REVIEW: "Eleventh Hour CISSP Study Guide", Eric Conrad

    Message 1 of 1 , Jul 19 5:19 PM
      BK11HCSG.RVW 20120210

      "Eleventh Hour CISSP Study Guide", Eric Conrad, 2011,
      978-1-59749-566-0, U$24.95
      %A Eric Conrad
      %C 800 Hingham Street, Rockland, MA 02370
      %D 2011
      %G 978-1-59749-566-0 1-59749-566-2
      %I Syngress Media, Inc.
      %O U$24.95 781-681-5151 fax: 781-681-3585 www.syngress.com
      %O http://www.amazon.com/exec/obidos/ASIN/1597495662/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/1597495662/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/1597495662/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 196 p.
      %T "Eleventh Hour CISSP Study Guide"

      "Eleventh Hour" would seem to imply that this is a last-minute option.
      I would not rely on this book as a last-ditch option if you haven't
      studied. It's a reviewer's dream (or nightmare): an embarrassment of
      riches in terms of errors. But I should keep this review to a
      reasonable size, so I'll only mention a few illustrative goofs.

      Chapter one addresses security management. The coverage of risk
      management is superficial, facile, and disjointed. The author adds
      extra factors into the CBK (Common Body of Knowledge). He stresses
      "return on investment" without addressing the controversy over whether
      "return on security investment" actually exists. There are some
      references based on the NIST (US National Institute of Standards and
      Technology) which are good, but insufficient. Each chapter ends with
      a list of the "Top Five Toughest Questions" for that domain. Usually
      one (20%) is flatly wrong, and the rest address trivia, missing the
      concepts and ramifications which are the real objectives of the CISSP
      examination.

      Chapter two looks at access control. No, integrity concerns are not
      limited to authorization issues. "Counter-based synchronous dynamic
      token" makes no sense: both counter and dynamic obviate the need for
      synchronization. No, most keyboard dynamics systems would not measure
      pressure. In regard to cryptography, in chapter three, yes, CBC
      (Cipher Block Chaining) would propagate errors, which is why it is
      only used with self-correcting algorithms (which DES - Data Encryption
      Standard - is). And, yes, using ECB (Electronic Code Book) identical
      data blocks produce identical cipher blocks, but similar data blocks
      produce vastly dissimilar cipher blocks. (That is part of the measure
      of a good cipher algorithm.) Chapter four deals with physical
      security. If you can still find a soda/acid extinguisher, don't try to
      use it on burning liquids: it doesn't produce much foam, mostly a
      simple stream of water. And merely because a CRT (Cathode Ray Tube)
      is analogue does not mean it is incompatible with digital devices such
      as CCD (Charge Coupled Device) cameras: until I got my first laptop,
      all the monitors for my (digital) computers were CRTs. Respecting
      architecture (chapter five), "open systems" refers to the use of
      standard protocols, not parts. TOC/TOU (Time Of Check vs Time Of Use)
      is not a race condition, and does not require a change of state.
      Polyinstantiation is not related to entity integrity. Chapter six
      reviews Business Continuity Planning: RPO (Recovery Point Objective)
      is the minimal level of operation the business needs to function, not
      the time taken to get there, and a hot site is not a mirror.

      Studying telecommunications? It is the domain with the largest mass
      of information, and chapter seven is pathetically small: there is no
      mention of topologies, telephony, routing, and details of the
      protocols are scant to the point of being non-existent. The OSI (Open
      Systems Interconnection) model is a model, not a network protocol
      (although there is, also, an OSI suite of protocols), and can
      therefore be used to analyze any protocol suite. Neither ATM
      (Asynchronous Transfer Mode) nor Ethernet is restricted to the
      physical (which, in any case, does not deal with data, but with
      signals).

      Chapter eight takes a stab at applications security. SDL (System Life
      Cycle) is not identical to SDLC (System Development Life Cycle) but
      contains it. The explanations in this domain are particularly poor,
      even by the low standards of this work. Similarly, the material on
      operations security, in chapter nine, is more random than in other
      chapters, and duplicates more content found elsewhere.

      I was surprised to find that chapter ten, on law and investigations,
      wasn't all that bad. There are still plenty of errors (no, only one
      of the four points given is one of the seven basics of the European
      Directives on privacy), but many of the base concepts are there, and
      presented reasonably. There is, however, almost nothing on management
      of investigations, and incident response isn't even mentioned.

      There are at least a dozen other options I've reviewed at
      http://victoria.tc.ca/techrev/mnbkscci.htm , and this actually isn't
      the worst. But maybe I was a bit too hard at the beginning. You
      could use this book for a bit of last-minute studying. If you can
      find at least one error per page, you are in good shape to write the
      exam.

      copyright, Robert M. Slade 2012 BK11HCSG.RVW 20120210


      victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
      http://blogs.securiteam.com/index.php/archives/author/p1/
      http://twitter.com/rslade
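The ECB and CBC behaviour the review argues over in its chapter three remarks (identical plaintext blocks giving identical ciphertext blocks under ECB, one-bit-different blocks giving very different ciphertext, and the way a ciphertext error propagates under CBC) can be watched directly. The script below is an added example; it is not code from Slade's review or from Conrad's book. The block cipher is a toy 16-byte, 8-round Feistel network with a SHA-256 round function, standing in for DES so the script runs with only the Python standard library; the key, IV and plaintexts are constructed for the demonstration. The mode properties shown belong to ECB and CBC themselves, not to the toy cipher.

```python
"""ECB pattern leakage and CBC error propagation, demonstrated on a toy cipher.

The cipher is a Luby-Rackoff style Feistel network (SHA-256 round function,
8 rounds, 16-byte blocks). It is an assumed stand-in for DES/AES, chosen so the
example needs no third-party crypto library. Key, IV and plaintexts below are
constructed for the demonstration.
"""
import hashlib

BLOCK = 16
ROUNDS = 8
KEY = b"demo-key-for-toy-feistel-network"   # constructed, not a real secret
IV = bytes(range(16))                        # constructed IV


def _round_keys(key):
    """Derive one round key per round from the master key (assumed schedule)."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]


def _feistel(block, keys):
    """Run the Feistel network; decryption is the same network with reversed keys."""
    left, right = block[:8], block[8:]
    for k in keys:
        f = hashlib.sha256(k + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left          # final swap makes the network its own inverse


def block_encrypt(key, block):
    return _feistel(block, _round_keys(key))


def block_decrypt(key, block):
    return _feistel(block, _round_keys(key)[::-1])


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks (no padding here)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))


def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, c) for c in _blocks(ct))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in _blocks(pt):
        prev = block_encrypt(key, xor(b, prev))   # chain: P_i XOR C_(i-1)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def ecb_repeats_leak(key):
    """ECB: the same plaintext block twice yields the same ciphertext block twice."""
    pt = b"ATTACK AT DAWN!!" * 2
    c0, c1 = _blocks(ecb_encrypt(key, pt))
    return c0 == c1


def one_bit_avalanche(key):
    """Plaintext blocks differing in one bit: how many ciphertext bits differ?"""
    p1 = b"ATTACK AT DAWN!!"
    p2 = bytes([p1[0] ^ 0x01]) + p1[1:]
    return hamming(block_encrypt(key, p1), block_encrypt(key, p2))


def cbc_error_propagation(key, iv):
    """Flip one ciphertext bit in block 1; return bits wrong in each decrypted block."""
    pt = b"block zero......block one.......block two.......block three....."
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[BLOCK + 3] ^= 0x10                         # one-bit error inside block 1
    got = _blocks(cbc_decrypt(key, iv, bytes(ct)))
    return [hamming(g, w) for g, w in zip(got, _blocks(pt))]


if __name__ == "__main__":
    print("ECB repeated block leaks:", ecb_repeats_leak(KEY))
    print("bits changed by a 1-bit plaintext change:", one_bit_avalanche(KEY), "of 128")
    print("CBC: wrong bits per block after 1 flipped ciphertext bit:",
          cbc_error_propagation(KEY, IV))
```

The last line of output is the point about CBC: the block containing the flipped bit decrypts to garbage (roughly half its bits wrong), the next block has exactly that one bit flipped, and every block after that decrypts correctly, so the damage is confined to two blocks and decryption resynchronises on its own. The first two lines show why ECB leaks structure even though the underlying cipher has good avalanche: equal inputs give equal outputs, while a one-bit change flips about half the output bits.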