[ISN] REVIEW: "Security+ Study Guide and DVD Training System", Michael Cross et al

From: InfoSec News (isnat_private)
Date: Tue Feb 18 2003 - 23:59:13 PST


    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    BKSCRTYP.RVW   20030206
    "Security+ Study Guide and DVD Training System", Michael Cross et al,
    2002, 1-931836-72-8, U$59.95/C$92.95
    %A   Michael Cross
    %A   Norris L. Johnson
    %A   Tony Piltzecker
    %C   800 Hingham Street, Rockland, MA   02370
    %D   2002
    %G   1-931836-72-8
    %I   Syngress Media, Inc.
    %O   U$59.95/C$92.95 781-681-5151 fax: 781-681-3585 amyat_private
    %O  http://www.amazon.com/exec/obidos/ASIN/1931836728/robsladesinterne
    %O   http://www.amazon.ca/exec/obidos/ASIN/1931836728/robsladesin03-20
    %P   823 p. + DVD
    %T   "Security+ Study Guide and DVD Training System"

    The book admits that the Security+ certification from CompTIA
    (Computing Technology Industry Association) is, in comparison to the
    CISSP (Certified Information Systems Security Professional), an entry
    level designation.  At the same time, Security+ has obviously been
    influenced by the CISSP.  There are five "domains": general security
    concepts, communications, infrastructure, cryptography, and
    organizational security.  (The book extends this a ways: in the same
    way that the CISSP has a triad (CIA, confidentiality, integrity, and
    availability) the general concepts domain has a triad: access control,
    authentication, and auditing.)  Those who have experience in security
    can, I trust, already see some of the potential gaps in coverage.
    At the same time, I do not hold the Security+ designation, and
    therefore find it difficult to determine whether faults lie with the
    certification itself, or this book in particular.

    Domain one, as noted, deals with general concepts.  Chapter one
    essentially discusses a variety of elements of access control, but
    does not do a good job on the concepts.  There is, for example, little
    mention of either identification or authorization as separate ideas,
    and those mentions are confusing at best.  The level of coverage
    varies greatly: I admire the elegance of Kerberos but it is hard to
    see that it rates more than three pages of explanation (while still
    managing not to explain that it uses symmetric encryption without ever
    sending keys in the clear over the net) when biometrics is dismissed
    in a single paragraph.  Security+ is supposed to be vendor-neutral,
    but the book makes extensive reference (including pages of screen
    shots) to Microsoft products.  The sample questions are intriguing. 
    Despite attempts to make the questions seem to be complex (usually by
    burying the central point in a mass of verbiage), the answers really
    only turn on knowing the definitions of terms.  However, the text of
    the book is not always clear in regard to definitions, and frequently
    uses either non-standard terms, or expressions used in non-standard
    ways.  Authentication is often used in a context where authorization
    would be more appropriate, and auditing seems to be confused with
    accountability.  A conglomeration of attacks is listed in chapter
    two, without much in the way of a framework in which to analyze or
    understand them.

    Domain two concerns communications.  Chapter three enumerates a number
    of technologies related to remote access and email, again without much
    in the way of structure.  The material on wireless networking and
    security demonstrates a profound lack of understanding of the
    cryptographic concepts necessary for discussing the weaknesses in WEP
    (Wired Equivalent Privacy).  Pages of narrative mention relevant
    papers and the dates on which they were published, but the fundamental
    issues are buried in spurious and erroneous text.  RC4 is faulted for
    being a known algorithm (Kerckhoffs' Law, a foundational tenet in
    cryptography, states that the security of an algorithm cannot rely on
    it remaining unknown), DES is said to be superior to stream ciphers
    because it uses mathematical functions rather than XOR (the logical
    exclusive OR operation).  (DES uses substitution and transposition
    rather than math functions, and has stream modes which use XOR.)  Some
    of the confusion is more basic: one paragraph makes a big deal of the
    fact that a 104-bit key has 26 hexadecimal digits (since hexadecimal
    representation translates four bits per digit that is simple
    arithmetic) and explains hexadecimal representation (sixteen possible
    digits, usually written 0 - F) as "0 through 9, a through f, or A
    through F."  There is a compilation of web exploits in chapter five,
    which is, if possible, even more Microsoft-centric than prior

    Domain three deals with infrastructure.  Chapter six lists security
    considerations with devices (a variety of hardware, mostly network
    components) and media (mostly network cabling).  Network topologies
    and intrusion detection are discussed in chapter seven.  Most of the
    advice about system hardening, in chapter eight, concerns the
    application of patches.

    Cryptography is reviewed in domain four.  Chapter nine, entitled
    "Basics of Cryptography," lists the names of the most common
    algorithms, and a few broad concepts, but doesn't get into inner
    workings.  The ingredients of a public key infrastructure are outlined
    in chapter ten.

    Domain five covers "operational and organization security."  Incident
    response, in chapter eleven, contains a poor overview of physical
    security, a not quite as bad look at data recovery for investigations,
    and, oddly, some material on risk analysis.  Chapter twelve,
    ostensibly about policies and disaster recovery, contains a grab bag
    of management topics.

    There is an appendix giving slightly more detailed answers to the
    sample questions: these don't clear up much of the confusion
    surrounding some questions.  There is also a DVD with training video
    material.  The video material appears to be an amateurishly shot
    "talking head" outline (very terse overview) of the material in the

    Probably most of those who would want to buy this book are solely
    concerned with whether or not it will help them pass the Security+
    exam, and, as noted previously, I can't speak to that.  A review of
    the CompTIA Security+ objectives does show where some of the
    randomness in structure comes from, although the authors did not have
    to blindly follow the list in organizing the book.  It is also true
    that the objectives don't give a lot of direction in terms of how much
    candidates need to know about particular topics.  On the other hand,
    the list would not have prevented the authors from adding material
    that would have provided better explanations of the major points.  I
    will say that, if this book can help you pass the exam, the value of
    the Security+ designation has to be questioned.  A great deal of book
    space is devoted to screenshots and operating descriptions of programs
    and utilities which may already be irrelevant and which, in any case,
    do little to explain broader security concepts.  In terms of the
    quality of information, this work ranks with the great mass of
    attempted (and, basically, failed) general low level security guides.

    copyright, Robert M. Slade, 2003   BKSCRTYP.RVW   20030206
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
    Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
              March 31, 2003           Indianapolis, IN
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
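The review above faults the book for treating XOR as a weakness of stream ciphers and for missing that DES itself has stream modes built on XOR, and it notes the four-bits-per-hex-digit arithmetic behind the 104-bit WEP key. The following is an added example, not code from the review or from the Syngress book, that makes both points concrete: it runs a block function in Output Feedback (OFB) mode and shows that encryption collapses to plaintext XOR keystream, exactly as in a dedicated stream cipher. DES is not implemented here; the keyed block function is a SHA-256 stand-in chosen only for its fixed block width (an assumption of the demonstration), and the final function goes one step beyond the review to show the standard caveat that follows from any XOR-based design: reusing a keystream cancels it out.

```python
# Added example: not code from Rob Slade's review or from the Syngress book.
# Demonstrates that a block cipher run in a stream mode (OFB here) encrypts
# by XOR exactly as a dedicated stream cipher does, so "it uses XOR" is no
# argument against a cipher. DES is NOT implemented; toy_block_encrypt is a
# SHA-256 stand-in (assumption: only its fixed block width matters for the
# structure of the mode).
import hashlib

BLOCK_SIZE = 8  # bytes: mirrors DES's 64-bit block (assumption for the demo)


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block function: first 8 bytes of SHA-256(key || block).
    Not DES and not a real cipher; it just maps one 8-byte block to another."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("block must be exactly BLOCK_SIZE bytes")
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def ofb_keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """Output Feedback mode: each block output is fed back as the next input.
    The plaintext never enters the block function; it meets the keystream
    only in the XOR step, which is what makes OFB a stream mode."""
    if len(iv) != BLOCK_SIZE:
        raise ValueError("iv must be exactly BLOCK_SIZE bytes")
    out = bytearray()
    state = iv
    while len(out) < nbytes:
        state = toy_block_encrypt(key, state)
        out.extend(state)
    return bytes(out[:nbytes])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """In a stream mode, encryption is plaintext XOR keystream."""
    return xor_bytes(plaintext, ofb_keystream(key, iv, len(plaintext)))


def ofb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Decryption is the same XOR with the same keystream (XOR is its own inverse)."""
    return xor_bytes(ciphertext, ofb_keystream(key, iv, len(ciphertext)))


def hex_digits_for_key_bits(key_bits: int) -> int:
    """Hexadecimal carries four bits per digit, so a 104-bit WEP key is
    104 / 4 = 26 hex digits (and a 40-bit key is 10)."""
    if key_bits % 4:
        raise ValueError("key length must be a multiple of 4 bits")
    return key_bits // 4


def keystream_reuse_leaks(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """The standard caveat for any XOR-based scheme: encrypting two messages
    under the same key and IV means XORing the two ciphertexts cancels the
    keystream and yields p1 XOR p2 without the key. The defensive lesson is
    that a stream mode must never repeat a keystream, not that XOR is weak."""
    c1 = ofb_encrypt(key, iv, p1)
    c2 = ofb_encrypt(key, iv, p2)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    # Constructed sample values, not drawn from the book or any real system.
    key = b"constructedkey13"
    iv = b"\x00" * BLOCK_SIZE
    msg = b"stream modes are XOR too"
    ct = ofb_encrypt(key, iv, msg)
    assert ofb_decrypt(key, iv, ct) == msg
    print("ciphertext:", ct.hex())
    print("104-bit key in hex digits:", hex_digits_for_key_bits(104))
```

The structure, not the stand-in block function, is the point: swap in any real block cipher and OFB (or CFB, or CTR) still reduces to a keystream XOR, which is why the reviewer objects to the book's "mathematical functions rather than XOR" distinction.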
