Bibliography

This bibliography of computer security documents was prepared by the National Computer Security Association. Corrections and additions will be appreciated. Please write us at Suite 309, 4401-A Connecticut Avenue, NW, Washington DC 20008, or call voice at (202) 364-1304. Our BBS number: (202) 364-8252.

Access Control/Fence Industry. Monthly newsletter from Communication Channel Inc., 6255 Barfield Road, Atlanta, GA 30328, (404) 256-9800. $26.95. This newsletter provides a listing of products and suppliers for the access control industry.

Adler, Stacy. "7 Myths of Computer Security." Security vol 24 no. 1, January 1987, pp. 50-52. This article covers consultants who clear up misconceptions about data protection software.

Armstrong, James R. "Protecting the Corporate Data." Data Processing & Communications Security vol 9 no. 4, March/April 1985, pp. 16-17. This article discusses how most alternative off-site storage facilities lack the environmental control, security and accessibility needed. Includes a discussion of things to consider in selecting an off-site storage facility.

American Society for Industrial Security, Washington, D.C. Chapter Newsletter. Monthly newsletter from American Society for Industrial Security, 1655 N. Ft. Myer Drive, Suite 1200, Arlington, VA 22209, (703) 522-5800. Free to members only. This newsletter provides current information on industrial security.

Anon. "Computer "Hacking" is No Longer Just a Lark." Office vol 102 no. 3, September 1985, pp. 90-95. Computer hackers will use computers to obtain information and resell it, or use it for blackmail, extortion, and espionage. This article discusses techniques for preventing hackers from getting on a system, and monitoring them if they are discovered.

Anon. "Computer Security: The Menace is Human Error." Office vol 99 no. 3, March 1984, pp. 119-120. This article stresses that managers should understand that data security is a people problem and not a computer problem. People are the ones who either accidentally or intentionally misuse a computer system.

Anon. "Internal Security." PC Week vol 2 no. 18, May 1985, pp. 89-91, 106-107. Experts feel that local computer access is more prone to intrusion than long-distance access. This article discusses how insiders in a company are the ones most likely to abuse a computer system.

Anon. "Reporting Computer Crime." Data Processing & Communications Security vol 8 no. 6, July/August 1984, pp. 20-21. This article presents a suggested format for a final report to use in documenting actions surrounding a computer crime.

Anon. "Communications and Systems Security." Data Processing & Communications Security vol 9 no. 3, 1985 Buyer's Directory, pp. 11-13. This article discusses a wide variety of communications and system security protection methods, including encryption, fiber optics, key management, optical links, electrical emanations, and dial-up access protection devices.

Anon. "Computer Communications Security Lexicon." Data Processing & Communications Security vol 11 no. 2, Spring 1987, pp. 22-23. This article is an update containing some newly added security definitions of terms and phrases.

Anon. "Controlling Access To Your Data." Personal Computing vol 9 no. 9, September 1985, pp. 60-72. Explains measures that can be taken to protect what's in a computer. Focuses not only on vandals, but also on people who accidentally harm the computer.

Anon. "Dial-Up Access Security Products." Data Processing & Communications Security vol 9 no. 2, November/December 1984, pp. 21-24. This article presents some new dial-up access security products and their major features.

Anon. "Enhancements Out For Barrier Security Devices." Computerworld vol 18 no. 35, August 1984, p. 51. This article discusses the password protection device designed by International Anasazi, Inc. that will limit access on dial-up lines.

Anon. "Firesign Unwraps Security Feature." MIS Week vol 5 no. 23, June 1984, p. 24. This article discusses Firesign Computer Company's product that provides network security through its password system.

Anon. "Security Computer Outsmarts Colorado Bandits." Data Management vol 19 no. 7, July 1981, pp. 17-18. This article looks at the effectiveness of a security system that controls access to several high-rise buildings in Colorado.

Anon. "Security Lock Ready for PCs." MIS Week vol 6 no. 26, July 1985, p. 30. The hard disk security product "Knight Data Security Manager" is discussed. This product allows password protection in a PC.

Anon. "Automated Contingency Planning." Data Processing & Communications Security vol 8 no. 4, March/April 1984, p. 22. This article presents a special purpose software package, CHI/COR, that deals with the job of documenting the resources needed to implement a disaster recovery plan.

Anon. "Contingency Planning and the Law." Data Processing & Communications Security vol 8 no. 4, March/April 1984, pp. 17-18. This article reviews the Foreign Corrupt Practices Act and its requirement for record keeping and internal controls. Other potential legal liabilities are also reviewed.

Anon. "Computer Power and Environmental Controls." Data Processing & Communications Security vol 9 no. 3, 1985 Buyer's Directory, p. 13. This article discusses common power anomalies and equipment available to overcome them.

Anon. "Computer Back-up Facilities." Data Processing & Communications Security vol 8 no. 4, March/April 1984, pp. 19-22. This article discusses the options for back-up sites, including cold sites, hot sites, empty shells, and fully equipped recovery sites. Also refers to the extent of equipment, space, and services provided by these back-up facilities.

Anon. "Computer Security: Issues and Answers." Datamation, September 15, 1984, 16 pages. This 16-page section sponsored by the Computer Security Institute contains several articles that cover a variety of computer security issues.

Anon. "Computer Security: Issues and Answers." Datamation, September 15, 1985, 24 pages. This advertisement section contains eight articles that discuss a variety of computer security issues. The authors include FBI Director William Webster and Department of Defense Computer Security Center Director Robert Brotzman.

Anon. "Making The Case For Computer Security Pure and Simple." Datamation, September 1983. This section of Datamation is sponsored by the Computer Security Institute and covers a broad range of computer security issues in several different articles.

Anon. "Personal Computers vs. Data Security: the Two Need Not Be Incompatible." Data Processing & Communications Security vol 12 no. 1, Winter 1988, pp. 24-26. This article discusses the threat of data loss, either intentional or unintentional. It examines the significant risks and the data security policies that lower these risks.

Anon. "Protecting Information and Interest." Computer Management, October 1981, pp. 33-34, 36. Suppliers, consultants, and services related to computer security are listed in this directory.

Anon. "Simple Security Precautions Ensure Information Safety." Computerworld vol 19 no. 17, April 1985, p. SR-38. Microcomputer Security. This article applies many of the security precautions for mainframes to the microcomputer.

Anon. "Memo: Disaster Plan For Microcomputer Users." Data Processing & Communications Security vol 8 no. 4, March/April 1984, pp. 27-29. This article is in the form of a memo containing a microcomputer disaster recovery checklist. It addresses issues that should be covered in contingency plans.

Anon. "Media Safes: Countering the Threats of Fire." Data Processing & Communications Security vol 9 no. 6, July/August 1985, pp. 18-20. This article is a review of critical basic information on how to select fire resistant media safes.

Anon. "Protecting The World's Largest Computer User." Data Processing & Communications Security vol 8 no. 4, March/April 1984, pp. 25-26. This article discusses a new high security off-site storage facility opening in Beltsville, Maryland. It also addresses concern over the lack of proper secure storage today.

Anon. "Computer Security Awareness: Organizations and Senior Management Concerns." Data Processing & Communications Security vol 8 no. 5, May/June 1984, pp. 12-13. This article gives the results of a survey of general security and computer security personnel, EDP auditors, and internal auditors to determine the computer security awareness of their company and senior management.

Anon. "Records Storage and Management." Data Processing & Communications Security vol 8 no. 4, March/April 1984, pp. 23-25. This article addresses the questions of which records should be stored off-site and how an off-site facility can be evaluated. It also provides an overview of areas to consider.

Anon. "Computer Security Software." Data Processing & Communications Security vol 9 no. 1, September/October 1984, pp. 19-24. This article provides information on using access control software to protect the terminals, the data and the system itself from unauthorized use.

Anon. "Computer Security Software." Data Processing & Communications Security vol 9 no. 3, 1985 Buyer's Directory, pp. 17-18. This article addresses a wide variety of computer security software programs and their different uses.

Anon. "Protecting Software With Escrow Services." Data Processing & Communications Security vol 8 no. 5, May/June 1984, pp. 22-24. This article addresses some of the problems and answers for protecting software that concern major management today.

Ashley, Cliff and Story, Frank. Automatic Data Processing Security Program. From Kaiser Engineers Hanford, ATTN: Cliff Ashley, SAS Manager. February 11, 1987. Training & Awareness. Free. This manual describes the computer security program used at Kaiser Engineers Hanford.

Associated Press. "Jury Selection In 1st "Virus" Trial Begins." Washington Post no. 277, September 7, 1988, p. C1. This article is about a programmer accused of using a computer "virus" to sabotage thousands of records at his former work place.

Atkinson, L.V. "Fraud: Input Data Most Vulnerable." Computerworld UK vol 2 no. 21, September 2, 1981, p. 10. Article discusses a survey which found that the major danger to computers was the alteration of input data.

Auerbach Data Security Management. Bimonthly journal from Auerbach Publishers Inc., 6560 N. Park Drive, Pennsauken, NJ 08109, (609) 662-5599. $265.00 annually. This journal deals with issues related to data security management.

Auerbach Information Management Series. Monthly journal from Auerbach Publishers, Inc., 6560 N. Park Drive, Pennsauken, NJ 08109, (609) 662-2070. $750.00 annually. This journal on information security provides insights, approaches, and products related to security.

Avarne, Simon. "How to Find Out a Password." Data Processing & Communications Security vol 12 no. 2, Spring 1988, pp. 16-17. This article gives examples of how to discover someone's password and discusses weaknesses of traditional passwords.

Baker, R.H. "Lining Up Computer Crooks." Micro Communications vol 2 no. 5, May 1985, pp. 18-22. This article looks at crime patterns of microcomputer users breaking into mainframes. Ways in which these patterns can be learned and then stopped are discussed.

Bailey, Cynthia. "Information Security: A Pressing Need." Computer Digest, September 1989, pp. 30, 32.

Bass, Brad. "Security Teams Fight Network Invaders." Government Computer News, September 4, 1989, p. 87.

Beitman, L. "A Practical Guide To Small Business Computer Security." Office vol 96 no. 2, August 1982, pp. 86, 90. This article gives advice on how to obtain computer security in a small business environment. A checklist is included that will help to prevent accidental and intentional harm to a system.

ben-Aaron, Diana. "Mailsafe Signs, Seals, and Delivers Files." InformationWeek, September 15, 1986.

Bequai, A. "What to do About Crime in the Electronic Office." Office vol 101 no. 1, January 1985, pp. 101-104. This article discusses the important role that auditing computer systems plays in preventing crimes and abuse.

Bequai, August. "Federal Computer Crime Legislation is Needed." Data Management, May 1981, pp. 22-24. The ways criminals use loopholes in our present criminal justice system are discussed along with a history of computer crime legislation.

Berman, A. "Evaluating On-Line Computer Security." Data Communications vol 12 no. 7, July 1983, pp. 145-152. The security problems that have arisen because of on-line processing are discussed in this article. Covered are the two ways to obtain a secure on-line system.

Betts, M. "Government's Computers "Highly Vulnerable" to Abuse." Computerworld vol 18 no. 40, October 1984, p. 4. Discusses how highly vulnerable the federal government's computers are to abuse, and a congressman who is seeking to change that vulnerability.

Betts, M. "NBS Releases Standards For Managing Password Security." Computerworld vol 19 no. 28, July 1985, p. 19. This article talks about how the National Bureau of Standards has completed a two-part publication dealing with password systems.

Betts, M. "U.S. Agency Faces Probes, Boosts Security After Audit." Computerworld vol 19 no. 24, June 1985, p. 8. This article discusses an audit report issued by the inspector general of the U.S. Department of the Interior in March 1985 which revealed inadequate controls over passwords, faulty operating procedures, and lack of audit trails at the Denver Service Center.

Betts, M. "Reagan Systems Security Directive Under Attack." Computerworld vol 19 no. 27, July 1985, p. 1. This article discusses why members of Congress are concerned over how the National Security Decision Directive 145 on computer security could be abused by military and intelligence officials.

Betts, Kellyn S. "Foiling Data Thieves." Modern Office Technology, April 1985, pp. 112 ff.

Bezdek, J. "Across-the-Board Training Protects Data." Computerworld vol 18 no. 44, October 1984, p. SR-10. This special report covers the four areas that a training program in computer security needs to include. These are plant physical security, logical security, administrative security, and the legal and social aspects of security training.

Bigelow, R.P. "Computer Security And Law." Infosystems vol 29 no. 12, December 1982, p. 84. This article looks at how a memo from the legal department should be structured concerning the protection of assets.

Blakeney, S. "Computer Crime: A Worldwide Concern." Computerworld vol 17 no. 52 and vol 18 no. 1, December 26, 1983 and January 1984, pp. 57-60. This article looks at computer crime as a worldwide problem. The most common types of computer crimes are given along with the estimated losses in various countries throughout the world.

Blakeney, S. "Micro Market Going Full Steam Ahead; IDC Predicts Installed Base of $41.9 Billion by '86." Computerworld, March 28, 1983.

Boebert, W. E. and Kain, R.Y. "A Practical Alternative to Hierarchical Integrity Policies." Proceedings of the 8th National Computer Security Conference, Gaithersburg, MD, October 1985.

Boebert, W. E. and Ferguson, C.T. "A Partial Solution to the Discretionary Trojan Horse Problem." Proceedings of the 8th National Computer Security Conference, Gaithersburg, MD, October 1985.

Bologna, Jack. "Computer Related Crime: The Who, What, Where, When, Why and How." Data Processing & Communications Security vol 10 no. 1, Winter 1986, pp. 19-23. This article looks at computer related crime from the perspectives of the individual criminal, environmental factors, organization cultures, incidence rate, and security countermeasures.

Bologna, Jack. Computer Crime: Wave of the Future. Computer Protection Systems. 102 pp. $15. Intended to demonstrate that the current state of computer technology exceeds by an order of magnitude our ability to secure our equipment.

Bologna, Jack. The Security Manager's Handbook. Computer Protection Systems. 167 pp. $35.

Bologna, Jack. Strategic Planning for Corporate Directors of Security and Risk Management. Computer Protection Systems. 28 pp. $10.

Bologna, Jack. "Forensic Accounting." Data Processing & Communications Security vol 8 no. 6, July/August 1984, pp. 16-20. This article identifies the skills and competencies of a forensic accountant.

Bologna, Jack. "Disaster/Recovery Planning: A Qualitative Approach." Data Processing & Communications Security vol 8 no. 4, March/April 1984, pp. 11-15. Developing a disaster/recovery plan usually involves a detailed quantitative risk analysis; the author offers a more qualitative approach that is less time consuming and will obtain a higher level of commitment from management, D/P staff, and users.

Bologna, Jack. "Industrial Security In a Nutshell: A Risk by any Other Name." Data Processing & Communications Security vol 9 no. 5, May/June 1985, pp. 12-13. This article discusses properly understanding risk and how the opposite side of risk is opportunity for growth and development.

Bologna, Jack. "Risk Assessment Guidelines for Fidelity Insurance." Data Processing & Communications Security vol 9 no. 4, March/April 1985, pp. 18-20. This article is a review of the adequacy of asset protection plans, policies, procedures and controls to enlighten top management.

Bologna, Jack. "Security Planning: The "TAPPS" Method." Data Processing & Communications Security vol 10 no. 4, Fall 1986, pp. 7-11. This article covers a systems approach to assets protection. It discusses an analytical process called the Total Assets Protection Planning System (TAPPS), which consists of the organization, structure and mandate of the security function.

Bologna, Jack. "Selling Computer Security to Top Management." Data Processing & Communications Security vol 8 no. 5, May/June 1984, pp. 13-16. This article discusses positive motivational impact, minimizing risk, and cost feasibility in selling computer security to top managers.

Bologna, Jack. "Why the Corporate Security Function is Being Downsized." Data Processing & Communications Security vol 11 no. 2, Spring 1987, pp. 20-21. This article discusses the disbanding and dilution of corporate security functions and how this affects the security of a firm.

Bound, W.A.J. "Security Protecting Information Resources and Media." Information Management vol 18 no. 8, August 1984, pp. 18-19. This article discusses what a manager must consider when designing an office security program to protect against the four vulnerabilities of a system: personnel, physical, administrative, and technical.

Bowmen, Terry. "Undercarpet Fiber Optics." Data Processing & Communications Security vol 11 no. 2, Spring 1987, pp. 23-26. This article discusses how undercarpet fiber optics offer better security than undercarpet copper cable. It also covers how to plan an undercarpet system.

Bramer, W.L. "Computer and Data Security is Battle Cry to the '80s." Office vol 103 no. 3, March 1986, pp. 78-82. This article discusses the number of organizations that are looking at their security procedures and programs to deter computer abuse. The three main causes of security problems are described.

Branstad, Dennis (editor). Computer Security And The Data Encryption Standard. NBS SPEC PUB 500-27, February 1978. Includes papers and summaries of presentations made at a 1978 conference on computer security. Subject areas are physical security, risk assessment, software security, computer network security, and applications and implementation of the Data Encryption Standard.

Brenner, Aaron. "LAN Security." LAN Magazine, August 1989.

Bunzel, Rick. "Flu Season." Connect, Summer 1988.

Burger, Ralf. Computer Viruses: A High-Tech Disease. Abacus Software, 1989. For some reason, this book contains virus source code!

Cabell, D. "Network Backups." Micro Communications vol 2 no. 6, June 1985, pp. 14-18. This article describes how the only way to protect a LAN, micro, mini, or mainframe from a complete system crash is adequate backup.

Call, B. "Buttress Against Computer Crime." PC Week vol 2 no. 18, May 1985, pp. 111, 115. The physical protection of computers is becoming an area of interest for more organizations. The increased number of physical security devices illustrates this point and is discussed in this article.

Carey, Cameron. "Data Access Control: Help or Hindrance." Data Processing & Communications Security vol 11 no. 4, Fall 1987, pp. 18-20. This article discusses limiting access to data and how to make access control protection more of a help than a hindrance by developing a set of priorities about various classes of data.

Cipher. Irregular newsletter from Institute of Electrical and Electronic Engineers, 9800 Savage Road, Fort Meade, MD 20755, (301) 859-4376. This newsletter looks at security and privacy from a technical view.

Ciura, J.M. "Vital Records Protection: Identifying Essential Information." Information Management vol 19 no. 2, February 1985, p. 11. This article suggests that the best way to resume business activity after an emergency or disaster is to have a vital records protection program.

Clauss, Karl H. "How To Move A Data Center and Avoid a Disaster." Infosystems, December 1981, pp. 46-48, 50. This article describes how ARCO Oil and Gas Company moved their computer center to a new location and the points a company should consider when moving a data center.

Clyde, Allen R. "Insider Threat on Automated Information Systems." Data Processing & Communications Security vol 11 no. 4, Fall 1987, pp. 11-14. This article discusses activities to detect sources of abuse that are not widely implemented.

CM Bulletin. Bimonthly bulletin from National Classification Management Society, Inc., 6116 Roseland Drive, Rockville, MD 20852, (301) 231-9191. Free to members; non-members $15.00 annually. This bulletin contains articles pertaining to information security management.

Cohen, Fred. "Computer Viruses, Theory and Experiments." 7th Security Conference, DOD/NBS, September 1984.

Cohen, Fred. "Computer Viruses: Theory and Experiment." Computers & Security vol 6 (1987), pp. 22-35.

Cohen, Fred. "On the Implications of Computer Viruses and Methods of Defense." Computers & Security vol 7 (1988), pp. 167-184.

Cole, Gerald D. and Heinrich, Frank. Design Alternatives For Computer Network Security (vol. 1); The Network Security Center: A System Level Approach To Computer Network Security (vol. 2). NBS SPEC PUB 500-21, January 1978. This two-volume study covers network security requirements and the design and implementation requirements of a special computer dedicated to network security. The approach utilizes a dedicated minicomputer to check authentication of network users, and, to some extent, to check authorization. The study focuses on use of the Data Encryption Standard to protect network data and recommends procedures for generating, distributing and protecting encryption keys.

Collins, J.A. "Continuous Security Control Clamps Down on Abuse." Data Management vol 23 no. 5, May 1985, pp. 56-59. The need for control of computer access is discussed in this article, which suggests that granting such access should be a management, security-oriented process. Computer security guidelines are also given.

COM-AND (Computer Audit News and Developments). Bimonthly newsletter from Management Advisory Services, P.O. Box 151, 57 Greylock Road, Wellesley Hills, MA 02181, (617) 235-2895. $56.00 annually. This newsletter provides auditors with current trends, practices, and developments in their field.

Computer Age: EDP Weekly. Weekly newsletter from EDP News Services, Inc., 7043 Wimsatt Road, Springfield, VA 22151, (703) 354-9400. $225.00 annually. Weekly roundup of computer industry news. Provides analysis of computer events and trends. Articles include coverage of computer security news.

Computer Fraud & Security Bulletin. Monthly newsletter from Elsevier International, 52 Vanderbilt Avenue, New York, NY 10017, (212) 916-1250. $240.00 annually. This monthly newsletter deals with computer crime and preventive measures that can be taken to avoid misuse.
Computer Law Journal. Journal (frequency not specified) from Center for Computer Law, Box 3549, Manhattan Beach, CA 90266, (213) 372-0198. $72.00 annually. This journal deals with all aspects of computer law from copyright protection of software to penalties for abusing computers.

Computer Law Newsletter. Bimonthly newsletter from Warner & Stackpole, 28 State Street, Boston, MA 02109, (617) 725-1400. Free. Various subjects dealing with computer law, including computer crime, are covered.

Computer Security Buyers Guide. From Computer Security Institute, 1988. General Security. Members of CSI: free; non-members: $75.00. A buyers guide for a wide variety of computer security products and services.

Computer Security Digest. Monthly digest from Computer Protection Systems, Inc., 150 N. Main Street, Plymouth, MI 48170, (313) 459-8787. $110.00 annually. This digest addresses issues of current interest in the area of computer security and related crime.

Computer Security Guidelines For Implementing The Privacy Act Of 1974. FIPS PUB 41, May 1975. Provides guidance in the selection of technical and related procedural methods for protecting personal data in automated information systems. Discusses categories of risks and the related safeguards for physical security, information management practices, and system controls to improve system security.

Computer Security Journal. Twice-a-year journal from Computer Security Institute, 360 Church Street, Northborough, MA 01532, (617) 393-2600. $60.00 members, $65.00 non-members annually. This journal contains technical papers on a wide variety of computer security related topics including software, contingency planning, and security management.

Computer Security Manual for Unclassified Systems. From EG&G Idaho, Inc., Information and Technical Services, P.O. Box 1625, Idaho Falls, ID 83415. April 30, 1987. General Security. Call for current cost (TBD). Discusses a variety of unclassified computer security issues. Includes password usage, certification and other categories.
Computer Security Newsletter. Bimonthly newsletter from Computer Security Institute, 360 Church Street, Northborough, MA 01532, (617) 393-2600. $95.00 annually, for members only. This newsletter covers a broad range of computer security topics.

Computer Viruses: Proceedings of an Invitational Symposium, October 10-11, 1988. Deloitte, Haskins, and Sells, 1989.

Computers & Security. Six-times-a-year journal from Elsevier International, 52 Vanderbilt Avenue, New York, NY 10017, (212) 916-1250. $89.00 annually. This technically oriented journal covers a variety of topics concerning computer security.

COM-SAC (Computer Security, Audit, and Control). Twice-a-year journal from Management Advisory Services & Publications, P.O. Box 151, 57 Greylock Road, Wellesley Hills, MA 02181, (617) 235-2895. $55.00 annually. Most of this journal contains brief digests of articles on computer security that have appeared in other publications, although it does include some original articles.

Coontz, Constance. "Protection through Isolation." Security Management vol 31 no. 11, November 1987, pp. 53-55. This article discusses compartmentalizing valuable data on dedicated PCs or small computer systems to help protect it from hackers and moles.

CPR-R (Contingency Planning & Recovery Report). Quarterly journal from Management Advisory Services, P.O. Box 151, 57 Greylock Road, Wellesley Hills, MA 02181, (617) 235-2895. $75.00 annually. This journal is solely devoted to issues, practices and developments in contingency planning, disaster recovery and business continuity.

Data Encryption Standard. FIPS PUB 46, January 1977. Specifies an algorithm to be implemented in electronic hardware devices and used for the cryptographic protection of sensitive, but unclassified, computer data. The algorithm uniquely defines the mathematical steps required to transform computer data into a cryptographic cipher and the steps required to transform the cipher back to its original form.
Datapro Reports on Information Security (2 volumes). From Datapro Research Corporation, (609) 764-0100. 1985. General Security. $790.00 annually. Includes management information, market surveys, and product reports.

Data Processing & Communications Security. Quarterly magazine from Assets Protection Publishing, Box 5323, Madison, WI 53704, (608) 274-7751. $48.00 annually. This magazine covers a wide variety of computer and communications security related topics.

Data Processing Digest. Monthly digest from Data Processing Digest, Inc., P.O. Box 1249, Los Angeles, CA 90078, (916) 756-5138. This digest covers more than 130 scientific, business, trade, educational, and computer journals. Articles are selected for the specific needs of DP and IS management, computer professionals, and corporate executives.

Davidson, Thomas L. and White, Clinton E. Jr. "How to Improve Network Security." Infosystems vol 30 no. 6, June 1983, pp. 110-112. This article discusses the need to protect network systems using software locks, authorization schemes, logs, and data encryption.

Davies, D.W. and Price, W.L. Security for Computer Networks: An Introduction to Data Security in Teleprocessing and Electronic Funds Transfer. John Wiley & Sons, 1984. 416 pp. $34.95.

Deitz, Larry. "Computer Security in the Micro Age." Computers and Electronics, June 1984, pp. 68 ff.

Denning, D. E. Cryptography and Data Security. Addison-Wesley, 1982.

Denning, D. E. "An Intrusion-Detection Model." IEEE Symposium on Security and Privacy, April 1986.

Denning, Peter J. "Computer Viruses." American Scientist vol 76, May-June 1988.

Denning, Peter J. "The Internet Worm." American Scientist vol 77, March-April 1989.

DES Modes Of Operation. FIPS PUB 81, December 1980. Defines four modes of operation for the Data Encryption Standard which may be used in a wide variety of applications. The modes specify how data will be encrypted (cryptographically protected) and decrypted (returned to original form). The modes included in this standard are the Electronic Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the Output Feedback (OFB) mode.

Dewdney, A. K. "Computer Recreations: In the game called Core War hostile programs engage in a battle of bits." Scientific American, March 1984.

Dewdney, A. K. "Computer Recreations: A Core War bestiary of viruses, worms and other threats to computer memories." Scientific American, March 1985.

Diamond, F.H. "Computer Network Security: The Need Was Never Greater." Office vol 102 no. 2, August 1985, pp. 94-99. This article discusses the advantages of using the callback approach in computer networks to prevent hackers from getting onto a system.

Dobberstein, M. "To Have and Not to Have a Disaster." Computer Decisions vol 17 no. 18, September 1985, pp. 102-126. This article deals with the importance of actually testing contingency plans to see if they work.

DoD. Department of Defense Trusted Computer System Evaluation Criteria. DOD 5200.28-STD, December 1985. Library No. S225,711. (The "Orange Book".)

DoD Computer Security Center. Computer Security Requirements: Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments. CSC-STD-003-85, June 25, 1985. 13 pp. *

Dvorak, John. "Virus Wars: A Serious Warning." PC Magazine, February 29, 1988.

EDP Security Bulletin. Irregular bulletin from Royal Canadian Mounted Police, Systems Branch, 1200 Alta Vista Drive, Ottawa, ON K1A 0R2, Canada. This bulletin provides current information in the field of electronic data processing security.

edpacs: The EDP Audit, Control and Security Newsletter. Monthly newsletter from Auerbach Publishers, 210 South Street, Boston, MA 02111, (617) 292-8360. $96.00 annually. This newsletter is meant primarily for the auditor, although it will benefit others with computer security responsibility.

EDP Analyzer. Monthly journal from United Communications Group, 4550 Montgomery Avenue, Ste. 700N, Bethesda, MD 20814, (301) 961-8700 (Doug O'Boyle). $159.00 annually.

The EDP Auditor. Quarterly journal from EDP Auditors Association, P.O. Box 88180, 373 S. Schmale Road, Carol Stream, IL 60188-0180, (312) 682-1200. Available as part of annual membership. This journal is intended for the EDP auditor and focuses on education and research.

Edwards, M. "The Sting in a Micro's Tail." Practical Computing vol 6 no. 12, December 1983, pp. 108-109. How criminals exploit information technology is described in this article, along with ways to stop them.

Elmer-Dewitt, Phillip. "Invasion of the Data Snatchers!" Time Magazine vol 123 no. 13, September 26, 1988, pp. 62-67. Discusses the current threat to computer systems posed by computer viruses. Computer viruses are defined and several examples of viruses are given.

Epner, S.A. "Computer Security: Plenty of Questions but No Easy Answers." Office vol 101 no. 3, March 1985, pp. 74-76. This article covers the physical security of computer equipment, from air conditioning and power to pass cards and security guards.

Edwards, J. "Ends in Sight for the Copy-Protection Debate." PC Week vol 3 no. 1, January 1986, pp. 101, 105. The protection of software from unauthorized use may be coming to an end, as Microsoft Corporation has decided to lift the protection from several of its software programs.

Federal Information Processing Standards Publication 83, Guideline on User Authentication Techniques for Computer Network Access Control. National Bureau of Standards, September 1980.

Federal Information Processing Standards Publication 73, Guidelines for Security of Computer Applications. National Bureau of Standards, June 1980.

Federal Information Processing Standards Publication 112, Password Usage. National Bureau of Standards, May 1985.

Federal Information Processing Standards Publication 87, Guidelines for ADP Contingency Planning. National Bureau of Standards, March 1981.

Fiedler, David and Hunter, Bruce M. UNIX System Administration. Hayden Books, 1987.

Fisher, M.J. "New Security Device "Fingers" Culprit." MIS Week vol 6 no. 35, September 1985, p. 12. This article describes a new product that uses a fingerprint device to verify a user's identity and then allow access to the computer system.

Fisher, Sharon. "DARPA Sets Up Response Teams to Tackle ARPANET Emergencies." InfoWorld, March 20, 1989, p. 43.

Fitzgerald, Jerry. Business Data Communications: Basic Concepts, Security, and Design. John Wiley and Sons, Inc., 1984.

Flach, Joseph P. "Increasing Programming Efficiency While Preventing the "F" Word." Data Processing & Communications Security vol 11 no. 4, Fall 1987, pp. 15-17. This article gives examples of ways to identify fraudulent code in a production program.

Flynn, L. "Data Security: How Much is Too Much?" InfoWorld, March 20, 1989, pp. 41-43.

Fong, Elizabeth. A Data Base Management Approach To Privacy Act Compliance. NBS SPEC PUB 500-10, June 1977. Discusses how commercially available data base management systems can be used to implement Privacy Act requirements for the handling of personal data.

Forensic Accounting Review. Monthly newsletter from Computer Protection Systems, Inc., 150 N. Main Street, Plymouth, MI 48170, (313) 459-8787. $110.00 annually. This newsletter takes an in-depth look at the problems of computer fraud and provides possible solutions.

Gait, Jason. Maintenance Testing For The Data Encryption Standard. NBS SPEC PUB 500-61, August 1980. Describes four tests that can be used by manufacturers and users to check the operation of data encryption devices. These tests are simple, efficient, and independent of the implementation of the Data Encryption Standard (FIPS 46).

Gait, Jason. Validating The Correctness Of Hardware Implementations Of The NBS Data Encryption Standard. NBS SPEC PUB 500-20, November 1977. Describes the design and operation of the NBS testbed that is used for the validation of hardware implementations of the Data Encryption Standard (DES). This report provides the full specification of the DES algorithm, a complete listing of the DES test set and a detailed description of the interface to the testbed.

GAO. "Financial Integrity Act: Actions Needed to Correct ADP Internal Control Weaknesses."

GAO. "Computer Security: Compliance with Training Requirements of the Computer Security Act of 1987."

Gasser, Morrie. Building a Secure Computer System. Van Nostrand Reinhold, New York, 1988.

Gaydasch, Alexander. "Postimplementation Audits: A Quick, Easy Approach." Data Management, February 1983, pp. 54, 55, 69. This article describes post-implementation audits and how they help to determine whether a computer system has met its original criteria.

Gazarek, Kenneth F. "Cabinets for Electromagnetic Interference/Radio-Frequency Interference and TEMPEST Shielding." Data Processing & Communications Security vol 9 no. 6, July/August 1985, pp. 12-13. This article discusses electromagnetic interference and radio-frequency interference control options, and designing and building metal cabinets that provide effective shielding.

Gligor, V.D. "On the Design and the Implementation of Secure Xenix Workstation." IEEE Symposium on Security and Privacy, April 1987.

Glossary For Computer Systems Security. FIPS PUB 39, February 1974. A reference document, for use in evaluating the security of computer systems, containing approximately 170 terms and definitions pertaining to privacy and computer security.

Goldstein, Bruce. "Information Security: The Information Resource Management Approach." Data Processing & Communications Security vol 8 no. 5, May/June 1984, pp. 18-22. This article addresses information as an asset that must be protected like any other asset. It also discusses information resource management as providing the framework for a comprehensive information security program.

Grampp, F.T. and Morris, R. H. "UNIX Operating System Security." AT&T Bell Laboratories Technical Journal, October 1984.
Guidelines For Adp Contingency Planning FIPS PUB 87 March 1981 Describes what should be considered when developing a contingency plan for an ADP facility. Provides a suggested structure and format which may be used as a starting point from which to design a plan to fit each specific operation. Guidelines For Adp Physical Security And Risk Management June 1974 FIPS PUB 31 Provides guidance to Federal organizations in developing physical security and risk management programs for their ADP facilities. Covers security analysis, natural disasters, failure of supporting utilities, system reliability, procedural measures and controls, protection of off-site facilities, contingency plans security awareness, and security audit. Can be used as a checklist for planning. Guidelines For Automatic Data Processing Risk Analysis FIPS PUB 65 August 1979 Presents a technique for conducting a risk analysis of an ADP facility and related assets. Provides guidance on collecting, quantifying, and analyzing data related to the frequency of caused by adverse events. This guideline describes the characteristics and attributes of a computer system that must be known for a risk analysis and gives an example of the risk analysis process. Guideline For Computer Security Certification And Accreditation FIPS PUB 102 September 1983 Describes how to establish and how to carry out a certification and accreditation program for computer security. Certification consists of a technical evaluation of a sensitive system to see how well it meets its security requirements. Accreditation is the official management authorization for the operation of the system and is based on the certification process. Guideline On Electrical Power For Adp Installations FIPS PUB 94 September 1982 Provides information on factors in the electrical environment that affect the operation of ADP systems. 
Describes the fundamentals of power, grounding, life-safety, static electricity, and lightning protection requirements, and provides a checklist for evaluating ADP sites. Guidelines On Evaluation Of Techniques For Automated Personal Identification FIPS PUB 48 April 1977 Discusses the performance of personal identification devices, how to evaluate them and considerations for their use within the context of computer system security. Guidelines For Security Of Computer Applications FIPS PUB 73 June 1980 Describes the different security objectives for a computer application, explains the control measures that can be used, and identifies the decisions that should be made at each stage in the life cycle of a sensitive computer application. For use in planning, developing and operating computer systems which require protection. Fundamental security controls such a data validation, user identity verification, authorization, journalling, variance detection, and encryption are discussed. Guidelines For Implementing And Using The Nbs Data Encryption Standard FIPS PUB 74 April 1981 Provides guidance for the use of cryptographic techniques when such techniques are required to protect sensitive or valuable computer data. For use in conjunction with FIPS PUB 46 and FIPS PUB 81. Guidelines On Integrity Assurance And Control In Database Applications FIPS PUB 88 August 1981 Provides explicit advice on achieving database integrity and security control. Identifies integrity and security problems and discusses procedures and methods which have proven effective in addressing these problems. Provides an explicit, step-by-step procedure for examining and verifying the accuracy and completeness of a database. 
Guidelines On User Authentication Techniques For Computer Network Access Control FIPS PUB 83 September 1980 Provides guidance in the selection and implementation of techniques for authenticating the users of remote terminals in order to safeguard against unauthorized access to computers and computer networks. Describes use of passwords, identification tokens, verification by means of personal attributes, identification of remote devices, role of encryption in network access control, and computerized authorization techniques. Hagopian, Greg "Planning and Implementing a Security Package." Data Processing & Communications Security vol 10 no. 4 Fall 1986 pp. 17-20 This article discusses vendor selection and legal issues. Harris, N.L. "Rigid Administrative Procedures Prevent Computer Security Failure." Data Management vol 22 no. 12 December 1984 pp. 13-14, 16 The best way to keep a security program from failing is the use of strict administrative procedures. This article also discusses why some systems fail. Harrison, M.A. and Ruzzo, W.L. Protection in Operating Systems Comm of the ACM, Aug 1976. Helsing, Cherly W. "Disaster Recovery Options." Security vol 24 no. 7 July 1987 pp. 100-103 This article has suggestions on how to find a recovery plan that fits your firm without damaging your profits. Highland, Harold J. "From the Editor -- Computer Viruses." Computers & Security, Aug 1987. Holtzman, Henry "Keeping Your Offices Safe and Sound" Modern Office Technology, May 1985 pp 92 ff. Highland, Harold J. Protecting Your Microcomputer System. John Wiley & Sons, Inc. N.Y.1984 Horgan, J. "Thwarting The Information Thiefs." IEEE Spectrum vol 22 no. 7 July 1985 pp. 30-41 Many organizations are protecting their communication output from electronic interception by trying to detect and foil the surveillance using a variety of methods. Hutton's Building System and Controls Catalog From Hutton Publishing Co., Inc. 
1988 Environmental Security Free This catalog provides a wide variety of environmental computer security related products and services. Industrial Security Letter Irregular Newsletter From Defense Investigative Service Directorate for Industrial Security 1900 Half Street, SW Washington, D.C. 20324 Free to qualified readers. This newsletter provides operating procedures for the Defense Industrial Security Program (DISP) operations at cleared facilities. Inglesby, Tom "Fighting Flash 'n' Flicker" Infosystems November, 1984, pp 88 ff. Internal Auditor Bimonthly Journal From Institute of Internal Auditors 249 Maitland Avenue Altamonte Springs, FL 32701 (305) 830-7600 $24.00 Annually This journal looks at techniques and principles of internal control and auditing. Israel, Howard "Computer Viruses: Myth or Reality?". Proceeding of the 10th National Computer Security Conference, Gaithersburg MD, Sept 1987. Isaac, Irene Guide On Selecting Adp Backup Process Alternatives NBS SPEC PUB 500-134 November 1985 Discusses the selection of ADP backup processing support in advance of events that cause the loss of data processing capability. Emphasis is placed on management support at all levels of the organization for planning, funding, and testing of an alternate processing strategy. The alternative processing methods and criteria for selecting the most suitable method are presented, and a checklist for evaluating the suitability of alternatives is provided. Jackson, Carl B. "Passwords: Comments from the Information Systems Security Association." Security vol 24 no. 7 July 1987 pp. 105 Discusses relevant security issues and how to bring an appropriate degree of LAN information security to your organization. Johnson, B. "Criminal Minds Keep Pace with Technology. Stop, Thief!." Computerworld vol 15, 16 no. 52, 1 December 28, 1981, January 4, 1982 pp. 
This article looks at some of the common problems that the DP industry faces today including computer security, asset protection, and computer fraud prevention. Johnston, R.E. "What You Need To Know." Infosystems vol 32 no. 1 January 1985 pp. 56 Outlined in this article are those things that should be considered when establishing a computer security program or updating an existing program. Johnston, Stuart J. "Microsoft OS/2 LAN Manager: Network Access Control Issues Remain" InfoWorld, March 20, 1989, p. 42. Jordan, Halmuth "The Search for Privacy." Security Management vol 31 no. 11 November 1987 pp. 32-36 This article focuses on some of the difficulties the legal profession is having by looking at American and West German law regarding electronic surveillance. Joseph, Mark K. "Toward the Elimination of the Effects of Malicious Logic: Fault Tolerance Approaches" Proceeding of the 10th National Computer Security Conference, Gaithersburg MD, Sept 1987 Journal of the National Classification Management Society Annually Journal From National Classification Management Society, Inc. 6116 Roseland Drive Rockville, MD 20852 (301) 231-9191 Free to Members Only Identifies communications and information processing systems their vulnerabilities and a range of methods for improving the security of these systems. Karser, Paul A. "Limiting the Damage Potential of Discretionary Trojan Horses" Proceedings of the Symposium on Security and Privacy 1987 Oakland CA, Published by the IEEE. Kluepfel, Henry M. "Computer Security for the Abuser Friendly Environment." Data Processing & Communications Security vol 9 no. 2 November/December 1984 pp. 16-20 This article discusses the underlying lack of adequate controls in computer systems and their relation to computer abuse and crime. Koelle, Jim "What's in the Cards?." Security vol 23 no. 12 December 1986 pp. 
42-44, and 46 This article discusses microchips and how they promise to revolutionize access card technology with fast, calculating, and advanced memories. Kontur, J.S. and Letham, L. "Locking Up System Security." Electronic Week vol 58 no. 7 February 18, 1985 pp. 68-72 This article describes a system that cannot be broken into by unauthorized users. It uses a random-number generator and encryption logic. Korzeniowski, P. "Security Dynamics Releases Two-Part Security System." Computerworld vol 19 no. 42 October 1985 pp. 19, 23 This article discusses a product Security Dynamics has designed that is an inexpensive security protection device which keeps hackers out of systems. Korzeniowski, P. "ADAPSO Making Progress on Software Protection Device." Computerworld vol 19 no. 24 June 1985 pp. 8 This article discusses how the Association of Data Processing Service Organizations (ADAPSO) is getting ready to announce its progress in creating a software authorization mechanism. Kull, D. "How to Make Even E.F. Hutton Listen." Computer Decisions vol 17 no. 18 September 1985 pp. 42-50 The most effective way for an organization to prevent breaches in a computer system is to plug the holes that have already been used to violate the system and identify the intruders. Lapid, Ahituv, and Newmann "Approaches to Handling 'Trojan Horse' Threats" Computer & Security Sept 1986. LaPlante, Alice "Study Finds IS Managers Are More People-Oriented" InfoWorld, March 20, 1989, p.5 Lasden, Martin "Computer Crime." Computer Decisions vol no. June 1981 pp. 104-106, 108 112, 116, 118, 120, 122, 124 This article discusses actual computer crimes that have taken place and the factors that escalate the risk of an organization from these types of crime. Lemke, Fred H. "Blackouts and Computer Power Protection." Data Processing & Communications Security vol 12 no. 2 Spring 1988 pp. 
19-23 This article is a study that was taken to see emerging patterns of blackouts that may be useful in helping evaluate your level of blackout vulnerability and then set up appropriate levels of power protection for your electronic systems. Lemke, Fred H. "Computer Power Protection." Data Processing & Communications Security vol 8 no. 4 March/April 1984 pp. 31-33 This article gives examples of how to protect your facility against the harmful effects of an electrical power outage. Leuser, K.G. "Security Programs: Only as Good as We Make Them." Office vol 100 no. 2 August 1984 pp. 91-92 Discusses how an effective security program helps to foil or discourage people with dishonest intentions. Looks at the office administrator's domain to identify areas of potential vulnerability. Levitt, Karl N., Peter Neumann, and Lawrence Robinson The SRI Hierarchical Development Methodology (HDM) And Its Application To The Development Of Secure Software October 1980 NBS SPEC PUB 500-67 Describes the SRI Hierarchical Development Methodology for designing large software systems such as operating systems and data management systems that must meet stringent security requirements. Linden, Jack "Automated EDP Risk Analysis and Management." Data Processing & Communications Security vol 9 no. 1 September/October 1984 pp. 16-18 This article gives a cost effective first step in developing a successful computer security program using a cost benefit analysis approach. Lobel, J. "Third Decade of Concern." Computerworld vol 16 no. 6 February 8, 1982 pp. 1D/31-34 & 36 The author looks at some of the issues associated with distributed data processing including privacy, crime, and security. Longley, Dennis and Shain, Michael. Data and Computer Security Lucas, D. "The Invisible Enemy." Business Computing and Communication vol no. February 1985 pp. 18-20 This article describes how home computer users are breaking into some of Britain's mainframe computers. 
Various procedures that can protect against intrusion are also discussed by the author. Lundell, Allan. A video based on his book VIRUS! called VIRUS! The Video. Write him at 175 Flintrock Lane, Ben Lomond, CA 95005. McCarthy, Charles J. "Passwords." Data Processing & Communications Security vol 10 no. 4 Fall 1986 pp. 13-14 This article discusses the two primary password configurations passwords defined by user, and passwords assigned to a user. It shows the differences between these two from a security view. McGowan, Kevin J. "Computer Power Protection." Data Processing & Communications Security vol 9 no. 5 May/June 1985 pp. 21-25 This article looks at understanding AC power conditions in data processing site preparation and its criticality for preventing future computer downtime and disruptions. McKibbin, W.L. "Who Gets The Blame For Computer Crime." Infosystems vol 30 no. 7 July 1983 pp. 34-36 MIS managers are ultimately responsible for the security of their computers. Since they are responsible they should make sure upper management is aware of the vulnerabilities of their computers. McLellan, Vin "Computer Systems Under Siege" The New York Times, January 31, 1988. Meason, Robert "System Security at the Terminal." Data Processing & Communications Security vol 10 no. 4 Fall 1986 pp. 16-17 This article discusses considerations of MIS management protection of the processor from access by unauthorized users. Menkus, Belden "Agencies Fail to Appreciate Threat to Data Security" Government Computer News, April 29, 1988, p. 36. Miskiewicz, J. "DP Security: A Delicate Balance." Computer Decisions vol 17 no. 8 April 1985 pp. 104-106 This article discusses the delicate balance between protecting vital resources in a data processing facility and enhancing productivity. Minoli, D. "Backup Needs Merit Special Attention." Computerworld vol 19 no. 15 April 1985 pp. 
91, 96 This article focuses on the merits of backing up a data center to prevent a major disaster from critically affecting a company. Moore, Gwendolyn B., John L. Kuhns, Jeffrey L. Treffzs and Christine A. Montgomery Accessing Individual Records From Personal Data Files Using Nonunique Identifiers NBS SPEC PUB 500-2 February 1977 Analyzes methodologies for retrieving personal information using nonunique identifiers such as name, address, etc. This study presents statistical data for judging the accuracy and efficiency of various methods. Moulton, R. "Prevention: Better Than Prosecution." Government Data Systems vol 10 no. 6 November/December 1981 pp. 20 & 22-23 The focus of this paper is on deterrence of computer abuse, whether it is unintentional or intentional. Munro, N. & Danca, R.A. "Federal Officials Puzzled by Computer Virus Attacks", Government Computer News, April 29, 1988. Murray, W.H. "Security Considerations for Personal Computers," IBM System Journal, Vol. 23, No. 3 (1984), pp. 297-304. Murray, W.H. "Security Risk Assessment in Electronic Data Processing Systems," IBM Publication Number G320-9256-0 (1984). Murray, W.H. "Good Security Practices for Information Systems Networks," IBM Publication Number G360-2715-0 (1987). Murray, W.H. "An Executive Guide to Data Security," IBM Publication Number G320-5647-0 (1975). Murray, W.H. "Security, Auditability, System Control Publications Bibliography," IBM Publication Number G320-9279-2 (1987). Muzerall, Joseph V. and Carty, Thomas J. "COMSEC and Its Need for Key Management." Data Processing & Communications Security vol 11 no. 2 Spring 1987 pp. 11-14 This article explains the establishment of a standard set of protection mechanisms for both the classified and private user communities. Mylott, T.R. "Computer Security and the Threats from Within." Office vol 101 no. 3 March 1985 pp. 45-46, 190 This article explains that the greatest computer-related danger to a company may be from internal threats by employees. 
National Computer Security Center, Personal Computer Security Considerations December, 1985. NCSC-WA-002-85.
National Institute of Justice NIJ Reports Bimonthly Journal From National Criminal Justice Reference Service Box 6000 Rockville, MD 20850 (301) 251-5500 Free to registered users of the NIJ. This journal provides summaries of research reports to help keep you up to date with advances in the field of criminal justice.
NBS Special Publication 500-120. Security of Personal Computer Systems: A Management Guide. National Bureau of Standards, Jan 1985.
Neugent, William, John Gilligan, Lance Hoffman, and Zella G. Ruthberg Technology Assessment: Methods For Measuring The Level Of Computer Security October 1985 NBS SPEC PUB 500-133 The document covers methods for measuring the level of computer security, i.e. technical tools or processes which can be used to help establish positive indications of security adequacy in computer applications, systems, and installations. The report addresses individual techniques and approaches, as well as broader methodologies which permit the formulation of a composite measure of security that uses the results of these individual techniques and approaches.
Nicolai, Carl "Encryption Decyphered." Computers and Electronics, June 1984, pp 64 ff.
NIST Special Publication 500-166. Computer Viruses and Related Threats: A Management Guide. National Institute of Standards and Technology, Aug 1989. Available from Superintendent of Documents, U.S. Government Printing Office, Washington, D.C. 20402. Order by stock no. 003-003-02955-6 for $2.50 prepaid. Editors and reporters can get a copy from the NIST Public Information Division, 301/975-2762. The guide is intended to help managers prevent and deter virus attacks, detect when they occur, and contain and recover from an attack. It provides general guidance for management and users, plus more specific guidance for multi-user computer environments and for personal computer environments. It also contains a list of suggested readings.
Orceyre, Michel J. and Robert H. Courtney, Jr. Edited by Gloria R. Bolotsky Considerations In The Selection Of Security Measures Of Automatic Data Processing Systems NBS SPEC PUB 500-33 Details methods and techniques for protecting data processed by computer and transmitted via telecommunications lines. This report identifies the controls that can be instituted to protect ADP systems when risks and potential losses have been identified.
Parker, D.B. "The Many Faces of Data Vulnerability." IEEE Spectrum vol 21 no. 5 May 1984 pp. 46-49 Discussed in this paper are both the need for new computer security methods and the attainable limits that can be reached by computer security.
Parker, T. "Public domain software review: Trojans revisited, CROBOTS, and ATC." Computer Language, April 1987.
Patrick, Robert L. Performance Assurance And Data Integrity Practices January 1978 NBS SPEC PUB 500-24 Details practices and methods that have been successful in preventing or reducing computer system failures caused by programming and data errors. The methods described cover large data processing applications, scientific computing applications, programming techniques and systems design.
Personal Identification News Monthly Newsletter From Personal Identification News P.O. Box 11018 Washington, DC 20008 (202) 364-8586 $265.00 Annually This newsletter discusses advanced access control technologies, including plastic cards, authentication, and biometrics.
Pieper, Oscar R. "Voice Authentication Wages A War on Data Base Fraud." Data Processing & Communications Security vol 8 no. 6 July/August 1984 pp. 12-13 This article reviews the present state of voice authentication technology and how it applies to securing data bases from bogus intruders.
Police & Security Bulletin Monthly Newsletter From Lomond Publications P.O. Box 88 Mt. Airy, MD 21771 (301) 829-1496 $72.00 Annually This newsletter is designed for specialists in law enforcement, criminal justice and security.
Power, Kevin "Over Half of Agencies Meet Security Training Deadline." Government Computer News, May 15, 1989, p. 85.
Pozzo, M.M., Gray, T.E. "An approach to containing computer viruses." Computers & Security, Aug 1987.
Pozzo, M.M., Gray, T.E. "Managing Exposure to Potentially Malicious Programs." Proceedings of the 9th National Computer Security Conference, Gaithersburg MD, Sept 1986.
Privacy Journal Monthly Journal From Privacy Journal P.O. Box 15300 Washington, DC 20003 (202) 547-2865 $89.00 Annually This journal looks at privacy issues and how they relate to all levels of government and the private sector.
Pujals, J.M. "What is a Contingency Plan?" Data Processing & Communications Security vol 12 no. 1 Winter 1988 pp. 19-23 This article tells how to construct a contingency plan and goes over the major mandatory steps that have to be taken to end up with a workable product.
Raimondi, D. "E.F. Hutton Underscores Practicality in Backup Plan." Computerworld vol 19 no. 15 April 1985 pp. 19 Describes how E.F. Hutton has built a new computer room as part of its disaster recovery plan.
Rames, David "Recovering From Disasters." Computer Decisions vol no. September 1981 pp. 108-110, 112, 114, 120, 122, 124, 126-131, 188-189 Described in this article are criteria for developing an emergency backup plan and examples of emergency backup alternatives.
Reber, Jan "The Essence of Industrial Espionage." Data Processing & Communications Security vol 10 no. 1 Winter 1986 pp. 24-25 This article discusses understanding espionage through a characteristic all spies have in common: "access to the target".
Reeds, J. A. and Weinberger, P. J. "File Security and the UNIX System Crypt Command." AT&T Bell Laboratories Technical Journal, Oct 1984.
Reid, T. R. "Fending Off a 'Computer Virus' Means Taking Only a Few Precautions." Washington Post, Feb 15, 1988.
Rhodes, B. "Micro Security That Makes Sense." Computer Decisions vol 17 no. 9 May 1985 pp. 72, 74-76 This article describes security procedures that can be used by employees to solve microcomputer security problems.
Risk Management Manual (3 Volumes) From The Merrit Company 1985 (Bimonthly Supplements) Risk Management $283.00 This manual provides easy-to-understand fundamentals and specifics for initiating and maintaining a risk management program.
Roberts, J.E. "Filing Software Copyrights." Computerworld vol 19 no. 36 September 1985 pp. 116 This article describes how copyrighting software is accomplished and what copyrighted software means.
Roberts, Ralph. Computer Viruses. COMPUTE! Publications Inc., 1989.
Rosch, W. "Three Products Help Cork Computer Leaks, Feature Blocked Access, Disk-File Encryption." PC Week vol 2 no. 18 May 1985 pp. 122-124 This article discusses a trio of products to help prevent unauthorized access to a computer system.
Rosch, Winn L. "Internal Security." PC Week May 7, 1985 pp 89 ff.
Rosen, Richard D. and Dvorsky, James "Portable Data Carrier Technology." Data Processing & Communications Security vol 12 no. 1 Winter 1988 pp. 9-19 This article presents an overview of the general field of portable data carrier technology. Included are not only smart cards but other devices and systems that are beginning to emerge in the marketplace.
Rosenthal, Lynne S. Guideline on Planning and Implementing Computer Systems Reliability NBS SPEC PUB 500-121 January 1985 This report presents guidance to managers and planners on the basic concepts of computer system reliability and on the implementation of a management program to improve system reliability. Topics covered include techniques for quantifying and evaluating data to measure system reliability, designing systems for reliability, and recovery of a computer system after it has failed or produced erroneous output. An appendix contains references and a list of selected readings.
Ruder, Brian and J. D. Madden An Analysis Of Computer Security Safeguards For Detecting And Preventing Intentional Computer Misuse January 1978 NBS SPEC PUB 500-25 Analyzes 88 computer safeguard techniques that could be applied to recorded actual computer misuse cases. Presents a model for use in classifying and evaluating safeguards as mechanisms for detecting and preventing misuse.
Ruthberg, Zella G. Audit And Evaluation Of Computer Security II: System Vulnerabilities And Controls April 1980 NBS SPEC PUB 500-57 Proceedings of the second NBS/GAO workshop to develop improved computer security audit procedures. Covers eight sessions: three sessions on managerial and organizational vulnerabilities and controls and five technical sessions on terminals and remote peripherals, communication components, operating systems, applications and non-integrated data files, and data base management systems.
Ruthberg, Zella and Bonnie Fisher Work Priority Scheme For EDP Audit And Computer Security Review August 1986 NBSIR 86-338 This publication describes a methodology for prioritizing the work performed by EDP auditors and computer security reviewers. Developed at an invitational workshop attended by government and private sector experts, the work plan enables users to evaluate computer systems for both EDP audit and security review functions and to develop a measurement of the risk of the systems. Based on this measure of risk, the auditor can then determine where to spend review time.
Ruthberg, Zella and Robert McKenzie (editors) Audit And Evaluation Of Computer Security October 1977 NBS SPEC PUB 500-19 Reports on the recommendations of audit and computer experts to improve computer security audit procedures. Subjects covered include audit standards, administrative and physical controls, program and data integrity, and audit tools and techniques.
Ruthberg, Zella G. and William Neugent Overview Of Computer Security Certification And Accreditation April 1984 NBS SPEC PUB 500-109 This publication is a summary of and a guide to FIPS PUB 102, Guideline to Computer Security Certification and Accreditation. It is oriented toward the needs of ADP policy managers, information resource managers, ADP technical managers, and ADP staff in understanding the certification and accreditation process.
Rutz, Frank "DOD Fights Off Computer Virus." Government Computer News, Feb 5, 1988.
Samuel, J. "Defense Net Broken Into - Again." Communications Week, December 5, 1988, p. 1.
Schabeck, Timothy A. Computer Crime Investigation Manual From Assets Protection 1980 Abuse/Misuse/Crime $39.95 Clear and precise overview of computer hardware, software, operations, and job functions.
Schiller, Michael "Security at the Touch of a Finger." Data Processing & Communications Security vol 9 no. 6 July/August 1985 pp. 15-17 This article discusses using biometric security systems as high-tech solutions to access control problems.
Schmonsees, Robert J. "Identification and Authentication: The Security Challenge of the 80's." Data Processing & Communications Security vol 9 no. 4 March/April, 1985 pp. 22-23 This article discusses the computer security issues of identification and authentication, showing the common problems and offering some suggestions for improvement through random passcodes.
Schnaidt, Patricia. "Fasten Your Safety Belt." LAN Magazine, Oct 1987.
Schriever, Joe F. "Structuring for Security." Data Processing & Communications Security vol 9 no. 1 September/October 1984 pp. 14-16 This article is a set of guidelines that will remove ambiguities as to what will be done by whom to provide system security.
Schweig, Barry B. "Decision Matrix: A Risk Handling Decision Aid." Data Processing & Communications Security vol 8 no. 4 March/April 1984 pp. 16-18 This article discusses conceptualizing a decision matrix as an integral component of a risk management process.
Scoma, Louis "How Secure Is Your Computer Operation From A Disaster." Office vol no. August 1981 pp. 96, 98 The failures of companies to protect their computer centers are discussed, along with the need for recovery systems to serve as backup security.

Security Monthly Magazine From Cahners Publishing Company 275 Washington Street Newton, MA 02158 (617) 964-3030 Free to qualified readers. This magazine is written for the industrial and commercial loss-prevention specialist.

Security Awareness Bulletin Irregular Bulletin From Department of Defense Security Institute (DoDSI) C/O Defense General Supply Richmond, VA 23297-5091 Free Discusses security awareness and compliance with security procedures through dissemination of information to security trainers.

Security Dealer Monthly Magazine From PTN Publishing Co. 210 Crossways Park Drive Woodbury, NJ 11797 (517) 496-8000 $10.00 Annually This magazine contains articles relating to security products and general security procedures.

Security Distributing & Marketing Monthly Magazine From Cahners Publishing Company 275 Washington Street Newton, MA 02158 (617) 964-3030 Free to qualified readers. This magazine is written for dealers, distributors, and installers of loss prevention equipment, including crime and fire prevention and detection products and services.

Security Letter Biweekly Newsletter From Security Letter, Inc. 166 East 96th Street New York, NY 10128 (212) 348-1553 $147.00 Annually This newsletter looks at industrial and commercial security, and emphasizes not only corporate security planning but also physical security systems and personnel security.

Security Management Monthly Magazine From American Society for Industrial Security 1655 N. Ft. Myer Drive Suite 1200 Arlington, VA 22209-3198 (703) 522-5800 $65.00 Annually This magazine is written for managers in charge of both security and loss prevention.
Security Systems Monthly Magazine From PTN Publishing Company 210 Crossways Park Drive Woodbury, NJ 11797 (516) 496-8000 Free to qualified readers. This magazine covers topics of interest to the professional security director: industrial, governmental, institutional, or retail.

Security Systems Digest Biweekly Digest From Washington Crime News Service 7043 Wimsatt Road Springfield, VA 22151-4070 (703) 941-6600 $95.00 Annually This digest provides news on the latest developments in security systems.

Shaw, James K. and Stuart W. Katzke Executive Guide To ADP Contingency Planning July 1981 NBS SPEC PUB 500-85 This document provides, in the form of questions and answers, the background and basic essential information required to understand the developmental process for automatic data processing (ADP) contingency plans. The primary intended audience consists of executives and managers who depend on ADP resources and services, yet may not be directly responsible for the daily management or supervision of data processing activities or facilities.

Shoch, J. F. and Hupp, J. A. "The 'Worm' Programs: Early Experience with a Distributed Computation". Communications of the ACM, Mar 1982.

Shabeck Computer Crime Investigation A comprehensive manual for investigating computer crimes. 380 pp $39.95 Computer Protection Systems.

Shabeck Emergency Planning Guide for Data Processing Centers Provides information necessary for preparing an effective emergency/disaster plan for your organization. 92 pp $10. Computer Protection Systems.

Shabeck Managing Microcomputer Security Addresses security in a wide variety of micro settings. 180 pp $25. Computer Protection Systems.

Shannon, Terry C., Technical Editor Computer Security Handbook: The Practitioner's "Bible" From Computer Security Institute 1985 General Security $95.00 Contains a number of articles and technical papers dealing with computer security issues such as training and security safeguards.
Sharp, Brown "Computer Viruses Invade a Low-Immunity Congress." Government Computer News, September 4, 1989, p. 11.

Shoop, Tom & David J. Stang "Beating Back a Virus Attack" Government Executive, April, 1990, p. 40 ff.

Smid, Miles E. A Key Notarization System For Computer Networks October 1979 NBS SPEC PUB 500-54 Describes a system for key notarization which, used with an encryption device, improves data security in computer networks. The key notarization system can be used to communicate securely between two users, communicate via encrypted mail, protect personal files, and provide a digital signature capability.

Software Protection Monthly Journal From Law and Technology Press P.O. Box 3280 Manhattan Beach, CA 90266 (213) 470-9976 $187.00 This journal covers current developments in software protection methods, products, and services.

Spafford, Eugene H. "The Internet Worm Program: An Analysis". Purdue Technical Report CSD-TR-823, Nov 28, 1988.

Srinivasan, C.A. and Dascher, P.E. "Computer Security and Integrity: Problems and Prospects." Infosystems vol 28 no. 5 May 1981 5 pages Various aspects of computer security are discussed, including data security, data privacy, data integrity, etc.

Standard On Computer Data Authentication FIPS PUB 113 May 1985 This standard specifies a Data Authentication Algorithm (DAA) which, when applied to computer data, automatically and accurately detects unauthorized modifications, both intentional and accidental. Based on the Data Encryption Standard (DES), this standard is compatible with requirements adopted by the Department of Treasury and the banking community to protect electronic fund transfer transactions.
Standard On Password Usage FIPS PUB 112 May 1985 This standard defines ten factors to be considered in the design, implementation and use of access control systems that are based on passwords. It specifies minimum security criteria for such systems and provides guidance for selecting additional security criteria for password systems which must meet higher security requirements.

Stang, David J. Computer Security National Computer Security Association, Washington, D.C. 1990. Revised every three months or more often.

Stang, David J. Computer Viruses National Computer Security Association, Washington, D.C. 1990. Revised every three months or more often.

Stang, David J. Defend Your Data! A Guide to Data Recovery National Computer Security Association, Washington, D.C. 1990. Revised every three months or more often.

Stang, David J. "How to Sell Data Integrity" Reseller Management, March 1990, p. 131 ff.

Stang, David J. "PC Viruses: The Desktop Epidemic" The Washington Post, January 14, 1990, p. B3.

Steinauer, Dennis D. Security Of Personal Computer Systems - A Management Guide NBS SPEC PUB 500-120 This publication provides practical advice on the following issues: physical and environmental protection; system and data access control; integrity of software and data; backup and contingency planning; auditability; communications protection. References to additional information, a self-audit checklist, and a guide to security products for personal computers are included in the appendices.

Stieglitz, M. "Security For Shared Resources." Micro Communications vol 2 no. 6 June 1985 pp. 19-26 This article discusses data security products and procedures for network use. Includes descriptions of encryption techniques that are now popular.

Sugawara, S. "Report Says Computers Are at Risk. Government Told to Tighten Security" The Washington Post, November 22, 1988, p. C1, C2.

Taft, Darryl K. "Computer Security Center Sees Opportunity in UNIX" Government Computer News, September 4, 1989, p. 68.

Thompson, Ken. "Reflections on Trusting Trust (Deliberate Software Bugs)" Communications of the ACM, Vol 27, Aug 1984.

Tinto, Mario. "Computer Viruses: Prevention, Detection, and Treatment." National Computer Security Center C1 Tech. Rpt. C1-001-89, June 1989.

Troy, Eugene F. Security For Dial-up Lines May 1986 NBS SPEC PUB 500-137 Ways to protect computers from intruders via dial-up telephone lines are discussed in this guide. Highlighted are hardware devices which can be fitted to computers or used with their dial-up terminals to provide communications protection for non-classified computer systems. Six different types of hardware devices and the ways that they can be used to protect dial-up computer communications are described. Also discussed are techniques that can be added to computer operating systems or incorporated into system management or administrative procedures.

U.S. Government Telecommunications: General Security Requirements for Equipment Using the Data Encryption Standard Federal Standard 1027.

Vernick, Paul R. "Providing Data Processing Recovery Backup." Data Processing & Communications Security vol 9 no. 4 March/April, 1985 pp. 14-16 This article covers some of the major emergency and recovery planning options available that need to be considered prior to the occurrence of any serious emergency.

Walsh, Timothy J. and Healy, Richard J. Protection of Assets (4 Volumes) From The Merrit Company 1974 (Updated Monthly) General Security $285.00 This manual helps you design and maintain an effective, cost-saving, ongoing program for total assets protection.

Weber, A. "Effective Security Programs Start with Awareness." Data Management vol 23 no. 11 November 1985 pp. 34-35 Educating end users is the key to helping prevent crime and computer abuse in an organization.

Weixel, S. "Most accidents happen when companies neglect the basics." ComputerWorld, March 13, 1989, p. 83.

Weller, Reginald H. "Off-Site Data Storage: A Changing Industry." Data Processing & Communications Security vol 9 no. 5 May/June 1985 pp. 18-20 This article discusses selecting a backup site while meeting the criteria of integrity, reliability, access, reasonable cost, appropriate location, good security, and comprehensive insurance coverage.

Westin, Alan F. ERS, Personnel Administration, And Citizen Rights NBS SPEC PUB 500-50 July 1979 Reports on the impact of computers on citizen rights in the field of personnel record keeping. This study traces the changing patterns of employment and personnel administration and examines the trends in computer use in personnel administration. It recommends policy actions to guide the management of personnel systems that respect citizen rights.

White, Steve, David Chess, & Jimmy Kuo "Coping with Computer Viruses and Related Problems" IBM, Thomas J. Watson Research Center, Distribution Services F-11 Stormytown, Post Office Box 218, Yorktown Heights, New York 10598. 1989.

White, L. "Data Security - You Can't Work Without It." Computerworld vol 19 no. 11A March 1985 pp. 27-30 The problem of the disgruntled employee or ex-employee who sabotages a computer system is seen as more of a threat than an outside hacker.

Withrow, J.B. Security Handbook for Small Computer Users From National Technical Information Service April 1985 Microcomputer Security $13.95 This manual discusses various security issues dealing with small computers and the responsibilities users of small computers have towards security.

Witten, I. H. "Computer (In)security: infiltrating open systems." Abacus (USA) Summer 1987.

Wolbrecht, J.E. "Can Your Records Storage Center Stand a Disaster." Office vol 102 no. 3 September 1985 pp. 112-113 A manager's responsibility to protect a records storage center by recognizing vulnerable areas and making them more secure is discussed.
Wood, Helen The Use Of Passwords For Controlled Access To Computer Resources May 1977 NBS SPEC PUB 500-9 Describes the need for and uses of passwords. Password schemes are categorized according to selection technique, lifetime, physical characteristics and information content. Password protection and cost considerations are discussed. A glossary and annotated bibliography are included.

Wood, Charles Cresson "A New Approach to Computer User Authentication." Data Processing & Communications Security vol 10 no. 4 Fall 1986 pp. 21-26 This article gives a new approach to authentication called dial-guard. It addresses the two problems of passwords/user IDs not providing sufficient security and of identifying the location of dial-up users.

Wood, Charles Cresson "Information Security with One-Way Functions." Data Processing & Communications Security vol 9 no. 5 May/June 1985 pp. 14-16 This article explains how one-way functions can be used to safeguard information that is too sensitive to be protected via encryption.

Wright, J.R. Jr. "User Responsibility for Security." Government Data Systems vol 15 no. 1 December 1985 through January 1986 pp. 52-55 This article looks at the circular "Management of Federal Information Resources" printed by the Office of Management and Budget. This circular provides guidance to Federal managers concerning computer security and the associated responsibilities.

Young, Catherine L. "Taxonomy of Computer Virus Defense Mechanisms" Proceedings of the 10th National Computer Security Conference, Gaithersburg MD, Sept 1987.

Zalud, Bill "Security and DP Cooperate to Attack Computer Crime." Security vol 24 no. 10 October 1987 pp. 52-56, & 58 This article stresses teamwork as computer crime becomes a company fact of life that effectively cuts across a number of functional areas.

Zimmerman, J.S. "P.C. Security: So What's New." Datamation vol 31 no. 21 November 1985 pp. 89-92 This article looks at the problems data security officers are going to encounter even as they implement safeguards for micros.

Zimmerman, J.S. "Is Your Computer Insecure?" Datamation vol 31 no. 10 May 1985 pp. 119-120 This article challenges widely accepted notions concerning computer security. It suggests that people's views should be changed so that the challenge will be making a security system work instead of beating it.

How to order ICST publications

These publications are available through the Government Printing Office (GPO) and the National Technical Information Service (NTIS). The source and price for each publication are indicated. Orders for publications should include the title of the publication, the NBS publication number (Spec. Pub. 000, Tech. Note 000, etc.) and the NTIS or GPO number. You may order at the price listed; however, prices are subject to change without notice. Submit payment in the form of a postal money order, express money order or check made out to the Superintendent of Documents for GPO-stocked documents or to the National Technical Information Service for NTIS-stocked documents.

Mailing addresses are: Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; National Technical Information Service, 5285 Port Royal Road, Springfield, VA 22161.

Telephone numbers for information are: GPO Order Desk: (202) 783-3238; NTIS Orders: (703) 487-4780; NTIS Information: (703) 487-4600.

About FIPS (Federal Information Processing Standards) Publications

FIPS PUBS are sold by the National Technical Information Service (NTIS), U.S. Department of Commerce. A list of current FIPS covering all ICST program areas is available from: Standards Processing Coordinator (ADP), Institute for Computer Sciences and Technology, Technology Building, B-64, National Bureau of Standards, Gaithersburg, MD 20899 (301) 975-2817.