ETH Zürich
Computer Engineering and Networks Laboratory (TIK)
 

Publication Details for Inproceedings "POSTER: Critique of the CISSP Common Body of Knowledge of Cryptography"

Authors: Stephan Neuhaus and Gabriela Gheorghe
Group: Communication Systems
Type: Inproceedings
Title: POSTER: Critique of the CISSP Common Body of Knowledge of Cryptography
Year: 2013
Month: November
Book Title: Proceedings of the 2013 Conference on Computer and Communications Security (CCS 13)
Keywords: CCS, security, CISSP
Publisher: ACM Press
Abstract: Many security job ads mention that security certificates are regarded as assets, giving the candidate an advantage. For some high-profile jobs, certification may even be required. No matter where one stands on the subject of certification, the assumption is that the imparted knowledge is at least factually correct. We examine the cryptography section in the Common Body of Knowledge (CBK) underlying the most sought-after certification, the CISSP, issued by the International Information Systems Security Certification Consortium, Inc., or (ISC)². We find many mistakes, some positively dangerous: people who believe what they read there will build systems that are less secure than they would have built if they had looked to, say, Wikipedia instead. They include: a confusion of encryption and authentication; an unconditional recommendation of RC4 for key sizes over 128 bits; a belief that block ciphers are inherently stronger than stream ciphers; and many more. These mistakes are elementary and appear in the third edition of the CBK, indicating that two preceding editing cycles were not enough to remove them. This shows that no one knows or cares that the material is wrong. This poses dilemmas for graduates and companies. Graduates can either obtain a CISSP despite the factual inaccuracies, thereby surrendering at least part of their professional integrity; or they can try to tough it out, thereby lowering their chances of getting a high-profile security job. Companies must either keep using the CISSP, knowing that they have been taught some dangerous nonsense, or find another way to assess the security knowledge of candidates.
Location: Berlin, Germany
Resources: [BibTeX] [Paper as PDF]
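The first mistake the abstract lists, treating encryption as if it also provided authentication, is easy to make concrete. The following is an added example written for this page; it is not code from the poster or its authors. It uses a toy counter-mode keystream derived from HMAC-SHA256 as a stand-in for any stream cipher (RC4, or a block cipher in CTR mode behaves the same way); this toy keystream is an assumption for demonstration only, not a cipher to deploy. An attacker who knows the plaintext at some offset flips the corresponding ciphertext bits and changes the decrypted message without the key, and nothing in a pure encryption scheme notices. Adding an HMAC over the ciphertext (encrypt-then-MAC) and verifying it before decryption is what rejects the forgery.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC-SHA256.

    Assumption: stands in for any stream cipher or CTR-mode block cipher.
    It is here only to show malleability; do not use it as a real cipher.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: plaintext XOR keystream, no integrity protection."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


# XOR is its own inverse, so decryption is the same operation.
decrypt_only = encrypt_only


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt, then authenticate nonce and ciphertext with a separate MAC key."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def decrypt_and_verify(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return decrypt_only(enc_key, nonce, ct)


def rewrite_field(ct: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker step: knowing plaintext 'known' sits at 'offset', XOR in the
    difference to 'wanted'. Needs no key, because XOR commutes with the keystream."""
    assert len(known) == len(wanted)
    mutated = bytearray(ct)
    for i, d in enumerate(xor_bytes(known, wanted)):
        mutated[offset + i] ^= d
    return bytes(mutated)


def demo():
    # Constructed fixed keys, nonce and message for a repeatable demonstration.
    enc_key = b"\x11" * 32
    mac_key = b"\x22" * 32
    nonce = b"\x00" * 16
    msg = b"PAY alice 0000100 EUR"
    offset = msg.index(b"0000100")

    # 1. Encryption alone: the forged ciphertext decrypts to a different amount.
    ct = encrypt_only(enc_key, nonce, msg)
    forged = rewrite_field(ct, offset, b"0000100", b"9999900")
    unauthenticated_result = decrypt_only(enc_key, nonce, forged)

    # 2. Encrypt-then-MAC: the same manipulation is caught before decryption.
    ct2, tag = encrypt_then_mac(enc_key, mac_key, nonce, msg)
    forged2 = rewrite_field(ct2, offset, b"0000100", b"9999900")
    try:
        decrypt_and_verify(enc_key, mac_key, nonce, forged2, tag)
        authenticated_result = "accepted"
    except ValueError:
        authenticated_result = "rejected"

    return unauthenticated_result, authenticated_result


if __name__ == "__main__":
    tampered_plaintext, verdict = demo()
    print("encryption only decrypts forgery to:", tampered_plaintext)
    print("encrypt-then-MAC verdict on the same forgery:", verdict)
```

The point the example makes is the one the abstract is getting at: the forgery succeeds against the unauthenticated construction regardless of which cipher produced the keystream, so key length and the block-versus-stream distinction say nothing about integrity. Integrity comes from the MAC (or from an authenticated mode), verified before decryption and compared in constant time.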