Take-Home Certification Exams: Adventures in Online Proctoring

February 18, 2016 at 4:35 pm | Posted in Proctors, Study hints, Technical Tips | Leave a comment

So, you’ve spent months studying for the latest certification. You’re ready to schedule the exam and proudly showcase your new knowledge and skills. Until recently, your only option was to take the exam at an approved testing center. [Editor’s note: the following opinion does not represent the corporate viewpoint of Kaplan, Transcender, Graham Holdings, or any sane person, Josh. ~A.L.] Most test centers are a cross between a corporate cubicle farm and prison camp. Sure, there are people there, but people in their worst possible moments: bleary-eyed, nerve-wracked, and way too over-caffeinated. [Editor’s note: This would explain those horrible ID photos on my score reports. ~A.L.]

If you don’t live near a corporate testing hub, you might dread the half-day of commuting time, lost productivity, or even the need for an overnight hotel stay. (In a major hub like Atlanta, there are testing centers galore, but we have to fight bumper-to-bumper traffic to get there.) You may be too busy with your day job to get the time off, or you might want enough time to fit in a last-minute cram session. You may experience test anxiety that negatively affects your performance, especially when testing in an impersonal, sterile environment.

Enter online proctoring.

Message not recommended. Online proctors might not appreciate the humor.

The glorious promise of an online proctored exam is the ability to take a certification exam wherever you are at the time of your choice, without travel or stressful interactions. And except for a few caveats, the dream is reality. But you need to really consider those caveats. The whirlwind home-alone experience isn’t for everyone!

Josh’s Excellent Proctored-Exam-At-Home Adventure

First: equipment. You need a decent PC with a camera and microphone and high-speed Internet bandwidth. Every online proctor will have a pre-flight checklist that will verify your hardware is up to snuff. Don’t wait until minutes before taking the exam to ensure your equipment will pass. Run the check as soon as possible, and leave yourself time to borrow, purchase, or overnight yourself any missing components.

Next: scheduling. You read that right – even though you have more flexibility than a testing center’s hours, including the ability to take your exam late at night or very early in the morning, a live proctor still has to be present on the other end of the connection to observe you take the exam. For this reason, some time slots may be unavailable – the proctor might already have too many test takers to keep track of. (Or maybe they actually sleep.)

Finally: location. From my personal experience, you need to find a room or an enclosed space in a room that will be quiet and isolated (where no one can hear you scream). This is actually required to prevent accusations of cheating, so close all of your windows and make sure no one is in the same room with you. If you don’t have access to a private room in your home, check your local public library – most have study rooms that can be reserved for periods of up to two hours. Other options would be a hotel conference room or an unused cubicle or office in your workplace.

If you’re testing in your own home, secure any pets away from the exam area and make sure that children won’t enter the area. I chose my dining room (finally getting some use out of it!), because I would have at least three walls around me. I locked up my cats for the duration, especially after my first unsuccessful attempt when my cat Norio attempted to lie across my hands during the exam (the proctor had to pick himself off the floor laughing, but was gracious enough to allow me to continue). I also silenced my cellphone and let everyone, especially my wife, know that I would be completely unavailable and unresponsive for the duration.

No pet time for you – I have a test to take!

Additional considerations for at-home online examinations

Here are a few other tips I’ve learned from online proctored experiences:

  • Do not install any updates or new software on the same day as your exam appointment. Murphy’s law in action here. I’ve had to cancel at least one exam after installing an update to Visual Studio on the machine I was using for the exam. It took over an hour, and finished installing just in time for the proctor to tell me that my test time was up.
  • If you’re using a laptop, make sure you’re plugged into a power source. Especially if you have some ridiculous 42-inch super AMOLED screens which will run dry after 5 minutes of operation.

This thing is for an online test, not a gaming rig!

  • Empty your pockets of everything (and make sure you wear pants, too). Some test centers require this and will make you display your empty pockets to the camera. And you’ll have to spin around (so you may want to hold off on the antihistamines for a bit).
  • Clean up the table or desk where you are testing. You can’t have any loose papers or computer equipment lying around. You’ll have to pick up your laptop (or attached camera) and rotate it around the work space to demonstrate that no cheating materials are nearby, so make sure there’s nothing embarrassing lying around.
  • You cannot have bags, purses, boxes, or any other items on the floor next to your chair.
  • You must take off all bracelets and watches. This I forget all of the time, but the proctor won’t. Save yourself some testing time and do this beforehand.
  • Make sure you can roll up long sleeves to display that you don’t have notes written on your skin.
  • Do not bring any food, drinks or gum into the test environment. It’s not allowed. Well, at least don’t open your mouth too wide or smack too loud.
  • Be nice to your proctor. It’s at their discretion if and when you get bathroom breaks!

If you have wearable medical devices (such as insulin pumps or medical alert bracelets) that should not be removed, or if your personal beliefs don’t allow you to comply with certain regulations (such as displaying bare arms), be sure to ask the vendor to specify IN WRITING whether exemptions are allowed in general, and to approve yours in particular, to avoid disappointment at test time.

“You keep using that word – I do not think it means what you think it means”

Different vendors have different terminology. When you’re searching for an exam you can take from home, be sure you’re searching for online proctored exams. For example, Oracle refers to exams taken online as “non-proctored” and exams taken in person at Oracle University testing centers as “proctored.” Here is more information on online proctored exams with Oracle.

Sold! Where do I sign up?

Due to security considerations, not every vendor offers an online exam experience. Project Management Institute, for example, only allows people to sit the PMP exam at approved testing centers.

At this time of writing, Cisco allows certain of its exams to be scheduled through Pearson Vue for an at-home exam experience.

EC Council, for popular security certifications like CEH, delivers their exams through ProctorU.

CompTIA’s online exam program is called the Anywhere Proctored program, but the available information seems to be geared toward test providers, not test takers. At this time of writing, I could not definitively find a CompTIA exam that could be taken online outside of a boot camp or other training course.

Microsoft has a robust online proctored exam environment, called “online proctored exam delivery.” You can read their full list of policies here.

According to Pearson Vue, VMware offers all VCA exams in a 24/7 online format. There is a full FAQ available.

Online proctoring exam service PeopleCert offers online proctored exams for a variety of vendors, including ITIL®, PRINCE2®, MSP®, P3O®, MoV®, DevOps, Lean IT, Lean Six Sigma, ACCESSIBILITY PASS and ISO.

However you choose to take your exam, as always, we wish you good luck and happy testing!

~Josh aka codeguru

The New A+ 900 Series: What’s New (Part 3 of 5)

February 10, 2016 at 10:56 am | Posted in CompTIA, Study hints, study tips | 1 Comment

Welcome back to my series of posts on the new A+ exam. The old 220-801 and 220-802 exams are still available, but they will retire on June 30, 2016 in the United States. CompTIA has released a new version of the A+ certification by rolling out the 220-901 and 220-902 exams on December 15, 2015.

  • In my first post, I went over the timeline and what to expect from the exam changes as a whole.
  • In my second post, I went into detail regarding the first two objectives for 220-901, Hardware and Networking.

In this post, I will cover the second two objectives for 220-901, Mobile Devices and Hardware and Network Troubleshooting. I’ll give you the entire overview of each objective, list each subobjective, tell you where each topic fell in the old A+ 800-series (if applicable), and put all changes or additions in RED ITALICS.

I will not call out any deleted topics, although CompTIA has removed some topics. This is because I am not really sure if those topics were actually removed from the exam, or if they are just so insignificant that they aren’t called out in the objective listing, but are still floating around in some test questions. Remember that CompTIA’s objective listing contains a disclaimer that says,

“The lists of examples provided in bulleted format below each objective are not exhaustive lists. Other examples of technologies, processes or tasks pertaining to each objective may also be included on the exam although not listed or covered in this objectives document.”

For this reason, I didn’t want to focus on what was removed. My exam experience has shown that the bullet lists are not exhaustive. Spending time focusing on what was removed may give you a false sense of security by making you think you don’t need to study those topics. So I am just ignoring any topic removals.

First, a note about “Bloom’s Levels”

You’ll see me refer to topics changing their Bloom’s level. In the instructional design world, Bloom’s taxonomy is used to describe the depth or complexity of a learning outcome, just as the OSI model describes the level at which a network component operates. Level 1 is basic memorization (what is a router?), where level 6 is complete mastery of a concept (designing a network from scratch).

If I mention here that a Bloom’s level has changed, it generally means that CompTIA is asking for something more complex than memorization. While these changes shouldn’t scare you, there is a bit more “rubber meeting the road” to the higher Bloom’s levels. For example, instead of recognizing various LCD technologies from a list, you may be asked to evaluate which LCD is the best choice for a given scenario. Instead of answering a question about how CIDR notation behaves in the abstract, you may be asked to configure a subnet mask.

220-901 Objective 3: Mobile Devices

A+ 220-802 covered mobile devices in its own domain. It included features of mobile operating systems, basic network connectivity, configuring email, securing mobile devices, hardware differences in regards to tablets and laptops, and mobile device synchronization. Laptops were covered separately, in the 220-801 Laptops domain.

What’s changed? In A+ 220-901, mobile devices now includes laptop hardware and components, laptop display components, laptop features, features of other mobile devices, and accessories and ports of other mobile devices. In some cases, minor wording changes occurred at the subobjective level.

3.1 Install and configure laptop hardware and components. – From Objective 3, subobjective 1 in the old 220-801. New topics were added:

  • Ports/Adapters section – added entire section
    • Thunderbolt – added to the Ports/Adapters section
    • DisplayPort – added to the Port/Adapters section
    • USB to RJ-45 dongle – added to the Ports/Adapters section
    • USB to WiFi dongle – added to the Ports/Adapters section
    • USB to Bluetooth – added to the Ports/Adapters section
    • USB Optical Drive – added to the Ports/Adapters section
  • SSD vs. Hybrid vs. Magnetic disk – added to the Hard Drive subsection
  • 1.8in vs. 2.5in – added to the Hard Drive subsection
  • Smart card reader – added to the Hardware/Device Replacement section
  • Optical drive – added to the Hardware/Device Replacement section

3.2 Explain the function of components within the display of a laptop. – From Objective 3, subobjective 2 in 220-801. The Bloom’s level has increased. “Explain the function of” requires applying your knowledge, rather than the old wording of “Compare and contrast” (demonstrating knowledge without application). These new topics were added:

  • TTL vs. IPS – added to LCD subsection
  • Webcam – added
  • Microphone – added
  • Digitizer – added

3.3 Given a scenario, use appropriate laptop features. – From Objective 3, subobjective 3 in 220-801. The Bloom’s level (and therefore the difficulty) for this objective changed, because the “Given a scenario, use” phrase replaced “Compare and contrast” (demonstrating knowledge without application) in the old version. One new topic was added:

  • Rotating / removable screens – added

3.4 Explain the characteristics of various types of other mobile devices. – This objective was not part of the A+ 900-series exams. The topics in this objective are:

  • Tablets – added
  • Smart phones – added
  • Wearable technology devices section – added entire section
    • Smart watches – added to the Wearable technology devices section
    • Fitness monitors – added to the Wearable technology devices section
    • Glasses and headsets – added to the Wearable technology devices section
  • Phablets – added
  • e-Readers – added
  • Smart camera – added
  • GPS – added

3.5 Compare and contrast accessories & ports of other mobile devices. – This objective was not in the A+ 900-series exams. The topics in this objective are:

  • Connection types – added section
    • NFC – added
    • Proprietary vendor specific ports (communication/power) – added
    • microUSB/miniUSB – added
    • Lightning – added
    • Bluetooth – added
    • IR – added
    • Hotspot / tethering – added
  • Accessories – added section
    • Headsets – added
    • Speakers – added
    • Game pads – added
    • Docking stations – added
    • Extra battery packs/battery chargers – added
    • Protective covers / water proofing – added
    • Credit card readers – added
    • Memory/MicroSD – added

220-901 Objective 4: Hardware & Network Troubleshooting

The old A+ 220-802 covered troubleshooting in its own domain. It included the troubleshooting theory, hardware troubleshooting, network troubleshooting, operating system troubleshooting, security troubleshooting, laptop troubleshooting, and printer troubleshooting.

In A+ 220-901, this objective covers hardware troubleshooting, network troubleshooting, mobile device troubleshooting, and printer troubleshooting. The other aspects of troubleshooting have been moved to the A+ 220-902 exam. All changes are in RED ITALICS.

4.1 Given a scenario, troubleshoot common problems related to motherboards, RAM, CPU and power with appropriate tools. – From Objective 4, subobjective 2 in 220-802. This subobjective had no changes.

4.2 Given a scenario, troubleshoot hard drives and RAID arrays with appropriate tools. – From Objective 4, subobjective 3 in 220-802. This subobjective had no changes.

4.3 Given a scenario, troubleshoot common video, projector and display issues. – From Objective 4, subobjective 4 in 220-802. This subobjective had no changes.

4.4 Given a scenario, troubleshoot wired and wireless networks with appropriate tools. – From Objective 4, subobjective 5 in 220-802. This subobjective had no changes.

4.5 Given a scenario, troubleshoot, and repair common mobile device issues while adhering to the appropriate procedures. – From Objective 4, subobjective 6 in 220-802. The old version of this objective only mentioned laptops, not mobile devices. So keep in mind that you must expand all of the troubleshooting scenarios to include all other mobile devices, including laptops, tablets, and smart phones. New topics include:

  • Touchscreen non-responsive – added to Common symptoms
  • Apps not loading – added to Common symptoms
  • Slow performance – added to Common symptoms
  • Unable to decrypt email – added to Common symptoms
  • Extremely short battery life – added to Common symptoms
  • Overheating – added to Common symptoms
  • Frozen system – added to Common symptoms
  • No sound from speakers – added to Common symptoms
  • GPS not functioning – added to Common symptoms
  • Swollen battery – added to Common symptoms

2.6 Given a scenario, troubleshoot printers with appropriate tools. – From Objective 4, subobjective 9 in 220-802. This subobjective had no changes.

Closing Thoughts

As you can see, I am just covering the high points and not delving too deeply into these topics. My point here is to help those who already know the A+ understand exactly what new topics they need to study. CompTIA has started a series of Webinars called Deep Dive: A Look Inside the A+ 900 Series Objectives that cover these topics much more deeply than I do. You can access these Webinars by joining the CompTIA Instructor Network at http://bit.ly/1Sxj3h9.

Remember, this post is part of a series of posts I will be completing. Here are the details for those posts:

To help you start your A+ 900-series study schedule off right, we have launched our 220-901 practice test! It includes performance-based questions and covers all the 220-901 topics.


Thanks again for reading!

-Robin Abernathy

The New A+ 900 Series: What’s New (Part 2 of 5)

January 28, 2016 at 1:08 pm | Posted in Certification Paths, CompTIA, Study hints, study tips | 1 Comment

As I explained in my last post, CompTIA has released a new version of the A+ certification by rolling out the 220-901 and 220-902 exams on December 15, 2015. The old 220-801 and 220-802 exams are still available, but they will retire on June 30, 2016 in the United States.

In this post, I will cover the first two objectives for 220-901, Hardware and Networking. I’ll give you the entire overview of each objective, list each subobjective, tell you where each topic fell in the old A+ 800-series (if applicable), and put all changes or additions in RED ITALICS.

I will not call out any deleted topics, although CompTIA has removed some topics (for example, floppy drives and SCSI). This is because I am not really sure if those topics were actually removed from the exam, or if they are just so insignificant that they aren’t called out in the objective listing, but are still floating around in some test questions. Remember that CompTIA’s objective listing contains a disclaimer that says,

“The lists of examples provided in bulleted format below each objective are not exhaustive lists. Other examples of technologies, processes or tasks pertaining to each objective may also be included on the exam although not listed or covered in this objectives document.”

For this reason, I didn’t want to focus on what was removed. My exam experience has shown that the bullet lists are not exhaustive. Spending time focusing on what was removed may give you a false sense of security by making you think you don’t need to study those topics. So I am just ignoring any topic removals.

First, a note about “Bloom’s Levels”

In this and subsequent posts, you’ll see me refer to topics changing their Bloom’s level. In the instructional design world, Bloom’s taxonomy is a model for describing the depth or complexity of a learning outcome, much like the OSI model describes the level at which a network component operates. Level 1 is basic memorization (what is a router?), where level 6 is complete mastery of a concept (designing a network from scratch).

If I mention here that a Bloom’s level has changed, it generally means that CompTIA is asking for something more complex than memorization. While these changes shouldn’t scare you, there is a bit more “rubber meeting the road” to the higher Bloom’s levels. For example, instead of recognizing various LCD technologies from a list, you may be asked to evaluate which LCD is the best choice for a given scenario. Instead of answering a question about how CIDR notation behaves in abstract, you may be asked to configure a subnet mask.

220-901 Objective 1: Hardware

A+ 220-801 covered hardware in its own domain and included BIOS, motherboards, RAM, expansion cards, storage devices, CPUs and cooling, connectors and cables, power supplies, custom configurations, display devices, and peripherals. In A+ 220-901, hardware has been expanded to include UEFI and printers and multi-functional devices (which was its own objective in 220-801). In some cases, minor wording changes occurred at the subobjective level.

1.1 Given a scenario, configure settings and use BIOS/UEFI tools on a PC. – From Objective 1, subobjective 1 in the old version. The Bloom’s level for this objective increased, because the “Given a scenario” qualification is now part of this objective. Instead of simply identifying what a setting does, you will likely be asked to choose the correct setting for a given set of conditions. There is only one new topic:

  • Secure boot – added to BIOS security sub-section

1.2 Explain the importance of motherboard components, their purpose, and properties. – From Objective 1, subobjective 2 in 220-801. The Bloom’s level (and therefore the difficulty) for this objective changed as well, because the “Explain the importance” phrase is used instead of “Differentiate between” (demonstrating knowledge without application) in the old version. One new topic was added:

  • Mini-ITX – added to Sizes section

1.3 Compare and contrast various RAM types and their features. – From Objective 1, subobjective 3 in 220-801. One new topic was added:

  • Buffered versus unbuffered – added to Types section

1.4 Install and configure PC expansion cards. – From Objective 1, subobjective 4 in 220-801. One new topic was added:

  • Storage cards – added

1.5 Install and configure storage devices and use appropriate media. – From Objective 1, subobjective 5 in 220-801. New topics include:

  • Hybrid and eMMC – added to Solid state/flash drives section

1.6 Install various types of CPUs and apply the appropriate cooling methods. – From Objective 1, subobjective 6 in 220-801. The Bloom’s level for this objective changed because the “Install” phrase (using acquired knowledge) is used instead of “Differentiate among” (demonstrating knowledge without application) in the old version. New topics include:

  • Intel 1150, 2011 – added to Socket types section
  • AMD FM2, FM2+ – added to Socket types section
  • Disable execute bit – added to Characteristics section
  • Fanless/passive – added to Cooling section

1.7 Compare and contrast various PC connection interfaces, their characteristics and purpose. – From Objective 1, subobjective 7 in 220-801. New topics include:

  • Analog and Digital (Optical connector) – added to Audio sub-section
  • NFC – added to Wireless connections section
  • Quality and DRM – added to Characteristics section

1.8 Install a power supply based on given specifications. – From Objective 1, subobjective 8 in 220-801. One new topic was added:

  • Dual rail – added to Specifications section

1.9 Given a scenario, select the appropriate components for a custom PC configuration, to meet customer specifications or needs. – From Objective 1, subobjective 9 in 220-801. The Bloom’s level for this objective was raised to include “Given a scenario.” New topics are:

  • Multicore processor – changed from Powerful processor in Graphic / CAD / CAM design workstation section. This change simply updates the test’s language to current PC technology, as all “powerful” processors today will be multicore by default.
  • Multicore processor – changed from Powerful processor in Gaming PC section. Again, this is not new knowledge, but rather an update of the test’s nomenclature.
  • Meets recommended requirements for selected OS – changed from Meets recommended requirements for Windows in Standard thick client section. This is an important change because it shows a shift back to including other operating systems besides Windows, which hasn’t been the case in the past few A+ releases.
  • Meets minimum requirements for selected OS – changed from Meets minimum requirements for running Windows in Thin client section.
  • Network connectivity – added to Thin client section.

1.10 Compare and contrast types of display devices and their features. – From Objective 1, subobjective 10 in 220-801. The Bloom’s level for this objective changed because the “Compare and contrast” phrase is used instead of “Given a scenario, evaluate” in the old version. New topics include:

  • TN vs. IPS and Flourescent vs. LED backlighting – added in the LCD sub-section
  • Refresh / frame rates – added frame rates
  • Aspect ratios (16:9, 16:10, and 4:3) – added specific ratios

1.11 Identify common PC connector types and associated cables. – From Objective 1, subobjective 11 in 220-801. New topics include:

  • Adapters and converters (DVI to HDMI, USB A to USB B, USB to Ethernet, DVI to VGA, Thunderbolt to DVI, PS/2 to USB, and HDMI to VGA) – all added, and all reflective of the cables commonly available in today’s computing environments.

1.12 Install and configure common peripheral devices. – From Objective 1 subobjective 12 in 220-801. New topics include:

  • Biometric devices, Motion sensor, Touch pads, Smart card readers, and Digital cameras – added to the Input devices section
  • Smart TV and Set-Top Box – added to the Input & Output devices section

1.13 Install SOHO multifunction device / printers and configure appropriate settings. – From Objective 4, subobjective 2 in 220-801. The Bloom’s level for this objective changed because the “Given a scenario” phrase has been removed. In addition, multifunction devices have been added and configuration knowledge is required. The new topics include:

  • Configuration settings (Duplex, Collate, Orientation, and Quality) – added to the Use appropriate drivers for a given operating system section
  • Infrastructure vs. adhoc – added to the Wireless sub-section
  • Cloud printing/remote printing – added to the Device sharing section
  • TCP/Bonjour/AirPrint – added to the Sharing local/networked device via Operating System settings sub-section
  • Data privacy (User authentication on the device and Hard drive caching) – added to the Public/shared devices section

1.14 Compare and contrast differences between the various print technologies and the associated imaging process. – From Objective 4, subobjective 1 in 220-801. The wording changed to “Compare and contrast” from “Explain the differences between,” but in my opinion, this change did not affect the Bloom’s level. New topic is:

  • Virtual (Print to file, Print to PDF, Print to XPS, and Print to image) – added

1.15 Given a scenario, perform appropriate printer maintenance. – From Objective 4, subobjective 3 in 220-801. New topics include:

  • Inkjet (Clean heads, replace cartridges, calibration, clear jams) – added

220-901 Objective 2: Networking

A+ 220-801 covered networking in its own domain and included network cables and connectors, TCP/IP, TCP and UDP ports and protocols, wireless networking standards and encryption, SOHO wireless/wired router installation and configuration, Internet connection types, network types, network devices, and networking tools. In A+ 220-901, minor wording changes occurred at the subobjective level. All changes are in RED ITALICS.

2.1 Identify the various types of network cables and connectors. – From Objective 2, subobjective 1 in 220-801. This subobjective had no changes.

2.2 Compare and contrast the characteristics of connectors and cabling. – From Objective 2, subobjective 2 in 220-801. Slight wording change at subobjective level, but no change in the Bloom’s level. New topics include:

  • CAT6e, CAT7 – added to Twisted pair section
  • Splitters and effects on signal quality – added to Twisted pair and Coaxial sections

2.3 Explain the properties and characteristics of TCP/IP. – From Objective 2, subobjective 3 in 220-801. New topics include:

  • Public vs. private vs. APIPA/link local – added link local
  • Subnet mask vs. CIDR – added CIDR
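The “Bloom’s level” note earlier in this post says the exam may ask you to configure a subnet mask for a given scenario rather than just recognize CIDR notation, and objective 2.3 adds CIDR and APIPA/link-local addressing alongside public and private addresses. The script below is an added worked example (not from the CompTIA objectives and not a Transcender tool) that does the arithmetic the exam expects you to be able to do by hand: converting a /prefix to a dotted-decimal mask and back, rejecting masks that are not a contiguous run of ones, finding the network and broadcast address of a host, checking whether two hosts really share a subnet, and classifying an address as public, private, or APIPA. It uses only the Python standard library; all sample addresses are constructed for illustration.

```python
import ipaddress

# 169.254.0.0/16 is the Automatic Private IP Addressing (APIPA) / IPv4
# link-local range a host falls back to when no DHCP lease is obtained.
APIPA = ipaddress.IPv4Network("169.254.0.0/16")


def cidr_to_mask(prefix_len: int) -> str:
    """Return the dotted-decimal subnet mask for a /prefix length (0-32)."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    # prefix_len ones followed by (32 - prefix_len) zeros, kept to 32 bits
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def mask_to_cidr(mask: str) -> int:
    """Return the /prefix length for a dotted-decimal mask.

    A valid mask is a contiguous run of ones followed by zeros; anything
    else (e.g. 255.0.255.0) is a configuration error and is rejected.
    """
    ones = bin(int(ipaddress.IPv4Address(mask))).count("1")
    if cidr_to_mask(ones) != mask:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return ones


def describe(host_cidr: str) -> dict:
    """Work out the subnet details for a host written as address/prefix."""
    iface = ipaddress.IPv4Interface(host_cidr)  # host bits may be set
    net = iface.network
    return {
        "address": str(iface.ip),
        "mask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        # /31 and /32 have no separate network/broadcast addresses to subtract
        "usable_hosts": max(net.num_addresses - 2, 0),
    }


def same_subnet(host_a: str, host_b: str) -> bool:
    """True when both hosts (address/prefix) land in the same network.

    A typical troubleshooting scenario: two hosts on one switch cannot
    reach each other because one was given the wrong mask.
    """
    net_a = ipaddress.IPv4Interface(host_a).network
    net_b = ipaddress.IPv4Interface(host_b).network
    return net_a == net_b


def classify(addr: str) -> str:
    """Label an address as public, private, apipa/link-local, loopback or reserved."""
    ip = ipaddress.IPv4Address(addr)
    if ip in APIPA:               # check first: Python counts APIPA as private
        return "apipa/link-local"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:             # RFC 1918: 10/8, 172.16/12, 192.168/16
        return "private"
    if ip.is_global:
        return "public"
    return "reserved"             # multicast, 0/8, shared address space, etc.


if __name__ == "__main__":
    print("/22 ->", cidr_to_mask(22))
    print("255.255.255.128 -> /", mask_to_cidr("255.255.255.128"))
    print(describe("192.168.1.77/26"))
    print("same subnet?", same_subnet("192.168.1.10/25", "192.168.1.200/25"))
    for sample in ("10.1.2.3", "172.32.0.1", "169.254.10.5", "8.8.8.8"):
        print(sample, "->", classify(sample))
```

Note the ordering in `classify`: the `ipaddress` module reports the 169.254.0.0/16 range as private, so the APIPA check has to come first or a host that never got a DHCP lease would be mislabelled as a normally configured private address.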

2.4 Explain common TCP and UDP ports, protocols, and their purpose. – From Objective 2, subobjective 4 in 220-801. New topics include:

  • 22 – SSH; 137-139, 445 – SMB; and 548 or 427 – AFP – added to Ports section
  • CIFS and AFP – added to Protocols section

2.5 Compare and contrast various WiFi networking standards and encryption types. – From Objective 2, subobjective 5 in 220-801. New topics include:

  • 802.11ac – added to Standards section

2.6 Given a scenario, install and configure SOHO wireless/wired router and apply appropriate settings. – From Objective 2, subobjective 6 in 220-801. The Bloom’s level for this objective changed because the “Given a scenario” qualification is now part of this objective. New topics include:

  • NAT / DNAT – added DNAT
  • Firmware – added
  • UPnP – added

2.7 Compare and contrast Internet connection types, network types, and their features. – From Objective 2, subobjective 7 and 8 in 220-801. New topics include:

  • Tethering – added in the Cellular subsection

2.8 Compare and contrast network architecture devices, their functions, and features. – From Objective 2, subobjective 9 in 220-801. New topics include:

  • Patch panel – added
  • Repeaters/extenders – added
  • Ethernet over Power – added
  • Power over Ethernet injector – added

2.9 Given a scenario, use appropriate networking tools. – From Objective 2, subobjective 10 in 220-801. New topics include:

  • Cable stripper – added
  • Tone generator & probe – added generator
  • WiFi analyzer – added

Closing Thoughts

As you can see, I am just covering the high points and not delving too deeply into these topics. My point here is to help those who already know the A+ understand exactly what new topics they need to study. CompTIA has started a series of Webinars called Deep Dive: A Look Inside the A+ 900 Series Objectives that cover these topics much more deeply than I do. You can access these Webinars by joining the CompTIA Instructor Network at http://bit.ly/1Sxj3h9.

Remember, this post is part of a series of posts I will be completing. Here are the details for those posts:

To help you get through the holiday doldrums and start your 2016 study schedule off right, we just launched our 220-901 practice test! It includes performance-based questions and covers all the 220-901 topics.


Thanks again for reading!

-Robin Abernathy

CISSP 2015: What’s New (Part 5 of 5)

December 10, 2015 at 9:47 am | Posted in CISSP, Study hints, study tips | Leave a comment

In my first post, I gave you a quick overview of the changes to the new CISSP exam. In my second post, I covered Domains 1 and 2 of the new CISSP exam. In my third post, I covered Domain 3 and 4 of the new CISSP exam. In my fourth post, I covered Domain 5 and 6 of the new CISSP exam. In this, my FINAL post, I will conclude with Domains 7 and 8, Security Operations and Software Development Security.

Broadly speaking, Domain 7 reflects how security should be included as part of day-to-day organizational operations. Domain 8 covers aspects of designing, implementing, and analyzing security for applications.

For my assessment, I’ll start by giving you the entire overview of each domain with its Key Areas of Knowledge. I’ll tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 7: Security Operations – Framework and Key Areas of Knowledge

CISSP 2012 also covered security operations as its own domain. The majority of the old Domain 7 (Security Operations) has been retained, with the addition of new topics that cover investigations, monitoring, resource protection, incident response, recovery strategies, and physical security. Because day-to-day security operations are fundamental to security, this domain contains the most topics of any area in the exam.

This domain also includes a few topics that were moved from the old Domain 8 (Business Continuity and Disaster Recovery Planning), Domain 9 (Legal, Regulations, Investigations, and Compliance), and Domain 10 (Physical (Environmental) Security).

Domain 7 Key Areas of Knowledge:

    1. Understand and support investigations – From Domain 9, subheading c in the old version.
      1. Evidence collection and handling (e.g., chain of custody, interviewing) – From Domain 9, subheading c in the old version.
      2. Reporting and documenting – From Domain 9, subheading c in the old version.
      3. Investigation techniques (e.g., root-cause analysis, incident handling) – From Domain 9, subheading c in the old version.
      4. Digital forensics (e.g., media, network, software, and embedded devices) – From Domain 9, subheading d in the old version.
    2. Understand requirements for investigation types – New
      1. Operational – New
      2. Criminal – New
      3. Civil – New
      4. Regulatory – New
      5. Electronic discovery (eDiscovery) – New
    3. Conduct logging and monitoring activities – From Domain 1, subheading a in the old version.
      1. Intrusion detection and prevention – New
      2. Security information and event management – New
      3. Continuous monitoring – New
      4. Egress monitoring (e.g., data loss prevention, steganography, watermarking) – Mostly New. Steganography and watermarking are from Domain 5, subheading l in the old version.
    4. Secure the provisioning of resources – From Domain 9, subheading f in the old version.
      1. Asset inventory (e.g., hardware, software) – New
      2. Configuration management – New
      3. Physical assets – New
      4. Virtual assets (e.g., software-defined network, virtual SAN, guest operating systems) – New
      5. Cloud assets (e.g., services, VMs, storage, networks) – From Domain 9, subheading f in the old version.
      6. Applications (e.g., workloads or private clouds, web services, software as a service) – From Domain 9, subheading f in the old version.
    5. Understand and apply foundational security operations concepts – From Domain 7, subheading a in the old version.
      1. Need to know/least privilege (e.g., entitlement, aggregation, transitive trust) – From Domain 1, subheading c and Domain 7, subheading a in the old version.
      2. Separation of duties and responsibilities – From Domain 7, subheading a in the old version.
      3. Monitor special privileges (e.g., operators, administrators) – From Domain 7, subheading a in the old version.
      4. Job rotation – From Domain 7, subheading a in the old version.
      5. Information lifecycle – From Domain 3, subheading e in the old version.
      6. Service-level agreements – New
    6. Employ resource protection techniques – From Domain 7, subheading b in old version.
      1. Media management – From Domain 7, subheading b in old version.
      2. Hardware and software asset management – From Domain 7, subheading b in old version.
    7. Conduct incident management – From Domain 7, subheading c in the old version.
      1. Detection – From Domain 7, subheading c in the old version.
      2. Response – From Domain 7, subheading c in the old version.
      3. Mitigation – New
      4. Reporting – From Domain 7, subheading c in the old version.
      5. Recovery – From Domain 7, subheading c in the old version.
      6. Remediation – From Domain 7, subheading c in the old version.
      7. Lessons learned – New
    8. Operate and maintain preventative measures – From Domain 7, subheading d in the old version.
      1. Firewalls – New
      2. Intrusion detection and prevention systems – New
      3. Whitelisting/Blacklisting – New
      4. Third-party security services – New
      5. Sandboxing – New
      6. Honeypots/Honeynets – New
      7. Anti-malware – New
    9. Implement and support patch and vulnerability management – From Domain 7, subheading e in the old version.
    10. Participate in and understand change management processes (e.g., versioning baselining, security impact analysis) – From Domain 7, subheading f in the old version.
    11. Implement recovery strategies – From Domain 8, subheading c in the old version.
      1. Backup storage strategies (e.g., offsite storage, electronic vaulting, tape rotation) – From Domain 8, subheading c in the old version.
      2. Recovery site strategies – From Domain 8, subheading c in the old version.
      3. Multiple processing sites (e.g., operationally redundant systems) – New
      4. System resilience, high availability, quality of service, and fault tolerance – From Domain 7, subheading g in the old version.
    12. Implement disaster recovery processes – From Domain 8, subheading d in the old version.
      1. Response – From Domain 8, subheading d in the old version.
      2. Personnel – From Domain 8, subheading d in the old version.
      3. Communications – From Domain 8, subheading d in the old version.
      4. Assessment – From Domain 8, subheading d in the old version.
      5. Restoration – From Domain 8, subheading d in the old version.
      6. Training and awareness – From Domain 8, subheading d in the old version.
    13. Test disaster recovery plans – From Domain 8, subheading e in the old version.
      1. Read-through – From Domain 8, subheading e in the old version.
      2. Walkthrough – From Domain 8, subheading e in the old version.
      3. Simulation – From Domain 8, subheading e in the old version.
      4. Parallel – From Domain 8, subheading e in the old version.
      5. Full interruption – From Domain 8, subheading e in the old version.
    14. Participate in business continuity planning and exercises – New
    15. Implement and manage physical security – From Domain 10, subheading b and c in the old version.
      1. Perimeter (e.g., access control and monitoring) – From Domain 10, subheading b in the old version.
      2. Internal security (e.g., escort requirements/visitor control, keys, and locks) – From Domain 10, subheading c in the old version.
    16. Participate in addressing personnel safety concerns (e.g., duress, travel, monitoring) – From Domain 10, subheading f in the old version.
Domain 7 – Just the New Topics, Ma’am

Here’s a shortlist of the entirely new topics in Domain 7.

Knowledge Area B, Understand requirements for investigation types, is a new Knowledge Area, and all of its topics are new. The definition of “investigation types” is now more granular. The candidate will have to understand correct procedures and what constitutes evidence for each type of investigation:

  • Operational – This is a new topic. This topic will focus on the requirements for operational investigations.
  • Criminal – This is a new topic. This topic will focus on the requirements for criminal investigation.
  • Civil – This is a new topic. This topic will focus on the requirements for civil investigations.
  • Regulatory – This is a new topic. This topic will focus on the requirements for regulatory investigations.
  • Electronic Discovery (eDiscovery) – This is a new topic. This topic will focus on the requirements for eDiscovery investigations.

Knowledge Area C, Conduct logging and monitoring activities, contains both new and old topics. As with Knowledge Area B, the topics have become more granular and specific than in the previous exam. These topics within this Domain are new:

  • Intrusion detection and prevention – This is a new topic. This topic will focus on intrusion detection and prevention as part of operational logging and monitoring.
  • Security information and event management – This is a new topic. This topic will focus on security information and event management (SIEM) as part of operational logging and monitoring.
  • Continuous monitoring – This is a new topic. This topic will focus on continuous monitoring as part of operational logging and monitoring.
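To make the SIEM and continuous-monitoring items concrete, here is an added example that is not part of the original post: a minimal correlation rule of the kind a SIEM runs over authentication logs, applied to constructed sshd-style log lines. The log lines, the year, the failure threshold and the five-minute window are all assumptions made up for illustration.

```python
"""Failed-login correlation over constructed sshd-style log lines.

Added example, not from the original post: a minimal version of the kind of
correlation rule a SIEM or continuous-monitoring pipeline runs. The log
lines, the year, the threshold and the time window are assumptions made
up for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source hammers root and then
# succeeds; a second source has two failures too far apart to matter.
SAMPLE_LOG = """\
Dec 10 09:40:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec 10 09:40:03 host1 sshd[2102]: Failed password for root from 203.0.113.7 port 51023 ssh2
Dec 10 09:40:04 host1 sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Dec 10 09:40:06 host1 sshd[2104]: Failed password for root from 203.0.113.7 port 51025 ssh2
Dec 10 09:40:07 host1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51026 ssh2
Dec 10 09:40:09 host1 sshd[2106]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Dec 10 09:41:00 host1 sshd[2107]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Dec 10 09:55:00 host1 sshd[2108]: Failed password for alice from 198.51.100.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2015):
    """Normalize one syslog line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the year is an assumption of this example.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m.group("outcome"),
            "user": m.group("user"), "src": m.group("src")}


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source fails `threshold` times inside `window`.

    A later success from the same source within the window upgrades the
    alert, since that is the case that needs an incident, not just a ticket.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    open_alert = {}                 # src -> index into alerts
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in open_alert:
                open_alert[ev["src"]] = len(alerts)
                alerts.append({"src": ev["src"], "first": q[0], "last": ev["ts"],
                               "count": len(q), "success_after": False, "user": None})
        else:
            idx = open_alert.get(ev["src"])
            if idx is not None and ev["ts"] - alerts[idx]["last"] <= window:
                alerts[idx]["success_after"] = True
                alerts[idx]["user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG):
        sev = "HIGH" if a["success_after"] else "MEDIUM"
        print(f"[{sev}] {a['src']}: {a['count']} failures "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}"
              + (f", then success as {a['user']}" if a["success_after"] else ""))
```

Run on the sample, the rule fires once, for 203.0.113.7, and the later successful root login within the window raises it to high severity; the two failures from 198.51.100.5 are fourteen minutes apart and never accumulate. The parse step is the part that matters most in practice: a SIEM that cannot normalize the source field consistently cannot correlate across hosts at all.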

Knowledge Area D, Secure the provisioning of resources, contains both new and old topics. The following topics within this Domain are new, and deal with provisioning practices for physical, virtual, and logical assets. Other types of security for these assets are amply covered in Domains 3 and 4. Here the focus is more on sanitization, license management, versioning and baselining, patch management, and inventory control.

  • Asset inventory (e.g., hardware, software) – This is a new topic. This topic will focus on hardware, software, and other asset inventory as a part of resource provisioning.
  • Configuration management – This is a new topic. This topic will focus on configuration management as part of resource provisioning.
  • Physical assets – This is a new topic. This topic will focus on the resource provisioning of physical assets.
  • Virtual assets (e.g., software-defined network, virtual SAN, guest operating systems) – This is a new topic. This topic will focus on the resource provisioning of virtual assets.

Knowledge Area E, Understand and apply foundational security operations concepts, contains mostly old topics, but does contain one new topic. The following topic within this Domain is new:

  • Service-level agreements – This is a new topic, and like most new topics for 2015, is driven by the move toward cloud provisioning. This topic will cover service-level agreements and their effect on security operations.

Knowledge Area G, Conduct incident management, contains both new and old topics. The following topics within this Domain are new:

  • Mitigation – This is a new topic. This topic will test on best practice concepts for incident mitigation.
  • Lessons learned – This is a new topic. This topic will focus on documenting and integrating lessons learned from incidents.

Knowledge Area H, Operate and maintain preventative measures, contains mostly new topics, although the Knowledge Area itself is not new. Most of the topics were implied by the old Domain 7 Knowledge Area D, “Prevent or respond to attacks (e.g., malicious code, zero-day exploit, denial of service),” but again, CISSP 2015 is far more granular. These specific topics within this Domain are new:

  • Firewalls – This is a new topic. This topic will focus on using firewalls for intrusion prevention. The previous exam mentioned firewalls in the context of securing the firewall itself; here, the focus is deployment.
  • Intrusion detection and prevention systems – This is a new topic. This topic will focus on deploying types of intrusion detection and prevention systems (HIDS, NIDS, IPS, and so on).
  • Whitelisting/Blacklisting – This is a new topic. This topic will focus on using whitelisting/blacklisting as a prevention strategy, including its advantages and disadvantages.
  • Third-party security services – This is a new topic. This topic will focus on using third-party security services as part of prevention.
  • Sandboxing – This is a new topic. This topic will focus on using sandboxing as part of prevention.
  • Honeypots/Honeynets – This is a new topic. This topic will focus on using honeypots/honeynets as part of prevention.
  • Anti-malware – This is a new topic. This topic will focus on using anti-malware as part of prevention.
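The whitelisting/blacklisting item above mentions advantages and disadvantages without spelling them out. The following added example, which is not from the original post, shows the core trade-off in code: a denylist (blacklist) blocks only what its author already knew about, while an allowlist (whitelist) refuses anything it was not told to accept. The upload handler, the two extension lists and the file names are assumptions made for illustration.

```python
"""Allowlist versus denylist as a prevention control.

Added example, not from the original post. The extension lists, the
file names and the policy decisions are assumptions made for illustration;
a real deployment would also check content, not just the name.
"""
import posixpath

# Denylist: the types the operator knew to be dangerous when the list was written.
DENIED_EXTENSIONS = {"exe", "bat", "cmd", "com", "js", "vbs", "ps1"}

# Allowlist: the only types this (hypothetical) upload handler needs to accept.
ALLOWED_EXTENSIONS = {"png", "jpg", "pdf"}


def extension_of(filename):
    """Last dot-separated component of the base name, lower-cased; '' if none."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def denylist_allows(filename):
    """Block only what is on the list; anything unknown gets through."""
    return extension_of(filename) not in DENIED_EXTENSIONS


def allowlist_allows(filename):
    """Accept only what is on the list; anything unknown is refused."""
    ext = extension_of(filename)
    return ext != "" and ext in ALLOWED_EXTENSIONS


# Constructed names: a document the app needs, a known executable, an HTA
# the denylist author never thought of, an upper-case variant, a double
# extension, and a name with no extension at all.
SAMPLES = ["report.pdf", "tool.exe", "macro.hta", "dropper.PS1",
           "photo.png.scr", "notes"]


def compare(names=SAMPLES):
    """Map each name to (denylist decision, allowlist decision)."""
    return {n: (denylist_allows(n), allowlist_allows(n)) for n in names}


if __name__ == "__main__":
    print(f"{'name':16} denylist  allowlist")
    for name, (deny, allow) in compare().items():
        print(f"{name:16} {str(deny):9} {allow}")
```

Both lists agree on `report.pdf` and `tool.exe`; they diverge on `macro.hta` and `photo.png.scr`, which the denylist waves through because nobody added them. That is the denylist's disadvantage. The allowlist's disadvantage is the mirror image: every legitimate new type is a change request, and a list that is too narrow generates false rejections until someone maintains it.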

Knowledge Area K, Implement recovery strategies, contains mostly old topics and one new topic. The following topic within this Domain is new:

  • Multiple processing sites (e.g., operationally redundant systems) – This is a new topic. This topic will focus on using hot sites, cold sites, service bureaus, and other alternate processing sites for disaster recovery. While the topic may be new, the concept is classic CISSP.

Knowledge Area N, Participate in business continuity planning and exercises, is a new Knowledge Area. It covers designing, maintaining, and implementing business continuity plans and exercises. Again, this is a classic component of risk management and disaster recovery planning; what’s new is the granularity of assigning a complete knowledge area to the concept.

Domain 8: Software Development Security – Framework and Key Areas of Knowledge

Domain 8 consists of content formerly included in the old Domain 4 (Software Development Security). The majority of this Domain was included in CISSP 2012; only a few new topics were introduced for this round. It is primarily concerned with understanding security as part of the software development lifecycle.

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Understand and apply security in the software development lifecycle – From Domain 4, subheading a in the old version.
    1. Development methodologies (e.g., Agile, Waterfall) – From Domain 4, subheading a in the old version.
    2. Maturity models – From Domain 4, subheading a in the old version.
    3. Operation and maintenance – From Domain 4, subheading a in the old version.
    4. Change management – From Domain 4, subheading a in the old version.
    5. Integrated product team (e.g., DevOps) – New
  2. Enforce security controls in development environments – From Domain 4, subheading b in the old version.
    1. Security of the software environments – From Domain 4, subheading b in the old version.
    2. Security weaknesses and vulnerabilities at the source-code level (e.g., buffer overflow, escalation of privilege, input/output validation) – From Domain 4, subheading b in the old version.
    3. Configuration management as an aspect of secure coding – From Domain 4, subheading b in the old version.
    4. Security of code repositories – New
    5. Security of application programming interfaces – From Domain 4, subheading b in the old version.
  3. Assess the effectiveness of software security – From Domain 4, subheading c in the old version.
    1. Auditing and logging of changes – From Domain 4, subheading c in the old version.
    2. Risk analysis and mitigation – From Domain 4, subheading c in the old version.
    3. Acceptance testing – New
  4. Assess security impact of acquired software – New
Domain 8 – Just the New Topics already

Here’s a closer look at the new topics in Domain 8.

Knowledge Area A, Understand and apply security in the software development lifecycle, contains mostly old topics and one new topic. The following topic within this Domain is new:

  • Integrated product team (e.g., DevOps) – This is a new topic. It covers integrated software development concepts, such as Agile, DevOps, and software assurance.

Knowledge Area B, Enforce security controls in development environments, contains mostly old topics and one new topic. The following topic within this Domain is new:

  • Security of code repositories – This is a new topic. It discusses securing code repositories in collaborative development environments.

Knowledge Area C, Assess the effectiveness of software security, contains mostly old topics and one new topic. The following topic within this Domain is new:

  • Acceptance testing – This is a new topic. It covers using acceptance testing as part of assessing software security effectiveness.

Knowledge Area D, Assess security impact of acquired software, is a new Knowledge Area. It covers the procedures for assessing the security impact of acquired software, including commercial software.

Recap

I cannot believe I have finally reached the end of my latest magnum opus. Here’s the complete listing of all parts:

      • Part 1 covered general information about the new CISSP.
      • Part 2 covered new domains 1 and 2.
      • Part 3 covered new domains 3 and 4.
      • Part 4 covered new domains 5 and 6.
      • Part 5 (this post) covers new domains 7 and 8.

It is our sincere hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin A.

FREE webinar on November 18: Best prep tips for your Office 365 exam

November 11, 2015 at 4:02 pm | Posted in Microsoft, Study hints, study tips | Leave a comment

Join Transcender’s subject matter expert and Microsoft practice test author, George Monsalvatge, for a free webinar that will prepare you for your Office 365 exam. This live, interactive webinar will walk you through the preparation process and cover such topics as:

  • What exactly are they going to test me on?
  • Have the technologies changed since Microsoft first released the exams? If so, which versions should I study?
  • How in-depth are the questions?
  • What’s the format of the question – multiple answer, fill-in-the-blank, interactive – and what’s the best approach for each question type?

To register for the webinar, click this link.

The webinar will take place on Wednesday, November 18, from 12:00 PM – 1:00 PM EST.

CISSP 2015: What’s New (Part 3 of 5)

September 30, 2015 at 3:51 pm | Posted in CISSP, Study hints, study tips, Vendor news | Leave a comment

In my first post, I gave you a quick overview of the changes to the new CISSP exam.  In my second post, I covered Domains 1 and 2 of the new CISSP exam.

Today I will cover the next two domains, Security Engineering and Communications and Network Security. First I’ll give you the entire overview of each domain with its Key Areas of Knowledge, tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 3: Security Engineering – Framework and Key Areas of Knowledge

The majority of the new Domain 3 merges topics from the old Domain 5 (Cryptography), Domain 6 (Security Architecture and Design), and Domain 10 (Physical Security).

Domain 3 Key Areas of Knowledge:

    1. Implement and manage engineering processes using secure design principles. – New
    2. Understand the fundamental concepts of security models (e.g., confidentiality, integrity, multi-level models) – From Domain 6, subheading a in the old version.
    3. Select controls and countermeasures based upon systems security evaluation models – From Domain 6, subheading b and f in the old version.
    4. Understand security capabilities of information systems (e.g. memory protection, virtualization, trusted platform module, interfaces, fault tolerance) – From Domain 6, subheading c in the old version.
    5. Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
      1. Client-based (e.g., applets, local caches) – From Domain 6, subheading e in the old version.
      2. Server-based (e.g., data flow control) – From Domain 6, subheading e in the old version.
      3. Database security (e.g., inference, aggregation, data mining, data analytics, warehousing) – From Domain 6, subheading e in the old version.
      4. Large-scale parallel data systems – New
      5. Distributed system (e.g., cloud computing, grid computing, peer to peer) – From Domain 6, subheading e in the old version.
      6. Cryptographic systems – New
      7. Industrial control system (e.g., SCADA) – New
    6. Assess and mitigate vulnerabilities in web-based systems (e.g., XML, OWASP) – From Domain 6, subheading e in the old version.
    7. Assess and mitigate vulnerabilities in mobile systems – New
    8. Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, Internet of things (IoT)) – New
    9. Apply cryptography
      1. Cryptographic life cycle (e.g., cryptographic limitations, algorithm/protocol governance) – From Domain 5, subheading b in the old version.
      2. Cryptographic types (e.g., symmetric, asymmetric, elliptic curves) – From Domain 5, subheading c in the old version.
      3. Public Key Infrastructure (PKI) – From Domain 5, subheading j in the old version.
      4. Key management practices – From Domain 5, subheading d in the old version.
      5. Digital signatures – From Domain 5, subheading e in the old version.
      6. Digital rights management – New
      7. Non-repudiation – From Domain 5, subheading f in the old version.
      8. Integrity (hashing and salting) – From Domain 5, subheading c in the old version.
      9. Methods of cryptanalytic attacks (e.g., brute force, cipher-text only, known plaintext) – From Domain 5, subheading g in the old version.
    10. Apply secure principles to site and facility design – From Domain 10, subheading a in the old version.
    11. Design and implement physical security.
      1. Wiring closets – New
      2. Server rooms – From Domain 10, subheading d in the old version.
      3. Media storage facilities – New
      4. Evidence storage – New
      5. Restricted and work area security (e.g., operations centers) – From Domain 10, subheading d in old version.
      6. Data center security – From Domain 10, subheading d in old version.
      7. Utilities and HVAC considerations – From Domain 10, subheading d in old version.
      8. Water issues (e.g., leakage, flooding) – From Domain 10, subheading d in old version.
      9. Fire prevention, detection, and suppression – From Domain 10, subheading d in the old version.
Domain 3 – Just the New Topics, Ma’am

Next, here’s a shortlist of the entirely new topics in Domain 3.

Knowledge Area A, Implement and manage engineering processes using secure design principles, is a new knowledge area. It covers the secure design principles that need to be understood to pass the exam, including ISO/IEC and NIST standards.

From Knowledge Area E, Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements:

  • Large-scale parallel data systems – This is a new topic. This topic will focus on the vulnerabilities of large-scale parallel data systems.
  • Cryptographic systems – This is a new topic. This topic will focus on the vulnerabilities of cryptographic systems.
  • Industrial control system (e.g., SCADA) – This is a new topic. This topic will focus on the vulnerabilities of industrial control systems.

Knowledge Area G, Assess and mitigate vulnerabilities in mobile systems, is also a new knowledge area. It covers the vulnerabilities of mobile systems. 

Knowledge Area H, Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, Internet of things (IoT)), is also a new knowledge area. This covers the vulnerabilities of embedded devices and cyber-physical systems.

From Knowledge Area I, Apply cryptography:

  • Digital rights management – This is a new topic. It focuses on using cryptography to provide digital rights management (DRM), including digital watermarking and other access control methods.

From Knowledge Area K, Design and implement physical security:

  • Wiring closets – This is a new topic. It discusses the physical security of wiring closets.
  • Media storage facilities – This is a new topic. It discusses the physical security of media storage facilities.
  • Evidence storage – This is a new topic. It discusses how to properly store evidence.
Domain 4: Communication and Network Security – Framework and Key Areas of Knowledge

The majority of Domain 4 consists of content formerly included in the old Domain 2 (Telecommunications and Network Security).

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Apply secure design principles to network architecture (e.g., IP & non-IP protocols, segmentation)
    1. OSI and TCP/IP models – From Domain 2, subheading a in the old version.
    2. IP networking – From Domain 2, subheading a in the old version.
    3. Implications of multilayer protocols (e.g., DNP3) – From Domain 2, subheading a in the old version.
    4. Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI) – New
    5. Software-defined networks – New
    6. Wireless networks – New
    7. Cryptography used to maintain communication security – From Domain 5, subheading h in the old version.
  2. Secure network components.
    1. Operation of hardware (e.g., modems, switches, routers, wireless access points, mobile devices) – From Domain 2, subheading b in the old version.
    2. Transmission media (e.g., wired, wireless, fiber) – From Domain 2, subheading b in the old version.
    3. Network access control devices (e.g., firewall, proxies) – From Domain 2, subheading b in the old version.
    4. Endpoint security – From Domain 2, subheading b in the old version.
    5. Content-distribution networks – New
    6. Physical devices – New
  3. Design and establish secure communication channels.
    1. Voice – From Domain 2, subheading c in the old version.
    2. Multimedia collaboration (e.g., remote meeting technology, instant messaging) – From Domain 2, subheading c in the old version.
    3. Remote access (e.g., VPN, screen scraper, virtual application/desktop, telecommuting) – From Domain 2, subheading c in the old version.
    4. Data communications (e.g., VLAN, TLS/SSL) – From Domain 2, subheading c in the old version.
    5. Virtualized networks (e.g., SDN, virtual SAN, guest operating systems, port isolation) – New
  4. Prevent or mitigate network attacks – From Domain 2, subheading d in the old version.
Domain 4 – Just the New Topics already

Here’s a closer look at the new topics in Domain 4.

From Knowledge Area A, Apply secure design principles to network architecture (e.g., IP & non-IP protocols, segmentation):

  • Converged protocols (e.g., FCoE, MPLS, VoIP, iSCSI) – This is a new topic. It discusses secure design principles for converged protocols.
  • Software-defined networks – This is a new topic. It covers secure design principles for software-defined networks at the infrastructure, control, and application layers.
  • Wireless networks – This is a new topic. It covers secure design principles for wireless networks. 

From Knowledge Area B, Secure network components 

  • Content-distribution networks – This is a new topic. It discusses secure network components for content-distribution networks.
  • Physical devices – This is a new topic. It discusses issues of security for the physical devices used for content-distribution networks.

From Knowledge Area C, Design and establish secure communication channels

  • Virtualized networks (e.g., SDN, virtual SAN, guest operating systems, port isolation) – This is a new topic. It covers the secure communication channels for virtualized networks.
Recap

In the coming weeks, I will be posting the other 2 parts of this series. (Hyperlinks will be added as the posts are written.)

      • Part 1 covered general information about the new CISSP.
      • Part 2 covered new domains 1 and 2.
      • Part 3 (this post) covers new domains 3 and 4.
      • Part 4 will cover new domains 5 and 6.
      • Part 5 will cover new domains 7 and 8.

The next two posts will come over the next few weeks.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin

CISSP 2015: What’s New (Part 2 of 5)

September 16, 2015 at 6:29 am | Posted in CISSP, Study hints, study tips, Vendor news | Leave a comment

In my first post, I gave you a quick overview of the changes to the new CISSP exam. The topics there should at least help you get started preparing for the exam. With this post, I’ll start discussing the domains covered by the new CISSP exam.

The former version of CISSP had 10 domains:

  1. Access Control
  2. Telecommunications and Network Security
  3. Information Security Governance and Risk Management
  4. Software Development Security
  5. Cryptography
  6. Security Architecture and Design
  7. Security Operations
  8. Business Continuity and Disaster Recovery Planning
  9. Legal, Regulations, Investigations, and Compliance
  10. Physical Security

With the 2015 update, the content was rearranged into 8 domains:

  1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  2. Asset Security (Protecting Security of Assets)
  3. Security Engineering (Engineering and Management of Security)
  4. Communications and Network Security (Designing and Protecting Network Security)
  5. Identity and Access Management (Controlling Access and Managing Identity)
  6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

Today I will cover the first two domains, Security and Risk Management and Asset Security. First I’ll give you the entire overview of each domain with its Key Areas of Knowledge, tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 1: Security and Risk Management – Framework and Key Areas of Knowledge

The majority of the new Domain 1 merges topics from the old Domain 3 (Information Security Governance & Risk Management) and Domain 9 (Legal, Regulations, Investigations, & Compliance).

Domain 1 Key Areas of Knowledge:

    1. Understand and apply concepts of confidentiality, integrity, and availability. – From Domain 3, subheading c in old version.
    2. Apply security governance principles through:
      1. Alignment of security function to strategy, goals, mission, and objectives (e.g., business case, budget, and resources) – From Domain 3, subheading a and j in old version.
      2. Organizational processes (e.g., acquisitions, divestitures, governance committees) – From Domain 3, subheading b in old version.
      3. Security roles and responsibilities – From Domain 3, subheading b and Domain 9, subheading c in old version.
      4. Control frameworks – From Domain 3, subheading b in old version.
      5. Due care – From Domain 3, subheading b in old version.
      6. Due diligence – From Domain 3, subheading b in old version.
    3. Compliance
      1. Legislative and regulatory compliance – From Domain 3, subheading b and Domain 9, subheading e in old version.
      2. Privacy requirements compliance – From Domain 3, subheading b in old version.
    4. Understand legal and regulatory issues that pertain to information security in a global context.
      1. Computer crimes – From Domain 9, subheading a in old version.
      2. Licensing and intellectual property (e.g., copyright, trademark, digital-rights management) – From Domain 9, subheading a in old version.
      3. Import/export controls – From Domain 9, subheading a in old version.
      4. Trans-border data flow – From Domain 9, subheading a in old version.
      5. Privacy – From Domain 9, subheading a in old version.
      6. Data breaches – New
    5. Understand professional ethics.
      1. Exercise (ISC)2 Code of Professional Ethics. – From Domain 9, subheading b in old version.
      2. Support organization’s code of ethics. – From Domain 9, subheading b in old version.
    6. Develop and implement documented security policy, standards, procedures, and guidelines. – From Domain 3, subheading d and j in old version.
    7. Understand business continuity requirements.
      1. Develop and document project scope and plan. – From Domain 8, subheading a in old version.
      2. Conduct business impact analysis. – From Domain 8, subheading b in old version.
    8. Contribute to personnel security policies.
      1. Employment candidate screening (e.g., reference checks, education verification) – From Domain 3, subheading h in old version.
      2. Employment agreement and policies – From Domain 3, subheading h in old version.
      3. Employment termination processes – From Domain 3, subheading h in old version.
      4. Vendor, consultant, and contractor controls – From Domain 3, subheading h in old version.
      5. Compliance – New
      6. Privacy – New
    9. Understand and apply risk management concepts.
      1. Identify threats and vulnerabilities. – From Domain 3, subheading g in old version.
      2. Risk assessment/analysis (qualitative, quantitative, hybrid) – From Domain 3, subheading g in old version.
      3. Risk assignment/acceptance (e.g., system authorization) – From Domain 3, subheading g in old version.
      4. Countermeasure selection – From Domain 3, subheading g in old version.
      5. Implementation – New
      6. Types of controls (preventive, directive, corrective, etc.) – From Domain 1, subheading a in old version.
      7. Control assessment – New
      8. Monitoring and measurement – New
      9. Asset valuation – From Domain 1, subheading b and Domain 3, subheading g in old version.
      10. Reporting – New
      11. Continuous improvement – New
      12. Risk frameworks – New
    10. Understand and apply threat modeling. – Although some of this topic was covered in Domain 1, subheading b, the majority of this topic is new.
      1. Identifying threats (e.g., adversaries, contractors, employees, trusted partners) – New
      2. Determining and diagramming potential attacks (e.g., social engineering, spoofing) – New
      3. Performing reduction analysis – New
      4. Technologies and processes to remediate threats (e.g., software architecture and operations) – New
    11. Integrate security risk considerations into acquisition strategy and practice
      1. Hardware, software, and services – New
      2. Third-party assessment and monitoring (e.g. on-site assessment, document exchange and review, process/policy review) – From Domain 3, subheading f in the old version.
      3. Minimum security requirements – New
      4. Service-level requirements – New
    12. Establish and manage information security education, training, and awareness – From Domain 3, subheading 1 in old version. Although this topic is covered there, the 2015 subheadings are all new.
      1. Appropriate levels of awareness, training, and education required within organization – New
      2. Periodic reviews for content relevancy – New

Domain 1 – Just the New Topics, Ma’am

Next, here’s a shortlist of the entirely new topics in Domain 1.

From Knowledge Area D. Understand legal and regulatory issues that pertain to information security in a global context:

  • Data breaches – While this is a “new” topic because it wasn’t originally in Domain 9, subheading a, most of the topics covered in this section should already be known to the security professional.

From Knowledge Area H. Contribute to personnel security policies:

  • Compliance – This is a new topic. While compliance is covered in other areas, the CISSP exam has never specifically covered compliance as related to personnel security policies. This topic will focus on the ways an organization can ensure that personnel complies with any security policies that are in place.
  • Privacy – This is a new topic. While privacy is covered in other areas, the CISSP exam has never specifically covered privacy as related to personnel. This topic will focus on the organization’s responsibility to ensure that personnel’s information remains private, and also on how to ensure that personnel understand the importance of privacy for any data the organization owns.

From Knowledge Area I. Understand and apply risk management concepts:

  • Implementation – This is a new topic. It focuses on following implementation guidelines when implementing a risk management process at an organization.
  • Control assessment – This is a new topic. It covers how to assess the controls that you have implemented.
  • Monitoring and measurement – This is a new topic. It covers monitoring and measuring risk and the controls that are implemented to protect against the risks.
  • Reporting – This is a new topic. It explains the process for reporting on risk management.
  • Continuous improvement – This is a new topic. It covers how to improve the risk management process over time.
  • Risk frameworks – While technically a new topic, risk frameworks were generally covered as part of the risk management process, just not as an individual topic. This topic is about any international and industry risk frameworks that may be available to help guide your organization.

From Knowledge Area J. Understand and apply threat modeling:

  • Identifying threats (e.g., adversaries, contractors, employees, trusted partners) – This is a new topic. It discusses the different threats to organizational security.
  • Determining and diagramming potential attacks (e.g., social engineering, spoofing) – This is a new topic. It focuses on the potential attacks that the threats can carry out.
  • Performing reduction analysis – This is a new topic. It discusses how to determine if threats and the attacks they carried out can be reduced.
  • Technologies and processes to remediate threats (e.g., software architecture and operations) – This is a new topic. It focuses on how to remediate the threats that you identified.

From Knowledge Area K. Integrate security risk considerations into acquisition strategy and practice:

  • Hardware, software, and services – This is a new topic. It analyzes the security risks when integrating hardware, software, and services when acquisitions occur.
  • Minimum security requirements – This is a new topic. It focuses on determining the minimum security requirements when an acquisition occurs.
  • Service-level requirements – This is a new topic. It discusses all facets of service-level requirements when acquisitions occur.

From Knowledge Area L. Establish and manage information security education, training, and awareness:

  • Appropriate levels of awareness, training, and education required within organization – This is a new topic. It covers levels of security awareness, training, and education that should be provided to personnel.
  • Periodic reviews for content relevancy – This is a new topic. It focuses on reviewing the security education, training, and awareness program to ensure that new security topics are covered.

Domain 2: Asset Security – Framework and Key Areas of Knowledge

The majority of Domain 2 consists of new knowledge areas and topics, though it also pulls in a bit of content formerly included in the old Domain 5 (Cryptography) and Domain 7 (Operations Security). Why is there so much new content to cover here? Big data is a big asset, and as (ISC)2 points out, privacy considerations have increased due to “the rapid expansion in the collection and storage of digitized personal information.”

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Classify information and supporting assets (e.g., sensitivity, criticality) – New
  2. Determine and maintain ownership (e.g., data owners, system owners, business/mission owners) – New
  3. Protect privacy – New
    1. Data owners – New
    2. Data processors – New
    3. Data remanence – New
    4. Collection limitation – New
  4. Ensure appropriate retention (e.g., media, hardware, personnel) – From Domain 7, subheading a in the old version.
  5. Determine data security controls (e.g., data at rest, data in transit) – From Domain 5, subheading a in old version. Although this topic is covered there, the 2015 subheadings are all new.
    1. Baselines – New
    2. Scoping and tailoring – New
    3. Standards selection – New
    4. Cryptography – New
  6. Establish handling requirements (markings, labels, storage, destruction of sensitive information) – From Domain 7, subheading a in the old version.

Domain 2 – Just the New Topics already

Here’s a closer look at the new topics in Domain 2.

Knowledge Area A, Classify information and supporting assets (e.g., sensitivity, criticality) – Although this is a new knowledge area, it was covered (though briefly) as part of the former CISSP. It covers the procedures for classifying information and assets as part of securing them.

Knowledge Area B, Determine and maintain ownership (e.g., data owners, system owners, business/mission owners) – This is a new knowledge area. It focuses on determining which organizational entity or personnel owns the assets you have identified.

Knowledge Area C, Protect privacy – This is another new knowledge area. It discusses protecting the privacy of information and assets. All of the subheadings in this category are also new.

  • Data owners – This is a new topic. It covers the responsibilities of data owners to ensure the privacy of information and assets.
  • Data processors – This is a new topic. It focuses on ensuring that all data processors (including personnel and other assets) understand the importance of information and asset privacy.
  • Data remanence – This is a new topic. It discusses data remanence and its effects on information and asset privacy.
  • Collection limitation – This is a new topic. It focuses on the collection limitations regarding asset privacy.

From Knowledge Area E, Determine data security controls (e.g., data at rest, data in transit):

  • Baselines – This is a new topic. It covers how to obtain data security control baselines.
  • Scoping and tailoring – This is a new topic. It analyzes how to scope and tailor the data security controls to meet the organization’s needs.
  • Standards selection – This is a new topic. It focuses on how to select the security control standards that your organization will use.
  • Cryptography – While technically a new topic, knowledge of cryptography and its effect on data security was covered in Domain 5 in the old version.

Recap

In the coming weeks, I will be posting the other 3 parts of this series. (Hyperlinks will be added as the posts are written.)

      • Part 1 covered general information about the new CISSP.
      • Part 2 (this post) covers new domain 1 and 2.
      • Part 3 will cover new domain 3 and 4.
      • Part 4 will cover new domain 5 and 6.
      • Part 5 will cover new domain 7 and 8.

The next three posts will come over the next few weeks.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin

CISSP 2015: What’s New (Part 1 of 5)

August 26, 2015 at 8:43 am | Posted in CISSP, Study hints, study tips | Leave a comment
Tags: , ,

As many of you are probably aware, (ISC)2 updated the Certified Information Systems Security Professional (CISSP) exam in April 2015. You may be worried that the update meant all the existing CISSP products out there immediately became obsolete. Fortunately, that is just not true.

So what did change? Well, there are several points that you need to understand about this new version. (ISC)2 posted a wonderful FAQ regarding the new version: https://www.isc2.org/cissp-sscp-domains-faq/default.aspx.

Here’s what I found from my own investigation of the new CISSP exam.

No topics were REMOVED from the exam.

From the FAQ link above: “Some topics have been expanded (e.g., asset security, security assessment and testing), while other topics have been realigned under different domains.” There was also this answer to a question: “Content was not removed from the exam and/or training material, but rather refreshed and reorganized to include the most current information and best practices relevant to the global information security industry.”

New topics WERE added to the exam.

From the FAQ link above: “The CISSP exam is being updated to stay relevant amidst the changes occurring in the information security field. Refreshed technical content has been added to the Official (ISC)² CISSP CBK to reflect the most current topics in the information security industry today.”

New item types WERE added to the exam.

The exam includes both multiple choice and “advanced innovative” questions. The new innovative questions are hot spot and drag-and-drop questions. For more information on these question types, see https://www.isc2.org/innovative-cissp-questions/default.aspx.

The exam contains the same number of questions as before.

This exam still has 250 questions. You still have 6 hours to complete the exam.

The exam was condensed from 10 domains to 8 domains.

But let me repeat, content was not removed. It was simply restructured.

The new domains are:

  1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  2. Asset Security (Protecting Security of Assets)
  3. Security Engineering (Engineering and Management of Security)
  4. Communications and Network Security (Designing and Protecting Network Security)
  5. Identity and Access Management (Controlling Access and Managing Identity)
  6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

The experience prerequisites have not changed.

Again, as per the FAQ: “For the CISSP, a candidate is required to have a minimum of 5 years of cumulative paid full-time work experience in 2 out of the 8 domains (experience in 2 out of the total number of domains) of the CISSP CBK.”

If you don’t meet the experience requirements, you can still take the exam.

Basically, if you take and pass the exam without having the experience requirements, you don’t get the CISSP certification, but you do become an Associate of (ISC)2. That means they give you six years to meet the experience and CISSP endorsement requirements. See https://www.isc2.org/how-to-become-an-associate.aspx for more information on this loophole.

More detailed analysis is in the works!

Now that you are caught up on the basics regarding this exam, you need to understand the difference between the old domains and new domains. In the coming weeks, I will be posting the other 4 parts of this series. (Hyperlinks will be added as the posts are written.)

  • Part 2 covers new domain 1 and 2
  • Part 3 covers new domain 3 and 4
  • Part 4 covers new domain 5 and 6
  • Part 5 covers new domain 7 and 8

Each of these posts will show you where any topics that were in the old version came from and highlight any new topics.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin Abernathy

Reader writes: Where can server admins find good PowerShell training?

November 10, 2014 at 12:48 pm | Posted in Microsoft, Study hints, study tips, Technical Tips | 1 Comment
Tags: , ,

Editor’s Note: Regarding PowerShell and Passing the Microsoft 70-410 exam: one trainer’s perspective (Part 2), reader Jeremy Brown recently commented: “I feel there should be more sections in training materials dedicated to recapping PS… there is a disparity between expected knowledge and printed material…” Blog post guest author Scott Winger attempts to find some workable solutions.

For those of us who aren’t yet PowerShell Masters, Jeremy’s point is painfully sharp when one considers code snippets such as this one from SANS.org’s Cyber Defense & Cybersecurity blog:

[[[[[[[[[
# A "filter" is a function whose body runs once per pipeline object ($_).
# This one returns the capture groups of $RegularExpression found in each input line.
filter extract-text ($RegularExpression)
{
    select-string -inputobject $_ -pattern $regularexpression -allmatches |
    select-object -expandproperty matches |
    foreach {
        # No capture groups: emit the whole match.
        if ($_.groups.count -le 1) { if ($_.value) { $_.value } }
        else
        {
            # groups[0] is the whole match; emit only groups 1..n.
            $submatches = select-object -input $_ -expandproperty groups
            $submatches[1..($submatches.count - 1)] | foreach { if ($_.value) { $_.value } }
        }
    }
}

# For every service: query its configuration with sc.exe, pull out the binary
# path and the account it runs as, attach both as new properties, and pass the
# augmented service object down the pipeline.
Get-Service | ForEach `
{
    $sctxt = sc.exe qc $_.name
    $Path = $sctxt | extract-text -reg 'BINARY_PATH_NAME\W+\:[\W\"]+([^\"]+)'
    $Identity = $sctxt | extract-text -reg 'SERVICE_START_NAME\W+\:[\W\"]+([^\"]+)'
    Add-Member -InputObject $_ -NotePropertyName "Path" -NotePropertyValue $Path
    Add-Member -InputObject $_ -NotePropertyName "Identity" -NotePropertyValue $Identity
    $_
} | format-list Name,DisplayName,Identity,Path
]]]]]]]]]

In this post, I’ll explain how you can teach yourself to analyze and create arbitrarily complex scripts, i.e., how to teach yourself to master PowerShell. But before starting, I want to share a little-known droll fact: there’s an annual contest to see who can deliberately write the most impossibly abstruse code:

http://www.ioccc.org

Although this contest is for programs written in C, I’ve included it to show that countless others have wrestled with code that’s far too complex.
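The three pipeline stages inside the snippet’s extract-text filter, run on a constructed sc.exe qc transcript so they can be stepped through offline. This is an added example, my code rather than the SANS post’s or the article author’s; the service name, path, account and the ConvertFrom-ScQueryConfig function are made up for illustration.

```powershell
# Added example (not the SANS post's code and not the article's). Re-traces the
# extraction stages of the snippet above against a constructed "sc.exe qc"
# transcript. The service name, binary path and account below are made up.

$sampleScOutput = @'
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExampleSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Example\svc.exe" -run
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Example Service
        DEPENDENCIES       :
        SERVICE_START_NAME : NT AUTHORITY\LocalService
'@

# sc.exe hands PowerShell one string per output line, and the snippet's filter
# sees one line at a time; split the here-string the same way.
$lines = $sampleScOutput -split "`r?`n"

# Both patterns are copied unchanged from the snippet. [\W\"]+ swallows the
# spaces and opening quote after the colon; ([^\"]+) captures up to the closing
# quote, or to end of line when the value is unquoted.
$pathRegex     = 'BINARY_PATH_NAME\W+\:[\W\"]+([^\"]+)'
$identityRegex = 'SERVICE_START_NAME\W+\:[\W\"]+([^\"]+)'

# Stage 1: Select-String emits a MatchInfo object for every line that matches;
# -AllMatches keeps every match on that line rather than only the first.
$matchInfo = $lines | Select-String -Pattern $pathRegex -AllMatches

# Stage 2: -ExpandProperty Matches unwraps MatchInfo into the underlying .NET
# System.Text.RegularExpressions.Match object(s).
$match = $matchInfo | Select-Object -ExpandProperty Matches

# Stage 3: Groups[0] is the whole match, Groups[1] the first capture group.
# The snippet's $submatches[1..($submatches.count - 1)] slice emits exactly
# the groups from index 1 onward.
"Whole match : $($match.Groups[0].Value)"
"Capture 1   : $($match.Groups[1].Value)"

# The three stages folded into one function that returns an object carrying the
# same Path and Identity properties the snippet attaches with Add-Member.
function ConvertFrom-ScQueryConfig {
    param([Parameter(Mandatory)][string[]] $Lines)

    # First capture group of the first matching line, or $null if none.
    # $Lines and the script-level regex variables are visible here through
    # PowerShell's dynamic scoping when the block is invoked with &.
    $firstCapture = {
        param([string] $Pattern)
        $m = $Lines | Select-String -Pattern $Pattern -AllMatches |
             Select-Object -ExpandProperty Matches | Select-Object -First 1
        if ($m) { $m.Groups[1].Value }
    }

    [pscustomobject]@{
        Name     = & $firstCapture 'SERVICE_NAME:\s*(\S+)'
        Path     = & $firstCapture $pathRegex
        Identity = & $firstCapture $identityRegex
    }
}

ConvertFrom-ScQueryConfig -Lines $lines | Format-List
```

On a live host the only change is feeding the function the real output, `sc.exe qc <ServiceName>`, in place of the constructed `$lines`; the stages themselves are identical.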

First, a few words in praise of PowerShell

Jeffrey Snover, Parser, Syntax, Major Domo, Rom-Com.

At this moment you should be thinking:

[[[[[[[[
Rom-Com…

What?!

Good Golly man! … Is that a typo or are you drunk?
]]]]]]]]

Let’s take a look at these words a little more closely and then you can decide whether or not I need a 12-step program (or at least an editor) before blogging for a hapless audience.

Jeffrey Snover:
He’s the guy who invented PowerShell. And, to give you an idea how important PowerShell is to your 70-410 endeavor, he’s also the Lead Architect for Windows Server 2012. So at this moment, you should be thinking, [[Holy SYNTAX DIAGRAM, Batman! If I’m gonna master Server 2012, I’d better learn PowerShell!]] This is absolutely true because, thanks to the vision of Mr. Snover, Server 2012 can be controlled, customized, queried, and tuned by over 2,400 PowerShell cmdlets.

Parser:
Precious few IT pros even know what a parser is, let alone recognize its quiet-yet-vital role in their success. But IT masters know parsers well. Whether you’re doing PowerShell, NSLookups, DiskPart.exe, or CMD.exe … heck, even when you’re clicking the mouse, it’s the parser that’s your Major Domo. It’s the parser that captures, interprets, and carries out your every syntactically correct command. So get to know PowerShell’s parser via the suggestions I’ve provided in the section below. And, then, practice, practice, practice.

Syntax:
Every language, spoken, written, mathematical, or musical, has a set of rules that its speakers have to know. And the rules for a language’s constructs are called its syntax. In the case of PowerShell, although at first you might be dazzled by its syntactical complexities, the mother of all PowerShell syntax diagrams fits on four printed pages. And this brings us to Rom-Com. You and PowerShell can do great things together. But, unlike two people in a cheesy romantic comedy who fall in love without speaking the same language, you and PowerShell won’t even get started if you don’t learn its syntax. So print and master the few pages of the PowerShell about_Command_Syntax file mentioned below.

Second, a curated list of resources and study tactics

Whenever one endeavors to learn a new programming language, a trip to the armory is a good first step, because you need learning resources.

Enter and explore the doorway to the Learning PowerShell Arsenal:
http://www.reddit.com/r/sysadmin/comments/2c2x22/best_place_to_learn_powershell/

Download the about_Command_Syntax document from Microsoft’s official PowerShell Syntax Authority. And I recommend that you keep it handy and refer to it often. (Here’s the link: http://technet.microsoft.com/en-us/library/hh847867.aspx)

Sign up for and become active on the Hey Scripting Guy PowerShell forum. Those of us who’ve been around long enough to remember the coveted, expensive, and hard-to-get IBM Red Books are astonished that this era’s IT experts are so helpful by tradition — and for free. Here’s the Hey Scripting Guy link: http://blogs.technet.com/b/heyscriptingguy/

Head over to YouTube and root out the many excellent PowerShell videos, such as this one from TechEd North America 2014:
https://www.youtube.com/watch?v=SSJot1ycM70

Study complex PowerShell code on your breaks and before bed.

And now for the big guns:  Buy Don Jones’ and Jeffery Hicks’ Learn Windows PowerShell 3 in a Month of Lunches. Lunch is optional, but the labs are not: do them as you work through each chapter.

[Editor’s note: I’m amending Scott’s post to second the reader’s recommendation of Windows PowerShell Best Practices by Hey Scripting Guy writer Ed Wilson, highlighted in a comment below.]

Third, the call to action

Fire up PowerShell and start with some “get” statements so you’ll do no harm. Then take your first baby steps using some simple “set” statements.

Then, start building your own custom library of scriptlets with commonly used categories, such as:

\Enumerating\ActiveDirectory,
\Enumerating\FileSystem,
\Parsing\TextFiles,
\Parsing\Strings,
\Parsing\TableData,
\Parsing\ObjectData,
\Writing\[same folders as parsing]
etc.

Proceed apace to Advanced Analytical PowerShelling:

Predict the results/output of PowerShell code that’s a step or two or even way beyond your current abilities. Then run the script and compare your guesstimates to the results. Of course, for this type of practice, a computing sandbox in which you can unleash total annihilation is a must.

Correspond with experts by seeking out and participating in PowerShell special use case blogs, such as those at SANS Security and elsewhere:
http://cyber-defense.sans.org/blog/category/powershell

Look into the relationship PowerShell has with .NET and how you can use PowerShell underneath the graphical world of C#.

Take PowerShell to new unconquered worlds via Desired State Configuration Tool, Puppet Forge, and PowerCLI.

And here are some thoughts and words for those who would be PowerShell Mystics:

Study the notion of an Abstract Syntax Tree; diagram pieces of its underlying data structure on paper. Then celebrate as you come to understand how PowerShell’s Tab Completion feature works.
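To make the AST concrete, here is an added example (my code, not the article author’s) that hands a constructed fragment in the style of the SANS snippet to PowerShell’s own parser, then lists every command invocation with its nesting depth and every assignment. The fragment is parsed, never executed, so it needs no live system; Get-ScriptStructure and the fragment are names and text I made up.

```powershell
# Added example (not the article's): ask PowerShell's parser for the abstract
# syntax tree of a script fragment and walk it, the programmatic form of the
# paper diagram suggested above. The fragment is a constructed, shortened
# cousin of the SANS snippet; extract-text need not exist to parse it.
using namespace System.Management.Automation.Language

$fragment = @'
Get-Service | ForEach-Object {
    $sctxt = sc.exe qc $_.Name
    $Path  = $sctxt | extract-text -reg 'BINARY_PATH_NAME\W+\:[\W\"]+([^\"]+)'
    $_
} | Format-List Name, Path
'@

function Get-ScriptStructure {
    param([Parameter(Mandatory)][string] $Source)

    # ParseInput returns the root ScriptBlockAst and fills the token and error
    # arrays through [ref]; a non-empty $errors means the tree is partial.
    $tokens = $null; $errors = $null
    $ast = [Parser]::ParseInput($Source, [ref] $tokens, [ref] $errors)
    foreach ($e in $errors) { Write-Warning $e.Message }

    # FindAll walks the tree depth-first; the predicate chooses node kinds.
    # A CommandAst is every cmdlet, alias, function or external-program call,
    # whatever block it is nested in.
    $commandRows = foreach ($cmd in $ast.FindAll({ $args[0] -is [CommandAst] }, $true)) {
        # Walking .Parent up to the root gives the nesting depth, which a
        # hand-drawn tree shows as indentation.
        $depth = 0; $node = $cmd.Parent
        while ($node) { $depth++; $node = $node.Parent }
        [pscustomobject]@{
            Kind  = 'Command'
            Depth = $depth
            Line  = $cmd.Extent.StartLineNumber
            Text  = $cmd.GetCommandName()
        }
    }

    # Assignments: which variables the script writes and from what, the first
    # thing to map when analysing an unfamiliar script.
    $assignRows = foreach ($asg in $ast.FindAll({ $args[0] -is [AssignmentStatementAst] }, $true)) {
        [pscustomobject]@{
            Kind  = 'Assignment'
            Depth = 0
            Line  = $asg.Extent.StartLineNumber
            Text  = '{0} <- {1}' -f $asg.Left.Extent.Text, $asg.Right.Extent.Text
        }
    }

    # The token stream is the parser's first pass over the text; tab completion
    # and syntax colouring start from these same tokens.
    $tokenSummary = ($tokens | Group-Object Kind | Sort-Object Count -Descending |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }) -join ' '

    [pscustomobject]@{
        Nodes  = @($commandRows) + @($assignRows)
        Tokens = $tokenSummary
    }
}

$result = Get-ScriptStructure -Source $fragment
$result.Nodes | Sort-Object Line, Depth | Format-Table Kind, Depth, Line, Text
$result.Tokens
```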

Study rudimentary Data Structures: Arrays, B-Trees, Heaps, Linked Lists, etc., because it’s the data structures that lie at the heart of all programming. Understanding underlying data structures is also, often, the key to troubleshooting complex IT problems.

If you’ve got comments, I’d like to hear ’em.

And good luck with your 70-410,

Scott

P.S. If you’ve been wondering, [What’s up with the square brackets?] Well, speaking of parsers, I had the good fortune of taking a Programming Languages and Compilers course at one of the world’s greatest Computer Science universities. And when one writes a parser to carry out specific commands, one quickly absorbs the nature and value of brackets, braces, and parentheses. So the brackets are this scrivener’s habit and they are what they seem: a simple delimiter for emphasis.

Editor’s note: today’s guest post was written by IT instructor Scott Winger. Scott is a computing technologist at the University of Wisconsin in Madison and a technical editor for VMware Press. He also teaches continuing education classes in IT for Madison College.

PMP for iPad: Transcender’s PMP5ED flash card app now in iTunes

October 29, 2014 at 1:40 pm | Posted in PMI, Study hints, Transcender news | Leave a comment
Tags: , , , ,

Good news for those of you in the Apple ecosystem: the iTunes store now carries an iPhone/iPad compatible version of our PMP5ED Flash Cards mobile app.

Here’s a quick feature list:

  • Over 1,000 questions covering all exam objectives
  • Simple and intuitive flash card interface
  • Easy self-grading
  • Answer history tracking and reporting
  • Customizable based on your reading preferences
  • Supports iPads and iPhones running iOS 7 and later

The app costs $3.99 and is available for download today.
