"Security+ Training Guide", Todd King, 2003, 0-7897-2836-2,
%A Todd King
%C 201 W. 103rd Street, Indianapolis, IN 46290
%I Macmillan Computer Publishing (MCP)
%O U$49.99/C$77.99/UK#36.50 800-858-7674 info@...
%P 699 p. + CD-ROM
%T "Security+ Training Guide"

Aside from the list of exam objectives, the introduction is an
extremely vague and generic document. The set of exam tips even
provides suggestions for a format that the text itself admits is
inappropriate to the CompTIA Security+ test.

Part one, the bulk of the book, breaks the exam topics into nine
sections, rather than the five domains proposed by CompTIA. Chapter
one supposedly deals with general security concepts. However, the
material is padded out with a great deal of gratuitous content and
confusing verbiage. The glossary contains such vital items as "lamer"
and "luser." The discussions of mandatory, discretionary, and
role-based access control do not make the distinctions clear. The review
of Kerberos really only mentions tickets, and does not deal with the
concepts that allow the use of symmetric encryption in a system that
never sends keys in cleartext. The description of "challenge" based
authentication systems provides a completely misleading idea of what a
challenge actually is or does. Some security factors, such as the
list of attacks (with the notable exception of the malware-related
content), are reasonably well done, but even these tend to be
excessively verbose. The practice questions do not test for concepts:
they seem to be based strictly on wording in the text, and
carelessness in writing the questions makes one answer flatly wrong.

Similar problems are involved in the other material. Chapter two
demonstrates a fundamental lack of understanding of wireless LAN
security technologies and where they are applied. (Wired Equivalent
Privacy, dealing with encryption on LANs, and Wireless Access
Protocol, providing Web access for cellular telephones, seem to be
confused in the author's mind.) Again, a great deal of only
marginally relevant material seems to have been included. Devices,
media, and topologies, in chapter three, are packaged along with a
grab bag of disorganized topics. (Firewall technologies and
topologies are, in fact, covered in two separate sections of the same
chapter.) Intrusion detection, baselines, and hardening, in chapter
four, might be a bit better, but only because the topic is so large
that the lists of recommendations do all have some relation to the
subject. Chapter five, on cryptographic algorithms, seems to just
list them, without providing an understanding of basic concepts. PKI
(Public Key Infrastructure) is simply a list of cryptological terms
and technologies, and chapter six doesn't provide much in the way of
solid definitions for them. As a welcome relief, physical security is
covered quite well in chapter seven. Oddly, however, business
continuity planning is tacked on to the same chapter, and has numerous
gaps. The vital topic of security policy, in chapter eight, is
unfortunately treated with a random assortment of material.
Similarly, chapter nine's view of security management seems to be
primarily administrative (featuring a flurry of Windows 2000 dialogue
box screen shots) with a chaser of additional subjects (such as

Part two seems to bear almost no relation to the previous material.
The "Fast Facts" are arranged in the five CompTIA domains. The
questions in the practice exam are completely unlike those given at
the end of the chapters.

Given the plethora of unnecessary verbiage and the paucity of reliable
content, this book has to get the lowest recommendation of the
Security+ guides reviewed so far (cf. BKMMSCRP.RVW, BKSCRTYP.RVW,
BKSCRTPD.RVW, and BKSCRTPG.RVW).

copyright Robert M. Slade, 2003 BKSCRPTG.RVW 20030419