CompTIA, the creator of several popular entry-level certifications, offers the Security+ exam. Security+ is a vendor-neutral
certification that covers the foundations of information security. The exam is
offered at Prometric and VUE test centers worldwide. We recently took the exam and have much to say, but before we get into the
"nitty-gritty" of the exam, we want to give you some of the history behind it, and our
observations on the cert itself. Due to NDAs (non-disclosure agreements), we can't
disclose many specifics, but we can give you lots of useful information on how to
prepare if you decide to take it.
CompTIA + Security = Excellent Idea
CompTIA decided to create a sorely needed exam that would focus
attention on IT security-related topics, and how to work in an environment that deals
with security issues. Thus, the Security+ exam was born. While some people may
think that CompTIA was just jumping on the security bandwagon, we
disagree. Here's why:
1) It's a good and fair test.
2) Microsoft, Novell, etc. need a security exam in their tracks.
3) CompTIA has a well-earned reputation for creating fair entry-level exams.
What we loved about the Security+ exam is that, unlike other exams we've
taken, it mapped directly to the posted objectives. It's also a nice stepping-stone to
the TICSA or CISSP certifications.
In general, the Security+ exam is a great idea, and after taking the exam,
we feel it delivers exactly what it was supposed to: an exam that tests general
security knowledge accurately.
Here's the target audience for the Security+
exam, according to CompTIA:
"The CompTIA Security+ certification exam is targeted at professionals with at
least 2 years of networking experience and a thorough knowledge of TCP/IP. The test
covers a wide breadth of knowledge that is not related to any specific vendor. It is
recommended that the Security+ test candidate have the knowledge and skills
equivalent of those tested for in the CompTIA A+ and Network+ certification exams."
Hey, that's not too bad, right? We've been preparing for the CISSP now for about a
month, and all of the study in that area was good preparation for the Security+
exam. Anyone in the same mode right now would not have a very
difficult time with this exam.
Take notice, though: if you know nothing about security, this test will floor you. It is
important to understand that this IS a security test and should not be taken lightly
by anyone not working or studying in the Information Security field. Our comments above about the fairness of the exam are based on exactly what CompTIA says:
"is targeted at professionals with at least 2 years of networking experience and a
thorough knowledge of TCP/IP".
The Exam! Can you hack it? (No Pun Intended)
Yes, you can... let's go over some of the more granular details of the exam.
The CompTIA Security+ exam consists of 100 questions, and 90 minutes are
given to complete the exam. This was more than enough time to complete the exam.
Here is a breakdown of what is being tested. The Security+ exam contains five
domain areas:
Let's look at each of these exam domains in depth...
Knowing General Security Concepts means knowing about most aspects of access
control, authentication, malicious software, and general exploits and attacks. When
CompTIA says that you should have at least 2 years of experience with TCP/IP, they
aren't kidding. Most protocol-based exploits are possible due to the inherent
weakness of the TCP/IP (IPv4, or version 4) protocol suite, and this is heavily tested
on the exam. Do you know what a Smurf attack exploits? If you said ICMP, that's not
enough. You need to know your details! You must know about 10-15 different types
of attacks, and you need to know how to differentiate between them all. Attacks
include Sniffing, Man in the Middle, Social Engineering, and Password Cracking. I
even saw attacks listed that didn't make it on the test objectives list. Know them all,
and know them well.
Also, you had better brush up on the differences between your access controls: DAC,
MAC, and RBAC. MAC (Mandatory Access Control) deems that all users and resources
need to be classified by security labels, and is mostly used for defense-based or
other government-based systems. Don't know what I am talking about? You may
want to wait for the study guides, because you will be tested heavily on access
control topics....