REVIEW: "CISSP All-in-One Certification Exam Guide, 3rd Ed.", Shon Harris
- BKCISPA1.RVW 20060808
"CISSP All-in-One Certification Exam Guide, 3rd Ed.", Shon Harris,
2005, 0-07-225712-1, U$79.99/C$106.95/UK#45.99
%A Shon Harris shonharris@...
%C 300 Water Street, Whitby, Ontario L1N 9B6
%I McGraw-Hill Ryerson/Osborne
%O U$79.99/C$106.95/UK#45.99 +1-800-565-5758 fax: 905-430-5020
%O Audience i Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 1001 p. + CD-ROM
%T "CISSP All-in-One Certification Exam Guide, 3rd Ed."
The first edition of the "CISSP All-in-One Certification Exam Guide"
was, at the time it came out, the best single-volume resource. With
the exception of the "Official (ISC)2 Guide to the CISSP Exam" (cf.
BKOIGTCE.RVW) it had remained so, standing above the many contenders by
Krutz and Vines (cf. BKADCIPG.RVW, BKCIPGGE.RVW, BKCISPPG.RVW),
(cf. BKCISPTG.RVW), Gregg (cf. BKCISPE2.RVW), Gregory (cf.
BKCISPDM.RVW), Tittel (cf. BKCISPSG.RVW), and sundry others.
Chapter one, of the new edition, is a very reasonable review of the
CISSP (Certified Information Systems Security Professional)
credential, and the (ISC)^2 (International Information Systems
Security Certification Consortium) exam process, including
recertification or maintenance with continuing professional education.
As with most of the chapters in the book, it has a set of sample
questions. The quiz covers a decent range of topics but not with a
representative extent of difficulty. There are resources listed in
this and other chapters, mostly Web sites: in this chapter the sites
chosen are relatively stable ones. It is difficult to see the point
of chapter two--an opinion-piece level overview of random security
Chapter three begins the first of the ten domains of the Common Body
of Knowledge (CBK) with security management practices. It is obvious
that the material has been structured and based on the (ISC)^2 CBK
review course, even to the use of specific tables and diagrams, but
the content is, at least, enhanced and extended by summary discussion.
(Some of the diagrams are not from the (ISC)^2 seminar, such as one
that seems to imply that administrative controls are a special case of
technical controls which are a special case of physical controls.)
The narrative has been substantially improved, in terms of readability
and flow, from the first edition, and the "direct lifts" of text from
other essays are no longer apparent. (Some problems with conflation
of the content from various sources still exist, such as the two
contradictory definitions of the Delphi method.) Unlike the first
chapter, the answers to sample questions here, and in following
chapters, have some discussion. (Interestingly, the questions still
show evidence of being obtained from commonly available sample sets.)
The "humorous" comments that have been added do not add life to the
text: as with many such attempts, they only serve to distract from the
discussion at hand.
Access control is explained clearly (and sometimes amusingly) in
chapter four, although biometric concepts are not presented too well,
and Kerberos gets a lot of storytelling with little content of fact.
(Role-based access control is also equated with the archaic term "non-
discretionary," and the history and implications of that are not
resolved properly.) In general, the coverage of security architecture
and models in chapter five is quite useful, and the chapter is well
structured. However, some of the statements about the formal models
are misleading, and the descriptions often make these models seem more
difficult than they really are. In addition, there is too much
emphasis on the old "Orange Book" TCSEC (Trusted Computer System
Evaluation Criteria) and not enough on the newer Common Criteria.
Chapter six has many of the blind spots about physical security common
to most computer security types. The telecommunications and
networking material, in chapter seven, presents the underlying
concepts well, but for some reason fails to address many of the
security technologies. The content is presented rather randomly, and
there is an odd inclusion of sections on rootkits and spyware. The
explanations of cryptography, in chapter eight, are problematic. The
content is not necessarily wrong in all cases, but the author
obviously is not familiar with this area, and the text in such areas
as DES (Data Encryption Standard) modes and one-way encryption doesn't
make sense, although it does not necessarily misinform the reader. On
the other hand, explanations such as the birthday paradox are
completely wrong: Harris proposes a one-to-many comparison, which
obviates the force behind the birthday attack. Chapter nine, dealing
with business continuity and disaster recovery, is reasonable, with
more detail than it used to have, but is still weak. Law,
Investigation, and Ethics, in chapter ten, is rather weak and slightly
disorganized. Chapter eleven, applications development, contains the
basic information but does not always make the connections to
security. The early sections are well structured, but later content
is pretty haphazard. The section on malware is extremely weak, and
there seems to have been a swap of material with chapter seven: some
network attacks are detailed here. Operations security gets a review
in chapter twelve, with a little more network padding.
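The birthday-attack point raised about chapter eight, as an added illustration that is not part of the review: for an n-bit hash, testing q candidates against one fixed target (one-to-many) and testing q candidates against each other (many-to-many) give very different odds of a match.

$$
P_{\text{one-to-many}} \approx \frac{q}{2^{n}}, \qquad
P_{\text{many-to-many}} \approx \frac{\binom{q}{2}}{2^{n}} \approx \frac{q^{2}}{2^{n+1}}
$$

A one-to-many search therefore needs q on the order of $2^{n}$ trials, while a many-to-many search expects a collision once q is on the order of $2^{n/2}$; that square-root reduction in effort is the force of the birthday attack that a one-to-many description loses.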
The material is much more reliable and better structured than the SRV
Press books (cf. BKCISPET.RVW), and more complete than the Andress
work (cf. BKCISPEC.RVW). Like the Krutz and Vines volumes, it is quite
obvious that the content and organization are copied from the old CBK
course (sometimes slavishly), although Harris does put more
explanatory and narrative substance into the text. (Interestingly,
there are some indications that this is based on an even older version
of the course than Krutz and Vines used, although I note more recent
additions have been included in this version.) Even considering the
noted weak areas in this book, it should provide a reasonable basis as
a study guide for the CISSP exam, although those who use only this
work should not expect to get a particularly high mark.
copyright Robert M. Slade, 2002-6 BKCISPA1.RVW 20060808