Tips for an Information Security Analyst/Pentester career - Ep. 21: Security+ Certification Walkthrough

I recently achieved a CompTIA Security+ certification and I'd like to provide you with some basic hands-on tips about how I passed it.

I will discuss here only what I'm allowed to talk about, based on the non-disclosure agreement I signed with CompTIA.


1) Check where you're at

I went for Security+ right away, but CompTIA suggests you should go for A+ and Network+ first.

CompTIA recommends at least 2 years' professional experience in IT or, better still, in information security before you attempt Security+.

However, unlike CISSP, that experience is recommended, not required.

My profile may differ from yours, so my choice might not be applicable or feasible for you.

I already had 13 years' experience in Desktop Support and two Associate's Degrees (Cyber Security & Network Security).

If you're new to IT, you might consider A+ or Cisco CCNA first, along with, or instead of, a college education. 

The fact you're a n00b doesn't have to discourage you.

We all were, myself included.


A real hacker always feels like a n00b, because there's always a lot to learn every day, every passing second, I should say.

2) Use more than one study method

You can use YouTube videos, text books, instructor-led training and anything else you like.

I'm old school, so I need to have a systematic guide to refer to.

I used two study guides and I think that's the right way to go.

Using only one textbook might be a mistake. You'd be getting a single author's perspective and, though the concepts are pretty much the same regardless of the book you use, not all authors are equally good communicators.

You might understand the same concepts better by using a different study guide that follows another approach, or is simply written better.

With a single guide, you might also delude yourself into thinking you're better prepared than you really are, only because you know all its review questions by heart.

I went through David Prowse's guide 6 times over three months and I consistently scored 90% or more on every practice exam.

I felt over-confident, as I knew them all.

Sadly, I had started memorizing questions instead of understanding them.

I mean, I knew why the right answer was right and vice versa, but I kinda stopped wondering why that was, in the end.

It had become too boring.

Then I threw in Professor Messer's material over the last two weeks and I took his final practice exam.

I was in for a shocker: 60%.

What was going on?

He follows a different approach and he's more thorough on certain concepts.

Additionally, he closely sticks to the exam objectives, while Prowse expands on that.

I worked my way around the new material until I could score 92% on that exam.

That's when I knew I was ready.

3) Focus on concepts, not on practice questions per se

In the actual certification exam, you're not gonna get the same practice questions you'll find in your study guide(s), or even online.

You might sometimes find one or two of them in the real exam, if you're lucky.

However, even when this occurs, most questions you get are scenario-based.

In other words, they mostly won't ask you for definitions (e.g.: what's an ACL?).

You'll be asked, instead, to choose the best possible ACL (sticking with the same example) to be applied, given a specific scenario.

That's how it works and why memorizing questions is totally useless.

For this very same reason, avoid brain dump sites, unless they explain to you why a certain answer is correct or not.

Don't rely solely on your memory. Carefully read the questions and walk through the provided solutions to see why you should exclude some and select others.

4) Manage your time

You might get less than 90 questions (that was my case).

The first questions are very often simulations. If you're uncomfortable with them, skip them and move on, because they might make you waste precious time trying to figure out how they work.

You can also flag questions for review.

Skip any questions you get stuck on and go back to them later.

After the first simulation-based questions, you'll end up with multiple-choice questions.

Their wording is purposefully involved, lengthy and unclear, so you'd better read them 2-3 times to make sure you got them right.

I first reviewed all questions and I skipped a whole lot of them.

Other questions looked more straightforward to me and I thought I had the right answers for them right away.

However, after going through them a couple of times, I realized I had totally misunderstood their wording and, as a result, my initial answers were incorrect.

In other cases, I had to take an educated guess, because the wording was so unclear or the depicted scenario so ambiguous that I was totally unsure what solution(s) I was supposed to pick.

That's the worst situation you might find yourself in over the exam.

Therefore, don't rush it, even if you think you got it right.

Read the question closely.

A single word in a question can completely change its meaning and, as a result, the correct answer(s) to choose.

For example, an ACL can be configured with an implicit allow or with an implicit deny.

Depending on what specific scenario is depicted in the question, the best solution to be picked can be different.
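The implicit-allow versus implicit-deny detail above is exactly the kind of single word a scenario question hinges on. As an added example (not from the original post), here is a small Python ACL evaluator run over a constructed rule set and constructed packets; it shows that a packet no rule mentions is blocked under implicit deny but passes under implicit allow, which is why the default action is the first thing to check.

```python
# Added example (not from the original post): a minimal ACL evaluator that
# shows how the same rule list yields different results depending on whether
# the implicit (default) action is allow or deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network in CIDR notation
    dport: Optional[int]  # destination port; None matches any port

@dataclass(frozen=True)
class Packet:
    src: str
    dport: int

def evaluate(rules, packet, implicit="deny"):
    """Return 'permit' or 'deny' for packet; first matching rule wins.
    If no rule matches, the implicit (default) action decides."""
    addr = ip_address(packet.src)
    for rule in rules:
        if addr in ip_network(rule.src) and rule.dport in (None, packet.dport):
            return rule.action
    return implicit

# Constructed rule set: block one known-bad subnet explicitly and let the
# internal network reach the HTTPS port. Nothing is said about anything else.
RULES = [
    Rule("deny", "203.0.113.0/24", None),
    Rule("permit", "10.0.0.0/8", 443),
]

# Constructed packets: internal HTTPS, internal SSH, a packet from the blocked
# subnet and a packet from an unrelated host no rule mentions.
PACKETS = [
    Packet("10.1.2.3", 443),
    Packet("10.1.2.3", 22),
    Packet("203.0.113.7", 443),
    Packet("198.51.100.9", 443),
]

def compare(rules=RULES, packets=PACKETS):
    """Map 'src:dport' to (verdict under implicit deny, verdict under implicit allow)."""
    return {f"{p.src}:{p.dport}": (evaluate(rules, p, "deny"), evaluate(rules, p, "allow"))
            for p in packets}
```

Only the explicitly permitted HTTPS flow and the explicitly denied subnet get the same verdict under both defaults; the internal SSH packet and the unrelated host flip from denied to allowed the moment the implicit action changes.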

It's a weird exam. I was confident but, until the end, I had no idea whether I had passed it or not.

The grading scale is deliberately confusing (750 on a scale of 100-900). 750 out of 900 would mean roughly an 83% score, but we don't know how each question is graded, nor whether every question carries equal weight.

My educated guess is that questions might carry different weights based on their difficulty level.

I think the 2-3 reviews performed before submitting made all the difference between failing and passing.

5) Celebrate, but don't expect a life change

I think Security+ is a good certification and will open more opportunities for me, but I don't believe it's gonna change my life.

Don't listen to marketing statements saying guys with this cert gain $ 90,000 per year.

If this happens, it's because they already have a certain skill set and/or experience and simply had to meet HR requirements.

Don't kid yourself.

One positive of Security+ is that it gives you access to government jobs, but the corporate sector pays much better, so I don't think I want to go that way.

I learned a lot, because it gives you a high-level overview of security and technology, but I'm not where I wanna be yet.

Security+ will surely help you get a foot in the door and obtain more interviews.

It's a good cert to work on the defensive end, but I want to be a red teamer.

Like Dave Kennedy told me once, defense is important and it's fun, too.

At this year's hacking conferences, very offense-oriented hackers like him have started getting actively involved in defense, too, because it's the only way to counter the bad guys.

I want to work in defense for a while to become a better hacker, but my ultimate goal is to be on the offensive end.

I'm gonna have a break and then I'll take on OSCP (Offensive Security Certified Professional).

Meet you up there, guys!

Hope this helps some of you.

If you have questions, feel free to contact me, but don't ask me for things I can't disclose.
