CISSP 2015: What’s New (Part 2 of 5)

September 16, 2015 at 6:29 am | Posted in CISSP, Study hints, study tips, Vendor news

In my first post, I gave you a quick overview of the changes to the new CISSP exam. The topics there should at least help you get started preparing for the exam. With this post, I’ll start discussing the domains covered by the new CISSP exam.

The former version of CISSP had 10 domains:

  1. Access Control
  2. Telecommunications and Network Security
  3. Information Security Governance and Risk Management
  4. Software Development Security
  5. Cryptography
  6. Security Architecture and Design
  7. Security Operations
  8. Business Continuity and Disaster Recovery Planning
  9. Legal, Regulations, Investigations, and Compliance
  10. Physical Security

With the 2015 update, the content was rearranged into 8 domains:

  1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  2. Asset Security (Protecting Security of Assets)
  3. Security Engineering (Engineering and Management of Security)
  4. Communications and Network Security (Designing and Protecting Network Security)
  5. Identity and Access Management (Controlling Access and Managing Identity)
  6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  8. Software Development Security (Understanding, Applying, and Enforcing Software Security)

Today I will cover the first two domains, Security and Risk Management and Asset Security. First I’ll give you the entire overview of each domain with its Key Areas of Knowledge, tell you where each topic fell in the old Candidate Information Bulletin (CIB), and flag each new topic with “New”. Next, I’ll call out the completely new content from each sub-domain and give you a brief rundown of what it entails.

Domain 1: Security and Risk Management – Framework and Key Areas of Knowledge

The majority of the new Domain 1 merges topics from the old Domain 3 (Information Security Governance & Risk Management) and Domain 9 (Legal, Regulations, Investigations, & Compliance).

Domain 1 Key Areas of Knowledge:

    1. Understand and apply concepts of confidentiality, integrity, and availability. – From Domain 3, subheading c in old version.
    2. Apply security governance principles through:
      1. Alignment of security function to strategy, goals, mission, and objectives (e.g., business case, budget, and resources) – From Domain 3, subheading a and j in old version.
      2. Organizational processes (e.g., acquisitions, divestitures, governance committees) – From Domain 3, subheading b in old version.
      3. Security roles and responsibilities – From Domain 3, subheading b and Domain 9, subheading c in old version.
      4. Control frameworks – From Domain 3, subheading b in old version.
      5. Due care – From Domain 3, subheading b in old version.
      6. Due diligence – From Domain 3, subheading b in old version.
    3. Compliance
      1. Legislative and regulatory compliance – From Domain 3, subheading b and Domain 9, subheading e in old version.
      2. Privacy requirements compliance – From Domain 3, subheading b in old version.
    4. Understand legal and regulatory issues that pertain to information security in a global context.
      1. Computer crimes – From Domain 9, subheading a in old version.
      2. Licensing and intellectual property (e.g., copyright, trademark, digital-rights management) – From Domain 9, subheading a in old version.
      3. Import/export controls – From Domain 9, subheading a in old version.
      4. Trans-border data flow – From Domain 9, subheading a in old version.
      5. Privacy – From Domain 9, subheading a in old version.
      6. Data breaches – New
    5. Understand professional ethics.
      1. Exercise (ISC)2 Code of Professional Ethics. – From Domain 9, subheading b in old version.
      2. Support organization’s code of ethics. – From Domain 9, subheading b in old version.
    6. Develop and implement documented security policy, standards, procedures, and guidelines. – From Domain 3, subheading d and j in old version.
    7. Understand business continuity requirements.
      1. Develop and document project scope and plan. – From Domain 8, subheading a in old version.
      2. Conduct business impact analysis. – From Domain 8, subheading b in old version.
    8. Contribute to personnel security policies.
      1. Employment candidate screening (e.g., reference checks, education verification) – From Domain 3, subheading h in old version.
      2. Employment agreement and policies – From Domain 3, subheading h in old version.
      3. Employment termination processes – From Domain 3, subheading h in old version.
      4. Vendor, consultant, and contractor controls – From Domain 3, subheading h in old version.
      5. Compliance – New
      6. Privacy – New
    9. Understand and apply risk management concepts.
      1. Identify threats and vulnerabilities. – From Domain 3, subheading g in old version.
      2. Risk assessment/analysis (qualitative, quantitative, hybrid) – From Domain 3, subheading g in old version.
      3. Risk assignment/acceptance (e.g., system authorization) – From Domain 3, subheading g in old version.
      4. Countermeasure selection – From Domain 3, subheading g in old version.
      5. Implementation – New
      6. Types of controls (preventive, directive, corrective, etc.) – From Domain 1, subheading a in old version.
      7. Control assessment – New
      8. Monitoring and measurement – New
      9. Asset valuation – From Domain 1, subheading b and Domain 3, subheading g in old version.
      10. Reporting – New
      11. Continuous improvement – New
      12. Risk frameworks – New
    10. Understand and apply threat modeling. – Although some of this topic was covered in Domain 1, subheading b, the majority of this topic is new.
      1. Identifying threats (e.g., adversaries, contractors, employees, trusted partners) – New
      2. Determining and diagramming potential attacks (e.g., social engineering, spoofing) – New
      3. Performing reduction analysis – New
      4. Technologies and processes to remediate threats (e.g., software architecture and operations) – New
    11. Integrate security risk considerations into acquisition strategy and practice
      1. Hardware, software, and services – New
      2. Third-party assessment and monitoring (e.g. on-site assessment, document exchange and review, process/policy review) – From Domain 3, subheading f in the old version.
      3. Minimum security requirements – New
      4. Service-level requirements – New
    12. Establish and manage information security education, training, and awareness – From Domain 3, subheading i in old version. Although this topic is covered there, the 2015 subheadings are all new.
      1. Appropriate levels of awareness, training, and education required within organization – New
      2. Periodic reviews for content relevancy – New

Domain 1 – Just the New Topics, Ma’am

Next, here’s a shortlist of the entirely new topics in Domain 1.

From Knowledge Area D. Understand legal and regulatory issues that pertain to information security in a global context:

  • Data breaches – While this is a “new” topic because it wasn’t originally in Domain 9, subheading a, most of the topics covered in this section should already be known to the security professional.

From Knowledge Area H. Contribute to personnel security policies:

  • Compliance – This is a new topic. While compliance is covered in other areas, the CISSP exam has never specifically covered compliance as related to personnel security policies. This topic will focus on the ways an organization can ensure that personnel comply with any security policies that are in place.
  • Privacy – This is a new topic. While privacy is covered in other areas, the CISSP exam has never specifically covered privacy as related to personnel. This topic will focus on the organization’s responsibility to ensure that personnel’s information remains private, and also on how to ensure that personnel understand the importance of privacy for any data the organization owns.

From Knowledge Area I. Understand and apply risk management concepts:

  • Implementation – This is a new topic. It focuses on following implementation guidelines when implementing a risk management process at an organization.
  • Control assessment – This is a new topic. It covers how to assess the controls that you have implemented.
  • Monitoring and measurement – This is a new topic. It covers monitoring and measuring risk and the controls that are implemented to protect against the risks.
  • Reporting – This is a new topic. It explains the process for reporting on risk management.
  • Continuous improvement – This is a new topic. It covers how to improve the risk management process over time.
  • Risk frameworks – While technically a new topic, risk frameworks were generally covered as part of the risk management process, just not as an individual topic. This topic is about any international and industry risk frameworks that may be available to help guide your organization.

From Knowledge Area J. Understand and apply threat modeling:

  • Identifying threats (e.g., adversaries, contractors, employees, trusted partners) – This is a new topic. It discusses the different threats to organizational security.
  • Determining and diagramming potential attacks (e.g., social engineering, spoofing) – This is a new topic. It focuses on the potential attacks that the threats can carry out.
  • Performing reduction analysis – This is a new topic. Reduction analysis means decomposing the system or application being modeled into its parts so that you can see where attacks would land: its trust boundaries, data flow paths, input points, privileged operations, and the security assumptions each component makes. The point is to work out, component by component, which of the identified threats and attacks can be reduced or removed.
  • Technologies and processes to remediate threats (e.g, software architecture and operations) – This is a new topic. It focuses on how to remediate the threats that you identified.

From Knowledge Area K. Integrate security risk considerations into acquisition strategy and practice:

  • Hardware, software, and services – This is a new topic. It covers the security risks of the hardware, software, and services that an organization takes on through acquisitions.
  • Minimum security requirements – This is a new topic. It focuses on determining the minimum security requirements when an acquisition occurs.
  • Service-level requirements – This is a new topic. It discusses all facets of service-level requirements when acquisitions occur.

From Knowledge Area L. Establish and manage information security education, training, and awareness:

  • Appropriate levels of awareness, training, and education required within organization – This is a new topic. It covers levels of security awareness, training, and education that should be provided to personnel.
  • Periodic reviews for content relevancy – This is a new topic. It focuses on reviewing the security education, training, and awareness program to ensure that new security topics are covered.

Domain 2: Asset Security – Framework and Key Areas of Knowledge

The majority of Domain 2 consists of new knowledge areas and topics, though it also pulls in a bit of content formerly included in the old Domains 5 (Cryptography) and 7 (Operations Security). Why is there so much new content to cover here? Big data is a big asset, and as (ISC)2 points out, privacy considerations have increased due to “the rapid expansion in the collection and storage of digitized personal information.”

As before, I’ll start by introducing the new content in the context of its domain, then give you a granular breakdown.

  1. Classify information and supporting assets (e.g., sensitivity, criticality) – New
  2. Determine and maintain ownership (e.g., data owners, system owners, business/mission owners) – New
  3. Protect privacy – New
    1. Data owners – New
    2. Data processors – New
    3. Data remanence – New
    4. Collection limitation – New
  4. Ensure appropriate retention (e.g., media, hardware, personnel) – From Domain 7, subheading a in the old version.
  5. Determine data security controls (e.g., data at rest, data in transit) – From Domain 5, subheading a in old version. Although this topic is covered there, the 2015 subheadings are all new.
    1. Baselines – New
    2. Scoping and tailoring – New
    3. Standards selection – New
    4. Cryptography – New
  6. Establish handling requirements (markings, labels, storage, destruction of sensitive information) – From Domain 7, subheading a in the old version.

Domain 2 – Just the New Topics already

Here’s a closer look at the new topics in Domain 2.

Knowledge Area A, Classify information and supporting assets (e.g., sensitivity, criticality) – Although this is a new knowledge area, it was covered (though briefly) as part of the former CISSP. It covers the procedures for classifying information and assets as part of securing them.

Knowledge Area B, Determine and maintain ownership (e.g., data owners, system owners, business/mission owners) – This is a new knowledge area. It focuses on determining which organizational entity or personnel owns the assets you have identified.

Knowledge Area C, Protect privacy – This is another new knowledge area. It discusses protecting the privacy of information and assets. All of the subheadings in this category are also new.

  • Data owners – This is a new topic. It covers the responsibilities of data owners to ensure the privacy of information and assets.
  • Data processors – This is a new topic. It focuses on ensuring that all data processors (including personnel and other assets) understand the importance of information and asset privacy.
  • Data remanence – This is a new topic. It discusses data remanence and its effects on information and asset privacy.
  • Collection limitation – This is a new topic. It focuses on the collection limitations regarding asset privacy.

From Knowledge Area E, Determine data security controls (e.g., data at rest, data in transit):

  • Baselines – This is a new topic. It covers how to obtain data security control baselines.
  • Scoping and tailoring – This is a new topic. It analyzes how to scope and tailor the data security controls to meet the organization’s needs.
  • Standards selection – This is a new topic. It focuses on how to select the security control standards that your organization will use.
  • Cryptography – While technically a new topic, knowledge of cryptography and its effect on data security were covered in Domain 5 in the old version.

In the coming weeks, I will be posting the other 3 parts of this series. (Hyperlinks will be added as the posts are written.)

      • Part 1 covered general information about the new CISSP.
      • Part 2 (this post) covers new domain 1 and 2.
      • Part 3 will cover new domain 3 and 4.
      • Part 4 will cover new domain 5 and 6.
      • Part 5 will cover new domain 7 and 8.

The next three posts will come over the next few weeks.

It is our hope that this information will help you prepare for this exam! Remember, our practice test covers all the topics and also the different item types that you will see on the live exam.

Wishing you certification success!


Reader writes: Where can server admins find good PowerShell training?

November 10, 2014 at 12:48 pm | Posted in Microsoft, Study hints, study tips, Technical Tips | 1 Comment

Editor’s Note: Regarding PowerShell and Passing the Microsoft 70-410 exam: one trainer’s perspective (Part 2), reader Jeremy Brown recently commented: “I feel there should be more sections in training materials dedicated to recapping PS… there is a disparity between expected knowledge and printed material…” Blog post guest author Scott Winger attempts to find some workable solutions.

For those of us who aren’t yet PowerShell Masters, Jeremy’s point is painfully sharp when one considers code snippets such as this one from’s Cyber Defense & Cybersecurity blog:

filter extract-text ($RegularExpression) {
    select-string -inputobject $_ -pattern $RegularExpression -allmatches |
    select-object -expandproperty matches |
    foreach {
        # No capture groups: emit the whole match
        if ($_.groups.count -le 1) { if ($_.value) { $_.value } }
        else {
            # Capture groups present: emit each non-empty group, skipping group 0 (the whole match)
            $submatches = select-object -input $_ -expandproperty groups
            $submatches[1..($submatches.count - 1)] | foreach { if ($_.value) { $_.value } }
        }
    }
}

Get-Service | ForEach {
    $sctxt = sc.exe qc $_.Name
    $Path = $sctxt | extract-text -reg 'BINARY_PATH_NAME\W+\:[\W\"]+([^\"]+)'
    $Identity = $sctxt | extract-text -reg 'SERVICE_START_NAME\W+\:[\W\"]+([^\"]+)'
    Add-Member -InputObject $_ -NotePropertyName "Path" -NotePropertyValue $Path
    Add-Member -InputObject $_ -NotePropertyName "Identity" -NotePropertyValue $Identity
    $_   # Add-Member emits nothing without -PassThru, so pass the service object on ourselves
} | format-list Name,DisplayName,Identity,Path
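To make that snippet easier to pick apart, here is the same job written as a plain function and run over constructed sample output, so you can try it without touching a live server. This is an added example, not code from the blog post or from the snippet’s author; the function name, the variable names, and the two made-up services are this example’s own.

```powershell
# Added example, not code from the blog post or from the snippet's author.
# It does the same job as the snippet above (pull the binary path and the
# logon account out of "sc.exe qc" text) as a plain function, and runs it over
# constructed sample output so it can be tried without touching a real server.

function ConvertFrom-ScQueryConfig {
    param(
        [Parameter(Mandatory)] [string]   $ServiceName,
        [Parameter(Mandatory)] [string[]] $ScOutput      # lines printed by: sc.exe qc <name>
    )

    # Same two patterns as the snippet. Read them left to right:
    #   label, one or more non-word chars, a colon, then spaces and an optional
    #   opening quote, then capture group 1 = everything up to the next quote.
    # For a quoted path this yields the path without its arguments; for an
    # unquoted path it yields the rest of the line, arguments included.
    $pathPattern     = 'BINARY_PATH_NAME\W+\:[\W\"]+([^\"]+)'
    $identityPattern = 'SERVICE_START_NAME\W+\:[\W\"]+([^\"]+)'

    $path     = $null
    $identity = $null

    # Match line by line, as the snippet does by piping $sctxt into a filter;
    # [^\"]+ would otherwise run across line breaks and swallow the lines after it.
    foreach ($line in $ScOutput) {
        if ($line -match $pathPattern)     { $path     = $Matches[1].Trim() }
        if ($line -match $identityPattern) { $identity = $Matches[1].Trim() }
    }

    [pscustomobject]@{
        Name     = $ServiceName
        Identity = $identity
        Path     = $path
    }
}

# Constructed sample: what "sc.exe qc" prints for two made-up services,
# one with a quoted path and one without.
$sample = [ordered]@{
    'ExampleSvc' = @(
        '[SC] QueryServiceConfig SUCCESS',
        '',
        'SERVICE_NAME: ExampleSvc',
        '        TYPE               : 10  WIN32_OWN_PROCESS',
        '        START_TYPE         : 2   AUTO_START',
        '        ERROR_CONTROL      : 1   NORMAL',
        '        BINARY_PATH_NAME   : "C:\Program Files\Example\ExampleSvc.exe" -service',
        '        LOAD_ORDER_GROUP   :',
        '        TAG                : 0',
        '        DISPLAY_NAME       : Example Service',
        '        DEPENDENCIES       :',
        '        SERVICE_START_NAME : NT AUTHORITY\LocalService'
    )
    'OtherSvc' = @(
        'SERVICE_NAME: OtherSvc',
        '        BINARY_PATH_NAME   : C:\Windows\system32\svchost.exe -k netsvcs',
        '        SERVICE_START_NAME : LocalSystem'
    )
}

$report = foreach ($name in $sample.Keys) {
    ConvertFrom-ScQueryConfig -ServiceName $name -ScOutput $sample[$name]
}
$report | Format-Table Name, Identity, Path -AutoSize

# Against a live machine, feed the function real sc.exe output instead:
#   Get-Service | ForEach-Object {
#       ConvertFrom-ScQueryConfig -ServiceName $_.Name -ScOutput (sc.exe qc $_.Name)
#   } | Format-Table Name, Identity, Path -AutoSize
```

Two things worth noticing once it is laid out this way: the regex only captures a clean path when the service’s path is quoted (for an unquoted path you get the arguments too, which is exactly the detail an auditor wants to see), and the per-line matching is what keeps `[^\"]+` from running on into the following lines. When you just want the table rather than the parsing lesson, `Get-CimInstance Win32_Service` exposes the same data directly as its `PathName` and `StartName` properties.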

In this post, I’ll explain how you can teach yourself to analyze and create arbitrarily complex scripts, i.e., how to teach yourself to master PowerShell. But before starting, I want to share a little-known droll fact: there’s an annual contest to see who can deliberately write the most impossibly abstruse code:

Although this contest is for programs written in C, I’ve included it to show that countless others have wrestled with code that’s far too complex.

First, a few words in praise of PowerShell

Jeffrey Snover, Parser, Syntax, Major Domo, Rom-Com.

At this moment you should be thinking:

Good Golly man! … Is that a typo or are you drunk?

Let’s take a look at these words a little more closely and then you can decide whether or not I need a 12-step program (or at least an editor) before blogging for a hapless audience.

Jeffrey Snover:
He’s the guy who invented PowerShell. And, to give you an idea how important PowerShell is to your 70-410 endeavor, he’s also the Lead Architect for Windows Server 2012. So at this moment, you should be thinking, [[Holy SYNTAX DIAGRAM, Batman! If I’m gonna master Server 2012, I’d better learn PowerShell!]] This is absolutely true because, thanks to the vision of Mr. Snover, Server 2012 can be controlled, customized, queried, and tuned by over 2,400 PowerShell cmdlets.

Precious few IT pros even know what a parser is, let alone recognize its quiet-yet-vital role in their success. But IT masters know parsers well. Whether you’re doing PowerShell, NSLookups, DiskPart.exe, or CMD.exe … heck, even when you’re clicking the mouse, it’s the parser that’s your Major Domo. It’s the parser that captures, interprets, and carries out your every syntactically correct command. So get to know PowerShell’s parser via the suggestions I’ve provided in the section below. And, then, practice, practice, practice.

Every language, spoken, written, mathematical, or musical, has a set of rules that its speakers have to know. And the rules for a language’s constructs are called its syntax. In the case of PowerShell, although at first you might be dazzled by its syntactical complexities, the mother of all PowerShell syntax diagrams fits on four printed pages. And this brings us to Rom-Com. You and PowerShell can do great things together. But, unlike two people in a cheesy romantic comedy who fall in love without speaking the same language, you and PowerShell won’t even get started if you don’t learn its syntax. So print and master the few pages of the PowerShell about_Command_Syntax file mentioned below.

Second, a curated list of resources and study tactics

Whenever one endeavors to learn a new programming language, a trip to the armory is a good first step, because you need learning resources.

Enter and explore the doorway to the Learning PowerShell Arsenal:

Download the about_Command_Syntax document from Microsoft’s official PowerShell Syntax Authority. And I recommend that you keep it handy and refer to it often. (Here’s the link:

Sign up for and become active on the Hey Scripting Guy PowerShell forum. Those of us who’ve been around long enough to remember the coveted, expensive, and hard-to-get IBM Red Books are astonished that this era’s IT experts are so helpful by tradition — and for free. Here’s the Hey Scripting Guy link:

Head over to YouTube and root out the many excellent PowerShell videos, such as this one from TechEd North America 2014:

Study complex PowerShell code on your breaks and before bed.

And now for the big guns:  Buy Don Jones’ and Jeffrey Hicks’ Learn Windows PowerShell 3 in a Month of Lunches. Lunch is optional, but the labs are not: do them as you work through each chapter.

[Editor’s note: I’m amending Scott’s post to second the reader’s recommendation of Windows PowerShell Best Practices by Hey Scripting Guy writer Ed Wilson, highlighted in a comment below.]

Third, the call to action

Fire up PowerShell and start with some “get” statements so you’ll do no harm. Then take your first baby steps using some simple “set” statements.

Then, start building your own custom library of scriptlets with commonly used categories, such as:

\Writing\[same folders as parsing]

Proceed apace to Advanced Analytical PowerShelling:

Predict the results/output of PowerShell code that’s a step or two or even way beyond your current abilities. Then run the script and compare your guesstimates to the results. Of course, for this type of practice, a computing sandbox in which you can unleash total annihilation is a must.

Correspond with experts by seeking out and participating in PowerShell special use case blogs, such as those at SANS Security and elsewhere:

Look into the relationship PowerShell has with .NET and how you can use PowerShell underneath the graphical world of C#.

Take PowerShell to new unconquered worlds via Desired State Configuration, Puppet Forge, and PowerCLI.

And here are some thoughts and words for those who would be PowerShell Mystics:

Study the notion of an Abstract Syntax Tree; diagram pieces of its underlying data structure on paper. Then celebrate as you come to understand how PowerShell’s Tab Completion feature works.
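You don’t have to draw the tree purely on paper: PowerShell ships its own parser and will hand you the AST of any script. The following is an added example, not code from the post, using the System.Management.Automation.Language parser (PowerShell 3.0 and later) to list every command a script invokes, with its parameters, and then asking the engine for the completions that tab completion is built on. The function names and the sample script are this example’s own. The same trick is a quick way to see what an unfamiliar script would call before you run it.

```powershell
# Added example, not code from the post. It uses PowerShell's own parser
# (System.Management.Automation.Language, PowerShell 3.0 and later) to expose
# the Abstract Syntax Tree behind a script, then asks the same engine for the
# candidates tab completion would offer. Function names and the sample script
# are this example's own.

function Get-ScriptCommandSummary {
    param([Parameter(Mandatory)] [string] $ScriptText)

    $tokens = $null
    $errors = $null
    # Parser.ParseInput returns the root ScriptBlockAst; tokens and parse
    # errors come back through the [ref] arguments rather than as exceptions.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref] $tokens, [ref] $errors)

    if ($errors.Count -gt 0) {
        throw ('Parse error(s): ' + (($errors | ForEach-Object { $_.Message }) -join '; '))
    }

    # Walk the whole tree, including nested script blocks ($true), and keep
    # every command invocation node.
    $commands = $ast.FindAll({ $args[0] -is [System.Management.Automation.Language.CommandAst] }, $true)

    foreach ($cmd in $commands) {
        # Named parameters are separate CommandParameterAst children of the command
        $params = $cmd.CommandElements |
            Where-Object { $_ -is [System.Management.Automation.Language.CommandParameterAst] } |
            ForEach-Object { '-' + $_.ParameterName }

        [pscustomobject]@{
            Line       = $cmd.Extent.StartLineNumber
            Command    = $cmd.GetCommandName()   # $null when the command name is not a literal
            Parameters = ($params -join ' ')
            Text       = $cmd.Extent.Text
        }
    }
}

# Constructed sample script to analyze (it is parsed, never executed)
$sampleScript = @'
Get-Service | Where-Object { $_.Status -eq 'Running' } |
    Select-Object -Property Name, DisplayName |
    Export-Csv -Path C:\temp\services.csv -NoTypeInformation
'@

Get-ScriptCommandSummary -ScriptText $sampleScript |
    Format-Table Line, Command, Parameters -AutoSize

# The same parser feeds tab completion. CommandCompletion.CompleteInput takes
# the text typed so far plus the cursor position and returns the candidates.
function Get-TabCandidate {
    param([Parameter(Mandatory)] [string] $Typed)
    $completion = [System.Management.Automation.CommandCompletion]::CompleteInput($Typed, $Typed.Length, $null)
    $completion.CompletionMatches | ForEach-Object { $_.CompletionText }
}

Get-TabCandidate -Typed 'Get-Servi' | Select-Object -First 5
```

Run it and you get four CommandAst nodes for the sample (Get-Service, Where-Object, Select-Object, Export-Csv) with their parameter names, even though Where-Object’s argument is a nested script block; that is the `$true` in FindAll at work. Tab completion walks the same tree to decide whether the cursor sits on a command name, a parameter, or an argument, which is why it can offer `-Path` after `Export-Csv` but not after `Get-Service`.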

Study rudimentary Data Structures: Arrays, B-Trees, Heaps, Linked Lists, etc., because it’s the data structures that lie at the heart of all programming. Understanding underlying data structures is also, often, the key to troubleshooting complex IT problems.

If you’ve got comments I’d like to hear ’em.

And good luck with your 70-410,


P.S. If you’ve been wondering, [What’s up with the square brackets?]  Well, speaking of parsers, I had the good fortune of taking a Programming Languages and Compilers course at one of the world’s greatest Computer Science universities.  And when one writes a parser to carry out specific commands, one quickly absorbs the nature and value of brackets, braces, and parentheses.  So the brackets are this scrivener’s habit and they are what they seem: a simple delimiter for emphasis.

Editor’s note: today’s guest post was written by IT instructor Scott Winger. Scott is a computing technologist at the University of Wisconsin in Madison and a technical editor for VMware Press. He also teaches continuing education classes in IT for Madison College.

Passing the Microsoft 70-410 exam: one trainer’s perspective (Part 2)

September 16, 2014 at 8:45 am | Posted in Microsoft, Study hints, study tips | 18 Comments

Editor’s note: today’s guest post was written by IT instructor Scott Winger. Scott is a computing technologist at the University of Wisconsin in Madison and a technical editor for VMware Press. He also teaches continuing education classes in IT for Madison College.

In Part 1, I provided a timeline for gathering resources and working yourself up to exam day. In this post, I’m going to focus on the exam’s content and provide examples from each of the 70-410 Objective Areas. In Part 3 I’ll provide tips for developing the required knowledge.

Vade Mecum (rhymes with shoddy kaboom): a handbook or guide that is kept constantly at hand for consultation. It’s the term elite computer scientists use when referring to a technical manual or field guide. But different types of manuals have different purposes:

  • “Run Books” tell you every keystroke for building a particular server, but are, by intent, skimpy on concepts.
  • The “Mastering,” “Unleashed,” and “Inside Out” tomes give an overview of every existing role and feature.
  • White papers tend to be a vendor’s promotion of their product or a think tank’s comparisons and recommendations.

For passing the 70-410, a simple, custom-made field guide is a surprisingly effective learning tool.

I emphasize custom-made because building it also builds the neuronal pathways you’re going to need. And, for passing the 70-410, it’s the pathways, i.e., the learning, we’re after, though, as you’ll see in the next post, rote memorization will play a key role too.

After taking the exam you’ll have the beginnings of a custom-made Server 2012 reference; but that’s just a bonus. As for format, .html .docx, .pdf, .txt, pen and paper, take your pick. Just make sure you can have a copy in your hands in the waiting room at the exam center for last-minute review – before you check in.

So, right out of my personal Server 2012 reference, here are some samples of questions you must be able to answer quickly and confidently when you take your 70-410 exam, broken down by exam objective.

Install and configure servers (15–20%)

What are the important differences between Windows Server 2008, Server 2008 R2, Server 2012, and Server 2012 R2?

What are the Server 2012 license types? How are they different?

What can you do when you run Server 2012’s setup.exe that you can’t do when you boot from the install DVD? And the reverse?

What is PowerShell Desired State Configuration? What are its requirements?

Configure server roles and features (15–20%)

Can you use RSAT on a Server 2008 or Windows 7 machine to remotely manage Server 2012 or Server 2012 R2 servers?

What is a “server pool” in the context of Server Manager 2012?

What are the limitations of Server Manager 2012 when managing Windows Server 2003 and 2008 servers?

What software must you install on Server 2003 servers in order to include them in Server Manager 2012 Pools? And on Server 2008?

What are “Work Folders” and what are the major steps for setting up the “simple” Work Folder configuration?

What are the architectural differences between the 6to4 and Teredo IPv6-over-IPv4 Tunneling Protocols? What has to be unblocked if you’re going to implement 6to4 and why? What are the optimal use cases for each?

What are the TCP and UDP ports that must be allowed in to a VPN server using PPTP? SSL? IPSec?

What are the tasks that can be done with Administrative Center that can’t be done with Active Directory Users and Computers?

What is iSNS and what is it used for?

What are the DHCP Code Numbers for the following DHCP Options:
• NetBIOS Name Server
• DHCP Relay Agent Information
• DNS server
• Router
• Domain Name
• NetBIOS Node Type

What are the IPv6 address prefix bit patterns? What are they each called? How are they used?

What is the maximum number of subnets you could create given this address space: 2001:5860:b002:3000::/53? And why? What is this address’ IPv6 prefix bit pattern? What is the type of this IPv6 address?

What is an ISATAP DNS host record, and how is it used? What, exactly, does an ISATAP device do?

What is an IPv6 port proxy, and when would you use it?

How do you configure a DNS server to always request name resolution services from the Start of Authority (SOA) DNS server for a particular namespace?

What is the purpose of the built-in DNSUpdateProxy Security Group?

What is the purpose of the InetOrgPerson object?

What are the types of AppLocker rules, and how do they differ from each other?

What was the predecessor to AppLocker called? How does AppLocker differ from its predecessor?

If you anticipate migrating to AppLocker from its predecessor, what preparatory decision will make this migration easier?

What are the TCP and UDP ports that are required for PPTP-based VPNs? SSTP? L2TP? What do these acronyms stand for? How are these protocols different? Which, if any, of these protocols are usually preferred? Why?

What must be configured to allow a Windows Deployment Server to be on a separate subnet from the clients to which it deploys operating systems?

What are the mechanics of DNS conditional forwarding?

Configure Hyper-V (15–20%)

What, exactly, does paravirtualized mean? What are the Microsoft terms for paravirtualized and non-paravirtualized components?

What are the most important new features and roles in Hyper-V 2012? What are they for?

What can and, as importantly, can’t, members of the Hyper-V Administrators group do?

What are the differences between .vhd and .vhdx files? What version of Windows Server introduced each?

In Hyper-V, what is “Dynamic Memory”? What is “Startup Memory”?

Why are five disks required to protect against the failure of two disks in a mirrored set?

What is Virtual Machine Chimney? What does it mean when we say that this feature has been deprecated?

Why is the Allow management operating system to share this network adapter setting required if I want one VM’s NIC to have more bandwidth than another VMs’ NICs?

Deploy and configure core network services (15–20%)

What are the command line switches for diskpart, and what does the “clean” switch do?

What features are added to a Core Installation of Server 2012 when you enable “Desktop Experience?”

What does the Configure-SMRemoting.exe command do?

What does cmdkey do?

What does the wmic qfe list command do? What do “wmic” and “qfe” stand for?

Install and administer Active Directory (15–20%)

How do you use Active Directory Users and Computers to set a default tray selection on a printer?

Why does inter-site replication for Global Security Groups require more [or less] network bandwidth than inter-site replication for Universal Security groups?

Which domain security group scopes can be converted to which other scopes? For each possible conversion, describe why it is or is not allowed, and list the memberships that must be removed before the conversion will be possible.

Do domain controllers have local Security Groups? Why or why not?

What, exactly, is a Security Principal?

Create and manage Group Policy (15–20%)

What are the things that can be done with Group Policy Preferences? How are Group Policy Preferences different from standard Group Policies?

What version of Windows Server first provided Group Policy Preferences?

As I said before, if you’ve got comments, I’d like to hear ’em!

Thanks in advance, and good luck.

–Scott Winger

Passing the Microsoft 70-410 exam: one trainer’s perspective (Part 1)

August 22, 2014 at 10:48 am | Posted in Microsoft, Study hints, study tips | 11 Comments

Editor’s note: today’s guest post was written by IT instructor Scott Winger. Scott is a computing technologist at the University of Wisconsin in Madison and a technical editor for VMware Press. He also teaches continuing education classes in IT for Madison College.

You did the labs, looked at countless flash cards, and sat almost two dozen mock exams. You read: tons. You paid your hundred and fifty bucks. Now you’ve just clicked End Exam on the real deal, the Microsoft 70-410: Installing and Configuring Windows Server 2012 exam.

So, in the second or two that Microsoft takes to grade your work, there’s a moment of confidence and pride because you know you nailed it. And then the confirmation appears: “Congratulations! You’ve passed.”

The above was my experience.

But how will you achieve that End-Exam moment of confidence and pride?

What do you need to buy?

What are the steps?

This set of posts, “Passing the Microsoft 70-410 exam,” will help you answer those questions.  I’ll provide closely focused examples from each of the official objective areas to help you know, how, where, when, and on what to focus your three required types of effort: lab work, research, and drilling.

What to Buy

The serious student who lacks reasonable access to a server will need to pay for labs, textbooks, or even training at some point. However, the good news is that there are many professional-level resources available for free.

For the price of a simple login, the Microsoft Virtual Academy allows you to customize a course of targeted videos and some basic self-assessment materials. The following link will deliver over 20 mini-courses for you to explore:

On the TechNet Video channel, you can access a series of screencasts and technologies geared for IT pros:

These overviews can be a great way to gain confidence in the material. However, for serious study and practice assessment, you’ll probably want to investigate the following resources, all of which I can recommend from personal use.

Craig Zacker wrote the Microsoft Official Academic Curriculum, Installing and Configuring Server 2012 R2. This course is available as both a textbook and a lab manual, and they are superbly constructed. And, not only did Craig team up with Microsoft’s Server 2012 team to write this book, but if you don’t have access to a machine with at least 12GB of RAM and an i5 class or better processor, you can buy a MOAC edition that comes with the Microsoft Official Academic Curriculum Labs Online space, which provides all the horsepower you’ll need for doing the labs.

(Note: the “Server 1” course I taught at my local Technical College came right out of Craig’s book. So check out the course catalog of your nearest Technical or Community College. You may be surprised how pertinent, affordable, and enriching these institutions can be.)

The next vital acquisition is one of the Server 2012 R2 tomes, which are designed to cover every role and feature and provide the valuable insights of their highly qualified authors. I used Mark Minasi’s Mastering Windows Server 2012 R2, and found it to be excellent.

When you’re ready to test your knowledge, Transcender’s 70-410 Exam Engine is not an option: it’s essential. The only question is when to buy it. (Read on for my recommendations for timing your purchase.) However, at this early stage, it’s worth joining the Transcender Club (a free login) so that you’ll be notified of any flash sales and possibly score yourself a discount.

Finally, of course, you’ll have to register and pay for the exam. Microsoft frequently rolls out a Second Shot program, which allows a free exam retake in case you don’t pass the first time. It’s worth checking their Special Offers page on a regular basis while you’re still in learning mode. And as of this writing, I see you can download a free e-book by Mitch Tulloch, Introducing Windows Server 2012 RTM Edition (PDF, Mobi, EPub).

That’s it. Buy the above things at the right times as described below, and work with them as they were designed to be used, and you can pass the difficult 70-410 with confidence.

What to Do (and when to do it)

To get started, buy Craig’s book and lab manual. And if you don’t have access to the computing power you’ll need, buy them with the online lab space. And buy one of the Server 2012 tomes.

Next, spend about a hundred hours reading Craig’s book cover to cover, doing the labs as you go. (If you didn’t purchase the edition with online labs, refer to the free Microsoft Virtual Academy and TechNet video training.) During this lab/research phase, you should supplement your reading with TechNet’s Server 2012 collection and by skimming the related sections in your tome.

There are also quite a few excellent resources on the web. Microsoft’s TechNet Library should live in your bookmarks bar.

When you’ve finished the research/lab phase, it’ll be time to buy the Transcender 70-410 test engine and drill with the flash cards and the mock exams. Your goal in this phase is to score in the mid-80 percentages each day for the entire week leading up to your exam. Remember, to be eligible for Transcender’s Pass Guarantee, you’ll need to take your exam within six months of the purchase date. (Also remember that if you buy the Exam Voucher with your test engine, that cost is not covered by the guarantee.)

In my next post I’ll describe how you can create a personalized Server 2012 study guide while doing your labs, research, flash cards, and mock exams. I’ll also focus in on questions from each of the 70-410 objective areas.

If you’ve got comments, I’d like to hear them.

Thanks in advance and good luck.

–Scott Winger

Transcender pros have published the perfect stocking stuffer

December 11, 2013 at 5:34 pm | Posted in CISSP, Kaplan IT Training news, Study hints | Leave a comment

Transcender developers Robin Abernathy and Troy McMillan have written the latest CISSP Cert Guide published by Pearson IT Certification, a leading publisher in the IT textbook and study guide field. This book is now available in print and electronic format through Amazon, Safari Books Online, Barnes & Noble, and other retailers, as well as directly from Pearson IT.


This book was released at the end of November. Purchasing the print copy also grants you a 45-day free trial of the e-edition through Safari Books Online. The print and electronic versions include two practice exams. The Premium Edition eBook includes additional practice exams and a more detailed answer key.

The authors were kind enough (a.k.a – they’re sitting right next to me so they don’t really have a choice) to provide a brief Q&A regarding the content.

Q. Would you say this book is exam-focused, or more of a general learning tool?

A. Definitely exam focused. It skips all of the intro fluff, and goes right to the meat of the exam topics.

Q. Who is the intended audience for this book?

A. The (ISC)2 CISSP exam itself requires that you have four to five years of hands-on experience in information systems security before trying to pass the test. This book contains what any EXPERIENCED security professional needs to review to pass the exam. It’s not designed for beginners.

Q. Do you need to own any particular equipment to use this book effectively?

A. The more devices and hardware you can use to practice the various security techniques, the better. For the book itself you’ll need a Windows desktop or VM to run the practice test engine.

Free resources to help you learn, master, and get certified on SQL Server 2012

November 1, 2012 at 10:27 am | Posted in Microsoft | 6 Comments

I am always trying to gain more knowledge that will advance my career. However, I’m finding that keeping up with the leading edge of technology can be a bit pricey. I don’t want to find myself looking for loose change in parking lots or scuba diving at night for quarters in the wishing fountain at the mall to pay for training and materials on SQL Server 2012. Thankfully, Microsoft offers a lot of FREE resources to help you learn SQL Server 2012.

Virtual Labs

I highly recommend the SQL Server 2012 virtual labs. At the time of this post, there are 19 labs that are between 45 and 90 minutes each. They cover such topics as AlwaysOn Availability Groups and Upgrading to SQL Server 2012. Bang-for-the-buck-wise, this is the best way to gain experience with SQL Server 2012. With these virtual labs, you don’t have to invest money in SQL Server 2012 licenses or buy additional hardware to set up a multi-server configuration to prepare for certification; you just need a high-speed Internet connection and Internet Explorer. The labs consist of virtual machines running SQL Server 2012 with accompanying lab text in a sidebar. Not every feature of SQL Server 2012 is enabled in the VM, but there are enough features to play around with and get a feel for the controls.

The labs have step-by-step instructions. I actually recommend that you ignore them the first time around. The beauty of these VMs is that you do not have to perform the lab by the directions. You can use the lab to experiment with the software and test different features.

Free Books Online

The SQL Server 2012 Books Online resource contains everything that you wanted to know about SQL Server 2012 but were too clueless to ask. You can access it on the web at If you are in a firewall or proxy-restricted environment, you can download the information directly from The downloaded version is nice to have on your mobile device if you’re stuck in an airport with no Internet connection and the airline can’t locate the plane that is supposed to take you home…totally hypothetical situation of course.

Microsoft Books Online allows you to search on any topic. The search results are pulled from TechNet and other authoritative sources.

The information is FREE and is generally used by technical writers to put together materials for SQL Server.

Microsoft Prep Guides

These are the classic pre-certification resource: the objectives and sub-objectives that you must master to pass the test. For example, the prep guide for the 70-462 exam, Administering Microsoft SQL Server 2012 Databases, can be located at the link below. Here’s a tip: you can change the last number in the URL to match your specific Microsoft exam to find the prep guide for that exam.

The prep guide pages have four tabs: Overview, Skills Measured, Preparation Materials, and Community. The Overview tab describes the audience profile for the exam and any certifications associated with the exam. The Skills Measured tab lists tasks that you must master to be successful on the exam. The tasks are broken down by objective, along with each objective’s weighting percentage for the exam. The Preparation Materials tab displays the officially Microsoft-sanctioned training materials. By now you might be reading along and saying, “Gee, George, I already checked there, and it was a dead end!” I feel your pain. Generally, there is not a lot of preparation information listed for a relatively new exam, and what is listed usually isn’t free. So I encourage you to check out the Community tab, which has links to newsgroups that can give you a better perspective on training and possibly offer some reviews of just-released instructional materials; I find these a better resource for new technologies.

The Skills Measured tab lists the tasks Microsoft recommends that you know for the exam. I would suggest that you don’t limit your knowledge or experience to the items on this list. In my recent experience with Microsoft exams, the Skills Measured tab contains about 95% of what you will be asked on the exam. The other 5% will be the kinds of questions you can only answer from experience (which is where the virtual labs come in handy). Remember, Microsoft is moving away from the standard fact-based multiple choice question types, and weighting their exams more heavily toward question types that emphasize hands-on knowledge — such as Build List and Reorder, Extended Matching, and Case Studies. This is why you need to have a lot of practical knowledge of SQL Server 2012 to pass the exam.

Despite what is listed, there probably is a Transcender practice test available or SOON TO BE AVAILABLE for most of these exams. Check the Transcender web site regularly over the next few months for the availability of the practice test.

Free e-book: Introducing Microsoft SQL Server 2012

You should definitely obtain the free e-book on Microsoft SQL Server 2012. This e-book is an overview of SQL Server 2012 and will introduce you to some new features in SQL Server 2012. You can download the e-book from the link on the 70-462 Microsoft Prep Guide page.

Again, this is where those virtual labs come in handy. I guarantee that the certification exam will expect you to be familiar with the functionality changes between previous versions of SQL Server and SQL Server 2012. Go through the e-book chapter by chapter, and use the virtual lab to poke around every new feature introduced in the book.

To successfully pass a Microsoft exam and not spend a dime on additional training is possible, and I have done it, but you have to dedicate some time to it. You should go through each task in the prep guide for the exam. Learn all you can by searching for the task in the books online, and then perform the task in the virtual labs. This will enable you to update your existing knowledge of administering older versions of SQL Server and translate those concepts into 2012.

It is not hard or expensive to learn SQL Server 2012, but it is time consuming. Block out some time in your schedule and use the free resources that are available to master the skills required to gain your SQL Server 2012 certification.

Happy studying!
–George Monsalvatge

Mobile Devices in the new CompTIA A+ exams (Part 2 of 2)

October 26, 2012 at 2:39 pm | Posted in CompTIA | Leave a comment

Well, it’s been two weeks since I introduced you to the Mobile Devices domain in the new A+ 220-802 exam. In that post, I gave information on the first two objectives in the Mobile Devices domain. In this post, I want to finish by discussing the last three objectives from the domain:

3.3 Compare and contrast methods for securing mobile devices.
3.4 Compare and contrast hardware differences in regards to tablets and laptops.
3.5 Execute and configure mobile device synchronization.

For objective 3.3: Compare and contrast methods for securing mobile devices, the main focus is mobile device security. The main points that you should concern yourself with are as follows:

  • Passcode locks – This is the most basic security measure. Passcode locks block unauthorized users from accessing any of the device’s functions. In Android phones, this is configured in the Settings – Location & Security section. In iOS-based devices, it is configured in the Settings – General section.
  • Locator applications – This security measure uses the GPS feature to locate a lost or stolen mobile device. For iPhones, you would enable the Find My iPhone feature. For Android devices, you can use a number of third-party security applications (such as Android Lost, AVG Antivirus, or Lookout) to remotely locate a phone.
  • Remote wipes – This security measure ensures that all data on the mobile device can be erased if the mobile device is lost or stolen. For iPhones, there is an iCloud feature (available in iOS 5) that allows the Remote Wipe feature. Google Apps administrators can perform this function with Google Sync (in beta, as of this writing). Most third-party Android security apps will have the option to locate, lock, or remotely wipe the device.
  • Remote backup applications – This functionality allows all data and applications to be backed up to ensure that the data could be restored if the mobile device is lost or stolen. For iPhones, backups are managed by the iTunes application. For Android devices, you will need to download an application that provides this functionality.
  • Failed login attempts restrictions – This security feature will lock a device after the configured number of failed login attempts. For iPhones, the lock occurs by default after 6 failed attempts and erases the data after 10 failed attempts. For Android devices, this feature is not built in, so you will need to add an application to provide this functionality. Most mobile devices also let you wipe the device contents after the configured number of failed logins.
  • Antivirus – Because mobile devices can be corrupted by malware, you should install an anti-malware application. Desktop antivirus vendors, like McAfee and AVG, also have products designed for mobile devices. Keep in mind that the product must be regularly updated to protect against the latest malware and virus threats.
  • Patching/OS updates – Patching the operating system and applications is necessary for all mobile devices. Most mobile devices have a built-in function that will notify you periodically when updates are detected. Make sure your device is updated so that all the latest security patches are installed, because security patches are the most common type of update.

For objective 3.4: Compare and contrast hardware differences in regards to tablets and laptops, you need to understand the hardware that is used in a mobile device and how it typically compares to laptop hardware.

  • You should keep in mind that most mobile devices do NOT have field-serviceable parts. Specialized tools are needed to replace any mobile device hardware, including the screen and internal parts. Repairs should only be carried out by technicians who are properly trained. If you have a device repaired by a technician that is not backed by the vendor, the warranty will be voided.
  • Also, keep in mind that mobile devices typically cannot be upgraded. Therefore, you should purchase the device that provides the maximum level of hardware for your current and future needs.
  • Most mobile devices are touch screen devices, which use one of two technologies: touch flow or multitouch. With touch flow, finger movement (up, down, left, right) controls how the screen scrolls. With multitouch, the screen will recognize multiple touches, which means that more than one finger can work with the interface at the same time.
  • Mobile devices typically use solid-state drives, which are lighter and less prone to crashes.

For objective 3.5: Execute and configure mobile device synchronization, you need to understand how to sync your mobile device. This includes understanding the type of data that will need to be synced, the software requirements to install the syncing application on your desktop computer or laptop, and the connection types that can be used with synchronization. Users will need to be able to sync contact information, applications, e-mail, pictures, music, and videos.

  • Push synchronization is automatic and requires no user effort. Any change made will be synced to the other devices at regular intervals that you configure. (Remember that push synchronization can consume battery, so use a longer schedule time if battery consumption is a concern.)
  • Pull synchronization, on the other hand, requires the user to actually activate the synchronization, which then pulls new information from the other device.
  • Synchronization can occur via a direct USB connection between devices, over a Bluetooth connection between the devices, and even over an 802.11 wireless network. Some specialized synchronization applications even allow you to use the Internet for synchronization.

While most mobile devices have a built-in sync feature, applications available through the marketplace usually do a much better job and include many more options. If you purchase a synchronization application, make sure that your mobile device meets the application’s requirements.

In closing, I hope these two Mobile Devices posts have helped to shed a bit of light on just where CompTIA is going with this topic. I have to say that I am glad to see this topic included as part of an IT technician’s job analysis. As mobile devices gain in popularity, technicians will definitely be expected to understand how to configure mobile devices in the real world.

I’ll be taking the 220-801 and 220-802 exams this week. I am really looking forward to seeing how the exams have changed, and assessing the new mobile device coverage and performance-type items.

Watch for my post in the coming weeks where I review Mike Meyer’s Eighth Edition of the CompTIA A+ Certification All-in-One Guide. I’ll also be posting some ideas about mobile phone emulators to help in labs and classrooms, and to help students self-study for the new mobile device topic coverage on the 220-802.

– Robin Abernathy

Mobile Devices in the new CompTIA A+ exams (Part 1 of 2)

October 10, 2012 at 4:36 pm | Posted in CompTIA, Study hints | 1 Comment

Last month, I posted an article about the virtualization topics in the new A+ exams. At that time, I indicated that I would be posting about the new mobile devices topics. I expected to get the two articles out within a few weeks of each other, but as it always seems to happen around here, other things took precedence….and a month later, I am finally sitting down to fulfill my promise.

Mobile devices have increasingly become part of our lives. Because of the popularity of these devices and our dependence on them, the CompTIA A+ certification now includes mobile device topics to ensure that A+ technicians are proficient in certain aspects of mobile device management. The new A+ 220-802 exam has an entire domain that is dedicated to mobile devices. Domain 3, the Mobile Device domain, makes up 9% of the exam. The objectives from Domain 3 are as follows:

3.1 Explain the basic features of mobile operating systems.
3.2 Establish basic network connectivity and configure email.
3.3 Compare and contrast methods for securing mobile devices.
3.4 Compare and contrast hardware differences in regards to tablets and laptops.
3.5 Execute and configure mobile device synchronization.

There’s a lot to chew on here, so let’s focus on the first two of these objectives. (I will discuss the other three in a coming post.) Please remember that I’m writing based on my experience with mobile devices and on what I’ve read in several reference books. As of this posting, I have not actually taken the new A+ exams. CompTIA released those exams this week, so I’ll hopefully have some time to take them before Part 2 of this blog post! But since I’ve been writing study material for the A+ exams since the 300-level A+, I am fairly confident that I won’t be too far off the mark.

For Obj 3.1: Explain the basic features of mobile operating systems, you will need to understand the features of the Android and iOS mobile operating systems.

  • Android is an open-source operating system, while the Apple iOS is a vendor-specific OS.
  • Developers for Android have access to the same APIs used by the operating system. Developers for Apple must use the software development kit (SDK) and must be registered as Apple developers.
  • Android apps are purchased from the Google Android market (now called Google Play) or from other Android app sites, while Apple apps can only be purchased from the Apple App store.
  • For screen orientation, mobile devices use an accelerometer and/or a gyroscope. While only one of these is required, many newer mobile devices use both because they work better together.
  • Touch-screen mobile devices require screen calibration. The screen calibration tool will require you to touch the screen in different ways so that the mobile device can learn how you will touch the screen. If the device does not react in an expected manner when you touch the screen, it may need re-calibration.
  • GPS information can be obtained from cell phone towers or from satellites. Keep in mind that keeping the GPS function enabled will cause the battery to be depleted much quicker. Android phones normally use satellites to obtain GPS data, while iPhones use a combination of satellites, cell phone towers, and WiFi towers to obtain GPS data.
  • Geotracking allows a mobile device to periodically record location information and transmit this information to a centralized server. Consumers have recently raised privacy concerns over this feature.

For Obj 3.2: Establish basic network connectivity and configure email, you will need to understand how to connect mobile devices to networks and how to configure email on mobile devices. For all of the following points, I would expect this to focus mainly on the two major smart phones (iPhone and Android), but wouldn’t be surprised if you are expected to know how to do this for the iPad and other tablets.

  • Enable/disable the wireless and cellular data network.
  • Understand Bluetooth configuration, including enabling/disabling Bluetooth, enabling device pairing, finding devices for pairing (including entering the PIN code), and testing Bluetooth connectivity.
  • Configure email. You will need to know the URL of the incoming and outgoing email server, the port numbers used by these servers, and the encryption type (if applicable). You probably will also need to know your account details, including user name, password, and domain name. The process for setting up email will vary slightly based on the mobile device that you are configuring and the type of account. Some of the more popular mail services, such as Exchange and Gmail, are easier to set up because of configuration wizards.

To fully prepare for these objectives, it may be necessary to install a mobile phone emulator on your computer if you do not have access to a physical mobile phone. In many cases, there are free mobile phone emulators available so that you can learn how to perform many of the basic configuration steps. You may want to research the options that are available and install them in a lab environment, particularly if you are an instructor. These emulators can provide a valuable service to students who do not have experience with mobile devices.

Part 2 of this topic will be released in the coming days and will cover the other three Mobile Devices objectives in the 220-802 exam. I also plan to have a post in the coming months on mobile phone emulators, so feel free to send me any information on what you have found in this area.

Until then….


Resource Review: CompTIA A+ Complete Review Guide Second Edition by Emmett Dulaney and Troy McMillan

September 21, 2012 at 4:27 pm | Posted in Certification Paths, CompTIA | Leave a comment

The latest version of the A+ exams (220-801 and 220-802) is due out in October. Many of us…ok, maybe just me….anxiously await this latest release from CompTIA.

With this latest iteration, CompTIA has dropped the test naming structures we saw in the past (220-701 A+ Essentials and 220-702 A+ Practical Application) and is just going with a number naming convention (A+ 220-801 and A+ 220-802). But that is not all that has changed: CompTIA has announced that the new exams will include performance-based testing (PBT) items. Think of these items as answering a question by DOING instead of answering a question by selecting from options. I imagine these items will involve running commands, configuring dialog boxes, and matching concepts, but I truly don’t know what they are like. Although Transcender is a CompTIA partner, the details I have about these items are few and far between. I’ll see the questions on the same day that you will, when they go live.

Now back to our resource review. The latest A+ release has been choreographed with the content publishers in a much better manner than in the past. I have been very impressed with the way publishers have hustled to meet the training world’s needs when it comes to these exams. In the past, books and study guides were often released weeks or months after an exam was released. This meant that test candidates did not always jump on the bandwagon early in the certification lifecycle. Often candidates were waiting for a book to help them prepare for the exam, which meant that certification popularity was influenced by the publication of study materials.

With the 800-series A+, trainers and early adopters don’t have the same issues. By the time these exams are released to the public, there will be several references available to choose from. Today I’ll share my thoughts on Sybex’s CompTIA A+ Complete Review Guide, Second Edition, by Emmett Dulaney and Troy McMillan.

Review Guide versus Study Guide: What’s the Difference?

I want to point out that Sybex also released the CompTIA A+ Complete Study Guide, Exams 220-801 and 220-802, 2nd Edition by Quentin Docter, Emmett Dulaney, and Toby Skandier this month. Where the Review Guide is 496 pages, the Study Guide rings in at 1100 pages and provides much more background knowledge to help bring the beginner up to speed. Review Guides are better suited for experienced techs wanting to catch up on the latest A+ changes, or those who need a refresher course. Where the Study Guide may be better for self-paced instruction, the Complete Review Guide is more test-prep oriented.

CompTIA A+ Complete Review Guide, Second Edition by Wiley / Sybex

First, I have to share the feature I love the most about this book – its structure. Have you ever downloaded an Objective List from CompTIA? While it makes sense on the exam, it usually does not correspond well to an independent book reference. Often you spend time flipping from chapter to chapter just to find all the information on a particular topic that may be applicable to one exam objective. With Sybex’s Complete Review Guide, the flipping is over. This book is arranged according to the exam objectives. Each chapter corresponds with a unique exam objective from the Objective List, and each section within a chapter corresponds to a subobjective from the Objective List. This translates into easy, targeted studying. It also makes it easy to find information about the latest new topics (Virtualization!! Mobile Devices?!?). So if you know that your knowledge is deficient in a particular area (did I mention mobile devices?), then you can go right to that chapter and section to find what you need. (BTW, mobile devices are covered in Chapter 8, pages 363-377.)

Secondly, I love that they give you just the facts you need. This guide is very exam focused. For example, they don’t spend a lot of time explaining the history of computer hardware. If you are looking for a resource that gets straight to the point, then this guide is your choice. It guides you into a focused mode of study to help you learn the information needed to pass the exam.

Finally, the book has plenty of charts, graphics, and bullet points (charts, graphics, and bullets, oh my!) If you have read any of my resource reviews in the past, you know I am a big fan of these study aids. When you have knowledge that you just need to know for an exam, it is often easier to study if this information is in a chart or listed in bullet points. Pictures always help you to recognize hardware, ports, connectors, and the like, which is VERY important for an A+ technician.

In the interest of full disclosure, I should mention that I played a small part in the publication of this book. As you may have noticed, Troy McMillan, a fellow member of Transcender’s Content Development team, is one of the authors of this book. Through my connection with Troy, I was able to participate as a technical editor of this book. I can attest to the effort that these authors put into its development. Because there are so many facts that you must know, covering the A+ content in a concise manner can be quite daunting. But after sharing the process with Emmett and Troy, I can tell you that these guys have done a great job!

Keep this book in mind when you decide to start preparing for the new A+ exam. It’s a great resource for getting up to speed! And watch in the coming days for my post regarding upcoming changes to the Network+ and Security+ exams.


CASP CompTIA Advanced Security Practitioner Study Guide: A Resource Review

August 10, 2012 at 8:04 am | Posted in CompTIA, Study hints | 1 Comment

All of you have probably heard of CompTIA’s first Master series certification: the CompTIA Advanced Security Practitioner (CASP) certification. I took the exam some months back and am proud to say I passed it. If you want to know more about my experience, please read my previous post. In that article, I promised a review of the only CASP reference that is currently available, the CASP CompTIA Advanced Security Practitioner Study Guide by Michael Gregg and Billy Haines. Well, it’s a bit past the promised due date of April (where has the time gone?), but I finally have gotten a chance to complete my review.

I used this book as my primary reference when I was writing Transcender’s Cert-CAS-001 practice test. I found that the book was thorough and covered all of the topics on the exam. I particularly loved the Exam Essentials section at the end of each chapter. I would suggest that any test candidate read the Exam Essentials section for each chapter and think about how to test a particular point using a job task.

If you hadn’t already heard, the CASP exam includes performance-based items. These item types require that you perform certain tasks to fulfill the objectives given in the scenario. The very nature of these item types requires that you actually perform security-related tasks on a daily basis in your workflow; therefore, they are almost impossible to replicate in a book. The book’s method of addressing these item types is to include exercises for you to complete on your own. Each chapter includes several exercises to reinforce the topics presented in the chapter. These exercises, which are included in the Lab Manual (Appendix A in the book), will help you understand the tasks that security professionals must perform.

Performing the exercises requires a standard personal computer (not a server or desktop powerhouse) with the capacity to run VMware Player; some exercises require that you have a copy of a Windows desktop operating system, either as the native OS or running on a virtual machine. The labs direct you to download and install various readily available forensic tools, such as Nessus and Wireshark.

The Exam Essentials sections and the Exercises work together to provide a good all-around experience for the test candidate. But to ensure that you can pass the exam, I would recommend that you take all these one step further. For example, one of the Exam Essentials in Chapter 2 is:

Be able to describe advanced network design concepts. Advanced network design requires an understanding of remote access and firewall deployment and placement. Firewall placement designs include packet filtering, dual-homed gateway, screened host, and screened subnet.

Specific scenarios that address this Exam Essential may include: knowing when to deploy a firewall, knowing how to configure ACLs, and knowing where in a complex network a firewall is best deployed. So you should take some extra time to ensure that you understand network diagrams, and research best practices for device deployment.

This book is an excellent reference to start you on your journey to becoming a CASP. If you pair this book with Transcender’s practice test, you will be well on your way to success. It’s worth noting that Transcender’s practice test actually includes 8 performance-based scenarios that will expose you to the type of items you will see on the live exam. This is the ONLY practice test on the market right now that includes these types of items for the CASP product. It is just one more way that we demonstrate why our products are considered leading-edge test prep materials and have been preferred by IT professionals for nearly 20 years.

Check back with us over the next few weeks as I hope to provide you with a bit more information on the CASP exam, including where this exam fits into the current certification pathways, and how to prepare for the CASP. Feel free to drop me a line with any CASP questions you may have.

Happy testing!
