BKCISPA1.RVW   20060808

"CISSP All-in-One Certification Exam Guide, 3rd Ed.", Shon Harris, 2005,
0-07-225712-1, U$79.99/C$106.95/UK#45.99
%A   Shon Harris shonharris@hotmail.com
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2005
%G   0-07-225712-1
%I   McGraw-Hill Ryerson/Osborne
%O   U$79.99/C$106.95/UK#45.99 +1-800-565-5758 fax: 905-430-5020
%O   http://www.amazon.com/exec/obidos/ASIN/0072257121/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0072257121/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0072257121/robsladesin03-20
%O   Audience i Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   1001 p. + CD-ROM
%T   "CISSP All-in-One Certification Exam Guide, 3rd Ed."

The first edition of the "CISSP All-in-One Certification Exam Guide" was, at the time it came out, the best single-volume resource. With the exception of the "Official (ISC)2 Guide to the CISSP Exam" (cf. BKOIGTCE.RVW) it had remained, standing above the many contenders by Krutz and Vines (cf. BKADCIPG.RVW, BKCIPGGE.RVW, BKCISPPG.RVW), Bragg (cf. BKCISPTG.RVW), Gregg (cf. BKCISPE2.RVW), Gregory (cf. BKCISPDM.RVW), Tittel (cf. BKCISPSG.RVW), and sundry others (http://victoria.tc.ca/techrev/mnbkscci.htm).

Chapter one, of the new edition, is a very reasonable review of the CISSP (Certified Information Systems Security Professional) credential, and the (ISC)^2 (International Information Systems Security Certification Consortium) exam process, including recertification or maintenance with continuing professional education. As with most of the chapters in the book, it has a set of sample questions. The quiz covers a decent range of topics but not with a representative extent of difficulty. There are resources listed in this and other chapters, mostly Web sites: in this chapter the sites chosen are relatively stable ones. It is difficult to see the point of chapter two--an opinion-piece level overview of random security related topics.
Chapter three begins the first of the ten domains of the Common Body of Knowledge (CBK) with security management practices. It is obvious that the material has been structured and based on the (ISC)^2 CBK review course, even to the use of specific tables and diagrams, but the content is, at least, enhanced and extended by summary discussion. (Some of the diagrams are not from the (ISC)^2 seminar, such as one that seems to imply that administrative controls are a special case of technical controls which are a special case of physical controls.) The narrative has been substantially improved, in terms of readability and flow, from the first edition, and the "direct lifts" of text from other essays are no longer apparent. (Some problems with conflation of the content from various sources still exist, such as the two contradictory definitions of the Delphi method.) Unlike the first chapter, the answers to sample questions here, and in following chapters, have some discussion. (Interestingly, the questions still show evidence of being obtained from commonly available sample sets.) The "humorous" comments that have been added do not add life to the text: as with many such attempts, they only serve to distract from the discussion at hand.

Access control is explained clearly (and sometimes amusingly) in chapter four, although biometric concepts are not presented too well, and Kerberos gets a lot of storytelling with little content of fact. (Role-based access control is also equated with the archaic term "non-discretionary," and the history and implications of that are not resolved properly.)

In general, the coverage of security architecture and models in chapter five is quite useful, and the chapter is well structured. However, some of the statements about the formal models are misleading, and the descriptions often make these models seem more difficult than they really are.
In addition, there is too much emphasis on the old "Orange Book" TCSEC (Trusted Computer System Evaluation Criteria) and not enough on the newer Common Criteria.

Chapter six has many of the blind spots about physical security common to most computer security types.

The telecommunications and networking material, in chapter seven, presents the underlying concepts well, but for some reason fails to address many of the security technologies. The content is presented rather randomly, and there is an odd inclusion of sections on rootkits and spyware.

The explanations of cryptography, in chapter eight, are problematic. The content is not necessarily wrong in all cases, but the author obviously is not familiar with this area, and the text in such areas as DES (Data Encryption Standard) modes and one-way encryption doesn't make sense, although it does not necessarily misinform the reader. On the other hand, explanations such as the birthday paradox are completely wrong: Harris proposes a one-to-many comparison, which obviates the force behind the birthday attack.

Chapter nine, dealing with business continuity and disaster recovery, is reasonable, with more detail than it used to have, but is still weak. Law, Investigation, and Ethics, in chapter ten, is rather weak and slightly disorganized.

Chapter eleven, applications development, contains the basic information but does not always make the connections to security. The early sections are well structured, but later content is pretty haphazard. The section on malware is extremely weak, and there seems to have been a swap of material with chapter seven: some network attacks are detailed here.

Operations security gets a review in chapter twelve, with a little more network padding. The material is much more reliable and better structured than the SRV Press books (cf. BKCISPET.RVW), and more complete than the Andress work (cf. BKCISPEC.RVW).
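The review's point about the birthday paradox is worth making concrete: the attack's power comes from comparing every hash against every other (many-to-many), not from comparing many hashes against one fixed value (one-to-many). The following Python is an added illustration, not code from the book or the review; it computes both probabilities exactly and runs a birthday search against a SHA-256 digest truncated to a constructed, deliberately tiny width so a collision appears quickly.

```python
import hashlib
import random

def p_any_pair_collides(k: int, n: int) -> float:
    """Real birthday problem: probability that among k values drawn
    uniformly from n possibilities, some two are equal (many-to-many)."""
    p_distinct = 1.0
    for i in range(k):
        p_distinct *= (n - i) / n
    return 1.0 - p_distinct

def p_matches_fixed_target(k: int, n: int) -> float:
    """One-to-many comparison: probability that at least one of k random
    values equals a single fixed target.  Grows like k/n, not k^2/n."""
    return 1.0 - (1.0 - 1.0 / n) ** k

def samples_for_half(prob_fn, n: int) -> int:
    """Smallest k for which prob_fn(k, n) reaches 0.5 (binary search)."""
    lo, hi = 1, n
    while lo < hi:
        mid = (lo + hi) // 2
        if prob_fn(mid, n) >= 0.5:
            hi = mid
        else:
            lo = mid + 1
    return lo

def truncated_digest(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256: a toy hash with 2**bits outputs."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def find_pair_collision(bits: int, seed: int = 1):
    """Birthday search: hash random messages, remember every digest seen,
    stop when any two messages share one.  Returns (msg1, msg2, tries);
    tries is on the order of sqrt(2**bits), not 2**bits."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    seen = {}
    tries = 0
    while True:
        msg = rng.getrandbits(64).to_bytes(8, "big")  # constructed input
        tries += 1
        d = truncated_digest(msg, bits)
        if d in seen and seen[d] != msg:
            return seen[d], msg, tries
        seen[d] = msg

if __name__ == "__main__":
    print(samples_for_half(p_any_pair_collides, 365),     # 23
          samples_for_half(p_matches_fixed_target, 365))  # 253
```

For the classic 365-day case the many-to-many search needs 23 samples to reach even odds, the one-to-many search 253; for a real hash with n = 2^b outputs the gap is 2^(b/2) against 2^b, which is the whole point of the attack.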
Like the Krutz and Vines volumes it is quite obvious that the content and organization is copied from the old CBK course (sometimes slavishly), although Harris does put more explanatory and narrative substance into the text. (Interestingly, there are some indications that this is based on an even older version of the course than Krutz and Vines used, although I note more recent additions have been included in this version.)

Even considering the noted weak areas in this book, it should provide a reasonable basis as a study guide for the CISSP exam, although those who use only this work should not expect to get a particularly high mark.

copyright Robert M. Slade, 2002-6   BKCISPA1.RVW   20060808