|
Home > Archive > Security+ > November 2002 > What to study before the Security+ books come out
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
What to study before the Security+ books come out
|
|
| wildscribe 2002-10-13, 8:12 pm |
| I have to agree with others in this group that Security+ has potential. I want to get the Security+ cert, but it doesn't appear that the first study books will reach the market until the end of November at the earliest. Even then, I question of the content of those books because I know it takes a few months for the real information about the test to come out.
I did download AuthorHelen's PDF from TotalRecallPress, and I have tried the Security+ questions on Cert21.com (both appear to be excellent study tools). But I am wondering if there are other books or web sites that I could check out.
While I was at Borders the other day, I picked up a copy of Ed Skoudis's Counter Hack book and wound up buying it. It does a good job explaining the various methods hackers use to break into servers and explains the tools they use, but it doesn't really go into how encryption works and how to set up a security plan for a network. I also set up a test network with a W2K and Red Hat box to try out the various cracking tools, but this might be going too far to study for the Security+. Still, it's a good way to learn how hacking\cracking is done.
It would be great if others could recommend other helpful study material.
Thanks all!
- Wild | |
| azimuth40 2002-10-17, 2:10 pm |
| There have been times where I wished that this book really existed. | |
| rpoerner 2002-10-19, 12:17 am |
| I recommend reading Maximum Security (Third Edition) I used this book as a text book for my Network Security class in college. The book has alot of useful material. Matter of fact one of the authors of the book was my teacher! I got an "A" in the class and relied heavily on this book to get that grade. If you find any other books useful for this certification let me know.
Good Luck with your certifications. | |
| AuthorHelen 2002-10-19, 7:50 am |
| Wildscribe,
Tcat&Helen's book is scheduled to be out in mid-November. (It may be out as an ebook, though not a free and freely-redistributable one like our draft, before then. We also have an arrangement with Total Recall Press for printed volumes.)
I disappeared from the forum to crank on final text cleanup and am now doing graphics, boxing those every-popular exam pointers, and writing review questions.
Generally the production exams contain a subset of the beta material, and don't tend to introduce new material that was not tested by the beta. So I don't think you'd be doing yourself a disservice to look at new Security+ books this Fall. At "worst," you'll learn more about a topic than is required by Security+. We're confident that we have done a thorough job with content. I truly believe you won't walk out of the testing center disappointed if you study our final book and then go take the exam.
By the way, yes, it is overkill to know how wield specific tools as if you're a +5 dex fighter with a +5 broadsword. Remember that this exam is vendor and platform neutral. For example, you might be asked questions about the FTP protocol, but not about the Microsoft or WU FTP servers.
The emphasis is on concepts (and more than you ever thought you'd need to know, this decade, about crypto). Security+ is a broad-based cert that makes a good companion to a hands-on-oriented security cert (which does require tool knowledge), since each concentrates on different aspects of the security process.
By the way, in case anyone wonders if I can mention a book I didn't write... for a "fun" computer security book to test your incident response skills, try one called something like "Hacker Challenge". It has a couple dozen intrusion detection scenarios and clues, and you get to "play along" by determining what to do next and figuring things out.
Hope that helps,
--
* Helen * | |
| Kasor 2002-10-20, 10:45 am |
| Study is way to do it, but what about experience and working knowledge.
Security is not something you can read and understand. I would wait for it. | |
| AuthorHelen 2002-10-20, 1:14 pm |
| Kasor,
I think the previous poster was talking about waiting, not for the sake of experience, but to see if study materials get "closer" to the test. (I still say that detailed hands-on knowledge of how crackers do their thing, or how a Checkpoint FW-1 is configured, is required for some security opportuniies, but it is not required to do well on Security+. Security+ isn't an exam to demonstrate one's detailed knowledge of a specialty. What is required for Security+ is serious survey-level knowledge of the field. As such, it's a bit different from the traditional A+, Network+ hands-on, nitty-gritty-details exams CompTIA is known for.)
I would hope that anyone attempting Security+ would have at least a bit of experience with security technologies/activities such as:
- anti-virus programs
- personal firewalls
- user administration (on Linux/UNIX or Windows)
- file permissions (again on your choice of OS)
- maybe port scanners like nmap
All of these things can be investigated using one's personal computer and LAN, without requiring access to an enterprise system, or actual work responsibilities in the field. (Seems that Wildscribe has already started to experiment with security on his network).
Given the pre-reqs, I'd also hope that the person has hands-on with some network equipment and common TCP/IP network utilities like ping (a year or two does not seem off-base, because in order to really understand much of the Security+ material, you need to have a solid handle on TCP/IP and the place of networks in business).
But I'm fairly sure it's not realistic to assume that everyone (or even most people) working in the area of computer security has knowledge of all domains, because Security+ is a very broad exam. I routinely see network auditors disclaim detailed knowledge of cryptography, and cryptographers say they've never looked at what security issues there might be in DNS servers. I've been in the security space for more than 15 years, and folks, I still had to do research on some domains before I sat the exam -- an exam targeted to someone with less than 3 years experience -- because I specialize in certain areas, and not in others.
Kasor seems to raise the point of, "Don't study until after you have more working knowledge." I think that's true for the very-detailed CISSP or the hands-on-oriented GIAC cert. I don't think it's true for Security+, as long as you DO have experience in networking and the willingness to gain some experience in security on your own computer. Security+ is not positioned as a cert for those who've been in the industry many years -- that's the more advanced CISSP, which requires its candidates to demonstrate 3 years' experience in the field. "Just download some code off the net and play with it until you learn?" Many people won't do that without being introduced to the concepts first -- it's a different learning style.
Again here we're facing the "chicken and egg" situation. Does experience come before the certification study, or after it? I think the answer depends on the situation each person is in. I don't think either answer is right in all cases.
--
* Helen * | |
|
| I may be off in the relevancy of these links related specific to the security+ exam but they are pretty neat for all security focus IT folks as they are entertaining read and places to explore.
http://online.securityfocus.com/library
lots of neat articles to read, follow the menu to the right to explore specific topic
for example, while browsing around I came across this
http://www.trustmatta.com/services/courses.htm
pretty neat intro articles to the bottom that may be good for this exam.
also try nsa.gov
http://www.nsa.gov/snac/emailexec/guides/eec-1.pdf
pretty neat article to read for windows users. for example, for counter measure 5, it discuss hidden file extension,
http://www.nsa.gov/snac/support/download.htm
#7, 60 minutes network security guide among others is pretty neat read.
most of this articles are pretty short, 30 pages etc, perfect for those quick read through for entertainment so it doesn't feel like studying but you retain a lot of info. | |
| wildscribe 2002-10-24, 9:07 am |
| I want to thank everyone for their suggestions. It doesn't appear that we will have to wait long for study guides. I did a search of Security+ on Amazon and it revealed that 10 Security+ study guides are scheduled to be published in the next six months! This is amazing for a new cert. I don't think there are 10 study guides for Network+.
Among the Security+ guides set to hit the market are Mike Meyer's Security+ Passport, Microsoft's Security+ Study Kit, and AuthorHelen's Examwise for Security+ and InsideScoop for Security+. (Note to AuthorHelen: are you really releasing two Security+ books? and I also think it's great that you visit ExamNotes. I am shocked that more cert book authors don't stop by these forums. I think it's the best place to get an "in the trenches" feel for what is going on in the cert world.)
As for my plans to get Security+, I now plan to wait until November when the study guides come out and go from there. In the meantime, I hope to get my Linux+ and CCNA out of the way.
Best O'Luck to Everyone!
- Wild | |
| Luchnia 2002-10-24, 5:27 pm |
| That reads like a good plan, wildscribe 
I think I am gonna inch my way toward the Security+ after I knock out Linux+, unless I get side-tracked. It seems more and more are talking about hosing Microsoft and going to Linux.
I talked to an IS manager at a local hospital and they are planning to change all desktops to Linux and keeping MS on the servers. She told me she was tired of playing the MS money game every couple of years and added it was always tough not knowing what MS is going to do next.
I think it is good to get some security knowledge under the belt for the days ahead and it reads like Security+ is the starting point for this security journey. I hope it gives us an edge on the competition, too!
Peace | |
| AuthorHelen 2002-10-24, 6:15 pm |
| Wildscribe,
Yes, there are two books. Tcat and I didn't write two completely different books. One's a subset of the other -- it's a marketing thing that the publisher is doing. I think one, "Inside Scoop," is packaged with the TotalRecall test sim, and the other is not. I'm not sure if there are any other differences. Right now I'm in final edits, so I'm more focused on content accuracy than on what the publisher might do to it after I turn it over! (The problem with having detailed knowledge of a field is that you're worried about the technical accuracy of every short sentence used to summarize complex issues!)
In terms of authors, I wouldn't be so sure that I'm the only one here. I'm the only one announcing my identity and posting, but I'll bet others lurk and possibly post under pseudonyms.
I've co-authored other books, but this is the first one I've said much about on-line. Security has long been a particular interest and skill of mine (I was finding and reporting OS security vulnerabilities back in the 1980's), so I'm specifically interested in evangelizing the subject. Time is limited, and we all have to pick how we use the minutes in the day... I think computer security is important enough to spend some time helping others get into the field.
--
* Helen * | |
|
| quote:
Originally posted by Luchnia
I talked to an IS manager at a local hospital and they are planning to change all desktops to Linux and keeping MS on the servers. She told me she was tired of playing the MS money game every couple of years and added it was always tough not knowing what MS is going to do next.
wheeee! retraining end user on linux... I don't think MS has anything to worry about in the short term about linux taking the desktop market from them...
desktop os license is cheap, retraining and supporting users is not. but again, many healthcare use proprietary software exclusively so beign on linux instead of microsft may be transparent to its users in most regard. | |
| Luchnia 2002-10-24, 7:41 pm |
| wheeee! retraining end user on linux...
Mikop, that was much of what I asked the lady. I mentioned the cost of end user training on Linux being the key factor, and she mentioned the fact that the hospital used proprietary software, so end user training would not be a big deal.
Yeah, I agree, I don't think MS is too worried about Linux, in fact, if Bill gets bugged too much he will just buy the Linux world  and call in Winux.
I think I am gonna check with her again in spring and see if they have done anything further in the Linux area. I do think MS has to make some changes or there will be a few bucks going over the other side of the fence in the next few years.
Peace | |
| voltaire4u 2002-11-09, 8:00 am |
| Link to study guide site
Download the "whole book".
It's a 224 page pdf file. Good material. A few typos, but you can live with that. Just a lot of stuff you need to know. | |
| luisjo 2002-11-14, 12:45 am |
| to autorhelen, congrats, not every body writes a book, tell you i almost finish your preview of the book on securty+, its great very informative and above all very complete, congrats, | |
|
| quote:
Originally posted by wildscribe
I want to
...As for my plans to get Security+, I now plan to wait until November when the study guides come out and go from there. In the meantime, I hope to get my Linux+ and CCNA out of the way.
Best O'Luck to Everyone!
- Wild
I completely agree with you on your thoughts. Linux is becoming a force. At first I thought it would become broken due to fragmentation, ala UNIX in the '80's. Now it appears that the United Linux forum will consoldate differences, not companies. The challange will lie with 'wantabie's' that don't take the time to really study the O/S. 20 years ago (and up until 2000) I was a great MS cheerleader because MS ended the fragmentation issues.
Today, the number of folks who are *quietly* installing Linux servers is susprising. The future battle is the desktop. It appears to me the chicken/egg answer there is OpenOffice.org and the supporting packages http://ooextras.sourceforge.net/
At the risk of a long post, I would like to address the second question and confusion point of Helen's work with TotalRecallPress books.
Inside Scoop is less a book and more a system. While the book is both a prep for the test/reference book, it Also includes a very exaustive 'test sim' with many web links unique from the book. (As I am the course desinger, I can say the 'test sim' is really created to give a instructor at a collage enough material to keep a class busy for a year.) Discussions with the publisher (new news to you Helen) appear that Inside Scoop will include the brain-based learning subminial audio CD as well.
Exam Insight is the *exact* same written words as Inside Scoop, without the test sim, glossary, less Q&A, etc.
Exam Wise is a print version of the test sim.
In short, Inside Scoop (was designed) as 200-300 collage courseware, just not marketed there, while Exam Insight is a strip-down of the material to compete with the other publishers on the same topic. Exam Wise is a unique entry which is a printed test sim.
HTH
Tcat |
|
|
|
|