CompTIA Security+ SY0-701 - Study Guide

This guide covers all five domains of the CompTIA Security+ SY0-701 exam with expanded explanations, practical examples, and key concepts you need to know.

Exam Overview

| Aspect | Details |
| --- | --- |
| Exam Code | SY0-701 |
| Number of Questions | Maximum of 90 |
| Question Types | Multiple choice, Performance-based |
| Duration | 90 minutes |
| Passing Score | 750 (on a scale of 100-900) |
| Recommended Experience | 2 years in IT administration with security focus |

Domain 1: General Security Concepts (12%)

1.1 Security Controls

The CIA Triad - Foundation of Information Security

The CIA Triad represents the three fundamental goals of information security:

| Principle | Definition | Example | Opposite (DAD Triad) |
| --- | --- | --- | --- |
| Confidentiality | Ensuring information is only accessible to authorized individuals | Encryption, Access Controls | Disclosure |
| Integrity | Ensuring data hasn't been modified without authorization | Hashing, Digital Signatures | Alteration |
| Availability | Ensuring systems and data are accessible when needed | Redundancy, Backups | Denial |

💡 Exam Tip: The DAD Triad (Disclosure, Alteration, Denial) represents what attackers try to achieve - the opposite of CIA.

Non-Repudiation

Non-repudiation ensures that a party cannot deny having performed an action. It's achieved through:

  • Digital signatures - Cryptographically prove who sent a message

  • Audit logs - Record of who did what and when

  • Certificates - Bind identity to cryptographic keys

Types of Security Controls

Security controls are categorized by function and implementation:

By Function:

| Type | Purpose | Examples |
| --- | --- | --- |
| Preventive | Stop security incidents before they occur | Firewalls, Encryption, Access Controls |
| Detective | Identify security incidents in progress or after | IDS, SIEM, Log Monitoring |
| Corrective | Fix problems after they've occurred | Patches, Backup Restoration |
| Deterrent | Discourage potential attackers | Warning banners, Security cameras |
| Compensating | Alternative controls when primary isn't feasible | MFA when biometrics unavailable |
| Directive | Direct behavior through policies | AUP, Security policies |

By Implementation:

| Type | Description | Examples |
| --- | --- | --- |
| Technical (Logical) | Technology-based controls | Firewalls, IPS, Encryption, ACLs |
| Operational (Administrative) | Day-to-day procedures | Log monitoring, Vulnerability management, Access reviews |
| Managerial | Risk management approach | Risk assessments, Security planning, Change management |
| Physical | Tangible security measures | Fences, Locks, Lighting, Guards, Fire suppression |

Gap Analysis

Gap Analysis is the process of comparing your current security posture against desired objectives or frameworks:

  1. Identify control objectives (what you want to achieve)

  2. Assess current security controls (where you are)

  3. Determine gaps between objectives and reality

  4. Prioritize remediation efforts based on risk

1.2 Zero Trust Architecture (ZTA)

Core Principle: "Never Trust, Always Verify"

Zero Trust operates on the assumption that no user or system should be automatically trusted, regardless of their location (inside or outside the network perimeter).

Key Components:

| Component | Function |
| --- | --- |
| Control Plane | Makes security decisions (Policy Engine + Policy Administrator) |
| Data Plane | Where actual data flows occur |
| Policy Engine (PE) | Makes policy decisions based on context |
| Policy Administrator (PA) | Establishes/removes communication between subjects and resources |
| Policy Enforcement Point (PEP) | Enforces decisions - allows/denies access |

Zero Trust Pillars:

  1. Identity - Strong authentication for all users

  2. Devices - Device health verification

  3. Networks - Micro-segmentation

  4. Applications & Workloads - Secure application access

  5. Data - Data-centric security

💡 Exam Tip: CISA's Zero Trust Maturity Model 2.0 (ZTMM 2.0) provides guidance for implementing ZTA.

1.3 Change Management

Proper change management prevents security incidents caused by unauthorized or poorly planned changes:

Change Management Process:

  1. Request - Submit change request

  2. Review - Assess impact and risk

  3. Approve - Get authorization (Change Advisory Board)

  4. Test - Validate in staging environment

  5. Implement - Execute the change

  6. Document - Record what was done

  7. Monitor - Verify success and watch for issues

Technical Implications:

  • Version control - Track changes to code/configs

  • Rollback procedures - Ability to undo changes

  • Testing environments - Staging, QA, UAT before production

1.4 Cryptographic Solutions

Encryption Fundamentals

| Term | Definition |
| --- | --- |
| Encryption | Converting plaintext to ciphertext using a key |
| Decryption | Converting ciphertext back to plaintext |
| Key Space | Total range of possible key values |
| Key Length | Number of bits in the key (longer = more secure) |

Symmetric vs Asymmetric Encryption

| Aspect | Symmetric | Asymmetric |
| --- | --- | --- |
| Keys | Single shared key | Public + Private key pair |
| Speed | Fast | Slow |
| Key Distribution | Challenging (must share secretly) | Easy (public key can be shared) |
| Use Cases | Bulk data encryption | Key exchange, Digital signatures |
| Examples | AES, DES, 3DES | RSA, ECC, Diffie-Hellman |
| Keys Needed | n(n-1)/2 for n users | 2n for n users |

Important Algorithms

Symmetric Algorithms:

| Algorithm | Key Size | Status |
| --- | --- | --- |
| AES | 128/192/256-bit | Current standard |
| 3DES | 168-bit | Legacy, deprecated |
| DES | 56-bit | Insecure, don't use |

Asymmetric Algorithms:

| Algorithm | Purpose | Notes |
| --- | --- | --- |
| RSA | Encryption, Signatures | Most widely used |
| ECC | Encryption, Signatures | Smaller keys, same security |
| Diffie-Hellman | Key Exchange | Establishes shared secrets |
| DSA | Digital Signatures | Signatures only |

Hashing

Hashing creates a one-way, fixed-length output from any input. Used for:

  • Password storage

  • Data integrity verification

  • Digital signatures

| Algorithm | Output | Status |
| --- | --- | --- |
| SHA-256 | 256-bit | Current standard |
| SHA-3 | Variable | Latest SHA version |
| SHA-1 | 160-bit | Deprecated |
| MD5 | 128-bit | Broken, don't use |

💡 Exam Tip: Know the difference - Encryption is reversible (two-way), Hashing is not (one-way).

Key Concepts

  • Salting - Adding random data before hashing to prevent rainbow table attacks

  • Key Stretching - Multiple iterations of hashing to slow brute force attacks

  • HMAC - Hash-based Message Authentication Code (provides integrity + authentication)

  • Digital Signatures - Provide non-repudiation and integrity (sign with private key, verify with public)
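The salting, key-stretching and HMAC concepts above, as an added example that is not part of the study guide; it uses only the Python standard library, and the iteration count, storage format and demo key are assumptions chosen for illustration:

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the study guide): salting, key stretching and HMAC
# using only the Python standard library.

ITERATIONS = 600_000  # key stretching: every guess costs 600k rounds of SHA-256


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage.

    A fresh random salt per password means two users with the same password
    get different stored hashes, so a precomputed (rainbow) table is useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count, then compare."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest runs in constant time so the comparison leaks no timing
    return hmac.compare_digest(digest.hex(), hash_hex)


def make_hmac(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: proves integrity and that the sender holds the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag over the received message and compare in constant time."""
    return hmac.compare_digest(make_hmac(key, message), tag)


if __name__ == "__main__":
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print("same password, different salts:", a != b)
    print("verify:", verify_password("correct horse battery staple", a))
    key = b"shared-secret"  # constructed demo key
    msg = b"transfer 100 to account 42"
    tag = make_hmac(key, msg)
    tampered = msg.replace(b"100", b"900")
    print("tampered message detected:", not verify_hmac(key, tampered, tag))
```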

Domain 2: Threats, Vulnerabilities, and Mitigations (22%)

2.1 Threat Actors

Categories of Threat Actors

| Actor Type | Motivation | Resources | Sophistication |
| --- | --- | --- | --- |
| Nation-State/APT | Espionage, Warfare | Very High | Very High |
| Organized Crime | Financial gain | High | High |
| Hacktivists | Political/Social causes | Medium | Medium |
| Insider Threats | Varies (money, revenge) | Internal access | Varies |
| Script Kiddies | Curiosity, Recognition | Low | Low |
| Competitors | Business advantage | Medium-High | Medium |

Advanced Persistent Threats (APTs)

APTs are characterized by:

  • Advanced - Sophisticated techniques and tools

  • Persistent - Long-term presence in target network

  • Threat - Clear intent to cause harm or steal data

💡 Common APT Tactics: Spear phishing, Zero-day exploits, Living off the land

Shadow IT

Shadow IT refers to unauthorized technology used within an organization without IT department knowledge. Risks include:

  • Unpatched vulnerabilities

  • Data leakage

  • Compliance violations

  • No backup or recovery

2.2 Attack Vectors and Surfaces

Common Attack Vectors

| Vector | Description | Mitigation |
| --- | --- | --- |
| Email | Phishing, malicious attachments | Email filtering, User training |
| Web | Drive-by downloads, XSS | Web filtering, WAF |
| Removable Media | Infected USB drives | Disable autorun, DLP |
| Social Engineering | Human manipulation | Security awareness training |
| Supply Chain | Compromised vendors/software | Vendor assessment, SBOMs |
| Wireless | Rogue APs, Evil twins | WIPS, Strong authentication |

Attack Surface

The attack surface includes all points where an attacker could attempt to enter or extract data:

  • Physical - Buildings, hardware, media

  • Digital - Networks, applications, services

  • Human - Employees who can be manipulated

2.3 Social Engineering Attacks

Types of Social Engineering

| Attack | Description | Prevention |
| --- | --- | --- |
| Phishing | Mass fraudulent emails | Email filtering, Training |
| Spear Phishing | Targeted phishing at individuals | Advanced email security |
| Whaling | Targeting executives | Executive awareness training |
| Vishing | Voice-based phishing | Call verification procedures |
| Smishing | SMS-based phishing | Mobile security awareness |
| Pretexting | Creating a fake scenario | Verification procedures |
| Business Email Compromise (BEC) | Impersonating executives | Out-of-band verification |

Phishing Indicators

  • Urgency or threats

  • Generic greetings

  • Suspicious links (hover to check)

  • Mismatched URLs

  • Poor grammar/spelling

  • Requests for sensitive info

TRUST Framework (CISA)

  • Tell your story

  • Ready your team

  • Understand and assess MDM

  • Strategize response

  • Track outcomes

2.4 Malware Types

Categories of Malicious Software

| Malware Type | Description | Key Characteristics |
| --- | --- | --- |
| Virus | Requires host program & user action | Infects files, needs propagation mechanism |
| Worm | Self-replicating, no host needed | Spreads via network automatically |
| Trojan | Disguised as legitimate software | Appears useful, hides malicious payload |
| Ransomware | Encrypts data, demands payment | Uses strong encryption, Bitcoin payments |
| Spyware | Monitors user activity | Keyloggers, screen capture |
| Rootkit | Hides at OS/firmware level | Very hard to detect, infects MBR/boot |
| Logic Bomb | Activates on trigger condition | Time-based or event-based activation |
| RAT | Remote Access Trojan | Provides backdoor access |
| Botnet | Network of infected devices | Used for DDoS, spam campaigns |
| Keylogger | Records keystrokes | Captures passwords, data |
| Bloatware/PUP | Unwanted bundled software | Not necessarily malicious |

Malware Delivery Methods

  • Drive-by downloads - Visiting compromised websites

  • Malvertising - Malicious advertisements

  • Email attachments - Infected documents, executables

  • Removable media - USB drives

  • Supply chain - Compromised software updates

Honeypots, Honeynets & Honeyfiles

| Type | Purpose |
| --- | --- |
| Honeypot | Decoy system to attract/study attackers |
| Honeynet | Network of honeypots |
| Honeyfile | Decoy file that triggers alerts when accessed |
| Honeytoken | Fake data/credentials to track leaks |

2.5 Password Attacks

Types of Password Attacks

| Attack | Description | Defense |
| --- | --- | --- |
| Brute Force | Try all possible combinations | Account lockout, Complex passwords |
| Dictionary | Try common words/phrases | Avoid dictionary words |
| Password Spraying | One password, many accounts | Account lockout detection |
| Rainbow Table | Precomputed hash lookups | Salting passwords |
| Credential Stuffing | Use leaked credentials | Unique passwords per site |
| Offline Attack | Attack stolen hash database | Strong hashing algorithms |

Password Best Practices

  • Minimum 14+ characters

  • Use passphrases

  • Enable MFA

  • Use password managers

  • Never reuse passwords

  • Regular rotation (when compromised)

💡 Tool Note: John the Ripper and Hashcat are common password cracking tools used in penetration testing.

2.6 Application Attacks

Injection Attacks

| Attack | Target | Mitigation |
| --- | --- | --- |
| SQL Injection | Databases | Parameterized queries, Input validation |
| LDAP Injection | Directory services | Input sanitization |
| Command Injection | OS commands | Input validation, Least privilege |
| XML Injection | XML parsers | Disable external entities |

SQL Injection Example:

Cross-Site Scripting (XSS)

| Type | Description |
| --- | --- |
| Reflected (Type 1) | Payload in URL, immediate execution |
| Stored (Type 2) | Payload stored on server, affects all users |
| DOM-based | Modifies page's DOM in browser |

Mitigation: Input validation, Output encoding, CSP headers

Cross-Site Request Forgery (CSRF/XSRF)

Forces authenticated users to perform unwanted actions. Also known as:

  • One-click attack

  • Session riding

  • Sea surf

Mitigation: CSRF tokens, SameSite cookies, Re-authentication

Other Web Attacks

| Attack | Description |
| --- | --- |
| SSRF | Server-side request forgery - trick server to make requests |
| IDOR | Insecure Direct Object Reference - manipulating URLs |
| Directory Traversal | Using ../ to access unauthorized files |
| Session Hijacking | Stealing session cookies |
| Clickjacking | Hidden malicious UI elements |

2.7 Network Attacks

Denial of Service (DoS/DDoS)

| Attack Type | Method |
| --- | --- |
| Volumetric | Flood bandwidth (UDP floods) |
| Protocol | Exploit protocol weaknesses (SYN flood) |
| Application | Target application layer (HTTP floods) |
| Amplification | Small query → Large response (DNS amp) |
| Reflection | Spoofed source, responses hit victim |
| ICMP Flood | Ping flood attack |
| Smurf Attack | ICMP broadcast with spoofed source |

Man-in-the-Middle (MITM/On-Path)

Attacker intercepts communications between two parties:

  • ARP Spoofing - Associate attacker's MAC with victim's IP

  • DNS Spoofing - Redirect DNS queries

  • SSL Stripping - Downgrade HTTPS to HTTP

  • Man-in-the-Browser (MITB) - Malware in browser

Wireless Attacks

| Attack | Description |
| --- | --- |
| Evil Twin | Rogue AP mimicking legitimate AP |
| Rogue AP | Unauthorized access point |
| Deauthentication | Force disconnect from AP |
| WPS Attack | Brute force WPS PIN |
| Bluetooth Attacks | Bluejacking, Bluesnarfing, BIAS |

Domain 3: Security Architecture (18%)

3.1 Network Architecture Concepts

Network Segmentation

| Concept | Description |
| --- | --- |
| DMZ | Demilitarized zone between internal and external networks |
| VLAN | Virtual LAN - logical network segmentation |
| Micro-segmentation | Granular segmentation at workload level |
| Air Gap | Complete physical isolation from networks |
| Extranet | Controlled access for external partners |
| Intranet | Internal private network |

Defense in Depth (DiD)

Multiple layers of security controls to protect assets:

  1. Perimeter - Firewalls, IDS/IPS

  2. Network - Segmentation, VLANs

  3. Host - Endpoint protection, Hardening

  4. Application - WAF, Secure coding

  5. Data - Encryption, DLP

OSI Model Security

| Layer | Name | Security Considerations |
| --- | --- | --- |
| L7 | Application | WAF, Input validation |
| L6 | Presentation | Encryption/Decryption |
| L5 | Session | Session management |
| L4 | Transport | TLS, Firewalls (stateful) |
| L3 | Network | IPSec, Routing security |
| L2 | Data Link | MAC filtering, 802.1X |
| L1 | Physical | Physical security |

3.2 Security Appliances

Firewalls

| Type | Function |
| --- | --- |
| Stateless (Packet Filter) | Examines individual packets, no context |
| Stateful | Tracks connection state |
| NGFW | Deep packet inspection, IPS, App awareness |
| WAF | Protects web applications (Layer 7) |
| UTM | All-in-one: FW, IDS/IPS, AV, VPN |

Intrusion Detection/Prevention

| System | Function |
| --- | --- |
| IDS | Detects threats, alerts only |
| IPS | Detects and blocks threats |
| NIDS/NIPS | Network-based |
| HIDS/HIPS | Host-based |

Detection Methods:

  • Signature-based - Known threat patterns

  • Anomaly-based - Deviation from baseline

  • Behavior-based - Suspicious actions

Proxy Servers

  • Forward Proxy - Client-side, outbound traffic

  • Reverse Proxy - Server-side, protects web servers

  • Transparent Proxy - No client configuration

  • Content Filtering - Block categories/URLs

3.3 Cloud Security

Cloud Service Models

| Model | You Manage | Provider Manages |
| --- | --- | --- |
| IaaS | OS, Apps, Data | Hardware, Virtualization |
| PaaS | Apps, Data | OS, Hardware |
| SaaS | Data (mostly) | Everything else |
| FaaS | Code/Functions | Everything else |

💡 Remember: "Pizza as a Service" - the more letters, the less you manage.

Cloud Deployment Models

| Model | Description |
| --- | --- |
| Public | Shared infrastructure (AWS, Azure, GCP) |
| Private | Dedicated to single organization |
| Hybrid | Mix of public and private |
| Community | Shared by organizations with common needs |
| Multi-cloud | Using multiple cloud providers |

Cloud Security Concepts

| Concept | Description |
| --- | --- |
| CASB | Cloud Access Security Broker - policy enforcement |
| SASE | Secure Access Service Edge - combines SD-WAN + security |
| VPC | Virtual Private Cloud - isolated cloud network |
| Cloud Bursting | Overflow to public cloud when capacity exceeded |

Responsibility Matrix

| Element | IaaS | PaaS | SaaS |
| --- | --- | --- | --- |
| Applications | Customer | Customer | Provider |
| Data | Customer | Customer | Shared |
| Runtime | Customer | Provider | Provider |
| OS | Customer | Provider | Provider |
| Virtualization | Provider | Provider | Provider |
| Hardware | Provider | Provider | Provider |

3.4 Virtualization Security

Hypervisor Types

| Type | Description | Examples |
| --- | --- | --- |
| Type 1 (Bare Metal) | Runs directly on hardware | VMware ESXi, Hyper-V |
| Type 2 (Hosted) | Runs on top of OS | VirtualBox, VMware Workstation |

Virtualization Security Concerns

  • VM Escape - Breaking out of VM to hypervisor

  • VM Sprawl - Uncontrolled VM proliferation

  • Resource Exhaustion - VMs consuming shared resources

  • Snapshot Management - Sensitive data in snapshots

Containers vs VMs

| Aspect | Containers | Virtual Machines |
| --- | --- | --- |
| Isolation | Process-level | Hardware-level |
| Size | Megabytes | Gigabytes |
| Startup | Seconds | Minutes |
| Security | Shared kernel risk | Full isolation |
| Example | Docker | VMware |

3.5 Secure Infrastructure Design

High Availability Concepts

| Term | Definition |
| --- | --- |
| Redundancy | Duplicate components |
| Fault Tolerance | System continues despite failures |
| Load Balancing | Distribute traffic across servers |
| Clustering | Multiple servers as one logical unit |
| Failover | Automatic switch to backup |

RAID Levels

| RAID | Name | Min Disks | Fault Tolerance | Use Case |
| --- | --- | --- | --- | --- |
| 0 | Striping | 2 | None | Performance |
| 1 | Mirroring | 2 | 1 disk | Redundancy |
| 5 | Striping + Parity | 3 | 1 disk | Balance |
| 6 | Double Parity | 4 | 2 disks | High availability |
| 10 | 1+0 | 4 | 1 per mirror | Performance + Redundancy |

Backup Strategies

| Type | Description | Speed |
| --- | --- | --- |
| Full | Complete copy of all data | Slow backup, Fast restore |
| Incremental | Changes since last backup | Fast backup, Slow restore |
| Differential | Changes since last full backup | Medium both |
| Snapshot | Point-in-time image | Very fast |

Recovery Objectives

  • RPO (Recovery Point Objective) - Maximum acceptable data loss (time)

  • RTO (Recovery Time Objective) - Maximum acceptable downtime

Site Types

| Site | Readiness | Cost | RTO |
| --- | --- | --- | --- |
| Hot | Fully operational | $$$ | Minutes |
| Warm | Partial equipment | $$ | Hours-Days |
| Cold | Empty facility | $ | Days-Weeks |

3.6 Hardware Security

Secure Boot Process

  1. BIOS/UEFI - Initial hardware check

  2. Secure Boot - Verifies bootloader signature

  3. Measured Boot - Creates hash measurements

  4. Trusted Boot - Validates OS components

Hardware Security Modules

| Component | Function |
| --- | --- |
| TPM | Trusted Platform Module - stores crypto keys, measurements |
| HSM | Hardware Security Module - manages keys at scale |
| Secure Enclave | Isolated processor (Apple devices) |
| SED | Self-Encrypting Drive |

Full Disk Encryption

| Technology | Platform |
| --- | --- |
| BitLocker | Windows |
| FileVault | macOS |
| LUKS | Linux |
| VeraCrypt | Cross-platform |

Domain 4: Security Operations (28%)

4.1 Identity and Access Management (IAM)

AAA Framework

| Component | Function |
| --- | --- |
| Authentication | Verify identity (Who are you?) |
| Authorization | Determine permissions (What can you do?) |
| Accounting | Track actions (What did you do?) |

Authentication Factors

| Factor | Type | Examples |
| --- | --- | --- |
| Something You Know | Knowledge | Password, PIN, Security questions |
| Something You Have | Possession | Smart card, Token, Phone |
| Something You Are | Inherence | Fingerprint, Retina, Face |
| Somewhere You Are | Location | GPS, IP address |
| Something You Do | Behavior | Typing patterns, Gait |

Multi-Factor Authentication (MFA)

MFA requires two or more different factor types. Using two passwords is NOT MFA.

Common MFA Methods:

  • TOTP - Time-based One Time Password (Authenticator apps)

  • HOTP - HMAC-based OTP (Hardware tokens)

  • Push notifications - Mobile app approval

  • SMS codes - (Less secure, SIM swapping risk)

  • Hardware keys - FIDO2/WebAuthn (YubiKey)

Authentication Protocols

| Protocol | Description | Security |
| --- | --- | --- |
| Kerberos | Ticket-based, Active Directory | Secure |
| LDAP | Directory queries (port 389) | Use LDAPS (636) |
| RADIUS | AAA for network access | Common for VPN/WiFi |
| TACACS+ | Cisco AAA protocol | Encrypts entire packet |
| SAML | XML-based federation | Enterprise SSO |
| OAuth | Authorization framework | API access |
| OpenID Connect | Identity layer on OAuth | Modern SSO |

802.1X (Port-Based NAC)

Components:

  • Supplicant - Client requesting access

  • Authenticator - Switch/AP

  • Authentication Server - RADIUS server

EAP Types

| EAP Type | Description |
| --- | --- |
| EAP-TLS | Mutual certificate authentication (most secure) |
| EAP-TTLS | Server cert only, tunnel for inner auth |
| PEAP | Similar to TTLS, Microsoft |
| EAP-FAST | Cisco, replaces LEAP |
| LEAP | Cisco legacy (insecure) |

4.2 Access Control Models

| Model | Description | Use Case |
| --- | --- | --- |
| DAC | Owner controls access | File systems |
| MAC | System enforces labels | Military, Government |
| RBAC | Role-based permissions | Enterprise |
| ABAC | Attribute-based policies | Complex environments |
| Rule-Based | Firewall-style rules | Network access |

Privileged Access Management (PAM)

  • Password Vaulting - Secure storage of credentials

  • Just-in-Time (JIT) - Temporary elevated access

  • Ephemeral Accounts - Short-lived credentials

  • Privileged Session Management - Monitor admin sessions

4.3 Network Security Operations

VPN Technologies

| Type | Description |
| --- | --- |
| IPSec | Full tunnel, Layer 3 |
| SSL/TLS VPN | Browser-based, portal access |
| Site-to-Site | Connect networks |
| Remote Access | Individual user connections |
| Split Tunnel | Only corporate traffic through VPN |
| Full Tunnel | All traffic through VPN |

IPSec Components

| Component | Function |
| --- | --- |
| AH | Authentication Header - integrity and authentication, no encryption |
| ESP | Encapsulating Security Payload - encryption + integrity |
| IKE | Internet Key Exchange - key negotiation |
| SA | Security Association - connection parameters |

Modes:

  • Transport Mode - Encrypts payload only

  • Tunnel Mode - Encrypts entire packet

DNS Security

| Technology | Function |
| --- | --- |
| DNSSEC | Validates DNS responses (integrity) |
| DNS Filtering | Block malicious domains |
| DoH | DNS over HTTPS (encrypted) |
| DoT | DNS over TLS (encrypted) |

Email Security

| Protocol | Function |
| --- | --- |
| SPF | Sender Policy Framework - authorized senders |
| DKIM | DomainKeys Identified Mail - message signature |
| DMARC | Combines SPF + DKIM, reporting |
| S/MIME | Email encryption and signing |

4.4 Security Monitoring

SIEM (Security Information and Event Management)

Functions:

  • Log aggregation and correlation

  • Real-time alerting

  • Threat detection

  • Compliance reporting

  • Forensic analysis

SOC (Security Operations Center)

| Role | Responsibility |
| --- | --- |
| Tier 1 | Alert triage, Initial response |
| Tier 2 | Deep investigation |
| Tier 3 | Advanced threats, Threat hunting |
| SOC Manager | Strategy, Team management |

SOAR (Security Orchestration, Automation, and Response)

  • Orchestration - Coordinate security tools

  • Automation - Automate repetitive tasks

  • Response - Playbook-driven incident response

Key Security Metrics

| Metric | Description |
| --- | --- |
| MTTD | Mean Time to Detect |
| MTTR | Mean Time to Respond/Repair |
| MTTC | Mean Time to Contain |
| False Positive Rate | Incorrect alerts |
| True Positive Rate | Correct detections |

4.5 Incident Response

PICERL Framework (SANS)

| Phase | Activities |
| --- | --- |
| Preparation | Policies, Training, Tools |
| Identification | Detect and validate incident |
| Containment | Limit damage (short/long term) |
| Eradication | Remove threat |
| Recovery | Restore systems |
| Lessons Learned | Post-incident review |

Incident Response Team

| Role | Function |
| --- | --- |
| Incident Manager | Overall coordination |
| Technical Lead | Technical response |
| Communications | Internal/External messaging |
| Legal/HR | Compliance, Personnel issues |

Evidence Handling

Order of Volatility (most volatile first):

  1. CPU registers, cache

  2. RAM contents

  3. Temporary files, swap

  4. Disk data

  5. Logs on remote systems

  6. Archived media

Chain of Custody

  • Document everything

  • Hash evidence (before/after)

  • Maintain logs of who handled evidence

  • Secure storage with access controls

  • Timestamps on all actions

4.6 Digital Forensics

Forensic Process

  1. Identification - Recognize potential evidence

  2. Collection - Gather evidence properly

  3. Analysis - Examine evidence

  4. Reporting - Document findings

Forensic Tools

| Tool | Purpose |
| --- | --- |
| FTK/EnCase | Commercial forensic suites |
| Autopsy | Open-source forensic platform |
| Volatility | Memory forensics |
| KAPE | Artifact collection |
| Wireshark | Network packet analysis |

Image Formats

| Format | Description |
| --- | --- |
| E01 | EnCase format, compression + hashing |
| AFF | Advanced Forensics Format (open) |
| RAW/DD | Bit-for-bit copy |

| Term | Definition |
| --- | --- |
| Legal Hold | Preserve relevant data for litigation |
| E-Discovery | Electronic evidence for legal proceedings |
| Chain of Custody | Documented evidence handling |

Domain 5: Security Program Management and Oversight (20%)

5.1 Governance, Risk, and Compliance (GRC)

Security Governance

| Element | Description |
| --- | --- |
| Policies | High-level statements of intent |
| Standards | Mandatory requirements |
| Procedures | Step-by-step instructions |
| Guidelines | Recommended practices |
| Baselines | Minimum security configurations |

Common Policies

| Policy | Purpose |
| --- | --- |
| AUP | Acceptable Use Policy - defines allowed behavior |
| Data Classification | How to handle different data types |
| Password Policy | Credential requirements |
| Remote Access | Working from outside network |
| Change Management | How to implement changes |
| Incident Response | How to handle security incidents |
| Data Retention | How long to keep data |

Security Frameworks

| Framework | Focus | Sector |
| --- | --- | --- |
| NIST CSF | Cybersecurity risk management | All |
| NIST RMF | System authorization | Government |
| ISO 27001 | Information security management | International |
| ISO 27002 | Security control implementation | International |
| CIS Controls | Prioritized security actions | All |
| COBIT | IT governance | Enterprise |

NIST Cybersecurity Framework Core

| Function | Focus |
| --- | --- |
| Identify | Asset management, Risk assessment |
| Protect | Access control, Training, Encryption |
| Detect | Monitoring, Detection processes |
| Respond | Response planning, Communications |
| Recover | Recovery planning, Improvements |

5.2 Risk Management

Risk Assessment Process

  1. Identify assets and threats

  2. Analyze likelihood and impact

  3. Evaluate risk level

  4. Treat risks (mitigate, accept, transfer, avoid)

  5. Monitor and review

Risk Terminology

| Term | Definition |
| --- | --- |
| Threat | Potential cause of unwanted incident |
| Vulnerability | Weakness that can be exploited |
| Risk | Threat × Vulnerability × Impact |
| Likelihood | Probability of occurrence |
| Impact | Consequence if risk materializes |
| Residual Risk | Risk remaining after controls |
| Risk Appetite | Level of risk organization accepts |

Risk Treatment Options

| Option | Action |
| --- | --- |
| Mitigate | Implement controls to reduce risk |
| Accept | Acknowledge and accept the risk |
| Transfer | Shift risk to third party (insurance) |
| Avoid | Eliminate the risk entirely |

Quantitative Risk Analysis

| Metric | Formula |
| --- | --- |
| SLE | Single Loss Expectancy = AV × EF |
| ALE | Annual Loss Expectancy = SLE × ARO |
| AV | Asset Value |
| EF | Exposure Factor (% of asset affected) |
| ARO | Annualized Rate of Occurrence |

Example: Server worth $50,000 (AV), 25% damage (EF), twice per year (ARO)

  • SLE = $50,000 × 0.25 = $12,500

  • ALE = $12,500 × 2 = $25,000/year

Risk Register

Documents identified risks including:

  • Risk description

  • Likelihood and impact

  • Risk owner

  • Treatment strategy

  • Control measures

  • Residual risk

5.3 Compliance

Regulatory Requirements

| Regulation | Scope |
| --- | --- |
| GDPR | EU data privacy |
| HIPAA | US healthcare data |
| PCI DSS | Payment card data |
| SOX | US financial reporting |
| GLBA | US financial institutions |
| FERPA | US student records |
| CCPA | California privacy |

Key GDPR Concepts

  • Data Subject Rights - Access, Rectification, Erasure, Portability

  • Data Protection Officer (DPO) - Required for certain organizations

  • 72-hour breach notification - Report breaches within 72 hours

  • Lawful basis - Need legitimate reason to process data

  • Fines - Up to 4% of global revenue or €20M

Compliance Activities

| Activity | Description |
| --- | --- |
| Audits | Formal examination of controls |
| Assessments | Evaluation of security posture |
| Penetration Testing | Authorized attack simulation |
| Vulnerability Scanning | Automated weakness identification |
| Policy Review | Regular policy updates |

5.4 Security Awareness Training

Training Topics

  • Phishing recognition

  • Password security

  • Physical security

  • Data handling

  • Social engineering

  • Incident reporting

  • Clean desk policy

  • Mobile device security

Training Methods

| Method | Description |
| --- | --- |
| CBT | Computer-based training |
| Phishing Simulations | Test employee awareness |
| Tabletop Exercises | Scenario-based discussions |
| Role-based Training | Job-specific security training |
| Gamification | Interactive learning |

Measuring Effectiveness

  • Phishing test click rates

  • Training completion rates

  • Incident reporting rates

  • Quiz/assessment scores

  • Security behavior changes

5.5 Third-Party Risk Management

Vendor Assessment

| Assessment | Purpose |
| --- | --- |
| Questionnaires | Evaluate vendor security practices |
| Audits | On-site or remote verification |
| Penetration Tests | Test vendor security |
| SOC Reports | Independent audit reports |

Agreement Types

| Agreement | Purpose |
| --- | --- |
| NDA | Non-Disclosure Agreement - confidentiality |
| SLA | Service Level Agreement - performance standards |
| MSA | Master Service Agreement - overall relationship |
| SOW | Statement of Work - specific project details |
| BPA | Business Partner Agreement - partnership terms |
| MOU/MOA | Memorandum of Understanding/Agreement |

SOC Reports

| Type | Scope |
| --- | --- |
| SOC 1 | Financial reporting controls |
| SOC 2 Type I | Control design at point in time |
| SOC 2 Type II | Control effectiveness over time |
| SOC 3 | General use summary report |

5.6 Data Security

Data Classification

| Level | Description | Examples |
| --- | --- | --- |
| Public | No restrictions | Marketing materials |
| Internal | Company only | Internal memos |
| Confidential | Need-to-know basis | Financial data |
| Restricted/Secret | Highest protection | Trade secrets |

Data States

| State | Protection |
| --- | --- |
| At Rest | Disk encryption, Database encryption |
| In Transit | TLS, VPN, IPSec |
| In Use | Secure enclaves, Memory encryption |

Data Loss Prevention (DLP)

| Type | Coverage |
| --- | --- |
| Endpoint DLP | Monitors workstations |
| Network DLP | Monitors network traffic |
| Cloud DLP | Monitors cloud services |

Data Roles

| Role | Responsibility |
| --- | --- |
| Data Owner | Accountable for data protection |
| Data Custodian | Implements technical controls |
| Data Steward | Manages data quality |
| Data Processor | Processes data on behalf of controller |
| Data Controller | Determines data processing purposes |

Privacy Enhancing Techniques

| Technique | Description |
| --- | --- |
| Anonymization | Remove identifying information |
| Pseudonymization | Replace identifiers with pseudonyms |
| Tokenization | Replace sensitive data with tokens |
| Data Masking | Hide portions of data |

Quick Reference: Ports & Protocols

Common Ports to Know

| Port | Protocol | Service | Security Notes |
| --- | --- | --- | --- |
| 20/21 | TCP | FTP | Insecure - Use SFTP/FTPS |
| 22 | TCP | SSH/SFTP/SCP | Secure |
| 23 | TCP | Telnet | Insecure - Use SSH |
| 25 | TCP | SMTP | Unencrypted - Use 587 |
| 53 | TCP/UDP | DNS | Use DNSSEC |
| 80 | TCP | HTTP | Unencrypted - Use HTTPS |
| 110 | TCP | POP3 | Insecure - Use 995 |
| 143 | TCP | IMAP | Insecure - Use 993 |
| 161/162 | UDP | SNMP | Use SNMPv3 |
| 389 | TCP | LDAP | Use LDAPS (636) |
| 443 | TCP | HTTPS | Secure |
| 445 | TCP | SMB | Block externally |
| 587 | TCP | SMTP (submission) | With TLS |
| 636 | TCP | LDAPS | Secure |
| 993 | TCP | IMAPS | Secure |
| 995 | TCP | POP3S | Secure |
| 989/990 | TCP | FTPS (Implicit) | Secure |
| 1433 | TCP | MS SQL | Secure internally |
| 3389 | TCP | RDP | Use VPN/MFA |
| 5060/5061 | TCP/UDP | SIP/SIPS | 5061 is secure |

Port Ranges

| Range | Name | Usage |
| --- | --- | --- |
| 0-1023 | Well-known/System | Reserved for common services |
| 1024-49151 | Registered/User | Application-specific |
| 49152-65535 | Dynamic/Private | Temporary/ephemeral connections |

Quick Reference: Cryptography

Algorithm Summary

Symmetric Encryption (Shared Key)

| Algorithm | Key Size | Block Size | Status |
| --- | --- | --- | --- |
| AES-128 | 128-bit | 128-bit | Approved |
| AES-256 | 256-bit | 128-bit | Strongest |
| 3DES | 168-bit | 64-bit | Deprecated |
| DES | 56-bit | 64-bit | Broken |
| RC4 | Variable | Stream | Broken |

Asymmetric Encryption (Public/Private Key)

| Algorithm | Key Size | Usage |
| --- | --- | --- |
| RSA | 2048+ bits | Encryption, Signatures |
| ECC | 256+ bits | Smaller keys, IoT |
| Diffie-Hellman | 2048+ bits | Key exchange only |
| DSA | 2048+ bits | Signatures only |
| ECDHE | 256+ bits | Perfect forward secrecy |

Hash Functions

| Algorithm | Output | Status |
|---|---|---|
| SHA-3 | Variable | Latest standard |
| SHA-256 | 256-bit | Widely used |
| SHA-1 | 160-bit | Deprecated |
| MD5 | 128-bit | Broken |

Block Cipher Modes

| Mode | Description |
|---|---|
| ECB | Electronic Codebook - Don't use (patterns visible) |
| CBC | Cipher Block Chaining - Common, uses IV |
| CTR | Counter Mode - Parallelizable |
| GCM | Galois/Counter Mode - Authenticated encryption |
| CCMP | Used in WPA2 |

PKI (Public Key Infrastructure) Components

| Component | Function |
|---|---|
| CA | Certificate Authority - Issues certificates |
| RA | Registration Authority - Verifies identities |
| CRL | Certificate Revocation List - Revoked certs |
| OCSP | Online Certificate Status Protocol - Real-time revocation |
| CSR | Certificate Signing Request - Request new cert |

Certificate Types

| Type | Description |
|---|---|
| DV | Domain Validation - Basic, domain control only |
| OV | Organization Validation - Verified organization |
| EV | Extended Validation - Highest assurance |
| Wildcard | *.domain.com - All subdomains (one level) |
| SAN | Subject Alternative Name - Multiple domains |

Quick Reference: Linux Commands

Essential Security Commands

| Command | Purpose | Example |
|---|---|---|
| chmod | Change permissions | chmod 755 file.sh |
| chown | Change ownership | chown user:group file |
| ls -la | List with permissions | Shows hidden files |
| ps aux | List processes | Find running processes |
| netstat -an | Network connections | Active connections |
| grep | Search text | grep "error" /var/log/syslog |
| find | Find files | find / -name "*.conf" |
| cat | Display file | cat /etc/passwd |
| tail -f | Follow log file | tail -f /var/log/auth.log |
| dd | Disk imaging | Forensic imaging |
| sha256sum | Calculate hash | Verify file integrity |

Permission Numbers (chmod)

| Number | Permission | Meaning |
|---|---|---|
| 0 | --- | No permission |
| 1 | --x | Execute |
| 2 | -w- | Write |
| 3 | -wx | Write + Execute |
| 4 | r-- | Read |
| 5 | r-x | Read + Execute |
| 6 | rw- | Read + Write |
| 7 | rwx | Read + Write + Execute |

Example: chmod 750 = Owner: rwx, Group: r-x, Others: none
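Each octal digit is just the sum of read (4), write (2) and execute (1), applied to owner, group and others in turn; a leading fourth digit carries setuid (4), setgid (2) and the sticky bit (1). As an added example (not code from the study guide), the functions below convert a chmod mode such as 750 into the rwx string that `ls -la` prints, convert that string back, and flag the modes a reviewer looks for first (world-writable, setuid, setgid). The risk wording is constructed for the demonstration.

```python
BITS = (4, 2, 1)            # r, w, x within one digit
PERMS = ("r", "w", "x")


def _split(mode: str):
    """Return (special_bits, [owner, group, others]) from '750' or '4755'."""
    if len(mode) not in (3, 4) or not all(c in "01234567" for c in mode):
        raise ValueError("mode must be 3 or 4 octal digits, e.g. 750 or 4755")
    digits = [int(d, 8) for d in mode]
    special = digits[0] if len(digits) == 4 else 0
    return special, digits[-3:]


def octal_to_symbolic(mode: str) -> str:
    """'750' -> 'rwxr-x---' (the same string ls -la shows, minus the type char)."""
    special, digits = _split(mode)
    # setuid shows as 's' in the owner x slot, setgid as 's' in the group slot,
    # sticky as 't' in the others slot; uppercase means the x bit is NOT set.
    specials = ((4, "s"), (2, "s"), (1, "t"))
    out = []
    for who, d in enumerate(digits):           # 0 = owner, 1 = group, 2 = others
        text = [p if d & b else "-" for p, b in zip(PERMS, BITS)]
        flag, ch = specials[who]
        if special & flag:
            text[2] = ch if d & 1 else ch.upper()
        out.append("".join(text))
    return "".join(out)


def symbolic_to_octal(text: str) -> str:
    """'rwxr-x---' -> '750'; 'rwsr-xr-x' -> '4755'."""
    if len(text) != 9:
        raise ValueError("expected nine characters such as rwxr-x---")
    special, digits = 0, []
    for who in range(3):
        tri = text[who * 3:who * 3 + 3]
        d = 0
        for ch, bit in zip(tri, BITS):
            if ch != "-" and ch not in "ST":   # S/T mean the special bit without x
                d |= bit
        if tri[2] in "sS":
            special |= 4 if who == 0 else 2
        if tri[2] in "tT":
            special |= 1
        digits.append(d)
    return (str(special) if special else "") + "".join(str(d) for d in digits)


def permission_risks(mode: str) -> list:
    """Findings a hardening review would raise for this mode."""
    special, (owner, group, others) = _split(mode)
    risks = []
    if others & 2:
        risks.append("world-writable: any local user can modify the file")
    if special & 4:
        risks.append("setuid: runs with the file owner's privileges, not the caller's")
    if special & 2:
        risks.append("setgid: runs with the file group's privileges")
    return risks


if __name__ == "__main__":
    for m in ("750", "644", "4755", "777"):
        print(m, octal_to_symbolic(m), permission_risks(m))
```

The guide's own example, chmod 750, comes out as rwxr-x--- with no findings; 777 is flagged as world-writable, and 4755 is flagged for setuid, which is the combination worth searching a host for during a review.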

Quick Reference: Wireless Security

WiFi Standards

| Standard | Name | Frequency | Max Speed |
|---|---|---|---|
| 802.11b | Wi-Fi 1 | 2.4 GHz | 11 Mbps |
| 802.11a | Wi-Fi 2 | 5 GHz | 54 Mbps |
| 802.11g | Wi-Fi 3 | 2.4 GHz | 54 Mbps |
| 802.11n | Wi-Fi 4 | 2.4/5 GHz | 600 Mbps |
| 802.11ac | Wi-Fi 5 | 5 GHz | 6.9 Gbps |
| 802.11ax | Wi-Fi 6/6E | 2.4/5/6 GHz | 9.6 Gbps |

Wireless Security Protocols

| Protocol | Encryption | Status / Authentication |
|---|---|---|
| WEP | RC4 | Broken |
| WPA | TKIP | Deprecated |
| WPA2-Personal | AES-CCMP | PSK |
| WPA2-Enterprise | AES-CCMP | 802.1X/RADIUS |
| WPA3-Personal | SAE | Latest |
| WPA3-Enterprise | 192-bit | Strongest |

Key WPA3 Features

  • SAE (Simultaneous Authentication of Equals) - Dragonfly key exchange

  • Perfect Forward Secrecy - Past communications protected if key compromised

  • OWE (Opportunistic Wireless Encryption) - Encrypted open networks

Quick Reference: Acronyms

Must-Know Acronyms

| Acronym | Full Name |
|---|---|
| AAA | Authentication, Authorization, Accounting |
| ACL | Access Control List |
| AES | Advanced Encryption Standard |
| APT | Advanced Persistent Threat |
| BCP | Business Continuity Plan |
| BYOD | Bring Your Own Device |
| CA | Certificate Authority |
| CASB | Cloud Access Security Broker |
| CIA | Confidentiality, Integrity, Availability |
| CSRF | Cross-Site Request Forgery |
| CVE | Common Vulnerabilities and Exposures |
| CVSS | Common Vulnerability Scoring System |
| DAC | Discretionary Access Control |
| DDoS | Distributed Denial of Service |
| DHCP | Dynamic Host Configuration Protocol |
| DLP | Data Loss Prevention |
| DMZ | Demilitarized Zone |
| DNS | Domain Name System |
| DRP | Disaster Recovery Plan |
| EDR | Endpoint Detection and Response |
| FDE | Full Disk Encryption |
| GDPR | General Data Protection Regulation |
| GPO | Group Policy Object |
| HIDS | Host-based Intrusion Detection System |
| HIPAA | Health Insurance Portability and Accountability Act |
| HSM | Hardware Security Module |
| IAM | Identity and Access Management |
| ICS | Industrial Control Systems |
| IDS | Intrusion Detection System |
| IoC | Indicators of Compromise |
| IPS | Intrusion Prevention System |
| IPSec | Internet Protocol Security |
| MAC | Mandatory Access Control (or Media Access Control) |
| MDM | Mobile Device Management |
| MFA | Multi-Factor Authentication |
| MITM | Man-in-the-Middle |
| NAC | Network Access Control |
| NGFW | Next-Generation Firewall |
| NIST | National Institute of Standards and Technology |
| NVD | National Vulnerability Database |
| OSINT | Open Source Intelligence |
| PAM | Privileged Access Management |
| PCI DSS | Payment Card Industry Data Security Standard |
| PKI | Public Key Infrastructure |
| RADIUS | Remote Authentication Dial-In User Service |
| RBAC | Role-Based Access Control |
| RPO | Recovery Point Objective |
| RTO | Recovery Time Objective |
| SAML | Security Assertion Markup Language |
| SASE | Secure Access Service Edge |
| SCADA | Supervisory Control and Data Acquisition |
| SIEM | Security Information and Event Management |
| SOAR | Security Orchestration, Automation, and Response |
| SOC | Security Operations Center |
| SOX | Sarbanes-Oxley Act |
| SPF | Sender Policy Framework |
| SQL | Structured Query Language |
| SSH | Secure Shell |
| SSL | Secure Sockets Layer (deprecated) |
| SSO | Single Sign-On |
| TLS | Transport Layer Security |
| TPM | Trusted Platform Module |
| UTM | Unified Threat Management |
| VPN | Virtual Private Network |
| WAF | Web Application Firewall |
| XDR | Extended Detection and Response |
| XSS | Cross-Site Scripting |
| ZTA | Zero Trust Architecture |

Study Tips for the Exam

Exam Strategy

  1. Read questions carefully - Watch for words like "BEST," "MOST," "FIRST"

  2. Eliminate wrong answers - Often 2 answers are clearly wrong

  3. Performance-based questions first or last - Choose your strategy

  4. Flag and return - Don't spend too long on difficult questions

  5. Trust your preparation - First instinct is often correct

High-Priority Topics by Domain

Domain 1 (12%)

  • CIA Triad and security control types

  • Zero Trust principles

  • Change management

Domain 2 (22%)

  • Threat actors and motivations

  • Malware types and indicators

  • Attack techniques (XSS, SQLi, CSRF)

Domain 3 (18%)

  • Cloud service models (IaaS, PaaS, SaaS)

  • Network security appliances

  • Secure protocols vs insecure

Domain 4 (28%) - LARGEST DOMAIN

  • Authentication protocols (RADIUS, TACACS+, Kerberos)

  • Incident response phases (PICERL)

  • Digital forensics concepts

Domain 5 (20%)

  • Risk management calculations (SLE, ALE)

  • Compliance regulations (GDPR, HIPAA, PCI DSS)

  • Security policies and frameworks

Resources

Good luck on your Security+ exam!

Remember: Security+ validates foundational cybersecurity skills. Focus on understanding concepts rather than memorizing details.
