Security+ — Studying and Exam

I got CompTIA Security+ certified.

Why

I don't know. Honestly. I guess a mix of thinking it'd look good on a resume, mild fascination with security, and the hubris I could probably pass the test without many months of study. This was on the heels, pretty much, of taking a "WebOps Professional" certification course for work and I was just in that headspace, I guess.

Part of me is recalcitrant about certifications -- they are worthless compared to real-world experience and actually testing your knowledge in real scenarios. They also involve memorizing a lot of information that is easily looked up, which is annoying.

But part of me also thinks it's decently valuable (I wouldn't have done it if not). Part of me is happy to continue to add educational line-items to my resume. I don't have a degree, so it helps. Sort of.

At work I already do triage of vulnerabilities and CVEs, and I sort of think this certification doo-hickey gave me better grounding and standing for all of that work. The malicious code parts of the exam learnin' were pretty helpful, along with the language around discussing risk in a way that makes sense to business-headed people.

Knowledge I Already Had

  • About 25 years on the computer, split evenly between hobbyist and professional memelord internet troll digital goblin web developer.
  • About a year of Information Technology work for my high school... in 2004.
  • A CompTIA A+ certification... from 2005. I'm lucky enough this is a "Good For Life" version of the certification and it never expires, so it's still valid.

Stuff for Studying

  • Professor Messer's training videos -- pretty good test preparation video series. They're short and give a good conceptual overview, it seems. I also bought his practice exams since they were $30. I didn't finish the video series, got about halfway through.
  • CompTIA Security+ Study Guide by Mike Chapple and David Seidl -- A book written for the test, with practice questions. I read through and took notes on the whole thing. Seems a little bit too in-depth, and probably wasn't truly necessary for test-only purposes, but I was also actually trying to learn stuff, so it was helpful. There are good explanations of how something is applied, which is nice.
  • Darknet Diaries -- no, really. I'd listened to this through the prior year and I think it was helpful to have the entirety of this podcast digested. There are many, many excellent stories of real security breaches, attacks, etc. Jack's work is well-researched and quite well-explained and he's had a myriad of seriously interesting and well-informed guests from both Red and Blue teams.
  • I also regularly listen to the Open Source Security podcast. A bit of entertainment and news, and pretty helpful.
  • I used to listen to the OSINT podcast, when it was still around.

Exam

I was going to take the exam online, but apparently they are pretty strict about behavior (e.g., proctors yelling at people for moving their lips or leaning on their hands). I don't do so hot with those kinds of restrictions (what is this flesh prison, anyway?) so I picked an offline testing center. Picked a random Saturday in the afternoon, and took the prior day off work for the relaxation and last-minute cramming.

I got three performance-based/scenario questions. One was on network design. One was on determining which of a series of servers was infected/clean, and which was the source of the infection. And another was on networking two VPN concentrators. Having two networking-based performance questions was kind of harrowing; I generally dislike networking and don't really know what I'm doing. I guess I did OK enough to pass, though.

For multiple choice, I got 76 questions. I didn't have to know any port numbers for anything, which was nice. I'd skipped over memorizing those, since they're easy to look up and not information I actually want to hold in my brain.

I re-reviewed all of the questions prior to submission, and I believe I finished with 14 minutes to spare.

Next?

Maybe Linux+. That one seems really relevant to my day-to-day. I have a pretty hefty book on Linux and I figure it can dovetail nicely with slapping some distro into some abandoned computer floating around my house (as of this writing I've only ever used Linux over the command line in the sense of being a server, never as a desktop daily-driver). Lots of learning to be had there. If I go that direction, I wouldn't actually take an exam in a timeline faster than "two years."

I was thinking about the accessibility exam again... but I just don't have it in me. I'd rather go deeper into backend and sysadmin and less people-facing stuff. A lot of accessibility is either the terribly boring work of running scanners and making spreadsheets, or it's people-heavy with presenting and trying to convince others of the necessity of accessibility work. Generally just... not where I want to live.

Next for real and for sure: sleeping a while.