My long-term goal is to earn the Offensive Security Certified Professional (OSCP) certification. Ever since I started looking into cybersecurity, OSCP has always popped up as the certification to obtain. It is meant to demonstrate enough knowledge and expertise in penetration testing to easily land any related job (or so I wish to believe). Even though recent years have seen competitors propose excellent alternatives said to be more « real-world » realistic, even though the « try harder » motto of the OSCP is getting a bad rap all over the place, and even though it is on the expensive side of the certifications market, I have set my mind on obtaining the OSCP one day. That is non-negotiable. I have equated the OSCP to a martial art black belt: you deserve it once you have been through many years of training, you can’t claim to be good at it without it, but it is only from there that the actual journey starts. It is a goal and a stepping stone at the same time. So regardless of its actual value, it is still a valid and reasonable objective to go after. The problem though is that I have no IT experience.
A little bit of background: discovering CompTIA
Even though I tinkered a bit with Linux in my college years and have helped some friends and family members to clean their Windows installations (back in the days when defragmenting was the solution to everything), I didn’t have any proper IT education and absolutely no real experience that could help me in my quest for the OSCP. Also, my college studies and my job had nothing to do with IT. So how would I go from almost digital illiterate to cyber-wizard? For quite a long time, I thought that was just a silly dream and I didn’t seriously try to pursue it.
In 2013-2014, I was still interested in the topic, but without knowing what to do, I started learning some Python, created a few simple programs, and gave up after six months, as I got stuck and didn’t see how that would help me anyway. It’s around that time that I’ve first heard about the Computing Technology Industry Association (CompTIA), which is a vendor-neutral IT certification entity. They offer many different certifications related to IT, going from computer hardware and software, to network, security and more. In other words, I finally found something that made sense. I don’t remember exactly how it was presented back then, but nowadays they have a clear roadmap of all the certifications they create, which makes it easier for people like me to know where to go, what to learn and in which order.
At the time, I decided that I would start with the Network+ certification, because I thought that learning about computer networks would be more interesting and useful than learning about computers in general. Even if the A+ certification is supposed to be the first one to get, I went another direction. Looking at the resources available, I chose Mike Meyers’ All-in-One Exam Guide (I link all the resources I used at the bottom of this article). I don’t remember if that is all that was available to me in my region then, or if it’s just that I was very bad at researching information, but I somehow believed that it was the only possibility. So, I started reading this book and took notes as I progressed. It was difficult for three reasons: first of all, English is not my mother tongue and I was not that fluent back then; secondly, I really lacked basic IT knowledge, and many concepts were still hard to grasp, especially without any real-world practice; and third, I was reading late at night, after exhausting and never-ending days at work. I read a bit more than half the book, and had to give it up…
Jumping a few years ahead, I discovered IppSec on YouTube. That was eye-opening. Magic was not something out of this world, it was real. I was watching it. Actual wizardry. I didn’t understand anything of what he was doing, but I knew for sure that I wanted to be able to do the same. That is when I looked back at my All-in-One Exam Guide and understood that I wasn’t going to be able to do that if I didn’t go through the proper trials. This is when I decided to give it another try. My new lifestyle allowed for a better work-life balance, which meant more time to properly study. But this time, after I learnt from my mistakes, I went for the A+ studies first, and expanded the breadth of my sources.
Going after the CompTIA A+ not exactly the right way
After more research on the web, I got the latest A+ All-in-One Exam Guide, bought the corresponding Udemy courses, and discovered another bald guy who provides CompTIA-related teaching, for free, Professor Messer (teaser: there’s actually a third bald guy that comes in later, but as far as I know, they don’t end up walking into a bar). Retrospectively, the A+ certification was probably the hardest to obtain, just because of how wide the range of topics is. This is probably why CompTIA made it a two-part certification, the first one focusing on everything related to hardware, and the second one related to software. You need to pass both to be A+ certified.
I did say before that I had been playing a bit with computers ever since I was young, but nothing at the level, nor at the depth required by this certification: I had to learn how CPUs work exactly, how the different kinds of printers print, what computer screens used to be/are made of, how data is saved in RAM versus in an SSD and how it moves around, what is in the Event Viewer of Windows and how to retrieve useful information from it, some Terminal commands to do some basic maintenance, safety measures when dealing with specific hardware, etc. Everything to make you the best computer repairperson around. And the above is barely scratching the surface.
Looking at the list of exam objectives, I knew that it was going to be a long ride. I started my learning with the Mike Meyers’ Udemy courses. Mike Meyers is a great teacher: he keeps the student engaged, he is funny, and is able to make all the concepts very easy to understand. It all clicks very quickly. But the downside of his videos is that they are somewhat superficial and lack quite a bit of the details and nuances actually required for the exam.
This is all covered in his book. His All-in-One Exam Guide is phone-book huge, and it does contain everything that needs to be learnt for the exam and more. It mixes both the hardware and the software parts of the certification, but also historical background and extra pieces of information relevant to future IT technicians, but not so much for the exam itself. It is useful to contextualize a lot of the content and to make it more actionable on the job too. I focused on the hardware sections of the book first, since I was going to do the first part of the exam before the other. It took me quite a while to read through everything, to take notes and to make sure that I didn’t miss anything.
Finally, I watched Professor Messer’s videos to review the topics and to have them being presented in a different light. Professor Messer’s tone is way drier than Meyers’, but it is so much more to the point: he teaches what is on the exam objectives, exactly, in order, nothing more, nothing less. It was very useful to confirm what was really necessary to know for the exam and trim down a bit from the mountain of details from Meyers’.
At that point, I took a few practice exams on Udemy and Messer’s, and felt relatively confident with the results. I booked my test in August 2019 and went for it at an exam center. I hadn’t taken any real test in a while and I remember that I was very stressed about it. The exam was rough: all my preparation was based on acquiring knowledge, not so much on practicing. So, the so-called Performance-based Questions (PBQs) were way harder than I expected. As everyone recommends, I did skip them and did them last. But looking at them on the way to the Multiple-Choice Questions (MCQs) made me worried. The MCQs didn’t help though, and I felt that I was failing throughout the exam. The wording is tricky and most of the answers either seem to be the right answer, or none of them. After two hours, I reached the end of the countdown (being a non-native English speaker in a non-English speaking country, I get an extra 30 minutes, so two hours in total). I clicked to continue, my heart was racing, and… before giving you the results, they make you go through a demographics questionnaire, which I wasn’t expecting. I was so anxious about seeing my result that I didn’t see how many questions there were, and frantically clicked away when suddenly the results appeared and I didn’t realize it wasn’t another demographics question. And I had passed! I felt immense relief, and even though it was the very first step of my journey, it amounted to a big accomplishment for me.
So much so that I was extremely exhausted, mostly because I erroneously gave myself only about one month to study. I studied until way too late every day, and that wasn’t healthy or really effective. And it pretty much burnt me out for a while. I wanted to continue right away with the second part of the A+ certification, and I did for a few days, but then my motivation went away… I just spent so much time and energy, that my body told me to stop. And I listened for about a year and a half…
Completing the A+ with a slightly better approach
Beginning of 2021, new resolutions and all, I decided it was time to finish what I had started. I drafted a study plan that would take me two months to complete this time, giving me a bit more breathing room, which was very necessary after my first run at it. Even though I should have adjusted more, I continued with the same overall method that worked the first time: started with Meyers’ Udemy courses, followed up with his book and by taking notes, and rounding it all up with Messer’s videos. Because I paced myself better, and also because the content had more to do with software than hardware, it felt less foreign to me and easier to learn. Also, I started using Quizlet, which allows learners to create their own flashcards. It helped a lot to review everything in an efficient way. I ended up with 570 cards, which was quite a lot to create and go through (wait until we arrive at Security+…), but very helpful.
After two months of going through all these materials, I booked the exam. This time, because of COVID, I had no choice but to take the exam at home. I thought it would be more relaxing, being in the comfort of my own place; it didn’t exactly go that way. Pearson’s OnVUE system is used for this, and the software was pretty smooth. However, on the day of the exam, as per the instructions available on their website, there is a whole verification process that was way more complicated than I expected: I had to show my entire room through my webcam, which is of course stuck to my laptop, so not the most comfortable way of doing so; they made me take a picture of my ID, but their application didn’t allow me to switch the camera of my phone (so I had to take a full picture of my passport in selfie mode), and then they said that they can call in case something is wrong, but you are not allowed to have your phone with you, nor to make any sound, so you never know if they’re calling you or not. And then you wait…
Until, finally, the exam is loaded into the software and it starts. The webcam has to be on at all times, and it is recommended to not move, keep your eyes on the screen, not read the questions out loud, etc. Some people seem to have had some very bad experiences with them, but for me, except the registration process that can really be improved and caused me unnecessary stress, the rest of it went very smoothly, at least in terms of the « taking your exam at home » experience. The questions themselves were quite on par with the first exam, and even though I thought that I knew software a bit better than hardware, the exam ended up being harder than the first one. I remember that I had no idea what to do for one PBQ and another one was very shady. Nonetheless, at the end of the two hours, my heart raced again, but I remembered about the demographics questions, so I knew I wasn’t going to get my result right away. Ultimately, the good news was delivered: beginning of March 2021, I was now officially A+ certified!
Yet, again, I felt burnt out. Two months was not enough time, at my level, to ingurgitate all the A+ content in a good way, and it led me to take another six months off of any kind of real studying. More than that, I still failed to see any relevance to IT security. I had studied so many concepts, but only a few of them really seemed to bring me in the right direction… As I kept watching IppSec on YouTube, I was wondering how any of what I had learnt was relevant. However, what I also started to realize is that the more I was watching him, the more I understood (still very little) and some parts here and there were actually mentioned in the A+ content. So, I guess it wasn’t so bad after all.
Going after the Network+ with the arrival of a third teacher
In September 2021, I decided it was time to jump back on the horse and bring the cavalcade to Network+. I was still reading about other people studying, passing or failing the exam, and one name came up quite a bit: Jason Dion, the third part of the CBT (not Computer-based Training, the CompTIA Bald Trinity) (unofficial term). Everyone was praising how good his practice exams were, so I wanted to give his content a try. I ended up getting his full course on his website (instead of the Udemy course), because it had simulations. Seeing how the PBQs were problematic for me, this could be a good solution to practice. His course was easy to understand and follow, as it is organized in a logical way and progresses incrementally, building up on concepts seen previously. The simulations were a bit disappointing however, a bit slow, and some of them didn’t seem to be relevant for the exam; some others though were really good. Overall, they did teach me some practical concepts about networking, and complemented with the rest of the videos, that was a good experience.
That being said, looking at the exam objectives provided by CompTIA, it looked like some points were not really touched on, or too briefly. So, I went back to Professor Messer to review the entire course once again, through his methodical per-objective lessons, which once again really helped refine my understanding. As I was watching his videos, I took notes directly into Quizlet, and if something seemed off, I went back to Dion’s videos to update them. This time, I didn’t take notes while reading the Network+ All-in-One Exam Guide, but I did read it, a little bit every night before bed. This actually was a huge improvement in my studying method: it took less time, and my notes were more to the point and accurate.
I also discovered the Pocket Prep’s « IT & Security » app (Apple Store), which has many different questions related to various certifications, among which the main CompTIA ones. Their questions are not worded exactly like the questions from the exam, but rather focused on making sure that the little nuances between similar terms or concepts are well understood. It was very useful to understand the networking notions better. I did 20 questions a day for a month.
I finished with Meyers’ Udemy course, to review the overall concepts, and it was still very pleasant to see him goof around while making complex topics very easy to understand. This helps to cool down a bit, while making sure that the main core of the exam is well grasped. I then took Dion’s and Meyers’ practice exams (Messer didn’t have any), and was rather satisfied with the results, so I booked my exam for mid-November. This time, I went back to the exam center.
The exam went great. Even though it was still tricky and the wording of some questions was really head-banging, the majority of the questions seemed rather easy. The practice exams from Dion had questions very similar to the ones of the exam (either in wording or in substance), which helped a lot. Conversely, Meyers’ practice tests are always a bit sub-par and seem to recycle questions from previous versions of the exam. Anyway, for once, I was quite confident that it went well. And it did, as I passed with more than 850 points (out of 900), which was even better than all the practice tests that I had taken. After three exams successfully passed on my first try, there was only one left: Security+.
This time, I had given myself about two and a half months to study and review my notes. The content of Network+ was very interesting, and I could see how a good part of it was relevant to cybersecurity. So, this time, I stayed quite motivated and decided that I shouldn’t wait too long before taking the Security+ certification. I just gave myself about a month, and right at the beginning of January 2022, I started my study plan for Security+.
The final boss (Security+) and my definitive study recommendations for the CompTIA Trifecta certifications
After reflecting quite a bit on my past methods, I decided to make the following plan for the Security+, but it is also what I would actually recommend anyone to do for any of the Trifecta certifications, as it gave me the best results and the healthiest way to retain the knowledge:
1. Start with Professor Messer’s lessons. They are dry, they don’t go in any logical order, but it doesn’t matter. This is what is required to know for the exam, and it follows closely the official exam objectives to make sure that every item is covered. If you learn just that, you are already well prepared.
2. Take notes in Quizlet, for each of the above lessons and concepts. That way, when you need to review something from the exam objectives, you know right away where to look.
3. Continue with Jason Dion’s course. It does cover pretty much every item too, but in a logical order, which helps contextualize the different concepts. The simulations were also much more interesting than for Network+, and I recommend them, as they were quite helpful this time. He also mentions what is necessary to remember and what can be skipped: most of the time, the indications seemed to be accurate (but no need to learn all the port numbers, just the main ones from Network+ are enough).
4. Jump into Mike Meyers’ Udemy course. Unfortunately, it is not just Mike Meyers in this course, and his colleague, while very knowledgeable and professional, doesn’t have the same goofy tone that Mike Meyers has. Some people might prefer that, but after watching Messer’s and Dion’s, something less monotone would have been nice. Nonetheless, the content quality is quite high, and that helped to complete the Quizlet notes wherever necessary.
5. While doing 1., 2., 3., and 4., I also read Meyers’ Security+ All-in-One Exam Guide at night, ten pages a day, including the exam objectives and the Index parts. Once again, this was extremely detailed, as it went into all the nuances necessary for the exam, and beyond. The last parts of the book were a good help to make sure that no acronym or name was left unknown.
6. While doing 1., 2., 3., 4., and 5., I used the Pocket Prep’s « IT & Security » app again, and as for Network+, it was a good way to make the distinction between different but closely related terms. Ten questions a day for two months, that was a good pace.
7. Go through the official CompTIA exam objectives one more time and make sure to read about all the acronyms too. If the first part seems to have become obvious for most people, I haven’t seen much talk about the acronyms. While there is no actual question in the exam asking what a particular acronym stands for, they still use them as if they were all known. It threw me off for a few questions in the past. After reviewing each term, either through my Quizlet notes or via a quick Google search, I actually was able to find the answers to two questions in the exam that I wouldn’t have caught by just going through the other courses.
8. Finish by reviewing the Quizlet notes (this time, a good 991 cards!) while taking as many practice exams as possible. I recommend, in order, Messer’s, Dion’s and then Meyers’. Messer’s and Dion’s are the closest to the actual exam and they really helped. Meyers’, as always, are not that necessary, but still good to have another angle too, to make sure the concepts are well mastered.
The above took me a little bit less than three months, and I never felt that I was rushed or doing too much at once. For me, that was the ideal order and the ideal pace. I had booked my exam after the end of step 4. After successfully passing the first two parts of the Trifecta I worried that I would trip up now, so close to the finishing line. The last few days were quite stressful. I knew that the exam was going to throw me some curveballs, with their annoying wording, but at least I was expecting it. Back to the exam center, I looked briefly at the PBQs and saw that at least there was nothing unfamiliar, so I jumped right into the MCQs. Overall, some very easy ones, and as always, some where the different choices could have been all correct too. I went back to the PBQs at the end, and did two out of three pretty easily; the third one not so much, but that was my own fault for not reviewing how to practice that particular point. Anyhow, after all this, I thought that it felt similar to the experience I had passing the practice exams the past weeks before this, and expected to have a similar positive result. And I wasn’t wrong, I passed with exactly 800 points out of 900.
Phew! Finally! I discovered CompTIA back in 2014, and eight years later, I finally accomplished the CompTIA Trifecta: A+, Network+ and Security+. I don’t think they will help me get a job per se (and I don’t need one right now, I already have one), but I wanted to take them mostly for the knowledge that comes with them. It gradually went from content that seemed quite far off to really spot on with cybersecurity. That feels great!
Now when I watch IppSec, I’m not entirely lost anymore, and the magic starts to make more sense to me: I understand more or less what he is doing or what he is talking about. And taking the three CompTIA certifications certainly had a huge role in that. Now, at the same time, I have to admit that 90% of that content is theoretical: I know of cybersecurity a bit more, but I can’t do it yet.
This is why, before going further down the cybersecurity rabbit hole, and in order to continue establishing some solid core competencies, I will (re)learn Linux more in depth, as it will be the main tool used for pentesting down the road. It will also be a good way for me to review and further my knowledge of Bash scripting, which doesn’t seem to be too superfluous in that industry. After that, I will also restart my learning of Python and start building some tools. After the very theoretical exams, I want to do something more practical now. That is why the rest of this year 2022 will be dedicated to Linux first, and then Python. I don’t expect to be « fluent » by the end of the year, but to know enough to keep learning as I then move into concrete penetration testing learning. But that will be for 2023.
My seven recommended resources to pass the CompTIA Trifecta
- Take Professor Messer’s courses and practice exams.
- Take notes as Quizlet flashcards for each exam objective (or any other similar app).
- Take Jason Dion’s courses (with simulations) and practice exams (also available on Udemy).
- Take Mike Meyers’ courses and (optionally) practice exams.
- Read Mike Meyers’ All-in-One Exam Guides.
- Download the Pocket Prep’s IT & Security app (or any other similar app).
- Review thoroughly all the official exam objectives.