Fountain and plaques at a Buddhist temple.

CompTIA Security+ Guidance

CompTIA Security+ Compressed into Zen Koans

The best way that I know of to prepare for the CompTIA Security+ certification exam is to take Learning Tree's test prep course. The most helpful thing of all is the quiz software you get with that course, as it is the most realistic simulation of the exam that I've seen. The next most helpful thing for final review is one of its handouts.

This page is just an overview of some of the philosophy behind the design of that test (hence the pictures from the Zen Buddhist temple in Japan).

Be aware that CompTIA pretends that one major release of their exam is a long-term static document. They say that after over 3 years of the SY0-301 exam being the Security+ exam, in a form that never changed, the SY0-401 exam appeared and suddenly was the only form of the exam for the following four and a half years.

My rant about how horribly bad the SY0-401 exam was

No. Not at all.

They release a major upgrade (SY0-301 to SY0-401 to SY0-501) every 3 to almost 5 years. But during those 3 to nearly 5 years of a given exam, it evolves through a series of entirely unannounced and unacknowledged updates.

These "mid-course adjustments" may be minor tweaks to what the exam covers, or they may be more significant. As a general rule, a given exam major release gets progressively worse during the time CompTIA says it's "the" current version.

SY0-501 was a much better exam than its predecessor, at least when it first came out.

See my detailed rant if you want to know just how bad the SY0-401 exam was. You had to memorize historical trivia that hadn't mattered for over two decades, and much of the rest of the exam required you to recite fiction.

Let's Move Forward!

I have compiled a list of distinctive CompTIA sayings you can use against them to easily get points for questions that otherwise are misleading or make little sense. Hopefully these can be succinct and thought-provoking like koans. The main goal is to get through that stupid test.

I also have a list of things you need to know that are not included in CompTIA study material.

I could imagine that a safe at CompTIA headquarters contains a book made up of a few hundred sentences, plus "Memorize this table of TCP and UDP port numbers", plus "we assume you know these parts of Network+". If you could memorize that book of sentences, like memorizing some ritual, you would know the answers to almost all of the questions. I know the exact form of some of those sentences. For example:

Acceptable use policy is enforced by URL and content filtering.

Yes, you could save two words and put it in the active voice, "URL and content filtering enforce acceptable use policy", but it's the first form that appears on the test.

Many are simple:

AES is the best symmetric cipher.

Kerberos is the best single-sign-on system.

Logs and audits enforce accountability.

Some take two sentences: the first will be in the question and the second in the answer:

A manager wants to deploy a new application. Tell them "Refer to the risk analysis."

It can be helpful to know a little of the background:

Symmetric ciphers should be used on data. (Because they are efficient, and data can be large)

Asymmetric ciphers protect the negotiations and keys. (That is, they do the endpoint authentications and set up symmetric session keys)

This is not the study guide, this tells you how to use the study guide.

Take the course to get the quizzer, notes, handouts, and the textbook.

First use the quizzer software to see what you need to learn.

Then use the course notes to see if that jogs your memory. If not, read the relevant sections in the textbook.

Then mark Handout #1 to highlight what you need to review before the real test.

You can't take anything into the testing room, but make the crib sheet you would like to take in. The process of thinking back, "What do I need to know?", and organizing that and writing it down makes you learn it.

Think like a devious test writer. Let's say you're uncertain about this cluster of related concepts: MTTR, MTBF, RTO, RPO, BCP, COO, DRP. Try to write your own multiple-choice questions involving these! Make it so it could be answered, but avoid giving away the answer. Then look at what you wrote — how could you make it tougher while still possible to answer? This will force you to think carefully about the topic, and realize how information still leaks through in the question and exposes some information about what choices are right or wrong.

Explain it to someone. Explain the concepts you find difficult to someone else. Maybe you have a study partner. If not, children are pretty tolerant of having things explained to them, and dogs are extremely tolerant. You have to think about a thing carefully to talk about it, and you have to come to some understanding to explain it.

Understand the test. Realize that the test does not try to measure if you are a skilled practitioner. The test is aimed at managers who need to communicate with technical experts. It's a vocabulary test to see if you can use the right words even if you don't really know much at all about what you're talking about.

CompTIA Security+ Philosophy

These aren't necessarily the answers themselves, but guidance for dealing with the exam questions.

A mile wide and an inch deep, go no deeper.

Pick the simple answer for the common case. No scenario is for you, it's for the mythical test-taker.

Reality helps with concepts, but not specifics.

He who says "At work we must do X and Y so that Z can then happen" has strayed from the path of wisdom.

He who says "I can imagine a scenario where X and then Y could lead to Z" has gone even further off the path.

Even a silly sounding policy is always correct.

Involve management.

Protocol analyzers have many important security uses.

Know the crypto flowcharts to visualize the answer. How do you do these, which key is used first by the sender, and which key is used last by the receiver:
• Symmetric encryption for confidentiality
• Asymmetric encryption for confidentiality
• Asymmetric encryption for authentication
• Digital signature

Be able to put things into order.
"What is the first step ... last step in this process?"
"Which is the most ... least intrusive vulnerability analysis?"
"Order of volatility (OOV) is"
 1: Memory/CPU registers and processes
 2: Routing and ARP tables
 3: Swap and temporary files
 4: Disk drives read with a read-only controller
 5: Logs
 6: Physical configuration
 7: Backups

Be able to put things into categories within sets.
Detective, Preventative, Corrective
Technical, Management, Operational
Symmetric, Asymmetric
Encrypting, Encoding, Hashing
Authenticating, Authorizing, Auditing
and so on.

When you are told the name, job title, department, and the often-irrelevant current task of every player in a little story, read past those quickly. They're there to slow you down.


The best way I can describe this is to warn you to be careful about language.

Some questions include a list of things that are true, that are useful, and they appear within the list of choices. Be careful to find what they are asking for within that list. For example, a question might look like this:

Question: You want to use a system that can protect communication by authenticating the server, and also providing a copy of the server's public key in a trustworthy format. A provider of trusted certificates will only provide one when you follow their rules. There is a protocol that you can use to check in real time whether a certificate should be trusted or not. You must have a copy of the currently untrusted certificates locally, to reduce network traffic. Rather than a complete copy of the key, you may refer to its hash instead. There are ways to prevent a breach today from exposing secrets based on keys in the past. What do you need?

E: thumbprint


Each of the sentences in the above question refers to one of the choices, and I have made it easy by putting the choices in the same order:
"a system that can ..." = TLS or Transport Layer Security
"the rules" = CPS or Certificate Practices Statement
"a protocol" = OCSP or Online Certificate Status Protocol
"copy of the revoked keys" = CRL or Certificate Revocation List
"its hash" = thumbprint
"exposure today doesn't expose keys from the past" = PFS or Perfect Forward Secrecy.

You have to work backward through the English. "What do you need?" is the actual question. All the choices are relevant and true, but only one answers the question.

One of the sentences says "You must have", versus stating that item X provides feature Y and so on.

That one corresponds to a local copy of the CRL, which is a relatively uncommon or unneeded step. This makes it a better question from the CompTIA point of view. Less common makes it more challenging.

Yes, the question is sort of about TLS in general. But the question, once we find it, is about a specific topic (having a list of invalid keys) rather than about TLS in general (authenticating the server and its public key).

Network+ Knowledge

I have heard from two sources that the U.S. Department of Defense and CompTIA have had some rather intense discussions.

The first story that I heard described how, around late 2017, US DoD told CompTIA to quit the nonsense with questions about mid-1990s concerns, like Thicknet and Teardrop and Smurf Amplifiers. And also, cut out all the fiction, all the questions where you have to pick a specific wrong answer to get the point.

The second story described CompTIA's exasperation at the number of test-takers who didn't know much at all about networking. OK, DoD people, realize that:

CompTIA expects that most people taking Security+ have already passed Network+, or they could pass it if they took it.

Know Basic Network Command Output

I think that CompTIA is trying to include some of the CEH (or Certified Ethical Hacker) requirement to recognize basic command output. Not much, just a little. But they want you to do some very introductory level CEH work of interpreting tool output.

You need to interpret the output of commands showing IP address assignment, ping, traceroute, and, I think, netstat.

This doesn't seem to be mentioned at all in CompTIA's description of their exam, so I will briefly explain.

IP Address Assignment


The old way on Linux involves the ifconfig command:

$ ifconfig
enp3s0    Link encap:Ethernet  HWaddr 42:01:0a:8a:00:03
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::4001:aff:fe8a:3/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:148 errors:0 dropped:0 overruns:0 frame:0
          TX packets:213 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:44485 (44.4 KB)  TX bytes:32929 (32.9 KB)

lo        Link encap:Local Loopback  
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1840 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1840 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:554583 (554.5 KB)  TX bytes:554583 (554.5 KB)

wlo1      Link encap:Ethernet  HWaddr 68:a3:c4:70:f1:73  
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::c87a:16ce:3a61:8f0c/64 Scope:Link
          RX packets:58124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:74797563 (74.7 MB)  TX bytes:3995897 (3.9 MB)

We can no longer trust ifconfig; the ip command is the new way:

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 42:01:0a:8a:00:03 brd ff:ff:ff:ff:ff:ff
    inet brd scope link enp3s0:avahi
       valid_lft forever preferred_lft forever
    inet6 fe80::4001:aff:fe8a:3/64 scope link 
       valid_lft forever preferred_lft forever
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 68:a3:c4:70:f1:73 brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic wlo1
       valid_lft 172742sec preferred_lft 172742sec
    inet6 fe80::c87a:16ce:3a61:8f0c/64 scope link 
       valid_lft forever preferred_lft forever

What do you need to know about the above for the Security+ exam?

IPv4 addresses are 32-bit values. They are written as four base-10 numbers in the range 0-255, separated by dots. In the above, the software loopback or "localhost" interface lo gets,, the wired Ethernet interface enp3s0 gets, and the wireless interface wlo1 gets. It's "lo" for loopback, "e" for Ethernet, "wl" for wireless.

My page on IP addresses and subnets has far more than you need to know for Security+

In particular, you should recognize:

Loopback or lo is assigned, meaning that the first 8 bits or 127.*.*.* define the network. That means communication within this host only.

The wired Ethernet or enp3s0 was assigned, meaning that 169.254.*.* is the network itself, and is this device in particular. Know that 169.254.*.* is the "AutoConf" address block. An assignment here means that there is no DHCP server on this network.

The wireless Ethernet or wlo1 was assigned 192.168.*.* means "inside only" or private IP address space. means a chunk within that.

Simplified, this means:

127.*.*.* = "localhost", communication only within this one computer

169.254.*.* = "AutoConf", automatic configuration, called Bonjour or Rendezvous among other names by Apple. Communication within the LAN, there is no functioning DHCP server.

As for "link-only" or "inside-only" addresses, these are private IP address spaces:
10/8 = 10.*.*.*
172.16/12 = 172.16.*.* - 172.31.*.*
192.168/16 = 192.168.*.*
You need a NAT router, or a proxy gateway doing NAT, to communicate with external servers. CompTIA is fussy about the terms: what you usually use is actually NAT/PAT.


IPv6 addresses are 128 bits long, represented in base 16 or hexadecimal, 0-9 plus a-f, with colons between 16-bit or 4-character chunks; runs of zero chunks may be compressed together. You don't need to know much beyond:

::1 or ::1/128 = localhost in IPv6
fe80::*/64 = link-local-only IPv6, on the local LAN but not routable to the outside world.
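The address rules above, as an added example that is not from the original page: a parser for "ip addr" output that labels each address with the category Security+ expects you to recognize. The sample output is constructed (documentation-range addresses, the page's own interface names) because the page's copy has the addresses stripped; the category names are mine.

```python
import ipaddress
import re

# Constructed 'ip addr' output in the shape shown above, with addresses filled in.
IP_ADDR_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 42:01:0a:8a:00:03 brd ff:ff:ff:ff:ff:ff
    inet 169.254.7.42/16 brd 169.254.255.255 scope link enp3s0:avahi
    inet6 fe80::4001:aff:fe8a:3/64 scope link
3: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 68:a3:c4:70:f1:73 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic wlo1
    inet6 fe80::c87a:16ce:3a61:8f0c/64 scope link
"""

# The special blocks the page tells you to recognize, with the page's meaning.
# fe80::/10 is the whole link-local block; a host shows its address as fe80::.../64.
SPECIAL_BLOCKS = [
    ("127.0.0.0/8",    "localhost",  "communication only within this one computer"),
    ("169.254.0.0/16", "autoconf",   "AutoConf/link-local: no functioning DHCP server, LAN only"),
    ("10.0.0.0/8",     "private",    "10/8 private space: NAT/PAT needed to reach the Internet"),
    ("172.16.0.0/12",  "private",    "172.16/12 private space: NAT/PAT needed to reach the Internet"),
    ("192.168.0.0/16", "private",    "192.168/16 private space: NAT/PAT needed to reach the Internet"),
    ("::1/128",        "localhost",  "localhost in IPv6"),
    ("fe80::/10",      "link-local", "link-local IPv6: on the LAN, not routable to the outside world"),
]
SPECIAL_BLOCKS = [(ipaddress.ip_network(n), kind, desc) for n, kind, desc in SPECIAL_BLOCKS]

def classify(address):
    """Return (kind, description) for an address string, with or without a /prefix."""
    addr = ipaddress.ip_address(address.split("/")[0])
    for net, kind, desc in SPECIAL_BLOCKS:
        if addr in net:                      # False when the IP versions differ
            return kind, desc
    return "global", "globally routable IPv%d address" % addr.version

def interface_kind(name):
    """The page's naming rule: lo = loopback, e... = Ethernet, wl... = wireless."""
    if name == "lo":
        return "loopback"
    if name.startswith("wl"):
        return "wireless"
    if name.startswith("e"):
        return "wired Ethernet"
    return "other"

IFACE_RE = re.compile(r"^\d+: (\S+?)(?:@\S+)?: <([^>]*)>")   # '2: enp3s0: <FLAGS> ...'
ADDR_RE = re.compile(r"^\s+inet6? (\S+)")                      # '    inet 1.2.3.4/24 ...'

def parse_ip_addr(text):
    """Walk 'ip addr' output and return one record per address with its classification."""
    records, iface, flags = [], None, ""
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface, flags = m.group(1), m.group(2)
            continue
        m = ADDR_RE.match(line)
        if m and iface:
            kind, desc = classify(m.group(1))
            records.append({"iface": iface, "iface_kind": interface_kind(iface),
                            "addr": m.group(1), "kind": kind, "desc": desc,
                            "carrier": "NO-CARRIER" not in flags})
    return records

def dhcp_failures(records):
    """Interfaces sitting on a 169.254.*.* address: the page's 'no DHCP server' symptom."""
    return sorted({r["iface"] for r in records if r["kind"] == "autoconf"})
```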


Recognize errors. In the following, we are directly connected, plugged into the same switch. However, that other host isn't up. Our host,, is reporting that the target,, is unreachable. It recognizes that the target is on the same LAN, so it should be able to use ARP to find the target hardware address, but it can't.

$ ping
PING ( 56(84) bytes of data.
From icmp_seq=1 Destination Host Unreachable
From icmp_seq=2 Destination Host Unreachable
From icmp_seq=3 Destination Host Unreachable
From icmp_seq=4 Destination Host Unreachable

In the following, the host is a few router hops away and it isn't responding. Nothing came back. You might see some router between here and there reporting that it's unreachable. Here, it's silent failure.

$ ping
PING ( 56(84) bytes of data.

--- ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4079ms 

In the following, we asked for a name that doesn't exist. Either we misspelled it, or the relevant DNS server is lacking a record.

$ ping
ping: unknown host 


It's spelled tracert on Windows. Recognize DNS errors as above.

The output will resemble something like the following, with one line per router along the way, and three probes to each router. Line 1 is hop #1, line 2 is the router 2 hops away, and so on.

If you don't get a response within the timeout period, you see "*" instead of a time. A line with three stars means the router at that distance did not respond at all. If you see its name or IP address and then a mix of times and stars, it responded to some probes and timed out on others.

An unending series of probes that entirely timed out means either that it reached the target and the target didn't respond (very common for web servers), or that the network is broken beyond the last router that responded.

Finally, slightly inconsistent DNS configurations may make things a little more confusing.

Here is an example. I was staying at a hostel in Fukuoka, Japan, when I updated this page. I asked for a trace to the Purdue Federal Credit Union in West Lafayette, Indiana, U.S.A. I explicitly asked for the IP addresses to be converted back to fully-qualified domain names. Depending on your version of the tool, it may provide nothing but IP addresses by default.

This example shows some of the potential DNS oddities. The name is an alias, the canonical name is simply Then, the hosting company has not changed the PTR record mapping back from IP address to name. It used to do business as Purdue Employees Federal Credit Union, using the domain, which appears as the last hop.

$ traceroute --resolve-hostnames
traceroute to (, 64 hops max
 1  8.789 ms  5.242 ms  2.219 ms
 2 (  11.886 ms  18.253 ms  9.495 ms
 3 (  6.779 ms  7.018 ms  8.796 ms
 4 (  27.055 ms  54.929 ms  46.687 ms
 5  23.846 ms  32.668 ms  27.771 ms
 6  26.746 ms  31.092 ms  25.822 ms
 7 (  24.472 ms  29.946 ms  91.634 ms
 8 (  27.009 ms  32.079 ms  26.424 ms
 9  * * *
10 (  191.316 ms  430.565 ms  395.326 ms
11 (  392.432 ms  220.610 ms  203.536 ms
12  214.017 ms  374.270 ms  343.802 ms
13 ( [open]  462.688 ms  263.595 ms  399.409 ms

Hop #1 is the wireless access point in the hostel. is a private block of IP addresses commonly used by small routers.

Hops #2-4 are across the network in Japan.

Hops #5 and 6 are routers in the network. That network also belongs to, but they have not set up DNS pointer records and so we only see IP addresses, not names (I used the whois command to figure out who owned those addresses). You could say that this represents an error in the form of missing DNS data. It's really only a problem for easily interpreting traceroute output, so I would only select that as an error if I couldn't find anything else.

Hops #7 and 8 are across, a major network provider in Japan.

Hop #9 timed out all three times. That router dropped the timed-out packets, but it did not return ICMP error reports for that. Later steps returned results, so this router was not responding as expected although it could successfully forward packets. Again, I don't see this as an error, but I had to pick something, this seems to me to be a better choice than the lack of DNS pointer records for hops 5-6.

Hops #10 and 11 are across routers, a major world-wide provider. The round-trip times generally increase, but look how much larger they are for hop #10. The router at hop #8 was in Japan, then hop #10 was in the U.S.

Hop #12 is another router whose IP address doesn't resolve back to a name. The range (that is, through belongs to Wintek, a network provider in Lafayette, Indiana.

Hop #13 is the destination.

Other than the three sent to hop #9, all the individual packets returned ICMP reports. Sometimes just 1 or 2 packets will time out, and you see "*" instead of a time.

Sometimes you will notice that every packet is routed individually. The 3 packets sent with a given TTL may take different routes, leading to 2 or 3 hostnames or IP addresses reported on the corresponding line.
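The traceroute reading rules above, as an added example that is not from the original page: a parser for traceroute output that picks out silent hops, partial timeouts, hops with no PTR record, per-probe multipath, and the largest round-trip jump between consecutive responding hops. The trace is constructed with documentation addresses and made-up router names; it reproduces the situations discussed above rather than the page's real trace.

```python
import re
from statistics import median

# Constructed traceroute output: hops 1 and 4 have no PTR record (bare IP), hop 5
# never answers, hop 7 drops one probe, hop 8 is answered by two routers, and the
# round-trip time jumps at hop 6 the way an ocean crossing does.
TRACE_SAMPLE = """\
traceroute to www.example.org (203.0.113.80), 64 hops max
 1  192.168.0.1  8.789 ms  5.242 ms  2.219 ms
 2  gw1.isp.example (198.51.100.1)  11.886 ms  18.253 ms  9.495 ms
 3  core1.isp.example (198.51.100.9)  6.779 ms  7.018 ms  8.796 ms
 4  198.51.100.17  23.846 ms  32.668 ms  27.771 ms
 5  * * *
 6  edge1.transit.example (192.0.2.1)  191.316 ms  430.565 ms  395.326 ms
 7  edge2.transit.example (192.0.2.5)  392.432 ms * 203.536 ms
 8  198.51.100.33 (198.51.100.33)  214.017 ms  dist2.transit.example (192.0.2.9)  374.270 ms  343.802 ms
 9  www.example.org (203.0.113.80)  462.688 ms  263.595 ms  399.409 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# A hop line is a sequence of tokens: 'name (ip)', 'N ms', '*', or a bare address.
TOKEN_RE = re.compile(r"(\S+)\s+\(([^)]+)\)|(\d+(?:\.\d+)?)\s+ms|(\*)|(\S+)")

def parse_traceroute(text):
    """Return [(hop_number, [((name, ip), rtt_ms_or_None), ...]), ...]."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                        # the 'traceroute to ...' banner
        host, probes = (None, None), []
        for name, ip, rtt, star, bare in TOKEN_RE.findall(m.group(2)):
            if name:
                host = (name, ip)           # a later host token means another router answered
            elif bare:
                host = (bare, bare)         # no PTR record: only the IP is printed
            elif rtt:
                probes.append((host, float(rtt)))
            elif star:
                probes.append((host, None))
        hops.append((int(m.group(1)), probes))
    return hops

def silent_hops(hops):
    """Hops that answered none of their probes ('* * *')."""
    return [n for n, p in hops if p and all(r is None for _, r in p)]

def partial_timeouts(hops):
    """Hops that answered some probes and dropped others."""
    return [n for n, p in hops
            if any(r is None for _, r in p) and any(r is not None for _, r in p)]

def unresolved_hops(hops):
    """Hops shown by address only: missing DNS pointer data, not a network fault."""
    return [n for n, p in hops
            if any(h[0] == h[1] for h, _ in p if h[0] is not None)]

def multipath_hops(hops):
    """Hops whose probes were answered by more than one router."""
    return [n for n, p in hops if len({h for h, _ in p if h[0]}) > 1]

def largest_rtt_jump(hops):
    """(from_hop, to_hop, delta_ms) between consecutive responding hops, using the
    median of each hop's probes so a single slow probe doesn't dominate."""
    prev, best = None, (None, None, 0.0)
    for n, p in hops:
        rtts = [r for _, r in p if r is not None]
        if not rtts:
            continue                        # silent hop: compare across it
        med = median(rtts)
        if prev and med - prev[1] > best[2]:
            best = (prev[0], n, med - prev[1])
        prev = (n, med)
    return best
```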


The netstat command can display many things, depending on the command-line option. Routing table with -r, Ethernet interface statistics with -i, and so on.

The -a option asks for the state of all services, and -n means leave it numeric, don't try to use DNS to map back to host names. Here's a real example, from my server:

$ netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0   ESTABLISHED
tcp4       0      0        TIME_WAIT
tcp4       0      0         TIME_WAIT
tcp4       0      0   TIME_WAIT
tcp4       0      0   TIME_WAIT
tcp4       0      0         TIME_WAIT
tcp4       0      0     TIME_WAIT
tcp4       0      0   FIN_WAIT_2
tcp4       0    185   LAST_ACK
tcp4       0     31     LAST_ACK
tcp4       0      0     ESTABLISHED
tcp4       0      0    TIME_WAIT
tcp4       0      0    TIME_WAIT
tcp4       0      0     ESTABLISHED
tcp4       0   4582     ESTABLISHED
tcp4       0      0     TIME_WAIT
tcp4       0      0    TIME_WAIT
tcp4       0      0      TIME_WAIT
tcp4       0      0     TIME_WAIT
tcp4       0      0      TIME_WAIT
tcp4       0      0    ESTABLISHED
tcp4       0      0    FIN_WAIT_2
tcp4       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0         *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0           *.*                    LISTEN
udp4       0      0          *.*                    
udp4       0      0         *.*                    
udp4       0      0 *.123                  *.*                    
udp4       0      0 *.514                  *.*                    

"LISTEN" indicates that a service process is listening for connections. "ESTABLISHED" means that a client is currently connected and transferring data. Other TCP states, including "LAST_ACK", "TIME_WAIT", "FIN_WAIT_1", and "FIN_WAIT_2", indicate that we caught a connection in the process of being established or shut down.

Notice in the above that SSH is listening for new connections on TCP/22, and an SSH connection is currently established. That's me connected in from, running the netstat command.

My server accepts connections over HTTP (TCP/80) and immediately redirects the client to the same URL over HTTPS (TCP/443). That's called HTTPS redirect; it's best practice for security, and you need to know that on the test.

Let's say you instead saw just this output:

$ netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0   ESTABLISHED
tcp4       0      0        TIME_WAIT
tcp4       0      0         TIME_WAIT
tcp4       0      0         TIME_WAIT
tcp4       0      0     TIME_WAIT
tcp4       0      0    TIME_WAIT
tcp4       0      0    ESTABLISHED
tcp4       0      0       ESTABLISHED
tcp4       0      0       ESTABLISHED
tcp4       0      0       TIME_WAIT
tcp4       0      0       TIME_WAIT
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0         *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0           *.*                    LISTEN
udp4       0      0          *.*                    
udp4       0      0         *.*                    
udp4       0      0 *.123                  *.*                    
udp4       0      0 *.514                  *.*                    

The question might be:

Users are reporting that they can't access the financial department's secure web page. What is wrong?
A: The web server is down
B: The server is up but its web service isn't running
C: The certificate has expired
D: The certificate has been revoked
E: HTTPS isn't enabled
F: A firewall is blocking connections

The server is obviously running because I was able to run the command, so it isn't A.

The web service is running because one line shows that it's listening on port 80 and other lines show current connections on that port. So, it isn't B.

Problems with the certificate happen after the connection is established. They don't have anything to do with TCP connections, which is what netstat shows you. C and D could be problems, and users might describe their results as "can't access", but they're asking us about netstat output.

netstat tells us what's happening on that one system, so we don't see explicit information about what's happening out on the network. It won't tell us "a firewall is blocking connections". F could be a problem, but...

The answer is E, the web server process is not listening on port 443. We expect to see at least the one line saying "LISTEN". It might happen to not have any active connections at the moment, but it should be listening.
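The netstat reasoning above, as an added example that is not from the original page: a parser for the BSD-style "netstat -an" output shown (local and foreign endpoints written as address.port, "*" meaning any) that lists the listeners, counts connection states, and applies the question's logic. The sample output is constructed with documentation-range addresses, since the page's copy has its addresses stripped; it is not the author's server.

```python
from collections import Counter

# Constructed 'netstat -an' output: a web service on TCP/80 only, SSH on TCP/22,
# a mail service bound to loopback, and NTP and syslog over UDP.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 198.51.100.10.80       203.0.113.5.51234      ESTABLISHED
tcp4       0      0 198.51.100.10.80       203.0.113.6.40010      TIME_WAIT
tcp4       0      0 198.51.100.10.80       203.0.113.8.40022      LAST_ACK
tcp4       0      0 198.51.100.10.22       203.0.113.7.55012      ESTABLISHED
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.25           *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
udp4       0      0 *.123                  *.*
udp4       0      0 *.514                  *.*
"""

def split_endpoint(endpoint):
    """'198.51.100.10.80' -> ('198.51.100.10', '80'); '*.*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def parse_netstat(text):
    """One dict per socket line; the two header lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        lhost, lport = split_endpoint(f[3])
        fhost, fport = split_endpoint(f[4])
        rows.append({"proto": f[0][:3], "recv_q": int(f[1]), "send_q": int(f[2]),
                     "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": f[5] if len(f) > 5 else ""})   # UDP lines have no state
    return rows

def listening_ports(rows, proto="tcp"):
    """Ports with a LISTEN socket: the services this host offers."""
    return {int(r["local_port"]) for r in rows
            if r["proto"] == proto and r["state"] == "LISTEN"}

def exposed_listeners(rows):
    """TCP listeners not bound to loopback, so reachable from the network."""
    return {int(r["local_port"]) for r in rows
            if r["proto"] == "tcp" and r["state"] == "LISTEN"
            and not r["local_host"].startswith("127.")}

def state_counts(rows):
    """How many TCP sockets are in each state (LISTEN, ESTABLISHED, TIME_WAIT, ...)."""
    return Counter(r["state"] for r in rows if r["proto"] == "tcp")

def https_diagnosis(rows):
    """The exam question's reasoning: netstat shows only this host's sockets, so the
    one thing it can settle is whether anything is listening on TCP/443."""
    listening = listening_ports(rows)
    if 443 in listening:
        return "TCP/443 is listening; the cause is beyond netstat (certificate, firewall, ...)"
    if 80 in listening:
        return "E: HTTPS isn't enabled; the web service listens on TCP/80 only"
    return "B: the server is up but no web service is listening"
```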

Know Basic Linux and Windows File System Locations

There are now some questions where they give you lists of files and hashes at various times, and they ask you to identify which is the sign of an intrusion.

You have to know, at a very basic level, where some files are located and which will change during routine operation.

Windows File Tampering

They may show you that the hash for a file like one of the following has changed, and ask you what it means:
Those are parts of the operating system itself or the boot loader, so you have been seriously hacked. If "root kit" is a choice, select that.

Linux File Tampering

Don't panic, you don't need to know very much! But you may be asked questions that require you to know:

The kernel, the core of the OS itself, and how it boots, is based on files under /boot/*. A file vmlinuz* is the kernel itself, grub.cfg is the configuration file for the GRUB boot loader. It specifies how the kernel is loaded and started, and an attacker might boot it strangely to completely subvert security.

Executable programs relied upon by everyone including the system administrator and the operating system have bin (short for "binary") in their first or second element. That is:

Shared libraries, like DLL files in Windows, provide "one-step hacking" opportunities for an attacker. Modify a shared library, and you modify the behavior of all the dynamically linked programs, which will be most binaries on the system. They have lib (short for "library") in their first or second element. That is:

None of the things I have listed so far should change unexpectedly!

System configuration goes under /etc/* For the most part, these files shouldn't change. However...

Almost everything about a user except their password is defined in /etc/passwd, and the hash of their current password is stored in /etc/shadow. (Yes, everything was originally in passwd, then the password hash was moved to shadow)

So, creating and modifying users changes /etc/passwd. And, when a user changes their password, /etc/shadow changes. We expect those changes.

So let's say they showed you this:

/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:		5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls			b79f70b18538de0199e6829e06b547e079df8842

/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		9a4fb74ef00824d6e84785ad53d6fed364947778
/etc/hosts:		5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls			b79f70b18538de0199e6829e06b547e079df8842 

The file /etc/shadow changed, but we expect this, so the answer is that there's probably nothing to worry about.

What about this:

/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:		5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls			b79f70b18538de0199e6829e06b547e079df8842

/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		7c6fa9266a5abfa03d685ea7f7164393c984b710
/etc/shadow:		9a4fb74ef00824d6e84785ad53d6fed364947778
/etc/hosts:		5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls			b79f70b18538de0199e6829e06b547e079df8842 

Both /etc/shadow and /etc/passwd changed, you probably added a new user, adding one new line to each file. Or maybe you modified a user (changing passwd) and coincidentally someone changed their password (changing shadow). Again, no worry.

What about this?

/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:		5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls			b79f70b18538de0199e6829e06b547e079df8842

/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:		9c5bbcbdc2994a9835b8804b9ffa699935715a34
/bin/ls			b79f70b18538de0199e6829e06b547e079df8842 

Intrusion! Someone has modified a system configuration file! See /etc/hosts.

What about this?

/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:		5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls			b79f70b18538de0199e6829e06b547e079df8842

/boot/grub/grub.cfg:	6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:	cfc34c90281bbed47540c6288ec975a4602ee3df
/etc/passwd:		02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:		71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:		5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls			b79f70b18538de0199e6829e06b547e079df8842 

This is the worst of all! Someone has replaced the file containing the kernel. Once you reboot after such a change, you are running the intruder's operating system. This is a sign of a root kit.
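The file-tampering rules above, as an added example that is not from the original page: a script that compares two listings in the page's own "path: hash" format and applies its rules, that /etc/passwd and /etc/shadow may change routinely while anything else under /etc, anything with bin or lib in its first two path elements, and anything under /boot should never change. The listings reuse the hashes shown above; the severity levels and wording are mine.

```python
import re

# Listings in the page's 'path:<tab>hash' format, using the page's hashes.
# The /bin/ls line keeps the page's quirk of having no colon.
BASELINE = """\
/boot/grub/grub.cfg:   6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:  d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:           02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:           71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:            5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls                b79f70b18538de0199e6829e06b547e079df8842
"""
PASSWORD_CHANGED = """\
/boot/grub/grub.cfg:   6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:  d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd:           02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:           9a4fb74ef00824d6e84785ad53d6fed364947778
/etc/hosts:            5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls                b79f70b18538de0199e6829e06b547e079df8842
"""
KERNEL_REPLACED = """\
/boot/grub/grub.cfg:   6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0:  cfc34c90281bbed47540c6288ec975a4602ee3df
/etc/passwd:           02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow:           71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/hosts:            5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls                b79f70b18538de0199e6829e06b547e079df8842
"""

# path, optional colon, whitespace, then an MD5/SHA-1/SHA-2 style hex digest
HASH_LINE = re.compile(r"^(\S+?):?\s+([0-9a-fA-F]{32,128})$")

def parse_listing(text):
    """Map path -> hex digest; tolerates a missing colon and tab or space gaps."""
    result = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2).lower()
    return result

# Severity levels, ordered so the worst finding sorts first.
EXPECTED, UNKNOWN, INTRUSION, ROOTKIT = 0, 1, 2, 3

def classify_change(path):
    """Apply the page's rules to a file whose hash changed."""
    parts = path.strip("/").split("/")
    if parts[0] == "boot":
        return ROOTKIT, "kernel or boot loader replaced: root kit"
    if any(p.endswith("bin") for p in parts[:2]):          # /bin, /sbin, /usr/bin, /usr/sbin
        return INTRUSION, "system program modified"
    if any(p.startswith("lib") for p in parts[:2]):        # /lib, /lib64, /usr/lib, ...
        return INTRUSION, "shared library modified: affects every dynamically linked program"
    if path in ("/etc/passwd", "/etc/shadow"):
        return EXPECTED, "routine account or password change"
    if parts[0] == "etc":
        return INTRUSION, "system configuration file modified"
    return UNKNOWN, "unexplained change, investigate"

def compare(before_text, after_text):
    """Findings as (severity, path, reason), worst first."""
    before, after = parse_listing(before_text), parse_listing(after_text)
    findings = []
    for path in sorted(set(before) | set(after)):
        if path not in after:
            findings.append((INTRUSION, path, "file missing from the later listing"))
        elif path not in before:
            findings.append((UNKNOWN, path, "file not in the baseline"))
        elif before[path] != after[path]:
            sev, why = classify_change(path)
            findings.append((sev, path, why))
    findings.sort(key=lambda f: -f[0])
    return findings

def verdict(findings):
    """One-line answer in the style of the exam question."""
    if not findings:
        return "no changes"
    return {ROOTKIT: "root kit: the OS itself was replaced, reinstall from trusted media",
            INTRUSION: "intrusion: a file that should never change has changed",
            UNKNOWN: "unexplained change, investigate",
            EXPECTED: "routine change, nothing to worry about"}[findings[0][0]]
```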

Someone responded to this unannounced addition to the test by saying that CompTIA was probably just beta-testing potential Linux+ questions. No. The Linux+ test doesn't get into these issues at all. It's much more about "which command does what?" and memorizing the synopsis line and first paragraph of a large number of manual pages.

CompTIA Wants You To Know Some Specific Sayings

I don't know exactly what CompTIA means by some of these distinctive phrases. But that doesn't matter because all I need to know is that these are the right answers.

"Acceptable Use Policy is enforced with user education and content/URL filtering."
"Code of Ethics is a set of minimum expected behaviors."
"When a manager wants to introduce a new application, tell them to look at the risk analysis."
"Threat modeling predicts the most likely points of attack."
"MITM and replay attacks start by sniffing the network with a protocol analyzer."
"Vulnerability scanners are passive because they don't send exploits."
"Clients must use proxies or NAT to access the Internet."
"Fuzzing sends sequential or random data to a target."
"Check access logs daily."
"Highly complex computer-generated passwords are bad."
"Logs and audits enforce accountability."
"Audits attempt to reconcile activity against a standard (policy), and mysterious anomalies are likely to be problems."
"Quantitative" or "a metric" means numbers, and that's the best analysis. But for human behavior we're stuck with qualitative assessment.
"Disposal" means destroy the media, "sanitize" means wipe it for re-use.
"Disaster Recovery" means "as the hurricane is moving away."
"Business Continuity" means "3-4 days after and continuing from there."
"Contingency Planning" is for one very specific problem.
"The first step in risk assessment is an asset inventory."
"The first step in Disaster Recovery Planning is a Business Impact Analysis."
"Succession planning," sometimes "Compensating," is corrective.
"Job rotation" is preventative.
"Enforced vacation" is detective.
"Succession planning" is why Gerald Ford ended up as the President.
"Job rotation" might have kept Nixon and Agnew in office.
Spoofing is when a host pretends to be another host,
Impersonation is when a person pretends to be another person.
Cold sites require over one week to start.
Warm sites can start in under a week.
Hot sites are always ready right now, so they're expensive.
"Armored viruses resist analysis"
"Malicious invulnerable add-ons are software added to browsers to test the system with spyware, botnet software, etc."
"You cannot identify a zero-day attack. Except you can identify them with fuzzing, honeypots, host IPS, and network IPS. Network IPS can identify and stop in-progress zero-day attacks."
"An APT cannot be identified. Except you can identify one with host configuration baselines."
"Use a safe or vault to protect HSM, TPM, and portable media with signing keys and other highly sensitive data. Lock wireless access points inside rack cabinets (nice Faraday cage)."

Both behavior-based and anomaly-based IDS must observe for a while to learn the local baseline. They mention "exceptions or broken protocol rules" when they're talking about anomaly-based.
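The "observe for a while first" idea in miniature, as an added example rather than anything from the exam material: a learning phase records what normal looks like (here, connections per minute from one host, constructed numbers), and only then can the detection phase flag an observation as anomalous. The minimum-sample guard is an assumption of mine to show why a baseline learned from too little data is worthless.

```python
import statistics

# Constructed training observations: connections per minute from one host
# during the learning period, when the network was believed to be normal.
TRAINING = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13]

MIN_SAMPLES = 8   # assumed: refuse to "learn" from a baseline this short

def learn_baseline(samples):
    """Learning phase: record mean and spread of normal behavior."""
    if len(samples) < MIN_SAMPLES:
        raise ValueError("learning period too short to establish a baseline")
    return {"mean": statistics.mean(samples), "stdev": statistics.pstdev(samples)}

def is_anomalous(baseline, value, k=3.0):
    """Detection phase: flag anything more than k standard deviations from the mean."""
    if baseline["stdev"] == 0:
        return value != baseline["mean"]
    return abs(value - baseline["mean"]) > k * baseline["stdev"]

def classify(baseline, observations):
    """Label each new observation True (anomalous) or False (within baseline)."""
    return [(v, is_anomalous(baseline, v)) for v in observations]

if __name__ == "__main__":
    b = learn_baseline(TRAINING)          # mean 13.5, stdev 1.5, so threshold is 4.5
    print(classify(b, [14, 18, 19, 8]))   # [(14, False), (18, False), (19, True), (8, True)]
```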

Privilege escalation is used to mean two very different things; use the context to figure out which one they're talking about:

When they ask "What would be the very best way...", they are implying "...if expense and complexity don't matter."
For example: diesel generators, HSMs, Kerberos, biometric door locks, and SELinux in full enforcing mode. Kerberos and SELinux are free software, but complex to manage. The others cost a lot of money.

What Color Is The Sky in the CompTIA Universe?

CompTIA consistently insists that a number of things are not the way they are in the real world. Shrug and mark the correct answer.

All routers have ACLs and all are default deny. Always.

The entire Internet contains nothing but Windows desktops, plus a few Windows servers.
Except for once in a while Linux appears out of the blue: ssh / scp / sftp, root, SELinux (a.k.a. NSA Security-Enhanced Linux), /etc/passwd and /etc/shadow, plus the above about file system tampering.

NetStumbler is the only way to discover WLANs,
and AirSnort is the only way to break WEP.

Role-Based Access Control is an easy hierarchical way to administer authorizations.
(Because CompTIA thinks that Windows group policies are real RBAC)

CompTIA Likes to Confuse You

Here are some confusingly similar or overlapping topics ideal for setting up tricky multiple-choice questions:

CompTIA uses the phrase Rule-Based Access Control just to confuse you about Role-Based Access Control, which is what the rest of the world means by RBAC.

OTP stands for both One-Time Password (at first login you must change it) and One-Time Pad (the only truly secure cipher). MAC stands for three very different security concepts.

People in hats: White / Grey / Black
Techniques in boxes: White / Grey / Black (with Fuzzing)
IDS and anti-malware errors: False Positive / False Negative
Biometric authentication errors: False Acceptance / False Rejection
Behavior upon an error: Fail Safe / Fail Open

What do digital certificates contain?
    server's public key, or
    server's private key, or
    CA's public key, or
    CA's private key.

With lost phone questions, are we trying to track down and recover the hardware asset, or remotely wipe the data, or keep the finder from making calls on our bill? Or some combination of those goals?

This isn't trickiness, but many questions are effectively two or more questions in one. For example:

Julie, a left-handed Episcopalian network engineer in the software development department, needs to encrypt some large files containing sensitive customer data in order to fulfill compliance requirements. Her manager is emphasizing the importance because these are medical records. What should she use?

Once you have waded through the intentionally distracting and time-wasting clutter, you have the real question: How to encrypt large data sets? First part: The general answer is symmetric ciphers, but that isn't a choice. Second part: Now you have to look through the list for examples of those: AES and DES. Third part: Realize that AES is (by far) the better choice.

Security+ isn't Network+, except when it is

CompTIA assumes that this is your third certification. You probably got A+ (PC hardware and Windows desktop fundamentals) two or three years ago, and you did Network+ maybe a year ago, and you have been working in those areas since then, if not longer. Hmmm. Maybe.

This is despite Security+ being partly aimed at managers who need to talk to technical people without understanding the technology.

A glaring example is the presence of UDP and TCP port numbers plus three IP protocol numbers in the question pool. It just depends on luck: which questions you happen to draw. You might get no questions at all about these, but you might get 10 to 12 questions in which you need to know some of these numbers.

Protocol          TCP          UDP          IP protocol number
CIFS              445
DHCP                           67 / 68
DNS               53           53
FTP               20 / 21
FTP/S             990 / 989
HTTP/S            443
IMAP2             143
IMAP/S            993
Kerberos          88           88
LDAP              389          389
LDAP/S            636          636
MS SQL            1433
NetBIOS           139          139
POP3              110
POP3/S            995
RDP               3389
SNMP              161          161
SNMP trap         162          162
SSH, sftp, scp    22
Telnet            23
IPsec ESP                                   50
IPsec AH                                    51
IKE                            500
SIP               5060         5060

What about a study book?

The least bad one is the CompTIA Security+ Study Guide: Exam SY0-501 by Sybex. It's based on CompTIA's material, but that means that it only tells you some of the truth. I haven't noticed anything in that book that contradicts what they want you to say on the test, but:

  1. Some material on the test is not covered in the book.
  2. Some material in the book is not included in the test.

So you will waste some time, energy, and memory on things you don't really need to know, and you won't have seen some of the topics you need to know. And this is the best book available...

What About Other On-Line Practice Exams?

There are many on-line practice tests. Many of them contain irrelevant things that aren't on the real test, while omitting many things that are on the real test. Others are shady operators that move from domain to domain. Sometimes you will find that there are both .com and .org variants for a given domain, each of which redirects you to completely different unrelated domains.

There once was aiоtе, as in "all-in-one test king". In mid-2017 they seem to have migrated to briеfmеnо and then to briеfmеnо. By November 2017, the two briеfmеnоw domains had entirely different content, then a month later the .com one was an empty site. Meanwhile, aiоtе now directs you to еxamcollе, which has a mix of paid and supposedly free content.

Sybex, Transcender, and others run legitimate practice exam sites. That means that they don't have verbatim question content, but they're reasonably close.

Lead2Pass also has had test questions with very good explanations. has questions in the form of a game or a puzzle. The format is very different from the real test, but that's good as it makes you think about the same thing a different way. It has a few things that aren't in the real test, but during the last year or two of the SY0-401 exam, most of it exactly covered the content. has had questions, but what they claim are the answers are often wrong.

Warning: As of June 2018, it appears that neither Lead2Pass nor have SY0-501 material.

Further warning: While of course you would never look at "brain dump" sites with verbatim material, and therefore this warning is irrelevant... Some verbatim web sites have screen shots of actual questions, accompanied by wrong "explanations" of what the correct answers are.

A student from one course event got in touch with me later, saying that had been very helpful.

The Pictures I Draw When Teaching, and Lists

I draw several pictures when I teach the course. I also type up some lists. It's pretty much the same set of pictures and lists every time. If you took the course from me, you can download a typical set of them. But beware: these are from the SY0-401 version, I still need to capture a set from a SY0-501 course event.

Good luck!

Now you know a little more about how to think about the awful questions on this test.

Mark up Handout #1 to use it as your study guide. Go through the notes in the 3-ring binder and see what you highlighted. For the ones you don't yet know, highlight them on Handout #1. You might find some things mentioned on this page that you want to highlight or add to the handout.

Now you're on your way to making your own one-page crib sheet. The smaller your study guide or crib sheet becomes, the more you already know and the less you have to be reminded of.

Re-do the Short Quiz A versions to see how it's going. Then read sections of the textbook or look back through the acronyms or whatever as needed. When Short Quiz A becomes too easy, try Short Quiz B. Then "All Questions" for that domain.

Let us know how you did! Especially let us know if there were any surprises on the exam, any questions on topics we don't yet realize we need to cover.