
Author Took the Security+ Beta
dagger

2002-09-25, 7:03 am

Well, I don't know what came over me (well I think it was the $90 price tag opposed to $199.00 when the final exam is released)
but I decided to take the Security+ beta exam yesterday morning.

Over all, I didn't think it was a very hard exam. I found it all based on factual memorization. If you have good memorizing skills you will pass this exam no problem.

There are no scenario based questions so it is much easier than the Server+ exam.

I did see a good percentage of cryptography questions, but if you can remember the basic facts it won't be that hard.

There were questions based on how to prevent a Man-in-the-Middle attack, and quite a few
on Social engineering. (they were gimmies).

Over all, it is a good cert to get your feet wet, but I don't know if it will be "taking off" as a recognized Security cert.
It was just based on facts, so good memorization skills will get you a pass.

I thought the exam would have been harder,
with scenario based questions on how to secure your network by giving you a diagram
and making you place each server or whatever
in the proper DMZ zones ...or something of the sorts.

But like questions on the lines of:

What type of server would you use to protect your network from intruders?

A: Firewall
B: Router
C: IIS
D: TCP

I found a lot of basic questions like that.

Hope this helps
BootData

2002-09-25, 9:01 am

thanks for sharing (just like u said u would in the other thread)
how many questions were there? how about the time?
I understand Comptia certs don't have 'expiry' date. Is this the case with 'beta' exams as well ?
dagger

2002-09-25, 9:42 am

There were 125 questions, as for the time limit on the beta.....Mm I think they give three hours (I was in and out in 1 1/2 hours).

I don't think any CompTIA exam has an expiry date, so if you get certified by passing the beta you are certified for life.

The beta exam is over Sept 30th.

It costs $90.00
then when the real exam is released
it will cost $199.00.
BootData

2002-09-25, 10:34 am

dagger, btw, why don't u update your profile on the left?
dagger

2002-09-25, 3:27 pm

We don't get a pass/fail
at the end of the exam for a beta.

They send out that information later.

So when I get that info
and if I passed I will update it.

I have no idea if I passed or not
I didn't have all the cryptography stuff memorized....so I must have got dinged quite a bit in that section.
Rosetower

2002-09-26, 10:50 am

Thank you for the information. I think I will give this cert a try.
AuthorHelen

2002-09-26, 11:12 pm

Folks,

Dagger's correct in saying that the Security+ exam seems to be heavily weighted toward crypto (in reality, the objectives' mention of it being 15% of the test seems to be accurate... but when you're in there and keep getting hit with every possible crypto sub-topic, it sure feels like more), and that memorization (of ports, definitions, etc.) gets you far.

On the crypto front, I half think the exam dev committee took a clue from Microsoft's exams, in attempting to use the exam to "market" a technology they want people to use more, by requiring that people learn about it to pass the exam. The particular technology in question is public/private key crypto, and it has historically been viewed as complex and has not been well-understood by most IT folks. It's really NOT that tough once you get your brain around it, but there is a bit of a learning curve, and Security+ may be just the motivation some folks need to put the time in.

I'm not sure I agree that it's strictly a memorization-based test. I recalled having to logic some things out, choose the "best" answer of two answers that really were both correct, etc.

As far as its worth as a security cert, there seems to be a market for Network+ as well as CCNP, with the former often used as a stepping-stone to the latter. Given that the reigning king of the security cert hill, CISSP, currently requires 3 years of experience in the field (and may require more in the future), it seems to me that there is a mindshare opening for a more entry-level cert.
--
* Helen *
mikop

2002-09-26, 11:48 pm

my biggest issue has always been... what is an entry level security cert...

honestly, A+ and Net + does not have that good of a track record imo... look at their forums... there are A+ certified who can't put together a system and there are Net + who can't put together a simple peer to peer network with 3 pc... and the comparison of security + to the approximate difficulty level of these cert just scare the hell out of me

I think there is a difference in perception... CISSP is valid because of its requirement, that ppl who has that experience level must, be it certified or not, have knowledge of security issues... it does not mean that because CISSP has validity, that any coverage of the relative domains will have that validity, which I think is part of your argument, that they need a *lesser* cert to jump off of.

I have looked over the exam objective, various documents including the pdf file... I agree that these information is vital... but the coverage and depth (perceived... as I have not take the test and have decided not to...) really leave a lot to be desired... What good if one know about these information but lack any ability to implement it... or what annoy me more is... knowing half, enough to bullsh*t is most dangerous... either you bug the engineer with your new found knowledge yet not true understanding... or you think you have a grasp of security issues but the implementation provides only a false sense of security...

I have an issue with comptia's exam policy also... certainly being vendor neutral it would be hard to have an *exam track*... but boy... I wish at the very least they require some thing before taking some of their test that many are consider a step above net/a+ like server + and probably security +.

I dunno... since we are talking about PKI and various crypto techniques... I rather ppl know nothing and just trust that it is implemented... than to know some... just enough to be dangerous... other technologies, fine you can be half XXX about it... supporting a small company with 30 pc and a dsl connect would be fine for a net +, but security?... heh... I know that if I ever sit at an interview where the person who has no demonstrated experience field in security but has the security + cert and he write he knows security technologies, I will prolly chuckle... What good is knowing the various attack forms when you don't have a solid understanding of tcp/ip or have/can provide a solid path to secure against these attacks. It seem to me that the depth of the coverage will only provide a *bs* answer... (hehe I think I am just bitter because I see so many net+ claiming to have intimate knowledge of tcp/ip... when they can't explain the handshake process... ) I am a bitter bitter man

Just to clarify... I do not consider myself security professional... nor do I have an intimate knowledge of tcp/ip... and I don't claim to be... so I am not putting this down because I am in a happier place... just addressing my concerns.
AuthorHelen

2002-09-27, 1:02 am

Mikop,

You raise some *great* issues in your most recent post...

>> what is an entry level security cert...

I think it's one that keeps someone who's doing security for the first time, from making some of the mistakes they might make if they hadn't studied for the cert. From what I've seen of the real world and of Security+, if certain folks I know who were performing security functions (without anything beyond learn-by-doing) had known the material in Security+ at the time, it would have enabled them to do their jobs better and make fewer naive mistakes. (Of course, there really is no substitute for experience, and some stuff can be learned only by doing ... but many basic things like why one might want a DMZ on their network, etc. can be learned about by reading a lot less destructively than by doing.)

>> honestly, A+ and Net + does not have that good of a track record imo...

Yes, there are "paper A+" and "paper Net+" folks, just like there are paper MCSE's. But out in industry, among the crowd who hires technicians (and advertises the qualifications of their techs to potential customers), A+ (particularly) and Net+ have substantial mindshare as a demonstration of competency -- at least in the Seattle area. If someone doesn't have a lot of experience, but does have one of these certs, it would catch my attention more than someone who had the same amount of experience but no certs.

>> and the comparison of security + to the approximate difficulty level of these cert just scare the hell out of me

:-) I hear you! There are two situations in which a Security+ certified person might ideally find themselves, as I see it.

First, as a low-geek-on-the-totem-pole working for a CISSP (or otherwise-qualified person) managing an enterprise network's security. Hopefully, their supervisor would keep them out of trouble caused by misapplication of assumed knowledge. The way I see the Security+ cert as useful in this case, is that when the CISSP talks, the LGOTTP stands a chance of actually understanding what is said, because he learned those terms while pursuing Security+.

Second, as the main network support person in a small organization. Many companies can't afford to have a very experienced wizard admin on staff, or even on call. They have a budget, and a list of tasks that need to be performed. They hire the person they feel is most likely to do these tasks best. (Realistically speaking, there are many people who could do the job much better than an entry-level person if an infinite number of dollars were allocated to paying them. But also realistically speaking, sometimes the hiring process is a balancing act between what you can convince YOUR boss to fund, and what you know in your gut that you really need.) If your budget only allows hiring an entry or intermediate level computer support person fresh from help desk duties, I'd consider someone with security knowledge as proven by Security+ -- no matter how limited -- to be more interesting than someone without it, for the reason mentioned at the top of this note (if earning Security+ enables them to avoid making ONE security mistake on the job, it was time well spent -- and I believe this will be the case).

>> I think there is a difference in perception... CISSP is valid because of its requirement, that ppl who has that experience level must, be it certified or not, have knowledge of security issues...

I'm not sure what you mean by this... could you re-state?

>> it does not mean that because CISSP has validity, that any coverage of the relative domains will have that validity, which I think is part of your argument, that they need a *lesser* cert to jump off of.

Again, I'm not sure what you're meaning to say here. But I will say that I do see a "lesser" cert as being a good jumping off point for someone working on getting those three years of experience -- again, it avoids them being completely in the situation of learning on the job. For example, is it better to learn after a break-in, that you can put filtering rules on routers to limit inbound/outbound traffic, or is it better to at least be aware it's possible to do this, and that you need to figure out how to do this for your particular equipment, before the break-in happens? I'd rather have a person who at least knows that you can tweak access lists (even if he doesn't know HOW to do it, and would have to make some calls to figure that out). Of course, this is predicated on the person knowing their limitations (which you seem to be worried about) and being honest about what they do/don't know, and asking useful questions.

>> I have looked over the exam objective, various documents including the pdf file... I agree that these information is vital...

Yep.

>> but the coverage and depth (perceived... as I have not take the test and have decided not to...) really leave a lot to be desired...

It *is* mostly overview-level, Mikop. 100-level courses on any subject tend to be. (This frustrates me a bit, too -- ask my co-author how many times he's clobbered me for rambling on about a topic in too much depth. ;-) If you want to hit all the high points in one test, without requiring CISSP-level knowledge, overview is what you get. And like a Win2K MCSE, you can obtain the Security+, knowing a little about many areas, and then go on to specialize in a particular facet, like intrusion detection, or a forensics package, or .... in the future. For instance, I know just enough about Active Directory to be dangerous, not enough to architect an AD solution for a Fortune 500. That's OK, because I let others do that, and I stick to other facets of Win2K admin.

>> What good if one know about these information but lack any ability to implement it... or what annoy me more is... knowing half, enough to bullsh*t is most dangerous...

OH, YES! Note that Tcat and I addressed this issue, in somewhat-more-vague ;-) terms, EARLY in our PDF, reminding a Security+ person that they don't know it all and that they should be properly respectful of those they work for, who know more. For the case where Joe small business owner is hiring their only net admin, CompTIA needs to make clear that Security+ is an intro-level cert, and not an indicator that this person is capable of making every security-related decision for the company.

>> either you bug the engineer with your new found knowledge yet not true understanding... or you think you have a grasp of security issues but the implementation provides only a false sense of security...

See above. I do agree this is an issue. But you know... requiring 3 years' experience doesn't necessarily solve the problem of incompetent people portraying themselves as capable, and snowing those around them. In fact, sometimes the years of experience themselves act as a factor that helps make the snow stick. Maybe I've just been around some particularly inept admins, but even as a student, I knew more about some aspects of computer security than the experienced people who were paid to manage it. Letting people get a Security+ cert and spend a couple years apprenticing in the "implementation" trenches before becoming major decisionmakers really makes sense to me, given my past experience.

>> I have an issue with comptia's exam policy also... certainly being vendor neutral it would be hard to have an *exam track*... but boy... I wish at the very least they require some thing before taking some of their test that many are consider a step above net/a+ like server + and probably security +.

What do you mean "require some thing before taking some of their test that many are consider a step above net/a+"? What kind of "thing" are you thinking of?

>> I dunno... since we are talking about PKI and various crypto techniques... I rather ppl know nothing and just trust that it is implemented... than to know some... just enough to be dangerous...

There's a Catch-22 with PKI that has to get broken somehow. Where we sit now is that it sure looks like it won't ever get implemented if folks don't know anything about it. Telling folks it's a good thing, and even why it's a good thing, hasn't seemed to result in widespread adoption, because folks hit the documentation and scream "yikes!". When something hasn't worked in the past, a useful response is often to do something, ANYTHING, different than what was done before. I'm OK with trying, "test low-level people for basic knowledge of the concepts of PKI architecture" as an alternative to what's been tried before, that hasn't helped.

>> other technologies, fine you can be half XXX about it... supporting a small company with 30 pc and a dsl connect would be fine for a net +, but security?... heh... I know that if I ever sit at an interview where the person who has no demonstrated experience field in security but has the security + cert and he write he knows security technologies, I will prolly chuckle...

I wouldn't chuckle, Mikop, I'd *grill* them -- with the idea that if I ended up hiring the person (no matter how much they don't know -- remember, I've got a budget to live by), they'd be quite clear on the fact that I know the limits of their knowledge, and would hopefully act accordingly instead of trying to spread snow.

>> What good is knowing the various attack forms when you don't have a solid understanding of tcp/ip

Security+ assumes folks got that from Network+. I agree with you that it's important background information. This is why we, at one time, had an in-depth TCP/IP appendix in our freebie PDF. We took it out at some point, I think because someone felt that since Network+ was a pre-req it wasn't our responsibility to provide that type of information in the PDF, and we didn't want to support such a person pursuing the cert. IE, if a person didn't know it already at the time they picked up the PDF, too much of the material just wouldn't make enough sense to them. We didn't want to give anyone a false sense of security that if they didn't know what a TCP port was at the time they picked up our PDF, they could still pass.

>> or have/can provide a solid path to secure against these attacks. It seem to me that the depth of the coverage will only provide a *bs* answer... (hehe I think I am just bitter because I see so many net+ claiming to have intimate knowledge of tcp/ip... when they can't explain the handshake process... ) I am a bitter bitter man

;-) OK, Tcat and I don't like the "paper <insert cert of your choice>" idea, either. That's why our book is more than a minimalist "cram", and includes extensive explanations of each of the items in the test domain, complete with a few history lessons, tool recommendations, threat mitigation advice from the real world, further reading suggestions, etc. We really do hope that as someone reads our book in preparation for the exam, they learn more than the bare essentials required for the cert. (FYI, that 228-page draft has approximately doubled in size since it was let loose in the wild, and we're still adding features, call-outs and pop-quizzes to the manuscript.)

>> Just to clarify... I do not consider myself security professional... nor do I have an intimate knowledge of tcp/ip... and I don't claim to be... so I am not putting this down because I am in a happier place... just addressing my concerns.

You've got some valid concerns; it remains to be seen how industry acceptance of this exam plays out. I'll be the first to admit that the "interestingness" of any cert is a matter of opinion, and that there is the potential for folks not very familiar with it to misunderstand the level of knowledge that it represents. I still think it is a good baseline, and am thus spending my time in evangelizing the cert. I wouldn't be as invested in the Security+ book as I am, if I didn't really believe it *should* be an important cert in the industry. (For example, my name's not on a Server+, INet+, or even Linux+, book.)

Thanks again for making some good points.
--
* Helen *
chodan

2002-09-27, 8:09 pm

I think it all comes down to experience.
If I interview someone with a Sec+ but very little experience then I might be skeptical but I would probably ask for specific examples of their security experience.
Even though this is an "entry level" Certification it recommends 2 years of experience which is a little more than entry level experience.
That being said entry into security is evidently considered a more rigorous field than basic networking.
I could not have even thought of passing this cert with only a year or less of experience. I can't just memorize facts and regurgitate them on command though, I have to know it or I can't pass it.
Tulcingo

2002-10-02, 10:54 pm

HELLO PEOPLE ALL I HAVE TO SAY IS THAT WE ALL KNOW THAT COMPTIA TESTS ARE ALL ENTRY LEVEL AND WE SEE THAT MANY PEOPLE HAVE THE CERT UNDER THE BELT... WE ALL KNOW THAT...ALL I WOULD LIKE TO SAY IS THAT NO MATTER WHAT CERTS WE GET IT WOULD PROBABLY LOOK NICE ON A RESUME BUT IT ALL DEPENDS ON THE HANDS ON YOU HAVE... CORRECT ME IF I'M WRONG... NOWADAYS COMPANIES ONLY HIRE PEOPLE WITH HANDS ON AND IF YOU HAVE CERTS WELL THAT'S A PLUS TO PUSH IT UP A LITTLE.
chodan

2002-10-03, 8:19 am

I agree with the statement that it all comes down to experience.
But Sec+ lists 2 years experience as recommended experience.
Not exactly expert level, hehe but not entry level either.
As for having the cert under our belt that is something we will have to wait and see
I think I passed but I won't know till they tell me.
Rosetower

2002-10-03, 11:51 pm

Took the exam on 9/30. Had problems with a couple of questions that were worded improperly, left comments to that effect.
It looks like Cryptography will be a major topic in the live exam.
I only had a couple of days to review the available study guides, the material was right on target, so I give myself a 75% chance of passing.
All in all, it was a fair exam.
infosecpronyc

2002-10-05, 2:24 pm

I also took the Beta test and have to echo most of what has been posted before. I found the beta to be weighted to cryptology, but it had its fair share of other domains also. I guess they are trying to get a handle on exactly how to weigh the various security domains before going live with the exam.

Overall I didn't find the test overly difficult, even though I can't be sure I passed or not. I hope I did, would hate to spend another 200 bucks :-).

There aren't many study resources available yet but one that I found invaluable was Beachfront Quizzers free exam prep...you can get it at http://www.totalrecallpress.com/downloads.php

As of now it's still free but I believe that will change when the exam goes live in November or December. In the meantime if you need a good text that covers most of the information on the Security+ exam try Mandy Andress's CIW Security Analyst Bible. I estimate if you know most of that information you will be on the fast track to Security+ certification.

Keep in mind that the Security+ certification will not be any guarantee of getting work in the Security field. It is an entry-level cert and will only get you that far. If you already have years of experience in the Security field you are much better served shooting for CISSP or SANS certification.

H
AuthorHelen

2002-10-05, 3:32 pm

Hi infosecprony,

quote:

There aren't many study resources available yet but one that I found invaluable was Beachfront Quizzers free exam prep...you can get it at http://www.totalrecallpress.com/downloads.php

As of now it's still free but I believe that will change when the exam goes live in November or December.


Now that someone's raised this subject, I hope the examnotes folks don't mind my posting a bit about our distribution plans...

The test sim is temporarily free, courtesy of Total Recall Press, in a promo which I believe lasts a month. A revised test sim more targeted toward specific Security+ objectives is coming -- my co-author Tcat did the original one based on a subset of CISSP-level content, before the Security+ objectives were released. The new Security+ test sim, when completed, will probably not be available for free in the near future (just a guess... I am not Total Recall).

The free draft prep PDF document Tcat and I released just before the Security+ beta started is free now, and WILL REMAIN FREE LATER, for non-commercial use. We did this to get at least basic information out there in a form accessible to many people. Note that it is copyrighted, so if you include it in study materials to pass along to others, which is fine with us AS LONG AS YOU DO THIS FRIEND TO FRIEND NON-COMMERCIALLY and without asking for "donations" for yourself, please include the whole thing.

What WILL change is the price of our expanded, final copy- and tech-edited, ebook (450 pages and counting so far, including lots of clear explanations of crypto, and we're not done adding content and putting sample questions and tool information in). Currently, during the beta period and until our final ebook is completed, we are offering an advance order price of $20 for the ebook, per comments in the free PDF.

The final ebook will ship before or on the date that the Security+ exam goes live. After that point, the ebook price will increase to around the $30 ballpark; for those who like to carry dead tree stuff with them, it will also be available in printed form, in several editions (with/without questions, bundled with/without the new test sim, etc.) through Total Recall Press.
--
* Helen *
Mr. Linux Guy

2002-10-11, 9:02 am

Cool. I might try for this one after I complete my CCIE.
foxmedia

2002-10-11, 10:23 am

quote:

The free draft prep PDF document Tcat and I released just before the Security+ beta started is free now,

AuthorHelen
Where can I get this PDF file. The Beachfront download comes down as a *.brogaine file (?) and I can't open this.
I am very interested in taking the Security+ exam. Thanks for any info you can provide
AuthorHelen

2002-10-11, 10:39 am

Foxmedia,

I'm not sure what on earth a .brogaine file is, or why a file with that extension is on the download site. (??) If you go to www.alphageekproductions.com, you should be able to download the PDF.

Let us know if you still have trouble downloading direct from alphageekproductions. (FYI, the Security+ beta finished on 9/30, and the test is expected to go live later this year, so you can start studying now, to take the test later.)
--
* Helen *
foxmedia

2002-10-12, 6:46 pm

quote:

Originally posted by AuthorHelen

Foxmedia,

I'm not sure what on earth a .brogaine file is, or why a file with that extension is on the download site. (??) If you go to www.alphageekproductions.com, you should be able to download the PDF.

Got the file, but it will not load. Error message says "Please install BFQ Beta Security+ first."
Whoa!
dannyboy 950

2002-10-13, 8:02 am

That is the engine that will allow you to read those files and use the test simulator; it doesn't bite.
Or it didn't when I downloaded it. LOL
foxmedia

2002-10-13, 9:46 pm

Have downloaded successfully. Thanks
Copyright 2003 - 2008 examnotes.net