CertCities.com -- The Ultimate Site for Certified IT Professionals
Keep on Top of the Latest Certification News: Subscribe to CertCities.com Newsletter Share share | bookmark | e-mail
  Microsoft®
  Cisco®
  Security
  Oracle®
  A+/Network+"
  Linux/Unix
  More Certs
  Newsletters
  Salary Surveys
  Forums
  News
  Exam Reviews
  Tips
  Columns
  Features
  PopQuiz
  RSS Feeds
  Press Releases
  Contributors
  About Us
  Search
 

Advanced Search
  Free Newsletter
  Sign-up for the #1 Weekly IT
Certification News
and Advice.
Subscribe to CertCities.com Free Weekly E-mail Newsletter
CertCities.com

See What's New on
Redmondmag.com!

Cover Story: IE8: Behind the 8 Ball

Tech-Ed: Let's (Third) Party!

A Secure Leap into the Cloud

Windows Mobile's New Moves

SQL Speed Secrets


CertCities.com
Let us know what you
think! E-mail us at:



 
 
...Home ... Editorial ... Exam Reviews ..Exam Review Article Thursday: February 2, 2012



Security+: Get with the Basics
This exam isn't designed to have much depth, but it does cover a wide range of security topics relevant to networking professionals.


by Andy Barkl

11/6/2002 -- As you may have noticed, in the past 18 months a greater emphasis has been placed on computer and network security. As part of that, security certification has become more popular, any many new titles are popping up to capture this interest. One of these is the vendor-neutral, entry-level Security+ from the Computing Technology Industry Association (CompTIA).

Most CompTIA exams are written for those relatively new to the IT industry, and generally scratch only the surface of the technology covered. Security+ is no exception. It will test your knowledge on a wide-range of security related topics, but it doesn't go into any real depth. CompTIA recommends two years of networking experience for this exam. I personally recommend some hands-on security experience, if only to give you the chance to work with many of the tools and techniques covered on this exam -- some will be hard to master without understanding the practical application. Even so, armed with one of the many Security+ study guides that will soon flood the market, I believe most people with the recommended level of experience will find the exam on the easy side.

Content Overview
The final version of the Security+ exam has not yet been released (CompTIA has said only that it will go live in late 2002). I took the beta version earlier this fall. It contained 125 multiple-choice questions and lasted two hours. When released, the live exam will contain fewer questions and cost around $199 (U.S.). To earn the certification, candidates must pass this one exam. Once earned, Security+ certification is good for life.

Security+ features five main objective areas:

  • General Security Concepts (30 percent)
  • Communications Security (20 percent)
  • Infrastructure Security (20 percent)
  • Basics of Cryptology (15 percent)
  • Operational/Organizational Security (15 percent)

Most of the domains seemed equally weighted on the beta exam, but there are certainly areas that can get more obscure than others. The following should give you a general idea of what's covered by each. (A detailed list of the exam's objectives can be found here.)

General Security Topics
General security concepts are just that, general. For instance, what is the recommended minimum length a user's password should be? What network attack method includes the attacker calling a user and pretending to be from the company's support staff? Is it a virus or a Trojan horse that replicates itself from system to system using various techniques? What is a form of two-factor authentication?

Tip: If you're new to security topics, an excellent book that can get you up to speed in this area is "Computer Security Basics" from O'Reilly.

Communications Security
This domain can include slightly more obscure topics. It will help if you're well-versed in today's network security protocols. Do the acronyms VPN, RADIUS, TACACS+, L2TP/PPTP, SSH, and IPSEC mean something to you? You need to know these protocols (and many others) plus their uses to pass this domain. For example, make sure you know the advantages of a VPN and how to create one, which remote access protocols can be used to centrally authenticate users, and which OSI layer the various protocols operate at.

Infrastructure Security
This domain requires that you understand firewalls, routers, switches, wireless devices, modems and intrusion detection systems, to name a few. CompTIA also expects candidates to be able to field questions regarding TCP port numbers, access-control techniques, and of course, methods for securing wireless and other devices.

Other objectives within this domain include securing network media, removable media, security topologies, security baselines and application hardening. Can you answer questions like: What is the most secure network media available? What are the methods used to secure data on removable media? Is a DMZ a form of a secure network topology? How can you create security baselines? If you remove ActiveX controls, is that a method of application hardening? As you can see, this domain is a step-up from the first two, but still not too difficult.

Basics of Cryptology

Now it's time for some real fun. This domain includes objectives for security algorithms and hashing. You'll also find concepts of cryptology, standards and protocols, and key management/certificate lifecycle objectives. This is where you'll need some of that network security experience that CompTIA didn't tell you about but I think is required. Simply studying the different security algorithms such as MD5, SHA, DES, 3DES and RSA will only leave you asking, what was that? You really need to setup a lab where you can experiment with the different encryption methods and truly understand the concepts behind each. After all, what fun is it if you can't walk the walk?

The other half of this domain includes the PKI objective of certificates. Here again you'll need to be familiar with the practical side of things, including certificate issuance, revocation, expiration, suspension, renewal and destruction. If you're running a Windows 2000 server network in your lab, it's fairly simple to install and build a Certificate Server and get the hands-on experience that you'll need for this section.

Operational/Organizational Security
This is where you'll find some of the more interesting objective areas such as physical security, disaster recovery, forensics, education, and documentation. Well, O.K., not all of them are very exciting, but a few are. For example, my favorite is forensics. Investigation and gathering of evidence, to find wrongdoing to prevent further misuse can be exciting. Of course, most of the time you may be doing nothing more than securing the system to prevent accidental damage.

Physical security includes controlling access to systems and data, such as the server room. Make sure you know all the methods used to control physical access, such as card readers and biometrics.

For the disaster recovery section, you need a fairly solid understanding of the baseline techniques and procedures. You should also be familiar with data backup and restore strategies.

With business continuity, organizations will put in place public media relations experts in case a network attack occurs. Then there are natural disasters that can disrupt the business continuity. Should you install your hot site within the same geographic boundaries as your primary site?

Policies and procedures are always a tough thing to deal with and get users to adhere to. You should be familiar with the reasons for policies and procedures and the necessities of writing, maintaining and enforcing them.

User education is one of the primary responsibilities of any network security person or team, and the advantages of awareness campaigns to promote user compliance are tremendous. Most network security problems or attacks in today's networks are internal, and many of the problems can be attributed to user errors. Training and education both need to play a bigger role in many of our corporate networks.

Documentation is the final objective in this domain -- usually the last thing anyone ever completes. However, well written, complete and up-to-date documentation can make the difference between an ad-hoc network and one that is truly secure.

Preparing for Security+
Along with the recommended experience, CompTIA recommends (but does not require) that you hold its A+ and Network+ certifications. I don't agree that you should have A+ -- there's not much crossover here -- however, Network+ may be a good idea for some, especially considering Security+'s heavy coverage of TCP/IP.

As I mentioned earlier, a flood of Security+ study guides is heading our way. But if you don't want to wait for the market to shake these offerings out, you can always pick up a more general security title. Auerbach publishing offers a few titles, including the popular "Information Security Management Handbook." Sybex also has many security titles available, as do a wide variety of IT publishers. Personally, I prefer the Auerbach books. While they're not designed to be used as exam study guides, they contain the information you need and are also excellent for technical reference.

Security+ preparation classes may also become widespread. But you can also take a more general security class. I recently attended a course from SANS. This organization has many courses to choose from, including Security Essentials, which is designed for the new security person. SANS is also another resource for security-related books.

Getting Secured
I think Security+ will be used by many to gauge one's awareness and basic understanding of network security. It could even be used by employers for select user groups as part of a security awareness campaign. At the very least, the exams and/or the study guides developed for it should be required for an organization's technical and support staff.

There are other security certifications available on the market today, but most of them are geared towards the higher-level IT professional with the word security in their job title. Security+ is for the rest of us, and does what it's designed to do -- serve as a way to test baseline knowledge of this important topic.

 


Andy Barkl, CCNP, CCDP, CISSP, MCT, MCSE:Security, MCSA:Security, A+, CTT+, i-Net+, Network+, Security+, Server+, CNA, has over 19 years of experience in the IT field. He's the owner of MCT & Associates LLC, a technical training and consulting firm in Phoenix, Arizona. He spends much of his time in the classroom but has also been responsible for many Microsoft Windows 2000, Exchange 2000, and Cisco networking deployments for many clients across Arizona. He's also the online editor for MCPMag.com, TCPMag.com, CertCities.com, and a contributing author and editor for Sybex and Cisco Press. He hosts a multitude of exam preparation chats monthly on MCPmag.com, TCPmag.com and CertCities.com. You can reach him at .


More articles by Andy Barkl:


There are 63 CertCities.com user Comments for “Security+: Get with the Basics”
The current user rating is: two stars - somewhat challeging 1/2
Page 1 of 7
12/13/02: Anonymous says:
three stars - difficult, but manageable
More difficult than the CIW security professional exam.
12/19/02: Anonymous says:
one star - cakewalk
Less difficult that the ISC2 CISSP exam. Although that exam is also a cakewalk.
1/27/03: Anonymous says:
three stars - difficult, but manageable
Thanks for the review. It's pretty easy if you know your stuff.
2/25/03: Anonymous says:
five stars - true gurus only
very difficult
4/8/03: Anonymous says:
three stars - difficult, but manageable
Don't rely on the Sybex book for a good test prep.
5/21/03: Jerry from New Jersey says:
four stars - very difficult
Take your money to the track. The horse running in the third race is a better bet. I used the TestTakers Book, Exam Cramm and Transcenders. About 7 out of 10 questions were easy and found in the books. (Transcenders was not much help with this one.) You need 764 out of 900 to pass. If all questions are equally weighed, that would be just under 85% correct. If you get a few poorly worded questions, a CompTia special, and get hit with a few concepts that did not stick, it's really easy to miss the mark. Unless you really need this certification, I would consider putting my money and efforts elsewhere.
6/5/03: Anonymous says:
four stars - very difficult
I passed the CISSP no problem but have failed this exam after doing practice exams, reading books and working with security on a daily basis! Poorly worded questions and some security concepts that are a poor evaluation of knoweledge.
6/6/03: Blaizze from Chicago says:
four stars - very difficult
This exam requires a lot of soul searching. I sat for it twice already, and still no dice. You most definately need to bring your "A" game for this one. I would'nt say the questions are poorly worded all that much, because I managed to get within 5% of nailing it. I guess its not too bad considering I have no IT experience. Its going to depend on how bad you want it. Good Luck!
6/9/03: Kristofor from Denver says:
four stars - very difficult
Very good Exam from CompTia. I was really surprised how difficult it was. Dont rely on Sybex or Mike Myers book. I used CISSP book to study for this one!!
6/13/03: unknown from unknown says:
one star - cakewalk
worst exam ever...what a rip
First Page   Next Page   Last Page

Exam Difficulty Rating Key
five stars - true gurus only true gurus only
four stars - very difficult very difficult
three stars - difficult, but manageable difficult, but manageable
two stars - somewhat challeging somewhat challeging
one star - cakewalk cakewalk
Your comment about: “Security+: Get with the Basics”
Name: (optional)
Location: (optional)
E-mail Address: (optional)
Comment:
   

-- advertisement (story continued below) --

top