Home > Articles > CompTIA > Security+

Comparing and Contrasting Security+ and SSCP

  • Print
  • + Share This
IT Professionals interested in starting down the information security path cannot avoid learning about the CompTIA Security+ and the (ISC)2 SSCP certifications. Both are entry level for the field, cost about the same, and involve a like number of questions, along with an uncannily similar set of topical domains for the exam. Read this article to understand how these two credentials differ, and why (or why not) you might choose to skip them altogether, or choose one over the other.
Like this article? We recommend

Like this article? We recommend

If you take a look at the various facts and figures that appear in Table 1 below, you might be inclined to consider the CompTIA Security+ certification and the (ISC)2 Systems Security Certified Practitioner (SSCP) credential are more or less interchangeable parts. They cost roughly the same, they cover roughly the same topic areas, and each one involves answering roughly the same number of questions. But these exams are not interchangeable, and serve somewhat different purposes and audiences, as the discussion that follows Table 1 will show.

Table 1: Basic Facts & Figures for Security+ and SSCP

Name

Sponsor

Cost

Questions

Time

(mins)

Topic Domains Covered

Security+

CompTIA

$250-270

100

90

Network Security; Compliance and Operational Security; Threats and Vulnerabilities; Application, data, and host security; Access control and identity management; Cryptography

SSCP

(ISC)2

$295

125

180

Access controls; Malicious code and activity; Monitoring and analysis; Networks and communications; Risk, response, and recovery; Security operations and administration

Closer Look #1: Security+

CompTIA describes the target audience for the Security+ certification as IT security professionals who possess a minimum of two years’ “experience with IT administration with a focus on security.” A good candidate will also have “day to day technical information security experience,” and possess “broad knowledge of security concerns and implementation” where the items listed in the “Topic Domains Covered” column in Table 1 are concerned (all quotes come from the Security+ Exam Objectives for exam SY0-301—the most current version, scheduled to take effect in 2011—available for download from the CompTIA Security+ Web page).

The CompTIA Security+ topic domains take a moderate dive into modern topics and issues commonly associated with information security, without necessarily going into excruciating detail. Thus, for example, the Network Security domain breaks down into six sub-topics:

  • Network devices and technologies, such as firewalls, routers, switches, load balancers, proxies, security appliances of many kinds, and other hardware are explored and explained from a security perspective.
  • Methods for applying and implementing secure network administration principles are discussed, including rule-based management, firewall rules, VLAN management, secure router configuration, access control lists (ACLs), and more.
  • Methods for distinguishing and differentiating among network design elements and combinations are dissected, with an emphasis on enhancing and enforcing security. These encompass DMZs, subnetting, VLANs, network address translation (NAT), remote access, network access control (NAC), virtualization, and cloud computing technologies (PaaS, Saas, IaaS).
  • Working with common protocols to enforce, implement, and enhance security. Protocols mentioned are IPsec, SNMP, SSH, DNS, TLS, SSL, TCP/IP, FTPS, HTTPS, SFTP, SCP, ICMP, and IPv4 vs. IPv6.
  • The range of commonly used default network ports is investigated, where the following services merit specific mention: FTP, SFTP, FTPS, TFTP, Telnet, HTTP, HTTPS, SCP, SSH, and NetBIOS.
  • Secure implementation of wireless networking is explored and explained. In this context, the following techniques, algorithms, and tools are covered: WPA/WPA2, WEP, EAP, PEAP, LEAP, MAC address filtering, SSID broadcast management, TKIP, CCMP, antenna placement, and power level controls.

All in all, the Security+ provides a good general nuts-and-bolts survey of modern information security topics, tools, techniques, and best practices. It tends to focus in on specific instances of these things, and it doesn’t always emphasize a deep understanding of security consciousness, perhaps because that’s believed to come with additional time and experience beyond its target candidate population. Nevertheless, the six topical domains for the Security+ do cover most of the key issues and concerns in understanding, implementing, and maintaining proper information security.

  • + Share This
  • 🔖 Save To Your Account