CompTIA Certifications for IT Professionals. Part 4 of 7. CompTIA Security+
Pashkov Kuzma - Lead InfoSec, EMC trainer @ training.muk.ua/courses/security
0. Information security as an activity
My first significant experience in the field of information security (hereinafter IS) was gained in the early 2000s in the information security tools development laboratory of one of the largest system integrators in the North-West. The laboratory provided the full cycle of creating automated systems in a secure configuration: starting with research and development, continuing with serial production of protection systems, and ending with the organization of their warranty service.
The created systems were intended for use both with commercial secrets and with state secrets, so they invariably passed certification tests for compliance with the required protection class/level. The professional staff of the laboratory included graduates of the best military universities of the country (the A.F. Mozhaisky Military Space Academy and the S.M. Budyonny Military Academy of Communications), such as Vladimir Zima and Viktor Sohen. At the same time, students in the "Information Protection" specialty, like me, were involved in the laboratory as commissioning engineers.
The systems were built on Hewlett-Packard equipment, Microsoft software, and Informzaschita information security tools. The customer imposed strict requirements on the qualifications of the Contractor's personnel, so the laboratory management allocated a budget for training and certification. However, while everything was obvious with the vendors' authorized courses and certifications (HP, Microsoft, Informzaschita), there was uncertainty about the minimum set of knowledge and skills in information security.
Applicants for an engineer's vacancy showed a widely varying level of training in information security, and management made a firm decision to use the vendor-independent CompTIA Security+ certification status as an entry requirement. The choice was obvious, as there were no national analogues of this certification, and the CompTIA A+, Network+ and Server+ statuses were already successfully used by other units of the integrator in recruiting and training personnel. So I began to prepare for my first certification in information security.
1. Acquaintance with certification
Information security lies at the intersection of a number of sciences, and because of the explosive growth of risks it is also a dynamically developing scientific discipline. That is why defining the minimum set of knowledge and skills in information security requires a systematic approach, with continuous analysis of the state of the information technology market and regular adjustment of this set.
For more than 13 years this task has been successfully handled by the largest operator of vendor-independent certifications, the Computing Technology Industry Association (CompTIA), under the supervision of the American National Standards Institute (ANSI) and in accordance with the ISO/IEC 17024 family of open standards for training and certification.
Over the years, the Security+ certification has redefined its set of knowledge and skills on the basics of information security 4 times. The first iteration was a computer-based test with the code SY0-101, which I passed as an aspiring design engineer at a Prometric testing center, paying $250 per attempt. In 2015, at the time of writing this article, the 4th version of the test, code SY0-401, is current; I passed it as well, this time out of professional interest as the instructor of my own training course for this certification.
The SY0-401 exam consists of 100 questions in English, lasts 90 minutes (plus 30 minutes for non-native speakers), and tests both theoretical knowledge and practical skills in 6 domains (topics):
1) network security
2) compliance and operational security
3) threats and vulnerabilities
4) application, data and host security
5) access control and identity management
6) cryptography
The extensive list of requirements for exam candidates can be summarized as follows:
- knowledge of the fundamental principles of developing and implementing a set of measures to manage IS risks;
- knowledge of reference information about established IS policies/standards/procedures, the specifics of the secure use of modern information technologies, vulnerabilities and a general understanding of the attacks associated with them;
- as well as practical skills in using publicly available information protection tools that implement discretionary (in Windows/Linux operating systems) and role-based (in business applications) access control models.
2. Methodology of preparation
For those who did not study my specialty and have no experience in information security but specialize in information technology, I strongly recommend obtaining, or at least preparing for (without taking the exams), the CompTIA A+, Network+ and Server+ certifications: they are listed among the entry requirements for Security+ candidates.
My university training in the Information Security specialty gave me an understanding of the fundamental principles of information security, and working in a team of design engineers serially building security systems allowed me to put this understanding into practice when solving applied problems. Therefore, I will try to describe the most obvious principles for each domain:
1) network security: the concept of the network perimeter and the implementation of control functions at its points; access control to the organization’s data transmission medium and data protection during transmission through communication channels;
2) compliance and operational security: laws and regulators as the main sources of requirements for a protection system; organizational and administrative documentation, design and operational documentation;
3) threats and vulnerabilities: sources of threats and their features; quantitative and qualitative risk assessment;
4) application, data and host security: options for decomposing an automated system and implementing control functions over the results;
5) access control and identity management: the essence of control; the lifecycle of access attributes and privilege management;
6) cryptography: the problems of using symmetric/asymmetric cryptography and the methods for solving them; public key infrastructure.
Video courses (computer-based training, CBT) may help reveal these principles to you; they can be found in search engines by the names of the leading producers, for example Pluralsight (formerly CBT Nuggets), together with the names of the certification statuses and exam codes. Bruce Schneier's "Applied Cryptography", "Security of Global Network Technologies" by Vladimir Zima, and the authorized Microsoft course 2821 "Designing, Deploying, and Managing a Public Key Infrastructure Based on Windows Technologies" (an updated version of which is still successfully taught in the leading training centers in Moscow and Kiev) helped me a lot.
While in 2003 I had no problems understanding and applying the principles, there was a clear gap in my reference knowledge about the features of various closed and open protection technologies. Even now, with more than 10 years of experience teaching various IT courses, technologies such as Kerberos, RADIUS/TACACS+, etc., the specific names of policies and standards, as well as the characteristics of American cryptographic algorithms, require, if not literal memorization, then at least concentration, re-reading the literature and refreshing one's memory before taking the exam.
Therefore, as is the established tradition, one has to engage in intensive self-study using the self-study guides from the leading world publishers of books on IT/IS topics: Wiley, Sybex, Syngress, Microsoft Press, etc.
Using the name of the certification status together with phrases like "study guide", for example "CompTIA Security+ exam study guide", in search engines and thematic forums such as www.certification.ru, you can easily find 2-3 books by different authors to familiarize yourself with different approaches to preparation. The textbooks are overwhelmingly in English, so be sure to brush up on your technical English.
Practical skills in using publicly available information protection tools are quite easy to obtain with a lab stand and a set of lab exercises matching the exam description. The stand can be assembled on low-cost equipment using free or trial hypervisors (Oracle VirtualBox, Microsoft Hyper-V, VMware ESXi, etc.) as a set of virtual machines with a variety of operating systems and business applications. For detailed instructions on building it, and for the lab workshop itself, see the self-study guides mentioned earlier.
Also, do not forget that each exam attempt is paid (now about $266), so you should "train" yourself in paid testing systems (Boson, TestOut, MeasureUp, etc.) with a pool of questions at a level corresponding to the exam, emulating what happens in the real exam. In search engines and thematic forums such as www.certcollection.org you can always find these testing systems by exam code.
Having achieved a consistently high percentage of correct answers (> 90%), you can hope to pass the exam on the first attempt in a real testing system: Virtual University Enterprise (www.vue.com) or Prometric (www.prometric.com).
The first time, I spent 2 months preparing in my free time (my university studies had not been cancelled); after 10 years of continuous work in my specialty, it took me 3 weeks. Draw your own conclusions.
In 2003, passing this exam granted lifetime Security+ status, but now it is granted for 3 years, and to renew it you must regularly confirm to CompTIA that you keep your qualifications up to date as part of the Continuing Education (CE) program.
Security+ is a convenient starting point in the career of an IS specialist and is credited both towards the engineering certifications in information protection tools of leading vendors (Microsoft, RSA, IBM, Cisco, etc.) and towards the expert vendor-independent certifications from ISACA, (ISC)2, EC-Council and others.
Also, for those who have not read the other articles in the "CompTIA Certifications" series, I remind you that many American universities credit CompTIA certifications in bachelor's/master's programs as well as within additional professional education, which saves time and money on training.
5. Continuation of the story
The subsequent move to a managerial position, attempts to manage a team of engineers, the need to justify costs, and personal responsibility for the actions of subordinates and for deadlines forced me to quickly master project management methodology. But that is the story for the next article, whose topic is the CompTIA Project+ certification.
I look forward to questions on CompTIA training and certification at PashkovK@muk.com.ua