N.S.A. & BUSINESS NETWORKING ECHELONS
National Information Systems Security
U.S.A., Washington, D.C. - November 1, 2001: The National Information Systems Security Conference (NISSC) is an annual conference at which handpicked representatives of top American corporations and of the top intelligence agencies meet on subjects relating to industrial information-systems modeling and security management. Such an intertwining of business leaders channeling ideas and brainstorming directly with senior intelligence officials is remarkable, as shown in detail here. This think tank of sorts conducts its business-intelligence brainstorming at any one of a variety of pre-scheduled venues around the world. One year it might be held at what was, until 2001, one of the U.S. National Security Agency's (NSA) listening posts for the global ECHELON satellite-communications surveillance network, Bad Aibling Station (BAS), in the small village of Mietraching, Germany; the following year it might meet at the Hyatt Regency Hotel & Convention Center in Orlando, Florida.

The NSA is NISSC's host and a working participant, alongside a few handpicked American and foreign firms: IBM, Fujitsu, Boeing, Siemens, LOCKHEEDGRUMAN, Saab, ARINC, BAE Systems, PTC, Airbus, Rockwell Collins, Microsoft, MITRE, and even Estee Lauder (a cosmetics firm), to name just a few. The collective goes over in detail the lengthy papers that the firms submitted ahead of time to the NSA for review. The NSA and a few sponsoring firms then select specific personnel to study the reports these firms present. Some topics may bear on an NSA mission need or have mission impact, so NSA staff are present at nearly all of these meetings. Security is tremendous, to say the least. The focus on information-system security, a subject on which the NSA has no doubt already written the book, gives this joint think-tank workshop the time to study how a new information-security management system will best serve its members' future needs. The prime subject matter deals with encryption, dictionary standards, and methods for using or modifying a new form of high-technology information-management transfer, one already designed to provide heightened security when data handshaking occurs over the Internet and over satellite links, for all these firms' current and future information requirements.
EPM - The Software Mastermind Firm
EPM Technology, a Jotne company based in Oslo, Norway, distributes, with the blessing of the NSA, its modular high-tech data-management technology to organizations in a variety of industries worldwide. Specifically, the focus is on EPM Technology's EXPRESS Data Manager (EDM) based tools, designed for the many uses of its global multi-user customers' management information systems (MIS). These organizations are gradually moving away from managing information on paper and toward exchanging and sharing huge amounts of data electronically in fast digital formats, which is where the NSA's interest lies. EPM's tools enable product data to be managed, exchanged and shared across radically different systems, independent of location, system type or network design. They allow access to this data throughout the life cycle of the product and ensure that the information remains in a form that can be accessed and interpreted for decades to come.

It is already quick, easy and inexpensive to transfer or access basic, everyday information via databases, e-mail, Internet websites and intranets. It is nearly impossible, however, to accurately and reliably exchange, share and manipulate complex technical data about a product: its design, properties and structure, its development and history, its costs and maintenance, and so on. Problems arise because:
1. Different systems are used to design, analyze, manufacture and document a product.
2. Each system has its own way of representing data.
3. Each group or organization tends to choose its own systems.
4. Systems in use change over time, making some data inaccessible.
5. Different hardware and software environments are a fact of computing life.

The ability to efficiently transfer and translate sophisticated product data, independent of hardware and software environments, is now recognized worldwide as the next natural and vital step in the evolution of product data technology and product information management. This ability is considered essential for effective communication and cooperation, not only within work groups and among colleagues but with customers, suppliers, users and business partners, and absolutely critical if an organization wants to achieve and maintain a competitive advantage well into the 21st century. EPM sees the 21st century as significant for the deployment of its EDM tools for electronic commerce and product data technology standards, in particular ISO 10303, the international standard for the representation and exchange of product model data, also known as STEP. EXPRESS-compliant products: EXPRESS is a product suite that contains the tools needed to begin implementing the product data technology standards of the 21st century by creating and managing EXPRESS schemata, customizing data models, and establishing product-data databases and archives. EXPRESS products from EPM Technology are available today to meet crucial needs for future success. EDM is modular by design, enabling a firm to mix and match the products and options it wants, and to easily expand or update the system as its needs change and as the standard continues to evolve. EDM products are available for UNIX and Microsoft Windows platforms. EDM is designed to make all product details, not just visual details, available to a variety of users during all phases of engineering, development, production, operation and maintenance. Ultimately, the EXPRESS Data Manager helps turn business theories into realistic business goals, goals that secure a strategic competitive edge for projects and companies, large or small:
1. Minimize product life-cycle costs.
2. Provide continuous acquisition and life-cycle support (CALS).
3. Ensure data integrity.
4. Collaborate in virtual or extended enterprises.
5. Shorten product development cycles.
6. Support concurrent product and process development.
7. Respond with agility to changing customer needs.

The information handled by the EXPRESS Data Manager is contained in data models rather than in paper blueprints or in application-specific programs, databases or texts. These models are created and defined in EXPRESS, the information modeling language specified in STEP (ISO 10303-11). Like other computer languages, EXPRESS has a well-defined syntax, structure and set of language rules. In sharp contrast to other languages, however, in an EXPRESS-based approach to product data the models are entirely independent of any underlying implementation tools.
As the foundation for EPM Technology's EDM, EXPRESS makes it possible to link pieces of information that were once isolated from one another by incompatible formats. Together, EXPRESS and the EXPRESS Data Manager make it possible to overcome one of the main obstacles to true business and process integration.
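The EXPRESS/STEP mechanism described above can be made concrete. What follows is an added example, not code from this page or from EPM Technology's EDM products: a small Python validator that parses a constructed EXPRESS schema (a subset of ISO 10303-11 covering simple-typed attributes, entity-typed attributes and numeric WHERE rules) together with a constructed ISO 10303-21 exchange file, and checks every instance in the file against the schema before it would be loaded. The schema, the exchange file, the entity names and the regex-based subset parser are all this example's own assumptions. The security point it illustrates is the "ensure data integrity" goal listed above: an exchange file received from a partner is untrusted input and is rejected on undeclared entities, type mismatches, dangling instance references and violated WHERE rules, rather than being silently imported.

```python
"""Added example (not EPM's EDM): check a STEP Part 21 (ISO 10303-21) exchange
file against a small EXPRESS (ISO 10303-11) schema before loading it.  The schema,
the file and the regex-based subset parser are constructed for this illustration."""
import operator
import re

# Constructed schema: two entities, the second referencing the first.
EXPRESS_SCHEMA = """
SCHEMA part_schema;
ENTITY material;
  name : STRING;
  density : REAL;
END_ENTITY;
ENTITY part;
  name : STRING;
  mass : REAL;
  made_of : material;
WHERE
  positive_mass : mass > 0.0;
END_ENTITY;
END_SCHEMA;
"""

# Constructed exchange file: #3 breaks a WHERE rule, #4 references a missing
# instance, #5 uses an entity the schema never declared; #1 and #2 conform.
STEP_FILE = """ISO-10303-21;
HEADER;
FILE_SCHEMA(('PART_SCHEMA'));
ENDSEC;
DATA;
#1=MATERIAL('steel',7850.0);
#2=PART('housing',12.5,#1);
#3=PART('bracket',-1.0,#1);
#4=PART('cover',2.0,#9);
#5=BOLT('m6');
ENDSEC;
END-ISO-10303-21;
"""

ENTITY_RE = re.compile(r"ENTITY\s+(\w+);(.*?)END_ENTITY;", re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*:\s*(\w+);", re.M)
WHERE_RE = re.compile(r"^\s*(\w+)\s*:\s*(\w+)\s*(>=|<=|<>|>|<|=)\s*([-+\d.]+);", re.M)
INSTANCE_RE = re.compile(r"^#(\d+)=(\w+)\((.*)\);$", re.M)
# Part 21 argument tokens: quoted string ('' escapes a quote), #ref, or a number
# (a Part 21 REAL always carries a decimal point, which is how typed() tells it from an INTEGER).
ARG_RE = re.compile(r"'(?:[^']|'')*'|#\d+|[-+]?\d+(?:\.\d*)?(?:E[-+]?\d+)?")
OPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
       "<=": operator.le, "=": operator.eq, "<>": operator.ne}


def parse_schema(text):
    """Map ENTITY name -> {'attrs': [(name, TYPE)], 'rules': [(rule, attr, op, bound)]}."""
    schema = {}
    for name, body in ENTITY_RE.findall(text):
        attrs_text, _, where_text = body.partition("WHERE")
        schema[name.upper()] = {
            "attrs": [(a, t.upper()) for a, t in ATTR_RE.findall(attrs_text)],
            "rules": [(r, a, op, float(v)) for r, a, op, v in WHERE_RE.findall(where_text)],
        }
    return schema


def typed(token):
    """Classify one Part 21 argument token as (TYPE, Python value)."""
    if token.startswith("'"):
        return "STRING", token[1:-1].replace("''", "'")
    if token.startswith("#"):
        return "REF", int(token[1:])
    return ("REAL", float(token)) if "." in token else ("INTEGER", int(token))


def parse_instances(text):
    """Map instance id -> (ENTITY, [typed args]), reading only the DATA section."""
    data = text.split("DATA;", 1)[1].split("ENDSEC;", 1)[0]
    return {int(i): (ent.upper(), [typed(t) for t in ARG_RE.findall(args)])
            for i, ent, args in INSTANCE_RE.findall(data)}


def validate(schema, instances):
    """Return [(instance id, problem)]; an empty list means the file conforms."""
    problems = []
    for iid, (ent, args) in instances.items():
        spec = schema.get(ent)
        if spec is None:
            problems.append((iid, f"entity {ent} not declared in schema"))
            continue
        if len(args) != len(spec["attrs"]):
            problems.append((iid, f"{ent} expects {len(spec['attrs'])} attributes, got {len(args)}"))
            continue
        values = {}  # simple-typed attribute values, consulted by the WHERE rules
        for (aname, atype), (vtype, value) in zip(spec["attrs"], args):
            if atype in schema:  # entity-typed: must resolve to an instance of that entity
                if vtype != "REF" or instances.get(value, (None,))[0] != atype:
                    problems.append((iid, f"{aname} must reference a {atype} instance"))
            elif vtype != atype:
                problems.append((iid, f"{aname} must be {atype}, got {vtype}"))
            else:
                values[aname] = value
        for rule, aname, op, bound in spec["rules"]:
            if isinstance(values.get(aname), (int, float)) and not OPS[op](values[aname], bound):
                problems.append((iid, f"WHERE rule {rule} violated"))
    return problems


def check_file(schema_text=EXPRESS_SCHEMA, step_text=STEP_FILE):
    """Parse both texts and return the validation problems (empty if the file is clean)."""
    return validate(parse_schema(schema_text), parse_instances(step_text))
```

Running `check_file()` on the constructed file reports three problems: #3 violates positive_mass, #4 references an instance that does not exist, and #5 uses an entity BOLT that the schema never declares; #1 and #2 pass. A real EXPRESS implementation also handles SELECT and aggregate types, inheritance (SUBTYPE OF), derived attributes and arbitrary WHERE expressions, none of which this subset parser attempts; the point is that the schema, not the importer's goodwill, decides what is accepted.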
NSA-EDM Cast Of Business Character Interests
To show which firms might be represented, how they might interact with the NSA when cast for tutorials in an NSA workshop workgroup, and what the specific subject areas of information-management security focus might be, one can review the minutes of previous meetings. Studying the itinerary, topics and subject matter of a 1997 NISSC program, along with its chairmen and panelists, gives the following:

The Secret and Below Interoperability (SABI) Process: Continuing the Discovery of Community Risk
Rooms: ____ - ____
Chairman: Mark Loepker, National Security Agency
Panelists: Curtis Dukes, National Security Agency; Charles Schreiner, National Security Agency; Willard Unkenholz, National Security Agency; Corky Parks, National Security Agency; Dallas Pearson, National Security Agency; Warner Brake, Defense Information Systems Agency.
Topic Chairman and Panelist's Biographies
Mark Loepker: Chief, Information Assurance Process Special Project Office, Information Assurance Solutions, National Security Agency. He is responsible for all matters affecting the development, refinement, and implementation of the information assurance solution process, and in this capacity leads the Secret and Below Interoperability (SABI) project. He last served with the Command, Control, Communications, and Computer Systems Directorate, U.S. European Command, as Chief, Information Systems Security Division, responsible for all European-theater policy and policy enforcement concerning information warfare and communications and computer security. During this tour he led INFOSEC actions in support of Operations Provide Comfort, Joint Endeavor, and Combined Endeavor (Partnership for Peace).
Curtis Dukes: Deputy Chief, Architectures and Applications Division of the Systems and Network Attack Center, National Security Agency. He is responsible for the technical direction of the Center's vulnerability research into intrusion detection and enterprise management systems, and in this capacity leads the Joint Vulnerability Assessment Process of the SABI initiative. He previously served in an Intelligence Community assignment in the Directorate of Operations, Central Intelligence Agency.
Chuck Schreiner: Chief of the Solution Security Analysis Division, National Security Agency, which provides customers with vulnerability analysis and test services to support their local risk decisions. He has previously served as NSA Representative to the Pentagon, Technical Director for Fielded Systems, and Deputy Chief of the RF Communications Division.
Willard Unkenholz: Technical Director for the System Security Guidance and Evaluation Division, National Security Agency. His current duties involve developing and leading the DoD risk analysis capabilities applied to the SABI initiative.
Corky Parks: risk analyst in the System Security Guidance and Evaluation Division, National Security Agency. His areas of interest include the theory and practice of information risk management, and decision theory.
Dallas Pearson: Technical Director for Security and Evaluations in the National Security Agency's Office of Information Assurance Solutions Deployment and Maintenance. All of his 29 years at NSA have been in technical roles in COMSEC and INFOSEC. He received a Bachelor of Science in Physics from the University of Southern Mississippi in 1970 and a Master of Science in Systems Engineering from Johns Hopkins University in 1995. He is a co-author of NSA's Information Systems Security Engineering (ISSE) Handbook and teaches an in-house introduction to ISSE course.
Warner Brake: Deputy Chief, Information Assurance Implementation Branch of the Information Assurance Program Management Office, Defense Information Systems Agency. He is the senior certification test director and advisor for certification team members, who perform in-depth technical certification testing and compliance validation of DISA pillar, Joint, and NATO programs. He is also responsible for the periodic review and update of DoD Instruction 5200.40, the DoD Information Technology Security Certification and Accreditation Process (DITSCAP), and for the operation of the Information Assurance Support Environment information desk and website.

Secret and Below Interoperability (SABI) is an information assurance initiative mandated by the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (ASD/C3I) and sponsored by the Joint Staff's Command, Control, Communications, and Computer Systems directorate (JS/J6). SABI improves the security posture of all secret-and-below DoD systems through a community-based risk acceptance approach: it applies proven system security engineering to the risks faced by the community, and mission-oriented risk management to reach sound community decisions. The goal of SABI is to ensure secure secret-and-below interoperability solutions for the warfighter within community-acceptable risk. It is a network-centric process with procedures for reviewing interconnections and for reusing proven solutions. It is founded on information systems security engineering (ISSE) principles: information systems security (INFOSEC) is integrated into the systems engineering and systems acquisition processes, customers participate strongly in support of mission needs, and the INFOSEC disciplines are used to best effect to provide security solutions. Its documentation implements DoD Instruction 5200.40, the DoD Information Technology Security Certification and Accreditation Process (DITSCAP). The SABI process teams the local site customer with the engineering, risk, vulnerability, training and programmatic support needed to develop the right solution for the customer's SABI requirement, and keeps that community team together throughout the system security engineering process; the continued dialog and participation of all relevant stakeholders strengthens the community's acceptance of the risk of a specific site solution. In discussing the current status of the SABI program, the panel will focus on the progress and impact of the National Information Assurance Certification and Accreditation Process (NIACAP), NSTISSI No. 1000.
Topic Workgroup Meeting Examples
Depicted below are a few examples of how a NISSC topic-workgroup itinerary might appear. A session may begin with background information, as follows:

National Computer Security Center (NCSC): In 1978, the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence (C3I) established the Department of Defense Computer Security Initiative (CSI) to ensure the widespread availability of trusted automatic data processing (ADP) systems for use within the DoD. In January 1981 the National Computer Security Center (NCSC) was established and assumed responsibility for the activities of the Initiative. The NCSC encourages the development of trusted computing system products, develops computer security standards and guidelines for interested users, and sponsors basic research in the field. To encourage the widespread availability of trusted systems, the NCSC developed an industry-government relationship called the Trusted Product Evaluation Program (TPEP). This effort focuses on the technical protection capabilities of commercially produced and supported systems, evaluated against the Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). Three interpretations of the TCSEC are used to assist the program: 1. the Trusted Network Interpretation (TNI); 2. the Computer Security Subsystem Interpretation (CSSI); and 3. the Trusted Database Interpretation (TDI). The NCSC also promotes information security education and cooperates with the National Institute of Standards and Technology (NIST) to provide computer security assistance to other government departments and agencies. In support of the above, the NCSC operates a computer system evaluated at the TCSEC B2 level of trust, DOCKMASTER, which provides on-line service to the information security [intelligence] community.
NIST built a new Information Technology Laboratory (ITL) in response to the growing need for measurement and testing technology to support the development of computing and communications systems that are usable, scalable, interoperable, and secure. This need has come into sharper focus in recent years with the national effort to develop an information infrastructure and to support U.S. industry in a global information marketplace.

The ITL seeks to enable the usability, scalability, interoperability, and security of information technology through a focus on three areas: 1. development of tests for human-machine interfaces, software diagnostics and performance, mathematical software, security, and conformance to standards; 2. collaborative, consulting and operational services for other NIST laboratories in computational sciences and information services; and 3. federal government activities, especially security. Since 1972, NIST has played a vital role in protecting the security and integrity of information in computer systems in the public and private sectors. The Computer Security Act of 1987 reaffirmed NIST's leadership role in the federal government for the protection of unclassified information. NIST assists industry and government by promoting and supporting better security planning, technology, awareness, and training. In addition, NIST fosters the development of national and international standards for security technology and commercial off-the-shelf (COTS) security products. Finally, NIST has an active, laboratory-based research program in computer and network security, with special technical emphasis on cryptography, authentication, public-key infrastructure, internetworking, and security criteria and assurance. NIST also has a special program in support of government key escrow activities.

A conference held at the Hyatt Regency (given here as October 24, 2001, although the program's own day labels, Tuesday the 22nd and Wednesday the 23rd, match October 1996, when the 22nd fell on a Tuesday, and not October 2001, when it fell on a Monday) was scheduled as follows:

Track A--Criteria & Assurance--Ballroom 2
PANEL: Trust Technology Assessment Program (TTAP) (643)
Chairman: T. Anderson, National Security Agency
Panelists: P. Toth, NIST (644); TTAP Working Group Members
This panel will focus on the progress of the TTAP initiative, including the lessons learned from the prototype effort to validate the process, procedures, and documentation that support the program in a commercial environment.
Track B--Electronic Commerce--Ballroom 3
PANEL: Using Security to Meet Business Needs - An Integrated View From the United Kingdom (677)
Chairman: A. McIntosh, PC Security, Ltd.
Panelists: D. Brewer, Gamma Secure Systems, Ltd. (679); N. Hickson, Department of Trade & Industry (682); D. Anderton, Barclays Bank PLC (684); J. Hodsdon, CESG (685); M. Stubbings, Government Communications Headquarters (GCHQ) [the British agency equivalent to the U.S. NSA], UK (686)
This panel discusses the use of risk management techniques in the identification, accreditation, and maintenance of appropriate security profiles for single-organization systems dispersed across a wide range of sites.
Track C--In Depth--Room: ___ - ___
PANEL: Best of the New Security Paradigms Workshop
Chairman: T. Haigh, Secure Computing Corporation (693)
Panelists: R. Blakley, International Business Machines (694); S. Greenwald, Naval Research Laboratory (698); S. Janson, Swedish Institute of Computer Science, Sweden (701); W. Wulf, University of Virginia (704)
This year's workshop focuses on the need to identify new approaches to proving security in very heterogeneous, highly internetworked environments.
Track D--Internet--Ballroom 1
OVERVIEW
Chair: C. Bythewood, NCSC
Introduction to Infowarfare Terminology (718): F. Bondoc, Klein & Stump
This overview is aimed at the newcomer to Information Warfare (IW), and introduces the terminology, threats and countermeasures of IW.
Legal Issues for the User
Chairman: Special Agent John Lewis, United States Secret Service
Intellectual Property Rights and Computer Software (296): D. Bowman, University of Maryland
Case Study of Industrial Espionage Through Social Engineering (306): I. Winkler, National Computer Security Association
Legal Aspects of Ice-Pick Testing (313): B. Gabrielson, Department of the Navy
Track F--Management & Administration--Room: ___ - ___
PANEL: Ethical and Responsible Behavior for Children to Senior Citizens in the Information Age - Community Responsibilities
Chairman: J. Lisi, National Security Agency
Panelists: R. Koenig, ISC2; G. Warshawsky, International Community Interconnected Computing eXchange
Track G--Research & Development--Room: ___ - ___
PANEL: Database Systems Today - Safe Information at My Fingertips? (842)
Chairman: J. Campbell, National Security Agency
Panelists: T. Ehrsam, Oracle; R. O'Brien, SCC; T. Parenty, Sybase; J. Worthington, Informix Software Company; Lt. Colonel Pointdexter, DISA; S. Sahni, 3S Group Incorporated
This panel will address distributed and web database system security issues and solutions.
Track H--Solutions--Room 343-344
Future Activities
Chairman: J. Tippett, National Security Agency
Computer Virus Response Using Autonomous Agent Technology (471): C. Trently, MITRETEK Systems
Security Across the Curriculum - Using Computer Security to Teach Computer Science Principles (483): Major General White, USAF Academy
U.S. Government Wide Incident Response Capability (489): M. Swanson, NIST
Track I--Tutorials--Room 327-328
Introduction to Information System Security: L. Smith and D. Strickland, National Cryptologic School
This tutorial will use an interactive computer-based training course to present the basics of information system security (INFOSEC). The course is composed of five instructional units: information systems overview, threats, INFOSEC solutions, INFOSEC techniques, and risk management. A CD-ROM with this and other courses will be provided to attendees.

Tuesday, October 22nd------------4:00 P.M. -- 6:00 P.M.
Track A--Criteria & Assurance--Ballroom 2
Gaining Assurance through Evaluations
Chairman: H. Holm, National Security Agency
E4 ITSEC Evaluation of PR/SM on ES/9000 Processors (1): R. Nasser, International Business Machines
A High-Performance Hardware-Based High Assurance Trusted Windowing System (12): J. Epstein, Cordant, Inc.
WWW Technology in the Formal Evaluation of Trusted Systems (22): E. McCauley, Silicon Graphics, Inc.
Track B--Electronic Commerce--Ballroom 3
Electronic Commerce: International Security
Chairman: V. Gibson, Computer Sciences Corporation
EDI Moves from the VAN to the Internet (98): B. Bradford, University of Maryland
An International Standard for the Labeling of Digital Products (109): V. Hampel, Hampel Consulting
The Business-Led Accreditor - OR... How to Take Risks and Survive (123): M. Stubbings, Government Communications Headquarters (GCHQ), UK
Integration of Digital Signatures into the European Business Register (131): H. Kurth, Industrieanlagen-Betriebsgesellschaft mbH (IABG), Germany
Track C--In Depth--Room 349-350
PANEL: Best of the New Security Paradigms Workshop (continued from 2:00) (693)
Chairman: T. Haigh, Secure Computing Corporation
Panelists: R. Blakley, International Business Machines (694); S. Greenwald, Naval Research Laboratory (698); S. Janson, Swedish Institute of Computer Science, Sweden (701); W. Wulf, University of Virginia (704)
This year's workshop focuses on the need to identify new approaches to proving security in very heterogeneous, highly internetworked environments.
Track D--Internet--Ballroom 1
PANEL: Information Warfare: Real Threats, Definition Changes, and Science Fiction (725)*
Chairman: W. Madsen, Computer Sciences Corporation
Panelists: M. Hill, Office of the Assistant Secretary of Defense C3I/Information Warfare; F. Tompkins, Science Applications International Corporation; S. Shane, The Baltimore Sun; J. Stanton, Journal of Technology Transfer
This panel will discuss the Information Warfare scenario, which has received a great deal of attention from national security planners, legislators, the military, intelligence agencies, the media, and industry.
Track E--Legal Perspectives--Ballroom 4
PANEL: Electronic Data: Privacy, Security, Confidentiality Issues
Chairman: K. Blair, Esq., Duvall, Harrington, Hale and Hassan (740)
Panelists: The Honorable L. Alden, Judge, Fairfax County Circuit Court (741); S. Mandell, Esq., The Mandell Law Firm (749); R. Palenski, Esq., Gordon and Glickson, P.C. (749); S. Ray, Esq., Kruchko & Fries (800)
This panel will discuss how the legal system is dealing with crimes involving the use of computers. Because computers are relatively new to the world of established criminal law, many of the illegal acts associated with their use did not come with definitions established by legislation or case law.
Track F--Management & Administration--Room 341-342
New Workplace Paradigms for Security
Chairman: C. Hash, National Security Agency
Security Through Process Management (323): J. Bayuk, Price Waterhouse
Malicious Data and System Security (334): O. Sibert, Oxford Systems, Inc.
Security Issues for Telecommuting (342): L. Carnahan, NIST
Track G--Research & Development--Room 345-346
PANEL: Information Systems Security Research Joint Technology Office
Chairman: R. Schaeffer, National Security Agency
Panelists: T. Lunt and H. Frank, Defense Advanced Research Projects Agency (DARPA); R. Meushaw, National Security Agency
This panel will discuss its successes since the first year of this joint partnership to develop and integrate security technology. The partnership aims to maximize security solutions for building the DII and NII.
Track I--Tutorials--Room 327-328
Trusted Systems Concepts: C. Abzug, Institute for Computer and Information Sciences
This tutorial focuses on the fundamental concepts and terminology of trust technology. It includes descriptions of the Trusted Computer System Evaluation Criteria (TCSEC) classes, how the classes differ, and how to determine the appropriate class for your operational environment.

Wednesday, October 23rd------------8:30 A.M. -- 10:00 A.M.
Track A--Criteria & Assurance--Ballroom 2
PANEL: Alternative Assurance: There's Gotta Be a Better Way! (644)*
Chairman: D. Landoll, ARCA Systems, Inc.
Panelists: J. Adams, NSA; Speaker TBD, WITAT System Analysis & Operational Assurance Subgroup Chair; M. Abrams, The MITRE Corporation, WITAT Impact Mitigation Subgroup Chair; Speaker TBD, WITAT Determining Assurance Mix Subgroup Chair
A workshop report on the evolving development of practical solutions for businesses and industries that need confidence in their information systems.
Track B--Electronic Commerce--Ballroom 3
PANEL: Information Security - Transforming the Global Marketplace
Chairman: D. Gary, Booz-Allen & Hamilton
Panelists: J. M. Anderson, Morgan Stanley; K. Panker, American Bankers Association; P. Freund, CertCo
Technology resources are means to achieve organizational goals, not solutions in their own right. The panel will discuss new dimensions of commercial interchange in a highly networked marketplace.
Track C--In Depth--Room 349-350
PANEL: Public Key Infrastructure: From Theory to Implementation - Public Key Infrastructure Technology (707)
Chairman: D. Dodson, NIST
Panelists: R. Housley, Spyrus; C. Martin, General Accounting Office; W. Polk, NIST; S. Chokhani, Cygnacom Solutions, Inc.; V. Hampel, Hampel Consulting; W. Ford, Independent Consultant
This panel will familiarize the audience with PKI standards, interoperability solutions, and implementation issues. This session concentrates on technical specifications and standards; the session that follows reviews lessons learned during implementation of existing PKIs.
Track D--Internet--Ballroom 1
PANEL: Security in World Wide Web Browsers - More than Visa Cards? (737)
Chairman: R. Dobry, NSA
Panelists: C. Kolcun, Microsoft; B. Atkins, NSA; K. Rowe, NCSA; Speaker TBD, Netscape
This panel will discuss the security problems and solutions required to handle electronic commerce via the Internet.
Track E--Legal Perspectives--Ballroom 4
PANEL: Computer Crime on the Internet - Sources and Methods (817)
Chairman: C. Axsmith, The Orkand Corporation
Panelists: Special Agent M. Pollitt, Federal Bureau of Investigation (FBI); P. Reitinger, Esq., Department of Justice; B. Fraser, CERT, Carnegie Mellon University
This panel will discuss case studies of system break-ins, what system administrators should focus on preserving for the evidentiary trail, and the resources available to a system administrator should a break-in be attempted.
Track F--Management & Administration--Room 341-342
PANEL: Current Challenges in Computer Security Program Management (828)
Chairman: M. Wilson, NIST
Panelists: L. McNulty, McNulty and Associates; P. Connelly, White House Communications Agency; A. Miller, Fleet and Industrial Supply Center; B. Guttman, NIST
This panel will discuss managing a computer security program in light of budget constraints, reorganization and downsizing, and the continuing decentralization of ever more complex computing and communications environments.
Track G--Research & Development--Room 345-346
PANEL: Availability Policies: The Forgotten INFOSEC Pillar
Chairman: V. Gligor, University of Maryland
Panelists: H. Hosmer, Data Security, Inc.; J. Millen, The MITRE Corporation; R. Nelson, Information System Security; M. Reiter, AT&T
This panel will discuss various kinds of availability policies, highlighting impact assumptions and potential conflicts with other kinds of security policies.
Track H--Solutions--Room 343-344
PANEL: Security Management Infrastructure Deployment and Operations (871)
Chairman: A. Arsenault, NSA
Panelists: D. Heckman, NSA; S. Capps, NSA; S. Hunt, NSA
This panel will focus on lessons learned from the deployment of MISSI security management infrastructure at NSA and GSA.
Track I--Tutorials--Room 327-328
OS Security: M. Weidner, ARCA Systems
This tutorial focuses on security issues for commercial operating systems. Topics include common vulnerabilities, security services, and potential safeguards. Specific capabilities of several commercially available operating systems will be discussed.

Wednesday, October 23rd------------10:30 A.M. -- 12:00 Noon
Track A--Criteria & Assurance--Ballroom 2
PANEL: Current Perspective on Strategies for the Certification & Accreditation Processes (646)
Chairman: B. Stauffer, CORBETT Technologies, Inc. (653)
Panelists: P. Wisniewski, NSA (647); C. Stark, Computer Sciences Corporation (648); R. Snouffer, NIST (652); J. Eller, DISA, CISS (ISBEC) (646)
Paper: The Certification of the Interim Key Escrow System (26): R. Snouffer, NIST
Track B--Electronic Commerce--Ballroom 3
PANEL Security APIs: CAPIs and Beyond (687) Chairman: A. Reiss, N.S.A. Panelists: J. Centafont, NSA; Speaker TBD, Microsoft; L. Dobranski, Communications Security Establishment (aka) C.S.E., Canada; D. Balenson, Trusted Information Systems, Inc. The panelists will discuss Cryptographic Application Program Interfaces, FORTEZZA, Public Key Infrastructures, the International Cryptography Experiment, and the Microsoft Internet Security Framework. Paper NIST Proposal for a Generic Authentication Module Interface: J. Dray, NIST Track C-In Depth--Room 349-350 PANEL Public Key Infrastructure: From Theory to Implementation (continued from 8:30) (707) Public Key Infrastructure Implementations Chairman: W. Polk, NIST Panelists: P. Edfors, Government Information Technology Services (GITS) Board;
D. Heckman, NSA; D. Dodson, NIST; J. Galvin, CommerceNet; W. Redden, Communications Security Establishment (aka) C.S.E.; R. Kemp, General Services Administration SI-PMO Track D--Internet--Ballroom 1 OVERVIEW Chairman: M. Schaffer, ARCA Systems Secure Business on the Internet: Looking Ahead with Electronic Data Interchange: D. Federman, Premenos The speaker will discuss the history of Electronic Data Interchange and how today's marketplace on the Internet needs cost effective and secure business solutions to function over the World Wide Web. Track E--Legal Perspectives--Ballroom 4 PANEL Legal Liability for Information System Security Compliance Failures - New Recipes for Electronic Sachertorte Algorithms (818) Chairman: F. Smith, Esq., Private Practice, Santa Fe, New Mexico Panelists: J. Montjoy, BBN Corporation; E. Tenner, Princeton University; D. Loundy, Esq., Private Practice, Highland Park, Illinois This panel will discuss the liabilities associated with the increased expansion of increasingly complex computer networks and associated services.
Track F--Management & Administration--Room 341-342 PANEL Achieving Vulnerability Data Sharing (830)* Chairman: L. Carnahan, NIST Panelists: M. Bishop, University of California, Davis, CA.; J. Ellis, CERT, Carnegie Mellon University; I. Krsul, COAST Laboratory, Purdue University This panel will discuss security issues to be addressed when building a data repository that will be shared by different communities of interest. Track G--Research & Development--Room 345-346 PANEL Secure Systems and Access Control (851) Chairman: T. Lunt, Defense Advanced Research Projects Agency (DARPA) Panelists: D. Sterne, Trusted Information Systems, Inc. (852); R. Thomas, ORA (854); M. Zurko, OSF (855); J. Lepreau, University of Utah (857); J. Rushby, SRI International The panelists will discuss their respective security programs. Track H--Solutions--Room 343-344
Future of Trust in Commercial Operating Systems (872) Chairman: T. Inskeep, NSA Panelists: K. Moss, Microsoft; J. Alexander, Sun Microsystems; J. Spencer, Data General; M. Branstad, Trusted Information Systems, Inc.; G. Liddle, Hewlett Packard This panel will discuss where assurance and functionality in commercial systems are going. Track I--Tutorials--Room 327-328 Network Security: J. Wool, ARCA Systems This tutorial focuses on basic issues in network security and gives an overview of the implementing process. Topics include network security concerns and services, vendor qualification issues, system composition and interconnection, and cascading. Wednesday, October 23rd---------12:45 p.m. -- 1:45 p.m. Midday Seminar--Room 327-328 War Stories Speaker: James P. Anderson, J. P. Anderson & Co. Wednesday, October 23rd-----------2:00 P.M. -- 3:30 P.M. Track A--Criteria & Assurance--Ballroom 2
PANEL Firewall Testing and Rating (655)
Chairman: J. Wack, NIST
Panelists: I. Winkler, National Computer Security Association; K. Dolan, NSA; J. McGowen, National Computer Security Association; C. Costack, Computer Science Corporation
This panel will discuss whether firewalls can be effectively rated, what the rating criteria are, which characteristics of firewalls don't lend themselves to rating, and how well rating and testing actually work.

Track B--Electronic Commerce--Ballroom 3
PANEL Are Cryptosystems Really Unbreakable? (691)
Chairman: D. Denning, Georgetown University
Panelists: S. Bellovin, AT&T Research; P. Kocher, Independent Cryptography Consultant; A. Lenstra, Citibank (692); E. Thompson, AccessData Corporation
The panelists will explore the strengths of existing cryptosystems in terms of potential weaknesses in algorithms, protocols, implementation, and application environments.

Track C--In Depth--Room 349-350
Chairman: T. Zmudzinski, Defense Information Systems Agency
Establishing an Enterprise Virus Response Program (709): C. Trently, MITRETEK Systems; Laboratory Assistants: E. Hawthorn, MITRETEK Systems; D. Black, MITRETEK Systems
The speakers will provide practical information that can be used to understand the virus threat; institute low-cost preventative mechanisms; develop and implement enterprise response mechanisms, including when to contact the experts; and monitor the effectiveness of the tools and program within the enterprise. Thirty attendees will be able to get hands-on practice in the lab in Room 330 during Part 2 of the lecture. This In Depth tutorial will be repeated at 8:30 A.M. on Thursday.

Track D--Internet--Ballroom 1
Security Issues in a Networked Environment
Chairman: D. Branstad, Trusted Information Systems, Inc.
The Advanced Intelligent Network -- A Security Opportunity (221): T. Casey, Jr., GTE Laboratories, Inc.
Security Issues in Emerging High Speed Networks (233): V. Varadharajan, University of Western Sydney, Australia
A Case Study of Evaluating Security in an Open Systems Environment (250): D. Tobat, TASC

Track E--Legal Perspectives--Ballroom 4
PANEL The Next Generation of Cyber Criminals
Chairman: M. Gembicki, WARROOM RESEARCH LLC.
Panelists: J. Christie, AFOSI; K. Geide, Federal Bureau of Investigation (FBI); D. Waller, Time Magazine
The panelists will address cybercrime issues and how they affect legal competitive intelligence, the National Information Infrastructure, information warriors, and the commercial business environment. Examples ranging from traditional organized crime elements to individual "Cyber-Terrorists", as well as proposed changes in Government strategies, will be presented.

Track F--Management & Administration--Room 341-342
PANEL Incident Handling Policy, Procedures, and Tools (831)
Chairman: M. Swanson, NIST
Panelists: K. Cooper, BBN Planet; T. Longstaff, Computer Emergency Response Team; P. Richards, Westinghouse Savannah River Company; K. van Wyk, Science Applications International Corporation (SAIC)
This panel will discuss the incident handling policies and procedures that have been implemented within their organizations. They will also discuss a new methodology that system administrators can use for characterizing network security tools.

Track G--Research & Development--Room 345-346
Network Attacks, Protections, and Vulnerabilities
Chairman: W. Murray, Deloitte & Touche
An Isolated Network for Research (349): M. Bishop, University of California, Davis, CA.
GrIDS - A Graph-Based Intrusion Detection System for Large Networks (361): S. Staniford-Chen, University of California, Davis, CA.
Attack Class - Address Spoofing (371): T. Heberlein, University of California, Davis, CA.

Track H--Solutions--Room 343-344
PANEL Vendors' Experience with Security Evaluations (873)
Chairman: J. DeMello, Oracle Corporation
Panelists: J. Caywood, Digital Equipment Corporation (DEC); D. Harris, Oracle Corporation (874); K. Moss, Microsoft Corporation (876); I. Prickett, Sun Microsystems (877)
The panelists will discuss their experiences in achieving successful evaluations, identifying what has worked well for them, and not so well, in the process.
Track I--Tutorials--Room 327-328
Database Security: W. Wilson, ARCA Systems
This tutorial focuses on database security issues from the standpoint of using database management systems to meet the organization's security requirements. Topics include data security requirements, vulnerabilities, database design considerations, and implementation issues.

Wednesday, October 23rd----------4:00 P.M. -- 6:00 P.M.

Track A--Criteria & Assurance--Ballroom 2
PANEL The Trusted Product Evaluation Program: Direction for the Future (656)
Chairman: J. Pedersen, N.S.A.
Representatives from various initiatives within the Trusted Product Evaluation Program will discuss the overall strategy for the future of TPEP, including specific steps for moving the program to new evaluation criteria, mechanisms for commercial advice to vendors, and new types of products which will be evaluated.

Track B--Electronic Commerce--Ballroom 3
Information Security in the Business World
Chairman: N. Pantiuk, IIT Research Institute
Industrial Espionage Today and Information Wars of Tomorrow (139): P. Joyal, INTEGER Inc.
B is for Business - Mandatory Security Criteria & the OECD Guidelines for Information Systems Security (152): W. Caelli, Queensland University of Technology, Australia
Marketing & Implementing Computer Security (163): M. Wilson, NIST
Secure Internet Commerce - Design and Implementation of the Security Architecture of Security First Network Bank, FSB (173): N. Hammond, NJH Security Consulting, Inc.

Track C--In Depth--Room 349-350
Concerns in the Cryptographic Arenas
Chairman: P. Woodie, NSA
Automatic Formal Analyses of Cryptographic Protocols (181): S. Brackin, ARCA Systems, Inc.
Surmounting the Effects of Lossy Compression on Steganography (194): C. Irvine, Naval Postgraduate School
Key Escrowing Systems and Limited One Way Functions (202): W. T. Jennings, E-Systems
The Keys to a Reliable Escrow Agreement (215): R. Sheffield, Fort Knox Escrow Services, Inc.

Track D--Internet--Ballroom 1
WWW: The Case for Having a Security Policy and Measuring It
Chairman: R. Wood, National Cryptologic School
Internet Firewalls Policy Development and Technology Choices (259): L. D'Alotto, GTE Laboratories
A Case for Avoiding Security-Enhanced HTTP Tools to Improve Security for Web Based Applications (267): B. Wood, Sandia National Laboratories
Applying the Eight Stage Risk Assessment Methodology to Firewalls (276): D. Drake, Science Applications International Corporation
Lessons Learned: An Examination of Cryptographic Security Services in a Federal Automated Information System (288): J. Foti, NIST

Track E--Legal Perspectives--Ballroom 4
PANEL Legal Aspects of the Internet - Rights and Obligations of Users and Vendors
Chairman: C. Castagnoli, Esq., Haystack Labs
Panelists: C. Merrill, Esq., Carter & English; M. Lemley, Esq., Professor of Law, University of Texas; M. Godwin, Esq., Electronic Frontier Foundation
The panelists will discuss digital signatures, on-line contracting, and the liability issues for the operator and the user.

Track F--Management & Administration--Room 341-342
PANEL Interdisciplinary Perspectives on INFOSEC: Mandatory Reporting (833)
Chairman: M. Kabay, National Computer Security Association
Panelists: B. Butterworth, Federal Aviation Administration; B. Smith Jacobs, Securities and Exchange Commission (SEC); R. Whitmore, Occupational Health and Safety Administration (OSHA); S. Wetterhall, Centers for Disease Control and Prevention (C.D.C.&P.)
This panel will discuss their experiences from other disciplines with mandatory reporting of security incidents and accidents, with an eye to avoiding known pitfalls and benefiting from their years of experience.

Track G--Research & Development--Room 345-346
PANEL Facing the Challenge: Secure Network Technology for the 21st Century (867)
Chairman: R. Schaeffer, NSA
Panelists: R. Meushaw, NSA; C. McBride, NSA; D. Muzzy, NSA; B. Burnham, NSA
This panel discusses current initiatives and collaborations within the research communities in government, industry, and academia. Additionally, Room 347-348 is set up to demonstrate examples of core technologies, including Token Technology, Voice Verification, Real-time Encrypted Voice, Firewalls, Secure Wireless Communications, and others.

Track H--Solutions--Room 343-344
Security with COTS (Commercial-Off-The-Shelf) Products
Chairman: S. Kougoures, N.S.A.
MLS DBMS Interoperability Study (495): R. Burns, ESC/ENS
MISSI Compliance for Commercial-Off-The-Shelf Firewalls (505): M. Hale, NSA
Designing & Operating a Multilevel Security Network Using Standard Commercial Products (515): M. McGregor, Air Force C4 Technology Validation Office

Track I--Tutorials--Room 327-328
Information Systems Security Officer's Challenges: C. Breissinger, Department of Defense Security Institute
This tutorial focuses on the continued protection and accreditation of operational information systems. Topics include: virus prevention and eradication; access control evaluation and configuration; media clearing and purging; intrusion detection and handling; and dealing with risk.

Thursday, October 24th-----------------8:30 A.M. -- 10:00 A.M.

Track A--Criteria & Assurance--Ballroom 2
PANEL Common Criteria Project Implementation Status (657)
Chairman: L. Ambuel, BDM International
Panelists: M. Donaldson, Communications-Electronics Security Group, UK; R. Harland, Communications Security Establishment (aka) C.S.E., Canada; K. Keus, BSI/GISA, Germany; F. Mulder, Netherlands National Communications Security Agency; J. Smith, Gamma Secure Systems, UK
The panelists will discuss the Common Criteria trial version's structure and content, the status and results to date of the trial-use and implementation activities, the planned future of the project, and the expected impact of all this work on US and international IT security communities.

Track B--Electronic Commerce--Ballroom 3
OVERVIEW Security Concerns in the Private Sector - Banking: S. Ross, Deloitte & Touche

Track C--In Depth--Room 349-350
OVERVIEW
Chairman: S. Lipner, Trusted Information Systems, Inc.
Establishing an Enterprise Virus Response Program (709): C. Trently, MITRETEK Systems; Laboratory Assistants: E. Hawthorn, MITRETEK Systems; D. Black, MITRETEK Systems
The speakers will provide practical information that can be used to understand the virus threat; institute low-cost preventative mechanisms; develop and implement enterprise response mechanisms, including when to contact the experts; and monitor the effectiveness of the tools and program within the enterprise. Thirty attendees will be able to get hands-on practice in the lab in Room 330 during Part 2 of the lecture. This In Depth tutorial is a live encore presentation of the Wednesday 2:00 session.

Track D--Internet--Ballroom 1
PANEL Secure Use of the World Wide Web: Moving From Sandbox to Infrastructure
Chairman: R. Bagwill, NIST
Panelists: J. Pescatore, IDC Government; S. Smaha
This panel will explore the current state of practice in WWW security practices and standards, and provide predictions for the evolution of these security services in the commercial environment.

Track E--Legal Perspectives--Ballroom 4
PANEL V-Chip: Policies and Technology (822)
Chairman: H. Hosmer, Data Security, Inc.
Panelists: D. Moulton, Esq., Chief of Staff, Office of Congressman Markey, HR; D. Brody, MD, American Academy of Child and Adolescent Psychiatry; S. Goering, Esq., American Civil Liberties Union; W. Diffie, Sun Microsystems
This panel will address a variety of legal and technical issues concerning the V-chip, a hardware device inserted into new televisions which can identify labels attached to movies, etc.

Track F--Management & Administration--Room 341-342
PANEL Industrial Espionage Today and Information Wars of Tomorrow
Chairman: P. Joyal, INTEGER Inc.
Panelists: Ret. Major General O. Kalugin, Russia; S. Baker, Esq.; M. Lajman, Author on French Intelligence; E. O'Malley, retired F.B.I.
This panel will discuss the perspectives of Industrial Espionage as the focus of a multi-national problem which affects everyone.

Track G--Research & Development--Room 345-346
Implementations of the Security Policy
Chairman: D. Gambel, General Research Corporation
Generic Model Interpretations: POSIX.1 and SQL (378): D. Elliott Bell, MITRETEK Systems
The Privilege Control Table Toolkit: An Implementation of the System Build Approach (389): T. Woodall, Hughes Aircraft Company
Use of the Zachman Architecture for Security Engineering (398): R. Henning, Harris Corporation

Track H--Solutions--Room 343-344
New Test Methodologies
Chairman: R. Lau, N.S.A.
Real World Anti-Virus Product Reviews and Evaluation - The Current State of Affairs (526): S. Gordon, Command Systems, Inc.
Security Proof of Concept Keystone (SPOCK) (539): J. McGehee, COACT, Inc.
Use of a Taxonomy of Security Faults (551): I. Krsul, COAST Laboratory, Purdue University

Track I--Tutorials--Room 327-328
Information Systems Security Engineering: P. Boudra, NSA; D. Pearson, NSA

Thursday, October 24th-----------10:30 A.M. -- 12:00 Noon

Track A--Criteria & Assurance--Ballroom 2
Views of Assurances
Chairman: D. Kinch, N.S.A.
Configuration Management in Security-related Software Engineering Processes (34): K. Keus, Bundesamt für Sicherheit in der Informationstechnik, Germany
The Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) (46): B. Stauffer, CORBETT Technologies, Inc.
Trusted Process Classes (54): W. Steffan, Tracor Applied Science, Inc.

Track B--Electronic Commerce--Ballroom 3
OVERVIEW Security Concerns in the Private Sector - Brokerage: D. Gary, Booz-Allen & Hamilton

Track C--In Depth--Room 349-350
PANEL Information Security Policy: There has to be a Better Way
Chairman: J. Pescatore, Trusted Information Systems, Inc.
Panelists: K. Kasprzak, Maryland Bancorp; S. Smaha, Haystack Labs; R. Stratton, Wheelgroup Inc.
The panelists will discuss new ideas for transforming organizational needs into security controls and policies.
Track D--Internet--Ballroom 1
PANEL Attack/Defense (738)
Chairman: J. David, The Fortress
Panelists: S. Bellovin, AT&T; W. Cheswick, AT&T; P. Peterson, Lockheed-Martin; M. Ranum, V-One
The panel will discuss how the role of the Internet security practitioner has changed. Keeping the bad guys out is no longer the prime goal of security; rather, it is the prompt and accurate identification of intrusions (or, preferably, intrusion attempts) and minimizing the damage. This session examines these "popular" attacks and presents ways to effectively defend your site against them.

Track E--Legal Perspectives--Ballroom 4
PANEL Protecting Medical Records and Health Information (824)
Chairman: J. Winston, Trusted Information Systems, Inc.
Panelists: G. Belles, VA Medical Information Security Service; B. Braithwaite, US Department of Health and Human Services*; P. Bruening, Information Policy Consultant; P. Taylor, US General Accounting Office
This panel will examine the technical, policy, and legal issues involved in establishing and implementing appropriate protections for patient medical records and other types of health information.

Track F--Management & Administration--Room 341-342
PANEL International Perspectives on Cryptography Policy (835)
Chairman: D. Denning, Georgetown University
Panelists: P. Ford, Attorney General's Office, Australia; D. Herson, Commission of the European Communities, Belgium; N. Hickson, Department of Trade and Industry, UK
Panelists from outside the United States will discuss their views on cryptography policy and on national and international proposals and initiatives.

Track G--Research & Development--Room 345-346
Mechanisms in Understanding Security
Chairman: H. Weiss, SPARTA, Inc.
Developing Secure Objects (410): D. Frincke, University of Idaho
Deriving Security Requirements for Applications on Trusted Systems (420): R. Spencer, Secure Computing Corporation
Security Implications of the Choice of Distributed Database Management Systems Model: Relational vs. Object-Oriented: S. Coy, University of Maryland

Track H--Solutions--Room 343-344
Defenses in Networks
Chairman: M. Woodcock, National Cryptologic School
Protecting Collaboration (561): G. Wiederhold, Stanford University
Design and Management of A Secure Networked Administration System: A Practical Solution (570): Prof. V. Varadharajan, University of Western Sydney, Australia
Information Warfare - INFOSEC and Dynamic Information Defense (581): V. Winkler, PRC Inc.

Track I--Tutorials--Room 327-328
Systems Security Engineering Capability Maturity Model: K. Ferraiolo, ARCA Systems
A capability maturity model (CMM) has been developed to help organizations improve their security engineering capability. This tutorial will describe the model, why it was developed, how it is being used, and plans for its use in the future.

Thursday, October 24th----------12:45 P.M. -- 1:45 P.M.
Midday Seminar--Room 343-344
PANEL Security Protocols/Protocol Security
Chairman: D. Maughan, N.S.A.
Panelists: TBD
This panel will discuss why standards and protocols are needed for the increased use of the Internet by personal as well as business ventures.

Thursday, October 24th --------------2:00 P.M. -- 3:30 P.M.

Track A--Criteria & Assurance--Ballroom 2
Evolution of Criteria Requirements and User Needs
Chairman: J. Arnold, Science Applications International Corporation
Design Analysis in Evaluations Against the TCSEC C2 Criteria (67): D. Bodeau, The MITRE Corporation
System Security Engineering Capability Maturity Model and Evaluations Partners within the Assurance Framework (76): C. Menk III, NSA
Applying the TCSEC Guidelines in a Real-Time Embedded System Environment (89): D. Frincke, University of Idaho

Track B--Electronic Commerce--Ballroom 3
OVERVIEW Security Concerns in the Private Sector - Communications: J. Klein, Wizards Keys

Track C--In Depth--Room 349-350
OVERVIEW & PANEL Data Warehousing I: An Introduction to Data Warehousing, Data Mining and Security (711)
Chairman: J. Campbell, N.S.A.
Panelists: B. Thuraisingham, The MITRE Corporation; J. Worthington, Informix Software, Inc.; P. Lambert, Oracle Corporation
These sessions will investigate Data Warehousing, from what it is to what the security issues associated with it are. These sessions will provide a basis for a Friday afternoon workshop co-sponsored by the IEEE Mass Storage Committee. The goal of the workshop is to provide direction in future R&D efforts ensuring optimal security for Data Warehousing and Data Mining environments.

Track D--Internet--Ballroom 1
PANEL The Web - What is it? Why/How is it Vulnerable? (739)*
Chairman: J. David, The Fortress
Panelists: J. Freivald, Charter Systems, Inc.; P. Peterson, Lockheed-Martin; D. Dean, Department of Computer Science, Princeton University
The speakers will formally describe what the web is/does, indicate how it differs from "normal" Internet use, show how it is used in typical/popular operational modes, and point out the nature and magnitude of primary vulnerabilities.

Track E--Legal Perspectives--Ballroom 4
PANEL Crimes in Cyberspace: Case Studies (827)
Chairman: W. Galkin, Esq., Law Office of William S. Galkin
Panelists: A. Weiner, Esq., Weiner, Astrachan, Gunst, Hillman & Allen; K. Bass, III, Venable, Baetjer, Howard & Civiletti
The panel will present, discuss, and analyze the legal issues involving several actual criminal incidents that have occurred in Cyberspace.

Track F--Management & Administration--Room 341-342
PANEL Surviving the Year 2000 Time Bomb (839): G. Hammonds, AGCS, Inc.
Panelists: J. White, OAO Corporation; A. Hodyke, ESC/AXS/USAF
This panel will identify the complexity and magnitude of the Year 2000 Problem, why so many people will likely be affected, and some practical near- and long-term solutions.

Track G--Research & Development--Room 345-346
PANEL Toward a Common Framework for Role-Based Access Control (868)*
Chairman: D. Ferraiolo, NIST
Panelists: R. Sandhu, George Mason University; V. Gligor, University of Maryland; R. Kuhn, NIST
This panel will discuss the issues related to the development of a common reference model for Role-Based Access Control.

Track H--Solutions--Room 343-344
PANEL Workshop Report on the Role of Optical Systems and Devices for Security (879)
Chairman: T. Mayfield, Institute for Defense Analyses
Panelists: M. Medard, MIT Lincoln Laboratory; J. Ingles, NSA; M. Krawczewicz, NSA; B. Javidi, University of Connecticut
This panel will address security and vulnerabilities in all-optical networks, discuss the use of optics for information encoding, and introduce some applications that might take advantage of optical technology.

Track I--Tutorials--Room 327-328
Common Criteria: K. Britton, NSA; L. Ambuel, BDM International
The Common Criteria has been developed as the next generation of IT Security Criteria, replacing the TCSEC, ITSEC, and CTCPEC. This session will provide a working knowledge of the concepts and contents of the Common Criteria.

Thursday, October 24th------------4:00 P.M. -- 6:00 P.M.

Track A--Criteria & Assurance--Ballroom 2
PANEL Assurance Measures in Evaluation Assurance Level 3 of the Common Criteria (660)*
Chairman: M. Schanken, N.S.A.
Panelists: S. Katzke, NIST; K. Keus, GISA; Y. Klein, France
The Common Criteria Sponsoring Organizations are investigating alternative approaches for gaining assurance that products and systems meet their security requirements. The initial phase of the activity maps several alternative assurance approaches to Evaluation Assurance Level 3 (EAL 3) of the Common Criteria.

Track B--Electronic Commerce--Ballroom 3
OVERVIEW Security Concerns in the Private Sector - Manufacturing: S. Meglathery, Estee Lauder (Cosmetics)

Track C--In Depth--Room 349-350
OVERVIEW & PANEL
Data Warehousing II: The Security Issues
Chairman: D. Kinch, N.S.A.
This session continues the discussion of current data warehousing security issues.

Track D--Internet--Ballroom 1
PANEL Securing the Web (739)
Chairman: J. David, The Fortress
Panelists: J. Freivald, Charter Systems, Inc.; P. Peterson, Lockheed-Martin; D. Dean, Department of Computer Science, Princeton University
The speakers will show how to treat the vulnerabilities uncovered in the first session, both in and of themselves and as part of Internet security programs and total security programs.

Track E--Legal Perspectives--Ballroom 4 (OPEN)

Track F--Management & Administration--Room 341-342
PANEL Security Siblings
Chairman: C. Pfleeger, Trusted Information Systems, Inc.
Panelist: W. Agresti, MITRETEK Systems
This panel will discuss other venues of assurance developed in the reliability, safety-critical, and fault-tolerant communities as well as the security community. By working together, we can reduce the expense of repeating each other's errors and share our successes.

Track G--Research & Development--Room 345-346
Security Policy & PKI Certification
Chairman: H. Highland, FICS
Management Model for the Federal Public Key Infrastructure (438): N. Nazario, NIST
Security Policies for the Federal Public Key Infrastructure (445): N. Nazario, NIST
A Proposed Federal PKI using X.509 V3 Certificates (452): W. Burr, NIST
A Security Flaw in the X.509 Standard (463): S. Chokani, Cygnacom Solutions, Inc.

Track H--Solutions--Room 343-344
PANEL Cryptography's Role in Securing the Information Society
Chairman: H. Lin, National Research Council (N.R.C.)
Panelists: W. Ware, The Rand Corporation, Emeritus; P. Neumann, SRI International
The panel will discuss the National Research Council (N.R.C.) report on Cryptography and its role.

Track I--Tutorials--Room 327-328
Education Technology: R. Quane, National Cryptologic School

Friday, October 25th------------8:30 A.M. -- 10:00 A.M.

Track A--Criteria & Assurance--Ballroom 2
PANEL Secure Networking and Assurance Technologies (661)*
Chairman: T. Lunt, Defense Advanced Research Projects Agency (D.A.R.P.A.)
Panelists: K. Levitt, University of California, Davis, CA; J. McHugh, Portland State University (663); S. Kent, BBN; J. Voas, Reliable Software Technologies (669); D. Weber, Key Software (666); L. Badger, Trusted Information Systems, Inc. (667)
The speakers will discuss their goals for secure networking and assurance technologies in the following areas: Intrusion Detection, Secure Mobile Computing, and new inroads to Internet Security.

Track C--In Depth--Room 349-350
PANEL ISSO as a Vendor Partner in a Changing World
Chairman: B. Snow, N.S.A.
Panelists: C. Baggett, NSA; S. Barnett, NCSC; M. Fleming, NSA; R. George, NSA; R. Marshall, Esq., NSA; H. Novitsky, NSA; R. Schaffer, NSA
This panel of technical leaders from the Information Systems Security Organization will discuss their organizational plans for vendor interaction and support, and under what terms, with the stress on how the ISSO is changing to better accomplish the ISSO mission.

Track F--Management & Administration--Ballroom 4
PANEL The Assessment Methodology in the Corporate Sector
Chairman: R. Lopez, N.S.A.
Panelists: J. Jackson, N.S.A.; V. Moseley, N.S.A.; G. Hale, N.S.A.; S. Dombkowski, NSA
The panelists will provide a background on the methodology and tools used by reviewers of information assets in the corporate environment.

Track H--Solutions--Room 343-344
Execution of Security Policies
Chairman: D. Arnold, N.S.A.
Security for Mobile Agents: Issues and Requirements (591): V. Swarup, The MITRE Corporation
Extended Capability: A Simple Way to Enforce Complex Security Policies in Distributed Systems (598): I-Lung Kao, IBM Corporation
IGOR: The Intelligence Guard for ONI Replication (607): R. Shore, The ISX Corporation

Friday, October 25th-----------------10:20 A.M. -- 12:30 P.M.
Closing Plenary--Ballrooms 1 & 3
Information Systems Security - Directions and Challenges
Moderator: Willis H. Ware, Corporate Research Staff, Emeritus -- The Rand Corporation
Distinguished Panelists: C. Thomas Cook (889)*, Executive Vice President -- Banc One Services Corporation; William P. Crowell, Deputy Director -- National Security Agency; John Lainhart (890), Inspector General -- U.S. House of Representatives; J. F. Mergen, Principal Scientist -- BBN; Stephen Smaha, Chief Executive Officer/President -- Haystack Labs; Charles Stuckey, Chief Executive Officer -- Security Dynamics
The need for seamless, value-added, yet end-to-end secure and cost-effective information systems and networks in a rapidly evolving technological world that is globally competitive has created extraordinary demands and challenges for the public, academic, and private sectors. Each is asking itself how to meet the future with a stalwart information infrastructure, and wondering what the roles and contributions of the other two sectors will or should be. This distinguished panel is convened to address such over-arching issues and to engage the audience in a dialogue on such questions as the following:
* What challenges do you perceive for your own business or end-user community with respect to information system security?
* What are the security-relevant challenges for your organization? What is security's strategic role in your organization? How are you making the tradeoffs?
* As you move into new technology, how do you see the challenges changing, evolving, or growing more serious?
* How do you think these challenges can best be dealt with -- from a management view; from a public policy view; from a technical view; from a business view?
* What do you see as the respective roles for government, industry, and academia as the country and the world move into an ever more information-intensive future?
* What do you see that industry, government, and academia should be doing in computer security? What is each doing well or not so well now?

Demonstrations and Activities

Wednesday - Thursday ---Information Systems Security Exposition -----Hall G
The Armed Forces Communications and Electronics Association will host, in parallel with the Conference, an exhibition of security products and services. This exposition provides a forum for industry to showcase information systems security technology and hands-on demonstrations of products and services that are potential solutions to many network and computer security problems.

Wednesday - Friday -----Research and Development Demonstrations -----Room 347-348
As a follow-up to the "INFOSEC Research and Technology, Facing the Challenge: Secure Network Technology for the 21st Century" panel, the National Security Agency will demonstrate some of the techniques coming down the future trails. Conference attendees are invited to see the demonstration of future solutions to the 21st Century challenges.

Tuesday - Friday ------European Community ------Registration Area
The Information Technology Security Evaluation Facilities (ITSEF) in Europe and the European Certification Bodies invite the attendees to learn about the European system and security product evaluations, and will demonstrate the product evaluation methodology.

Tuesday - Friday -----NIST Clearinghouse -----Room 347-348
A wide variety of information security information is available to federal agencies and to the public through the NIST Clearinghouse. Information posted to this system includes an events calendar, computer-based training, software reviews, publications, bibliographies, lists of organizations with points of contact, and other government bulletin board numbers and WWW pointers.

Tuesday - Friday -----NSA INFOSEC Awareness Booth ------Registration Area
The booth offers a variety of INFOSEC publications most frequently requested by users, developers, operators, and administrators of products and services. Publications available include the INFOSEC Products and Services Catalog and the National Computer Security Center's computer security technical guidelines -- the RAINBOW Series. The National Cryptologic Museum is also represented at this booth.

Tuesday - Friday------DOCKMASTER I ------Room 347-348
The National Computer Security Center's DOCKMASTER I is a focal point for nationwide dissemination and exchange of information security data through electronic mail and bulletin boards. Over 2,000 users from federal government, private companies, and academic institutions participate in its electronic forums and retrieve data on INFOSEC products, conferences, and training.

Tuesday - Friday ------Information Systems Security Association Booth -----Registration Area
The Information Systems Security Association (ISSA) is an international association of information security practitioners whose aim is to enhance professionalism through education, information exchange, and sharing among those who do INFOSEC day-to-day. The booth contains newsletters, resource guides, Guidelines for Information Valuation, and the Draft of "Generally Accepted System Security Principles."

Tuesday - Friday ------NIST Publication Booth --------Registration Area
NIST's Publication Booth will distribute information and publications on a variety of information systems security issues, including the latest issues of the CSL Bulletin. Each bulletin discusses a relevant information security topic in depth. A catalog of our current publications will also be available, as well as instructions for accessing our Computer Security Resource Clearinghouse electronically.

Tuesday - Thursday -------Book Exhibition --------Registration Area
A book exhibit display representing selections from leading worldwide publishers dealing specifically with information security is presented by: Association Book Exhibit, 693 S. Washington Street, Alexandria, VA 22314
Wednesday - Thursday ---Establishing an Enterprise Virus Response Program ----Laboratory Room 330
MITRETEK Systems is providing a hands on demonstration of tools discussed in the overview session for "Establishing an Enterprise Virus Response Program." The Enterprise Virus Response is designed to help the organization develop a proactive program for the prevention, detection, containment, management, and recovery of computer virus incidents. The workshop will demonstrate the processes needed to prepare for an incident or infection, to detect and contain a virus exposure or infection, to recover from an infection, and to manage the response program. Friday -----IEEE Data Warehouse Security Workshop -----Room 349-350 The Workshop follows from the two Thursday sessions on Data Warehousing. The output of the workshop should be research directions for future Data Warehousing security solutions. The workshop is co-sponsored by the IEEE Mass Storage Committee and will become a component of the next IEEE Mass Storage Symposium.
General Information

Meeting Site: The conference will be held at the Baltimore Convention Center, 1 West Pratt Street, Baltimore, Maryland, close to the Baltimore Inner Harbor area. The Opening Plenary Session will be held in Ballroom I, on the Ballroom Level (enter from the Pratt Street lobby). Registration and information services, and all technical sessions, will be held on the third floor Meeting Room Level and the fourth floor Ballroom Level. The Convention Center is conveniently located close to hotels, major highways, and numerous restaurants, shops, and sightseeing attractions.

Transportation: For those attendees not staying in Baltimore, daily bus service will be provided from the parking lot across from the National Computer Security Center (NCSC) Fanx III, 840 Elkridge Landing Road, Linthicum, MD. The buses will run in a round-robin fashion from the NCSC from 7:00 a.m. to 8:30 a.m. Buses will return to the NCSC at the end of the sessions each day, following the banquet, and periodically throughout the awards reception.

Communications: Messages will be taken for conference attendees between the hours of 8 a.m. and 5 p.m. Tuesday through Thursday, and between the hours of 8 a.m. and 12 noon on Friday. Messages will be posted on a message board adjacent to the Registration/Information Area. Attendees will not be called out of a meeting except for emergencies. The phone numbers for leaving messages will be posted on the message board.

Evaluation Forms: Evaluation forms are provided in your conference folder for your comments. Please leave the completed forms in the boxes provided at the registration area. We thank you in advance for your comments, since they help the committee to develop and improve the conference program each year.

Volunteers: If you would like to serve as a referee for the 20th National Information Systems Security Conference, being planned for October 1997, please e-mail NISSConference@dockmaster.ncsc.mil or call (410) 850-0272.

Special Interest Rooms: There will be a limited number of rooms available for special interest discussions ("Birds of a Feather," etc.). These rooms may be reserved in one-hour increments and must not be used for commercial purposes. To reserve a room, please stop at the registration area.

Breaks and Lunches: Coffee service is provided to all attendees during registration each morning and at the mid-morning and mid-afternoon breaks. Attendees will be free at lunch time to explore the convenient restaurants or other sites near the Convention Center. On Wednesday, box lunches will be provided to the first 1,500 attendees on a first-come, first-served basis at the AFCEA exhibit in Hall G.

Banquet: The conference banquet will be held on Wednesday, October 23, beginning with a cash bar reception at 6 p.m. and followed by dinner at 7 p.m. The dinner speaker is Kenneth Chenault, Vice Chairman, American Express Co., Inc. A coupon for this event, which may be exchanged for a dinner ticket on a first-come, first-served basis, will be included in each attendee's registration kit.

Awards Ceremony and Reception: On Thursday, October 24, at 2:00 p.m. in rooms 337-338, awards will be presented to vendors that have successfully developed security product lines that have been approved by the NIST Validation Program or the NCSC Trusted Computer System Evaluation Program. Following the award presentation, conference participants will have an opportunity to learn more about these products as each vendor hosts a display. Awards will also be presented to companies that have participated in Systems Security Engineering Capability Maturity Model (SSE-CMM) pilot appraisals. You are invited to visit the SSE-CMM project display for more information regarding this community-supported initiative. An awards reception will begin at 6 p.m. in the lower lobby. A ticket for the reception will be included in the registration kit of each registered attendee.

Housing: See the map of the conference hotels in the area.

20th National Information Systems Security Conference (October 6 - 9, 1997 in Baltimore, MD)