How I Passed the Security+ Exam In Two Weeks
In January 2023 I passed the CompTIA Security+ exam. With little-to-no prior knowledge on many of the topics covered in the exam, I was able to sign up for, study for, and pass the exam all in less than two weeks. While the Security+ exam is an entry-level cybersecurity certification, intended to show base knowledge and interest in the field of cybersecurity to employers, it still contains a wide swath of information that the test taker needs to remember in order to ensure success. In this article, I’ve compiled my top 5 tips that helped me pass the Security+ exam in such a short amount of time. I will also link to some resources that I found helpful throughout my studies.
1. Know the Exam Objectives
It may seem obvious to some, but not to others. On the CompTIA website, you can download the exam objectives for the newest version of the exam, SY0-701. The best way to start is to understand where you are starting from, which is why reading through the exam objectives and taking note of what is familiar and what are completely new concepts is an important first step to passing any examination.
To use myself as an example, I had spent many years focused on software development and software development security. With that experience, I was very familiar with application vulnerabilities and the secure development lifecycle. While reading through the exam objectives, I felt comfortable with my knowledge of these areas, but I noticed some glaring holes in my knowledge, specifically around network security and the security architecture domain as a whole. Reading through the objectives will give you a base understanding of everything on the exam and will help you focus in on the areas where you need to spend the majority of your study time. Once you have completed this step, your studying can officially begin.
2. Focus on Weak Areas
Picking up right where we left off with tip one, once you have identified weak areas you need to spend time diving deep into those subjects. For each area where I was not familiar, I referenced several free online resources including Mike Chapple’s LinkedIn Learning videos and Professor Messer’s YouTube videos on the Security+ exam topics. I took copious amounts of notes, filling up over 20 pages with content that only covered about 60% of the exam. After completing my first review, I would revisit these weak areas, daily, in the two weeks leading up to my exam date. The first study session was multiple hours long and very focused. After that, I would spend maybe a half hour a day re-reviewing my notes on the topics, eventually summarizing them down to one page front-and-back, that I would be able to use as a quick review sheet whenever I had spare time.
3. Audio and Video are Your Friends
While I find that I get the most value out of reading through a textbook and taking detailed notes, I only have so much time to sit down and read through study materials every day. With only two weeks to study, I knew that I needed to get in as many repetitions as possible to cement the new knowledge in my mind. Those videos I referenced earlier became my go-to soundtrack for commuting, at the gym, and any other context where I may have headphones in. Just by listening to those videos while at the gym, alone, I added an extra 12 hours of study time in two weeks that I wouldn’t have had, otherwise. For those of you that listen to music while you work, take advantage of that time and soak up as much knowledge as possible through audio reviews of the exam domains.
4. Memorize the Boring Stuff
What could be boring about cybersecurity? Ports and protocols. Learning about all of the different types of malware, vulnerabilities, and attack vectors was exciting and I found myself researching more on the side after learning what was required for the exam, but for some topics, such as ports and protocols and network architecture, I had to make a concerted effort to absorb the information for the exam. Of course, while studying all of those port numbers, all I could think was “I can just google this. Why would I ever need to memorize these numbers?” The truth is, you won’t. You will likely remember a few key ports just from seeing them in your day-to-day job. For instance, I don’t think I will ever forget that port 443 is HTTPS and port 80 is HTTP, but there are roughly 50 ports and protocols that I memorized for the exam, and that saved my test on a few occasions. Throughout the exam, you will likely need to analyze log files from various devices such as a SIEM. Those log files will have port numbers associated with them, and the only way you are going to have any clue what is going on in that log is by understanding the protocol that is being referenced in the log. For example, if you see communications over port 25, you can determine that insecure emails are being transmitted. If you see port 3389 referenced, you know that someone is utilizing the remote desktop protocol (RDP) and you may want to look into your authentication mechanisms and controls. Knowing these boring things can be a life-saver on the exam. For topics like this, the only way to absorb the information is simple memorization and for memorization tasks my favorite technique is spaced repetition.
Spaced repetition is a technique for memorization where you re-visit topics by attempting to actively recall them at various intervals. The goal is to commit that information to memory and to reduce the amount of the information that you forget with each repetition. For example, the first time you review the ports and protocols you should go through all of them, write them out, and attempt to commit them to memory. Then, the next day, start your study session off by trying to write down as many of the ports and associated protocols as you can remember, without referencing your notes. Once you’ve done that, you can review your original notes and fill in any gaps. Keep doing that over a two-week period, and you will have those ports memorized just like your own phone number. I have even seen success utilizing spaced memorization in the same day or within the same study session. If you touch on a topic at the beginning of your session, and then attempt to recall as much as possible before wrapping up for the day, you will give your brain another chance to log that information into longer-term memory.
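To make the log-reading point from this tip concrete, here is an added example (not part of the original article) that reads firewall-style log lines the way an exam question expects: by destination port. The key=value log format, the sample lines, and the names `parse_line` and `triage` are constructed for illustration; only the four ports the article mentions are in the lookup.

```python
import re
from collections import Counter

# Ports named in the article, with the reading it gives for each (None = nothing to flag).
PORT_NOTES = {
    25:   ("SMTP", "email that may be travelling unencrypted"),
    80:   ("HTTP", "unencrypted web traffic"),
    443:  ("HTTPS", None),
    3389: ("RDP", "remote desktop in use; review authentication controls"),
}

# Constructed sample lines in a generic key=value style (not a real product's format).
SAMPLE_LOG = """\
2023-01-10T09:14:02Z action=allow src=10.0.4.17 dst=203.0.113.25 dport=25
2023-01-10T09:14:05Z action=allow src=10.0.4.17 dst=203.0.113.25 dport=25
2023-01-10T09:15:11Z action=allow src=198.51.100.7 dst=10.0.2.30 dport=3389
2023-01-10T09:15:40Z action=allow src=10.0.4.22 dst=192.0.2.80 dport=443
2023-01-10T09:16:01Z action=deny src=10.0.4.22 dst=192.0.2.80 dport=8081
this line is truncated dport=
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return a dict of fields, or None if the line has no numeric dport."""
    fields = dict(FIELD.findall(line))
    if not fields.get("dport", "").isdigit():
        return None
    fields["dport"] = int(fields["dport"])
    return fields

def triage(log_text):
    """Count (src, dst, port) flows and attach the protocol reading to each."""
    flows, skipped = Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        flows[(rec.get("src"), rec.get("dst"), rec["dport"])] += 1
    findings = []
    for (src, dst, port), n in sorted(flows.items(), key=lambda kv: kv[0][2]):
        proto, note = PORT_NOTES.get(port, ("unknown", "port not memorized; look it up"))
        if note:  # HTTPS carries no note, so it is not reported
            findings.append((port, proto, src, dst, n, note))
    return findings, skipped

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG)[0], sep="\n")
```

The port 8081 entry shows what happens without the memorized mapping: the flow is still counted, but nothing can be said about it until the protocol is identified.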
5. Practice How You Play
Take practice exams! Take several of them and then use them to determine where you need to spend more of your time. At the beginning of this process, you may have thought you knew risk management concepts really well, but when you take your first practice exam you may realize that there are several concepts within cyber risk management with which you are not familiar. For that reason, you need to take your first practice exam early and take several throughout the course of your studies to measure progress. In my studies, I took my first practice exam on day 2, which allowed me to focus my studying for the rest of the week on the areas where I performed the worst. I, then, took a second exam on the last day of that first week, to measure my progress and to see where I needed to allocate my time next. Finally, I took a third exam just two days before taking the real one at the testing center. The purpose of this was threefold. One, it helped me confirm that I was actually ready to take the exam. Two, it helped me identify any areas where I still may need some last-minute review, and three, it helped me practice for actually taking the exam.
When I take practice exams, I make the environment as close to what I will experience on gameday as possible. For this test, I would be sat down in front of a computer screen and given one sheet of notepaper to utilize throughout the test. For my practice, I put myself in that same environment. I sat down in front of a screen with no other distractions and one sheet of paper and a pencil to take the exam. I tried to make my testing environment as close as possible to the real thing, so that I could be the most comfortable when taking the actual exam. This has worked for me for several exams in the past and I cannot recommend it enough.
Conclusion
Those were my top 5 tips that helped me pass the CompTIA Security+ exam in only two weeks. As a recap:
1. Know the exam objectives
2. Focus on weak areas
3. Audio and video are your friends
4. Memorize the boring stuff
5. Practice how you play
Those five tips allowed me to pass the exam with a short runway and many competing priorities. If you are interested in the resources I used to study for the exam, I’ve linked to them below. Thanks for reading!