As I grow in years the amount of time that passes is more difficult to perceive. The fact that I have been a CISSP for 13 years (October 2002) is cool but it also makes me realize, once again, that I’m no longer a spring chicken. It also puts me on high-alert because the older I get the more likely it is that I have been resting on old knowledge, unaware of myself becoming professionally dated. Vigilance is required in this industry; nobody gets to coast. Go paint houses or mow lawns for a living if you want a career field that doesn’t evolve on a month-to-month basis. The desire to not lose relevance frequently keeps me awake at night. Not because I’m stressed, though. Because I’m sitting at my computer into the wee hours of the morning, reading, trying, tinkering, failing, winning, …learning.
For all but seven months of my thirteen years as a CISSP, (ISC)² has used the “10 Domains of the Common Body of Knowledge (CBK)”. And because I have been teaching CISSP classes for several years I had grown very accustomed to them. As large swaths of you know, (ISC)² changed the old ten domains of the CBK to a re-aligned 8 domains back in April of this year (2015). Everything changed. And nothing changed. Per (ISC)², content was not removed; it was “reorganized and updated”. Included in this revamp is the addition of technical content to reflect what has been happening over the past few years. We expect exams to do that, right? I don’t really see why (ISC)² didn’t just update the content without updating the domains, though. A few of the new domain names are so vague you rarely see them without a list of what they include in parenthesis after the name.
A few days ago a student asked me, “What’s your favorite CBK domain?” For the most brief of moments I wondered if he was next going to ask my favorite color and whether or not I liked to go for long walks on the beach. After a careful moments pause I enthusiastically shot back, “Cryptography!” …Doh! Crypto isn’t a domain in the CBK anymore! Holding hands as we started walking along the beach, he and I both laughed at my micro-instance of diminished professional relevance.
The next day, having forgiven myself for my continued inability to internalize the new CBK domain structure, I thought a little more about my answer. Why is it that I, a guy who gushes over anything networking related, chose cryptography as my favorite [old] domain? One of the reasons is that I find math to be beautiful (yes, I know that’s kinda geeky). Prime & composite numbers, primitive roots of primes, the discrete logarithm problem, the Fibonacci sequence and Ulam’s spiral; they are amazing. Math is everywhere, every day. All around us. And it’s so easy not to notice it. And the same is true with computers. Math, its uses in cryptography in particular, is everywhere in modern computing. And, just like in nature, it should be difficult for the average user to notice.
According to (ISC)², the topic of cryptography is now a subsection of their new Security Engineering domain. Purely from a CISSP perspective I have always liked that it was a separate domain. It made sense. In a classroom/study scenario it gave us the ability to look at objectives we needed to achieve (confidentiality, integrity, original authentication, non-repudiation, etc.) and the ways cryptography could be used to achieve them. With the underlying mechanics better understood it is easier to broach higher-level topics like TLS, IPSec, Kerberos, WPA-PSK, forensic images, data de-duplication and EFS. With the necessary understanding of cryptography already under your belt, you are free to think about the when, where, how and why of these solutions without getting mentally bogged down in the crypto, too.
Concepts of cryptography are easier to digest and understand when discussed as a topic independent of their implementations. But they are easier to internalize when you match them up with scenarios that illustrate real world use.
- How do you know your email wasn’t modified in transit? Explain to me how cryptography can help achieve that objective.
- How do you know that the private data being passed over your wireless LAN is not easily ready by an unauthorized person? What types of cryptography help to achieve that?
- You need to make a forensic image of an entire disk, ensuring that the copy is identical to the original. Where does cryptography fit into this process?
- The server sent you a certificate for authentication. How can a certificate prove who a server is?
- How can two systems that need to communicate secretly establish a secure data pathway when everything they send can be seen by anyone within ‘earshot’? How does cryptography help us do that. How is the security established? How is it maintained?
In all of these topics there is a process; some steps to follow. And underneath many of those steps is cryptography.
Hashing, symmetric and asymmentric encryption, diffie-hellman, elliptic curve cryptography, one-time pads, etc. These things show up all around us every day and the overwhelming majority of the time they are invisible (as they should be). From a real-world perspective cryptography is dissolved into most of the other domains. It’s in Communications and Network Security because we use IPsec to secure OSPFv3 routing exchanges. It is in Identity and Access Management because it is used in Kerberos. It is in Software Development Security because we can digitally sign our code. The list goes on and on and on. That’s why I love cryptography so much. It’s everywhere these days. I love how integrated it is into these things I am so passionate about (computers of pretty much any kind).
So, what’s your favorite CBK domain? Old or new. Doesn’t matter.
If you liked this post, please consider sharing it. Thanks!