IWS - The Information Warfare Site



BKMMSCRP.RVW 20030207

"Mike Meyers' Security+ Certification Passport", Trevor Kay, 2003, 0-07-222741-9, U$29.99/C$44.95
%A Trevor Kay trevor@trevorkay.com
%C 300 Water Street, Whitby, Ontario L1N 9B6
%D 2003
%G 0-07-222741-9
%I McGraw-Hill Ryerson/Osborne
%O U$29.99/C$44.95 800-565-5758 fax: 905-430-5020
%O http://www.amazon.com/exec/obidos/ASIN/0072227419/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0072227419/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0072227419/robsladesin03-20
%P 363 + CD-ROM
%T "Mike Meyers' Security+ Certification Passport"

Given the organization of the Security+ objectives, part one covers general security concepts and chapter one is on access control. Some factors are dismissed a little bit too concisely: it is difficult to justify the blanket statement that biometric authentication is "extremely accurate and secure." (Biometrics does get a bit more explanation in the chapter on physical security, but there is no indication of that in this location.) For the first set of sample questions, the emphasis is on simple definitions and fact recitation, but later questions do become somewhat more complex. A variety of attacks are described in chapter two, generally reasonably. The virus material is unfortunately poor, concentrating on older viral technologies (such as the almost extinct boot sector viruses and older DOS precedence-based companions) and failing to provide proper outlines of the basic antivirus technologies.

Part two looks at communications security. Chapter three deals with remote access, but the content has limited application to security. Technologies related to Internet application security are reviewed in chapter four. The highlights are touched on, but the lack of detail can be troubling. Cookies are discussed, with some mention of privacy, but the potential problem of cross-site tracking is not dealt with at all, and neither is the danger of HTML (HyperText Markup Language) formatted messages when the topic turns to email. The material on wireless networking and security, in chapter five, is very weak. The explanation of direct-sequence spread spectrum is not clear at all, a mention of SSL (Secure Sockets Layer) makes no reference to the description in the previous chapter (and almost contradicts it), and security itself gets short shrift in the haste to trot out the alphabet soup of related technologies.

Part three deals with infrastructure security. Chapter six runs through a list of networking components, cabling, and storage media, again with limited allusion to security. Network topologies and intrusion detection systems are discussed in chapter seven. System hardening, generally by applying patches and disabling functions, is reviewed in chapter eight.

Cryptography is in part four. Most of the basic content in chapter nine is sensible, but it is clear from the paragraphs on double- and triple-DES (Data Encryption Standard) that the author does not fully understand the subject. Chapter ten reviews key management, but it is not clear why the topic was separated from that of PKI (Public Key Infrastructure).

Part five deals with operational and organizational security. Physical security, in chapter eleven, is covered fairly well. Disaster recovery is confined to backups and fault tolerance: chapter twelve supports Kenneth Myers' contention (cf. BKMGTCPD.RVW) that most people concentrate on recovering technology rather than the business, and would be improved by a broader view that incorporated all aspects of the operation. Chapter thirteen lists some areas that should be covered in a security policy. Forensics is dealt with poorly, and chapter fourteen also throws in education and training.

While the book still adheres, rather slavishly, to the arbitrary structure of the Security+ list of objectives, the content is generally pretty reasonable, providing background explanations for important concepts, and keeping the descriptions of many of the specific technologies limited to the fundamental ideas. The text does tend to be terse, given the size of the book, but most basic material should be available to the student. This does vary by chapter: some seem to be merely going through the motions. The work could be improved with some removal of duplicated material. For example, there are three separate discussions of social engineering, and two could be replaced with cross-references. Despite its smaller size, I would recommend this volume over the Syngress "Security+ Study Guide and DVD Training System" (cf. BKSCRTYP.RVW), but not emphatically.

copyright, Robert M. Slade, 2003 BKMMSCRP.RVW 20030207