Information Security and related topics
Suggested Websites
This list has been produced by the International Computing Centre (UNICC, Geneva) in March 2001.
It makes no attempt to be comprehensive, and the inclusion of vendors or other commercial entities does not constitute an endorsement of their products or services.
This is a listing of only some of the sites that offer information and resources on information security. All are worthwhile.
http://www.cerias.purdue.edu/coast/hotlist/
http://packetstorm.securify.com/
http://www.securityportal.com/
http://www.securitysearch.net/
http://www.diffuse.org/secure.html#help
The Diffuse project provides reference and
guidance information on available and emerging standards and specifications
that facilitate the electronic exchange of information, including a
comprehensive listing of information security standards. A good starting point.
http://www.iso.ch/cate/d33441.html
ISO/IEC 17799:2000 Information technology -- Code of practice for information
security management.
See also:
· http://www.bsi-global.com/group.xhtml for BS 7799-2:1999 Information security management -- Specification for information security management systems.
· http://www.standards.com.au/ for AS/NZS 4444-2:1999 Information security management -- Specification for information security management systems.
http://csrc.nist.gov/publications/
The Computer Security Resource Center is
maintained by the US Government National Institute of Standards and
Technology. Good resource for US
Government standards and other resources.
http://www.radium.ncsc.mil/tpep/
US Government Commercial Product Evaluations,
with links to the “Common Criteria” (Common
Criteria Information Technology Security Evaluation CCITSE), the
“Rainbow Series” (Trusted Computer System
Evaluation Criteria TCSEC) and the Evaluated Products List.
An excellent on-line encyclopædia
specifically for IT-related definitions.
It has a topic specific index for security, among other topics.
http://www.cis.ohio-state.edu/hypertext/information/rfc.html
An index, with keyword search, of Internet Request For Comments (RFC) documents, which are the written definitions of the protocols and policies of the Internet.
Some interesting, general RFCs on Internet security are:
· RFC 1281: Guidelines for the Secure Operation of the Internet / R. D. Pethia, S. Crocker and B. Y. Fraser - November 1991
http://www.cis.ohio-state.edu/htbin/rfc/rfc1281.html
· RFC 2084: Considerations for Web Transaction Security / G. Bossert, S. Cooper, W. Drummond - January 1997
http://www.cis.ohio-state.edu/htbin/rfc/rfc2084.html
· RFC 2196: Site Security Handbook / B. Fraser, Editor - September 1997
http://www.cis.ohio-state.edu/htbin/rfc/INDEX.rfc.html
· RFC 2350: Expectations for Computer Security Incident Response / N. Brownlee, E. Guttman - June 1998
http://www.cis.ohio-state.edu/htbin/rfc/rfc2350.html
· RFC 2504: Users' Security Handbook / E. Guttman, L. Leong, G. Malkin - February 1999
http://www.cis.ohio-state.edu/htbin/rfc/rfc2504.html
· RFC 2828: Internet Security Glossary / R. Shirey - May 2000
http://www.cis.ohio-state.edu/htbin/rfc/rfc2828.html
The following web pages are the "home" pages for some of the security mailing lists available.
From these web pages you can subscribe to the mailing lists, search through the mailing list archives, or find out more about the mailing list itself.
BugTraq http://www.securityfocus.com/
Home of the widely subscribed BugTraq mailing list, for announcements and detailed discussions of computer security vulnerabilities. Several other useful security-related mailing lists are hosted there as well.
The web site also has information on security basics, intrusion detection and incident response, sections for Microsoft, Sun and Linux systems, and databases of vulnerabilities and viruses.
CERT Advisory http://www.cert.org/contact_cert/certmaillist.html
A well-respected mailing list providing
descriptions of serious security problems and their impact, along with
instructions on how to obtain patches or details of workarounds. In addition, the web site has excellent
resources for improving security practices and implementations. Highly recommended.
Crypto-Gram Newsletter http://www.counterpane.com/crypto-gram.html
An excellent monthly newsletter on computer
security and cryptography.
Executive Security Digest http://www.securityportal.com/topnews/
A weekly executive-level summary of important information security news. Other interesting security mailing lists are also available.
Firewalls http://www.lists.gnac.net/firewalls/
A mailing list for the discussion of Internet
firewall security systems and related issues, including the design,
construction, operation, maintenance, and philosophy of Internet firewall
security systems. However, this is a
very active mailing list and you will be inundated with postings.
NTBugtraq http://www.ntbugtraq.com/
NTBugtraq is a mailing list for the
discussion of security exploits and security bugs in Microsoft Windows NT and
its related applications.
Security Alert Consensus http://www.sans.org/sansnews
SANS Newsbites http://www.sans.org/sansnews
SANS (System Administration, Networking and
Security) Institute provides the “Security Alert Consensus”, which is a weekly
summary of new security alerts and recommended countermeasures, and the “SANS
Newsbites”, which is a weekly summary of information security news. The web site also has some excellent
information security resources.
The links below are for some of the anti-viral software vendors. They are sorted in alphabetical order.
This is not an exhaustive list of anti-viral software vendors, nor does ICC endorse any product offered by the vendors shown here.
However, the virus information databases on these web sites are very useful.
Computer Associates:
http://ca.com/virusinfo/encyclopedia/
F-Secure:
http://www.europe.datafellows.com/v-descs/
Network Associates:
http://vil.nai.com/vil/default.asp
Sophos:
http://www.sophos.com/virusinfo/analyses/
Symantec:
http://www.symantec.com/avcenter/vinfodb.html
Trend Micro:
http://www.antivirus.com/vinfo/virusencyclo/
Note: the anti-viral software vendor sites (see above) all have useful information on virus hoaxes as well.
US Department of Energy (US DOE) and Computer
Incident Advisory Capability (CIAC) on Internet Hoaxes and chain letters.
A useful “independent” site on virus myths,
misconceptions, and hoaxes by a self-proclaimed expert.
This is not an exhaustive list of the various security sites available. However, the information provided on these web sites can be very useful.
A web site for the collection, dissemination
and distribution of information about computer security. It is especially known as the largest
mirror of web site defacements.
http://cnet.com/enterprise/0-9567.html?tag=dir
A very informative web site with information
technology and commerce related information.
This is their security site.
A web site with a database of standardised names for Common Vulnerabilities and Exposures in information systems. It is becoming widely referenced in the industry when referring to recognised vulnerabilities.
http://www.infosecuritymag.com/
Information Security magazine is a recognised
publication with news, analysis, insight and commentary on information
security. The web site also offers an
information security e-mail newsletter and an information security news web
site.
A great web site offering information about security and the open source Linux operating system.
http://www.oecd.org//dsti/sti/it/secur
Documents and events relating to information
security and privacy issues.
http://www.zdnet.com/enterprise/filters/resources/0,10227,6007271,00.html
A very informative web site for people who
want to buy, use, or learn more about technology. This is their security site.
http://www.microsoft.com/security/
Microsoft Corporation is the world’s largest
software producer and the number 1 company in the IT industry in terms of
revenue and performance. This is their
IT security web site.
http://www.cisco.com/warp/public/779/largeent/issues/security/
Cisco Systems is the world-wide leading maker
of data networking equipment for the Internet, and the second largest company
in the IT industry in terms of revenue and performance. This is their enterprise security web site.
http://www.ibm.com/services/e-business/security.html
IBM develops and manufactures computers,
networking systems, software, and other IT devices. They are the third largest company in terms of revenue and
performance in the IT industry. This is
their security and privacy web site.
http://www.oracle.com/ip/solve/security/index.html
Oracle Corporation is a provider of software and services, primarily Internet-enabled database, tools and application products. They are the fourth largest company in terms of revenue and performance in the IT industry. This is their database security web site.
http://www.sun.com/products-n-solutions/software/security/index.html
Sun Microsystems is a provider of Unix networked systems and is the fifth largest company (in terms of revenue and performance) in the IT industry. This is their computer security web site.
Check Point is a commercial provider of
Firewall software and security solutions.
They are the largest company in terms of revenue and performance in the
security and encryption section of the IT industry.
Verisign Incorporated is a commercial
provider of Internet trust services including authentication, validation and
payment needed to conduct secure electronic commerce and communications over
the Internet. They are the second
largest company in terms of revenue and performance in the security and
encryption section of the IT industry.
Symantec Corporation is a commercial provider
of a broad range of content and network security solutions, including
anti-viral software. They are the third
largest company in terms of revenue and performance in the security and encryption
section of the IT industry.
ISS Group is a commercial provider of security software and management solutions. They are the fourth largest company in terms of revenue and performance in the security and encryption section of the IT industry. They have an excellent database ("X-Force") and other resources on computer threats and vulnerabilities.
Symantec Corporation is a commercial provider
of security products and services to develop trusted, secure systems for
e-business, the Internet and mobile commerce.
They are the fifth largest company in terms of revenue and performance
in the security and encryption section of the IT industry.
Electronic activism, etc
http://www.gn.apc.org/pmhp/ehippies/
The Electrohippies are not hackers per se. Instead, they promote civil disobedience and electronic sit-ins (the WTO was one of their targets) through denial of service attacks, etc.
Web site devoted to Electronic Civil Disobedience:
http://www.thing.net/~rdom/ecd/ecd.html
Topics of Electronic Civil Disobedience
Hackers are remarkably well organised. Their activities, tools, etc. are reported through many web sites. This list does not include any such sites.
Many companies offer security audit and certification services. These are not included in this document.
Any comments or suggestions relating to this list would be greatly appreciated. These should be e-mailed to Toby Felgenner, Security and Planning Officer, felgenner@unicc.org