September 1, 2008

Learning Security Through The View Of CISSP Versus Reality

The other common statement is just as crucial to understand, which is that you have to learn security the way (ISC)2 sees security. I have heard this a million times when teaching CISSP courses, in e-mails to me, on CISSP forums, etc. Again, I do not like and cannot fully support the way the CISSP exam questions are written, but the material that you have to learn for the exam is not something that has been made up by (ISC)2. If you research each and every topic within the CBK as I have, you will quickly find that almost all of the material comes straight from NIST documents and other "best practices" resources in the industry. The reason that I hear this complaint so much is that people have not fully read all of the NIST documents that are out there, or are not tuned into what correct and structured security actually requires. People are used to seeing security through the lens of their job and the company that they work in. Many companies have their own definitions for specific terms and practice security in a somewhat proprietary manner. Each company morphs terms and concepts to best fit its environment, but that does not mean that those are the standard practices in security for the industry as a whole.

I approach this issue at the beginning of any class I teach. I do this because, from years of experience, I understand that people have learned different 'dialects' of security, and since that is what they are most used to, they fully believe that their view is the right view.

What makes this issue even more complicated is that a lot of resources do not teach the CBK topics to the necessary depth of understanding. This means that people's notion of what security is, and their definitions of terms, are not challenged properly. Let me give you an example that makes some students' heads explode. Most people are familiar with the OSI model, which is a model that describes the various functionalities at different layers in a network stack. Most people know the 'canned' definition of what takes place at the seven layers of a network stack, but really do not understand the model or what each layer truly represents. So two things that I have seen students almost go through a nervous breakdown about are SSL working at the Transport layer and ARP working at the Data Link layer. The canned definition of the functionality that takes place at the Transport layer is "end-to-end transmission". The canned definition for what takes place at the Session layer is "a connection is built, maintained and torn down". These two definitions sound as though they are the same – what is the difference?

A Session layer protocol builds a connection to an application on another system. In the client/server model, a small part of an application is the client and the larger part of the application resides on another computer and does a lot of the work for the client. So how do the client and server portions of an application communicate? Through some type of Session layer protocol, such as NFS, RPC, NetBIOS, SQL, etc. These protocols keep track of the dialog connections between the two pieces of software and carry out a variety of functions such as checkpointing, session recovery, opening and terminating connections, access control and more.

Simply put, protocols at the Transport layer provide connections between computers, and protocols at the Session layer provide connections between applications. So, what does this have to do with SSL and ARP?

Some people have learned that SSL works in the Session layer, and when I tell them that for the CISSP exam it works at the Transport layer they want to throw a book at me. (This is one example of why people think that they have to learn security through the view of CISSP versus reality.) What people do not fully understand is that SSL is made up of two protocols that carry out the functionality of the Session layer and the Transport layer. So some resources say that SSL works at the Session layer and another resource says it works in the Transport layer, and they are both right - but neither of the resources goes deep enough into the protocol to explain how it works, so we just memorize whatever layer we are told that it works in.
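To make the "two protocols" point concrete, here is an added Python example (not code from the article) that takes one SSL/TLS record and separates its record-protocol framing (content type, version, length) from the handshake message carried inside it; the sample ClientHello bytes are constructed, and the layer labels in the comments follow the article's argument rather than any formal standard.

```python
import struct

HANDSHAKE = 0x16          # record-layer content type for handshake messages
CLIENT_HELLO = 0x01       # handshake-layer message type

def parse_record(data: bytes):
    """Record protocol: framing, version and length (the Transport-like half)."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if len(data) < 5 + length:
        raise ValueError("truncated record body")
    header = {"content_type": ctype, "version": (major, minor)}
    return header, data[5:5 + length], data[5 + length:]

def parse_handshake(payload: bytes):
    """Handshake protocol: negotiates the session inside the record (the Session-like half)."""
    if len(payload) < 4:
        raise ValueError("short handshake header")
    htype = payload[0]
    hlen = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hlen]
    if len(body) != hlen:
        raise ValueError("truncated handshake body")
    return {"msg_type": htype, "body": body}

def layers(data: bytes):
    """Return both protocol layers found in a single record."""
    rec, payload, _rest = parse_record(data)
    out = {"record": rec}
    if rec["content_type"] == HANDSHAKE:
        hs = parse_handshake(payload)
        out["handshake"] = hs
        if hs["msg_type"] == CLIENT_HELLO:
            out["client_version"] = tuple(hs["body"][:2])
    return out

# Constructed sample: one TLS 1.2 record carrying a minimal ClientHello.
CLIENT_HELLO_BODY = (
    b"\x03\x03"            # client_version (TLS 1.2)
    + bytes(32)            # random (zeros; constructed test value only)
    + b"\x00"              # session_id length 0
    + b"\x00\x02\x00\x2f"  # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x01\x00"          # one compression method: null
)
HANDSHAKE_MSG = bytes([CLIENT_HELLO]) + len(CLIENT_HELLO_BODY).to_bytes(3, "big") + CLIENT_HELLO_BODY
SAMPLE_RECORD = struct.pack("!BBBH", HANDSHAKE, 3, 3, len(HANDSHAKE_MSG)) + HANDSHAKE_MSG

if __name__ == "__main__":
    print(layers(SAMPLE_RECORD))
```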

The reason that many people have difficulty with conflicting resources is that the OSI model does not actually exist. It is a conceptual model that allows people to understand the different pieces of a network stack. You will never open your hard drive and see where the OSI model is, and you will never find an actual file that has OSI in it. The OSI model takes reality (a network stack) and virtually cuts it up into understandable and digestible chunks. This is like trying to put boxes over your life so that your life can be explained in discrete levels of activity. There are things that you do in your life that do not fit well in just one box; maybe it takes two boxes to cover a certain aspect of your life. The same goes for a network protocol stack. The OSI model attempts to break the network stack down into specific layers, but some protocols cover more than one layer.

(ARP is made up of code that provides the functionality of the Network and Data Link layers. This is another one of those issues that can result in a lively debate.)

So, if you learned that SSL works at the Session layer instead of the Transport layer, and that ARP works at the Network layer instead of the Data Link layer – you have memorized the functionality of the layers within the OSI model. This in no way means that you actually understand what is going on in the network stack.

This is just one example of why people think that they are being taught incorrectly and that they just have to answer the question on the exam the way that (ISC)2 wants them to answer and then get back to their real life. In reality, you just don’t fully understand the OSI model and how it relates to the protocols that make up a network stack.

Part 4 of 5 extracted from an original article written by Shon Harris entitled:

The CISSP Exam is Out of Date, Irrelevant, and Subjective
Busting through the Myths of the CISSP Exam

Read Part 1 - CISSP Exam – Learning Above Technology And Understanding Security In A Holistic Manner

Read Part 2 - Training For CISSP – The Early Days

Read Part 3 - Preparing For CISSP Exam – Is It Really A Waste Of Time To Learn About The Wide Spectrum Of Topics Covering Security?

Read Part 5 - CISSP Exam – Having The Right Perspective On The World Of Security
