Passed The CompTIA Sec+ Exam, Now To Complain About It...

Studying For The Exam

The CompTIA Security+ exam is almost entirely a test of how much bullshit corporate-speak you can memorize at once. There is almost no technical skills required by the exam or acquired through studying for it. More technical experience is gained from needing to install and troubleshoot both their garbage testing software and Windows as a Linux user.

I'm convinced that someone with an exceptional memory could take pre-made notes like the ones Professor Messer sell (that I did not buy and am therefore not personally vouching for) and study them and/or turn them into flashcards and use a spaced repetition platform and be ready to take the exam in 2-3 weeks without any more effort than that.

I spent just over a month of weekdays studying before taking the exam. I think the best thing anyone can do for themselves while self-studying is determining the study method that suites them the most. Personally, I like grindy textbooks so I primarily used Mike Chapple's SY0-601 Study Guide which was good enough for me. The book and listing purport to come with an online learning environment and flashcards among other things, but it didn't come with a code nor did I get an email for anything like that. But I guess even if I did I very likely wouldn't have used them anyway. Each chapter ends with a set of relevant review questions that I would say represent the exam pretty well.

I took over 80 pages of physical (actually digital + drawing tablet) notes in the style of headers, sub-headers, and bullet points. The scenario questions of the exam usually have a single word or phrase that indicate which answer is the "most correct", so after doing practice tests or additional studying I underlined those key phrases and wrote a short sub-note written above them in a different color to help associate them to the topic.

On the note of practice exams, I purchased access to the 6 offered by diontraining. I passed 5/6 of them with a score of over 80%, and got 75% on the last one on my first attempts. I took half of those again and got >90% on my second way through. The questions frequently prompted a feeling of "are you fucking kidding me???", especially when it seems to conflict with other resources. Here's an example:

> Dion Training is currently undergoing an audit of its information systems. The auditor wants to understand how the PII data from a particular database is used within business operations. Which of the following employees should the auditor interview?
> A. Data owner
> B. Data steward
> C. Data controller
> D. Data privacy officer

The collect answer is... D? But wait, what?

> Explanation: The primary role of the data protection officer (DPO) is to ensure that her organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. They must understand how any privacy information is used within business operations. Therefore, they are the best person for the auditor to interview to get a complete picture of the data usage.

"Data privacy officer" seems to be referring to a Chief Privacy Officer, but the explanation then calls them the "Data protection officer", which to quote Wikipedia, "the role of CPO differs significantly from another similarly-titled role, the Data Protection Officer (DPO), a role mandated for some organizations under the GDPR, and the two roles should not be confused or conflated." Regardless of any potential typos, the book I went through states the following about data controllers, not DPOs:

> Data controllers are the entities who determine the reasons for processing personal information and direct the methods of processing that data.

Which mirrors what the European Commission says on their own website:

> The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organisation decides 'why' and 'how' the personal data should be processed it is the data controller.

Sounds to me like if the "auditor wants to understand how the PII data from a particular database is used within business operations." they should probably speak to the employee who "determines the purposes for which and the means by which personal data is processed."

I also found those tests to be a little bit more difficult, or at least have longer and more frequent scenarios than the real one. They also cover topics that are not directly listed in the exam objectives. An example of something I came across multiple times but never saw detailed in my book or the real test are log snippets that you have to correlate to network access control list rules. The syntax for these is (DENY|ALLOW) (TCP|UDP|IP) (source_addr) (dest_addr) (protocol). Where ANY in place of an address is equivalent to and HOST in front of a host address is equivalent to host_addr/ Cisco has a couple pages I found useful for this here and here.

With frustrating questions and questionable difficulty aside, I still found doing these practice exams to be valuable and a decent measure of how ready for the exam I was. I don't have a specific reason as to why I chose Dion's, and think you could use any as long as you can verify the questions are similar to the real thing.

On the day of my exam I spent an hour or two before my check-in time doing some last minute reviews of my notes, and more importantly of the exam objectives to quickly refresh on anything I felt I wouldn't know how to answer a question about or how differentiate from other similar topics. For example, make sure you can state the differences and specific use cases of RADIUS, TACACS+, Kerberos, etc. and specify by name the key technologies they use.

Preparation For The Exam

CompTIA uses Pearson Vue and their OnVUE software for hosting and monitoring the online tests. This was easily the most stressful part of the entire process and I recommend doing it in person instead if you have the opportunity to.

The website is a terrible maze and it would be worthwhile to take a moment to get familiar with navigating it to the extent you need to before it matters (check-in time). One misdirection and you may find yourself in a login redirect loop or something similar.

The OnVUE program itself is where things get really uncomfortable. There is absolutely no Linux support, but even after I installed my "choice" non-free operating system on a spare desktop I still could not get the program's "system test" to succeed. It kept failing to use more than even half a megabit per second despite my speed test being some hundreds of times faster than that. I tried various combinations of wired and wireless, redownloading the program, restarting, adding explicit firewall rules, etc. You know you're in for some glowie shit when the solution to your troubleshooting ends up being disabling all firewalls and anti-virus, and running the program as Administrator. I don't know if there would have been a better solution with more time but I couldn't find any online quickly. I imagine the implications for anyone running this program at their corporate workplace are pretty severe if this is the only way to get it working.

I'd recommend doing the system test again before your check-in time. It'll be tested again during the check-in process too, but it's better to be safe so you aren't one of the unlucky ones who miss their appointments because of technical issues. The check-in button unlocked on the minute of my appointment, and it did end up taking the full 30 minutes or so. Definitely don't be late because there isn't that much time to spare. You'll be prompted to take a photo of yourself, four photos of your testing environment in every direction, and a photo of your government issued photo ID. After this you may or may not be asked to repeat any of these steps or do additional steps such as using your webcam to show them anything they are suspicious of like ensuring that any additional screens are unplugged. Take this into consideration if you are using a webcam that is built into your system. Since I don't even own speakers or a webcam I had to purchase each for taking the test. They've already been returned, of course.

The testing policies include: screen recording, full system access to the "greeter" watching you, system process monitoring, webcam and microphone on at all times, area must be cleared of everything around you including things that would only be useful in the most nonsensically complex cheating scandles imaginable, no background sounds, no covering your face, no reading the questions aloud, no touching your phone, to never leave your chair or stand up, to change something within your environment if prompted, and so on.

> You understand, acknowledge and agree that you will be monitored at your location through audio, technology and video means so all activity at your location will be detectable by test proctors. By accessing this website and ticking this box you signify your acknowledgement and agreement that any inappropriate or wrongful conduct, as determined in Pearson VUE's or the test proctor's sole discretion, witnessed while monitoring your testing session will be reported by Pearson VUE to the testing program sponsor and may also be reported to the appropriate governmental authorities, including, but not limited to, any law enforcement officials.

> Pearson VUE may use facial comparison technology for the purpose of verifying your identity during the testing process. It will compare your facial image to the one on your identification and to facial images captured during the testing process and help us further develop, upgrade, and improve this application.

It's no wonder the exam itself states that "spyware" is only considered to be "potentially unwanted programs" 。゚(゚^∀^゚)゚。

You can do your own searching in communities that congregate around obtaining certifications or on review sites for horror stories about Pearson Vue and their OnVUE program.

Taking The Exam

I did pass, but not by a ton. My score was >780 with <750 being a fail and 900 being a perfect score.

The surveillance previously mentioned was uncomfortable, but I stopped thinking about it as much once I got somewhat into a groove. Occasionally I'd be distracted or self conscious that I was breaking some rule, like worrying about being yelled at or revoked for scratching an itch or something. If you are asked to change anything about your setup (like adjusting your camera) a chat window will pop up that blocks your questions without stopping the time. All time spent on these formalities is wasted. You can drag it out of the way and keep reading while you wait for them to respond again. It'll automatically close once you've obliged them.

There were fewer scenario questions than you generally see on practice tests but still a lot. Often you'll read the question, notice that multiple answers were all correct, and have to re-read the question looking for a key word that indicates which one is the most specifically applicable.

I would avoid overthinking the answers too much. If you're using nuanced situational logic to pick your answer then you're probably wrong. Decipher what the question is actually asking you. Given a scenario such as this one from a practice test: a software development team at BigBro Mega Corp is creating a bulk file upload utility and it's been decided in a requirements planning meeting that 64-bits of data will be encrypted at a time before being transmitted from the developer's workstations to the webserver, etc., etc., you have to reword it to something like "what kind of cipher might work on a fixed-length of bits at a time?" and try to determine what else from the question you can ignore as quickly as possible. (Side note but that's a question I got wrong because the question was for 8-bits, not 64-bits, and I thought stream ciphers are sometimes used to encrypt one character, or byte, at a time but the answer was block cipher. Maybe I am wrong and stream ciphers really do only work on one bit at a time. I don't know for sure because web search results for this are inconsistent.)

In the same sense, pay attention to the phrasing of the question being asked at the end of the scenario. "Which of the following will provide [the subject] the STRONGEST security?", or "What [can the subject use] to MOST EFFECTIVELY [accomplish something specific from the scenario].", or "Provides the GREATEST PROTECTION", etc. These should be taken very literally without any additional consideration to the scenario that isn't already written. In a real workplace you'd be weighing every action with a variety of other factors including the time, cost, or complexity required to maintain security controls or workplace infrastructure, but you should instead read these questions from the perspective of some techbro CEO's wet dream where employees and their job duties are fully monitored and controlled without nuance.

I don't recall many of the ordered procedures that came up constantly while studying showing up on my exam. This includes things such as performing risk assessments, remembering specific details about standards/specifications like the AICPA's categories of SOC assessments and reports, the NIST CSF and RMF, Visa's What To Do If Compromised, the EDRM, the cyber kill chain steps, the Diamond Model of Intrusion Analysis features, the COOP phases, the exact order of the IR phases listed in the objectives, contents of X.509 certificates, the DH algorithm steps, DES modes of operation, details of various software development models, calculating CVSS or even its metrics, ThreatConnect confidence levels, EUROPOL's IOCTA, and so on. That's not to say you shouldn't study these or my exact test represents anyone else's, but it does feel like some of my time studying was misplaced.

It is true however that almost every answer when possible is given to you an as acronym. There are way more acronyms listed in the objectives than you'll see on your test, but since you don't know which questions you'll get definitely memorize as many as you can.

There was less of a focus on ports than I expected, but they were still important to know. I recommend learning the ports associated with these protocols, including any that were used historically: SMTP, SMTPS, IMAP, IMAPS, POP3, POP3S, RTP, RADIUS, Diameter, TACACS+, Kerberos, LDAP, LDAPS, DHCP, DNS, L2TP, PPTP, HTTP, HTTPS, SNMP, SSH/SFTP/SCP, FTP, FTPS, TFTP, SMB, NetBIOS, RDP, Telnet. It's true some of these aren't listed on the objectives, but I still got a question about one that wasn't. They're also on practice exams if you do any of those. I recommend using Anki and creating a custom deck with these protocols including as-question and as-answer cards. I also included a description of the protocol on the answer side as well for drilling them in. There are preexisting Anki decks, but I found that those include way too many ports that aren't relevant so I'd just make your own.

As you're doing the exam, there is a bar at the top of the screen that, while doesn't block any part of the question, is very close to doing so to the point of being somewhat distracting. This bar includes a chat window popup prompt, a video feed of yourself (you never see your exam "greeter"), the remaining time, the question you're on, a button for flagging questions for later review if you have time, and a button for opening the "whiteboard" that you can use to write notes with your mouse or by typing. I didn't end up using the whiteboard but it could be useful if you get questions for things such as calculating annualized loss expectancy. Apparently they offer a simulation of the whiteboard so you can see how it works before needing to use it. If you were doing your test in person you'd be given a sheet of paper and a pencil.

I got 4 performance-based questions (PBQs) which to quote CompTIA, "test a candidate's ability to solve problems in a simulated environment". You can see exactly what a PBQ looks like using the simulation they provide on their website. This is accurate to the point where even the UI and pop-up window that blocks part of the simulation are exactly the same as what appeared on the exam. To echo the common advice: definitely skip the PBQs until after you've completed the multiple-choice questions. 90 minutes to do ~80 wordy scenario questions and ~4 PBQs is not a lot of time, but I've heard of people skipping the PBQs all together and still passing. You really don't want to feel like you're running out of time while doing the multiple-choice questions. I had just under 5 minutes left after finishing the questions to come back and do the PBQs. They take time, but weren't very difficult at all. In fact, most of them contained the solutions within the simulation somewhere. I'm pretty sure you can score decently on them just by changing some of the default inputs even if they're incorrect. When you click next on the final question you're taken to a review screen that lets you see what questions you've flagged or haven't provided an answer to. If you run out of time a window will pop up saying you have and once you accept it the exam is over.

It's also true that you feel like you're doing much worse than you actually are. I was genuinely shocked that I had passed and was dreading seeing the results. After you complete the exam you're taken to a survey of over a dozen personal and employment questions. Fortunately, most of these have "No response" as an option so you can avoid feeding their exploitive system more than you already have. After clicking through that, you're taken to a page with a CompTIA logo and small text that says something to the effect of "Congratulations you've passed your exam with a score of XXX". There are no big green checkmarks or anything else that immediately indicates whether or not you've passed. After accepting, the OnVUE program just automatically closes and you don't hear anything else for another day or two when they send you an email or four. The Pearson Vue website does have a "Score report" that you can use to verify the result, but it otherwise contains very little information. You'll never be able to see what you answered incorrectly besides what objectives they fell under. The email you get prompts you to create an account for yet another corpo site that you use to "claim" your certification and that employers can use to verify that you have it.

As of now, I don't plan on doing any other CompTIA certifications because I don't see the value in them in my life at the moment. If I become desperate for entry-level work maybe I'd consider it, but otherwise I don't see the point. In truth, I don't really know why I did this one except maybe resume padding in the future. I'd say it could be an ego thing, but I've come out of this feeling pretty dumb for having spent the time and money on it so I don't think that's it.

I feel relieved that it's over, and I'm now going to go back to focusing on studying what's more interesting to me for a while.

<soapbox>In my opinion, shame on any company that puts value into career gates such as these broad, memorization-based, non-technical certifications. Any industry that has as universally miserable entry-level workers as the IT industry does indicates that something big ought to be done to improve both the introduction and progression of a one's career. Obviously, I'm not holding my breath for this to ever happen.</soapbox>