"Security+ Prep Guide", Ronald L. Krutz/Russell Dean Vines

      The introduction is a quick outline of the Security+ domains and exam
      structure. Chapter one, covering the general security concepts, has
      parts that are better than the other Security+ guides, possibly due to
      Krutz' and Vines' familiarity with the CISSP (Certified Information
      Systems Security Professional) material. However, there are also
      oddities such as a purported "Discretionary Security Property" of the
      Bell-LaPadula model (might this be an idiosyncratic renaming of the
      later tranquility property?) and an alleged "Axiom Three" of the Biba
      model. In terms of the Clark-Wilson model, most of the space is
      devoted to defining unneeded terms, and the three vital concepts are
      dismissed in a single sentence. Kerberos is described well, but
      perhaps with an excess of symbolic logic. The list of attacks mixes
      types, and the virus explanation uses dated concepts. The sample
      questions given at the end of the chapter (and domain) are less
      simplistic than other sets, but, ironically, may go too far in the
      other direction. Experienced security professionals will be able to
      understand the intent behind the answers (when looking at the answers
      and explanations in Appendix A), but the careless wording will make
      the questions unclear and confusing to novices (which, more or less by
      definition, Security+ candidates are).

      Chapter two deals with the communications security domain. Again,
      there are some problems, such as a confusion of authentication
      protocols with those of VPNs (Virtual Private Networks) and an odd
      emphasis on a possible exploit based on the DOS "8.3" naming
      convention. The material is piecemeal and without a logical structure
      (the Perl programming language is discussed next to SMTP [Simple Mail
      Transfer Protocol]). There is a confusion of the Java and JavaScript
      languages (although they are later distinguished). The pages of
      screen shots for AirMagnet and NetStumbler don't seem to have any
      purpose or value. The infrastructure material, in chapter three,
      covers more telecommunications. (DSSS [Direct Sequence Spread
      Spectrum] is not explained well.) Strangely, the sample questions ask
      about RAID (Redundant Array of Inexpensive/Independent Disks), which
      is not covered until domain five. Chapter four covers cryptography
      basics reasonably, but the depth is uneven. Operational and
      organizational security is a bit of a grab bag of a domain, and that
      is amply reflected in the otherwise decent material in chapter five.

      Despite the problems, overall I would have to recommend Krutz' and
      Vines' entry into the Security+ field over Trevor Kay's "Mike Meyers'
      Security+ Certification Passport" (cf. BKMMSCRP.RVW), the "Security+
      Study Guide and DVD Training System" (cf. BKSCRTYP.RVW), or "Security+
      Certification for Dummies" (cf. BKSCRTPD.RVW).

      copyright Robert M. Slade, 2003 BKSCRTPG.RVW 20030320

