Information Security and related topics
This list has been produced by the International Computing Centre (UNICC, Geneva) in March 2001.
It makes no attempt to be comprehensive and the inclusion of vendors or other commercial entities does not constitute an endorsement of their products or services.
This is a listing of only some of the sites that offer information and resources on information security. All are worthwhile.
The Diffuse project provides reference and guidance information on available and emerging standards and specifications that facilitate the electronic exchange of information, including a comprehensive listing of information security standards. A good starting point.
ISO/IEC 17799:2000 Information technology -- Code of practice for information security management.
· http://www.bsi-global.com/group.xhtml for BS 7799-2:1999 Information security management -- Specification for information security management systems.
· http://www.standards.com.au/ for AS/NZS 4444-2:1999 Information security management -- Specification for information security management systems.
The Computer Security Resource Center is maintained by the US Government National Institute of Standards and Technology. Good resource for US Government standards and other resources.
US Government Commercial Product Evaluations, with links to the “Common Criteria” (Common Criteria Information Technology Security Evaluation CCITSE), the “Rainbow Series” (Trusted Computer System Evaluation Criteria TCSEC) and the Evaluated Products List.
An excellent on-line encyclopædia specifically for IT-related definitions. It has a topic specific index for security, among other topics.
An index, and key word search, of Internet Request For Comments (RFC) documents, which are the written definitions of the protocols and policies of the Internet.
Some interesting, general RFCs on Internet security are:
RFC 1281: Guidelines for the Secure Operation of the Internet / R. D. Pethia, S. Crocker and B. Y. Fraser
RFC 2084: Considerations for Web Transaction Security / G. Bossert, S. Cooper, W. Drummond - January 1997
RFC 2196: Site Security Handbook / B. Fraser, Editor - September 1997
Expectations for Computer Security Incident Response / N. Brownlee, E. Guttman - June 1998
RFC 2504: Users' Security Handbook / E. Guttman, L. Leong, G. Malkin - February 1999
RFC 2828: Internet Security Glossary / R. Shirey - May 2000
The following web pages are the “home” for some of the security mailing lists available. From these web pages you can subscribe to these mailing lists, search through mailing list archives, or find out about the mailing list itself.
Home of the widely subscribed BugTraq mailing list, for announcements and detailed discussions of computer security vulnerabilities, together with several other useful security-related mailing lists. The web site also has information on security basics, intrusion detection and incident response, sections for Microsoft, Sun and Linux systems, and databases of vulnerabilities and viruses.
CERT Advisory http://www.cert.org/contact_cert/certmaillist.html
A well-respected mailing list providing descriptions of serious security problems and their impact, along with instructions on how to obtain patches or details of workarounds. In addition, the web site has excellent resources for improving security practices and implementations. Highly recommended.
Crypto-Gram Newsletter http://www.counterpane.com/crypto-gram.html
An excellent monthly newsletter on computer security and cryptography.
Executive Security Digest http://www.securityportal.com/topnews/
A weekly executive-level summary of important information security news. Other interesting security mailing lists are also available.
A mailing list for the discussion of Internet firewall security systems and related issues, including the design, construction, operation, maintenance, and philosophy of Internet firewall security systems. However, this is a very active mailing list and you will be inundated with postings.
NTBugtraq is a mailing list for the discussion of security exploits and security bugs in Microsoft Windows NT and its related applications.
Security Alert Consensus http://www.sans.org/sansnews
SANS Newsbites http://www.sans.org/sansnews
SANS (System Administration, Networking and Security) Institute provides the “Security Alert Consensus”, which is a weekly summary of new security alerts and recommended countermeasures, and the “SANS Newsbites”, which is a weekly summary of information security news. The web site also has some excellent information security resources.
The links below are for some of the anti-viral software vendors. They are listed in alphabetical order.
This is not an exhaustive list of anti-viral software vendors. Nor does ICC endorse any product offered by the vendors shown here. However, the virus information databases on these web sites are very useful.
Note: The anti-viral software vendor sites (see above) all have useful information on virus hoaxes as well.
US Department of Energy (US DOE) and Computer Incident Advisory Capability (CIAC) on Internet Hoaxes and chain letters.
A useful “independent” site on virus myths, misconceptions, and hoaxes by a self-proclaimed expert.
This is not an exhaustive list of the various security sites available. However, the information provided on these web sites can be very useful.
A web site for the collection, dissemination and distribution of information about computer security. It is especially known as the largest mirror of web site defacements.
A very informative web site with information technology and commerce related information. This is their security site.
A web site with a database of standardised names for Common Vulnerabilities and Exposures in information systems. Becoming widely referenced in the industry when referring to recognised vulnerabilities.
Information Security magazine is a recognised publication with news, analysis, insight and commentary on information security. The web site also offers an information security e-mail newsletter and an information security news web site.
A great web site for offering information about security and the open source Linux operating system.
Documents and events relating to information security and privacy issues.
A very informative web site for people who want to buy, use, or learn more about technology. This is their security site.
Microsoft Corporation is the world’s largest software producer and the number 1 company in the IT industry in terms of revenue and performance. This is their IT security web site.
Cisco Systems is the world-wide leading maker of data networking equipment for the Internet, and the second largest company in the IT industry in terms of revenue and performance. This is their enterprise security web site.
IBM develops and manufactures computers, networking systems, software, and other IT devices. They are the third largest company in terms of revenue and performance in the IT industry. This is their security and privacy web site.
Oracle Corporation is a provider of software and services, primarily Internet-enabled database, tools and application products. They are the fourth largest company in terms of revenue and performance in the IT industry. This is their database security web site.
Sun Microsystems is a provider of Unix networked systems and is the fifth largest company (in terms of revenue and performance) in the IT industry. This is their computer security web site.
Check Point is a commercial provider of Firewall software and security solutions. They are the largest company in terms of revenue and performance in the security and encryption section of the IT industry.
Verisign Incorporated is a commercial provider of Internet trust services including authentication, validation and payment needed to conduct secure electronic commerce and communications over the Internet. They are the second largest company in terms of revenue and performance in the security and encryption section of the IT industry.
Symantec Corporation is a commercial provider of a broad range of content and network security solutions, including anti-viral software. They are the third largest company in terms of revenue and performance in the security and encryption section of the IT industry.
ISS Group is a commercial provider of security software and management solutions. They are the fourth largest company in terms of revenue and performance in the security and encryption section of the IT industry. They have an excellent database (“X-Force”) and other resources on computer threats and vulnerabilities.
Symantec Corporation is a commercial provider of security products and services to develop trusted, secure systems for e-business, the Internet and mobile commerce. They are the fifth largest company in terms of revenue and performance in the security and encryption section of the IT industry.
Electronic activism, etc
The Electrohippies are not hackers per se. Instead they promote civil disobedience and electronic sit-ins (the WTO was one of their targets) through denial of service attacks, etc.
Website devoted to Electronic Civil Disobedience
Topics of Electronic Civil Disobedience
Hackers are remarkably well organised. Their activities, tools, etc. are reported through many websites. This list does not include any such sites.
Many companies offer security audit and certification services. These are not included in this document.
Any comments or suggestions relating to this list would be greatly appreciated. These should be e-mailed to Toby Felgenner, Security and Planning Officer, firstname.lastname@example.org