BKSCRTPG.RVW 20030320

"Security+ Prep Guide", Ronald L. Krutz/Russell Dean Vines, 2003, 0-7645-2599-9, U$60.00/C$90.99/UK#39.95
%A Ronald L. Krutz
%A Russell Dean Vines
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2003
%G 0-7645-2599-9
%I John Wiley & Sons, Inc.
%O U$60.00/C$90.99/UK#39.95 416-236-4433 fax: 416-236-4448
%O http://www.amazon.com/exec/obidos/ASIN/0764525999/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0764525999/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0764525999/robsladesin03-20
%P 456 p. + CD-ROM
%T "Security+ Prep Guide"

The introduction is a quick outline of the Security+ domains and exam structure.

Chapter one, covering the general security concepts, has parts that are better than the other Security+ guides, possibly due to Krutz' and Vines' familiarity with the CISSP (Certified Information Systems Security Professional) material. However, there are also oddities, such as a purported "Discretionary Security Property" of the Bell-LaPadula model (might this be an idiosyncratic renaming of the later tranquility property?) and an alleged "Axiom Three" of the Biba model. In terms of the Clark-Wilson model, most of the space is devoted to defining unneeded terms, and the three vital concepts are dismissed in a single sentence. Kerberos is described well, but perhaps with an excess of symbolic logic. The list of attacks mixes types, and the virus explanation uses dated concepts. The sample questions given at the end of the chapter (and domain) are less simplistic than other sets, but, ironically, may go too far in the other direction. Experienced security professionals will be able to understand the intent behind the answers (when looking at the answers and explanations in Appendix A), but the careless wording will make the questions unclear and confusing to novices (which, more or less by definition, Security+ candidates are).

Chapter two deals with the communications security domain. Again, there are some problems, such as a confusion of authentication protocols with those of VPNs (Virtual Private Networks) and an odd emphasis on a possible exploit based on the DOS "8.3" naming convention. The material is piecemeal and without a logical structure (the Perl programming language is discussed next to SMTP [Simple Mail Transfer Protocol]). There is a confusion of the Java and JavaScript languages (although they are later distinguished). The pages of screen shots for AirMagnet and NetStumbler don't seem to have any purpose or value.

The infrastructure material, in chapter three, covers more telecommunications. (DSSS [Direct Sequence Spread Spectrum] is not explained well.) Strangely, the sample questions ask about RAID (Redundant Array of Inexpensive/Independent Disks), which is not covered until domain five.

Chapter four covers cryptography basics reasonably, but the depth is uneven.

Operational and organizational security is a bit of a grab bag of a domain, and that is amply reflected in the otherwise decent material in chapter five.

Despite the problems, overall I would have to recommend Krutz' and Vines' entry into the Security+ field over Trevor Kay's "Mike Meyers' Security+ Certification Passport" (cf. BKMMSCRP.RVW), the "Security+ Study Guide and DVD Training System" (cf. BKSCRTYP.RVW), or "Security+ Certification for Dummies" (cf. BKSCRTPD.RVW).

copyright Robert M. Slade, 2003