|Home||Switchboard||Unix Administration||Red Hat||TCP/IP Networks||Neoliberalism||Toxic Managers|
May the source be with you, but remember the KISS principle ;-)
Skepticism and critical thinking is not panacea, but can help to understand the world better
|CISSP for Dummies||The CISSP Prep Guide|
CISSP for Dummies
Lawrence C. Miller (Author), Peter H. Gregory (Author),
Taking into account an extremely weak book "Solaris Security" by the second author I was pleasantly surprised. The book is very practical and is definitely useful "exam-cram" book.
October 16, 2002
Everyone knows that the CISSP exam is not for dummies, but don't let the title of this book put you off.
It was great as a review/final cram before I took the exam. I think it would make an excellent first read, too. I studied using The CISSP Prep Guide and an online study group and then bought this book on the recommendation of someone in my study group. There is a chapter for each of the ten domains. There are no frills here, but the coverage is accurate, balanced, and matched pretty closely what I found on the exam. I particularly appreciated the study tools on the CD-ROM. The flash cards were pure genius. I was able to download them to my Palm, and I quizzed myself in the car all the way to the testing location. I definitely got my money's worth out of this book and highly recommend it to others sitting or considering sitting for the CISSP exam.
CISSP All-in-One Exam Guide
- Hardcover: 977 pages ; Dimensions (in inches): 2.32 x 9.32 x 7.78
- Publisher: McGraw-Hill Osborne Media; ; Book and CD-ROM edition (December 26, 2001)
- ISBN: 0072193530
- Average Customer Review: Based on 48 reviews. Write a review.
- Amazon.com Sales Rank: 4,401
The author is an CISSP instructor and it's clear that she luck practical experience in many areas of the exam. That was notices by several reviewers here and should be taken into account.
But as an instructor and member of "CISSP gang" she probably knows quite a lot about exam kitchen and there are several reviews here, which claim that the book was the only one they used to pass exam.
CD ROM exam questions are sometimes pathetic with some as close to nonsense as one can get and many qustionable "right" answers presented. But CISSP is a very immature exam and people claim that they are improving.
The English, from both a grammatical and style perspective, is very poor. This book is simply one of the worst written technical books I have ever read.
The superfluous content should be reviewed and placed in an appendix.
The facts should be accurate and reflected by accurate exam questions.
This final point is the most worrying. As an IT professional with extensive experience in certain areas, I was able to recognise when something was incorrect, in those areas. However, the CISSP covers the full spectrum of security from IT security to classical security and the laws pertaining to them. How am I to know the specifications of a PIDAS? In these areas one needs to be able to trust the book and I found myself not able to do that.
It is worth buying as a resource for passing the exam, but you would need to have other sources (Krutz & SRV are probably complimentary). The problem in this area is there are too few books providing the information that is really needed and to the level required, without additional non-relevant text.
***The quesitons on the CD are extremely useful and around the level of the questions on the real exam.
**** Do them several times until you get an idea of the tricky style of questions asked. The real exam questions are designed to lure you into a wrong answer and the CD questions help you get used to that.
If you want to pass the test read this book, January 2, 2003
No kidding. I have a networking background of 20 years, but I would have
failed the test if I hadn't reviewed this book. I spent 6 hours/day,
for 6 days studying this book and taking the exam questions at the end of
each chapter. I also recommend buzzing around the web for searches
on test taking strategies for the cissp. Other than that I would contradict
other reviewers and say that in addition to a good networking background
(general knowledge of security wouldn't hurt either) this book is all you
need. And yes I did pass the test!!
Good, contains errors, reads easily, December 11, 2002
This is a book I very much enjoyed reading. The content is not always correct or complete, but I guess that is a problem that is found in most "all-in-one" books. While reading this book I very often got distracted by the way the author got me involved in examples that take away the attention from the important information. The chapter about Cryptography is not complete.
I do not believe it is possible to pass the CISSP exam with just this book. It is a pity that there is no motivation with the solutions for the test questions. The solutions sections consist of a list of letters. If a question is troubling, this approach doesn't help.
Overall, this is a nice book. But it should not be the only reference you
read on the subject.
Author lacks understanding, too much fluff, a casual read, November
I purchased and read this book based on recommendations from others in
the posting community here on Amazon.[com]. My good first impression of the
book was quickly muddled when I realized the lack of understanding expressed
in many of the subject areas presented in the book. A book with a [high]
price tag should be written by an expert! As I read this book by
Harris, I kept getting the impression that she simply copied and pasted
information from the Web into her publishing application and left credit for
her references in the sidebar. Look to the Wiley book for a text
written by true experts in the field. The amount of typos and grammatical
errors in the book also exceeds the acceptable level for a book in this
price range. Also, (and this shouldn't influence your decision to buy this
book) it is HIGHLY annoying to read a book that has all third person
references expressed as "her" and "she." Harris should leave her political
agenda aside when writing a book on any other subject.
Editor? What's an editor?, November 9, 2002
|Reviewer: A reader from Dobbstown, Malaysia|
No, I am not referring to vi or emacs. I am referring to the human being who, nominally, is there to guide the author. Well, not in this case. The CISSP certification is a professional certification (that's what the 'P' stands for, folks). Unfortunately, the author seems to think that writing in an excessively colloquial, familiar, and almost "slangy" style is just what is needed to help her readers stay awake thru this kilopage tome.
Admittedly, the CISSP exam is a mile wide and an inch deep, so one cannot fault the author for the depth (none) with which things are treated.
HOWEVER, the cutesy way the book is written, with cheesy jokes to "help you remember" the material borders on the insulting for anyone who isn't looking to just cram for the exam, get the "cert", and move on.
For readers who actually do have infosec experience, and who are looking for a review guide, this book works well enough, but you have to read it defensively -- the style is actually an obstacle to readbility, which is why the editor needs a clue. Also - there are typos and grammatical errors that a book at this price point should NOT have.
On the plus side, it is trivial to resell the puppy once it has served its purpose -- mine was gone three hours after I got home from the exam -- and the practice questions actually are somewhat helpful.
In a nutshell -- grind your teeth thru the style and the sloppiness, augment the practice stuff with the Boson practice questions (for example), and this book might be worth keeping long enough to help you remember what you read in other vastly better books covering any of the 10 domains.
NOT A GOOD EXAM PREP TOOL, October 9, 2002
I agree with the other reviewer who said there was too much fluff in
here. I had already bought many of the recommended texts listed by ISC2.
What I needed was focused preparation materials that took me through,
approximately, what I could expect to find on the exam. What I got
here was a rather poor rehash of the dozens of better written, classic,
professional texts that have been written by others. I even found
topics on the exam that were definitely NOT addressed by this book. Bigger
is not always better.
Took the CISSP exam 9/31/02 and PASSED., September 1, 2002
|Reviewer: A reader from St. Louis, MO USA|
The CISSP All-in-One Exam Guide was the best of the half-dozen sources that I used. I'd rate it a must-have if you want to take the exam. I also used the The CISSP Prep Guide but switched to Shon's book halfway through.
The CISSP exam is immature; that is, many of the questions appear convoluted for the sake of being obtuse. I doubt seriously if your score on this exam correlates to your true ability. That said, it is a necessary benchmark of a very broad subject. And having talked to people taking the test for second time, I'm told the test is improving. That's about all I can say about the test; you have to sign in blood not to discuss it once you take it. Most people walk out having no idea if they did well; my peers were no exception.
I took the course that Shon teaches at the Intense School (see cccure.org for a link and useful study materials). It is a great course and a terrific value. Everything is taken care of in the course cost (hotel, food, snacks - and they don't skimp). Shon is an excellent and patient instructor with an in-depth understanding. Her pointers on the test were worth about 15 extra questions right; possibily the difference between passing and not for many of us. But the course is not for the meek. It is 8:30 to 6:30 for 6 days, followed by the exam. By the 3rd day most of us (including kids 15 years younger than me) were feeling beat -- only 500 pages and halfway thru the course material. But everyone I talked with though that it was well worth it.
The only critism of Shon's book is that her sample test questions were far easier than the actual test. She admits it; her questions are to help you know if you understand the material. If her questions were like the test, everyone would think she couldn't write a decent test question (and they would be right!). But her material is dead-on.
I should have studied operational security more than I did. There was far less on cryptography - the hardest subject - than I expected. With over 20 year experience in 9 of of the 10 domains, the exam wasn't a cakewalk. But Shon's CISSP All-in-One Exam Guide did make me much more confident about passing the exam.
I have no financial or other interest in the Intense School or Shon's book. I'm just a very satisfied customer (and hopefully a CISSP now!).
Update: Got my CISSP and so did everyone is my 4 person study clique - including one person who was sure that she wouldn't pass becuase she didn't have a strong security background. So the Intense School course was a big gain for her.
Good, but not comprehensive, August 27, 2002
|Reviewer: beamthis (see more about me) from Croton-on-Hudson, NY USA|
There is some great content in this book and it definitely gives you an understanding of the basics in the 10 Domains. It, by no means, is enough to be able to pass the exam.
After having taken the exam, you realize that you are recalling a great deal of information not included in this particular book.
It is a good cornerstone to your study collection, but is not detailed enough.
This book is also tougher reading than the CISSP Prep Guide, but I feel it helped more (having gone through both).
Could be better ..., August 19, 2002
The book was a fairly easy read, but lacked some crucial content. This
was apparent when taking the actual exam. I encountered numerous
questions that were not addressed in this book. Overall, this title
could be used as a sole source, but I would recommend finding at least one
more good reference to use. The included CD of sample questions was rather
The best could be better, easily, July 24, 2002
|Reviewer: A reader from Reston, Va USA|
This book, along with the CISSP Exam Prep Guide by Kurtz and Vines, provided me a great deal of insight into the 10 domains of computer security and it was instrumental in assisting me to pass the CISSP exam on the first try.
No book alone can inform a candidate to the level of familiarity with this topic needed to pass this very broadly scoped exam. But, this book helped me put my 20+ years of IS experience into perspective from the point of view of the ten domains of computer security. It helped provide the context and framework for organizing and thinking about the issues, helped to sort-out and standardize my terminology, informed me in some areas where I was weak and provided pointers to additional resources to supplement my understanding.
This book was helpful in spite of considerable shortcomings, including errors of fact, errors in logic, and an appalling number of typographical errors that must reflect a rush to publish and a lack of interest in quality control. Errors of fact included erroneous definitions of important terms, e.g., MTTR - improperly defined as the mean time between repairs rather than the mean time to repair. Some sample questions at the chapter ends included duplicate answers, and offered wrong answers as correct ones. While this occurred infrequently, it shouldn't happen at all. Without prior knowledge, the reader wouldn't know what was true and what was in error. The book was laced with exasperatingly trite examples that distracted from the theme development in the chapters. Moreover, many of the book's sections were far too wordy and could have been distilled or provided as an appendix for those who are interested in the tutorial material, e.g., over 150 pages on the telecom and security domain alone.
The sample test S/W included informative questions, but was unwieldy, error-filled and did not permit the user to suspend the exercise until later nor did it provide for printing the Q&A's in any useful way.
All in all I believe the book was a considerable help to me. If you can get by the multiplicity of errors and deal with the frustrating sample test software, it could be a helpful tool in preparing for the CISSP exam.
can you say typo?, July 22, 2002
this one is a poorly written book with lots of typos. Things that could
have been easily caught by a spell/grammer checker. I "cannot not" believe
that some one proof read this book and did not find something wrong with
"that0" book. :-)
A (probably) good book badly in need of editing, June 27, 2002
|Reviewer: Richard Stack from Golf, IL USA|
I seem to be in the minority here, but I found this book very disappointing, primarily because it apparently never was edited at all. It contains literally (I mean literally) hundreds of typos, grammatical errors, poorly organized sections, and awkwardly worded phrases. The content may be good, but I find the lack of care in assembling this book insulting. The result appears to have been created by hastily transcribing dictated material and taking it directly to press.
The "dictation" style requires careful use of headings to guide the reader/learner through the hierarchy of presentation. Intelligent heading use is largely absent, e.g., in a section starting on pg. 266, (A Few Threats to Security Models and Architectures), Covert Channels, Countermeasures, Back Doors, Countermeasures, Timing Issues, Countermeasures, Buffer Overflows, and Countermeasures are all presented at the same heading level. It is clear that the countermeasure item should be subsidiary to the threat preceeding it in each case. (This is an easy example to see and correct, but others are more obscure).
The conversational but awkward wording, e.g., "A covert storage channel is when a process writes data to..." can be repaired easily by someone with minimal experience.
Disagreements in number between verb and subject are too numerous to mention.
I don't mean to sound like an English teacher (I'm not), but I think shoddy work should not be rewarded. McGraw-Hill Osbourne can do (and has done) better. We should encourage them to spend more time in preparing an expensive book by buying the competition.
Although the examples were presented from one section, I have in fact read three-quarters of the book. I just happened to be in chapter 5 when my frustration peaked.
Is English Shon Harris' mother tounge? More than 110 errors!, June 22,
|Reviewer: Mark Fyvie from Zurich, Switzerland|
First some basics before I get down to the things that really tick me off.
1. Check the ISC2 blueprint for the exam, and then check the contents or index pages of this book. You will see that there are a LOT of things which this book does not cover. It is certainly not an "all in one" study guide.
2. The pages are padded out with large text and absolutely pathetic clip art. If you think you are getting 800 or so pages of good reference material, think again.
3. The author is obviously not well versed in some of the domains she covers, it seems as though she has just paraphrased a lot of material from other sources. Many sections contain technical errors, or demonstrate small points which show that she didn't know the subject she was writing about as well as she should have.
But what really bugged me the most was the absolutely poor quality control which permitted this book to be published with so many (110+) errors! I complained to the publisher who said that they had contracted out the proof reading (presumably to the local zoo).
What amazes me even more is the number of reviews here that praise the book for being well written! My advice is as follows:
If your reading experience is limited to the sport pages of your local tabloid paper, buy this book, it is perfect for you.
Or, if you prefer to read the more serious parts of a broadsheet paper, don't buy this book, it will irritate you. Buy Krutz's book instead. It also doesn't cover everything you need, but at least you won't feel the need to correct it as one might when reading a school child's essay.
In conclusion: This book isn't cheap, I think that if someone pays top dollar
for a technical book they should expect that the author knows the difference
between terms such as "regimen" and "regime", or that NAT doesn't run at layer
7, or that ARP is not a layer 1 protocol (just check the diagram on page 48 for
an example). To summarise in one word: shameful.
The CISSP Prep Guide
The CISSP exam covers multiple fields in security and for those of you who are in a technical field will see how lacking the authors are there.
Tear out chapter 3, and you have a useful CISSP study guide, December
I am a senior engineer for network security operations. I read "The CISSP Prep Guide" (TCPG) as a study aid for the CISSP exam, which I completed yesterday.
CISSP candidates are not allowed to discuss the contents of the test, but I can comment on the quality of TCPG's text. If you tear out chapter 3 (Telecommunications and Network Security), the remaining content is informative and applicable. If you rely on chapter 3 to learn about network security, you'll be sorely disappointed.
By performing network security monitoring, I am intimately familiar with defensive tools and tactics, and adequately informed of offensive operations. I observe network defense and offense on a daily basis.
Unfortunately, chapter 3 of TCPG demonstrates almost no understanding of these important concepts. The authors do not correctly explain network attacks. ("Ping of death" is the most common buffer overflow?) Their firewall deployment strategies are wrong, and their examples of "protocols" at each OSI layer are false. (Since when is SQL a session layer protocol?)
The authors should have consulted someone with real knowledge of network security before publishing this poor material.
Thankfully, beyond chapter 3, the majority of the book is helpful and reliable. The authors cover each domain of the Common Body of Knowledge, and present information in a humorless but well-organized manner. TCPG introduced me to management concepts I hadn't formally studied elsewhere, such as risk management, risk assessment, business continuity planning, and disaster recovery planning. TCPG also offered helpful quizzes at the end of each chapter. The appendices, covering the RAINBOW series, HIPPA, NSA assessments, and the Common Criteria, were also enlightening.
Great all around CISSP Prep Guide, August 12, 2002
|Reviewer: oishi_ushi from Albany, NY United States|
I purchased two books - this book and the Shon Harris book - and I thought this book was very detailed, more organized, and overall a better preparation for the exam than the Shon Harris book. There were a lot of things in the Shon Harris book that were not explained, that I only understood after reading the Ten Domains of Computer Security. The examples in The CISSP Prep Guide were relevant and supportive of all the information that was tested on the CISSP.
Overall - between the two books - I highly recommend the CISSP prep guide. It is an all inclusive guide to the information that you need to know when taking the CISSP. It wasn't confusing, it more organized and well thought out comparatively to the Shon Harris book.
Well presented, but not deep, May 10, 2002
|Reviewer: Wilfred Wong from Hong Kong|
This book gives a good introduction to one interested in security related works. It covers most aspects in information security, and cover all area of CISSP exam. This book gives you good knowledge but seems cannot help you practice securing your system as this book does not give you good technical knowledge implementing security on systems. You must have many other reference books for specific topics if you want to have in-deep knowledge on security.
In short, it's a good book for one seeking basic and general knowledge on information security, but don't expect you can find in-deep information inside.
Worth reading but watch the errors, April 1, 2002
I recently took and passed the CISSP exam. My two main study guides were this book and the Information Security Management Handbook. I also used the CISSP Exam Cram. The main benifit to this book is that it gave some background on topics that are useful to know for the exam and exposed me to areas I was unfamiliar with. Note, the above info is all I can say in relation to the exam, the rest of the review just contains general opinions about the book. One good thing about this book is that it has lots of definitions. The glossary is good and the index is great.
I particularly enjoyed chapter 10. Chapters 4 and 8 were pretty good too.
The reason I'm giving this book 3 stars is that it has some glaring failures.
It's not a good place to learn about forensics, risk management, computer crime law or technical aspects of computer network security. Chapter 3 in particular is littered with errors.
Perhaps the most offensive is the description of a buffer overflow on page 76. It's listed under denial of service attacks and a "Ping of Death" is described as typical. Check out Aleph One's "Smashing the Stack for Fun and Profit" (Phrack 49...) or the definition in Hacking Exposed for the real scoop.
Good material, poorly presented, November 13, 2001
|Reviewer: Alan from Atlanta|
This book is apparently right on target in terms of content. However it is in serious need of a good editor. I estimate it is taking me twice as long to read and understand the text because of poor grammer and ambiguities. For example, on pages 5-6, under the heading "Information Classification Objectives":
".. it is obvious that information classification has a higher, enterprise-level benefit. Information can have an impact on a business globally, not just on the business unit or operations levels. Its primary purpose is to enhance confidentiality, integrity, and availability..."
Ok, after reading that a couple of times, it is clear that "Its primary purpose" refers back to "information classification" in the first sentence, not to "Information" in the immediately preceding sentence. But it certainly would be easier to read if you didn't have to decipher things like this on every page.
Also, in the Introduction, page xiv, it says about the test, "No acronyms are used without being explained". Yet, in the sample questions at the end of chapeter 1, there are half a dozen or more questions that in essence are testing your knowledge of certain acronyms. So, do I need to memorize the acronyms or not?
I'm grateful that a text is available designed to focus my preparation for the test. It is probably the best available, but it just needs more work.
Handbook of Information Security Management Table of Contents online book
Trafford Publishing Secured Computing, A CISSP Study Guide
Table of Contents
Overview of CISSP and the Exam vii
How to Use This Book viii
The Study Plan viii
Test Day Tips ix
Domain 1 - Access Control Systems and Methodology
Access Control Layers 4
Types of Access Control 5
Access Control Techniques 7
Access Control Administration 9
Data Owner, Custodian, and User Responsibilities 9
Access Control Models 10
Identification and Authentication Techniques 13
Access Controls Methodologies and Implementations 17
Test Your Knowledge 24
Domain 2 - Telecommunications & Network Security
ISO/OSI Model 31
Communications and Network Security 33
Identification and Authentication 46
Data Communications 48
Network Components 53
Network Availability 54
Test Your Knowledge 59
Domain 3 - Security Management Practices
Security Management Concepts and Principles 67
Change/Control Management 68
Data Classification Schemes 69
Employment Policies and Practices 72
Policies, Standards, Guidelines, and Procedures 74
Risk Management 75
Roles and Responsibilities 83
Security Awareness 84
Security Management Planning 85
Test Your Knowledge 87
Domain 4 - Applications & Systems Development
Application Issues 93
Local/Non Distributed Environment 98
Data Information Storage 102
Knowledge Based Systems 103
System Development Controls 107
Test Your Knowledge 113
Domain 5 - Cryptography
Uses of Cryptography 118
Cryptographic Concepts, Methodologies, and Practices 120
Types of Encryption Systems 126
Public Key Infrastructure 136
Application and Network Based Protocols 140
Methods of Attack 142
Test Your Knowledge 144
Domain 6 - Security Architecture and Models
Principles of Common Computer and Network Architecture and Design 149
Principles of Common Security Models, Architectures, and Evaluation Criteria 153
NSA/NCSC Rainbow Series 158
Objects and Subjects 165
Common Flaws in Security Architecture 166
Test Your Knowledge 169
Domain 7 - Operations Security
Administrative Management 174
Computer Operations Concepts 175
Test Your Knowledge 179
Domain 8 - Business Continuity Planning and Disaster Recovery
Business Continuity Planning 185
Disaster Recovery Planning 187
Recovery Planning Development 188
Test Your Knowledge 193
Domain 9 - Laws, Investigations, and Ethics
Types of Laws 201
U.S. Laws 203
International Computer Crime Related Laws 205
Types of Computer Crime 211
Incident Handling/Response 212
ISC2 Code of Ethics 213
Domain 10 - Physical Security
Administrative and Physical Controls 221
Elements of Physical Security 226
Facility Requirements 226
Fire Access and Controls 229
Physical Access Controls 230
Technical Controls 231
Environment/Life Safety 231
Test Your Knowledge 233
Methods of Attacks
Other Attacks 241
CISSP Practice Exam 245
Recommended Study Aids 258
Glossary Terms 259
Copyright 1996-2004 by Dr. Nikolai Bezroukov
Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SNDP or any other organization the author may be associated with.
We do not warrant the correctness of the information provided or its fitness for any purpose.
Links and bibliographical information about the books are prepared in association with Amazon.com. You can buy any book listed here from Amazon.com simply by following the link for the book.
This document is an industrial compilation created for educational purposes only and is placed under
the copyright of the Open Content
License(OPL). Original materials copyright belong to respective owners.
Quotes are made for educational purposes only in compliance with the fair use
www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time.
Click here to submit your comments!
Last modified: March 12, 2019