Security+ pass


deddard
03-10-2005, 11:44 AM
Just passed the CompTIA Security+ certification. Score was 812. What that works out to in % terms I don't know - they have an oddball way of working things out.
This was my second attempt - only about half a dozen questions in there which were written by someone smoking the funny stuff. The first attempt had around 60% of questions written by crack-heads (you just cannot figure out what on earth they are asking).

Well that's done, I can concentrate on the final Semester of the Cisco Academy CCNA and my MCSA.

I'm just off to sit in the corner for a nervous breakdown :D

Jiggy
03-10-2005, 11:49 AM
Good job lad, it does make you think who writes some of the questions.

PrntRhd
03-10-2005, 11:58 PM
Deddard,
Congratulations on passing, what study aids did you use for the material?
(I may be down the same road shortly)
:)

deddard
03-11-2005, 03:33 AM
PrntRhd - I'll write a 'review' of the exam over the next couple of days - there's lots of points that people taking this exam need to know about.
Some of the study aids I used include
Syngress Shinder Books: Security+ study guide & DVD training system (ISBN 1-931836-72-8) - don't be fooled by the DVD training system though - it's next to useless, however the book is good.
Other stuff has included the certiguide site - there's some good info there, and searching through some of the technical pages from the IETF, MIT etc.

Got to go do my MCSA right now, but I'll get back to you on this.

Steve
03-11-2005, 08:08 AM
Congratulations deddard! I'll be interested in your review. It's an interesting cert.

:)

deddard
03-13-2005, 05:29 AM
OK, time for a review.
For those who don't know, the CompTIA Security+ certification is considered an entry-level certification for computer security.
For those of you who are thinking 'entry level - that sounds easy enough' you will be in for a shock.
Although it is considered entry level, it is not for computer beginners. If you don't know your DES from your AES, forget it for now - go study some more!

The Security+ was set up to introduce security certification in a vendor-neutral way, and CompTIA have actually managed this; this exam does not appear to be tied to Micro$oft or any other vendor - I don't think I had a single question on M$ specific stuff (although they can be in there!) The certification is CompTIA's newest, and so has some of the problems of earlier certs - oddball questions in particular.

The exam is 100 questions long. You need to get 90% to pass. CompTIA have a weird way of marking - the scores are between 100 and 900, with a 768 needed for a pass. Although it seems that a simple 90 questions will get through, you may get away with less, as there seems to be some weighting to the answers (although I don't know how!) You only get 90 minutes to do the exam, and each question is a multi-choice, SINGLE answer. There are no multiple answers to give.

What's in there:

You will need to study a wide range of security concepts. Although billed as 'general security concepts' you had better understand the nitty-gritty of some of the most widely used security.

SSL: HTTPS (that bit you get when you connect to a secure site) is a good place for me to start. None of the books I've checked out goes into any detail, but I had a question that asked which part of an SSL communication allowed certain information to be exchanged - you'll want to study SSL so you understand things down to handshaking, change_cipher_spec level.

That's just an example of encryption/authentication and how you need to understand it. The same applies to most of the others out there including Kerberos and especially CERTIFICATES. If you don't understand the complexities of digital certificates and how and why they are used, don't bother sitting the exam - X509 certificates are tied into many forms of authentication, and CompTIA will test you more than once regarding these.

You will need to know the port numbers AND the protocol (TCP/UDP) that different protocols and services use - everything from echo through SSH, DNS, Kerberos, IPSEC, Instant Messaging, LDAP and PPTP - in short, if it's a commonly used protocol or security method, study it!

Make sure that you understand disaster recovery and business continuity. The different parts of each one are important, everything from backup types, tape rotation to security cameras, hot and cold sites, SLA (service level agreements) to computer forensic techniques (don't unplug the PC, maintain chain of evidence etc) and moats/fences.

The business continuity/disaster recovery is one part where no matter what you do, you could trip up. This is purely because some of the terminology that CompTIA will throw at you will not be familiar. I had several questions in the first attempt where I have STILL not been able to figure out what they were talking about!


Understand the different types of attacks and exploits - smurfing, fraggles, land attacks etc - there will be questions in there such as 'which attack initiates a connection but does not send the final ack' or similar - and that would be an easy one!
DDOS, FTP bouncing, spoofing and how to prevent them are covered, along with many other exploits. You should know the functions and reasons behind VLANs and Routers. If you understand servers, especially web servers (permissions etc) then you will have a bit of knowledge which is needed - there will be questions on how to lock down permissions on web or ftp servers.

Check your knowledge of non-electronic and electronic exploits including social engineering, man-in-the-middle attacks, TCP hijacking, replay attacks, and how to prevent them.

Back to encryption - make sure that you understand the different types, their key lengths and strengths and weaknesses. If you don't know whether DES is symmetrical or asymmetrical, it's time to go find out! Know why symmetrical and asymmetrical keys are used, the functions and reasons for key escrow, and how keys can be exploited.

Access control is one of the biggest topics covered - Mandatory, Role-based etc all get covered - you will need to understand them rather than just pay lip service to them.

In short the exam covers a huge area. This is not something to just cram for, because you will fail unless you get the luckiest questions on earth.
Speaking of which...

This is a typical CompTIA exam. 100 questions is fine, as long as they are fair questions. However, you could end up with 100 questions from hell - that's the luck of the draw. During my first attempt, there were 2 other people taking the exam at the same time.
One got all 'easy' (read understandable, mainstream) questions. One got a middle of the road set (general to hard questions, some obscure) and I got the questions from hell.

I simply couldn't understand what many of the questions were asking - they were too vague or open to interpretation, such as 'what protocol provides encryption in.....' with the answers including IPSec and ESP. Anyone who knows IPSec understands that IPSec can indeed be used in encryption, but IPSec relies on ESP for its payload encryption - so how do we answer this sort of question?

The second attempt was better. I had some tough questions in there (some I didn't know) but they were at least a test of my knowledge, instead of a test of the question writer's ability to stay awake and create meaningful questions after a few scotches.

I'll dig out some of my sources and post them back later - this is something you really need to start googling on for the finer details - go everywhere from the IETF and MIT to manufacturers' sites.

Good luck folks!

deddard
03-13-2005, 09:30 AM
A couple of points I missed in the previous post:
Make sure you understand wireless security. This includes the protocols and cyphers used in 802.11b (there may be some on G, but it wasn't a ratified standard in 2002) plus the wireless functions of your cell-phone. It's one of those things where you think 'what on earth has that got to do with computer security?' but as it can be integrated into standard wireless networks (especially when using WAP) it does become important. Know the tech details and the exploits and weaknesses.

jlreich
03-13-2005, 09:57 AM
Wow Deddard. Seems like it is indeed a tough exam. But when it comes to security, I guess it should be tough. I won't be taking it any time soon, but it is in the future. Thanks for the heads up. ;)