Friday, March 17, 2006

Four Pre-Reviews

My friends at Pearson sent me four new books from their various imprints. The first is Penetration Testing and Network Defense by Andrew Whitaker and Daniel Newman. This book has received high marks at Amazon.com and it seems more coherent than a similar book I just reviewed. This is my first Cisco Press security book. The last Cisco Press book I reviewed was Cisco Router Firewall Security.

Next is VPNs Illustrated: Tunnels, VPNs, and IPsec by Jon C. Snader. This book is unique in that it looks and communicates like Richard Stevens' TCP/IP Illustrated, Volume 1: The Protocols. I wanted to read this book after seeing the diagrams, code snippets, and Tcpdump traces. I've also never found a really satisfying analysis of IPsec, which this book covers. The Amazon.com reviews are mixed, but I am hopeful.

The next book is High-Assurance Design: Architecting Secure and Reliable Enterprise Applications by Clifford J. Berg. This is a book of design principles and patterns to build high-assurance applications. I like books on security engineering, and I plan to read this book in concert with Security Patterns: Integrating Security and Systems Engineering.

Last but definitely not least is the new edition of Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses, 2nd Ed by Ed Skoudis with Tom Liston. I loved the first edition of this book, which was on my list of favorite 10 books from the past 10 years. This is the perfect book for anyone starting an information security career, because it covers all of the significant technical issues that a security operator should know.

Thinking about Ed's book made me consider the following point. To the degree that the CISSP has any value at all, it should be a management-oriented certification focusing on broad security themes. As I wrote previously, I believe the CISSP should be based on NIST SP 800-27, Rev. A (.pdf), Engineering Principles for Information Technology Security (A Baseline for Achieving Security).

If someone wanted to build a real technical information security certification, they should base it on Counter Hack.

On a related note, someone asked me recently if my first book was "CISSP compliant". After calming myself, I replied that the CISSP should be compliant with best practices -- best practices should not "comply" with the CISSP. That sort of question raised problems with teaching and learning "for the test," instead of teaching and learning the best material. I am not opposed to teaching and learning for the test if the test is sound. Unfortunately, as I've written before, I think the CISSP test is utterly worthless.

3 comments:

Anonymous said...

I am, of course, excited to hear what you think on a couple of the books above. Cisco Press' Penetration Testing and Network Defense I flipped through a few months ago and thought it looked awesome. It has been sitting on my shelf awaiting its turn in my reading queue with quiet excitement.

Also, being fairly new to security and networking (only really been interested for about 4-5 years), I have been waiting, with bated breath, for an updated version of Skoudis' Counterhack. I pick this book up often at the store and flip through it, or sit down and browse a few sections, but knowing the publish date, I've been awaiting a new edition like this. I'm quite happy!

Keep up the good reviewing work!

-LonerVamp

Anonymous said...

I think it's sad that people have to belittle other people's qualifications to make themselves feel more important.

You're quite right to say that CISSPs should be compliant with best practices, but if you had any idea about the requirements of the CISSP exam you'd know that that was the idea...

In my experience the people who are anti-CISSP are usually engineers who don't get the management side of the whole deal. I would have expected more from someone who runs their own security company, but then I've never heard of it before, so it might just be a made up one. It's easy to call yourself a director after all.

Most of the people who value the CISSP are engineers who realise that there is a more exciting world than reading manuals for qualifications.

Granted, the CISSP isn't the deepest of exams, but it does prove ability to a certain point, and that's its broad appeal. It sorts the men from the boys, not the cream from the crap.

Really though, the secret of a good reviewer is impartiality, not to mention humility. If you don't have the experience, don't knock those who have please.

Richard Bejtlich said...

Anonymous,

I think it's sad that people like you hide behind an "anonymous" comment while questioning my experience.