March 21, 2015
Why I’m Not Sitting for the CISSP Exam (for now)
Regular followers of this blog will note that I often bounce
around between current events, issues within digital forensics and even touch
on some information security topics.
Sometimes, a case or a related experience gives me cause to write about
one of these topics with a little opinion thrown in. While the old adage about opinions is quite true,
it seems that some of the more opinionated pieces are also more provocative and
interesting.
Toward the goal of being at least somewhat provocative and
interesting, I would like to relay a recent experience. Being that information security is a very
hot-button topic and loosely related to digital forensics, I took advantage of
a local opportunity in Richmond, Virginia.
The Central Virginia Chapter of the Information Systems Security
Association (ISSA) offers a 10-week course of instruction and study toward
preparation for the industry-standard Certified Information Systems Security
Professional (CISSP) exam. The local
ISSA chapter offers this at a very reasonable rate and they even provide dinner
during the weekly class, so I saw it as a very good deal, a great way to get me
more exposure to the field of information security and possibly increase the
value Pro Digital can add to potential clients.
The ultimate goal of this course is to sit for the CISSP exam; passing the exam earns the CISSP designation.
After completion of the course, I’ve decided not to sit for the exam
(for now) and here’s why…
Backing up a Bit
Before I dive into my opinion about the CISSP, it might be
appropriate to give readers who aren’t in the information security sector some
background information. The CISSP is one of several certifications offered by the International Information Systems Security Certification Consortium, or (ISC)². This governing body offers numerous information-system and security-oriented certification programs that are generally considered industry standard.
The CISSP covers 10 "domains," or subject areas, each of which has some specific bearing on information security. The domains range from networking to cryptography to legal matters, including digital forensics. To sit for the CISSP exam, a candidate needs several years of professional experience in the domains (at the time of writing, five years in two or more domains), part of which can be waived on the strength of formal education such as a four-year degree. Because my years of criminal investigation and digital forensics combined with a 4-year degree met the requirements, I went into the process thinking I would sit for the exam.
What Changed My Mind
I will start by saying that I’ve been through hundreds of
hours of digital forensic training, perhaps more. Some of it was very timely & topical and
some of it was outdated and quite dull.
Nevertheless, even the outdated courses offered something in the way of
education as to how technology evolved into what it is today. I’ve also had a fair amount of exposure to
things like cryptography and networking, both domains covered by the CISSP, but
only on a functional level and as part of an overall course related to either
high-tech investigation or digital forensics.
All that being said, I was a sponge during our 10-week course for everything
I didn’t already know or have some hands-on experience with. Then we got to the legal portion, which also
dealt with digital forensics.
Even though most of my classmates were bored to death
learning about different types of law, cases, regulations and forensics, I was
really eager to see what this domain covered.
Bear in mind, all of my digital forensic training has been geared toward
professional investigators, not information system professionals, so I was
expecting a little bit of a different flavor.
The instructor did a good job getting through what was, by his own
admission, a dry subject. But again, I’m
a legal nerd, so it was mostly interesting to me.
After the PowerPoint presentation, the
instructor plugged in the sample CISSP test questions taken right out of the
CISSP Common Body of Knowledge (CBK) book.
As a class, we went through 83 questions dealing with legal matters,
incident response and how to handle sensitive data legally. I was NOT impressed. Not only was I not impressed with the obvious
confusing nature of how some of the questions are written, but some of the
answers were just plain wrong. For example, a question about the first steps in a digital forensic examination offered four multiple-choice answers, none of which were correct. The CBK told us the correct answer was to image the system first, but that is actually several steps down the road. The first step is to document the scene through notes and photographs as thoroughly as possible. Especially if a crime has occurred, documentation of how the scene was found is vital to a proper chain of custody. That is just one example, and I truly wish I had written down how many questions were like that, but I didn't. I can tell you there were several, however.
This disturbed me quite a bit, because this very well-respected certification is giving people incorrect information. Not only that, but some participants may go through this certification and think they can adequately and appropriately respond to these incidents when that is certainly not the case. As I've repeatedly stated in this blog, taking the right steps from the beginning is paramount in any digital forensic case. It doesn't matter if it's a minor violation or a major crime. Adhering to best practices of documentation, acquisition, analysis, reporting and testimony is appropriate in ALL cases, and what the CBK (and, by virtue of its reliance on the CBK, the CISSP itself) is telling those who go through the certification is wrong and certainly not within best practices.
This led me to wonder, what else have we gone over in this
course that is incorrect, bad information or contrary to best practices? You don’t know what you don’t know, but the
obvious lapses in this one domain covered during this course lead me to believe
this can’t be isolated. There’s an old
rule in police work – the “plus one” rule.
If you find one bad guy, look for another until you prove there isn’t
one. The rule applies to this experience
as well – if there are that many errors in the CBK with regard to legal
considerations & digital forensics, how many others are there? There are bound to be more and that really
turns me off to the entire certification.
Conclusions
I was grateful for the opportunity to take this course and I
met some great professionals along the way.
The instruction was top-notch and given by individuals in the field who
have the experience and knowledge to relay real-world information, not just what’s
in the book. I can’t say enough good
things about the Central Virginia ISSA for making this course available and
about the instructors for the time, effort and advice they offered us as
prospective CISSPs.
All that aside, I think the CISSP as it is now is outdated
and may contain some very incorrect information. Even though the subject is dry, adhering to
legal best practices and doing the right things when an incident occurs could
possibly be the most important domain in all of the CISSP. After all, if you don’t do the right things
at the right times within the law, you could open yourself up to civil or
criminal liability and no one wants that.
But the apparent construction of the questions on which candidates are tested is downright horrible, and it makes me question the validity of the entire certification.
In fairness, the (ISC)² is re-vamping the domains in the
CISSP course and re-doing the test later this year. I can only hope that the new information is
more relevant and more correct. And
maybe I’ll sit for the new exam, but we’ll see…
Author: Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
About the Author:
Patrick Siewert is the Principal
Consultant of Pro Digital Forensic Consulting, based in Richmond,
Virginia. In 15 years of law
enforcement, he investigated hundreds of high-tech crimes, incorporating
digital forensics into the investigations, and was responsible for
investigating some of the highest jury and plea bargain child exploitation
cases in Virginia court history. A
graduate of both SCERS and BCERT (among others), Siewert continues to hone his
digital forensic expertise in the private sector while growing his consulting
business marketed toward litigators, professional investigators and
corporations.
Twitter: ProDigital4n6