If you’re planning to take the SY0-501 version of the Security+ exam, you should understand mobile device management concepts. This includes tools that help enforce security policies on mobile devices. They also include enforcing strong authentication methods to prevent unauthorized access.

For example, can you answer this question?

Q. Management within your company wants to implement a method that will authorize employees based on several elements, including the employee’s identity, location, time of day, and type of device used by the employee. Which of the following will meet this need?

A. Geofence

B. Containerization

C. Tethering

D. Context-aware authentication

More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.

Mobile Device Management

Mobile device management (MDM) includes the technologies to manage mobile devices. The goal is to ensure these devices have security controls in place to keep them secure.

System management tools, such as Microsoft System Center Configuration Manager (SCCM, also known as ConfigMgr), ensure systems are kept up to date with current patches, have antivirus software installed with up-to-date definitions, and are secured using standard security practices. While these tools originally focused on desktop PCs and laptops, they have expanded to include many mobile devices. As an example, ConfigMgr includes support for many mobile devices, including Apple iOS-based devices and Android-based devices.

Mobile Device Management Concepts

MDM applications help administrators manage mobile devices. The following bullets describe many of the MDM concepts that apply to mobile devices:
• Application management. MDM tools can restrict what applications can run on mobile devices. They often use application whitelists to control the applications and prevent unapproved applications from being installed.
• Full device encryption. Encryption protects against loss of confidentiality on multiple platforms, including workstations, servers, mobile devices, and data transmissions. Encryption methods such as full device encryption provide device security, application security, and data security. While an organization can ensure corporate-owned devices use full device encryption, this isn’t always possible when employees use their own devices.
• Storage segmentation. In some mobile devices, it’s possible to use storage segmentation to isolate data. For example, users might be required to use external storage for any corporate data to reduce the risk of data loss if the device is lost or stolen. It’s also possible to create separate segments within the device. Users would store corporate data within an encrypted segment and personal data elsewhere on the device.
• Content management. After creating segmented storage spaces, it’s important to ensure that appropriate content is stored there. An MDM system can ensure that all content retrieved from an organization source (such as a server) is stored in an encrypted segment. Also, content management can force the user to authenticate again when accessing data within this encrypted segment.

• Containerization. Containerization can also be implemented in mobile devices. By running an application in a container, it isolates and protects the application, including any of its data. This is very useful when an organization allows employees to use their own devices. It’s possible to encrypt the container to protect it without encrypting the entire device.
• Passwords and PINs. Mobile devices commonly support the use of passwords or personal identification numbers (PINs). MDM systems typically support password policies, similar to the password policies used in desktop systems. The only limitation is that some mobile devices only support PINs, while others support either passwords or PINs.
Biometrics.  Many mobile devices now support biometrics for authentication. For example, you can teach the device your fingerprint and then use your fingerprint to authenticate instead of entering a password or PIN.
• Remote wipe. Remote wipe capabilities are useful if the phone is lost. It sends a remote signal to the device to wipe or erase all the data. The owner can send a remote wipe signal to the phone to delete all the data on the phone. This also deletes any cached data, such as cached online banking passwords, and provides a complete sanitization of the device by removing all valuable data.

• Geolocation. Mobile devices commonly include Global Positioning System (GPS) capabilities that can be used for geolocation. Applications commonly use GPS to identify the location of the device. This can also be used to locate a lost device.
• Geofencing. Organizations sometimes use GPS to create a virtual fence or geographic boundary using geofencing technologies. Apps can respond when the device is within the virtual fence. As an example, an organization can configure mobile apps so that they will only run when the device is within the virtual fence. Similarly, an organization can configure a wireless network to only operate for mobile devices within the defined boundary.
• GPS tagging. GPS tagging (also called geotagging) adds geographical information to files such as pictures when posting them to social media web sites. For example, when you take a picture with a smartphone that has GPS features enabled, the picture application adds latitude and longitude coordinates to the picture. Thinking of friends and family, this is a neat feature. However, thinking of thieves and criminals, they can exploit this data. For example, if Lisa frequently posts pictures of friends and family at her house, these pictures identify her address. If she later starts posting pictures from a vacation location, thieves can realize she’s gone and burglarize her home.
• Context-aware authentication. Context-aware authentication uses multiple elements to authenticate a user and a mobile device. It can include the user’s identity, geolocation, verification that the device is within a geofence, time of day, and type of device. Combined, these elements help prevent unauthorized users from accessing apps or data.

---

Q. Management within your company wants to implement a method that will authorize employees based on several elements, including the employee’s identity, location, time of day, and type of device used by the employee. Which of the following will meet this need?

A. Geofence

B. Containerization

C. Tethering

D. Context-aware authentication

Answer is D. Context-aware authentication can authenticate a user and a mobile device using multiple elements, including identity, geolocation, time of day, and type of device. None of the other answers meets all the requirements of the question.

A geofence creates a virtual fence, or geographic boundary, and can be used with context-aware authentication.

Containerization isolates an application, protecting it and its data.

Tethering allows one device to share its Internet connection with other devices.

See Chapter 5 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on deploying mobile devices securely.

Read More

If you’re planning to take the SY0-501 version of the Security+ exam, you should understand the different types of malware such as Trojans. A Trojan appears to be one thing, such as pirated software or free antivirus software, but is something malicious.

For example, can you answer this question?

Q. A recent antivirus scan on a server detected a Trojan. A technician removed the Trojan, but a security administrator expressed concern that unauthorized personnel might be able to access data on the server. The security administrator decided to check the server further. Of the following choices, what is the administrator MOST likely looking for on this server?

A. Backdoor
B. Logic bomb
C. Rootkit
D. Botnet

More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.

Trojans

A Trojan, also called a Trojan horse, looks like something beneficial, but it’s actually something malicious. Trojan horses are named after the infamous horse from the Trojan War. In Greek mythology, the Achaeans tried to sack the city of Troy for several years, but they simply couldn’t penetrate the city’s defenses. At some point, someone got the idea of building a huge wooden horse and convincing the people of Troy that it was a gift from the gods. Warriors hid inside, and the horse was rolled up to the gates.

The people of Troy partied all day and all night celebrating their good fortune, but when the city slept, the warriors climbed down from inside the horse and opened the gates. The rest of the warriors flooded in. What the Greek warriors couldn’t do for years, the Trojan horse helped them do in a single day.

In computers, a Trojan horse can come as pirated software, a useful utility, a game, or something else that users might be enticed to download and try. Attackers are increasingly using drive-by downloads to deliver Trojans. In a drive-by download, web servers include malicious code that attempts to download and install itself on user computers after the user visits.

Here are the typical steps involved in a drive-by download:
1. Attackers compromise a web site to gain control of it.
2. Attackers install a Trojan embedded in the web site’s code.
3. Attackers attempt to trick users into visiting the site. Sometimes, they simply send the link to thousands of users via email hoping that some of them click the link.
4. When users visit, the web site attempts to download the Trojan onto the users’ systems.

Another Trojan method that has become popular in recent years is rogueware, also known as scareware. Rogueware masquerades as a free antivirus program. When a user visits a site, a message on the web page or a pop-up appears indicating it detected malware on the user’s system. The user is encouraged to download and install free antivirus software.

On the surface, this free antivirus software looks useful. However, it isn’t. If a user installs and runs it on a system, it appears to do a system scan. After the scan completes, it reports finding multiple issues, such as infections by dozens of viruses. The report isn’t true. The application reports these issues even on a freshly installed operating system with zero infections.

It then encourages the user to resolve these issues immediately. If the user tries to resolve the issues, the program informs the user that this is only the trial version, and the trial version won’t resolve these issues. However, for the small fee of $79.95, users can unlock the full version to remove the threats. Some rogueware installs additional malicious components. For example, it might allow the attacker to take remote control of the infected system.

Many web browser extensions include malicious Trojans. As an example, I once added an extension into my Google Chrome browser so that I could download videos and view them offline. Unfortunately, it modified the browser’s behavior. When I went to a page from a Google search and then right-clicked on the page, it took to me to a malicious web site encouraging me to install malware disguised as a Windows Repair tool. At one point after right-clicking, it indicated my Chrome browser was out of date and encouraged me to download and install an update. However, using Chrome’s tools, I verified that Chrome was up to date. When I clicked on Extensions to remove it, it redirected me to a malicious web site. I ultimately reset Chrome to the default settings, disabling all the extensions, and deleted the malicious extension.

Backdoors

A backdoor provides another way of accessing a system, similar to how a backdoor in a house provides another method of entry. Malware often installs backdoors on systems to bypass normal authentication methods.
While application developers often code backdoors into applications, this practice is not recommended. For example, an application developer might create a backdoor within an application intended for maintenance purposes. However, if attackers discover the backdoor, they can use it to access the application.

Effective account management policies help prevent ex-employees from creating backdoors after they are fired. For example, if an employee loses network access immediately after being fired, the employee cannot create a backdoor account. In contrast, if an administrator retains network access, he might create another administrative account. IT personnel might disable his account after they learn he has been fired, but he can still use this new backdoor account. That’s exactly what a Fannie Mae Unix engineer did after being told he was fired.

Fannie Mae’s account management policy did not revoke his elevated system privileges right away, giving him time to create a backdoor account. After going home, he accessed the system remotely and installed a logic bomb script scheduled to run at 9:00 a.m. on January 31. If another administrator hadn’t discovered the logic bomb, it would have deleted data and backups for about four thousand servers, changed their passwords, and shut them down.

---

Q. A recent antivirus scan on a server detected a Trojan. A technician removed the Trojan, but a security administrator expressed concern that unauthorized personnel might be able to access data on the server. The security administrator decided to check the server further. Of the following choices, what is the administrator MOST likely looking for on this server?

A. Backdoor
B. Logic bomb
C. Rootkit
D. Botnet

Answer is A. The security administrator is most likely looking for a backdoor because Trojans commonly create backdoors, and a backdoor allows unauthorized personnel to access data on the system.

Logic bombs and rootkits can create backdoor accounts, but Trojans don’t create logic bombs and would rarely install a rootkit.

The computer might be joined to a botnet, but a botnet is a group of computers.

Read More

If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of the impact associated with different types of vulnerabilities. This includes the security implications of embedded systems that are now in printers, vehicles, smart devices, and more.

For example, can you answer this question?

Q. Bizzfad is planning to implement a CYOD deployment model. You’re asked to provide input for the new policy. Which of the following concepts are appropriate for this policy?

A. SCADA access

B. Storage segmentation

C. Database security

D. Embedded RTOS

More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.

The CompTIA Security+ objectives include a long list of embedded systems. Some of these might be familiar to you, but others use acronyms that aren’t familiar to many people.

Wearable Technology Systems

A smart television (TV) is one of many smart devices that you might have in your home. You can easily connect it to your home’s wired or wireless network and use it to access the Internet. Many people use it to stream TV shows and movies to their TV. This is possible because these smart TVs have embedded systems giving them additional capabilities.

Other smart devices include wearable technology and home automation systems. Combined, these smart devices are often referred to as the Internet of things (IoT).

Wearable technology has exploded in recent years. It includes any device you can wear or have implanted. These devices can then be used to interact with other devices, such as a smartphone. As an example, Fitbit has manufactured a range of products that you can wear to monitor your health and fitness. Combined with an app on their smartphone, people can gain insight into how well they’re doing on their goals.

Most veterinarians recommend implanting microchips in pets. Animal shelters routinely look for these and if found, they can help return the pets to their owners. Some can even be used to open some pet doors. The company Dangerous Things sells a similar device for people that can reportedly be injected into your hand at the tattoo parlor. Once injected, you can program it to open some smart locks or control your cell phone. Be careful, though. Dangerous Things warns “Use of this device is strictly at your own risk.”

Home Automation Systems

Home automation includes Internet-connected devices, such as wireless thermostats, lighting, coffee makers, and more. These devices typically connect to the home’s network, which gives them Internet access. This allows people to access or control these devices from the Internet, even when they aren’t home.

Camera systems often include Internet-connected cameras. These cameras can be within a home automation system or supporting physical security goals for an organization.

A system on a chip (SoC) is an integrated circuit that includes all the functionality of a computing system within the hardware. It typically includes an application contained within onboard memory, such as read-only memory (ROM), electrically erasable programmable ROM (EEPROM), or flash memory. Many mobile computing devices include an SoC.

An industrial control system (ICS) typically refers to systems within large facilities such as power plants or water treatment facilities. An ICS is controlled by a supervisory control and data acquisition (SCADA) system. Ideally, these systems are contained within isolated networks, such as within a virtual local area network (VLAN), that do not have access to the Internet. If they are connected to the corporate network, they are often protected by a network intrusion prevention system (NIPS) to block unwanted traffic.

Real-Time Operating System (RTOS)

A real-time operating system (RTOS) is an operating system that reacts to input within a specific time. If it can’t respond within the specified time, it doesn’t process the data and typically reports an error. As an example, imagine an automated assembly line used to create donuts. Each location on the line receives materials from the previous location, adds additional materials or somehow processes the materials (such as mixing them), and passes the result to the next location. Each of these locations could include an embedded system with an RTOS to ensure it receives and processes the materials within a specified time. If it doesn’t, it can raise an error or alert and stop the assembly line.

Admittedly, an RTOS is probably overkill for a donut assembly line. There are simpler ways. However, some assembly lines are much quicker and require response times for each location in the millisecond or nanosecond range. An RTOS can be used reliably in these systems.

HVAC Systems

Heating, ventilation, and air conditioning (HVAC) systems keep computing systems at the proper temperature and with the proper humidity. Most have embedded systems to control them. If attackers can access these systems, they may be able to remotely turn off the HVAC system or trick it into keeping the temperature at 95 degrees within a data center. The resulting damage to systems within this data center could be catastrophic.
You can also find many embedded systems in special-purpose devices, such as medical devices, automotive vehicles, and unmanned aerial vehicles. Some control dedicated tasks, such as ensuring each engine cylinder fires at exactly the right time. Others control much more complex tasks, such as automatically parallel parking a car. Select the option and take your hands off the wheel. The car will park itself, within the space, and without hitting anything.

While these systems aren’t necessarily accessible via the Internet, many autos now include Internet access via satellite communications. Manufacturers could decide to integrate all the embedded systems in an automobile, making them all accessible via the Internet.

Aircraft and unmanned aerial vehicles (UAVs) include embedded systems. Hobbyists use small UAVs to take pictures remotely. Other organizations such as the military include sophisticated embedded systems for reconnaissance and to deliver weapons.

---

Q. Bizzfad is planning to implement a CYOD deployment model. You’re asked to provide input for the new policy. Which of the following concepts are appropriate for this policy?

A. SCADA access

B. Storage segmentation

C. Database security

D. Embedded RTOS

Answer is B. Storage segmentation creates separate storage areas in mobile devices and can be used with a choose your own device (CYOD) mobile device deployment model. None of the other answers are directly related to mobile devices.

A supervisory control and data acquisition (SCADA) system controls an industrial control system (ICS), such as those used in nuclear power plants or water treatment facilities, and it should be isolated.

Database security includes the use of permissions and encryption to protect data in a database. Some embedded systems use a real-time operating system (RTOS) when the system must react within a specific time.

See Chapter 5 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on deploying mobile device securely.

Read Mobile Device Deployment Models blog post for more information about different mobile device deployment models.

Read More

If you’re planning to take the SY0-501 version of the Security+ exam, you should understand secure application development and deployment concepts. This includes common methods used to create secure applications such as development life-cycle models and using testing to ensure code quality.

For example, can you answer this question?

Q. Management at your organization is planning to hire a development firm to create a sophisticated web application. One of their primary goals is to ensure that personnel involved with the project frequently collaborate with each other throughout the project. Which of the following is an appropriate model for this project?

A. Waterfall

B. SDLC

C. Agile

D. Secure DevOps

More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.

Testing for Code Quality

Many organizations that create applications also employ testers to verify the quality of the code. Testers use a variety of different methods to put the code through its paces. Ideally, they will detect problems with the code before it goes live.

Some of the common methods of testing code include:

• Static code analyzers. Static code analysis examines the code without executing it. Automated tools can analyze code and mark potential defects. Some tools work as the developer creates the code, similar to a spell checker. Other tools can examine the code once it is semifinalized.
• Dynamic analysis. Dynamic analysis checks the code as it is running. A common method is to use fuzzing. Fuzzing uses a computer program to send random data to an application. In some cases, the random data can crash the program or create unexpected results, indicating a vulnerability. Problems discovered during a dynamic analysis can be fixed before releasing the application.
• Stress testing. Stress testing methods attempt to simulate a live environment and determine how effective or efficient an application operates with a load. As an example, a web application is susceptible to a DDoS attack. A stress test can simulate a DDoS attack and determine its impact on the web application.
• Sandboxing. A sandbox is an isolated area used for testing programs. The term comes from a sandbox in a playground. Children can play in the sandbox where they are relatively safe (and parents can easily keep their eyes on them). Similarly, application developers can test applications in a sandbox, knowing that any changes they make will not affect anything outside the sandbox. Virtual machines (VMs) are often used for sandboxing. For example, Java virtual machines include a sandbox to restrict untrusted applications.
• Model verification. Testing helps identify and remove bugs. However, it’s also important that the software does what it’s meant to do. Model verification is the process of ensuring that software meets specifications and fulfills its intended purpose.

Development Life-Cycle Models

Software development life cycle (SDLC) models attempt to give structure to software development projects. Two popular models are waterfall and agile.

Waterfall Model

The waterfall model includes multiple stages going from top to bottom. Each stage feeds the next stage, so when you finish one stage, you move on to the next stage. When following the waterfall model strictly, you don’t go back to a stage after finishing it. There are multiple variations of the waterfall model, but they all use stages. However, the names of these stages vary from one model to another.

Some typical stages used with the waterfall model include:

• Requirements. The developers work with the customer to understand the requirements. The output of this stage is a requirements document, which provides clear guidance on what the application will do.
• Design. Developers begin to design the software architecture in this stage. This is similar to creating the blueprints for a building. The design stage doesn’t include any detailed coding, but instead focuses on the overall structure of the project.
• Implementation. Developers write the code at this stage, based on the requirements and design.
• Verification. The verification stage ensures the code meets the requirements.
•  Maintenance. The maintenance stage implements changes and updates as desired.

A challenge with the waterfall model is that it lacks flexibility. It is difficult to revise anything from previous stages. For example, if a customer realizes a change in the requirements is needed, it isn’t possible to implement this change until the maintenance stage.

Agile Model

The agile model uses a set of principles shared by cross-functional teams. These principles stress interaction, creating a working application, collaborating with the customer, and responding to change.

Instead of strict phases, the agile model uses iterative cycles. Each cycle creates a working, if not complete, product. Testers verify the product works with the current features and then developers move on to the next cycle. The next cycle adds additional features, often adding small, incremental changes from the previous cycle.

A key difference of the agile model (compared with the waterfall model) is that it emphasizes interaction between customers, developers, and testers during each cycle. In contrast, the waterfall model encourages interaction with customers during the requirements stage, but not during the design and implementation stages.

The agile model can be very effective if the customer has a clear idea of the requirements. If not, the customer might ask for changes during each cycle, extending the project’s timeline.

---

Q. Management at your organization is planning to hire a development firm to create a sophisticated web application. One of their primary goals is to ensure that personnel involved with the project frequently collaborate with each other throughout the project. Which of the following is an appropriate model for this project?

A. Waterfall

B. SDLC

C. Agile

D. Secure DevOps

Answer is C. The agile software development model is flexible, ensures that personnel interact with each other throughout a project, and is the best of the available choices.

The waterfall model isn’t as flexible and focuses instead on completing the project in stages.

Both agile and waterfall are software development life cycle (SDLC) models, which is a generic concept designed to provide structure for software development projects.

Secure DevOps is an agile-aligned development methodology that focuses on security considerations throughout a project.

See Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on secure coding concepts.

Read More

During my high school days, I picked up a Kurt Vonnegut novel. I don’t remember which one (Slaughterhouse-Five maybe?), but I thoroughly enjoyed it and quickly finished it.

Hi ho.

I kept going back to the library, checking out another Vonnegut title as soon as I finished the current one.

Hi ho.

At one point, the librarian noted “it looks like someone is reading through all of Vonnegut’s books.” I admitted that was me. But I also admitted that there was a lot in his books that eluded me. I knew that the stories were often trying to make a bigger point, but I suspected that I was missing it.

* * *

Hunter and Grey were born in the same litter about 14 years ago, but didn’t look like brothers at all. Hunter was born with the looks and characteristics of a Chow-Chow (think of a puffy-lion dog), while Grey was born with the looks and characteristics of a Labrador Retriever.

In their younger days, they loved chasing rabbits and deer though they never caught either. We’ve have a little cabin surrounded by about 20 acres out in the country and I remember once seeing a graceful deer bounding down a trail behind the cabin. He was clearly moving quickly, with his strong legs helping him leap more than run. It was a peaceful scene, though quite brief as the deer quickly disappeared down the trail.

A moment later, Hunter and Grey appeared. They were out of breath, tired, and their legs were now just flailing helplessly as they gave up on the chase.

Hi ho.

I couldn’t help but laugh at the clash between the two scenes, the almost effortless grace of the deer and the complete exhaustion of the two dogs.

They saw me and quickly forgot about the chase, bounding toward me with their tongues hanging out and their tails wagging.

* * *

One of the last Vonnegut books I read was Slapstick. It had moments of inspiration with entertaining stories sprinkled throughout. But one thing really distracted me, even though I finished it.

Hi ho.

At what seemed to be completely random times, he simply started a new paragraph and finished it with just two words.

Hi ho.

Years later, I read where Vonnegut frequently used “Hi ho” in Slapstick to mark a death. If a person died, “Hi ho”. When a bottle of wine is emptied, “Hi ho”. If a book is read to the end, “Hi ho.” If a relationship ended, “Hi ho”.

I took this as truth and remembered it for a long time. Even today, when I hear “Hi ho” I think about death.

However, at some point I went back to the book to see if it is true. If it is, I can’t prove it. It may be there, but it is still eluding me.

Hi ho.

* * *

Hunter had a seizure over the weekend. He’s had these before but this one seemed worse. He had trouble getting up and walking.

On Monday, he fell down some stairs and hasn’t been able to get up. He’s been in obvious pain and discomfort so we took him to the vet hospital today. After an exam and some tests, the vet said she could give him pain meds, but he will need to depend on us for all of his mobility. She was compassionate and ultimately offered options.

We’ve loved having him for the last 14 years and he’s always given us unconditional love. He’s been a great companion to us.

Hi ho.

Read More

Do you know about the SY0-601 Security+ beta questions that are appearing in the SY0-501 Security+ exam?

It’s an old story. When CompTIA is about to launch a new version of an exam, they seed the current version with beta questions for the new exam. In other words, if you take the SY0-501 question, don’t be surprised if you see questions related to the SY0-601 objectives.

SY0-601 Beta Questions

In July 2020, CompTIA announced they were launching the SY0-601 version of the exam in November 2020. Knowing this, you can expect to see beta questions from the SY0-601 objectives in the SY0-501 exam.

Many people start to panic when they start seeing questions that are completely foreign to them. However, there’s no need to panic.

Security+ Beta Questions are Not Graded

CompTIA uses Security+ beta questions for testing. If everyone gets the question correct, the question is too easy. If everyone gets the question incorrect, the question is too difficult. They determine a question is valid using some predetermined metric between these two extremes.

The good news is that beta questions aren’t graded. The bad news is that you do not know what questions are beta questions so you have to answer each question as if it’s a valid question.

Almost all test vendors test questions this way so it isn’t anything new. However, it can be a little disconcerting when you see five or more questions that look completely foreign to you.

SY0-601 Question

As an example, the objectives for the SY0-601 exam include this:

1.8 Explain the techniques used in penetration testing.
• Exercise types

• Red team
• Blue team
• White team
• Purple team

Based on my experience with the Security+ exam since SY0-201, I fully expect to see some questions on exercise types when the SY0-601 exam is launched. With that in mind, beta questions on these exercise types may show up on the SY0-501 exam.

Here’s a possible sample:

Your IT department includes a subgroup of employees dedicated to cybersecurity testing. Each member of this group has knowledge of known TTPs and how to use them. Additionally, each member of this group has knowledge of security controls that would be implemented to protect network resources. Which of the following BEST describes members of this team?

• A. Members of the red team
• B. Members of the blue team
• C. Members of the purple team
• D. Members of the white team

If you’ve studied for the SY0-501 exam and not the SY0-601 exam, you might think “Holy rainbow, Batman. I never saw these before.” However, these terms are not in the SY0-501 objectives so any questions about them are obviously beta questions.

Beta Questions can be on Current Objectives

All beta questions aren’t so obvious. As an example, CompTIA has reduced the emphasis on cryptography and PKI in the SY0-601 exam. It used to be an entire domain. In the SY0-601 exam, the topics are included as objectives within other domains.

As an example, SY0-501 includes this objective:
6.1 Compare and contrast basic concepts of cryptography.

The SY0-601 exam has a similar objective:
2.8 Summarize the basics of cryptographic concepts.

A lot of the same basic cryptography concepts are covered. However, the objectives change from “compare and contrast” to “summarize”. With this change, CompTIA may choose to rewrite these questions to make them easier.

Some objectives are almost the same, but CompTIA may still add new questions for these. If you understand the concepts, it doesn’t matter how CompTIA words the questions. You should still be able to answer them correctly.

Deep Dive – Skip if Desired

Learning objectives are often based on Blooms Taxonomy. It is based on a hierarchy of understanding and various verbs are used for specific levels within the hierarchy. The following list shows commonly quoted levels from the most basic to the most complex understanding.

• Knowledge: recall, name
• Comprehension: understand, summarize
• Application: use the knowledge, troubleshoot
• Analysis: compare and contrast, recognize trends
• Synthesis: apply previous learn concepts to new ideas, invent, imagine
• Evaluation: compare ideas, solve problems

The words “compare” and “contrast” used in SY0-501 indicate a level of analysis is required to answer a question.

The word “summarizing” used in SY0-601 indicates that comprehension is required to answer a question.

As you can see in the above list, comprehension is considered a more basic level of understanding than analysis.

Sample Beta Question Answer

Your IT department includes a subgroup of employees dedicated to cybersecurity testing. Each member of this group has knowledge of known TTPs and how to use them. Additionally, each member of this group has knowledge of security controls that would be implemented to protect network resources. Which of the following BEST describes members of this team?

• A. Members of the red team
• B. Members of the blue team
• C. Members of the purple team
• D. Members of the white team

C is correct. A purple team is composed of personnel that can perform as either red team members or blue team members. A red team attacks and they often use tactics, techniques, and procedures (TTPs) that attackers have used in actual attacks. A blue team defends, and they would know about various security controls used to protect network resources. The white team wasn’t mentioned in the scenario, but they don’t perform any testing, but instead set the rules and oversee the testing.

Read More