[ Book Review ] :: CISSP Training Kit (Microsoft Press Training Kit) 1st Edition

This year (2015) is the year the CISSP changes from a 10-domain test to an 8-domain test, beginning April 15, 2015. I teach certifications, and always find these updates tricky: often the new materials don’t come until six months later. As I write almost all the new CISSP books are only “Available for pre-order.” So while I’m considering the CISSP certification, I’m looking at books for the 2012 version of the test (10 domains).


What’s nice is that a book selling for $70 a few months ago now costs a little over $40. And though this one uses the “old” domains, the infosec information itself is still completely relevant, and the practice questions alone are worth the price. (One of my top pieces of advice to students is to take lots of sample tests. They’ll point you to your weak areas faster than any other method.)


The book itself is hefty: 700+ pages of dense, small-font text and many, many long bullet lists. For better or worse, that’s the nature of the game in this area of expertise. At this level of certification, most readers are going to be able to deal with this kind of prose, though not necessarily everyone will love it. Consider:


The determination of value of the company’s good reputation is somewhat subjective, but it is certainly a valuable asset that needs protection and can be damaged by breaches of security. It is therefore a component of the risk assessment that must be quantified in order to establish an appropriate (cost-justified) level of protection. As each threat to each asset is identified and quantified, you must also determine any possible damage to the company’s reputation for the threat-related breach and additionally quantify the potential losses due to the (qualitative) damage to the company’s good reputation.


I guess some people will like that kind of prose, if that’s the kind of prose they like. I can deal with it, and I appreciate the effort for extreme clarity. Generally, though, I prefer to read – and write – text that says what’s important, simply.


When it comes to issues other than the writing style, I have to praise this book as wildly comprehensive. If you’re a network person the discussion of Layer 3 devices will be familiar ground, but accounting and patents and intellectual property protections likely won’t be. You can be versed in fire suppression issues and still be surprised by the provisions of Sarbanes-Oxley. Do one good, deep pass through the book (I recommend frequent, small chunks) followed by a pass doing spot-study of as many high points as you can identify. Then beat yourself with sample tests until you’re passing them consistently.


On the tests and questions: each certification organization has their own take on how to make things hard, ISC2 included. CompTIA questions, for example, are frequently tricky simply because of poor grammar or garbled syntax. ISC2 questions are generally quite sharp, crystal clear, and often followed by a set of choices for which you’ll need a razor to parse out the fine distinctions. Microsoft’s sample test sticks to this format beautifully, though there is only one on the included CD. But with 250 questions you can do lots of practices with 20-50 randomized questions and get the benefit of seeing familiar things side-by-side with new questions. This is definitely the high point of the kit for me; taking lots of sample tests, particularly good ones like this one, is the top technique for passing these certifications.


For any certification, I recommend not one but two books, at least. Since the newer material is still on its way, this book would be a good way to get strongly warmed up on the CISSP. Then get the best new book you can (for the 8-domain test) to finish your studies, thus buying only one top-dollar book. But that’s just my suggestion.


Full disclosure: I get textbooks for review from several sources, in this case from Pearson IT Certifications. I also work for a certifying organization (ISECOM), participate in building certifications (the OPST and SAI), write textbooks and teach at two universities (UNM and NMSU), so while I’m not the usual test subject, I am frequently the instructor.

* * *


[ Hacking Tools ] : sqlmap

sqlmap (yes, all lower-case) is a “Automatic SQL injection and database takeover tool” and a great example for my students of the goodies on GitHub.

On the hacking side, this impressive tool wraps a lot of functionality into one package. From their website:

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

From the teacher’s perspective (mine), it offers a great roadmap to the ways a database can be exploited, and not just one breed of database, but practically any DBMS in use today. And it’s a good time to teach students what git is, what a repo is and how to clone a git repo (at the very least). See it at:


* * *