Busting Through the Myths About the CISSP Exam
For years, I have heard people complain about having to learn things for the CISSP exam that they would never use in their lives. When I was studying for this exam several years ago, I said the same things. I also hear people saying that they have to learn security through (ISC)2's view for this exam, which does not match with reality. The thought on both of these statements is that someone would have to memorize items for the test that are not helpful in their career—thus a waste of time. Again, I fell into this bucket when I studied and took the exam forever ago. Now I see it completely differently.
I have found that because I have written books and taught CISSP classes for many years, I understand the material in much more depth than I would have if I just studied, took the test, and moved on with life.
The information that people complain about having to learn (Bell-LaPadula, Biba, Clark-Wilson, etc.) is very beneficial to their understanding of security in a holistic manner instead of just focusing on their original notion of what makes up security.
Many technical people seem to think that learning anything above technology is a waste of their time. This is because they have a desire to stay in the technology realm and learn their trade at a much deeper level instead of understanding that security is certainly not all about technology.
Although I am pretty disappointed with the way that the questions on the CISSP exam are worded (confusing, vague, subjective), I have a great appreciation for the actual Common Body of Knowledge (CBK). I was a security consultant before I took the exam, wrote books, and taught CISSP, and I am still a security consultant, but the difference in my knowledgebase and view on security has drastically changed.
Like most people, I focused on what security topics I was to perform in my specific job. At the time, on-line banking was just coming to the market (yes, I am that old), and I worked with programmers, software architects, project managers, analysts, and end customers—all focusing on on-line banking. I sure as hell was not interested in the different types of fire suppression, access control models, trusted computing base, or anything outside of my domain of topics that I lived, worked, and breathed in.
When I took my CISSP exam, I was like most people who take it—I knew just enough to pass the exam, but I had to memorize things because I did not fully understand them. This made me very disappointed. My goal has never been to get as many certifications following my name as possible. In fact, my personal opinion of someone who lists 10 certification credentials after their name in an e-mail, on a business card, or resume is that the person may have an ego issue that requires showing off and bragging about their talent for passing tests. So this type of person may be great at taking tests, but I have yet to run into a situation in real life where answering A, B, C, or D was required to get a job done.
At the time I took my CISSP exam, there were no study guides, books, or websites for the CISSP exam. (ISC)2 was the only one that offered training for CISSP, which took four days a week for two weeks. The first week I could tell that my instructors did not really fully understand the topics that they were teaching. I remember asking one of the instructors a question about Kerberos and instead of explaining the answer to me, he said, "You don't need to know that for the test." I was in shock. I could tell not only did he not know the answer, but his main focus was to help people memorize things that were going to be on the exam.
After getting the same type of response to a few more questions, I just stopped asking. On the third of the eight days of class, I left. We were going over a ton of topics at the speed of light that I did not know, and spending more time in the class meant that I would just sit through more lectures and learn nothing and get more frustrated.
As an interesting side note, the two (ISC)2 instructors who taught my class have boasted over the years that they "taught Shon Harris," and (ISC)2 sales people say the same thing today to fill more seats in their class. I have heard about these comments for years now. What the (ISC)2 instructors and salespeople do not tell their customers is that I quit the class because it was of no use.
So after passing the CISSP exam and still not really knowing much about the various topics, I thought that someone should write a book about it. So I did. The first book I ever published was close to 1,000 pages long.
There is a great difference in having to know topics to be able to choose the right answer to pass a test versus knowing the topics to be able to write a huge book and teach courses on them. I honestly feel very lucky and honored that I have had the opportunity to do both.
Now when I do consulting work, I often understand topics that my fellow consultants do not, and I can "see" the topics at a greater level and how they affect surrounding issues. I commonly bring up dependencies of certain solutions that the team has not thought about. And for years I have understood what a security program is truly made up of, which the industry now finally understands.
I am certainly not the brightest bear in the bunch, but the level of research I have had to do on the topics within the CBK allows me to view security holistically and not be stuck in understanding security from only one point of view.
So to get back to the crux of this message, I still hear people complain about having to learn things that they don't have to know for their jobs and having to learn topics the way that (ISC)2 defines them. When I am teaching a class, I cover these complaints in-depth because students can erect these barriers, which will stand in the way of truly being educated.
For example, most students complain about the access control models that they have to learn about (Bell-LaPadula, Biba, Brewer and Nash, Clark-Wilson, etc.) for the exam. Now, if the student would take the time to really understand where these models fit in life, they would have much more appreciation for them.
Access control models are made up of formal or semiformal rules that a software architect can follow to ensure that security is built into the foundation of an application or operating system and that a certain level of security is provided throughout the software, no matter what procedure the code carries out.
You might say, "I have never even heard of these models and they are old and out of date, anyway." My response would be, "You don't know these models because you have never worked as a software architect who is responsible for building these types of products. And if you don't know these models, how would you know that they are out of date?"
One reason why most people are unfamiliar with these access control models is because the software we commonly use day in and day out is not built on formal or semiformal models. Windows grew up from MS-DOS. Security was not an issue when we were using Windows 3.1, Windows 95, and even Windows 98. The code was developed to provide functionality—period.
The evolution of Windows has brought about ways to ensure that the user could not make mistakes by adding a ton of code that keeps the user from the critical pieces of the operating system, as in the kernel. And as Windows became more popular, more nontechnical people had to use these systems, so a requirement for "idiot-proofing" the software increased, and today we have a ton of wizards, help files, icons, and so on.
So is Windows or UNIX built on one of the models you need to know for the CISSP exam? Nope, they were built with only functionality in mind. Does that mean that these models are not used? Nope. The access control models are used in specialized software products that require a specific type and level of security. Are the access control models obsolete? Nope. These models are becoming more popular specifically because the industry needs more secure products. (For example, SELinux is based on the Bell-LaPadula model.) If you attend a graduate security program at a university, you will have to know these models in-depth. So just because you are not aware of something does not mean that it is not important.
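To make the "formal rules an architect can follow" concrete, here is a small added example (not from the original post) of a toy reference monitor that enforces the Bell-LaPadula confidentiality rules and the Biba integrity rules side by side; the level lattice, the subject and the object are constructed for illustration.

```python
# Added example: a minimal reference monitor for Bell-LaPadula and Biba.
# Bell-LaPadula protects confidentiality: "no read up", "no write down".
# Biba protects integrity: "no read down", "no write up".
# The levels, subjects and objects below are constructed, not from the post.

from dataclasses import dataclass

# Totally ordered levels; higher number = more sensitive (BLP) or more trusted (Biba).
LEVELS = {"public": 0, "internal": 1, "secret": 2}


@dataclass(frozen=True)
class Labeled:
    name: str
    level: str  # key into LEVELS


def _rank(x: Labeled) -> int:
    return LEVELS[x.level]


def blp_allows(subject: Labeled, obj: Labeled, access: str) -> bool:
    """Bell-LaPadula: simple security property and *-property."""
    if access == "read":
        return _rank(subject) >= _rank(obj)   # no read up
    if access == "write":
        return _rank(subject) <= _rank(obj)   # no write down
    raise ValueError(f"unknown access {access!r}")


def biba_allows(subject: Labeled, obj: Labeled, access: str) -> bool:
    """Biba: simple integrity property and *-integrity property."""
    if access == "read":
        return _rank(subject) <= _rank(obj)   # no read down
    if access == "write":
        return _rank(subject) >= _rank(obj)   # no write up
    raise ValueError(f"unknown access {access!r}")


def decide(model: str, subject: Labeled, obj: Labeled, access: str) -> str:
    """Return ALLOW or DENY for the requested access under the named model."""
    check = {"blp": blp_allows, "biba": biba_allows}[model]
    return "ALLOW" if check(subject, obj, access) else "DENY"


if __name__ == "__main__":
    analyst = Labeled("analyst", "secret")      # constructed subject
    memo = Labeled("public-memo", "public")     # constructed object
    for model in ("blp", "biba"):
        for access in ("read", "write"):
            print(f"{model}: {analyst.name} {access} {memo.name} -> "
                  f"{decide(model, analyst, memo, access)}")
```

Run as a script, it shows the two models giving opposite answers for the same subject and object, which is exactly why a product's architect has to pick the model that matches the property the product must guarantee.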
I could go on and on about specific topics that students commonly poo-poo and think it is a waste of their time to learn. This attitude, although common, stems from ignorance. These students have yet to fully understand how security covers an amazing spectrum in every organization in every industry. It isn't just about firewalls and packets anymore.
The other common statement is just as crucial to understand, which is that you have to learn security how (ISC)2 sees security. I have heard this a million times when teaching CISSP courses and from e-mail to me, CISSP forums, and other places. Again, I do not like and cannot fully support the way the CISSP exam questions are written, but the material that you have to learn for the exam is not something that has been made up by (ISC)2.
If you research each and every topic within the CBK as I have, you will quickly find that almost all the material comes straight from NIST documents and other "best practices" resources in the industry. The reason that I hear this complaint so much is because people have not fully read all the NIST documents out there or are not tuned into what correct and structured security actually requires. People are used to seeing security through the lens of their job and the company that they work in. Many companies have their own definitions for specific terms and have ways that security is practiced in a type of proprietary manner. Each company morphs terms and concepts to best fit its environment, but that does not mean that those are the standard practices in security for the industry as a whole.
I deal with this issue at the beginning of any class I teach. I do this because from years of experience I understand that people have learned different "dialects" of security and since that is what they are most used to, they fully believe that their view is the right view.
What makes this issue even more complicated is that a lot of resources do not teach CBK topics to the necessary depth of understanding. This means that people's notions of what security is and their definitions of terms are not challenged properly. Let me give you an example that makes some students' heads explode.
Most people are familiar with the OSI model, which is a model that describes the various functionalities at different layers in a network stack. Most people know the "canned" definition of what takes place at the seven layers of a network stack, but really do not understand the model or what each layer truly represents. So two things that I have seen students almost go through a nervous breakdown about are SSL working at the Transport layer and ARP working at the Data Link layer. The canned definition of the functionality that takes place at the Transport layer is "end-to-end transmission." The canned definition for what takes place at the Session layer is "a connection is built, maintained and torn down." These two definitions sound as though they are the same—what is the difference?
A Session layer protocol builds a connection to an application on another system. In the client/server model, a small part of an application is the client, and the larger part of the application resides on another computer and does a lot of the work for the client. So how do the client and server portions of an application communicate? Through some type of Session layer protocol: NFS, RPC, NetBIOS, SQL, and so on. These protocols keep track of the dialog connections between the two pieces of software and carry out a variety of functions such as checkpointing, session recovery, opening and terminating connections, access control, and more.
Simply put, protocols at the Transport level provide connections between computers, and protocols at the Session layer provide connections through applications. So, what does this have to do with SSL and ARP?
Some people have learned that SSL works in the Session layer, and when I say that for the CISSP exam it works at the Transport layer they want to throw a book at me. (This is one example of why people think that they have to learn security through the view of CISSP versus reality.) What people do not fully understand is that SSL is made up of two protocols that carry out the functionality of the Session layer and the Transport layer. So some resources say that SSL works at the Session layer and another resource says it works in the Transport layer, and they are both right—but neither of the resources goes deep enough within the protocol to explain how it works. So we just memorize what layer we are told that it works in.
The reason why many people have difficulty with conflicting resources is because the OSI model does not actually exist. It is a conceptual model to allow people to understand the different pieces of a network stack. You will never open your hard drive and see where the OSI model is; you will never find an actual file that has OSI in it. The OSI model is taking reality (a network stack) and virtually cutting it up into understandable and digestible chunks. This is like trying to put boxes on top of your life so that your life can be explained in discrete levels of activities. There are things that you do in your life that do not fit well in just one box; maybe it takes two boxes to cover a certain aspect of your life. The same goes for a network protocol stack. The OSI model is attempting to break the network stack down into specific layers, but some protocols cover more than one layer. (ARP is made up of code that provides the functionality of the Network and Data Link layers. This is another one of those issues that can result in a lively debate.)
So, if you learned that SSL works at the Session layer instead of the Transport layer, and ARP works at the Network layer instead of the Data Link layer—you have memorized the functionality of the layers within the OSI model. This in no way means that you actually understand what is going on in the network stack.
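The ARP point above is easy to see on the wire: a single ARP packet carries both hardware (MAC) and protocol (IPv4) addresses. Here is an added example (not from the original post) that parses a constructed Ethernet frame carrying an ARP request and pulls out both kinds of address; the frame bytes, the addresses in it and the consistency check at the end are constructed for illustration.

```python
# Added example: parse an Ethernet frame carrying an ARP request and show the
# Data Link (MAC) and Network (IPv4) addresses that live in the same packet.
# SAMPLE_FRAME is constructed: "who has 192.0.2.20? tell 192.0.2.10".

import struct

ETH_FMT = "!6s6sH"               # dst MAC, src MAC, EtherType
ARP_FMT = "!HHBBH6s4s6s4s"       # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff"            # Ethernet dst: broadcast
    "020000000001"            # Ethernet src: 02:00:00:00:00:01
    "0806"                    # EtherType: ARP
    "0001" "0800" "06" "04"   # hw=Ethernet, proto=IPv4, hlen=6, plen=4
    "0001"                    # operation: request
    "020000000001" "c000020a"  # sender MAC 02:00:00:00:00:01, sender IP 192.0.2.10
    "000000000000" "c0000214"  # target MAC unknown,            target IP 192.0.2.20
)


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> dict:
    """Return the Data Link and Network addresses found in one ARP frame."""
    eth_len = struct.calcsize(ETH_FMT)
    dst, src, etype = struct.unpack(ETH_FMT, frame[:eth_len])
    if etype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: EtherType 0x{etype:04x}")
    body = frame[eth_len:eth_len + struct.calcsize(ARP_FMT)]
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled in this example")
    return {
        "eth_src": mac(src), "eth_dst": mac(dst),           # frame header (Data Link)
        "op": {1: "request", 2: "reply"}.get(oper, oper),
        "sender_mac": mac(sha), "sender_ip": ipv4(spa),     # ARP body: MAC and IP together
        "target_mac": mac(tha), "target_ip": ipv4(tpa),
        # Defender's sanity check: the frame's source MAC should match the
        # sender hardware address the ARP body claims; a mismatch is worth logging.
        "src_consistent": mac(src) == mac(sha),
    }


if __name__ == "__main__":
    for k, v in parse_arp(SAMPLE_FRAME).items():
        print(f"{k:15} {v}")
```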
This is just one example of why people think that they are being taught incorrectly; that they just have to answer the question on the exam the way that (ISC)2 wants them to answer and then get back to their real lives. In reality, you just don't fully understand the OSI model and how it relates to the protocols that make up a network stack.
Another piece that contributes to the thinking that you have to learn security incorrectly for the exam is the instructor. I cannot tell you how livid I have become over the years when I hear instructors tell students that they just need to memorize the CISSP-type of answers, even though that is not really how it works in real life. This is a case of the blind leading the blind. Many people have wanted to work as CISSP instructors for my company over the years, and many failed because of this exact issue. The instructor does not fully understand the specific topic, so he takes a cop-out and says that it is wrong but you have to know it anyway for the exam. Unbelievable, but this is a common practice in CISSP courses.
So is the CISSP exam out of date, irrelevant, and subjective? Only if you do not put the effort into actually understanding the concepts that are covered on the exam. For example, you may have learned the "canned" definition of the TCB and security perimeter, but what do they have to do with the real world? You can know and understand only if you put in the effort. If you just want to get your CISSP and memorize the "canned" definitions, don't ask me for a job—and I hope I don't work on any consulting team with you.
The best compliment I have received over the years is when someone comes up to me after my class and says, "It doesn't matter whether I get my CISSP or not; this class really opened my eyes to the world of security."
For more information visit http://www.logicalsecurity.com.