REVIEW: "Security+ Study Guide and DVD Training System", Michael Cross et al

  • Posted by Rob, grandpa of Ryan, Trevor, Devon & Ha, Feb 18, 2003
      BKSCRTYP.RVW 20030206

      "Security+ Study Guide and DVD Training System", Michael Cross et al,
      2002, 1-931836-72-8, U$59.95/C$92.95
      %A Michael Cross
      %A Norris L. Johnson
      %A Tony Piltzecker
      %C 800 Hingham Street, Rockland, MA 02370
      %D 2002
      %G 1-931836-72-8
      %I Syngress Media, Inc.
      %O U$59.95/C$92.95 781-681-5151 fax: 781-681-3585 amy@...
      %O http://www.amazon.com/exec/obidos/ASIN/1931836728/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/1931836728/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/1931836728/robsladesin03-20
      %P 823 p. + DVD
      %T "Security+ Study Guide and DVD Training System"

      The book admits that the Security+ certification from CompTIA
      (Computing Technology Industry Association) is, in comparison to the
      CISSP (Certified Information Systems Security Professional), an
      entry-level designation. At the same time, Security+ has obviously been
      influenced by the CISSP. There are five "domains": general security
      concepts, communications, infrastructure, cryptography, and
      organizational security. (The book extends this a ways: in the same
      way that the CISSP has a triad (CIA, confidentiality, integrity, and
      availability) the general concepts domain has a triad: access control,
      authentication, and auditing.) Those who have experience in security
      can, I trust, already see some of the potential gaps in coverage.

      At the same time, I do not hold the Security+ designation, and
      therefore find it difficult to determine whether faults lie with the
      certification itself, or this book in particular.

      Domain one, as noted, deals with general concepts. Chapter one
      essentially discusses a variety of elements of access control, but
      does not do a good job on the concepts. There is, for example, little
      mention of either identification or authorization as separate ideas,
      and those mentions are confusing at best. The level of coverage
      varies greatly: I admire the elegance of Kerberos but it is hard to
      see that it rates more than three pages of explanation (while still
      managing not to explain that it uses symmetric encryption without ever
      sending keys in the clear over the net) when biometrics is dismissed
      in a single paragraph. Security+ is supposed to be vendor-neutral,
      but the book makes extensive reference (including pages of screen
      shots) to Microsoft products. The sample questions are intriguing.
      Despite attempts to make the questions seem to be complex (usually by
      burying the central point in a mass of verbiage), the answers really
      only turn on knowing the definitions of terms. However, the text of
      the book is not always clear in regard to definitions, and frequently
      uses either non-standard terms, or expressions used in non-standard
      ways. Authentication is often used in a context where authorization
      would be more appropriate, and auditing seems to be confused with
      accountability. A conglomeration of attacks is listed in chapter
      two, without much in the way of a framework in which to analyze or
      understand them.

      Domain two concerns communications. Chapter three enumerates a number
      of technologies related to remote access and email, again without much
      in the way of structure. The material on wireless networking and
      security demonstrates a profound lack of understanding of the
      cryptographic concepts necessary for discussing the weaknesses in WEP
      (Wired Equivalent Privacy). Pages of narrative mention relevant
      papers and the dates on which they were published, but the fundamental
      issues are buried in spurious and erroneous text. RC4 is faulted for
      being a known algorithm (Kerckhoffs' Law, a foundational tenet in
      cryptography, states that the security of an algorithm cannot rely on
      it remaining unknown), DES is said to be superior to stream ciphers
      because it uses mathematical functions rather than XOR (the logical
      exclusive OR operation). (DES uses substitution and transposition
      rather than math functions, and has stream modes which use XOR.) Some
      of the confusion is more basic: one paragraph makes a big deal of the
      fact that a 104-bit key has 26 hexadecimal digits (since hexadecimal
      representation translates four bits per digit, that is simple
      arithmetic) and explains hexadecimal representation (sixteen possible
      digits, usually written 0 - F) as "0 through 9, a through f, or A
      through F." There is a compilation of web exploits in chapter five,
      which is, if possible, even more Microsoft-centric than prior
      material.

      Domain three deals with infrastructure. Chapter six lists security
      considerations with devices (a variety of hardware, mostly network
      components) and media (mostly network cabling). Network topologies
      and intrusion detection are discussed in chapter seven. Most of the
      advice about system hardening, in chapter eight, concerns the
      application of patches.

      Cryptography is reviewed in domain four. Chapter nine, entitled
      "Basics of Cryptography," lists the names of the most common
      algorithms, and a few broad concepts, but doesn't get into inner
      workings. The ingredients of a public key infrastructure are outlined
      in chapter ten.

      Domain five covers "operational and organization security." Incident
      response, in chapter eleven, contains a poor overview of physical
      security, a not quite as bad look at data recovery for investigations,
      and, oddly, some material on risk analysis. Chapter twelve,
      ostensibly about policies and disaster recovery, contains a grab bag
      of management topics.

      There is an appendix giving slightly more detailed answers to the
      sample questions: these don't clear up much of the confusion
      surrounding some questions. There is also a DVD with training video
      material. The video material appears to be an amateurishly shot
      "talking head" outline (very terse overview) of the material in the
      chapters.

      Probably most of those who would want to buy this book are solely
      concerned with whether or not it will help them pass the Security+
      exam, and, as noted previously, I can't speak to that. A review of
      the CompTIA Security+ objectives does show where some of the
      randomness in structure comes from, although the authors did not have
      to blindly follow the list in organizing the book. It is also true
      that the objectives don't give a lot of direction in terms of how much
      candidates need to know about particular topics. On the other hand,
      the list would not have prevented the authors from adding material
      that would have provided better explanations of the major points. I
      will say that, if this book can help you pass the exam, the value of
      the Security+ designation has to be questioned. A great deal of book
      space is devoted to screenshots and operating descriptions of programs
      and utilities which may already be irrelevant and which, in any case,
      do little to explain broader security concepts. In terms of the
      quality of information, this work ranks with the great mass of
      attempted (and, basically, failed) general low-level security guides.

      copyright, Robert M. Slade, 2003 BKSCRTYP.RVW 20030206

      --
      ======================
      rslade@... rslade@... slade@... p1@...
      Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
      Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
      March 31, 2003 Indianapolis, IN
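The reviewer's objection above is that a block cipher such as DES has stream modes that, like RC4, reduce to XOR of the plaintext with a keystream, so "math functions rather than XOR" is not a meaningful distinction. The following example is added here and is not from the review or the book: it builds output feedback (OFB) mode over a hypothetical 8-byte block function (a keyed hash standing in for DES, not DES itself) and carries the hex-digit arithmetic from the same paragraph; the key, IV and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK_SIZE = 8  # 64-bit blocks, the DES block size; the block function below is a stand-in, not DES


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Hypothetical block function: a keyed hash truncated to one block.
    Any block cipher would serve; the stream mode, not the primitive, does the XOR."""
    assert len(block) == BLOCK_SIZE
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_SIZE]


def ofb_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Output feedback mode: each keystream block is the block function
    applied to the previous output, so the keystream never depends on the plaintext."""
    out, feedback = bytearray(), iv
    while len(out) < length:
        feedback = toy_block_encrypt(key, feedback)
        out += feedback
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """In a stream mode the only operation that touches the data is XOR with the
    keystream, exactly the shape of RC4. Decryption is the identical call.
    The IV must never repeat under one key, or the same keystream is reused."""
    return xor_bytes(data, ofb_keystream(key, iv, len(data)))


def hex_digits_for_key_bits(bits: int) -> int:
    """Each hex digit encodes four bits, so a 104-bit key is 26 hex digits."""
    if bits % 4:
        raise ValueError("key length is not a whole number of hex digits")
    return bits // 4


def demo() -> tuple:
    key = b"constructed-key"          # constructed sample key
    iv = b"\x00" * BLOCK_SIZE         # constructed sample IV
    msg = b"DES in OFB mode is a stream cipher too"
    ct = ofb_encrypt(key, iv, msg)
    # round trip works, ciphertext differs from plaintext, length is preserved
    return ofb_encrypt(key, iv, ct) == msg, ct != msg, len(ct) == len(msg)
```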