8 minute read

Security+ is an industry standard certfication that is very popular and held in high regard. CompTIA recommends you to have an Network+ level of knowledge combined with two years of IT administration experience with a focus in Security before you go for this exam, but that is nothing more than a recommendation. You can easily pass this exam with no IT work experience and without a Network+ behind you. I did and so can you. I initially passed this exam in December of 2018, but over time i realized that my tips and tricks were too surface-level, so i rewrote my blogpost entirely with extra information for you. I hope you find it at least remotely useful.

How many questions are there and how do i pass?

Security+ consists of 90 questions and several of them are going to be performance-based. It has a maximum score of 900 and 750 is the least amount you need to pass. Performance-based questions can often take exam takers by surprise, so it’s important to recognize what they will entail. You will find a detailed description below.

How much do i have to spend on the exam?

The Security+ voucher is normally around $330, however if you are an active student, you can buy a discounted voucher from the CompTIA academic store. You will have to prove your enrollment by providing documents, so just be aware of that.

What topics are there on the exam?

Below is the breakdown of domains for the exam, coupled with the percentage of questions belonging to each domain. Technologies and Tools has the highest percentage, but in reality nearly every question will somehow be related to it, because it is the foundation for everything else.

  • Technologies and Tools – 22%
  • Threats, Attacks and Vulnerabilities – 21%
  • Identity and Access Management – 16%
  • Architecture and Design – 15%
  • Risk Management – 14%
  • Cryptography and PKI – 12%

So what are performance-based questions?

The words “performance-based question” strike fear and raise the heart rate of any average CompTIA test taker, myself included. However, you shouldn’t be afraid of them on the Security+. The reason people get so blindsided by these questions is because they don’t put proper time into studying for them. The knowledge of the rest of the theoretical material will help you complete them, but you can’t rely on it solely. These questions include, but are not limited to: Setting up a Wireless Network You are given an interactive network diagram and are supposed to change the settings in a way that will make it work. It might include setting the correct IP for a radius server or enabling a correct security protocol on the Access Point. Know your WIFI protocols and port numbers.

Configuring a firewall

You are given a set of instructions, a network diagram and an Access Control List of a firewall. You are supposed to modify it in a way that will satisfy the instructions you are given. Review CIDR notations and remember your port numbers for this one.

Drag-and-Drop Security Controls

You are given a selection of different security controls and are tasked with applying them where it’s appropriate on a given network diagram or even a building. Remember the best practices related to choosing security controls and you should have no problem completing this one.

Drag-and-Drop Matching

This is a wildcard. You might be given a list of ports to which you have to match services. You might be given a list of attacks to which you have to match definitions or remedies. You might even have to match RAID levels. You should be fine with this one without any special prep. This is the same information you study for the rest of the test.

Drag-and-Drop Correct Order

You may be asked to put the right order for a process such as incident response or an order of volatility. Same as last one, study the regular material and you will be fine with this one.

Command Line

I have not encountered this one on my test and i don’t know anyone who has, but people say these questions might also appear on the exam, so you should nevertheless study for them. Review basic Windows and Linux commands and you should be fine. Also try the “help” command. It works in CompTIA’s example PBQ, so it should theoretically work on the exam.

One important note about performance-based questions: Flag them for review and proceed with multiple choice. That will prevent you from losing precious time if you get stuck and the multiple choice questions will refresh your mind before you get to the real stuff.

Study material

Classes

If you are serious about passing this exam, you should inquire with the local community-colleges, because they might have classes structured specifically around preparing for Security+. Chances are, you are eligible for Financial Aid, so they won’t cost you a dime. I personally would not recommend going for those expensive $1000+ classes unless you have some money to spare or your employer is willing to sponsor you. This might be overkill. The exam isn’t that hard and you shouldn’t go to such lengths to pass it.

Books

I personally used “Security+ Guide to Network Security Fundamentals” by Mark Ciampa and that book is very thorough. More thorough than the exam itself. It has one major downside though: it is outrageously expensive at around $200. If my college class did not require it, i would not have purchased it. I’ve heard nothing but praise for “CompTIA Security+: Get Certified Get Ahead” by Darril R. Gibson. If you do not wish to spend $200, go for this one. Its information aligns well with the exam objectives, but should not be used as your sole study material.

Videos

There are a lot of good choices here. You can get good Security+ courses on Udemy for $10 because they have a sale every other day. Another good source is Mike Chapple on Lynda.com. I personally used this one and found that it is a good short addition to the rest of my study material, but it is not expansive enough to cover everything you need. One of, if not the best video course is by Professor Messer. His videos align perfectly with the exam objectives. He even covered something that appeared on my exam but was never covered by the rest of my study material. One thing I would not recommend is Coursera. It is a waste of your time and money. Please do not go for their courses, they are the definition of “surface level”.

Acronyms and Port numbers

There will a LOT of acronyms on the exam, so prepare yourself for that by doing flashcards. Same thing with port numbers. This is the only part of the preparation which is pure memorization. Do them until you can remember most of it.

Practice Tests

The better ones are often paid and a lot of the free ones on Google will be purposely vague and confusing because their author wants to force you to buy their study material by convincing you that you don’t know anything and that they can totally fix that for $49.99. Use multiple ones and do not rely on the score too much. I would however recommend you to study until you can consistently hit at least 90% on different tests.

What material should I use?

Combine different materials and never rely on just one source. One of the most important cybersecurity concepts is Defense in Depth, so apply it to your test preparation. Use multiple overlapping sources. Pick a book, a video course and a bunch of different practice tests.

Scheduling the exam

I’ve seen books that recommend you to schedule your exam 45 days from the day of the start of your prep and while i see the reason for that, i do not believe that it is a good idea. Yes, you will be more motivated because of time constraints, however i do believe it is better to take time. I started preparing for the exam in September of 2018 and i scheduled the test in November for December. I recommend you book your exam a month from the date that you feel confident taking it. Yes, going over your material several times is no fun and you might lose your sanity in the process, however that will ensure you are overprepared and do not forget your material. Never stop reviewing. If you don’t review for a week, you will forget it. Also, buy the voucher in advance. That ensures you are financially committed to the exam and you can’t back out of it.

Taking the exam

Don't concern yourself with subjective opinions regarding the test difficulty. I've heard some people say that S+ is the hardest exam they've ever taken and that is simply ridiculous to me (and i'm no Kevin Mitnick). People's perception of difficulty is based entirely on their personal characteristics, knowledge and preparation

If test anxiety does take over, as it did for me, meditate or use breathing exercises. Something as simple as 4-7-8 helped me a lot before the test.

Elimination is very very effective in multiple choice. If you don't know the answer right away, try to eliminate the ones that don't belong. I've found that there were never more than 2 plausible options once you eliminate the ones that don't belong.

To conclude

This test is not going to be the most difficult test in your life as some people say. Put the time to study and you will be fine. I passed it with 816/900 without any IT experience and so can you. My next destination is going to be CySa+. I’ve already ordered my study materials and i will post a similar article about it once i pass it.

Links and Resources