
October 26, 2016

CompTIA Security+ certification review


Overview

   I will start my certification story with Security+. At the beginning of 2015 my wife and I decided to relocate from Russia to somewhere in Europe, because technical security jobs in my city are in low demand, with pretty shit salaries by the way. So one of the first steps for us was to convert my knowledge into something more recognizable all around the world. I read some reviews of different certifications and decided to start with CompTIA Security+. I knew that this certification is an entry-level one for security, so it didn't take much time to prepare. Another important reason was that English is not my native language, so I wanted to get a feel for enterprise security terms and approaches.
   I have quite weird thoughts about the certification process itself. It is not rare that a certification is used not for proving skills, but just to move up the career ladder regardless of what you know and your abilities. That is why I am a big fan of the Offensive Security guys, their approach and frustration. Obviously for Security+ you can easily google dumps, but if you don't understand the actual material you will struggle a lot in the future. By the way, the price of around $300 is quite challenging in Russia, so I decided to pass the exam myself, as I did before in school and at university. I was always bad at the "copy-paste" way.
   I examined the CompTIA site and found more details about the topics:
  • Network Security - 21%
  • Compliance and Operational Security - 18%
  • Threats and Vulnerabilities - 21%
  • Application, Data and Host Security - 16%
  • Access Control and Identity Management - 13%
  • Cryptography - 11%
All questions are divided into these categories. 90 questions, 90 minutes to complete the exam. 900 points maximum, 750 to pass. Let's prepare.

Preparation

There were 2 books for Security+ preparation:

Both books were excellent preparation guides. Let's dig in a bit. The topics were quite similar, so I will speak about both books together.
  1. Network Security. Here you will find the whole variety of topics: firewalls, IPS/IDS, VLANs, DMZ, NAT, protocols from different layers of the TCP/IP stack, etc. In the exam most of the questions in this domain are about port numbers and their associated protocols, effective measures to lock down security at the network level, and wireless security.
  2. Compliance and Operational Security. This part is quite boring and annoying, but I can't help mentioning that these topics will be very helpful when you decide to ask for a security budget increase or to buy a new fancy useless security toy=) Disaster recovery, backup plans, incident response, risk management: understanding all these topics is handy when speaking with the business. It is more interesting to read about physical security and security administration. Remember all the abbreviations, what they mean and how technical matters influence them.
  3. Threats and Vulnerabilities. I think the most interesting topic in both books. You will dive into malware classification, application and general attacks, and social engineering. Most questions in this category are about choosing the best way to mitigate a threat or distinguishing one threat from another.
  4. Access Control and Identity Management. Here you will deal with authentication/authorization (802.1X, port security, RADIUS, etc.), host-based security software, and ways to improve security on endpoints. Most questions are about how to implement these features to address a specific threat in the most effective way.
  5. Cryptography. Key concepts of symmetric and public-key cryptography, hashing, the most common protocols, their limitations and recommended parameters. Network protocols that use cryptography heavily are also described: IPsec, TLS, HTTPS, etc.

Exam

   My review would not be complete without my impression of the exam. Actually it was not too bad. CompTIA gives you various situations and asks for the best solution in each. 2 out of 4 answers were quite stupid, but to choose the right one you will probably need to think a bit. It was all about choosing the best variant. You need to keep 2 parameters from the situation in your head to make the right choice. There are also performance-based questions, which were far away from practice. In one question you will probably find parts from different domains. For question examples, have a look at the samples in the books above.
   I spent 2 weeks preparing for this exam. I took it at a Pearson VUE center. I used about 60 minutes to achieve 880/900; probably I missed 1 or 2 questions. My first step towards relocation was made.

Conclusion

This exam can prove your entry-level understanding of security. It is not a hard technical exam; it is more situation based. Obviously, a good university would provide all the necessary background to pass this exam quickly. If you are looking for a Level 1 position or your first infosec job, it is a good choice. With my current level of experience and knowledge I would not bother to recertify after expiration.

January 5, 2015

Review on Usable Security Course by Maryland University on coursera.org

   During one of the autumn evenings I found an email from Coursera about a Specialization program. I found the Cybersecurity specialization interesting. If I'm not mistaken, Maryland University has one of the biggest Security Operation Centers in the US. The specialization contains 4 courses: Usable Security, Software Security, Cryptography, Hardware Security. All courses have their own start dates, so you can enter a course. If you want a verified certificate or you'd like to finish the Cybersecurity specialization, you should follow the Signature Track and pay $49 for each course.
   Signature Track is a way for them to confirm your identity. You type some text so they can verify you. They also take your photo and ask you to send your government ID with a photo. The scheme works like this: you complete a quiz and then they take your typing sample and photo. Of course, this is not a way to clearly identify you; there are a lot of ways to overcome it. But for me, the main reason is to get knowledge, not to achieve certificates.
   Let's come back to the courses. I started with Usable Security. When I first read the syllabus, I thought: "Oh, piece of cake... What is the reason to give such kind of material?" I had worked in the field of security for almost 4 years, not so much, but enough to understand some key principles. You assess risks, find suitable security measures, implement them and also include them in your information security policy. Of course, your users are a part of this process, but you educate them and control what they are doing. But this course gave me something to think about...
   The course included 5 key themes: design principles, measuring and evaluating usability, authentication, web browsing and privacy. The material was not technical, so you will not find descriptions of secure authentication schemes, etc. During week 1 human-computer interaction and ways of measuring usability were described in detail. Week 2 was about design and how to perform it. Week 3 gave key concepts for evaluating system design (controlled experiments, A/B testing, etc.). Week 4 provided me with solid guidelines for usable security. Week 5 covered the usable authentication theme. I was surprised when the professor started to check browser HTTPS certificate validation with a professor of biology, who was not familiar with computer security at all. He was a little bit shocked when he saw the warning. Then she started to show him how to accept the risk and get access to the site... For him it was rocket science... As for me, he is a smart person, but he is not living in the field of computer security, so all these things and tricks are not convenient for him.
Week 6 was about usable privacy. The professor gave a good list of ways to make terms and agreements clear to users. Then came the final exam and the course was finished.
I got a certificate with a verification link on it.
   For me this course was very useful. Now I try to think and act like a user whenever I ask users to do something, because the only way to develop a secure system by design is to make it convenient and clear for users and administrators.