News and Views June 2001

Issue One of FISSEA Year 2000-2001
From the Executive Board Chair

I believe in FISSEA and have been a member and supporter of this organization almost from its beginning. First, I want to thank those of you who elected me and the other members of the Executive Board to represent you and provide leadership for FISSEA. We serve on the Board, but we can only be effective in assuring that FISSEA continues to fulfill your needs, if you (i.e., our members) communicate with us regularly. I believe we can improve and accomplish even more in this coming year if you will share your suggestions, products, ideas, time and/or expertise with FISSEA. By the way, I am so happy over your vote of confidence in me that I've decided to share one of our best-kept secrets -- membership in FISSEA is still FREE!

Last year the Board accomplished a great deal with Pauline Bowen steering our course as the Board's Chair. We developed a strategic plan, developed an electronic forum so that our members can share issues, ideas and ask and assist each other through email. Recently, we also began meeting regularly with National Institute of Standards and Technology's (NIST) management to strengthen our relationship and hopefully maximize our utilization of limited resources.

The members of the Board are elected volunteers, but we all receive varying levels of support from our employers since our meetings are convened during our normal workday. We are glad that the NIST is still our primary supporter. However, much, if not most, of our work for FISSEA is actually done from our homes after hours. The current Board is comprised of eleven information systems security professionals and/or educators. We are highly motivated to ensure that our members benefit from their FISSEA connection and ensure that our conferences continue to be outstanding. In fact, based on your evaluations and informal feedback from conference participants, the annual FISSEA conference appears to merit an "A" for its quality and favorable return on investment for participants. We will begin planning for our 2002 Conference shortly. We need to find at least two more people who are willing to serve on the Conference Committee. This may be an opportunity for you to share your experience and skills or to gain experience in an area that may be beneficial to you later in your career.

There are so many things that the Board wants to accomplish this coming year that we may sometimes appear overly optimistic considering our sparse resources. You actually have the power to make a BIG difference by volunteering to work with us and thereby increase our resources. Louis Numkin, our able newsletter editor and Board member for several years is always trying to get more members to write articles. Contact Louis if you can help in that way. Regardless of your skills, talents and experience, we can find a job for you. Don't delay. Contact us today and join us in making FISSEA all that it can be and needs to be to help improve the quality and availability of information systems security awareness, training and educational tools and programs.

Barbara G. Cuffie, CISSP
FISSEA 2001 Conference:
FISSEA Executive Board 2001-2002

Two Year Terms:
Barbara Cuffie, Chair, barbara.cuffie@ssa.gov
Lewis Baskerville, lewis.baskerville@sba.gov
George Bieber, george.bieber@osd.mil
Patricia Black, patricia.black@do.treas.gov
Louis Numkin, Newsletter Editor, lmn@nrc.gov
Mark Wilson, mark.wilson@nist.gov

One Year Terms:
Pauline Bowen, pbowen@oc.fda.gov
Vicki Jordan, keviev@erols.com
Sharon Kavanagh, skavanagh@hcfa.gov
Dara Murray, Assistant Chair, dmurray@nsf.gov
Philip Sibert, philip.sibert@nnsa.doe.gov

FISSEA MEMBERSHIP:
Peggy Himes, peggy.himes@nist.gov
FISSEA's friend, Mich Kabay (PhD, CISSP, Security Leader, Information Security Group, AtomicTangerine, Inc) forwarded the following note from Eva Vincze, cjhrc@visi.net
"I was recently appointed Acting Director of the whole Computer Fraud Program at George Washington University, so I am now looking for Adjunct Faculty for both the D.C. and Hampton Road Programs. Our current needs include:

1) J.D.s - prosecutors, especially those who have had experience prosecuting cybercrimes for DC & Hampton Roads Centers to teach Criminal Law 1 & 2;

2) Information Security Specialist who can teach an introductory course in Information Security Systems at Hampton Roads Center; and

3) Computer Forensic Specialists who can teach one of three mid-level courses (Investigative Processes and Federal Statutes, Data Analysis, or Mock Court) for the Hampton Roads Center.

"I am also looking for Cybercriminologist types . . . to teach a course specifically in Cybercrime."

"Courses in DC run for 16 weeks during the school year and 10 during the summer. Classes run in 8 week cycles at Hampton Roads. All faculty need to have real world experience in either the government or private sector. They usually teach once or twice a year depending on the course. Please put the word out to your education sources. I'd like to get a diverse pool of people to give students maximum exposure to lots of different viewpoints."
{If you and/or your contacts might be interested in any of these positions, please contact Eva directly at the above E-Mail address. Ed.}
by David Sostman, Titan Corporation
There has never been a better time to be educating others about information security. People are more attuned to IT security issues, both at home and in the workplace, than ever before. General levels of awareness and understanding are increasing every day. And whether or not it's overtly acknowledged, most government managers understand that e-government can't happen successfully in the long term without information security. FISSEA's members would be well advised to capitalize on the tenor of the times, and use it to communicate the critical need for security in the emerging era of e-government.
What needs to be communicated is that before e-government, e-commerce, or e-anything can be truly successful across a wide range of applications, the integrity, confidentiality, and availability of the information involved has to be secured.
Even the recent retrenchments on the dot.com frontier support this thinking. Many experienced business observers knew that most of these Internet-based companies had specious revenue models, yet investors were willing to dispense with caution. The tide was lifting all the "virtual" boats. But as we all know, the reality tide has hit and many castles on the beach have turned back to sand. The same is true for security issues. Caution is advised. Eventually things are going to happen exposing networked enterprises to denial of service attacks, new viruses, and other assaults we have not even begun to imagine.
The recent downing of the American plane over International waters near China serves to illustrate what that nation is already doing to prepare for cyber war. During this international escapade dozens of US government Internet web sites were attacked and some defaced - allegedly by Chinese nationalists who were "expressing outrage at the downing of their pilot." Shouldn't this suggest that China is now engaged in exploring how to wage far more dangerous cyber assaults? So too are other nations.
We also have a generation of young Americans who are exploring the Internet and seeking to gratify their natural inquisitiveness. If just a small percentage probes beyond the ethical boundaries of online behavior, then we're facing an increase in online attacks. What all of this suggests is that both domestically and internationally, we need to be concerned about what's coming down the road, and we need to be prepared.
During the last annual FISSEA Conference in March, those in the crowd heard from OMB's Glen Schlarmann, a contributor to the writing of the Information Security Reform Act and the author of the well-known OMB memo (M-01-08) of January 16, 2001 regarding the Act. As we heard him explain the new law, I was reminded of Obi-Wan Kenobi's words when he said to Luke Skywalker, "May the force be with you."
For those in the Federal Government tasked with persuading others to comply with security requirements, the force, the Zeitgeist, the compelling tenor of the times, is now with us.
The Information Security Reform Act will usher in a new day for those in the Federal government who have been assigned security tasks. The legislation accomplishes several feats, among them tying conformance on security to OMB funding. No annual security assessments, no funds. It's simple math.
Granted, the complexities of everyday events will make this equation more complicated. But this is indeed a new day for those of us involved with information security. It is a day that has been long in coming, but the time is now. To my fellow FISSEA members -- may the force be with you.
We have received a couple of offers for article submissions from new members. FISSEA will look forward to seeing articles such as this one:
Domi Sanchez (CISSP, Adjunct Faculty, Lead Instructor for Information Assurance, Johns Hopkins University School of Professional Studies, RadioDomi@aol.com) wrote: "I would like to help out writing articles for your newsletter. I'm toying with the idea of doing research in the Instructional Systems Design (ISD) model of developing IA courseware. It's a rather lengthy topic, when last I visited it. Perhaps a multi-issue series would be appropriate?"
{Domi, we are looking forward to your article(s). Thanks, Ed.}
And, "flying" into our view from the FAA is Marie Stella, an accomplished newsletter editor in her own right, who wrote "I'd be interested in writing an article for your newsletter." Here 'tis:
Who Loves you Baby?
by Marie Stella, FAA
Hundreds of thousands of people couldn't resist finding out last month when they opened the "I love you Virus", which caused havoc not only on the Internet but caused destruction of business and personal files. One has to wonder with all the warnings and the slew of well publicized virus attacks, why so many people fell victim to this scam? The answer will not be found in an analysis of the technical complexity of the virus, but instead in a psychological study of 21st Century man's relationship to the machine. Several studies have come out recently identifying that children relate to the computer in the same way they relate to imaginary friends. They treat the machine as an animated object and attribute human like qualities to it. Other studies show that adults are more likely to attribute truth to news they get over the Internet as opposed to what they see and hear on TV. The love affair between man and machine has never been so prevalent as it is today. Observe, if you can get off your cellular long enough, how many folks are telecommuting on the streets, in their cars, in the grocery store, in restaurants, etc. Beepers and pagers are so prevalent that churches announce that people must turn off their beepers before services start. Romances develop over the Internet, some of them always remain electronic fantasies, imagination and some bending of the truth becoming the replacement for real relationships that ordinarily involve both ecstatic romance and lots of hard work.
Why is this happening? How did chat rooms replace family dinners and dialog? Why is it so much easier for people to communicate electronically versus a face to face dialog with emotional outpour, physical interaction, and spontaneity? Perhaps it is because television has led us to become passive learners and to accept our reality (pleasure, pain, and fear) through visual and auditory stimuli? Maybe other factors have caused us to really lack communication skills?

Most likely the reasons are multi-faceted and much more complex. We can expect to see numerous human factors and psychology studies analyzing and theorizing on this problem over the next ten years. What I do know is that electronic enabling is a phenomenon we can expect to see more of in the future. The Jetsons' electronic home and workplace is fast becoming reality. Individually we will have to assess how that affects our work environment, family, social life, and spiritual life. We can use automation as a tool to improve the quality of all of these facets of our lives or we can use it to replace a lot of the traditional ways we live. This will always be an individual choice.

What we need to be aware of is that electronic communication does not inherently provide the same privacy that we are used to in our home and workplace. When we use the Internet for our data and eventually for most of our voice communications, we connect to the world but our communications are easily accessed both legally and illegally. This includes our conversations, our financial data, credit information, and anything else we transmit electronically. My only advice is - use it wisely. So before you eagerly open those messages about who loves you, think….do you really want to know?

Happy reading…..Marie

{Marie, we eagerly await more submission(s). Even though you wrote the above article back in September, 2000, thanks for sharing it with us. Ed.}
by Dara Murray, National Science Foundation
Palm Pilots or Personal Digital Assistants (PDA's) are electronic hand-held devices that offer individuals the convenience of maintaining and working with schedules, contacts lists and email while away from the office. Although they are great and handy tools, the use of PDA's can present some security issues.

The basic security risk for a PDA is simply loss of data. Many of us who use the PDA on a regular basis bring it along while not in secure surroundings such as while riding metro or at a restaurant. Although we try to be careful, sometimes with our fast pace working schedules "we" may forget and leave it behind. If you don't have a password attached to your device, some information that you would like to keep personal could be compromised. Best advice is to install a password on the Palm Pilot and keep it in a safe place if at all possible when not in use. Additionally, Palm Pilots have the capability to mark individual records (e.g. address book entries) as private. This provides password protection at the record level. If you would like to install a separate password on your Palm Pilot, refer to your user's manual for detailed instructions. Another risk associated with data loss can occur with synchronizing with your Outlook inbox. For more information, see the January 2000 Newsletter article on "Palm Pilot and Outlook Synchronization" at (http://www.inside.nsf.gov/oirm/dis/disnews/0001/article4.htm).

What about viruses? Yes, this is another threat. Each time a portable device connects to your network, it's almost like a floppy disk being inserted into a computer - you don't know where it's been or what infections it might carry. As increasing numbers of users see the value of a device that can pack almost as much computing power as a desktop PC, but fit in a pocket, the threat of infection through PDAs increases. How? In the same way that people can be carriers of biological viruses without actually falling ill, PDAs can be carriers of computer viruses without actually being infected. Though few viruses have been written to infect PDAs themselves as of yet, PDAs can already carry infected documents from one computer to another. Working on a document from a virus-infected computer at home, a user may synchronize his PDA with his home computer, to work on the document a little more on the "metro" to work. Then he may figure out the ability to synchronize again with his desktop computer at work, send the document to his team, and spread the infection. There are new tools such as a McAfee product called VirusScan Wireless. For more information regarding the VirusScan Wireless product visit the web site at www.McAfeeB2B.com.
For more information regarding the uses of Palm Pilots/PDAs log into www.memoware.com. This is an excellent source of information on PDA's.
by John T Atkinson, Chairman CISSP Services
In recent years we have seen a proliferation of certifications offered by professional trade organizations and vendors. The information technology sector has been at the forefront in certifications with many software and hardware vendors offering their own unique certifications.
Among all the certifications, the Certified Information Systems Security Professional (CISSP) designation has become the standard for the information security profession. What makes this designation unique is that it is based on four fundamental principles: a broad Common Body of Knowledge for the Information Security profession; a candidate must pass a rigorous exam that verifies their knowledge of the profession; candidates must subscribe to a code of ethics; and continuing education is required to maintain the CISSP credential. The International Information Systems Security Certification Consortium (ISC)2, a not-for-profit organization founded in 1989, which created a broad-based certification program for the information security professional, is the credentialing body.
The CISSP designation is granted on a three-year cycle; during this time period a CISSP must complete 120 hours of continuing professional education credits (CPEs). The approved methods for obtaining CPEs as well as details on how to submit these credits can be found on the (ISC)2 web site (www.isc2.org).
A CISSP must complete a minimum of 80 CPE credits directly related to the Common Body of Knowledge (these credits are referred to as "A" credits) and an additional 40 CPE credits may be earned in general education ("B" credits).
The most frequently asked question about obtaining CPE credits is "How can I earn CPEs?":
(ISC)2 has many methods to obtain CPE credits that do not require extensive travel or the expenditure of large sums of money.
Methods include:

Attending an information security professional association chapter meeting sponsored by an approved information security organization. One bargain that is generally available is the International Systems Security Association (ISSA). The ISSA has chapters in most large cities throughout the world. There is a small membership fee to join, however, this fee generally covers all the chapter meetings. Some chapters have additional fees for some of their events. Most chapters have either monthly or quarterly meetings.

If you have any questions please contact me via email or call me at 1-212-551-4158.
Connie Oden from FedCIRC wants to invite FISSEA membership to search their memories as FedCIRC is looking for an Information Security "Success Story" that you or your agency have done. This information will be posted in FedCIRC's monthly newsletter that goes out to all Federal ISSOs, System Administrators, and CIOs. Success stories should only be one or two paragraphs in length. This is your chance to give your agency and/or yourself a spotlight in the FedCIRC Bits & Bytes. The deadline for submission is the 15th of each month. If you have any questions or suggestions, please email Connie at coden@fedcirc.gov or phone 202-708-9877.
by Sujeet Bambawale, Sujeet@Sujeet.Net
In my continual attempt to balance my time spent on and off the Internet, I was recently faced with an interesting dilemma. It seems to be getting harder and harder to find a place in the "real world" that doesn't have its teeth sunk into a slice of "cyberpie!" This is not to say that the bliss of sipping a tall'n'cold one at a sunny beach on a Saturday afternoon is available online, but that might be among a rapidly decreasing stable of "not yets!" From automobile dealers to groceries, from mass transit to pizza delivery and from city hall to the environmentalists - everyone seems to have a well-defined, well-maintained and well-structured presence on the World Wide Web. Don't get me wrong - I have nothing against this. I think it's very good to have increased visibility and 24-hour availability, and most commendable that the effort towards acceptance and integration of the Internet has received so much motivation and delivered such noteworthy results. However, just as Friday evenings provide temporary solace from the week's woes in the workplace, I was wondering what would qualify as a getaway from the Internet to the netizens who would like to get away from their "connected" lives for a while.
No, this is not going to be about the "natural bliss" of weekend gardening nor taking the kids to the park after a hearty meal with the entire family. I'll save those images for later.
Let's start on a recent weekend when I was looking for a digital video camera. One with a good-sized screen that doesn't make you squint and shake your hand just to see what it is capturing, and one which allows enough of a zoom feature so I could catch my niece swinging in the sandlot without worrying about getting a face full of little feet! Varying prices and specifications had me a mite confused, until I came across the Sony Vaio. No, dear readers, this is not an advertisement for this camera.
The Sony Vaio is one of the most "beautiful" pieces of consolidated personal electronics I've ever seen. It packages a 14 GB hard disk, an 'any-angle-view' color screen capable of 1024 x 768 resolution, and a still/motion digital camera that can be used as anything from a movie maker to a webcam. The resolution and focus features of this camera were quite impressive, and it was then that I realized I was holding a device which combined the full functionality of a personal computer with that of a digital video camera and had enough onboard storage and battery life to be a worthy adversary to my notebook. The Vaio is the size of an extended palm and a half, and has a FireWire port, USB port, 56K software modem and I believe I saw a PCMCIA slot as well.
Without the onboard media drives, holding it felt quite the same as the weight of my handheld, and its thickness didn't seem particularly obtrusive either. Exchanging data with it would be by any of the many supported port connections or by using a network dongle and an Ethernet cord to plug into a standard network.
Did I get it, you ask? No. Why? Because its current price tag was $2,200. This would have been more attractive prior to buying my notebook, not after! I can recommend it for all those who like media - digital video, still digital pictures, porting around MP3, etc. It uses Windows Me, so you don't have to go looking for the "pocket versions" of desired software. Its functionality would extend way beyond being a portable media cart. This is something I could see college kids carrying around in their backpacks instead of relatively "clunky" notebooks.
My little tete-a-tete with the Vaio had me feel a head rush - a head full of interesting "what if" ideas for portable computing devices, and as I was about to send them off to Nirav for his thoughts, a few errors showed up in my mailbox. Delivery errors with email are something that I rarely see, and closer examination revealed that one of my primary external email providers had declared a service outage for maintenance upgrades. In this day and age, service outages seem disastrous, but I guess it was essential. On the upside, that had me visiting my Visto mailbox a lot more frequently, and watching it mutate to a new look without affecting service. I've had, and used a mailbox on the Visto service for around one year and I guess it's about time for me to say that I'm quite impressed with it. Visto was among the first full-featured web-based personal information management tools that sported a calendar, task manager, file storage area and customizable forums. It would be among the first to offer wireless email, and the ability to synchronize mailboxes and address books with known local system formats like Outlook, Outlook Express, and the Palm. With a generous 15 MB of storage quota combined with optional secure access and external mail collection functionality, Visto does a good job of being a personal information manager, and I'm glad that it has kept its head high in spite of the power and economy issues. Registration is still free, but the link for free membership is not the usual big button on the front page - another point of elegance to me, though debatable by many!
Finally... the Volvo. I'm sure a lot of you would have wondered what a reference to Volvo was doing in an article that seemed to have a lot to do with cyberspace and what went on in the realms of digital reality. And no, it's not about the new, improved Volvo website, because I'm not really that much of a Volvo automobile fan. What I like about it though, which is why it figures here, is that the Volvo brand is synonymous with the concept of automobile safety (http://new.volvocars.com/new/whyvolvo/why_safety_first.html) - something which I don't see a real counterpart for on the Internet. I used to think a certain certificate authority was almost like this until a recent successful social engineering attack got it to issue fraudulent certificates in the name of a well known software corporation. This caused me to rethink the assumption.
If the "infobahn" is the digital counterpart of the autobahn, then the priority of safety on the latter should translate into an equivalent priority on the former. Unfortunately, it took a history of very sad incidents to shake automobile makers into incorporating things like airbags as standard issue, and for legislators to pass seat belt laws. But, even though places like CD Universe ended up with a lot of customer credit card information out on public view (http://www.zdnet.com/eweek/stories/general/0,11011,2425665,00.html), "cybercrime" still conjures up visions of movies showing "young people" in dimly lit rooms with a lot of typing, flat screens, slick graphics, techno soundtracks, et al. What's even more interesting is to see people dismiss the movie's core idea as mythical. Of course, getting into the NSA through a backdoor might be a lot easier said than done, but after all, it is just a system built by human minds and hands. Anything built in this fashion could be compromised in a similar manner.
For all of you seasoned information security people, the CD Universe story is probably old hat? The included link points to an article released more than a year ago. You would probably send me the link for the mirror site of the March 6 defacement of AudioFind apparently done by supporters of Napster, or a snippet of something similar. Okay, keep them coming - this is all about increasing awareness, isn't it? Ditto for those who have no clue about what CD Universe, or Napster is. You don't have to know what those are because the Internet is essentially a nameless, faceless public medium. If you're interested in making "online" a safe place, please get in touch with me and let's find out how to go about doing it.

{Sujeet welcomes your comments and responses on this article. Please send them to the address in the by-line. Ed.}
{New FISSEA member, Marie Stella, is the Editor of the FAA CYBERTALK Information Security Newsletter. She has authorized us to reprint some of her items in this and upcoming issues of our FISSEA News & Views. Thanks, Marie.}
Fad or Fact

User credit card numbers are stolen off a company's computer via the Internet? When the company refuses to pay a ransom fee, thousands of user names and card numbers are printed on the Internet. Internet users can't access search functions because hackers who overwhelmed the site with attempts to log on (spamming) have brought a major search engine down. Teenage hackers access the computer system controlling electronic-message road signs, causing an accident and severe injury to three motorists. Good scenarios for action movies, perhaps, but all true. America has moved from the Industrial age to the Information age, and tools and methodologies to analyze, distribute and store information are our new natural resources. Just as the FAA has moved from a back-up system of "shrimp boats" moving across air space maps to fully automated, distributed and collaborative technology to control air traffic, the nation's fastest growing business is the development and movement of information globally. The country's critical infrastructure, those physical and cyber-based systems essential to the minimal operation of the economy and government are becoming increasingly automated and inter-linked as a result of advances in information technology and the need to improve efficiency. This infrastructure is composed of the publicly and privately owned/managed systems that control the country's transportation, telecommunication, energy, banking and finance, water systems and emergency services. These same advances that provide improved efficiency create new vulnerabilities, not the least of which is physical and cyber attacks. Threats to information security have become so serious that cyber attacks are considered one of the five major threats to our national security.
Why the increased interest in information security? Computer hacking has become a popular activity that may fast replace the Sunday football game for the under 25 crowd (and has definitely piqued the interest of us almost retirement age folks). Access to computer systems is no longer limited to those trusted users with highly developed computer literate skills. Today, anyone can access tools to hack into computer systems via the Internet. "How to" guides for dummies that are easily found on the internet allow most junior high students with a modicum of curiosity to be able to get access to information to easily bill their long-distance calls to someone else. Last week at the supermarket, the 16 year old cashier told me he had just finished securing the local high school's operating system and applications so that students wouldn't have access to change grades, attendance records, etc. (You bet I got his name and number and recommended him for a summer job.) Cyber technology is definitely becoming child's play.
Our role in information security is twofold. All of us are users of telecommunications services (and possible victims of cyber attacks) via our own home computers and our personal information stored at work, at our banks, insurance companies, doctor's offices, etc. We are the developers, acquirers, maintainers, and ultimately stewards of NAS operational and administrative data that ensures the safety of the public along with the economic viability of one of the most critical U.S. industries.
For most of us the infosec adventure is just beginning. We are like Gulliver starting on a journey into a new world where we may have to challenge our trusted view of the world of information. For some of you the entire concept of information protection may be new, for others it may require looking at technology from a new perspective. Several of you may find this child's play and I hope you will be the teachers and mentors for this journey. This Newsletter will serve as one of the tools to help us navigate through the world of infosec. From the simple to the sublime, I hope it will be a vehicle for introducing new concepts, a place to get answers and get your views heard, pique your interest in infosec, and guide you to areas of training, learning and camaraderie (make that friends even though the cold war is over.)
{Thanks again, Marie. Ed.}
{Trainia is a contraction of the words "Training" and "Trivia" and is used as a repository for info on upcoming courses, book reviews, and even humor which might be adaptable for use in CSA presentations. Please submit any contributions for our next edition to our Editor (LMN@NRC.GOV), before 13 July 2001. Thanks, Ed.}
FISSEA does not validate nor recommend any of the course offerings in this column. Should you be interested in any particular listings, please carefully verify the facts before deciding to attend. Let the buyer beware. If you know that any of the listed training providers are either questionable or malperformers, please inform our Editor, at the above address. Thanks.
---------------
October No More = According to http://csrc.nist.rip/nissc
which has been the National Information System Security Conference (NISSC)
link, FISSEA mourns the passing of the NISSC into the annals of excellent
conferences of "the past." We will all miss this collaborative gathering
sponsored by NSA and NIST which was held either in Baltimore or Northern
Virginia. The many varied tracks, opportunities to network with thousands
of peers from within and outside the US, and to not only hear exceptional
speakers who we rarely see gathered in the same place at the same time
but with whom we could interact over coffee, cocktails, or during the
banquet. Alas dear NISSC, you shall be missed.
---------------
Prof. Dr. Hartmut Pohl sent a note on the SECEDU list which informs
of a course offering which will lead to a Certified Information Security
Officer (R) degree. The specifics are: Four week crash "bottom up" course,
offered by the Summer University Information Security (We believe that
this is based in Europe. Ed.) For info, see: http://www.summeruniversity.de
---------------
The SANS Web page http://www.sans.org
now points to the reading room topics. If you haven't been to the reading
room recently, by the time you read this there will be over 700 papers
covering 43 different topics.
---------------
Dennis Steinauer, Computer Security Division at NIST, reminds us about
the February 28, 2001 Special Publications release from The General
Accounting Office (GAO): Maximizing the Success of Chief Information
Officers: Learning from Leading Organizations. (Executive guide.) GAO-01-376G,
February 2001.
http://www.gao.gov/cgi-bin/getrpt?rptno=GAO-01-376G
---------------
SANS is revising Information Security KickStart and Security Essentials
courses to create a new 6 Day (total) Security Essentials course and
certification. Days 2 and 3 of KickStart will be combined with the current
Security Essentials course, and enhanced with brand new material. The
course will be available online in July 2001 and will be taught "live"
starting in August 2001. We are working hard to structure this so that
nobody loses. If you are taking either KickStart or Security Essentials
online, you will be allowed to finish your program, or to be enrolled
at no charge in the new program with a full six months to finish the
new program. If you took either earlier program in a conference or online,
when you re-certify you will have full access to the new program. For
further information:
http://www.sans.org/giactc/new_GSEC.htm
---------------
David Dickson res02mg1@gte.net
sent out the following info on Security Training Courses which were
available in the Washington, DC area. For more information, please visit
www.marketaccess.org
where the courses will be listed along with available dates.
- Course One: Network Security for Managers - Two day course - Fee: $695.00
- Course Two: UNIX Countermeasures - 5 Days (Hands-on) - Government Fee: $2,475.00
- Course Three: Intro to Network Security and Intrusion Detection - 5 days (Hands-on) - Government Fee: $2,475.00
For more information on these courses or to register, call Margo McPhee, Verizon Federal Network
Systems (formerly BBN) at 1-800-334-1553.
---------------
Received an E-Mail advertisement on 13MAY2001 which informed as follows:
"National Education Foundation (NEF) CyberLearning, a non-profit organization
dedicated to bridging the Digital Divide since 1994, is offering tuition-free
on-line training in Information Technology to the first 10,000 applicants.
NEF, nominated for the prestigious Ford Foundation Leadership Award,
offers two on-line programs recently acclaimed by FORBES Magazine as
the 'Best of the Web'."
1) Personal Computing (300+ self-study and instructor-led courses including
all Microsoft Office in English and Spanish, Web Design, Lotus Notes,
Internet, E-mail, E-commerce, Palm etc, tuition value of $1,000) for
a nominal registration fee, the only cost.
2) Information Technology (650+ self-study and instructor-led courses,
including the above and 350+ Certification courses in Microsoft, Cisco,
Oracle, Novell, Web Master, A+, Network+ etc, tuition value of $3,000)
for a nominal registration fee, the only cost. The registrant receives
free unlimited access to all the courses, a 24x7 online library, 24x7
tech support, 24x7 skill tests, chat areas and evaluations. To sign
up, visit www.cyberlearning.org
and click on "PC Scholarships(300+ Courses)" or click on "IT Scholarships
(650+ Courses)." Then, complete the "Federal and Other Government Employees"
application.
---------------
New FISSEA member, Regina Martin (FBI), noted a couple of upcoming security
related conferences about which she was aware, for others to consider:
- VA Security by Design (InfoSec2001), June 26-29, 2001, in Orlando,
Florida
- 2001 INS Security Conference, July 9-13, 2001, in San Antonio, Texas
---------------
18-19JUL2001 Second International Common Criteria Conference (ICCC) in
Brighton, England. Hosted by the Communications Electronics Security
Group (CESG). Theme "Securing the Information Age." For information
visit the ICCC website www.iccconference.com
or call ICCC hotline +44(0)1635 550845.
---------------
InfoSec forwarded the following conference note:
15th Annual Vanguard Enterprise Security Expo 2001 - Conference = June
3-8, 2001 / Exhibit Show = June 4-5, 2001 in Reno, Nevada. Enterprise
Security Expo 2001, Annual ISSA Conference, Annual RACF Users' Conference.
For a complete listing of all sessions and abstracts, please visit http://www.go2vanguard.com/conf
---------------
Jim Wilson from LearningTree suggests that if you would like to explore
over 160 Hands-On IT Courses covering every technology, just check out
http://www2.learningtree.com/us/
---------------
Although InfoSec World 2001 is over, you can still benefit from its
information-packed sessions! We have compiled an exceptional resource
for you--a CD-ROM of conference presentations featuring invaluable and
immediately usable information, checklists, charts, and more. And, new
for this year, over 65% of these presentations are accompanied by synchronized
audio, so you can hear exactly what the instructors said at the event.
Proceedings are $295 each, plus shipping and tax (where applicable). For
a complete listing and descriptions of all the sessions covered at InfoSec
World 2001, go to: http://www.misti.com/conference_show.asp?id=OS01
To get your CD-ROM contact MIS Training Institute, 498 Concord St.,
Framingham, MA 01702-2357, or fax to 508-872-1153. You can also call
customer service at 508-879-7999 x346.
---------------
Tom Lundeen forwarded this bit of humor for your reading pleasure. It
is titled
THE COMPUTER USER'S REBOOT POEM
Don't you wish when life is bad
and things just don't compute,
That all we really had to do
was stop and hit reboot?
Things would all turn out ok,
life could be so sweet
If we had those special keys
Ctrl, Alt, and Delete
Your boss is mad, your bills not paid,
your wife, well she's just mute (or substitute "your husband,
well he's just mute")
Just stop and hit those wonderful keys
that make it all reboot
You'd like to have another job
but you fear living in the street?
You solve it all and start anew;
Ctrl, Alt, and Delete.
---------------
Sonny Kakar (Skakar@karta.com) of Karta Technologies wanted to inform our readership of work in which
he is involved, supporting the Department of Transportation Virtual
University (TVU). The TVU has recently launched an information security
library of web-based courses. Currently numbering about 30 courses, approximately
30 more are being developed to go live in the next couple of months.
All courses are web-based integrated with a learning management system
for reporting. The turn key solution includes courses, hosting, site
maintenance, implementation and other support. We can provide temporary
access to view the courses upon request. Sonny can be reached at (202)
366-5795.
---------------
Don Arnold from E-Gov (Don@e-gov.com) sent in the following: Sign up now for the National Conference on
Cyber and Physical Security at the Downtown Marriott Hotel in New Orleans,
Louisiana, June 10-13, 2001. Register online at
http://www.feb.nfc.usda.gov, or by calling 1-504-255-6402.
---------------
Richard Thompson, from the National Agricultural Library wrote that
there is a free symposium coming up at NIH in Bethesda, MD, that should
be a "must attend" event for government employees involved in IT security.
It is titled "PKI and Digital Signatures: From E-Commerce to E-Information
Management." A CENDI Sponsored Symposium hosted by the National Library
of Medicine, it will be held in the Natcher Center Auditorium, National
Institutes of Health, on Wednesday, June 13, 2001, from 8:30am to 5:00pm.
The event program is at http://www.dtic.mil/cendi/activities/05_13_01_digsig_overview.html
and registration form is at http://www.infointl.com/conf_reg/index.html,
or call Jennifer Shell at (865)481-0388.
Last Modified: March 3, 2002.