[ISN] REVIEW: "CISSP for Dummies", Lawrence Miller/Peter Gregory

From: InfoSec News (isnat_private)
Date: Wed Dec 11 2002 - 00:20:33 PST


    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    BKCISPDM.RVW   20021029
    "CISSP for Dummies", Lawrence Miller/Peter Gregory, 2002,
    0-7645-1670-1, U$39.99/C$59.99/UK#29.95
    %A   Lawrence Miller
    %A   Peter Gregory peter.gregoryat_private
    %C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
    %D   2002
    %G   0-7645-1670-1
    %I   John Wiley & Sons, Inc.
    %O   U$39.99/C$59.99/UK#29.95 416-236-4433 fax: 416-236-4448
    %O  http://www.amazon.com/exec/obidos/ASIN/0764516701/robsladesinterne
    %P   408 p. + CD-ROM
    %T   "CISSP for Dummies"

    A 'cheat sheet' is bound into the front of the book.  It offers some
    general advice for taking the CISSP (Certified Information Systems
    Security Professional) exam, the most useful aspect of which is to
    prepare.  Most of the tips are vague, such as the suggestion to budget
    your time, or review CISSP resources, without any information about
    what factors should be considered in time management or where to find
    resources.  Some tips are overly specific, such as the recommendation
    that you bring a big bottle of water.  (Yes, six hours is a long time
    for the exam, and, yes, you may need refreshment.  The tip does not
    mention that proctors vary in rigour when applying the exam
    regulations, and may not allow bottles of water at the test tables. 
    Besides which, only one person may be excused from the room at any one

    Part one reviews the CISSP exam itself.  At the beginning of chapter
    one, the authors point out that some CISSP study guides are too hard,
    and some CISSP study guides are too soft, but this book is just right. 
    Then it moves on to information about (ISC)^2 (the International
    Information Systems Security Certification Consortium), arrangements
    for the exam, and some study tips.  The material is more up-to-date
    than in other CISSP study guides, but the text is badly written,
    duplicating content and repeating itself, possibly because the
    structure and organization is weak.  The suggestions and information
    are reasonable, although occasionally questionable: the
    recommendations for study guides and practice exams are rather weak. 
    Chapter two briefly lists the ten domains of the common body of
    knowledge (CBK), and is really only an expanded table of contents for
    the chapters in the next section.

    Part two describes the ten domains in detail.  Chapter three covers
    most of access control, but unevenly.  Given the constraints that the
    authors themselves mention (the CISSP CBK is a mile wide and an inch
    deep), too much space is devoted to a simplistic set of password
    choice rules, an excellent (but, in this situation, overlong) review
    of Kerberos, and a number of jokes which are not going to help
    candidates remember important points, and may very well confuse the
    issues.  Some material is problematic, such as the discussion of
    security "domains" that follows the Microsoft networking model rather
    than the Bell-LaPadula derived structure that the CBK requires, and a
    baffling non-explanation of the lattice model.  (There are also a
    number of perplexing inclusions, such as a cross-reference to
    cryptography in the introduction to single sign-on systems.) 
    Telecommunications and network security is presented in chapter four. 
    The authors have used the OSI (Open Systems Interconnection) model to
    structure the discussion of various technologies: an interesting
    concept, but one which is flawed by the fact that a number of topics
    are placed in the wrong level.  (Media access and packet switching,
    for example, are listed in the data link layer, rather than the
    physical and network layers, respectively.)  There are also
    problematic references to "native" PPP (Point-to-Point Protocol)
    encryption, and an assertion that ICMP (Internet *Control* Message
    Protocol) packets are not required for network operations.  The basics
    of security management are covered in chapter five, but very tersely. 
    The major standards are not listed here: the Common Criteria is
    mentioned briefly in chapter eight (security architecture) but British
    Standard 7799/ISO (International Standards Organization) 17799 is not
    listed at all.  The set of roles and responsibilities is short and
    risk analysis terms are not well defined.  This must be considered a
    serious weakness in the book, since security management is very
    important in the CISSP exam.  Application development is dealt with
    briefly and poorly: again, this is an area where many CISSP candidates
    do need extra help, and they won't get it here.  System development
    methods are not discussed at all, and the malware section is full of
    errors.  (Each chapter lists a set of books for extra research: I
    should note that neither of the virus books listed at the ISC2 site
    appear on the list for this chapter.  In fact, the bibliography is
    rather short overall: Krutz and Vines' "The CISSP Prep Guide" (cf.
    BKCISPPG.RVW), which is not much better than the current work, is
    listed in every set.)  There are also odd inclusions from other
    domains, such as almost a full page devoted to the SYN flood attack,
    which was adequately explained in a paragraph in chapter four.  The
    material on cryptography, in chapter seven, lists all the terms and
    technologies, but has poor or non-existent explanations, mathematical
    errors, and the authors obviously do *not* understand S-boxes.  (The
    process described would not allow for decryption.)  There is too much
    text about CPUs (Central Processing Units), and too little on
    distributed systems, formal models, and the various evaluation
    criteria in chapter eight's review of security architecture. 
    Operations security, in chapter nine, seems to be a collection of
    random topics, with a fair concentration on audit logs.  Chapter ten's
    overview of Business Continuity Planning (BCP) is not bad, although a
    bit shy on details.  (The vital topic of backups, for example, is
    mentioned only long enough to say that you should have one, and the
    various types, with varying strengths and weaknesses, are not
    discussed at all.)  Law, investigation, and ethics is reasonable,
    although the list of specific privacy laws is probably not too helpful
    (and I rather suspect that the authors got taken in by the "Desert
    Storm Virus" myth).  Most of the material on physical security, in
    chapter twelve, appears to have been copied from some other source
    without much understanding: the sections on visibility, capacitance
    sensors, and UPSes (Uninterruptible Power Supplies) are among those
    that contain errors or seem to miss the major points.

    Part three is the usual "dummies" "part of tens."  Chapter thirteen
    relists the ten domains.  (Didn't we do this already?)  Ten other
    security certifications are recorded in chapter fourteen.  Websites
    are given in chapter fifteen: three are actually useful.  The cheat
    sheet and chapter one are reprised in sixteen and seventeen.  One of
    the books listed in chapter eighteen ("Security Engineering," by Ross
    Anderson, cf. BKSECENG.RVW) would be very useful for exam candidates.

    Sample test questions are a big part of every CISSP study book (in the
    case of Peltier and Howard's "The Total CISSP Exam Prep Book," in
    fact, the *only* part).  This book has both its own set of questions,
    and a set from the Boson exams.  As I have said elsewhere, the Boson
    exams are not necessarily wrong, but they are far too simplistic to be
    considered adequate preparation for the CISSP exam, and the answer
    guides are completely tied to "Secured Computing" (cf. BKSCDCMP.RVW). 
    If any set of questions is simpler, and therefore less useful, than
    the Boson set, it is the one listed in this book.  And, like the
    Boson collection, the answers are completely self-referential.

    Like Andress' "CISSP Exam Cram" (cf. BKCISPEC.RVW), this text does
    sometimes simply list the terminology, although Miller and Gregory are
    somewhat more complete and do provide greater explanations of the
    domains themselves.  It would be hard to make a distinction between
    this volume and "Secured Computing": Miller and Gregory provide *some*
    outside references but Endorf makes fewer errors.  As previously
    noted, Krutz and Vines do not give the reader much in the way of
    explanatory material, but they do cover the domains more
    comprehensively than the current work.  Harris' "CISSP All-in-One
    Certification Exam Guide" is, as noted (cf. BKCISPA1.RVW), the one
    guide that might get you through the CISSP exam, albeit not
    necessarily with high marks: Miller and Gregory might get you through,
    but only if you stood a pretty good chance without the volume.

    copyright Robert M. Slade, 2002   BKCISPDM.RVW   20021029
    Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
    Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
        December 16, 2002   December 20, 2002   San Francisco, CA
        February 10, 2003   February 14, 2003   St. Louis, MO
        March 31, 2003      April 4, 2003       Indianapolis, IN
    ISN is currently hosted by Attrition.org
