How hard is Security+?

Many jobs require Security+, and even if a job doesn’t require it, having Security+ can help you break into your first security job. So how hard is Security+?

Even if you don’t work in security, but work with security, say, as a system administrator, having Security+ is helpful, as it can help you understand why a security analyst is asking for something. When you understand motive, then the relationship can move from following orders to something more collaborative, which is always a good thing.

Fair game Security+ knowledge

how hard is Security+?
It takes more to secure a computer than just putting a lock and chain on it. Security+ tests your knowledge of fundamental computer security.

Security+ is a bit more hands-on and technical than higher-level certifications, which tend to spend a lot of time in policy. The core of Security+ is knowing common ports and protocols and which ones are secure, and common attacks and countermeasures.

Ports and protocols

So to pass Security+, you’ll need to know the difference between http and https, which one runs on port 443 and which one runs on port 80. It certainly wouldn’t hurt to know that the protocols used for HTTPS include SSL and TLS. I wouldn’t expect a question on when it’s still acceptable to use SSL, but I suppose it would be within the realm of possibility. There will be some questions involving the nuts and bolts inside SSL and TLS.


Encryption is a very important topic. Back when I took it, it barely touched on it, but that’s not true anymore. Unlike higher level certifications, Security+ doesn’t get into the math, but you’ll need to know the difference between symmetric and asymmetric encryption and recognize examples of each. You’ll need to know the difference between encryption and hashing, and when each is appropriate. If the output of SSL Labs looks like gobbledygook to you, you’ll understand most of it by the time you’re done studying for the test.

If you’re not familiar with SSL Labs, I don’t mind one bit if you visit the site, plug my URL into it, and study the results.

Attacks and countermeasures

You’ll also need to know common attacks and countermeasures, things like buffer overflows and denial of service attacks. It seemed like 1/3 of my test was identifying various denial of service attacks. A current test probably won’t spend as much time on denial of service anymore.

Types of malware

You’ll also need to be able to identify different types of malware: viruses, worms, Trojan horses, adware and spyware. If you’re able to identify these by characteristics, you should be OK. Know what type of malware jumps from computer to computer, and you’re probably OK. Having to be able to tell me the difference between a virus and a worm is probably a bit hard.

How hard is Security+?

Word came down pretty fast that I would have to get Security+ in order to keep my job back in 2008. I think I might have only had six weeks’ notice. So  I went to a bootcamp, took a study test per day for about a week, and was able to pass it. I was a seasoned systems administrator at that point, so the material wasn’t super difficult for me. I was familiar with all of the concepts. It would have been harder for me if I’d taken it straight out of college.

The day I took the test, I went into work, worked half the day, went and took the test in the early afternoon, passed, then went back to work for a couple more hours. The test didn’t rattle me. The tests in my classes I took my freshman year of college were harder, generally, than Security+. I can think of one class whose tests were easier, and, frankly, I have little respect for that particular class and professor.

If you don’t have a lot of field experience, don’t expect to be able to waltz in and just take the test. Get a book or two and study, take some practice tests, and maybe go to a bootcamp. If you treat it like you would treat the first few weeks of a college class, you’ll be fine.

What happened when I took a practice test just now

Just for giggles, I just took a sample Security+ test to see what would happen. I’ve had the certification for nine years, I have my CISSP, and I work for a security company. This is all stuff I knew once, but since I specialize in the narrow field of vulnerability management, it’s been a few years since I’ve had to think about some of this stuff. Taking the test cold, I scored an 82 percent. I wouldn’t chance taking the real thing until I could score 90.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this:
WordPress Appliance - Powered by TurnKey Linux