Hello FISSEA,

Last time I wrote about how my car's brake job made me think of the Executive Board transition. Please bear with me as I continue the automotive maintenance theme.

Today, I am writing while awaiting the return of my car from the mechanic who is changing my oil. I can well remember my youth when crawling under a chassis was an almost daily event and skinned knuckles or grease under my nails was a badge of honor. As cars have become more and more sophisticated and computerized, just like in the world of technology, owners have increasingly become "users". How many of us have cracked open our personal CPU to add a SIMM or troubleshoot a hardware problem?

On the wall of this waiting room hangs a beautiful speed photo poster of a sleek red racecar upon which appears the slogan, "At 244 MPH, Luck's Got Nothing to do With It." Who among us "users" is lucky enough to take our personal computer apart with the self-assurance that we will be able to return it to a functioning machine? Remember as a youngster, when we took things like bikes and watches apart and when reassembled had "extra" pieces lying around which once were within?

Whenever we travel, we need to know that our vehicles are running well enough to make it to the beach, mountains, or even just to the gas station. To be successful, we must be aware of what makes a car run -- gas, oil, tire pressure, etc. Likewise, as computer security awareness/training/education practitioners, we need to know what is important to our organizations.

I have always found value in listening to the car radio. Oftentimes while riding to work I hear about a problem which is affecting computers (like a new virus or scam) and consider informing my organization or family/friends. Getting awareness ideas from news media is a good start but they must be validated before being believed. Remember, the information is often being read by a technically inexperienced or even technophobic individual. Credibility is essential, so research anything about which you are unsure.

In planning for your 2005 observance of Computer Security Awareness Day/Week/Month, please do the same. Ask management and co-workers what is of current interest? Don't just listen to the newscaster unless the report is about your own organization's technical malfeasance or abuse of the public trust. (You may know how morning coffee tastes more acidic when these reports are aired?) But, these current items will draw the most attendees and provide them the greatest bang for the buck. You are in the driver's seat so go for the gusto and instead of being left at the starting line; you and your organization will be well on the way to capturing the checkered flag of the security Awareness 500.

Hope you had a safe and enjoyable summer,

Louis
 
Louis Numkin, CISM
Internal Revenue Service

Go to top of page

FISSEA Executive Board 2005-2006

Go to top of page

Go to top of page

FISSEA Conference 2006

By Curt Carver, USMA, FISSEA Conference Program Co-Director

Go to top of page

Cyber Security Awareness Month

By Justin R. Ripley, US Department of State

Members of the US Department of State's "Awareness Team" recently held a month long event designed to teach, inform, and demonstrate to the domestic Department user community, i.e., IT staff, senior management, and end-users, how and why Cyber Security Awareness is important. The goal of the month was to encourage all Department personnel to be aware of their security responsibilities and their role in safeguarding information processed or stored on automated information systems used by the Department, as well as to raise the overall understanding of the current prevalent threats.

The month's activities kicked off on June 7th with an introductory speech by Deputy Assistant Secretary for Diplomatic Security, Joe Morton followed by a keynote address from the Department's acting Chief Information Officer, Mr. Jay Anania. Mr. Anania spoke of the importance of cyber security awareness at the Department and the commitment of those involved in information assurance activities.

On the following day, a roundtable discussion was held during which a number of experts from various government organizations (including representatives from FBI, NSA and DISA, spoke about their own experiences implementing awareness and training programs for their respective organizations, and the challenges that the Federal sector faces as we move forward.

Some of the best-received events took place during the month's second week, which was geared towards personal home computer use. Presenters from McAfee, Booz Allen Hamilton, CISCO Corporation, and AOL spoke to users about the unique threats associated with the wireless technologies that are becoming increasingly ubiquitous. Individuals attending this session heard a brief history of wireless technologies, but most importantly learned the specific steps needed to secure a wireless home network and achieve a minimum level of protection.

Another session held during this week demonstrated the use of strong passwords to users. Examples of effective passwords were shown, and a password cracking demonstration was conducted. Inevitably, the majority of the audience members were amazed at how easily and quickly passwords can be hacked through the use of this free technology, available on the web to anyone.

The third week of the Cyber Security Awareness Month focused on the information technology professional. Tara Manzow from CompTIA gave a presentation on the future of the IT workplace, with a specific emphasis on those who are engaged in information assurance activities.

Further presentations covered information regarding the value of certifications for IT professionals, pay incentives offered by the Department for holders of these certifications, and the perceived future of the necessity for certification. In addition, several Department employees responsible for protecting State's electronic information assets spoke of their role and mission to ensure a secure and cost effective security stance for the Department.

The final week of the month saw a demonstration on hacking techniques as well as a hands on Hacker Lab sponsored and conducted by Dr. Robert Young of National Defense University. Individuals were able to see first hand how a hacker works and subsequently learned how to protect themselves against this threat.

The entire month concluded with an "Awareness Fair" in which numerous vendors, government agencies, and State Department offices, were able to advertise their products and/or services and generally disseminate information concerning information awareness.

The Department's Chief Information Security Officer, Ms. Jane Scott Norris served as the closing keynote speaker for the event. Ms. Norris addressed the recent security events that have been reported in the media, information security's role, challenges, managing risk, and OMB's Information Systems Security Line of Business initiative.

Awareness month was a tremendous success for the Department, with approximately 1,000 unique visitors attending the various events held throughout the month. This was just the first of what we hope will become an annual fixture at the Department of State, and we hope that future Awareness Months include even greater participation and cooperation with both the private sector and other branches of the Federal government.

A number of private and Federal organizations participated in this first annual Cyber Security Awareness Month. All contributed greatly to the breadth of information that could be promulgated to a diverse workforce, and were instrumental in the overall success of the event. They include: McAfee, Inc., America On Line, CISCO Corporation, Booz Allen Hamilton, CompTIA, Verizon, Symantec, the National Security Agency, the Federal Bureau of Investigation, the Department of Defense, the National Defense University, and the US Agency for International Development.

Go to top of page

This column's name is a contraction of the words "Training" and "Trivia." It includes information on upcoming conferences, book reviews, and even humor. The purpose is to provide readers with places to go and things to use in pursuing and/or providing Computer Security awareness, training, and education. However, FISSEA does not warrant nor determine the value of any inclusions. Readers are encouraged to do their own checking before utilizing any of this data. If readers have items to submit to this column, please forward them to peggy.himes@nist.gov and/or louis.numkin@irs.gov.

***************************************************

How would you like to have a new-hire that could walk into the office on the first day, talk knowledgeably about technical security issues, FISMA, Privacy, Certification and Accreditation, Risk, Threat, A-130, Computer Forensics, CNSS standards, NIST standards, and even prepare a security plan, SSAA or NIACAP documentation? Not only could this new-hire talk about any of these but also they can do it, explain it and teach it to others. Well, that is what you can expect from Cyber Corps (http://www.sfs.opm.gov/) graduates.

All these students understand the national information infrastructure and they are expected to work across a broad spectrum of government jobs. These students all graduate from selected DHS/NSA Centers of Academic Excellence programs. This hand full of schools provides students with two-year full scholarships in exchange for a two-year commitment to federal employment. Between their first and second years, they serve an internship in a federal agency.

As an example, one of these schools is Idaho State University. Their program develops students not only through coursework but direct mentoring of their learning in a live laboratory environment. These students have developed security plans and acceptable use policies while also developing training for ISSOs. Each is expected to be technically qualified as well. No program can claim to be good unless it is externally validated. To ensure technical skills, all students are required to take the Security+ examination at the end of their first semester. At the end of the second semester, they are required to take the (ISC)2 SSCP examination and upon graduation, they take the CISSP examination. So far the program has a 100% pass rate on these examinations. As an added bonus, all ISU Cyber Corps students are Infraguard members so they have had at least an National Agency Check and understand the importance of clearances. This year students from this program have worked in computer security and information assurance roles at the Department of Education, Defense Intelligence Agency, National Security Agency, Governmental Accountability Agency, and Federal Reserve Bank Board among others.

Of course, all Cyber Corps programs are different; however, all have high standards and will provide your agency with outstanding employees. You can find out more about the ISU program at http://security.isu.edu or you can contact Corey Schou if you need help in locating other Scholarship for Service schools.

**********************************************

Florence Olson of FCW provided us with this information.
On July 12, OPM awarded fifty contracts for e-training to support the Office of Personnel Management's GoLearn online training program. While the potential values for the contracts were not announced each of them is worth at least $25,00 and could go for a total of five years, according to the General Services Administration's FedBizOpps Web site where the notice was published. A variety of businesses of different sizes were awarded the contacts, including Plateau Systems, IBM Business Consulting Services, the Apollo Group, GeoLearning, and Pearson Government Solutions.

**********************************************

September 22, 2005 BSU Fraud ID Theft Conference. This conference is free and open to the pubic!
September 21, 2005 A second, free event that you should absolutely MUST attend is the IOSS OPSEC Brief, 21 Sept 05 - please see details below.

The various themes of consideration for the BSU Fraud & ID Theft conference include:

• Identity theft and consumer fraud, such as telemarketing boiler rooms, Internet pyramid schemes, and business and franchise scams
• Privacy and ethical issues such as the collection and analysis of consumer-related data
• Corporate Fraud, such as Intellectual Property theft, financial statement fraud, falsified invoicing, retail loss prevention etc.
• Insurance, Health and Charities fraud
• Mortgage, leading and banking fraud
• Academic settings: cheating, file sharing etc...
• Use of technology in commission of fraud and in the discovery, audit and internal control of illegal activities: COSO, COBIT, SOX, HIPPA

Perhaps the most exciting item to bring to your attention is the availability of participating in the Operations Security (OPSEC) briefing, graciously brought to us by C.Rick Estberg: Chief, Training & Customer Outreach from the National Security Agency at the Interagency OPSEC Support Staff Greenbelt, MD.

They will be conducting a training at Gowen Field, 21 Sept 05 for the Air Force, Army National Guard, Navy Reserves, and various state and city agencies, such as police, EMS and investigators that have a need to protect sensitive information about current and future activities.

Please do NOT miss this extraordinary and engaging opportunity to partake in this training from the very BEST in the business!

What is OPSEC?
Operations Security (OPSEC) is an analytic process used to deny adversary information - generally unclassified - concerning our intentions and capabilities by identifying, controlling, and protecting indicators associated with our planning processes or operations. OPSEC does not replace other security disciplines - it supplements them.

Contact for BSU Fraud & ID Theft conference: Timothy O Neill Web page www.ioss.gov

**********************************************

September 30, 2005, CISA and CISM December 2005 Certification Exam Final Registration Deadline. The online registration process accepts payments and is the preferred method for submitting exam registrations. Due to very heavy registration volume as the early deadline approaches, they ask for patience when registering. Register at www.isaca.org/examreg. Contact the certification department at 1-(847) 253-1545, ext. 471 or 474.

**********************************************

October 4, 2005 If you're located on the US West Coast, there is no faster or more cost effective way to enlighten yourself on the requirements of FISMA and the security governance framework created by NIST than to attend The Facts of FISMA, a one-day intensive seminar presented by the Center for Information Security. This seminar is designed for both technical and management staff who have accountability for Information Security-related activities. After setting the foundation of the objectives of FISMA and the approach taken by NIST, we review the process for Security Categorization and Security Control Selection, Refinement, Documentation, Implementation and Assessment. These well defined activities lead directly to System Certification (a technical act) and System Accreditation (a management act), both necessary inputs for System Authorization, the cornerstone of security assurance and the manifestation of due diligence.

The Center for Information Security (4cis.org) is an initiative of the Regional Training Institute in Walnut Creek California, a non-profit part of the Contra Costa Community College District. The Center's mission is to improve the level of security education and awareness across the community by exploring new and more cost-effective ways to deliver the kind of security training the community needs. You won't find this kind of government-focused information security training anywhere else outside the DC beltway. And at only $199, you can't beat the investment in education, whether you're subject to FISMA compliance or not.

The next Facts of FISMA course will be on October 4, 2005. Visit www.fisma.us or www.securenet-technologies.com for the course outline, instructor bio and registration information.

**********************************************

October 12, 2005 FISSEA Workshop, "Best Practices for Executive-Level Training: A Panel Discussion". Presented by the US Department of State, Diplomatic Security Training Center, Information Assurance Training Team in collaboration with FISSEA. See the one-page flyer for a complete description at the beginning of this newsletter. Technical contact: Susan Hansche (e-mail), CISSP-ISSEP, or Susan Hansche (2nd e-mail address). Registration contact: Cydney Peyton (e-mail), (703) 204-6137 or Peggy Himes (e-mail), 301-975-2489.

**********************************************

October 25-26, 2005 FIAC Conference, "Building Your Government Security Culture" at the University of Maryland University College Inn and Conference Center. http://www.fbcinc.com/fiac/ The 5th Annual FIAC will present a unique perspective on Information Assurance in the Federal Government. Revolving around this year's theme "Building Your Government Security Culture", the conference will bring together a variety of resources from government, industry, and academia to present and discuss information which will shape the information security steps already taken at your agency and throughout the government. FIAC 2005 will provide Information Assurance Policy Updates that are crucial to maintaining security at your agency, the available technologies you can use at your agency to support these policies, and the training programs you can utilize to both create and enhance the security program at your agency. Contact: Federal Business Council, Inc., 8975 Henkels Lane, Suite 700, Annapolis Junction, MD 20701, (800) 878-2940, (301) 206-2950 (fax)
Email bj1@fbcdb.com.

**********************************************

November 30, 2005, Computer Security Day. Readers can get a free poster by writing to ACSD; PO Box 39110; Washington, DC 20016. The website can be located at http://www.geocities.com/a4csd

**********************************************

December 5-9, 2005, Annual Computer Security Applications Conference (ACSAC), Tucson, Arizona, http://www.acsac.org. Christoph Schuba, Pierangela Samarati, Charlie Payne, 2005 ACSAC program chairs, program_chair@acsac.org. ACSAC is sponsored by Applied Computer Security Associates, a not-for-profit all-volunteer Maryland corporation.

**************************************************

February 13-17, 2006, RSA Conference, San Jose, California, will be held at the McEnery Convention Center. If you have interest in booth space or becoming an exhibitor: Companies that begin with letters A-N please contact: Don Rosette (e-mail) at +1-617-848-8766 . Companies that begin with letters O-Z please contact: Wendy Anderson at +1-617-848-8756.

**************************************************

March 20-21, 2006 Annual FISSEA Conference at the Bethesda North Marriott Hotel and Conference Center. Theme: "'Training for a Cyber Secure Future". Please plan ahead, mark your calendars, and join your fellow FISSEA members at your annual conference.

**********************************************

April 3-5, 2006, MIS Training Institute, InfoSec World Conference & Expo 2006, Orlando, FL, More than 2000 information security professionals will be attending this event. Email: mis@misti.com, website www.misti.com

**********************************************

January 30-February 2, 2006 The 10th Annual DoD Information Assurance Workshop has been scheduled. The Workshop will run 30 January - 2 February 2006 at the Philadelphia Marriott. Registration will begin late October, go to www.iaevents.com for more details. This year the Workshop will have a registration fee.

**********************************************

The Federal Computer Security Program Managers' Forum is open to federal government employees only who participate in the management of their organization's computer security program. The Forum hosts the Federal Agency Security Practices web site, maintains an extensive e-mail list, and holds bi-monthly meetings to discuss current issues and developments of interest to those responsible for protecting non-national security systems. Marianne Swanson of NIST serves as the Chairperson. NIST serves as the secretariat of the Forum, providing necessary administrative and logistical support. To join the Forum, please provide your name, title, federal agency, mailing address, telephone, fax and e-mail to Kelly Watkins . Forum url: http://csrc.nist.rip/organizations/cspmf.html

**********************************************

NIST has released its new vulnerability management product called the National Vulnerability Database (NVD). NVD is sponsored by the Department of Homeland Security's National Cyber Security Division. It is available at http://nvd.nist.gov

NIST Draft Special Publication 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems, the Initial Public Draft of FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and Initial Public Draft of FIPS 800-53A, Guide for Assessing the Security Controls in Federal Information Systems are available for review on the Computer Security Resource Center web site, http://csrc.nist.rip/publications/drafts.html

***************************************************