Changes to the ISC2 CISSP CBK January 2012
*IMPORTANT* - ISC2 will release a new version of the CBK as of January 2012. Secure Ninja's CISSP curriculum fully supports these changes. See details of changes below:
Update: By Clement Dupuis, Owner of CCCURE.org February 15, 2012
Good day to all,
I am still receiving numerous inquiries about the changes that were introducted in the new CISSP® CBK® that was released as of January 2012.
As I have mentioned in my full review of the old CBK®compared with the new CBK® there is almost no changes that were introduced. The changes are mostly semantics, lots of the changes are rewording within the Candidate Information Bulletin (CIB). So there should be no worries, the material you currently have will still match perfectly well with the current exam offered by ISC2® and you don't need new books or new resources.
This is not just hearsay or rumors, the ISC2® website has a series of documents that talks about the process and this topic. They give you details on what to expect. The documents available on the ISC2® website all say very clearly:
- The candidates should not expect big changes in any examination (or test question)
- No domains were deleted or added to the CISSP® certification, only one domain was renamed
- The content changes mostly involved relocating and renaming of some of the topics
- There will be no new questions in the forms that will require major changes to any education programs
- All changes can be easily covered by instructors using the current education material
So it is business as usual. Do not let any rumors throw you off of your study plan. What you put in is what you will get out of it.
Remember to look at my tips and tricks before you start your studies. You will find them at:
A message from Clement Dupuis, Secure Ninja Chief Learning Officer and Maintainer of CISSP Exam Prep Portal CCCURE.ORG
Good day to all,
Lately I have received a lot of inquiries from members of the site about the announcement from ISC2 of a new CBK that will be released on January 2012. Of course many of you are wondering if this will severely affect them, and if the resources they are currently using still valid, many are wondering if they should stop their studies and wait for this new and improve CBK, or just what exactly is in store as far as changes are concerned. Do not get over excited, there is little to worry about regarding this new CBK that was announced.
Over the past twelve years I have lived through many such updates, every time I was expecting the spanking new CBK with the latest and greatest security issues being covered but most of the time the update would turn out to be only changes in the domains names, subjects being moved from one domain to another, and very minor changes made to the actual content of the CBK. This update seems to be no different looking at the present and future Candidate Information Bulleting (CIB) that was released by ISC2 which contains the current CIB and the future one to be used in January of 2012. A grand total of 66 pages all together.
NEW DOMAIN NAMES
There are only two domains that have changes in their names:
- Application Development Security will now be called Software Development Security
- Operations Security is now called Security Operations
As you can see those are VERY minor changes where only one word has been changed and for the second domain they simply flip flop two words.
You will not be lost with new names for the domains, they are basically the same except for those two changes.
INTRODUCTION PAGE TO THE CIB
The introduction page had very little changes done. In fact they mostly made it more precise and they used words that better represent information security instead of generic word that used to be within the text.
An intro paragraph was added to define what the CISSP is and as such what it provides and some of the key topics that are included within the CBK. On this page you find that most of the changes were made within the description of WHAT IS PROFESSIONAL EXPERIENCE.
- There are bullets that were redundant that have been combined together.
- They replace "Creative Writing" with "Professional Writing"
- They changed "Applicable titles" to say "Applicable Job Titles"
- They remove the title "Officer" and replaced it with "CISO"
- They replaced "Engineer" with "Information Assurance Engineer"
- Titles such as Leader and Designer have been removed
- The title Cryptographer is now replacing Cryptologist and Cryptanalysis
- The title Architect was replaced by "Cyber Architect"
- The titles of Consultant, Salesman, and Representative were all removed from the list of Titles
- The title of Lecturer was added to the list of applicable titles
In most of the domains the text would say the candidate should understand which has been replaced by "is expected" which clearly tells the candidate that he has to know and not only that he should know. This is a clear distinction within the text of the new CBK.
DOMAIN 1 - ACCESS CONTROL
The introduction portion was modified to better describe what falls into this domain. There is only one new area of knowledge that was added to this domain with a few sub-topics added to old subjects to better describe what they are.
Under Understanding Access Control Attackthe following sub-bullets were added:
- B.1 Threat Modeling
- B.2 Asset Valuation
- B.3 Vulnerability Analysis
- B.4 Access Aggregation
Under Assess Effectiveness of Access Controlsthe following was added:
- C.1 User Entitlement
- C.2 Access Review & Audit
A new bullet was added to this domain:
- D. Identify and Access Provisioning lifecycle (e.g. provisioning, review, revocation)
The changes in this domain are very minimal. Overall changes are by my estimate less than 1% of the current CIB content. Mostly there is nothing new that was not already covered in the old CBK.
DOMAIN 2 - TELECOMMUNICATION AND NETWORK SECURITY
The text portion describing this domain has been greatly reduced. The text portion used to be mostly a repeats of the topics listed under the text explanations. The introduction no longer mentions anything about Firewalls, VOIP, Detecting Network Based attacks. It was also noted the subject of Establish Secure Data Communications was removed as well.
Here are some of the changes in this domain:
- A.3 Implications of Multi-Layer protocols was added
- B.1 Wireless Access Points was added to the list of hardware devices
- B.3 The term Filtering Devices is now replace with the new buzzword Network Access Control (NAC) devices
- C.1 VOIP was replaced by simply the term Voice with examples such as POTS, PBX, and VOIP
- C.3 Under Remote Access the following examples were added: screen scraper, virtual application/desktop, and telecommuting
- D. Under Understand Network Attacks the following examples were added: Dodos, and Spoofing
Overall this is another domain with only about 1% of changes being introduced.
DOMAIN 3 - INFORMATION SECURITY GOVERNANCE & RISK MANAGEMENT
This domain has some new bullets that were added but no real major changes overall.
- B.1 Under organizational Processes some examples were added: Acquisition, Divestitures, and Governance Committees
- B.2 Used to be Define Security Roles and Responsibilities is now Security Roles and Responsibilities, the word define has been removed at the beginning.
- E. A new topic was added called: Manage the information life cycles with the following examples: classification, categorization, and ownership. It is a new bullet but all subjects that were already covered.
- F. A new topic called: Manage Third Party governance was added with the following examples: On-site assessment, document exchange and review, process/policy review.
- Under risk assessment they added Qualitative, Quantitative, and Hybrid risk assessments.
- Under Manage Personnel Security they added the following examples: reference checks, education verification.
- For some strange reason it seems they removed Background Check from employee management???
- ETHICS has been completely removed from this domain and moved back into the legal domain where it used to be a few years ago :-)
- Now the CBK says Manage Personnel Security instead of Evaluate Personnel Security.
- Overall about 1% of this domain was changed at the most.
DOMAIN 4 - SOFTWARE DEVELOPMENT SECURITY
- The text description of this domain was slightly changed.
- The biggest change is the replacement of the word APPLICATION by the work SOFTWARE everywhere within this domain. That makes it a more generic domain where any type of coding and development could apply.
- A.1 Development Life Cycle is now used instead of Software Development Life Cycle (SDLC)
- The topic of risk analysis was removed in the list of topics. However it still remains one of the major activities that would be done within software development. I am not sure WHY it was removed.
- Under issues in source code two new examples were added: escalation of privilege and Backdoor
- The following was removed: C&A, Audit & logging, and Corrective Actions
- Other than words being changed to new words, there were almost no changes to this domain. Only topics have been removed which makes the list even shorter for this domain.
DOMAIN 5 - CRYPTOGRAPHY
The text portion was changed to better define what cryptography is and how it is done. It used to be describe as a disguise method, now they are presenting it as applying mathematical algorithms and data transformation to information which is a lot more accurate and better describes what cryptography really is. Within the text they added a few lines on PKI and Key Management, those subjects were already being covered but not listed in the text description.
- A new topic was added:
- B. Understanding the Cryptography Life Cycle with the following examples: cryptography limitations, algorithm, and protocol governance. Those topics are NOT new to the CBK. They already existed in the old CBK.
The following examples of brute force were added: rainbow tables, specialized/scalable architecture
The topic of Employ Cryptography to maintain network security was replaced by Use Cryptography to maintain network security
The topic Use Cryptography to maintain Email Security has been replaced by Use Cryptography to maintain Application Security. The word application in this case was NOT replace by Software like elsewhere in the CBK.
This is all for Cryptography, overall a bit of semantic like the other domains but nothing really new in this domain.
DOMAIN 6 - SECURITY ARCHITECTURE & DESIGN
The initial text for this domain was greatly improved. However the content has almost nothing changed except a few subjects that I was glad to see added to this domain.
A reference to OWASP was added under vulnerabilities and Threats.
The topic of Cloud Computing, Grid Computing, and Peer to Peer was added to this domain. I think it is about time considering the level of usage and the trend regarding virtualization and cloud computing. Finally some of the current concerns are being added.
Overall I would say about 1 to 2% was added to this domain if the instructor or your training company takes the time to really explain what is cloud computing, what services it can provides, and what are the security issue.
Of course many people will cover this in one slide and get it over with, in such case less than 1% would be added.
DOMAIN 7 - SECURITY OPERATIONS
The text describing this domain was improved but the topic list is almost verbatim.
The subject of Personnel Privacy and Safety was completely removed.
On the last topic they added System Resilience to Fault Tolerance requirements.
Overall zero percent of changes in this domain. It is the same as the old one except the name where the words were turned around.
DOMAIN 8 - BCP and DRP
In the text describing the domain they changed Business Impact Assessment to the proper term of Business Impact Analysis (BIA)
As mention previously they change the candidate will beexpected to know to clearly state the candidate is expected to know
Nothing has changed within the topics of this domain except the last bullet which used to say Test & Update the plan which has been changed to Exercise, Assess, and maintain the plan with the examples of Version Control, Distribution
Overall no there are no changes within this domain.
DOMAIN 9 - LEGAL, REGULATIONS, INVESTIGATION, AND COMPLIANCE
The text describing this domain has changed quite a bit. Incident Handling has been removed from the text. They added Ethical Behavior to the text because Ethics is now back within this domain. The description no longer talks about laws, Computer Crimes, and Regulations.
As mentioned already the subject of ethics has been added to this domain where it really belongs. It lists specifically the ISC2 code of ethics and organizations code of ethics which needs to be supported.
Of note is the subject of Advanced Persistent Threats which is a really nice way of describing attacks that many people do not understand. The candidate needs to understand how to identify Advanced Persistent Threats. Another up to date subject added to the CBK without any details.
Under forensics they added the subject of Hardware/Embedded Devices forensics
Finally they added:
F. Ensure security in contractual agreements and procurement processes and they list as examples: cloud computing, outsourcing, vendor governance
DOMAIN 10 - PHYSICAL (ENVIRONMENTAL) SECURITY
The description for this domain was expanded by a few lines.
A few examples were added to the topics.
The acronym HVAC is now spelled out.
The topic of Personal privacy and Safety which was removed in a previous domain is now within Physical Security.
This is all. So no new content but only a bit of content from another domain has been added
Overall mostly no changes for this domain.
LIST OF REFERENCES
Something is definitively wrong with the list of reference. The list is a carbon copy of the 2009 list less once book from Doctor McGraw on Software Security. A book which is by the way still applicable and good for today’s issues.
I cannot believe that between 2009 and now there was no references added to the list of reference.
Either ISC2 has not added any questions to the CBK using new references or the list has not been maintained.
Only a few of the references are 2010 and most of them are very old.
This does not seem right to me considering that new questions are being added all the time to the exam.
SAMPLE QUESTIONS (Ouch!)
There are 3 sample questions presented. Just like the list of references it seems they are getting dated in at least 33.3% percent of them.
Question number 3 is about the usage of SSL under WAP. The question does not specify which version of WAP.
WAP 2.0 was release around 2002, it no longer required a WAP gateway. It is amazing to see that this question is still being used as an example. The question is dated and no longer valid today. Modern Handset mostly no longer uses WAP at all.
This is very disappointing to see this was there in 2009 almost 7 years after it WAP 1.0 was no longer use and it is still there today 10 years after WAP 1.0 is no longer in use.
I think it is REALLY time to retire this question and come up with a better sample question.
There is nothing changed within the examination information. They only changed the end time to exam, it used to say 3 PM for the CISSP but now they simply state the exam will be 6 hours long. They no longer take for granted that exams all start exactly at 9 AM.
The CIB is still lacking as far as details are concerned. The CIB initially used to have a LOT of details about the sub-topics under each of the domains subjects.
More details would better guide any students wanting to become a CISSP. ISC2 should at least as a minimum specific what percentage of the exam is within each of the ten domains. CompTIA does this for their certifications. It is not some type of secret. What good is a CBK if it is some type of secret?
This is not what I would call an update. As mentioned above there is at the most 2 to 3% of new material added. I have not seen anything specific to IP Version 6, thorough coverage of Cloud Computing and Virtualization, DNSSEC, BGPSEC, Internal threats, Remote Access Trojan, new social engineering techniques, skimming, vishing, and other projects that have all been fielded to improve security.
Overall this is very disappointing and mostly what I would call the "status quo".
Best regards to all