Security Exam Study Strategies
Several study ingredients are key to security certification success, for security credentials at all levels. But because there are so many security certifications to choose from, we won’t describe a detailed plan of attack for some particular security certification exam. Rather, we’ll provide a set of general guidelines and approaches that should help you prepare for just about any security exam.
We’ll also identify a collection of key topics about which any competent security professional should be knowledgeable. Most programs cover these topics at some level of detail or another—the more senior or advanced certifications tend to dig more into the details, while the more junior or less advanced programs tend to concentrate more on concepts, terminology and basics.
- Master the basics of information security: Obtain and read a good general security book; use it to teach yourself the vocabulary, concepts, tools and techniques associated with good information security. Consider this a necessary orientation to the overall subject matter.
- Understand security policy: A security policy captures an organization’s posture toward identifying and protecting key assets, including information, systems, facilities and more. Formulating security policy requires performing risk analyses and assessments. Maintaining proper security means revising and revisiting security policy in light of new threats or attacks, new tools and technologies to foil or avoid them and changes to organizational priorities and investments. In short, it’s a job that’s never done!
- Investigate the ins and outs of risk assessment: Ultimately, security rests on an understanding of what’s at risk and what protecting an organization from such risks is worth. It’s essential to understand how this exercise works, the steps involved in completing it, what kinds of tools exist to support the process and what kinds of documentation should be created to capture the results. Any decent security book will spend some time on this topic.
- Recognize, catalog and analyze threats and appropriate responses: A sense of history and a feel for the flow of events that define security countermeasures is essential to practicing security as a discipline. This means familiarizing yourself with at least the outlines of the catalog of known attacks and threats, recognizing well-known types and classes and understanding what kinds of responses are appropriate, both in the short and long terms. Keeping up with current events in the security field means keeping current on attacks and exploits on an ongoing basis.
- Understand the security regimen: New attacks happen regularly; new vulnerabilities are discovered in the platforms and applications in use in your organization; new security risks, countermeasures, tools and techniques come along all the time. Security is an ongoing process, not a “fix it and forget it” task. Learning about security practices, processes and procedures will reinforce this notion, but understanding the day-to-day work involved will be your single most intense and valuable learning experience in becoming a competent information security professional.
The key security topics about which every well-prepared certification candidate should be informed include the following:
- Cryptography and keys: As we’ve mentioned elsewhere in this study guide, modern information security rests firmly on a foundation of cryptography and related services and benefits. These include the notions of privacy, confidentiality, digital signature, symmetric and asymmetric keys and the public key infrastructure (PKI) and all the types of keys and cryptography algorithms that make these things both possible and important. Any competent security professional, no matter what level, needs to understand the terms and concepts that fall within this broad heading. The more senior the credential, the more the candidate needs to understand its inner workings, as well as related design, implementation, management and troubleshooting issues, practices and procedures.
- Securing communications: Given ubiquitous access to the glorious but dangerous Internet and the ease with which users come and go across organizational boundaries into what virus hunters call “the wild” (public networks in general), an understanding of communications is essential to establish competency as an information security professional. This means mastering the protocols and vulnerabilities involved, as well as key tools and technologies including virtual private networks, tunneling, address and port translation, firewalls, intrusion detection systems, filtering and proxying methods and other communications security tools and techniques on an “as needed” basis.
- Implementing security policy: Ultimately, security policy reflects an organization’s posture, practices, education, investment and dependence on information security. There is no single topic that ties the field together more thoroughly, nor is there any other topic that professionals must understand more completely, than this one. More junior candidates need to understand its contents, requirements and lifecycle. More senior candidates need to know how to design, implement and manage security policy and should understand its significance at the business level (finance, strategy, costs and benefits) as well.
- Understanding physical security: Without physical security, no other kind of security is possible. Creating good physical security involves evaluating and securing one’s premises, managing access to sensitive information, equipment and infrastructure and more. Above all, it involves educating users about the importance of security and the risks and consequences associated with security failures. Make it a hobby horse as you prepare for certification, and you’ll be repaid for your obsession on your exams, and in the workplace!
You’ll find plenty of places to turn for more information and education on the topic of information security in our resource guide, online at www.certmag.com/issues/feb02/sg/securityresources. But please remember that your best overall study strategy when preparing for any security certification exam is to be well-informed on all the relevant topics. Although we give you a great leg up in this article, you should make a thorough review and analysis of the actual exam’s objectives the linchpin of your preparation efforts. Build a laundry list of areas where you need more knowledge, understanding, skills and experience (or any combination of these factors), use it to drive your studies and bone up all you can on topics where you’re not completely comfortable. Do that, and it’s hard to go wrong on any exam. Good luck!
Ed Tittel is president of LANwrights Inc. and is contributing editor for Certification Magazine. Ed can be reached at firstname.lastname@example.org.
James Michael Stewart is a senior writer, project manager and instructor at LANwrights Inc. He can be reached at email@example.com.