Your job may require you to get CompTIA’s Security+ certification. The U.S. Department of Defense has their DOD 8570 requirement for their personnel and that of many of their contractors, and I am seeing other employees of other government agencies (U.S. and foreign) and private industry needing the certification.
The bad news is that it’s a difficult exam that is getting more difficult.
I enjoy teaching Learning Tree’s Security+ test prep course, but in order to teach the course I must pass the exam every year. It’s getting tougher and tougher. Here are my suggestions for getting through it.
First, consider taking Learning Tree’s course. I’m not saying this to round up business for Learning Tree or teaching opportunities for myself. It’s simply that it’s the best preparation I know of.
Now, why do I say that?
The exam, to be frank, is awful. The more you know about actual cybersecurity, the harder the exam gets. You know how the technology works, but you must spend your limited exam time anguishing over CompTIA’s horribly written, vague, confused and confusing questions.
They ask about extremely outdated topics, like the importance of terminators on Thicknet or 10BASE5 Ethernet. Notice that the Wikipedia page on 10BASE5 is written in the past tense and gets some of its illustrations from a history museum. Or Warchalking, something briefly of interest in 2002 and seldom used since.
In other questions, in order to get the points you must select something that is true but not the major point to cybersecurity practitioners. Yes, spyware could reveal the sequence of web sites you visited, but I would be far more concerned about theft of stored data or capture of keystrokes.
Then there are the truly awful questions where the answer they accept as correct is the one most at odds with reality, like what they think dipole antennas can do.
I first took the Security+ exam in 2005, and it wasn’t nearly this bad. You were tested for your knowledge of real-world security issues that, for the most part, were reasonably recent and relevant. The question quality has gotten worse over time.
So, how to prepare for the current mess of an exam?
Take the Security+ exam prep course. That provides you with software that is an excellent simulation of the real exam, including all its flaws. It is not a verbatim “brain-dump” of the actual material, as that is not allowed. But it very realistically exposes you to the format, the areas of coverage, and the awkward and vague wording of the real exam.
In the class we discuss each domain in depth and then do a practice exam using the same quiz software you use in your self-study. This shows you the areas you still don’t know after one pass through the material.
Now go back into the course notes. Hopefully that will jog your memory, you will remember how your instructor explained it and possibly provided a real-world example or analogy. We humans do well with stories. We’re not so good with tables of TCP port numbers, although there’s a little of that in preparing for the exam.
If you still don’t get it, don’t worry, there’s a handout textbook that accompanies the course notes. You don’t want to sit down and try to read straight through that textbook. Use it just to get a second explanation of the topics that are more difficult for you.
Now have a look at the study guide handout from the course. Highlight this difficult topic if it’s already in there, add it and highlight it if needed. Here comes my unexpected suggestion:
You are not allowed to take anything into the testing center. But make the crib sheet you would like to take in.
You can’t take it into the test room, but the process of making that sheet will teach it to you. You have to think back through the material, select what matters, narrow that down to what really matters (because you have to write that on your sheet), and then organize all that into whatever collection of lists and tables and sketches that works for you.
Get to the testing center early, and sit in the waiting area for one last pass through your annotated study guide and crib sheet. You only have to remember things long enough to get into the testing room and write them on the provided note pad.
Don’t ask me what TCP ports are used by FTP tunneled through SSL/TLS. Like the rest of the world I use SFTP for secure file transfer. But since CompTIA insists that I be able to tell them that FTP/S uses 990/TCP and 989/TCP, about once a year I “know” that for about 10 minutes. (Full disclosure: I had to look that up, my OpenBSD
/etc/services file doesn’t even list such an obscure and seldom-used thing!)
Good luck on the exam, and I’ll see you in the course!
PS – If you are looking at CompTIA’s A+, Network+ or Cloud Essentials Certifications, learn more about our exam prep courses here.