Month: July 2016

CompTIA Security+: Fresh look at the Test

Early last week I mentioned that I would be sitting the CompTIA Security+ exam soon. Well, soon has passed and so did I. While I feel I could have done a little better, I’m more than satisfied with my score, but we’ll break down why I feel that way in a moment.

First, disclaimer! This article does not intend to teach any course, nor do my opinions of the exam comprehensively address the topics or format of the CompTIA SYO-401 exam. Further, my only experience with this exam is the 401-series version that was current when I sat it. CompTIA’s website states that (paraphrasing) they reserve the right to change the exam at any time, and do so even between major revisions, to best keep the exam current.

Glad that’s over, both the exam and the disclaimer.

So, my plan was to go over my final review of annoying tidbits of deprecated protocols last evening, get to bed around 10, have a good night’s rest, and then go rock the test. Didn’t quite happen that way. My seven-month-old daughter got her six-month vaccines a few days ago, so the little febrile ball of adorable decided we were staying up until half past midnight. I have to give credit to my wife for addressing the baby’s fussiness for the rest of the night; she tried really hard to let me rest before the test, but I was still woken up by her cries every half hour until 4:30 a.m., at which point I gave up. I plodded into my office and began to study, or rather drooled over the Homeseer home automation system, for the next four hours. Trudged my way through the morning, and to the testing center we go!

Nothing new to see here. Same place I went to take ICND1, same setup, so let’s get into the meat of it.

I have to hand it to CompTIA because that was one of the more difficult tests I’ve had the pleasure of taking. Yes, pleasure. The exam began with what would be the hardest 3 questions I can remember on any exam. These 3 consecutive lab-like scenarios easily covered two-thirds (objectives 1-4) of the information in my books. They were a very serious brain drain and time burner. No preparation, other than understanding the material, could get you through those. You may find more, less, or none of these questions when you sit, but seriously, do not underestimate the lab questions. I would say that real-world experience with packet analyzers, signing, network design and config, PKI, 802.1x, and Linux command line saved my butt on these. These three alone took a little more than 10 minutes.

After the brain-burners, the rest of the exam was all multiple choice and multiple answer. Let’s break down what I did and didn’t see.

Let me say again that your experience would likely be very different from mine. This was my experience with the questions the engine generated for me. This isn’t a study guide.

Topics Encountered and Expected

  • Secure Network Design and Config (VLANs and Firewall/IPS/IDS placement)
  • Preventing Physical Breach, Mitigating Damage. These had really cool backstories to the questions. I’m deliberately obfuscating: “Hackers drove a bulldozer through your data center to defeat the K12-rated fence you implemented in response to a recent breach in which a Greenpeace member drove a Prius through the wall of your power-hungry data center. Which technique would you implement to stop this in the future?” Anti-tank Mines or High Explosive Mines. Anti-tank, which use shaped charges resulting in a less powerful shockwave while still disabling locomotion; important because no one will authorize new hard drives and the HE mines may exceed the G rating of the bubblegum holding together your 20 gig disks, resulting in an outage.* In all seriousness, I actually would recommend knowing your physical controls in just a tad more detail than your study guide addresses.
  • Management Controls (literally addressed each control that shows up in my books)
  • AAA systems and their appropriate use case. I think I saw LDAP, AD, multiple 802.1x strategies, RADIUS vs. TACACS/TACACS+ vs. MS DC stuff, and a few questions about which wireless encryption best protects ____ authentication scenario.
  • A surprisingly high number of scenarios addressing wireless encryption and wireless MITM attacks.
  • Mobile Device Risks, in nearly all aspects, especially asset loss management and data leakage/theft management.
  • PKI/certs. A ton of PKI fundamentals, controls, architectures, on-wire identification. (If XXXXX data was captured, where is the hash, key, data, etc.?)

Topics Not Encountered, but Expected

  • Well-Known Ports. There may have been 1, but I wouldn’t bet anything on that. I really think there may not have been a single port question on the test. That’s disappointing, as the previously mentioned deprecated protocols were the ports I was reviewing the night before.
  • Input Validation Techniques. I expected to see a question or two addressing secure PHP forms or the like. Nope.
  • Data Sharing Relationships. A few years ago I would have told you I hate the corporate jargon and goings-on of conducting business relations. On the contrary, I discovered that I’m so interested in the security side of this stuff, I was honestly looking forward to these questions.
  • Hardening…anything. Beyond “hey, do you care if I put this heavy DMZ just anywhere?”, which I wouldn’t quite call hardening anyway, and a roundabout mention of port security, nothing.
  • BYOD.

Topics Encountered and Unexpected

  • Is it foggy or is that just CLOUDS! From reviewing my score sheet, this is the only area I struggled with, and I knew it when it happened. I used a plethora of different study techniques, guides, and self-study courses. I still did not know enough about cloud security methods. This bugs me so bad, I’ve already looked through 3 books, CompTIA Certmaster and Prof Messer’s vids. None, repeat none, make any mention of the slew of acronyms I’ve never seen before. I’ll have to dig into the Cloud+ and CCNA Cloud materials in my Safari Books Online to try and see where my deficiency is.
  • Fire Suppression Methods. Don’t know why but I didn’t expect to see it. Studied it, but honestly didn’t think it would make the exam.

Topics Not Encountered and Unexpected

Wait, what?

The Test in General

Overall, the test was actually quite well rounded. While not every buzzword and definition appeared as a choice, most of my materials either framed a question, fuzzed the question, or appeared as an answer. I get the feeling CompTIA fuzzed these questions quite a lot to both create confusion in those who spent a bit less time preparing and also just to try to get everything in the exam. I think the average question was 4-6 sentences with only one or two sentences of useful information.

Process of elimination would have also been hit or miss. Many potential answers were similarly worded, the correct acronym was often mixed into alphabetically alike groups, or there would be two or three very correct answers. With wordplay, I tend to do best going with my gut. On the other hand, when more than one answer is correct, often a small clue stood out on the fourth read-through, or the correct answers would all make up items in the more correct group. Some questions were very subjective, but I tried to imagine what the best practice would be if I were the IEEE and this critical production system could wait 10 years for RFCs to address the issue. I’m not joking. I tried to think “what would a room full of more experienced engineers likely do if no one was yelling at them.”

Other than what I mentioned above, the test and questions were well structured. I got the impression that the test became less difficult as I went on. It honestly seems to follow objectives 1-6 in order, but that’s probably all in my head. The questions managed to both camouflage the details while also somehow being very succinct and reasonable to comprehend. Challenging, but not hard as long as you understand the material. I am more than satisfied with my score, but I was very unsure when I ended the test. I feel like a test capable of vouching for skills should shake up the test-taker even if you score a perfect 900. That’s the hallmark of a test capable of conveying your skills to an employer.

That’s all I remember right now. As with A+ and CCENT, I used many study tools. The ones I recommend are at the bottom of this post, though I will go ahead and say to try finding the most recent references possible, assuming a reputable source, as I imagine my cloud deficiency has something to do with my 2-year-old books. I cannot stress enough the importance of exposing yourself to security chatter, especially if you’re a more junior engineer, like myself, with limited exposure to the material. There are a ton of Sec news sites, relays, and blogs like Krebs on Security, Daily Dave, CSO Online, etc., but my favorite way to stay current is by listening to podcasts. Details also below. I will likely annotate this post after looking back through some materials, so give yourself a reminder to check back in a couple of weeks, or you can always subscribe to my blog. I would be quite humbled, and I could use a good humbling.

*Don’t use mines. Bad form.

My Favorite Study Aids

I’m subjectively scoring them on how well they prepare you for the test including material, costs, and how closely the medium addresses/simulates the exam.

  • (7/10) Web – CompTIA Certmaster for Security+ SYO-401
  • (8/10) Web – Security+ Practice Quizzes
  • (9/10) Android App – CompTIA Security+ SYO-401 Prep by Darril Gibson and Konnect L.L.C.
  • (8/10) CompTIA Security+ Certification Guide SYO-401, 2nd Edition by Glen E. Clarke
  • (6/10) Mike Meyers’ CompTIA Security+ Certification Guide. Newer, but put me to sleep. Better cloud coverage and slightly more real-world relevance, but more detail than tested.
  • (infinite/10) 3 Podcasts: Risky Business, TWIT’s SecurityNow, and Defensive Security. A great way to turn your commute into a general background and goings-on of IT Sec.

Supporting my Path

My desk bookshelf looks awesome. A+, Sec+, Network+, Linux+, CWTS, CEH, command line guides for Cisco and HP, Python and HTML guides, a stack of LinuxUser magazines, MCSA 2012, O’Reilly, Cisco Press, ExamCram, Odom, Lammle, Tracy, a few printed comical RFCs, and that’s without getting into the mess that is my Safari Books Online queue. Am I going to get certified in each topic? No, likely not, but I really hope to use something from each.

I have my CCENT; next week I test for Security+, and after that I will finish the second half of CCNA R&S. I have optimistic plans of getting both CCIE R&S and Sec as well as CASP in the next 8 years. I am very interested in ISP or Big Data network security right now, though I reserve the right to change my interest. Specifically, I like learning about the configuration of those distinctly different networks and their threats. So, what’s with the rest of the alphabet soup plaguing my shelves?

The majority of my book collection is non-networking and non-security. My last full-time job was as a network/sysadmin, with a large portion of my time on the support and systems side. So why am I, as a driven and focused IT dude, wasting so much time on everything else? Simply: Understanding.

When I first moved into the Cisco world, I optimistically planned to have a CCNA in under 3 months. I was set back a bit by medical issues in my family, but the biggest barrier has been my lack of knowledge around supporting systems. There’s no point in having a network without packets to move. With that in mind, each book focuses on a personally novel skill set in my overall understanding of how the layer 1-4 network provides services to the layer 4-7 computing infrastructure. For example, my A+ books taught me far more about how all computers, from switches all the way to mainframes, actually work. Server+ and MCSA helped me with domain administration in my last job, which led me to light up a FreeRADIUS server in my home lab, expanding my understanding of AAA, on an Ubuntu 14.04 server I learned how to use from Linux+ books. That job also allowed me to build skills in desktop virtualization, including VMware Player and Oracle VirtualBox, skills I would need to troubleshoot images in GNS3.

Now, I know what you’re thinking: “You can Google much of how to do this.” That’s true, very true, but on listening to Ethan, Greg, and Drew of the Packet Pushers Podcast, as well as Steve Gibson of TWIT’s Security Now, I’ve decided to try my best to be a well-rounded “Full-Stack” engineer. Yes, I’m tooting my own horn a bit, but I also think this is a requirement for the IT pros of the future, especially for small and medium-sized companies. Will a company want to consult an expensive net engineer for each vMotion? No, they will want their virtualization team to have the skills needed to complete the job. Do you as the IPS pro want to break something each time you tweak a rule? Of course not, so you have an understanding of the application traffic on your network and how that application interacts with supporting services both on your network and in the cloud. Best of all, what beautiful world would we live in if most Java or (god forbid) Flash devs had an in-depth understanding of application attacks, defensive code, and security in depth? Imagine a corporate application designed to cooperate with NIPS, HIPS, host firewall/AV, the expensive black box, and everything in between. Told you it’s a beautiful image!

I want to be the network engineer who can sit at the table with the dev folks, systems guys, database team, and management and work together with an understanding of how my piece of the puzzle best fits together with not just the adjacent pieces, but the overarching picture. I’m young and naive, but I think my assortment of books supports that goal and it’s who I’m striving to be.