09/10/2018
Are you studying for a cybersecurity certification exam? Some people struggle because they expect the wrong things. So, here's what you need to know.
ACIC -- I Also Get To Learn
Learning Tree courses include a great added benefit. It's the After-Course Instructor Coaching session. When I teach a Linux server course, I tell people it's a free hour of consulting time. However, for a test-prep course, I call it one-on-one tutoring. Because, you see, it's exactly that!
I noticed a pattern during a recent series of these. They were all for course 446, CompTIA Security+® Training. The students were overwhelmed. Why? Because they expected a very different experience.
What was happening?
The Certifiers' Point of View
CompTIA, (ISC)2, and other organizations design certification exams. Therefore, their reputations are on the line. Once you pass the exam, they vouch for you. "This person has convinced us that they're a qualified worker in this field."
A certification test isn't an apprenticeship. It's just a test. It lasts a few hours at most. It runs in thousands of locations world-wide. Grading must be automated. So, it's a multiple-choice test.
Skill and knowledge are very different things. You would like to test skill. That is, whether someone knows how to do something. However, a multiple-choice test is mostly limited to knowledge. Do they know about a thing?
Why This Matters
U.S. DoD Directive 8570.01-M makes it clear. You must hold one or more certifications before you work with DoD data and systems.
DoD and other agencies looked at what was available. CompTIA Security+ and (ISC)2 CISSP already existed. The whole world recognizes them. So, no one was surprised when DoD relied on them.
Security+ is the obvious entry point. CISSP is the usual next step.
DoD can influence the exams. They had serious talks with CompTIA before the recent Security+ update.
However, DoD doesn't fully control them. They know what's in the tests. What's more, they have some influence on general patterns. But, most of all, they find them useful.
The Disconnect Between Test Expectations and Reality
So, back to those after-course sessions. What did I notice? Some people miss an important point. Certification isn't a "License to Learn". It's evidence that you're already a skilled worker.
Many people say "I want to transition into cybersecurity." Of course! There are many opportunities. However, some people say this despite little to no background in computers, let alone networking. They may get there eventually. But, it will be a multi-stage journey.
Certifiers Tell Us What They Expect
CompTIA recently opened up. They assume that most people taking Security+ are getting their third certification. Or at least they have progressed through corresponding earlier stages.
You started working in desktop support. So, you passed A+. Then, after a few years of connecting desktops to networks, you passed CompTIA Network+.
Next, you expanded further. You worked on the network itself. You set up switches and routers. Then you did a little with Windows and Linux servers. Cybersecurity requires doing all that very carefully. So, that led to Security+.
Meanwhile, (ISC)2 has required experience for some time. CISSP currently requires five years of full-time security work.
DoD Anticipates Multiple Steps
I was just starting to write this. Then, a DoD journal arrived. Its name is a mouthful, the Journal of Cyber Security and Information Systems.
The recent article "Cybersecurity Competency Assessment Using Augmented Qualification Standards" describes a Department of the Navy program. It's the Analyst Qualification Standard, and it's based on the Personnel Qualification Standard. (See NAVEDTRA 43100-1J if you want the details.)
The multiple levels caught my attention. You master the basics in the Fundamentals (or 1000) Level.
Then, you start to use specific cybersecurity tools in the System (or 2000) Level. They keep it simple. They break complex systems into basic components.
Next, you apply the earlier levels in the Applications (or 3000) Level. You use practical tools, techniques, and methods. You perform real-world tasks.
All that is followed by Final Qualification. That combines recommendations from already-qualified personnel, observation of duties, and either a written or oral examination. Of course, both of those are closed-book.
The journey is in multiple stages. You demonstrate some ability. Then, you gain experience. Later, you progress.
So How Can You Get Up To Speed?
Networking is a big hurdle for many Security+ candidates. Get on the command line! Become familiar with standard utilities. Use ping, traceroute, netstat, and others. If you find the output of traceroute (spelled tracert on Windows) totally uninteresting or mysterious, then there's little hope for you as a cybersecurity specialist.
The Security+ exam asks you to interpret network command output. Many questions ask you to diagnose configuration problems. Those could lead to denial of service at best. Or, far worse, connection hijacking and therefore violations of confidentiality, integrity, and authentication.
Doug Comer's textbook Internetworking with TCP/IP is an excellent reference. However, new copies are expensive. A used older edition should do the job.
If your training budget and schedule allow, take Learning Tree's course 450, Introduction to Networking Training. It provides an excellent overview. It includes security at multiple levels. You learn about VPNs, VLANs, route filtering and firewalls, L2 and L3 tunnels, WPA2, and more.
Get Out There And Pass That Test!
Above all, make sure that you understand the expected background!