Tag Archives: CISSP

Does CISSP provide a false sense of security?

POST_8-IMG0I believe that beyond understanding the values of a CISSP certification, the Lebanese market should get used to the Infosec consulting/services concept. The latter is particularly important for bringing a high level view of security as a whole. One may have a plethora of security products (firewalls, IDS, etc.) but these won’t provide a true level of security unless they’re correctly configured, frequently updated, daily monitored and part of a homogeneous security policy. Why should a company invest in an expensive IDS if its technical staff doesn’t have the appropriate skills to set the appropriate alarms, be able to distinguish between legitimate TCP/IP traffic and malicious one, etc.? This will help prevent them from being flood with false positive alarms that would soon prompt them to turn the IDS off.

Information security is a rather young field of work that requires a “new school” way of thinking. Several years ago, I came across an assertion from Kevin Day that perfectly illustrates this:

“Security cannot be handled exclusively through expensive equipment, as many of us have been led to believe. Security is not a technology; it is a thought process and a methodology. Security within our technologies is nothing until security is within our minds.”

Back to CISSP, we notice that many security experts around the world are not CISSP certified which doesn’t lessen their expertise or ability to tackle security issues efficiently (remember: one has to think with a security mind and there are other security certifications out there, CISA, SANS, etc.).

You can also notice on several infosec discussion forums that the war is raging between security experts on the real value of the CISSP certification, some saying that it is too theoretical to be trustworthy in real world situations :

“… And for the record, a CISSP proves nothing. When I was a white hat I repeatedly tore apart the networks “secured” by CISSP “wizards”. The certification means nothing – it’s the actual hands on ability of the network managers and engineers that matter …» – Shane MacDougall

Here is another amusing excerpt from 2003 which unfairly (at least in my opinion) depicts CISSP as a trojan certification and presents it as security advisories would do for vulnerabilities notification:

Security Advisory MA-2003-01 CISSP - Trojan Security Certification

Original Release Date: Thursday January 16, 2003

Last Revised: --

Source: --

Systems Affected

- Information Security Community

- Information Technology Employers

- Information Security Consultants

Overview

It has recently been identified that The International Information Systems Security Certification Consortium (CISSP) has developed and released a potentially destructive trojan application, which masquerades as a valid standard for professional certification in the field of information security.

I. Description

Delivered in the benign form of a six hour examination, the CISSP prompts target user with a series of 250 questions regarding the following topics:

- Access Control Systems & Methodology

- Applications & Systems Development

- Business Continuity Planning

- Cryptography

- Law, Investigation & Ethics

- Operations Security

- Physical Security

- Security Architecture & Models

- Security Management Practices

- Telecommunications, Network & Internet Security

This rather large payload, commonly referred to as the Common Body of Knowledge (CBK), may cause a Denial of Service situation, leaving the target overwhelmed and unable to respond to further requests during the duration of the attack. If the target handles the Denial of Service attack appropriately, and is unaffected, the CISSP trojan discontinues this attack, and self-mutates into a certification of added IS credibility. If accepted by the target, this certification begins to cause the following symptoms:

- Increase in self-confidence

- Increase in salary requirements

- False sense of accomplishment

- False sense of self-improvement

Despite the symptoms, the target experiences no real benefit whatsoever. The affected target then is made to transfer funds in excess of $2,000 (US) to a remote bank account owned by ISC2. Finally, the affected target promotes itself to a "Certified Information Security Expert" sans authentication. The affected target may then infect others, eventually creating a massive army of unskilled, prefabricated, shrink-wrapped, not for resale, half-assed security engineers, consultants, and "research scientists".

II. Impact

An abundance of sub-par information security engineers, consultants, and "research scientists".

A negative impact on the economy, specifically within the Information Technology sector.

III. Solution

Avoid any certifications issued by ISC2 until a patch is distributed. Obtain information security related certifications from valid sources. Employers are encouraged to recognize the CISSP as a trojan certification.

Appendix A - Vendor Information

International Information Security Certification Consortium, Inc.

(ISC)2 is the premier organization dedicated to providing information security professionals and practitioners worldwide with the standard for professional certification.

That being said, companies and IT staff should remain vigilant since blindly believing in security certifications is like blindly trusting security products: it will provide them with a false sense of security.