Everything I Wish I Knew Before Taking The CompTIA Security+ Exam (Tip: Charge Your Computer)




Introduction


It's been such a long road but we've finally gotten here! I've finally taken the CompTIA Security+ exam. I studied, I passed (not without drama) and now what? Well... Absolutely nothing. I'm going to rest and restore my peace of mind for a bit. As you may recall from our prior post about the true substance of obtaining security certifications, Security+ is usually the first one that people go after. It's a very generalized exam that tests your knowledge on the security industry as a whole and not just one specific area. Because of this, a lot of cyber experts hate Security+, which is why yours truly has been putting it off for so long. If you're anything like me, I hate having to memorize a bunch of subject matter that doesn't necessarily relate to my job title. However, studying for this exam wasn't so bad. Taking it was another thing, but we'll get to that later. Overall, if you're looking to break into Cybersecurity with an impressive BANG! here is what you need to know when it comes to preparing for Security+:


Exam Topics By Portion



As previously mentioned, Security+ is a very generalized exam that focuses a little bit on almost every pathway of Cybersecurity careers. By chapter, these pertain to the following areas (according to Ian Neil's "CompTIA Security+: SY0-601 Certification Guide, Second Edition"):


  • Chapter 1: Enterprise Governance (Security Controls)

  • Chapter 2: Implementing PKI (Cryptography)

  • Chapter 3: Investigating Identity and Access Management

  • Chapter 4: Exploring Virtualization and Cloud Concepts

  • Chapter 5: Monitoring, Scanning, and Penetration Testing

  • Chapter 6: Understanding Secure and Insecure Protocols

  • Chapter 7: Delving into Network and Security Concepts

  • Chapter 8: Securing Wireless and Mobile Solutions

  • Chapter 9: Identifying Threats, Attacks, and Vulnerabilities

  • Chapter 10: Governance, Risk, and Compliance

  • Chapter 11: Managing Application Security

  • Chapter 12: Dealing with Incident Response Procedures


Usually when taking Security+, people say that the exam tends to focus the most on chapters 7-10 (Security Networks, Identifying Threats, GRC, etc.) and I found this to be mostly true. If we had to break it down percentage wise, I would say that the questions on my specific exam were made up by these portions:


  • Network Security: 20%

  • GRC: 20%

  • Threats & Vulns: 25%

  • Virtualization & Cloud: 15%

  • Everything Else: 20%

Now, lucky for me, I have the most experience in GRC and risk management, so those questions were a breeze. However, I definitely should have studied up more on the Network Security and Virtualization portions of the test, because two out of my four Performance Based Questions (PBQs) were only on that, and it was not my strong suit. Knowing that now, I wish that I had spent more time studying how to configure firewalls, remote access capabilities, and cloud security architecture instead of worrying about getting a question right on mobile phone encryption.


How Were The PBQs (Performance Based Questions)?


On the CompTIA Security+ exam, there are a few Performance Based Questions (PBQs) that they throw at you in order to test your technical skills in real-life situations. I'll just be honest here: I sucked at that. That's mainly because I only bought the textbook (which is all multiple-choice practice questions) and I didn't spend any money on PBQ training course software. When deciding how to study for this exam, I was working on a tight budget and couldn't afford to spend much on study materials when the one-time exam voucher was already $400. However, if you're nervous about PBQs and don't mind spending a little extra on studying, I would definitely recommend buying a training course. I know it's weird to say this even though I passed, but my stress level was through the roof while doing the PBQs. It also didn't help that my computer died during the test (which, again, we'll get to later), but watching someone go through the PBQs on YouTube isn't as good as doing them yourself.


You can have anywhere from 3-10 PBQs on one Security+ exam and they are usually one of two options: A kind of matching game (drag and drop/choose from dropdown) or a virtual simulation. I thankfully only had 4 PBQs and all of them were the matching game, but if there were any more than that, I may not have gotten as good of a score. Therefore, make sure you reserve enough time to study the PBQs, and pay attention to the most common topics that they test on. This could include any of the following:


Chapter 10

  • Identify Data Type & Risk Mitigation Tactics

Chapter 9

  • Identify Attack Type & Prevention Tactics

  • Investigate Logs

Chapter 8

  • Securing WAPs and Wireless Channels

Chapter 7

  • Configuring Firewalls & Access Control Lists

  • VPNs/Split Tunneling

  • IP Addressing

  • Network Segmentation

Chapter 6

  • Configuring Switches, Routers, & Domain Controllers


Chapter 4

  • Cloud Storage Management

Chapter 3

  • Creating Account Policies


Actual Tips For Taking The Exam


Have a Strategy

Are you a multiple-choice aficionado or a highly technical wizard? Depending on what you align with more, this can affect your exam strategy. As for myself, I'm waaaay more comfortable with answering multiple-choice questions. Every single test throughout my educational years, Lord knows I've always prayed for it to be multiple choice. Therefore, it was better for me to focus more on the PBQs (at the front of the test) and then be able to answer the bulk of multiple choice questions quickly towards the end. If you're the opposite, then it may be better for you to take more time comparing answers and then return to the PBQs later on. Keep in mind that there are about 90 questions total on the Security+ exam, and at least 80 of those are going to be multiple choice. Therefore, figure out whether it's smarter for you to reserve your time answering PBQs or vice versa. Just definitely don't ignore studying/practicing for either portion.

Take It At The Right Time

Scheduling your exam at a certain date and time can also be a strategic benefit for passing. After studying 3 months for this test, I felt like taking it on a Monday was the best deadline to set for myself to just get this thing over with. Since I like to have a fresh review the day of for exams, I took Security+ around mid-afternoon so that I could give myself time to go over everything one last time. However, I can understand those who like to take their exams first thing in the morning for the sake of enjoying the rest of their day. If you're taking the exam online, CompTIA gives you a lot of flexibility for scheduling, so you can schedule your exam the day before at basically any hour. If you're planning on taking your exam at a physical testing center, make sure you remember the exact date and show up an hour to 30 minutes (AT LEAST) before your exam time. We've all had little bouts of forgetfulness here and there, but you definitely don't want to be rushing or forget you had to take an exam of this caliber.

The Night Before: Read The Book Front to Back

Of course I don't mean to read the ENTIRE book (come on, now). What I'm trying to say is: The night before the exam, cover only what you don't know and ignore what you do. Now this may seem like a no-brainer, but a lot of people tend to waste their time going over material that they already have down pat. Security+ is so much information to memorize, so sometimes we can get caught up in the tiny details that don't really matter. It can be hard to prioritize information in the days leading up to the exam, but I'm telling you that you need to only look at the stuff that you missed while studying. Maybe there's one chapter that you get the "gist" of but you haven't really taken the time to understand completely; that's what you need to focus on. Please do not waste your time on material that you already know. I should have done a better job with this when I took my test (specifically referring to the Networks and Cloud chapters). Therefore, the night before the test, go through every chapter with a highlighter and, if you haven't done so already, highlight the stuff you aren't familiar with. In the back of your head, you'll be skimming through all of the material you already absorbed, and in a way, that forces you to review those topics anyway.

If Taking Your Exam Online, CHARGE YOUR COMPUTER!!!!!!!!

Oh my Lord, how do I even begin to explain this: So I'm supposedly a smart person, right? I went to college, I have a tough degree, I know that Africa is a continent and not a country, and yet... I forgot to charge my computer before my exam. And lo and behold, it DIED! Right towards the end of my exam when I had 20 minutes left, IT DIIIIIIIED!!!! And when my computer died, I wanted to die too. I honestly did. I immediately started crying and screaming "NO, NO, NO" and freaking out. So yes, I threw a full-blown tantrum at 22 years old, but I paid $400 for this exam, studied for months on end, only for my dumb absent-minded brain to ruin my chances of finding out my score. Would you have not done the same? If you happen to be a stable and mature adult, perhaps not... but still. I had a lot of money riding on this that I couldn't afford to waste. Luckily for me, after I calmed down and plugged my computer in to charge, I called CompTIA customer service and had a very nicely unhinged chat with the rep on the other line. They told me I could still go back into the exam and continue if there was time left, and the proctor monitoring my activity let me finish with at least some dignity intact. Problem solved! Secretly though, I still can't believe that I passed. It was quite the emotional rollercoaster.


How To Make The Most Of Security+ On A Budget



I wanted to include this little blurb here on how to affordably take and pass Security+. Even though I shamelessly plugged buying a training course (some of which go into the thousands of dollars), I understand that this is not a reasonable option for most people, especially if you happen to be a college student or recent grad. However, the good news is that you don't have to drop a ton of money on studying in order to pass this exam. There are multiple training materials online that you can access for free, along with some budget-friendly alternatives. Along with the textbook, I mainly used examcompass.com and Ian Neil's Security+ online exam resources to study. I passed, albeit with a little less than I originally hoped for (I got a 775 when the passing score is a 750), so if you want a higher score, then I would spend some money on a training course.


This also all depends on how long you've been working in the security industry or your prior knowledge of security terms and concepts. Cybersecurity was my undergrad degree, so I was comfortable with a lot of the Security+ material. However, if you're completely new to the security industry, then that's another circumstance in which I would buy a training course. But just so you know that there are a wide range of options available, I've included this list of free/low budget resources:


Websites:


YouTube:


Low Budget Training Courses

  • Udemy Security+ Training (Includes PBQ Practice + Practice Tests) - As of March 27th, 76% off deal at $16.99

  • Professor Messer (Some Free Training Material Included) - Practice tests usually go for $30, notes and exam tests $50


If You Fail: Know That More Than 60% Of People Don't Pass The Exam On Their First Try


I'm the kind of person who takes comfort in this fact; a sort of "group-failure" mentality where it's not completely your fault if things don't turn out for the best. What I mean by this is: If you don't pass Security+ your first try, don't sweat it. This exam is HARD. It's designed to be hard, and if everyone could do it, then everyone would be a certified security professional. The night before I took my exam, I was super nervous and went on Reddit to kind of gauge how many times it was normal not to pass, and I found that the answer varies. Some people took it twice, but a lot of people ended up taking Security+ 3 times (3 TIMES) before they finally got certified. If you're anything like me, this made me feel better. I went into the exam still nervous, but I knew that it was okay if I didn't pass on my first try...because nearly nobody does. Especially based on your situation (whether you're new to the industry, a college student, etc.), take comfort in the fact that it's okay if you don't pass your first time, and it's perfectly natural to try for a second, a third, or even a fourth attempt. Deep down, know that there's no "proper" number of times for you to take this exam.


Conclusion: A Cert Does Not Equal Skill



Lastly, I just want to say that even though Security+ is supposed to be an industry-standard certification, I personally know so many cyber professionals, light-years ahead of myself and others in terms of skill, experience, and knowledge, who haven't taken this exam and they're doing just fine. Better than fine, even! So if you don't have your Security+ or if you've taken it and haven't passed, just know that this test isn't a true measure of your ability or potential as a security expert. I've said this before and I'll say it again: Certifications are mainly for HR. The real reason why I had to get my Security+ is because I was so fed up with people tossing my resume in the trash because I didn't have it. Therefore, if you're looking for a job, a certification can be a dealbreaker for making yourself stand out from the competition...not necessarily a "proclamation" of your ability. If we're being real here, I know people who have their Security+ and multiple other certifications and they still can't tell you what a firewall is. So just keep this in mind next time you're beating yourself up that you're not as "cert-loaded" as some other people.


Overall, studying for/taking Security+ is not something to be afraid of. If you're prepared to put in the work and actually learn the material, eventually you'll add this important cert to your security arsenal.

