Information Security and related topics

Suggested Websites

 

This list has been produced by the International Computing Centre (UNICC, Geneva) in March 2001.

 

It makes no attempt to be comprehensive and the inclusion of vendors or other commercial entities does not constitute an endorsement of their products or services.

 

 

SECURITY PORTALS

 

This is a listing of only some of the sites that offer information and resources on information security.  All are worthwhile.

 

http://www.cerias.purdue.edu/coast/hotlist/

 

http://www.infosyssec.org/

 

http://www.itsecurity.com/

 

http://packetstorm.securify.com/

 

http://secinf.net/

 

http://www.securityfocus.com/

 

http://www.securityportal.com/

 

http://www.securitysearch.net/

 

 

SECURITY STANDARDS

 

http://www.diffuse.org/secure.html#help

The Diffuse project provides reference and guidance information on available and emerging standards and specifications that facilitate the electronic exchange of information, including a comprehensive listing of information security standards. A good starting point.

 

http://www.iso.ch/cate/d33441.html

ISO/IEC 17799:2000  Information technology -- Code of practice for information security management.

See also:

·        http://www.bsi-global.com/group.xhtml for BS 7799-2:1999 Information security management -- Specification for information security management systems.

·        http://www.standards.com.au/ for AS/NZS 4444-2:1999 Information security management -- Specification for information security management systems.

 

http://csrc.nist.gov/publications/

The Computer Security Resource Center is maintained by the US Government National Institute of Standards and Technology.  Good resource for US Government standards and other resources.

 

http://www.radium.ncsc.mil/tpep/

US Government Commercial Product Evaluations, with links to the “Common Criteria” (Common Criteria Information Technology Security Evaluation CCITSE), the “Rainbow Series” (Trusted Computer System Evaluation Criteria TCSEC) and the Evaluated Products List.

 

 

REFERENCE SITES

 

http://whatis.techtarget.com/

An excellent on-line encyclopædia specifically for IT-related definitions.  It has a topic specific index for security, among other topics.

 

http://www.cis.ohio-state.edu/hypertext/information/rfc.html

An index, and key word search, of Internet Request For Comments (RFC) documents, which are the written definitions of the protocols and policies of the Internet.

 

Some interesting, general RFCs on Internet security are:

 

·        RFC 1281: Guidelines for the Secure Operation of the Internet / R. D. Pethia, S. Crocker and B. Y. Fraser. - November 1991
http://www.cis.ohio-state.edu/htbin/rfc/rfc1281.html

 

·        RFC 2084: Considerations for Web Transaction Security / G. Bossert, S. Cooper, W. Drummond - January 1997
http://www.cis.ohio-state.edu/htbin/rfc/rfc2084.html

 

·        RFC 2196: Site Security Handbook / B. Fraser, Editor - September 1997
http://www.cis.ohio-state.edu/htbin/rfc/INDEX.rfc.html

 

·        RFC 2350: Expectations for Computer Security Incident Response / N. Brownlee, E. Guttman - June 1998
http://www.cis.ohio-state.edu/htbin/rfc/rfc2350.html

 

·        RFC 2504: Users' Security Handbook / E. Guttman, L. Leong, G. Malkin - February 1999
http://www.cis.ohio-state.edu/htbin/rfc/rfc2504.html

 

·        RFC 2828: Internet Security Glossary / R. Shirey - May 2000
http://www.cis.ohio-state.edu/htbin/rfc/rfc2828.html

 

 

SECURITY MAILING LISTS

 

The following web pages are the “home” for some of the security mailing lists available.  From these web pages you can subscribe to these mailing lists, search through mailing list archives, or find out about the mailing list itself.

 

 

BugTraq                   http://www.securityfocus.com/

Home of the widely subscribed BugTraq mailing list, for announcements and detailed discussions of computer security vulnerabilities.  Several other useful security-related mailing lists are hosted there as well.  The web site also has information on security basics, intrusion detection, incident response, and on Microsoft, Sun and Linux systems, as well as databases of vulnerabilities and viruses.

 

 

CERT Advisory                 http://www.cert.org/contact_cert/certmaillist.html

A well-respected mailing list providing descriptions of serious security problems and their impact, along with instructions on how to obtain patches or details of workarounds.  In addition, the web site has excellent resources for improving security practices and implementations.  Highly recommended.

 

 

Crypto-Gram Newsletter          http://www.counterpane.com/crypto-gram.html

An excellent monthly newsletter on computer security and cryptography.

 

 

Executive Security Digest       http://www.securityportal.com/topnews/

A weekly executive-level summary of important information security news.  Other interesting security mailing lists are also available.

 

 

Firewalls                              http://www.lists.gnac.net/firewalls/

A mailing list for the discussion of Internet firewall security systems and related issues, including the design, construction, operation, maintenance, and philosophy of Internet firewall security systems.  However, this is a very active mailing list and you will be inundated with postings.

 

 

NTBugtraq                          http://www.ntbugtraq.com/

NTBugtraq is a mailing list for the discussion of security exploits and security bugs in Microsoft Windows NT and its related applications.

 

 

Security Alert Consensus        http://www.sans.org/sansnews

SANS Newsbites                           http://www.sans.org/sansnews

SANS (System Administration, Networking and Security) Institute provides the “Security Alert Consensus”, which is a weekly summary of new security alerts and recommended countermeasures, and the “SANS Newsbites”, which is a weekly summary of information security news.  The web site also has some excellent information security resources.

 

 

VIRUS INFORMATION

 

The links below are for some of the anti-viral software vendors.  They are listed in alphabetical order.

 

This is not an exhaustive list of anti-viral software vendors.  Nor does ICC endorse any product offered by the vendors shown here.  However, the virus information databases on these web sites are very useful.

 

Computer Associates:

http://ca.com/virusinfo/encyclopedia/

 

F-Secure:

http://www.europe.datafellows.com/v-descs/

 

Network Associates:

http://vil.nai.com/vil/default.asp

 

Sophos:

http://www.sophos.com/virusinfo/analyses/

 

Symantec:

http://www.symantec.com/avcenter/vinfodb.html

 

Trend Micro:

http://www.antivirus.com/vinfo/virusencyclo/

 

 

VIRUS HOAXES

 

Note:  The anti-viral software vendor sites (see above) all have useful information on virus hoaxes as well.

 

http://hoaxbusters.ciac.org/

The US Department of Energy (US DOE) and Computer Incident Advisory Capability (CIAC) pages on Internet hoaxes and chain letters.

 

http://vmyths.com/

A useful “independent” site on virus myths, misconceptions, and hoaxes by a self-proclaimed expert.

 

MISCELLANEOUS

 

This is not an exhaustive list of the various security sites available.  However, the information provided on these web sites can be very useful.

 

 

http://www.attrition.org/

A web site for the collection, dissemination and distribution of information about computer security.   It is especially known as the largest mirror of web site defacements.

 

 

http://cnet.com/enterprise/0-9567.html?tag=dir

A very informative web site with information technology and commerce related information.  This is their security site.

 

 

http://cve.mitre.org/

A web site with a database of standardised names for Common Vulnerabilities and Exposures in information systems.  It is becoming widely referenced in the industry when referring to recognised vulnerabilities.

 

 

http://www.infosecuritymag.com/

Information Security magazine is a recognised publication with news, analysis, insight and commentary on information security.  The web site also offers an information security e-mail newsletter and an information security news web site.

 

 

http://www.linuxsecurity.com/

A good web site offering information on security for the open source Linux operating system.

http://www.oecd.org//dsti/sti/it/secur

Documents and events relating to information security and privacy issues.

 

http://www.zdnet.com/enterprise/filters/resources/0,10227,6007271,00.html

A very informative web site for people who want to buy, use, or learn more about technology.  This is their security site.

 

 

VENDORS

 

 

General

 

http://www.microsoft.com/security/

Microsoft Corporation is the world’s largest software producer and the number 1 company in the IT industry in terms of revenue and performance.  This is their IT security web site.

 

 

http://www.cisco.com/warp/public/779/largeent/issues/security/

Cisco Systems is the world-wide leading maker of data networking equipment for the Internet, and the second largest company in the IT industry in terms of revenue and performance.  This is their enterprise security web site.

 

 

http://www.ibm.com/services/e-business/security.html

IBM develops and manufactures computers, networking systems, software, and other IT devices.  They are the third largest company in terms of revenue and performance in the IT industry.  This is their security and privacy web site.

 

 

http://www.oracle.com/ip/solve/security/index.html

Oracle Corporation is a provider of software and services, primarily Internet enabled database, tools and application products.  They are the fourth largest company in terms of revenue and performance in the IT industry.  This is their database security web site.

 

 

http://www.sun.com/products-n-solutions/software/security/index.html

Sun Microsystems is a provider of Unix networked systems and is the fifth largest company (in terms of revenue and performance) in the IT industry.  This is their computer security web site.

 
Security and Encryption

 

http://www.checkpoint.com/

Check Point is a commercial provider of Firewall software and security solutions.  They are the largest company in terms of revenue and performance in the security and encryption section of the IT industry.

 

 

http://www.verisign.com/

Verisign Incorporated is a commercial provider of Internet trust services including authentication, validation and payment needed to conduct secure electronic commerce and communications over the Internet.  They are the second largest company in terms of revenue and performance in the security and encryption section of the IT industry.

 

 

http://www.symantec.com/

Symantec Corporation is a commercial provider of a broad range of content and network security solutions, including anti-viral software.  They are the third largest company in terms of revenue and performance in the security and encryption section of the IT industry.

 

 

http://iss.net/

ISS Group is a commercial provider of security software and management solutions.  They are the fourth largest company in terms of revenue and performance in the security and encryption section of the IT industry.  They have an excellent database (“X-Force”) and other resources for computer threats and vulnerabilities.

 

 

http://www.baltimore.com/

Symantec Corporation is a commercial provider of security products and services to develop trusted, secure systems for e-business, the Internet and mobile commerce.  They are the fifth largest company in terms of revenue and performance in the security and encryption section of the IT industry.

 

 

Electronic activism, etc

 

 

http://www.gn.apc.org/pmhp/ehippies/

The Electrohippies are not hackers per se.  Instead they promote civil disobedience and electronic sit-ins (the WTO was one of their targets) through denial of service attacks, etc.

 

 

http://www.thehacktivist.com/

Website devoted to Electronic Civil Disobedience.

 

 

http://www.thing.net/~rdom/ecd/ecd.html

Topics of Electronic Civil Disobedience.

 

Hackers are remarkably well organised.  Their activities, tools, etc. are reported through many websites.  This list does not include any such sites.

 

Many companies offer security audit and certification services.  These are not included in this document.

 

Any comments or suggestions relating to this list would be greatly appreciated.  These should be e-mailed to Toby Felgenner, Security and Planning Officer, felgenner@unicc.org