"Security+ Prep Guide", Ronald L. Krutz/Russell Dean Vines, 2003,
%A Ronald L. Krutz
%A Russell Dean Vines
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%I John Wiley & Sons, Inc.
%O U$60.00/C$90.99/UK#39.95 416-236-4433 fax: 416-236-4448
%P 456 p. + CD-ROM
%T "Security+ Prep Guide"
The introduction is a quick outline of the Security+ domains and exam
structure. Chapter one, covering the general security concepts, has
parts that are better than the other Security+ guides, possibly due to
Krutz' and Vines' familiarity with the CISSP (Certified Information
Systems Security Professional) material. However, there are also
oddities such as a purported "Discretionary Security Property" of the
Bell-LaPadula model (might this be an idiosyncratic renaming of the
later tranquility property?) and an alleged "Axiom Three" of the Biba
model. In terms of the Clark-Wilson model, most of the space is
devoted to defining unneeded terms, and the three vital concepts are
dismissed in a single sentence. Kerberos is described well, but
perhaps with an excess of symbolic logic. The list of attacks mixes
types, and the virus explanation uses dated concepts. The sample
question given at the end of the chapter (and domain) are less
simplistic than other sets, but, ironically, may go too far in the
other direction. Experienced security professionals will be able to
understand the intent behind the answers (when looking at the answers
and explanations in Appendix A), but the careless wording will make
the questions unclear and confusing to novices (which, more or less by
definition, Security+ candidates are).
Chapter two deals with the communications security domain. Again,
there are some problems, such as a confusion of authentication
protocols with those of VPNs (Virtual Private Networks) and an odd
emphasis on a possible exploit based on the DOS "8.3" naming
convention. The material is piecemeal and without a logical structure
(the Perl programming language is discussed next to SMTP [Simple Mail
languages (although they are later distinguished). The pages of
screen shots for AirMagnet and NetStumbler don't seem to have any
purpose or value. The infrastructure material, in chapter three,
covers more telecommunications. (DSSS [Direct Sequence Spread
Spectrum] is not explained well.) Strangely, the sample questions ask
about RAID (Redundant Array of Inexpensive/Independent Disks), which
is not covered until domain five. Chapter four covers cryptography
basics reasonably, but the depth is uneven. Operational and
organizational security is a bit of a grab bag of a domain, and that
is amply reflected in the otherwise decent material in chapter five.
Despite the problems, overall I would have to recommend Krutz' and
Vines' entry into the Security+ field over Trevor Kay's "Mike Meyers'
Security+ Certification Passport" (cf. BKMMSCRP.RVW), the "Security+
Study Guide and DVD Training System" (cf. BKSCRTYP.RVW), or "Security+
Certification for Dummies" (cf. BKSCRTPD.RVW).
copyright Robert M. Slade, 2003 BKSCRTPG.RVW 20030320
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... rslade@... slade@... p1@...
A fanatic is one who can't change his mind and won't change the
subject. - Winston Churchill