
CompTIA Security+ Guidance
CompTIA Security+ Compressed into Zen Koans
The best way that I know of to prepare for the CompTIA Security+ certification exam is to take Learning Tree's test prep course. The most helpful thing of all is the quiz software you get with that course, as it is the most realistic simulation of the exam that I've seen. The next most helpful thing for final review is one of its handouts.
This page is just an overview of some of the philosophy behind the design of that test (hence the pictures from the Zen Buddhist temple in Japan).
Be aware that CompTIA pretends that one major release of their exam is a long-term static document. They say that after over 3 years of the SY0-301 exam being the Security+ exam, in a form that never changed, the SY0-401 exam appeared and suddenly was the only form of the exam for the following four and a half years.
No. Not at all.
They release a major upgrade, such as SY0-301 to SY0-401, to SY0-501, every 3 to almost 5 years. But during that 3 to nearly 5 years of a given exam, it evolves through a series of entirely unannounced and unacknowledged updates.
These "mid-course adjustments" may be minor tweaks to what the exam covers, or they may be more significant. As a general rule, a given exam major release gets progressively worse during the time CompTIA says it's "the" current version.
SY0-501 was a much better exam than its predecessor, at least when it first came out.
See my detailed rant if you want to know just how bad the SY0-401 exam was. You had to memorize historical trivia that hadn't mattered for over two decades, and much of the rest of the exam required you to recite fiction.
Let's Move Forward!
I have compiled a list of distinctive CompTIA sayings you can use against them to easily get points for questions that otherwise are misleading or make little sense. Hopefully these can be succinct and thought-provoking like koans. The main goal is to get through that stupid test.
I also have a list of things you need to know that are not included in CompTIA study material.
I could imagine that a safe at CompTIA headquarters contains a book made up of a few hundred sentences, plus "Memorize this table of TCP and UDP port numbers", plus "we assume you know these parts of Network+". If you could memorize that book of sentences, like memorizing some ritual, you would know the answers to almost all of the questions. I know the exact form of some of those sentences. For example:
Acceptable use policy is enforced by URL and content filtering.
Yes, you could save two words and put it in the active voice, "URL and content filtering enforce acceptable use policy", but it's the first form that appears on the test.
Many are simple:
AES is the best symmetric cipher.
Kerberos is the best single-sign-on system.
Logs and audits enforce accountability.
Some take two sentences, the first will be in the question and the second is in the answer:
A manager wants to deploy a new application. Tell them "Refer to the risk analysis."
It can be helpful to know a little of the background:
Symmetric ciphers should be used on data. (Because they are efficient, and data can be large)
Asymmetric ciphers protect the negotiations and keys. (That is, they do the endpoint authentications and set up symmetric session keys)
This is not the study guide, this tells you how to use the study guide.
Take the course to get the quizzer, notes, handouts, and the textbook.
First use the quizzer software to see what you need to learn.
Then use the course notes to see if that jogs your memory. If not, read the relevant sections in the textbook.
Then mark Handout #1 to highlight what you need to review before the real test.

Suggestions
You can't take anything into the testing room, but make the crib sheet you would like to take in. The process of thinking back, "What do I need to know?", and organizing that and writing it down makes you learn it.
Think like a devious test writer. Let's say you're uncertain about this cluster of related concepts: MTTR, MTBF, RTO, RPO, BCP, COO, DRP. Try to write your own multiple-choice questions involving these! Make it so it could be answered, but avoid giving away the answer. Then look at what you wrote — how could you make it tougher while still possible to answer? This will force you to think carefully about the topic, and realize how information still leaks through in the question and exposes some information about what choices are right or wrong.
Explain it to someone. Explain the concepts you find difficult to someone else. Maybe you have a study partner. If not, children are pretty tolerant of having things explained to them, and dogs are extremely tolerant. You have to think about a thing carefully to talk about it, and you have to come to some understanding to explain it.
Understand the test. Realize that the test does not try to measure if you are a skilled practitioner. The test is aimed at managers who need to communicate with technical experts. It's a vocabulary test to see if you can use the right words even if you don't really know much at all about what you're talking about.
CompTIA Security+ Philosophy
These aren't necessarily the answers themselves, but guidance for dealing with the exam questions.
A mile wide and an inch deep, go no deeper.
Pick the simple answer for the common case. No scenario is for you, it's for the mythical test-taker.
Reality helps with concepts, but not specifics.
He who says "At work we must do X and Y so that Z can then happen" has strayed from the path of wisdom.
He who says "I can imagine a scenario where X and then Y could lead to Z" has gone even further off the path.
Even a silly sounding policy is always correct.
Involve management.
Protocol analyzers have many important security uses.
Know the crypto flowcharts to visualize the answer. How do you do these, which key is used first by the sender, and which key is used last by the receiver:
• Symmetric encryption for confidentiality
• Asymmetric encryption for confidentiality
• Asymmetric encryption for authentication
• Digital signature
• HMAC
Be able to put things into order.
"What is the first step ... last step in this process?"
"Which is the most ... least intrusive vulnerability analysis?"
"Order of volatility (OOV) is"
1: Memory/CPU registers and processes
2: Routing and ARP tables
3: Swap and temporary files
4: Disk drives read with a read-only controller
5: Logs
6: Physical configuration
7: Backups
Be able to put things into categories within sets.
Detective, Preventative, Corrective
Technical, Management, Operational
Symmetric, Asymmetric
Encrypting, Encoding, Hashing
Authenticating, Authorizing, Auditing
and so on.
When you are told the name, job title, department, and the often-irrelevant current task of every player in a little story, read past those quickly. They're there to slow you down.
Language
The best way I can describe this is to warn you to be careful about language.
Some questions include a list of things that are true, that are useful, and they appear within the list of choices. Be careful to find what they are asking for within that list. For example, a question might look like this:
Question: You want to use a system that can protect communication by authenticating the server, and also providing a copy of the server's public key in a trustworthy format. A provider of trusted certificates will only provide one when you follow their rules. There is a protocol that you can use to check in real time whether a certificate should be trusted or not. You must have a copy of the currently untrusted certificates locally, to reduce network traffic. Rather than a complete copy of the key, you may refer to its hash instead. There are ways to prevent a breach today from exposing secrets based on keys in the past. What do you need?
A: TLS
B: CPS
C: OCSP
D: CRL
E: thumbprint
F: PFS
Each of the sentences in the above question refers to one of the choices, and I have made it easy by putting the choices in the same order:
"a system that can ..." = TLS or Transport Layer Security
"the rules" = CPS or Certificate Practices Statement
"a protocol" = OCSP or Online Certificate Status Protocol
"copy of the revoked keys" = CRL or Certificate Revocation List
"its hash" = thumbprint
"exposure today doesn't expose keys from the past" = PFS or Perfect Forward Secrecy
You have to work backward through the English. "What do you need?" is the actual question. All the choices are relevant and true, but only one answers the question.
One of the sentences says "You must have", versus stating that item X provides feature Y and so on.
That one corresponds to a local copy of the CRL, which is a relatively uncommon or unneeded step. This makes it a better question from the CompTIA point of view. Less common makes it more challenging.
Yes, the question is sort of about TLS in general. But the question, once we find it, is about a specific topic (having a list of invalid keys) rather than about TLS in general (authenticating the server and its public key).
Network+ Knowledge
I have heard from two sources that the U.S. Department of Defense and CompTIA have had some rather intense discussions.
The first story that I heard described how, around late 2017, US DoD told CompTIA to quit the nonsense with questions about mid-1990s concerns, like Thicknet and Teardrop and Smurf Amplifiers. And also, cut out all the fiction, all the questions where you have to pick a specific wrong answer to get the point.
The second story described CompTIA's exasperation at the number of test-takers who didn't know much at all about networking. OK, DoD people, realize that:
CompTIA expects that most people taking Security+ have already passed Network+, or they could pass it if they took it.
Know Basic Network Command Output
I think that CompTIA is trying to include some of the CEH (or Certified Ethical Hacker) requirement to recognize basic command output. Not much, just a little. But they want you to do some very introductory level CEH work of interpreting tool output.
You need to interpret the output of commands showing IP address assignment, ping, traceroute, and, I think, netstat.
This doesn't seem to be mentioned at all in CompTIA's description of their exam, so I will briefly explain.
IP Address Assignment
Linux
The old way on Linux involves the ifconfig command:
$ ifconfig
enp3s0    Link encap:Ethernet  HWaddr 42:01:0a:8a:00:03
          inet addr:169.254.10.216  Bcast:169.254.255.255  Mask:255.255.0.0
          inet6 addr: fe80::4001:aff:fe8a:3/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:148 errors:0 dropped:0 overruns:0 frame:0
          TX packets:213 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:44485 (44.4 KB)  TX bytes:32929 (32.9 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1840 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1840 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:554583 (554.5 KB)  TX bytes:554583 (554.5 KB)

wlo1      Link encap:Ethernet  HWaddr 68:a3:c4:70:f1:73
          inet addr:192.168.11.50  Bcast:192.168.11.255  Mask:255.255.255.0
          inet6 addr: fe80::c87a:16ce:3a61:8f0c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:58124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:74797563 (74.7 MB)  TX bytes:3995897 (3.9 MB)
We can no longer trust ifconfig, the ip command is the new way:
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 42:01:0a:8a:00:03 brd ff:ff:ff:ff:ff:ff
    inet 169.254.10.216/16 brd 169.254.255.255 scope link enp3s0:avahi
       valid_lft forever preferred_lft forever
    inet6 fe80::4001:aff:fe8a:3/64 scope link
       valid_lft forever preferred_lft forever
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 68:a3:c4:70:f1:73 brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.50/24 brd 192.168.11.255 scope global dynamic wlo1
       valid_lft 172742sec preferred_lft 172742sec
    inet6 fe80::c87a:16ce:3a61:8f0c/64 scope link
       valid_lft forever preferred_lft forever
What do you need to know about the above for the Security+ exam?
IPv4 addresses are 32-bit strings. They are represented as four base-10 numbers in the range 0-255, separated by dots. In the above, the software loopback or "localhost" interface lo gets 127.0.0.1, the wired Ethernet interface enp3s0 gets 169.254.10.216, and the wireless interface wlo1 gets 192.168.11.50. It's "lo" for loopback, "e" for Ethernet, "wl" for wireless.
In particular, you should recognize:
Loopback or lo is assigned 127.0.0.1/8, meaning that the first 8 bits or 127.*.*.* define the network. That means communication within this host only.
The wired Ethernet or enp3s0 was assigned 169.254.10.216/16, meaning that 169.254.*.* is the network itself, and 169.254.10.216 is this device in particular. Know that 169.254.*.* is the "AutoConf" address block. An assignment here means that there is no DHCP server on this network.
The wireless Ethernet or wlo1 was assigned 192.168.11.50/24. 192.168.*.* means "inside only" or private IP address space. 192.168.11.0/24 means a chunk within that.
Simplified, this means:
127.*.*.* = "localhost", communication only within this one computer.
169.254.*.* = "AutoConf", automatic configuration, called Bonjour or Rendezvous among other names by Apple. Communication within the LAN, there is no functioning DHCP server.
As for "link-only" or "inside-only" addresses, these are private IP address spaces:
10/8 = 10.0.0.0/8 = 10.*.*.*
172.16/12 = 172.16.0.0/12 = 172.16.*.* - 172.31.*.*
192.168/16 = 192.168.0.0/16 = 192.168.*.*
You need a NAT router, or a proxy gateway doing NAT, to communicate with external servers. And CompTIA is fussy about the terms, it's actually NAT/PAT for what you usually use.
IPv6
These addresses are 128 bits long, represented in base 16 or hexadecimal, 0-9 plus a-f, with colons between 16-bit or 4-character chunks that may be compressed together. You don't need to know much beyond:
::1 or ::1/128 = localhost in IPv6
fe80::*/64 = link-local-only IPv6, on the local LAN but not routable to the outside world.
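The recognition drill above (loopback, AutoConf, RFC 1918 private, IPv6 link-local) is easy to check mechanically. The following is an added example, not part of the original page: it parses the `ip addr` layout shown earlier into interface-to-address lists and labels each address with the exam's categories using Python's standard `ipaddress` module. The sample listing is constructed from the output above with the `valid_lft` lines trimmed; the label strings are my own wording.

```python
import ipaddress
import re

# Constructed sample, trimmed from the "ip addr" listing above:
# interface header lines plus the inet/inet6 lines we care about.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 42:01:0a:8a:00:03 brd ff:ff:ff:ff:ff:ff
    inet 169.254.10.216/16 brd 169.254.255.255 scope link enp3s0:avahi
    inet6 fe80::4001:aff:fe8a:3/64 scope link
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 68:a3:c4:70:f1:73 brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.50/24 brd 192.168.11.255 scope global dynamic wlo1
    inet6 fe80::c87a:16ce:3a61:8f0c/64 scope link
"""

# The RFC 1918 "inside only" blocks listed on the page.
PRIVATE_V4 = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ip_addr(text):
    """Map each interface name in 'ip addr' output to its address/prefix strings."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^\d+:\s+([^:@\s]+)", line)   # "2: enp3s0: <...>"
        if header:
            current = header.group(1)
            interfaces[current] = []
            continue
        addr = re.match(r"^\s+inet6?\s+(\S+)", line)      # "inet 192.168.11.50/24 ..."
        if addr and current is not None:
            interfaces[current].append(addr.group(1))
    return interfaces


def classify(addr_text):
    """Label an address the way the exam expects you to recognize it."""
    addr = ipaddress.ip_interface(addr_text).ip   # drop the /prefix, keep the host address
    if addr.is_loopback:                           # 127.0.0.0/8 or ::1
        return "loopback: this host only"
    if addr.is_link_local:                         # 169.254.0.0/16 or fe80::/10
        if addr.version == 4:
            return "autoconf: 169.254/16, no DHCP server answered"
        return "link-local IPv6: on the LAN, not routable outside"
    if addr.version == 4 and any(addr in net for net in PRIVATE_V4):
        return "private RFC 1918: needs NAT/PAT to reach the Internet"
    return "routable: public address"


def report(text):
    """Return {interface: [(address, label), ...]} for a whole 'ip addr' listing."""
    return {ifname: [(a, classify(a)) for a in addrs]
            for ifname, addrs in parse_ip_addr(text).items()}


if __name__ == "__main__":
    for ifname, entries in report(SAMPLE_IP_ADDR).items():
        for address, label in entries:
            print(f"{ifname:8} {address:30} {label}")
```

The order of the checks matters: `ipaddress` also counts 127/8 and 169.254/16 as "private", so loopback and link-local are tested first and only the three RFC 1918 blocks are reported as needing NAT/PAT.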
ping
Recognize errors. In the following, we are directly connected, plugged into the same switch. However, that other host isn't up. Our host, 192.168.11.12, is reporting that the target, 192.168.11.88, is unreachable. It recognizes that the target is on the same LAN, so it should be able to use ARP to find the target hardware address, but it can't.
$ ping 192.168.11.88
PING 192.168.11.88 (192.168.11.88) 56(84) bytes of data.
From 192.168.11.12 icmp_seq=1 Destination Host Unreachable
From 192.168.11.12 icmp_seq=2 Destination Host Unreachable
From 192.168.11.12 icmp_seq=3 Destination Host Unreachable
From 192.168.11.12 icmp_seq=4 Destination Host Unreachable
^C
In the following, the host is a few router hops away and it isn't responding. Nothing came back. You might see some router between here and there reporting that it's unreachable. Here, it's silent failure.
$ ping whatever.example.com
PING whatever.example.com (128.46.144.53) 56(84) bytes of data.

--- whatever.example.com ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4079ms
In the following, we asked for a name that doesn't exist. Either we misspelled it, or the relevant DNS server is lacking a record.
$ ping foo.example.com
ping: unknown host foo.example.com
traceroute
It's spelled tracert on Windows.
Recognize DNS errors as above.
The output will resemble something like the following, with one line per router along the way, and three probes to each router. Line 1 is hop #1, line 2 is the router 2 hops away, and so on.
If you don't get a response within the timeout period, you see "*" instead of a time. A line with three stars means the router at that distance did not respond at all. If you see its names or IP addresses and then a mix of times and stars, it responded some and timed out some.
An unending series of probes that entirely timed out means either that it reached the target and the target didn't respond (very common for web servers), or that the network is broken beyond the last router that responded.
Finally, slightly inconsistent DNS configurations may make things a little more confusing.
Here is an example. I was staying at a hostel in Fukuoka, Japan, when I updated this page. I asked for a trace to the Purdue Federal Credit Union in West Lafayette, Indiana, U.S.A. I explicitly asked for the IP addresses to be converted back to fully-qualified domain names. Depending on your version of the tool, it may provide nothing but IP addresses by default.
This example shows some of the potential DNS oddities.
The name www.purduefed.com is an alias, the canonical name is simply purduefed.com. Then, the hosting company has not changed the PTR record mapping back from IP address to name. It used to do business as Purdue Employees Federal Credit Union, using the domain purdueefcu.com, which appears as the last hop.
$ traceroute --resolve-hostnames www.purduefed.com
traceroute to purduefed.com (72.12.218.18), 64 hops max
 1  192.168.11.1  8.789 ms  5.242 ms  2.219 ms
 2  r081.fkoknt01.ap.so-net.ne.jp (218.221.253.61)  11.886 ms  18.253 ms  9.495 ms
 3  tn02gi6.fkoknt01.ap.so-net.ne.jp (210.132.216.89)  6.779 ms  7.018 ms  8.796 ms
 4  note-13Vl638.net.so-net.ne.jp (202.223.119.213)  27.055 ms  54.929 ms  46.687 ms
 5  202.213.194.61  23.846 ms  32.668 ms  27.771 ms
 6  202.213.194.33  26.746 ms  31.092 ms  25.822 ms
 7  ae-4.a01.tokyjp05.jp.bb.gin.ntt.net (120.88.53.9)  24.472 ms  29.946 ms  91.634 ms
 8  ae-24.r03.tokyjp05.jp.bb.gin.ntt.net (129.250.6.83)  27.009 ms  32.079 ms  26.424 ms
 9  * * *
10  ae-12-12.car1.Louisville1.Level3.net (4.69.140.213)  191.316 ms  430.565 ms  395.326 ms
11  WINTEK-CORP.car1.Louisville1.Level3.net (4.59.184.106)  392.432 ms  220.610 ms  203.536 ms
12  72.12.218.10  214.017 ms  374.270 ms  343.802 ms
13  www.purdueefcu.com (72.12.218.18) [open]  462.688 ms  263.595 ms  399.409 ms
Hop #1 is the wireless access point in the hostel. 192.168.0.0/16 is a private block of IP addresses commonly used by small routers.
Hops #2-4 are across the so-net.ne.jp network in Japan.
Hops #5 and 6 are routers in the 202.213.194.0/24 network. That network also belongs to so-net.ne.jp, but they have not set up DNS pointer records and so we only see IP addresses, not names (I used the whois command to figure out who owned those addresses). You could say that this represents an error in the form of missing DNS data. It's really only a problem for easily interpreting traceroute output, so I would only select that as an error if I couldn't find anything else.
Hops #7 and 8 are across ntt.net, a major network provider in Japan.
Hop #9 timed out all three times. That router dropped the timed-out packets, but it did not return ICMP error reports for that. Later steps returned results, so this router was not responding as expected although it could successfully forward packets. Again, I don't see this as an error, but I had to pick something, this seems to me to be a better choice than the lack of DNS pointer records for hops 5-6.
Hops #10 and 11 are across level3.net routers, a major world-wide provider. The round-trip times generally increase, but look how much larger they are for hop #10. The router at hop #8 was in Japan, then hop #10 was in the U.S.
Hop #12 is another router whose IP address doesn't resolve back to a name. The 72.12.192.0/19 range (that is, 72.12.192.0 through 72.12.223.255) belongs to Wintek, a network provider in Lafayette, Indiana.
Hop #13 is the destination.
Other than the three sent to hop #9, all the individual packets returned ICMP reports. Sometimes just 1 or 2 packets will time out, and you see "*" instead of a time.
Sometimes you will notice that every packet is routed individually. The 3 packets sent with a given TTL may take different routes, leading to 2 or 3 hostnames or IP addresses reported on the corresponding line.
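Everything the hop-by-hop walkthrough above picks out by eye (the all-stars hop, the hops with no PTR record, the jump in round-trip time when the path leaves Japan) can be pulled out of the text automatically. This is an added example, not part of the original page: a small parser for the traceroute layout shown above, with the hop numbers, names, addresses and times copied from that run into a constructed sample string. The finding labels are my own.

```python
import re
from statistics import median

# Constructed sample laid out like the traceroute run above; hop numbers, names,
# addresses and times are copied from that run.
SAMPLE_TRACEROUTE = """\
traceroute to purduefed.com (72.12.218.18), 64 hops max
 1  192.168.11.1  8.789 ms  5.242 ms  2.219 ms
 2  r081.fkoknt01.ap.so-net.ne.jp (218.221.253.61)  11.886 ms  18.253 ms  9.495 ms
 3  tn02gi6.fkoknt01.ap.so-net.ne.jp (210.132.216.89)  6.779 ms  7.018 ms  8.796 ms
 4  note-13Vl638.net.so-net.ne.jp (202.223.119.213)  27.055 ms  54.929 ms  46.687 ms
 5  202.213.194.61  23.846 ms  32.668 ms  27.771 ms
 6  202.213.194.33  26.746 ms  31.092 ms  25.822 ms
 7  ae-4.a01.tokyjp05.jp.bb.gin.ntt.net (120.88.53.9)  24.472 ms  29.946 ms  91.634 ms
 8  ae-24.r03.tokyjp05.jp.bb.gin.ntt.net (129.250.6.83)  27.009 ms  32.079 ms  26.424 ms
 9  * * *
10  ae-12-12.car1.Louisville1.Level3.net (4.69.140.213)  191.316 ms  430.565 ms  395.326 ms
11  WINTEK-CORP.car1.Louisville1.Level3.net (4.59.184.106)  392.432 ms  220.610 ms  203.536 ms
12  72.12.218.10  214.017 ms  374.270 ms  343.802 ms
13  www.purdueefcu.com (72.12.218.18) [open]  462.688 ms  263.595 ms  399.409 ms
"""

NAMED_RE = re.compile(r"(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")   # "name (a.b.c.d)"
BARE_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")          # address shown without a name
TIME_RE = re.compile(r"([\d.]+)\s+ms")


def parse_traceroute(text):
    """Turn each hop line into a dict of names, unresolved addresses, RTTs and stars."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.*)$", line)
        if not m:
            continue                       # the "traceroute to ..." header line
        number, rest = int(m.group(1)), m.group(2)
        named = NAMED_RE.findall(rest)
        hops.append({
            "hop": number,
            "names": [name for name, _ in named],
            # what is left after removing "name (ip)" pairs is an IP with no PTR record
            "unresolved": BARE_IP_RE.findall(NAMED_RE.sub("", rest)),
            "times": [float(t) for t in TIME_RE.findall(rest)],
            "stars": rest.count("*"),
        })
    return hops


def diagnose(hops):
    """List (hop, finding) pairs that a reader of this output should notice."""
    findings = []
    for h in hops:
        if h["stars"] and not h["times"]:
            findings.append((h["hop"], "no response to any probe"))
        elif h["stars"]:
            findings.append((h["hop"], "some probes timed out"))
        if h["unresolved"] and not h["names"]:
            findings.append((h["hop"], "no DNS PTR record"))
    return findings


def largest_rtt_jump(hops):
    """(from_hop, to_hop, ms): the biggest rise in median RTT between consecutive
    responding hops, which in the run above is where the path crossed the Pacific."""
    responding = [(h["hop"], median(h["times"])) for h in hops if h["times"]]
    best = None
    for (a, ra), (b, rb) in zip(responding, responding[1:]):
        if best is None or rb - ra > best[2]:
            best = (a, b, round(rb - ra, 3))
    return best


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACEROUTE)
    for hop, finding in diagnose(hops):
        print(f"hop {hop:2}: {finding}")
    print("largest RTT jump:", largest_rtt_jump(hops))
```

Using the median of the three probes rather than the minimum or mean keeps one slow probe (like the 91.634 ms at hop #7) from looking like a hop-to-hop jump; hop #9, which never answered, is simply skipped when comparing neighbours.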
netstat
The netstat command can display many things, depending on the command-line option. Routing table with -r, Ethernet interface statistics with -i, and so on. The -a option asks for the state of all services, and -n means leave it numeric, don't try to use DNS to map back to host names. Here's a real example, from my server:
$ netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.138.0.3.22          184.16.205.240.50966   ESTABLISHED
tcp4       0      0  127.0.0.1.9000         127.0.0.1.37632        TIME_WAIT
tcp4       0      0  127.0.0.1.11628        127.0.0.1.9000         TIME_WAIT
tcp4       0      0  10.138.0.3.443         62.231.124.172.42117   TIME_WAIT
tcp4       0      0  10.138.0.3.443         62.231.124.172.42115   TIME_WAIT
tcp4       0      0  127.0.0.1.12042        127.0.0.1.9000         TIME_WAIT
tcp4       0      0  10.138.0.3.443         5.148.56.100.50820     TIME_WAIT
tcp4       0      0  10.138.0.3.443         176.212.20.116.11111   FIN_WAIT_2
tcp4       0    185  10.138.0.3.443         176.212.20.116.11394   LAST_ACK
tcp4       0     31  10.138.0.3.443         77.88.11.254.46154     LAST_ACK
tcp4       0      0  10.138.0.3.443         61.146.63.211.5028     ESTABLISHED
tcp4       0      0  10.138.0.3.443         46.229.168.84.48366    TIME_WAIT
tcp4       0      0  10.138.0.3.443         46.229.168.75.58818    TIME_WAIT
tcp4       0      0  10.138.0.3.443         92.84.229.82.55000     ESTABLISHED
tcp4       0   4582  10.138.0.3.443         92.84.229.82.54999     ESTABLISHED
tcp4       0      0  10.138.0.3.80          130.15.4.209.46944     TIME_WAIT
tcp4       0      0  10.138.0.3.80          46.229.168.70.15234    TIME_WAIT
tcp4       0      0  10.138.0.3.443         78.109.23.1.27269      TIME_WAIT
tcp4       0      0  10.138.0.3.443         61.146.63.211.4989     TIME_WAIT
tcp4       0      0  10.138.0.3.443         78.109.23.1.16889      TIME_WAIT
tcp4       0      0  10.138.0.3.443         80.42.127.171.55336    ESTABLISHED
tcp4       0      0  10.138.0.3.443         109.178.61.69.39398    FIN_WAIT_2
tcp4       0      0  *.443                  *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.9000         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
udp4       0      0  127.0.0.1.123          *.*
udp4       0      0  10.138.0.3.123         *.*
udp4       0      0  *.123                  *.*
udp4       0      0  *.514                  *.*
"LISTEN" indicates that a service process is listening for connections. "ESTABLISHED" means that a client is currently connected and transferring data. Other TCP states, including "LAST_ACK", "TIME_WAIT", "FIN_WAIT", and "FIN_WAIT_2", indicate that we caught a connection in the process of being established or shut down.
Notice in the above that SSH is listening for new connections on TCP/22, and an SSH connection is currently established. That's me connected in from 184.16.205.240, running the netstat command.
My server accepts connections over HTTP (TCP/80), and immediately redirects the client to the same URL over HTTPS (TCP/443). That's called HTTPS redirect, it's best practice for security, you need to know that on the test.
Let's say you instead saw just this output:
$ netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.138.0.3.22          184.16.205.240.50966   ESTABLISHED
tcp4       0      0  127.0.0.1.9000         127.0.0.1.37632        TIME_WAIT
tcp4       0      0  127.0.0.1.11628        127.0.0.1.9000         TIME_WAIT
tcp4       0      0  127.0.0.1.12042        127.0.0.1.9000         TIME_WAIT
tcp4       0      0  10.138.0.3.80          130.15.4.209.46944     TIME_WAIT
tcp4       0      0  10.138.0.3.80          46.229.168.70.15234    TIME_WAIT
tcp4       0      0  10.138.0.3.80          173.187.65.22.50598    ESTABLISHED
tcp4       0      0  10.138.0.3.80          212.3.84.1.55989       ESTABLISHED
tcp4       0      0  10.138.0.3.80          212.3.84.1.55987       ESTABLISHED
tcp4       0      0  10.138.0.3.80          212.3.84.1.55988       TIME_WAIT
tcp4       0      0  10.138.0.3.80          212.3.84.1.55986       TIME_WAIT
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.9000         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
udp4       0      0  127.0.0.1.123          *.*
udp4       0      0  10.138.0.3.123         *.*
udp4       0      0  *.123                  *.*
udp4       0      0  *.514                  *.*
The question might be:
Users are reporting that they can't access the financial department's secure web page. What is wrong?
A: The web server is down
B: The server is up but its web service isn't running
C: The certificate has expired
D: The certificate has been revoked
E: HTTPS isn't enabled
F: A firewall is blocking connections
The server is obviously running because I was able to run the command, so it isn't A.
The web service is running because one line shows that it's listening on port 80 and other lines show current connections on that port. So, it isn't B.
Problems with the certificate happen after the connection is established. They don't have anything to do with TCP connections, which is what netstat shows you. C and D could be problems, and users might describe their results as "can't access", but they're asking us about netstat output.
The netstat output tells what's happening on that one system, so we don't see explicit information about what's happening out on the network. It won't tell us "a firewall is blocking connections". F could be a problem, but...
The answer is E, the web server process is not listening on port 443. We expect to see at least the one line saying "LISTEN". It might happen to not have any active connections at the moment, but it should be listening.
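The reasoning that eliminates A, B, C, D and F from `netstat` output alone can be written down as a check. This is an added example and not part of the original page: it parses the BSD-style `netstat -an` layout used above (addresses written as `host.port`), separates listeners bound to every interface from those bound only to 127.0.0.1, and applies the page's elimination logic to the "secure web page" question. The two sample listings are constructed, abridged copies of the two outputs above; the verdict strings are my own.

```python
# Constructed samples, abridged from the two netstat listings above
# (BSD-style "host.port" addresses, as on the page).
HEALTHY = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.138.0.3.22          184.16.205.240.50966   ESTABLISHED
tcp4       0      0  10.138.0.3.443         61.146.63.211.5028     ESTABLISHED
tcp4       0      0  10.138.0.3.80          130.15.4.209.46944     TIME_WAIT
tcp4       0      0  *.443                  *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.9000         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
udp4       0      0  *.123                  *.*
udp4       0      0  *.514                  *.*
"""

NO_HTTPS = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.138.0.3.22          184.16.205.240.50966   ESTABLISHED
tcp4       0      0  10.138.0.3.80          173.187.65.22.50598    ESTABLISHED
tcp4       0      0  10.138.0.3.80          212.3.84.1.55988       TIME_WAIT
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.9000         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
udp4       0      0  *.123                  *.*
udp4       0      0  *.514                  *.*
"""


def split_host_port(field):
    """'10.138.0.3.443' -> ('10.138.0.3', 443); '*.80' -> ('*', 80); '*.*' -> ('*', None)."""
    host, _, port = field.rpartition(".")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket line of 'netstat -an' output."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue                                   # banner and column-header lines
        local_host, local_port = split_host_port(fields[3])
        foreign_host, foreign_port = split_host_port(fields[4])
        sockets.append({
            "proto": fields[0],
            "local_host": local_host, "local_port": local_port,
            "foreign_host": foreign_host, "foreign_port": foreign_port,
            "state": fields[5] if len(fields) > 5 else "",  # UDP lines have no state column
        })
    return sockets


def tcp_listeners(sockets):
    """Sorted (local_host, port) pairs for every TCP socket in LISTEN state."""
    return sorted((s["local_host"], s["local_port"]) for s in sockets
                  if s["proto"].startswith("tcp") and s["state"] == "LISTEN")


def network_exposed_ports(sockets):
    """TCP ports other hosts can reach: listeners not bound to 127.0.0.1 only."""
    return sorted({port for host, port in tcp_listeners(sockets) if host != "127.0.0.1"})


def established(sockets, port):
    """Foreign endpoints currently connected to the given local TCP port."""
    return [(s["foreign_host"], s["foreign_port"]) for s in sockets
            if s["local_port"] == port and s["state"] == "ESTABLISHED"]


def answer_secure_web_question(text):
    """Apply the page's elimination logic: what can netstat alone tell us?"""
    ports = network_exposed_ports(parse_netstat(text))
    if 80 not in ports and 443 not in ports:
        return "B: the server is up but its web service isn't running"
    if 443 not in ports:
        return "E: HTTPS isn't enabled, nothing is listening on TCP/443"
    return "nothing wrong is visible in netstat; certificates and the network are the next places to look"


if __name__ == "__main__":
    for label, listing in (("healthy", HEALTHY), ("no https", NO_HTTPS)):
        print(label, "->", answer_secure_web_question(listing))
```

Separating the `*` binds from the `127.0.0.1` binds is the security-relevant distinction in this output: the FastCGI-style service on 9000 and the mail submission port 25 are reachable only from the host itself, while 22, 80 and 443 are what the rest of the network sees.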
Know Basic Linux and Windows File System Locations
There are now some questions where they give you lists of files and hashes at various times, and they ask you to identify which is the sign of an intrusion.
You have to know, at a very basic level, where some files are located and which will change during routine operation.
Windows File Tampering
They may show you that the hash for a file like one of the following has changed, and ask you what it means:
C:\Windows\SysWOW64\KernelBase.dll
C:\Windows\SysWOW64\kernel32.dll
C:\Windows\System32\kernel32.dll
C:\Windows\System32\boot\*
Those are parts of the operating system itself or the boot loader, so you have been seriously hacked.
If "root kit" is a choice, select that.
Linux File Tampering
Don't panic, you don't need to know very much! But you may be asked questions that require you to know:
The kernel, the core of the OS itself, and how it boots, is based on files under /boot/*. A file vmlinuz* is the kernel itself, grub.cfg is the configuration file for the GRUB boot loader. It specifies how the kernel is loaded and started, and an attacker might boot it strangely to completely subvert security.
Executable programs relied upon by everyone including the system administrator and the operating system have bin (short for "binary") in their first or second element. That is:
/bin/*
/sbin/*
/usr/bin/*
/usr/sbin/*
Shared libraries, like DLL files in Windows, provide "one-step hacking" opportunities for an attacker. Modify a shared library, and you modify the behavior of all the dynamically linked programs, which will be most binaries on the system. They have lib (short for "library") in their first or second element. That is:
/lib/*
/lib64/*
/usr/lib/*
/usr/lib64/*
None of the things I have listed so far should change unexpectedly!
System configuration goes under /etc/*. For the most part, these files shouldn't change. However...
Almost everything about a user except their password is defined in /etc/passwd, and the hash of their current password is stored in /etc/shadow. (Yes, everything was originally in passwd, then the password hash was moved to shadow.) So, creating and modifying users changes /etc/passwd. And, when a user changes their password, /etc/shadow changes. We expect those changes.
So let's say they showed you this:
LAST WEEK:
/boot/grub/grub.cfg:  6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0: d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:          02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:          71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:           5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls               b79f70b18538de0199e6829e06b547e079df8842

TODAY:
/boot/grub/grub.cfg:  6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0: d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:          02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:          9a4fb74ef00824d6e84785ad53d6fed364947778
/etc/hosts:           5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls               b79f70b18538de0199e6829e06b547e079df8842
The file /etc/shadow changed, but we expect this, so the answer is that there's probably nothing to worry about.
What about this:
LAST WEEK:
/boot/grub/grub.cfg:  6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0: d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:          02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:          71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:           5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls               b79f70b18538de0199e6829e06b547e079df8842

TODAY:
/boot/grub/grub.cfg:  6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0: d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:          7c6fa9266a5abfa03d685ea7f7164393c984b710
/etc/shadow:          9a4fb74ef00824d6e84785ad53d6fed364947778
/etc/hosts:           5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls               b79f70b18538de0199e6829e06b547e079df8842
Both /etc/shadow and /etc/passwd changed, you probably added a new user, adding one new line to each file. Or maybe you modified a user (changing passwd) and coincidentally someone changed their password (changing shadow). Again, no worry.
What about this?
LAST WEEK:
/boot/grub/grub.cfg:  6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0: d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:          02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:          71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:           5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls               b79f70b18538de0199e6829e06b547e079df8842

TODAY:
/boot/grub/grub.cfg:  6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0: d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:          02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:          71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:           9c5bbcbdc2994a9835b8804b9ffa699935715a34
/bin/ls               b79f70b18538de0199e6829e06b547e079df8842
Intrusion! Someone has modified a system configuration file! See /etc/hosts.
What about this?
LAST WEEK:
/boot/grub/grub.cfg:  6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0: d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:          02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:          71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:           5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls               b79f70b18538de0199e6829e06b547e079df8842

TODAY:
/boot/grub/grub.cfg:  6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0: cfc34c90281bbed47540c6288ec975a4602ee3df
/etc/passwd:          02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:          71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:           5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls               b79f70b18538de0199e6829e06b547e079df8842
This is worst of all! Someone has replaced the file containing the kernel. Once you reboot after such a change, you are running the intruder's operating system. This is a sign of a root kit.
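The four LAST WEEK / TODAY comparisons above all follow one rule: a change under /boot, in a binary or a shared library, or in an /etc file other than passwd and shadow is an intrusion, and a change only to passwd and shadow is routine. This is an added example, not part of the original page: a baseline comparison that parses the page's hash-list layout (tolerating both the `path: hash` and the `path hash` forms shown), applies that rule, and reports the worst finding first. The LAST WEEK listing and the four TODAY deltas are copied from the listings above; the verdict strings are my own wording.

```python
# Constructed baseline in the layout of the page's LAST WEEK listing
# (paths and hashes copied from it).
LAST_WEEK = """\
/boot/grub/grub.cfg: 6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0: d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd: 02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow: 71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts: 5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls b79f70b18538de0199e6829e06b547e079df8842
"""

# The four TODAY listings above, expressed as only the hashes that differ from LAST WEEK.
TODAY = {
    "password change":   {"/etc/shadow": "9a4fb74ef00824d6e84785ad53d6fed364947778"},
    "new user":          {"/etc/passwd": "7c6fa9266a5abfa03d685ea7f7164393c984b710",
                          "/etc/shadow": "9a4fb74ef00824d6e84785ad53d6fed364947778"},
    "hosts file edited": {"/etc/hosts": "9c5bbcbdc2994a9835b8804b9ffa699935715a34"},
    "kernel replaced":   {"/boot/vmlinuz-4.13.0": "cfc34c90281bbed47540c6288ec975a4602ee3df"},
}

# Files that routine user administration is expected to change.
EXPECTED_TO_CHANGE = {"/etc/passwd", "/etc/shadow"}
# Locations the page says should never change unexpectedly.
BOOT = ("/boot/",)
BINARIES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
LIBRARIES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_hash_list(text):
    """'path: hash' or 'path hash' lines -> {path: hash}."""
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            path, digest = line.replace(":", " ").split()
            hashes[path] = digest
    return hashes


def changed_files(baseline, current):
    """Paths whose hash differs, plus any file that appeared or vanished."""
    return sorted(p for p in set(baseline) | set(current)
                  if baseline.get(p) != current.get(p))


def assess(baseline, current):
    """Return (verdict, offending paths), worst finding first, the way the exam reads it."""
    changed = changed_files(baseline, current)
    boot = [p for p in changed if p.startswith(BOOT)]
    if boot:
        return "root kit: kernel or boot loader replaced", boot
    code = [p for p in changed if p.startswith(BINARIES + LIBRARIES)]
    if code:
        return "intrusion: system binary or shared library modified", code
    config = [p for p in changed if p.startswith("/etc/") and p not in EXPECTED_TO_CHANGE]
    if config:
        return "intrusion: system configuration file modified", config
    if changed:
        return "routine: only user-administration files changed", changed
    return "clean: nothing changed", []


def assess_scenario(name):
    """Apply one of the TODAY deltas to the baseline and assess the result."""
    baseline = parse_hash_list(LAST_WEEK)
    return assess(baseline, {**baseline, **TODAY[name]})


if __name__ == "__main__":
    for name in TODAY:
        verdict, paths = assess_scenario(name)
        print(f"{name:18} -> {verdict} {paths}")
```

Checking the set union of both listings, not just the baseline, means a file that newly appears under /bin or /lib (which the page's lists never show, but a real integrity check would) is reported rather than silently ignored.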
Someone responded to this unannounced addition to the test by saying that CompTIA was probably just beta-testing potential Linux+ questions. No. The Linux+ test doesn't get into these issues at all. It's much more about "which command does what?" and memorizing the synopsis line and first paragraph of a large number of manual pages.
CompTIA Wants You To Know Some Specific Sayings
I don't know exactly what CompTIA means by some of these distinctive phrases. But that doesn't matter because all I need to know is that these are the right answers.
"Business Continuity" means "3-4 days after and continuing from there."
"Contingency Planning" is for one very specific problem.
"The first step in Disaster Recovery Planning is a Business Impact Analysis."
"Job rotation" is preventative.
"Enforced vacation" is detective.
"Job rotation" might have kept Nixon and Agnew in office.
Impersonation is when a person pretends to be another person.
Warm sites can start in under a week.
Hot sites are always ready right now, so they're expensive.
Both behavior-based and anomaly-based IDS must observe for a while to learn the local baseline. They mention "exceptions or broken protocol rules" when they're talking about anomaly-based.
Privilege escalation is used to mean two very different things, use the context to figure out which one they're talking about:
- During an annual review of user rights, you notice someone has accumulated privileges while rotating through jobs. There's no attack, but they no longer need some of those privileges.
- During an attack, the intruder is replaying captured privileges or running a buffer overflow to transition from low-privileges user to sysadmin.
When they ask "What would be the very best way...", they are implying "...if expense and complexity don't matter." For example: diesel generators, HSMs, Kerberos, biometric door locks, and SELinux in full enforcing mode. Kerberos and SELinux are free software, but complex to manage. The others cost a lot of money.
What Color Is The Sky in the CompTIA Universe?
CompTIA consistently insists that a number of things are not the way they are in the real world. Shrug and mark the correct answer.
All routers have ACLs and all are default deny. Always.
The entire Internet contains nothing but Windows desktops, plus a few Windows servers. Except for once in a while Linux appears out of the blue: ssh / scp / sftp, root, SELinux (a.k.a. NSA Security-Enhanced Linux), /etc/passwd and /etc/shadow, plus the above about file system tampering.
NetStumbler is the only way to discover WLANs, and AirSnort is the only way to break WEP.
Role-Based Access Control is an easy hierarchical way to administer authorizations. (Because CompTIA thinks that Windows group policies are real RBAC.)
CompTIA Likes to Confuse You
Here are some confusingly similar or overlapping topics ideal for setting up tricky multiple-choice questions:
CompTIA uses the phrase Rule-Based Access Control just to confuse you about Role-Based Access Control, which is what the rest of the world means by RBAC.
OTP stands for both One-Time Password (at first login you must change it) and One-Time Pad (the only truly secure cipher). MAC stands for three very different security concepts.
People in hats: | White | Grey | Black |
Techniques in boxes: | White | Grey | Black (with Fuzzing) |
IDS and anti-malware errors: | False Positive | False Negative |
Biometric authentication errors: | False Acceptance | False Rejection |
Behavior upon an error: | Fail Safe | Fail Open |
What do digital certificates contain?
- server's public key, or
- server's private key, or
- CA's public key, or
- CA's private key.
With lost phone questions, are we trying to track down and recover the hardware asset, or remotely wipe the data, or keep the finder from making calls on our bill? Or some combination of those goals?
This isn't trickiness, but many questions are effectively two or more questions in one. For example:
Julie, a left-handed Episcopalian network engineer in the software development department, needs to encrypt some large files containing sensitive customer data in order to fulfill compliance requirements. Her manager is emphasizing the importance because these are medical records. What should she use?
- RSA
- AES
- DES
- ECC
Once you have waded through the intentionally distracting and time-wasting clutter, you have the real question: how do you encrypt large data sets? First part: the general answer is symmetric ciphers, but that isn't a choice. Second part: now look through the list for examples of those: AES and DES. Third part: realize that AES is (by far) the better choice.
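Why "symmetric cipher" is the answer for large files, as an added example in Go (my code, not from this page or from CompTIA): RSA alone cannot encrypt a large file at all, since RSA-OAEP with a 2048-bit key and SHA-256 is limited to 190 bytes per operation, so real systems encrypt the file with AES (here AES-256-GCM, which also authenticates the data) and use RSA only to wrap the 32-byte AES key. The Envelope type, function names and the constructed "medical records" sample are my assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope holds the output of hybrid ("envelope") encryption: the bulk data
// is encrypted with a random AES-256 key (symmetric, fast, any size) and
// only that 32-byte key is encrypted with RSA (asymmetric, tiny payload).
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(dataKey); 256 bytes for a 2048-bit key
	Nonce      []byte // AES-GCM nonce, 12 bytes, must be unique per key
	Ciphertext []byte // AES-GCM output with the 16-byte auth tag appended
}

// seal encrypts plaintext of any length for the holder of pub.
func seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	// The only thing RSA ever encrypts is the 32-byte data key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// unseal reverses seal; GCM's tag check fails if any ciphertext byte was altered.
func unseal(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// directRSA tries to encrypt the data with RSA alone. RSA-OAEP with a
// 2048-bit key and SHA-256 carries at most 256 - 2*32 - 2 = 190 bytes,
// so anything larger is refused with rsa.ErrMessageTooLong.
func directRSA(pub *rsa.PublicKey, data []byte) error {
	_, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, data, nil)
	return err
}

// roundTrip generates a throwaway 2048-bit RSA key pair, seals and unseals
// plaintext, and reports whether the data survived and whether encrypting
// it directly with RSA was rejected as too long.
func roundTrip(plaintext []byte) (recovered bool, rsaRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	env, err := seal(&priv.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	out, err := unseal(priv, env)
	if err != nil {
		return false, false, err
	}
	rejected := errors.Is(directRSA(&priv.PublicKey, plaintext), rsa.ErrMessageTooLong)
	return bytes.Equal(out, plaintext), rejected, nil
}

func main() {
	// Constructed sample: about 1.3 MB of fake "medical record" lines, not real data.
	records := bytes.Repeat([]byte("patient record line\n"), 1<<16)
	ok, rejected, err := roundTrip(records)
	fmt.Printf("AES-256-GCM + RSA-OAEP round trip ok: %v (err=%v)\n", ok, err)
	fmt.Printf("RSA alone rejected the %d-byte file: %v\n", len(records), rejected)
}
```

This is the same division of labor the exam expects you to recognize in TLS, PGP and S/MIME: the asymmetric algorithm (RSA or ECC) handles key exchange or key wrapping, and the symmetric cipher (AES) handles the data. DES would work mechanically but its 56-bit key is far too short for sensitive records.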
Security+ isn't Network+, except when it is
CompTIA assumes that this is your third certification. You probably got A+ (PC hardware and Windows desktop fundamentals) two or three years ago, and you did Network+ maybe a year ago, and you have been working in those areas since then, if not longer. Hmmm. Maybe.
This is despite Security+ being partly aimed at managers who need to talk to technical people without understanding the technology.
A glaring example is the presence of UDP and TCP port numbers plus three IP protocol numbers in the question pool. It just depends on luck, which questions you happen to draw. You might get no questions at all about these, but you might get 10 to 12 questions in which you need to know some of these numbers.
Protocol       | TCP port  | UDP port | IP proto
CIFS           | 445       |          |
DHCP           |           | 67 / 68  |
DNS            | 53        | 53       |
FTP            | 20 / 21   |          |
FTP/S          | 990 / 989 |          |
HTTP           | 80        |          |
HTTP/S         | 443       |          |
IMAP2          | 143       |          |
IMAP/S         | 993       |          |
Kerberos       | 88        | 88       |
LDAP           | 389       | 389      |
LDAP/S         | 636       | 636      |
MS SQL         | 1433      |          |
NetBIOS        | 139       | 139      |
POP3           | 110       |          |
POP3/S         | 995       |          |
RADIUS         |           | 1812     |
RDP            | 3389      |          |
SMTP           | 25        |          |
SNMP           | 161       | 161      |
SNMP trap      | 162       | 162      |
SSH, sftp, scp | 22        |          |
TACACS         | 49        |          |
Telnet         | 23        |          |
ICMP           |           |          | 1
IPsec ESP      |           |          | 50
IPsec AH       |           |          | 51
IKE            |           | 500      |
SIP            | 5060      | 5060     |
What about a study book?
The least bad one is the CompTIA Security+ Study Guide: Exam SY0-501 by Sybex. It's based on CompTIA's material, but that means that it only tells you some of the truth. I haven't noticed anything in that book that contradicts what they want you to say on the test, but:
- Some material on the test is not covered in the book.
- Some material in the book is not included in the test.
So you will waste some time, energy, and memory on things you don't really need to know, and you won't have seen some of the topics you need to know. And this is the best book available...
What About Other On-Line Practice Exams?
There are many on-line practice tests. Many of them contain many irrelevant things that aren't on the real test, while omitting many things that are on the real test. Others are shady operators that move from domain to domain. Sometimes you will find that there are both .com and .org variants for a given domain, each of which redirects you to completely different unrelated domains.
There once was aiоtеstking.com, as in "all-in-one test king". In mid-2017 they seem to have migrated to briеfmеnоw.com and then to briеfmеnоw.org. By November 2017, the two briеfmеnоw domains had entirely different content, then a month later the .com one was an empty site. Meanwhile, aiоtеstking.com now directs you to еxamcollеction.com, which has a mix of paid and supposedly free content.
Sybex, Transcender, and others run legitimate practice exam sites. That means that they don't have verbatim question content, but they're reasonably close.
Lead2Pass also has had test questions with very good explanations.
Cram.com has questions in the form of a game or a puzzle. The format is very different from the real test, but that's good as it makes you think about the same thing a different way. It has a few things that aren't in the real test, but during the last year or two of the SY0-401 exam, most of it exactly covered the content.
www.briefmenow.org has had questions, but what they claim are the answers are often wrong.
Warning: As of June 2018, it appears that neither Lead2Pass nor Cram.com have SY0-501 material.
Further warning: While of course you would never look at "brain dump" sites with verbatim material, and therefore this warning is irrelevant... Some verbatim web sites have screen shots of actual questions, accompanied by wrong "explanations" of what the correct answers are.
A student from one course event got in touch with me later, saying that Quizlet.com had been very helpful.
The Pictures I Draw When Teaching
I draw several pictures when I teach the course. I also type up some lists. It's pretty much the same set of pictures and lists every time. If you took the course from me, you can download a typical set of them. But beware: these are from the SY0-401 version, I still need to capture a set from a SY0-501 course event.
Good luck!
Now you know a little more about how to think about the awful questions on this test.
Mark up Handout #1 to use it as your study guide. Go through the notes in the 3-ring binder and see what you highlighted. For the ones you don't yet know, highlight them on Handout #1. You might find some things mentioned on this page that you want to highlight or add to the handout.
Now you're on your way to making your own one-page crib sheet. The smaller your study guide or crib sheet becomes, the more you already know and the less you have to be reminded of.
Re-do the Short Quiz A versions to see how it's going. Then read sections of the textbook or look back through the acronyms or whatever as needed. When Short Quiz A becomes too easy, try Short Quiz B. Then "All Questions" for that domain.

Let us know how you did! Especially let us know if there were any surprises on the exam, any questions on topics we don't yet realize we need to cover.