Security+: Get with the Basics
This exam isn't designed to have much depth, but it does cover a wide range of security topics relevant to networking professionals.
by Andy Barkl
11/6/2002
As you may have noticed, in the past 18 months a greater emphasis has been
placed on computer and network security. As part of that, security certification
has become more popular, and many new titles are popping up to capture this
interest. One of these is the vendor-neutral, entry-level Security+ from the
Computing Technology Industry Association (CompTIA).
Most CompTIA exams are written for those relatively new to the IT industry,
and generally scratch only the surface of the technology covered. Security+
is no exception. It will test your knowledge on a wide range of security-related
topics, but it doesn't go into any real depth. CompTIA recommends two years
of networking experience for this exam. I personally recommend some hands-on
security experience, if only to give you the chance to work with many of the
tools and techniques covered on this exam -- some will be hard to master without
understanding the practical application. Even so, armed with one of the many
Security+ study guides that will soon flood the market, I believe most people
with the recommended level of experience will find the exam on the easy side.
Content Overview
The final version of the Security+ exam has not yet been released
(CompTIA has said only that it will go live in late 2002). I took the beta version
earlier this fall. It contained 125 multiple-choice questions and lasted two
hours. When released, the live exam will contain fewer questions and cost around
$199 (U.S.). To earn the certification, candidates must pass this one exam.
Once earned, Security+ certification is good for life.
Security+ features five main objective areas:
General Security Concepts (30 percent)
Communications Security (20 percent)
Infrastructure Security (20 percent)
Basics of Cryptology (15 percent)
Operational/Organizational Security (15 percent)
Most of the domains seemed equally weighted on the beta exam, but there are
certainly areas that can get more obscure than others. The following should
give you a general idea of what's covered by each. (A detailed list of the exam's
objectives can be found here.)
General Security Topics
General security concepts are just that, general. For instance, what is the
recommended minimum length a user's password should be? What network attack
method includes the attacker calling a user and pretending to be from the company's
support staff? Is it a virus or a Trojan horse that replicates itself from system
to system using various techniques? What is a form of two-factor authentication?
Tip: If you're new to security topics, an excellent book that can
get you up to speed in this area is "Computer Security Basics" from
O'Reilly.
Communications Security
This domain can include slightly more obscure topics. It will help if you're
well-versed in today's network security protocols. Do the acronyms VPN, RADIUS,
TACACS+, L2TP/PPTP, SSH, and IPSEC mean something to you? You need to know these
protocols (and many others) plus their uses to pass this domain. For example,
make sure you know the advantages of a VPN and how to create one, which remote
access protocols can be used to centrally authenticate users, and which OSI
layer the various protocols operate at.
Infrastructure Security
This domain requires that you understand firewalls, routers, switches, wireless
devices, modems and intrusion detection systems, to name a few. CompTIA also
expects candidates to be able to field questions regarding TCP port numbers,
access-control techniques, and of course, methods for securing wireless and
other devices.
Other objectives within this domain include securing network media, removable
media, security topologies, security baselines and application hardening. Can
you answer questions like: What is the most secure network media available?
What are the methods used to secure data on removable media? Is a DMZ a form
of a secure network topology? How can you create security baselines? If you
remove ActiveX controls, is that a method of application hardening? As you can
see, this domain is a step up from the first two, but still not too difficult.
Basics of Cryptology
Now it's time for some real fun. This domain includes objectives for security
algorithms and hashing. You'll also find concepts of cryptology, standards and
protocols, and key management/certificate lifecycle objectives. This is where
you'll need some of that network security experience that CompTIA didn't tell
you about but I think is required. Simply studying the different security algorithms
such as MD5, SHA, DES, 3DES and RSA will only leave you asking, what was that?
You really need to set up a lab where you can experiment with the different encryption
methods and truly understand the concepts behind each. After all, what fun is
it if you can't walk the walk?
The other half of this domain includes the PKI objective of certificates. Here
again you'll need to be familiar with the practical side of things, including
certificate issuance, revocation, expiration, suspension, renewal and destruction.
If you're running a Windows 2000 server network in your lab, it's fairly simple
to install and build a Certificate Server and get the hands-on experience that
you'll need for this section.
Operational/Organizational Security
This is where you'll find some of the more interesting objective areas
such as physical security, disaster recovery, forensics, education, and documentation.
Well, O.K., not all of them are very exciting, but a few are. For example, my
favorite is forensics. Investigation and gathering of evidence, to find wrongdoing
to prevent further misuse can be exciting. Of course, most of the time you may
be doing nothing more than securing the system to prevent accidental damage.
Physical security includes controlling access to systems and data, such as
the server room. Make sure you know all the methods used to control physical
access, such as card readers and biometrics.
For the disaster recovery section, you need a fairly solid understanding of
the baseline techniques and procedures. You should also be familiar with data
backup and restore strategies.
With business continuity, organizations will put public media relations
experts in place in case a network attack occurs. Then there are natural disasters that
can disrupt the business continuity. Should you install your hot site within
the same geographic boundaries as your primary site?
Policies and procedures are always a tough thing to deal with and get users
to adhere to. You should be familiar with the reasons for policies and procedures
and the necessities of writing, maintaining and enforcing them.
User education is one of the primary responsibilities of any network security
person or team, and the advantages of awareness campaigns to promote user compliance
are tremendous. Most network security problems or attacks in today's networks
are internal, and many of the problems can be attributed to user errors. Training
and education both need to play a bigger role in many of our corporate networks.
Documentation is the final objective in this domain -- usually the last thing
anyone ever completes. However, well-written, complete and up-to-date documentation
can make the difference between an ad-hoc network and one that is truly secure.
Preparing for Security+
Along with the recommended experience, CompTIA recommends (but does not require)
that you hold its A+ and Network+ certifications. I don't agree that you should
have A+ -- there's not much crossover here -- however, Network+ may be a good
idea for some, especially considering Security+'s heavy coverage of TCP/IP.
As I mentioned earlier, a flood of Security+ study guides is heading our way.
But if you don't want to wait for the market to shake these offerings out, you
can always pick up a more general security title. Auerbach
publishing offers a few titles, including the popular "Information
Security Management Handbook." Sybex
also has many security titles available, as do a wide variety of IT publishers.
Personally, I prefer the Auerbach books. While they're not designed to be used
as exam study guides, they contain the information you need and are also excellent
for technical reference.
Security+ preparation classes may also become widespread. But you can also
take a more general security class. I recently attended a course from SANS.
This organization has many courses to choose from, including Security Essentials,
which is designed for the new security person. SANS is also another resource
for security-related books.
Getting Secured
I think Security+ will be used by many to gauge one's awareness and basic understanding
of network security. It could even be used by employers for select user groups
as part of a security awareness campaign. At the very least, the exams and/or
the study guides developed for it should be required for an organization's technical
and support staff.
There are other security certifications available on the market today, but
most of them are geared towards the higher-level IT professional with the word
security in their job title. Security+ is for the rest of us, and does what
it's designed to do -- serve as a way to test baseline knowledge of this important
topic.
Andy Barkl, CCNP, CCDP, CISSP, MCT, MCSE:Security, MCSA:Security, A+, CTT+,
i-Net+, Network+, Security+, Server+, CNA, has over 19 years of experience in
the IT field. He's the owner of MCT & Associates LLC, a technical training
and consulting firm in Phoenix, Arizona. He spends much of his time in the classroom
but has also been responsible for many Microsoft Windows 2000, Exchange 2000,
and Cisco networking deployments for many clients across Arizona. He's also
the online editor for MCPMag.com, TCPMag.com, CertCities.com, and a contributing
author and editor for Sybex and Cisco Press. He hosts a multitude of exam preparation
chats monthly on MCPmag.com, TCPmag.com and CertCities.com. You can reach him
at andy.barkl@wetrainit.com.
57 user comments for "Security+: Get with the Basics"
12/13/02: Anonymous says:
More difficult than the CIW security professional exam.
12/19/02: Anonymous says:
Less difficult than the ISC2 CISSP exam. Although that exam is also a cakewalk.
1/27/03: Anonymous says:
Thanks for the review. It's pretty easy if you know your stuff.
2/25/03: Anonymous says:
very difficult
4/8/03: Anonymous says:
Don't rely on the Sybex book for a good test prep.
5/21/03: Jerry from New Jersey says:
Take your money to the track. The horse running in the third race is a better bet.
I used the TestTakers Book, Exam Cram and Transcenders. About 7 out of 10 questions were easy and found in the books. (Transcenders was not much help with this one.)
You need 764 out of 900 to pass. If all questions are equally weighted, that would be just under 85% correct. If you get a few poorly worded questions, a CompTIA special, and get hit with a few concepts that did not stick, it's really easy to miss the mark.
Unless you really need this certification, I would consider putting my money and efforts elsewhere.
6/5/03: Anonymous says:
I passed the CISSP no problem but have failed this exam after doing practice exams, reading books and working with security on a daily basis! Poorly worded questions and some security concepts that are a poor evaluation of knowledge.
6/6/03: Blaizze from Chicago says:
This exam requires a lot of soul searching. I sat for it twice already, and still no dice. You most definitely need to bring your "A" game for this one. I wouldn't say the questions are poorly worded all that much, because I managed to get within 5% of nailing it. I guess it's not too bad considering I have no IT experience. It's going to depend on how bad you want it.
Good Luck!
6/9/03: Kristofor from Denver says:
Very good exam from CompTIA. I was really surprised how difficult it was. Don't rely on Sybex or Mike Myers book. I used CISSP book to study for this one!!