'In business, having the right information at the right time can make the difference between profit and loss, success and failure.'
Confidentiality: protecting information from unauthorised disclosure;
Integrity: protecting information from unauthorised modifications, and ensuring that information is accurate and complete;
Availability: ensuring information is available when needed.
The three pillars of Information Security.

Essential Documents

Basics
800-36, "Guide to Selecting Information Security Products", NIST, October 2003
800-35, Guide to Information Technology Security Services [3 MB], NIST, October 2003
Federal Agency Security Practices (FASP) effort was initiated as a result of the success of the Federal CIO Council's Federal Best Security Practices (BSP) pilot effort to identify, evaluate, and disseminate best practices for CIP and security. 2000-2003
Computer Security Course (LV 142 A) (Courtesy of Mark Burgess)
GAO Executive Guide: Information Security Management - Learning From Leading Organizations, GAO/AIMD-98-68 Information Security Management, May 1998

Biometrics
Hearing on The Use Of Biometrics To Improve Aviation Security, Subcommittee on Aviation, House Committee on Transportation and Infrastructure, May 2004
Information Security: Challenges in Using Biometrics, by Keith A. Rhodes, chief technologist, before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform. GAO-03-1137T, September 9, 2003.
"Biometric Identifiers and the Modern Face of Terror: New Technologies in the Global War on Terrorism", Hearing before the Senate Judiciary Committee Subcommittee on Technology, Terrorism and Government Information, Wednesday, November 14th, 2001

Business Continuity Planning
Business Continuity Planning - A safety net for businesses, Infocon Magazine Issue One, October 2003
Business Continuity Planning: Interview with David Spinks, EDS, Infocon Magazine Issue One, October 2003

Encryption & Passwords
Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology [742K] is the title of a US General Accounting Office Computer Security Report published in February 2001. The report concludes that the US government will have to implement a PKI in order to realise its e-government initiative. (Currently US e-government initiatives are hindered by the fact that many government agencies use different encryption systems. A PKI might be a solution, but it will be expensive and difficult to realise due to the sheer size of the US government.)
Selecting Good Passwords: the US Center for Information Technology, National Institutes of Health advice on how to choose passwords which are not easy to guess
National Cryptologic Strategy for the 21st Century, NSA: 'These pages outline the National Security Agency/Central Security Service's strategic plan for the 21st century, and how we intend to achieve our goal: information superiority for America.'

Denial of Service Attacks
DDoS - 15 Preventive Measures by the 'Bundesamt für Sicherheit in der Informationstechnik'
Overviews of Scans and DDoS Attacks - Executive Summary, by the FBI NIPC, May 2001
Defense Tactics for DDOS Attacks, FedCIRC
CIAC: Distributed Denial of Service, US Department of Energy report published in February 2000.

Firewalls
NIST Special Publication 800-41, Guidelines on Firewalls and Firewall Policy [1.2 MB]. This document contains an overview of recent developments in firewall technology, and guidance on configuring firewall environments. It discusses firewall access control, active content filtering, DMZs, and co-location with VPNs, web and email servers, and intrusion detection. It contains guidance on developing firewall policy and recommendations for administering firewalls. Lastly, it contains several appendices with links to other firewall-related resources and recommendations for configuring and operating firewalls.

Forensics
NIST SP 800-72, Guidelines on PDA Forensics [1.2 MB], November 2004

Home PC Security
Connecting to the Internet Securely; Protecting Home Networks (CIAC-2324). This paper discusses problems and solutions related to protection of home computers from attacks on those computers via the network connection. (Released 1/08/03)
Defending Your Home Computer, by the Information Warfare Division Chief (or Branch Chief) of the Joint Command, Control and Information Warfare School at the Joint Forces Staff College. It includes best practices and personal recommendations.

Human Capital
Human Capital: Attracting and Retaining a High-Quality Information Technology Workforce, testimony by David L. McClure, director, information technology management issues, before the Subcommittee on Technology and Procurement Policy, House Committee on Government Reform. GAO-02-113T, October 4.

IDS - Intrusion Detection Systems
NIST Inter-agency Report (NISTIR) 7007: An Overview of Issues in Testing Intrusion Detection Systems. While intrusion detection systems are becoming ubiquitous defenses in today's networks, currently we have no comprehensive and scientifically rigorous methodology to test the effectiveness of these systems. This paper explores the types of performance measurements that are desired and that have been used in the past. We review many past evaluations that have been designed to assess these metrics. We also discuss the hurdles that have blocked successful measurements in this area and present suggestions for research directed toward improving our measurement capabilities. June 2003
SP 800-31, Intrusion Detection Systems (IDS) [850 KB], August 2001 (NIST Computer Security Special Publications)

Information Security Awareness
Information Assurance Awareness Posters, Keesler Air Force Base, 2004
NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, October 2003 (previous drafts)
FASP Security, Awareness, Training and Education: improves awareness of the need to protect system resources, and develops the skills and knowledge so that computer users can perform their jobs more securely and build in-depth knowledge. 2000 - 2003
Social Engineering Security Awareness Series, © Melissa Guenther 2001
Information Security Awareness Version 1.0, 14 April 2000 (© Treasury Board of Canada Secretariat 2000). Prepared by: Bruce Hunter, BEng, MEng, Government of Canada PKI Secretariat, Chief Information Officer Branch, Treasury Board of Canada Secretariat

IT Standards
Measuring the Effectiveness of Security using ISO 27001, Steve Wright, July 2006
German IT Baseline Protection Manual: Standard security safeguards by the 'Bundesamt für Sicherheit in der Informationstechnik' [2000]
BS7799/ISO 17799: How it Works (courtesy of Gamma Secure Systems Limited)
Technical Security Standard for Information Technology (TSSIT): a Canadian IT security guideline, which is similar to BS 7799 and available for free [August 1997, © Copyright 2000, Royal Canadian Mounted Police]
The Rainbow Series, including the Orange Book (Trusted Computer System Evaluation Criteria, DOD standard 5200.28-STD, December 1985), which characterises secure computing architectures and defines levels A1 (most secure) through D (least).
ITSEC: 'During the 1980s, the United Kingdom, Germany, France and the Netherlands produced versions of their own national criteria. These were harmonised and published as the Information Technology Security Evaluation Criteria (ITSEC). The current issue, Version 1.2, was published by the European Commission in June 1991. In September 1993, it was followed by the IT Security Evaluation Manual (ITSEM) which specifies the methodology to be followed when carrying out ITSEC evaluations.'

Network Security Testing
SP 800-42, Guideline on Network Security Testing [1.6 MB], NIST, October 2003

Patching
Information Security: Continued Actions Needed to Improve Federal Software Patch Management. GAO-04-706, May 02, 2004
GAO Information Security: Effective Patch Management Is Critical to Mitigating Software Vulnerabilities, by Robert F. Dacey, director, information security, before the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House Committee on Government Reform. GAO-03-1138T, September 11, 2003
SP 800-40, Procedures for Handling Security Patches [3.9 MB], NIST, September 2002

Risks and Threats
NIPC White Paper "Risk Management: An Essential Guide to Protecting Critical Assets", November 2002
Canadian Threat and Risk Assessment Working Guide 'provides guidance to an individual (or a departmental team) carrying out a Threat and Risk Assessment (TRA) for an existing or proposed IT system.' (© Communications Security Establishment 1999)

Rootkits
Rootkits: Hiding a Successful System Compromise, by Geoff Galitz, Research Computing, College of Chemistry, UC Berkeley, 2001

Spam
CAN-SPAM Act Hearing, Senate Committee on Commerce, Science, & Transportation, May 2004
Spam Mitigation Techniques: 2004, NISCC Technical Notes No. 02/04, March 2004 (© Crown copyright)
About spam and Tracing Spam (Courtesy of Enrico Savazzi). The article provides a good insight into what spam is and how to fight it.
Alt.spam FAQ (1/1) or "Figuring out fake E-Mail & Posts", Rev 20010410. 'This FAQ will help in deciphering which machine a fake e-Mail or post came from, and who (generally or specifically) you should contact.'

Spyware
Hearing: Spyware: What You Don't Know Can Hurt You, Subcommittee on Commerce, Trade, and Consumer Protection, April 29, 2004
Spyware - Communications Hearing, US Senate Committee on Commerce, Science & Transportation, March 23, 2004

Viruses & Worms
Computer Viruses: The Disease, the Detection, and the Prescription for Protection, Subcommittee on Telecommunications and the Internet, November 6, 2003
"Worm and Virus Defense: How Can We Protect Our Nation's Computers From These Serious Threats?", Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Wednesday, September 10, 2003
"What Can be Done to Reduce the Threats Posed by Computer Viruses and Worms to the Workings of Government?", before the Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, House Committee on Government Reform. August 29, 2001.
Information Security: Code Red, Code Red II, and SirCam Attacks Highlight Need for Proactive Measures, by Keith Rhodes, chief technologist, before the Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, House Committee on Government Reform. GAO-01-1073T, August 29, 2001.
Warhol Worms: The Potential for Very Fast Internet Plagues, by Nicholas C Weaver, August 2001
VIRUS-L/comp.virus Frequently Asked Questions (FAQ) v2.00: 'This posting contains a list of Frequently Asked Questions, and their answers, about computer viruses.'

Wireless Security
SP 800-48, Wireless Network Security: 802.11, Bluetooth, and Handheld Devices [1 MB], NIST, November 2002
NIPC Best Practices for Wireless Fidelity (802.11b)

Cybersecurity & Consumer Data: What's at Risk for the Consumer? Subcommittee on Commerce, Trade, and Consumer Protection, November 19, 2003
Justify the Return on Security Investments to Company Stakeholders - Crafting a quantifiable business case, L Chris N Shepherd, ICCT Corp, Jan 2003
The Fundamentals of Utility IT Security: Protecting Networks, Applications and Data, Center for Business Intelligence conference - Electronic Security for the Power Industry, Omni Ambassador East Hotel, Chicago, IL, October 28-29, 2002
Information Security: Additional Actions Needed to Implement Reform Provisions, by Robert Dacey, director, information management -- security, before the Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations, House Committee on Government Reform. GAO-02-470T, March 6, 2002.
Testimony and Statement for the Record of Bruce Schneier, Chief Technical Officer, Counterpane Internet Security, Inc.; Hearing on Internet Security before the Subcommittee on Science, Technology, and Space of the Committee on Commerce, Science and Transportation, United States Senate, July 16, 2001
Information Security: Weak Controls Place Interior's Financial and Other Data at Risk. GAO-01-615, July 3, 2001.
CERT: The Next Generation - The Demise of the Internet's Last Objective and "Trusted" Organization, by Richard Forno, Article 2001-03 (c) 2001. All rights reserved. (article courtesy of Richard Forno), 21 April 2001
Honeynet Project Whitepapers: The Honeynet Project is a group of 30 security professionals dedicated to learning the tools, tactics, and motives of the blackhat community and sharing those lessons learned. The team collects this information on their own time with their own resources using honeypots.
New hash algorithms (SHA-256, SHA-384, and SHA-512) have been developed and will be proposed in a draft Federal Information Processing Standard (FIPS) in 2001.
The Secretary of Commerce announced NIST's selection of the Rijndael encryption algorithm, developed by Joan Daemen and Vincent Rijmen of Belgium, to propose as the Advanced Encryption Standard [October 2, 2000].
Subcommittee Issues First Report Card on Computer Security: the details of the shocking report on computer security at Federal departments and agencies published by the Subcommittee on Government Management, Information and Technology on September 11, 2000. Some critics have again asked for the creation of a new position: a government Information Chief, responsible for the overall management of Federal Computer Security.
2000 Information Security Industry Survey [542K] by Information Security Magazine (ICSA.net). 'Security budgets are way up. So are security breaches. As the challenges multiply, the 2000 Information Security Industry Survey explores how to maintain your focus.' [offsite, published September 2000]
Ethics in Military and Civilian Software Development (Long Form) by Sam Nitzberg was awarded 2nd place in the Ft. Monmouth chapter of the Armed Forces Communications Electronics Association (AFCEA) technical call for papers competition, June 1999, Gibbs Hall, Ft. Monmouth. A short form of this paper was presented and published in Ethicomp '99, LUISS, University of Rome, Italy.
GAO: Computer Attacks at the Department of Defense Pose Increasing Risks, GAO/AIMD-96-84. 1998
Computer Viruses in Unix Networks, by Peter Radatti
The Plausibility of UNIX Virus Attacks, by Peter Radatti


Information & Computer Security Links
For more links visit our new link directory.

Academic
UK
Information Security Group at the Department of Mathematics, Royal Holloway, University of London. 'This Group offers an active research environment with ten established academic posts and a large number of research students, making it one of the largest academic security groups in the world.'
USA
The following 14 research centres have been designated by the NSA as Centers of Excellence in Information Assurance under the Centers of Excellence Program:

Companies & Organisations
7Pillars Partners is a professional military and intelligence advisory firm. It focuses on intelligence services (outsourcing, briefings, training), information security and assurance (defensive strategies and tactics, design methods, implementation services), and information operations and IWAR (defensive and offensive information and infrastructural operations).
CERT® Coordination Center: 'The CERT® Coordination Center (CERT/CC) is a center of Internet security expertise. It is located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.'
Computer Crime Consultants: 'Computer Crime Consultants Ltd. (CCC), as the name suggests, is a firm of specialists who offer services in IT security and in combating computer crime. CCC is an independent company and has no commercial agreements with suppliers of either software or hardware products. It derives its income from the supply of confidential consultancy services in the areas of IT Security, Investigations and Information Services.'
CyberSoft, Inc.: a computer security software manufacturer whose products are sold to governments and large international corporations.
Computer Security Institute: '(CSI) is the world's leading membership organization specifically dedicated to serving and training the information, computer and network security professional. Since 1974, CSI has been providing education and aggressively advocating the critical importance of protecting information assets.'
Forum of Incident Response and Security Teams (FIRST)
Fred Cohen & Associates: 'Innovation, insight, and objectivity have been the hallmarks of Fred Cohen & Associates over the last 20 years. From education, to research, to consulting, they bring their clients the highest quality, the most advanced thinking, and the best strategic analysis available today.'
Gamma Secure Systems Limited 'is a leading Information Security consultancy, famous for its innovative information security solutions. We helped to write the ITSEC and ISO/IEC 17799 (formerly BS7799), and have helped our clients to develop a greater understanding of security policy, risk analysis and trust. We are now engaged in helping our clients to project the trustworthiness of their own services to their respective markets.'
Navmar Applied Sciences Corporation: 'Professional Engineering Services firm, has assisted clients over the past 20 years in meeting the challenges of an ever changing national/international environment.'

Others
General
Argus Revolution: 'Open Security Discussion, Free B1 Trusted Operating System for non-commercial use. The Revolution is about providing a forum for open discussion of security issues.'
=CALEB15=: 'Security for Windows and Linux'
cgisecurity.com: 'A site that looks into the risks that port 80 can bring. We will be dealing with such aspects as Web Server security, cgi, asp, and various other scripting languages.'
Cyberdefenders 'provides free internet security tips and techniques aimed at the small office and home office.'
Dutch Security Information Network
Hacker Emergency Response Team 'is an international non-profit organization based in France. Exactly like CERT, the US counterpart, the first goal is to provide accurate information about computer security vulnerabilities, provide incident response services to sites that have been the victims of attacks, publish security alerts and find new vulnerabilities.'
Help Net Security 'has been online since 1998. The content of the site is the following: security news, vulnerabilities, press releases, a large download section, articles, a well-stocked bookstore, an extensive viruses section, a weekly newsletter, and much more. The site is also WAP enabled.'
Info.sec.radio broadcast: 'This week's Info.sec.radio broadcast features the latest news from the world of computer and information security and the latest vulnerabilities'
IT Security Cookbook: 'This book is intended as a 'self help' guide to computer & network security, primarily for security managers, programmers and system administrators.'
Infowarrior.org: the web site of the authors of The Art of Information Warfare
The Information Technology Professional's Resource Center: 'ITPRC was created in March of 1999 to provide a one-stop-shop for IT professionals to find technical information relating to data networking. In addition to providing links to a vast collection of networking related information available on the Internet, the ITPRC provides links to career management information and forums for IT professionals to interact.'
Lucid Empires: an Australian website 'designed to inform and educate people in Australia that have a particular interest in privacy, security and freedom of speech.'
Nightbird: a French InfoSecurity site: 'Database of exploits translated into French. News, tools and documentation on security. Updated daily.'
Packet Storm: 'Packet Storm Security is the world's largest collection of open source security tools, advisories, exploits, scanners, and new security information.'
Radiusnet: 'Radiusnet is a site that deals mainly with Cryptology, we have the largest known archive. We also carry all the infamous RFC documents along with the infamous Rainbow Books in 4 different formats.'
The Rijndael Page: the homepage of Vincent Rijmen, the designer of the Rijndael block cipher.
Sam Nitzberg's Security and Home Page: 'This is the web page of Sam Nitzberg, an American computer security expert who has published and chaired panels internationally on the subjects of various aspects of computer security, as well as computer ethics and information warfare. The conferences he has presented in have included venues focusing on Technology and Society, Computers and Ethics, Hacker Interests, and Military Informatics. Present on this web site are Sam Nitzberg's published works, and other items of both general and security interest.'
secureroot
Secured: the trojan removal help site 'dedicated to helping those that have been infected and hacked by trojan hackers. We have detailed information on over 150 remote access trojans, plus a huge files archive full of protection programs. This is New Zealand's largest net security site.'
SecurityFocus: 'SecurityFocus.com is designed to facilitate discussion on security related topics, create security awareness, and to provide the Internet's largest and most comprehensive database of security knowledge and resources to the public. It also hosts the BUGTRAQ mailing list.'
SecurityPortal 'currently serves as the voice of security with its widely distributed e-newsletter and website with thousands of pages of security information.'
Talisker's Intrusion Detection Systems: 'This independent site lists every known commercial Intrusion Detection System, plus a few other seasoned campaigners; it is aimed at those within the fascinating IDS field, allowing them to scope the extensive product range available to them.'
TECS: The Encyclopedia of Computer Security 'comprising full News coverage, a comprehensive Product database, a detailed Glossary, a wide-ranging Links library, an extensive Whitepapers archive and much more - all updated daily.'
Vmyths.com (formerly the Computer Virus Myths home page): 'Learn about computer virus myths, hoaxes, urban legends, and the implications if you believe in them. You can also search a list of computer virus hoaxes from A to Z.'
X Corps Security: a site devoted to Computer Security
Italian Resources
Securityinfos: 'the first Italian Computer Security resource'
GardaWeb - Security Advisor

Government
Canada
Communications Security Establishment '(CSE) is a federal government lead agency that delivers Information Technology Security (ITS) solutions to the government of Canada.'
Japan
Information-Technology Security Center (ISEC) 'is the center for promoting information security in Japan. It was established on January 1, 1997 as a department of the IPA. The IPA is an affiliated organization of the Ministry of International Trade and Industry (MITI).'
United Kingdom
Communications-Electronics Security Group: 'CESG is the Communications-Electronics Security Group, part of the United Kingdom Civil Service, tasked with looking after the technical aspects of keeping official IT and communications systems safe from compromise.'
ITSEC Scheme: 'Under the UK ITSEC scheme, the security features of IT systems and products are tested independently of suppliers to identify logical vulnerabilities. This type of testing is known as security evaluation and it is carried out against standardised criteria to a formalised methodology.'
United States
Computer Incident Advisory Capability 'provides on-call technical assistance and information to Department of Energy (DOE) sites faced with computer security incidents. This central incident handling capability is one component of an all-encompassing service provided to the DOE community. The other services CIAC provides are: awareness, training, and education; trend, threat, vulnerability data collection and analysis; and technology watch.'
Computer Security Resource Center: this site contains information about a variety of computer security issues, products, and research of concern to Federal agencies, industry, and users. This site is operated and maintained by NIST's Computer Security Division as a service to the computer security and IT community.
The Federal Computer Incident Response Center (FedCIRC) 'is the central coordination and analysis facility dealing with computer security related issues affecting the civilian agencies and departments of the Federal Government.'