The CISSP Prep Guide: Mastering the Ten Domains of Computer Security
By Ronald L. Krutz & Russell Dean Vines
CISSP Exam Cram
By Mandy Andress
It shouldn't be a revelation that the primary goal of CISSP certification isn't to give security professionals another set of initials to place after their names. The multifold intent includes setting a minimum body of infosec knowledge and evaluating persons to provide evidence that they've conquered it. By setting a bar and encouraging people to jump over it, the International Information Systems Security Certification Consortium -- or (ISC)2 -- has inspired thousands of people to learn relevant information that they otherwise never would.
Although the certification would lack meaning if it could be passed after reading a single book, the demand for convenient test study materials is high. Are these two books -- The CISSP Prep Guide: Mastering the Ten Domains of Computer Security and CISSP Exam Cram -- useful in preparing a person to pass the exam, and do they address any of the CISSP program's loftier goals?
Andress's book is essentially a fleshed-out version of the common body of knowledge, expanding that outline's one-liners into paragraphs, resulting in sort of an "Idiot's Guide to Infosec." Ambitious CISSP candidates could compile this same primer from various Internet resources, which appears to be what the author did in many cases.
Whatever its source, most of the material in Andress's book is a useful review that can be read in a few hours during the week before the test. Each chapter includes test questions, but they're not very rigorous and don't represent the difficulty of the real exam. Minor and mostly harmless errors are sprinkled throughout the text, with the short discussion of digital signature being especially inaccurate. This book is meant to be a quick, last minute core dump on all 10 domains covered in the CISSP exam, but I wouldn't expect much of that information to be retained as useful knowledge.
Perhaps it's unfair to apply different standards to Krutz and Vines's book, but its length (556 pages) and cost ($70) require a significant level of motivation from the reader. Nothing in this book detracts from the reader's ability to pass the CISSP exam -- quite the contrary -- but I have to say that I disagree with a lot of it, both philosophically and factually. While the chapter on encryption was good, the one on telecommunications and network security is particularly bad, containing many imprecisions and inaccuracies.
The book is chock full of facts, but these are typically multiple unconnected factlets appearing in the same paragraph without explanation of their relevance. This may help you pass the test, but it won't help you in your career. That's a reasonable approach for a test preparation guide, but like the exam, the presentation should be neutral in cases where the infosec community hasn't reached internal agreement. The discussion on assessment and risk management, for example, builds a strong case for the superiority of quantitative over qualitative analysis. This is surprising given the prominent coverage the book gives to the relatively obscure Infosec Assessment Methodology, which the NSA's most experienced analysts designed as purely qualitative. The suggestion that firewalls are often described in terms of "generation" is yet another concept that's misleadingly presented as common practice.
More than one-third of the book consists of appendices. The answers to the test questions, which are generally representative of the CISSP exam, are helpful. However, a HIPAA assessment methodology that has nothing to do with the CISSP is one of two boring infomercials for the authors' consulting business. The glossary is useful, although inconsistent. Diagrams, such as a triangle illustrating "CIA," are often trivial, and the writing is sloppy and confusing, sometimes to the point of error.
Source(s) of Concern
The lack of proper citations is one reason why these books are just tactical study guides and not strategic infosec handbooks. Providing credit where it's due helps a reader with further research, enhances credibility and, perhaps most importantly, protects against plagiarism. Doing a Web search for a source of the unusual idea that firewalls had arrived in "generations," I discovered that not only this concept but entire sentences had crept into the Krutz/Vines book from Cisco white papers. Large sections of the glossary are word for word identical with a federal government site, and there are clear parallels with the (ISC)2 copyrighted material provided to the students of the CISSP CBK Review Seminar (for which Vines was once an instructor).
Even this level of borrowing seemed mild when I began looking for sources for Andress's material and discovered page after page of material cut and pasted from whatis.com. Other sentences were identical to sentences in documents written by Bill Cheswick and Steve Bellovin, Dorothy Denning, Rebecca Bace and Greg Shipley. I located all of this "parallel text" through some spot checks on the Web, but I didn't search on all the text in both books, nor is such a search method practical for locating paraphrases.
Given the lack of citations, and the ease with which I found identical material on the Internet, the only logical conclusion is that this is merely the tip of the iceberg. This seems inconsistent with the pledge of ethical behavior that the authors made when they applied to take the CISSP exam.
My recommendation is that you prepare yourself over a period of time by reading multiple books written by subject experts. This is both the best way to pass the test and the best way to improve your knowledge of the profession. Neither of these books will advance the state of the infosec profession, but if you're not well prepared and read these books shortly before taking the test, you'll undoubtedly answer more questions correctly.