BKCISPCG.RVW 20030421

"CISSP: Certified Information Systems Security Professional Study Guide", Tittel et al, 2003, 0-7821-4175-7, U$69.99/C$111.95/UK#52.99
%A Ed Tittel etittel@jump.net
%A Mike Chapple
%A James Michael Stewart
%C 1151 Marina Village Parkway, Alameda, CA 94501
%D 2003
%G 0-7821-4175-7
%I Sybex Computer Books
%O U$69.99/C$111.95/UK#52.99 800-227-2346 info@sybex.com
%O http://www.amazon.com/exec/obidos/ASIN/0782141757/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/0782141757/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0782141757/robsladesin03-20
%P 783 p. + CD-ROM
%T "CISSP: Certified Information Systems Security Professional Study Guide"

Although the table of contents departs from the usual ten domains of the CISSP CBK (Common Body of Knowledge), the introduction points out that the nineteen chapters actually represent two chapters for each of the ten domains, except for physical security. While begging the question of why the domains need to be so divided, the structure doesn't quite follow the (ISC)^2 domains: security models, for example, are covered in the chapter on access control, rather than the chapter on security models.

An interesting aspect of this book is an "assessment test," given at the beginning of the book. This is a good idea to focus the student on both the content and the type of questions likely to be on the CISSP exam--or, it would be, if the test was representative of the CISSP exam itself. Unfortunately, too many of the queries presented are the usual sad mix: strictly fact based and too simplistic. A number of others use nonstandard terminology, and the answers given in the key are correct only in the sense that they are the "least wrong" of the options provided. This quality of enquiry holds true for the other quizzes in the book.
Chapter one deals with a part of access control, but the vital topic of controls themselves is only partially covered, neglecting, for example, deterrent, directive, and recovery controls. At the same time, idiosyncratic terms are added, such as the "Type 1," "Type 2," and "Type 3" distinctions for different authentication factors. A number of topics, such as biometrics, Kerberos, and the Bell-LaPadula security model, are not explained in a depth appropriate to the level of the exam. Attacks and monitoring, in chapter two, devotes too much space to the assaults, at the expense of detail in terms of intrusion detection (the difference between host and network based systems is not properly explained, and the four types are reduced to two). A standard overview of TCP/IP, with almost no reference to security, is given in chapter three. (The minimal mention of firewalls is very brief, confuses firewall types and topologies, and completely misses circuit-level proxies.) Chapter four covers a number of communications security technologies, but tersely, and without any organizational structure.

I frequently note that security essentially *is* management, so the ludicrously inadequate list of random concepts and terminology in chapter five's dismissal of security management comes as a shock. Chapter six is better, with a review of the aspects of a security policy (though not much help in creating one) and a reasonably adequate overview of risk analysis and management. Data and application security, in chapter seven, has a very ragged structure, and an obvious lack of familiarity with basic issues. (Polyinstantiation is an aspect of object-oriented programming, rather than a risk of database security.) Malicious code gets a fair, but dated, examination, but chapter eight also contains a random assortment of other threats, many of which should be dealt with elsewhere.
Chapter nine lists a number of basic concepts in cryptography, as well as major encryption systems, but the explanations clearly demonstrate that the authors do not understand the fundamental operations. (Modular arithmetic is not restricted to decimal representation, and the transposition example used does not require a keyword or alphabetical ordering.) As with the other "second chapters" in the book, chapter ten collects the random cryptography topics that haven't been dealt with. Chapter eleven presents a list of computer hardware basics, rather than the computer architecture that it should be discussing. Security models are mentioned briefly in chapter twelve (sometimes contradicting the earlier material), but most of the content is a grab bag of certification terms and some vulnerabilities missed in the prior compilations.

Updating antivirals, performing backups, and protecting media pass for operations security in chapter thirteen, while auditing and monitoring are covered better in fourteen. Business continuity and disaster recovery are given the usual treatment in chapters fifteen and sixteen respectively. Law and investigation, in chapter seventeen, concentrates too much on specific US statutes, and far too little on legal principles and forensic examination. Chapter eighteen spends too much time on specific incidents, rather than process, and, predictably, allows ethics only two pages. At first glance, the material on physical security, in chapter nineteen, seems adequate, but closer examination reveals gaps and missing information.

When physically lined up with the other CISSP guides, this one appears to be closest in size to Harris' leading "All-in-One" guide (cf. BKCISPA1.RVW). Appearances, and particularly sheer physical bulk, can obviously be deceiving. The actual useful content, when stripped of the excessive verbiage, is only about the same as the lower ranked works, such as Harris' second attempt (cf. BKMMCISP.RVW), Endorf's (cf. BKSCDCMP.RVW), or Miller/Gregory (cf. BKCISPDM.RVW). Possibly it is equal to the similarly bulky, and unreliable, entry by Bragg (cf. BKCISPTG.RVW). Krutz and Vines' "Gold Edition" (cf. BKCIPGGE.RVW), comparable in size, has a greater breadth of coverage, although possibly less depth.

Could this book get you through the CISSP exam? Well, that would depend upon your background. If you had a lot of experience in security, then possibly yes. But then, you wouldn't need the book, now would you?

copyright Robert M. Slade, 2003