
REVIEW: "CISSP: Certified Information Systems Security Professional Study Guide", Tittel et al

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1, Jun 24, 2003
      BKCISPCG.RVW 20030421

      "CISSP: Certified Information Systems Security Professional Study
      Guide", Tittel et al, 2003, 0-7821-4175-7, U$69.99/C$111.95/UK#52.99
      %A Ed Tittel etittel@...
      %A Mike Chapple
      %A James Michael Stewart
      %C 1151 Marina Village Parkway, Alameda, CA 94501
      %D 2003
      %G 0-7821-4175-7
      %I Sybex Computer Books
      %O U$69.99/C$111.95/UK#52.99 800-227-2346 info@...
      %O http://www.amazon.com/exec/obidos/ASIN/0782141757/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/0782141757/robsladesin03-20
      %P 783 p. + CD-ROM
      %T "CISSP: Certified Information Systems Security Professional Study Guide"

      Although the table of contents departs from the usual ten domains of
      the CISSP CBK (Common Body of Knowledge), the introduction points out
      that the nineteen chapters actually represent two chapters for each of
      the ten domains, except for physical security. While begging the
      question of why the domains need to be so divided, the structure
      doesn't quite follow the (ISC)^2 domains: security models, for
      example, are covered in the chapter on access control, rather than the
      chapter on security models. An interesting aspect of this book is an
      "assessment test," given at the beginning of the book. This is a good
      idea to focus the student on both the content and the type of
      questions likely to be on the CISSP exam--or, it would be, if the test
      was representative of the CISSP exam itself. Unfortunately, too many
      of the queries presented are the usual sad mix: strictly fact based
      and too simplistic. A number of others use nonstandard terminology,
      and the answers given in the key are correct only in the sense that
      they are the "least wrong" of the options provided. This quality of
      enquiry holds true for the other quizzes in the book.

      Chapter one deals with a part of access control, but the vital topic
      of controls themselves is only partially covered, neglecting, for
      example, deterrent, directive, and recovery controls. At the same
      time, idiosyncratic terms are added, such as "Type 1," "Type 2," and
      "Type 3" distinctions for different authentication factors. A number
      of topics, such as biometrics, Kerberos, and the Bell-LaPadula
      security model, are not explained in a depth appropriate to the level
      of the exam. Attacks and monitoring, in chapter two, provides too
      much space to the assaults, at the expense of detail in terms of
      intrusion detection (the difference between host and network based
      systems is not properly explained, and the four types are reduced to
      two). A standard overview of TCP/IP, with almost no reference to
      security, is given in chapter three. (The minimal mention of
      firewalls is very brief, confuses firewall types and topologies, and
      completely misses circuit-level proxies.) Chapter four covers a
      number of communications security technologies, but tersely, and
      without any organizational structure. I frequently note that security
      essentially *is* management, so the ludicrously inadequate list of
      random concepts and terminology in chapter five's dismissal of
      security management comes as a shock. Chapter six is better, with a
      review of the aspects of a security policy (though not much help in
      creating one) and a reasonably adequate overview of risk analysis and
      management. Data and application security, in chapter seven, has a
      very ragged structure, and an obvious lack of familiarity with basic
      issues. (Polyinstantiation is an aspect of object-oriented
      programming, rather than a risk of database security.) Malicious code
      gets a fair, but dated, examination, but chapter eight also contains a
      random assortment of other threats, many of which should be dealt with
      elsewhere. Chapter nine lists a number of basic concepts in
      cryptography, as well as major encryption systems, but the
      explanations clearly demonstrate that the authors do not understand
      the fundamental operations. (Modular arithmetic is not restricted to
      decimal representation, and the transposition example used does not
      require a keyword or alphabetical ordering.) As with the other
      "second chapters" in the book, chapter ten collects the random
      cryptography topics that haven't been dealt with. Chapter eleven
      presents a list of computer hardware basics, rather than the computer
      architecture that it should be discussing. Security models are
      mentioned briefly in chapter twelve (sometimes contradicting the
      earlier material), but most of the content is a grab bag of
      certification terms and some vulnerabilities missed in the prior
      compilations. Updating antivirals, performing backups, and protecting
      media passes for operations security in chapter thirteen, while
      auditing and monitoring are covered better in fourteen. Business
      continuity and disaster recovery are given the usual treatment in
      chapters fifteen and sixteen respectively. Law and investigation, in
      chapter seventeen, concentrates too much on specific US statutes, and
      far too little on legal principles and forensic examination. Chapter
      eighteen spends too much time on specific incidents, rather than
      process, and, predictably, allows ethics only two pages. At first
      glance, the material on physical security, in chapter nineteen, seems
      adequate, but closer examination reveals gaps and missing information.

      When physically lined up with the other CISSP guides, this one appears
      to be closest in size to Harris' leading "All-in-One" guide (cf.
      BKCISPA1.RVW). Appearances, and particularly sheer physical bulk, can
      obviously be deceiving. The actual useful content, when stripped of
      the excessive verbiage, is only about the same as the lower ranked
      works, such as Harris' second attempt (cf. BKMMCISP.RVW), Endorf's
      (cf. BKSCDCMP.RVW), or Miller/Gregory (cf. BKCISPDM.RVW). Possibly it
      is equal to the similarly bulky, and unreliable, entry by Bragg (cf.
      BKCISPTG.RVW). Krutz and Vines' "Gold Edition" (cf. BKCIPGGE.RVW),
      comparable in size, has a greater breadth of coverage, although
      possibly less depth.

      Could this book get you through the CISSP exam? Well, that would
      depend upon your background. If you had a lot of experience in
      security, then possibly yes. But then, you wouldn't need the book,
      now would you?

      copyright Robert M. Slade, 2003 BKCISPCG.RVW 20030421

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      Human beings, who are almost unique in having the ability to
      learn from the experience of others, are also remarkable for
      their apparent disinclination to do so. - Douglas Adams
      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade