
REVIEW: "CISSP All-in-One Certification Exam Guide, 3rd Ed.", Shon Harris

From: Rob, grandpa of Ryan, Trevor, Devon & Ha
Date: Aug 31, 2006
BKCISPA1.RVW 20060808

"CISSP All-in-One Certification Exam Guide, 3rd Ed.", Shon Harris,
2005, 0-07-225712-1, U$79.99/C$106.95/UK#45.99
%A Shon Harris shonharris@...
%C 300 Water Street, Whitby, Ontario L1N 9B6
%D 2005
%G 0-07-225712-1
%I McGraw-Hill Ryerson/Osborne
%O U$79.99/C$106.95/UK#45.99 +1-800-565-5758 fax: 905-430-5020
%O http://www.amazon.com/exec/obidos/ASIN/0072257121/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0072257121/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0072257121/robsladesin03-20
%O Audience i Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 1001 p. + CD-ROM
%T "CISSP All-in-One Certification Exam Guide, 3rd Ed."

The first edition of the "CISSP All-in-One Certification Exam Guide"
was, at the time it came out, the best single-volume resource. With
the exception of the "Official (ISC)2 Guide to the CISSP Exam" (cf.
BKOIGTCE.RVW) it had remained, standing above the many contenders by
Krutz and Vines (cf. BKADCIPG.RVW, BKCIPGGE.RVW, BKCISPPG.RVW), Bragg
(cf. BKCISPTG.RVW), Gregg (cf. BKCISPE2.RVW), Gregory (cf.
BKCISPDM.RVW), Tittel (cf. BKCISPSG.RVW), and sundry others
(http://victoria.tc.ca/techrev/mnbkscci.htm).

Chapter one, of the new edition, is a very reasonable review of the
CISSP (Certified Information Systems Security Professional)
credential, and the (ISC)^2 (International Information Systems
Security Certification Consortium) exam process, including
recertification or maintenance with continuing professional education.
As with most of the chapters in the book, it has a set of sample
questions. The quiz covers a decent range of topics but not with a
representative extent of difficulty. There are resources listed in
this and other chapters, mostly Web sites: in this chapter the sites
chosen are relatively stable ones. It is difficult to see the point
of chapter two--an opinion-piece level overview of random security
related topics.

Chapter three begins the first of the ten domains of the Common Body
of Knowledge (CBK) with security management practices. It is obvious
that the material has been structured and based on the (ISC)^2 CBK
review course, even to the use of specific tables and diagrams, but
the content is, at least, enhanced and extended by summary discussion.
(Some of the diagrams are not from the (ISC)^2 seminar, such as one
that seems to imply that administrative controls are a special case of
technical controls which are a special case of physical controls.)
The narrative has been substantially improved, in terms of readability
and flow, from the first edition, and the "direct lifts" of text from
other essays are no longer apparent. (Some problems with conflation
of the content from various sources still exist, such as the two
contradictory definitions of the Delphi method.) Unlike the first
chapter, the answers to sample questions here, and in following
chapters, have some discussion. (Interestingly, the questions still
show evidence of being obtained from commonly available sample sets.)
The "humorous" comments that have been added do not add life to the
text: as with many such attempts, they only serve to distract from the
discussion at hand.

Access control is explained clearly (and sometimes amusingly) in
chapter four, although biometric concepts are not presented too well,
and Kerberos gets a lot of storytelling with little content of fact.
(Role-based access control is also equated with the archaic term
"non-discretionary," and the history and implications of that are not
resolved properly.) In general, the coverage of security architecture
and models in chapter five is quite useful, and the chapter is well
structured. However, some of the statements about the formal models
are misleading, and the descriptions often make these models seem more
difficult than they really are. In addition, there is too much
emphasis on the old "Orange Book" TCSEC (Trusted Computer System
Evaluation Criteria) and not enough on the newer Common Criteria.
Chapter six has many of the blind spots about physical security common
to most computer security types. The telecommunications and
networking material, in chapter seven, presents the underlying
concepts well, but for some reason fails to address many of the
security technologies. The content is presented rather randomly, and
there is an odd inclusion of sections on rootkits and spyware. The
explanations of cryptography, in chapter eight, are problematic. The
content is not necessarily wrong in all cases, but the author
obviously is not familiar with this area, and the text in such areas
as DES (Data Encryption Standard) modes and one-way encryption doesn't
make sense, although it does not necessarily misinform the reader. On
the other hand, explanations such as the birthday paradox are
completely wrong: Harris proposes a one-to-many comparison, which
obviates the force behind the birthday attack. Chapter nine, dealing
with business continuity and disaster recovery, is reasonable, with
more detail than it used to have, but is still weak. Law,
Investigation, and Ethics, in chapter ten, is rather weak and slightly
disorganized. Chapter eleven, applications development, contains the
basic information but does not always make the connections to
security. The early sections are well structured, but later content
is pretty haphazard. The section on malware is extremely weak, and
there seems to have been a swap of material with chapter seven: some
network attacks are detailed here. Operations security gets a review
in chapter twelve, with a little more network padding.

The material is much more reliable and better structured than the SRV
Press books (cf. BKCISPET.RVW), and more complete than the Andress
work (cf. BKCISPEC.RVW). Like the Krutz and Vines volumes it is quite
obvious that the content and organization are copied from the old CBK
course (sometimes slavishly), although Harris does put more
explanatory and narrative substance into the text. (Interestingly,
there are some indications that this is based on an even older version
of the course than Krutz and Vines used, although I note more recent
additions have been included in this version.) Even considering the
noted weak areas in this book, it should provide a reasonable basis as
a study guide for the CISSP exam, although those who use only this
work should not expect to get a particularly high mark.

copyright Robert M. Slade, 2002-6 BKCISPA1.RVW 20060808


====================== (quote inserted randomly by Pegasus Mailer)
rslade@... slade@... rslade@...
It is a miracle that curiosity survives formal education
- Albert Einstein
Dictionary of Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
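The review's objection to the book's treatment of the birthday paradox (a "one-to-many comparison" instead of a many-to-many one) is easy to make concrete. The following Python is an added example for this archive page; it is not from the book under review nor from the reviewer. It computes, for a hash space of N values, the probability that n random values hit one fixed target (the one-to-many search) versus the probability that any two of the n values collide with each other (the birthday effect), and checks both against a seeded simulation on a truncated SHA-256. The truncation lengths, sample counts and seed are constructed for the demonstration.

```python
import hashlib
import math
import random


def p_one_to_many(n: int, space: int) -> float:
    """Probability that at least one of n uniformly random values equals ONE
    fixed target value out of `space` possibilities.  Grows about linearly
    in n / space, so halving the effective hash length does not happen here."""
    return 1.0 - (1.0 - 1.0 / space) ** n


def p_birthday(n: int, space: int) -> float:
    """Probability that SOME pair among n uniformly random values collides
    (the birthday paradox).  Exact product form; grows about like
    n^2 / (2 * space), which is why it matters for hash collisions."""
    p_no_collision = 1.0
    for i in range(n):
        p_no_collision *= 1.0 - i / space
    return 1.0 - p_no_collision


def samples_for_half(space: int) -> tuple[int, int]:
    """Number of random values needed to reach a 50% chance of success under
    each model.  Returns (one_to_many, birthday).  The first is about
    space * ln 2; the second is about sqrt(2 * space * ln 2)."""
    one_to_many = math.ceil(math.log(0.5) / math.log(1.0 - 1.0 / space))
    n, p_no_collision = 0, 1.0
    while p_no_collision > 0.5:
        p_no_collision *= 1.0 - n / space
        n += 1
    return one_to_many, n


def simulate(space_bits: int, n: int, trials: int, seed: int = 1) -> tuple[float, float]:
    """Empirical check of both probabilities using SHA-256 truncated to
    `space_bits` bits (constructed toy hash).  Returns the observed rates
    (one_to_many_rate, birthday_rate) over `trials` independent runs."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mask = (1 << space_bits) - 1

    def h(x: int) -> int:
        digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
        return int.from_bytes(digest[:4], "big") & mask

    target_hits = pair_hits = 0
    for _ in range(trials):
        target = h(rng.getrandbits(63))
        seen: set[int] = set()
        target_hit = pair_hit = False
        for _ in range(n):
            d = h(rng.getrandbits(63))
            if d == target:        # one-to-many: matched the fixed target
                target_hit = True
            if d in seen:          # many-to-many: matched an earlier sample
                pair_hit = True
            seen.add(d)
        target_hits += target_hit
        pair_hits += pair_hit
    return target_hits / trials, pair_hits / trials


if __name__ == "__main__":
    # The classic calendar case: 23 people, 365 days.
    print(f"23 of 365, one fixed target: {p_one_to_many(23, 365):.4f}")
    print(f"23 of 365, any pair:         {p_birthday(23, 365):.4f}")
    # A 16-bit truncated digest: how many samples until a 50% chance?
    print("16-bit space, samples for 50%% (target, pair):", samples_for_half(1 << 16))
    print("16-bit space, observed rates (target, pair): ", simulate(16, 300, 200))
```

The two curves are the whole point of the reviewer's complaint: with a fixed target the attacker's cost scales with the size of the hash space, but when any pair of outputs may collide it scales with its square root, which is what makes the birthday bound the relevant figure when sizing a hash for collision resistance.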