8. Annotated Bibliography
Copyright(c) Management Analytics, 1995 - All Rights Reserved
The intent of this annotated bibliography is to offer a
representative collection of information resources that will help the
user of this handbook. It is meant to provide a starting point for further
research in the security area. Included are references to other sources
of information for those who wish to pursue issues in the computer
security field.
8.1 Computer Law
- [ABA89] American Bar Association, Section of Science and
Technology, "Guide to the Prosecution of Telecommunication Fraud by the
Use of Computer Crime Statutes", American Bar Association, 1989.
- [BENDER] Bender, D., "Computer Law: Evidence and Procedure", M.
Bender, New York, NY, 1978-present.
Kept up to date with supplements. The years covering 1978-1984 focus on
computer law, evidence, and procedures. The years from 1984 to the present
focus on general computer law. Bibliographical references and index
included.
- [BLOOMBECKER] Bloombecker, B., "Spectacular Computer Crimes", Dow
Jones-Irwin, Homewood, IL, 1990.
- [CCH] Commerce Clearing House, "Guide to Computer Law", (Topical
Law Reports), Chicago, IL., 1989.
Court cases and decisions rendered by federal and state courts
throughout the United States on federal and state computer law.
Includes Case Table and Topical Index.
- [CONLY] Conly, C., "Organizing for Computer Crime Investigation and
Prosecution", U.S. Dept. of Justice, Office of Justice Programs, Under
Contract Number OJP-86-C-002, National Institute of Justice, Washington,
DC, July 1989.
- [FENWICK] Fenwick, W., Chair, "Computer Litigation, 1985: Trial
Tactics and Techniques", Litigation Course Handbook Series No. 280,
Prepared for distribution at the Computer Litigation, 1985: Trial
Tactics and Techniques Program, February-March 1985.
- [GEMIGNANI] Gemignani, M., "Viruses and Criminal Law",
Communications of the ACM, Vol. 32, No. 6, Pgs. 669-671, June 1989.
- [HUBAND] Huband, F., and R. Shelton, Editors, "Protection of
Computer Systems and Software: New Approaches for Combating Theft of
Software and Unauthorized Intrusion", Papers presented at a workshop
sponsored by the National Science Foundation, 1986.
- [MCEWEN] McEwen, J., "Dedicated Computer Crime Units", Report
Contributors: D. Fester and H. Nugent, Prepared for the National
Institute of Justice, U.S. Department of Justice, by Institute for Law
and Justice, Inc., under contract number OJP-85-C-006, Washington, DC,
1989.
- [PARKER] Parker, D., "Computer Crime: Criminal Justice Resource
Manual", U.S. Dept. of Justice, National Institute of Justice, Office
of Justice Programs, Under Contract Number OJP-86-C-002, Washington,
D.C., August 1989.
- [SHAW] Shaw, E., Jr., "Computer Fraud and Abuse Act of 1986",
Congressional Record (3 June 1986), Washington, D.C., 3 June 1986.
- [TRIBLE] Trible, P., "The Computer Fraud and Abuse Act of 1986",
U.S. Senate Committee on the Judiciary, 1986.
8.2 Computer Security
- [CAELLI] Caelli, W., Editor, "Computer Security in the Age of
Information", Proceedings of the Fifth IFIP International Conference on
Computer Security, IFIP/Sec '88.
- [CARROLL] Carroll, J., "Computer Security", 2nd Edition,
Butterworth Publishers, Stoneham, MA, 1987.
- [COOPER] Cooper, J., "Computer and Communications Security:
Strategies for the 1990s", McGraw-Hill, 1989.
- [BRAND] Brand, R., "Coping with the Threat of Computer Security
Incidents: A Primer from Prevention through Recovery", R. Brand, 8 June
1990.
As computer security becomes a more important issue in modern society,
it begins to warrant a systematic approach. The vast majority of the
computer security problems and the costs associated with them can be
prevented with simple inexpensive measures. The most important and cost
effective of these measures are available in the prevention and planning
phases. These methods are presented in this paper, followed by a
simplified guide to incident handling and recovery. Available on-line
from: cert.sei.cmu.edu:/pub/info/primer.
- [CHESWICK] Cheswick, B., "The Design of a Secure Internet Gateway",
Proceedings of the Summer Usenix Conference, Anaheim, CA, June 1990.
Brief abstract (slight paraphrase from the original abstract): AT&T
maintains a large internal Internet that needs to be protected from
outside attacks, while providing useful services between the two. This
paper describes AT&T's Internet gateway. This gateway passes mail and
many of the common Internet services between AT&T internal machines and
the Internet. This is accomplished without IP connectivity using a pair
of machines: a trusted internal machine and an untrusted external
gateway. These are connected by a private link. The internal machine
provides a few carefully-guarded services to the external gateway. This
configuration helps protect the internal internet even if the external
machine is fully compromised.
This is a very useful and interesting design. Most firewall gateway
systems rely on a system that, if compromised, could allow access to the
machines behind the firewall. Also, most firewall systems require users
who want access to Internet services to have accounts on the firewall
machine. AT&T's design allows AT&T internal internet users access to
the standard services of TELNET and FTP from their own workstations
without accounts on the firewall machine. A very useful paper that
shows how to maintain some of the benefits of Internet connectivity
while still maintaining strong security.
- [CURRY] Curry, D., "Improving the Security of Your UNIX System",
SRI International Report ITSTD-721-FR-90-21, April 1990.
This paper describes measures that you, as a system administrator, can
take to make your UNIX system(s) more secure. Oriented primarily at
SunOS 4.x, most of the information covered applies equally well to any
Berkeley UNIX system with or without NFS and/or Yellow Pages (NIS).
Some of the information can also be applied to System V, although this
is not a primary focus of the paper. A very useful reference, this is
also available on the Internet in various locations, including the
directory cert.sei.cmu.edu:/pub/info.
- [FITES] Fites, M., Kratz, P. and A. Brebner, "Control and
Security of Computer Information Systems", Computer Science Press, 1989.
This book serves as a good guide to the issues encountered in forming
computer security policies and procedures. The book is designed as a
textbook for an introductory course in information systems security.
The book is divided into five sections: Risk Management (I), Safeguards:
security and control measures, organizational and administrative (II),
Safeguards: Security and Control Measures, Technical (III), Legal
Environment and Professionalism (IV), and CICA Computer Control
Guidelines (V).
The book is particularly notable for its straight-forward approach to
security, emphasizing that common sense is the first consideration in
designing a security program. The authors note that there is a tendency
to look to more technical solutions to security problems while
overlooking organizational controls which are often cheaper and much
more effective. 298 pages, including references and index.
- [GARFINKEL] Garfinkel, S, and E. Spafford, "Practical Unix
Security", O'Reilly & Associates, ISBN 0-937175-72-2, May 1991.
Approx 450 pages, $29.95. Orders: 1-800-338-6887 (US & Canada),
1-707-829-0515 (Europe), email: nuts@ora.com
This is one of the most useful books available on Unix security. The
first part of the book covers standard Unix and Unix security basics,
with particular emphasis on passwords. The second section covers
enforcing security on the system. Of particular interest to the
Internet user are the sections on network security, which address many
of the common security problems that afflict Internet Unix users. Four
chapters deal with handling security incidents, and the book concludes
with discussions of encryption, physical security, and useful checklists
and lists of resources. The book lives up to its name; it is filled
with specific references to possible security holes, files to check, and
things to do to improve security. This book is an excellent complement
to this handbook.
- [GREENIA90] Greenia, M., "Computer Security Information
Sourcebook", Lexikon Services, Sacramento, CA, 1989.
A manager's guide to computer security. Contains a sourcebook of key
reference materials including access control and computer crimes
bibliographies.
- [HOFFMAN] Hoffman, L., "Rogue Programs: Viruses, Worms, and Trojan
Horses", Van Nostrand Reinhold, NY, 1990. (384 pages, includes
bibliographical references and index.)
- [JOHNSON] Johnson, D., and J. Podesta, "Formulating A Company
Policy on Access to and Use and Disclosure of Electronic Mail on Company
Computer Systems".
A white paper prepared for the EMA, written by two experts in privacy
law. Gives background on the issues, and presents some policy options.
Available from: The Electronic Mail Association (EMA) 1555 Wilson Blvd,
Suite 555, Arlington, VA, 22209. (703) 522-7111.
- [KENT] Kent, Stephen, "E-Mail Privacy for the Internet: New
Software and Strict Registration Procedures will be Implemented this
Year", Business Communications Review, Vol. 20, No. 1, Pg. 55, 1
January 1990.
- [LU] Lu, W., and M. Sundareshan, "Secure Communication in Internet
Environments: A Hierarchical Key Management Scheme for End-to-End
Encryption", IEEE Transactions on Communications, Vol. 37, No. 10, Pg.
1014, 1 October 1989.
- [LU1] Lu, W., and M. Sundareshan, "A Model for Multilevel Security
in Computer Networks", IEEE Transactions on Software Engineering, Vol.
16, No. 6, Page 647, 1 June 1990.
- [NSA] National Security Agency, "Information Systems Security
Products and Services Catalog", NSA, Quarterly Publication.
NSA's catalogue contains chapters on: Endorsed Cryptographic Products
List; NSA Endorsed Data Encryption Standard (DES) Products List;
Protected Services List; Evaluated Products List; Preferred Products
List; and Endorsed Tools List.
The catalogue is available from the Superintendent of Documents, U.S.
Government Printing Office, Washington, D.C. One may place telephone
orders by calling: (202) 783-3238.
- [OTA] United States Congress, Office of Technology Assessment,
"Defending Secrets, Sharing Data: New Locks and Keys for Electronic
Information", OTA-CIT-310, October 1987.
This report, prepared for a congressional committee considering Federal
policy on the protection of electronic information, is interesting
because of the issues it raises regarding the impact of technology used
to protect information. It also serves as a reasonable introduction to
the various encryption and information protection mechanisms. 185
pages. Available from the U.S. Government Printing Office.
- [PALMER] Palmer, I., and G. Potter, "Computer Security Risk
Management", Van Nostrand Reinhold, NY, 1989.
- [PFLEEGER] Pfleeger, C., "Security in Computing", Prentice-Hall,
Englewood Cliffs, NJ, 1989.
A general textbook in computer security, this book provides an excellent
and very readable introduction to classic computer security problems and
solutions, with a particular emphasis on encryption. The encryption
coverage serves as a good introduction to the subject. Other topics
covered include building secure programs and systems, database
security, personal computer security, network and communications
security, physical security, risk analysis and security planning, and
legal and ethical issues. 538 pages including index and bibliography.
- [SHIREY] Shirey, R., "Defense Data Network Security Architecture",
Computer Communication Review, Vol. 20, No. 2, Page 66, 1 April 1990.
- [SPAFFORD] Spafford, E., Heaphy, K., and D. Ferbrache, "Computer
Viruses: Dealing with Electronic Vandalism and Programmed Threats",
ADAPSO, 1989. (109 pages.)
This is a good general reference on computer viruses and related
concerns. In addition to describing viruses in some detail, it also
covers more general security issues, legal recourse in case of security
problems, and includes lists of laws, journals focused on computer
security, and other security-related resources.
Available from: ADAPSO, 1300 N. 17th St, Suite 300, Arlington VA 22209.
(703) 522-5055.
- [STOLL88] Stoll, C., "Stalking the Wily Hacker", Communications of
the ACM, Vol. 31, No. 5, Pgs. 484-497, ACM, New York, NY, May 1988.
This article describes some of the technical means used to trace the
intruder that was later chronicled in "Cuckoo's Egg" (see below).
- [STOLL89] Stoll, C., "The Cuckoo's Egg", ISBN 00385-24946-2,
Doubleday, 1989.
Clifford Stoll, an astronomer turned UNIX System Administrator, recounts
an exciting, true story of how he tracked a computer intruder through
the maze of American military and research networks. This book is easy
to understand and can serve as an interesting introduction to the world
of networking. Jon Postel says in a book review, "[this book] ... is
absolutely essential reading for anyone that uses or operates any
computer connected to the Internet or any other computer network."
- [VALLA] Vallabhaneni, S., "Auditing Computer Security: A Manual
with Case Studies", Wiley, New York, NY, 1989.
8.3 Ethics
- [CPSR89] Computer Professionals for Social Responsibility, "CPSR
Statement on the Computer Virus", CPSR, Communications of the ACM, Vol.
32, No. 6, Pg. 699, June 1989.
This memo is a statement on the Internet Computer Virus by the Computer
Professionals for Social Responsibility (CPSR).
- [DENNING] Denning, Peter J., Editor, "Computers Under Attack:
Intruders, Worms, and Viruses", ACM Press, 1990.
A collection of 40 pieces divided into six sections: the emergence of
worldwide computer networks, electronic breakins, worms, viruses,
counterculture (articles examining the world of the "hacker"), and
finally a section discussing social, legal, and ethical considerations.
A thoughtful collection that addresses the phenomenon of attacks on
computers. This includes a number of previously published articles and
some new ones. The previously published ones are well chosen, and
include some references that might be otherwise hard to obtain. This
book is a key reference to computer security threats that have generated
much of the concern over computer security in recent years.
- [ERMANN] Ermann, D., Williams, M., and C. Gutierrez, Editors,
"Computers, Ethics, and Society", Oxford University Press, NY, 1990.
(376 pages, includes bibliographical references).
- [FORESTER] Forester, T., and P. Morrison, "Computer Ethics: Tales
and Ethical Dilemmas in Computing", MIT Press, Cambridge, MA, 1990.
(192 pages including index.) From the preface: "The aim of this book is
two-fold: (1) to describe some of the problems created for society by
computers, and (2) to show how these problems present ethical dilemmas
for computer professionals and computer users.
The problems created by computers arise, in turn, from two main sources:
from hardware and software malfunctions and from misuse by human beings.
We argue that computer systems by their very nature are insecure,
unreliable, and unpredictable -- and that society has yet to come to
terms with the consequences. We also seek to show how society has
become newly vulnerable to human misuse of computers in the form of
computer crime, software theft, hacking, the creation of viruses,
invasions of privacy, and so on."
The eight chapters include "Computer Crime", "Software Theft", "Hacking
and Viruses", "Unreliable Computers", "The Invasion of Privacy", "AI and
Expert Systems", and "Computerizing the Workplace." Includes extensive
notes on sources and an index.
- [GOULD] Gould, C., Editor, "The Information Web: Ethical and Social
Implications of Computer Networking", Westview Press, Boulder, CO, 1989.
- [IAB89] Internet Activities Board, "Ethics and the Internet", RFC
1087, IAB, January 1989. Also appears in the Communications of the ACM,
Vol. 32, No. 6, Pg. 710, June 1989.
This memo is a statement of policy by the Internet Activities Board
(IAB) concerning the proper use of the resources of the Internet.
Available on-line on host ftp.nisc.sri.com, directory rfc, filename
rfc1087.txt. Also available on host nis.nsf.net, directory RFC,
filename RFC1087.TXT-1.
- [MARTIN] Martin, M., and R. Schinzinger, "Ethics in Engineering",
McGraw Hill, 2nd Edition, 1989.
- [MIT89] Massachusetts Institute of Technology, "Teaching Students
About Responsible Use of Computers", MIT, 1985-1986. Also reprinted in
the Communications of the ACM, Vol. 32, No. 6, Pg. 704, Athena
Project, MIT, June 1989.
This memo is a statement of policy by the Massachusetts Institute of
Technology (MIT) on the responsible use of computers.
- [NIST] National Institute of Standards and Technology, "Computer
Viruses and Related Threats: A Management Guide", NIST Special
Publication 500-166, August 1989.
- [NSF88] National Science Foundation, "NSF Poses Code of Networking
Ethics", Communications of the ACM, Vol. 32, No. 6, Pg. 688, June
1989. Also appears in the minutes of the regular meeting of the
Division Advisory Panel for Networking and Communications Research and
Infrastructure, Dave Farber, Chair, November 29-30, 1988.
This memo is a statement of policy by the National Science Foundation
(NSF) concerning the ethical use of the Internet.
- [PARKER90] Parker, D., Swope, S., and B. Baker, "Ethical
Conflicts: Information and Computer Science, Technology and Business",
QED Information Sciences, Inc., Wellesley, MA. (245 pages).
Additional publications on Ethics:
The University of New Mexico (UNM)
The UNM has a collection of ethics documents. Included are
legislation from several states and policies from many
institutions.
Access is via FTP, IP address ariel.umn.edu. Look in the
directory /ethics.
8.4 The Internet Worm
- [BROCK] Brock, J., "November 1988 Internet Computer Virus and the
Vulnerability of National Telecommunications Networks to Computer
Viruses", GAO/T-IMTEC-89-10, Washington, DC, 20 July 1989.
Testimonial statement of Jack L. Brock, Director, U. S. Government
Information before the Subcommittee on Telecommunications and Finance,
Committee on Energy and Commerce, House of Representatives.
- [EICHIN89] Eichin, M., and J. Rochlis, "With Microscope and
Tweezers: An Analysis of the Internet Virus of November 1988",
Massachusetts Institute of Technology, February 1989.
Provides a detailed dissection of the worm program. The paper discusses
the major points of the worm program then reviews strategies,
chronology, lessons and open issues, Acknowledgments; also included are
a detailed appendix on the worm program subroutine by subroutine, an
appendix on the cast of characters, and a reference section.
- [EISENBERG89] Eisenberg, T., D. Gries, J. Hartmanis, D. Holcomb,
M. Lynn, and T. Santoro, "The Computer Worm", Cornell University, 6
February 1989.
A Cornell University Report presented to the Provost of the University
on 6 February 1989 on the Internet Worm.
- [GAO] U.S. General Accounting Office, "Computer Security - Virus
Highlights Need for Improved Internet Management", United States General
Accounting Office, Washington, DC, 1989.
This 36-page report (GAO/IMTEC-89-57), by the U.S. Government
Accounting Office, describes the Internet worm and its effects. It
gives a good overview of the various U.S. agencies involved in the
Internet today and their concerns vis-a-vis computer security and
networking.
Available on-line on host nnsc.nsf.net, directory pub, filename GAO_RPT;
and on nis.nsf.net, directory nsfnet, filename GAO_RPT.TXT.
- [REYNOLDS89] The Helminthiasis of the Internet, RFC 1135,
USC/Information Sciences Institute, Marina del Rey, CA, December 1989.
This report looks back at the helminthiasis (infestation with, or
disease caused by parasitic worms) of the Internet that was unleashed
the evening of 2 November 1988. This document provides a glimpse at the
infection, its festering, and cure. The impact of the worm on the
Internet community, ethics statements, the role of the news media, crime
in the computer world, and future prevention are discussed. A
documentation review presents four publications that describe in detail
this particular parasitic computer program. Reference and bibliography
sections are also included. Available on-line on host ftp.nisc.sri.com
directory rfc, filename rfc1135.txt. Also available on host
nis.nsf.net, directory RFC, filename RFC1135.TXT-1.
- [SEELEY89] Seeley, D., "A Tour of the Worm", Proceedings of the 1989
Winter USENIX Conference, Usenix Association, San Diego, CA, February
1989.
Details are presented as a "walk thru" of this particular worm program.
The paper opens with an abstract and introduction, followed by a detailed
chronology of events upon the discovery of the worm, an overview, the
internals of the worm, personal opinions, and a conclusion.
- [SPAFFORD88] Spafford, E., "The Internet Worm Program: An
Analysis", Computer Communication Review, Vol. 19, No. 1, ACM SIGCOM,
January 1989. Also issued as Purdue CS Technical Report CSD-TR-823, 28
November 1988.
Describes the infection of the Internet as a worm program that exploited
flaws in utility programs in UNIX based systems. The report gives a
detailed description of the components of the worm program: data and
functions. Spafford focuses his study on two completely independent
reverse-compilations of the worm and a version disassembled to VAX
assembly language.
- [SPAFFORD89] Spafford, G., "An Analysis of the Internet Worm",
Proceedings of the European Software Engineering Conference 1989,
Warwick England, September 1989. Proceedings published by
Springer-Verlag as: Lecture Notes in Computer Science #387. Also issued
as Purdue Technical Report #CSD-TR-933.
8.5 National Computer Security Center (NCSC)
All NCSC publications, approved for public release, are available
from the NCSC Superintendent of Documents.
NCSC = National Computer Security Center
9800 Savage Road
Ft Meade, MD 20755-6000
CSC = Computer Security Center:
an older name for the NCSC
NTISS = National Telecommunications and
Information Systems Security
NTISS Committee, National Security Agency
Ft Meade, MD 20755-6000
- [CSC]
Department of Defense, "Password Management Guideline",
CSC-STD-002-85, 12 April 1985, 31 pages.
The security provided by a password system depends on the passwords
being kept secret at all times. Thus, a password is vulnerable to
compromise whenever it is used, stored, or even known. In a
password-based authentication mechanism implemented on an ADP system,
passwords are vulnerable to compromise due to five essential aspects of
the password system: 1) a password must be initially assigned to a user
when enrolled on the ADP system; 2) a user's password must be changed
periodically; 3) the ADP system must maintain a 'password database'; 4)
users must remember their passwords; and 5) users must enter their
passwords into the ADP system at authentication time. This guideline
prescribes steps to be taken to minimize the vulnerability of passwords
in each of these circumstances.
- [NCSC1] NCSC, "A Guide to Understanding AUDIT in Trusted Systems",
NCSC-TG-001, Version-2, 1 June 1988, 25 pages.
Audit trails are used to detect and deter penetration of a computer
system and to reveal usage that identifies misuse. At the discretion of
the auditor, audit trails may be limited to specific events or may
encompass all of the activities on a system. Although not required by
the criteria, it should be possible for the target of the audit
mechanism to be either a subject or an object. That is to say, the
audit mechanism should be capable of monitoring every time John accessed
the system as well as every time the nuclear reactor file was accessed;
and likewise every time John accessed the nuclear reactor file.
- [NCSC2] NCSC, "A Guide to Understanding DISCRETIONARY ACCESS
CONTROL in Trusted Systems", NCSC-TG-003, Version-1, 30 September 1987,
29 pages.
Discretionary control is the most common type of access control
mechanism implemented in computer systems today. The basis of this kind
of security is that an individual user, or program operating on the
user's behalf, is allowed to specify explicitly the types of access
other users (or programs executing on their behalf) may have to
information under the user's control. [...] Discretionary controls are
not a replacement for mandatory controls. In any environment in which
information is protected, discretionary security provides for a finer
granularity of control within the overall constraints of the mandatory
policy.
- [NCSC3] NCSC, "A Guide to Understanding CONFIGURATION MANAGEMENT in
Trusted Systems", NCSC-TG-006, Version-1, 28 March 1988, 31 pages.
Configuration management consists of four separate tasks:
identification, control, status accounting, and auditing. For every
change that is made to an automated data processing (ADP) system, the
design and requirements of the changed version of the system should be
identified. The control task of configuration management is performed
by subjecting every change to documentation, hardware, and
software/firmware to review and approval by an authorized authority.
Configuration status accounting is responsible for recording and
reporting on the configuration of the product throughout the change.
Finally, through the process of a configuration audit, the completed
change can be verified to be functionally correct and, for trusted
systems, consistent with the security policy of the system.
- [NTISS] NTISS, "Advisory Memorandum on Office Automation Security
Guideline", NTISSAM CONPUSEC/1-87, 16 January 1987, 58 pages.
This document provides guidance to users, managers, security officers,
and procurement officers of Office Automation Systems. Areas addressed
include: physical security, personnel security, procedural security,
hardware/software security, emanations security (TEMPEST), and
communications security for stand-alone OA Systems, OA Systems used as
terminals connected to mainframe computer systems, and OA Systems used
as hosts in a Local Area Network (LAN). Differentiation is made between
those Office Automation Systems equipped with removable storage media
only (e.g., floppy disks, cassette tapes, removable hard disks) and
those Office Automation Systems equipped with fixed media (e.g.,
Winchester disks).
Additional NCSC Publications:
- [NCSC4] National Computer Security Center, "Glossary of Computer
Security Terms", NCSC-TG-004, NCSC, 21 October 1988.
- [NCSC5] National Computer Security Center, "Trusted Computer System
Evaluation Criteria", DoD 5200.28-STD, CSC-STD-001-83, NCSC, December
1985.
- [NCSC7] National Computer Security Center, "Guidance for Applying
the Department of Defense Trusted Computer System Evaluation Criteria in
Specific Environments", CSC-STD-003-85, NCSC, 25 June 1985.
- [NCSC8] National Computer Security Center, "Technical Rationale
Behind CSC-STD-003-85: Computer Security Requirements", CSC-STD-004-85,
NCSC, 25 June 85.
- [NCSC9] National Computer Security Center, "Magnetic Remanence
Security Guideline", CSC-STD-005-85, NCSC, 15 November 1985.
This guideline is tagged as a "For Official Use Only" exemption under
Section 6, Public Law 86-36 (50 U.S. Code 402). Distribution is
authorized to U.S. Government agencies and their contractors to protect
unclassified technical, operational, or administrative data relating to
operations of the National Security Agency.
- [NCSC10] National Computer Security Center, "Guidelines for Formal
Verification Systems", Shipping list no.: 89-660-P, The Center, Fort
George G. Meade, MD, 1 April 1990.
- [NCSC11] National Computer Security Center, "Glossary of Computer
Security Terms", Shipping list no.: 89-254-P, The Center, Fort George G.
Meade, MD, 21 October 1988.
- [NCSC12] National Computer Security Center, "Trusted UNIX Working
Group (TRUSIX) rationale for selecting access control list features for
the UNIX system", Shipping list no.: 90-076-P, The Center, Fort George
G. Meade, MD, 1990.
- [NCSC13] National Computer Security Center, "Trusted Network
Interpretation", NCSC-TG-005, NCSC, 31 July 1987.
- [NCSC14] Tinto, M., "Computer Viruses: Prevention, Detection, and
Treatment", National Computer Security Center C1 Technical Report
C1-001-89, June 1989.
- [NCSC15] National Computer Security Conference, "12th National
Computer Security Conference: Baltimore Convention Center, Baltimore,
MD, 10-13 October, 1989: Information Systems Security, Solutions for
Today - Concepts for Tomorrow", National Institute of Standards and
National Computer Security Center, 1989.
8.6 Security Checklists
- [AUCOIN] Aucoin, R., "Computer Viruses: Checklist for Recovery",
Computers in Libraries, Vol. 9, No. 2, Pg. 4, 1 February 1989.
- [WOOD] Wood, C., Banks, W., Guarro, S., Garcia, A., Hampel, V., and
H. Sartorio, "Computer Security: A Comprehensive Controls Checklist",
John Wiley and Sons, Interscience Publication, 1987.
8.7 Additional Publications
Defense Data Network's Network Information Center (DDN NIC)
The DDN NIC maintains DDN Security bulletins and DDN Management
bulletins online on the machine: NIC.DDN.MIL. They are available
via anonymous FTP. The DDN Security bulletins are in the
directory: SCC, and the DDN Management bulletins are in the
directory: DDN-NEWS.
For additional information, you may send a message to:
NIC@NIC.DDN.MIL, or call the DDN NIC at: 1-800-235-3155.
- [DDN88] Defense Data Network, "BSD 4.2 and 4.3 Software Problem
Resolution", DDN MGT Bulletin #43, DDN Network Information Center, 3
November 1988.
A Defense Data Network Management Bulletin announcement on the 4.2bsd
and 4.3bsd software fixes to the Internet worm.
- [DDN89] DCA DDN Defense Communications System, "DDN Security
Bulletin 03", DDN Security Coordination Center, 17 October 1989.
IEEE Proceedings
- [IEEE] "Proceedings of the IEEE Symposium on Security and Privacy",
published annually.
IEEE Proceedings are available from:
Computer Society of the IEEE
P.O. Box 80452
Worldway Postal Center
Los Angeles, CA 90080
Other Publications:
Computer Law and Tax Report
Computers and Security
Security Management Magazine
Journal of Information Systems Management
Data Processing & Communications Security
SIG Security, Audit & Control Review