Author Topic: CompTIA Security +?  (Read 1939 times)

Ben

  • Administrator
  • Senior Member
  • *****
  • Posts: 46,376
  • I'm an Extremist!
CompTIA Security +?
« on: July 05, 2010, 11:24:14 AM »
I once again have to do my annual .gov required IT security training and this year they've chosen CompTIA Security+.

Have any of you done this course? If so, do you have any study recommendations or test taking hints? So far I've purchased "Security+ Get Certified Get Ahead" by Gibson, based on its reviews on Amazon. It seems to be a clear and easy to use study guide, given that it will cover all the questions I might run into on the exam. I've also begun taking practice exams that I've found via Google.

Any other hints or tips?
« Last Edit: July 06, 2010, 08:29:59 PM by Ben »
"I'm a foolish old man that has been drawn into a wild goose chase by a harpy in trousers and a nincompoop."

sanglant

  • friend
  • Senior Member
  • ***
  • Posts: 3,475
Re: CompTIA Security +?
« Reply #1 on: July 05, 2010, 12:09:02 PM »
If it's multiple choice, I have a really neat trick that makes any test a simple English test. :angel:

AJ Dual

  • friends
  • Senior Member
  • ***
  • Posts: 16,162
  • Shoe Ballistics Inc.
Re: CompTIA Security +?
« Reply #2 on: July 05, 2010, 07:56:42 PM »
Ah ha...

It should really be called "Why your employer isn't really interested in security, just the appearance thereof... plus."  :lol:
I promise not to duck.

Firethorn

  • friend
  • Senior Member
  • ***
  • Posts: 5,789
  • Where'd my explosive space modulator go?
Re: CompTIA Security +?
« Reply #3 on: July 06, 2010, 12:12:46 PM »
Ben, do you work in an IT position?  I work IA.

AJ - I wouldn't call it useless.  It's not complete, it covered the basics pretty well when I took it.

Personally, I took a bunch of online CBTs and passed.  We were provided a book, but in my estimation the book was useless.  Too bad I don't have the title handy, or I'd be able to tell you what to avoid.

AJ Dual

Re: CompTIA Security +?
« Reply #4 on: July 06, 2010, 01:12:34 PM »
Quote
Ben, do you work in an IT position?  I work IA.

AJ - I wouldn't call it useless.  It's not complete, it covered the basics pretty well when I took it.

Personally, I took a bunch of online CBTs and passed.  We were provided a book, but in my estimation the book was useless.  Too bad I don't have the title handy, or I'd be able to tell you what to avoid.

I didn't say CompTIA was useless. It's just an eye-opener in terms of what you see when you get "Security best practices" laid out for you in a clear concise way, and you compare that to what your employer does in the real world.  :laugh:

It's very good for interviews, hiring, resume etc. and what at least to TRY to do, until management inevitably pushes back.

I've worked many different places, ones that have pretty serious security concerns, at least in regards to HIPAA and Sarbanes-Oxley compliance/liability issues. And it was always the same. Talk a good game about security, document it for review/audit, but in actual practice, security is Swiss Cheese with constant "Exceptions Proving The Rule". "He's a really important manager, VP, Consultant etc... just do it.." "The application team will miss their deadline if you don't just set the groups THIS way (or open the app up to DOMAIN USERS/EVERYONE etc.) because they didn't write it correctly."

The ONLY places I've seen that are SERIOUS about IT security are banks/financial institutions, and (certain segments) of the fed.gov.


Ben

Re: CompTIA Security +?
« Reply #5 on: July 06, 2010, 01:59:53 PM »
Quote
Ben, do you work in an IT position?  I work IA.

AJ - I wouldn't call it useless.  It's not complete, it covered the basics pretty well when I took it.

Personally, I took a bunch of online CBTs and passed.  We were provided a book, but in my estimation the book was useless.  Too bad I don't have the title handy, or I'd be able to tell you what to avoid.

Collateral duty IT -- I told the boss to turn his computer off and back on again to fix something once in 1997 and then got hooked into it.  :mad: :laugh:

Because I have other security related duties for my office, I'm part of a group that has to comply with what I believe is a DoD initiative regarding annual IT security training that started a couple of years ago. First class was SANS 401 (which was actually fun as it was in-person in Albuquerque and I learned a lot). Last year was virtual classroom ITIL (meh), and this year is the "home study" CompTIA.

Because most of my IT knowledge comes from fixing hardware and network stuff because it's broken and there's nobody else to do it, some of these trainings are frustrating to me. There's certain complex stuff that I'm a whiz at because it was a problem I had to figure out on my own, but then a bunch of the stuff that's considered beginner material (like knowing all my ports) I suck at because I never had any formal training.

Firethorn

Re: CompTIA Security +?
« Reply #6 on: July 06, 2010, 02:10:53 PM »
Quote
Collateral duty IT -- I told the boss to turn his computer off and back on again to fix something once in 1997 and then got hooked into it.  :mad: :laugh:

Oh fun. 

DoD personnel who get network access are supposed to have annual IA Awareness training in the form of a CBT that takes the average person under an hour, and me about 10 minutes while working on something else.

Quote
Because I have other security related duties for my office, I'm part of a group that has to comply with what I believe is a DoD initiative regarding annual IT security training that started a couple of years ago. First class was SANS 401 (which was actually fun as it was in-person in Albuquerque and I learned a lot). Last year was virtual classroom ITIL (meh), and this year is the "home study" CompTIA.

AF take on this is that people with admin rights need to be 'certified'.  This takes the form of A+, Net+, Sec+, and CISSP.

Quote
Because most of my IT knowledge comes from fixing hardware and network stuff because it's broken and there's nobody else to do it, some of these trainings are frustrating to me. There's certain complex stuff that I'm a whiz at because it was a problem I had to figure out on my own, but then a bunch of the stuff that's considered beginner material (like knowing all my ports) I suck at because I never had any formal training.

'Knowing your ports'?  That comes from experience, in my case.  I've never studied the chart.  There's a great big huge list, but there's like a dozen you should remember.

Sounds like A+/Net+ would be better fits.

Ben

Re: CompTIA Security +?
« Reply #7 on: July 06, 2010, 02:21:58 PM »
Yeah, we do the annual online awareness training via DOC for all personnel. Once people learn they can hit the "back" button to change their answer, they all get it done in about ten minutes (though I guess they don't learn much).

Sounds similar to us on the admin account training. I have an OU account so have to do it, though someone who may have a local admin waiver to their laptop (e.g., because they're in the field all the time) only has to do the Awareness Training.

The ports were just kind of an example. I know the ones I work with all the time, but things like the "top twenty ports" or whatever seem to be examples of basic concepts most of these courses seem to imply I should already know. They apparently have no idea just how dumb I am. :)

Firethorn

Re: CompTIA Security +?
« Reply #8 on: July 06, 2010, 03:54:30 PM »
It's less 'top 20 ports' than basic knowledge about a number of common services, including the port number they happen to use.  TCP or UDP is also good.

HTTP(80), HTTPS(443, 8080), SNMP(161), FTP(20&21), DNS(53), POP3(11), SMTP(25), Telnet(23),  SSH(22), IMAP(143)

IMAP isn't that common, but you can substitute DHCP(68), IRC(194), etc...

RevDisk

  • friend
  • Senior Member
  • ***
  • Posts: 12,633
    • RevDisk.net
Re: CompTIA Security +?
« Reply #9 on: July 06, 2010, 03:55:13 PM »

I'm "studying" for Security+ and Network+ to pad the resume.  It's about unlearning reality and learning the proper buzzwords.  Some basic concepts are good, though. 

Network+ is at least providing interesting information on antique networks like token ring.  All I previously knew was "Token ring is possibly contagious.  Kill it with fire.  Then nuke it."   Now I'm learning in great detail the background information of the importance of using magnesium enriched napalm prior to a minimum of 15 kt cobalt-60 tamped fission weapon.
"Rev, your picture is in my King James Bible, where Paul talks about "inventors of evil."  Yes, I know you'll take that as a compliment."  - Fistful, possibly highest compliment I've ever received.

AJ Dual

Re: CompTIA Security +?
« Reply #10 on: July 06, 2010, 04:33:59 PM »
Much/Most of Miller Brewing in Milwaukee was Token Ring when I worked there. And later it was Ethernet over the old Token Ring with Balun converters.  :laugh:

They were STILL converting to pure Cat 5/5e runs when I left there in 2007.

41magsnub

  • friend
  • Senior Member
  • ***
  • Posts: 7,579
  • Don't make me assume my ultimate form!
Re: CompTIA Security +?
« Reply #11 on: July 06, 2010, 04:37:07 PM »
Heh...  when I took a class for network+ in school we demo'd ARCNet over barbed wire.  It worked fine.  Only time I ever saw ARCnet.

I have had to work on 10base2 before but only to reorganize keeping the loop intact as I replaced it with 10baseT.

AJ Dual

Re: CompTIA Security +?
« Reply #12 on: July 06, 2010, 05:38:56 PM »
On my very first IT job back in '92, pulling a T-connector or terminator off of the 10base2 network was a great way to get management off your back for a few minutes to an hour if you needed some space as they went off and checked all the segments. 

Of course you'd just plug it back in before they got to you at random times so no one knew you were the culprit.

:angel:

tyme

  • expat
  • friend
  • Senior Member
  • ***
  • Posts: 1,056
  • Did you know that dolphins are just gay sharks?
    • TFL Library
Re: CompTIA Security +?
« Reply #13 on: July 06, 2010, 08:20:34 PM »
There are a zillion + 1 study guides for all certification exams.  Check out the table of contents of a book like this security+ study guide, and if you are familiar enough with the contents that you don't think you need such a study guide, use the table of contents as a study outline and google any concepts you're not clear on.

To really learn something, I'd suggest a book that's heavy on theory, like Computer Security.

« Last Edit: July 06, 2010, 08:30:17 PM by tyme »
Support Range Voting.
End Software Patents

"Four people are dead.  There isn't time to talk to the police."  --Sherlock (BBC)