information Systems Security Conference - Baltimore, Maryland. For more info, check: http://csrc/nist/gov/nissc/call.htm or: NistConference@dockmaster2.ncsc.mil or phone (301)975-2775

** Fred Cohen sent a note that Eoghan Casey has reported on some upcoming on-line courses thru the University of New Haven:

One is "Introduction to Digital Evidence and Computer Crime". This three week course provides an overview of digital evidence and computer crime. This course begins by discussing computer related crime, providing specific examples and articles to demonstrate how criminals use computers and the new challenges that technology creates. The second week of the course covers tools and standard operating procedures for handling evidence stored on standalone computers. Relevant legal considerations are presented. The final week is devoted to networks as a source of evidence with an emphasis on the Internet.
For more information see: http://www.forensic-science.com/course_description/de101.html

The other course is "Advanced Digital Evidence" - a ten week course designed to give corporate security professionals, forensic scientists, attorneys, and law enforcement an in-depth understanding of evidence stored on and transmitted using computers. This is a technical course that concentrates on practical approaches to collecting, analyzing, and utilizing digital evidence in a variety of situations including computer intrusions, sexual predation on the Internet, and violent crime. More details are available at:
http://www.forensic-science.com/course_description/de582.html
A course outline with related online reading is available at:
http://www.forensic-science.com/syllabus/de582_syl.html

** InformationWeek will host four five-day sessions entitled "Redefining IT Leadership: New Rules, New Opportunities" at Stanford University in Palo Alto,California on: 25-29MAR2001, 24-28JUN2001, 14-18OCT2001, and 9-13DEC2001. For more info, contact: 1(800)450-1840.

** Several mailing lists have recently reported that Random House has permitted the complete unabridged electronic text of "Underground: Tales of Hacking, Madness and Obsession on the Electronic Frontier" to be publicly and freely released. Author Suelette Dreyfus has created a 500 page tale which will surely hold the interest of any computer security professional. It may be downloaded in several different formats (including PALMs) by going to: http://www.underground-book.com/download.php3

** Found a great new TV show with the title "Standard Deviants" on PBS. Segments air for a half-hour once-a-week and deal with a variety of subjects. One recent telecast dealt with the Internet. Both adults and children can/will benefit from this show.

** Call For Papers for the "New Security Paradigms Workshop 2001," sponsored by ACM/SIGSAC, 11 - 13 September 2001, in Cloudcroft, New Mexico, USA (20 miles from Alamogordo/White Sands). For more info, go to: http://www.nspw.org

** Just received a snail-mailer from Salinas Group advertizing their courses. They appear to be held all over the country during the first quarter of calendar year 2001. Subject matter includes: "SecurityInstructor.com" and RSA Security, among others. If interested, contact: REGISTER@www.salinasgroup.com or phone: 1(800)251-2456.

** An E-Mail arrived providing notice of three Network and IT Security Training courses:
Course One: Network Security for Managers - 2 day course - Fee: $695.00.
Course Two: UNIX Countermeasures - 5 days (Hands-on) - Fee $2,475.00.
Course Three: Intro to Network Security and Intrusion Detection - 5 days (Hands-on) - Fee: $2,475.00.
For more information on these courses or to register, call Margo McPhee, Verizon Federal Network Systems (formerly BBN) at 1-800-334-1553. See their web site for course dates, prerequisites and more details on course content. Visit www.marketaccess.org and the courses will be listed at their home page.

{Editor's Note: FISSEA does not evaluate nor recommend training courses. They are listed in our "News and Views" for reader's information. If interested in any of them, please do your own verification of the information we report to determine if they are appropriate for your needs.}

Go to top of page