Given the organization of the Security+ objectives, part one covers general security concepts and chapter one is on access control. Some factors are dismissed a little bit too concisely: it is difficult to justify the blanket statement that biometric authentication is "extremely accurate and secure." (Biometrics does get a bit more explanation in the chapter on physical security, but there is no indication of that in this location.) For the first set of sample questions, the emphasis is on simple definitions and fact recitation, but later questions do become somewhat more complex. A variety of attacks are described in chapter two, generally reasonably. The virus material is unfortunately poor, concentrating on older viral technologies (such as the almost extinct boot sector viruses and older DOS precedence-based companions) and failing to provide proper outlines of the basic antivirus technologies.

Part two looks at communications security. Chapter three deals with remote access, but the content has limited application to security. Technologies related to Internet application security are reviewed in chapter four. The highlights are touched on, but the lack of detail can be troubling. Cookies are discussed, with some mention of privacy, but the potential problem of cross-site tracking is not dealt with at all, and neither is the danger of HTML (HyperText Markup Language) formatted messages when the topic turns to email. The material on wireless networking and security, in chapter five, is very weak. The explanation of direct-sequence spread spectrum is not clear at all, a mention of SSL (Secure Sockets Layer) makes no reference to the description in the previous chapter (and almost contradicts it), and security itself gets short shrift in the haste to trot out the alphabet soup of related technologies.

Part three deals with infrastructure security. Chapter six runs through a list of networking components, cabling, and storage media, again with limited allusion to security. Network topologies and intrusion detection systems are discussed in chapter seven. System hardening, generally by applying patches and disabling functions, is reviewed in chapter eight.

Cryptography is in part four. Most of the basic content in chapter nine is sensible, but it is clear from the paragraphs on double- and triple-DES (Data Encryption Standard) that the author does not fully understand the subject. Chapter ten reviews key management, but it is not clear why the topic was separated from that of PKI (Public Key Infrastructure).

Part five deals with operational and organizational security. Physical security, in chapter eleven, is covered fairly well. Disaster recovery is confined to backups and fault tolerance: chapter twelve supports Kenneth Myers' contention (cf. BKMGTCPD.RVW) that most people concentrate on recovering technology rather than the business, and would be improved by a broader view that incorporated all aspects of the operation. Chapter thirteen lists some areas that should be covered in a security policy. Forensics is dealt with poorly, and chapter fourteen also throws in education and training.

While the book still adheres, rather slavishly, to the arbitrary structure of the Security+ list of objectives, the content is generally pretty reasonable, providing background explanations for important concepts, and keeping the descriptions of many of the specific technologies limited to the fundamental ideas. The text does tend to be terse, given the size of the book, but most basic material should be available to the student. This does vary by chapter: some seem to be merely going through the motions. The work could be improved with some removal of duplicated material. For example, there are three separate discussions of social engineering, and two could be replaced with cross-references. Despite its smaller size, I would recommend this volume over the Syngress "Security+ Study Guide and DVD Training System" (cf. BKSCRTYP.RVW), but not emphatically.

copyright, Robert M. Slade, 2003 BKMMSCRP.RVW 20030207