BKGSECPG.RVW 20030918 "The GSEC Prep Guide", Mike Chapple, 2003, 0-7645-3932-9, U$60.00/C$90.99/UK#41.95 %A Mike Chapple %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2003 %G 0-7645-3932-9 %I John Wiley & Sons, Inc. %O U$60.00/C$90.99/UK#41.95 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/0764539329/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0764539329/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0764539329/robsladesin03-20 %P 448 p. + CD-ROM %T "The GSEC Prep Guide: Mastering SANS GIAC Security Essentials" The SANS (System administrators, Audit, Network, Security) Institute GIAC (Global Information Assurance Certification) Security Essentials Certification (GSEC) is supposed to be the "core" program for the various GIAC courses and exams. Chapter one covers some basic, but random, security concepts and topics. A list of sample questions, intended to help the student/candidate prepare for the GSEC exam, is given at the end of every chapter. If these truly represent the level and type of questions on the exam then getting the GSEC is a snap: quick, which type of situation is worse, one that has low threat and low vulnerability or high threat and high vulnerability? (On the other hand, you may have to know the party line: one question insists that you credit SANS with the concept of defence in depth, and there is a concept of "separation of privilege" that seems to be what everyone else refers to as separation of duties.) Security policies are discussed in a verbose but almost "content-free" manner in chapter two. Virtually nothing is said about the policy process and different functional types of policies. Again, there is a demand for idiosyncratic jargon: high level policies are "program" policies, whereas detailed policies (mostly procedural, given the list discussed) are "issue-specific." One term that might be worth adopting is "system-specific policy": those who deal with policies know that it is difficult to have exceptions documented. Using this term for deviations, as SANS does, may reduce the resistance to noting the irregularities. There are some basic ideas about risk assessment and management in chapter three, but most of the text reviews network scanning tools. Chapter four contains network nomenclature, Cisco equipment filtering command arguments, and miscellaneous IP (Internet Protocol) protocols in varying depth. There are a brief list of the titular "Incident Handling" factors contained in chapter five, as well as random legal terms. The discussion of cryptography in chapter six is reasonable up to the point of symmetric block ciphers, but subsequent material has errors (keystream data should *not* repeat during the course of a message), confusing diagrams, and unhelpful mathematics. There is no deliberation about the usage of public key cryptography, hashes, and digests until chapter seven, which, despite the title, has absolutely nothing to say about "Applications Security." Chapter eight provides a simple overview of firewalls and intrusion detection systems (IDSs) but is not overly detailed: no distinction is made between application and circuit-level proxies, and some of the statements made are clearly incorrect for circuit devices. There is a grab bag of malware, cryptanalysis, attack methods and more in chapter nine. The content on operations security is limited to assorted aspects and tools of Windows and UNIX that might be related to secure processing, in chapters ten and eleven respectively. Chapter twelve is a practice exam. It's pretty easy. The GSEC is sometimes said to be adequate preparation for the CISSP (Certified Information Systems Security Professional) exam, but there are significant gaps in GSEC's coverage of the security topic. Although risk assessment and policy are discussed, management issues and access controls get limited substance in GSEC. Security architecture, applications security, physical security, and business continuity are all missing, while operations are restricted to Windows and UNIX. This book does provide some useful direction in regard to information systems security, but readers should be warned that the missing pieces will probably be very important at some point. copyright Robert M. Slade, 2003 BKGSECPG.RVW 20030918