Studying for the CompTIA Security+ Exam: What and Why

I’ve decided to start studying for the CompTIA Security+ exam, and thought that I’d document some of that studying here.  I find it helpful to connect new concepts either to hands-on examples, or to recent news stories.  Because of the current state of things, and my interest in security, finding real-life stories to illustrate Security+ concepts shouldn’t be too difficult.  ; )

Like I said, this is the format that is useful to me.  I’m documenting it here on my blog because it may be useful to others.

In this post, and any future posts about the Security+ exam, I’m using the CompTIA Security+ All-in-One Exam Guide, Fifth Edition (Exam SY0-501) book.

Why Security, and Why CompTIA?

The first chapter (err, intro section) outlines why security is important, and a growing need for security specialists.  Security is broadly defined as

[…] protecting our data from disclosure, modification, or destruction from unauthorized individuals.

The book then briefly touches on the difficulties in creating secure software. The software industry faces ever-growing codebase sizes, increasingly complex technology, and shorter deadlines. Errors are made even under the best of circumstances, and these added stressors do not help the cause. While it is important to have trained security professionals, the security posture of an organization is the sum of all of its employees.  Thus, all users play a role in the cybersecurity posture of an organization.

Sooo, why CompTIA?  CompTIA is the Computing Technology Industry Association, and it offers a number of certifications (obtained by way of exam).  The Security+ cert covers a variety of topics.  It appears to be, from my perspective, a broad but shallow overview of the cybersecurity field.  My take on it is that it’s a good baseline certification to start with.  Before anyone gets up in arms about the importance of certifications, consider that it does, in some ways, level the playing field.  Certs can be a resume item that gets underrepresented people a foot in the door.  Sometimes, that’s an opportunity that has been denied to them, but offered to others with fewer official credentials.

Organization of the Exam (and This Book)

Anyhow, this book outlines the 6 major areas that will be on the exam, as well as the percentage of questions:

  1. Threats, Attacks and Vulnerabilities (21%)
  2. Technologies and Tools (22%)
  3. Architecture and Design (15%)
  4. Identity and Access Management (16%)
  5. Risk Management (14%)
  6. Cryptography and PKI (12%)

Each of these sections is a collection of chapters in the book.  There are 29 (!!) chapters in total.  I feel like I’m back in college.  : )

Threats, Attacks and Vulnerabilities

This section has 5 chapters.  It covers “indicators of compromise and types of malware; different types of attacks, threat actor types and attributes; penetration testing concepts; vulnerability scanning concepts; and the impact of types of vulnerabilities.”

Technologies and Tools

This part covers how to install and configure network components (hardware and software) in order to support organization security.  It also covers “the appropriate software tools to assess the security posture of an organization” and “troubleshooting common security issues,” how to interpret output from these security tools, secure mobile device deployment and management, and implementing secure protocols.  This section covers 5 chapters, and sounds very sysadmin-ish.

Architecture and Design

A 7-chapter section here.  This is a bit more abstract, and covers frameworks, best practices and secure network architecture.  It also appears to have a hodgepodge of other information, including embedded systems, securely deploying applications, and cloud-related security.  Lastly, it appears to have some suggestions, like “automation strategies to reduce risk” and the “importance of physical security controls.”  This section (having not read it yet) seems more oriented towards programmers and IT.

Identity and Access Management

The book describes this section as covering “identity and risk access management concepts; identity and access services; identity and access management protocols, and common account management practices.”  3 chapters that sound very IT-oriented.

Risk Management

This section covers “the importance of policies, plans and procedures related to organizational security” as well as business impact analysis, risk management processes, incident response, some basic forensics and disaster recovery ideas, and data security and privacy practices.  Since the early chapters discuss mitigations for each of the attack vectors, this section might contain a lot of repetition. However, it might be more focused on the business case for security (which I think we can all agree is pretty evident at this point 🤞).  5 chapters.

Cryptography and PKI

The last 4 chapters are about the basics of cryptography and cryptographic algorithms.  It also covers some more practical components of cryptography, including wifi security settings and implementing public key infrastructure (PKI).

About the Exam

Lastly, the exam is 90 questions in 90 minutes (very Gravity-esque).  There are 900 possible points.  A score of 750 is considered passing.

Visit the CompTIA website to look at pricing and scheduling an exam.