Computer & Network Security

Grants

Legal stuff

Computer security & audits

Associate Degrees & Certificates

Other Higher Education Degrees

Training Programs for Industry

Other ed programs

Metrics

Simulations

Conferences

Organizations

Standards

Security sites at Institutions

Other resources

Some info about the industry

Grants
NSF Advanced Technological Education (ATE)

Legal stuff
SB 1386 "This bill, operative July 1, 2003, would require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

Companies offering products to assist compliance -- There's The SB 1386 Management Toolkit from sb-1386.com; StrongAUTH offers Template SB 1386 Procedures; TruSecure offers services, events, a ThreatScape Newsletter (free), and an upcoming (free) Webinar, December 17, 2003: IntelliShield Threat and Vulnerability.

Computer security and audits
ISSA Silicon Valley Information Systems Security Association, Silicon Valley Chapter, holds meetings on the first Wednesday of every month.

Information Security at CISCO || Cisco's Safe Blueprint

Security audit companies and services: Security Audit Shop || Linux Security Audit || ACM Special Interest Group on Security, Audit and Control (SIGSAC) || LAN Security Audit || Security Posture -- offers courseware || Symantec ||

Associate Degrees & Certificates [There are no doubt more, but these are the ones I have identified so far.]

Austin Community College (Austin, TX) offers a Certificate in Network and Server Security
Blackhawk Technical College (Janesville, WI) has a Computer and Information Systems Security Certificate. Read their description of their program (pdf file)
Canada College (Redwood City, CA) Certificate of Completion in Home Office/Small Business Computer Security
Howard Community College (Columbia, MD) offers an AA degree in network security
Southwestern Community College (Sylva, NC) offers an Associate in Cyber Crime Technology [not quite what you had in mind, but I thought it was interesting]
Springfield Technical Community College (Springfield, MA) offers an Associate Degree in Computer and IT Security
Washtenaw Community College (Ann Arbor, MI) offers two Advanced Certificates in Computer Systems Security

Other Higher Education Degrees

NSA has established a National INFOSEC Educational & Training Program under which they have designated some universities as "Centers of Academic Excellence in Information Assurance." This includes a link to the Naval Postgraduate School's Center for Information Systems Security Studies. [Since all the programs of higher education offering bachelor's or master's degrees in computer/network security are listed on the National INFOSEC Educational Web page, I did not put links to those programs on this page, except for the Naval Postgraduate School, because of its close proximity.]

NSA granted the designations following "a rigorous review of university applications against published criteria based on training standards established by the National Security Telecommunications and Information Systems Security Committee (NSTISSC)." (NOTE: this is now the Committee on National Security Systems, or CNSS). NSA's establishment of this program was "spurred by the growing demand for professionals with Information Assurance expertise in various disciplines. The Centers for Academic Excellence may become focal points for recruiting and may create a climate to encourage independent research in Information Assurance."

UC Santa Cruz Extension Certificate Program in Internet Security

Training Programs for People in the Industry

CERT's Education and Training "We offer courses for managers and technical personnel in areas such as creating and managing computer security incident response teams..." Associated with Carnegie Mellon. Classes held in Pittsburgh, PA.
GIAC Information Assurance Certification GIAC (Global Information Assurance Certification) "offers certifications that address a range of skill sets, including security essentials, intrusion detection, incident handling, firewalls and perimeter protection, operating system security, and more. GIAC is unique in the field of information security certifications by not only testing a candidate's knowledge, but also testing a candidate's ability to put that knowledge into practice in the real world. Because of GIAC's practical focus, a Gartner Group study in the spring of 2001 named GIAC "the preferred credential" for individuals who have technical security responsibilities."
Global Information Assurance Certification "The Industry Standard for Security Knowledge" GIAC certifications are developed in conjunction with the SANS Institute's core training curriculum.
Institute for Certification of Computing Professionals (ICCP). It has an Education Foundation -- "The Education Foundation is a stand alone organization of the ICCP. Its primary set of activities falls into innovation, research, education, publishing and course development, within the information and communications technologies (ICT)." Info about their Systems Security exam.
SANS (SysAdmin, Audit, Network, Security) Institute "SANS is the trusted leader in information security research, certification and education. ...The SANS Institute enables more than 156,000 security professionals, auditors, system administrators, and network administrators to share the lessons they are learning and find solutions to the challenges they face."

Others (Schools that are For-Profits, and Training Schools)

Computer Secruity Certification from various schools, e.g., American InterContinental University, Los Angeles
American InterContinental University
GlobalNet Training
ITT Techical Institute Offers Information Systems Security on-campus and online
Net Security Degrees from UAT (University of Advancing Technology): Associate or Bachelor's -- online or on campus (mailing address for UAT is Tempe, Arizona)

Metrics [If you want any of the articles excerpted below fulltext, just let me know.]
CERT's Survivability Research

Protecting yourself against cyberterrorism, by Reid Goldsborough. Office Solutions. Mt. Airy: Feb 2002. Vol. 19, Iss. 2; pg. 24, 2 pgs "In 2001, the rate of hacker attacks-attempts to gain unauthorized access to a computer system or its data-was more than double that of the previous year, according to the latest figures from CERT, the government-funded computer emergency group at Carnegie Mellon University. ... The cost is particularly high for cleaning up after attacks from viruses and worms-malicious computer code often sent through e-mail that can, at worst, destroy all the data on a computer system. The worldwide cost reached $17.1 billion in 2000, a 41 percent increase over the previous year, according to Computer Economics, an information technology research firm."

IT managers see need for risk metrics, by Jaikumar Vijayan. Computerworld. Framingham: Jun 9, 2003. Vol. 37, Iss. 23; pg. 1 "'You need to have a baseline to measure against. If you don't have any measurements, you don't know where you are,' said Gregory Waters, a senior information assurance engineer at TWM Associates Inc., an IT auditing firm in Fairfax, Va. The numbers can come from a variety of sources. For example, said Gartner, a company could collect metrics on the number of attacks it faced during a specific period, the type of attacks, the percentage of attacks that were successful, the time that elapsed between the onset of an attack and when it was first detected, and the time it took to launch countermeasures."

Metrics: Security threats in the enterprise Internet World. Cleveland: Apr 2003. Vol. 9, Iss. 4; pg. 40, 1 pg "FEBRUARY OF THIS YEAR, SYMANTEC RELEASED THE THIRD VOLUME OF ITS Internet Security Threat Report" detailing attack trends for the third and fourth quarter of 2002. The company analyzed threat data from a sample set of more than 400 companies in 30 countries. Although the report states that measured cyber attack volume (excluding worm and blended threats) was down 6 percent from the prior six-month period, cLearLy certain verticals saw a marked increase. The three verticals with the highest attack percentage increase were power and energy, financial services, and nonprofit. While power and energy and financial services are understandable as primary targets, the nonprofit sector is a little more of a mysterybeating such expected targets as e-commerce and telecommunications. Symantec notes that a possible explanation could be cyber hactivism-which the company defines as "the misuse of computers in carrying out various objectives related to activist causes." Nonprofit companies represent 6 percent of the sample set of companies used for the report. Download the Report.

Simulations
Distributed Denial of Service (DDoS) Attacks/Tools from University of Washington gathers a lot of resources together.

@Stake
lxAttack - Distributed Denial of Service Attacks Simulation (pdf format)
PolarCove has attack simulation programs, including vulnerability scanning
Sleuth9

Conferences [Conferences come & go, I know, but I thought these Web sites provided some "flavor" about the industry]

CyberSecurity 2003 co-sponsored by the San Francisco and Silicon Valley ISSA, and San Francisco Bay Area InfraGard, May 2003
Federal Information Assurance Conference at Univerisity of Maryland, 21-23 Oct. 2003.
IEEE Information Assurance Workshop Web page. Information on upcoming Information Assurance Workshop and Colloquium for Information Systems Security Education, and to materials from previous workshops, e.g., Information Assurance Pedogogy (pdf)
30th Annual Computer Security Conference & Exhibition (3-5 Nov. 2003, Washington DC)

Organizations

Computer Security Institute "Computer Security Institute is the leading international membership organization dedicated to assisting information security professionals in protecting the information assets of their organizations. Established in 1974, CSI provides a wide variety of publications and educational programs. For more information on other CSI events, publications, or membership please contact CSI at (415) 947-6320, fax (415) 947-6023, email: Robert Richardson." Available at the Institute Web site is a free 2003 CSI/FBI Computer Crime and Security Survey
Computer Security Resource Center (CSRC) at the Computer Security Division (CSD) of the Information Technology Laboratory of the National Institute of Standards and Technology (NIST). They also have a publications Web site.
Cyber Enforcement Resources, Inc. "Our mission is to support law enforcement and society by providing both extensive computer investigation assistance, and a diversity of high quality computer technology training and educational programs."
International Information Systems Security Certification Consortium, Inc. "The non-profit international leader dedicated to training, qualifying and certifying information security professionals worldwide."
National Colloquium for Information Systems Security Information -- "A Society for Advancing Information Assurance & Infrastructure Protection"
National Institute of Standards and Technology (NIST) See also Computer Security Resource Center (CSRC) (link is alphabetically above this listing)
National Security Agency (NSA) and its Information Assurance Directorate

Standards

The ISO 17799 Directory and the ISO17799 News. You can click to obtain ISO17799 on this Web page. There's even an ISO 17799 Made Easy Web site!

Security sites at educational institutions (examples) (didn't have to include these, but these particular ones seemed to provide good links for computer/network security issues)

UC Santa Cruz Information Systems Security at UCSC. Includes postings such as SANS Top 20 Internet Security Vulnerabilities (10/15/03)
CERT Coordination Center at Carnegie Mellon; includes advisories and incident notes

Other resources

Computer Security Links from George Mason University
Information and Computer Security Resources from SANS "The most trusted source for computer security training"
Information Technology Security Training Requirements: A Role- and Performance-Based Model, NIST Special Publication 800-16 (pdf format)
National Strategy to Secure Cyberspace from the White House
Towards a Taxonomy of Information Assurance posted at LinuxSecurity.com

Some info about the industry -- excerpts from some articles

Teaching tip: Utilizing simple hacking techniques to teach system security and hacker identification, by Aaron D Sanders. Journal of Information Systems Education. West Lafayette: 2003. Vol. 14, Iss. 1; pg. 5. "Crucial skills for today's Information Technology (IT) professional include the ability to secure networks and servers, and to detect, determine the source of, and correct problems. Server security is paramount in the modern information society, and news stories of high profile hacks are becoming more common. The demand for professionals with strong security skills is growing, and colleges across the nation have begun adding undergraduate and graduate programs in electronic information security. The skills and methodologies detailed in this paper are crucial for the knowledgeable student, and would fit well into a LAN or system administration class, or any other class where system security is concerned. ... The cost of creating a laboratory environment to employ hacking exercises can be minimal..."

Information assurance-train now or pay later, by Herbert A Browne. Signal. Jun 2003. Vol. 57, Iss. 10; pg. 14 "It is plain to any industry observer that traditional information security measures have centered on firewalls, secure routers, commercial 128-bit encryption and other conventional capabilities. While these measures serve an important role, depending solely on these hardware/software solutions to secure information will not enable government and industry to achieve their goal of protecting both information and the ability to exchange it freely. Technology alone is not the answer. The main ingredient in this vital discipline is the human element. And, the key aspect of that ingredient-where there is room for improvement across the spectrum of users-is training."

A Tech Sector That's Set to Soar, by Alex Salkever, Business Week Online 11/19/2002
"STRONG GROWTH. John Pescatore, senior analyst at market researcher Gartner Group, figures that in 2001, corporations spent on average 3.1% of their tech budgets on security. That will rise to 4.3% in 2002 and 5.4% in 2003 -- vs. the anticipated 0.03% decrease in overall corporate tech budgets, according to a November survey of 846 companies by Gartner and investment bank Soundview. "This is strong growth in a tough economy," says Pescatore. ... A smaller sector with slightly slower growth is vulnerability assessment. That involves engaging tech experts to check a corporate network's security by probing and testing it."

Information Watchdogs, by Jean Thilmany. Mechanical Engineering Feb. 2003, p. 72 "The U.S. General Accounting Office says the number of computer attacks in the United States is doubling every year. Fewer than 4 percent of those attacks will be detected, and just 1 percent will be reported. About 250,000 attempts were made in a one-year period to break into the federal computer system and 64 percent of those attempts were successful, according to the GAO."

Boost Your Security Career, by Amy Helen Johnson. Computerworld 14 August 2003, p. 41 Article summary: "Presents tips for information technology professionals in developing a career in information security. Importance of getting the right certification; Consider earning a graduate degree in information security; Increase the disaster and risk management skills." NOTE: If you want to read the whole article, you can get it via Academic Search Elite. Or, contact me and I'll email it to you.

Wanted: More Schools for Security Pros, by Alex Salkever Business Week Online 28 November 2000. "Not nearly enough is being done to train information-security experts, and U.S. companies face a staffing shortfall that will likely grow ever larger According to Al Decker, CEO of information-security consultancy Fiderus, the U.S. alone will face a shortfall of between 50,000 and 75,000 security professionals in the next few years."

Topsy N. Smalley last rev. 11/07