Security Education is Simple as U-R-L
Hundreds of Web sites offer information on intranet/Internet security
Systems integrators called on to plan and implement intranet/Internet security often face the added and unexpected task of educating the customer. This is not just a training exercise; it can be an efficient and effective way to get the client, the one funding the project, involved in the decision process.
If you want to jump-start the effort, as an SI, you can point customers to the Internet, which today represents the best repository for quick turnaround data and information, a source of checklists, case studies and product literature. Then the real question becomes gathering timely, relevant, accurate and quality information from the more than 50 million Web documents. Here are descriptions of several sites with URLs, or Uniform Resource Locators, that you can pass to customers to bring them up to speed on systems security issues.
1. National Institute of Standards and Technology's Computer Security Resource Clearinghouse (http://csrc.nist.gov/)
The closest thing to a one-stop shop Web site for security information is NIST's CSRC. (Surprisingly, the World Wide Web Virtual Library http://www.w3.org/pub/ DataSources/bySubject/Overview2.html lacks a category, Security.) Links on the page worth noting are the Forum of Incident Response and Security Teams (http://www. first.org/) and the Revised OMB Circular A-130 (http://csrc.nist.gov/secplcy/a130.txt). FIRST is an international consortium of computer incident response and security teams working to handle computer security incidents.
The OMB Circular describes the uniform governmentwide information resources management policies. You also find at CSRC links to newsletters, organizations, patches, policy, publications, technologies, tools, training and viruses.
2. Internet Engineering Task Force
(http://www.ietf.org/html.charters/wg-dir.html The IETF, as noted on its World Wide Web home page, is the protocol engineering and development arm of the Internet. A global community of network designers, operators, vendors and researchers interested in the evolution of the Internet architecture and the operation of the Internet, IETF is open to anyone. Its technical work is done through working groups, organized by topic. For Security, the area director is Jeffrey Schiller (firstname.lastname@example.org); the different working groups under Security are:
- Authenticated Firewall Traversal (http://www.ietf.org/html.charters/aft-charter.html)
- Common Authentication Technology
- Domain Name System Security
- IP Security Protocol (http://www.ietf.org/html.charters/ipsec-charter.html)
- One Time Password Authentication
- Public-Key Infrastructure (X.509)
- Transport Layer Security
- Web Transaction Security
Especially helpful are the IETF Request For Comments documents, known as RFCs (http://www.internic.net/ds/dspg1intdoc.html). Searching the RFC index on the key word, "security," yields a number of valuable ASCII files, including "Site Security Handbook," RFC1244 (http://www.internic.net/ rfc/rfc1244.txt), edited by P. Holbrook and J. Reynolds, July 1991.
3. National Computer Security Association (http://www.ncsa.com/)
A membership organization focused on tackling computer security issues, NCSA shares knowledge, distributes information and offers certification of security products. They have a number of studies and guides, including Firewall Policy Guide, a White Paper on Internet Commerce and a Virus Study.
Also worth exploring is their Certified Secure Web Site Certification Program, first announced Aug. 1.
4. Computer Incident Advisory Capability (http://ciac.llnl.gov/)
For SIs doing federal government work, a strong Web site to review is CIAC, part of the U.S. Department of Energy. Set up in 1989 (in the wake of the infamous Cornell or Internet Worm released on Nov. 2, 1988; for history, see "The Helminthiasis of the Internet," RFC1135, http://www.internic.net/ rfc/rfc1135.txt), CIAC offers computer security services to DOE employees and contractors. The group maintains two mailing lists: CIAC-Bulletin, which carries "time-critical" computer security information; and CIAC-Notes, a collection of "less urgent" computer security information. You can subscribe by completing a form on their Web site (http://ciac.llnl.gov/ciac/CIACMailingLists.html).
5. The World Wide Web Consortium (http://www.w3.org/)
An industry consortium that promotes standards to guide the orderly evolution of the Web, the vendor-neutral W3C supports interoperability through specifications and reference software. Given the overwhelming popularity of the Web both on the Internet and with intranets, this site is required reading, as well as a rich resource for SIs. Specific information on security (http://www.w3.org/ pub/ WWW/Security/) covers the Web, Web transactions, electronic commerce, systems with security, general security and cryptography, and key organizations working on Web security.
6. CERT Coordination Center (http://www.cert.org/)
The CERT center, located at the Software Engineering Institute of Carnegie Mellon University in Pittsburgh, was formed in 1988. Its purpose is "to serve as a focal point for the computer security concerns of Internet users," according to its home page. Among the links worth pursuing on the site are those under the category, CERT Security Information, that is, CERT Advisories (ftp://info. cert.org/pub/ cert_advisories/) and CERT FTP Archives (ftp://info.cert. org/pub/). Dig deep enough (ftp://info. cert.org/pub/tech_tips/security_tools) and you eventually find, "List of Security Tools," a text file that describes tools to help secure a system and prevent break-ins.
7. Discussion Groups (http://www.liszt.com/)
Few substitutes for gathering trustworthy information can be found than by talking to colleagues. One of the Net ways to do that is through discussion groups. To uncover e-mail discussion groups on security, connect to Liszt, which now lists 55,501 different ones from 1,817 sites. The simple search using the key word, "security," yielded 74 matches. Refining the search to "computer security" gave three matches: csrs-l, Computer Security Representatives; nu-cert, Northwestern University Computer Security Issues; and security-managers, Computer Security Managers. "Network security" also produced three matches: jhu-net-security, Johns Hopkins University Network Security Working Group; netsec-camb, Network Security (Cambridge); and security, System and Network Security Alert. Using Scott Southwick's own index, you find five links covering firewalls and UNIX security holes.
While Web sites allow the multimedia array to come across in all their fervor and flavor, for timely information and popular opinion, the newsgroups are a unique resource. Looking at a listing of more than 17,500 Usenet newsgroups, 45 appear when using the key word, "security." The key ones, however, for computer users include alt.security, alt.security.index, alt.security.pgp, cern.security.unix, comp.lang.java.security, comp.os.netware.security, comp.security.announce, comp.security.firewalls, comp.security.misc, comp.security.unix and sun. security.digest. The names are fairly self-evident, with comp. standing for the mainstream category, computer. Thus, comp.security. unix covers issues of UNIX security. SIs should forewarn their clients to adjust their mental filters because the ravings of the highly opinionated line up alongside the reasoned judgments of experts.