Fountain and plaques at a Buddhist temple.

CompTIA Security+ Guidance

CompTIA Security+ Compressed into Zen Koans

The best way that I know of to prepare for the CompTIA Security+ certification exam is to take Learning Tree's test prep course. The most helpful thing of all is the on-line quiz you get with that course. It is the most realistic simulation of the exam that I've seen. I have just a few example questions here, nothing like the 900+ questions in the on-line tool.

Be aware that CompTIA pretends that one major release of their exam is a long-term static document. They say that after over 3 years of the SY0-301 exam being the Security+ exam, in a form that never changed, the SY0-401 exam appeared and suddenly was the only form of the exam for the following four and a half years.

No. Not at all.

They release a major upgrade, such as SY0-301 to SY0-401, to SY0-501, every 3 to almost 5 years. But during that 3 to nearly 5 years of a given exam, it evolves through a series of entirely unannounced and unacknowledged updates.

My rant about how horribly bad the SY0-401 exam was

These "mid-course adjustments" may be minor tweaks to what the exam covers, or they may be more significant. As a general rule, a given exam major release gets progressively worse during the time CompTIA says it's "the" current version.

SY0-501 was a much better exam than its predecessor, at least when it first came out.

See my detailed rant if you want to know just how bad the SY0-401 exam was. You had to memorize historical trivia that hadn't mattered for over two decades, and much of the rest of the exam required you to recite fiction.

Let's Move Forward!

I have compiled a list of distinctive CompTIA sayings you can use against them to easily get points for questions that otherwise are misleading or make little sense. Hopefully these can be succinct and thought-provoking like koans. The main goal is to get through that stupid test.

I also have a list of things you need to know that are not included in CompTIA study material.

I could imagine that a safe at CompTIA headquarters contains a book made up of a few hundred sentences, plus "Memorize this table of TCP and UDP port numbers", plus "we assume you know these parts of Network+". If you could memorize that book of sentences, like memorizing some ritual, you would know the answers to almost all of the questions. I know the exact form of some of those sentences. For example:

Acceptable use policy is enforced by URL and content filtering.

Yes, you could save two words and put it in the active voice, "URL and content filtering enforce acceptable use policy", but it's the first form that appears on the test.

Many are simple:

AES is the best symmetric cipher.

Kerberos is the best single-sign-on system.

Logs and audits enforce accountability.

It can be helpful to know a little of the background:

Symmetric ciphers should be used on data. (Because they are efficient, and data can be large)

Asymmetric ciphers protect the negotiations and keys. (That is, they do the endpoint authentications and set up symmetric session keys)

This is not the study guide; it tells you how to use the study guide.

Take the course to get the quizzer, notes, handouts, and the textbook.

First use the quizzer software to see what you need to learn.

Then use the course notes to see if that jogs your memory. If not, read the relevant sections in the textbook.

Then build your study guide to highlight what you need to learn, and then review right before the real test.

Suggestions

You can't take anything into the testing room, but make the crib sheet you would like to take in. The process of thinking back, "What do I need to know?", and organizing that and writing it down makes you learn it.

Think like a devious test writer. Let's say you're uncertain about this cluster of related concepts: MTTR, MTBF, RTO, RPO, BCP, COO, DRP. Try to write your own multiple-choice questions involving these! Make it so it could be answered, but avoid giving away the answer. Then look at what you wrote — how could you make it tougher while still possible to answer? This will force you to think carefully about the topic, and realize how information still leaks through in the question and exposes some information about what choices are right or wrong.

Explain it to someone. Explain the concepts you find difficult to someone else. Maybe you have a study partner. If not, children are pretty tolerant of having things explained to them, and dogs are extremely tolerant. You have to think about a thing carefully to talk about it, and you have to come to some understanding to explain it.

Understand the test. Realize that the test does not try to measure if you are a skilled practitioner. The test is aimed at managers who need to communicate with technical experts. It's a vocabulary test to see if you can use the right words even if you don't really know much at all about what you're talking about.

CompTIA Security+ Philosophy

These aren't necessarily the answers themselves, but guidance for dealing with the exam questions.

A mile wide and an inch deep, go no deeper.

Pick the simple answer for the common case. No scenario is for you; it's for the mythical test-taker.

Reality helps with concepts, but not specifics.

He who says "At work we must do X and Y so that Z can then happen" has strayed from the path of wisdom.

He who says "I can imagine a scenario where X and then Y could lead to Z" has gone even further off the path.

Even a silly sounding policy is always correct.

Involve management.

Protocol analyzers have many important security uses.

Know the crypto flowcharts to visualize the answer. How do you do these, which key is used first by the sender, and which key is used last by the receiver:
• Symmetric encryption for confidentiality
• Asymmetric encryption for confidentiality
• Asymmetric encryption for authentication
• Digital signature
• HMAC

Be able to put things into order.
"What is the first step ... last step in this process?"
"Which is the most ... least intrusive vulnerability analysis?"
"Order of volatility (OOV) is"
 1: Memory/CPU registers and processes
 2: Routing and ARP tables
 3: Swap and temporary files
 4: Disk drives read with a read-only controller
 5: Logs
 6: Physical configuration
 7: Backups

Be able to put things into categories within sets.
Detective, Preventative, Corrective
Technical, Management, Operational
Symmetric, Asymmetric
Encrypting, Encoding, Hashing
Authenticating, Authorizing, Auditing
and so on.

When you are told the name, job title, department, and the often-irrelevant current task of every player in a little story, read past those quickly. They're there to slow you down.

Language

Be careful about language.

Some questions include a list of things that are true and useful, and those same things appear among the answer choices. Be careful to find what the question actually asks for within that list.

Example Question #1

Question: You want to use a system that can protect communication by authenticating the server, and also providing a copy of the server's public key in a trustworthy format. A provider of trusted certificates will only provide one when you follow their rules. There is a protocol that you can use to check in real time whether a certificate should be trusted or not. You must have a copy of the currently untrusted certificates locally, to reduce network traffic. Rather than a complete copy of the key, you may refer to its hash instead. There are ways to prevent a breach today from exposing secrets based on keys in the past. What do you need?

A: TLS
B: CPS
C: OCSP
D: CRL
E: thumbprint
F: PFS

Example Question #2

Question: Your CEO has met with the CEO of another company, and they have agreed to work together to develop a new service. Authentication and identity management will be connected across the two organizations. Given the sensitivity of the development project, user authentication and authorization will use a centralized server running the best available trusted third-party service. Users will receive identity and service tokens from a unified authentication and authorization service, which requires that system clocks be synchronized across the organizations. Applications will be limited to those written with the API of that service. What do you need?

A: BPA
B: Federation
C: Kerberos
D: KDC
E: NTP
F: Kerberization

Network+ Knowledge

I have heard from two sources that the U.S. Department of Defense and CompTIA have had some rather intense discussions.

The first story that I heard described how, around late 2017, US DoD told CompTIA to quit the nonsense with questions about mid-1990s concerns, like Thicknet and Teardrop and Smurf Amplifiers. And also, cut out all the fiction, all the questions where you have to pick a specific wrong answer to get the point.

The second story described CompTIA's exasperation at the number of test-takers who didn't know much at all about networking. OK, DoD people, realize that:

CompTIA expects that most people taking Security+ have already passed Network+, or they could pass it if they took it.

Know Basic Network Command Output

I think that CompTIA is trying to include some of the CEH (Certified Ethical Hacker) requirement to recognize basic command output. Not much compared to CEH, just a little, but they want you to do some very introductory-level CEH-style interpretation of tool output.

Far more than you need to know about network commands

You need to interpret the output of commands showing IP address assignment, ping, traceroute, and netstat.

This doesn't seem to be mentioned at all in CompTIA's description of their exam, so I will briefly explain.

IP Address Assignment

Linux

The old way on Linux involves the ifconfig command:

$ ifconfig
enp3s0    Link encap:Ethernet  HWaddr 42:01:0a:8a:00:03
          inet addr:169.254.10.216  Bcast:169.254.255.255  Mask:255.255.0.0
          inet6 addr: fe80::4001:aff:fe8a:3/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:148 errors:0 dropped:0 overruns:0 frame:0
          TX packets:213 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:44485 (44.4 KB)  TX bytes:32929 (32.9 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1840 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1840 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:554583 (554.5 KB)  TX bytes:554583 (554.5 KB)

wlo1      Link encap:Ethernet  HWaddr 68:a3:c4:70:f1:73  
          inet addr:192.168.11.50  Bcast:192.168.11.255  Mask:255.255.255.0
          inet6 addr: fe80::c87a:16ce:3a61:8f0c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:58124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:74797563 (74.7 MB)  TX bytes:3995897 (3.9 MB)

ifconfig is deprecated and no longer reliable on modern Linux; the ip command is the new way:

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 42:01:0a:8a:00:03 brd ff:ff:ff:ff:ff:ff
    inet 169.254.10.216/16 brd 169.254.255.255 scope link enp3s0:avahi
       valid_lft forever preferred_lft forever
    inet6 fe80::4001:aff:fe8a:3/64 scope link 
       valid_lft forever preferred_lft forever
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 68:a3:c4:70:f1:73 brd ff:ff:ff:ff:ff:ff
    inet 192.168.11.50/24 brd 192.168.11.255 scope global dynamic wlo1
       valid_lft 172742sec preferred_lft 172742sec
    inet6 fe80::c87a:16ce:3a61:8f0c/64 scope link 
       valid_lft forever preferred_lft forever

What do you need to know about the above for the Security+ exam?

IPv4 addresses are 32 bits long. They are represented as four base-10 numbers in the range 0-255, separated by dots. In the above, the software loopback or "localhost" interface lo gets 127.0.0.1, the wired Ethernet interface enp3s0 gets 169.254.10.216, and the wireless interface wlo1 gets 192.168.11.50. It's "lo" for loopback, "e" for Ethernet, "wl" for wireless.

My page on IP addresses and subnets has far more than you need to know for Security+

In particular, you should recognize:

Loopback or lo is assigned 127.0.0.1/8, meaning that the first 8 bits or 127.*.*.* define the network. That means communication within this host only.

The wired Ethernet or enp3s0 was assigned 169.254.10.216/16, meaning that 169.254.*.* is the network itself, and 169.254.10.216 is this device in particular. Know that 169.254.*.* is the "AutoConf" address block. An assignment here means that there is no DHCP server on this network.

The wireless Ethernet or wlo1 was assigned 192.168.11.50/24. 192.168.*.* means "inside only" or private IP address space. 192.168.11.0/24 means a chunk within that.

Simplified, this means:

127.*.*.* = "localhost", communication only within this one computer

169.254.*.* = "AutoConf", automatic configuration, called Bonjour or Rendezvous among other names by Apple. Communication within the LAN, there is no functioning DHCP server.

As for "link-only" or "inside-only" addresses, these are private IP address spaces written in three equivalent ways:

10/8
10.0.0.0/8
10.*.*.*

172.16/12
172.16.0.0/12
172.16.*.* - 172.31.*.*

192.168/16
192.168.0.0/16
192.168.*.*

You need a NAT router, or a proxy gateway doing NAT, to communicate with external servers. CompTIA is fussy about the terms: what you usually use is actually NAT/PAT.

IPv6

These addresses are 128 bits long, represented in base 16 or hexadecimal, 0-9 plus a-f, with colons between 16-bit or 4-character chunks that may be compressed together. You don't need to know much beyond:

::1 or ::1/128 = localhost in IPv6
fe80::/64 = link-local-only IPv6, on the local LAN but not routable to the outside world.
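
Here is an added example, not from the original page: a small Python script that parses the ip addr output above and labels each address the way the exam wants you to (localhost, AutoConf meaning no DHCP, private space that needs NAT/PAT, IPv6 link-local). The sample input is this page's own ip addr listing, trimmed; the function names are mine.

```python
import ipaddress
import re

# Address blocks called out above, checked in this order. (The ipaddress
# module also reports 127/8 and 169.254/16 as "private", so the more
# specific meanings have to be tested first.)
IPV4_MEANINGS = [
    (ipaddress.ip_network("127.0.0.0/8"), "localhost: traffic stays inside this host"),
    (ipaddress.ip_network("169.254.0.0/16"), "AutoConf: no working DHCP server on this LAN"),
    (ipaddress.ip_network("10.0.0.0/8"), "private (RFC 1918): needs NAT/PAT to reach outside"),
    (ipaddress.ip_network("172.16.0.0/12"), "private (RFC 1918): needs NAT/PAT to reach outside"),
    (ipaddress.ip_network("192.168.0.0/16"), "private (RFC 1918): needs NAT/PAT to reach outside"),
]
IPV6_MEANINGS = [
    (ipaddress.ip_network("::1/128"), "localhost in IPv6"),
    (ipaddress.ip_network("fe80::/64"), "link-local IPv6: local LAN only, not routable"),
]

# "ip addr" prints an interface header "N: name: <FLAGS> ..." followed by
# indented "inet A.B.C.D/len ..." and "inet6 X::Y/len ..." lines.
IFACE_RE = re.compile(r"^\d+: (?P<name>[^:@]+)[@:]")
ADDR_RE = re.compile(r"^\s+inet6? (?P<addr>[0-9a-fA-F.:]+)/(?P<len>\d+)")

# Sample input: the ip addr listing from this page, trimmed to the lines that matter.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    inet 169.254.10.216/16 brd 169.254.255.255 scope link enp3s0:avahi
    inet6 fe80::4001:aff:fe8a:3/64 scope link
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.11.50/24 brd 192.168.11.255 scope global dynamic wlo1
    inet6 fe80::c87a:16ce:3a61:8f0c/64 scope link
"""

def classify(addr_text):
    """Return the exam-style meaning of one IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(addr_text)
    table = IPV4_MEANINGS if addr.version == 4 else IPV6_MEANINGS
    for network, meaning in table:
        if addr in network:
            return meaning
    return "public, routable address"

def parse_ip_addr(output):
    """Map each interface name to its list of (address, prefix_length) pairs."""
    result, current = {}, None
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name")
            result[current] = []
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            result[current].append((m.group("addr"), int(m.group("len"))))
    return result

def interpret(output):
    """Return {interface: [(address/len, meaning), ...]} for an ip addr dump."""
    return {
        iface: [(f"{addr}/{plen}", classify(addr)) for addr, plen in addrs]
        for iface, addrs in parse_ip_addr(output).items()
    }

if __name__ == "__main__":
    for iface, entries in interpret(SAMPLE_IP_ADDR).items():
        for cidr, meaning in entries:
            print(f"{iface:8} {cidr:32} {meaning}")
```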

ping

Recognize errors. In the following, we are directly connected, plugged into the same switch. However, that other host isn't up. Our host, 192.168.11.12, is reporting that the target, 192.168.11.88, is unreachable. It recognizes that the target is on the same LAN, so it should be able to use ARP to find the target hardware address, but it can't.

$ ping 192.168.11.88
PING 192.168.11.88 (192.168.11.88) 56(84) bytes of data.
From 192.168.11.12 icmp_seq=1 Destination Host Unreachable
From 192.168.11.12 icmp_seq=2 Destination Host Unreachable
From 192.168.11.12 icmp_seq=3 Destination Host Unreachable
From 192.168.11.12 icmp_seq=4 Destination Host Unreachable
^C 

In the following, the host is a few router hops away and it isn't responding. Nothing came back. You might see some router between here and there reporting that it's unreachable. Here, it's silent failure.

$ ping whatever.example.com
PING whatever.example.com (128.46.144.53) 56(84) bytes of data.

--- whatever.example.com ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4079ms 

In the following, we asked for a name that doesn't exist. Either we misspelled it, or the relevant DNS server is lacking a record.

$ ping foo.example.com
ping: unknown host foo.example.com 

In this last one, we see another form the above error may take.

$ ping foo.example.com
ping: foo.example.com: Name or service not known

traceroute

It's spelled tracert on Windows. Recognize DNS errors as above.

The output will resemble the following, with one line per router along the way and three probes to each router. Line 1 is hop #1, line 2 is the router 2 hops away, and so on.

If you don't get a response within the timeout period, you see "*" instead of a time. A line with three stars means the router at that distance did not respond at all. If you see its name or IP address and then a mix of times and stars, it responded to some probes and timed out on others.

An unending series of probes that entirely timed out means either that it reached the target and the target didn't respond (very common for web servers), or that the network is broken beyond the last router that responded.

Finally, slightly inconsistent DNS configurations may make things a little more confusing.

Here is an example. I was staying at a hostel in Fukuoka, Japan, when I updated this page. I asked for a trace to the Purdue Federal Credit Union in West Lafayette, Indiana, U.S.A. I explicitly asked for the IP addresses to be converted back to fully-qualified domain names. Depending on your version of the tool, it may provide nothing but IP addresses by default.

This example shows some of the potential DNS oddities. The name www.purduefed.com is an alias, the canonical name is simply purduefed.com. Then, the hosting company has not changed the PTR record mapping back from IP address to name. It used to do business as Purdue Employees Federal Credit Union, using the domain purdueefcu.com, which appears as the last hop. There was an outdated PTR record for that IP address when I did this.

$ traceroute --resolve-hostnames www.purduefed.com
traceroute to purduefed.com (72.12.218.18), 64 hops max
 1  192.168.11.1  8.789 ms  5.242 ms  2.219 ms
 2  r081.fkoknt01.ap.so-net.ne.jp (218.221.253.61)  11.886 ms  18.253 ms  9.495 ms
 3  tn02gi6.fkoknt01.ap.so-net.ne.jp (210.132.216.89)  6.779 ms  7.018 ms  8.796 ms
 4  note-13Vl638.net.so-net.ne.jp (202.223.119.213)  27.055 ms  54.929 ms  46.687 ms
 5  202.213.194.61  23.846 ms  32.668 ms  27.771 ms
 6  202.213.194.33  26.746 ms  31.092 ms  25.822 ms
 7  ae-4.a01.tokyjp05.jp.bb.gin.ntt.net (120.88.53.9)  24.472 ms  29.946 ms  91.634 ms
 8  ae-24.r03.tokyjp05.jp.bb.gin.ntt.net (129.250.6.83)  27.009 ms  32.079 ms  26.424 ms
 9  * * *
10  ae-12-12.car1.Louisville1.Level3.net (4.69.140.213)  191.316 ms  430.565 ms  395.326 ms
11  WINTEK-CORP.car1.Louisville1.Level3.net (4.59.184.106)  392.432 ms  220.610 ms  203.536 ms
12  72.12.218.10  214.017 ms  374.270 ms  343.802 ms
13  www.purdueefcu.com (72.12.218.18) [open]  462.688 ms  263.595 ms  399.409 ms

Hop #1 is the wireless access point in the hostel. 192.168.0.0/16 is a private block of IP addresses commonly used by small routers.

Hops #2-4 are across the so-net.ne.jp network in Japan.

Hops #5 and 6 are routers in the 202.213.194.0/24 network. That network also belongs to so-net.ne.jp, but they have not set up DNS pointer records and so we only see IP addresses, not names (I used the whois command to figure out who owned those addresses). You could say that this represents an error in the form of missing DNS data. It's really only a problem for easily interpreting traceroute output, so I would only select that as an error if I couldn't find anything else.

Hops #7 and 8 are across ntt.net, a major network provider in Japan.

Hop #9 timed out all three times. That router dropped the timed-out packets, but it did not return ICMP error reports for that. Later steps returned results, so this router was not responding as expected although it could successfully forward packets for the later steps. Again, I don't see this as an error, but if I had to pick something, this seems to me to be a better choice than the lack of DNS pointer records for hops 5-6.

Hops #10 and 11 are across level3.net routers, a major world-wide provider. The round-trip times generally increase, but look how much larger they are for hop #10. The router at hop #8 was in Japan, then hop #10 was in the U.S.

Hop #12 is another router whose IP address doesn't resolve back to a name. The 72.12.192.0/19 range (that is, 72.12.192.0 through 72.12.223.255) belongs to Wintek, a network provider in Lafayette, Indiana.

Hop #13 is the destination.

Other than the three sent to hop #9, all the individual packets returned ICMP reports. Sometimes just 1 or 2 packets will time out, and you see "*" instead of a time.

Sometimes you will notice that every packet is routed individually. The 3 packets sent with a given TTL may take different routes, leading to 2 or 3 hostnames or IP addresses reported on the corresponding line.
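
As an added example that is not part of the original page, this Python script parses the trace above and flags exactly the three things discussed: hops where every probe timed out, hops with no PTR record (IP address only), and the big round-trip jump between Japan and the U.S. The 50 ms and 2x jump thresholds are my own choice, not anything the tool reports.

```python
import re

# One hop per line: hop number, then either "* * *" or a host (optionally
# "name (ip)" plus a "[open]" tag on the final hop), then the probe results,
# each a time in ms or "*" for a timeout.
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*)$")
HOST_RE = re.compile(r"^(?P<host>[^\s*]+)(?:\s+\((?P<ip>[\d.]+)\))?")
PROBE_RE = re.compile(r"(\d+(?:\.\d+)?) ms|\*")
IPV4_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

# Sample input: the trace to www.purduefed.com shown above, copied from this page.
SAMPLE_TRACE = """\
traceroute to purduefed.com (72.12.218.18), 64 hops max
 1  192.168.11.1  8.789 ms  5.242 ms  2.219 ms
 2  r081.fkoknt01.ap.so-net.ne.jp (218.221.253.61)  11.886 ms  18.253 ms  9.495 ms
 3  tn02gi6.fkoknt01.ap.so-net.ne.jp (210.132.216.89)  6.779 ms  7.018 ms  8.796 ms
 4  note-13Vl638.net.so-net.ne.jp (202.223.119.213)  27.055 ms  54.929 ms  46.687 ms
 5  202.213.194.61  23.846 ms  32.668 ms  27.771 ms
 6  202.213.194.33  26.746 ms  31.092 ms  25.822 ms
 7  ae-4.a01.tokyjp05.jp.bb.gin.ntt.net (120.88.53.9)  24.472 ms  29.946 ms  91.634 ms
 8  ae-24.r03.tokyjp05.jp.bb.gin.ntt.net (129.250.6.83)  27.009 ms  32.079 ms  26.424 ms
 9  * * *
10  ae-12-12.car1.Louisville1.Level3.net (4.69.140.213)  191.316 ms  430.565 ms  395.326 ms
11  WINTEK-CORP.car1.Louisville1.Level3.net (4.59.184.106)  392.432 ms  220.610 ms  203.536 ms
12  72.12.218.10  214.017 ms  374.270 ms  343.802 ms
13  www.purdueefcu.com (72.12.218.18) [open]  462.688 ms  263.595 ms  399.409 ms
"""

def parse_hop(line):
    """Return {"hop", "name", "ip", "rtts"} for one output line, or None for non-hop lines."""
    m = HOP_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    hm = HOST_RE.match(rest)
    name = hm.group("host") if hm else None
    ip = hm.group("ip") if hm else None
    if name and ip is None and IPV4_RE.match(name):
        name, ip = None, name          # bare address: no PTR record was found
    rtts = [float(t) if t else None for t in PROBE_RE.findall(rest)]
    return {"hop": int(m.group("hop")), "name": name, "ip": ip, "rtts": rtts}

def analyze(output, jump_ms=50.0, jump_factor=2.0):
    """Parse a trace and return (hops, findings); findings is a list of (hop number, note)."""
    hops = [h for h in (parse_hop(line) for line in output.splitlines()) if h]
    findings, prev_min = [], None
    for h in hops:
        answered = [r for r in h["rtts"] if r is not None]
        if not answered:
            findings.append((h["hop"], "no response: all probes timed out"))
            continue                   # keep prev_min from the last hop that answered
        if len(answered) < len(h["rtts"]):
            findings.append((h["hop"], "partial timeouts"))
        if h["name"] is None:
            findings.append((h["hop"], "no DNS PTR record, IP address only"))
        cur_min = min(answered)        # the minimum is the least noisy probe
        if prev_min is not None and cur_min - prev_min > jump_ms and cur_min > jump_factor * prev_min:
            findings.append((h["hop"], f"round-trip time jumped from {prev_min:.0f} to {cur_min:.0f} ms"))
        prev_min = cur_min
    return hops, findings

if __name__ == "__main__":
    for hop, note in analyze(SAMPLE_TRACE)[1]:
        print(f"hop {hop:2}: {note}")
```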

netstat

The netstat command can display many things, depending on the command-line option: the routing table with -r, Ethernet interface statistics with -i, and so on.

The -a option asks for all sockets, including the services listening for connections, and -n means leave it numeric, don't try to use DNS to map addresses back to host names. Here's a real example, from my server:

$ netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.138.0.3.22          184.16.205.240.50966   ESTABLISHED
tcp4       0      0 127.0.0.1.9000         127.0.0.1.37632        TIME_WAIT
tcp4       0      0 127.0.0.1.11628        127.0.0.1.9000         TIME_WAIT
tcp4       0      0 10.138.0.3.443         62.231.124.172.42117   TIME_WAIT
tcp4       0      0 10.138.0.3.443         62.231.124.172.42115   TIME_WAIT
tcp4       0      0 127.0.0.1.12042        127.0.0.1.9000         TIME_WAIT
tcp4       0      0 10.138.0.3.443         5.148.56.100.50820     TIME_WAIT
tcp4       0      0 10.138.0.3.443         176.212.20.116.11111   FIN_WAIT_2
tcp4       0    185 10.138.0.3.443         176.212.20.116.11394   LAST_ACK
tcp4       0     31 10.138.0.3.443         77.88.11.254.46154     LAST_ACK
tcp4       0      0 10.138.0.3.443         61.146.63.211.5028     ESTABLISHED
tcp4       0      0 10.138.0.3.443         46.229.168.84.48366    TIME_WAIT
tcp4       0      0 10.138.0.3.443         46.229.168.75.58818    TIME_WAIT
tcp4       0      0 10.138.0.3.443         92.84.229.82.55000     ESTABLISHED
tcp4       0   4582 10.138.0.3.443         92.84.229.82.54999     ESTABLISHED
tcp4       0      0 10.138.0.3.80          130.15.4.209.46944     TIME_WAIT
tcp4       0      0 10.138.0.3.80          46.229.168.70.15234    TIME_WAIT
tcp4       0      0 10.138.0.3.443         78.109.23.1.27269      TIME_WAIT
tcp4       0      0 10.138.0.3.443         61.146.63.211.4989     TIME_WAIT
tcp4       0      0 10.138.0.3.443         78.109.23.1.16889      TIME_WAIT
tcp4       0      0 10.138.0.3.443         80.42.127.171.55336    ESTABLISHED
tcp4       0      0 10.138.0.3.443         109.178.61.69.39398    FIN_WAIT_2
tcp4       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.9000         *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
udp4       0      0 127.0.0.1.123          *.*                    
udp4       0      0 10.138.0.3.123         *.*                    
udp4       0      0 *.123                  *.*                    
udp4       0      0 *.514                  *.*                    

"LISTEN" indicates that a service process is listening for connections. "ESTABLISHED" means that a client is currently connected and transferring data. Others TCP states including "LAST_ACK", "TIME_WAIT", "FIN_WAIT", "FIN_WAIT_2", and others, indicate that we caught a connection in the process of being established or shut down.

Notice in the above that SSH is listening for new connections on TCP/22, and an SSH connection is currently established. That's me connected in from 184.16.205.240, running the netstat command.

My server accepts connections over HTTP (TCP/80) and immediately redirects the client to the same URL over HTTPS (TCP/443). That's called HTTPS redirect; it's best practice for security, and you need to know that on the test.
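
An added example, not from the original page: Python that parses the BSD-style netstat -an listing above (the last dot separates host from port; Linux netstat prints host:port instead, which this does not handle) and answers the questions the exam asks of it: which ports are listening, which are bound to localhost only, how many clients are connected to each port, and whether an expected service such as HTTPS has no listener at all. The sample is this page's listing, trimmed; the function names are mine.

```python
from collections import Counter

# Sample input: the netstat -an listing from this page, trimmed.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.138.0.3.22          184.16.205.240.50966   ESTABLISHED
tcp4       0      0 127.0.0.1.9000         127.0.0.1.37632        TIME_WAIT
tcp4       0      0 10.138.0.3.443         62.231.124.172.42117   TIME_WAIT
tcp4       0      0 10.138.0.3.443         61.146.63.211.5028     ESTABLISHED
tcp4       0   4582 10.138.0.3.443         92.84.229.82.54999     ESTABLISHED
tcp4       0      0 10.138.0.3.80          130.15.4.209.46944     TIME_WAIT
tcp4       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.9000         *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
udp4       0      0 *.123                  *.*
udp4       0      0 *.514                  *.*
"""

def split_endpoint(endpoint):
    """'10.138.0.3.443' -> ('10.138.0.3', 443); '*.*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(".")
    return host, (None if port == "*" else int(port))

def parse_netstat(output):
    """Return one dict per socket line: proto, local/foreign host and port, state."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue                                   # header or blank line
        lhost, lport = split_endpoint(parts[3])
        fhost, fport = split_endpoint(parts[4])
        state = parts[5] if len(parts) > 5 else ""     # UDP lines carry no state
        records.append({"proto": parts[0][:3], "lhost": lhost, "lport": lport,
                        "fhost": fhost, "fport": fport, "state": state})
    return records

def listeners(records):
    """{(proto, port): bind address} for TCP sockets in LISTEN and unconnected UDP sockets."""
    out = {}
    for r in records:
        if (r["proto"] == "tcp" and r["state"] == "LISTEN") or \
           (r["proto"] == "udp" and r["fport"] is None):
            out[(r["proto"], r["lport"])] = r["lhost"]
    return out

def local_only(records):
    """TCP ports that are listening but reachable only from this host."""
    return sorted(p for (proto, p), host in listeners(records).items()
                  if proto == "tcp" and host == "127.0.0.1")

def established_by_port(records):
    """How many clients are currently connected to each local TCP port."""
    return Counter(r["lport"] for r in records
                   if r["proto"] == "tcp" and r["state"] == "ESTABLISHED")

def missing_listeners(records, expected_tcp_ports):
    """Expected services with nobody listening: the first thing to check when users report an outage."""
    have = listeners(records)
    return sorted(p for p in expected_tcp_ports if ("tcp", p) not in have)

if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", sorted(listeners(recs)))
    print("localhost only:", local_only(recs))
    print("connected clients per port:", dict(established_by_port(recs)))
    print("expected but not listening:", missing_listeners(recs, {22, 80, 443}))
```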

Example Question #3

Users are reporting that they can't access the financial department's secure web page. The following command output is observed. What is wrong?

$ netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.138.0.3.22          184.16.205.240.50966   ESTABLISHED
tcp4       0      0 127.0.0.1.9000         127.0.0.1.37632        TIME_WAIT
tcp4       0      0 127.0.0.1.11628        127.0.0.1.9000         TIME_WAIT
tcp4       0      0 127.0.0.1.12042        127.0.0.1.9000         TIME_WAIT
tcp4       0      0 10.138.0.3.80          130.15.4.209.46944     TIME_WAIT
tcp4       0      0 10.138.0.3.80          46.229.168.70.15234    TIME_WAIT
tcp4       0      0 10.138.0.3.80          173.187.65.22.50598    ESTABLISHED
tcp4       0      0 10.138.0.3.80          212.3.84.1.55989       ESTABLISHED
tcp4       0      0 10.138.0.3.80          212.3.84.1.55987       ESTABLISHED
tcp4       0      0 10.138.0.3.80          212.3.84.1.55988       TIME_WAIT
tcp4       0      0 10.138.0.3.80          212.3.84.1.55986       TIME_WAIT
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.9000         *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
udp4       0      0 127.0.0.1.123          *.*                    
udp4       0      0 10.138.0.3.123         *.*                    
udp4       0      0 *.123                  *.*                    
udp4       0      0 *.514                  *.*                    

A: The web server is down
B: The server is up but its web service isn't running
C: The certificate has expired
D: The certificate has been revoked
E: HTTPS isn't enabled
F: A firewall is blocking connections

Know Where to Put Things

You may get a question with a network diagram. The router probably won't be labeled with its name; it will look like a short barrel with an "X" of arrowheads on its top, the standard image. And the firewall will probably look like a box that's on fire.

Remember, CompTIA is testing if you know computer and network security right now, and so it's reasonable to assume that you have a background in both computers and networking.

The items I show in parentheses below, like (_ACL_), will be in little boxes or round-ended capsules that you can drag around. They snap into place when you drop them.

Pardon the ASCII art, I'll make a prettier version some day...

Example Question #4

Deploy the security tools

		  The Internet
			|
			|
		     Firewall
			|
			|
		      Router----------------------------
		      /    \				|
		     /      \				|
	Ethernet-----        -----Ethernet	     Ethernet
	 Switch                    Switch	      Switch
	 /  |  \                   /  |  \	     /   |  \______
	/   |   \                 /   |   \	    /    |         \
	PC  PC   PC               PC  PC   PC    web	 file    server
						server	server	

	(_DLP_)			(_WAF_)
	(_DLP_)			(_Rules_)
	(_802.1x_)		(_RADIUS_)
	(_802.1x_)		(_ACL_)
	(_802.1x_)

Example Question #5

There are physical security questions in the pool. Again, drag things to the correct rooms or systems.

Deploy the security tools

+-------------------------------------------------------+---------------+
| SERVER ROOM						| LOBBY		|
|							|		|
| server			USB sticks		|		  /
| server			with signing key	|		 /
| server						|		/
+----------------------------------------      ---------+		|
| INNER OFFICE			|  WAP &      /	  OUTER	|		|
|		printer		|Ethernet    /	 OFFICE	|		|
|				| switch    /		|		|
| laptop	laptop		|			  /		|
| laptop	laptop		  /	 desktop	 /		|
| laptop	laptop		 /	 desktop	/		|
|				/	 desktop	|		|
+-------------------------------+-----------------------+---------------+

(_cable_lock_)		(_card_swipe_lock_)
(_cable_lock_)		(_biometric_lock_)
(_cable_lock_)		(_safe_)
(_cable_lock_)		(_locking_metal_cabinet_)
(_cable_lock_)		(_captive_portal_)
(_cable_lock_)		(_video_camera_)

Know Basic Linux and Windows File System Locations

There are now some questions where they give you lists of files and hashes at various times, and they ask you to identify which is the sign of an intrusion.

You have to know, at a very basic level, where some files are located and which will change during routine operation.

Windows File Tampering

They may show you that the hash for a file like one of the following has changed, and ask you what it means:
C:\Windows\SysWOW64\KernelBase.dll
C:\Windows\SysWOW64\kernel32.dll
C:\Windows\System32\kernel32.dll
C:\Windows\System32\boot\*
Those are parts of the operating system itself or the boot loader, so you have been seriously hacked. If "root kit" is a choice, select that.

Linux File Tampering

Don't panic, you don't need to know very much! But you may be asked questions that require you to know:

The kernel, the core of the OS itself, and how it boots, are based on files under /boot/*. A file vmlinuz* is the kernel itself, grub.cfg is the configuration file for the GRUB boot loader. It specifies how the kernel is loaded and started, and an attacker might boot it strangely to completely subvert security.

Executable programs relied upon by everyone including the system administrator and the operating system have bin (short for "binary") in their first or second element. That is:
/bin/*
/sbin/*
/usr/bin/*
/usr/sbin/*

Shared libraries, like DLL files in Windows, provide "one-step hacking" opportunities for an attacker. Modify a shared library, and you modify the behavior of all the dynamically linked programs using it, which will be many or most binaries on the system. They have lib (short for "library") in their first or second element. That is:
/lib/*
/lib64/*
/usr/lib/*
/usr/lib64/*

None of the things I have listed so far should change unexpectedly!

System configuration goes under /etc/*. For the most part, these files shouldn't change. However...

Almost everything about a user except their password is defined in /etc/passwd, and the hash of their current password is stored in /etc/shadow. (Yes, everything was originally in passwd, then the password hash was moved to shadow)

So, creating and modifying users changes /etc/passwd. And, when a user changes their password, /etc/shadow changes. We expect those changes.

Someone responded to this unannounced addition to the test by saying that CompTIA was probably just beta-testing potential Linux+ questions. No. The Linux+ test doesn't get into these issues at all. It's much more about "which command does what?" and memorizing the synopsis line and first paragraph of a large number of manual pages.
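
Here is an added example, not part of the original page, that turns the rules above into a checker: it parses two "path: hash" listings in the form the exam uses, reports which files changed, and classifies each change by where the file lives. The listings and digests are constructed placeholders, and the category names and one-line verdicts are my own.

```python
# Constructed sample listings in the same "path: hash" form the exam uses.
# Digests are short made-up placeholders; a real listing carries full
# SHA-1 or SHA-256 hex, but the parser does not care about the length.
LAST_WEEK = """\
/boot/grub/grub.cfg:    aaaa0001
/boot/vmlinuz-4.13.0:   aaaa0002
/etc/passwd:            aaaa0003
/etc/shadow:            aaaa0004
/etc/ssh/sshd_config:   aaaa0005
/bin/ls                 aaaa0006
"""

# Scenario 1: only the password hash store changed, as after a routine password change.
TODAY_ROUTINE = LAST_WEEK.replace("aaaa0004", "bbbb0004")

# Scenario 2: the kernel and a core binary changed, which never happens on its own.
TODAY_TAMPERED = LAST_WEEK.replace("aaaa0002", "cccc0002").replace("aaaa0006", "cccc0006")

def parse_listing(text):
    """Return {path: digest} from "path: hash" lines (the colon after the path is optional)."""
    hashes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            hashes[parts[0].rstrip(":")] = parts[1].lower()
    return hashes

def classify_path(path):
    """Apply the page's rules: what does a changed hash at this path mean?"""
    parts = path.split("/")[1:3]                  # first and second path elements
    if path.startswith("/boot/"):
        return "critical", "kernel or boot loader changed: suspect a rootkit"
    if any(p in ("bin", "sbin") for p in parts):
        return "critical", "system executable replaced: the OS can no longer be trusted"
    if any(p in ("lib", "lib64") for p in parts):
        return "critical", "shared library replaced: every program using it is affected"
    if path == "/etc/shadow":
        return "expected", "password hashes change whenever a user changes a password"
    if path == "/etc/passwd":
        return "review", "account database: expected only if an account was created or modified"
    if path.startswith("/etc/"):
        return "config", "system configuration changed: find out who changed it and why"
    return "review", "change outside the watched locations"

SEVERITY = {"expected": 0, "review": 1, "config": 2, "missing": 2, "critical": 3}
VERDICTS = ["no unexpected changes", "changes need review",
            "system configuration changed", "operating system compromised"]

def compare(baseline, today):
    """List (path, category, reason) for every file whose hash differs, appeared, or vanished."""
    findings = []
    for path in sorted(set(baseline) | set(today)):
        old, new = baseline.get(path), today.get(path)
        if old is None:
            findings.append((path, "review", "file not in the baseline"))
        elif new is None:
            findings.append((path, "missing", "file present last week is gone"))
        elif old != new:
            findings.append((path, *classify_path(path)))
    return findings

def verdict(findings):
    """Reduce the findings to the one line you would report to management."""
    worst = max((SEVERITY[cat] for _, cat, _ in findings), default=0)
    return VERDICTS[worst]

if __name__ == "__main__":
    base = parse_listing(LAST_WEEK)
    for label, today in (("routine", TODAY_ROUTINE), ("tampered", TODAY_TAMPERED)):
        found = compare(base, parse_listing(today))
        print(f"{label}: {verdict(found)}")
        for path, cat, why in found:
            print(f"  {cat:9} {path}: {why}")
```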

Example Question #6

LAST WEEK:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls:		b79f70b18538de0199e6829e06b547e079df8842

TODAY:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		9a4fb74ef00824d6e84785ad53d6fed364947778
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls:		b79f70b18538de0199e6829e06b547e079df8842

You are examining records from a busy server that is critical to your organization's financial well-being. What should you report to management?

A: Everything seems to be fine.
B: A user is violating the AUP.
C: An intruder has gained administrative access and changed the system configuration.
D: An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.


Example Question #7

LAST WEEK:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls:		b79f70b18538de0199e6829e06b547e079df8842

TODAY:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		7c6fa9266a5abfa03d685ea7f7164393c984b710
/etc/shadow:		9a4fb74ef00824d6e84785ad53d6fed364947778
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls:		b79f70b18538de0199e6829e06b547e079df8842

You are examining records from a busy server that is critical to your organization's financial well-being. What should you report to management?

A: Everything seems to be fine.
B: A user is violating the AUP.
C: An intruder has gained administrative access and changed the system configuration.
D: An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.


Example Question #8

LAST WEEK:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls:		b79f70b18538de0199e6829e06b547e079df8842

TODAY:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:	9c5bbcbdc2994a9835b8804b9ffa699935715a34
/bin/ls:		b79f70b18538de0199e6829e06b547e079df8842

You are examining records from a busy server that is critical to your organization's financial well-being. What should you report to management?

A: Everything seems to be fine.
B: A user is violating the AUP.
C: An intruder has gained administrative access and changed the system configuration.
D: An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.


Example Question #9

LAST WEEK:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls:		b79f70b18538de0199e6829e06b547e079df8842

TODAY:
/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	cfc34c90281bbed47540c6288ec975a4602ee3df
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config:	5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls:		b79f70b18538de0199e6829e06b547e079df8842

You are examining records from a busy server that is critical to your organization's financial well-being. What should you report to management?

A: Everything seems to be fine.
B: A user is violating the AUP.
C: An intruder has gained administrative access and changed the system configuration.
D: An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.

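Questions #6 through #9 all come down to the rules laid out above: /etc/shadow and /etc/passwd may legitimately change, other files under /etc are configuration, and a changed kernel, command or shared library means the operating system itself can no longer be trusted. The Python script below is an added example, not part of the original page: it encodes those rules, parses two reports in the layout the questions use, and returns the most severe class of change. The severity ordering and the treatment of everything under /boot as an operating system component are my assumptions.

```python
import re

# Added example, not the page's code. Files the text above says may change in normal operation:
EXPECTED_CHANGES = {
    "/etc/shadow": "a user changed their password",
    "/etc/passwd": "a user was created or modified (confirm against change records)",
}
# "lib" or "lib64" as the first or second path element marks a shared library.
_LIB_RE = re.compile(r"^/(?:usr/)?lib(?:64)?/")
# Kernel, boot loader and commands: treated here (assumption) as operating system components.
_OS_PREFIXES = ("/boot/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
# Worst class first: one replaced OS component taints everything on the host.
_SEVERITY = ["OS_COMPONENT", "MISSING", "NEW_FILE", "CONFIGURATION", "OTHER", "EXPECTED"]

def classify_path(path):
    """Severity class of a changed file, decided only by where it lives."""
    if path in EXPECTED_CHANGES:
        return "EXPECTED"
    if path.startswith(_OS_PREFIXES) or _LIB_RE.match(path):
        return "OS_COMPONENT"   # kernel, boot loader, command or shared library
    if path.startswith("/etc/"):
        return "CONFIGURATION"  # system configuration changed
    return "OTHER"

def parse_report(text):
    """Parse 'path:<tab>hash' lines in the layout the questions use."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            entries[parts[0].rstrip(":")] = parts[1].lower()
    return entries

def compare_reports(last_week, today):
    """Map each changed, vanished or newly appeared path to its class."""
    findings = {}
    for path, old in last_week.items():
        new = today.get(path)
        if new is None:
            findings[path] = "MISSING"
        elif new != old:
            findings[path] = classify_path(path)
    for path in today.keys() - last_week.keys():
        findings[path] = "NEW_FILE"
    return findings

def overall_verdict(findings):
    """Single headline for management, taken from the most severe finding."""
    for cls in _SEVERITY:
        if cls in findings.values():
            return cls
    return "NO_CHANGE"

# Sample input copied from Example Question #9 above (two of its six rows).
LAST_WEEK = "/boot/vmlinuz-4.13.0:\td6328ceea77c930e853da08b494c71ad2f8f9b47\n/bin/ls\t\t\tb79f70b18538de0199e6829e06b547e079df8842\n"
TODAY = "/boot/vmlinuz-4.13.0:\tcfc34c90281bbed47540c6288ec975a4602ee3df\n/bin/ls\t\t\tb79f70b18538de0199e6829e06b547e079df8842\n"

if __name__ == "__main__":
    found = compare_reports(parse_report(LAST_WEEK), parse_report(TODAY))
    print(found, overall_verdict(found))  # {'/boot/vmlinuz-4.13.0': 'OS_COMPONENT'} OS_COMPONENT
```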

Example Question #10

Question: Management has decided they want wireless security, but they don't have resources to do key management and maintain certificates. What should they use?

A: WEP
B: WAP
C: WPA
D: WPA/2-E


Example Question #11

Question: Management has decided to use geo-fencing to restrict mobile device operation to company premises. Which technology should you select?

A: BYOD
B: COPE
C: CYOD
D: BODE


Example Question #12

Question: You need to protect both endpoint authentication and data confidentiality in all data streams. Which two ciphers should you choose?

A: AES-CBC
B: AES-CCMP
C: AES-ECM
D: AES-GCM


Example Question #13

Question: News reports tell of major DDoS against a famous company. You receive a letter from your ISP saying that your home is sending malicious Linux-sourced traffic. But you don't own a Linux computer, in fact you don't own any computer. Your home electronics are limited to a smart TV with a Blu-ray player and a DVR or Digital Video Recorder. What has happened?

A: Nothing, your ISP is wrong
B: BOT
C: RAT
D: Trojan


Example Question #14

Question: Many unexplained payments have been sent to a mysterious vendor. The current model is:

  • Add new vendor: Clerk
  • Approve new vendor: Clerk
  • Pay vendor: Clerk
  • Approve payment: Manager

What should it be?

A:

  • Add new vendor: Manager
  • Approve new vendor: Clerk
  • Pay vendor: Clerk
  • Approve payment: Manager

B:

  • Add new vendor: Clerk
  • Approve new vendor: Manager
  • Pay vendor: Clerk
  • Approve payment: Clerk

C:

  • Add new vendor: Clerk
  • Approve new vendor: Manager
  • Pay vendor: Clerk
  • Approve payment: Manager

D:

  • Add new vendor: Clerk
  • Approve new vendor: Manager
  • Pay vendor: Manager
  • Approve payment: Manager


Example Question #15

Question: Which can you put in a boot script to prevent MITM?

A: nmap -sS -sV -T5 192.168.27.72
B: arp -s 00:13:3b:12:6f:aa 192.168.12.72
C: tcpdump -i eth0 host 192.168.12.72 or ether host 00:13:3b:12:6f:aa
D: netstat -an
E: ping 192.168.12.72


CompTIA Wants You To Know Some Specific Sayings

I don't know exactly what CompTIA means by some of these distinctive phrases. But that doesn't matter because all I need to know is that these are the right answers.

"Acceptable Use Policy is enforced with user education and content/URL filtering."
"Code of Ethics is a set of minimum expected behaviors."
"When a manager wants to introduce a new application, tell them to look at the risk analysis."
"Threat modeling predicts the most likely points of attack."
"MITM and replay attacks start by sniffing the network with a protocol analyzer."
"Vulnerability scanners are passive because they don't send exploits."
"Clients must use proxies or NAT to access the Internet."
"Fuzzing sends sequential or random data to a target."
"Check access logs daily."
"Highly complex computer-generated passwords are bad."
"Logs and audits enforce accountability."
"Audits attempt to reconcile activity against a standard (policy), and mysterious anomalies are likely to be problems."
"Quantitative" or "a metric" means numbers, and that's the best analysis. But for human behavior we're stuck with qualitative assessment.
"Disposal" means destroy the media, "sanitize" means wipe it for re-use.
"Disaster Recovery" means "as the hurricane is moving away."
"Business Continuity" means "3-4 days after and continuing from there."
"Contingency Planning" is for one very specific problem.
"The first step in risk assessment is an asset inventory."
"The first step in Disaster Recovery Planning is a Business Impact Analysis."
"Succession planning" is corrective.
"Job rotation" is preventative.
"Enforced vacation" is detective.
"Succession planning" is why Gerald Ford ended up as the President.
"Job rotation" might have kept Nixon and Agnew in office.
Spoofing is when a host pretends to be another host,
Impersonation is when a person pretends to be another person.
Cold sites require over one week to start.
Warm sites can start in under a week.
Hot sites are always ready right now, so they're expensive.
"Armored viruses resist analysis"
"Malicious invulnerable add-ons are software added to browsers to test the system with spyware, botnet software, etc."
"You cannot identify a zero-day attack. Except you can identify them with fuzzing, honeypots, host IPS, and network IPS. Network IPS can identify and stop in-progress zero-day attacks."
"An APT cannot be identified. Except you can identify one with host configuration baselines."
"Use a safe or vault to protect HSM, TPM, and portable media with signing keys and other highly sensitive data. Lock wireless access points inside rack cabinets (nice Faraday cage)."

Both behavior-based and anomaly-based IDS must observe for a while to learn the local baseline. They mention "exceptions or broken protocol rules" when they're talking about anomaly-based.

Privilege escalation is used to mean two very different things; use the context to figure out which one they're talking about:

When they ask "What would be the very best way...", they are implying "...if expense and complexity don't matter."
For example: diesel generators, HSMs, Kerberos, biometric door locks, and SELinux in full enforcing mode. Kerberos and SELinux are free software, but complex to manage. The others cost a lot of money.

What Color Is The Sky in the CompTIA Universe?

CompTIA consistently insists that a number of things are not the way they are in the real world. Shrug and mark the correct answer.

All routers have ACLs and all are default deny. Always.

The entire Internet contains nothing but Windows desktops, plus a few Windows servers.
Except for once in a while Linux appears out of the blue: ssh / scp / sftp, root, SELinux (a.k.a. NSA Security-Enhanced Linux), /etc/passwd and /etc/shadow, plus the above about file system tampering.

NetStumbler is the only way to discover WLANs,
and AirSnort is the only way to break WEP.

Role-Based Access Control is an easy hierarchical way to administer authorizations.
(Because CompTIA thinks that Windows group policies are real RBAC)

CompTIA Likes to Confuse You

Here are some confusingly similar or overlapping topics ideal for setting up tricky multiple-choice questions:

CompTIA uses the phrase Rule-Based Access Control just to confuse you about Role-Based Access Control, which is what the rest of the world means by RBAC.

OTP stands for both One-Time Password (at first login you must change it) and One-Time Pad (the only truly secure cipher). MAC stands for three very different security concepts.

People in hats: White / Grey / Black
Techniques in boxes: White / Grey / Black (with Fuzzing)
IDS and anti-malware errors: False Positive / False Negative
Biometric authentication errors: False Acceptance / False Rejection
Behavior upon an error: Fail Safe / Fail Open

What do digital certificates contain?
    server's public key, or
    server's private key, or
    CA's public key, or
    CA's private key.

With lost phone questions, are we trying to track down and recover the hardware asset, or remotely wipe the data, or keep the finder from making calls on our bill? Or some combination of those goals?

This isn't trickiness, but many questions are effectively two or more questions in one. For example:

Julie, a left-handed Episcopalian network engineer in the software development department, needs to encrypt some large files containing sensitive customer data in order to fulfill compliance requirements. Her manager is emphasizing the importance because these are medical records. What should she use?
RSA
AES
DES
ECC

Once you have waded through the intentionally distracting and time-wasting clutter, you have the real question: How do you encrypt large data sets? First part: The general answer is symmetric ciphers, but that isn't a choice. Second part: Now you have to look through the list for examples of those: AES and DES. Third part: Realize that AES is (by far) the better choice.

Security+ isn't Network+, except when it is

CompTIA assumes that this is your third certification. You probably got A+ (PC hardware and Windows desktop fundamentals) two or three years ago, and you did Network+ maybe a year ago, and you have been working in those areas since then, if not longer. Hmmm. Maybe.

This is despite Security+ being partly aimed at managers who need to talk to technical people without understanding the technology.

A glaring example is the presence of UDP and TCP port numbers plus three IP protocol numbers in the question pool. It just depends on luck, on which questions you happen to draw. You might get no questions at all about these, but you might get 10 to 12 questions in which you need to know some of these numbers.

Protocol          TCP port     UDP port     IP proto
CIFS              445
DHCP                           67 / 68
DNS               53           53
FTP               20 / 21
FTP/S             990 / 989
HTTP              80
HTTP/S            443
IMAP2             143
IMAP/S            993
Kerberos          88           88
LDAP              389          389
LDAP/S            636          636
MS SQL            1433
NetBIOS           139          139
POP3              110
POP3/S            995
RADIUS                         1812
RDP               3389
SMTP              25
SNMP              161          161
SNMP trap         162          162
SSH, sftp, scp    22
TACACS            49
Telnet            23
ICMP                                        1
IPsec ESP                                   50
IPsec AH                                    51
IKE                            500
SIP               5060         5060

What about a study book?

The least bad one is the CompTIA Security+ Study Guide: Exam SY0-501 by Sybex. It's based on CompTIA's material, but that means that it only tells you some of the truth. I haven't noticed anything in that book that contradicts what they want you to say on the test, but:

  1. Some material on the test is not covered in the book.
  2. Some material in the book is not included in the test.

So you will waste some time, energy, and memory on things you don't really need to know, and you won't have seen some of the topics you need to know. And this is the best book available...

What About Other On-Line Practice Exams?

There are many on-line practice tests. Many of them contain many irrelevant things that aren't on the real test, while omitting many things that are on the real test. Others are shady operators that move from domain to domain. Sometimes you will find that there are both .com and .org variants for a given domain, each of which redirects you to completely different unrelated domains.

There once was aiоtеstking.com, as in "all-in-one test king". In mid-2017 they seem to have migrated to briеfmеnоw.com and then to briеfmеnоw.org. By November 2017, the two briеfmеnоw domains had entirely different content, then a month later the .com one was an empty site. Meanwhile, aiоtеstking.com now directs you to еxamcollеction.com, which has a mix of paid and supposedly free content.

Sybex, Transcender, and others run legitimate practice exam sites. That means that they don't have verbatim question content, but they're reasonably close.

Cram.com

Cram.com has questions in the form of a game or a puzzle. The format is very different from the real test, but that's good as it makes you think about the same thing a different way. It has a few things that aren't in the real test, but during the last year or two of the SY0-401 exam, most of it exactly covered the content.

www.briefmenow.org has had questions, but what they claim are the answers are often wrong.

Lead2Pass seems to be a "dumps" dealer, selling illicit verbatim exam content. They use the tell-tale term "dumps" on their web site.

Further warning: While of course you would never look at "brain dump" sites with verbatim material, and therefore this warning is irrelevant... Some verbatim web sites have screen shots of actual questions, accompanied by wrong "explanations" of what the correct answers are.

Quizlet

A student from one course event got in touch with me later, saying that they thought Quizlet.com had been very helpful. Some quizzes there may be helpful, but anyone can upload anything, including irrelevant and outdated content, and totally wrong answers.

Good luck!

Now you know a little more about how to think about the awful questions on this test.

Mark up Handout #1 to use it as your study guide. Go through the notes in the 3-ring binder and see what you highlighted. For the ones you don't yet know, highlight them on Handout #1. You might find some things mentioned on this page that you want to highlight or add to the handout.

Now you're on your way to making your own one-page crib sheet. The smaller your study guide or crib sheet becomes, the more you already know and the less you have to be reminded of.

Re-do the Short Quiz A versions to see how it's going. Then read sections of the textbook or look back through the acronyms or whatever as needed. When Short Quiz A becomes too easy, try Short Quiz B. Then "All Questions" for that domain.


Let us know how you did! Especially let us know if there were any surprises on the exam, any questions on topics we don't yet realize we need to cover.
