Information Security News mailing list archives

REVIEW: "Mike Meyers' Security+ Certification Passport", Trevor Kay


From: InfoSec News <isn () c4i org>
Date: Fri, 21 Feb 2003 04:54:06 -0600 (CST)

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>

BKMMSCRP.RVW   20030207

"Mike Meyers' Security+ Certification Passport", Trevor Kay, 2003,
0-07-222741-9, U$29.99/C$44.95
%A   Trevor Kay trevor () trevorkay com
%C   300 Water Street, Whitby, Ontario   L1N 9B6
%D   2003
%G   0-07-222741-9
%I   McGraw-Hill Ryerson/Osborne
%O   U$29.99/C$44.95 800-565-5758 fax: 905-430-5020
%O  http://www.amazon.com/exec/obidos/ASIN/0072227419/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0072227419/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0072227419/robsladesin03-20
%P   363 + CD-ROM
%T   "Mike Meyers' Security+ Certification Passport"

Given the organization of the Security+ objectives, part one covers
general security concepts and chapter one is on access control.  Some
factors are dismissed a little bit too concisely: it is difficult to
justify the blanket statement that biometric authentication is
"extremely accurate and secure."  (Biometrics does get a bit more
explanation in the chapter on physical security, but there is no
indication of that in this location.)  For the first set of sample
questions, the emphasis is on simple definitions and fact recitation,
but later questions do become somewhat more complex.  A variety of
attacks are described in chapter two, generally reasonably.  The virus
material is unfortunately poor, concentrating on older viral
technologies (such as the almost extinct boot sector viruses and older
DOS precedence-based companions) and failing to provide proper
outlines of the basic antivirus technologies.

Part two looks at communications security.  Chapter three deals with
remote access, but the content has limited application to security. 
Technologies related to Internet application security are reviewed in
chapter four.  The highlights are touched on, but the lack of detail
can be troubling.  Cookies are discussed, with some mention of
privacy, but the potential problem of cross-site tracking is not dealt
with at all, and neither is the danger of HTML (HyperText Markup
Language) formatted messages when the topic turns to email.  The
material on wireless networking and security, in chapter five, is very
weak.  The explanation of direct-sequence spread spectrum is not clear
at all, a mention of SSL (Secure Sockets Layer) makes no reference to
the description in the previous chapter (and almost contradicts it),
and security itself gets short shrift in the haste to trot out the
alphabet soup of related technologies.

Part three deals with infrastructure security.  Chapter six runs
through a list of networking components, cabling, and storage media,
again with limited allusion to security.  Network topologies and
intrusion detection systems are discussed in chapter seven.  System
hardening, generally by applying patches and disabling functions, is
reviewed in chapter eight.

Cryptography is in part four.  Most of the basic content in chapter
nine is sensible, but it is clear from the paragraphs on double- and
triple-DES (Data Encryption Standard) that the author does not fully
understand the subject.  Chapter ten reviews key management, but it is
not clear why the topic was separated from that of PKI (Public Key
Infrastructure).

Part five deals with operational and organizational security. 
Physical security, in chapter eleven, is covered fairly well. 
Disaster recovery is confined to backups and fault tolerance: chapter
twelve supports Kenneth Myers' contention (cf. BKMGTCPD.RVW) that most
people concentrate on recovering technology rather than the business,
and would be improved by a broader view that incorporated all aspects
of the operation.  Chapter thirteen lists some areas that should be
covered in a security policy.  Forensics is dealt with poorly, and
chapter fourteen also throws in education and training.

While the book still adheres, rather slavishly, to the arbitrary
structure of the Security+ list of objectives, the content is
generally pretty reasonable, providing background explanations for
important concepts, and keeping the descriptions of many of the
specific technologies limited to the fundamental ideas.  The text does
tend to be terse, given the size of the book, but most basic material
should be available to the student.  This does vary by chapter: some
seem to be merely going through the motions.  The work could be
improved with some removal of duplicated material.  For example, there
are three separate discussions of social engineering, and two could be
replaced with cross-references.  Despite its smaller size, I would
recommend this volume over the Syngress "Security+ Study Guide and DVD
Training System" (cf. BKSCRTYP.RVW), but not emphatically.

copyright, Robert M. Slade, 2003   BKMMSCRP.RVW   20030207

-- 
======================
rslade () vcn bc ca  rslade () sprint ca  slade () victoria tc ca p1 () canada com
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
          March 31, 2003           Indianapolis, IN


