Security+ exam questions and answers: What to expect

Cyber Work Hacks is here to answer your questions about the CompTIA Security+ exam! Today, Infosec boot camp instructor Tommy Gober reviews Security+ exam sample questions and shares tips to pass your Security+ 701 exam.

0:00 - Security+ exam mechanics
1:15 - The different types of Security+ exam questions
3:55 - How do you see your Security+ exam results?
5:10 - Security+ exam example question 1
9:27 - Security+ exam example question 2
11:32 - Security+ exam example question 3
15:08 - Security+ practice exam
16:29 - Security+ exam day advice
18:05 - Outro

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free

– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

Chris Sienko: 

Infosec and Cyber Work Hacks are here to help you pass the Security+ exam. For today's hack, Tommy Gober, Infosec boot camp instructor extraordinaire, is walking us through some sample Security+ questions, providing excellent strategies during exam time to narrow down potential answers in a logical and stress-free way. And the only way you're going to see it is by staying right here for this Cyber Work Hack. Hey, welcome to a new episode of Cyber Work Hacks. The purpose of this spin-off of our popular Cyber Work podcast is to take a single fundamental question and give you a quick, clear and actionable solution, or a new insight into how to utilize Infosec products and training to achieve your work and career goals. So our guest today, Tommy Gober, is an Infosec instructor and, among his many areas of expertise, he is our boot camp instructor for what you probably all know as one of the most popular and in-demand certifications, and that's CompTIA's Security+ certification. So for today's Cyber Work Hack, Tommy's prepared a couple of sample Security+ questions and he's going to walk us through how they are constructed and how you should approach them when you're taking the exam. So thanks for joining me today, Tommy.

Tommy Gober:

Hey, Chris, good to be here.

Chris Sienko:

Thank you. So, Tommy, we heard from some Security+ cert holders that the experience of studying for the exam and learning the concepts felt different from the experience of conveying the information and the methods required by the exam. So can you break down the different types of exam questions on the Security+?

Tommy Gober: 

Yeah. So there's a few different types that CompTIA likes to ask on really any of their certification exams. There's the multiple answer or, I'm sorry, the multiple choice. The multiple choice, that's A, B, C or D, right? Multiple answer, and that's usually where you're going to see select two, select all that apply.

Chris Sienko:

Yeah, right, right, yeah, maybe you have a mix of those and it's like, pick the top two reasons why.

Tommy Gober:

On the CompTIA exam format they will literally say select two. They're going to tell you exactly how many of the following answers you need to choose.

Chris Sienko:

Gotcha.

Tommy Gober:

And it doesn't let you move on if you only answer one. It's like, select two. It's going to be like, hey, bozo, you need to go back.

Chris Sienko:

Gotcha. Out of curiosity, on a question where you have to select two, I'm assuming that it's all or nothing. You don't get, like, half credit if you select one right one and one wrong one.

Tommy Gober: 

You know, that's a good question. So that is a question that comes up quite a bit in our boot camps: how are these tests scored? And the official answer is nobody knows.

Chris Sienko:

Okay. All right, it just goes into the board and that's it.

Tommy Gober: 

Yeah, yeah. CompTIA has not been publicly open about how they assess these exams. That said, after taking a few dozen CompTIA exams over the years, I have my suspicions, and I believe that, and this is complete conjecture on my part, it's not official, but I think that the way that they score this is they have a certain number of correct answers expected for you. So if you answer all the questions with 100% accuracy, then you get the highest score, based on the way statistics work. But if they say select two, I think you can get, you know, you'll get, like, if the answers are A and B, I think you can get half of it correct by answering one of those correctly, because I think that counts towards your correct answers. But officially, no idea.

Chris Sienko: 

Yeah, yeah, and probably some sort of magical, you know, percentage weight and so forth, like they do with everything. Yeah, yeah. When you've taken the exam, you've submitted it, and it comes back, you've passed or failed. Do you get to see which questions you got wrong? Nope, none of it, it just goes into the box?

Tommy Gober:

Yeah, not directly. So on the exam, pass or fail, they will tell you these are the objectives in which you missed at least one question. You don't know how many questions you missed in that domain. It may have, you know, that objective may have been represented in two different questions, but they presented the content differently, and so you're not really sure, how did I get that one incorrect or not? And so it just kind of gives you this list. So you don't really know exactly, but you do kind of have a ballpark idea of, like, okay, this is where I kind of need to study more. And so if you have done a personal inventory of, you know, I got the objectives from CompTIA, I went through and I listed all these things out and I know these questions are not. If you did an inventory like that, you know the places where you're weak, and you might be looking at the test result and you're like, yeah, I kind of screwed that up because I didn't.

Chris Sienko: 

You know, I knew I was weak on that. You can feel it, rather than, like, going question by question. Okay, so I think the best way to get a feeling for each of these types is to run a couple of example exam questions. Tommy, you provided me some samples here, so I'm going to share my screen very quickly, and once we have done this, then I can, I think it'll be easier for people to sort of understand in person here. So, Tommy, I'll move the slides for you when you want, but just take it away from here.

Tommy Gober: 

Thank you, Vanna. So, yeah, the first question that we got here. So this one is an example of how they're going to throw these acronyms at you and, like I said, vocabulary is key on this exam. So, knowing what the question is, first of all, asking, knowing what are my options. When you glance at these answers, HTTPS, SMTP, TLS, SFTP, what the heck are those? Notice, I have not read the question yet, I'm just looking at the answers. I want to first glance at my answer choices and that's going to kind of frame my thinking. This is just kind of test-taking steps in general, but this is going to frame my thinking so that when I go up and read the question I will then be able to understand what my options are. So, having glanced at the answers, HTTPS, SMTP, TLS, SFTP, I don't even know what those are. Let's go back and look at the question and read through it. An organization's chief information officer recently received an email from human resources that contains sensitive information. The CIO noticed the email was sent via insecure means. A policy has since been put in place stating all emails must be transmitted using secure technologies. Which of the following should be implemented to address the new policy? So this is a wordy question, Chris. There's a lot of stuff going on here, but what are they asking? It's saying which of the following options should be implemented to address the new policy. What's that new policy? The policy has been put in place stating all emails must be transmitted using secure technology. So we're transmitting something. It has to be secure, meaning we're looking for some form of encryption. Encryption is how we send things securely. Okay. So the question is really asking which of the following is a form of encryption that we can, by extension, send email with? And so our options are HTTPS, SMTP, TLS and SFTP. Let's unpack what each of those are. Through the boot camp, we talk about these different technologies.

I'll say these are protocols, and we discuss what they mean, and then we unpack what they are. So unpacking HTTPS, Hypertext Transfer Protocol Secure. HTTPS, that's for requesting web pages and whatnot. We were not transmitting data that way, though. These days, we do a lot of our web-based email, don't we? So, plausible answer. Let's keep that one in mind. Maybe. SMTP, Simple Mail Transfer Protocol. This is what your mail transfer agent sends the email out with. Whenever I send you an email across, it goes out from me through SMTP. Well, that's not really a secure protocol, as we discussed in the boot camps, so that one's going to be off of our list. SMTP by itself is not secure, so we put a line through that. Next up is TLS, Transport Layer Security. This is a form of encryption that we actually use to secure a lot of insecure protocols like SMTP. We would use TLS to encrypt that to have SMTPS, or we use that for encrypting Hypertext Transfer Protocol, HTTP, and what we do is we tack on that little S at the end and it suddenly is a secure protocol. So HTTPS uses TLS, SMTPS uses TLS. That's the security that those are providing. So, very, very strong contender there. Looking down at our final option there on letter D, Delta, is SFTP, that is, Secure File Transfer Protocol, that is FTP utilizing SSH, or Secure Shell. So that's not really something we would use to normally send email via, and so of these four options, the best one, if you go on to the next slide it will highlight our correct answer, is indeed C, Charlie, TLS. Yes, very good. So that's kind of an unpacking of how to interpret these questions.

Chris Sienko: 

Very good. Sorry about that, let me get back on there. Okay, there it is. All right, very good, cool. Okay, let's go up to the next one here.

Tommy Gober: 

This is number two. More alphabet soup.

Chris Sienko:

Ooh. They like to throw these. The first one, I knew some of those terms. This one, I am out to sea, so I'm excited to hear about this. But that means, like, I know some of these words.

Tommy Gober:

So, which of the following should be used to validate the integrity of data? We got TLS, SSH, MD5 and RSA. The reason I picked this one out: this is a prime example of how sometimes CompTIA plays their hand. They kind of clue us in to what the answer is just by using a keyword in the question itself. So, which of the following is used to validate the integrity of data? One of the things that we do in the boot camp is we talk about how, in CompTIA land, whenever you're taking one of these certifications, if they are talking about integrity they mean hashing, and if they're talking about hashing they are talking about integrity. It's a two-way street. If you see that keyword, just know that they are zeroing in on hashing or integrity. Those two go hand in hand. So our options are TLS, Transport Layer Security, we just talked about that. SSH, just talked about that one earlier; that is what allows us to remotely connect to a remote host via encryption. I'm going to skip on down to Delta, letter D, and RSA, another form of encryption. So TLS, SSH, RSA all deal with encryption. Only the letter C, Charlie, uses a form of hashing known as MD5, not a bulletproof form of hashing, but a very, very common, often used form of hashing. So the question itself is asking which of the following is a hashing format, protocol, algorithm? And the answer on this one is C, Charlie, MD5. It's the only one of those choices that has to deal with hashing, and because we saw that keyword up there in the question, integrity, we know that hashing is what they're asking about.

Chris Sienko: 

Awesome. All right, ready? You have one more here.

Tommy Gober: 

Yeah, let's do it. All right, this is a fun one too. So let's glance down at our answers one more time before we read the question. Okay: reflected XSS, stored XSS, cross-site request forgery and then, lastly, SQL injection. So first of all, what the heck is XSS? That's the cross-site scripting we're talking about. Reflected cross-site scripting is kind of where an attacker throws some, generally, JavaScript at your machine and then it says, here's some data for you to process. Here you go, I want you to take this and run it. But what are you actually doing? It's actually saying, I want you to go over that way and get the JavaScript from that system over there. I'm reflecting it, I'm sending you off that way to pull the code that's over yonder. B, stored XSS, this is where I gave you the JavaScript and then the system takes that and stores it into that database, holds a copy of that, so that when any site visitors, users, customers go to the site, that database is presenting its information. Well, it's brought that JavaScript back out and now it's launching an attack on your clients or customers. That's also not good. Cross-site request forgery gets a little bit deeper. It has to deal with stealing credentials in order for an attacker to act on your behalf. Then the last one down here is the SQL injection. SQL, the language that we use with databases and so forth. Looking up at the question here: logs from an IDS, which we talked about as an intrusion detection system. Logs from an IDS alerted on a string entered into the company's website login page. The following line was pulled from the HTTP POST request: user ID equals Carlos or one equals one and request equals submit. Which of the following was attempted? You know what? We can short-circuit this whole question. We don't have to look at anything else. We don't have to think about anything else. The answer to this one is D, Delta, SQL injection. How do I know?

Because I wrote the question, Chris. The go-to thing that I want you to hone in on, and this is true across all CompTIA certifications: you see, right there in the very center of the screen, "or one equals one." That's your clue that they're talking about SQL injection. That's CompTIA again playing their hand, clueing you in. Hey, what are we asking about? They're asking about SQL injection. If you see "or one equals one," you can just throw everything else off, just about. Don't have to read anything else. You're going to get it right there: SQL injection. I do spend a little bit of time. We talk about, how does SQL work? Why does this "or one equals one" work? But really, what you're looking at, Chris, is: when does one equal one? All the time, right? Yeah. It's always one. You know, until the cows come home, it's every day. If one does not equal one, we have some huge, huge problems in the world. And so it's just saying this is always going to be true, and because of the way that SQL is processed, it's going to yield far more information than the system may otherwise want to share. And so that's what you're doing: taking some SQL logic, injecting that into the database that it's running, and then yielding some information beyond what those site designers would want you to get.

Chris Sienko:

Gotcha. All right, well, thank you. Those are three excellent examples there. So I want to, before we go: the Infosec Security+ boot camp ends with a practice exam before the actual exam, right? Yeah. Now can you tell us how that works and how it helps you to retain knowledge better when it's the moment of truth, to take these in?

Tommy Gober: 

Absolutely. So there are different approaches to this. Each instructor takes these approaches a little differently. What I like my folks to do for my boot camp is we spend a little bit of time each evening, kind of as homework. Do it on your own. You don't have to do it right away at the end of the boot camp. You can take a break, you can go for a walk, whatever, but at some point at the end of the day I want you to go through and take these practice exams. The reason I want you to do that is to get exposure to these concepts: how will these items be presented to you, in the form of a question? And then, as we're going through the course, I want you to be able to, it creates this learning community where everybody's kind of racing and clamoring and be like, hey, hey, hey, that was on the practice exam, I remember that. Love it. It lets you see how these topics are going to be presented on the exam so that when you get to exam time you've got some practice under your belt.

Chris Sienko: 

You're not going to get that sort of brain seize-up where you're like, I've never seen this before, the structure. Yeah, right. So what's your best piece of advice for exam day?

Tommy Gober: 

Good vibes. Okay, total chill when I go to do this. You've put in the time, you've put in the effort, you've taken the practice exams, you have prepared for this. It's showtime. Be proud, go in confident, knowing what you know. You may not know everything on the exam. There are times when I go to take these refresher exams just to kind of understand how these tests are done. I don't, even after these many years, I still don't ace every one of these, because sometimes the questions are just a little confusing in their order. But you know what? I still go in confident and I still walk out with my chin held up high, because I prepared for this. I am successful with it. So my game day, test day: I schedule my exam. If you're a morning person, schedule it in the morning. If you're an afternoon person, I need a little time to boot up, take it in the afternoon. I like to schedule my exam kind of mid to late afternoon. I like to go and eat lunch at one of my favorite restaurants and I've got a nice cold drink with me. I've got some good tunes in the car and I'm headed down to the test center and I'm just kind of, like, in a vibe. I'm just, like, I'm zoned out, I'm just kind of walking in zen.

Chris Sienko:

Fabulous. Oh, that's great advice, so I'm gonna leave it there. So, Tommy Gober, thank you for making the Security+ exam a little less mystifying. I think this is gonna be something people are really excited about. So thank you. Absolutely. And to everyone else, thank you for watching this episode. If you enjoyed this video and felt it really helped you, this one especially, please share it with your colleagues, your forums and on your social media accounts. I'd love to see people letting us know if this really helped them out, and definitely subscribe to our podcast feed and YouTube page. You can just type in Cyber Work Infosec on any of them and you're on your way. So there's plenty more to come, including a couple more Security+ episodes from Tommy here. So if you have any topics you want us to cover, feel free to drop them in the comments below. But until then, see you next time and happy learning. Hey, if you're worried about choosing the right cybersecurity career, click here to see the 12 most in-demand cybersecurity roles. I ask experts working in the field how to get hired and how to do the work of these security roles so you can choose your study with confidence. I'll see you there.
