PolitiHack, Or How I Learned to Stop Worrying About Russians Influencing the US Election and Learned to Love Cybersecurity
December 23, 2016 at 4:12 pm | Posted in cybersecurity, Knowledge | 2 Comments
Tags: attacker, casp, ceh, cfr, CISSP, cozy bear, cybersecurity, DNC, fancy bear, fbi, GSEC, guccifer 2.0, Hackers, Russia, Security+
Hacktivism and cyberespionage are certainly nothing new, especially emanating from Russia. But the 2016 US presidential election was a swift education for Americans and the watching world regarding the widespread consequences of a successful APT (advanced persistent threat). A joint statement issued by the Department of Homeland Security and the Office of the Director of National Intelligence on Election Security stated that the “U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations” (emphasis ours).
Thanks to the detailed reporting from the New York Times, the fog of war is beginning to clear and the full extent of the cyberattack has become clear. And what is increasingly apparent is that at every stage, cybersecurity training could have significantly mitigated or (perhaps) even prevented portions of the attack altogether.
Enter the low-rung MIS contractor hired by the DNC — Yared Tamene. He claims no cybersecurity expertise, much less any cybersecurity-related certification like GSEC, CASP, CISSP, CEH or CFR. So it’s hardly appropriate to assign him the brunt of the blame. Instead, we should use his example to learn how cybersecurity knowledge and skills could have better informed the fateful decisions that he, and many others, made along the way.
In the fall of 2015, the FBI noticed some unusual outgoing network traffic from the DNC network, suggesting that at least one computer was compromised. The early forensics linked the compromise to a known Russian cyberespionage group going by the moniker “the Dukes” (AKA “Cozy Bear” and “APT29”), who had, in just the last few years, penetrated the White House, State Department and Joint Chiefs of Staff email systems. A special agent picked up the phone, called Tamene, and told him what they knew.
Before we even get to Tamene’s response, any trained cybersecurity first responder knows why the FBI called via phone rather than emailing their dire message. Communication during a security incident should be out-of-band, meaning outside of the primary communication channels (primarily the network, where the attacker could be listening). Ironically, Tamene was convinced that the FBI call was a hoax, and after repeated calls over the next few months, he ignored the urgency. In November, the FBI even confirmed with Tamene that known malware was routing data to servers located in Moscow.
Tags: casp, exam expirations, Security+
Winter holidays are crunch time for many folks. Certification test-takers are no exception, as vendors typically choose the end of the calendar year to retire exams. Those seeking to earn (or renew) their Security+ have until December 31, 2014 to take the older edition of the exam, SY0-301 / JK0-018.
When the newer edition of this exam, SY0-401, was released earlier this year, Robin Abernathy blogged extensively about the changes to the objectives, topic weighting, and method of item delivery, and how these changes would affect your plan of study. If you’re on the fence about whether to knock out the 301 or wait a little longer to sit the 401, her posts may give you the information you need to make that decision:
- Part One: Depth of topic coverage and item types
- Part Two: Changes to topics in domains 1, 2, and 3
- Part Three: Changes to domains 4, 5, and 6, plus new acronyms
You can still purchase the Transcender practice exam for Cert-SY0-301.
On an additional note, CompTIA has announced they will release an updated CASP certification exam, CAS-002, launching on January 20, 2015. The new exam will replace CAS-001, which will retire in May 2015.
Tags: casp, CompTIA, Performance-Based Testing, Security+
It’s getting close to that time of year again, folks. The CompTIA Academy Educator Conference will be held on August 1-3 in beautiful Phoenix, Arizona. (Now, I’m just taking everyone else’s word on the beautiful part. This will be my first visit there! But the pictures I’ve seen are lovely.)
This three-day event is well worth your time if you are an educator at any level (high school, college, professional) and you instruct individuals who are seeking CompTIA certifications. As a peer-to-peer networking resource, it’s beyond compare. You also get to rub elbows with some great folks – ehem – ME! Also, you don’t have to be a CompTIA Academy educator to attend. However, the sessions are designed to benefit Academy Partners. If your organization is not an Academy Partner, visit this site to learn how (and why) to become one: http://partners.comptia.org/Academy-Partner.aspx.
With the recent release of a new Security+ exam and the new CASP and Network+ exams due to be released in the coming months, it’s a great idea to attend this conference just to stay on top of things. My presentation on Friday will cover the new Security+ exam, the CASP exam, and some techniques for covering the new performance-based items in your classroom. I will also share some information about braindumps/piracy and why you should never use this type of content in your classroom. You can see the full schedule here: http://www2.comptia.org/events/events/academy-educator-conference/agenda.aspx
For all conference related information, including the agenda, registration information, exhibitor information, and hotel information, visit the CompTIA Academy Educator Conference page. If you register before July 31st, you pay $199 instead of $399 at the event. Believe me when I say that this will be the best $199 you will spend.
I would LOVE to see you there!
Tags: CompTIA, Security+
In my first post, I covered the overall changes from SY0-301 to SY0-401. I described how the exam is moving from “tell” to “show and tell,” with more emphasis on applying your knowledge to scenarios than simply answering fact-based questions.
In my second post, I went into detailed changes in the first three domains. This post will wrap up the topic-level changes that will affect those who previously studied for the SY0-301, as well as those who are approaching the Security+ exam for the first time. I’ll also cover the alphabet soup of new acronyms added to the list of “terms you should be familiar with.” Hang on to your hats!
Domain 4: Application, Data and Host Security Changes
Domain 4.1 is “Explain the importance of application security controls and techniques.” There are two new topics for this domain: NoSQL databases vs. SQL databases, and Server-side vs. Client-side validation.
In SY0-301, mobile devices were covered as a subdomain of Domain 4.2, “Carry out appropriate procedures to establish host security.” The 2014 test makes mobile devices the sole topic of Domain 4.2, which is now called “Summarize mobile security concepts and technologies.” This domain covers these topics, all of which are new to the Security+ exam (with the exception of GPS):
- Device security
- Full device encryption
- Remote wiping
- GPS (included in 4.2 in SY0-301)
- Application control
- Storage segmentation
- Asset tracking
- Inventory control
- Mobile device management
- Device access control
- Removable storage
- Disabling unused features
- Application security
- Key management
- Credential management
- Application whitelisting
- Transitive trust/authentication
- BYOD concerns
- Data ownership
- Support ownership
- Patch management
- Antivirus management
- Adherence to corporate policies
- User acceptance
- Architecture/infrastructure considerations
- Legal concerns
- Acceptable use policy
- On-board camera/video
The non-mobile device topics from the old Domain 4.2 are now in the new Domain 4.3, which states “Given a scenario, select the appropriate solution to establish host security.” There are a few new topics in this domain: OS hardening, white listing vs. black listing applications, trusted OS, host-based intrusion detection, and virtualization subtopics (including snapshots, patch compatibility, host availability/elasticity, security control testing, and sandboxing).
Domain 4.4 now states “Implement the appropriate controls to ensure data security” where this SY0-301 domain (which was 4.3) merely asked you to explain concepts in data security importance. The new topics in this domain are cloud storage, SAN, Handling Big Data, data in-transit/data at-rest/data in-use, permissions/ACL, and data policies (including wiping, disposing, retention, and storage).
Domain 4.5 is another new domain, called “Compare and contrast alternative methods to mitigate security risks in static environments” (aka “Did someone hack your refrigerator?”). The topics are divided into Environments and Methods, with the following subtopics:
- Embedded (Printer, Smart TV, HVAC control)
- Android and iOS
- Game consoles
- In-vehicle computing systems
- Network segmentation
- Security layers
- Application firewalls
- Manual updates
- Firmware version control
- Control redundancy and diversity
Domain 5: Access Control and Identity Management Changes
Domain 5.1 now states “Compare and contrast the function and purpose of authentication services” where the SY0-301 domain was about explaining this information. There are only two new topics here: SAML and Secure LDAP.
Domain 5.2 now states “Given a scenario, select the appropriate authentication, authorization or access control,” where the SY0-301 domain asked you to simply explain these concepts. Many of the topics have changed their wording, but are essentially the same concept. The only new topics in this category are authentication (TOTP, HOTP, CHAP, PAP), federation, and transitive trust/authentication.
Domain 5.3 now states “Install and configure security controls when performing account management, based on best practices.” The new topics included in this domain are as follows:
- Account policy enforcement (credential management; Group policy; password history, reuse, and length; and generic account prohibition)
- User access reviews
- Continuous monitoring
Domain 6: Cryptography Changes
Domain 6.1 now states “Given a scenario, utilize general cryptography concepts” where the SY0-301 domain asked you to summarize these concepts, so this is another domain that will now involve scenario-based questions. This domain has four new topics: session keys, in-band vs. out-of-band key exchange, ephemeral key, and perfect forward secrecy.
Domain 6.2 now states “Given a scenario, use appropriate cryptographic methods,” where this SY0-301 domain did NOT mention scenarios. The new topics for this domain are Diffie-Hellman, DHE, ECDHE, cipher suites (specifically strong vs. weak ciphers), and key stretching (PBKDF2, Bcrypt).
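Key stretching (PBKDF2, Bcrypt) appears in Domain 6.2 as a bare topic name. As an added example, not code from the original post, here is PBKDF2 used the way a defender uses it: a per-user random salt, a high iteration count that makes each password guess expensive, and a constant-time verify. The storage format `pbkdf2_sha256$iterations$salt$hash` and the 600,000-iteration default are this example's own assumptions (the count is in line with current OWASP guidance for PBKDF2-HMAC-SHA256, but pick it by measuring your own hardware); `hashlib.pbkdf2_hmac` is the standard-library function.

```python
import hashlib
import hmac
import os
import time

# Assumption for this example: a present-day iteration count for PBKDF2-HMAC-SHA256.
DEFAULT_ITERATIONS = 600_000


def pbkdf2(password: str, salt: bytes, iterations: int,
           length: int = 32, hash_name: str = "sha256") -> bytes:
    """Thin wrapper over the standard library so the RFC test vectors can be checked."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations, length)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Stretch the password with a fresh 16-byte salt and encode everything the
    verifier needs (scheme, cost, salt, derived key) in one string (example format)."""
    salt = os.urandom(16)
    dk = pbkdf2(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost; compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = pbkdf2(password, bytes.fromhex(salt_hex), int(iterations), len(dk_hex) // 2)
    return hmac.compare_digest(dk.hex(), dk_hex)


def cost_per_guess(iterations: int) -> float:
    """Seconds one derivation takes at this cost: the figure that decides how many
    guesses per second an attacker with a stolen hash table can make."""
    start = time.perf_counter()
    pbkdf2("correct horse battery staple", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = hash_password("Tr0ub4dor&3")
    print(record)
    print("right password:", verify_password("Tr0ub4dor&3", record))
    print("wrong password:", verify_password("Tr0ub4dor&4", record))
    # The weak setting beside the stretched one: 1 iteration is a plain salted hash.
    print(f"1 iteration:     {cost_per_guess(1):.6f} s/guess")
    print(f"{DEFAULT_ITERATIONS} iterations: {cost_per_guess(DEFAULT_ITERATIONS):.3f} s/guess")
```

Two things to notice when you run it: hashing the same password twice yields different records because the salt differs, which is what defeats rainbow tables (a Domain 3.2 topic), and the iteration count is the only knob that changes the attacker's guesses-per-second, which is what "key stretching" means.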
Domain 6.3 now states “Given a scenario, use appropriate PKI, certificate management and associated components” and is the result of combining Domains 6.3 and 6.4 from SY0-301 and adding the scenario stipulation. This domain has added topic coverage for certificate authorities and digital certificates, including OCSP and CSR.
Alphabet Soup: Acronyms to Know and Love
The Security+ exam objectives also include a list of acronyms. While I don’t advocate trying to memorize the entire list, it’s good to skim it and read up on terms you’re not familiar with. You may know that concept in practice, but not by the specific name it’s called on the Security+ exam. Or it may be a concept so familiar that it never occurred to you to make an acronym of it (such as TOTP – Top of the Page).
There are seventy new acronyms on the list (and only one removed – they no longer ask you to remember BOTS as Network Robots). I repeat, don’t panic: many of the new additions to the acronym list were already included as subtopics or topics on SY0-301. Also, the majority of these terms are familiar to anyone who does any kind of work in computers.
The completely new concepts are:
API – Application Programming Interface
ASP – Application Service Provider
BAC – Business Availability Center
BIA – Business Impact Analysis
BPA – Business Partners Agreement
BYOD – Bring Your Own Device
CAPTCHA – Completely Automated Public Turing Test to Tell Computers and Humans Apart
CIO – Chief Information Officer
COOP – Continuity of Operation Planning
CP – Contingency Planning (included as “IT contingency planning” in Domain 2.5 in SY0-301)
CSR – Control Status Register
CSU – Channel Service Unit
CTO – Chief Technology Officer
DHE – Data-Handling Electronics
DNAT – Destination Network Address Transaction
DSL – Digital Subscriber Line
DSU – Data Service Unit
ECDHE – Elliptic Curve Diffie-Hellman Key Exchange
ESN – Electronic Serial Number
GPO – Group Policy Object
HOTP – HMAC-based One-Time Password
HTML – HyperText Markup Language
IRP – Incident Response Procedure
ISA – Interconnection Security Agreement
ISSO – Information Systems Security Officer
ITCP – IT Contingency Plan (included as “IT contingency planning” in Domain 2.5 in SY0-301)
LAN – Local Area Network (was LANMAN, Local Area Network Manager, in SY0-301)
MaaS – Monitoring as a Service
MOU – Memorandum of Understanding
MPLS – Multi-Protocol Layer Switch
MTBF – Mean Time Between Failures (a topic in 2.7 in SY0-301)
MTTR – Mean Time to Recover (a topic in 2.7 in SY0-301)
MTTF – Mean Time to Failure (a topic in 2.7 in SY0-301)
NDA – Non-Disclosure Agreement
OCSP – Online Certificate Status Protocol
OLA – Open License Agreement
P2P – Peer to Peer
PAM – Pluggable Authentication Modules
PBKDF2 – Password-Based Key Derivation Function 2
PCAP – Packet Capture
PIV – Personal Identity Verification
ROI – Return of Investment
RPO – Recovery Point Objective
SAML – Security Assertions Markup Language
SAN – Storage Area Network
SCADA – System Control and Data Acquisition
SCEP – Simple Certificate Enrollment Protocol
SEH – Structured Exception Handler
SIEM – Security Information and Event Management
SOAP – Simple Object Access Point
SQL – Structured Query Language
SSD – Solid State Drive
TOTP – Top of the Page
TSIG – Transaction Signature
UEFI – Unified Extensible Firmware Interface
UDP – User Datagram Protocol
URI – Uniform Resource Identifier
UTM – Unified Threat Management
VDI – Virtualization Desktop Infrastructure
WPS – WiFi Protected Setup
WTLS – Wireless TLS
XML – Extensible Markup Language
That’s all, folks!
We have released our SY0-401 practice test, a feat we are especially proud of because we are the first product to market. Please visit the product page for more information!
Well, that’s all I have to say for now. I am sure that you will be hearing from me soon! -Robin
Tags: CompTIA, Performance-Based Testing, Security+, study tips, sy0-401
In my previous post, I covered the overall changes from SY0-301 to SY0-401. I described how the exam is moving from “tell” to “show and tell,” with more emphasis on applying your knowledge to scenarios than simply answering fact-based questions.
In this post I’ll delve into the first three domains and draw out the topic-level changes that may affect your study plan, especially if approaching your three-year renewal in Security+.
(In my final post, I’ll cover domains 4 through 6 and the list of acronyms.)
Domain 1: Network Security Changes
Domain 1.1 now states “Implement security configuration parameters on network devices and other technologies,” where this SY0-301 domain only asked you to explain each security function and its purpose. In addition, all-in-one security appliances are now referred to as UTM security appliances. These are now listed as including URL filters, content inspection, and malware inspection.
Domain 1.2 now states “Given a scenario, use secure network administration principles” where this SY0-301 domain focused on applying and implementing these principles. This particular change means that all questions now written for this domain will include scenarios.
Domain 1.3 now states “Explain network design elements and components” where the SY0-301 domain was only about distinguishing and differentiating between these components. The Cloud computing topic within this domain now has four new subtopics: Private, Public, Hybrid, and Community.
Domain 1.4 now states “Given a scenario, implement common protocols and services” where this SY0-301 domain was only about implementing common protocols. This particular change means that all questions now written for this domain will include scenarios. New protocols added to this domain include: iSCSI, Fibre Channel, FCoE, FTP, SFTP, TFTP, TELNET, HTTP, and NetBIOS. (Most of these were listed in Domain 1.5 in SY0-301 and were moved to this domain.) Also, this domain now includes a listing of port numbers that you should definitely know: 21, 22, 25, 53, 80, 110, 139, 143, 443, and 3389.
Domain 1.5 now states “Given a scenario, troubleshoot security issues related to wireless networking” where this SY0-301 domain was actually domain 1.6, where it read “Implement wireless network in a secure manner.” Once again, this domain change means that all questions now written for this domain will include scenarios. In addition, there are four new topics for this domain (the items marked 1.5 below).
All of the new topics added across Domain 1, with the sub-domain each belongs to, are:
- Application-aware devices (1.1)
- Unified threat management (1.2)
- Layered security / Defense in depth (1.3)
- OSI relevance (1.4)
- Captive portals (1.5)
- Antenna types (1.5)
- Site surveys (1.5)
- VPN (over open wireless) (1.5)
Domain 2: Compliance and Operational Security Changes
There were so many new topics added in this domain that I have chosen to list them in the domain description (to prevent slow death by bulleted list).
Domain 2.1 now states “Explain the importance of risk-related concepts” instead of just defining the concepts, as in SY0-301. The topics that have been added to this domain are: False negatives, SLE, ARO, MTTR, MTTF, MTBF, Vulnerabilities, Threat vectors, Probability / threat likelihood, Recovery time objective, and recovery point objective.
Domain 2.2 is a new objective: “Summarize the security implications of integrating systems and data with third parties.” The topics included in this domain are as follows:
- On-boarding/off-boarding business partners
- Social media networks and/or applications
- Interoperability agreements
- Privacy considerations
- Risk awareness
- Unauthorized data sharing
- Data ownership
- Data backups
- Follow security policy and procedures
- Review agreement requirements to verify compliance and performance standards
Domain 2.3 now states “Given a scenario, implement appropriate risk mitigation strategies” instead of just carrying out these strategies as in SY0-301. One new topic was added to this domain: Enforce technology controls, including Data Loss Prevention (DLP).
Domain 2.4 is technically a new domain, but it was actually listed as a topic under Domain 2.4 in SY0-301. It states “Given a scenario, implement basic forensic procedures.” This is another domain that will include only scenario-based questions. Only one new topic is listed here: Big data analysis.
Domain 2.5 now states “Summarize common incident response procedures” where this SY0-301 domain was about executing the appropriate incident response procedures. All but one of the topics in this domain are new:
- Incident identification
- Escalation and notification
- Mitigation steps
- Lessons learned
- Recovery/reconstitution procedures
- First responder
- Incident isolation
- Device removal
- Data breach
Domain 2.6 is the same as Domain 2.4 in SY0-301. Topics that were added to this domain include: Role-based training, Information classification levels (High, Medium, Low, Confidential, Private, and Public), and Follow up and gather training metrics to validate compliance and security posture.
Domain 2.7 states “Compare and contrast physical security and environmental controls” and pulls some topics from SY0-301 Domain 2.6 Explain the impact and proper use of environmental controls. New topics to this domain include the following:
- Physical security
- Hardware locks
- Video Surveillance
- Proximity readers
- Access list
- Proper lighting
- Protected distribution (cabling)
- Motion detection
- Control types
Domain 2.8 is completely new and states “Summarize risk management best practices.” However, most of the topics in it are repeated from SY0-301 Domains 2.5 and 2.7. The NEW topics in this domain are as follows:
- Risk assessment
- IT contingency planning
- High availability
- Tabletop exercises
Domain 2.9 is completely new, and states “Given a scenario, select the appropriate control to meet the goals of security.” This domain, like many others, will only include scenario-based questions. The topics covered in this domain are as follows:
- Access controls
- Digital signatures
- Fault tolerance
- Escape plans
- Escape routes
- Testing controls
Domain 3: Threats and Vulnerabilities Changes
Domain 3.1 now states “Explain types of malware” where this SY0-301 domain asked you to analyze and differentiate malware. The new topics here are ransomware, polymorphic malware, and armored viruses.
Domain 3.2 now states “Summarize various types of attacks” where this SY0-301 domain was about analyzing and differentiating the attacks. Three new attack types were added to this domain: Password attacks (Brute force, Dictionary attacks, Hybrid, Birthday attacks, and Rainbow tables), typo squatting/URL hijacking, and watering hole attacks.
Domain 3.3 now states “Summarize social engineering attacks and the associated effectiveness with each attack” where this SY0-301 domain was about analyzing and differentiating these attacks. One new topic, Principles (reasons for effectiveness), was added with several subtopics: Authority, Intimidation, Consensus/Social proof, Scarcity, Urgency, Familiarity/liking, and Trust.
Domain 3.4 now states “Explain types of wireless attacks” where this SY0-301 domain was about analyzing and differentiating the attacks. Four new topics have been added to this domain: Near field communication, Replay attacks, WEP/WPA attacks, and WPS attacks.
Domain 3.5 now states “Explain types of application attacks” where this SY0-301 domain was about analyzing and differentiating the attacks. Four new topics have been added to this domain: Integer overflow, LSO (Locally Shared Objects), Flash Cookies, and Arbitrary code execution / remote code execution.
Domain 3.6 now states “Analyze a scenario and select the appropriate type of mitigation and deterrent techniques.” The major change to this domain is that it uses the word scenario, which implies that all questions on this topic will now be scenarios. There are no new topics in this domain.
Domain 3.7 now states “Given a scenario, use appropriate tools and techniques to discover security threats and vulnerabilities” where this SY0-301 domain was about implementing these tools. Once again, scenarios are specifically mentioned as being the question type for this domain. Two new tools are listed in this domain: Passive vs. active tools and Banner grabbing.
Domain 3.8 now states “Explain the proper use of penetration testing versus vulnerability scanning.” Three vulnerability scanning topics have been added to this domain: Intrusive vs. non-intrusive, Credentialed vs. non-credentialed, and False positive.
Stay tuned next week, when I’ll finish out my summary of changes in Domains 4, 5, and 6!
Until next time!
Tags: CompTIA, Performance-Based Testing, Security+, study tips
Has it been three years already? It seems like just last week I was talking about SY0-301, and now here I am trying to catch my breath after pushing the 2014 Security+ exam, SY0-401, over the finish line and into our practice test lineup. (But really, I am just glad to finally get to write about something other than project management.) As usual, the new Security+ exam will include many of the same topics as the previous version. In this post I’ll focus on the overall differences between SY0-301 and SY0-401. In the next two posts (get excited!) I’ll take a closer look at changes within the examination blueprint, which can be downloaded here from CompTIA. (Note: the download requires you to provide personal information.)
Topics and weightings
At first glance, it may seem that very little has changed. The six domains are the same apart from some shifts in weighting (the percentage of the test devoted to that topic):
- 1.0 Network Security: 20% (21% in SY0-301)
- 2.0 Compliance and Operational Security: 18% (no change)
- 3.0 Threats and Vulnerabilities: 20% (21% in SY0-301)
- 4.0 Application, Data and Host Security: 15% (16% in SY0-301)
- 5.0 Access Control and Identity Management: 15% (13% in SY0-301)
- 6.0 Cryptography: 12% (11% in SY0-301)
As you can see from these numbers, this new distribution will probably only mean one or two questions more for Domains 5 and 6. But it’s more important to note that within each domain, there are many topic-level changes that will affect your study plan. Within these domains CompTIA has added several new topics which were not tested in 301. These new topics include application-aware devices, unified threat management, defense-in-depth, OS hardening, white-listing versus black-listing, and many others that I’ll cover in the next two posts. There are three new sub-domains distributed among Domains 2 and 4. These new sub-domains add topic coverage on mobile security, mitigating security risks in a static environment, and implementing basic forensic procedures. That last sub-domain leads neatly into my next topic: you can expect increased difficulty and more applied concept questions on the new Security+ exam, in comparison to the older style of asking straight knowledge-based questions.
Stop, Drop, & Scenario!
While many of the sub-domains cover the same list of topics, CompTIA has changed many of the keywords from “understand” and “explain” to “implement” and “troubleshoot.” Several also show the addition of one important phrase: “given a scenario.” Because this phrasing was added to so many domains, I feel I should take a little time to explain the distinction. As many of you know, the Security+ exam has been considered a mostly knowledge-based exam that includes mostly knowledge-based questions. Scenario questions are the next logical step up from knowledge-based questions. They expect you to take those tidbits of knowledge that you have memorized, remember them, and then apply them in the scenario to come up with the correct answer. Let me give you an example. First, look at a sample knowledge-based question from our practice test:
Which of the following is a default port used by FTP?
- a. 20
- b. 53
- c. 80
- d. 443
Now look at another example, which turns this same question into a scenario:
Your company has recently implemented a new firewall. Users start complaining that they are unable to access resources on your company’s FTP server. What should you do?
- a. Open ports 20 and 21 on the new firewall.
- b. Open port 53 on the new firewall.
- c. Open port 80 on the new firewall.
- d. Open port 443 on the FTP server.
As you can see from my examples, you still need the same basic knowledge to answer both of these questions. So REALLY, answering these two questions is the same level of difficulty, but by adding the scenario you are ensuring that the student understands how the knowledge applies in a real-world situation. Instead of remembering which port belongs with FTP, the student also has to identify the location where the ports should be configured. I could also increase the difficulty of the scenario question by including more invalid options. We have released our SY0-401 practice test, a feat we are especially proud of because we are the first product to market. Please visit the product page for more information!
The next post will dive into the topic-level changes in Network Security (Domain 1), Compliance and Operational Security (Domain 2), and Threats and Vulnerabilities (Domain 3).
I’ll cover the other three domains in the final post in this series.
Until next time! –Robin
Tags: comptia educator's conference, Security+
For the last two years, I have been attending the CompTIA Academy Educator Conference (which used to be part of CompTIA Breakaway, which is now renamed ChannelCon…but I digress!). The first year I was an attendee and just took in all the IT certification information that was handed out. Last year in Las Vegas, I gave a small presentation on CompTIA’s CASP certification (you can read about that here).
This year, I will be speaking on “Security Certifications and Performance-Based Testing: Taking Your Students to the Next Level.” If you have attended this event in the past, you already know just how valuable it can be for educators who are responsible for any CompTIA training. And this year looks to be no different, especially when you consider all the changes that CompTIA has implemented over the past few years.
If you have never attended this event, I encourage you to do so, particularly if you provide training for any CompTIA certifications. At this event, you often get access to some A-list authors in an informal environment. They give you pointers and show you some of the tools you can use in your classroom. It is a great value – especially for its low cost.
And I have GREAT news – you can use Promo Code EDU25% to receive 25% off the published conference rate. Go to http://www.comptia.org/events/events/academy_educator/index.aspx to register and obtain conference details. (Register before 7/24 to get the best rate!)
Hope to see you there!
Tags: a+, CompTIA, network+, PBT, Performance-Based Testing, Security+
With the release of CompTIA’s new A+ series, 220-801 and 220-802, many of you will finally get your first look at CompTIA’s performance-based questions. The performance-based questions were actually first released by CompTIA in their CompTIA Advanced Security Practitioner (CASP) exam, but the CASP has a more limited audience than CompTIA’s A+, Network+, and Security+ exams.
Several members of our Content Development team have seen the CASP, the new A+ and Network+ performance-based questions, and we all feel that CompTIA is headed in the right direction with these item types. While we can’t share any details ourselves, CompTIA has released information over the past few weeks that will hopefully answer some of your questions. Here are a few resources I would recommend:
- I found a lot of information in the blog post titled “What Is a Performance-Based Question?” I suggest you read the blog post and watch the accompanying video.
- CompTIA also published another blog entry, titled Rigor of New CompTIA A+ 800 Series Exams Reflects Change in Entry-Level IT Roles, explaining the rationale behind the changed format and objectives.
- Pearson IT Certification announced that it will have a FREE Webcast about the new A+ 800-series exams on December 13, 2012. For more information, go to http://promos.pearsonitcertification.com/acton/fs/blocks/showLandingPage/a/1811/p/p-0058/t/page/fm/19. This Webcast looks especially suited for instructors, as it covers what’s new, improved, and different!
Did you notice CompTIA has increased the recommended hours of hands-on field experience to one year, up from the previously recommended six months? Those of us who have already taken the exam perceived a small but definite increase in difficulty. Again, with those performance-based items, you can either perform a task or you can’t. Hands-on experience is key. If the question simulates an action you do every day at work, then you’re probably going to find it a breeze. If it tests a concept you’ve only read about in books or studied in the abstract, it may take you a little longer to puzzle out the solution.
As I already mentioned, the new A+ and Network+ exams include performance-based questions. CompTIA will integrate performance-based questions into the Security+ exam in January.
So it looks like the move is permanent, folks! Embrace it! And know that what CompTIA has released is just the tip of the iceberg. Does anyone remember Microsoft’s 83-640 exam? I think that was a glimpse of where performance-based testing should really go.
Tags: casp, CompTIA, network+, Performance-Based Testing, Security+
As many of you may know, CompTIA introduced performance-based questions on the CompTIA Advanced Security Practitioner (CASP) certification exam. These questions have really added to the difficulty of the exam. The new A+ series (220-801 and 220-802), to be released in October 2012, will also include this item type. We were told that CompTIA was looking into expanding some of their other certifications to include this item type, but we weren’t told when the changes would occur other than “fourth quarter of 2012.”
Finally, CompTIA has released some concrete details about upcoming changes to the Network+ and Security+ certification exams. And the news? Both of these certifications will be adding performance-based questions in as soon as one month!
Network+ candidates: How the product changes affect you
For Network+, the last day to take this exam WITHOUT performance-based items is November 3, 2012. Starting on November 4, 2012, all Pearson VUE-delivered Network+ exams will include this item type.
CompTIA is encouraging individuals who are already studying for Network+ to take the current exam before the performance-based questions become incorporated. As part of this initiative, CompTIA will allow you to purchase a Network+ exam voucher by November 3 and save 15%. Purchase a Network+ Exam Voucher Now if you plan on taking the exam by November 3rd. Once you buy the voucher, you’ll have between ten and twelve months from the date of purchase to redeem it for a test. After November 3, these exam vouchers revert to full price.
Security+ candidates: How the product changes affect you
For Security+, the last day to take the exam WITHOUT performance-based items is December 31, 2012. Starting on January 5, 2013, all Pearson VUE-delivered Security+ exams will include this item type.
As with Network+, CompTIA is encouraging individuals already studying for Security+ to take the current exam before performance-based questions become incorporated. Purchase a Security+ exam voucher by December 31, 2012 and save 15%. Purchase Security+ Exam Voucher Now if you plan on taking the exam by December 31st. The voucher is valid for ten to twelve months from the date of purchase. On January 1, 2013, these exam vouchers revert to full price.
In addition, CompTIA has created a great video all about the CompTIA testing experience that includes information about the PBT item type. The item type discussion section starts at around the 5-minute mark, but I would suggest watching the whole video, because it contains some great information.
Transcender customers: how the product changes affect you
As far as the Transcender products go, we will definitely be adding performance-based items to our current practice tests. But keep in mind that we do NOT get an advance viewing of these items — so we cannot see what these items entail until November 3rd for Network+ and January 5th for Security+. Once we see how CompTIA handles the performance-based aspect, we will put together a plan for revising our practice products so that they’ll best prepare you for the actual exam. We anticipate that we’ll be adding our own performance-based items approximately 6-8 weeks after the CompTIA exams release.
Any Transcender customers who have an active practice test license at the time we release the product update will be able to update their purchase to the new version at NO additional cost. (What a great value add!)
Feel free to contact us with any questions you may have, and happy testing!
Tags: CISSP, resource review, Security+, study resources, study tips
Well, 2011 is more than halfway done, and my world has revolved around all things CompTIA. Between Windows 7 updates for the A+ exams and a new Security+ exam, I have had little time to focus on anything else. But the CISSP certification has been on my mind, mainly because I was already working on security topics for the Security+. So immediately after completing our new Security+ (SY0-301) practice test development, I began updating our CISSP practice test. This update will focus on expanding the explanations for our items, writing new items on new content, and editing existing references to cover the All-In-One CISSP Exam Guide, Fifth Edition.
The latest news is that an update to the CISSP exam is scheduled for January 1, 2012. Visit the ISC2 website, https://www.isc2.org/cib/Default.aspx, to download the newest Candidate Information Bulletin (CIB) for the CISSP. The CIB is a document that lists the knowledge areas that are covered in the exam. The CIB also contains candidate-focused information on the exam format, exam guidelines, and so on.
After downloading and reviewing the CIB, I realized our students (you) would probably appreciate an explanation of the changes that I noted. So what follows is a brief description of the changes. Please keep in mind that I am strictly analyzing the content of the CIB. I do not in any way have any inside knowledge about the new CISSP version that is coming in January aside from what is listed in the CIB. For each Knowledge area, I will be highlighting any changes in red. Changes include any new data or any data that is moved from one Knowledge Area, or subobjective, to another.
As always, the 2012 update to CISSP covers 10 main Knowledge Areas (changes are in bold, red font):
- Access Control
- Telecommunications and Network Security
- Information Security Governance and Risk Management
- Software Development Security (formerly Application Development Security)
- Cryptography
- Security Architecture and Design
- Security Operations (formerly Operations Security)
- Business Continuity and Disaster Recovery Planning
- Legal, Regulations, Investigations, and Compliance
- Physical (Environmental) Security
I will analyze the first five Knowledge Areas in this post. In the coming weeks, I will analyze the second five Knowledge Areas.
In the Access Control Knowledge Area, there are now four subobjectives instead of three. Subobjective 4 is completely new. Here are the new subobjectives for the Access Control Knowledge Area (changes are in red and boldface font):
| Subobjective | Description |
|---|---|
| 1 | Control access by applying the following concepts/methodologies/techniques: policies, types of controls (preventative, detective, corrective, etc.), techniques (e.g., non-discretionary, discretionary, and mandatory), identification and authentication, decentralized/distributed access control techniques, authorization mechanisms, and logging and monitoring. |
| 2 | Understand access control attacks: threat modeling, asset valuation, vulnerability analysis, access aggregation |
| 3 | Assess effectiveness of access controls: user entitlement, access review and audit |
| 4 | Identity and access provisioning lifecycle (e.g., provisioning, review, revocation) |
In the Telecommunications and Network Security Knowledge area, there are now four subobjectives instead of three. The former first subobjective for this Knowledge area, Establish secure data communications, is now included as part of subobjective 3. Here are the new subobjectives for the Telecommunications and Network Security Knowledge area (changes are in red and boldface font):
| Subobjective | Description |
|---|---|
| 1 | Understand secure network architecture and design (e.g., IP and non-IP protocols, segmentation): OSI and TCP/IP models, IP networking, implications of multi-layer protocols |
| 2 | Securing network components: hardware (e.g., modems, switches, routers, wireless access points), transmission media (e.g., wired, wireless, fiber), network access control devices (e.g., firewalls, proxies), end-point security |
| 3 | Establish secure communication channels (e.g., VPN, TLS/SSL, VLAN): voice (e.g., POTS, PBX, VoIP), multimedia collaboration (e.g., remote meeting technology, instant messaging), remote access (e.g., screen scraper, virtual application/desktop, telecommuting), data communications |
| 4 | Understand network attacks (e.g., DDoS, spoofing) |
In the Information Security Governance and Risk Management Knowledge area, there are now 10 subobjectives instead of 14. The Support certification and accreditation subobjective was completely deleted. The Develop and implement information security strategies and Assess the completeness and effectiveness of the security program subobjectives are now part of the Manage the security function subobjective. Finally, the professional ethics subobjective has been moved to the Legal, Regulations, Investigations, and Compliance Knowledge area. While subobjectives 5 and 6 may at first appear new, they are actually existing subobjectives that have been reworded. Here are the new subobjectives for the Information Security Governance and Risk Management Knowledge area (changes are in red and boldface font):
| Subobjective | Description |
|---|---|
| 1 | Understand and align security function to goals, mission, and objectives of the organization. |
| 2 | Understand and apply security governance: organizational processes (e.g., acquisitions, divestitures, governance committee), security roles and responsibilities, legislative and regulatory compliance, privacy requirements compliance, control frameworks, due care, and due diligence. |
| 3 | Understand and apply concepts of confidentiality, integrity, and availability. |
| 4 | Develop and implement security policy: security policies, standards/baselines, procedures, guidelines, and documentation. |
| 5 | Manage the information life cycle (e.g., classification, categorization, and ownership) |
| 6 | Manage third-party governance (e.g., on-site assessment, document exchange and review, process/policy review) |
| 7 | Understand and apply risk management concepts: identify threats and vulnerabilities, risk assessment/analysis (qualitative, quantitative, hybrid), risk assignment/acceptance, countermeasure selection, tangible and intangible asset valuation |
| 8 | Manage personnel security: employment candidate screening (e.g., reference checks, education verification), employment agreements and policies, employee termination processes, and vendor, consultant, and contractor controls. |
| 9 | Develop and manage security education, training, and awareness. |
| 10 | Manage the security function: budget, metrics, resources, develop and implement information security strategies, assess the completeness and effectiveness of the security program |
In the Software Development Security Knowledge area, the same subobjectives are listed, but within each subobjective there are some minor changes. For subobjective 1, risk analysis was removed. For subobjective 3, the tools used to assess the effectiveness of software security are no longer listed. Here are the new subobjectives for the Software Development Security Knowledge area (changes are in red):
| Subobjective | Description |
|---|---|
| 1 | Understand and apply security in the system life cycle: Development Life Cycle, Maturity models, Operation and maintenance, and Change management. |
| 2 | Understand the environment and security controls: security of the software environment, security issues of programming languages, security issues in source code (e.g., buffer overflow, escalation of privilege, backdoor), and configuration management. |
| 3 | Assess the effectiveness of software security |
In the Cryptography Knowledge area, a new subobjective has been added and two subobjectives have been minimally revised. Here are the new subobjectives for the Cryptography Knowledge area (changes are in red):
| Subobjective | Description |
|---|---|
| 1 | Understand the application and use of cryptography: data at rest (e.g., hard drive) and data in transit (e.g., “on the wire”). |
| 2 | Understand the cryptographic life cycle (e.g., cryptographic limitations, algorithms/protocol governance) |
| 3 | Understand encryption concepts: foundational concepts, symmetric cryptography, asymmetric cryptography, hybrid cryptography, message digests, and hashing. |
| 4 | Understand key management process: creation/distribution, storage/destruction, recovery, and key escrow. |
| 5 | Understand digital signatures. |
| 6 | Understand non-repudiation. |
| 7 | Understand methods of cryptanalytic attacks: chosen plain-text, social engineering for key discovery, brute force (e.g., rainbow tables, specialized/scalable architecture), cipher-text only, known plaintext, frequency analysis, chosen cipher-text, and implementation attacks. |
| 8 | Use cryptography to maintain network security. |
| 9 | Use cryptography to maintain application security. |
| 10 | Understand Public Key Infrastructure (PKI). |
| 11 | Understand certificate-related issues. |
| 12 | Understand information hiding alternatives (e.g., steganography, watermarking). |
Watch in the coming weeks for the second half of this post that covers the other Knowledge areas. During that post, I will explain how these changes may affect your studying habits and what it all means for our Transcender practice test.