I recently saw the Avengers: Infinity War movie, and it reminded me of the most recent iteration of the CompTIA Security+ certification exam. The record-smashing film features almost every character from the Marvel universe, just as every possible security term and keyword now shows up on the laundry list of objectives for this latest version of the Security+ certification exam. In other words, do not expect this exam to present as a single narrative but rather as a broad cast of characters.
This is not necessarily a bad thing, as both the movie and the exam are garnering rave reviews, but it does make preparing for it challenging. Therefore, to assist anyone sitting for the Security+ certification exam, I want to offer advice and pointers taken from our CompTIA Approved Quality Content (CAQC) Security+ course.
#1 Know about ALL current security issues
Almost half of the exam covers security threats, attacks, vulnerabilities, technologies, and tools, and includes recent threats like crypto-malware, stego-malware, ransomware, RATs, APTs, zero-days, and Malware-as-a-Service (MaaS). Do you know how to create a ransomware campaign in Kali Linux? If the answer is no, now is the time to get familiar with the components of exploit kits.
You also need to know, or be able to define, the reasons for the success of social engineering campaigns. CompTIA lists several reasons with no explanation, so you might want to watch our training, which covers authority, intimidation, consensus, scarcity, familiarity, trust, and urgency of the victim.
And be sure to familiarize yourself with the most common web server and wireless attacks.
#2 Practice configurations
CompTIA lists the question types as being either multiple choice or performance-based. The mix of question types may cause some anxiety, as some people worry about facing several elaborate performance tasks on the exam. Relax. All security practitioners should be able to configure basic access control lists and firewall rules, syslog, SSH connections, and SNMP. This is a vendor-neutral exam, so there will not be any complex configurations beyond the fundamentals.
I strongly recommend you know how to configure an IPsec IKEv1 site-to-site VPN with pre-shared keys between two routers. Even if you do not use it in the exam, it is a valuable skill since so many organizations use solutions like Amazon Web Services (AWS).
Also, be aware that the “use of open-source intelligence” exam objective does not refer to using open-source code. Do yourself a favor and search the web for “OSINT” before the exam.
Although cryptography and PKI are only about 12% of the exam, I recommend watching “The Art of the Problem” videos from Brit Cruise on YouTube to help prepare for that bank of questions. AES-GCM-128 (or 256) and elliptic curve are also very popular algorithms and modes, so make sure you have those bases covered.
#3 What’s “New” is always hot
Expect a good percentage of the 90 or so questions to cover more recent technologies. In short, don’t expect a lot of WEP or DES questions.
Here’s a list of some of the “newish” technologies and solutions you need to know for this new version of the CompTIA Security+ exam.
These are in no particular order but should cover you until the next update of the exam in 2021.
- Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
- Crypto service provider and Crypto modules
- Hardware Security Modules (HSM)
- Continuity of operations planning (COOP)
- Forensic strategic intelligence/counterintelligence gathering
- Privacy impact and threshold assessment
- Driver manipulation – shimming and refactoring
- Everything on the “deploy mobile devices securely” objectives list
- Configuration compliance scanners
- These utilities: ping, netstat, tracert, nslookup/dig, arp, ipconfig/ip/ifconfig, tcpdump, nmap, and netcat
- Data Loss Prevention (DLP)
- Internet of Things (IoT) and SCADA
Despite Marvel’s best efforts, most fans knew Infinity War would mean the end of many of our cherished heroes, and so we braced ourselves before taking a seat in the theater. The same goes for the Security+ exam; be prepared for any unpleasant surprises by knowing what to expect before you sit down.