CompTIA Security+ Certification Review

Introduction

CompTIA Security+ should be the first security certification a cyber security student should earn, as it establishes the core knowledge required of most cybersecurity roles and provides a springboard to intermediate-level cybersecurity jobs.

It is ideal for candidates who are looking to become cyber security analysts, vulnerability assessor or even penetration testers. Security+ is compliant with ISO 17024 standards and overall has really good reputation in the industry, which is one of the reasons I decided to go for this certification, back in early 2019.

Pros

• It is a vendor-neutral certification
• Relatively inexpensive, at about 350 USD
• Great industry recognition
• This certification is often required, especially for government jobs
• No prerequisites to sign up for the certification
• Great amount of learning material online
• It only requires 50 continuing education units to renew the certification for three years
• It can be renewed by earning a higher-level CompTIA certification

Cons

• The certification is very theoretical and as much as it does a great job at delivering the fundamentals and knowledge required I wouldn’t say it prepares you for an actual cybersecurity-related job.
• This certification by itself isn’t enough to get your foot in the door and land a job in cybersecurity, it needs to be combined with practical experience and/or other certifications/degrees.
• Even though the exam contains performance-based questions, it fails to give you an accurate representation of what a real-life cybersecurity job is like.
• Because the certification is very broad, it doesn’t go into great detail when it comes to things like vulnerabilities, attacks, tools etc.
• Although it’s not as massive as something like CEH, at times it does feel like the certification wants you to become an encyclopedia rather than learning the practical applications of certain techniques or processes in real-life scenarios.

Exam Objectives

The certification covers pretty much all of the aspects of cyber security and also touches on specific techniques of tools used, it is quite broad which can be frustrating but also useful as it means it can allow to specialize in a very specific skill set later on, once you have a good understanding of the fundamentals. The course is divided in the following sections:

• Threats, Attacks and Vulnerabilities
• Technologies and Tools
• Architecture and Design
• Identity and Access Management
• Risk Management
• Cryptography and PKI

Threats, Attacks and Vulnerabilities

This section expects you to know all about the various types of threats (viruses, worm, trojan, rootkit, spyware, backdoors etc.) and attacks (phishing, denial of service, injections, buffer overflow, main in the middle, spoofing, evil twin etc.), the threat actors and their characteristics (script kiddies, hacktivists, organized crime, advanced persistent threats, insiders etc.), the fundamental concepts and types of penetration testing and vulnerability assessments (active and passive reconnaissance, pivoting, persistence, privilege escalation, white/gray/black box testing, vulnerability assessments i.e. passive/active, credentialed vs non credentialed etc.), and the types of vulnerabilities along with their impact (race condition, improper input/error handling, misconfiguration, memory corruption, zero day etc).

Technologies and Tools

This section covers the various hardware and software components used to improve a company’s security (firewalls, VPNs, intrusion detection/prevention systems, switches/routers, proxy, SIEM systems etc), software tools to perform security testing (vulnerability scanners, password crackers, honeypots, passive and active information gathering, port scanning etc.), troubleshooting security issues (clear text credentials, reading and reacting to event logs, access violation, data exfiltration, personnel issues, authentication issues etc.), analyzing and interpreting the output of security systems (intrusion prevention/detection systems, antivirus, firewalls, patch management tools etc.), security deploying mobile devices (types of connections, security mobile concepts such as geofencing and geolocation, remote wipe, screen locks, biometrics and passwords/pins, enforcement of functionality such as rooting, side-loading, camera/microphone, OTG and tethering, types of deployment i.e. BYOD, COPE, CYOD, corporate owned etc.), and implementing secure protocols in organizations (SSH, LDAPS, FTPS/SFTP, SNMPv3, SSL/TLS, HTTPS for the secure transfer of data such as files, voice/video, email and web etc.)

Architecture and Design

This part explains the implementation of secure architecture, design and policies, through frameworks, benchmarks, concepts such as defense in-depth, network architecture concepts (types of networks and topologies, isolation, physical security devices and SDN etc.), security system design implementation (hardware/firmware security, operating systems, peripherals etc.), secure staging deployment concepts (sandboxing, types of environments, secure baselines etc.), knowledge of security implications of embedded systems (SCADA/ICA, IoT, HVAC, SoC, Printers, Cameras, special purpose systems etc.), secure development and deployment concepts (life-cycle models, secure DevOps, version control, secure coding techniques, QA and testing etc.), virtualization concepts (hypervisors, VM sprawl/escape avoidance, cloud deployments such as SaaS, PaaS, IaaS, on-premise vs. hosted vs.. cloud, VDI/VDE etc.), resiliency and automation strategies (scripting, templates, master images, non-persistence, elasticity, scalability, redundancy, fault tolerance, high availability etc.) and physical security controls (lighting, signs, fencing, alarms, safes, mantraps, locks, biometrics, cable locks, screen filters, keys etc.).

Identity and Access Management

This talks about the various identify and access management concepts (AAA, multi-factor authentication, federation, single sign-on, transitive trust etc.), identity and access services (LDAP, Kerberos TACACS+, CHAP/PAP/MSCHAP, RADIUS, SAML, OAUTH, NTLM etc.), identity and access management controls (access control models, physical access control, biometric factors, tokens, certificate-based authentication etc.) and the common account management practices (types of accounts i.e. user/shared/guest/service, general security concepts such as least privilege, auditing and review, account maintenance, group-based access control etc., account policy enforcement such as credential management, group policy, password complexity/expiration/recovery/lockout/history/reuse etc.).

Risk Management

This section covers security policies, plans and procedures (types of agreements like BPA, SLA, ISA, MOU/MOA, personnel management procedures such as mandatory vacations, job rotation, separation of duties, role-based awareness training and general security policies), business impact analysis concepts (RTO/RPO, MTBF, MTTR, mission-essential functions, single point of failure, types of impact etc.), risk management processes and concepts ( threat assessment such as environmental vs manmade, risk assessment processes such SLE, ALE, ARO, risk register, impact, testing, risk response technique, change management etc.), Incident response procedures (elements of an incident response plan such as documentation, roles and reporting, incident response process i.e. preparation, identification, containment, eradication, recovery and lessons learned), basic concepts of forensics (order of volatility, chain of custody, legal hold, data acquisition, preservation, recovery etc.), disaster recovery and business continuity procedure (types of recovery sites i.e. hot/war/cold, order of restoration, types of backup i.e. differential/incremental, shapshots and full, geographic considerations and continuity of operation such as tabletops, failover, alternate processing sites and business practices), types of controls (deterrent, preventive, detective, corrective, compensating, technical, administrative, physical) and security and privacy practices (data destruction and media sanitization through burning, shredding, pulping, pulverizing, degaussing, wiping etc.., data sensitivity labeling and handling i.e. condifential, private, public, proprietary, PII etc., data roles i.e. such as owner, custodian, privacy officer, data retention, legal and compliance).

Cryptography and PKI

This section includes the basic concepts of cryptography (encryption algorithms, hashing, salt, key exchange, stenography, obfuscation, key strength, data transfer types, key stretching etc.), cryptography algorithms and their properties (symmetric i.e. AES, DES, 3DES, RC4 etc., asymmetric i.e.. RSA, DSA, Diffie-Hellman, PGP/GPG etc., hashing algorithms such as MD5, SHA, HMAC etc., types of obfuscation like XOR and ROT 13 etc.), wireless security settings (the various protocols such as WPA, WPA2, CCMP, TKIP etc., authentication protocols like EAP, PEAP, EAP-FAST, IEEE 802.1x etc. and methods of authentication like PSK, enterprise, open and captive portals) and public key infrastructure (implementation components like CA, intermediate CA, CRL, OCSP, certificate, public/private key etc., concepts like online vs offline, stapling/pinning, trust model, keuy escrow etc., types of certificate such as wildcard, SAN, code signing, self-signed etc. and certificate formats i.e. DER, PEM, PFX, CER etc.).

Exam Preparation

I started preparing for the exam around November 2018 and passed the exam on the first attempt in January 2019.
In terms of learning material, I used the TOTAL: CompTIA Security+ Certification (SY0-501) course on Udemy, which includes 19 hours of video lessons.

I then bought a few Android apps and Udemy quizzes to do some more practice for the exam:

• TOTAL: CompTIA Security+ Cert. (SY0-501) Practice Tests
• CompTIA Security+ SY0-501 Prep
• Security+ Premium (CompTIA Security+ Pocket Prep)

The Exam

The certification exam lasts about 90 minutes and it is made of 90 multiple choice questions and performance-based questions (which may require you to run certain commands or perform certain actions), the passing score is about 83% which makes it one of the toughest CompTIA certifications in terms of passing score.

I managed to pass the exam on my first attempt with about 50 points above the passing score, which at the time I thought was good enough, as I attempted the exam as soon as I felt ready, rather than trying to get full marks.

Conclusion

I really loved preparing for this certification and I believe it delivers some very solid knowledge that every cybersecurity professional should have. I would definitely recommend it to anyone looking to start a career in cyber security, and potentially in specific areas of it since the certification is very broad, although don’t do the mistake to think this will be enough to get the foot in the door as you will also require some practical knowledge to be successful in the field.