cdupuis writes "Good day to all,
Lately I have been receiving a lot of inquiries from members of the site about the announcement from ISC2 of a new CBK that will be released in January 2012. Of course many are wondering if this will severely affect them, whether the resources they are currently using are still valid, whether they should stop their studies and wait for this new and improved CBK, or what exactly is in store as far as changes are concerned. Do not get over-excited; there is little to worry about with this new CBK that was announced.
Over the past twelve years I have lived through many such updates. Every time I was expecting the spanking new CBK with the latest and greatest security issues being covered, but most of the time the update would turn out to be only changes in the domain names, subjects being moved from one domain to another, and very minor changes made to the actual content of the CBK. This update seems to be no different, looking at the present and future Candidate Information Bulletin (CIB) that was released by ISC2, which contains the current CIB and the future one to be used in January of 2012. A grand total of 66 pages altogether.
I have read through this new CIB and compared it with the current one. I will give you a résumé below of my findings, what is new, and in some cases what has not changed at all, unfortunately.
NEW DOMAIN NAMES
There are only two domains that have changes in their names:
Application Development Security will now be called Software Development Security
Operations Security is now called Security Operations
As you can see those are VERY minor changes, where only one word has been changed, and for the second domain they simply flip-flopped two words.
You will not be lost with new names for the domains; they are basically the same except for those two changes.
INTRODUCTION PAGE TO THE CIB
The introduction page had very few changes made. In fact they mostly made it more precise, and they used words that better represent information security instead of the generic words that used to be within the text.
An intro paragraph was added to define what the CISSP is, and as such what it provides and some of the key topics that are included within the CBK. On this page you find that most of the changes were made within the description of WHAT IS PROFESSIONAL EXPERIENCE.
Bullets that were redundant have been combined together.
They replaced "Creative Writing" with "Professional Writing"
They changed "Applicable titles" to say "Applicable Job Titles"
They removed the title "Officer" and replaced it with "CISO"
They replaced "Engineer" with "Information Assurance Engineer"
Titles such as Leader and Designer have been removed
The title Cryptographer is now replacing Cryptologist and Cryptanalysis
The title Architect was replaced by "Cyber Architect"
The titles of Consultant, Salesman, Representative were all removed from the list of Titles
The title of Lecturer was added to the list of applicable titles
POSITIVE ENFORCEMENT
In most of the domains the text used to say the candidate "should understand", which has been replaced by "is expected", which clearly tells the candidate that he has to know and not only that he should know. This is a clear distinction within the text of the new CBK.
DOMAIN 1 - ACCESS CONTROL
The introduction portion was modified to better describe what falls into this domain. There is only one new area of knowledge that was added to this domain with a few sub-topics added to old subjects to better describe what they are.
Under Understanding Access Control Attack the following sub-bullets were added:
B.1 Threat Modeling
B.2 Asset Valuation
B.3 Vulnerability Analysis
B.4 Access Aggregation
Under Assess Effectiveness of Access Controls the following was added:
C.1 User Entitlement
C.2 Access Review & Audit
A new bullet was added to this domain:
D. Identity and Access Provisioning lifecycle (e.g. provisioning, review, revocation)
The changes in this domain are very minimal. Overall, the changes are by my estimate less than 1% of the current CIB content. Mostly there is nothing new that was not already covered in the old CBK.
DOMAIN 2 - TELECOMMUNICATION AND NETWORK SECURITY
The text portion describing this domain has been greatly reduced. The text portion used to be mostly a repeat of the topics listed under the text explanations. The introduction no longer mentions anything about Firewalls, VOIP, or Detecting Network Based Attacks. It was also noted that the subject of Establish Secure Data Communications was removed.
Here are some of the changes in this domain:
A.3 Implications of Multi-Layer protocols was added
B.1 Wireless Access Points was added to the list of hardware devices
B.3 The term Filtering Devices is now replaced with the new buzzword Network Access Control (NAC) devices
C.1 VOIP was replaced by simply the term Voice with examples such as POTS, PBX, and VOIP
C.3 Under Remote Access the following examples were added: screen scraper, virtual application/desktop, telecommuting
D. Under Understand Network Attacks the following examples were added: DDoS, Spoofing
Overall this is another domain with only about 1% of changes being introduced.
DOMAIN 3 - INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT
This domain has some new bullets that were added but no real major changes overall.
B.1 Under Organizational Processes some examples were added: Acquisition, Divestitures, Governance Committees
B.2 What used to be Define Security Roles and Responsibilities is now Security Roles and Responsibilities; the word "define" has been removed at the beginning.
E. A new topic was added called Manage the Information Life Cycle, with the following examples: classification, categorization, and ownership. It is a new bullet, but all of the subjects were already covered.
F. A new topic called: Manage Third Party governance was added with the following examples: On-site assessment, document exchange and review, process/policy review.
Under risk assessment they added Qualitative, Quantitative, and Hybrid risk assessments.
Under Manage Personnel Security they added the following examples: reference checks, education verification.
For some strange reason it seems they removed Background Check from employee management???
ETHICS has been completely removed from this domain and moved back into the legal domain where it used to be a few years ago :-)
Now the CBK says Manage Personnel Security instead of Evaluate Personnel Security.
Overall about 1% of this domain was changed at the most.
DOMAIN 4 - SOFTWARE DEVELOPMENT SECURITY
The text description of this domain was slightly changed.
The biggest change is the replacement of the word APPLICATION by the word SOFTWARE everywhere within this domain. That makes it a more generic domain where any type of coding and development could apply.
A.1 Development Life Cycle is now used instead of Software Development Life Cycle (SDLC)
The topic of risk analysis was removed from the list of topics. However, it still remains one of the major activities that would be done within software development. I am not sure WHY it was removed.
Under issues in source code two new examples were added: escalation of privilege and Backdoor
The following was removed: C&A, Audit & logging, and Corrective Actions
Other than words being changed to new words, there were almost no changes to this domain. Only topics have been removed, which makes the list even shorter for this domain.
DOMAIN 5 - CRYPTOGRAPHY
The text portion was changed to better define what cryptography is and how it is done. It used to be described as a disguise method; now they are presenting it as applying mathematical algorithms and data transformation to information, which is a lot more accurate and better describes what cryptography really is. Within the text they added a few lines on PKI and Key Management; those subjects were already being covered but not listed in the text description.
A new topic was added:
B. Understanding the Cryptography Life Cycle with the following examples: cryptography limitations, algorithm, protocol governance. Those topics are NOT new to the CBK. They already existed in the old CBK.
The following examples of brute force were added: rainbow tables, specialized/scalable architecture
The topic of Employ Cryptography to maintain network security was replaced by Use Cryptography to maintain network security
The topic Use Cryptography to maintain Email Security has been replaced by Use Cryptography to maintain Application Security. The word application in this case was NOT replaced by Software like elsewhere in the CBK.
This is all for Cryptography; overall a bit of semantics like the other domains, but nothing really new in this domain.
DOMAIN 6 - SECURITY ARCHITECTURE & DESIGN
The initial text for this domain was greatly improved. However, almost nothing in the content has changed, except a few subjects that I was glad to see added to this domain.
A reference to OWASP was added under vulnerabilities and Threats.
The topic of Cloud Computing, Grid Computing, and Peer to Peer was added to this domain. I think it is about time considering the level of usage and the trend regarding virtualization and cloud computing. Finally some of the current concerns are being added.
Overall I would say about 1 to 2% was added to this domain, if the instructor or your training company takes the time to really explain what cloud computing is, what services it can provide, and what the security issues are.
Of course many people will cover this in one slide and get it over with; in such a case less than 1% would be added.
DOMAIN 7 - SECURITY OPERATIONS
The text describing this domain was improved but the topic list is almost verbatim.
The subject of Personnel Privacy and Safety was completely removed.
On the last topic they added System Resilience to Fault Tolerance requirements.
Overall zero percent of changes in this domain. It is the same as the old one except for the name, where the words were turned around.
DOMAIN 8 - BCP and DRP
In the text describing the domain they changed Business Impact Assessment to the proper term of Business Impact Analysis (BIA).
As mentioned previously, they changed "the candidate will be expected to know" to clearly state "the candidate is expected to know".
Nothing has changed within the topics of this domain except the last bullet, which used to say Test & Update the Plan and has been changed to Exercise, Assess, and Maintain the Plan, with the examples of Version Control and Distribution.
Overall no changes within this domain.
DOMAIN 9 - LEGAL, REGULATIONS, INVESTIGATION, AND COMPLIANCE
The text describing this domain has changed quite a bit. Incident Handling has been removed from the text. They added Ethical Behavior to the text because Ethics is now back within this domain. The description no longer talks about laws, Computer Crimes, and Regulations.
As mentioned already, the subject of ethics has been added to this domain where it really belongs. It lists specifically the ISC2 code of ethics and organizations' codes of ethics, which need to be supported.
Of note is the subject of Advanced Persistent Threats, which is a really nice way of describing attacks that many people do not understand. The candidate needs to understand how to identify Advanced Persistent Threats. Another up-to-date subject added to the CBK without any details.
Under forensics they added the subject of Hardware/Embedded Devices forensics
Finally they added:
F. Ensure security in contractual agreements and procurement processes and they list as examples: cloud computing, outsourcing, vendor governance
DOMAIN 10 - PHYSICAL (ENVIRONMENTAL) SECURITY
The description for this domain was expanded by a few lines.
A few examples were added to the topics.
The acronym HVAC is now spelled out.
The topic of Personal Privacy and Safety, which was removed from a previous domain, is now within Physical Security.
This is all. So no new content, but only a bit of content from another domain.
Overall mostly no changes for this domain.
LIST OF REFERENCES
Something is definitely wrong with the list of references. The list is a carbon copy of the 2009 list, less one book from Doctor McGraw on Software Security. A book which is, by the way, still applicable and good for today's issues.
I cannot believe that between 2009 and now there were no references added to the list of references.
Either ISC2 has not added any questions to the CBK using new references, or the list has not been maintained.
Only a few of the references are from 2010, and most of them are very old.
This does not seem right to me, considering that new questions are being added all the time to the exam.
Very bizarre.....
SAMPLE QUESTIONS (Ouch!)
There are 3 sample questions presented. Just like the list of references, it seems they are getting dated in at least 33.3% of them.
Question number 3 is about the usage of SSL under WAP. The question does not specify which version of WAP.
WAP 2.0 was released around 2002; it no longer required a WAP gateway. It is amazing to see that this question is still being used as an example. The question is dated and no longer valid today. Modern handsets mostly no longer use WAP at all.
This is very disappointing: it was there in 2009, almost 7 years after WAP 1.0 was no longer in use, and it is still there today, 10 years after WAP 1.0 is no longer in use.
I think it is REALLY time to retire this question and come up with a better sample question.
EXAMINATION INFORMATION
There is nothing changed within the examination information. They only changed the end time of the exam; it used to say 3 PM for the CISSP, but now they simply state the exam will be 6 hours long. They no longer take for granted that exams all start exactly at 9 AM.
DISAPPOINTMENT
The CIB is still lacking as far as details are concerned. The CIB initially used to have a LOT of details about the sub-topics under each of the domains subjects.
More details would better guide any student wanting to become a CISSP. ISC2 should, at a minimum, specify what percentage of the exam is within each of the ten domains. CompTIA does this for their certifications. It is not some type of secret. What good is a CBK if it is some type of secret?
CONCLUSION
This is not what I would call an update. As mentioned above there is at the most 2 to 3% of new material added. I have not seen anything specific to IP Version 6, thorough coverage of Cloud Computing and Virtualization, DNSSEC, BGPSEC, Internal threats, Remote Access Trojan, new social engineering techniques, skimming, vishing, and other projects that have all been fielded to improve security.
Overall this is very disappointing and mostly what I would call status quo.
Best regards to all
Clement
"