SRA111: Introduction to Security and Risk Analysis

Course Description SRA 111 is an introductory course with a broad focus, spanning primarily the areas of security, risk, and risk analysis. In addition to familiarizing the student with basic security terminology, it will also touch upon social and legal issues, risk analysis and mitigation, crime intelligence and forensics, and information warfare and assurance. This course will motivate students to understand the requirements for security in any government agency or business organization through the use of case studies. Included in this segment are cases related to cyberterrorism, bioterrorism, and critical infrastructure protection. Some concepts to be covered in the area of information security are: confidentiality, integrity, availability, and non-repudiation. Various methods of safeguarding these security concerns will be discussed, such as: single- and multi-factor authentication, encryption, digital signatures, prevention of denial of service attacks, and so forth. This course also covers social and legal issues related to security, in particular identity theft and social engineering. Topics in this section include identity theft, spam, spyware, and adware. This course also covers the basic principles and the approaches to risk analysis. Here students study vulnerability analysis, crime and intelligence analysis, forensics, techniques for risk assessment and risk mitigation. The course will prepare students for more in-depth courses such as SRA 211, SRA 221 and SRA 311. This course will incorporate collaborative and action-learning experiences wherever appropriate. Emphasis will be placed on developing and practicing writing and speaking skills through application of the concepts that define the course.

Course Objectives

Upon completion of the course, the student will:

• Understand basic security concepts, terminology and possible solutions.
• Develop an understanding of the social and legal issues of security and privacy.
• Understand the basics of crime intelligence and forensics analysis.
• Be able to apply risk analysis, evaluation and mitigation methods.
• Understand information warfare and information assurance.
• Have an awareness of current and future trends in information and cyber security.


Class Information

Section: 001
Class Time: MWF 11:00-11:50am
Class Room: Frable 227

About the Instructor

Instructor: Galen A. Grimes, Associate Professor of IST
Office: Frable 213
Office Hours: See faculty website
Phone/Fax: 412-675-9479
E-mail: [email protected]
Web Site: http://www.personal.psu.edu/faculty/g/a/gag5/


Course Materials

• Security Awareness—Applying Practical Security in Your World, 4th Ed. Mark Ciampa Copyright © 2014 Course Technology ISBN-13: 978-1-111-64418-5

• Computer Forensics And Cyber Crime, An Introduction, 3rd Ed. Marjie Britz Copyright © 2013 Pearson/Prentice Hall ISBN-13: 978-0-13-267771-4

• Supplemental reading materials at the discretion of the instructor

• The New York Times (newspaper)


Course Policies

• (Any policies implemented by the instructor or campus).

• Quizzes will be given throughout the semester, at a rate of approximately 1 per chapter. Quizzes will always cover the material covered since the last Quiz or Exam. The quizzes will be combinations of objective and/or short-answer questions. Makeup quizzes will not be given. Any class material missed by the student is the student's responsibility to acquire.

• Students with disabilities. The Pennsylvania State University is committed to providing access to a quality education for all students. Penn State welcomes students with disabilities into the University's educational programs. If a student has a disability-related need for modifications or reasonable accommodations in this course, it is the responsibility of the student to first obtain a University accommodation letter confirming the disability and suggesting appropriate remedies. This letter should be obtained from the campus Disability Contact Liaison. The contact person at Penn State Greater Allegheny is Victoria Garwood (Frable 103, 412-675-9070, [email protected]). Students from other Penn State campuses can find their contact person at http://www.equity.psu.edu/ods/dcl.asp. It is encouraged that students request their accommodation needs early in the semester, and once identified, a reasonable accommodation will be implemented in a timely manner. Students may also access the web site for the Office of Disability Services at University Park for more information: http://www.equity.psu.edu/ods/.

• PSU Statement on Academic Integrity. According to the University Advising Handbook: "Academic integrity is the pursuit of scholarly activity free from fraud and deception, and is the educational objective of this institution. Academic dishonesty includes, but is not limited to cheating, plagiarism, fabrication of information or citations, facilitating acts of academic dishonesty by others, unauthorized possession of examinations, submitting work of another person, or work previously used without informing the instructor, or tampering with the academic work of other students. Any violation of academic integrity will be thoroughly investigated, and where warranted, punitive action will be taken." Students should be aware that standards for documentation and intellectual contribution may depend on the course content and method of teaching, and should consult instructors for guidance.


Tentative Schedule

Week 1
Topic: Introduction to Information Security
Readings:
• Wired Magazine: "Hackers Remotely Kill a Jeep on the Highway—With Me In It", July 21, 2015, http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
• Reuters: "Researcher says can hack GM OnStar app, open vehicle, start engine", July 30, 2015, http://www.reuters.com/article/2015/07/30/us-gm-hacking-idUSKCN0Q42FI20150730
• NPR: All Tech Considered, "Major Flaw In Android Phones Would Let Hackers In With Just A Text", July 27, 2015, http://www.npr.org/sections/alltechconsidered/2015/07/27/426613020/major-flaw-in-android-phones-would-let-hackers-in-with-just-a-text
• VIDEO: Bruce Schneier: The Security Mirage (21:05) [cc/t], http://www.ted.com/talks/bruce_schneier.html
• NPR: On Point, July 26, 2012, "A Trade Show for Hackers—Black Hat Conference", http://onpoint.wbur.org/2012/07/26/hackers

Week 2 (***Labor Day***)
Readings:
• VIDEO: Nerds 2.0 Volume 1, "Networking the Nerds", Part 1 [cc]
• VIDEO: Nerds 2.0 Volume 1, "Networking the Nerds", Part 2 [cc]
Assignments/Tests:
• Discussion Activity 1—Personal Security Risks

Week 3
Topic: Introduction to Security
Readings:
• Chapter 1—Ciampa
• VIDEO: Mikko Hypponen—Fighting Viruses, Defending the Net (17:36) [cc/t], http://www.ted.com/talks/lang/eng/mikko_hypponen_fighting_viruses_defending_the_net.html [VIDEO-MikkoHypponen_2011g.mp4]
• NPR: Marketplace, "How One Hack Got to Engineers with Security Clearance", Sept 10 2013, http://www.marketplace.org/topics/tech/how-one-hack-got-engineers-security-clearances
Assignments/Tests:
• Discussion Activity 2—Malicious Code


Readings (continued):
• NPR: All Things Considered, "Security Firm Hacks a Car With a Text", August 29, 2011 [cc/t], http://www.npr.org/2011/08/29/140042759/security-firm-hacks-a-car-with-a-text
• NPR: All Tech Considered, "With Smarter Cars, The Doors Are Open To Hacking Dangers", July 30, 2013, http://www.npr.org/blogs/alltechconsidered/2013/07/30/206800198/Smarter-Cars-Open-New-Doors-To-Smarter-Thieves
Assignments/Tests:
• Chapter Review Questions—Chapter 1—Ciampa

Week 4
Topic: Introduction and Overview of Computer Forensics and Cybercrime
Readings:
• Chapter 1—Britz
• NPR: Morning Edition, "Dear Apple: Good Luck Against The Smartphone Black Market", Sept 16 2013, http://www.npr.org/blogs/alltechconsidered/2013/09/16/222125010/dear-apple-good-luck-against-the-smartphone-black-market
Assignments/Tests:
• Discussion Activity 3—Security Access Controls
• Discussion Questions—Chapter 1 (Britz): Discussion Questions 1-5, p.22
• Quiz—Chapter 1 (Ciampa)

Week 5
Topic: Desktop Security
Readings:
• Chapter 2—Ciampa
• NPR: All Things Considered/All Tech Considered, "Hunting for a Password That Only You Will Know" [cc/t], http://www.npr.org/2011/07/25/138672758/hunting-for-a-password-that-only-you-will-know
• NPR: All Things Considered/All Tech Considered, "How to Protect Yourself From Hacking" [cc/t], http://www.npr.org/templates/rundowns/rundown.php?prgId=2&prgDate=7-25-2011
• 60 Minutes: "Cyber War", JUN 13 2010, http://www.cbsnews.com/video/watch/?id=6578069n&tag=mncol;lst;1
• NPR: All Things Considered, "Your PIN May Not be Uncrackable After All" [cc/t], Sept 20, 2012, http://www.npr.org/player/v2/mediaPlayer.html?action=1&t=1&islist=false&id=161502081&m=161502066
Assignments/Tests:
• Discussion Activity 4—Security Policy
• Chapter Review Questions—Chapter 2 (Ciampa)


Readings (continued):
• www.passfault.com
• NPR: All Things Considered, "The Most Secure Password in the World Might Be You", http://www.npr.org/blogs/alltechconsidered/2013/11/05/243060103/the-most-secure-password-in-the-world-might-be-you

Week 6
Topic: Contemporary Computer Crime
Readings:
• Chapter 4—Britz
• NPR: Morning Edition, FEB 12, 2013, "In Cyberwar, Software Flaws Are A Hot Commodity", http://www.npr.org/2013/02/12/171737191/in-cyberwar-software-flaws-are-a-hot-commodity
• NPR: Morning Edition, FEB 13, 2013, "Victims Of Cyberattacks Get Proactive Against Intruders", http://www.npr.org/2013/02/13/171843046/victims-of-cyberattacks-now-going-on-offense-against-intruders
• NPR: The Diane Rehm Show, FEB 13, 2013, "The Growing Threat Of Cyber-Espionage", http://thedianerehmshow.org/
Assignments/Tests:
• Discussion Activity 5—Risk Assessment
• Discussion Question—Chapter 4 (Britz): Discussion Questions 1-5, p.111
• Quiz—Chapter 2 (Ciampa)

Week 7
Topic: Internet Security
Readings:
• Chapter 3—Ciampa
• NPR: All Things Considered, "Does iCloud Pose Security Risks to Users", http://www.npr.org/2011/06/09/137089307/does-icloud-pose-security-risks-to-users
Assignments/Tests:
• Discussion Activity 6—Encryption
• Chapter Review Questions—Chapter 3 (Ciampa)

Week 8
Topic: The Fourth Amendment and Other Legal Issues
Readings:
• Chapter 9—Britz
• "SOPA Virus Kidnaps Computers for Ransom", http://betabeat.com/2012/10/sopa-virus-kidnaps-computers-for-ransom-video/
• "ABC News Tracks Missing iPad to Florida Home of TSA Officer", http://abcnews.go.com/Blotter/abc-news-tracks-missing-ipad-florida-home-tsa/story?id=17331937
• Surveillance of IT Technology:
  NPR: Fresh Air, "The Technology Helping Repressive Regimes Spy", http://www.npr.org/2011/12/14/143639670/the-technology-helping-repressive-regimes-spy
  NPR: Fresh Air, "Tracking The Companies That Track You Online" [cc/t], http://www.npr.org/templates/story/story.php?storyId=129298003
  NPR: Fresh Air, "Interpreting the Constitution in the Digital Age", http://www.npr.org/2011/11/30/142714568/interpreting-the-constitution-in-the-digital-era
• Cyber Terrorism:
  CBS News 60 Minutes, "Stuxnet: Computer Worm Opens New Era of Warfare", http://www.cbsnews.com/video/watch/?id=7400904n&tag=contentBody;storyMediaBox
Assignments/Tests:
• Discussion Activity 7—Spam
• Discussion Questions 1-5, p.264
• Quiz—Chapter 3 (Ciampa)

Week 9
Topic: Personal Security; Authentication—1FA and 2FA
Readings:
• Chapter 4—Ciampa
• CBS News 60 Minutes, "The Data Brokers: Selling Your Information", http://www.cbsnews.com/news/the-data-brokers-selling-your-personal-information/
• VIDEO: Nigerian 419 Scam
• NPR: Morning Edition, July 12, 2012, "Mobile Ad Networks Accused of Invasive Apps"
• NPR: Weekend All Things Considered, FEB 17, 2013, "Want To Keep Your Messages Private? There's An App For That", http://www.npr.org/blogs/alltechconsidered/2013/02/17/172258256/want-to-keep-your-messages-private-theres-an-app-for-that
• NPR: All Things Considered, "Study May Shed Light on How to Stop Spam", http://www.npr.org/2011/05/26/136690513/study-may-shed-light-on-how-to-stop-spam
• NBC Dateline—To Catch a Con Man, http://www.msnbc.msn.com/id/17697615/
Assignments/Tests:
• Discussion Activity 8—Network Security
• Chapter Review Questions—Chapter 3 (Ciampa)

Week 10
Topic: Identity Theft and Identity Fraud
Readings:
• Chapter 5—Britz
• CBS 60 Minutes, "Biggest IRS Scam Around: Identity Tax Refund Fraud", http://www.cbsnews.com/videos/biggest-irs-scam-around-identity-tax-refund-fraud/
• NPR: All Tech Considered, "Woman Invokes 5th Amendment to Avoid Disclosing Laptop Password", http://www.npr.org/2011/07/11/137773335/when-asked-to-disclose-laptop-password-woman-invokes-5th-amendment
• NPR: Morning Edition, "E-Mail, To Encrypt or Not to Encrypt", http://www.npr.org/templates/story/story.php?storyId=91666556
• VIDEO: NBC Dateline, "To Catch an ID Thief" (YouTube)
• VIDEO: NBC Dateline, "Putting a Face on ID Theft" (YouTube)
Assignments/Tests:
• Discussion Activity 9—Mitigation of Risks and Threats
• Discussion—Case Studies Chapter 4
• Discussion Questions 1-5, p.143
• Quiz—Chapter 4

Week 11
Topic: Wireless Network Security
Readings:
• Chapter 5—Ciampa
• NPR: All Things Considered, "McAfee Releases Report on Hacking Project", http://www.npr.org/2011/08/03/138962415/mcafee-releases-report-on-hacking-project
• How to Crack a WPA Wireless Network, http://lifehacker.com/5873407/how-to-crack-a-wi+fi-networks-wpa-password-with-reaver
• DD-WRT, http://dd-wrt.com/site/index
Assignments/Tests:
• Discussion Activity 10—Policies and Laws
• Chapter Review Questions—Chapter 5 (Ciampa)

Week 12
Topic: Avenues for Prosecuting and Government Efforts
Readings:
• Chapter 7—Britz
• NPR: All Things Considered, "Laboring in the Shadows to Keep the Web Free of Child Porn", http://www.npr.org/2013/11/17/245829002/laboring-in-the-shadows-to-keep-the-web-free-of-child-porn
• CBS News 60 Minutes, "FBI Director on threat of ISIS, Cybercrime", http://www.cbsnews.com/news/fbi-director-james-comey-on-threat-of-isis-cybercrime/
Assignments/Tests:
• Discussion Questions—Chapter 7: Discussion Questions 1-5, p.213
• Quiz—Chapter 5 (Ciampa)

Week 13
Topic: Enterprise Security
Readings:
• Chapter 6—Ciampa
• VIDEO: How Online Gamblers Unmasked Cheaters, http://www.cbsnews.com/stories/2008/11/25/60minutes/main4633254.shtml
• NPR: On the Media, "Government Reverses Itself on Online Gambling", http://www.onthemedia.org/2012/jan/06/government-reverses-itself-line-gambling/
• VIDEO: TJ Maxx Break-in (Hi Tech Heist), http://www.cbsnews.com/video/watch/?id=4649240n and http://www.youtube.com/watch?v=MxG2J3bf1BQ&feature=related
• VIDEO: To Catch a Con Man (YouTube)
• VIDEO: To Catch an ID Thief (YouTube)
• VIDEO: To Catch a Lotto Scammer (YouTube)
Assignments/Tests:
• Chapter Review Questions—Chapter 6 (Ciampa)

Week 14
Topic: Computer Forensics: Terminology and Requirements
Readings:
• Chapter 10—Britz
• VIDEO: To Catch a Predator, http://www.msnbc.msn.com/id/21134540/vp/22412084#22424498
• To Catch a Predator (YouTube), http://www.youtube.com/results?search_query=dateline+nbc+to+catch+a+predator&aq=1
Assignments/Tests:
• Discussion Questions 1-5, p.299
• Quiz—Chapter 6 (Ciampa)

Week 15
Topic: Semester Project Presentations
Assignments/Tests:
• Final Exam—Chapters 1-6 (Ciampa); Chapters 1, 4, 5, 7, 9, 10 (Britz)


NOTE: Syllabus subject to change without notice.

Grading

A   100.0%—93.0%
A-  92.9%—90.0%
B+  89.9%—88.0%
B   87.9%—82.0%
B-  81.9%—80.0%
C+  79.9%—78.0%
C   77.9%—70.0%
D   69.9%—60.0%
F   59.9%—00.0%

Assignments and Points

Chapter Review Questions: 120 (20 points each x 6)
Quizzes: 180-300 (30-50 points each x 6)
Lab participation: 120 (20 points each x 6)
Discussion Activities: 100 (10 points each x 10)
Risk Assessment Project: 150
Group Video Project: 150
In Class Discussion/Participation: 15%
Final Exam: 100

Assignments are due the Sunday evening of the week they are assigned.


Use the following advice to receive maximum learning benefits from your participation in this course:

DO

• Do take a proactive learning approach
• Do share your thoughts on critical issues and potential problem solutions
• Do plan your course work in advance
• Do explore a variety of learning resources in addition to the textbook
• Do offer relevant examples from your experience
• Do make an effort to understand different points of view
• Do connect concepts explored in this course to real-life professional situations and your own experiences

DON'T

• Don't assume there is only one correct answer to a question
• Don't be afraid to share your perspective on the issues analyzed in the course
• Don't be negative towards points of view that are different from yours
• Don't underestimate the impact of collaboration on your learning
• Don't limit your course experience to reading the textbook
• Don't postpone your work on the course deliverables – work on small assignment components every day

Appendix A: Reading List

Module 1: Motivation

• CSI/FBI Computer Crime and Security 2004 Survey. (M1-1) http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf
• Michael E. Whitman, "Enemy at the Gate: Threats to Information Security," Communications of the ACM, Vol. 46, No. 8, August 2003, pp. 91-95. (M1-2)
• The National Strategy to Secure Cyberspace, The Whitehouse, US, February 2003. (M1-3) http://www.whitehouse.gov/pcipb/cyberspace_strategy.pdf
• Critical Infrastructure Protection: Challenges and Efforts to Secure Systems, GAO-04-354, March 15, 2004. (M1-4) http://www.gao.gov/new.items/d04354.pdf

Module 2: Basic Concepts of Information Security


• Kevin D. Mitnick, "Are You the Weak Link?" Harvard Business Review, April 2003, pp. 18-20. (M2-1)
• Information Assurance Technical Framework, NSA. (M2-2) http://www.iatf.net/framework_docs/version-3_1/index.cfm
• The Orange Book, DoD. (M2-3) http://www.fas.org/irp/nsa/rainbow/std001.htm
• Common Criteria Documentation. (M2-4) http://niap.bahialab.com/cc-scheme/cc_docs/index.cfm

Module 3: Social and Legal Issues

• Bill Arbaugh, "Security: Technical, Social, and Legal Challenges," Computers, February 2002, pp. 109-111. (M3-1)
• Michael Clarkson, Beating the Superbug: Recent Developments in Worms and Viruses, SANS Institute, 2002. (M3-2) https://www.sans.org/rr/whitepapers/malicious/146.php
• A&T, A Social Engineering Example. (M3-3) http://www.searchlores.org/social_1.htm
• LabMice.net, Social Engineering. (M3-4) http://labmice.techtarget.com/security/socialengineering.htm

Module 4: Analysis Methods

• SANS Top 20 Internet Vulnerabilities. (M4-1) http://www.sans.org/top20/#w1
• SANS Institute, A Model for Peer Vulnerability Assessment, 2001. (M4-2) www.sans.org/rr/whitepapers/testing/263.php
• Ashcroft, J., Daniels, D. J. and Hart, S. V., Method to Assess the Vulnerability of US Chemical Facilities, Special report, NCJ 195171, The National Institute of Justice, Nov., 2002. (M4-3) http://www.ncjrs.gov/pdffiles1/nij/195171.pdf
• Cathleen Brackin, Vulnerability Management: Tools, Challenges and Best Practices, SANS Institute, December 13, 2003. (M4-4) http://www.sans.org/rr/whitepapers/threats/1267.php
• Jeffrey King, 10 Vulnerabilities a Scanner Might Not Find, SANS Institute, May 12, 2003. (M4-5) http://www.sans.org/rr/whitepapers/threats/1030.php
• Robert Rowlingson, A Ten Step Process for Forensics Readiness, International Journal of Digital Evidence, Winter 2004. (M4-6) http://www.dfrws.org/2001/dfrws-rm-final.pdf
• Warren Harrison et al, A Lessons Learned Repository for Computer Forensics, International Journal of Digital Evidence, Fall 2002. (M4-7) http://www.utica.edu/academic/institutes/ecii/publications/articles/A0B13342-B4E0-1F6A-
• Michael Potaczala, Computer Forensics, Term Paper, 2001. (M4-8) http://chantry.acs.ucf.edu/~mikep/cf/CHS5937-TermPaper.pdf
• Timothy J. Shimeall, Casey J. Dunlevy, and Phil Williams, Intelligence Analysis for Internet Security: Ideas, Barriers and Possibilities, CERT Analysis Center, Software Engineering Institute, Carnegie Mellon University. (M4-9) http://www.cert.org/archive/html/spie.html
• Preparing for the 21st Century: An Appraisal of US Intelligence, INT-Report, March 1, 1996. (M4-10) http://www.fas.org/irp/offdocs/report.html


• Introduction to Security Risk Analysis & Security Risk Assessment. (M4-11) http://www.security-risk-analysis.com/introduction.htm
• Security Scanning is not Risk Analysis. (M4-12) http://www.intranetjournal.com/articles/200207/pse_07_14_02a.html

Module 5: Information Warfare & IA

• Manic Velocity, Footprinting: The Basics of Hacking, Hack in the Box. (M5-1) http://www.hackinthebox.org/article.php?sid=5359
• Tony Bradley, Introduction to Packet Sniffing. (M5-2) http://netsecurity.about.com/cs/hackertools/a/aa121403.htm
• Tony Bradley, Introduction to Port Scanning. (M5-3) http://netsecurity.about.com/cs/hackertools/a/aa121303.htm
• Joanne Cummings, From Intrusion Detection to Intrusion Prevention, Network World, 09/23/02. (M5-4) http://www.networkworld.com/buzz/2002/intruder.html
• Whatis.Com, Denial of Service. (M5-5) http://whatis.techtarget.com/definition/0,289893,sid9_gci213591,00.html
• Denial of Service Attacks, CERT® Coordination Center. (M5-6) http://www.cert.org/tech_tips/denial_of_service.html
• Wardriving, Wikipedia, the Free Encyclopedia. (M5-7) http://en.wikipedia.org/wiki/Wardriving

Module 6: Securing the Future

• Cyber Security: A Crisis of Prioritization, President's IT Advisory Committee, Feb. 2005. (M6-1) http://www.nitrd.gov/pitac/reports/20050301_cybersecurity/cybersecurity.pdf
• Amitava Dutta and Kevin McCrohan, "Management's Role in Information Security in a Cyber Economy," California Management Review, Vol.45, No.1, Fall 2002, pp. 67-87. (M6-2)
• Mark Lum, Offshore Outsourcing and Information Confidentiality, SANS Institute, April 2004. (M6-3) http://www.sans.org/rr/whitepapers/legal/1438.php
• Vadalasetty, S.R., Security Concerns in Using Open Source Software for Enterprise Requirements, SANS Institute, October 2003. (M6-4) http://www.sans.org/rr/whitepapers/awareness/1305.php
• Scott Byrum, The Impact of the Sarbanes Oxley Act on IT Security, SANS Institute, October 2003. (M6-5) http://www.sans.org/rr/whitepapers/casestudies/1344.php

Appendix B: Video List

• Businessweek video library: http://feedroom.businessweek.com/
• Information Assurance Video, NIATEC, Idaho State University. http://niatec.info/videos.htm
• Security Awareness Program Contest. http://www.educause.edu/content.asp?page_id=7103&bhcp=1
• Security on ZDNet: Video and Audio: http://zdnn.search.com/search?cat=230&int.1273=on&q=Security
• ZDNet Video at the Whiteboard: http://news.zdnet.com/2036-2_22-5718923.html


Appendix C: Selected Web Links

• Center for Information Assurance at Penn State. http://net1.ist.psu.edu/cica/
• CERT Coordination Center, Carnegie Mellon University. http://www.cert.org/
• CERT Virtual Training Environment. https://vte.cert.org/aboutvte.html
• CIA, Criminal Intelligence Analysis, Interpol. http://www.interpol.int/Public/cia/default.asp
• CIA, Financial and high-tech crimes, Interpol. http://www.interpol.int/Public/FinancialCrime/Default.asp
• Computer Forensics, Cybercrime and Steganography Resources. http://www.forensics.nl/
• Computer Security Resources Center (CSRC), National Institute of Standards and Technology (NIST). http://csrc.nist.gov/
• Dan Farmer and Wietse Venema, Forensic Discovery, Addison-Wesley. http://www.porcupine.org/forensics/forensic-discovery/
• History of Computer Security, Computer Security Division, National Institute of Standards and Technology (NIST). http://csrc.nist.gov/publications/history/
• IAPP – International Association of Privacy Professionals: https://www.privacyassociation.org/
• ICSA Information Security Magazine. http://informationsecurity.techtarget.com/
• Identity Theft Resources. http://www.privacyrights.org/identity.htm
• Information and Computer Security Resources, SANS.org. http://www.sans.org/resources/
• ISACA: http://www.isaca.org/
• IT Audit – The Institute of Internal Auditors. http://www.theiia.org/ITAudit/
• IWS – The Information Warfare Site. http://www.iwar.org.uk/cip/
• Network Security Library. http://www.windowsecurity.com/whitepaper/
• National Coordination Office for Networking and Information Technology Research and Development (NITRD). http://www.nitrd.gov/pubs/
• Privacy.Org: http://privacy.org/
• Richards J. Heuer, Jr., Psychology of Intelligence Analysis, Center for the Study of Intelligence, Central Intelligence Agency, 1999. http://www.cia.gov/csi/books/19104/index.html
• Security and Risk Analysis (OCTAVE). http://www.cert.org/octave/methodintro.html
• Wikipedia, the Free Encyclopedia. http://en.wikipedia.org/wiki/
• Wireless LAN Security & Wardriving. http://www.wardrive.net/
• ZDNet: Security White Papers, Webcast, and Case Studies. http://whitepapers.zdnet.com/search.aspx?kw=Security and http://whitepapers.zdnet.com/search.aspx?&kw=Security&dtid=2