CISSP 2015: What’s New (Part 4 of 5)

November 5, 2015 at 1:19 pm | Posted in CISSP, study tips | 2 Comments
Tags: , ,

In my first post, I gave you a quick overview of the changes to the new CISSP exam.  In my second post, I covered Domains 1 and 2 of the new CISSP exam. In my third post, I covered Domain 3 and 4 of the new CISSP exam.

Today I will cover the next two domains, Identity and Access Management and Security Assessment and Testing. In a nutshell, Domain 5 reflects the need to integrate cloud-based access control to workflows like Office 365 and Google Drive with on-premise access control, and Domain 6 adds coverage of designing, implementing, and analyzing security testing practices.

First I’ll give you the entire overview of each domain with its Key Areas of Knowledge, tell you where each topic fell in the old Candidate Information Bulletin (CIB), and put new topics in red italics. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails. (If you’d like, you can skip straight to the new stuff by clicking here.)

Domain 5: Identity and Access Management – Framework and Key Areas of Knowledge

CISSP 2012 covered identity management as a knowledge area in the access control domain. In CISSP 2015, identity management is elevated to the domain level and combined with access control. The majority of the old Domain 1 (Access control) has been moved to the new Domain 5 (Identity and Access Management), with the addition of new topics that cover identity, session, and credential management.

This domain also includes a few topics from the old Domain 10 (Physical (Environmental) Security).

Domain 5 Key Areas of Knowledge:

    1. Control physical and logical access to assets – From Domain 10, subheading e in the old version.
      1. Information – New
      2. Systems – From Domain 10, subheading e in the old version.
      3. Devices – From Domain 10, subheading e in the old version.
      4. Facilities – New
    2. Manage identification and authentication of people and devices – From Domain 1, subheading a in the old version.
      1. Identify management implementation (e.g., SSO, LDAP) – From Domain 1 in the old version.
      2. Single/multi-factor authentication (e.g., factors, strength, errors, biometrics) – From Domain 1 in the old version.
      3. Accountability – From Domain 1 in the old version.
      4. Session management (e.g., timeouts, screen savers) – New
      5. Registration and proofing of identity – New
      6. Federated identity management (e.g., SAML) – New
      7. Credential management systems – New
    3. Integrate identity as a service – New
    4. Integrate third-party identity services (e.g., on-premise) – New
    5. Implement and manage authorization mechanisms – From Domain 1, subheading a in the old version.
      1. Role-based access control (RBAC) methods – From Domain 1, subheading a in the old version.
      2. Rule-based access control methods – From Domain 1, subheading a in the told version.
      3. Mandatory access control (MAC) – From Domain 1, subheading a in the old version.
      4. Discretionary access control (DAC) – From Domain 1, subheading a in the old version.
    6. Prevent or mitigate access control attacks – From Domain 1, subheading b in old version.
    7. Manage the identity and access provisioning lifecycle (e.g., provisioning, review) – From Domain 1, subheading c and d in the old version.
Domain 5 – Just the New Topics, Ma’am

Next, here’s a shortlist of the entirely new topics in Domain 5.

Knowledge Area A, Control physical and logical access to assets, contains both new and old topics. The definition of “assets” is now a little more granular, replacing “systems and devices” with “information, systems, devices, and facilities.” The following topics within this Domain are new:

  • Information – This is a new topic. This topic will focus on controlling physical and logical access to information.
  • Facilities – This is a new topic. This topic will focus on controlling physical and logical access to buildings and equipment.

Knowledge Area B, Manage identification and authentication of people and devices, contains both new and old topics. The following topics within this Domain are new:

  • Session management (e.g., timeouts, screen savers) – This is a new topic. This topic will focus on mechanisms that provide session management, both online and at the physical client level.
  • Registration and proofing of identity – This is a new topic. This topic will focus on providing registration and using proof of identity mechanisms before issuing authentication credentials to personnel and devices.
  • Federated identity management (e.g., SAML) – This is a new topic. This topic will focus on  enterprise-level federated identity management used for single sign-on, including Active Directory Directory Services, SAML 2.0, and third-party identity providers.
  • Credential management systems – This is a new topic. This topic will focus on using a credential management system for large enterprises.

Knowledge Area C, Integrate identity as a service, is a new knowledge area. It covers using cloud-based identity-as-a-service (IDaaS) to provide single sign-on services for both SaaS and internal applications. 

Knowledge Area D, Integrate third-party identity services (e.g., on-premise), is also a new knowledge area. This covers using third-party identity services in an enterprise to access both cloud-based and on-premise applications.

Domain 6: Security and Assessment Testing – Framework and Key Areas of Knowledge

A portion of Domain 6 consists of content formerly included in the old Domain 1 (Access Control) and Domain 9 (Business Continuity and Disaster Recovery). However, the majority of this Domain contains content that was not specifically listed in the old CISSP version. To master this domain, you should know the various types of test strategies used by organizations, and understand the strengths and weaknesses of each approach. You should also understand how an organization’s information security policies should be implemented and continually validated. This domain combines policy with practice.

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown (which you can skip to by clicking here).

  1. Design and validate assessment and test strategies – New
  2. Control security control testing – New
    1. Vulnerability assessment – From Domain 1, subheading b in the old version.
    2. Penetration testing – From Domain 1, subheading b in the old version.
    3. Log reviews – New
    4. Synthetic transactions – New
    5. Misuse case testing – New
    6. Test coverage analysis – New
    7. Interface testing (e.g., API, UI, physical) – New
  3. Collect security process data – New
    1. Account management (e.g., escalation, revocation) – New
    2. Management review – New
    3. Key performance and risk indicators – New
    4. Backup verification data – New
    5. Training and awareness – New
    6. Disaster recovery and business continuity – New
  4. Analyze and report test outputs (e.g., automated, manual) – New
  5. Conduct or facilitate internal and third party audits – From Domain 9, subheading e in the old version.
Domain 6 – Just the New Topics already

Here’s a closer look at the new topics in Domain 6.

Knowledge Area A, Design and validate assessment and test strategies, is a new knowledge area. It covers the different assessment and test strategies that are used to verify that a control is functioning properly, including automated and manual tests. The key word is “design” – the candidate should understand how to build an integrated strategy, from risk assessment and baselining to implementation and reporting.

From Knowledge Area B, Control security control testing:

  • Log reviews – This is a new topic. It discusses using log review as part of a thorough security control testing plan.
  • Synthetic transactions – This is a new topic. It discusses synthetic transactions as part of security control testing.
  • Misuse case testing – This is a new topic. It discusses misuse cases as part of security control testing.
  • Test coverage analysis – This is a new topic. It discusses analyzing test coverage to ensure that all security controls are tested.
  • Interface testing (e.g., API, UI, physical) – This is a new topic. It discusses testing interfaces as part of security control testing.

From Knowledge Area C, Collect security process data:

  • Account management (e.g., escalation, revocation) – This is a new topic. It covers account management as part of collecting security process data.
  • Management review – This is a new topic. It covers management review of the collected security process data.
  • Key performance and risk indicators – This is a new topic. It covers the key performance and risk indicators that should be collected as part of security process data.
  • Backup verification data – This is a new topic. It covers verifying backup as part of security and assessment testing.
  • Training and awareness – This is a new topic. It covers training and awareness for users to ensure that they understand security and assessment testing.

Knowledge Area D, Analyze and report test outputs (e.g., automated, manual), is a new topic. It covers interpreting and recording the results of your own testing, as well as the results from third-party audits, and developing new mitigations based on test results.

Recap

In the coming weeks, I will be posting the other 2 parts of this series. (Hyperlinks will be added as the posts are written.)

      • Part 1 covered general information about the new CISSP.
      • Part 2 covered new domain 1 and 2.
      • Part 3 covered new domain 3 and 4.
      • Part 4 (this post ) covers new domain 5 and 6.
      • Part 5 will cover new domain 7 and 8.

The last post will come over the next few weeks.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!

-Robin

Passing the Microsoft 70-410 exam: one trainer’s perspective (Part 3)

October 6, 2014 at 8:35 am | Posted in Microsoft | Leave a comment
Tags: , , ,

“Imagination is more important than knowledge.” –Einstein

In Part 1 and Part 2 of this series, I mentioned the resources you need to investigate and listed some of the questions you must be able answer quickly and confidently when you take your 70-410 exam. In this third and final post, I’m going to discuss how to build the required knowledge base.

Consider the previously mentioned sets of port numbers and DHCP Option numbers that you’ll have to know for the exam.

Consider memorizing these as a rite of passage.

Dull… right?

Wrong!

If memorizing isn’t fun, you’re not doing it right.

But much more importantly, since you’re gonna forget most of that stuff anyway, you’ll want to know that there’s a secret sauce that master learners use.

Why The Mind is the Key To Mastery

Although Einstein is instructive, he’s subtle when he says imagination is more important than knowledge. Because that’s the key… right in front of your nose… and you were born with it. Once you’ve imagined a thing, really rendered it completely in your mind, you’re not going to forget it.

Here’s an example: Imagine a young child getting on a bus. Now imagine he’s got a note telling him the stops he’ll pass as he rides to his destination.

Got it?

A kid … with a note.

Now imagine an Active Directory Security Principal. Instead of a kid with a note, it’s a Data Structure – with a list of permissions specifying what can, and can’t, be accessed.

Suddenly it’s obvious, and you’ll never forget it: Security Principals are Active Directory Data Structures to which permissions can be assigned for the simple reason that Security Principals have a place, called an Access Token, in which permissions can be listed. And if it’s not a Security Principal, it can’t be assigned permissions. And if it can be assigned permissions, it’s a Security Principal. (See http://technet.microsoft.com/en-us/library/cc759267(v=ws.10).aspx for more detail.)

So, after rendering this image in your mind, there won’t be any memorization involved when you answer your questions about Security Principals. You’ll simply know what they are and you’ll consult your imagined rendering to answer those questions.

The point here isn’t about Security Principals.

It isn’t about Storage, Networking, Virtualization, or Deployments.

The point is that your imagination is your key to mastery.

And whether your goal is the 70-410 or something far beyond that, it’s your imagination that builds the unforgettable neuronal pathways you’re going to need.

Words To Live (And Study) By

I think there are other words of Einstein’s apropos to your 70-410 endeavor:

  • “To stay appropriately humble, don’t forget this one: “As our circle of knowledge expands, so does the circumference of darkness surrounding it.”
  • “To know whether or not you understand a thing sufficiently: “If you can’t explain it simply, you don’t understand it well enough.”

In that spirit:

Rock on.

Imagine.

Render.

Explain.

Discuss.

Describe.

Stoke a burning passion for mastery.

Good luck.

If you’ve got comments I’d like to hear ‘em,

Scott

Editor’s note: today’s guest post was written by IT instructor Scott Winger. Scott is a computing technologist at the University of Wisconsin in Madison and a technical editor for VMware Press. He also teaches continuing education classes in IT for Madison College.

Passing the Microsoft 70-410 exam: one trainer’s perspective (Part 2)

September 16, 2014 at 8:45 am | Posted in Microsoft, Study hints, study tips | 18 Comments
Tags: , , , ,

Editor’s note: today’s guest post was written by IT instructor Scott Winger. Scott is a computing technologist at the University of Wisconsin in Madison and a technical editor for VMware Press. He also teaches continuing education classes in IT for Madison College.

In Part 1, I provided a timeline for gathering resources and working yourself up to exam day. In this post, I’m going to focus on the exam’s content and provide examples from each of the 70-410 Objective Areas. In Part 3 I’ll provide tips for developing the required knowledge.

Vade Mecum (rhymes with shoddy kaboom): a handbook or guide that is kept constantly at hand for consultation. It’s the term elite computer scientists use when referring to a technical manual or field guide. But different types of manuals have different purposes:

  • “Run Books” tell you every keystroke for building a particular server, but are, by intent, skimpy on concepts.
  • The “Mastering,” “Unleashed,” and “Inside Out” tomes give an overview of every existing role and feature.
  • White papers tend to be a vendor’s promotion of their product or a think tank’s comparisons and recommendations.

For passing the 70-410, a simple, custom-made field guide is a surprisingly effective learning tool.

I emphasize custom-made because building it also builds the neuronal pathways you’re going to need. And, for passing the 70-410, it’s the pathways, i.e., the learning, we’re after, though, as you’ll see in the next post, rote memorization will play a key role too.

After taking the exam you’ll have the beginnings of a custom-made Server 2012 reference; but that’s just a bonus. As for format, .html .docx, .pdf, .txt, pen and paper, take your pick. Just make sure you can have a copy in your hands in the waiting room at the exam center for last-minute review – before you check in.

So, right out of my personal Server 2012 reference, here are some samples of questions you must be able to answer quickly and confidently when you take your 70-410 exam, broken down by exam objective.

Install and configure servers (15–20%)

What are the important differences between Windows Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2?

What are the Server 2012 license types? How are they different?

What can you do when you run Server 2012’s setup.exe that you can’t do when you boot from the install DVD? And the reverse?

What is PowerShell Desired State Configuration? What are its requirements?

Configure server roles and features (15–20%)

Can you use RSAT on a Server 2008 or Windows 7 machine to remotely manage Server 2012 or Server 2012 R2 servers?

What is a “server pool” in the context of Server Manager 2012?

What are the limitations of Server Manager 2012 when managing Windows Server 2003 and 2008 servers?

What software must you install on Server 2003 servers in order to include them in Server Manager 2012 Pools? And on Server 2008?

What are “Work Folders” and what are the major steps for setting up the “simple” Work Folder configuration?

What are the architectural differences between the 6to4 and Teredo IPv6-over-IPv4 Tunneling Protocols? What has to be unblocked if you’re going to implement 6to4 and why? What are the optimal use cases for each?

What are the TCP and UDP ports that must be allowed in to a VPN server using PPTP? SSL? IPSec?

What are the tasks that can be done with Administrative Center that can’t be done with Active Directory Users and Computers?

What is iSNS and what is it used for?

What are the DHCP Code Numbers for the following DHCP Options:
• NetBIOS Name Server
• DHCP Relay Agent Information
• DNS server
• Router
• Domain Name
• NetBIOS Node Type

What are the IPv6 address prefix bit patterns? What are they each called? How are they used?

What is the maximum number of subnets you could create given this address space: 2001:5860:b002:3000::/53? And why? What is this address’ IPv6 prefix bit pattern? What is the type of this IPv6 address?

What is an ISATAP DNS host record, and how is it used? What, exactly, does an ISATAP device do?

What is an IPv6 port proxy, and when would you use it?

How do you configure a DNS server to always request name resolution services from the Source of Authority (SoA) DNS server for a particular name space?

What is the purpose of the built-in DNSUpdateProxy Security Group?

What is the purpose of the InetOrgPerson object?

What are the types of AppLocker rules, and how do they differ from each other?

What was the predecessor to AppLocker called? How does AppLocker differ from its predecessor?

If you anticipate migrating to AppLocker from its predecessor, what preparatory decision will make this migration easier?

What are the TCP and UDP ports that are required for PPTP-based VPNs? SSTP? L2TP? What do these acronyms stand for? How are these protocols different? Which, if any, of these protocols are usually preferred? Why?

What must be configured to allow a Windows Deployment Server to be on a separate subnet from the clients to which it deploys operating systems?

What are the mechanics of DNS conditional forwarding?

Configure Hyper-V (15–20%)

What, exactly, does paravirtualized mean? What are the Microsoft terms for paravirtualized and non-paravirtualized components?

What are the most important new features and roles in Hyper-V 2012? What are they for?

What can and, as importantly, can’t, members of the Hyper-V Administrators group do?

What are the differences between .vhd and .vhdx files? What version of Windows Server introduced each?

In Hyper-V, what is “Dynamic Memory”? What is “Startup Memory”?

Why are five disks required to protect against the failure of two disks in a mirrored set?

What is Virtual Machine Chimney? What does it mean when we say that this feature has been deprecated?

Why is the Allow management operating system to share this network adapter setting required if I want one VM’s NIC to have more bandwidth than another VMs’ NICs?

Deploy and configure core network services (15–20%)

What are the command line switches for diskpart, and what does the “clean” switch do?

What features are added to a Core Installation of Server 2012 when you enable “Desktop Experience?”

What does the Configure-SMRemoting.exe command do?

What does cmdkey do?

What does the wmic qfe list command do? What do “wmic” and “qfe” stand for?

Install and administer Active Directory (15–20%)

How do you use Active Directory Users and Computers to set a default tray selection on a printer?

Why does inter-site replication for Global Security Groups require more [or less] network bandwidth than inter-site replication for Universal Security groups?

What are the various types of Domain Security Groups to which the various types of Domain Security Groups can be converted? And for each pair of conversions, describe why it is or is not allowed and list the memberships that must be eliminated before conversion will be possible.

Do domain controllers have local Security Groups? Why or why not?

What, exactly, is a Security Principal?

Create and manage Group Policy (15–20%)

What are the things that can be done with Group Policy Preferences? How are Group Policy Preferences different from standard Group Policies?

What version of Windows Server first provided Group Policy Preferences?

As I said before, if you’ve got comments, I’d like to hear ’em!

Thanks in advance, and good luck.

–Scott Winger

Mobile Devices in the new CompTIA A+ exams (Part 2 of 2)

October 26, 2012 at 2:39 pm | Posted in CompTIA | Leave a comment
Tags: , , , ,

Well, it’s been two weeks since I introduced you to the Mobile Devices domain in the new A+ 220-802 exam. In that post, I gave information on the first two objectives in the Mobile Devices domain. In this post, I want to finish by discussing the last three objectives from the domain:

3.3 Compare and contrast methods for securing mobile devices.
3.4 Compare and contrast hardware differences in regards to tablets and laptops.
3.5 Execute and configure mobile device synchronization.

For objective 3.3: Compare and contrast methods for securing mobile devices, the main focus is mobile device security. The main points that you should concern yourself with are as follows:

  • Passcode locks – This is the most basic security measure. Passcode locks block unauthorized users from accessing any of the device’s functions. In Android phones, this is configured in the Settings Location & Security section. In iOS-based devices, it is configured in the Settings – General section.
  • Locator applications – This security measure uses the GPS feature to locate a lost or stolen mobile device. For iPhones, you would enable the Find My iPhone feature. For Android devices, you can use a number of third-party security applications (such as Android Lost, AVG Antivirus, or Lookout) to remotely locate a phone.
  • Remote wipes – This security measure ensures that all data on the mobile device can be erased if the mobile device is lost or stolen. For iPhones, there is an iCloud feature (available in iOS 5) that allows the Remote Wipe feature. Google Apps administrators can perform this function with Google Sync (in beta, as of this writing). Most third-party Android security apps will have the option to locate, lock, or remotely wipe the device.
  • Remote backup applications – This functionality allows all data and applications to be backed up to ensure that the data could be restored if the mobile device is lost or stolen. For iPhones, backups are managed by the iTunes application. For Android devices, you will need to download an application that provides this functionality.
  • Failed login attempts restrictions – This security feature will lock a device after the configured number of failed login attempts. For iPhones, the lock occurs by default after 6 failed attempts and erases the data after 10 failed attempts. For Android devices, this feature is not built in, so you will need to add an application to provide this functionality. Most mobile devices also let you wipe the device contents after the configured number of failed logins.
  • Antivirus – Because mobile devices can be corrupted by malware, you should install an anti-malware application. Desktop antivirus vendors, like McAfee and AVG, also have products designed for mobile devices. Keep in mind that the product must be regularly updated to protect against the latest malware and virus threats.
  • Patching/OS updates – Patching the operating system and applications is necessary for all mobile devices. Most mobile devices have a built-in function that will notify you periodically when updates are detected. Make sure your device is updated so that all the latest security patches are installed, because security patches are the most common type of update.

For objective 3.4: Compare and contrast hardware differences in regards to tablets and laptops, you need to understand the hardware that is used in a mobile device and how it typically compares to laptop hardware.

  • You should keep in mind that most mobile devices do NOT have field-serviceable parts. Specialized tools are needed to replace any mobile device hardware, including the screen and internal parts. Repairs should only be carried out by technicians who are properly trained. If you have a device repaired by a technician that is not backed by the vendor, the warranty will be voided.
  • Also, keep in mind that mobile devices typically cannot be upgraded. Therefore, you should purchase the device that provides the maximum level of hardware for your current and future needs.
  • Most mobile devices are touch screen devices, which uses two technologies: touch flow or multitouch. With touch flow, finger movement (up, down, left, right) controls how the screen scrolls. With multitouch, the screen will recognize multiple touches, which means that more than one finger can work with the interface at the same time.
  • Mobile devices typically use solid-state drives, which are lighter and less prone to crashes.

For objective 3.5: Execute and configure mobile device synchronization, you need to understand how to sync your mobile device. This includes understanding the type of data that will need to be synced, the software requirements to install the syncing application on your desktop computer or laptop, and the connection types that can be used with synchronization. Users will need to be able to sync contact information, applications, e-mail, pictures, music, and videos.

  • Push synchronization is automatic and requires no user effort. Any change made will be synced to the other devices at regular intervals that you configure. (Remember that push synchronization can consume battery so use a longer schedule time if battery consumption is a concern.)
  • Pull synchronization, on the other hand, requires the user to actually activate the synchronization, which then pulls new information from the other device.
  • Synchronization can occur via a direct USB connection between devices, over a Bluetooth connection between the devices, and even over a 802.11 wireless network. Some specialized synchronization applications even allow you to use the Internet for synchronization.

While most mobile devices have a built-in sync feature, applications available through the marketplace usually do a much better job and include many more options. If you purchase a synchronization application, make sure that your mobile device meets the application’s requirements.

In closing, I hope these two Mobile Devices posts have helped to shed a bit of light on just where CompTIA is going with this topic. I have to say that I am glad to see this topic included as part of an IT technician’s job analysis. As mobile devices gain in popularity, technicians will definitely be expected to understand how to configure mobile devices in the real world.

I’ll be taking the 220-801 and 220-802 exams this week. I am really looking forward to seeing how the exams have changed, and assessing the new mobile device coverage and performance-type items.

Watch for my post in the coming weeks where I review Mike Meyer’s Eighth Edition of the CompTIA A+ Certification All-in-One Guide. I’ll also be posting some ideas about mobile phone emulators to help in labs and classrooms, and to help students self-study for the new mobile device topic coverage on the 220-802.

– Robin Abernathy

Mobile Devices in the new CompTIA A+ exams (Part 1 of 2)

October 10, 2012 at 4:36 pm | Posted in CompTIA, Study hints | 1 Comment
Tags: , , ,

Last month, I posted an article about the virtualization topics in the new A+ exams. At that time, I indicated that I would be posting about the new mobile devices topics. I expected to get the two articles out within a few weeks of each other, but as it always seems to happen around here, other things took precedence….and a month later, I am finally sitting down to fulfill my promise.

Mobile devices have increasingly become part of our lives. Because of the popularity of these devices and our dependence on them, the CompTIA A+ certification now includes  mobile device topics to ensure that A+ technicians are proficient in certain aspects of mobile device management. The new A+ 220-802 exam has an entire domain that is dedicated to mobile devices. Domain 3, the Mobile Device domain, makes up 9% of the exam. The objectives from Domain 3 are as follows:

3.1 Explain the basic features of mobile operating systems.
3.2 Establish basic network connectivity and configure email.
3.3 Compare and contrast methods for securing mobile devices.
3.4 Compare and contrast hardware differences in regards to tablets and laptops.
3.5 Execute and configure mobile device synchronization.

There’s a lot to chew on here, so let’s focus on the first two of these objectives. (I will discuss the other three in a coming post.) Please remember that I’m writing based on my experience with mobile devices and on what I’ve read in several reference books. As of this posting, I have not actually taken the new A+ exams. CompTIA released those exams this week, so I’ll hopefully have some time to take them before Part 2 of this blog post! But since I’ve been writing study material for the A+ exams since the 300-level A+,  I am fairly confident that I won’t be too far off the mark.

For Obj 3.1: Explain the basic features of mobile operating systems, you will need to understand the features of the Android and iOS mobile operating systems.

  • Android is an open-source operating system, while the Apple iOS is a vendor-specific OS.
  • Developers for Android have access to the same APIs used by the operating system. Developers for Apple must use the software development kit (SDK) and must be registered as Apple developers.
  • Android apps are purchased from the Google Android market (now called Google Play) or from other Android app sites, while Apple apps can only be purchased from the Apple App store.
  • For screen orientation, mobile devices use an accelerometer and/or a gyroscope. While only one of these is required, many newer mobile devices use both because they work better together.
  • Touch-screen mobile devices require screen calibration. The screen calibration tool will require you to touch the screen in different ways so that the mobile device can learn how you will touch the screen. If the device does not react in an expected manner when you touch the screen, it may need re-calibration.
  • GPS information can be obtained from cell phone towers or from satellites. Keep in mind that keeping the GPS function enabled will cause the battery to be depleted much quicker. Android phones normally use satellites to obtain GPS data, while iPhones use a combination of satellites, cell phone towers, and WiFi towers to obtain GPS data.
  • Geotracking  allows a mobile device to periodically record location information and transmit this information to a centralized server. Consumers have recently raised privacy concerns overs this feature.

For Obj 3.2: Establish basic network connectivity and configure email, you will need to understand how to connect mobile devices to networks and how to configure email on mobile devices. For all of the following points, I would expect this to focus mainly on the two major smart phones (iPhone and Android), but wouldn’t be surprised if you are expected to know how to do this for the iPad and other tablets.

  • Enable/disable the wireless and cellular data network.
  • Understand Bluetooth configuration, including enabling/disabling Bluetooth, enabling device pairing, finding devices for pairing (including entering the PIN code),  and testing Bluetooth connectivity.
  • Configure email. You will need to know the URL of the incoming and outgoing email server, the port numbers used by these servers, and the encryption type (if applicable). You probably will also need to know your account details, including user name, password, and domain name. The process for setting up email will vary slightly based on the mobile device that you are configuring and the type of account. Some of the more popular mail services, such as Exchange and Gmail, are easier to set up because of configuration wizards.

To fully prepare for these objectives, it may be necessary to install a mobile phone emulator on your computer if you do not have access to a physical mobile phone. In many cases, there are free mobile phone emulators available so that you can learn how to perform many of the basic configuration steps. You may want to research the options that are available and install them in a lab environment, particularly if you are an instructor. These emulators can provide a valuable service to students who do not have experience with mobile devices.

Part 2 of this topic will be released in the coming days and will cover the other three Mobile Devices objectives in the 220-802 exam. I also plan to have a post in the coming months on mobile phone emulators, so feel free to send me any information on what you have found in this area.

Until then….

-Robin

O-M-G, Microsoft announces more exam question types

August 15, 2012 at 12:32 pm | Posted in Microsoft, Performance-Based Testing, Study hints | Leave a comment
Tags: , , ,

If you’ve taken a Microsoft test in the past, you’ve experienced the Single Answer Multiple Choice and Multiple Answer Multiple Choice questions. While this is a tried and true psychometric technique, a multiple choice question does not always fully test a candidate on his or her knowledge of the material.  You may remember that a few years ago Microsoft launched performance-based testing (PBT) segments with their multiple choice questions. The 83-640 exam included a series of tasks that tested candidates’ abilities in a virtual environment. Although this exam and item type have since retired, most of us that had the chance to experience this item at a test center agreed it was the ultimate test of a candidate’s skill. And I, for one, very much doubt we’ve seen the end of the PBT item.

With a similar goal in mind, by which the certification exam truly separates the experienced IT professional from the pack, Microsoft has added several new item types to exams over the last few months. Well, I say new, but some of these item types are more like “vintage” and you just may have not seen them in a while. You can view the entire list here:

http://www.microsoft.com/learning/en/us/certification/exam.aspx#tab4

Active Screen – These questions are good at testing candidates’ knowledge because you see an actual screen. The downside is the candidate does not need to know where to go in the software to access the screen, the task is limited to the screen that’s provided.

Build List and Reorder – This is one you may recognize if you’ve taken Microsoft exams for as long as I have. This question type is used to test whether a candidate knows which steps are needed to perform a task and the order in which they should be performed.

Case Studies – Case studies allow a candidate to be tested based on different real-life business scenarios. Microsoft used case studies for the Windows 2000 Server and some Windows Server 2003 exams. If you do not have a high level of reading comprehension, you will find case studies to be time consuming. Several testing candidates who did not read rapidly enough struggled and ran out of time with this question type. Microsoft has addressed this issue by no longer timing each case study separately from the rest of the exam questions. While time management is still important, you get one clock for the whole exam, allowing you to spend a bit more time reading through the case study.

Create-a-tree – Similar to the Build List and Reorder question type, these questions test your knowledge on structures and organization. This question type first appeared in the NT 3.5 and NT 4.0 tests.

Drag and Drop – This is a basic matching question. This question type allows a candidate to be tested on multiple concepts. It also appears on exams from other vendors, such as CompTIA and Novell.

Hot Area – This question is similar to an Active Screen question. You have to click one or more places within a graphic to satisfy the question requirements.

Multiple choice – You have seen this question type zillions of times. I believe it was invented in 1,000,000 BC. This item type presents a scenario, a question, and a minimum of four answer options. A prompt within the item stem (or sometimes at the end of the question) will indicate the number of possible correct answers.

Repeated answer choices – These questions (which we called “extended matching” in our previous post, Multiple options beyond multiple choice) are presented in a series. Each question in the series has the exact same answer options. Each question is worded slightly differently, so the answer could be different for each question — or it could be the same correct answer across the questions in the series.

Simulations – These type of questions actually first appeared in Microsoft Vista exams. This question type does a good job of testing the candidate’s knowledge of navigating to the problem and choosing the correct answer. This type of question is better than an Active Screen or Hot Area because the candidate has to navigate the software or OS to find the screen or page that contains the correct choice, and is thus tested on his or her hands-on knowledge. If you do not know how to get to the right set of options, you will not be able to answer the question. The limitation to this type of question is that there may be more than one way to solve a problem. A simulation question may want you to fix a problem with a GUI tool, even though you could correctly solve the task with a PowerShell cmdlet or by running a command from the command prompt.

Short answer code – This type of question will force a candidate to actually type the correct answer into a text box or blank line. This type of question will test your knowledge of the correct code use, the proper order of the code and syntax of the code. We haven’t actually encountered this item type in the wild yet, but we’re keeping our eyes peeled.

Best answer – These type of questions appeared in the original NT 3.5 exams. It is a standard multiple choice question that may have one or more correct answers — you have to pick the BEST answer. People complained back in the day on the NT 3.5 exams as to what constitutes the BEST answer. I believe the debate will continue if Microsoft revives this item type on tests.

If you are planning to take a Microsoft exam in the near future, you may see several of the above question types – or none of them. If you have an issue with any of the types of questions on your Microsoft exam, please let Microsoft know in the comments section at the end of your exam.  Also, if you liked a particular item type on an exam, please take a few seconds to let Microsoft know. And as always, we welcome any questions or comments you might have, and will do our best to reply or point you in the right direction.

Happy Testing.


George Monsalvatge

Reader writes: Help! I know the material but I freeze in the Cisco test!

February 4, 2009 at 11:26 am | Posted in Cisco, Study hints | 2 Comments
Tags: , ,

Recently an email crossed my desk that was not unlike many I receive. It was from a customer who had bought our 640-822 practice test, but failed the live exam. The gist went like this (name removed to protect the innocent):

I took the [640-822] exam on the 14th and not only did I fail the test but I also ran out of time, which is an automatic failure… The questions in one or two cases were worded strangely. I was thrown a curve-ball. It felt more like a Microsoft test. Just thought I would let ya know. Please understand I am NOT blaming Transcender for my failure. I just failed.

And there were scenario questions, with one diagram and 4 questions to answer based on that diagram (the reason I ran out of time). One question concerned a router running EIGRP. I made it work (pretty much) but I took way too long trying to make this run. Testing is not my forte and I was a nervous tangle of nerves when [the new configuration] would not work the first time. I bet that issue was something more that was not mentioned in the actual test question.  If I get that one again I will be ready; I will check out the entire config and not just follow the instructions Cisco provided. They have to know people perform differently in a stressful test enviornment than they do in a relaxed work environment, or at least I do.

This customer was suffering from what we call test anxiety. Sometimes just a little knowledge of what to expect is incredibly helpful. Here were my answers to the customer, which I would like to share because I believe it will help anyone in this kind of situation.

First, keep moving. If you don’t know an answer, set a time limit for looking at the question. If you don’t know it after that time is up, make your best guess and move on. Unanswered questions are always wrong. Getting bogged down keeps you from answering the questions you do know that are further on in the test.

Second, know the item types you’ll encounter. These are the types of questions you’ll find on a Cisco exam, and the best strategies for each type.

Multiple choice – With these items, if you get a question you don’t know, just accept it and don’t waste a lot of time. Try to increase your chances by eliminating the distractors. Frequently, there will be one obviously wrong answer. There might also be what I call a “shiny object,” or an answer that looks great at first glance, but on closer examination shows a tiny detail incorrect. For example, let’s say it asked for the command to put an IP address on an interface, and you see this option:

router1# ip address 192.168.2.5 255.255.255.0

Looks good — until you realize that it is executed at the wrong prompt. This command should be executed at interface configuration mode, like this:

router1(config-if)# ip address 192.168.2.5 255.255.255.0

Also, when you see options that look identical, examine them carefully. There will be some small detail that is different. You will see options that include multiple lines of commands, like this:

router1(config)# int fa0/0
router1(config-if)# ip address 192.168.5.2 255.255.255.0
router1(config-if)# no shutdown

Your first step should be to make sure each part is executed at the proper prompt. Your second step is to make sure they are executed in an order that makes sense. For example, in the output above, line two could not be ahead of line one because you must type line one to get to the prompt displayed in line two.

Drag and drop — These items will require you to match one list of items to another list of items, such as matching protocols to the layers of the OSI model. There is typically only one correct order, so use that knowledge to make sure they all “fit.” Otherwise the whole thing will be wrong. Again, if you are clueless on the topic, don’t waste a lot of time on it. The chances of guessing these correctly is not high, but if you are good at putting puzzles together, you may be able to get it by process of elimination. Place the ones you are sure of first, and then work with what’s left.

Testlets — These items will show you a network diagram and ask about five questions about the diagram. There is also a command window that will be connected to one of the devices in the diagram. It may be a router or a switch. You can run show commands on this device to learn the answers to the questions. For example, they may ask you about Router2’s IP address, but the command prompt is connected to Router1. In that case you would use CDP commands to learn about the other devices.

Sometimes testlets are combined with a drag and drop. For example, you may have to gather information at the command prompt that will enable you to drag IP addresses and device names to the matching devices. If you are clueless about the commands that are required to answer the questions, KEEP IN MIND that sometimes the questions are general theory questions which don’t require running any commands or even looking at the diagram to be answered. So don’t dismiss all of the questions because one of them stumps you. If you get five questions in a testlet, you can still get a couple correct this way.

Simulations — Okay, this is the tough part. Here you must actually configure or fix a router or switch. When something is NOT working, ask yourself, “What should be in place for this to work?” Some people immediately start looking at a bunch of show commands. Another approach, the one that works for me, is to simply pretend that the router or switch has NO configuration at all, and do what you know needs to be done from the ground up. For example, if there is a problem pinging, just reset all the addresses the way you know they should be, rather than waste a lot of time with show commands to figure out what’s currently configured. Just a thought. REMEMBER, if you don’t get a simulation correct, ALL IS NOT LOST. You can still pass without it. Don’t let it so unnerve you that you blow everything. And do not spend more than 15 or 20 minutes on a simulation. Set a time limit and move on.

Make sure you have an answer to every question. Remember, unanswered questions are ALWAYS wrong. That’s probably what killed you the first time. I’ll bet a lot of your answers that you actually gave were correct, but you left too many unanswered to pass. As far as I know, running out of time on the test (leaving some questions unanswered) is not “an automatic failure.” It’s when you don’t have enough correct answers that you fail. You can read Cisco’s Certification Exam Policies here.

I hope this helps, and be sure to let me know if I can answer any other Cisco test questions for you.

–Troy McMillan, CCNA, CCNP

Blog at WordPress.com.
Entries and comments feeds.

%d bloggers like this: