Security Advisory MA-2003-01 CISSP - Trojan Security Certification
Original Release Date: Thursday January 16, 2003
Last Revised: --
Source: --
Systems Affected
o Information Security Community
o Information Technology Employers
o Information Security Consultants
Overview
It has recently been identified that the International Information Systems Security
Certification Consortium ((ISC)2) has developed and released a potentially destructive
trojan application, the CISSP, which masquerades as a valid standard for professional
certification in the field of information security.
I. Description
Delivered in the benign form of a six hour examination, the CISSP prompts the target user
with a series of 250 questions on the following topics:
o Access Control Systems & Methodology
o Applications & Systems Development
o Business Continuity Planning
o Cryptography
o Law, Investigation & Ethics
o Operations Security
o Physical Security
o Security Architecture & Models
o Security Management Practices
o Telecommunications, Network & Internet Security
This rather large payload, commonly referred to as the Common Body of
Knowledge (CBK), may cause a Denial of Service condition, leaving the target
overwhelmed and unable to respond to further requests for the duration of the
attack. If the target handles the Denial of Service attack appropriately and is
unaffected, the CISSP trojan discontinues this attack and self-mutates into a
certification of added IS credibility. If accepted by the target, this certification
begins to cause the following symptoms:
o Increase in self-confidence
o Increase in salary requirements
o False sense of accomplishment
o False sense of self-improvement
Despite the symptoms, the target experiences no real benefit whatsoever. The affected
target is then made to transfer funds in excess of $2,000 (US) to a remote bank
account owned by ISC2. Finally, the affected target promotes itself to a "Certified
Information Security Expert" sans authentication. The affected
target may then infect others, eventually creating a massive army of unskilled,
prefabricated, shrink-wrapped, not-for-resale, half-assed security engineers,
consultants, and "research scientists".
II. Impact
An abundance of sub-par information security engineers, consultants, and "research
scientists".
A negative impact on the economy, specifically within the Information
Technology sector.
III. Solution
Avoid any certifications issued by ISC2 until a patch is distributed.
Obtain information security related certifications from valid sources.
Employers are encouraged to recognize the CISSP as a trojan certification.
Appendix A - Vendor Information
International Information Systems Security Certification Consortium, Inc.
(ISC)2 is the premier organization dedicated to providing information security
professionals and practitioners worldwide with the standard for professional
certification.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html