(ISC)2 and CompTIA Want You To Fail — Here's How to Beat Their Language Tricks
A practitioner of cybersecurity,
or information assurance,
or however you classify and name it,
must be fluent in the local language.
You must understand and analyze the reports and descriptions you receive.
You must be able to clearly present your findings, and then educate, motivate, and guide decision makers and IT workers.
However, we definitely don't need the certification companies abusing language to exert control over the IT industry. Many of their questions test your ability to recognize and analyze English grammar in addition to memorizing cybersecurity acronyms. It's part of their effort to artificially drive the exam pass rates down.
Here is how to recognize and defeat some of their inappropriate, irrelevant, and unfair language trickery.
If English is not your first language, then you must be especially careful. However, their language tricks mislead everyone. I'll do my best here to pass along what I have figured out. I know that it's incomplete, but I also know that several people have found that the information I have here is very helpful.
Yes! The IT field isn't that difficult. Cybersecurity doesn't make it much more difficult (unless you are involved in cryptography research and development, of course). The certification companies want industry and government to believe that it's difficult, to provide some false value for their exams. They want people to have to struggle to pass. Partly because exam re-takes directly bring in more money. Partly because perceived difficulty leads to assumptions that the exams are meaningful, and that can lead to their exams being required for certain positions.
The certification companies have ridiculously overblown levels of self-importance. I watched a recorded Zoom conference for instructors approved by (ISC)2 to present courses using their course content. (And by the way, they explained that their course material is intentionally written to not be helpful for preparing for the exams!)
One of the (ISC)2 staff members in the session said something like: "Of course, we know that our exams require a great deal of preparation. Passing one of our flagship exams like CISSP or CCSP is equivalent to graduating from medical school or law school and then passing the associated board exams." Three other (ISC)2 staff members in the session were nodding vigorously with serious expressions.
What nonsense! It was a good thing that I was watching the recorded session instead of having been connected to the live session, because I would have chimed in with a rebuttal.
Here's the reality: Passing a CompTIA or (ISC)2 exam does not mean that you are especially knowledgeable about information technology in general or cybersecurity in particular. It only means that you have general knowledge in those areas, but more importantly, that you have either figured out their trickery or been very lucky in guessing.
I believe that I have figured out some of their nonsense and trickery, and I would like to help you. I feel as if I'm one of the astronomers observing the dim and mysterious objects beyond Neptune. I know there's something there. I have observed it multiple times, measuring it in various ways, and I have some information to share. But I know that there is more information that I simply cannot observe.
The certification companies use psychology and language to disorient and impair people attempting to pass their tests. How do I know this? At times they openly admit it while bragging about how difficult their exams are. However, only part of the difficulty comes from needing to understand the technology.
The exam question pools include several questions where the way to find the "correct" answer is to analyze some subtle language tricks. Will your exam include these language tricks? My best guess is that it will probably contain some. Because the question pools are large, and each exam is randomly generated, you might get fewer of these than I have seen, or possibly even none. But then you might get many more than I have ever encountered.
Verbs are the Key
Pay careful attention to the verbs in the questions and the answer choices.
Many questions in the question pools offer wrong answers, or distractors, that address far more important issues than whatever the question is really about. Answer what you are asked. Don't be distracted by excellent suggestions of unrelated conclusions or actions.
Carefully match what a potential answer's verb accomplishes to what the question's verb wants.
Consider AV or anti-malware software. It could:
- Prevent the malware from getting in.
- Detect that malware has gotten in.
- Mitigate the intrusion by preventing malware from spreading further.
- Correct the problem by quarantining or removing the hostile data.
An example question might look like this:
Example Question #1:
Jane, a senior database administrator at the hospital, is charged with protecting patient data. The hospital could face serious regulatory and financial penalties if patient medical or personal information is exposed in a breach. She must routinely monitor the database server's configuration and examine the output of the unified log collection and analysis system. Malware could lead to a security breach on the server, and that must be prevented. Where should anti-malware software be deployed?
- A. On the database server
- B. On the log analysis system
- C. On the firewall connecting the database server's LAN to the internal backbone
- D. On the central configuration management system
Certification exam questions frequently contain a paragraph of text, which will distract you with irrelevancies (what's her name? her job title? where?), make it hard to figure out what they're really asking for, and simply waste your very limited time.
The answer is C, because that's the only place you can prevent the malware from reaching the server holding the sensitive data. The key phrase in the question is must be prevented.
They're hoping that you will select A after all their distracting talk about the server. But AV software on the server will only be triggered after the malware is already on the server. Similarly, B and D could tell you about the intrusion after it's already underway.
The meaningful content in the question could be simplified to: "Malware reaching the database server must be prevented. Where should anti-malware software be deployed?"
Questions Aren't Related
If I had the above example question, I would definitely select putting the AV software on some screening device at the entry point to the target's network.
I think that the above example question (minus the unneeded clutter!) is actually a reasonable one, as it tests whether you understand the distinctions between prevent, detect, mitigate, and correct, and that's important to know.
However, the very next question on your exam might determine if you know what a reverse proxy is, and what it can and cannot do. A reverse proxy can protect the servers behind it by decrypting, scanning, and re-encrypting HTTPS traffic, but only because it terminates TLS itself: it holds the server's certificate and private key, and it only sees traffic for the services it fronts. Depending on what sorts of traffic flow to and from the database server, defensive software on the screening device may or may not protect against inappropriate data flows.
For example, a user with shell access on the database server might use SFTP, which never passes through the HTTPS proxy, to accidentally download an archive containing malware onto the server.
Or, a rogue user might use SFTP to exfiltrate sensitive data, either to hold it for ransom or to harm the organization's reputation.
If you have a question about reverse proxies, then for that question you must think about what must happen so that the screening device can read the traffic and then detect and block malware. After you finish that question, you are no longer thinking specifically of reverse proxies. If the next question describes a scenario with a screening or filtering device, assume that it is a router with ACLs or a firewall with rules and no ability to read encrypted traffic.
Deeper Into Grammar
So far, I think that what I have described is actually reasonable question content. Challenging, even a little tricky, but they're questions about IT and cybersecurity.
However, both CompTIA and (ISC)2 include questions that test whether you understand and notice subtleties of grammar. Specifically, verbal tense, aspect, and transitivity.
Which languages are Indo-European?
I grew up speaking English, and took some French in high school and Russian in college, and then recently did the Duolingo course in Greek. Those are Indo-European languages, along with English. So, while they are very different languages, there are some similarities. Most of it is nothing you would notice until you got deep into the study of multiple languages.
A native speaker of French, or Greek, or Russian would find the English language exam much more difficult than I would. I have no idea what the limited choice of translated exams is like. However, I'm pretty sure that the exams are created in English and then translated into some other languages, and I would expect that to make things even more confusing.
I have read that Mandarin, Cantonese, and other Chinese languages fully support expressing and understanding nuances of tense. A Chinese speaker can understand and discuss events happening in the past and the future just as well as I can. However, tense in Chinese languages is derived from context and isn't explicitly marked by changing the forms or the endings of verbs, or by using auxiliary verbs or other "small helper words" the way that Indo-European languages do.
If your first language is not Indo-European, then I'm afraid that the exams will be even more difficult yet!
Visiting Mons
I taught an (ISC)2 test-prep class for NATO at SHAPE, Supreme Headquarters Allied Powers Europe, outside Mons in Belgium. There were 14 people in the course, only two of whom were native English speakers — one from the UK and one from Canada. The ones from Italy, Poland, Spain, and Portugal were unhappy to hear about the English trickery, and the one from Turkey was even more upset. Turkish has an elaborate system of verb tenses unlike Indo-European languages.
So, let me try to explain these aspects of grammar that have nothing at all to do with computers or data security.
Verb Aspect and Tense
I was teaching an all-remote test-prep course from home one week, and I stumbled into a real-world example that will help me to get this across.
The class started at 9:00 each morning. I would get up and get ready, and have the all-remote virtual classroom environment set up by about 7:30. I would type a note into the chat box saying that I was going to the coffee shop a few blocks away, and I should be back in about 20 minutes.
When I got back with my bagel and coffee, I would type another note into the chat box, saying that I was back, I would be off-camera, but I would leave the speakers on and the volume turned up. So, just call out if you have a question. I would sit across the room, out of view of the camera, because no one wants to watch me eat a bagel up close to the camera.
When I had eaten my bagel, I would move back by the laptop used for the remote course. Then I would turn to the side and catch up on my email on the desktop beside me.
I would greet people as they checked in. Someone might see me on the screen without noticing what had scrolled up in the chat box, and ask whether I had gotten my breakfast yet, or if I was ready to answer some questions about what we had discussed the day before. When it was about 8:55, almost time to start, I might hold my large coffee cup up in front of the camera and say something about how I was fully caffeinated and ready to go, so they should also finish getting ready.
My large cup of coffee most mornings became a sort of running joke before class each day. But then it turned into a useful explanation.
The coffee shop is about four blocks from my home. There is a fire station half a block before getting there. One morning the fire fighters were washing the truck using the small hose they use to water some planters holding flowers. I was amused to think that the professionals might find such a small hose frustrating. I told the students about that, and one of them made a joke about how if they used the big hoses, they would blast the flowers across the street. We were doing a tedious test-prep course, so we appreciated any amusement or distraction.
However, it struck me that this provided a practical physical-world example. The next day, I said:
A couple of minutes ago, Jim asked me if I had gone
to the coffee shop and gotten breakfast yet,
because I hadn't waved my coffee cup in front of the camera.
[holding up my cup so they see it]
Yes! I walked to the coffee shop, got my breakfast, walked back, ate my bagel, and have already drunk most of my coffee.
I walked to the coffee shop. I went there, all the way, and so I got my breakfast. That happened, here's the evidence.
But how about yesterday morning when I told you about seeing them washing the fire truck? It would be somewhat strange and mysterious if I suddenly told you about seeing a fire truck for no apparent reason. I wanted my story to make some sense.
I was walking to the coffee shop and was walking past the fire station along the way. I definitely saw the fire truck. Now, did I continue past the fire station to the coffee shop? If I just told you about seeing something while I was walking there, you don't know if I continued on my way or not. But that wasn't important when I wanted to tell you about the fire truck. My trip was in progress, that's why I was there, but I may or may not have finished the trip.
I don't think this ever came up in English classes in school. I knew about this concept, I could make different points about things that happened or were happening in the past.
The Russian language makes a big deal about this, especially for verbs of motion. So, Russian classes in college were the first time it really was explained to me in a class.
My Russian class referred to this as verbal aspect, which can be perfective or imperfective. Easier terms for us ill-informed native English speakers would be complete and continuing.
A verb describing a complete action
concentrates on telling you that the action was finished.
Or, in the future, that it will finish.
Yesterday I walked to the coffee shop.
Tomorrow I will walk to the coffee shop.
I definitely went there yesterday, and fully intend to go there tomorrow.
A verb describing a continuing action
concentrates on telling you what was happening,
or what will be happening.
Finishing the job doesn't matter,
the point is that a specific action was or will be happening.
Yesterday I was walking to the coffee shop.
Tomorrow I will be walking to the coffee shop.
Reaching it isn't the point. The point is the ongoing activity. I probably passed or will pass the fire station, but I may or may not make it all the way to the coffee shop. Maybe I'm more interested in exercise than breakfast, and walking through the neighborhood is the important part.
Verbs of motion create a headache for Russian students,
because it's different words for the same activity
depending on whether it's complete or continuing.
Worse yet, it's completely different pairs of words
based on how you are moving —
walking, running, driving, riding something, and so on.
Yesterday I walked to the cafe.
Вчера я ходил в кафе.
Yesterday I was walking to the cafe.
Вчера я шёл в кафе.
Russian is Indo-European, and the five words in those Russian sentences are in the same order as the English ones (Russian just doesn't bother with articles like "the" and "a"). You don't need to know the Cyrillic alphabet to see that the sentences are identical except for the third word in each, the verb, and those are completely different: ходил (went there, a finished trip) versus шёл (was on the way there, a trip in progress).
English sort of cheats by using auxiliary words and some reasonably standardized suffix changes. Many English verbs follow this pattern:
Complete: "verb-ed" in the past, "will verb" in the future.
Continuing: "was verb-ing" in the past, "will be verb-ing" in the future.
People studying English as a foreign language must be frustrated by the irregular verbs like go, which mutates into went, have gone, and so on.
Let's See This Used In A Realistic Example Question
And so, back to cybersecurity and the point for the exam: Pay attention to the aspect of the verb in the question. Is it asking about an activity that was or will be finished? Or is it asking about an activity that was or will be happening? Select an answer that agrees with it. An example might be:
Example Question #2:
Jane, a senior database administrator at the hospital, is responsible for patient data protection. The hospital could face serious regulatory and financial penalties if patient medical or personal information were exposed in a breach. She must prevent malware from reaching the database server. As we know, there are many anti-malware products to choose from. Which should she select?
- A. Product A, which will quarantine boot sector viruses.
- B. Product B, which works by comparing traffic content to a list of known malware signatures.
- C. Product C, which is always monitoring traffic.
- D. Product D, which is known for having very low false-positive and false-negative rates.
What do you think?
A is awfully outdated. When was the last time you worried about boot sector viruses? One of them was the first computer virus for the IBM PC platform, back in 1986.
B, C, and D all sound good. C is a little silly, what products only run some of the time? But B is a short description of how traditional malware detection works, and D sounds like it's better than most products.
However, what's the key verb phrase in the question? Jane must prevent. It must happen, the software must finish the job. The others are those -ing continuing verbs, they describe some activities that might be underway.
I realize that A seems silly, it deals with an outdated threat and it might not do much else. But it's the only choice that completes a defensive action. Since the question asks for a completed action, and we have one complete-action choice and three continuing-action choices, I would lean strongly toward the complete will quarantine. The certification companies ask a lot of questions about outdated technology.
That Was Strange. Maybe Another Example?
Here's one that is very similar to one I saw on a cloud security exam:
Example Question #3:
Your company has decided to start selling products through your website, accepting payment by credit and debit cards. You will do this in a public cloud setting and your staff will administer the servers' operating systems and applications. A secure tunnel connects your cloud server to the payment processing firm. Your staff must install client-side certificates on your VMs so they can automatically authenticate into the payment processor. All purchase records (except, of course, not the CVV) will be stored in your virtual private cloud, in object storage protected by encryption. The payment processor returns values which you store in the purchase records to support any later refunds. What do you need?
Oof. Take your time. There's a lot here, and it seems like almost all of the choices are correct.
Actually, all of them are correct in some sense. Each of them accurately matches to a piece of the story that the question is telling. I've made it easier than it would be on the real exam by putting the answer choices in the same order as what they refer to:
- A. IaaS: "Your staff will administer the servers' operating systems and applications."
- B. TLS: "a secure tunnel."
- C. X.509v3: "client-side certificates."
- D. AES-CBC: "encryption" could be this.
- E. PCI-DSS: "except not the CVV" is a PCI-DSS requirement (the card verification code must not be stored after authorization).
- F. Tokenization: "the payment processor returns values."
Look at the verbs in the question. That long question is mostly narration and description. All six of the choices will (or could, for AES-CBC) be involved.
The actual question verb at the end asks what you need, what is required. The key verb phrase in the story within the question is must install. That's the only part that's stated as a requirement instead of being part of a story about things that were occurring. The answer is C, because client-side certificates are in X.509v3 format.
What Led Me To Believe I Had Figured This Out?
I first noticed this on a Security+ exam in March 2018, and then again on a CCSP exam in November 2018. For both exams it was near the end of the period where you could select an answer for a question, but then mark it for review and return to it later, possibly changing your mind.
Given the time restrictions, I had selected answers for some of these and marked them to return later. I had been mystified because it seemed like most if not all of the answers were correct.
When I returned to the first marked one on the Security+ exam, I somehow noticed the pattern that all were "correct" in a way, but only one said "must" or "required" or described a completed action.
I changed my answer to what I now believed was the better answer. Then I went to the other questions I had marked for review, and found the same thing. I had five or six such questions on that exam, and changed my answers on all of them.
As soon as I got out of the testing center, I sat down and wrote everything I could remember about the exam, including the topics or domains of these in this new odd pattern.
Then I looked at the report of my exam score. Of course it doesn't quote the exact questions you missed, but it says you missed two questions in a certain domain, one question in another, and so on. Apparently I had gotten all of these tricky ones correct.
When I did the CCSP exam eight months later, I kept this in mind. I had three or four questions that followed this pattern. I answered them with this new logic, marked them for review, and didn't change any when I went back to check them. Again, I didn't lose any points on their specific domains.
Of course, on the (ISC)2 exams you can no longer return to review and change your answers on a question, you must march through the entire exam in order. But armed with this knowledge in advance, I feel that I should have a pretty good chance of not being fooled by their tricks.
Through the following years, students in test-prep classes I taught and others have contacted me after their exam to thank me for helping them pass. Many especially mentioned this language issue.
As for the changes to the overall exam format: What (ISC)2 says on the obvious parts of their web site aimed at prospective examinees is very different from what they say in some printed brochures, and what they say in less obvious web pages.
They actually claim that their exams are more meaningful because they use psychological techniques to keep the examinee uncertain and stressed. Part of that is done by not allowing you to return to a question.
They very much prefer the Computerized Adaptive Testing or CAT in which your performance so far adjusts which questions you will see next. If you are doing well on the exam so far, you are given harder questions that, on the positive side, count for more so you finish the exam quicker. However, you have no idea of what is happening, and you will strongly feel that you must be doing worse. That, of course, greatly increases the stress.
These companies' exams measure how well you react to stress during an exam. Understanding the technology seems to be a much less important criterion.
Let's Do One More
Here's a similar example question. It's much more of a Security+ question than a CCSP question. But it tries to play the same trick:
Example Question #4:
Your CEO has met with the CEO of another company, and they have agreed to work together to develop a new service. Authentication and identity management will be connected across the two organizations. Given the sensitivity of the development project, user authentication and authorization will use a centralized server running the best available trusted third-party service. Users will receive identity and service tokens from a unified authentication and authorization service, which requires that system clocks be synchronized across the organizations. Applications will be limited to those written with the API of that service. What do you need?
I have again put the choices in the same order in which their concepts appear in the story:
- A. BPA: "The CEOs met and agreed..." is a business partnership agreement event.
- B. Federation: "Connecting IAM..."
- C. Kerberos: "Centralized server..."
- D. KDC: "Unified authentication and..." is the Kerberos Key Distribution Center.
- E. NTP: "Clock synchronization" is done by the Network Time Protocol.
- F. Kerberization: "Written to the API of..." means writing or modifying applications to use the Kerberos shared library.
The actual question asks what you need, and the clock synchronization, meaning NTP, is the only piece stated as a requirement. The answer is E.
Transitive or Intransitive, Active or Passive
There are a few more unexpected verb parts to this.
Some verbs take a direct object, a word that the verb directly acts upon. We say that the verb is transitive because it acts, or did act, or will act, on something specific.
I ate a bagel. I drank coffee.
Ate and drank are transitive verbs in those sentences. They tell what I did to the bagel and the coffee, the direct objects.
If the verb doesn't take a direct object, we say that it is intransitive.
I am sleepy. I will rest.
Am and will rest are intransitive verbs. They talk about states and actions that are or will be true, but they aren't directly applying an action to anything.
Very related to this is active versus passive verbs. An active verb tells about someone or something actually doing something. A passive verb tells about someone or something having some done to it.
I broke the lamp.
The lamp was broken.
Guides to good writing tell us to prefer active verbs. They tell the story more clearly, they make it more interesting.
This is more of a backup plan for me, but...
If I didn't know what to select, I very likely would be biased toward the ones with transitive, active verbs. Especially if the core of the question used one.
This Seems Very Strange and Irrelevant! Do I Really Need This?
I realize that it's unexpected and irrelevant. That's why they do this on the exams — people miss questions on topics they understand, more people fail, and the belief that these exams are meaningful grows. That's what the certification companies want!
Do you really need to know about this? Probably:
- Maybe you are going to do so well on the already tricky exam that you can afford to throw away the questions that you will get wrong by not knowing about this. Congratulations.
- Maybe you will be very lucky, and your randomly generated exam will happen to not include many questions that use this. That could happen.
I wouldn't want to skip over any points I could get!
I started telling people about this as soon as I noticed it and figured out what was going on. After that, multiple students got in touch with me after their exam to thank me for warning them about it.
They especially mentioned questions like my examples above, where it seemed as if all the choices were correct. Then they remembered what I had told them, looking for "must" or "required" or similar within a long story of a question, and looking at the possible answers to see which one completes a task versus the rest of them being part of a story about what was going on.
They usually remembered what topic or domain, and when they got the vague report at the end of the exam, it did not say that they had missed anything on that domain.
Good Luck on the Exam!
Watch out for the verbs!
I'm sorry to have to unload a pile of unwanted and apparently irrelevant details on you, but it does seem that the exam companies are inappropriately testing you for grammar. The exam companies write very poor questions. All of this shows that they're intentionally poor.