What’s Happening To The CompTIA Security+ Exam?

I recently taught Learning Tree’s CompTIA Security+ test-prep course and a student asked a question I couldn’t answer.

This wasn’t a technical question. If it had been, I would have known the answer or else I could have found it. But he asked:

“Look, I do desktop support. I help set up and move desktop computers, run Ethernet cables to plug them into the network, and fix jams and replace the paper and toner in printers. Why does the DoD think that all this material on management decisions, contracts, web programming techniques, plus who knows what else, somehow makes me better at my job?”

I agree, and can’t explain the reasoning. Security+ is a mile wide, an inch deep, and tough to take. It can be hard to see its point. And it’s getting tougher.

Back in the Day

I took the CISSP test in 2003. I was shocked by how faulty that exam was. Several questions contained obvious errors. Nonsense like: “An IP datagram (IP stands for ‘Internet Packet’), has a TTL field. What is …” No, not “Packet”, it’s “Protocol”!

I took the Security+ test for the first time in 2005. I started taking it roughly annually in 2008 when I started teaching Learning Tree’s then-new Security+ course.

At the time I saw that Security+ had a few quirks, but it was nowhere near as faulty as the CISSP exam. It was also more practical than CISSP. You can only accomplish a limited amount with a multiple-choice test, but Security+ really seemed to judge practical knowledge for the people doing the work.

Test Decay

Since then, the Security+ test has gone downhill. I’m sure that the changes are designed to drive the pass rate down. It wouldn’t seem very elite if people said that it wasn’t hard, they didn’t have to study much at all and passed it with no problem. CompTIA wants it to continue as a DoD Directive 8570.01-M requirement, and to spread out through government and industry.

Their problem is that the field just isn’t that difficult. So what do you do to drive down the pass rate? Find arbitrary ways to make the test harder. One technique is to add irrelevancies. A more powerful technique requires the test-taker to recite fictions.

As my student asked, how does it help cyber security if network technicians can recite the difference between a Business Partnership Agreement and a Memorandum Of Understanding?

A lot of Network+ material has leaked into Security+. What possible cyber security advantage is gained by knowing the data rate of Bluetooth? And if I really need to know that, why do I have to answer “1 Mbps” to get the point for the question? The real answer is 721 kbps for Bluetooth v1.2, 2.1 Mbps for v2.0.

Then there are the ancient history questions. Warchalking had a brief surge of interest in 2002. It’s uncertain that it ever really happened. Maybe it was just briefly discussed. CompTIA added questions about warchalking about 12 years after its brief quasi-appearance.

It gets worse. Most Thicknet (or 10BASE5) Ethernet had been replaced by the mid-1990s. Wikipedia describes it in the past tense. Two decades later, in 2015, questions appeared asking what might happen if you remove the terminator from the end of a section of Thicknet.

10BASE5 or Thicknet cable and transceiver (Wikimedia Commons image)

What Changes Are Coming?

CompTIA designates the Security+ exam as SY0-x01. The SY0-301 exam was replaced by SY0-401 over the second half of 2014. SY0-401 was launched in May of that year, although you could take SY0-301 through December 31st. We’re due for another major change in the coming year.

CompTIA has ISO/IEC 17024 certification. ISO/IEC 17024 means that you are certified to run a certification program. This focuses on having well-documented processes including scheduled exam revisions.

CompTIA says that the Security+ exam “is scheduled to be updated to SY0-501 for the summer of 2017” and there will be an overlap of approximately six months in which you can choose to take either the SY0-401 or SY0-501 version. That’s vague enough to allow some wiggle room. My guess is that SY0-401 will end on December 31, 2017. End of year, end of the test, like SY0-301 and 2014. Meanwhile, the SY0-501 exam will appear sometime roughly “in the summer”.

What Will Be New?

I expect more questions about virtualization and cloud computing. SIEM (Security Information and Event Management) is conspicuously missing from the exam. There are already questions about smartphones and tablets, but I expect more. UEFI firmware and its security features have been standard for about a decade, so they’re due to appear. Maybe more about phishing leading to ransomware.

My Advice

Remember that saying, “Better the devil you know than the devil you don’t.” We have a pretty good idea of what the SY0-401 exam is like, warts and all. It will take a while to figure out SY0-501. Newly released exams tend to be volatile, with several unannounced additions and changes over the first year.

If you’re going to need Security+, do it now. Learning Tree’s test-prep course does a good job of preparing you. I say that as a happy user of the course material, as I have to re-take the exam roughly every year.
