Last Updated on November 20, 2016 by Dave Farquhar
One of my coworkers is being required to get a Security+ certification, and asked me for advice. She’s gone to class, read some books, and she’s going to another class on TCP/IP, but she’s just not comfortable yet. I gave her some Security+ test taking tips.
Since other people might be in her situation, I figure it’s worth writing about.
To me, going to class and reading books is just half the equation. There are two pieces missing. One piece is the hands-on. For me, the hands-on stuff was automatic, and I didn’t have to do a lot of it. I’ve been hardening systems to government standards since late 2005 and I’ve been building servers and networks even longer than that. But when I found a lab activity in a book, I’d jump on a system (typically an older system that I don’t use for anything but tinkering) and walk through whatever activity they talked about.
So if you don’t have one already, a beater computer running at least Windows XP is a good investment. Ask around first, to see if anyone has an unused Pentium 4 in a closet or basement they can loan you, but if not, it’s usually possible to score something off Craigslist for less than $100. Set it up and go through the labs. You’ll retain more that way than you would just looking at screenshots. And when things don’t work quite the way they’re supposed to–and they don’t, that’s just the way things happen in the real world–figuring out what happened and reacting to it is valuable experience.
That experience is the difference between what one of my former bosses calls a “paper certification” and someone he’ll actually hire. A good interviewer knows how to ask questions to see the difference.
The second thing to do is find some test questions and actually take some tests. All of the books will have questions in them, and that’s a start. Digging up questions online also helps.
Frequently I hear people object and say the only questions they can find are from 2008. There’s nothing wrong with that. In some respects, yes, 2008 is a long time ago, but only in some respects. That’s ancient history when it comes to wireless networking and smartphones, but the rest of the stuff hasn’t changed. For 90% of the test, what you do is the very same thing today as it was a decade ago–we just have better tools now, in some cases–and why you do it hasn’t changed either.
If you want to actually know this stuff, as opposed to having a paper certification, you should be able to answer questions from 2008 or even earlier and get a decent score.
Build up a generous bank of study questions and go through about 100 questions per day. Don’t memorize the answer–know why that’s the answer. Once you’re at the point where you can consistently score over 90% and you know why the answer is what the book or flashcard says it is, you’re about ready for the test.
You can go to Quizlet.com and download flash cards of security-related terms and common ports. That wouldn’t be a bad idea. You will have questions about specific ports on the test, and that portion of the test is pure memorization. And knowing the definition of a switch and the definition of a router will prepare you for a litany of questions, up to and including a question asking what the difference is between a router and a switch.
And the rest of it comes down to test-taking skills. Schedule the test during your best part of the day, whenever that happens to be. (Unlike high school or college, you can actually control this part.) Get a good night’s sleep the night before, eat well that day, then go in and take the test. Keep in mind they’ll give you a sheet of paper and a pencil at the beginning of the test. Take advantage of that. Spend an hour or so beforehand going over the common TCP/IP ports, the private network ranges, and anything else you feel weak on, so that you can remember it long enough to jot that stuff down. I did that, and that probably allowed me to answer 10 more questions correctly than I otherwise would have. Ten questions can easily be enough to make the difference between passing and not passing.
Regarding the actual test-taking process, there are several things to keep in mind. Don’t let any single question or series of questions make you panic. If you don’t know the answer, mark the question and come back to it at the end. Keep in mind that 10 of the questions aren’t graded, and some of those ungraded questions don’t have a right answer. I had one question on my test that was about where Linux stores a particular configuration file, and all of the choices were Windows file locations. The question looked something like this. (Keep in mind I took the test almost five years ago, but the tactic hasn’t changed).
Where does Linux store its user passwords?
A. c:\windows\system32\drivers\etc
B. c:\documents and settings\all users\desktop
C. c:\autoexec.bat
D. c:\windows\system32\config\system.dat
It’s a multiple-choice test, so take advantage of it. At least one of the answers is ridiculous, and frequently two of them will be. Use the process of elimination to narrow the answer down as far as you can, then re-read the question. Frequently there will be clues in the question, if not the answer itself. If you still can’t figure it out, jot down a note on your paper on the question and the possible answers, then move on. Sometimes another question on the test will help you answer the question, either by jarring your memory, or giving the answer.
Here’s another example question that actually does have a correct answer, so we’ll use the process of elimination to answer it.
Which of the following functions is MOST likely performed by a web security gateway?
A. Flood Guard
B. Protocol analysis
C. Spam filtering
D. Content filtering
Answer A is a distractor–in 17 years, I’ve never seen a Flood Guard. Answer B, protocol analysis, is something you do with a sniffer or protocol analyzer, not with a gateway. That leaves two similar-looking answers. But spam is more closely associated with e-mail than with web content, so it’s probably not the best answer. Answer D, content filtering, makes a a lot more sense in the context of web security.
The most important thing to remember is that it’s a 100-question test, and a passing score is 750 out of 900. Potentially you can get as few as 75 of the questions right and pass. Get more than 83 of them right, and you’ll almost assuredly pass. Ten of the questions aren’t graded and the graded questions aren’t necessarily all weighted the same.
And when all else fails, the correct answer is more likely to be B or C than A or D, so if you just can’t decide between two answers, favor a B or C answer over an A or D answer.
Whether you should favor B or C when you can’t decide between those two is a matter I’ve heard students–including honors students–debate stridently, but I don’t think there’s a clear answer there. If I really can’t choose between B or C, rather than pick my favorite, I’m more inclined to tally up how many Bs and how many Cs I’ve chosen, and then make a decision. If B and C are close to equal, I’d probably choose the one with the lower tally. If there’s a big disparity between B and C, I’d probably choose the one with the higher tally.
But regarding this last tactic, I would hope you only resorted to it for five questions or fewer.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.