BKCISPEC.RVW 20020321 "CISSP (Exam Cram)", Mandy Andress, 2001, 1-58880-029-6, U$34.99/C$53.99/UK#24.49 %A Mandy Andress mandy@arcsec.com %C 14455 N. Hayden Road, Suite 220, Scottsdale, AZ 85260 %D 2001 %G 1-58880-029-6 %I Coriolis %O U$34.99/C$53.99/UK#24.49 800-410-0192 fax: 602-483-0193 %O http://www.amazon.com/exec/obidos/ASIN/1588800296/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1588800296/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1588800296/robsladesin03-20 %P 265 p. %T "CISSP (Exam Cram)" It is interesting, and somewhat disturbing, to note that while there are a number of effusive quotes on and inside the cover extolling the virtues of the Exam Cram series, none specifically mention this book. Bound into the inside front cover is a cram sheet, with 50 points on it that are obviously supposed to be vitally important to the exam. Leaving aside both the simplistic nature of the information presented, and the difficulty of answering a 250 question exam with a mere 50 points, we only have to get to the third point on the sheet before we run into rather significant errors. (Role-based access control is not an alternative to discretionary or mandatory controls, but can implement either.) This does not bode well. The introduction explains the CISSP (Certified Information Systems Security Professional) designation. The text makes frequent references to the (ISC)^2 web site, but, since the recent site redesign, all these URLs are incorrect. There is also a short self- assessment section, intended to help you determine whether or not you are prepared for the exam, but the vague and generic metrics suggested are unlikely to help determine your readiness. Chapter one's discussion of the exam, and techniques for writing the exam, does contain some useful recommendations (if you don't know, answer anyway), but other advice is problematic, and may be detrimental. Access control, in chapter two, is the first of the ten domains of the Common Body of Knowledge (CBK) of the CISSP. The material is presented as a list of key terms and phrases, and the presentation might be helpful to the exam candidate were it not for the extremely limited nature of the deliberation and frequent errors. For some reason a significant amount of space is given to topics (like SYN floods) that do not belong in this domain. There is a brief list of questions at the end of the chapter, with answers and discussion presented immediately afterward. Unfortunately, these questions are so simplistic that they cannot be said to represent, in any way, the exam itself, and the wording is so careless that it is often impossible to say whether the answers given are, in fact, right or wrong. Chapter three provides an almost random assortment of topics related to telecommunications and networking. (There is a modicum of structure in that subjects are grouped together, but there is no logical flow: IPsec is discussed before the base IP concepts are covered.) There are many problems with the material: it is difficult to say whether the definition of a "circuit gateway" firewall means anything, let alone is right or wrong, and we are told that SSL (Secure Sockets Layer) is only used for host-to-host communications and resides in the session layer. (The book contradicts itself: chapter six does note that SSL is used between client browser and web server.) Again, many irrelevant topics are included while important areas are missed. (PPP (Point-to-Point Protocol) is listed, PPTP (Point-to-Point Tunnelling Protocol) is not.) Security management practices are not covered in chapter four: the vital areas of policies and risk analysis are given brief mention at the end of a meandering and incomplete list of management concerns. Another haphazard catalogue of terms takes the place of the applications development domain in chapter five. (The definition of a virus is that of a trojan and the definition for a worm seems to fit payload.) That the author is unfamiliar with basic concepts of cryptography is obvious when, in chapter six, "strong encryption" is defined as the use of a 128-bit key. (In the discussion of triple DES (Data Encryption Standard), the "meet-in-the-middle" attack is obviously confused with "man-in-the-middle.") Chapter seven's review of security architectures contains another arbitrary list of computer architecture topics. There is some material that is security related, but in the discussion of the Bell-La Padula model, about the only reliable information is that it involves security levels. Operations security is fairly straightforward, so chapter eight doesn't make any glaring errors. (The content is, however, very terse.) Much the same holds true for business continuity and disaster recovery in chapter nine. Aside from an over-emphasis on US legislation, chapter ten does not do a really bad job with law, investigation, and ethics. Chapter eleven collates some checklists related to physical security, but has numerous gaps in the discussion of the overall topic. About the best that can be said for this book is that most of the items in the common body of knowledge get a mention at some point. Beyond that, the material is too scattered and unreliable to be used either to study for the CISSP exam (unless you want to play "spot the error"), or even as a quick guide for those charged with security. copyright Robert M. Slade, 2002 BKCISPEC.RVW 20020321