In May 2021, I took the Microsoft Azure Fundamentals (AZ-900) exam. This is similar to Microsoft 365 Fundamentals (MS-900), i.e. it’s asking about what the technology does rather than how you use it. However, I thought this was a better exam than MS-900, i.e. it was more relevant to what you actually need to know for a job, and it’s not just acting as a marketing brochure. This isn’t a formal prerequisite for any other Azure exams (e.g. at associate level), but it seems like a good place to start.
This is also a good exam if you’re on a budget: the training and the exam itself were free of charge! More precisely, I attended a Microsoft Azure virtual training day. The name is a slight misnomer: it was 2½ hours on 2 consecutive days. That training isn’t enough to prepare you for the exam on its own, but it’s useful as a high level overview. When I booked the exam, I entered the email address that I used to book the virtual training day, then that address was linked to my Microsoft certification account, and I was credited with a voucher for the full cost of the exam. I did the exam at home (via online proctoring); I’m not sure whether the voucher is also valid if you attend a Pearson Vue test centre.
At this point, there were 10 associate level certifications: 9 versions of CCNA (Cisco Certified Network Associate), and also CCDA (Cisco Certified Design Associate).
In February 2020, most of the associate exams were merged together into the new CCNA (200-301). The only exception was CCNA CyberOps, which got rebranded as Cisco Certified CyberOps Associate.
In May 2020, the 2 exams above were replaced with a single exam:
NB There was no overlap period between the old/new exams; the last date to take the old exams was 28th May, and the first date to take the new exam was 29th May.
I interleaved the CyberOps exams with the CCNA R&S:
In Mar 2016 I did ICND1.
In Mar 2019, I did SECFND.
In Nov 2019, I did ICND2.
In May 2020, I did SECOPS.
The main reason I did it this way was to stop the CCENT from expiring before I was ready for ICND2.
The SECFND book had 15 chapters (taking up 550 pages) along with appendixes.
The SECOPS book had 11 chapters (taking up 280 pages) along with an appendix.
So, the combined length (830 pages) was equivalent to one of the CCNA textbooks (800-900 pages each). I’m glad to see that the CBROPS study guide is a single book, with 16 chapters (575 pages) plus appendixes.
The Udemy course has been updated for the CBROPS exam, so anyone who paid for the old course will automatically get access to the new material.
NB This blog post applies to the original 2 exams.
In May 2020, I took CompTIA’s Server+ exam. This certification is “good for life”, i.e. it’s not part of the CE program and I don’t have to recertify.
As with all of CompTIA’s exams, there are no formal prerequisites, but they advise you to have A+ first (or at least know the material that’s covered by the A+ certification) along with 18 months of IT experience. I found that there was quite a bit of overlap with the Network+ and Security+ syllabus, so I’d prefer to see it aimed at people who’ve already done those exams. That would reduce duplication in the training material, and allow for more depth on the topics that are server/storage specific. (This certification has absorbed the old Storage+.)
NB I did the SK0-004 syllabus, and the current syllabus is SK0-005. Based on the exam objectives, SK0-005 seems like an improvement, e.g. it goes into more detail about high availability clusters. However, I think that most of the information in this blog post will still be relevant.
In April 2020, I took the eJPT exam from eLearnSecurity. As the “Junior” part of the name suggests, this is an entry level exam, and I think it acts as a good stepping stone towards the eCPPT or the OSCP.
All of eLearnSecurity’s certifications are good for life, as opposed to Cisco/CompTIA certifications which have to be renewed every 3 years; however, they update the syllabus every so often, so eJPTv2 has now replaced the original eJPT (which I did).
This was my third penetration testing exam, and it took an interesting approach. PenTest+ is a traditional theory based exam, where you answer multiple choice questions and then a computer instantly gives you the result when you finish. OSWP is a practical exam, where I had to submit a written report and wait for a human to review it. In the eJPT exam, you are given VPN access to a network, and then you have to answer multiple choice questions based on that network. For instance, they might ask you “How many Windows services are configured for automatic startup on SERVER1?” The only way to find out is to gain access to that server, i.e. you have to actually use the skills that you’ve learnt rather than regurgitating trivia points from memory. I think this approach gives the best of both worlds, i.e. a practical test with instant results, although reports are an important skill for real-life penetration tests.
In March 2020, I took CompTIA’s CySA+ (Cybersecurity Analyst) exam. Along with PenTest+, this bridges the gap between Security+ and CASP. In simple terms, PenTest+ is about “red team” activities (attack) whereas CySA+ is about “blue team” activities (defence). This certification was launched in 2017 as CSA+, but it was rebranded in January 2018 because someone else had already registered “CSA” as a trademark. The exam (CS0-001) stayed the same, although this was retired in October 2020.
NB The CS0-002 exam was launched in April 2020, giving a 6 month overlap, but this blog post covers the older exam. I noticed a bit of overlap between CS0-001 and PT0-001 (possibly because CySA+ launched first), so I’m guessing that CS0-002 will make them more distinct, but I can’t confirm that.
Thinking about the target audience for this certification, it seems to cover a hybrid role. Some of the objectives cover hand-on skills, e.g. configuring a firewall or doing forensic analysis on a PC that’s infected with malware. Other objectives are on the management side, e.g. risk assessments and data classification.
Palo Alto Networks make security products. In particular, they sell firewalls (physical and virtual), and their Panorama software will let you manage multiple firewalls centrally (e.g. for branch offices). Their certification program has 3 tiers:
Entry level
Administrator
Engineer
Palo Alto Networks offer free training for all of these, although you have to pay for the exam. Even if you don’t do the exam, the training might be worthwhile on its own merits.
In December 2019, I took the entry level exam. At the time, that was the Palo Alto Networks Certified Cybersecurity Associate (PCCSA). However, that exam is being retired at the end of this month (2021-01-31), to be replaced by the Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET). This is basically a rebranding exercise; I assume that it was confusing to have “Associate” (PCCSA) and “Administrator” (PCNSA) certifications which both ended with an A. According to the FAQ: “PCCSA certified individuals will have their credentialing status grandfathered into the upgraded PCCET certification framework.” The syllabus has been revised at the same time, to keep it up to date, but it looks much the same as before.
In brief, this exam is “what” rather than “how”, i.e. it’s all about the concepts rather than the implementation. In that respect, it’s quite similar to Microsoft 365 Fundamentals, and both exams are a similar price ($100/£70). When I did the training, the videos were about 50% advertising for Palo Alto Networks products; the pdf (ebook) was a bit more restrained, but there was still quite a bit of marketing/advocacy in there. E.g. the course will describe what WildFire and GlobalProtect are used for, but not how to configure them. By contrast, the exam was much more general, so there was a lot of overlap between this, Security+, and the SSCP.
Cisco have offered the CCNA (Cisco Certified Network Associate) since 1998, but it’s been through a few variations over the years. They’ve changed the syllabus and the number of exams:
Year
Part 1
Part 2
Combined
1998
CCNA (640-407)
2000
CCNA (640-507)
2002
CCNA (640-607)
2003
INTRO (640-821)
ICND (640-811)
CCNA (640-801)
2007
ICND1 (640-822)
ICND2 (640-816)
CCNA (640-802)
2013
ICND1 (100-101)
ICND2 (200-101)
CCNA R&S (200-120)
2016
ICND1 (100-105)
ICND2 (200-105)
CCNA R&S (200-125)
2020
CCNA (200-301)
From 1998-2016, this all applied to Routing and Switching. Meanwhile, Cisco gradually offered a range of other certifications, e.g. “CCNA Wireless” and “CCNA Security”. In 2020, these all got merged together into a single CCNA certification (except for CyberOps). This blog post covers the old R&S syllabus (2013 and 2016), not the new 2020 syllabus.
In brief, I enjoyed this. I thought the content was interesting, and the exam was actually fun (similar to an escape room). However, the course material was written in 2014 and it could do with an overhaul; Offensive Security updated the OSCP in Feb 2020, so hopefully they will do the same for the OSWP at some point.
The student will learn to implement attacks against WEP encrypted networks.
The student will learn to implement attacks against WPA encrypted networks.
The student will learn alternate WEP and WPA cracking techniques.
So, is this course/certification still relevant? How many people are actually using WEP/WPA rather than WPA2 (or open networks that don’t need cracking)? WiGLE (Wireless Geographic Logging Engine) has some stats on this. Here’s a snapshot from 2020-06-07:
In particular:
5.26% on WEP
5.01% on WPA
So, that’s about 10% of wireless networks. Based on that, I can see the skills being useful. However, when I scanned my local (residential) neighbourhood, I couldn’t find any WEP/WPA networks. Any new router from an ISP should come pre-configured with WPA2, and it’s been that way for several years now. I also wonder how up to date those stats are, i.e. whether the WEP networks still exist.
The good news (as a pen tester) is that the same attacks will work on WPA-PSK and WPA2-PSK. According to WiGLE’s stats, 67.5% of networks use WPA2, although unfortunately they don’t show a breakdown of Personal vs. Enterprise. If you’re using WPA2-Enterprise (802.1X authentication) then you’re safe against these attacks. However, in my anecdotal experience there are a lot of WPA2-PSK networks out there.
So, that’s a roundabout way of saying that yes, this exam is still relevant.
If you run a wireless network (at home or at work), how worried should you be? Before I did this course, I’d already heard that WEP is essentially worthless; now that I’ve experienced this from the attacker’s perspective, I can confirm that’s true. WPA2-PSK can be cracked, but it relies on a dictionary attack; if you’ve got a random passphrase then you’re pretty safe, e.g. ~*TJ8H|^u@<)Fk05Uq}t;5?N\v(bv<4s-nT`H””yA$(ha.bEP”+jEg)”&y({Fr
In April 2019, I took the Microsoft 365 Fundamentals (MS-900) exam.
Microsoft offer free training; they say that this will take 4 hours 11 minutes, although you might find that you need to repeat some of the videos if you didn’t fully understand it the first time through (e.g. if you got distracted). It would also be useful to supplement this training with hands-on experience; if you don’t have access to Microsoft 365 already, you can get a single user subscription to Exchange Online (plan 1) for £3/month (+VAT), which won’t break the bank.
The actual exam costs £69 (+VAT) which is definitely at the cheaper end of the spectrum, and I took it from home via online proctoring. According to the FAQ, the actual exam lasts 60 minutes, but the total “seat time” is 90 minutes (allowing for time to read the NDA etc). Unusually, they don’t specify how many questions there will be: The number of questions on an exam is subject to change as we update it over time to keep current changes in the technology and job role. Most Microsoft Certification exams contain between 40-60 questions; however, the number can vary depending on the exam. My exam had 36 questions, and some of those had multiple parts (e.g. a list of statements where you had to mark each statement as true or false). However, the content has changed since then (most recently on 2020-04-14), so your experience might be different. As another example, @Microsoft365Pro said: “I passed this exam on 31/01/2019 the day of the release. I had 63 questions in this particular paper.” Either “63” is a typo for “36” or we had significantly different exams! The whole thing took me about an hour; I wasn’t pushed for time, but I didn’t have loads of time left over, so I think they got it about right.
In April 2019, I took CompTIA’s PenTest+ exam. Along with CySA+, this bridges the gap between Security+ and CASP. As the name suggests, it’s all about penetration testing.
This is a relatively new exam, and it’s still on the first release (PT0-001). Because of that, it’s not very well known, so I haven’t seen any job adverts asking for it. Personally, I took the Security+ exam in November 2016, so that was due to expire in November 2019 (along with the A+ and Network+). Doing this exam was a good way to renew all of my existing CompTIA certifications, while learning some new skills, so I don’t regret it. However, I mainly see it as a stepping stone towards a more useful certification.
Pen testing exams generally fall into two categories: theory and practical. Like the other CompTIA exams, PenTest+ is (primarily) multiple choice. This has the advantage that it can be graded automatically by the testing software. However, it also has the downside that it’s less realistic, because it’s more fragmented. It’s entirely possible to pass this exam without ever actually doing a penetration test, which makes the certification less valuable to employers.
As an analogy, think of a driving test. Normally, you would drive around the area for a while to demonstrate your general ability, then the examiner would ask you to perform a few manoeuvres (e.g. parallel parking). Imagine instead that the examiner drove you to a suitable location, then you swapped seats so that you could do a manoeuvre, then you swapped seats again so that they could drive you to the next location. PenTest+ feels a bit like this, e.g. they might ask you how you would set up a reverse shell but you won’t need to choose when to do that.
