CompTIA Security+ SY0-401 Certification Exam Was A Dumpster Fire

Be Glad That CompTIA Replaced The Horrible SY0-401 Security+ Exam

The CompTIA SY0-401 Security+ exam was horrible. It required you to memorize a large set of fiction, saying certain wrong things to get the point, plus a large collection of ancient history, things that haven't mattered since the mid-1990s.

The good news is that they fixed much of that with the SY0-501 exam that came out in late 2017.

Go see the updated information for my suggestions on how to pass the current exam. But if you want to see my rant about just how horrible the SY0-401 exam was, continue...

The best way that I knew of to prepare for the CompTIA Security+ certification exam is to take the test-prep course that I used to teach. The most helpful thing of all is the quiz software you get with that course, as it is the most realistic simulation of the exam that I've seen. The next most helpful thing for final review is one of its handouts.

However, CompTIA, like (ISC)², doesn't want anyone to teach people how to better prepare for their exams. So, after some legal threats, the useful courses were retired.

I could imagine that a safe at CompTIA headquarters contains a book made up of a few hundred sentences, plus "Memorize this table of TCP and UDP port numbers, and also these inaccurate drawings of what we think RAID looks like." If you could memorize that book of sentences, like memorizing some ritual, you would know the answers to almost all of the questions. I know the exact form of some of those sentences. For example:

Acceptable use policy is enforced by URL and content filtering.

Yes, you could save two words and put it in the active voice, "URL and content filtering enforce acceptable use policy", but it's the first form that appears on the test.

Many are simple:

AES is the best symmetric cipher.

Kerberos is the best single-sign-on system.

Logs and audits enforce accountability.

Some take two sentences, the first will be in the question and the second is in the answer:

A manager wants to deploy a new application. Tell them "Refer to the risk analysis."

It can be helpful to know a little of the background:

Symmetric ciphers should be used on data. (Because they are efficient, and data can be large)

Asymmetric ciphers protect the negotiations and keys. (That is, they do the endpoint authentications and set up symmetric session keys)

Unfortunately, many are one to two decades out of data. You must know many details about WEP flaws instead of simply "WEP is flawed, WPA came later and is much better, and WPA/2 came after that and is better yet." Ten years after the brief fad of "war-chalking" had appeared and disappeared, a question about it appeared on the test (about 2013). Twenty years after most places had retired their last Thicknet Ethernet, a question appeared (2015).

This is not the study guide, this tells you how to use the study guide.

First use the quizzer software to see what you need to learn.

Then use the course notes to see if that jogs your memory. If not, read the relevant sections in the textbook.

Then mark Handout #1 to highlight what you need to review before the real test.

Suggestions

You can't take anything into the testing room, but make the crib sheet you would like to take in. The process of thinking back, "What do I need to know?", and organizing that and writing it down makes you learn it.

Think like a devious test writer. Let's say you're uncertain about this cluster of concepts: MTTR, MTBF, RTO, RPO, BCP, COO, DRP. Try to write your own multiple-choice questions involving these! Make it so it could be answered, but avoid giving away the answer. Then look at what you wrote — how could you make it tougher while still possible to answer? This will force you to think carefully about the topic, and realize how information still leaks through in the question and exposes some information about what choices are right or wrong.

Explain it to someone. Explain the concepts you find difficult to someone else. Maybe you have a study partner. If not, children are pretty tolerant of having things explained to them, and dogs are extremely tolerant. You have to think about a thing carefully to talk about it, and you have to come to some understanding to explain it.

Understand the test. Realize that the test does not try to measure if you are a skilled practitioner. The test is aimed at managers who need to communicate with technical experts. It's a vocabulary test to see if you can use the right words even if you don't really know much at all about what you're talking about.

CompTIA Security+ Philosophy

These aren't necessarily the answers themselves, but guidance for dealing with the exam questions.

A mile wide and an inch deep, go no deeper.

Pick the simple answer for the common case. No scenario is for you, it's for the mythical test-taker.

Reality helps with concepts, but not specifics.

He who says "At work we must do X and Y so that Z can then happen" has strayed from the path of wisdom.

He who says "I can imagine a scenario where X and then Y could lead to Z" has gone even further off the path.

Even a silly sounding policy is always correct.

Involve management.

Protocol analyzers have many important security uses.

Know the crypto flowcharts to visualize the answer. How do you do these, which key is used first by the sender, and which key is used last by the receiver:
• Symmetric encryption for confidentiality
• Asymmetric encryption for confidentiality
• Asymmetric encryption for authentication
• Digital signature
• HMAC

Be able to put things into order.
"What is the first step ... last step in this process?"
"Which is the most ... least intrusive vulnerability analysis?"
"Order of volatility (OOV) is"
1: Memory/CPU registers and processes
2: Routing and ARP tables
3: Swap and temporary files
4: Disk drives read with a read-only controller
5: Logs
6: Physical configuration
7: Backups

Be able to put things into categories within sets.
Detective, Preventative, Corrective
Technical, Management, Operational
Symmetric, Asymmetric
Encrypting, Encoding, Hashing
Authenticating, Authorizing, Auditing
and so on.

When you are told the name, job title, department, and the often-irrelevant current task of every player in a little story, read past those quickly. They're there to slow you down.

CompTIA Wants You To Know Some Specific Sayings

I don't know exactly what CompTIA means by some of these distinctive phrases. But that doesn't matter because all I need to know is that these are the right answers.

"Acceptable Use Policy is enforced with user education and content/URL filtering."

"Code of Ethics is a set of minimum expected behaviors."

"When a manager wants to introduce a new application, tell them to look at the risk analysis."

"Threat modeling predicts the most likely points of attack."

"MITM and replay attacks start by sniffing the network with a protocol analyzer."

"Vulnerability scanners are passive because they don't send exploits."

"Clients must use proxies or NAT to access the Internet."

"Fuzzing sends sequential or random data to a target."

"Check access logs daily."

"Highly complex computer-generated passwords are bad."

"Logs and audits enforce accountability."

"Audits attempt to reconcile activity against a standard (policy), and mysterious anomalies are likely to be problems."

"Quantitative" or "a metric" means numbers, and that's the best analysis. But for human behavior we're stuck with qualitative assessment.

"Disposal" means destroy the media, "sanitize" means wipe it for re-use.

"Disaster Recovery" means "as the hurricane is moving away."
"Business Continuity" means "3-4 days after and continuing from there."
"Contingency Planning" is for one very specific problem.

"The first step in risk assessment is an asset inventory."
"The first step in Disaster Recovery Planning is a Business Impact Analysis."

"Succession planning," sometimes "Compensating," is corrective.
"Job rotation" is preventative.
"Enforced vacation" is detective.

"Succession planning" is why Gerald Ford ended up as the President.
"Job rotation" might have kept Nixon and Agnew in office.

Spoofing is when a host pretends to be another host,
Impersonation is when a person pretends to be another person.

Cold sites require over one week to start.
Warm sites can start in under a week.
Hot sites are always ready right now, so they're expensive.

"Armored viruses resist analysis"

"Malicious invulnerable add-ons are software added to browsers to test the system with spyware, botnet software, etc."

"You cannot identify a zero-day attack. Except you can identify them with fuzzing, honeypots, host IPS, and network IPS. Network IPS can identify and stop in-progress zero-day attacks."

"An APT cannot be identified. Except you can identify one with host configuration baselines."

"Use a safe or vault to protect HSM, TPM, and portable media with signing keys and other highly sensitive data. Lock wireless access points inside rack cabinets (nice Faraday cage)."

Both behavior-based and anomaly-based IDS must observe for a while to learn the local baseline. They mention "exceptions or broken protocol rules" when they're talking about anomaly-based.

Privilege escalation is used to mean two very different things, use the context to figure out which one they're talking about:

During an annual review of user rights, you notice someone has accumulated privileges while rotating through jobs. There's no attack, but they no longer need some of those privileges.
During an attack, the intruder is replaying captured privileges or running a buffer overflow to transition from low-privileges user to sysadmin.

When they ask "What would be the very best way...", they are implying "...if expense and complexity don't matter."
For example: diesel generators, HSMs, Kerberos, biometric door locks, and SELinux in full enforcing mode.

CompTIA Wants You To Worry About Some Minor Things

These aren't wrong, but there are bigger things to worry about:

Spyware can spy on your browsing history.

Cross-Site Scripting can steal your webmail credentials.

Tell the guards if you find suspicious USB devices in the parking lot.

Bluetooth moves data at 1 Mbps.

Also see the outdated topics below.

What Color Is The Sky in the CompTIA Universe?

CompTIA consistently insists that a number of things are not the way they are in the real world. Shrug and mark the correct answer.

TCP Wrapper is a Linux-only technology that "wraps" TCP connections in SSL/TLS tunnels.

Cheroots are Linux sandboxes.
Those are small cigars, chroot is the real thing.

Kuberos is a single-sign-on system.
It's spelled Kerberos.

Risk = vulnerability × threat × value

Dipole antennas use higher power.

All routers have ACLs and all are default deny. Always.

The entire Internet contains nothing but Windows desktops, plus a few Windows servers.
Except for once in a while Linux appears out of the blue: ssh / scp / sftp, root, SELinux (a.k.a. NSA Security-Enhanced Linux), /etc/passwd and /etc/shadow.

NetStumbler is the only way to discover WLANs,
and AirSnort is the only way to break WEP.

Mitre's CVE archive is full of exploits.

Cloud computing includes something called "Management as a Service". It consists of those SaaS or Software as a Service tools that managers, not workers, might use. GMail, Google Docs, salesforce.com, etc are SaaS. Budget-planning or project-planning SaaS, however, is "Management as a Service".

Hash an image before and after you collect it.
(And just how am I to calculate the hash of something I don't have yet?)

Role-Based Access Control is an easy hierarchical way to administer authorizations.
(Because CompTIA thinks that Windows group policies are real RBAC)

The security of RSA is based on the difficulty of factoring large primes.
(No, prime numbers can't be factored. It's the difficulty of finding the prime factors of large non-prime numbers.)

P2P (or peer-to-peer file sharing) can be stopped by URL filtering. That contradicts the meaning of "peer to peer"!

CompTIA Congratulates Bill Clinton on his Recent Election

Welcome to the 1990s. CompTIA wants you to select answers that assumes these things are still true and important:

Smurf and Fraggle attacks still happen.
(but DNS and NTP amplification don't)

Advice Dog urges you to delete SYSTEM32 and make your PC faster.

Users still have permission to remove SYSTEM32 when a hoax e-mail tells them that will solve all their problems.

SYSTEM32 still contains the Windows OS.

We must still worry about Teardrop, a widespread vulnerability discovered and patched in 1997.

Kerberos still uses nothing but DES.
Even through RFC 6649 in 2012 deprecated the use of DES and other weak cryptographic algorithms in Kerberos.

People still use ThickNet Ethernet, and cause themselves trouble by removing the terminator at the end of the cable segment.

War-dialing attacks against modem banks and RAS are a big worry.

War Chalking is a new thing, it happens a lot, and you should worry about it. Tell the guards if you find any!

Viruses still spread on floppy disks.

Code Red and SQL Slammer are recent worms, and Back Orifice is a recent backdoor.

A database search returning 1,000 records is an enormous result and therefore suspicious.

Backups always involve magnetic tapes.

Malware still does obvious things so it's easy to catch. Spyware saturates your CPU, worms saturate your networks, and zombies communicate via ICQ.

Spammers use their own email addresses and clearly announce their offers in the subject line.

You frequently encounter ROT-13 encoding.
Apparently because people still read rec.jokes on USENET.

CompTIA Likes to Confuse You

Here are some confusingly similar or overlapping topics ideal for setting up tricky multiple-choice questions:

CompTIA uses the phrase Rule-Based Access Control just so they confuse you about Role-Based Access Control, which is what the rest of the world means by RBAC.

OTP stands for both One-Time Password (at first login you must change it) and One-Time Pad (the only truly secure cipher). MAC stands for three very different security concepts.

With the SYO-401 version in August 2014 they added some terms just to make things more confusing. For example:

DHE stands for both "Data-Handling Electronics" and "Diffie-Hellman Ephemeral".
ISSO (Information Systems Security Officer) versus ESSO (Enterprise Single Sign-On)
SCAP (Security Content Automation Protocol) versus SCEP (Simple Certificate Enrollment Protocol)
Waterfall (software project management concept) versus Whirlpool (hash function)

SYO-401 also added more management terminology that yes, has to do with the management of projects that can help security, but the terms aren't the security itself and add confusion over only vaguely connected concepts.

BPA = Business Partnership Agreement
CAR = Corrective Action Report
CTO = Chief Technology Officer
IRP = Incident Response Procedure
ISA = Interconnection Security Agreement
ISSO = Information Systems Security Officer
ITCP = Information Technology Contingency Planning
MOU = Memorandom of Understanding
RAD = Rapid Application Development
SDLC = Software Development Life Cycle
SDLM = Software Development Lifecycle Methodology
SEIM = Security Information and Event Management
SOAP = Simple Object Access Protocol
UAT = User Acceptance Testing
VDI = Virtual Desktop Infrastructure
VTC = Video Teleconferencing

Watch out for answers that are true "by the letter of the law" even though they would be bad choices. WEP, PPTP, and DES do encrypt even though the first two are flawed designs and the third is no longer considered secure enough. MD5 is a cryptographic hash function, even though it has weaknesses.

People in hats:	White	Grey	Black
Techniques in boxes:	White	Grey	Black (with Fuzzing)

IDS and anti-malware errors:	False Positive	False Negative
Biometric authentication errors:	False Acceptance	False Rejection
Behavior upon an error:	Fail Safe	Fail Open

Where does steganography hides data in images?
    most significant bit, or
    least significant bit, or
    most significant byte, or
    least significant byte.

What do digital certificates contain?
    server's public key, or
    server's private key, or
    CA's public key, or
    CA's private key.

With lost phone questions, are we trying to track down and recover the hardware asset, or remotely wipe the data, or keep the finder from making calls on our bill? Or some combination of those goals?

This isn't trickiness, but many questions are effectively two or more questions in one. For example:

Julie, a left-handed Episcopalian network engineer in the software development department, needs to encrypt some large files containing sensitive customer data in order to fulfill compliance requirements. Her manager is emphasizing the importance because these are medical records. What should she use?
RSA
AES
DES
ECC

Once you have waded through the intentionally distracting and time-wasting clutter, you have the real question: How to encrypt large data sets? First part: The general answer is Symmetric ciphers but that isn't a choice. Second part: Now you have to look through the list for examples of those: AES and DES. Third part: Realize that AES is (by far) the better choice.

Security+ isn't Network+, except when it is

Someone told me that they think that CompTIA assumes that this is your third certification. You probably got A+ (PC hardware and Windows desktop fundamentals) two or three years ago, and you did Network+ maybe a year ago. Hmmm. Maybe.

CompTIA doesn't explicitly say that (at least not that I've noticed), and much of Security+ seems to be aimed at managers who need to talk to technical people without understanding the technology, but it's a reasonable way of explaining many of the test oddities.

A glaring example is the presence of UDP and TCP port numbers plus three IP protocol numbers in the question pool. It just depends on luck, which questions you happen to draw. You might get no questions at all about these, but you might get 10 to 12 questions in which you need to know some of these numbers. Some could come out of the network domain itself, but there can be questions in the authentication and identity management domain that ask about this detail of SSH or RADIUS or LDAP or (since this is CompTIA) Telnet.

Protocol	TCP port	UDP port	IP proto
CIFS	445
DHCP		67 / 68
DNS	53	53
FTP	20 / 21
FTP/S	990 / 989
HTTP	80
HTTP/S	443
IMAP2	143
IMAP/S	993
Kerberos	88	88
LDAP	389	389
LDAP/s	636	636
MS SQL	1433
NetBIOS	139	139
POP3	110
POP3/S	995
RADIUS		1812
RDP	3389
SMTP	25
SNMP	161	161
SNMP trap	162	162
SSH, sftp, scp	22
TACACS	49
Telnet	23
ICMP			1
IPsec ESP			50
IPsec AH			51
IKE		500
SIP	5060	5060

What about a study book?

The least bad one is the CompTIA Security+ Study Guide: SY0-401 by Sybex. It's based on CompTIA's material, but that means that it only tells you some of the truth. I haven't noticed anything in that book that contradicts what they want you to say on the test, but:
• Some material on the test is not covered in the book.
• Some material in the book is not included in the test.
So you will waste some time, energy, and memory on things you don't really need to know, and you won't have seen some of the topics you need to know. And this is the best book available...

Amazon
ASIN: 1118875079

What About Other On-Line Practice Exams?

There are many on-line practice tests. Many of them contain many irrelevent things that aren't on the real test, while omitting many things that are on the real test. Others are shady operators that move from domain to domain. Sometimes you will find that there are both .com and .org variants for a given domain, each of which redirects you to completely different unrelated domains.

There once was aiоtеstking.com, as in "all-in-one test king". In mid-2017 they seem to have migrated to briеfmеnоw.com and then to briеfmеnоw.org. By November 2017, the two briеfmеnоw domains had entirely different content, then a month later the .com one was an empty site. Meanwhile, aiоtеstking.com now directs you to еxamcollеction.com, which has a mix of paid and supposedly free content.

Sybex, Transcender, and others run legitimate practice exam sites. That means that they don't have verbatim question content, but they're reasonably close.

Lead2Pass Cram.com

Lead2Pass also has test questions with very good explanations.

Cram.com has questions in the form of a game or a puzzle. The format is very different from the real test, but that's good as it makes you think about the same thing a different way. It has a few things that aren't in the real test, but most of it exactly covers the content.

Quizlet

A student from one course event got in touch with me later, saying that Quizlet.com had been very helpful.

The Pictures I Draw When Teaching

I draw several pictures when I teach the course. I also type up some lists. It's pretty much the same set of pictures and lists every time. If you took the course from me, you can download a typical set of them.

Good luck!

Now you know a little more about how to think about the awful questions on this test.

Mark up Handout #1 to use it as your study guide. Go through the notes in the 3-ring binder and see what you highlighted. For the ones you don't yet know, highlight them on Handout #1. You might find some things mentioned on this page that you want to highlight or add to the handout.

Now you're on your way to making your own one-page crib sheet. The smaller your study guide or crib sheet becomes, the more you already know and the less you have to be reminded of.

Re-do the Short Quiz A versions to see how it's going. Then read sections of the textbook or look back through the acronyms or whatever as needed. When Short Quiz A becomes too easy, try Short Quiz B. Then "All Questions" for that domain.

Let us know how you did! Especially let us know if there were any surprises on the exam, any questions on topics we don't yet realize we need to cover.

To the Cybersecurity Page