Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "CISSP (Exam Cram)", Mandy Andress

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKCISPEC.RVW 20020321 CISSP (Exam Cram) , Mandy Andress, 2001, 1-58880-029-6, U$34.99/C$53.99/UK#24.49 %A Mandy Andress %C 14455 N. Hayden Road, Suite
    Message 1 of 1 , May 13 12:56 PM
    • 0 Attachment
      BKCISPEC.RVW 20020321

      "CISSP (Exam Cram)", Mandy Andress, 2001, 1-58880-029-6,
      U$34.99/C$53.99/UK#24.49
      %A Mandy Andress
      %C 14455 N. Hayden Road, Suite 220, Scottsdale, AZ 85260
      %D 2001
      %G 1-58880-029-6
      %I Coriolis
      %O U$34.99/C$53.99/UK#24.49 800-410-0192 fax: 602-483-0193
      %P 265 p.
      %T "CISSP (Exam Cram)"

      It is interesting, and somewhat disturbing, to note that while there
      are a number of effusive quotes on and inside the cover extolling the
      virtues of the Exam Cram series, none specifically mention this book.

      Bound into the inside front cover is a cram sheet, with 50 points on
      it that are obviously supposed to be vitally important to the exam.
      Leaving aside both the simplistic nature of the information presented,
      and the difficulty of answering a 250 question exam with a mere 50
      points, we only have to get to the third point on the sheet before we
      run into rather significant errors. (Role-based access control is not
      an alternative to discretionary or mandatory controls, but can
      implement either.) This does not bode well.

      The introduction explains the CISSP (Certified Information Systems
      Security Professional) designation. The text makes frequent
      references to the (ISC)^2 web site, but, since the recent site
      redesign, all these URLs are incorrect. There is also a short self-
      assessment section, intended to help you determine whether or not you
      are prepared for the exam, but the vague and generic metrics suggested
      are unlikely to help determine your readiness.

      Chapter one's discussion of the exam, and techniques for writing the
      exam, does contain some useful recommendations (if you don't know,
      answer anyway), but other advice is problematic, and may be
      detrimental. Access control, in chapter two, is the first of the ten
      domains of the Common Body of Knowledge (CBK) of the CISSP. The
      material is presented as a list of key terms and phrases, and the
      presentation might be helpful to the exam candidate were it not for
      the extremely limited nature of the deliberation and frequent errors.
      For some reason a significant amount of space is given to topics (like
      SYN floods) that do not belong in this domain. There is a brief list
      of questions at the end of the chapter, with answers and discussion
      presented immediately afterward. Unfortunately, these questions are
      so simplistic that they cannot be said to represent, in any way, the
      exam itself, and the wording is so careless that it is often
      impossible to say whether the answers given are, in fact, right or
      wrong.

      Chapter three provides an almost random assortment of topics related
      to telecommunications and networking. (There is a modicum of
      structure in that subjects are grouped together, but there is no
      logical flow: IPsec is discussed before the base IP concepts are
      covered.) There are many problems with the material: it is difficult
      to say whether the definition of a "circuit gateway" firewall means
      anything, let alone is right or wrong, and we are told that SSL
      (Secure Sockets Layer) is only used for host-to-host communications
      and resides in the session layer. (The book contradicts itself:
      chapter six does note that SSL is used between client browser and web
      server.) Again, many irrelevant topics are included while important
      areas are missed. (PPP (Point-to-Point Protocol) is listed, PPTP
      (Point-to-Point Tunnelling Protocol) is not.) Security management
      practices are not covered in chapter four: the vital areas of policies
      and risk analysis are given brief mention at the end of a meandering
      and incomplete list of management concerns. Another haphazard
      catalogue of terms takes the place of the applications development
      domain in chapter five. (The definition of a virus is that of a
      trojan and the definition for a worm seems to fit payload.) That the
      author is unfamiliar with basic concepts of cryptography is obvious
      when, in chapter six, "strong encryption" is defined as the use of a
      128-bit key. (In the discussion of triple DES (Data Encryption
      Standard), the "meet-in-the-middle" attack is obviously confused with
      "man-in-the-middle.") Chapter seven's review of security
      architectures contains another arbitrary list of computer architecture
      topics. There is some material that is security related, but in the
      discussion of the Bell-La Padula model, about the only reliable
      information is that it involves security levels. Operations security
      is fairly straightforward, so chapter eight doesn't make any glaring
      errors. (The content is, however, very terse.) Much the same holds
      true for business continuity and disaster recovery in chapter nine.
      Aside from an over-emphasis on US legislation, chapter ten does not do
      a really bad job with law, investigation, and ethics. Chapter eleven
      collates some checklists related to physical security, but has
      numerous gaps in the discussion of the overall topic.

      About the best that can be said for this book is that most of the
      items in the common body of knowledge get a mention at some point.
      Beyond that, the material is too scattered and unreliable to be used
      either to study for the CISSP exam (unless you want to play "spot the
      error"), or even as a quick guide for those charged with security.

      copyright Robert M. Slade, 2002 BKCISPEC.RVW 20020321


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... rslade@... slade@... p1@...
      The complete lack of evidence is the surest sign that
      the conspiracy is working.
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
    Your message has been successfully submitted and would be delivered to recipients shortly.