Networking Concepts in Security+

Stephen Schneiter

Administrator
Staff member
  • Nov 26, 2018
    707
    6
    2,685
    95,121
    Knoxville, TN
    So, here is a question for those that teach Security+ before Network+. How do you handle networking concepts that are included in Security+ objectives? Do you just cover them as you come across them, or do you offer a basic networking modular component as an add on to Security+? Thanks in advance! Inquiring minds want to know! ?
     
    So, here is a question for those that teach Security+ before Network+. How do you handle networking concepts that are included in Security+ objectives? Do you just cover them as you come across them, or do you offer a basic networking modular component as an add on to Security+? Thanks in advance! Inquiring minds want to know! ?
    Of course Network+ should be first then Security+ otherwise it will be nightmare
     
    In a perfect world, students would pass A+ first, Network+ second, and Security+ third. Unfortunately, we do not live in a perfect world.

    I've lost count of how many students attempted Security+ as their first certification. Many of the students had no IT background whatsoever.

    I preface every class with a recommendation to learn as much about tech as possible if they want to pursue a career in cybersecurity. Learn about hardware/software troubleshooting. Learn about networking. Learn about the cloud. Learn about IoT devices and ICS/SCADA systems. Learn about AI/ML. Learn programming languages and command-line scripting. Learn vendor-specific tools. Learn as much as you can because threat actors have countless threat vectors. You can't protect an organization if you don't understand the underlying technologies.
     
    So, here is a question for those that teach Security+ before Network+. How do you handle networking concepts that are included in Security+ objectives? Do you just cover them as you come across them, or do you offer a basic networking modular component as an add on to Security+? Thanks in advance! Inquiring minds want to know! ?
    I tried this once and it was an ever-lovin' nightmare. Teaching network security without the network component, to me, sets students up for failure.

    As a wider angle concept, I see that most of the jobs out on the market are wanting Security+ (or the cert within x of hire). This forces people to push for Security to chase the job, rather than having the underpinning A+ and Network+ subject matter nailed down.

    What gets me is that it seems that CompTIA might be acknowledging that particular point by adapting the A+_Cyber to contain networking topics - or what I see as a scaled back version of the Net+ material so learners don't feel compelled to go through Network+ proper on their way to Security+.

    Now, I saw at Summit the progression of Tech+, A+_Cyber, Security+ for learners getting into the field.

    A+_Cyber's training page on Coursera (linked from CompTIA) indicates a total training time of 31 hours for A+_Cyber, with students at Beginner Level, which is described as "This course is designed for beginners with minimal to no experience in IT, making it accessible to all.". This says to me that a zero experienced student would be ready to sit Security+ after less than one week of training time.

    I've trained students for years and I never would have considered putting someone in Security+ with that little of training, which makes me wonder about CompTIA's approach. I spoke with Todd Thibodeaux during the conference and he seemed acute to the idea that Security+ is the gatekeeper cert for many jobs in DoD and looking for ways to try to help learners reach that level faster.

    Again...it makes me wonder.

    /r
     
    • Like
    Reactions: MOHAMMAD SOAEB
    In a perfect world, students would pass A+ first, Network+ second, and Security+ third. Unfortunately, we do not live in a perfect world.

    I've lost count of how many students attempted Security+ as their first certification. Many of the students had no IT background whatsoever.

    I preface every class with a recommendation to learn as much about tech as possible if they want to pursue a career in cybersecurity. Learn about hardware/software troubleshooting. Learn about networking. Learn about the cloud. Learn about IoT devices and ICS/SCADA systems. Learn about AI/ML. Learn programming languages and command-line scripting. Learn vendor-specific tools. Learn as much as you can because threat actors have countless threat vectors. You can't protect an organization if you don't understand the underlying technologies.
    Man, I have to agree!
    I recently taught a class that started at Net+, then Sec+, and continued on to CCNA.
    That was the most difficult time, I've had to date, teaching. Most of the students had some IT background, or even had classes, in college.
    None of them were as prepared, as they seemed to think they were. I even had a student tell me, that he "thought" he knew networking, but realized he didn't. BUT, he said he had definitely started to grasp it (that was a great compliment, even thought he didn't realize it), by the end of the class.
    Multiple times during class. I was covering material that I would have covered with my A+ classes.
     
    • Like
    Reactions: Gregory Childers
    I’ve been teaching since 1999 and found throughout my tenor that training centers will fill the seats and it was always up to me to get them past the class into the cert to get their checkboxes checked ( sec+ check!) so they can do their job of click okay on the pop up. ( at least that’s what it seams like nowadays)

    I’ve always had to include topics from net+ in my sec+ classes. It makes it difficult to complete the class without feeling like rushing thru a few chapters all because you had to explain subnetting and what DNS & DHCP does.

    I tried to get my student the basics of what they needed to know and the rest would come from their prospective employer.

    what I found frustrating is that with all the objectives covered in these classes, there is a good 25-40% that student just won’t see in the real world.

    It’s great to know how to setup a DNS and DHCP serverbut realistically the students will most likely not be doing that on the job.

    it all depends on what they are doing as part of their job responsibilities. Most of the students I’ve been teaching have been either military or folks that are looking for that first job in cyber.

    I’ve also taught boot camps for years with high success rates to get folks running into the job with arms wide open. For those that were willing to put the hard work in got the reward.

    I think the challenge is how do we as Instructors teach to learn and remember information for longevity.
    one way I found that seems to work is, take something the student already knows and ‘relate’ to it.

    now with chatGPT I challenge my students to ask questions like, could you explain the OSI model with marvel heros?

    And this is the response:

    ChatGPT

    Sure, think of the OSI (Open Systems Interconnection) model as a team of Marvel superheroes:
    1. Physical Layer - The Hulk: The Hulk is the powerhouse, dealing with raw strength. Similarly, the Physical Layer deals with the physical connection of devices, like cables and hardware.
    2. Data Link Layer - Black Widow and Hawkeye: This layer is about communication between directly connected devices. Black Widow and Hawkeye work together efficiently, just like devices communicating on the same network.
    3. Network Layer - Iron Man: Iron Man handles routing and directing the flow of traffic in various situations. Similarly, the Network Layer manages the path data takes through the network.
    4. Transport Layer - Captain America: Captain America ensures the safe transportation of his team. Similarly, the Transport Layer is responsible for end-to-end communication and data integrity.
    5. Session Layer - Doctor Strange: Doctor Strange establishes, maintains, and terminates communication sessions. Similarly, the Session Layer manages and controls dialogues between two devices.
    6. Presentation Layer - Ant-Man: Ant-Man deals with the transformation of his size, much like the Presentation Layer, which handles data format translation and encryption/decryption.
    7. Application Layer - Spider-Man: Spider-Man interacts directly with users, just as the Application Layer provides network services directly to end-users or applications.
    Each superhero (layer) has a specific role, and together they form a powerful team (model) to ensure efficient communication.

    —————-
    Now what’s nice about this is that you can really customize this to whatever the students are already familiar with.

    I had a Chef in my class and we had found a way to explain the OSI model to him using same approach.

    so all that to say,
    Teach them to ‘relate’ to something they already know. It makes it easier for them to understand and comprehend, the beauty of it is that they also remember it in the long haul!!

    Just my few cents worth.

    thanks for ur time,
    Red Kohler
     
    An easy way to fix this would be to make A+ a mandatory prerequisite for Network+

    and make Network+ a mandatory prerequisite for Security+

    and make Security+ a mandatory prerequisite for CySA+ and PenTest+

    And make CySA+ or PenTest+ a mandatory prerequisite for CASP+.
    That would be great Gregory, ideal for sure.

    how would that work for students that are paying out of pocket, trying to support a family on a single salary or no salary.

    I understand why we have students in classes they shouldn’t be in.

    1. salespeople within the training centers pushing for classes that are happing next week.. ooops you missed A+ and net+, that’s okay, here’s Sec+ or CySA+ ( yes, I’ve had students where I was their first instructor in a CySA+ class with no prior experience) and plenty for sec+ classes.

    2. Students that are paying out of pocket need a cert that gets them to dive into the workforce in the area they prefer ( cyber in my case)
    To say that it’s mandatory to take A+ before net+ ( it’s the most reasonable step up) is just not realistic.
    students will not pay for two additional classes just to get into security+, the funds may just not be there for that.

    and if we as instructors do our job well, we should be able to adapt to the changes and make it work.

    Please understand I totally agree that students should go thru the process of A+ then Net+, then Sec+ ,etc.

    But the reality is, this will most likely not ever happen in that order. If compTIA mandated that it be so, I think it would get to a point that a good % of trainers would be finding new ways to earn a living.

    Keep in mind, this is just my opinion.
    Been training since April 1999 and have over 20k+ students on my belt.
    One thing it’s taught me, make it work with what your given. And make it the best it can be.

    Cheers,
    Red Kohler
     
    • Like
    Reactions: Hank Cox
    So, here is a question for those that teach Security+ before Network+. How do you handle networking concepts that are included in Security+ objectives? Do you just cover them as you come across them, or do you offer a basic networking modular component as an add on to Security+? Thanks in advance! Inquiring minds want to know! ?
    Adapt, make it work with what you got.
    I’ve been put into these situations over and over again by training centers.
    sales people need to make sales.. if sec+ is next on the schedule, it will get sold.
    It’s been like this ever since I started teaching back in ‘99.
    Not sure it’s gonna change.
    I’ve learned to adapt, work with what I got and make the best of it.
    Figure out how students will remember and ‘relate’ the information given.

    You don’t want them coming into your class and two weeks later everything is a blur.
    I use a lot of keyword associations in my classes.
    I relate to the car mechanic and the chef in the kitchen that wants to get into cyber and figure out a way to relate with what they already know to what I’m trying to teach them.

    Everything we do in life is related to something else we experienced. Teaching someone cyber is no different or any other topic.

    just my opinion,

    Cheers,
    Red Kohler
     
    That would be great Gregory, ideal for sure.

    how would that work for students that are paying out of pocket, trying to support a family on a single salary or no salary.

    Training and higher education aren't guaranteed to anyone. They could buy some inexpensive exam prep books online and pass the exams. I've seen far too many people on Reddit bragging about passing the trifecta with zero experience simply by memorizing the information in Professer Messer's free videos or Jason Dion's incredibly inexpensive videos.

    I understand why we have students in classes they shouldn’t be in.

    1. salespeople within the training centers pushing for classes that are happing next week.. ooops you missed A+ and net+, that’s okay, here’s Sec+ or CySA+ ( yes, I’ve had students where I was their first instructor in a CySA+ class with no prior experience) and plenty for sec+ classes.
    This does a disservice to them and the other students with the prerequisite knowledge and experience. The students without experience struggle, while the experienced students are held back because the newbie slows down the pace. Every person should train for the level they are at, not the level they eventually want to achieve. Besides, no advanced-level certification will get them a job if they have no experience.

    2. Students that are paying out of pocket need a cert that gets them to dive into the workforce in the area they prefer ( cyber in my case)
    To say that it’s mandatory to take A+ before net+ ( it’s the most reasonable step up) is just not realistic.
    students will not pay for two additional classes just to get into security+, the funds may just not be there for that.
    It's unrealistic to expect a person without prerequisite experience to succeed by skipping important knowledge areas. And for the trifecta, there are low/no cost alternatives.

    and if we as instructors do our job well, we should be able to adapt to the changes and make it work.

    If I teach a CISSP class and someone with no IT or management experience attends, they will struggle and most likely fail the exam. They cannot skip important knowledge areas or do it without some experience.


    Please understand I totally agree that students should go through the process of A+, then Net+, then Sec+ ,etc.

    But the reality is, this will most likely not ever happen in that order. If compTIA mandated that it be so, I think it would get to a point that a good % of trainers would be finding new ways to earn a living.

    Keep in mind, this is just my opinion.
    Been training since April 1999 and have over 20k+ students on my belt.
    One thing it’s taught me, make it work with what your given. And make it the best it can be.

    I've been teaching for 24 years and I've learned that there are no shortcuts.
     
    • Like
    Reactions: Jill West
    Thanks for your responses Gregory, appreciate the feedback,

    don’t get me wrong, I agree with what you are saying.
    My point was how we as trainers get put into situations where we have to make do with what we are given.

    So rather than require that it’s mandatory for students to take A+ then Net+, etc.
    maybe more so have a system where we can vet the students before they come into a class.

    Question becomes; is that the role for the trainer or the training center/sales team?

    In response to your responses:
    1. I’ve seen far too many ‘paper-certified’ folks out there as well that have no clue what they are doing and are in fact doing us all in the industry as disservice.
    to address this I try and incorporate as much real world and hand on exposure as possible.
    I also tell my students that getting the cert doesn’t mean you know it all. And that because of people that just get the cert ( thru boot camps and the such) and get the jobs , then can complete the job required tasks, get let go, only to make things harder for the person who may have spent time really trying to understand the material and go thru the labs to get that XP.

    I have my students create a tryhackme account and ask them to use it 15min a day. To get more exposure.

    I think what it comes down to is that the system is broken and needs to be fix or at the very least tweaked.

    2. Again, I agree with you there as well.
    sales needs to have a better understanding on what these classes are about instead of looking at the commission they bring.
    Perhaps turn us trainers into the sales folks. As we’re able to discern where a student should start off with by talking to them… as we understand and can gauge where a students understanding is of the topics that would be covered in the classes.

    the challenges we face as trainers is that we will always have students in the classrooms that are both experienced and brand new to the industry.

    I would say it’s up to us to mentor and give great advice to the students and give them realistic expectations of what to expect with let’s say the Sec+ cert with no real world experience.

    3. Yes you are right that it is unrealistic to expect students without prerequisite experience to succeed by skipping important areas, but who’s saying we’re skipping? We adapt, figure out a way to get the important information across.

    4. Yes, true, students will most likely struggle when they take a CISSP class as their first class.
    however, isn’t it our responsibility as trainers to fill in the gaps , rewind it back and talk about topics that would be a prerequisite?
    And this is what I meant by it being challenging for us trainers to teach classes where we are put into these situations.
    what I’m saying is, how do we as trainers figure out how to still make it work.
    the students shouldn’t be in a CISSP class to start with… but who’s fault it is? Not the trainers fault.
    perhaps if we are able to pre-screen students before they sign up for a class so we can give direction and advice on what would be the best class to start with based on their current knowledge… that would definitely be the day to rejoice!
    One would hope that the sales folks selling these classes would have that insight, and there are some training centers out there that do follow that model.
    but there are plenty of training centers out there that don’t.

    5. to your final comment; you and I have been around for quite a while and I believe that we share the same frustrations about how things are done.
    And yes, no such thing as shortcuts.

    I appreciate your time to respond and engage in this topic!!

    Cheers,
    Red Kohler
     
    I see two challenges:

    1) Training companies need to drive students into classes by any means necessary. Often, that means exaggerating how much they can make or what certs they should attempt.

    This has got to stop. Sales and marketing must have honest conversations with students to let them know that good salaries can happen, but only after years of experience and hard work. Certs are important to build foundational knowledge but don't guarantee anything.

    2) Too many students want to put forward the least effort but expect immediate gratification. They want to memorize vocabulary terms, watch abbreviated videos, and take a battery of practice exams until they memorize the bare minimum they need to pass. Usually an exam where they have no prerequisite experience, foundational knowledge, or previous certifications. They want to start in the middle or at the end, but they want to be spared the beginning. And they want it all for free. Then they expect a starting salary of six figures.

    This has got to stop. Students need to be given the truth. Nothing good comes easy. They have to do the work and pay their dues. It takes time and work. And some of that comes with a cost. Free training is usually worth nothing. Most free/inexpensive training options I've seen were borderline embarrassing, with limited content and countless errors. The students must be encouraged to learn, think, and apply knowledge.

    It should not be the trainer's/instructor's responsibility if the student has signed up for the wrong class or is unprepared. I had a situation decades ago where a senior salesperson attempted to enroll a student in an advanced-level class for a topic where the student met none of the prerequisites. They interrupted my class one hour into the lesson and asked me to admit the student. I denied the request. It is their job to place the student in the correct class, not mine. It is my job to manage my classroom and facilitate learning for my class.
     
    An easy way to fix this would be to make A+ a mandatory prerequisite for Network+

    and make Network+ a mandatory prerequisite for Security+

    and make Security+ a mandatory prerequisite for CySA+ and PenTest+

    And make CySA+ or PenTest+ a mandatory prerequisite for CASP+.
    That would be pretty draconian, but I cannot say I would disagree with it. Several years ago, I pushed (against some resistance in the academics department) to have those prerequisites in place to advance through our CST/CNST program. "It makes scheduling harder" and "if a student fails, they end up having to go on leave of absence until the class they need comes around again"...so on, and so forth. Luckily, eventually, the high-ups agreed with me, although it makes things less fluid and flexible for the school.

    I've also heard the contention that the school shouldn't be the gatekeeper on what they take "let the student decide that for themselves". The problem is, if a student comes to a school for their training and then wants the Burger King special "have it your way", then what's the school really for, anyway? A school should provide a framework and contact points where students are disciplined to learn.

    Discipline, however, is a lost art these days.

    To me, doing the trifecta, step by step, is the best way to do the training. There are no shortcuts in that.
     
    • Like
    Reactions: Red Kohler
    That would be pretty draconian, but I cannot say I would disagree with it. Several years ago, I pushed (against some resistance in the academics department) to have those prerequisites in place to advance through our CST/CNST program. "It makes scheduling harder" and "if a student fails, they end up having to go on leave of absence until the class they need comes around again"...so on, and so forth. Luckily, eventually, the high-ups agreed with me, although it makes things less fluid and flexible for the school.

    I've also heard the contention that the school shouldn't be the gatekeeper on what they take "let the student decide that for themselves". The problem is, if a student comes to a school for their training and then wants the Burger King special "have it your way", then what's the school really for, anyway? A school should provide a framework and contact points where students are disciplined to learn.

    Discipline, however, is a lost art these days.

    To me, doing the trifecta, step by step, is the best way to do the training. There are no shortcuts in that.

    I don't think of it as draconian. I see it as setting the student up for success. To succeed in tech, particularly in cybersecurity, they need to have a broad technical foundation and a deep specialized knowledge. Far too many people want to cut corners and skip the foundational knowledge and would rather start in the middle or at the end. It's like a medical student wanting to do brain surgery without taking their first biology class.
     
    So, here is a question for those that teach Security+ before Network+. How do you handle networking concepts that are included in Security+ objectives? Do you just cover them as you come across them, or do you offer a basic networking modular component as an add on to Security+? Thanks in advance! Inquiring minds want to know! ?
    Normally I end up doing both to give that added value.
     
    I have a list of Net+ concepts that are covered in Sec+ and have developed notes and videos that I share with students that are not confident with their understandings of those topics. I call these concepts out as being Net+ and tell students if they have questions to let me know so I can share additional content and address their questions outside of the Sec+ class meetings.
     
    • Like
    Reactions: Stephen Schneiter
    As mentioned above in most cases Training companies have different teams (Sales,account managers and instructors etc) who have different targets to meet. As an instructor you often do not have much choice, especially if you are delivering a 5 Day Course, in most cases you find out during introductions on Monday morning. In my case i have student resources that include notes and videos for every course that i teach, i share these with them on the last day of the course and i try and fill in the gaps during the 5 days for smaller topics like Network foundations but still pointing them to the resources. All of this also eats into class room time, so in some cases we end up shortening the coffee and lunch breaks to 10 and 45 minutes