printlogo
ETH Zuerich - Homepage
Computer Engineering and Networks Laboratory (TIK)
 
ETH Zurich - ITET - TIK - Publications
print
  

Publication Details for Inproceedings "POSTER: Critique of the CISSP Common Body of Knowledge of Cryptography"

 

 Back

 New Search

 

Authors: Stephan Neuhaus and Gabriela Gheorghe
Group: Communication Systems
Type: Inproceedings
Title: POSTER: Critique of the CISSP Common Body of Knowledge of Cryptography
Year: 2013
Month: November
Book Titel: Proceedings of the 2013 Conference on Computer and Communications Security (CCS 13)
Keywords: CCS, security, CISSP
Publisher: ACM Press
Abstract: Many security job ads mention that security certificates are regarded as assets, giving the candidate an advantage. For some high-profile jobs, certification may even be required. No matter where one stands on the subject of certification, the assumption is that the imparted knowledge is at least factually correct. We examine the cryptography section in the Common Body of Knowledge (CBK) underlying the most sought-after certification, the CISSP, issued by the International Information Systems Security Certification Consortium, Inc., or (ISC)^2. We find many mistakes, some positively dangerous: people who believe what they read there will build systems that are less secure than they would have built if they had looked to, say, Wikipedia instead. They include: a confusion of encryption and authentication; an unconditional recommendation of RC4 for key sizes over 128 bits; a belief that block ciphers are inherently stronger than stream ciphers; and many more. These mistakes are elementary and appear in the third edition of the CBK, indicating that two preceding editing cycles were not enough to remove them. This shows that no one knows or cares that the material is wrong. This poses dilemmas for graduates and companies. Graduates can either obtain a CISSP despite the factual inaccuracies, thereby surrendering at least part of their professional integrity; or they can try to tough it out, thereby lowering their chances of getting a high-profile security job. Companies must either keep using the CISSP, knowing that they have been taught some dangerous nonsense, or find another way to assess the security knowledge of candidates.
Location: Berlin, Germany
Resources: [BibTeX] [Paper as PDF]

 

 Back

 New Search

top
© 2019 Laboratory TIK, ETH Zurich | Imprint | Last updated on Wed, 16 May, 2018 17:35 | t=0.0056s | Valid HTML 4.01