Tuesday, January 1, 2013

Security+ and Performance Based Questions


If you’re planning on taking the Security+ exam you can expect to see performance based questions.  They have already been added to A+ and Network+ exams. You can read more about performance based questions here, but in short a performance based question requires you to perform a task rather than simply requiring you to answer a multiple choice question.
I've fielded several questions about these related to Security+, so here are answers to some common questions.

When Do They Appear in Security+?

CompTIA has stated that these types of questions will begin to appear in the Security+ exam in the first quarter of 2013. This could be any time between January 1st and March 31st, 2013.
If you've taken the exam and you saw them, I'd love to hear from you so that I can let readers know they have started to appear. You can leave a comment on this page or send me a note through my contact page.

How Many Questions Are on The Security+ Exam?

When you have only multiple choice questions, the Security+ exam includes 100 questions.
When performance based questions are added, you'll probably have 90 questions with 87 questions being basic multiple choice questions and three being performance based questions. Here are a couple of pages that give sample multiple choice questions:

What Performance Based Questions Should I Expect?

At this writing, the only people that know the answer to this question are people at CompTIA. However, based on how CompTIA has done this with other exams, we can predict what you might see.

Command Prompt

You might be asked to perform a task from the command prompt. You'll have access to a simulated command prompt and be required to perform a specific task.
In the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide, I gave an example (pages 411 and 412) with a couple of graphics that could easily be used in this exam.
The question could go like this: "Determine if the file shown in the graphic is valid."  The file in the graphic includes a valid MD5 hash.
You are then put into a command prompt with nothing more than a blinking cursor. What do you do?
The first step is to see what is in the current directory. You could do so with the dir command. More than likely, you'll see the file that was displayed in the graphic, along with programs that can be used to create a hash such as md5sum and sha1sum.
Next, you'd calculate the hash on the file using the correct program. This requires you to know that the hash shown in the graphic is an MD5 hash. You'd then run the md5sum program against the file to calculate the hash. If the hash shown in the graphic was a SHA1 hash, you'd need to run sha1sum instead.
That's it. In retrospect, you only need to enter two commands: dir and md5sum filename. However, you need to have some underlying knowledge to do so successfully.

Click on a Diagram

You might be asked to click on a diagram to select something. As an example, you might be tasked with giving a user appropriate permissions to perform job tasks. The diagram then shows a list of groups with specific permissions assigned. You then need to pick which group (or groups) to put the user into.
The key here would be to remember the principle of least privilege and ensure that the user is granted enough rights and permissions to perform the job and no more.

What is the Biggest Challenge?

Many of the questions are straightforward and it's easy to identify what is desired. However, the biggest challenge many people report with these types of questions is figuring out what some of the questions are actually asking. For example, the sample in the Command Prompt section earlier only states "Determine if the file shown in the graphic is valid" and shows a graphic. It doesn't tell you to run the dir and the md5sum commands. However, this is the only way you can determine if the file is valid.
With that in mind, you often need to give these types of questions a little more thought and pay attention to the clues given in the question.

How Much Are These Questions Worth?

More than likely these questions are worth more than a typical multiple choice question. While CompTIA doesn't release the actual value of any single question, it's entirely possible that each question is worth a little more than 4 percent of the total.
If the original exam has 100 multiple choice questions and the new exam has 87 multiple choice questions with three performance based questions, these three performance based questions could be worth about 13 percent of the total. If you divide 13 percent by three, it's a little over 4.

Will Books Be Updated to Include Performance Based Questions?

It's unlikely that any books will be updated specifically for the Performance Based Questions. It takes an extensive amount of time and effort to rewrite, edit, layout, proof, and reprint books.
Certification books are typically only updated when the certification changes significantly. For example, the differences in the objectives between SY0-201 and SY0-301 Security+ objectives were significant. Publishers that had SY0-201 books in print published new books on the SY0-301 exam.
Further, most books include the content needed to successfully pass these performance based questions. The objectives aren't changing. The only thing that is changing is the way that the objectives are being tested. If you understand the content, you will be able to answer the questions.
Along these lines, I've been asked a few times if the CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide will be updated. This isn't likely. I expect that CompTIA will be releasing new objectives for the SY0-401 exam sometime this year.  When they do, I'll be updating the SY0-301 Study Guide. You'll probably still be able to take the SY0-301 exam through at least part of 2014.

Summary

If you’re planning on taking the Security+ exam any time from today on, you can expect to see performance based questions. These questions are different than multiple choice questions but they are not impossible to answer. If you understand the content, you will likely be able to answer these questions without too much difficulty.