[ISN] REVIEW: "Mike Meyers' Security+ Certification Passport", Trevor Kay

From: InfoSec News (isnat_private)
Date: Fri Feb 21 2003 - 02:54:06 PST


    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    
    BKMMSCRP.RVW   20030207
    
    "Mike Meyers' Security+ Certification Passport", Trevor Kay, 2003,
    0-07-222741-9, U$29.99/C$44.95
    %A   Trevor Kay trevorat_private
    %C   300 Water Street, Whitby, Ontario   L1N 9B6
    %D   2003
    %G   0-07-222741-9
    %I   McGraw-Hill Ryerson/Osborne
    %O   U$29.99/C$44.95 800-565-5758 fax: 905-430-5020
    %O  http://www.amazon.com/exec/obidos/ASIN/0072227419/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/0072227419/robsladesinte-21
    %O   http://www.amazon.ca/exec/obidos/ASIN/0072227419/robsladesin03-20
    %P   363 + CD-ROM
    %T   "Mike Meyers' Security+ Certification Passport"
    
    Given the organization of the Security+ objectives, part one covers
    general security concepts and chapter one is on access control.  Some
    factors are dismissed a little bit too concisely: it is difficult to
    justify the blanket statement that biometric authentication is
    "extremely accurate and secure."  (Biometrics does get a bit more
    explanation in the chapter on physical security, but there is no
    indication of that in this location.)  For the first set of sample
    questions, the emphasis is on simple definitions and fact recitation,
    but later questions do become somewhat more complex.  A variety of
    attacks are described in chapter two, generally reasonably.  The virus
    material is unfortunately poor, concentrating on older viral
    technologies (such as the almost extinct boot sector viruses and older
    DOS precedence-based companions) and failing to provide proper
    outlines of the basic antivirus technologies.
    
    Part two looks at communications security.  Chapter three deals with
    remote access, but the content has limited application to security. 
    Technologies related to Internet application security are reviewed in
    chapter four.  The highlights are touched on, but the lack of detail
    can be troubling.  Cookies are discussed, with some mention of
    privacy, but the potential problem of cross-site tracking is not dealt
    with at all, and neither is the danger of HTML (HyperText Markup
    Language) formatted messages when the topic turns to email.  The
    material on wireless networking and security, in chapter five, is very
    weak.  The explanation of direct-sequence spread spectrum is not clear
    at all, a mention of SSL (Secure Sockets Layer) makes no reference to
    the description in the previous chapter (and almost contradicts it),
    and security itself gets short shrift in the haste to trot out the
    alphabet soup of related technologies.
    
    Part three deals with infrastructure security.  Chapter six runs
    through a list of networking components, cabling, and storage media,
    again with limited allusion to security.  Network topologies and
    intrusion detection systems are discussed in chapter seven.  System
    hardening, generally by applying patches and disabling functions, is
    reviewed in chapter eight.
    
    Cryptography is in part four.  Most of the basic content in chapter
    nine is sensible, but it is clear from the paragraphs on double- and
    triple-DES (Data Encryption Standard) that the author does not fully
    understand the subject.  Chapter ten reviews key management, but it is
    not clear why the topic was separated from that of PKI (Public Key
    Infrastructure).
    
    Part five deals with operational and organizational security. 
    Physical security, in chapter eleven, is covered fairly well. 
    Disaster recovery is confined to backups and fault tolerance: chapter
    twelve supports Kenneth Myers' contention (cf. BKMGTCPD.RVW) that most
    people concentrate on recovering technology rather than the business,
    and would be improved by a broader view that incorporated all aspects
    of the operation.  Chapter thirteen lists some areas that should be
    covered in a security policy.  Forensics is dealt with poorly, and
    chapter fourteen also throws in education and training.
    
    While the book still adheres, rather slavishly, to the arbitrary
    structure of the Security+ list of objectives, the content is
    generally pretty reasonable, providing background explanations for
    important concepts, and keeping the descriptions of many of the
    specific technologies limited to the fundamental ideas.  The text does
    tend to be terse, given the size of the book, but most basic material
    should be available to the student.  This does vary by chapter: some
    seem to be merely going through the motions.  The work could be
    improved with some removal of duplicated material.  For example, there
    are three separate discussions of social engineering, and two could be
    replaced with cross-references.  Despite its smaller size, I would
    recommend this volume over the Syngress "Security+ Study Guide and DVD
    Training System" (cf. BKSCRTYP.RVW), but not emphatically.
    
    copyright, Robert M. Slade, 2003   BKMMSCRP.RVW   20030207
    
    -- 
    ======================
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
    Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
              March 31, 2003           Indianapolis, IN
    
    
    
    