If you haven’t gotten it already, you absolutely need to get the Security+, and we are going to show you exactly why. Of course there are other certifications like the CISSP that may be better career-wise, but none give you as quick a stepping stone into the industry as the Security+. You can study for the Security+, take the exam and be ready to apply for information security positions in just a couple of months, and this is why you absolutely need this certification if you don’t already have any of the higher-level certifications.
The Security+ exam is yet another CompTIA exam, like the A+ and Network+ certifications. It is an ideal place for security and I.T. novices to start building a foundation for penetration testing and ethical hacking. Many see it as the first stepping stone towards a career in the security industry, though there are many other security certifications such as the CCNA Security, CEH (Certified Ethical Hacker), and others.
Security+ Fast Facts
- First offered in 2002
- Vendor neutral certification
- Compliant with the ISO 17024 standards
- Approved by the US Department of Defense (DoD) under 8140/8570.01-M directive
- Accredited by American National Standards Institute (ANSI)
The test is an hour and a half long and consists of 90 multiple choice questions. That means you will have approximately 1 minute to spend on each question, and you need a score of 750 (on a scale of 100-900) to pass. CompTIA recommends that certification candidates have at least two years of on-the-job experience “with a security focus.”
But that’s just a recommendation, so don’t let it deter you from pursuing this certification if you don’t have 2 years of experience in a security-centric I.T. role. As we’ll discuss next, I don’t really think this exam is extremely challenging. However, you’ll want to make sure you study your tuckus off, because failure can be an expensive endeavor. Right now it costs $311.00 USD to take the exam. Failing an exam already stings enough without the prospect of wasting $300 on the test, too.
If you want to transition your career into the realm of Internet security and penetration testing, this isn’t a bad place to start. On the other hand, if you already have enough experience and additional certifications, you may want to start with a vendor-centric exam. For instance, if you work for a Cisco partner, you may want to forgo the Security+ exam in favor of the CCNA Security exam, especially if you already have a working knowledge of the concepts contained in the study materials.
Difficulty
Prospective students always want to know just how difficult the Security+ exam is, but first I need to point out a few things. The difficulty of any exam is inherently subjective and can be influenced by a variety of factors. For example, the education level and IQ of the student, experience in the security and penetration testing fields, level of preparedness, and amount of study time (among other factors) all have a heavy bearing on how a student perceives the difficulty of the exam.
Keeping that in mind, I think most people in the I.T. industry would agree that the Security+ exam certainly isn’t one of the harder exams. In fact, I think most people would agree that it lies nearer towards the easier end of the spectrum. For example, one of the biggest and hairiest exams a network engineer can take is any of the expert-level Cisco certifications (CCIE-type exams).
These types of exams have extremely complex and demanding written portions, and then the candidate is required to take a comprehensive lab exam, whereby they are given extremely challenging real-world scenarios, and are then required to make the proper configurations.
Fortunately for Security+ test takers, there is no lab portion of the exam. It is only a written exam (well, technically you take it on a computer at a certified testing center like Pearson VUE). The exam is administered in a multiple choice format, and again, I think most people would agree multiple choice is one of the simpler formats.
Obviously, entry level certifications like the Security+ exam are going to be easier than expert level certifications. But how hard is it compared to other entry level certifications? By and large, I tend to think of the CompTIA exams as fairly easy exams. But believe it or not, I actually found the Security+ exam to be easier than the A+ exam. The A+ exam deals with some incredibly easy and dreadfully boring material, such as the sockets, plugs and connectors found on desktop and laptop computers. Because the Security+ exam material was more exciting, it was easier to study for and a lot more practical.
In addition, I think it’s easier than every other entry level Cisco certification. The CCNA, though not as hard as professional or expert level exams, is pretty formidable. In addition to more challenging concepts, the format of Cisco exams is trickier, with simulation-type questions that are weighted more heavily than a simple multiple choice question.
So, all in all, I think the Security+ exam is rather easy, especially when compared to other exams. But remember, your mileage may vary.
Professional Value and Marketability
I’m still not sold on the idea that entry level CompTIA exams carry a high level of professional value and marketability, but they are still useful, and I’ll tell you why. One of the largest misconceptions of burgeoning network engineers, I.T. personnel, and penetration testers is that a certification is a means to an end that guarantees a high salary.
I’ve said it before, and I’ll say it again: with the exception of certifications like the CCIE, most certifications won’t guarantee you a certain salary bracket. A lot of eager and wide-eyed students look up data on Payscale and think they can take a shortcut to the top by loading their resumes with exam certifications. Payscale certainly offers valuable information, but you need to understand the data to know what to expect with regards to salary and income.
Right now, Payscale lists the salary range of information security analysts with the Security+ certification as approximately $50,000 to $90,000. Just looking at that data, it’s easy to see why so many newbies think they can expect a high salary after certification. They think that even if they get a job with a salary on the low end of the spectrum, they’ll be making about $50,000 USD per year. But folks, it just doesn’t work that way.
Of the 492 salaries that Payscale used as statistical data, few (if any) of those polled had only 0-2 years of experience. And anyone who has had to hunt for a job knows how important experience is. Sometimes it seems to be a chicken-and-egg scenario, and even entry level jobs want candidates with several years of experience under their belt.
So without years spent working in the industry, it’s highly unlikely that you’ll ever come close to these figures, even with the Security+ certification. I would also like to point out that it’s extremely rare for an I.T. professional to immediately assume a security-centric role. Typically, it takes five to ten years before an employee gets promoted to a security team, because there are so many other foundational topics that the employee needs to master first.
For instance, let’s consider a recent college graduate with a Bachelors in CIS or another Computer Science related discipline. Without any experience, it’s likely that they’re going to end up working at a help desk. With a few entry level certifications, you might be able to find a job working for a consulting firm like a Cisco partner. But even with certifications, you’ll need to start at the bottom and work your way up before the company trusts you enough to put their network security in your hands.
That said, many job hunters have successfully used certifications to break through the initial entry barrier. Think about things from an employer’s perspective. Would they rather have the recent college graduate with only a degree or the candidate with a degree and the Network+, Security+, and CCNA certifications under their belt (assuming experience levels are the same)?
So in summary, there is a certain degree of intrinsic value in certifications because they bolster your resume and put you a step ahead of the competition. But don’t incorrectly assume that you’ll land a job making $50,000 to $97,000 per year. Nevertheless, though perhaps more towards the entry-level side of the spectrum, the CompTIA exams are well respected throughout the I.T. industry. The following are a few reasons why CompTIA is respected and why their certifications hold professional value:
- CompTIA certifications meet ISO 17024 standards and are approved by the U.S. Department of Defense
- Security+ is an internationally recognized qualification
- Studies have shown that, on average, certified individuals earn more than those who lack certification
With that said, let’s take a closer look at the actual subject matter, concepts, and content contained on the Security+ exam.
The non-profit Computing Technology Industry Association (CompTIA) offers a number of vendor-neutral certifications to IT and cyber-security professionals. CompTIA certifications can be divided into four categories, namely (a) core certifications, (b) infrastructure certifications, (c) cybersecurity certifications, and (d) additional professional certifications. The Security+ certification falls into the core certification category. CompTIA Security+ is a vendor-neutral entry level certification that validates the baseline cyber-security skills and knowledge of professionals. This includes installing and configuring systems, securing devices, applications, and networks, knowledge of cyber-threats and their analysis, risk mitigation techniques, and familiarity with cyber laws, policies, and regulations.
Security+ Exam History
As technology evolves, CompTIA updates the format of the Security+ exam to keep up with current technology and security best practices. SY0-101 was the first version of the Security+ exam, offered in 2002. SY0-101 was replaced by SY0-201 in 2009, focusing on the systems security domain. In 2011, CompTIA announced the SY0-301 version of the exam, adding cloud computing and other significant information security updates. CompTIA updated the exam to SY0-401 in 2014, focusing on access control and risk management. SY0-501 is the latest Security+ exam version, launched in October 2017. The current version focuses on the six IT and cyber-security domains listed below.
- Technologies and Tools
- Threats, Attacks, and Vulnerabilities
- Identity and Access Management
- Architecture and Design
- Risk Management
- Cryptography and PKI
Who Should Earn Security+ SY0-501
Security+ SY0-501 suits IT professionals who want to showcase their IT skills and knowledge, such as systems installation, threat management, risk management, identity and access management, and information security. Holders of the Security+ SY0-501 credential commonly fill the following key career positions.
- Network administrators
- System administrators
- Junior IT auditors
- Penetration testers
Security+ SY0-501 Eligibility
Since Security+ SY0-501 is an entry level certification, there are no prerequisites for taking the exam. The exam does, however, require a good understanding of IT and cyber-security skills. Two years’ work experience in the IT field is a plus but not mandatory.
Security+ SY0-501 Exam
The current Security+ SY0-501 CompTIA exam consists of a maximum of 90 questions drawn from all six domains described below. The exam contains both multiple choice and performance-based questions. The test duration is 90 minutes, and a score of 750 on a scale of 100-900 is required to pass. The weighting of each domain, as a percentage of the exam, is given with its description below.
CompTIA Security+ Domains
Following is a brief description of all the domains covered in the CompTIA Security+ exam.
Domain 1: Technologies and Tools. 22% of the Security+ SY0-501 exam consists of questions from the Technologies and Tools domain, which requires the following knowledge and skills from candidates.
- Installation and configuration of network components to support organizational security. Firewalls, routers, switches, and load balancers are example network components.
- Assessing the security posture of an organization using appropriate tools. Protocol analyzers, network scanners, password crackers, exploitation frameworks, honeypots, and command line utilities like nmap, netcat, and tracert are example software tools used to assess security posture.
- Knowledge of troubleshooting common security issues like misconfigured devices, permission issues, access issues, data security issues, logs and event anomalies, and authentication issues.
- Analyzing and interpreting the results from security technologies like Web Application Firewalls (WAFs), intrusion detection systems, and Data Loss Prevention (DLP) systems.
- Secure deployment of mobile devices in given scenarios.
- Implementation of security protocols in given scenarios.
Domain 2: Threats, Attacks, and Vulnerabilities. Threats, attacks, and vulnerabilities constitute 21% of the SY0-501 exam. Candidates should focus on the following domain knowledge and skills to better prepare for the Security+ exam.
- Analyzing indicators of compromise and determining the malware type, such as virus, bot, Trojan, RAT, or ransomware.
- Comparing different cyber-attacks, such as social engineering, application or service attacks, and cryptographic attacks.
- Knowledge of threat actors and attributes.
- Knowledge of penetration testing concepts.
- Knowledge of different vulnerabilities and their impact.
- Knowledge of vulnerabilities scanning concepts.
Domain 3: Identity and Access Management. The Identity and Access Management domain accounts for 16% of the SY0-501 exam. Candidates should have the following knowledge of the domain.
- Comparing and contrasting identity management and access management concepts.
- Knowledge of installation and configuration of the identity and access management services in given scenarios.
- Implementing the identity and access management controls in given scenarios.
- For given scenarios, differentiating between different account management practices, such as account types, general concepts, and account policy enforcement.
Domain 4: Architecture and Design. 15% of the questions in the Security+ exam concern the Architecture and Design domain, which covers the following key concepts.
- Knowledge of different frameworks, best practices, use cases, and secure configuration guides.
- Ability to implement secure network architectures in given scenarios.
- Implementing secure systems designs in given scenarios.
- Knowledge of secure staging deployments.
- Concepts of secure application development and deployment.
- Understanding of Cloud and virtualization concepts.
- Knowledge of automation strategies that help reduce risk.
- Knowledge of security controls and their importance.
Domain 5: Risk Management. The Risk Management domain accounts for 14% of the SY0-501 exam. Candidates must have the following knowledge and expertise to solve exam questions related to risk management.
- Knowledge of policies, procedures, and plans related to organizational security.
- Knowledge of risk management processes and key concepts.
- Understanding of incident response plans and processes in given scenarios.
- Basic forensic concepts.
- Concepts of disaster recovery and business continuity operations.
- Knowledge of implementing data security and privacy for given scenarios.
Domain 6: Cryptography and PKI. 12% of the Security+ SY0-501 exam covers cryptography and Public Key Infrastructure (PKI). Candidates familiar with the following cryptographic concepts have a better chance of solving the exam questions related to cryptography and PKI.
- Basic concept of cryptography, such as encryption, decryption, hashing, digital signatures etc.
- Knowledge of cryptographic algorithms and their properties. Examples include symmetric algorithms, asymmetric algorithms, cipher modes, hashing algorithms, and key stretching algorithms.
- Knowledge of wireless security settings, such as installation and configuration settings.
- Knowledge of implementing Public Key Infrastructure (PKI) for given scenarios.
Security+ Certification Renewal
CompTIA Security+ certification is valid for 3 years and must be renewed every 3 years. Candidates can keep the certification current through the Continuing Education (CE) program, which involves activities and training related to the Security+ certification content. CertMaster CE is an online self-paced course designed for Security+ holders, and candidates can renew the certification by completing it. The other option is to earn 50 CE units and upload them to the certification account, which renews the certification automatically. Candidates can also retain the Security+ certification by earning higher-level CompTIA certifications.
Now let’s take a moment to dig a little deeper and analyze the subtopics included on the exam.
Network Security
The term ‘network security’ is admittedly a little broad, and it covers a wide range of topics. First off, you’re going to need to be able to identify and explain the functions of various networking devices such as firewalls, routers, switches, proxies, web security gateways, and VPN concentrators. If you don’t know what all of those devices are or what they do, take a deep breath and relax. That’s what the study materials are for.
In addition, you’re going to need to learn about intrusion detection systems and intrusion prevention systems, be they based on behavior, signatures, anomalies, or heuristics. Furthermore, you’re going to need to learn about protocol analyzers like Wireshark. Other notable concepts in this section include the following:
- spam and URL filters
- malware and content inspection
- web application firewalls
- application-aware networking hardware such as firewalls, IPS, IDS, and proxies
- VLANs, 802.1x, port security, securing routers, flood guards, loop prevention, and network segmentation
- DMZs, subnets, telephony, virtualization, remote access, and cloud computing from a security perspective
- TCP/IP protocols and secure protocols
- wireless security algorithms such as WEP, WPA, WPA2, EAP, PEAP, LEAP, and so on
Compliance and Operational Security
The compliance and operational security section typically isn’t the most exciting or “sexy” portion of the exam. Nevertheless, you’re going to need to learn about concepts such as managerial and operational controls, false positives/negatives, and reducing risk with documents such as the privacy policy, acceptable use policy, security policy, terms of service, and related policies (not too exciting).
Another large component of the compliance section of the exam is understanding the security risks with different types of technologies, such as cloud computing and virtualization.
Other concepts in this section include:
- Securely managing changes and new implementations
- Incident management
- Users, groups, and permissions
- Audits
- Enforcing policies
- Data loss prevention
Threats and Vulnerabilities
The threats and vulnerabilities section of the exam content is a lot more exciting, and is the juicier part of the examination. In this section, you’re going to learn about all the different types of malware including:
- adware
- viruses
- spyware
- Trojans
- rootkits
- backdoors
- botnets
- ransomware
- armored viruses
- polymorphic malware
Furthermore, you’re going to learn the dirty details of how several sophisticated attacks are carried out, such as:
- MitM attacks
- DoS/DDoS
- Smurf attacks
- Spoofing attacks
- Spam and phishing attempts
- Privilege escalation
- Pharming
- DNS and ARP poisoning
- Password attacks such as brute force, dictionary attacks, hybrid attacks, birthday attacks, and rainbow tables
- Social engineering
- A whole range of wireless cracks and attacks
Application, Data, and Host Security
In my opinion, the application, data, and host security section is one of the more challenging sections of the exam. In this section you will learn how individual hosts and applications can be targeted in an attack, and you’ll come to understand web threats such as cross-site scripting and SQLi. In addition, a large section of the exam has been updated to accommodate changes in mobile security. Data security concepts in this section also include the following:
- Cloud storage, SANs, big data, and data encryption
- Hardware-based encryption devices
- Permissions and ACLs (Access Control Lists)
Access Control and Identity Management
A lot of security technologies revolve around being able to securely identify and authenticate users. Managing these accounts and identities takes an immense amount of planning and security. A few of the identity management technologies you’ll need to brush up on include RADIUS servers, TACACS+, LDAP, Secure LDAP, Kerberos, and SAML.
Furthermore, you’ll need to learn the nuances and definitions of different authentication components such as identification, authentication, authorization, and accounting. Though this isn’t my favorite section, it is more exciting than the policy and compliance section, and undoubtedly an absolutely crucial component of modern network security.
Cryptography
I may not be a gifted math genius on the same level as Rain Man, but even I can appreciate the astounding complexity and beauty of mathematical concepts that have created modern cryptography. If you’ve ever wondered how a VPN tunnel encrypts data so that no one else can read it without the proper decryption key, then this section is going to provide you with some revelations.
The three main sections of the cryptographic questions include the following:
- Utilize and understand general cryptographic concepts (types of encryption, symmetric versus asymmetric keys, hashing, transport encryption, digital signatures, PFS, etc.)
- Use the correct encryption technologies given a scenario (such as AES, DES/3DES, MD5, SHA, PGP, Twofish, SSL, TLS, IPsec, SSH, HTTPS, and more)
- Given a scenario, use the correct PKI, certificate management, and associated technologies
Final Thoughts
The Security+ exam is one of the best places to start if you’re curious about the wide world of Internet and network security. Though you may encounter a few initial hurdles as you wrap your brain around numerous new and exciting concepts, this exam certainly isn’t the most challenging security certification on the market.
You can either pick up the study materials on your own and prepare with self-study or take a rather expensive class to prepare. Sometimes the classes include exam vouchers that discount the cost of sitting the exam. Either way, this exam will help strengthen your resume, prove to employers that you’re serious about technology, help build a foundation of general security concepts, and validate your skill and knowledge in the realm of Internet security.