A 'cheat sheet' is bound into the front of the book. It offers some general advice for taking the CISSP (Certified Information Systems Security Professional) exam, the most useful aspect of which is to prepare. Most of the tips are vague, such as the suggestion to budget your time, or review CISSP resources, without any information about what factors should be considered in time management or where to find resources. Some tips are overly specific, such as the recommendation that you bring a big bottle of water. (Yes, six hours is a long time for the exam, and, yes, you may need refreshment. The tip does not mention that proctors vary in rigour when applying the exam regulations, and may not allow bottles of water at the test tables. Besides which, only one person may be excused from the room at any one time.)
Part one reviews the CISSP exam itself. At the beginning of chapter one, the authors point out that some CISSP study guides are too hard, and some CISSP study guides are too soft, but this book is just right. Then it moves on to information about (ISC)^2 (the International Information Systems Security Certification Consortium), arrangements for the exam, and some study tips. The material is more up-to-date than in other CISSP study guides, but the text is badly written, duplicating content and repeating itself, possibly because the structure and organization are weak. The suggestions and information are reasonable, although occasionally questionable: the recommendations for study guides and practice exams are rather weak. Chapter two briefly lists the ten domains of the common body of knowledge (CBK), and is really only an expanded table of contents for the chapters in the next section.
Part two describes the ten domains in detail. Chapter three covers most of access control, but unevenly. Given the constraints that the authors themselves mention (the CISSP CBK is a mile wide and an inch deep), too much space is devoted to a simplistic set of password choice rules, an excellent (but, in this situation, overlong) review of Kerberos, and a number of jokes which are not going to help candidates remember important points, and may very well confuse the issues. Some material is problematic, such as the discussion of security "domains" that follows the Microsoft networking model rather than the Bell-LaPadula derived structure that the CBK requires, and a baffling non-explanation of the lattice model. (There are also a number of perplexing inclusions, such as a cross-reference to cryptography in the introduction to single sign-on systems.)

Telecommunications and network security is presented in chapter four. The authors have used the OSI (Open Systems Interconnection) model to structure the discussion of various technologies: an interesting concept, but one which is flawed by the fact that a number of topics are placed in the wrong level. (Media access and packet switching, for example, are listed in the data link layer, rather than the physical and network layers, respectively.) There are also problematic references to "native" PPP (Point-to-Point Protocol) encryption, and an assertion that ICMP (Internet *Control* Message Protocol) packets are not required for network operations. The basics of security management are covered in chapter five, but very tersely. The major standards are not listed here: the Common Criteria is mentioned briefly in chapter eight (security architecture) but British Standard 7799/ISO (International Standards Organization) 17799 is not listed at all. The set of roles and responsibilities is short and risk analysis terms are not well defined. This must be considered a serious weakness in the book, since security management is very important in the CISSP exam.

Application development is dealt with briefly and poorly: again, this is an area where many CISSP candidates do need extra help, and they won't get it here. System development methods are not discussed at all, and the malware section is full of errors. (Each chapter lists a set of books for extra research: I should note that neither of the virus books listed at the ISC2 site appears on the list for this chapter. In fact, the bibliography is rather short overall: Krutz and Vines' "The CISSP Prep Guide" (cf. BKCISPPG.RVW), which is not much better than the current work, is listed in every set.) There are also odd inclusions from other domains, such as almost a full page devoted to the SYN flood attack, which was adequately explained in a paragraph in chapter four. The material on cryptography, in chapter seven, lists all the terms and technologies, but has poor or non-existent explanations, mathematical errors, and the authors obviously do *not* understand S-boxes. (The process described would not allow for decryption.) There is too much text about CPUs (Central Processing Units), and too little on distributed systems, formal models, and the various evaluation criteria in chapter eight's review of security architecture.

Operations security, in chapter nine, seems to be a collection of random topics, with a fair concentration on audit logs. Chapter ten's overview of Business Continuity Planning (BCP) is not bad, although a bit shy on details. (The vital topic of backups, for example, is mentioned only long enough to say that you should have one, and the various types, with varying strengths and weaknesses, are not discussed at all.) Law, investigation, and ethics is reasonable, although the list of specific privacy laws is probably not too helpful (and I rather suspect that the authors got taken in by the "Desert Storm Virus" myth). Most of the material on physical security, in chapter twelve, appears to have been copied from some other source without much understanding: the sections on visibility, capacitance sensors, and UPSes (Uninterruptible Power Supplies) are among those that contain errors or seem to miss the major points.
Part three is the usual "dummies" "part of tens." Chapter thirteen relists the ten domains. (Didn't we do this already?) Ten other security certifications are recorded in chapter fourteen. Websites are given in chapter fifteen: three are actually useful. The cheat sheet and chapter one are reprised in sixteen and seventeen. One of the books listed in chapter eighteen ("Security Engineering," by Ross Anderson, cf. BKSECENG.RVW) would be very useful for exam candidates.
Sample test questions are a big part of every CISSP study book (in the case of Peltier and Howard's "The Total CISSP Exam Prep Book," in fact, the *only* part). This book has both its own set of questions, and a set from the Boson exams. As I have said elsewhere, the Boson exams are not necessarily wrong, but they are far too simplistic to be considered adequate preparation for the CISSP exam, and the answer guides are completely tied to "Secured Computing" (cf. BKSCDCMP.RVW). If any set of questions is simpler, and therefore less useful, than the Boson set, it is the one listed in this book. And, like the Boson collection, the answers are completely self-referential.

Like Andress' "CISSP Exam Cram" (cf. BKCISPEC.RVW), this text does sometimes simply list the terminology, although Miller and Gregory are somewhat more complete and do provide greater explanations of the domains themselves. It would be hard to make a distinction between this volume and "Secured Computing": Miller and Gregory provide *some* outside references but Endorf makes fewer errors. As previously noted, Krutz and Vines do not give the reader much in the way of explanatory material, but they do cover the domains more comprehensively than the current work. Harris' "CISSP All-in-One Certification Exam Guide" is, as noted (cf. BKCISPA1.RVW), the one guide that might get you through the CISSP exam, albeit not necessarily with high marks: Miller and Gregory might get you through, but only if you stood a pretty good chance without the volume.
copyright Robert M. Slade, 2002 BKCISPDM.RVW 20021029