Our tax dollars at work...or is it tax dollars from our work? Regardless, you can save budgetary resources by outsourcing security training to our government. A curriculum of free web based training from the Department of Defense (DoD) concentrates on Information assurance (IA), although covers a wide range of security topics.
As security professionals, implementing principles of IA is almost reflexive in nature, although it has become one of those amorphously defined terms. Other than consistency with the CIA (confidentiality, integrity, availability) triad core, most comprehensive definitions vary considerably among sources. Maintaining my policy of providing vague, yet all encompassing definitions, I usually refer to IA as--assuring appropriate levels of all forms of security across processes involving information, or when lazy, just "assurance of information."
If unfamiliar with the intricacies of IA, know that it's an umbrella term that includes corporate governance issues such as privacy, authenticity, authorization, compliance, audits, business continuity, disaster recovery, and emphasizes areas of strategic risk management. Obviously, these are all relevant issues for our government's information resources.
The Technology Training Corporation's conference on Cyber Security, co-sponsored by the American Institute of Engineers, is scheduled to take place in Washington, DC on March 12th & 13th. Navigation from the conference's main page (see previous sentence for link), to the "about the conference" page, presents the following significantly statistic (although, not necessarily statistically significant) paragraph:
"Last year, the Department of Defense suffered an estimated 80,000 network attacks. On government networks alone, a new software vulnerability is exploited every 82 minutes. Meanwhile, attacks on US federal agencies' computer systems are increasing at alarming rates. Furthermore, utilities are being hit by an estimated 500 to 1000 attacks from hackers and malicious code every year. The financial and economic impact of a one day cyber sabotage effort that disrupts US credit and debit card transactions is estimated at being about $35 billion USD. For 2009, the national cyber budget will exceed $6 billion USD. Given our ever-increasing reliance on digital connectivity, it is imperative that the US directly engages these threats in order to avert potential catastrophe."
I haven't personally fact checked these numbers, but I think they're trying to convey that national cyber security is an issue of concern.
The DoD sponsored, Information Assurance Support Environment, claiming to be your "One-Stop-Shop" for IA information, offers slew of online IA training. Unfortunately, those without CAC (common access card) PKI authentication will be ineligible for a few of the presentations, however, I encourage you to watch, bookmark, and pass along the rest, provided in the following links.
Main starting page for IA Education, Training and Awareness
Information Systems Security Awareness - This provides an interactive course which is a scenario-based exercise in security awareness. Navigating through a "typical US government" building, you are presented with comically obvious informational situations, requiring responses in the form of multiple choice questions. My personal favorites are Miguel's enticing offer to hang out in his cubicle for some P2P file sharing and Alex's bank informing him that 10 years worth of savings have disappeared from his account.
Some other free video training courses include:
A site called Information Assurance Awareness Shorts provides further training of:
Insider Threat: about the insider threat and their devious behaviors.
Telework: introduces the basic concept of working on teles.
Wireless Security: reveals the latest wireless threats from 2004 and shows you how to protect your network using WEP.
Passwords: introduces the concept of passwords and provides you with the six federally approved ones to choose from.
Peer-to-Peer: explains P2P threats within the DoD, but mentions nothing about their palindromic similarities
Social Engineering: explains what social engineering is, and how it differs from software and networking engineering
Information Assurance for Professionals Shorts
This course offers specific information related to the topics listed below.
IA Roles and Responsibilities introduces the Information Assurance hierarchy, including the roles and responsibilities of key leadership positions as well as the responsibilities of all Authorized Users.
Auditing Logs for IA Managers introduces the auditing responsibilities of IA Managers. It describes the audit log and event information displayed by the system's auditing software.
Security Technical Implementation Guides (STIGs) introduces the purpose and uses of STIGs.
SCADA describes how Supervisory Control and Data Acquisition systems function and significant cyber-security issues associated with DoD SCADA systems.
FISMA explains what the FISMA is, why it is important, how it is implemented within the Federal government and the DoD, and identifies where to obtain guidance for FISMA responsibilities.
IA Vulnerability Management describes the vulnerability management process in DoD and the tools that support the process.
The DoD IA Workforce Improvement Plan (WIP) presents an overview of the IA Workforce Improvement Program, defines the DoD IA workforce, and outlines the IA workforce training and certification requirements.
The Zero Day Attack provides an introduction to the steps an IA professional needs to follow if they suspect that their system has been compromised by an attack which otherwise is unknown to the IA technical community (aka Zero Day Attack).
These review vulnerabilities which have been around for some time, and which are commonly overlooked in the press of new technology and new threats. Each subject briefly covers the nature of the problem and its general resolution
The subjects are:
Overall, some good information is provided. As an added bonus, completion of each course provides you with a genuine certificate of completion, with the DoD logo, ready for framing and impressing coworkers.
As a follow up to their software training, I had submitted a formal inquiry to the DoD, requesting free public training with some of their hardware. Unfortunately, when asking specifically about the use of an F-22 Raptor, your IP address is logged, you get to have a long talk with your supervisor, and your security clearance is suspended. I'm still waiting for an answer about the AH-64 Apache.
I'll be in the stockade, but can still be reached at:
With 20+ years of industry experience, Noah Schiffman is a former black-hat hacker turned security consultant. Coding at an early age, he developed one of the early text/graphic editing applications and started his first software company in 1980 when he was 11 years old. With the advent of networking technologies, he soon mastered the art of manipulating telco switching systems, known as "Phone Phreaking". This soon led to his career as a computer hacker, performing penetration testing, reverse engineering, cryptographic attacks, corporate espionage, digital surveillance and other ethically questionable projects.
His clients have consisted of Fortune 500 companies and various government agencies.
He has authored a number of articles for SearchSecurity.com, on topics ranging from kernel mode and metamorphic viruses to corporate data loss prevention.