Phone phreaking is absolutely fair game for the CISSP exam. I couldn’t tell you anymore how many phone phreaking questions I had to answer, but let me just say I’m glad I’d read those pages in the CBK about phone phreaking.
I wouldn’t say this 416-page book is necessary to answer the questions about phone phreaking that you’ll see on the exam (let’s face it, with all of the security issues out there, the exam can’t afford to dedicate half a dozen questions to the subject), and as such, I think it’s overkill for someone seeking to get a CISSP. But it sounds like an entertaining way to pick up some CPEs.
The author posits that phone phreaking is the predecessor to computer hacking, which is something worth remembering if you’re seeking any kind of security credential. (ISC)2 and CompTIA agree with the author on that point.
Lapsley also makes the distinction between people who were curious about how the phone system worked, and those who were merely interested in abusing it to make telephone calls, or call long-distance BBSs. That’s an important distinction, and one that lives on today. If you want to know the difference between a white-hat and black-hat hacker, that’s not a bad thing to keep in mind. A black-hat abuses; a white-hat is curious above all else.
He also answers a good question: why would AT&T build such a vast, complex system so critical to its existence and allow such security holes in it? The answer is in the question: it was an incredibly difficult problem to solve, and such an inherently complex system will by nature have some weaknesses in it that will take time to discover and fix. That’s exactly like any other security question: why would a software vendor spend billions of dollars writing software and allow security holes in it? As we all know, they fix the problems as they find them.