The Cyber Security Body of Knowledge (cybok.org)
89 points by MrEliasen 4 months ago | 18 comments



As someone who has been in this game for 15 years, I have to say that by the time anyone has infosec written down and categorized it is obsolete. The CISSP, for example, bombards you with questions about thoroughly obsolete attacks. I let mine expire and allow my resume to speak for itself.

Furthermore, after a couple hundred interviews over the course of my career, use of the term "cyber" is a huge red flag. Very few such people with "cyber" on their resumes are hired where I work.


I'm not Internet famous like some of the security guys around here, but I'm good enough to get a job nearly anywhere I want. I wouldn't want to work for a place that harbors illogical grudges against benign words that over time have become used by almost everyone working in the industry. It makes me wonder what other petty things the company would be needlessly elitist and toxic about.

I've only been conducting interviews for a few years, but I haven't noticed a correlation between a lack of ability and the use of the term cyber. I don't think it's on my resume (haven't had to update in a few years), but I wouldn't make assumptions about anyone that did.


In all my years I’ve never seen a single resume using the word cyber. But I wouldn’t hold it against anyone. That’s silly.


I feel like your second paragraph is getting the focus of everyone's ire, whilst your first point is being missed (and is a much better one):

>I have to say that by the time anyone has infosec written down and categorized it is obsolete

It's a worthy goal for CyBoK to try to write this down, but having skimmed over the AppSec one it immediately feels like it's something that will get finished one day, and then people will get round to reading it one day by which point it will be little more than an academic curiosity.

My first impression is that it is broadly an academic exercise and not a practical one. This type of knowledge needs to be documented in a more dynamic format if it is to stand any chance of being relevant, let alone remaining relevant. It needs the funding and the community support, but on top of academics cogitating over it, it needs real-world, real-time input, maintenance, and updates.


> Furthermore, after a couple hundred interviews over the course of my career, use of the term "cyber" is a huge red flag. Very few such people with "cyber" on their resumes are hired where I work.

Sounds like a workplace one should avoid. It seems quite petty that one would consider a harmless and a completely acceptable word to be a reason to look at a potential candidate with a negative bias.

Maybe I should start including the word "cyber" in my resume going forward to filter out petty employers like yours.


It's not the use of the word, it's the background that comes with it. Seeing "cyber" all over a resume usually means the candidate has been a contractor for some government agency where they run a vuln scanner and deliver the reports to someone, but don't really have any understanding of the results, or any real responsibility at all, usually.


The principles of security have not changed in thousands of years (Least Privilege, fix vulnerabilities/gaps, understand methods of attack...); as those principles apply to the world of IT, they have not changed since IT happened. Specific events and vulnerabilities may have come and gone, but the principles of design, and all such like things, have not changed at all. What has changed about trying to maintain Confidentiality, Integrity, Availability, Accountability, etc.?


Perhaps I misunderstand what you're saying, but it seems that I frequently hear of people's systems being compromised because they didn't, for example, install security patches and the like. Because they didn't sanitise SQL queries from untrusted sources. Because of a buffer overflow. They've been written down for years, and they're still regularly used to compromise people's systems.


Couldn’t agree more. Unfortunately however, my Masters degree was renamed from Information Assurance to Cybersecurity half-way through my program, so I have one instance of the word “cyber” on my resume, despite the eye-roll it gives me. The rest of my experience speaks for itself though.


In web dev there is the OWASP top 10, which is made of relatively old but still widespread vulnerabilities, right?


> Furthermore, after a couple hundred interviews over the course of my career, use of the term "cyber" is a huge red flag. Very few such people with "cyber" on their resumes are hired where I work.

You said the word! Take a shot!


Whilst I'm not a fan of it, the term "cyber" is part of the lexicon now, and if you want to communicate to people outside the security industry about it, you'll find it easier when using that term.

It's like the old debates about the term hacker, eventually things become part of common parlance...

As to old knowledge, I'd say it very much depends. Basic principles from 20 years ago apply very much now. The specific attacks may have changed (although in some cases they're still the same) but the underlying concepts remain.


> It's like the old debates about the term hacker, eventually things become part of common parlance...

Or different usages of the word "hacker" become a shibboleth for showing which of the groups (with very different agendas) you belong to.


Ouch. Doing cyber related software for years, can't really avoid the word. Though I don't think it's different from safety, reliability in the sense of good engineering goals. I wasn't expecting to be judged for using a word. Sadly, many engineers are quite biased, so don't beat yourself up.


I think that it depends. Computer security basics and concepts may be old but are still valid, such as security models, security (engineering) principles and other security related concepts (e.g. reference monitor).

Understanding attacks can be helpful to understand vulnerabilities and wrongly implemented security principles.


In the immortal words of the sadly departed J.D. Falk: "Nothing is cooler because it is cyber."


Page 4 of the Scope[0] document looks particularly useful in broadly (albeit briefly) highlighting the various domains inside computer security.

Could be a nice 1 pager for highlighting some of the things I do to outsiders. Would be useful to those looking to get into this field (i.e. CS undergrad) too.

[0] https://www.cybok.org/media/downloads/CyBOKScopeV2.pdf


This is a draft? At this stage of the game in 2018 this is all they have? One would do better to invest time in the 8 domains as developed by ISC2 (CISSP).

