In May, CompTIA is scheduled to release the newest version of the SY0-401 certification exam, more commonly known as Security+. This entry-level certification is aimed at the administrator who has two years’ experience in the field and is currently held by more than 250,000 worldwide. Additionally, it is approved by the U.S. Department of Defense (DoD) as one of the required certification options in the 8570.01-M directive for Information Assurance Technical Level II and Management Level I jobs.
To help you prepare for it, there will be the usual plethora of study guides, training manuals, test engines, and video-based products published or released to the market. There are two low-cost ways, though, that you can prepare for the exam without needing to rely so heavily on these third-party products. You can approach them as complements to your usual preparation regimen and in this article we’ll take a look at both approaches.
Method One: Get Hands-On Experience
One of the best ways to train for any exam is to get hands-on experience. With Security+, this is possible by downloading a total of 12 programs that you can use for hands-on training. Doing so will help you understand the topics at a level much higher than just memorizing them for a multiple-choice exam. The programs in the following alphabetic list, all recommended by CompTIA, can be used on various platforms and will not only help you prep for the upcoming exam, but also allow you to build a pretty impressive toolkit:
1. Back Orifice: This remote administration tool can be used by administrators or attackers to take control of Windows-based systems. It is sometimes installed using a Trojan horse program and it will allow a remote user to take full control of systems on which it is installed.
2. BackTrack: Originally released under this name, it became known as Kali in 2013. This Linux distribution is based on Ubuntu and bundles a collection of over 300 software tools for penetration testing and auditing.
3. Cain & Abel: A password recovery tool, it can utilize rainbow tables, perform dictionary or brute force attacks and employ packet sniffing. In the latter capacity, VoIP can be easily sniffed with this or similar tools.
4. John the Ripper: Similar to Cain & Abel, this is a password recovery tool that originally was created for use on Unix systems, but has far outgrown that limitation.
5. Metasploit: Used in penetration testing, this tool looks for “exploit code” that can be used against a remote machine and includes fuzzing tools. The development framework that shares the same name is becoming the de facto standard.
6. Nmap: The best-known network mapper, this can run on all operating systems. One of the most popular attacks that utilizes Nmap is the Xmas attack (also more appropriately known as the Xmas scan). This is an advanced scan that tries to get around firewall detection and look for open ports. It accomplishes this by setting three TCP flags (FIN, PSH, and URG) in a single probe: a closed port answers with RST, while an open or filtered port sends nothing back. You can find all you ever wanted to know about it in the reference guide at the nmap.org site.
7. OpenVAS: While Retina and Nessus are two of the better known vulnerability scanners, OpenVAS (which was originally based on Nessus) – or Open Vulnerability Assessment System – is also widely used. Like Metasploit, it is a framework of services and tools for vulnerability scanning.
8. pfSense: An open source firewall, this is based on the FreeBSD OS and includes a simple interface that makes configuration a breeze.
9. Security Onion: A distribution of Linux based on Ubuntu, this one focuses on intrusion detection and network security monitoring. Tools packaged with it include Snort, one of the most popular real-time tools for analyzing network traffic.
10. TCPdump: A command-line protocol analyzer, this can be used to examine packets as they pass through. Technically a *nix tool (Unix, Linux, etc.), it also has ports that work on Windows.
11. UTM (several options are available): When you combine a firewall with other abilities (intrusion prevention, antivirus, content filtering, etc.), what used to be called an all-in-one appliance is now known as a UTM. The advantages of combining everything into one include a reduced learning curve (you only have one product to learn), a single vendor to deal with, and – typically – reduced complexity. The disadvantages of combining everything into one include a potential single point of failure, and dependence on that one vendor.
12. Wireshark: When it comes to sniffers, Wireshark is available for most platforms and is a market leader. By using a sniffer, an internal attacker can capture all the information transported by the network. Many advanced sniffers can reassemble packets and create entire messages, including user IDs and passwords. This vulnerability is particularly acute in environments where network connections are easily accessible to outsiders. For example, an attacker could put a laptop or a portable computer in your wiring closet and attach it to your network.
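As an added example (not part of the original article), the following Python parses raw TCP headers and reports segments carrying the Xmas flag pattern described under Nmap above, the kind of check a network monitor such as Snort or a tcpdump/Wireshark review would apply; the sample packets are constructed inline, and the IP addresses and ports are made up.

```python
"""Classify TCP segments by flag pattern to spot Xmas-scan probes (added example)."""
import struct

# TCP flag bits in the low byte of the offset/flags field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG  # the three flags an Xmas scan sets together


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Build a minimal 20-byte TCP header (no options, zero checksum) for the samples."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words; flags in the low 9 bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_flags(header):
    """Return the 9 flag bits from a raw TCP header (bytes 12-13 hold offset + flags)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return offset_flags & 0x1FF


def is_xmas(flags):
    """True when FIN, PSH and URG are all set and neither SYN nor ACK is present."""
    return (flags & XMAS) == XMAS and not (flags & (SYN | ACK))


def classify(packets):
    """packets: iterable of (src_ip, dst_port, raw_tcp_header). Returns probed ports per source."""
    hits = {}
    for src, dport, hdr in packets:
        if is_xmas(parse_flags(hdr)):
            hits.setdefault(src, []).append(dport)
    return hits


# Constructed sample traffic: one handshake SYN, one data segment, and three Xmas probes
# from a second host walking ports 22, 25 and 80.
SAMPLE = [
    ("10.0.0.5", 80, build_tcp_header(40000, 80, SYN)),
    ("10.0.0.5", 443, build_tcp_header(40001, 443, PSH | ACK)),
    ("10.0.0.9", 22, build_tcp_header(50000, 22, FIN | PSH | URG)),
    ("10.0.0.9", 25, build_tcp_header(50000, 25, FIN | PSH | URG)),
    ("10.0.0.9", 80, build_tcp_header(50000, 80, FIN | PSH | URG)),
]

if __name__ == "__main__":
    for src, ports in classify(SAMPLE).items():
        print(f"Xmas probes from {src} to ports {ports}")
```

A segment with PSH and ACK set is ordinary data traffic, which is why the check also requires SYN and ACK to be clear.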
To round things out, it is highly recommended that you also get experience with proxy server configuration and virtualization/cloud technologies. Be familiar with the SourceForge site, where you can find so many open source solutions, and be comfortable thinking creatively of ways to protect your data.
Method Two: Focus on the Vernacular
Another approach to exam preparation is to speak the language. This approach pales in comparison to getting hands-on and dirty with the technology, but since Security+ is an entry-level, knowledge-based exam, it works. You can find a list of the entire acronym set at the end of the objectives posted by CompTIA, but for this discussion I would like to focus only on the changes that have occurred in the list since the last one (for SY0-301) was published three years ago. Those changes fall into five categories:
1. Removals. Security is like any other industry — a lot of words get added to the language over time, but very few fall away. While 48 new ones were added, only three entries that existed in the older objectives have been removed this time around: BOTS (Network Robots), CMM (Capability Maturity Model), and LANMAN (Local Area Network Manager).
2. Obvious oversights. Some of the 48 new entries are ones that should have appeared in the list a long time ago but just slipped through the cracks. Make sure you know, and understand, all of these as you prepare: BYOD (Bring Your Own Device), CAPTCHA (Completely Automated Public Turing Test To Tell Computers and Humans Apart), DBA (Database Administrator), DHE (Diffie-Hellman Ephemeral), FACL (File System Access Control List), FTPS (Secured File Transfer Protocol), GPS (Global Positioning System), IDS (Intrusion Detection System), MTTF (Mean Time To Failure), P2P (Peer to Peer), RC4 (RSA Variable Key Size Encryption Algorithm), SAN (Storage Area Network), SFTP (Secured File Transfer Protocol), SQL (Structured Query Language), UDP (User Datagram Protocol), URI (Uniform Resource Identifier), WPA2 (WiFi Protected Access 2).
3. Business terms. As with every IT component, over time the focus turns more and more to the business side of it as it becomes necessary to justify expenses and allocate costs accordingly. BAC (Business Availability Center), BIA (Business Impact Analysis), BPA (Business Partners Agreement), CAR (Corrective Action Report), CIO (Chief Information Officer), CTO (Chief Technology Officer), IR (Incident Response), IRP (Incident Response Procedure), ISA (Interconnection Security Agreement), ISSO (Information Systems Security Officer), MOU (Memorandum of Understanding), SIEM (Security Information and Event Management).
4. New technologies. A lot can change in three years. DNAT (Destination Network Address Translation), ECDHE (Elliptic Curve Diffie-Hellman Ephemeral), FDE (Full Disk Encryption), HOTP (HMAC-based One Time Password), LSO (Locally Shared Object), MaaS (Monitoring as a Service), NFC (Near Field Communication), PAC (Proxy Auto Configuration), PBKDF2 (Password Based Key Derivation Function 2), SCADA (System Control and Data Acquisition), SCEP (Simple Certificate Enrollment Protocol), TOTP (Time-based One Time Password), UTM (Unified Threat Management).
5. Miscellaneous. Then there are those that you just scratch your head and wonder why they were added: CSR (Control Status Register), DHE (Data-Handling Electronics), ESN (Electronic Serial Number), GPG (Global Property Guide), JBOD (Just a Bunch of Disks), TGT (Ticket Granting Ticket).
It is important to look at all the acronyms in the objective list and know what each of them means, but those presented here merit special scrutiny for their sudden inclusion in (or — in the case of three of them — exclusion from) what previously existed. Make sure you know not only what the acronym stands for but also the technology associated with it and when it would — or would not — be used.
Summing It Up
The two methods discussed here of preparing for the newest Security+ certification exam from CompTIA can work well in conjunction with other exam study. As with any certification exam, you want to view the content from the standpoint of the vendor and be able to answer questions from the standpoint of how they perceived them when they wrote them. The lists presented here were generated based on items appearing in their preparation guides and, as such, should help you immensely.