Re: REVIEW: "Security+ Study Guide and DVD Training System", Michael Cross et al
From: athegates (athegates@gate.com)
Date: 02/18/03
- Next message: phn@icke-reklam.ipsec.nu: "Re: Secure DLL"
- Previous message: Michael: "List of known bad-boys?"
- In reply to: Rob Slade, doting grandpa of Ryan and Trevor: "REVIEW: "Security+ Study Guide and DVD Training System", Michael Cross et al"
- Next in thread: Lik Mai Sak: "Re: REVIEW: "Security+ Study Guide and DVD Training System", Michael Cross et al"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "athegates" <athegates@gate.com> Date: Tue, 18 Feb 2003 20:06:37 GMT
I have not read the book because I took the beta test and studied from other
sources. The idea behind Security+ is not to compete with CISSP or higher
level certs; it was to give the person with hardware and network
certifications and real experience a starting place.
I get this from being a subject matter expert for CompTIA for certain
aspects of security, and once again Security+ is not to compete with any
existing certs. Also, if you go to their site, the pass % required was higher
than most of their other certs, last time I looked (about 2 months ago).
Just my opinion.
"Rob Slade, doting grandpa of Ryan and Trevor" <rslade@sprint.ca> wrote in
message news:axs4a.4619$Wy1.35500@newscontent-01.sprint.ca...
> BKSCRTYP.RVW 20030206
>
> "Security+ Study Guide and DVD Training System", Michael Cross et al,
> 2002, 1-931836-72-8, U$59.95/C$92.95
> %A Michael Cross
> %A Norris L. Johnson
> %A Tony Piltzecker
> %C 800 Hingham Street, Rockland, MA 02370
> %D 2002
> %G 1-931836-72-8
> %I Syngress Media, Inc.
> %O U$59.95/C$92.95 781-681-5151 fax: 781-681-3585 amy@syngress.com
> %O http://www.amazon.com/exec/obidos/ASIN/1931836728/robsladesinterne
> http://www.amazon.co.uk/exec/obidos/ASIN/1931836728/robsladesinte-21
> %O http://www.amazon.ca/exec/obidos/ASIN/1931836728/robsladesin03-20
> %P 823 p. + DVD
> %T "Security+ Study Guide and DVD Training System"
>
> The book admits that the Security+ certification from CompTIA
> (Computing Technology Industry Association) is, in comparison to the
> CISSP (Certified Information Systems Security Professional), an entry
> level designation. At the same time, Security+ has obviously been
> influenced by the CISSP. There are five "domains": general security
> concepts, communications, infrastructure, cryptography, and
> organizational security. (The book extends this a ways: in the same
> way that the CISSP has a triad (CIA, confidentiality, integrity, and
> availability) the general concepts domain has a triad: access control,
> authentication, and auditing.) Those who have experience in security
> can, I trust, already see some of the potential gaps in coverage.
>
> At the same time, I do not hold the Security+ designation, and
> therefore find it difficult to determine whether faults lie with the
> certification itself, or this book in particular.
>
> Domain one, as noted, deals with general concepts. Chapter one
> essentially discusses a variety of elements of access control, but
> does not do a good job on the concepts. There is, for example, little
> mention of either identification or authorization as separate ideas,
> and those mentions are confusing at best. The level of coverage
> varies greatly: I admire the elegance of Kerberos but it is hard to
> see that it rates more than three pages of explanation (while still
> managing not to explain that it uses symmetric encryption without ever
> sending keys in the clear over the net) when biometrics is dismissed
> in a single paragraph. Security+ is supposed to be vendor-neutral,
> but the book makes extensive reference (including pages of screen
> shots) to Microsoft products. The sample questions are intriguing.
> Despite attempts to make the questions seem to be complex (usually by
> burying the central point in a mass of verbiage), the answers really
> only turn on knowing the definitions of terms. However, the text of
> the book is not always clear in regard to definitions, and frequently
> uses either non-standard terms, or expressions used in non-standard
> ways. Authentication is often used in a context where authorization
> would be more appropriate, and auditing seems to be confused with
> accountability. A conglomeration of attacks is listed in chapter
> two, without much in the way of a framework in which to analyze or
> understand them.
>
> Domain two concerns communications. Chapter three enumerates a number
> of technologies related to remote access and email, again without much
> in the way of structure. The material on wireless networking and
> security demonstrates a profound lack of understanding of the
> cryptographic concepts necessary for discussing the weaknesses in WEP
> (Wired Equivalent Privacy). Pages of narrative mention relevant
> papers and the dates on which they were published, but the fundamental
> issues are buried in spurious and erroneous text. RC4 is faulted for
> being a known algorithm (Kerckhoff's Law, a foundational tenet in
> cryptography, states that the security of an algorithm cannot rely on
> it remaining unknown), DES is said to be superior to stream ciphers
> because it uses mathematical functions rather than XOR (the logical
> exclusive OR operation). (DES uses substitution and transposition
> rather than math functions, and has stream modes which use XOR.) Some
> of the confusion is more basic: one paragraph makes a big deal of the
> fact that a 104 bit key has 26 hexadecimal digits (since hexadecimal
> representation translates four bits per digit that is simple
> arithmetic) and explains hexadecimal representation (sixteen possible
> digits, usually written 0 - F) as "0 through 9, a through f, or A
> through F." There is a compilation of web exploits in chapter five,
> which is, if possible, even more Microsoft-centric than prior
> material.
>
> Domain three deals with infrastructure. Chapter six lists security
> considerations with devices (a variety of hardware, mostly network
> components) and media (mostly network cabling). Network topologies
> and intrusion detection are discussed in chapter seven. Most of the
> advice about system hardening, in chapter eight, concerns the
> application of patches.
>
> Cryptography is reviewed in domain four. Chapter nine, entitled
> "Basics of Cryptography," lists the names of the most common
> algorithms, and a few broad concepts, but doesn't get into inner
> workings. The ingredients of a public key infrastructure are outlined
> in chapter ten.
>
> Domain five covers "operational and organization security." Incident
> response, in chapter eleven, contains a poor overview of physical
> security, a not quite as bad look at data recovery for investigations,
> and, oddly, some material on risk analysis. Chapter twelve,
> ostensibly about policies and disaster recovery, contains a grab bag
> of management topics.
>
> There is an appendix giving slightly more detailed answers to the
> sample questions: these don't clear up much of the confusion
> surrounding some questions. There is also a DVD with training video
> material. The video material appears to be an amateurishly shot
> "talking head" outline (very terse overview) of the material in the
> chapters.
>
> Probably most of those who would want to buy this book are solely
> concerned with whether or not it will help them pass the Security+
> exam, and, as noted previously, I can't speak to that. A review of
> the CompTIA Security+ objectives does show where some of the
> randomness in structure comes from, although the authors did not have
> to blindly follow the list in organizing the book. It is also true
> that the objectives don't give a lot of direction in terms of how much
> candidates need to know about particular topics. On the other hand,
> the list would not have prevented the authors from adding material
> that would have provided better explanations of the major points. I
> will say that, if this book can help you pass the exam, the value of
> the Security+ designation has to be questioned. A great deal of book
> space is devoted to screenshots and operating descriptions of programs
> and utilities which may already be irrelevant and which, in any case,
> do little to explain broader security concepts. In terms of the
> quality of information, this work ranks with the great mass of
> attempted (and, basically, failed) general low level security guides.
>
> copyright, Robert M. Slade, 2003 BKSCRTYP.RVW 20030206
>
> --
> ======================
> rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
> Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
> Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
> March 31, 2003 Indianapolis, IN
>