The magazine of the Melbourne PC User Group
Protecting Information Systems
For the bookshelf
Major Keary
Security of information systems is becoming more important and more complex to
the point of speciality. There was a time when security was just another -
somewhat minor - task in the job description of a system or network
administrator. What used to be a fairly straightforward, single task is now
likely to involve a wide range of issues that are the responsibility of an
information systems security administrator (or some fancy title that means just
that).
It is not surprising that the ubiquitous certification circus has added a new
act: Certified Information Systems Security Professional (CISSP). The program
has, in fact, been around for a decade, but has only recently attracted wide
attention; publishers have begun releasing CISSP texts in response. The CISSP
program was established by the International Information Systems Security
Certification Consortium, which goes under the style, (ISC)². I must admit to
having found that confusing, instinctively looking for footnote #2 before
associating it with a device used in the written form of some languages. Using IISSCC might lead readers to think they have double vision.
The CISSP examination runs for six hours straight and consists of
multiple-choice, tick-a-box questions. That suggests the field is very broad,
but does not have significant depth. Of course, candidates are required to have three
years of employment in at least one of the domains.
CISSP for Dummies
This is a good introduction to CISSP in that it explains what it is about, how
the subjects are classified, what the various topics cover, and provides sample
tests. A companion CD has "hundreds of sample questions" that run under the
Dummies Test Engine, which is a customisable application. There is also an
archive of RFC documents from the Internet Engineering Task Force.
There will be many professionals who already know everything, or nearly
everything, required for certification; this is a useful resource for reviewing
one's knowledge and putting it into CISSP context. Others may have backgrounds
that give them varying degrees of CISSP relevant knowledge and experience; the
book will help identify the topics they need to study, and where it is necessary
to increase the depth of their current knowledge. It also explains how the
certification exams are conducted and the prerequisites for candidature.
The CISSP certification is based on what is called the Common Book of Knowledge
(Archbishop Thomas Cranmer would turn in his grave) and which is divided into
ten domains: Access Control Systems and Methodology; Telecommunications and
Network Security; Security Management Practices; Applications and Systems
Development Security; Cryptography; Security Architecture and Models; Operations
Security; Business Continuity Planning and Disaster Recovery Planning; Law,
Investigation, and Ethics; and Physical Security.
Each domain has its own chapter that effectively outlines the topic; discussions
are concise and much use is made of the bulleted lists. Some of the information
is America-centric; for example, under Government data classification is a
description of the U.S. scheme, and the chapter on the Law, Investigation, and
Ethics domain is about U.S. legislation and regulation. Anyone outside North
America should enquire if the exams are localised, especially in respect of
legal and ethical subjects.
There are self-test questions (answers at the back of the book) that provide a
yardstick by which readers can assess their respective levels of knowledge. Also
at the end of each chapter is a reading list that points to more detailed
sources of information.
This is not a highly technical book; anyone with a general interest in
information system security should find it easy to follow. It is a good, plain
language orientation for anyone who wants to know more about CISSP.
Lawrence Miller and Peter Gregory: CISSP for Dummies
ISBN 0-7645-1670-1
Published by Wiley,
408 pp. + CD,
RRP $83.95 incl. GST
CISSP Prep Guide
This is a professional guide to the CISSP examination, presented in a more
formal style than the Dummies title. It has an academic feel, so to speak, which
is consistent with the authors' intention to provide a text for use in
university courses and classroom tuition for CISSP candidates.
The sheer breadth of subjects covered in CISSP makes it impractical to bring
everything within a single volume and maintain significant technical depth.
Hence the title of this text: The CISSP Prep Guide. It lays out what candidates
are expected to know in each of the domains and presents tutorial-style
discussions with good use of bulleted lists. At the end of each chapter there
are sample questions (answers provided in an appendix).
About a third of the book is given to appendices that include a useful glossary
of terms and acronyms, National Institute of Standards and Technology Minimum
Security Requirements for Multi-user Operating Systems, a discussion on The Case
for Ethical Hacking, excerpts from The Common Criteria for Information
Technology Security Evaluation, references for further study (including URLs),
and British Standard 7799.
A well presented and comprehensive text. Even though intended for CISSP
candidates, it is a useful resource for anyone with a general interest in
information system security issues. People involved with training in respect of
any of the CISSP domains (especially cryptography and network security) should
find useful models for their own presentations.
I noticed one typographical error that could cause confusion. 'Stenanography' is
used instead of 'steganography', and appears in the index. A fairly minor
matter, as the subject is barely mentioned.
Ronald Krutz and Russell Vines: The CISSP Prep Guide
ISBN 0-471-41356-9
Published by Wiley,
hard cover, 556 pp.,
RRP $146.95 incl. GST
Information Warfare
Americans - and some Australian politicians - seem to have a passion for using
the analogy of war as a framework for their rhetorical attacks on anything or
anyone that upsets them or opposes their views. It is a pity that Michael
Erbschloe's publishers hadn't thrown a bucket or two of cold water over him
before he got his hands on a keyboard. If one can filter out the hyperbole,
Information Warfare: How to Survive Cyber Attacks contains some useful notes for
anybody with a responsibility for making risk assessments. I am not sure that
inserting a novella (a doomsday scenario) helps the book's claim to be a serious
treatment of an important subject: security of information and communications
systems.
An essential element of protective security is an adequate threat assessment,
which is not the same as risk management. Risk management is a euphemism for
'what is the very least we have to do'. The CISSP curriculum does include 'risk
analysis' in the security management practices domain, and books such as
The CISSP Prep Guide deal with the subject in some depth, but mainly in the context
of quantification.
This book mentions, briefly, risk management; it does not discuss risk
assessment. It talks about 'participating in defensive preventative information
warfare planning' (a grand concept, indeed), but simply to introduce an American
government agency, the National Infrastructure Protection Center, which has an
Analysis and Warning Section that is "the primary hub for public/private sector
information sharing".
If you are someone who likes to use nonsense terms such as cyber attack,
information warrior, or martial law in cyberspace, then this is a book for you.
If you are in the business of providing threat or risk assessments and advising
on appropriate security procedures, then you should read the book in order to be
forearmed in case some executive or systems manager has, perchance, been
influenced by its alarmist language.
We all know the likely consequences of communications systems being disabled;
who hasn't been a victim? Most people appreciate the vulnerability of
computer-based systems. There is a need to re-assess the corporate risk in the
light of recent events, but that should be a sober, rational process and not a
reason to become hysterical, fall victim to the politics of fear, or be conned
by people describing themselves as information warriors.
Michael Erbschloe: Information Warfare
ISBN 0-07-213260-4
Published by Osborne/McGraw-Hill, hc.,
315 pp., RRP $49.95 incl. GST.
Reprinted from the June 2003 issue of PC Update, the magazine of Melbourne PC User Group, Australia