Re: REVIEW: "Security+ Study Guide and DVD Training System", Michael Cross et al

From: athegates (athegates@gate.com)
Date: 02/18/03


From: "athegates" <athegates@gate.com>
Date: Tue, 18 Feb 2003 20:06:37 GMT

I have not read the book because I took the beta test and studied from other
sources. The idea behind Security+ is not to compete with CISSP or higher
level certs; it was to give the person with hardware and network
certifications and real experience a starting place.

I get this from being a subject matter expert for CompTIA for certain
aspects of security, and once again Security+ is not to compete with any
existing certs. Also, if you go to their site, the pass % required was higher
than most of their other certs, last time I looked (about 2 months ago).
Just my opinion.

"Rob Slade, doting grandpa of Ryan and Trevor" <rslade@sprint.ca> wrote in
message news:axs4a.4619$Wy1.35500@newscontent-01.sprint.ca...
> BKSCRTYP.RVW 20030206
>
> "Security+ Study Guide and DVD Training System", Michael Cross et al,
> 2002, 1-931836-72-8, U$59.95/C$92.95
> %A Michael Cross
> %A Norris L. Johnson
> %A Tony Piltzecker
> %C 800 Hingham Street, Rockland, MA 02370
> %D 2002
> %G 1-931836-72-8
> %I Syngress Media, Inc.
> %O U$59.95/C$92.95 781-681-5151 fax: 781-681-3585 amy@syngress.com
> %O http://www.amazon.com/exec/obidos/ASIN/1931836728/robsladesinterne
> http://www.amazon.co.uk/exec/obidos/ASIN/1931836728/robsladesinte-21
> %O http://www.amazon.ca/exec/obidos/ASIN/1931836728/robsladesin03-20
> %P 823 p. + DVD
> %T "Security+ Study Guide and DVD Training System"
>
> The book admits that the Security+ certification from CompTIA
> (Computing Technology Industry Association) is, in comparison to the
> CISSP (Certified Information Systems Security Professional), an entry
> level designation. At the same time, Security+ has obviously been
> influenced by the CISSP. There are five "domains": general security
> concepts, communications, infrastructure, cryptography, and
> organizational security. (The book extends this a ways: in the same
> way that the CISSP has a triad (CIA, confidentiality, integrity, and
> availability) the general concepts domain has a triad: access control,
> authentication, and auditing.) Those who have experience in security
> can, I trust, already see some of the potential gaps in coverage.
>
> At the same time, I do not hold the Security+ designation, and
> therefore find it difficult to determine whether faults lie with the
> certification itself, or this book in particular.
>
> Domain one, as noted, deals with general concepts. Chapter one
> essentially discusses a variety of elements of access control, but
> does not do a good job on the concepts. There is, for example, little
> mention of either identification or authorization as separate ideas,
> and those mentions are confusing at best. The level of coverage
> varies greatly: I admire the elegance of Kerberos but it is hard to
> see that it rates more than three pages of explanation (while still
> managing not to explain that it uses symmetric encryption without ever
> sending keys in the clear over the net) when biometrics is dismissed
> in a single paragraph. Security+ is supposed to be vendor-neutral,
> but the book makes extensive reference (including pages of screen
> shots) to Microsoft products. The sample questions are intriguing.
> Despite attempts to make the questions seem to be complex (usually by
> burying the central point in a mass of verbiage), the answers really
> only turn on knowing the definitions of terms. However, the text of
> the book is not always clear in regard to definitions, and frequently
> uses either non-standard terms, or expressions used in non-standard
> ways. Authentication is often used in a context where authorization
> would be more appropriate, and auditing seems to be confused with
> accountability. A conglomeration of attacks is listed in chapter
> two, without much in the way of a framework in which to analyze or
> understand them.
>
> Domain two concerns communications. Chapter three enumerates a number
> of technologies related to remote access and email, again without much
> in the way of structure. The material on wireless networking and
> security demonstrates a profound lack of understanding of the
> cryptographic concepts necessary for discussing the weaknesses in WEP
> (Wired Equivalent Privacy). Pages of narrative mention relevant
> papers and the dates on which they were published, but the fundamental
> issues are buried in spurious and erroneous text. RC4 is faulted for
> being a known algorithm (Kerckhoff's Law, a foundational tenet in
> cryptography, states that the security of an algorithm cannot rely on
> it remaining unknown), DES is said to be superior to stream ciphers
> because it uses mathematical functions rather than XOR (the logical
> exclusive OR operation). (DES uses substitution and transposition
> rather than math functions, and has stream modes which use XOR.) Some
> of the confusion is more basic: one paragraph makes a big deal of the
> fact that a 104 bit key has 26 hexadecimal digits (since hexadecimal
> representation translates four bits per digit that is simple
> arithmetic) and explains hexadecimal representation (sixteen possible
> digits, usually written 0 - F) as "0 through 9, a through f, or A
> through F." There is a compilation of web exploits in chapter five,
> which is, if possible, even more Microsoft-centric than prior
> material.
>
> Domain three deals with infrastructure. Chapter six lists security
> considerations with devices (a variety of hardware, mostly network
> components) and media (mostly network cabling). Network topologies
> and intrusion detection are discussed in chapter seven. Most of the
> advice about system hardening, in chapter eight, concerns the
> application of patches.
>
> Cryptography is reviewed in domain four. Chapter nine, entitled
> "Basics of Cryptography," lists the names of the most common
> algorithms, and a few broad concepts, but doesn't get into inner
> workings. The ingredients of a public key infrastructure are outlined
> in chapter ten.
>
> Domain five covers "operational and organization security." Incident
> response, in chapter eleven, contains a poor overview of physical
> security, a not quite as bad look at data recovery for investigations,
> and, oddly, some material on risk analysis. Chapter twelve,
> ostensibly about policies and disaster recovery, contains a grab bag
> of management topics.
>
> There is an appendix giving slightly more detailed answers to the
> sample questions: these don't clear up much of the confusion
> surrounding some questions. There is also a DVD with training video
> material. The video material appears to be an amateurishly shot
> "talking head" outline (very terse overview) of the material in the
> chapters.
>
> Probably most of those who would want to buy this book are solely
> concerned with whether or not it will help them pass the Security+
> exam, and, as noted previously, I can't speak to that. A review of
> the CompTIA Security+ objectives does show where some of the
> randomness in structure comes from, although the authors did not have
> to blindly follow the list in organizing the book. It is also true
> that the objectives don't give a lot of direction in terms of how much
> candidates need to know about particular topics. On the other hand,
> the list would not have prevented the authors from adding material
> that would have provided better explanations of the major points. I
> will say that, if this book can help you pass the exam, the value of
> the Security+ designation has to be questioned. A great deal of book
> space is devoted to screenshots and operating descriptions of programs
> and utilities which may already be irrelevant and which, in any case,
> do little to explain broader security concepts. In terms of the
> quality of information, this work ranks with the great mass of
> attempted (and, basically, failed) general low level security guides.
>
> copyright, Robert M. Slade, 2003 BKSCRTYP.RVW 20030206
>
> --
> ======================
> rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
> Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
> Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
> March 31, 2003 Indianapolis, IN
>