Thursday, June 28, 2007


I am not sure if this is a phishing email, but if it is from the National Lottery, then they should review their policies on sending suspicious messages to people on their mailing lists.

Tuesday, June 19, 2007

Very impressed by these Pedalite pedals that make your bike very easy to see and are self-charging.

Monday, June 18, 2007

Great series for Network Newcomers - Networking as a 2nd Language

Sorry if I am plugging up Planet ScotLUG with this stuff. Just trying to get my web resources sorted for the CISSP.

Saturday, June 16, 2007

You want a crypto course and don't want to pay for it?

Check out the University of Washington CSE P 590TU: Practical Aspects of Modern Cryptography with brilliant slides and lecture notes.

MIT's OCW also has some good offerings.

6.897 Selected Topics in Cryptography

This is Dave Libershal's CISSP page recovered from Google Cache

CISSP Prep Resources

General CISSP Info:

CISSP_ISSA_BALTIMORE Study Group Yahoo Site

CISSP Yahoo Group FAQ

About the CISSP Test & Certification

NIST Computer Security Publications - from the NIST Computer Security Resources Site.

NIST Computer Security Resource Center - CSRC.

ISC2 - International Information Systems Security Certification Consortium.

CISSP Open Study Guide site


Seminal Papers - from the Computer Security Paper Archive Project.

NSTISSI No. 4009 - 1992 National Information Systems Security (INFOSEC) Glossary. "Provides standard definitions for many of the specialized terms relating to the disciplines of communications security (COMSEC) and automated information systems security (AISS), sometimes referred to as computer security (COMPUSEC)." The most recent Sept. 2000 version is available as a PDF file at www.nstissc.gov/Assets/4009.pdf.

Wikipedia's Review of Information Security.

Handbook of Information Security Management - 1999 edition.

Computer Security Resources

Federation of American Scientists

Security Management Online - extensive news and legal coverage of security issues.

Microsoft Security Tips

Sample CISSP Exam Questions:

CCCure's Sample CISSP Questions. Be sure to check their Study Guides and download materials.

Cert21 practice tests - but you first need to set up an account with them.

Domain 1 - Security Management Practices:

Note that there is much commonality between this and other domains.

Modelling Information Risk Elements - by Alan Oliphant (in ITAudit)

Configuration Management Guides - This material is also useful for Domain 7 review of applications configuration management.

Risk Management - from the Handbook of Information Security Management.

Microsoft Whitepapers on Security Management - This is a recent (9/2002) guide with a set of links to various Microsoft papers that cover the management of site security policies and procedures.



Domain 2 - Access Control Systems and Methodology:

There is much repetition here with other domains - review OPSEC (Domain 6) and Physical Security (Domain 10) in particular. See additional Common Criteria and Biometrics resources at those Domains.

General Access Control info from Security Solutions.

NIST Paper on Role-Based Access Controls - considered to be better than DAC for non-military sites.

Rainbow Series Library - with PS and PDF formatted documents.

DOD 5200.28-STD - Orange Book (1983) - DoD Trusted Computer System Evaluation Criteria (TCSEC).

Evaluated Products List - listed by rating from the Orange Book. Note that this list only covers evaluations from the past three years (and the site was last updated in Sept. 2000). Also, be sure to see the Historical List of all previously evaluated systems (listed by vendor).

NCSC-TG-005 - Trusted Network Interpretation of the TCSEC (Red Book) and NCSC-TG-011 - Guidance for Applying the Trusted Network Interpretation. These extend the Orange Book coverage to networks.

ITSEC - Information Technology Security Evaluation Criteria - British certification recognized in Europe. Developed as an international alternative to TCSEC. In May 1990 France, Germany, the Netherlands and the United Kingdom published the Information Technology Security Evaluation Criteria (ITSEC) based on existing work in their respective countries. Following extensive international review, Version 1.2 was subsequently published in June 1991 by the Commission of the European Communities for operational use within evaluation and certification schemes. ITSEC is a structured set of criteria for evaluating computer security within products and systems. Each evaluation involves a detailed examination of IT security features culminating in comprehensive and informed functional and penetration testing. This work is undertaken using an agreed Security Target as the baseline for ensuring that a product or system meets its security specification. ITSEC operates the concept of assurance levels E0 to E6. This scale represents ascending levels of confidence that can be placed in the security functions of the TOE (Target of Evaluation) and determines the rigour of the evaluation. Since the launch of ITSEC in 1990, a number of other European countries have agreed to recognise the validity of ITSEC evaluations. Both ITSEC and TCSEC are forerunners of the Common Criteria - ISO 15408 (1998) - first released in 1996.

CC EALs - Common Criteria's 7 Evaluation Assurance Levels (EAL 1-7) and their relationship to ITSEC evaluation levels (E0-6).

Understanding the Windows EAL4 Evaluation - a useful discussion of how the CC works.



National Biometric Test Center Publications

Biometrics Links from the MSU Biometrics Research Site.


Domain 3 - Telecommunications and Network Security:

Telecom & Networks web courses - easy to follow, and a good place to start

Communications Protocols

Cisco Network Terms Glossary

Techweb Networking Terminology

www.whatis.com

Searchable RFC Database

Cisco Documentation

Guide to Network Administration - good coverage of common issues, plus technical info on LANs, VPNs, and network security.

TCP/IP Overview from ACM.

Intro to TCP/IP - an old (1995) and brief document. The ACM overview is better.

TCP/IP Tutorial from Dragonmount

RFC1180 - a TCP/IP tutorial.

Network Device Presentation - good descriptions and helpful diagrams.

Uri's TCP/IP Resources List - a massive set of well-organized links. This is THE PLACE to go for TCP/IP information. Much of what you need to know or want to find about TCP/IP is at this site.

Understanding Communications - focus on the WAN side - From Ericsson

O'Reilly Network Articles

Data Network Resources - this is good overall coverage

Anritsu Must-Have Reference for IP - has a very good glossary of IP acronyms.

Webopedia On-line Computer Encyclopedia - good network coverage

Cable and Connectors - this is an excellent document with helpful drawings and tables.

Cable Products Catalog

Networking Media Course - good overview set of slides, includes wireless.

Fiber Technology

Images of Cisco network devices

Ethernet Designations - nice chart of the different Ethernet flavors.

Telecommunications Media - Chapter 4 of Stallings' Data and Computer Communications textbook.

CAT7 vs Fiber - discussion of the different cable types and expected usage; good coverage of fiber technology.


WANs

Google Searchable Subject Index on Internet Protocols

IANA List of Registered TCP/IP Ports

TCP/IP Protocols, Ports, and Sockets - good coverage of how they work.

DOD Migration to IPv6 - 10/14/03 issue of GCN

Security Implications of IPv6 - ISS paper that discusses how migration to IPv6 may create security problems.

VoIP

Wireless Tutorial

802.11 Tutorial

Comprehensive list of network monitoring tools

Shomiti Taps - Finisar site

LURHQ's Malware Technical Papers contain some solid info about various worms and viruses, and exploits like DNS cache poisoning.



Access Control and Firewalls

SSL and IPSec Tutorial - presentation with good coverage and useful diagrams. Also see the SSL and TLS description and a thorough IPSec presentation.

IPSec Overview from Cisco

IPSec White Paper - from Cisco, contains a useful summary.

IPSec Tunneling Described - short Microsoft article with some helpful diagrams

PKI Tutorial

Radius and TACACS - Network Computing article.

Secure RPC - brief overview.

Application Layer Security Protocols

Sniffer tools and detection - article in Linux Journal - brief overview.

packetsniff site by Steve Gibson.

Packet Storm's alphabetized download site for sniffer and analyzer software, with descriptions.

High-level Overview of Attacks, Services, and Mechanisms

RAD Network Tutorials - lots of easy-to-find info and a glossary.

Network Security Articles by Rik Farrow

FAX FAQS - from FAXIMUM. Very extensive coverage.

ISS Security Center's Underground info

My Network Resources

My Security Resources

Domain 4 - Cryptography:

Intro to Cryptography and PGP - Good intro with useful Glossary - heavy focus on PGP.

Summary of Cryptographic Techniques

My Crypto Links - several useful links that I have found are here (part of my security web page). These include two quality sites that have massive sets of links to numerous crypto sites. Also, see My Security Class Links that includes various NIST links.

NIST's Cryptography Overview - good discussion of symmetric and asymmetric methods.

Homeland Insecurity - Atlantic Monthly interview with Bruce Schneier. Some good crypto background material and a primer on public-key encryption.

Wikipedia's review of cryptography

Domain 5 - Security Architecture and Models:

IPSEC - Charter for IETF's IPSEC with list of relevant RFCs from this group.

The Anderson Report - Computer Security Technology Planning Study, 1972 for USAF.

Enterprise Security Architecture - Draft document from the NAC Security Architecture Work Group April 2004

The Design and Evaluation of Infosec Systems - C-TR-32-92.

Security Architecture - from the Handbook of Information Security Management.

Multics General Info and FAQ - early mainframe timesharing system, forerunner of UNIX but more heavily secured.

Matrix of TCB Divisions - a nice visual aid helping to understand the different levels of the Trusted Computing Base in TCSEC.

The Complete, Unofficial TEMPEST Information Page

Domain 6 - Operations Security:


 

Links to CIRT Sites

http://www.defendamerica.mil/articles/a021202b.html

National Infrastructure Protection Center

RAD Network Tutorials - lots of easy-to-find info and a glossary.

Common Criteria - ISO 15408. Be sure to read the Introduction to CC - pdf file for those (like us) who don't need to read the full document.

FCAPS - Fault, Configuration, Accounting, Performance, and Security - model for asset management.

Rainbow Series - online library - note the Configuration Management and Trusted Recovery documents.

Interagency OPSEC Support Staff - info about IOSS plus links to other good OPSEC sources such as NSDD 298, and the OPSEC Professionals Society.

DoD OPSEC Program - DoD Dir 5205.2.

Andrews AFB OPSEC Site - has many related organizational and reference links, including a useful glossary of terms.

Northrop Grumman IT Site

Domain 7 - Applications and Systems Development Security:

Fast Guide to RAM Types

Objects and Components - OO resources from I.T. Works.

Relational Database Concepts - a brief review.

Database Security - helpful PowerPoint presentation from a college course.

Domain 8 - BCP and Disaster Recovery Planning:

http://www.nwfusion.com/research/disasterrecov.html - Network World Fusion Research site on Disaster Recovery with a wide assortment of links.

Domain 9 - Law, Investigation & Ethics:

US Information Security Law - Part 1 - from SecurityFocus 2/25/2003.

Federal Laws & Regs - good set of links from the fedlaw site but only thru the late 90's. Some additional related links as well to federal agencies and other security sites.

Code of Ethics from various sources including ISC2.

RFC 1087 - the IAB's "Ethics and the Internet".

LAWSOURCE - American Law Sources On-Line.

MLAT - Mutual Legal Assistance Treaties.

Digital Millennium Copyright Act - many links to resources about the DMCA - from educause.

Computer Security Act of 1987 - Public Law 100-235

Computer Fraud and Abuse Act of 1986 - 18 USC 1030

Why the Due Care security review method is superior to Risk Assessment - Donn Parker's argument against using Risk Assessment techniques. CSI's Computer Security Alert, Number 212, November 2000.

Intellectual Property Law - from KuesterLaw - The Technology Law Resource with links to many patent, copyright, and trademark related sites.

Legal & Ethical Issues from NIPC

Electronic Frontier Foundation

Electronic Privacy Information Center - EPIC

WWW.CYBERCRIME.GOV - US DOJ

Federal Computer Intrusion Laws - links provided by CCIPS at the cybercrime site.

Computer Fraud & Abuse Act of 1986 - 18 USC 1030 w/ 1996 amendments - from the DOJ cybercrime site.

Computer Security Act of 1987 - the full text of the law in an easy-to-read format.

Computer Security Act of 1987 - Site at the Electronic Privacy Information Center (www.epic.org) that contains links to additional related info.

Patriot Act - at the EPIC site.

USA Patriot Act - full text (from the EFF site).

USA Patriot Act analysis by EFF - very thorough.

FIRST - Forum for Incident Response.

CERT Incident Response Team Resources

Glasser LegalWorks - much info (online newsletters and many links) relating to the legal side of computing.

State Law Search and State Computer Laws

more - additional computer law & forensics resources from my security site.

Domain 10 - Physical Security:

CISSP_ISSA_BALTIMORE Yahoo Files

The International Biometric Society is devoted to the mathematical and statistical aspects of biology.

The Biometric Consortium - US govt. focal point for research, development, testing, and evaluation. It is sponsored by NSA and NIST. See their Introduction to Biometrics.

NIST Biometrics Research Center

Common Criteria - site index for the new international standard for Information Security - ISO/IEC 15408. Includes a list of products that meet Common Criteria evaluation requirements.

National Information Assurance Partnership - sponsored by NIST and NSA to disseminate information on the status of all development efforts associated with new security specs and requirements that comply with the Common Criteria. See the NSTISSP No. 11 FAQ that clarifies compliance with this national IA acquisition policy for deploying IA products at govt. sites.

Halon 1301 FAQ.

Halon Alternatives FAQ. FM-200 is supposed to be the most effective alternative.

Army Field Manual of Physical Security - (314 pages). Recommended sections are Physical Barriers (c.4), Lighting (c.5), Security Systems (c.6), Access Control (c.7), and Lock and Key (c.8).

Friday, June 08, 2007

I have been thinking of blogging this one for a while. For those who admire the Victorian period but do not want to lose all of the technology that they use daily.

The Steampunk Workshop is producing the goods for those Victoriana Tech-Heads.

Tuesday, June 05, 2007

Best new Firefox plugin is FireGPG

Use it with GPG to sign and encrypt your Gmail emails easily.

Monday, June 04, 2007

This is too good.

It is lovely when the BBC gets done over - now could they start to mention that Bush started the recent nuclear escalation in Europe and not Putin?

Friday, May 25, 2007

What are you doing this weekend?

Build a bunch of SF AT-AT Snow Walkers and recreate the Battle of Hoth.

Why not use reCAPTCHA to stop spam on your blog and help the Internet Archive digitise books?

reCAPTCHA improves the process of digitizing books by sending words that cannot be read by computers to the Web in the form of CAPTCHAs for humans to decipher.

Monday, May 07, 2007

Well, I had a lovely discussion with the Vodafone technical team who told me that the Vodafone network does not offer VoIP as part of their network. I asked why they had disabled internet telephony on my Nokia N95 and they said that they hadn't.

The salespeople told me that the phone was a standard Nokia N95 with all of the features of this phone.

I love it when they lie.

So, not sure when I can start to use VoIP - this is not over yet.

Saturday, May 05, 2007

Monday, April 23, 2007

I have been trying to develop a way to make the encryption of sensitive documents as seamless and effortless as possible for non-techie people.

There are brilliant applications available for people to use and they are very easy to set-up.

The problem is that secure volumes and folders are set-up as separate areas for the storage of sensitive documents, with the result that either they are not used or some sensitive documents are left out.

The solution is to make the secure volume the default area for these individuals to store all of their data, and for most Windows users that means the My Documents folder.

I used TrueCrypt to create the secure volume. It was set up using a meaningless file name in a nondescript folder on the C: drive. Normally, I would have used a separate physical disk for this volume, but it was a laptop with only a single hard drive.

I then moved the My Documents folders for this user into the secure volume after pruning out some default save folders for iTunes and Google Video.

The trade-off for using the My Documents folder is that a lot of non-secure items will be saved to this location (Christmas lists, letters to family and friends), but it will also be the default folder to hold all of the sensitive items that need to be secured. The user does not need to decide whether or not the document being saved needs encryption.

As long as the TrueCrypt password chosen is of a reasonable length and memorable, this fellow is safe from prying eyes for those items that need to be secured.
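A scripted form of the redirect described above, added here as an example and not the author's own setup: it refuses to touch My Documents unless the TrueCrypt volume is mounted, repoints the shell folder in the registry, and then lists anything left behind in the old plaintext location. The drive letter T: and the folder name Documents are assumed placeholders.

```powershell
# Added example, not the original author's script. Assumes the TrueCrypt
# volume is already mounted as T: (placeholder) and that My Documents
# should live at T:\Documents.
$VolumeDrive = 'T:'
$NewDocs     = Join-Path $VolumeDrive 'Documents'
$ShellKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# 1. Never redirect onto an unmounted volume: Windows would recreate a
#    plaintext My Documents at the first save and the whole point is lost.
if (-not (Test-Path $VolumeDrive)) {
    throw "Encrypted volume $VolumeDrive is not mounted; mount it first."
}
if (-not (Test-Path $NewDocs)) {
    New-Item -ItemType Directory -Path $NewDocs | Out-Null
}

# 2. Remember where My Documents currently lives (the REG_EXPAND_SZ value
#    'Personal'; Get-ItemProperty returns it with %VARS% already expanded).
$OldDocs = (Get-ItemProperty -Path $ShellKey -Name Personal).Personal

# 3. Repoint the shell folder, keeping the value type Windows itself uses.
Set-ItemProperty -Path $ShellKey -Name Personal -Value $NewDocs -Type ExpandString

# 4. Move the existing contents (default save folders such as the iTunes
#    and Google Video ones mentioned in the post can be pruned afterwards)
#    and report whatever could not be moved, e.g. files locked by a running
#    application, so nothing sensitive is silently left outside the volume.
if ($OldDocs -and ($OldDocs -ne $NewDocs) -and (Test-Path $OldDocs)) {
    Get-ChildItem -Path $OldDocs -Force |
        Move-Item -Destination $NewDocs -ErrorAction SilentlyContinue
    $Leftovers = Get-ChildItem -Path $OldDocs -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $Leftovers) {
        Write-Warning ("Still outside the encrypted volume: " + $item.FullName)
    }
}
```

Explorer reads the shell folder path at logon, so log off and back on after running this, and mount the volume under the same drive letter before each logon or Windows may fall back to a plaintext location.
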

This is very scary.

Can we now discount the U.S. as part of the first world? Move them down the chain to those groups who pray to jeeps in the South Pacific?

I have just returned to Twitter

I joined a couple months ago and let it sit. I have joined and used things like this before and never found them to be beneficial (buddyping comes to mind). I still believe it is a stalker's dream site.

Friday, April 20, 2007

Been working on the new ScotLUG t-shirts for the Paisley Beer Festival.

It was work achieved through a number of people. Mike Quin took my original idea and refined it into a decent piece of work.

I put the fonts I liked past the folks in IRC and they chose the ones they wanted.

Lucida Sans and Magik.

The t-shirts will be ready in a week and hopefully Linux Format will run the picture again.

Tuesday, April 17, 2007

I have just found Epica leather bound journals, which is serious notebook pr0n. They look fantastic, straight out of a museum or a Myst episode.

The only problem is that I would never write anything in these journals. I have a problem in marking up a ten quid moleskine, with my thoughts. A £1200 leather bound journal would remain pristine.

Wednesday, April 11, 2007

Picked up a Nokia N95 from Vodafone. Supposedly Vodafone have killed VoIP on this phone - so it is time to flash the firmware on this puppy and get some functionality back.

We used the Tomtom One a great deal while holidaying down in South Ayrshire. It worked very well and guided us to a number of places, including the remote cottage that we stayed in.

We put the postcode supplied to us by the owner of the cottage into the Tomtom and it took us to within 100 yards of the place. I think the postcode designated the area rather than the individual buildings. Without it, I doubt we would have been there as quickly.

Another situation was when I tried to find the Sulwath Brewery in Castle Douglas. We found ourselves on King Street and as Liz pulled over to park, we were right beside the brewery. It would not have been easy to find since the brewery is actually not on the street.

Saturday, March 31, 2007

The Sopranos in 7 minutes and 36 seconds

Easy way to catch up on the Sopranos.