MODULE 1

Meet the Security+ Exam


So you’ve decided to take the Security+ exam! If your career is headed toward information security, you’ve taken the best first step by reading this book and preparing for this exam. The CompTIA Security+ exam is widely recognized and accepted as an important first step in demonstrating and validating your information security knowledge. Passing this exam can help you further your career, get work in the information security field, and increase your professional knowledge and value.

In this first module, we’ll look at several topics that are relevant to preparing for the exam. First, we’ll discuss why certifications are a necessary part of our profession. Then we’ll look at the various certifications offered for information security professionals, so you can get a preview of where your career path might lead from here. We’ll look a little bit deeper at CompTIA and the Security+ exam in particular and discuss how the exam is laid out, what requirements you should meet before sitting the exam, and what topics you should study for the exam. We’ll also cover some of the best study techniques that can help you prepare for the exam.



You’ll often hear people refer to the information security field as computer or network security, information assurance, or the latest term, cybersecurity. This is because our field evolves constantly, as new technologies, new threats, and new ways of doing business develop. For now, consider these terms interchangeable, but understand that each has its own particular nuances that you will probably encounter later on in your career.

Why Do We Need Certification Exams?

The information security field, like most other technical fields, requires that professionals acquire several skills to succeed. For the most part, these skills include knowledge, practical expertise, and experience. Experience could be measured in years, of course, but that doesn’t adequately define the particular areas of expertise you may have or the different areas that you have worked in during your professional life. Knowledge is important as the foundation you use to develop skills and abilities to help you perform particular tasks. And of course, practical skills mean that you can actually perform and complete tasks, with consistency and accuracy.

So, how do we measure an individual’s abilities, experience, knowledge, and skills? In our professional field, information security, these attributes can be measured in several ways, including through the use of certification exams. Certification exams are used in other technical fields as well, such as the automotive industry, the electrical industry, and even in nontechnical fields.

Certifications offer several benefits: They can help to verify and validate that you have a requisite level of knowledge and skills in particular areas. Some certifications, which require prerequisite years of experience, can also help verify experience levels if you achieve them. Once you achieve a certification in your field, you are recognized as having a specific level of prerequisites that meet industrywide standards. In the next few sections, we’ll discuss these particular aspects of certification.

Demonstrating and Validating Skills and Knowledge

If a person walks into your business and states that she wants a job as a network administrator, what is one of the first things you’ll probably want to see from her? A resume, of course! The resume lists the individual’s experience, education, background, and any professional credentials she may possess. But even though a resume may indicate that she is exactly what you’re looking for in an employee, remember that it only represents what she is telling you about herself. Unfortunately, people can overestimate their skills or even include false information on resumes. So how do we independently verify that people have the level of knowledge, skills, ability, and experience they say they do, and that these qualities meet the standards we are looking for in employees?

That’s where certifications can come in. Certifications are basically independent assessments of an individual’s professional qualities, such as knowledge, skills, and experience. These assessments provide an objective means of measuring these qualities against an industry accepted standard. Speaking of these qualities, let’s examine each one of them in a bit more detail.

Experience

You’ve probably heard that there is no substitute for experience, and that’s certainly true. Experience in performing tasks and functions relevant to information security is critical to being able to perform more complex tasks. Many security professionals come from different backgrounds: some begin as help desk technicians, network administrators, or server administrators, while others are database developers and web application programmers. Regardless of a person’s background, there are aspects of information security that depend upon experience in each and every one of these disciplines. Many people have experience in several of these different areas, while some people have many years of experience in only one or two areas.

Traditional thought in the information security field was that a person needed to have a good breadth and depth of experience in one or several of these areas before becoming a security professional. There’s definitely some value to this line of reasoning, since many of the things we do in information security are built upon the knowledge that we gain from these different areas. However, more frequently, we’re seeing that people entering the security field come from nontechnical or even non-IT backgrounds and have very minimal experience in some of these different information technology areas. Although a person could begin working in some areas of information security without having an extensive background in IT, he may be more successful if he comes from another IT area and works his way into security. The Security+ exam relies heavily on a person’s knowledge and experience from many of these areas as well; you’ll see questions related to networking, application vulnerabilities, physical security, and basic conceptual knowledge from a variety of areas.

Skills

Skills relate to a person’s abilities in working with different technologies. A security professional needs to be skilled in working with both software and hardware, to include configuring and troubleshooting hosts and applications, managing network devices, and supporting customers. All security professionals should have basic skills, such as working with security software and security devices such as firewalls, for example. Although the Security+ exam does not go in-depth to measure skills using any particular vendor’s products or applications, it does address general skills and knowledge that a security professional must have.

Concepts and Knowledge

More than anything, the Security+ exam tests a candidate’s basic knowledge on a variety of concepts and topics related to security. Of course, it includes some security theory, but it also tests on concepts and knowledge that you may not initially believe are necessary to becoming a security professional. For example, the exam includes a great deal of network-related questions, because securing networks is a huge part of what we security professionals do. It also requires that you know about application vulnerabilities, such as buffer overflows, for example. You’ll also need basic knowledge about areas such as physical security, business continuity, and disaster recovery. These aren’t necessarily what a novice might think of as information technology areas, but they are areas critical to your success as an information security professional.

The World of IT Security Certification

You might hear some people, sometimes even seasoned veterans in the security field, say that there is little value in certification. Some of these folks even say that experience is probably the most important thing you can have, and there’s some truth to this. However, formal certification programs serve a valuable purpose: they can help to validate experience, skills, and knowledge. These qualities need to be validated so that an employer or peer can be assured that a person possesses the minimum qualities needed to perform the security function, task, or job. Additionally, certification can help bring a person in line with a more standardized set of requirements for knowledge and skills. If a person is weak in networking knowledge, for example, studying for the Security+ exam can help her increase her conceptual knowledge of networking. Certifications can help ensure that people pursuing a particular path in information security are all on a level playing field in terms of knowledge and skills. So certification isn’t intended as a replacement for experience, but it helps to validate that experience, along with skills and knowledge.

Information security professionals often acquire several different certifications. Many of the certifications are intended for people at various stages of their professional careers. Some, like the Security+ certification, are intended to test people just entering the cybersecurity career field from another aspect of information technology, or to test people who have been doing security work for a while. Other certifications are intended for professionals who have many more years of experience in the field, have been exposed to many different aspects of security, and are now ready to lead and manage security programs. Still other certifications are more technical in nature and are intended to validate a particular skill set in a specialized area of security. In the next few sections, we’ll take a look at some of these security certifications. Understand that these are only representative examples of some of the more popular certifications available; there are certainly many more that you should consider during your career.

(ISC)2

The International Information System Security Certification Consortium, Inc., or (ISC)2, is a worldwide provider of security-related training and certifications. It provides many different advanced level courses and certifications for information security professionals who have progressed in their careers and have prerequisite years of experience in particular areas of information security. Their core certification, the Certified Information Systems Security Professional (CISSP), is considered the gold standard for information security professionals wanting to validate years of experience in eight core areas, including network security, business continuity and disaster recovery, information security law, physical security, application security, and others. (ISC)2 also offers certifications in specialized areas, such as information security engineering, computer forensics, and health care information security, and has stringent requirements for professionals attempting and maintaining these certifications.

EC-Council

EC-Council is another world-recognized provider of training and certifications for cybersecurity professionals. Its many certifications range from specialized areas of security, such as ethical hacking and computer forensics, to more advanced certifications covering secure programming and the duties of chief information security officers. EC-Council certifications offer a unique opportunity for cybersecurity professionals to validate highly technical knowledge and skills in high demand areas of information security.

ISACA

Formerly known as the Information Systems Audit and Control Association, this organization is now known simply by its acronym, ISACA. It provides training and certification for cybersecurity professionals engaged in highly specialized areas of the field. Chief among its certifications are those that target information security auditors, managers, and risk management and security control professionals. ISACA also has very stringent requirements for years of experience in particular areas of information security, but the professionals who achieve its certifications are considered among the top in the field.

Other Security Certifications

All the different organizations that offer quality cybersecurity training and certifications are too numerous to list here; we’ve mentioned only a few of the more well-known ones. We also haven’t discussed the certification that is the focus of this book, the CompTIA Security+ certification. We will cover CompTIA and the Security+ certification in great detail in just a moment.

Here’s a word of caution regarding estimating the value of certification: Understand that the value placed upon a particular certification coming from any certifying body is relative and may depend upon the opinions of different professionals in the industry, or how an organization or business views the validity of the certification. It also may depend on how in-depth a particular certification goes into a given area. Ultimately, the industry tends to regulate itself, and the higher quality certifications usually stand out.

Table 1-1 lists some of the more popular certifications that you should consider as you progress throughout your career.


Table 1-1 Popular Cybersecurity Certifications

The CompTIA Security+ Examination

Now we’ll focus on our main area of concern: the CompTIA Security+ exam. We’ll cover different aspects of the exam you’ll need to know about before you even start studying: how the exam is laid out, the number of questions you’ll encounter, and the requirements you’ll need to have under your belt before sitting the exam. First, though, we’ll discuss CompTIA as an organization, what it is all about, and some of the other certifications it offers.

CompTIA as an Organization

The Computing Technology Industry Association (CompTIA) is a professional organization made up of industry partners and individuals within the information technology field. The different aspects of CompTIA’s mission include certification, education, and public policy. As of this writing, CompTIA offers around 18 different vendor-neutral certifications covering a wide range of information technology areas. Examples of some of these areas and certifications include Linux+ (focusing on the Linux operating system), A+ (which focuses on computer technology support fundamentals), Network+ (covering different network technologies), Mobility+ (focusing on mobile device technologies and management), and, of course, Security+.

CompTIA certifications are considered the de facto standard in the industry in some areas, including the Security+ certification. Because they are vendor neutral, almost all of CompTIA’s certifications cover basic knowledge of the fundamental concepts of a particular area. The exams usually validate knowledge that all professionals in a particular area must have; this allows employers and others to be confident that the individual’s knowledge meets a minimum level of standardization across the industry. For more in-depth or advanced studies, most security professionals gravitate toward a vendor-specific certification, such as a Microsoft certification, or one that covers a very specific skill set, such as EC-Council’s CEH exam.

The Exam

Let’s state up front and for the record that CompTIA does not have any particular requirements for individuals who want to take the Security+ exam. In other words, there are no particular prerequisites for certification or definitive requirements for years of experience. However, CompTIA does have several recommendations that are fairly valid, including prerequisite knowledge of particular areas, such as those that might be validated by other CompTIA certifications such as the Network+ certification, for instance. In other words, the level of networking knowledge you are expected to have before you take the Security+ exam is the level that you would have after successfully completing the Network+ certification. Having said that, here are CompTIA’s recommendations:

• Network+ certification

• Two years of experience in network or server administration, with a focus on security

Obviously, you would want to have experience in several areas, such as networking knowledge, basic information security concepts, hardware, software (both operating systems and applications), cryptography, physical security, and so on. We’ll cover the particular exam objectives that you need to be familiar with in the next few sections. However, the Security+ exam is well suited for someone who has a broad base of knowledge in not only one or two particular areas, but in several areas of the information technology field. Keep in mind that because this is a lower-level exam, in-depth knowledge of any one particular area is not required. So even if you don’t have any experience in, say, database or application programming, you can still study and gain the knowledge you need in order to pass the exam.

General Information

Officially known as the SY0-401 exam in its current version, the Security+ exam consists of no more than 90 questions. Previous versions of the exam typically included exactly 100 questions, but as CompTIA has refined its exams, they have become more adaptive in nature. You’ll have 90 minutes to complete the exam. It consists mostly of multiple-choice and performance-based questions. The multiple-choice questions typically offer a question or statement, with four choices (A, B, C, or D) also offered to answer the question or complete the statement. The performance-based questions (also known as scenario questions) present the test-taker with a scenario and some options to choose from to best answer the requirements of the scenario. There also may be performance-based questions that require a test-taker to perform certain actions, such as typing in a command, dragging and dropping, performing a particular task, and so on.

The passing score for the exam is currently listed on CompTIA’s web site as 750 (on a scale of 100 to 900). Make sure that you check the web site frequently for changes, however, because CompTIA tends to update information about the exam, including passing score and objectives, from time to time without notice. Many certification exams provide for these types of scaled scores, and a 750 would be roughly equal to answering 75 questions out of 90 correctly.

The current price for the Security+ exam is $302 (US). You can pay for the exam by purchasing a voucher directly from CompTIA, and then use the voucher number you receive by e-mail when registering on the test center’s site. More about registering for the exam in a moment.

Objectives

The CompTIA Security+ exam is divided into topics by domains and objectives. Domains are the higher level topics, and objectives are lower level divisions. Table 1-2 lists the major domains on the Security+ exam.


Table 1-2 The CompTIA Security+ Exam Domains

We won’t list all of the different sub-objectives for each domain here, since that would be a rather long list. You should download the official exam objectives from the CompTIA web site when you begin your study, and be sure to check it again before you take the exam in case of updates. The official CompTIA web site is the definitive source for updates to the exam objectives and other pertinent exam information.

When looking at the exam domains, note that the number of exam questions listed in Table 1-2 is approximate; in some cases, the numbers in Table 1-2 have been rounded up or down, since there can’t be 13.5 questions on the exam, for instance. Likewise, there’s no exact percentage of exam questions that easily correspond to the domains. For example, although the network security domain is approximately 20 percent of the exam, that doesn’t mean you’ll be able to count the exact number of questions that you could identify as “the” network security domain questions. Because many different things are interrelated in information security, you might find that a question that appears to be in the network security domain may actually fall into another domain. The question may mention some relevant information about network security, but the correct answer to the question may actually relate to other topics, such as web application security, for example. You’ll often find questions that contain a variety of information (both relevant and irrelevant to the correct answer), including network information, cryptography information, and vulnerability information, for instance. That would make it difficult to determine positively whether or not a question was directly from the network security domain or the cryptography domain. Your best bet is to know each of the domains well and be able to read the question thoroughly to understand exactly what the question is asking for and understand what information in the question is relevant to the correct answer.

How to Schedule the Exam

Once you’ve purchased your test voucher, you can create an account and log on to the test center provider’s web site, which in this case is Pearson Vue (www.pearsonvue.com/comptia/). Pearson Vue is the preferred testing partner of CompTIA for the Security+ exam, among others. If you don’t already have a CompTIA account, you’ll be prompted to create one before creating an account on the Pearson Vue site. You then have to select a date and location for the test. Once that’s done, you may need to provide some more information, and then you’ll be prompted to type the voucher number to pay for the exam. Note that this process is subject to change; this is only a general description of the process.

After you have successfully registered for the exam, you’ll get a confirmation from Pearson Vue. Although you may not necessarily need it, it’s often helpful to print the confirmation information and take it with you to the test center when you go to take the test. This would help you resolve any problems you might encounter if the test center is unaware of your appointment, or if there is some other issue with the test schedule. Additionally, you’ll be required to present identification at the test center before you can take the exam. The exam confirmation sheet will provide details of what types of identification are acceptable at the test center.



Remember to take at least two forms of identification with you to the test center; usually at least one will have to be some form of picture ID, such as a driver’s license, passport, or military ID. Also remember to take your exam confirmation sheet as well.

Studying for the CompTIA Security+ Exam

Everyone studies for examinations differently. There is no one true right way to study; it’s really based upon how you as an individual learn best. However, you may be able to incorporate a few studying and general test-taking strategies.

First, capitalize on any areas of experience you may have. If you have a solid background in networking, for example, you may need to bone up on some of the more obscure areas of networking, but you probably won’t have to spend too much time studying that area. Focus particularly on areas about which you have absolutely no knowledge, since you’ll need to answer questions about these areas on the exam.

Second, don’t assume that because you know a great deal about one particular area, that will be enough for you to pass the exam. The objectives for the exam specify percentages of exam questions you might expect to find about a particular topic. Doing well on only a single topic would not be enough for you to pass.

The exam tests fundamental concepts, including basic knowledge, terms, and definitions. It’s worth your time to learn as many relevant definitions and terms from the exam objectives as you can. Often, just knowing the difference between two terms can help you answer the question correctly. Additionally, the exam will expect you to know information that you must first memorize. For example, you are expected to know quite a few network ports and protocols, which we’ll cover a bit later in the book. When it gets right down to it, you have to memorize these. So in addition to studying to understand the different concepts and terms, you’ll also need to memorize different tables of information.

As we progress through the book, we will also give you other tips and tricks that you’ll need to know for the exam, including bits of knowledge on how to approach a particular question area or topic. It goes without saying that you probably need to set aside a definite period of time each day to study. You should also set study goals that include the particular topics you want to focus on for a given study session.

Module 1 Questions and Answers

Questions

1. Which of the following terms is used to describe the information security field? (Choose all that apply.)

A. Data security

B. Information assurance

C. Cybersecurity

D. Risk management

2. Certification can help validate all of the following for an individual entering the cybersecurity profession, except:

A. Knowledge

B. Skills

C. Experience

D. Suitability

3. Organizations that provide advanced certification for cybersecurity professionals include _________ and __________.

A. ISACA

B. (ISC)2

C. AMA

D. HIPAA

4. Which of the following is an advanced certification that focuses on information systems security engineering?

A. CRISC

B. ISSAP

C. ISSEP

D. Security+

5. You are contemplating taking the CompTIA Security+ examination. One of the senior security engineers in your work center states that certifications don’t really mean anything. What would your response be?

A. Experience means more than certifications.

B. Certifications help to independently validate knowledge, skills, and experience against industry standards.

C. Certifications mean more than experience.

D. Certifications can’t validate a person’s knowledge or skills in the real world.

6. Which of the following organizations offers the industry-recognized entry-level Security+ certification?

A. ISACA

B. CompTIA

C. EC-Council

D. (ISC)2

7. Which of the following are CompTIA’s recommended prerequisites a candidate should have before taking the Security+ exam?

A. Network+ certification and two years of experience in IT and security

B. CISSP certification and three years of experience in information security

C. A+ certification

D. Network+ certification and five years of experience in security

8. Which of the following is the current passing score for the Security+ exam?

A. 550

B. 85 percent

C. 80 percent

D. 750

9. The Security+ exam includes no more than __________ questions.

A. 100

B. 750

C. 90

D. 900

10. What is the time limit currently allowed for taking the Security+ exam?

A. 90 minutes

B. 3 hours

C. 6 hours

D. 120 minutes

Answers

1. A, B, C. All three of these terms can be used to describe the general information security career field. While risk management is certainly a part of this career field, the term alone doesn’t indicate whether it has to do with information security or another area.

2. D. Suitability for the cybersecurity profession can’t be measured by a certification exam.

3. A, B. Both ISACA and (ISC)2 provide advanced level certifications for cybersecurity professionals.

4. C. The ISSEP certification, from (ISC)2, focuses on information systems security engineering.

5. B. Certifications help to independently validate knowledge, skills, and experience against industry standards.

6. B. CompTIA offers the industry-recognized entry-level Security+ certification.

7. A. CompTIA recommends (but does not require) that a candidate for the Security+ exam have the Network+ certification and two years of experience in IT and security.

8. D. 750 is the current passing score for the Security+ exam.

9. C. The Security+ exam includes no more than 90 questions.

10. A. Candidates have up to 90 minutes to complete the Security+ exam.
