BKSCRTYP.RVW   20030206

"Security+ Study Guide and DVD Training System", Michael Cross et al, 2002, 1-931836-72-8, U$59.95/C$92.95
%A   Michael Cross
%A   Norris L. Johnson
%A   Tony Piltzecker
%C   800 Hingham Street, Rockland, MA 02370
%D   2002
%G   1-931836-72-8
%I   Syngress Media, Inc.
%O   U$59.95/C$92.95 781-681-5151 fax: 781-681-3585 amy@syngress.com
%O   http://www.amazon.com/exec/obidos/ASIN/1931836728/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/1931836728/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1931836728/robsladesin03-20
%P   823 p. + DVD
%T   "Security+ Study Guide and DVD Training System"

The book admits that the Security+ certification from CompTIA (Computing Technology Industry Association) is, in comparison to the CISSP (Certified Information Systems Security Professional), an entry level designation. At the same time, Security+ has obviously been influenced by the CISSP. There are five "domains": general security concepts, communications, infrastructure, cryptography, and organizational security. (The book extends this a little: in the same way that the CISSP has a triad (CIA: confidentiality, integrity, and availability), the general concepts domain has a triad: access control, authentication, and auditing.) Those who have experience in security can, I trust, already see some of the potential gaps in coverage. At the same time, I do not hold the Security+ designation, and therefore find it difficult to determine whether faults lie with the certification itself, or with this book in particular.

Domain one, as noted, deals with general concepts. Chapter one essentially discusses a variety of elements of access control, but does not do a good job on the concepts. There is, for example, little mention of either identification or authorization as separate ideas, and those mentions are confusing at best.
The level of coverage varies greatly: I admire the elegance of Kerberos, but it is hard to see that it rates more than three pages of explanation (while still managing not to explain that it uses symmetric encryption without ever sending keys in the clear over the net) when biometrics is dismissed in a single paragraph. Security+ is supposed to be vendor-neutral, but the book makes extensive reference (including pages of screen shots) to Microsoft products.

The sample questions are intriguing. Despite attempts to make the questions seem complex (usually by burying the central point in a mass of verbiage), the answers really only turn on knowing the definitions of terms. However, the text of the book is not always clear in regard to definitions, and frequently uses either non-standard terms, or standard expressions in non-standard ways. Authentication is often used in a context where authorization would be more appropriate, and auditing seems to be confused with accountability. A conglomeration of attacks is listed in chapter two, without much in the way of a framework in which to analyze or understand them.

Domain two concerns communications. Chapter three enumerates a number of technologies related to remote access and email, again without much in the way of structure. The material on wireless networking and security demonstrates a profound lack of understanding of the cryptographic concepts necessary for discussing the weaknesses in WEP (Wired Equivalent Privacy). Pages of narrative mention relevant papers and the dates on which they were published, but the fundamental issues are buried in spurious and erroneous text. RC4 is faulted for being a known algorithm (Kerckhoffs' principle, a foundational tenet of cryptography, states that the security of a cipher cannot rely on the algorithm remaining secret; only the key may be secret), and DES is said to be superior to stream ciphers because it uses mathematical functions rather than XOR (the logical exclusive OR operation).
(DES uses substitution and transposition rather than math functions, and has stream modes which use XOR.) Some of the confusion is more basic: one paragraph makes a big deal of the fact that a 104 bit key has 26 hexadecimal digits (since each hexadecimal digit represents four bits, that is simple arithmetic), and explains hexadecimal representation (sixteen possible digits, usually written 0 - F) as "0 through 9, a through f, or A through F." There is a compilation of web exploits in chapter five, which is, if possible, even more Microsoft-centric than the prior material.

Domain three deals with infrastructure. Chapter six lists security considerations for devices (a variety of hardware, mostly network components) and media (mostly network cabling). Network topologies and intrusion detection are discussed in chapter seven. Most of the advice about system hardening, in chapter eight, concerns the application of patches.

Cryptography is reviewed in domain four. Chapter nine, entitled "Basics of Cryptography," lists the names of the most common algorithms, and a few broad concepts, but doesn't get into inner workings. The ingredients of a public key infrastructure are outlined in chapter ten.

Domain five covers "operational and organization security." Incident response, in chapter eleven, contains a poor overview of physical security, a not quite as bad look at data recovery for investigations, and, oddly, some material on risk analysis. Chapter twelve, ostensibly about policies and disaster recovery, contains a grab bag of management topics.

There is an appendix giving slightly more detailed answers to the sample questions: these don't clear up much of the confusion surrounding some questions. There is also a DVD with training video material. The video material appears to be an amateurishly shot "talking head" outline (a very terse overview) of the material in the chapters.
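Returning to the cryptographic corrections made above (a block cipher such as DES has stream modes that are nothing but XOR, a publicly known algorithm is not a weakness so long as the key is secret, and a 104 bit key is 26 hexadecimal digits), the following is an added example and not code from the book or from this review. It assumes HMAC-SHA256 as a stand-in for the block cipher, since the Python standard library ships neither DES nor AES; everything else (the counter-mode keystream, the XOR, the sample key and message) is constructed for the illustration.

```python
import hashlib
import hmac

BLOCK_BYTES = 16  # keystream bytes produced per counter block


def block_prf(key: bytes, counter_block: bytes) -> bytes:
    """Stand-in for one block-cipher encryption E_k(counter_block).

    Assumption: HMAC-SHA256 truncated to 16 bytes plays the role of the
    block cipher; DES or AES would sit here in a real CTR or OFB mode.
    """
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:BLOCK_BYTES]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: encrypt nonce||counter for successive counters."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += block_prf(key, nonce + counter.to_bytes(8, "big"))
        counter += 1
    return bytes(out[:length])


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-mode encryption and decryption are the same operation:
    data XOR keystream.  Applying it twice with the same key and nonce
    returns the original bytes."""
    ks = keystream(key, nonce, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def hex_digits_for_bits(bits: int) -> int:
    """Each hexadecimal digit encodes four bits, so a 104-bit key needs 26."""
    return (bits + 3) // 4


# Constructed sample values (not from the book or the review).
KEY_104 = bytes.fromhex("0123456789abcdef0123456789")    # 13 bytes = 104 bits
OTHER_KEY = bytes.fromhex("0123456789abcdef0123456788")  # differs in one bit
NONCE = b"\x00" * 8
MESSAGE = b"stream modes of a block cipher are just XOR"


def demo() -> dict:
    """Check the three points in one place; each value is a boolean or count."""
    ct = ctr_crypt(KEY_104, NONCE, MESSAGE)
    return {
        # 104 bits written out in hex is 26 digits.
        "hex_digits": len(KEY_104.hex()),
        # The same XOR undoes itself.
        "round_trip": ctr_crypt(KEY_104, NONCE, ct) == MESSAGE,
        # Kerckhoffs: the algorithm is public; only the key gates recovery.
        "wrong_key_fails": ctr_crypt(OTHER_KEY, NONCE, ct) != MESSAGE,
        # ciphertext XOR plaintext is exactly the keystream, nothing more.
        "ct_xor_pt_is_keystream": bytes(a ^ b for a, b in zip(ct, MESSAGE))
        == keystream(KEY_104, NONCE, len(MESSAGE)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the last check is the one the book misses: in a stream mode the block cipher only manufactures keystream, and the actual encryption of data is the XOR, exactly as in RC4. That is also why the secrecy of the algorithm is irrelevant and the handling of the key and nonce is everything.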
Probably most of those who would want to buy this book are solely concerned with whether or not it will help them pass the Security+ exam, and, as noted previously, I can't speak to that. A review of the CompTIA Security+ objectives does show where some of the randomness in structure comes from, although the authors did not have to follow the list blindly in organizing the book. It is also true that the objectives don't give a lot of direction in terms of how much candidates need to know about particular topics. On the other hand, the list would not have prevented the authors from adding material that would have provided better explanations of the major points. I will say that, if this book can help you pass the exam, the value of the Security+ designation has to be questioned. A great deal of book space is devoted to screenshots and operating descriptions of programs and utilities which may already be irrelevant and which, in any case, do little to explain broader security concepts. In terms of the quality of information, this work ranks with the great mass of attempted (and, basically, failed) general low level security guides.

copyright Robert M. Slade, 2003