Information Security News mailing list archives

REVIEW: "Security+ Study Guide and DVD Training System", Michael Cross et al


From: InfoSec News <isn () c4i org>
Date: Wed, 19 Feb 2003 01:59:13 -0600 (CST)

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>

BKSCRTYP.RVW   20030206

"Security+ Study Guide and DVD Training System", Michael Cross et al,
2002, 1-931836-72-8, U$59.95/C$92.95
%A   Michael Cross
%A   Norris L. Johnson
%A   Tony Piltzecker
%C   800 Hingham Street, Rockland, MA   02370
%D   2002
%G   1-931836-72-8
%I   Syngress Media, Inc.
%O   U$59.95/C$92.95 781-681-5151 fax: 781-681-3585 amy () syngress com
%O  http://www.amazon.com/exec/obidos/ASIN/1931836728/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1931836728/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1931836728/robsladesin03-20
%P   823 p. + DVD
%T   "Security+ Study Guide and DVD Training System"

The book admits that the Security+ certification from CompTIA
(Computing Technology Industry Association) is, in comparison to the
CISSP (Certified Information Systems Security Professional), an entry
level designation.  At the same time, Security+ has obviously been
influenced by the CISSP.  There are five "domains": general security
concepts, communications, infrastructure, cryptography, and
organizational security.  (The book extends this a ways: in the same
way that the CISSP has a triad (CIA, confidentiality, integrity, and
availability) the general concepts domain has a triad: access control,
authentication, and auditing.)  Those who have experience in security
can, I trust, already see some of the potential gaps in coverage.

At the same time, I do not hold the Security+ designation, and
therefore find it difficult to determine whether faults lie with the
certification itself, or this book in particular.

Domain one, as noted, deals with general concepts.  Chapter one
essentially discusses a variety of elements of access control, but
does not do a good job on the concepts.  There is, for example, little
mention of either identification or authorization as separate ideas,
and those mentions are confusing at best.  The level of coverage
varies greatly: I admire the elegance of Kerberos but it is hard to
see that it rates more than three pages of explanation (while still
managing not to explain that it uses symmetric encryption without ever
sending keys in the clear over the net) when biometrics is dismissed
in a single paragraph.  Security+ is supposed to be vendor-neutral,
but the book makes extensive reference (including pages of screen
shots) to Microsoft products.  The sample questions are intriguing. 
Despite attempts to make the questions seem to be complex (usually by
burying the central point in a mass of verbiage), the answers really
only turn on knowing the definitions of terms.  However, the text of
the book is not always clear in regard to definitions, and frequently
uses either non-standard terms, or expressions used in non-standard
ways.  Authentication is often used in a context where authorization
would be more appropriate, and auditing seems to be confused with
accountability.  A conglomeration of attacks is listed in chapter
two, without much in the way of a framework in which to analyze or
understand them.

Domain two concerns communications.  Chapter three enumerates a number
of technologies related to remote access and email, again without much
in the way of structure.  The material on wireless networking and
security demonstrates a profound lack of understanding of the
cryptographic concepts necessary for discussing the weaknesses in WEP
(Wired Equivalent Privacy).  Pages of narrative mention relevant
papers and the dates on which they were published, but the fundamental
issues are buried in spurious and erroneous text.  RC4 is faulted for
being a known algorithm (Kerckhoffs' Law, a foundational tenet in
cryptography, states that the security of an algorithm cannot rely on
it remaining unknown), DES is said to be superior to stream ciphers
because it uses mathematical functions rather than XOR (the logical
exclusive OR operation).  (DES uses substitution and transposition
rather than math functions, and has stream modes which use XOR.)  Some
of the confusion is more basic: one paragraph makes a big deal of the
fact that a 104 bit key has 26 hexadecimal digits (since hexadecimal
representation translates four bits per digit that is simple
arithmetic) and explains hexadecimal representation (sixteen possible
digits, usually written 0 - F) as "0 through 9, a through f, or A
through F."  There is a compilation of web exploits in chapter five,
which is, if possible, even more Microsoft-centric than prior
material.

Domain three deals with infrastructure.  Chapter six lists security
considerations with devices (a variety of hardware, mostly network
components) and media (mostly network cabling).  Network topologies
and intrusion detection are discussed in chapter seven.  Most of the
advice about system hardening, in chapter eight, concerns the
application of patches.

Cryptography is reviewed in domain four.  Chapter nine, entitled
"Basics of Cryptography," lists the names of the most common
algorithms, and a few broad concepts, but doesn't get into inner
workings.  The ingredients of a public key infrastructure are outlined
in chapter ten.

Domain five covers "operational and organization security."  Incident
response, in chapter eleven, contains a poor overview of physical
security, a not quite as bad look at data recovery for investigations,
and, oddly, some material on risk analysis.  Chapter twelve,
ostensibly about policies and disaster recovery, contains a grab bag
of management topics.

There is an appendix giving slightly more detailed answers to the
sample questions: these don't clear up much of the confusion
surrounding some questions.  There is also a DVD with training video
material.  The video material appears to be an amateurishly shot
"talking head" outline (very terse overview) of the material in the
chapters.

Probably most of those who would want to buy this book are solely
concerned with whether or not it will help them pass the Security+
exam, and, as noted previously, I can't speak to that.  A review of
the CompTIA Security+ objectives does show where some of the
randomness in structure comes from, although the authors did not have
to blindly follow the list in organizing the book.  It is also true
that the objectives don't give a lot of direction in terms of how much
candidates need to know about particular topics.  On the other hand,
the list would not have prevented the authors from adding material
that would have provided better explanations of the major points.  I
will say that, if this book can help you pass the exam, the value of
the Security+ designation has to be questioned.  A great deal of book
space is devoted to screenshots and operating descriptions of programs
and utilities which may already be irrelevant and which, in any case,
do little to explain broader security concepts.  In terms of the
quality of information, this work ranks with the great mass of
attempted (and, basically, failed) general low level security guides.

copyright, Robert M. Slade, 2003   BKSCRTYP.RVW   20030206

-- 
======================
rslade () vcn bc ca  rslade () sprint ca  slade () victoria tc ca p1 () canada com
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
          March 31, 2003           Indianapolis, IN


