CompTIA Security+ Compressed into Zen Koans
The best way that I know of to prepare for the CompTIA Security+ certification exam is to take Learning Tree's test prep course. The most helpful thing of all is the quiz software you get with that course, as it is the most realistic simulation of the exam that I've seen. The next most helpful thing for final review is one of its handouts.
This page is just an overview of some of the philosophy of the design of that test. (hence the pictures from the Zen Buddhist temple in Japan...)
I have compiled a list of distinctive CompTIA sayings you can use against them to easily get points for questions that otherwise are misleading or make little sense. Hopefully these can be succinct and thought-provoking like koans, but the main goal is to get through that stupid test.
I could imagine that a safe at CompTIA headquarters contains a book made up of a few hundred sentences, plus "Memorize this table of TCP and UDP port numbers, and also these inaccurate drawings of what we think RAID looks like." If you could memorize that book of sentences, like memorizing some ritual, you would know the answers to almost all of the questions. I know the exact form of some of those sentences. For example:
Acceptable use policy is enforced by URL and content filtering.
Yes, you could save two words and put it in the active voice, "URL and content filtering enforce acceptable use policy", but it's the first form that appears on the test.
Many are simple:
AES is the best symmetric cipher.
Kerberos is the best single-sign-on system.
Logs and audits enforce accountability.
Some take two sentences, the first will be in the question and the second is in the answer:
A manager wants to deploy a new application. Tell them "Refer to the risk analysis."
It can be helpful to know a little of the background:
Symmetric ciphers should be used on data. (Because they are efficient, and data can be large)
Asymmetric ciphers protect the negotiations and keys. (That is, they do the endpoint authentications and set up symmetric session keys)
Unfortunately, many are one to two decades out of data. You must know many details about WEP flaws instead of simply "WEP is flawed, WPA came later and is much better, and WPA/2 came after that and is better yet." Ten years after the brief fad of "war-chalking" had appeared and disappeared, a question about it appeared on the test (about 2013). Twenty years after most places had retired their last Thicknet Ethernet, a question appeared (2015).
This is not the study guide, this tells you how to use the study guide.Take the course to get the
quizzer, notes, handouts,
and the textbook
First use the quizzer software to see what you need to learn.
Then use the course notes to see if that jogs your memory. If not, read the relevant sections in the textbook.
Then mark Handout #1 to highlight what you need to review before the real test.
You can't take anything into the testing room, but make the crib sheet you would like to take in. The process of thinking back, "What do I need to know?", and organizing that and writing it down makes you learn it.
Think like a devious test writer. Let's say you're uncertain about this cluster of concepts: MTTR, MTBF, RTO, RPO, BCP, COO, DRP. Try to write your own multiple-choice questions involving these! Make it so it could be answered, but avoid giving away the answer. Then look at what you wrote — how could you make it tougher while still possible to answer? This will force you to think carefully about the topic, and realize how information still leaks through in the question and exposes some information about what choices are right or wrong.
Explain it to someone. Explain the concepts you find difficult to someone else. Maybe you have a study partner. If not, children are pretty tolerant of having things explained to them, and dogs are extremely tolerant. You have to think about a thing carefully to talk about it, and you have to come to some understanding to explain it.
Understand the test. Realize that the test does not try to measure if you are a skilled practitioner. The test is aimed at managers who need to communicate with technical experts. It's a vocabulary test to see if you can use the right words even if you don't really know much at all about what you're talking about.
CompTIA Security+ Philosophy
These aren't necessarily the answers themselves, but guidance for dealing with the exam questions.
A mile wide and an inch deep, go no deeper.
Pick the simple answer for the common case. No scenario is for you, it's for the mythical test-taker.
Reality helps with concepts, but not specifics.
He who says "At work we must do X and Y so that Z can then happen" has strayed from the path of wisdom.
He who says "I can imagine a scenario where X and then Y could lead to Z" has gone even further off the path.
Even a silly sounding policy is always correct.
Protocol analyzers have many important security uses.
Know the crypto flowcharts to visualize the answer.
How do you do these, which key is used first by the
sender, and which key is used last by the receiver:
• Symmetric encryption for confidentiality
• Asymmetric encryption for confidentiality
• Asymmetric encryption for authentication
• Digital signature
Be able to put things into order.
"What is the first step ... last step in this process?"
"Which is the most ... least intrusive vulnerability analysis?"
"Order of volatility (OOV) is"
1: Memory/CPU registers and processes
2: Routing and ARP tables
3: Swap and temporary files
4: Disk drives read with a read-only controller
6: Physical configuration
Be able to put things into categories within sets.
Detective, Preventative, Corrective
Technical, Management, Operational
Encrypting, Encoding, Hashing
Authenticating, Authorizing, Auditing
and so on.
When you are told the name, job title, department, and the often-irrelevant current task of every player in a little story, read past those quickly. They're there to slow you down.
CompTIA Wants You To Know Some Specific Sayings
I don't know exactly what CompTIA means by some of these distinctive phrases. But that doesn't matter because all I need to know is that these are the right answers.
"Business Continuity" means "3-4 days after and continuing from there."
"Contingency Planning" is for one very specific problem.
"The first step in Disaster Recovery Planning is a Business Impact Analysis."
"Job rotation" is preventative.
"Enforced vacation" is detective.
"Job rotation" might have kept Nixon and Agnew in office.
Impersonation is when a person pretends to be another person.
Warm sites can start in under a week.
Hot sites are always ready right now, so they're expensive.
Both behavior-based and anomaly-based IDS must observe for a while to learn the local baseline. They mention "exceptions or broken protocol rules" when they're talking about anomaly-based.
Privilege escalation is used to mean two very different things, use the context to figure out which one they're talking about:
- During an annual review of user rights, you notice someone has accumulated privileges while rotating through jobs. There's no attack, but they no longer need some of those privileges.
- During an attack, the intruder is replaying captured privileges or running a buffer overflow to transition from low-privileges user to sysadmin.
When they ask "What would be the very best way...",
they are implying
"...if expense and complexity don't matter."
For example: diesel generators, HSMs, Kerberos, biometric door locks, and SELinux in full enforcing mode.
CompTIA Wants You To Worry About Some Minor Things
These aren't wrong, but there are bigger things to worry about:
Spyware can spy on your browsing history.
Cross-Site Scripting can steal your webmail credentials.
Tell the guards if you find suspicious USB devices in the parking lot.
Bluetooth moves data at 1 Mbps.
Also see the outdated topics below.
What Color Is The Sky in the CompTIA Universe?
CompTIA consistently insists that a number of things are not the way they are in the real world. Shrug and mark the correct answer.
TCP Wrapper is a Linux-only technology that "wraps" TCP connections in SSL/TLS tunnels.
Cheroots are Linux sandboxes.
Those are small cigars,
chroot is the real thing.
Kuberos is a single-sign-on system.
It's spelled Kerberos.
Risk = vulnerability × threat × value
Dipole antennas use higher power.
All routers have ACLs and all are default deny. Always.
The entire Internet contains nothing but Windows desktops,
plus a few Windows servers.
Except for once in a while Linux appears out of the blue:
ssh / scp / sftp,
SELinux (a.k.a. NSA Security-Enhanced Linux),
NetStumbler is the only way to discover WLANs,
and AirSnort is the only way to break WEP.
Mitre's CVE archive is full of exploits.
Cloud computing includes something called "Management as a Service". It consists of those SaaS or Software as a Service tools that managers, not workers, might use. GMail, Google Docs, salesforce.com, etc are SaaS. Budget-planning or project-planning SaaS, however, is "Management as a Service".
Hash an image before and after you collect it.
(And just how am I to calculate the hash of something I don't have yet?)
Role-Based Access Control is an easy hierarchical way to
(Because CompTIA thinks that Windows group policies are real RBAC)
The security of RSA is based on the difficulty of
factoring large primes.
(No, prime numbers can't be factored. It's the difficulty of finding the prime factors of large non-prime numbers.)
P2P (or peer-to-peer file sharing) can be stopped by URL filtering. That contradicts the meaning of "peer to peer"!
CompTIA Congratulates Bill Clinton on his Recent Election
Welcome to the 1990s. CompTIA wants you to select answers that assumes these things are still true and important:
Smurf and Fraggle attacks still happen.
(but DNS and NTP amplification don't)
Users still have permission to remove
when a hoax e-mail tells them that will
solve all their problems.
SYSTEM32 still contains the Windows OS.
We must still worry about Teardrop, a widespread vulnerability discovered and patched in 1997.
Kerberos still uses nothing but DES.
Even through RFC 6649 in 2012 deprecated the use of DES and other weak cryptographic algorithms in Kerberos.
People still use ThickNet Ethernet, and cause themselves trouble by removing the terminator at the end of the cable segment.
War-dialing attacks against modem banks and RAS are a big worry.
War Chalking is a new thing, it happens a lot, and you should worry about it. Tell the guards if you find any!
Viruses still spread on floppy disks.
Code Red and SQL Slammer are recent worms, and Back Orifice is a recent backdoor.
A database search returning 1,000 records is an enormous result and therefore suspicious.
Backups always involve magnetic tapes.
Malware still does obvious things so it's easy to catch. Spyware saturates your CPU, worms saturate your networks, and zombies communicate via ICQ.
Spammers use their own email addresses and clearly announce their offers in the subject line.
You frequently encounter ROT-13 encoding.
Apparently because people still read
rec.jokes on USENET.
CompTIA Likes to Confuse You
Here are some confusingly similar or overlapping topics ideal for setting up tricky multiple-choice questions:
CompTIA uses the phrase Rule-Based Access Control just so they confuse you about Role-Based Access Control, which is what the rest of the world means by RBAC.
OTP stands for both One-Time Password (at first login you must change it) and One-Time Pad (the only truly secure cipher). MAC stands for three very different security concepts.
With the SYO-401 version in August 2014 they added some terms just to make things more confusing. For example:
- DHE stands for both "Data-Handling Electronics" and "Diffie-Hellman Ephemeral".
- ISSO (Information Systems Security Officer) versus ESSO (Enterprise Single Sign-On)
- SCAP (Securiy Content Automation Protocol) versus SCEP (Simple Certificate Enrollment Protocol)
- Waterfall (software project management concept) versus Whirlpool (hash function)
SYO-401 also added more management terminology that yes, has to do with the management of projects that can help security, but the terms aren't the security itself and add confusion over only vaguely connected concepts.
- BPA = Business Partnership Agreement
- CAR = Corrective Action Report
- CTO = Chief Technology Officer
- IRP = Incident Response Procedure
- ISA = Interconnection Security Agreement
- ISSO = Information Systems Security Officer
- ITCP = Information Technology Contingency Planning
- MOU = Memorandom of Understanding
- RAD = Rapid Application Development
- SDLC = Software Development Life Cycle
- SDLM = Software Development Lifecycle Methodology
- SEIM = Security Information and Event Management
- SOAP = Simple Object Access Protocol
- UAT = User Acceptance Testing
- VDI = Virtual Desktop Infrastructure
- VTC = Video Teleconferencing
Watch out for answers that are true "by the letter of the law" even though they would be bad choices. WEP, PPTP, and DES do encrypt even though the first two are flawed designs and the third is no longer considered secure enough. MD5 is a cryptographic hash function, even though it has weaknesses.
|People in hats:||White||Grey||Black|
|Techniques in boxes:||White||Grey||Black (with Fuzzing)|
|IDS and anti-malware errors:||False Positive||False Negative|
|Biometric authentication errors:||False Acceptance||False Rejection|
|Behavior upon an error:||Fail Safe||Fail Open|
Where does steganography hides data in images?
most significant bit, or
least significant bit, or
most significant byte, or
least significant byte.
What do digital certificates contain?
server's public key, or
server's private key, or
CA's public key, or
CA's private key.
With lost phone questions, are we trying to track down and recover the hardware asset, or remotely wipe the data, or keep the finder from making calls on our bill? Or some combination of those goals?
This isn't trickiness, but many questions are effectively two or more questions in one. For example:
Julie, a left-handed Episcopalian network engineer
in the software development department, needs
to encrypt some large files containing sensitive
customer data in order to fulfill compliance
Her manager is emphasizing the importance because
these are medical records.
What should she use?
Once you have waded through the intentionally distracting and time-wasting clutter, you have the real question: How to encrypt large data sets? First part: The general answer is Symmetric ciphers but that isn't a choice. Second part: Now you have to look through the list for examples of those: AES and DES. Third part: Realize that AES is (by far) the better choice.
Security+ isn't Network+, except when it is
Someone told me that they think that CompTIA assumes that this is your third certification. You probably got A+ (PC hardware and Windows desktop fundamentals) two or three years ago, and you did Network+ maybe a year ago. Hmmm. Maybe.
CompTIA doesn't explicitly say that (at least not that I've noticed), and much of Security+ seems to be aimed at managers who need to talk to technical people without understanding the technology, but it's a reasonable way of explaining many of the test oddities.
A glaring example is the presence of UDP and TCP port numbers plus three IP protocol numbers in the question pool. It just depends on luck, which questions you happen to draw. You might get no questions at all about these, but you might get 10 to 12 questions in which you need to know some of these numbers. Some could come out of the network domain itself, but there can be questions in the authentication and identity management domain that ask about this detail of SSH or RADIUS or LDAP or (since this is CompTIA) Telnet.
|DHCP||67 / 68|
|FTP||20 / 21|
|FTP/S||990 / 989|
|SSH, sftp, scp||22|
What about a study book?
The least bad one is the
CompTIA Security+ Study Guide: SY0-401
It's based on CompTIA's material,
but that means that it only tells you
some of the truth.
I haven't noticed anything in that book that contradicts
what they want you to say on the test, but:
• Some material on the test is not covered in the book.
• Some material in the book is not included in the test.
So you will waste some time, energy, and memory on things you don't really need to know, and you won't have seen some of the topics you need to know. And this is the best book available...
What About Other On-Line Practice Exams?
There are many on-line practice tests. Many of them contain many irrelevent things that aren't on the real test, while omitting many things that are on the real test. Others are shady operators that move from domain to domain. Sometimes you will find that there are both .com and .org variants for a given domain, each of which redirects you to completely different unrelated domains.
There once was aiоtеstking.com, as in "all-in-one test king". In mid-2017 they seem to have migrated to briеfmеnоw.com and then to briеfmеnоw.org. By November 2017, the two briеfmеnоw domains had entirely different content, then a month later the .com one was an empty site. Meanwhile, aiоtеstking.com now directs you to еxamcollеction.com, which has a mix of paid and supposedly free content.
Sybex, Transcender, and others run legitimate practice exam sites. That means that they don't have verbatim question content, but they're reasonably close.Lead2Pass Cram.com
Lead2Pass also has test questions with very good explanations.
Cram.com has questions in the form of a game or a puzzle. The format is very different from the real test, but that's good as it makes you think about the same thing a different way. It has a few things that aren't in the real test, but most of it exactly covers the content.Quizlet
A student from one course event got in touch with me later, saying that Quizlet.com had been very helpful.
The Pictures I Draw When TeachingPictures
I draw several pictures when I teach the course. I also type up some lists. It's pretty much the same set of pictures and lists every time. If you took the course from me, you can download a typical set of them.
Now you know a little more about how to think about the awful questions on this test.
Mark up Handout #1 to use it as your study guide. Go through the notes in the 3-ring binder and see what you highlighted. For the ones you don't yet know, highlight them on Handout #1. You might find some things mentioned on this page that you want to highlight or add to the handout.
Now you're on your way to making your own one-page crib sheet. The smaller your study guide or crib sheet becomes, the more you already know and the less you have to be reminded of.
Re-do the Short Quiz A versions to see how it's going. Then read sections of the textbook or look back through the acronyms or whatever as needed. When Short Quiz A becomes too easy, try Short Quiz B. Then "All Questions" for that domain.
Let us know how you did! Especially let us know if there were any surprises on the exam, any questions on topics we don't yet realize we need to cover.