Saturday, March 21, 2015
Why I'm Not Sitting for the CISSP Exam (for now)
Regular followers of this blog will note that I often bounce around between current events, issues within digital forensics and even touch on some information security topics. Sometimes, a case or a related experience gives me cause to write about one of these topics with a little opinion thrown in. While the old adage about opinions is quite true, it seems that some of the more opinionated pieces are also more provocative and interesting.
Toward the goal of being at least somewhat provocative and interesting, I would like to relay a recent experience. Being that information security is a very hot-button topic and loosely related to digital forensics, I took advantage of a local opportunity in Richmond, Virginia.
The Central Virginia Chapter of the Information Systems Security Association (ISSA) offers a 10-week course of instruction and study toward preparation for the industry-standard Certified Information Systems Security Professional (CISSP) exam. The local ISSA chapter offers this at a very reasonable rate and they even provide dinner during the weekly class, so I saw it as a very good deal, a great way to get me more exposure to the field of information security and possibly increase the value Pro Digital can add to potential clients. The ultimate goal of this course is to sit for the CISSP exam, which offers one the CISSP designation, if passed. After completion of the course, I’ve decided not to sit for the exam (for now) and here’s why…
Backing up a Bit
Before I dive into my opinion about the CISSP, it might be appropriate to give readers who aren’t in the information security sector some background information. The CISSP is one of several certifications offered by the International Information Systems Security Certification Consortium, or (ISC)². This governing body offers numerous information system and security-oriented certification programs that are generally considered industry-standard. The CISSP covers 10 “domains,” or subject areas, that all have some specific bearing on information security. The domains range from networking to cryptography to legal matters, including digital forensics. To sit for the CISSP exam, a candidate needs to have several years’ experience in one or more of the domains and/or some formal education, equal to a specific number of points on a rating scale. Being that my years of criminal investigation and digital forensics combined with a 4-year degree met the requirements, I went into the process thinking I would sit for the exam.
What Changed My Mind
I will start by saying that I’ve been through hundreds of hours of digital forensic training, perhaps more. Some of it was very timely & topical and some of it was outdated and quite dull. Nevertheless, even the outdated courses offered something in the way of education as to how technology evolved into what it is today. I’ve also had a fair amount of exposure to things like cryptography and networking, both domains covered by the CISSP, but only on a functional level and as part of an overall course related to either high-tech investigation or digital forensics. All that being said, I was a sponge during our 10-week course for everything I didn’t already know or have some hands-on experience with. Then we got to the legal portion, which also dealt with digital forensics.
Even though most of my classmates were bored to death learning about different types of law, cases, regulations and forensics, I was really eager to see what this domain covered. Bear in mind, all of my digital forensic training has been geared toward professional investigators, not information system professionals, so I was expecting a little bit of a different flavor. The instructor did a good job getting through what was, by his own admission, a dry subject. But again, I’m a legal nerd, so it was mostly interesting to me.
After the PowerPoint presentation, the instructor plugged in the sample CISSP test questions taken right out of the CISSP Common Body of Knowledge (CBK) book. As a class, we went through 83 questions dealing with legal matters, incident response and how to handle sensitive data legally. I was NOT impressed. Not only was I not impressed with the obvious confusing nature of how some of the questions are written, but some of the answers were just plain wrong. For example, a question about the first steps in a digital forensic examination offered 4 multiple choice answers, none of which were correct. The CBK told us the correct answer was to image the system first, but that’s actually several steps down the road. The first step is to document the scene through notes and photographs as much as possible. Especially if a crime has occurred, documentation of how the scene was found is vital to a proper chain-of-evidence. That is just one example and I truly wish I would have written down how many were like that, but I didn’t. I can tell you there were several, however.
This disturbed me quite a bit because this very well-respected certification is giving people incorrect information. Not only that, but some participants may go through this certification and think they can adequately and appropriately respond to these incidents when that is certainly not the case. As I’ve repeatedly stated in this blog, taking the right steps from the beginning is paramount in any digital forensic case. It doesn’t matter if it’s a minor violation or a major crime. Adhering to best practices of documentation, acquisition, analysis, reporting and testimony is appropriate in ALL cases, and what the CBK, and by virtue of its reference the CISSP itself, is telling those who go through the certification is wrong and certainly not within best practices.
This led me to wonder, what else have we gone over in this course that is incorrect, bad information or contrary to best practices? You don’t know what you don’t know, but the obvious lapses in this one domain covered during this course lead me to believe this can’t be isolated. There’s an old rule in police work – the “plus one” rule. If you find one bad guy, look for another until you prove there isn’t one. The rule applies to this experience as well – if there are that many errors in the CBK with regard to legal considerations & digital forensics, how many others are there? There are bound to be more and that really turns me off to the entire certification.
I was grateful for the opportunity to take this course and I met some great professionals along the way. The instruction was top-notch and given by individuals in the field who have the experience and knowledge to relay real-world information, not just what’s in the book. I can’t say enough good things about the Central Virginia ISSA for making this course available and about the instructors for the time, effort and advice they offered us as prospective CISSPs.
All that aside, I think the CISSP as it is now is outdated and may contain some very incorrect information. Even though the subject is dry, adhering to legal best practices and doing the right things when an incident occurs could possibly be the most important domain in all of the CISSP. After all, if you don’t do the right things at the right times within the law, you could open yourself up to civil or criminal liability, and no one wants that. But the apparent construction of the questions on which candidates are tested is downright horrible, and it makes me question the validity of the entire certification.
In fairness, the (ISC)² is re-vamping the domains in the CISSP course and re-doing the test later this year. I can only hope that the new information is more relevant and more correct. And maybe I’ll sit for the new exam, but we’ll see…
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia