URLs in this document have been updated. Links enclosed in {curly brackets} have been changed. If a replacement link was located, the new URL was added and the link is active; if a new site could not be identified, the broken link was removed.
Science and Technology Resources on the Internet
Computer Security
Jane F. Kinkus
Mathematical Sciences Librarian
Purdue University
jkinkus@purdue.edu
The term computer security is used frequently, but the contents of a
computer are exposed to few risks unless the computer is connected to
other computers on a network. As the use of computer networks,
especially the Internet, has become pervasive, the concept of computer
security has expanded to denote issues pertaining to the networked use of
computers and their resources.
The major technical areas of computer security are usually represented by
the initials CIA: confidentiality, integrity, and availability.
Confidentiality means that information cannot be accessed by
unauthorized parties. Confidentiality is also known as secrecy or
privacy; breaches of confidentiality range from the embarrassing to the
disastrous. Integrity means that information is protected against
unauthorized changes, and that any change that does occur can be
detected by authorized users; many incidents of hacking compromise the
integrity of databases and other resources. Availability means that
resources are accessible by authorized parties; "denial of service"
attacks, which are sometimes the topic of national news, are attacks
against availability. Closely related is authentication, which means
that users (and systems) are who they claim to be. Other important
concerns of computer security professionals are access control and
nonrepudiation. Maintaining access control means not only that users can
access only those resources and services to which they are entitled, but
also that they are not denied resources that they legitimately can expect
to access. Nonrepudiation means that the sender of a message cannot later
deny having sent it and, conversely, that the recipient cannot deny
having received it. In addition to these technical aspects, the
conceptual reach of computer security is broad and multifaceted. Computer
security draws from disciplines such as ethics and risk analysis, and is
concerned with topics such as computer crime; the prevention, detection,
and remediation of attacks; and identity and anonymity in cyberspace.
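The difference between integrity and nonrepudiation is easy to blur. The following short Python example (added for this guide; it is not code from any of the sites listed) uses a keyed hash, HMAC-SHA256, to detect tampering with a message. The same example also shows why a key shared between sender and receiver gives integrity but not nonrepudiation: the receiver holds the key too, so a valid tag proves nothing to a third party about who wrote the message. The message text and the shared key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def seal(message: bytes, key: bytes) -> bytes:
    """Compute an HMAC-SHA256 tag over message.

    Anyone holding key can later recompute the tag and detect any change
    to the message (the integrity property)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(message: bytes, tag: bytes, key: bytes) -> bool:
    """Recompute the tag and compare in constant time, so an attacker cannot
    learn from timing how many leading bytes of a guessed tag were right."""
    return hmac.compare_digest(seal(message, key), tag)


def demo() -> dict:
    """Run the three cases a practitioner cares about and return the verdicts."""
    # A key shared by sender and receiver (constructed for this example).
    key = secrets.token_bytes(32)

    original = b"transfer 100 to account 42"
    tag = seal(original, key)

    # Case 1: the untouched message verifies.
    original_ok = verify(original, tag, key)

    # Case 2: a modified message no longer matches the tag.
    tampered = b"transfer 900 to account 42"
    tampered_ok = verify(tampered, tag, key)

    # Case 3: the receiver, who also holds the key, can produce a perfectly
    # valid tag on a message the sender never wrote. HMAC therefore cannot
    # support nonrepudiation; that needs a signature with a key only the
    # sender holds.
    forged = b"transfer 100 to account 99"
    forged_ok = verify(forged, seal(forged, key), key)

    return {
        "original_ok": original_ok,   # True
        "tampered_ok": tampered_ok,   # False
        "forged_ok": forged_ok,       # True, which is exactly the problem
    }


if __name__ == "__main__":
    print(demo())
```

The constant-time comparison is not optional: comparing tags with `==` returns as soon as the first differing byte is found, which leaks information an attacker on the network can measure.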
While confidentiality, integrity, and authenticity are the most important
concerns of a computer security manager, privacy is perhaps the most
important aspect of computer security for everyday Internet users.
Although users may feel that they have nothing to hide when they are
registering with an Internet site or service, privacy on the Internet is
about protecting one's personal information, even if the information does
not seem sensitive. Because of the ease with which information in
electronic format can be shared among companies, and because small pieces
of related information from different sources can be easily linked
together to form a composite of, for example, a person's information-
seeking habits, it is now very important that individuals are able to
maintain control over what information is collected about them, how it is
used, who may use it, and what purpose it is used for.
Scope of this Guide
This guide is intended to present a selected list of sites that cover the
basic issues of computer security and which provide useful information
for the non-expert (librarian, undergraduate student, office manager,
etc.) who wants to learn more about this increasingly important subject.
The categories are intended to offer points of departure for some of the
many aspects of computer security. For the sake of brevity, this guide
stops short of entering the vast realm of commercial software products,
consulting firms, and the like. The individual who is in the market for
security products or services should have no trouble finding
descriptions, reviews, and comparisons on the web and through other media.
Methods
The web sites in this list were collected through various methods, including searches of Internet directories such as Google and Yahoo, the Librarian's Index to the Internet, the {Scout Report}, and the WorldCat database (userid and password are required); burrowing through information security portals such as {InfoSysSec} and {Packet Storm Security}; and exploring links from within quality sites as they were encountered. Emphasis has been placed on sites that provide practical information rather than merely advertise products; accordingly, most of the sites selected are hosted in .edu, .gov, and .org domains. However, commercial sites were not discounted if they provided substantive information in addition to product information.
General Sources
- Center for Education and Research in Information Assurance
and Security
http://www.cerias.purdue.edu/
- CERIAS's mission is to be recognized as the leader in information
security and assurance research, education, and community service. To
these ends, CERIAS offers a free security seminar on diverse security
topics on Wednesday afternoons during the fall and spring semesters;
attendees may show up in person or through a live internet stream. The
CERIAS web site also includes extensive computer security resources for
K-12 teachers, including background information, lesson plans, and links
to other web resources.
- TECS: The Encyclopedia of Computer Security
http://www.itsecurity.com/
- TECS provides a forum for visitors to seek the opinions of one or several
security experts on a broad scope of security questions. Users range
from individuals asking about their home computers to students working on
projects to IT professionals; TECS's panel of volunteer security experts
tend to work for computer or security consulting companies. Questions
are sent via listserv to the experts, whose answers are then published,
along with the question, on the web site. The site owners request that
the experts try to provide balanced answers that do not gratuitously
advertise specific products; vendors are free to list full product
descriptions in the TECS Security Product Database.
- CYBERCRIME
http://www.cybercrime.gov/
- This site is maintained by the Computer Crime and Intellectual Property
Section (CCIPS) of the Criminal Division of the U.S. Department of
Justice; the information available at this site is presented from a
legal, rather than technical, perspective. It provides a plethora of
information about the various ways computers can be used to commit
crimes, how and to whom to report computer crimes, and what to do if you
are the victim of computer crime. It includes links to cases, laws,
legal issues, and policy issues surrounding hacking, intellectual
property infringements, and other online offenses.
- Common Vulnerabilities and Exposures
http://www.cve.mitre.org/
- MITRE, a not-for-profit organization that provides systems
engineering, research and development, and information technology support
to the U.S. government, created CVE to standardize the names of publicly
known vulnerabilities and other information security exposures. The
goal is to let security tools and vulnerability databases exchange data
by encouraging software companies and developers to use the common
identifiers published at the CVE web site; according to CERIAS, "CVE is
the key to vulnerability database compatibility." To date, over 60 major
organizations have agreed to make their products and services CVE
compatible.
- Stay Safe Online
{http://www.staysafeonline.info/}
- The National Cyber Security Alliance, comprised of corporate and
government organization members, sponsors Stay Safe Online to educate
home and small business computer users in basic computer security
practices, thereby helping to protect the nation's internet
infrastructure. The site offers a personal computer security self-test,
beginner's guides on various security topics, and a one-hour online
course on security fundamentals.
- Security Statistics
{http://www.securitystats.com/}
- Because online banks, retailers, and other businesses may wish to protect their reputations by not reporting problems associated with online attacks, statistics about such attacks can be difficult to find. The Security Statistics site is a portal to data on computer security incidents. Statistics are pooled from a wide range of sources and include information about security spending, known vulnerabilities, numbers of reported security breaches, economic impact of incidents, arrests and convictions, and more. The site does not guarantee the accuracy of reported statistics, but the sources of each statistic are included.
Ethics
- Computer and Information Ethics on WWW
{http://www.ethics.ubc.ca/resources/computer/}
- This site is a subdivision of a website on ethics resources which is maintained by the University of British Columbia's Centre for Applied Ethics. The site provides lists of web sites, as well as lists of electronic and print publications, pertaining to various ethical issues in computing. There is a section on courses in computer ethics, which provides links to online syllabi to classes taught at other institutions, and a list of links to relevant organizations. The breadth of this site is limited, but it's a good place to begin exploring the ethical issues of network computing.
- Ethics in Computing
{http://ethics.csc.ncsu.edu//}
- This site is administered by Dr. Edward F. Gehringer, an NCSU
professor in Electrical & Computer Engineering and Computer Science who
teaches several undergraduate and graduate classes in computer science and
computer ethics. The site organizes computer ethics into a simple
hierarchy of topics, starting with basic information on ethics. The
articles are not necessarily recent, although many concepts pertaining to
ethics may remain constant over time. An interesting feature is the site
map, drawn like a geographic map, which offers a graphical representation
of how the concepts are related.
Privacy
- EFF Privacy Now! Campaign
{http://www.eff.org/issues/privacy}
- The Electronic Frontier Foundation was founded in 1990 to confront civil
liberties issues raised by new technologies. EFF's interest in privacy
issues runs the gamut from Internet anonymity and pseudonymity to medical
privacy to the privacy risks posed by the nation's post-9/11 increased
interest in surveillance, biometrics, and a national identification
system. This site goes beyond mere tips and offers a thoughtful analysis
of the privacy (and social) consequences of our increasingly automated
society. Look for Carabella, an interactive adventure game that
illustrates some of the privacy and fair use issues associated with
online music shopping.
- Privacy Rights Clearinghouse
http://www.privacyrights.org/
- The Privacy Rights Clearinghouse is a nonprofit consumer advocacy
organization. Their web site is full of information on privacy rights in
an online environment. The main issues addressed on this site include
personal privacy, financial privacy, and identity theft. Information
sources include fact sheets covering specific privacy issues, news items
and articles about privacy, and transcripts of PRC speeches and testimony
from conferences and legislative hearings.
- The Privacy Foundation
{http://www.privacyfoundation.org/}
- The Privacy Foundation's main privacy concerns are data that is
collected surreptitiously by companies about web surfers and their
browsing habits, and employer surveillance of computer activity in the
workplace. Users can sign up for free email delivery of the Foundation's
TipSheets and Privacy Watch advisories and commentaries. An interesting
free download available at this site is Bugnosis, software which alerts
Internet Explorer users to web bugs: tiny or invisible graphics embedded
in a web page whose image request, usually to a third-party server and
often carrying an identifier in the URL, reports who is viewing the page.
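The heuristics a web-bug detector applies are simple enough to show in code. The Python example below is added for this guide and is not Bugnosis or any other listed project's code; it scans a page for img elements that are one pixel or smaller (or hidden by style) and that either load from a host other than the page's own or carry a query string, which is where a tracking identifier usually travels. The HTML sample and the host name www.example.com are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: a normal logo, a first-party layout spacer (benign),
# a third-party 1x1 tracker with an identifier, and a hidden 0x0 pixel.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png" width="200" height="60" alt="logo">
<img src="/images/spacer.gif" width="1" height="1">
<img src="http://ads.example.net/track.gif?uid=a1b2c3&amp;page=home" width="1" height="1">
<img src="http://stats.example.org/pixel.gif" width="0" height="0" style="display:none">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dictionaries of every <img> tag on the page."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse '1', '1px' or ' 0 ' into an int; anything else is unknown (None)."""
    try:
        return int(value.strip().lower().removesuffix("px"))
    except (AttributeError, ValueError):
        return None


def _is_hidden(attrs):
    """A web bug is typically 1x1 or 0x0, or hidden outright with CSS."""
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    tiny = w is not None and h is not None and w <= 1 and h <= 1
    css_hidden = "display:none" in attrs.get("style", "").replace(" ", "").lower()
    return tiny or css_hidden


def find_web_bugs(html, page_host):
    """Return one finding per suspicious image, in page order."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        url = urlparse(src)
        # A relative src loads from the page's own host.
        host = (url.hostname or page_host).lower()
        third_party = host != page_host.lower()
        has_query = bool(url.query)
        if _is_hidden(attrs) and (third_party or has_query):
            findings.append({"src": src, "host": host,
                             "third_party": third_party, "has_query": has_query})
    return findings


if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE_HTML, "www.example.com"):
        print(finding)
```

The first-party spacer is deliberately not flagged: a 1x1 image from the site you are already visiting tells that site nothing it did not know from serving the page. The signal is the combination of an invisible image with a request to someone else, or with an identifier in the URL.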
- Platform for Privacy Preferences (P3P) Project
http://www.w3.org/P3P/
- The World Wide Web Consortium, an organization promoting greater
interoperability for web technologies, has developed P3P, a proposed
standard that allows web sites to state their privacy policies in a
machine-readable vocabulary so that P3P-enabled software (e.g., web
browsers) can interpret them and compare them to a user's stated privacy
preferences. P3P offers users greater control over how their personal
information might be used on the Internet by flagging, before any data
is submitted, sites whose practices conflict with those preferences.
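The following Python example (added here; it is not W3C code and is not a full P3P implementation) shows the core of the mechanism: a site's policy is parsed into statements, each saying which data is collected, for what purposes, for which recipients and for how long, and each statement is checked against the user's preferences. The policy XML uses P3P-style element names but is a constructed, simplified sample without the namespace and other elements a real policy carries, and the preference set is likewise invented for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy: statement 1 is ordinary account handling,
# statement 2 hands the phone number to third parties for telemarketing
# and keeps it indefinitely.
SAMPLE_POLICY = """<POLICY name="shop">
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.name"/>
      <DATA ref="#user.home-info.postal"/>
    </DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing/><contact/></PURPOSE>
    <RECIPIENT><other-recipient/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.home-info.telecom.telephone"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>"""

# Constructed user preferences: what the user refuses to accept.
USER_PREFS = {
    "forbidden_purposes": {"telemarketing"},
    "forbidden_recipients": {"other-recipient", "public", "unrelated"},
    # Data the user will not let a site keep indefinitely.
    "protected_data": {"#user.home-info.telecom.telephone"},
}


def _child_tags(parent, name):
    """Tags of the children of <name>, e.g. {'current', 'admin'} for PURPOSE."""
    node = parent.find(name)
    return set() if node is None else {child.tag for child in node}


def parse_policy(xml_text):
    """Turn the policy into a list of statement dictionaries."""
    root = ET.fromstring(xml_text)
    statements = []
    for st in root.findall("STATEMENT"):
        group = st.find("DATA-GROUP")
        refs = set() if group is None else {d.get("ref", "") for d in group.findall("DATA")}
        statements.append({
            "purposes": _child_tags(st, "PURPOSE"),
            "recipients": _child_tags(st, "RECIPIENT"),
            "retention": _child_tags(st, "RETENTION"),
            "data": refs,
        })
    return statements


def evaluate(statements, prefs):
    """Return (statement number, rule, offending values) for every conflict.

    An empty list means the policy is acceptable under these preferences."""
    conflicts = []
    for number, st in enumerate(statements, start=1):
        bad_purposes = st["purposes"] & prefs["forbidden_purposes"]
        bad_recipients = st["recipients"] & prefs["forbidden_recipients"]
        kept_forever = st["data"] & prefs["protected_data"] if "indefinitely" in st["retention"] else set()
        if bad_purposes:
            conflicts.append((number, "purpose", sorted(bad_purposes)))
        if bad_recipients:
            conflicts.append((number, "recipient", sorted(bad_recipients)))
        if kept_forever:
            conflicts.append((number, "retention", sorted(kept_forever)))
    return conflicts


def check_site(xml_text, prefs=USER_PREFS):
    """Parse and evaluate in one step; this is what a browser would call before submitting a form."""
    return evaluate(parse_policy(xml_text), prefs)


if __name__ == "__main__":
    for conflict in check_site(SAMPLE_POLICY):
        print(conflict)
```

The practical caveat, which applies to P3P itself: the policy is a statement by the site about its own behaviour, and the comparison only tells the user whether the site says it does something objectionable. Nothing in the mechanism verifies that the site actually behaves as declared.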
Consumer Information
- Better Business Bureau Online
{http://www.bbb.org/}
- The Better Business Bureau system, which extends over most of the United States and Canada, has for many years mediated consumer problems by advocating voluntary self-regulation for businesses combined with increased education for consumers. The BBB now extends its services to the e-commerce arena, offering a BBB seal of reliability for qualified businesses to place on their web sites. For consumers, BBBOnline offers a "safe shopping list" of companies which merit the BBB's seal, as well as information on web safety and privacy, and online forms for lodging complaints.
- Shopping Safely Online
{http://www.cnlnet.org/shoppingonline/index.htm}
- The National Consumer League offers Shopping Safely Online as part of
its larger web site of general consumer information. In addition to online
shopping tips, this site provides "e-ssentials" of online privacy and
security for the consumer, and advice for using online auctions.
Shopping Safely Online provides a link to the NCL's National Fraud
Information Center, where users can report suspected fraud and access a
wealth of other sources about the risks of doing business online.
- Internet Fraud Complaint Center
{http://www.ic3.gov/}
- The IFCC, a partnership between the FBI and the National White Collar
Crime Center, offers this web site as a place for consumers to learn
about Internet fraud, which is largely comprised of incidents relating to
online auctions, credit card misuse, and other consumer-related
activity. The site provides an easy-to-complete form for reporting
Internet fraud. Of special interest is the IFCC's annual report on the
numbers, types, and economic impacts of crimes reported through the
site.
Kids
- NetSmartz Workshop
http://www.netsmartz.org/
- This site is published by the National Center for Missing and Exploited
Children. Through games and other online activities, it introduces kids
to some of the "outlaws of Webville," and instructs kids on how to
respond to inappropriate behavior they might encounter online. The
Netsmartz site for parents and educators provides suggestions for online
and offline activities and is designed to increase communication between
parents and children about Internet safety.
- CyberSmart!
{http://www.cybersmart.org/home/}
- The CyberSmart! School Program is a nonprofit corporation that
advocates Internet education by empowering children rather than simply
monitoring them. The CyberSmart web site provides brief lessons for
teens, printable color posters for parents to hang near the family
computer, and a curriculum of 65 standards-based lesson plans for K-8
teachers. The curriculum is centered around the SMART model, focusing on
safety, manners, advertising, research, and technology. Lesson plans
have been designed to stand alone, can be taught in any order, and can be
taught by a technology teacher, librarian or media specialist, or science
or social studies teacher as appropriate for the subject matter.
Antivirus
- Virus Bulletin
http://www.virusbtn.com/
- Virus Bulletin is a fee-based, monthly magazine that provides
information, reviews, and comparisons of antivirus products. The Virus
Bulletin website offers the latest virus-related news, description of
recent viruses, and monthly prevalence tables of known virus activity.
Consumers can see which antivirus products have earned the VB100% award,
which is given to products that detect all "In the Wild" viruses (see
WildList Organization, below) in test scans. Of particular practical use
are four step-by-step DOS tutorials for recovering from some of the more
common problems of virus infection.
- The WildList Organization International
http://www.wildlist.org/
- The WildList Organization's mission is "to provide accurate, timely and
comprehensive information about 'In the Wild' computer viruses to both
users and product developers." "In the wild" viruses are viruses that
have been cited by two or more of the organization's panel of computer
experts as spreading in the real world and therefore pose a real threat
to computers and networks. The WildList is made available free of charge
by the organization and is considered a standard against which the
effectiveness of antivirus programs is measured. The WildList
Organization has retained its independence from any one antivirus
developer and encourages all users to find an antivirus vendor and
develop a relationship with its customer support service.
- Hoax Busters
{http://hoaxbusters.ciac.org/}
- Hoax Busters is a public service of the Department of Energy's Computer
Incident Advisory Capability (CIAC). Hoax Busters posits that dealing
with hoax emails is annoying and time-consuming at best, and costly at
worst. The Hoax Busters web is a clearinghouse of information about
various types of Internet hoaxes, and strives to debunk dire warnings
about various fake viruses and other malicious code that have no basis in
fact. The site also confronts chain letters, urban myths, sympathy
letters, and other cons, and offers suggestions for how to recognize
hoaxes and what to do about them.
- F-Secure: Security Information Center
http://www.f-secure.com/virus-info/
- The self-described "industry standard source for up-to-date information
on new viruses and hoax alerts," this site provides long, easily readable
descriptions and screen shots of known viruses, including their
variants, and information on how to recover if you're hit. While
F-Secure naturally promotes the sale of its commercial products, it
also offers a few dozen free downloads to fix specific virus problems.
Also of interest are a six-minute video entitled "Virus Summary 2001," an
account of the most notable (i.e., destructive) virus attacks of 2001,
and a list of tips to avoid those pesky, and increasingly common, email
worms.
Security Policies
- Security Policy Issues
{http://www.sans.org/rr/whitepapers/policyissues/}
- The Systems Administration, Networking, and Security Institute (SANS) is
an organization comprised of computer security practitioners from
government agencies, corporations, and universities. The SANS reading
room provides access to over 1300 research articles across the spectrum
of computer security; the Security Policy Issues section features over
60 articles, many of which were written by IT professionals to fulfill
part of the requirements for the Global Information Assurance
Certification. This site also contains an information security policy
primer and policy examples and templates. Access to the SANS reading
room is free, but users must register to receive a password.
- EDUCAUSE/Cornell Institute for Computer Policy and
Law
http://www.educause.edu/icpl/
- The ICPL is a collaboration between Cornell, which began its Computer Policy
and Law program in 1996, and EDUCAUSE, which promotes intelligent use of
information technology in higher education. The Library Resources section
provides access to hundreds of computer policies collected from educational
institutions of all sorts, companies and corporations, networks, and municipalities.
The policies pertain to virtually every aspect of campus technology use,
from acceptable/responsible use to library policies to security and privacy
policies. Users are invited to submit their own policies to the collection.
Cryptography
- Cryptology ePrint Archive
http://eprint.iacr.org/
- The International Association for Cryptologic Research (IACR) is a
non-profit scientific organization whose purpose is to further research
in cryptology and related fields. IACR's Cryptology ePrint Archive
accepts clear and readable submissions from authors which "look somewhat
new and interesting," and "contain proofs or convincing arguments for any
claims." The archive begins in 1996, and as of this writing, there are
136 articles posted for 2002. While many of the newer articles are
available as .pdf files, many files are available in postscript format
only.
- The International PGP Home Page
http://www.pgpi.org/
- Pretty Good Privacy (PGP) is a cryptographic program for protecting
digital information, including the contents of email messages, developed
by Phil Zimmermann in 1991 and distributed as freeware for non-commercial
use. The purpose of this web site is to promote the use of PGP worldwide
by providing downloads, documentation, FAQs, lists of known bugs, links
to web sites, and the latest news and other information about PGP in
English and other languages.
Intrusion Detection
- DShield-Distributed Intrusion Detection System
http://www.dshield.org/
- DShield.org collects information about cracking, or penetration of
computer systems by unauthorized parties, from all over the Internet.
Systems administrators are encouraged to share their firewall logs so
that patterns of intrusion activity can be analyzed; DShield will
contact an Internet service provider if it appears to be the origin of
suspicious activity. DShield provides a geographic distribution of
reported attack sources from the past five days, as well as the 10 most
probed ports and the IP addresses of the top 10 offending sources.
The site also provides an "Are you cracked?" utility, which compares the
user's IP address with a list of known attackers; if an IP address is
matched, it is possible that the user's computer has been used by
crackers to attack other machines.
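What a distributed firewall-log service does with a submission can be shown with a few lines of Python. The example below is added for this guide and is not DShield's client or server code: it parses blocked-packet records, tallies the most probed destination ports and the most active source addresses, answers the "is my address on the offender list?" question, and redacts the destination address before a log is shared, since the log describes the submitter's own network. The log lines, their field format and all addresses (from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed firewall log in a simple key=value format. One accepted
# connection and one garbage line are included to show they are ignored.
LOG_LINES = """\
2002-06-01T10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP spt=4321 dpt=1433
2002-06-01T10:00:02 DROP src=203.0.113.5 dst=192.0.2.10 proto=TCP spt=4322 dpt=445
2002-06-01T10:00:03 DROP src=198.51.100.7 dst=192.0.2.10 proto=TCP spt=51000 dpt=1433
2002-06-01T10:00:04 DROP src=198.51.100.7 dst=192.0.2.11 proto=TCP spt=51001 dpt=1433
2002-06-01T10:00:05 DROP src=203.0.113.9 dst=192.0.2.10 proto=UDP spt=137 dpt=137
2002-06-01T10:00:06 DROP src=203.0.113.5 dst=192.0.2.12 proto=TCP spt=4323 dpt=80
2002-06-01T10:00:07 ACCEPT src=192.0.2.50 dst=192.0.2.10 proto=TCP spt=40000 dpt=22
2002-06-01T10:00:08 DROP src=198.51.100.7 dst=192.0.2.13 proto=TCP spt=51002 dpt=445
this line is corrupt and must not crash the parser
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>[A-Z]+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)


def parse_log(lines):
    """Keep only blocked packets. Accepted traffic is the submitter's own
    business and says nothing about probes; unparseable lines are skipped."""
    records = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match or match.group("action") != "DROP":
            continue
        rec = match.groupdict()
        rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
        records.append(rec)
    return records


def top_ports(records, n=10):
    """Most probed destination ports as (port, count), highest first."""
    return Counter(r["dpt"] for r in records).most_common(n)


def top_sources(records, n=10):
    """Most active source addresses as (address, count), highest first."""
    return Counter(r["src"] for r in records).most_common(n)


def is_known_offender(address, records, min_hits=2):
    """The 'Are you cracked?' check: does this address appear as a source
    often enough to be on the offender list built from everyone's logs?"""
    return Counter(r["src"] for r in records)[address] >= min_hits


def redact_for_sharing(records, keep_octets=2):
    """Mask the destination (the submitter's own hosts) before the records
    leave the site; the probing source is what the service needs intact."""
    shared = []
    for r in records:
        octets = r["dst"].split(".")
        masked = ".".join(octets[:keep_octets] + ["x"] * (4 - keep_octets))
        shared.append(f"{r['ts']} src={r['src']} dst={masked} proto={r['proto']} dpt={r['dpt']}")
    return shared


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    print("top ports:", top_ports(recs, 3))
    print("top sources:", top_sources(recs, 3))
    print("\n".join(redact_for_sharing(recs)))
```

The threshold in is_known_offender is deliberately low for a small sample; on real aggregated data it is the service, not the submitter, that decides how many reports from how many independent sensors make an address worth an abuse report to its ISP.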
Operating System Security
- Network Security Library
{http://www.windowsecurity.com/whitepaper/}
- This is a site providing articles on general network and system
security, and no emphasis is placed on any one OS. Due to the large
number of articles available on Unix and Windows, these systems have
their own links; articles on other operating systems, such as Macintosh
or Linux, can be found through keyword searches. Articles come from a
variety of sources, including individual submissions as well as published
book chapters. Readers are invited to rate articles on a scale of one to
ten, and the average score and number of votes are listed with each
article title.
- Windows Security Guide
http://www.winguides.com/security/
- This site lists security vulnerabilities and fixes for all Microsoft
operating systems, as well as for network-related utilities such as MS
Internet Explorer and Internet Information Server. Other services
include a free newsletter of alerts and updates, and "support forums" for
discussion of security topics. There are two levels of membership: the
basic free membership allows access to the forums and newsletters, while
a fee-based premium subscription option allows access to help files, free
downloads, and the ability to turn off advertisements.
- Macintosh Security Site
http://www.securemac.com/
- The Macintosh Security Site contains several informative articles on
Macintosh security, and reviews of many security products for Macs and
Mac servers. While the site is supported through paid advertisements,
the ads are rather unobtrusive. Of interest is that the Macintosh
Security Site is maintained as the "white side" of Freak's Macintosh
Archive, a "hacking" site devoted to announcing and exploiting
security vulnerabilities in Macintosh software and utilities.
- Linux Security
http://www.linuxsecurity.com/
- This site is sponsored by Guardian Digital, Inc., an Open Source
security company which produces EnGarde Linux products. The site is not
used solely to advertise EnGarde products, and other vendors and products
are represented through their sponsorship of the site as well as in articles
and advisories posted at the site. The News section of the site provides
full-text articles, reprinted from a variety of external sources, on a
wide range of general and Linux-specific security topics; the
Documentation section features numerous practical "how-to" articles.
Users can subscribe to free weekly Linux security newsletters and
advisories and participate in an online mailing list.
Certification
- CISSP and SSCP Open Study Guides
http://www.cccure.org/
- The International Information Systems Security Certification Consortium,
Inc (http://www.isc2.org) offers two security certifications, the
Certified Information Systems Security Professional (CISSP) and the
Systems Security Certified Practitioner (SSCP). This site offers study
guides, tips for taking the certification tests, newsletters, chat rooms,
book reviews, and more, all written by volunteers who are preparing for
or have passed the exams. Study guides address particular sections
included in the exams. Free registration is required to access the full
content of this site.
Information Warfare
- Information Warfare Site
http://www.iwar.org.uk/
- Because of
the increasing interconnectedness of critical systems such as
telecommunications, banking and finance, energy, and transportation,
national infrastructures have become increasingly vulnerable to online
terrorist threats. The Information Warfare Site "aims to stimulate debate
about a range of subjects from information security to information
operations and e-commerce." While the site's domain name denotes United
Kingdom, much of the content is derived from government and news sources
of the United States and other countries. Online discussion forums cover
topics such as e-commerce, terrorism, critical infrastructure protection,
and others.
Biometrics
- Biometrics Research
http://biometrics.cse.msu.edu/
- This site, run by Michigan State University's Department of Computer
Science and Engineering, is a good beginning point for learning more
about biometrics. It includes a brief but informative overview of
biometrics, and descriptions of various biometric technologies, such as
fingerprint matching, hand geometry, voice recognition, and so on. The
"Projects" and "Publications" lists are limited to work by MSU people,
but there is also a short list of external web links leading to biometric
companies, consulting firms, and research centers.
- International Biometric Group
{http://www.ibgweb.com/}
- International Biometric Group LLC is a biometrics consulting firm which considers itself to be "vendor-independent and technology-neutral, allowing it to objectively and independently assess companies, technologies, products, and projects." Of special interest at IBG's web site is the "Research and Reports" section, where IBG provides information on biometrics basics, specific biometric technologies and their applications, accuracy and performance, as well as vendor and industry information. Users must register with the site to gain access to the full reports, but registration is free and is activated immediately.
- Biometrics Catalog
{http://www.biometricscatalog.org/}
- This is a database of biometric technologies maintained by the U.S.
Department of Justice. Users can search for information about biometric
products by biometric type, keyword, and date, as well as vendor category
(commercially available products, products in government testing,
products in non-government testing, etc.). Vendors can add information
about their products, but forms that do not contain complete contact
information will not be posted to the site.