REVIEW: "CISSP (Exam Cram)", Mandy Andress
- BKCISPEC.RVW 20020321
"CISSP (Exam Cram)", Mandy Andress, 2001, 1-58880-029-6,
%A Mandy Andress
%C 14455 N. Hayden Road, Suite 220, Scottsdale, AZ 85260
%O U$34.99/C$53.99/UK#24.49 800-410-0192 fax: 602-483-0193
%P 265 p.
%T "CISSP (Exam Cram)"
It is interesting, and somewhat disturbing, to note that while there
are a number of effusive quotes on and inside the cover extolling the
virtues of the Exam Cram series, none specifically mention this book.
Bound into the inside front cover is a cram sheet, with 50 points on
it that are obviously supposed to be vitally important to the exam.
Leaving aside both the simplistic nature of the information presented,
and the difficulty of answering a 250 question exam with a mere 50
points, we only have to get to the third point on the sheet before we
run into rather significant errors. (Role-based access control is not
an alternative to discretionary or mandatory controls, but can
implement either.) This does not bode well.

The introduction explains the CISSP (Certified Information Systems
Security Professional) designation. The text makes frequent
references to the (ISC)^2 web site, but, since the recent site
redesign, all these URLs are incorrect. There is also a short self-
assessment section, intended to help you determine whether or not you
are prepared for the exam, but the vague and generic metrics suggested
are unlikely to help determine your readiness.

Chapter one's discussion of the exam, and techniques for writing the
exam, does contain some useful recommendations (if you don't know,
answer anyway), but other advice is problematic, and may be
detrimental. Access control, in chapter two, is the first of the ten
domains of the Common Body of Knowledge (CBK) of the CISSP. The
material is presented as a list of key terms and phrases, and the
presentation might be helpful to the exam candidate were it not for
the extremely limited nature of the deliberation and frequent errors.
For some reason a significant amount of space is given to topics (like
SYN floods) that do not belong in this domain. There is a brief list
of questions at the end of the chapter, with answers and discussion
presented immediately afterward. Unfortunately, these questions are
so simplistic that they cannot be said to represent, in any way, the
exam itself, and the wording is so careless that it is often
impossible to say whether the answers given are, in fact, right or
wrong.

Chapter three provides an almost random assortment of topics related
to telecommunications and networking. (There is a modicum of
structure in that subjects are grouped together, but there is no
logical flow: IPsec is discussed before the base IP concepts are
covered.) There are many problems with the material: it is difficult
to say whether the definition of a "circuit gateway" firewall means
anything, let alone is right or wrong, and we are told that SSL
(Secure Sockets Layer) is only used for host-to-host communications
and resides in the session layer. (The book contradicts itself:
chapter six does note that SSL is used between client browser and web
server.) Again, many irrelevant topics are included while important
areas are missed. (PPP (Point-to-Point Protocol) is listed, PPTP
(Point-to-Point Tunnelling Protocol) is not.) Security management
practices are not covered in chapter four: the vital areas of policies
and risk analysis are given brief mention at the end of a meandering
and incomplete list of management concerns. Another haphazard
catalogue of terms takes the place of the applications development
domain in chapter five. (The definition of a virus is that of a
trojan and the definition for a worm seems to fit payload.) That the
author is unfamiliar with basic concepts of cryptography is obvious
when, in chapter six, "strong encryption" is defined as the use of a
128-bit key. (In the discussion of triple DES (Data Encryption
Standard), the "meet-in-the-middle" attack is obviously confused with
"man-in-the-middle.") Chapter seven's review of security
architectures contains another arbitrary list of computer architecture
topics. There is some material that is security related, but in the
discussion of the Bell-La Padula model, about the only reliable
information is that it involves security levels. Operations security
is fairly straightforward, so chapter eight doesn't make any glaring
errors. (The content is, however, very terse.) Much the same holds
true for business continuity and disaster recovery in chapter nine.
Aside from an over-emphasis on US legislation, chapter ten does not do
a really bad job with law, investigation, and ethics. Chapter eleven
collates some checklists related to physical security, but has
numerous gaps in the discussion of the overall topic.

About the best that can be said for this book is that most of the
items in the common body of knowledge get a mention at some point.
Beyond that, the material is too scattered and unreliable to be used
either to study for the CISSP exam (unless you want to play "spot the
error"), or even as a quick guide for those charged with security.
copyright Robert M. Slade, 2002 BKCISPEC.RVW 20020321
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade