[ISN] REVIEW: "Mike Meyers' Certification Passport CISSP", Shon Harris

From: InfoSec News (isnat_private)
Date: Mon Jan 13 2003 - 22:54:28 PST


    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    
    BKMMCISP.RVW   20021106
    
    "Mike Meyers' Certification Passport CISSP", Shon Harris, 2002,
    0-07-222578-5, U$29.99/C$44.95
    %A   Shon Harris shonharrisat_private www.intenseschool.com
    %C   300 Water Street, Whitby, Ontario   L1N 9B6
    %D   2002
    %G   0-07-222578-5
    %I   McGraw-Hill Ryerson/Osborne
    %O   U$29.99/C$44.95 +1-800-565-5758 +1-905-430-5134 fax: 905-430-5020
    %O  http://www.amazon.com/exec/obidos/ASIN/0072225785/robsladesinterne
    %P   422 p.
    %T   "Mike Meyers' Certification Passport CISSP"
    
    There is a "Check-In" foreword, which seems to be about the series,
    and an introduction that provides a very terse overview of the CISSP
    (Certified Information Systems Security Professional) exam.
    
    The book consists of ten chapters, one for each of the CBK (Common
    Body of Knowledge) domains.  "Security Management Practices"
    demonstrates that the book is perhaps a bit too thin: illustrations
    and other materials from Harris' "All-in-One" guide (cf. BKCISPA1.RVW)
    appear, but most of the tutorial material is vague and generic.  (When
    covering "controls," a vital concept in this domain, the text provides
    an "exam tip" that controls should be visible enough to deter
    misdeeds, but not visible enough to be avoided, but completely
    neglects the second axis of the control matrix, which covers
    deterrence, detection, and so forth.)  The review questions at the end
    of the chapter are better than some, but still quite simplistic.  As
    well as being limited, the content is suspect in places: a "cognitive
    password" is very insecure, and why would a retina scanner blow air
    into your eye?  The "Computers 101" part of "Security Architecture and
    Models" is all right, although very brief and with significant gaps,
    but the formal models are simplified to a problematic extent (and the
    explanation of lattice models is flatly wrong).  The "Physical
    Security" chapter is probably adequate for study purposes.  Even after
    all of the above, I was surprised at how poor the material in
    "Telecommunications and Networking Security" was.  The TCP/IP content
    is definitely insufficient, and specific errors are made in a number
    of areas (such as the ability of PPTP [Point-to-Point Tunneling
    Protocol] to encrypt data).  "Cryptography" is limited to little more
    than the terms involved, and it is odd how much space is wasted on
    editorial comment.  (The text could also use a bit more organization:
    a number of topics appear, in isolation, at a fair distance away from
    related items.)  "Disaster Recovery and Business Continuity" is terse,
    but possibly sufficient for study purposes.  The material in "Law,
    Investigation, and Ethics" is problematic: it appears to be somewhat
    dated and has some important gaps, such as corporate liability,
    interviewing, and the process of incident response.  A great deal of
    the content in "Application Development" seems to have been parroted
    without any understanding: the iterative class of systems development
    models is not collected, the spiral model is incorrectly
    described, the point of Java as a hybrid of compilation and
    interpretation seems to have been completely lost, and the malware
    text is rife with errors.  "Operations Security" doesn't have as many
    mistakes, but it seems to be pretty much of an unorganized grab bag of
    topics.
    
    Yes, I can see the need (or desire) for a short and quick reference to
    the CISSP CBK.  However, if you are going to take on that task, you
    have to make every single word (and figure) count.  This book doesn't. 
    Since McGraw-Hill also published "CISSP All-in-One Certification Exam
    Guide" they should probably have heeded the old dictum that "if it
    ain't broke, don't fix it."  As it is, this work is well back in the
    CISSP pack, along with "Secured Computing" (cf. BKSCDCMP.RVW) and
    "CISSP for Dummies" (cf. BKCISPDM.RVW).
    
    copyright Robert M. Slade, 2002   BKMMCISP.RVW   20021106
    