[ISN] REVIEW: "CISSP Training Guide", Roberta Bragg

From: InfoSec News (isnat_private)
Date: Tue Feb 11 2003 - 22:32:12 PST

    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    
    BKCISPTG.RVW   20030127
    
    "CISSP Training Guide", Roberta Bragg, 2003, 0-7897-2801-X,
    U$69.99/C$108.99/UK#50.99
    %A   Roberta Bragg Roberta.Braggat_private
    %C   201 W. 103rd Street, Indianapolis, IN   46290
    %D   2003
    %G   0-7897-2801-X
    %I   Macmillan Computer Publishing (MCP)
    %O   U$69.99/C$108.99/UK#50.99 800-858-7674 infoat_private
    %O  http://www.amazon.com/exec/obidos/ASIN/078972801X/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/078972801X/robsladesinte-21
    %O   http://www.amazon.ca/exec/obidos/ASIN/078972801X/robsladesinterne
    %P   727 p. + CD-ROM
    %T   "CISSP Training Guide"
    
    The introduction and frontmatter appear to be much more concerned with
    the structure of the book (and this particular series of books) than
    the CISSP (Certified Information Systems Security Professional) exam. 
    The initial list of topics covered by the domains has notable gaps and
    some oddities in organization.
    
    Part one is entitled "Exam Preparation," and is divided into the ten
    standard domains of the CBK (Common Body of Knowledge).  Chapter one,
    on access control, shows problems right away.  The first paragraph
    tries to distinguish between access control and authentication, but
    doesn't really outline the relationship between the two concepts, let
    alone dealing with the broader and more usual interrelated ideas of
    identification, authentication, authorization, and accountability. 
    When discussing access models, the lattice content touches on advanced
    outcomes of the model, but not the basic principles.  The biometric
    material is simply inadequate.  There are sample questions at the end
    of the chapter, and this first set, at least, does appear to be crafted
    in order to avoid the usual "reading check" level of simplicity, but
    the wording is extremely poor and many answers are either flatly wrong
    or highly misleading.  Similar problems are evident with
    telecommunications and networking, in chapter two, which has excessive
    space given to topics like cabling characteristics, poor explanation
    of the relationship between tunnelling and virtual private networks,
    an overview of intrusion detection that contradicts the material in
    chapter one, and some completely idiosyncratic terminology.  The
    answers to the sample questions are more correct, but only because the
    questions themselves are overly simplistic.  The rudimentary factors
    of security management are discussed in chapter three, but in a
    confused fashion, not assisted by the fact that topics are repeated
    and sections from other domains are introduced for no apparent reason. 
    The central material is very brief, despite the sixty pages devoted to
    the topic, and entire sections, such as the various evaluation
    criteria, are missing.  Applications development, in chapter four,
    does possibly provide enough information to deal with the CISSP exam
    on this subject, but lists lots of problems without many solutions,
    and has a great deal of extraneous material such as lists of different
    types of memory (fast page mode [FPM] versus extended data out [EDO]
    dynamic random access memory, for example).  I thought the
    introduction to cryptography, in chapter five, wasn't all that bad
    (absent details such as the key in a one-time pad having to be no
    shorter than the message being sent).  That is, until I realized that
    it was the entire chapter, and details about any form of encryption,
    digital signatures, and the requirements for certification and a
    public key infrastructure were completely missing.  Chapter six does
    cover the elemental points of security architecture, but in a
    disorganized manner, and has no material at all dealing with computer
    architecture.  Operations security is discussed in terms of details
    like specific logs in Windows 2000 and updating antiviral scanners,
    and chapter seven misses more general concepts and operating
    principles.  Business continuity and disaster recovery planning, in
    chapter eight, does provide most necessary information about the
    process, except for the recovery phase.  Law, in chapter nine,
    concentrates too heavily on US legislation, and the investigative
    process fails to address incident response, interviewing, and
    relations with outside agencies.  Chapter ten again covers physical
    security with specific details rather than underlying concepts.
    
    Part two is a review.  About half of the "Fast Facts" are useful and
    the rest aren't: it would be hard for an exam candidate to know which
    is which.  The study and exam prep tips are generic, and probably not
    much help.  The practice exam questions are, like most of the sample
    questions in the book, far too simplistic and particular to properly
    prepare candidates for the actual CISSP exam.
    
    Despite the size of this volume, it does not contain as much
    information as, say, Harris' "CISSP All-in-One Certification Exam
    Guide" (cf. BKCISPA1.RVW), nor is it organized as well as the Krutz
    and Vines work (cf. BKCISPPG.RVW).  It is closer to the Endorf (cf.
    BKSCDCMP.RVW), Miller/Gregory (cf. BKCISPDM.RVW), or the second Harris
    (cf. BKMMCISP.RVW) works, and therefore its utility as preparation for
    the CISSP exam is questionable.
    
    copyright, Robert M. Slade, 2003   BKCISPTG.RVW   20030127
    
    -- 
    ======================
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
    Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
              March 31, 2003           Indianapolis, IN
    
    
    
    
    -
    ISN is currently hosted by Attrition.org