This week I checked off a big goal – getting my Security+ certification. It’s a baseline cert in cybersecurity, but I needed something to validate my knowledge since my degrees are not in this area. This is my retrospective/brain dump of the process. I hope it might be helpful to others.
I’ll admit, I was tempted to jump straight to CISSP. That’s one of the really big certifications and is seen as a standard for many options in cybersecurity. However, I wanted (needed?) something as soon as possible to demonstrate that I have some idea what I’m doing. I believed I could get prepped and ready for Sec+ faster than I could get ready for CISSP. Plus Sec+ is considerably cheaper.
My main source for studying was Mike Meyers’ CompTIA Security+ Certification Guide (Exam SY0-501). I was pretty happy with this book. Easy to read, logical topic grouping, mapping to all objectives, and some solid digital resources.
I also used the CompTIA Security+ SY0-501 and SY0-401 Prep Android app from Konnect L.L.C. This app has a good selection of flashcards and questions set up by objective and the ability to do practice tests. It was great for quick studying and review when I was on the go.
The last month or so, I picked up a subscription to the CertBlaster Security+ practice tests to get more practice on the performance-based questions. This offers 4 exams and question sets for each objective. It has a good variety of questions and pretty solid explanations so you can understand the correct answer rather than regurgitating it.
And I looked up concepts, etc. online or in my other books as needed. I feel like I kept my study prep costs down as much as possible while getting what I needed to get the job done. I think all in, including the exam voucher, I kept it under $500. While that’s by no means cheap, it was doable for me with some planning. I would like to see some scholarships or something set up for certifications. I know just paying for the test is beyond reach for many, and I worry how students who may also be paying for tuition will be able to cough up extra for certs. I know I was never in a position to be able to do so as a student.
I took longer to prep than I really should have (about 7 months). I wanted to know the info to be able to use it, not just to pass the test. So while I was prepping for this, I was also working on programming stuff, doing a book club on packet analysis, working on various capture the flag and hacking exercises, playing with Splunk, working, and pretending to have a life. I think if you have a solid background, you could probably pass this certification by spending a month or two just reviewing the exam objectives and looking up anything that you aren’t comfortable with. Most of the concepts were familiar to me from being interested in cybersecurity and having some responsibilities that overlap with cybersecurity stuff.
My basic approach was read/highlight the book, type notes, and repeat until done with the book. While doing that, regularly use the practice exams that came with the book and flip through the flashcards and questions on the app. When I was about done typing up my book notes, I got the CertBlaster tests and started doing a practice test and/or some of the drill questions most days. CertBlaster recommends being able to consistently score 95 or higher to be confident in taking the exam.
Once I finished typing up my notes, I scheduled my exam for about 2 weeks out. That gave me time to read over notes from each chapter at a reasonable rate and spend a lot of time with CertBlaster just drilling the questions.
The week before the test, I ended up going to NCCIC-DHS Intermediate Industrial Control System Cybersecurity Training (parts 1 and 2). The courses were great and did help a little with review, but I wouldn’t generally recommend doing training for something else that close to a certification exam. But the trainings were scheduled when they were scheduled, and it was too good of an opportunity to pass up.
Then the day before the test, I went to the (CS)2AI/WiSC-UH conference. More awesome ICS stuff, and it was great to do some networking. Possibly not the best idea the day before a test though. I felt ok taking the time to go because I was at the level CertBlaster recommended on the practice tests, and going to a conference and learning cool things would prevent me from obsessing over my test the next day.
These things could be considered distractions, but they do also support long-term goals and provide skills and information I need moving forward.
Then the day of the test was: review a little, work, take a break from work to test, and work some more. Not ideal, but it got the job done.
I think one thing I should have done differently was schedule the exam when I started prepping to put myself on a firm timeline. I didn’t because I wasn’t sure how long I would need to prep with all of my other responsibilities. In some ways, that was great because I was able to do things with Wireshark through my book club and a bunch of other fun stuff, like boot2root boxes and CTF, but it did let me neglect the less fun “get through the exam material” stuff. I’m okay with the approach that I took because I would rather take my time and spend more time playing with the toys than intense test prepping. Since I’m on my own timeline, I think that’s fine. BUT if I needed to complete the certification for work requirements or some other external reason, I would definitely recommend scheduling the test right at the start.
I think when it comes to certification prep, you really have to take a hard look in the mirror and decide how you want to approach things. I’m pretty good at setting deadlines for myself and working through them. That is one skill that working in academia really refines. You are on your own to get your research done to get tenure while you balance all of the other commitments you have to get done. If I weren’t as practiced with arbitrary guidelines, I would have set a test date earlier.
I also spent a lot of time working on other things. Again, the luxury of internal motivation let me do this. It was great because presenting at a Splunk User’s Group, getting sucked into Splunk Security Essentials, going to a conference, and going to training are good and important things to do. I also volunteered to present on Nmap at my ethical hacking club next week because it’s a good thing to do. But I’d think twice about these things if work had me on a deadline to get certified.
I’m horrible at celebrating my accomplishments. I have a tendency to be really ‘meh’ about them. I think my biggest reaction to finishing up any of my degrees was basically “check, what’s next?”. So I wanted to make sure that I acknowledged this one. I posted it on LinkedIn and Twitter and let myself just be happy about achieving the goal.
I’ve taken a little bit of time to reflect about what I’ve done and where I want to go. I feel like Sec+ is a good jumping off point for CISSP, but I also want to get a pen testing certification. Eventually, I want to get OSCP – because it’s awesome. But right now, I feel like the PenTest+ cert is a better option. CEH is, quite frankly, just out of my price range.
So I guess that’s my plan for now. Work toward CISSP and PenTest+, hack all the things (legally of course), play on Splunk, work through The Hacker Playbook 3 for book club, and keep moving forward. The great thing about this is that all of these really work together. Plus building up my home lab and putting all of these things into practice is more fun than just studying for a certification.