efemoh's review against another edition

3.0

A lot of fluff that makes the book too intimidating to read. Nonetheless, I read it from cover to cover. I feel that the book should have been condensed with just the vitals.

jettison_m's review against another edition

4.0

Holy crap it's a biggun. About a thousand pages of information to cram into your brain.

I liked how this book was written. It was mostly conversational, easy to understand, and well formatted. I did pretty well on the review quizzes, but I think, from what I've heard from others, that they're a bit simplified compared to the test; they still help show you where you may be lacking. I plan on using the maroon/gold practice test book (4th ed.) as well to supplement the reading to finish prepping for the exam. Here's hoping!

jgn's review against another edition

4.0

I don't put much stock in certifications, but . . . In the last couple of years I've had to correspond with the CISOs of numerous companies, asking them to fill out our security questionnaires, assessing their worthiness to be business partners on security grounds, and so forth. And one thing I see is that a lot of these people have the CISSP credential. I have a related cert, Security+, but this one -- the Certified Information Systems Security Professional -- is what people seem to recognize as the one that has some meaning and value. So I decided to pursue it. The quantity of information reminds me of what is required for a master's degree. The exam used to be 6 hours and you had to get 70% or 75% of the questions right. Now it is adaptive and takes about 3 hours, but that's still a big chunk of time. It's also not cheap: at $700, it's not one that I want to take twice. And people apparently fail. The Facebook group devoted to the CISSP exam is littered with posts from people who have significant experience in technology and yet have failed once, twice, etc.

This book seems to be the standard guide for getting it done. It's about 1,000 pages. I actually started with the 7th edition, and then, when trying a practice exam for the newest version of the exam, noticed a startling number of concepts not in that edition; so I bought this one, and indeed it is more current and up-to-date, even containing a citation of the great DevOps novel, The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win (Gene Kim).

I read the whole thing except for the last two chapters (on programming and software security) where I took a gamble and went straight to the chapter-ending quizzes, where I did OK. (More at the end on skipping chapters regarding what you think you know.) And yet this book is not enough: Based on what I read online, everyone does practice exams, online question drills, watches YouTube videos. (Tip: The primary author, Mike Chapple, has a decent video series regarding the CISSP on LinkedIn Learning [formerly Lynda.com] on this material -- though thinner.) This all suggests to me that there isn't a lot of intellectual coherence to the certification. But what can you do? ¯\_(ツ)_/¯ As a former professor, I'd suggest breaking the whole thing up and requiring, say, 5 out of 7 tight subjects for the cert.

So what about this book? It is maddening. It is loaded with useful information. For example, in a 40-page chapter, its compressed account of how to understand and manage risk seems to be about as good as anything out there (I've read a few) in such a brief compass. Elsewhere in the book, you will learn about business continuity planning and disaster recovery, security governance, cryptography, ethics, secure software development, and on and on. The book can most certainly serve as a reference and is worth keeping on your desk after your period of close study. The vast range of this book and certification suggests to me that our organizations are so profoundly insecure that there is a fantasy that it can all be understood and managed in one role. Under the hood, I think you could almost get by with a reading of the documentation for NIST 800-53 and a few other federal guidelines. Oh, that's something else I should mention: some 25% of the book, I'd wager, comes out of Fed World: you learn a lot about military security classifications, hardened servers, etc.

Each chapter is followed by some 20 review questions, and they are pretty shallow. This is too bad, because supposedly the cert exam itself has questions that go somewhat deeper and ask for judgement and differentiation. (This is why people use supplements such as the questions from Boson.) The book is incredibly passive-aggressive. On the one hand, the tome expects you to memorize the steps in both the SW-CMM and IDEAL software development models (and use the rather peculiar mnemonic "I ... I, Dr. Ed, am low(w)" [don't ask] (p. 887)). Would you ever not look this kind of thing up were it ever relevant to your job? Me, neither. Elsewhere the book pointedly describes some detail and then says: The exam won't ask you for this level of information. On the other hand, there is detail you are going to have to know. For instance, the DES cryptography algorithm has 5 modes, and one of them is tolerant of a block being transmitted incorrectly, so that such errors are not propagated, which would break decryption of the remainder. That's OFB mode. Remember that. You're welcome. You pretty much have no option but to try to memorize everything. And some of it is, at this point in 2019, genuinely "who cares?" The book seems to want you to know about WEP, but the real message should simply be to destroy any wifi devices that still use WEP. The book would be some 20% shorter were truly obsolete technologies left out. (They could replace all that stuff with an advisory that if you are evaluating something defined through acronyms you don't know . . . look 'em up!)

This kind of unevenness in approach to detail is maddening, and eventually you just go "f it" and try to keep as much in your head and hope for the best.

Another crazy thing about the book is that there are long lists of things you should do for various things, that seem to be in some order, but the order is not apparent. So, for example, on p. 67 there is a bullet list of some 30 "threats and vulnerabilities": Viruses . . . disgruntled employees . . . natural disasters . . . buffer overflows . . . This is ridiculous. How about grouping these things? This pattern is ubiquitous in the book. I pity the reader who doesn't already have a leg up on this material.

Now, as to skipping chapters if you think you know the topic. Don't do it. The bad news is that even for a topic you know, the security world has a somewhat different vocabulary, and you are going to have to know their way of understanding things. For instance, they will use inkhorn/academic terms for concepts that of course you once knew through that vocabulary: while you know that a table's size in rows is a sometimes interesting metric, you're going to have to remember that the term of art is the "degree" of the table. After many years of programming, you probably have seen timing errors, where a timestamp on a file is checked, but then the file is changed before you use it and the timestamp is stale. Well, this is called a TOCTTOU or TOC/TOU vulnerability. Oh, you didn't know that? Well, it's in the practice quizzes. You will have to know the difference between a Gantt and a PERT chart. Etc.

I suppose I'll update this review if/when I pass the test. For now all I can say is that reading this doorstop has probably kept me from reading 6-8 books that would be more important and valuable for my life and career.
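The TOCTTOU pattern the review above mentions, as an added example that is not from the book or the reviewer: a file is approved by its timestamp and then read, once with a re-resolved path (vulnerable) and once through the already-open descriptor (hardened). The `between` hook, the fixture file, its contents and `EXPECTED_MTIME` are all constructed for the demonstration.

```python
import os
import tempfile

EXPECTED_MTIME = 1_000_000   # constructed: the mtime the checker approves

def unsafe_read_after_check(path, between=None):
    # Vulnerable: stat() the path, then open() the path again. The second
    # lookup re-resolves the name, so whatever it points at *now* is read.
    if int(os.stat(path).st_mtime) != EXPECTED_MTIME:     # time of check
        raise ValueError("file changed since it was approved")
    if between:
        between()                                          # race window
    with open(path, "rb") as f:                            # time of use
        return f.read()

def safe_read_after_check(path, between=None):
    # Hardened: open once, validate the descriptor with fstat(), and read
    # through that same descriptor, so check and use refer to one inode.
    with open(path, "rb") as f:
        if int(os.fstat(f.fileno()).st_mtime) != EXPECTED_MTIME:
            raise ValueError("file changed since it was approved")
        if between:
            between()                                      # same window
        return f.read()

def make_trusted_file(directory):
    # Constructed fixture: a file carrying the approved mtime.
    path = os.path.join(directory, "config.txt")
    with open(path, "wb") as f:
        f.write(b"trusted contents")
    os.utime(path, (EXPECTED_MTIME, EXPECTED_MTIME))
    return path

def swap_in_window(path):
    # A concurrent writer that replaces the path inside the race window.
    # os.replace() is an atomic rename: the name now maps to a new inode.
    def swap():
        with open(path + ".staged", "wb") as f:
            f.write(b"swapped contents")
        os.replace(path + ".staged", path)
    return swap

def demo():
    # Returns (unsafe_result, safe_result) for the same swap in the window.
    directory = tempfile.mkdtemp()
    path = make_trusted_file(directory)
    unsafe = unsafe_read_after_check(path, swap_in_window(path))
    path = make_trusted_file(directory)                    # reset fixture
    safe = safe_read_after_check(path, swap_in_window(path))
    return unsafe, safe
```

The hardened version only closes the window between check and use; the stale-timestamp problem the reviewer describes still needs the mtime check itself, which both versions keep.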