business, having the right information at the right time can make
the difference between profit and loss, success and failure.'
Confidentiality: protecting information from unauthorised
Integrity: protecting information from unauthorised modifications,
and ensuring that information is accurate and complete;
Availability: ensuring information is available when needed;
three pillars of Information Security.
to Selecting Information Security Products,
NIST, October 2003
Guide to Information Technology Security Services
NIST, October 2003
Agency Security Practices (FASP) effort
was initiated as a result of the success of the Federal
CIO Council’s Federal Best Security Practices
(BSP) pilot effort to identify, evaluate, and disseminate
best practices for CIP and security. 2003 -2000
Computer Security Course (LV 142 A), (Courtesy
of Mark Burgess)
Executive Guide Information Security Management Learning
From Leading Organizations,
GAO/AIMD-98-68 Information Security Management, May
on The Use Of Biometrics To Improve
Aviation Security, Subcommittee
on Aviation, House
Committee on Transportation and Infrastructure,
Security: Challenges in Using Biometrics,
Keith A. Rhodes, chief technologist, before the
Subcommittee on Technology, Information Policy,
Intergovernmental Relations, and the Census,
House Committee on Government
Reform. GAO-03-1137T, September 9, 2003.
Identifiers and the Modern Face of Terror: New
Technologies in the Global War on Terrorism", Hearing
before the Senate Judiciary Committee Subcommittee
on Technology, Terrorism and Government Information,
Wednesday, November 14th, 2001
Continuity Planning - A safety net for businesses, Infocon Magazine Issue One, October 2003
Planning Interview with David Spinks, EDS, Infocon Magazine Issue One, October
Encryption & Passwords
and Remaining Challenges to Adoption of Public Key
Infrastructure Technology [ 742K] is the title
of US General Accounting Office Computer Security
Reports published in February 2001. The report concludes
that the US government will have to implement a PKI structure
in order to realise its e-government initiative. (Currently
US e-government initiatives are hindered by the fact
that many government agencies use different encryption
systems. A PKI might be a solution, but it will be
expensive and difficult to realise due to the sheer
size of the US government.)
Selecting Good Passwords The US Center for Information
Technology, National Institutes of Health advice on
how to choose passwords which are not easy to guess
National Cryptologic Strategy for the 21st Century
NSA: 'These pages outline the National Security Agency/Central
Security Service's strategic plan for the 21st century,
and how we intend to achieve our goal: information
superiority for America.'
of Service Attacks
DDoS - 15 Preventive Measures by the 'Bundesamt
für Sicherheit in der Informationstechnik'
of Scans and DDoS Attacks - Executive Summary
by the FBI NIPC May 2001
Tactics for DDOS Attacks FedCIRC
Distributed Denial of Service US Department of
Energy Report published in February 2000.
Special Publication 800-41, Guidelines on Firewalls
and Firewall Policy [1.2 MB]. This document contains
an overview of recent developments in firewall technology,
and guidance on configuring firewall environments.
It discusses firewall access control, active content
filtering, DMZs, and co-location with VPNs, web and
email servers, and intrusion detection. It contains
guidance on developing firewall policy and recommendations
for administering firewalls. Lastly, it contains several
appendices with links to other firewall-related resources
and recommendations for configuring and operating
SP 800-72 Guidelines on PDA Forensics [1.2
MB] November 2004
to the Internet Securely; Protecting Home Networks
This paper discusses problems and solutions related
to protection of home computers from attacks on those
computers via the network connection. (Released 1/08/03)
Your Home Computer by the Information Warfare
Division Chief (or Branch Chief) of the Joint Command,
Control and Information Warfare School at the Joint
Forces Staff College. It includes best practices
and personal recommendations.
Capital: Attracting and Retaining a High-Quality Information
Technology Workforce, testimony by David L. McClure,
director, information technology management issues,
before the Subcommittee on Technology and Procurement
Policy, House Committee on Government Reform. GAO-02-113T,
- Intrusion Detection Systems
Inter-agency Report (NISTIR) 7007: An Overview of
Issues in Testing
Intrusion Detection Systems. While intrusion detection systems are becoming ubiquitous
in today's networks, currently we have no comprehensive, rigorous methodology to test
the effectiveness of these systems. This paper explores the types of performance
measurements that are desired and that have been used in the past. We review many past
evaluations that have been designed to assess these metrics. We also discuss the hurdles
that have blocked successful measurements in this area and present suggestions for
research directed toward improving our measurement capabilities, June 2003
800-31 Intrusion Detection Systems (IDS), [850
KB] August 2001 (NIST Computer Security Special Publications)
Information Assurance Awareness Posters, Keesler
Air Force Base, 2004
Special Publication 800-50, Building
an Information Technology Security Awareness and
October, 2003 (previous drafts)
Security, Awareness, Training and Education improves
awareness of the need to protect system resources
as well as develops skills and knowledge
so computer users can perform their jobs more securely
and build in-depth knowledge. Awareness. 2000 - 2003
Engineering Security Awareness Series, © Melissa
Security Awareness Version 1.0 14 April, 2000 (© Treasury
Board of Canada Secretariat 2000) Prepared by:
Bruce Hunter, BEng, MEng, Government of Canada
PKI Secretariat, Chief Information Officer Branch,
Treasury Board of Canada Secretariat
Measuring the Effectiveness of Security using ISO 27001, Steve Wright, July, 2006
IT Baseline Protection Manual Standard security safeguards by
the 'Bundesamt für Sicherheit in
der Informationstechnik' 
How it Works (courtesy of Gamma Secure Systems
Security Standard for Information Technology (TSSIT) A
Canadian IT security guideline,
which is similar to BS 7799 and available
for free [August 1997, © Copyright
2000. Royal Canadian Mounted Police]
The Rainbow Series including the Orange
Book (Trusted Computer System, Evaluation Criteria)
DOD standard 5200.28-STD, December 1985, which characterises
secure computing architectures and defines levels
A1 (most secure) through D (least).
'During the 1980s, the United Kingdom, Germany, France
and the Netherlands produced versions of their own
national criteria. These were harmonised and published
as the Information Technology Security Evaluation
Criteria (ITSEC). The current issue, Version 1.2,
was published by the European Commission in June 1991.
In September 1993, it was followed by the IT Security
Evaluation Manual (ITSEM) which specifies the methodology
to be followed when carrying out ITSEC evaluations.'
800-42 Guideline on Network Security Testing [1.6
Security: Continued Actions Needed to Improve
Federal Software Patch Management.
GAO-04-706, May 02, 2004
Information Security: Effective
Patch Management Is
Critical to Mitigating Software
by Robert F. Dacey, director,
information security, before the Subcommittee
Information Policy, Intergovernmental
Relations, and the Census, House
Committee on Government Reform. GAO-03-1138T,
800-40 Procedures for Handling Security Patches,
[3.9 MB] NIST, September 2002
White Paper "Risk Management:
An Essential guide to Protecting
Assets - November
Canadian Threat and Risk Assessment Working Guide
guidance to an individual (or
a departmental team)
carrying out a Threat and Risk
Assessment (TRA) for an existing
IT system.' (© Communications
Security Establishment 1999)
Hiding a Successful System Compromise by
Geoff Galitz, Research Computing, College of Chemistry,
UC Berkeley 2001
Act Hearing, Senate Committee on Commerce, Science, & Transportation,
Mitigation Techniques: 2004 NISCC Technical
Notes No. 02/04, March
2004 (© Crown
spam and Tracing Spam
Enrico Savazzi) The article provides a good insight
into what spam is and on how to fight it.
FAQ (1/1) or "Figuring out fake E-Mail &
Posts". Rev 20010410 'This FAQ will help
in deciphering which machine a fake e-Mail or post
came from, and who (generally or specifically) you
Spyware: What You Don't Know Can Hurt You,
Subcommittee on Commerce,
Trade, and Consumer Protection,
April 29, 2004
US Senate Committee on Commerce, Science & Transportation, March
Viruses & Worms
Viruses: The Disease, the Detection, and the
Prescription for Protection,
Subcommittee on Telecommunications and the Internet,
November 6, 2003
and Virus Defense:
How Can We Protect Our Nation's
Computers From These
on Government Reform, Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census
September 10, 2003
Can be Done to
Reduce the Threats Posed by Computer
Viruses and Worms
to the Workings of Government?"
the Subcommittee on Government Efficiency, Financial
Management, and Intergovernmental Relations, House
Committee on Government Reform. August 29, 2001.
Security: Code Red, Code Red II, and SirCam Attacks
Highlight Need for Proactive Measures, by Keith
Rhodes, chief technologist, before the Subcommittee
on Government Efficiency, Financial Management, and
Intergovernmental Relations, House Committee on Government
Reform. GAO-01-1073T, August 29, 2001.
The Potential for Very Fast Internet Plagues by
Nicholas C Weaver, August 2001
VIRUS-L/comp.virus Frequently Asked Questions (FAQ)
v2.00 ' This posting contains a list of Frequently
Asked Questions, and their answers, about computer
800-48 Wireless Network Security: 802.11, Bluetooth,
and Handheld Devices [1 MB] NIST November 2002
Best Practices for Wireless Fidelity (802.11b)
Cybersecurity & Consumer Data: What's at Risk
for the Consumer? Subcommittee on Commerce, Trade, and Consumer Protection
November 19, 2003
the Return on Security Investments to Company Stakeholders
- Crafting a quantifiable business case, L Chris
N Shepherd, ICCT Corp Jan, 2003
The Fundamentals of Utility IT Security: Protecting
Networks, Applications and Data. Center for Business
Intelligence conference - Electronic Security for the
Power Industry, Omni Ambassador East Hotel, Chicago, IL,
October 28-29, 2002
Security: Additional Actions Needed to Implement Reform
Provisions, by Robert Dacey, director, information
management -- security, before the Subcommittee on
Government Efficiency, Financial Management, and Intergovernmental
Relations, House Committee on Government Reform. GAO-02-470T,
March 6, 2002.
and Statement for the Record of Bruce Schneier,
Chief Technical Officer, Counterpane Internet Security,
Inc.; Hearing on Internet Security before the Subcommittee
on Science, Technology, and Space of the Committee
on Commerce, Science and Transportation, United States
Senate, July 16, 2001
Security: Weak Controls Place Interior's Financial
and Other Data at Risk. GAO-01-615, July 3, 2001.
The Next Generation
Demise of the Internet's Last Objective and "Trusted" Organization
by Richard Forno, Article 2001-03 (c) 2001. All rights
reserved. (article courtesy of Richard
Forno), 21 April 2001
Project Whitepapers The honeynet project is a
group of 30 security professionals dedicated to learning
the tools, tactics, and motives of the blackhat community
and sharing those lessons learned. The team collects
this information on their own time with their own
resources using honeypots.
hash algorithms (SHA-256, SHA-384, and SHA-512) have
been developed and will be proposed in a draft Federal
Information Processing Standard (FIPS) in 2001.
The Secretary of Commerce announced NIST's selection
of the Rijndael
encryption algorithm, developed by Joan Daemen
and Vincent Rijmen of Belgium, to propose as the Advanced
Encryption Standard [October 2, 2000] .
Issues First Report Card on Computer Security The
details of the shocking report of the computer security
at Federal departments and agencies published by the
Subcommittee on Government Management, Information
and Technology on September 11, 2000. Some critics
have again asked for the creation of a new position:
a government Information Chief, responsible for the
overall management of Federal Computer Security.
Information Security Industry Survey [542K] by
Security Magazine (ICSA.net). 'Security budgets
are way up. So are security breaches. As the challenges
multiply, the 2000 Information Security Industry Survey
explores how to maintain your focus.' [offsite, published
in Military and Civilian Software Development
(Long Form) by Sam Nitzberg was awarded 2nd place
in the Ft. Monmouth chapter of the Armed Forces Communications
Electronics Association (AFCEA) technical call for
papers competition, June, 1999, Gibbs Hall, Ft. Monmouth.
A short form of this paper was presented and published
in Ethicomp '99, LUISS, University of Rome, Italy.
Computer Attacks at the Department of Defense Pose
increasing Risks, GAO -AIMD-96-84. 1998
Computer Viruses in Unix Networks by Peter
of UNIX Virus Attacks by Peter Radatti
Security News & Virus Warnings
Security Group at the Department of Mathematics, Royal Holloway,
University of London. 'This Group offers an active research environment
with ten established academic posts and a large number of research students,
making it one of the largest academic security groups in the world.'
The following 14 research centres have been designated by the NSA
as Centers of Excellence in Information Assurance under the Centers
of Excellence Program:
Companies & Organisations
Partners is a professional military and intelligence advisory firm.
It focuses on Intelligence services: outsourcing, briefings, training
Information security and assurance: defensive strategies and tactics,
design methods, implementation services Information operations and IWAR:
defensive and offensive information and infrastructural operations.
'The CERT® Coordination Center (CERT/CC) is a center of Internet security
expertise. It is located at the Software Engineering Institute, a federally
funded research and development center operated by Carnegie Mellon University.'
Consultants 'Computer Crime Consultants Ltd. (CCC), as the name
suggests, is a firm of specialists who offer services in IT security
and in combating computer crime. CCC
is an independent company and has no commercial agreements with suppliers
of either software or hardware products. It derives its income from
the supply of confidential consultancy services in the areas of IT Security,
Investigations and Information Services.'
computer security software manufacturer whose products are sold to governments
and large international corporations...
Computer Security Institute
'(CSI) is the world's leading membership organization specifically dedicated
to serving and training the information, computer and network security
professional. Since 1974, CSI has been providing education and aggressively
advocating the critical importance of protecting information assets.'
Forum of Incident Response and Security
Cohen & Associates 'Innovation,
insight, and objectivity have been the hallmarks of Fred Cohen &
Associates over the last 20 years. From education, to research, to consulting,
they bring their clients the highest quality, the most advanced thinking,
and the best strategic analysis available today.'
Secure Systems Limited 'is a leading Information Security consultancy,
famous for its innovative information security solutions. We helped
to write the ITSEC and ISO/IEC 17799 (formerly BS7799), and have helped
our clients to develop a greater understanding of security policy, risk
analysis and trust. We are now engaged in helping our clients to project
the trustworthiness of their own services to their respective markets.'
Applied Sciences Corporation 'Professional Engineering Services
firm, has assisted clients over the past 20 years in meeting the challenges
of an ever changing national/international environment.'
'Open Security Discussion, Free B1 Trusted Operating System for non-commercial
use. The Revolution is about providing a forum for open discussion of
'Security for Windows
'A site that looks into the risks that port 80 can bring. We will be
dealing with such aspects as Web Server security, cgi, asp, and various
other scripting languages.'
'provides free internet security tips and techniques aimed at the small
office and home office.'
Dutch Security Information
Hacker Emergency Response Team
'is an international non-profit organization based in France. Exactly
like CERT, the US counterpart, the first goal is to provide accurate
information about computer security vulnerabilities, provide incident
response services to sites that have been the victims of attacks, publish
security alerts and find new vulnerabilities.'
'has been online since 1998. The content of the site is the following:
security news, vulnerabilities, press releases, a large download section,
articles, a well-stocked bookstore, an extensive viruses section, a
weekly newsletter, and much more. The site is also WAP enabled.'
broadcast 'This week's Info.sec.radio broadcast
features the latest news from the world of computer and information
security and the latest vulnerabilities'
IT Security Cookbook 'This book is intended as a 'self help' guide
to computer & network security, primarily for security managers, programmers
and system administrators.'
The web site of the authors of the Art of Information Warfare
Information Technology Professional's Resource Center
'ITPRC was created in March of 1999 to provide a one-stop-shop for IT
professionals to find technical information relating to data networking.
In addition to providing links to a vast collection of networking related
information available on the Internet, the ITPRC provides links to career
management information and forums for IT professionals to interact.'
an Australian website 'designed to inform and educate people in Australia
that have a particular interest in privacy, security and freedom of
a French InfoSecurity Site: 'Database of exploits translated into
French. News, tools and documentation on security. Updated
'Packet Storm Security is the world's largest collection of open source
security tools, advisories, exploits, scanners, and new security information.'
is a site that deals mainly with Cryptology, we have the largest known
archive. We also carry all the infamous RFC documents along with the
infamous Rainbow Books in 4 different formats.'
Rijndael Page The homepage of Vincent Rijmen, the designer of the
rijndael block cipher:
Sam Nitzberg's Security
and Home Page 'This is the web page of Sam Nitzberg, an American
computer security expert who has published and chaired panels internationally
on the subjects of various aspects of computer security, as well as
computer ethics and information warfare. The conferences he has presented
in have included venues focusing on Technology and Society, Computers
and Ethics, Hacker Interests, and Military Informatics. Present on this
web site are Sam Nitzberg's published works, and other items of both
general and security interest.'
the trojan removal help site 'dedicated to helping those that have
been infected and hacked by trojan hackers. We have detailed information
on over 150 remote access trojans, plus a huge files archive full
of protection programs. This is New Zealand's largest net security site.'
'SecurityFocus.com is designed to facilitate discussion on security
related topics, create security awareness, and to provide the Internet's
largest and most comprehensive database of security knowledge and resources
to the public. It also hosts the BUGTRAQ mailing list.'
serves as the voice of security with its widely distributed e-newsletter
and website with thousands of pages of security information.'
Intrusion Detection Systems 'This independent site lists every known
commercial Intrusion Detection System, plus a few other seasoned campaigners,
it is aimed at those within the fascinating IDS field, allowing them
to scope the extensive product range available to them.'
The Encyclopedia of Computer Security 'comprising full News coverage,
a comprehensive Product database, a detailed Glossary, a wide-ranging
Links library, an extensive Whitepapers archive and much more - all
'formerly the Computer Virus Myths home page Learn about computer virus
myths, hoaxes, urban legends, and the implications if you believe in
them. You can also search a list of computer virus hoaxes from A to
X Corps Security
a site devoted to Computer Security
'the leading Italian Computer Security resource'
GardaWeb - Security
| United Kingdom
Security Establishment '(CSE) is a federal government lead agency
that delivers Information Technology Security (ITS) solutions to the
government of Canada.'
Security Center (ISEC) 'is the center for promoting information
security in Japan. It was established on January 1, 1997 as a department
of the IPA. The IPA is an affiliated organization of the Ministry of
International Trade and Industry (MITI). '
Group 'CESG is the Communications-Electronics Security Group, part
of the United Kingdom Civil Service, tasked with looking after the technical
aspects of keeping official IT and communications systems safe from
'Under the UK ITSEC scheme, the security features of IT systems and
products are tested independently of suppliers to identify logical vulnerabilities.
This type of testing is known as security evaluation and it is carried
out against standardised criteria to a formalised methodology.'
Computer Incident Advisory Capability
'provides on-call technical assistance and information to Department
of Energy (DOE) sites faced with computer security incidents. This central
incident handling capability is one component of an all-encompassing service
provided to the DOE community. The other services CIAC provides are:
awareness, training, and education; trend, threat, vulnerability data
collection and analysis; and technology watch.'
Computer Security Resource Center This site contains information
about a variety of computer security issues, products, and research
of concern to Federal agencies, industry, and users. This site is operated
and maintained by NIST's Computer Security Division as a service to
the computer security and IT community
The Federal Computer Incident Response
Center (FedCIRC) 'is the central coordination and analysis facility
dealing with computer security related issues affecting the civilian
agencies and departments of the Federal Government.'
Operations Squadron 'Established in 1992, the mission of the AFCERT
is to provide information protection (IP) assistance to Air Force units.
The AFCERT conducts operations involving intrusion detection, incident
response, computer security information assistance, and vulnerability
assessment of Air Force automated information systems. The AFCERT also
provides decision support to the Air Staff, Defense Information Systems
Agency, and Air Force Office of Special Investigations, and guidance
on policies and procedures to other government agencies.'
Information Systems Security Organization
(NSA) 'NSA/CSS provides the Solutions, Products and Services, and
conducts Defensive Information Operations, to achieve Information Assurance
for information infrastructures critical to U.S. National Security interests.'
Computer Security Center
'(NCSC) of the National Security Agency is the world leader in information
systems security standards and solutions. Working in partnership with
industry, academic institutions, and other U.S. government agencies,
including the National Institute of Standards and Technology (NIST),
the NCSC initiates needed research and develops and publishes standards
and criteria for trusted information systems.'
NIST's Computer Security Resource Center 'This site contains information
about a variety of computer security issues, products, and research
of concern to Federal agencies, industry, and users.'
The IWS INFOCON Centre mailing
list is devoted to the discussion
of cyberthreats and all aspects of information operations, including
offensive and defensive information warfare, information assurance,
psychological operations, electronic warfare, ....
News is a privately run, medium traffic list that caters to distribution
of information security news articles. These articles will come from
newspapers, magazines, online resources, and more. '
Internet Security Conference Newsletter
(TISC Insight) has been designed to be a resource for security professionals.
13 February, 2011
by Wanja Eric Naef
IWS Copyright © 2000 - 2011