REVIEW: "Eleventh Hour CISSP Study Guide", Eric Conrad
- BK11HCSG.RVW 20120210
"Eleventh Hour CISSP Study Guide", Eric Conrad, 2011,
%A Eric Conrad
%C 800 Hingham Street, Rockland, MA 02370
%G 978-1-59749-566-0 1-59749-566-2
%I Syngress Media, Inc.
%O U$24.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 196 p.
%T "Eleventh Hour CISSP Study Guide"
"Eleventh Hour" would seem to imply that this is a last minute option.
I would not rely on this book as a last ditch option if you haven't
studied. It's a reviewer's dream (or nightmare): an embarrassment of
riches in terms of errors. But I should keep this review to a
reasonable size, so I'll only mention a few illustrative goofs.
Chapter one addresses security management. The coverage of risk
management is superficial, facile, and disjointed. The author adds
extra factors into the CBK (Common Body of Knowledge). He stresses
"return on investment" without addressing the controversy over whether
"return on security investment" actually exists. There are some
references based on the NIST (US National Institute of Standards and
Technology) which are good, but insufficient. Each chapter ends with
a list of the "Top Five Toughest Questions" for that domain. Usually
one (20%) is flatly wrong, and the rest address trivia, missing the
concepts and ramifications which are the real objectives of the CISSP.
Chapter two looks at access control. No, integrity concerns are not
limited to authorization issues. "Counter-based synchronous dynamic
token" makes no sense: both counter and dynamic obviate the need for
synchronization. No, most keyboard dynamics systems would not measure
pressure. In regard to cryptography, in chapter three, yes, CBC
(Cipher Block Chaining) would propagate errors, which is why it is
only used with self-correcting algorithms (which DES - Data Encryption
Standard - is). And, yes, using ECB (Electronic Code Book), identical
data blocks produce identical cipher blocks, but similar data blocks
produce vastly dissimilar cipher blocks. (That is part of the measure
of a good cipher algorithm.) Chapter four deals with physical
security. If you can still find a soda/acid extinguisher don't try to
use it on burning liquids: it doesn't produce much foam, mostly a
simple stream of water. And merely because a CRT (Cathode Ray Tube)
is analogue does not mean it is incompatible with digital devices such
as CCD (Charge Coupled Device) cameras: until I got my first laptop,
all the monitors for my (digital) computers were CRTs. Respecting
architecture (chapter five), "open systems" refers to the use of
standard protocols, not parts. TOC/TOU (Time Of Check vs Time Of Use)
is not a race condition, and does not require a change of state.
Polyinstantiation is not related to entity integrity. Chapter six
reviews Business Continuity Planning: RPO (Recovery Point Objective)
is the minimal level of operation the business needs to function, not
the time taken to get there, and a hot site is not a mirror.
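The ECB and CBC behaviour discussed under chapter three, shown in an added example that is not from the book or from the review. The block cipher is a toy 64-bit, eight-round Feistel network built on SHA-256, an assumption standing in for DES (which the Python standard library does not provide); it is not secure and exists only so the modes can be run offline. The key, IV and plaintext are constructed for the demonstration. It shows that under ECB identical plaintext blocks encrypt to identical ciphertext blocks while a one-bit plaintext change yields an unrelated block, and that under CBC a single ciphertext bit error garbles the affected block, flips the same bit in the next block, and then decryption resynchronises; that limited propagation is a property of the mode, not of the cipher beneath it.

```python
"""ECB vs CBC behaviour on a toy 64-bit Feistel cipher (stdlib only).

The cipher is NOT DES and is not safe for real use; it is an assumed
stand-in so the mode properties can be demonstrated offline.
"""
import hashlib

BLOCK = 8            # 64-bit blocks, the block size DES uses
ROUNDS = 8
KEY = hashlib.sha256(b"constructed example key").digest()[:16]   # assumed key
IV = bytes(range(BLOCK))                                          # assumed IV


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Toy round function: 32 bits of SHA-256(key || round number || half).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_f(key, right, i))
    return right + left      # final swap: decryption is the same ladder in reverse


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    right, left = block[:4], block[4:]      # undo the final swap
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_f(key, left, i)), left
    return left + right


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks (no padding here)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Each block is encrypted independently: same input block, same output block.
    return b"".join(toy_encrypt_block(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(data):
        prev = toy_encrypt_block(key, _xor(b, prev))      # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(toy_decrypt_block(key, c), prev))   # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def flip_bit(data: bytes, bit: int) -> bytes:
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def ecb_demo(key: bytes = KEY) -> dict:
    """ECB: identical plaintext blocks give identical ciphertext blocks, while a
    one-bit plaintext difference gives a completely different ciphertext block."""
    p0 = b"ATTACK01"                 # constructed sample block
    p1 = flip_bit(p0, 0)             # the same block with one bit changed
    ct = _blocks(ecb_encrypt(key, p0 + p1 + p0))
    return {
        "identical_blocks_match": ct[0] == ct[2],
        "bits_changed_by_one_bit_flip": hamming(ct[0], ct[1]),
    }


def cbc_error_demo(key: bytes = KEY, iv: bytes = IV, corrupt_block: int = 2) -> list:
    """CBC: one ciphertext bit error garbles the affected block, flips the same
    bit in the next block, and then decryption resynchronises.
    Returns the number of wrong plaintext bits in each block."""
    pt = b"".join(b"BLOCK%03d" % i for i in range(6))    # constructed sample plaintext
    ct = cbc_encrypt(key, iv, pt)
    damaged = flip_bit(ct, corrupt_block * BLOCK * 8 + 5)
    recovered = cbc_decrypt(key, iv, damaged)
    return [hamming(p, r) for p, r in zip(_blocks(pt), _blocks(recovered))]


if __name__ == "__main__":
    print("ECB:", ecb_demo())
    print("CBC wrong bits per block after one ciphertext bit error:", cbc_error_demo())
```

Running it prints an ECB result where block 0 and block 2 match and block 1 differs in roughly half its bits, and a CBC list of the form [0, 0, many, 1, 0, 0]: the corrupted block is garbled, the following block has exactly the one flipped bit wrong, and every later block decrypts cleanly.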
Studying telecommunications? It is the domain with the largest mass
of information, and chapter seven is pathetically small: there is no
mention of topologies, telephony, routing, and details of the
protocols are scant to the point of being non-existent. The OSI (Open
Systems Interconnection) model is a model, not a network protocol
(although there is, also, an OSI suite of protocols), and can
therefore be used to analyze any protocol suite. Neither ATM
(Asynchronous Transfer Mode) nor Ethernet is restricted to the
physical layer (which, in any case, does not deal with data, but with
Chapter eight takes a stab at applications security. SDL (System Life
Cycle) is not identical to SDLC (System Development Life Cycle) but
contains it. The explanations in this domain are particularly poor,
even by the low standards of this work. Similarly, the material on
operations security, in chapter nine, is more random than in other
chapters, and duplicates more content found elsewhere.
I was surprised to find that chapter ten, on law and investigations,
wasn't all that bad. There are still plenty of errors (no, only one
of the four points given is one of the seven basics of the European
Directives on privacy), but many of the base concepts are there, and
presented reasonably. There is, however, almost nothing on management
of investigations, and incident response isn't even mentioned.
There are at least a dozen other options I've reviewed at
http://victoria.tc.ca/techrev/mnbkscci.htm , and this actually isn't
the worst. But maybe I was a bit too hard at the beginning. You
could use this book for a bit of last minute studying. If you can
find at least one error per page, you are in good shape to write the
copyright, Robert M. Slade 2012 BK11HCSG.RVW 20120210