
CompTIA Security+ SY0-701 - Study Guide
This guide covers all five domains of the CompTIA Security+ SY0-701 exam with expanded explanations, practical examples, and key concepts you need to know.
Exam Overview
Exam Code - SY0-701
Number of Questions - Maximum of 90
Question Types - Multiple choice, Performance-based
Duration - 90 minutes
Passing Score - 750 (on a scale of 100-900)
Recommended Experience - 2 years in IT administration with security focus
Domain 1: General Security Concepts (12%)
1.1 Security Controls
The CIA Triad - Foundation of Information Security
The CIA Triad represents the three fundamental goals of information security:
| Goal | Description | Example Controls | DAD Counterpart |
|---|---|---|---|
| Confidentiality | Ensuring information is only accessible to authorized individuals | Encryption, Access Controls | Disclosure |
| Integrity | Ensuring data hasn't been modified without authorization | Hashing, Digital Signatures | Alteration |
| Availability | Ensuring systems and data are accessible when needed | Redundancy, Backups | Denial |

💡 Exam Tip: The DAD Triad (Disclosure, Alteration, Denial) represents what attackers try to achieve - the opposite of CIA.
Non-Repudiation
Non-repudiation ensures that a party cannot deny having performed an action. It's achieved through:
Digital signatures - Cryptographically prove who sent a message
Audit logs - Record of who did what and when
Certificates - Bind identity to cryptographic keys
Types of Security Controls
Security controls are categorized by function and implementation:
By Function:
| Type | Purpose | Examples |
|---|---|---|
| Preventive | Stop security incidents before they occur | Firewalls, Encryption, Access Controls |
| Detective | Identify security incidents in progress or after | IDS, SIEM, Log Monitoring |
| Corrective | Fix problems after they've occurred | Patches, Backup Restoration |
| Deterrent | Discourage potential attackers | Warning banners, Security cameras |
| Compensating | Alternative controls when the primary control isn't feasible | MFA when biometrics unavailable |
| Directive | Direct behavior through policies | AUP, Security policies |
By Implementation:
| Type | Description | Examples |
|---|---|---|
| Technical (Logical) | Technology-based controls | Firewalls, IPS, Encryption, ACLs |
| Operational (Administrative) | Day-to-day procedures | Log monitoring, Vulnerability management, Access reviews |
| Managerial | Risk management approach | Risk assessments, Security planning, Change management |
| Physical | Tangible security measures | Fences, Locks, Lighting, Guards, Fire suppression |
Gap Analysis
Gap Analysis is the process of comparing your current security posture against desired objectives or frameworks:
Identify control objectives (what you want to achieve)
Assess current security controls (where you are)
Determine gaps between objectives and reality
Prioritize remediation efforts based on risk
1.2 Zero Trust Architecture (ZTA)
Core Principle: "Never Trust, Always Verify"
Zero Trust operates on the assumption that no user or system should be automatically trusted, regardless of their location (inside or outside the network perimeter).
Key Components:
Control Plane - Makes security decisions (Policy Engine + Policy Administrator)
Data Plane - Where actual data flows occur
Policy Engine (PE) - Makes policy decisions based on context
Policy Administrator (PA) - Establishes/removes communication between subjects and resources
Policy Enforcement Point (PEP) - Enforces decisions - allows/denies access
Zero Trust Pillars:
Identity - Strong authentication for all users
Devices - Device health verification
Networks - Micro-segmentation
Applications & Workloads - Secure application access
Data - Data-centric security
💡 Exam Tip: CISA's Zero Trust Maturity Model 2.0 (ZTMM 2.0) provides guidance for implementing ZTA.
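To make the control-plane roles concrete, here is an added example (not from the study guide) of a toy Zero Trust decision flow in Python: the Policy Engine decides from identity, device and resource context, the Policy Administrator creates or tears down the subject-to-resource path, and the Policy Enforcement Point only relays the decision. The attribute names and rules are assumptions for illustration.

```python
from dataclasses import dataclass

# Added example, not part of the study guide. Every request is evaluated on
# subject, device and resource context, never on network location.


@dataclass(frozen=True)
class Subject:
    user: str
    mfa_verified: bool
    groups: frozenset


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool
    patched: bool


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str          # "low" or "high" (assumed labels)
    allowed_groups: frozenset


def policy_engine(subject: Subject, device: Device, resource: Resource):
    """PE: decide from context; returns (allowed, list of denial reasons)."""
    reasons = []
    if not subject.mfa_verified:
        reasons.append("identity: MFA not satisfied")
    if not device.patched:
        reasons.append("device: failed health check (unpatched)")
    if resource.sensitivity == "high" and not device.managed:
        reasons.append("device: unmanaged device cannot reach high-sensitivity data")
    if not (subject.groups & resource.allowed_groups):
        reasons.append("authorization: subject is not in an allowed group")
    return (not reasons, reasons)


class PolicyAdministrator:
    """PA: establishes or removes the subject-to-resource path after each PE decision."""

    def __init__(self):
        self.sessions = set()

    def apply(self, allowed: bool, subject: Subject, resource: Resource):
        key = (subject.user, resource.name)
        if allowed:
            self.sessions.add(key)
        else:
            self.sessions.discard(key)   # a later denial revokes an earlier grant


class PolicyEnforcementPoint:
    """PEP: the gate in the data plane; it relays decisions, never makes them."""

    def __init__(self, pa: PolicyAdministrator):
        self.pa = pa

    def request(self, subject: Subject, device: Device, resource: Resource):
        allowed, reasons = policy_engine(subject, device, resource)
        self.pa.apply(allowed, subject, resource)
        return allowed, reasons


def demo():
    """Same user, same resource, two devices: only the managed one is allowed."""
    pa = PolicyAdministrator()
    pep = PolicyEnforcementPoint(pa)
    payroll = Resource("payroll-db", "high", frozenset({"finance"}))
    alice = Subject("alice", mfa_verified=True, groups=frozenset({"finance"}))
    laptop = Device("lt-01", managed=True, patched=True)
    byod = Device("phone-77", managed=False, patched=True)
    results = {
        "managed": pep.request(alice, laptop, payroll),
        "byod": pep.request(alice, byod, payroll),
    }
    return results, pa.sessions


if __name__ == "__main__":
    results, sessions = demo()
    for name, (ok, why) in results.items():
        print(name, "ALLOW" if ok else "DENY", why)
    print("active paths:", sessions)
```

Note that the second (denied) request removes the path the first one created: access is re-evaluated per request rather than granted once per session.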
1.3 Change Management
Proper change management prevents security incidents caused by unauthorized or poorly planned changes:
Change Management Process:
Request - Submit change request
Review - Assess impact and risk
Approve - Get authorization (Change Advisory Board)
Test - Validate in staging environment
Implement - Execute the change
Document - Record what was done
Monitor - Verify success and watch for issues
Technical Implications:
Version control - Track changes to code/configs
Rollback procedures - Ability to undo changes
Testing environments - Staging, QA, UAT before production
1.4 Cryptographic Solutions
Encryption Fundamentals
Encryption - Converting plaintext to ciphertext using a key
Decryption - Converting ciphertext back to plaintext
Key Space - Total range of possible key values
Key Length - Number of bits in the key (longer = more secure)
Symmetric vs Asymmetric Encryption
| Aspect | Symmetric | Asymmetric |
|---|---|---|
| Keys | Single shared key | Public + Private key pair |
| Speed | Fast | Slow |
| Key Distribution | Challenging (must share secretly) | Easy (public key can be shared) |
| Use Cases | Bulk data encryption | Key exchange, Digital signatures |
| Examples | AES, DES, 3DES | RSA, ECC, Diffie-Hellman |
| Keys Needed | n(n-1)/2 for n users | 2n for n users |
Important Algorithms
Symmetric Algorithms:
| Algorithm | Key Size | Status |
|---|---|---|
| AES | 128/192/256-bit | Current standard |
| 3DES | 168-bit | Legacy, deprecated |
| DES | 56-bit | Insecure, don't use |
Asymmetric Algorithms:
| Algorithm | Use | Notes |
|---|---|---|
| RSA | Encryption, Signatures | Most widely used |
| ECC | Encryption, Signatures | Smaller keys, same security |
| Diffie-Hellman | Key Exchange | Establishes shared secrets |
| DSA | Digital Signatures | Signatures only |
Hashing
Hashing creates a one-way, fixed-length output from any input. Used for:
Password storage
Data integrity verification
Digital signatures
| Algorithm | Output | Status |
|---|---|---|
| SHA-256 | 256-bit | Current standard |
| SHA-3 | Variable | Latest SHA version |
| SHA-1 | 160-bit | Deprecated |
| MD5 | 128-bit | Broken, don't use |
💡 Exam Tip: Know the difference - Encryption is reversible (two-way), Hashing is not (one-way).
Key Concepts
Salting - Adding random data before hashing to prevent rainbow table attacks
Key Stretching - Multiple iterations of hashing to slow brute force attacks
HMAC - Hash-based Message Authentication Code (provides integrity + authentication)
Digital Signatures - Provide non-repudiation and integrity (sign with private key, verify with public)
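The following added example (not from the study guide) shows salting, key stretching and HMAC together using only Python's standard library: PBKDF2-HMAC-SHA256 with a per-password random salt for storage, and HMAC-SHA256 for message integrity. The iteration count is an assumption.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not part of the study guide. Iteration count is an assumption.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Salt + key-stretch a password with PBKDF2-HMAC-SHA256.

    Returns (salt, derived_key). A random salt per password means two users
    with the same password store different values, which defeats precomputed
    (rainbow table) lookups. The iteration count makes each guess cost the
    attacker roughly `iterations` hash computations.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk


def verify_password(password: str, salt: bytes, stored_dk: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, dk = hash_password(password, salt, iterations)
    return hmac.compare_digest(dk, stored_dk)


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: integrity plus authentication under a shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, message), tag)


def unsalted_digests_collide(pw1: str, pw2: str) -> bool:
    """Plain SHA-256 of identical passwords is identical: the weakness salting fixes."""
    return hashlib.sha256(pw1.encode()).digest() == hashlib.sha256(pw2.encode()).digest()


def salted_digests_differ(password: str) -> bool:
    """Same password hashed twice with fresh salts yields different stored values."""
    _, dk1 = hash_password(password)
    _, dk2 = hash_password(password)
    return dk1 != dk2


if __name__ == "__main__":
    salt, dk = hash_password("correct horse battery staple")
    print("stored:", salt.hex(), dk.hex())
    print("login ok:", verify_password("correct horse battery staple", salt, dk))
    print("wrong pw:", verify_password("Tr0ub4dor&3", salt, dk))
    key = os.urandom(32)
    msg = b"transfer 100 to account 42"
    tag = hmac_tag(key, msg)
    print("tag ok:", verify_tag(key, msg, tag))
    print("tampered:", verify_tag(key, b"transfer 900 to account 42", tag))
```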
Domain 2: Threats, Vulnerabilities, and Mitigations (22%)
2.1 Threat Actors
Categories of Threat Actors
| Actor | Motivation | Resources | Sophistication |
|---|---|---|---|
| Nation-State/APT | Espionage, Warfare | Very High | Very High |
| Organized Crime | Financial gain | High | High |
| Hacktivists | Political/Social causes | Medium | Medium |
| Insider Threats | Varies (money, revenge) | Internal access | Varies |
| Script Kiddies | Curiosity, Recognition | Low | Low |
| Competitors | Business advantage | Medium-High | Medium |
Advanced Persistent Threats (APTs)
APTs are characterized by:
Advanced - Sophisticated techniques and tools
Persistent - Long-term presence in target network
Threat - Clear intent to cause harm or steal data
💡 Common APT Tactics: Spear phishing, Zero-day exploits, Living off the land
Shadow IT
Shadow IT refers to unauthorized technology used within an organization without IT department knowledge. Risks include:
Unpatched vulnerabilities
Data leakage
Compliance violations
No backup or recovery
2.2 Attack Vectors and Surfaces
Common Attack Vectors
| Vector | Examples | Mitigations |
|---|---|---|
| Email | Phishing, malicious attachments | Email filtering, User training |
| Web | Drive-by downloads, XSS | Web filtering, WAF |
| Removable Media | Infected USB drives | Disable autorun, DLP |
| Social Engineering | Human manipulation | Security awareness training |
| Supply Chain | Compromised vendors/software | Vendor assessment, SBOMs |
| Wireless | Rogue APs, Evil twins | WIPS, Strong authentication |
Attack Surface
The attack surface includes all points where an attacker could attempt to enter or extract data:
Physical - Buildings, hardware, media
Digital - Networks, applications, services
Human - Employees who can be manipulated
2.3 Social Engineering Attacks
Types of Social Engineering
| Type | Description | Mitigation |
|---|---|---|
| Phishing | Mass fraudulent emails | Email filtering, Training |
| Spear Phishing | Targeted phishing at individuals | Advanced email security |
| Whaling | Targeting executives | Executive awareness training |
| Vishing | Voice-based phishing | Call verification procedures |
| Smishing | SMS-based phishing | Mobile security awareness |
| Pretexting | Creating a fake scenario | Verification procedures |
| Business Email Compromise (BEC) | Impersonating executives | Out-of-band verification |
Phishing Indicators
Urgency or threats
Generic greetings
Suspicious links (hover to check)
Mismatched URLs
Poor grammar/spelling
Requests for sensitive info
TRUST Framework (CISA)
Tell your story
Ready your team
Understand and assess MDM (mis-, dis-, and malinformation)
Strategize response
Track outcomes
2.4 Malware Types
Categories of Malicious Software
| Type | Description | Characteristics |
|---|---|---|
| Virus | Requires host program & user action | Infects files, needs propagation mechanism |
| Worm | Self-replicating, no host needed | Spreads via network automatically |
| Trojan | Disguised as legitimate software | Appears useful, hides malicious payload |
| Ransomware | Encrypts data, demands payment | Uses strong encryption, Bitcoin payments |
| Spyware | Monitors user activity | Keyloggers, screen capture |
| Rootkit | Hides at OS/firmware level | Very hard to detect, infects MBR/boot |
| Logic Bomb | Activates on trigger condition | Time-based or event-based activation |
| RAT | Remote Access Trojan | Provides backdoor access |
| Botnet | Network of infected devices | Used for DDoS, spam campaigns |
| Keylogger | Records keystrokes | Captures passwords, data |
| Bloatware/PUP | Unwanted bundled software | Not necessarily malicious |
Malware Delivery Methods
Drive-by downloads - Visiting compromised websites
Malvertising - Malicious advertisements
Email attachments - Infected documents, executables
Removable media - USB drives
Supply chain - Compromised software updates
Honeypots, Honeynets & Honeyfiles
Honeypot - Decoy system to attract/study attackers
Honeynet - Network of honeypots
Honeyfile - Decoy file that triggers alerts when accessed
Honeytoken - Fake data/credentials to track leaks
2.5 Password Attacks
Types of Password Attacks
| Attack | Method | Mitigation |
|---|---|---|
| Brute Force | Try all possible combinations | Account lockout, Complex passwords |
| Dictionary | Try common words/phrases | Avoid dictionary words |
| Password Spraying | One password, many accounts | Account lockout detection |
| Rainbow Table | Precomputed hash lookups | Salting passwords |
| Credential Stuffing | Use leaked credentials | Unique passwords per site |
| Offline Attack | Attack stolen hash database | Strong hashing algorithms |
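Password spraying is hard to catch with per-account lockout alone, because each account sees only one failure. The added example below (not from the study guide) correlates failures by source address over constructed authentication log lines to separate spraying (few tries each against many accounts) from brute force (many tries against one account); the log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not part of the study guide. The log lines, addresses and
# thresholds are constructed for illustration.
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T09:00:03 src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:00:05 src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:00:07 src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:00:09 src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:00:11 src=203.0.113.7 user=frank result=FAIL
2024-05-01T09:01:00 src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:02 src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:04 src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:06 src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:08 src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:10 src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:05:00 src=192.0.2.44 user=bob result=FAIL
2024-05-01T09:05:30 src=192.0.2.44 user=bob result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse_log(text: str) -> list:
    """Return (timestamp, source, user, result) tuples; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     min_fails=5, min_users=5) -> dict:
    """Label each source address that crosses the failure threshold inside `window`.

    'password_spray': the failures hit many distinct accounts (one guess each,
    so no single account locks out); 'brute_force': they all hit one account.
    """
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    verdicts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):       # sliding window from each failure
            users = [u for ts, u in fails[i:] if ts - start <= window]
            if len(users) < min_fails:
                continue
            distinct = len(set(users))
            if distinct >= min_users:
                verdicts[src] = "password_spray"
                break
            if distinct == 1:
                verdicts[src] = "brute_force"
                break
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {verdict}")
```

The single failure followed by a success from 192.0.2.44 is a normal typo and is not flagged.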
Password Best Practices
Minimum 14+ characters
Use passphrases
Enable MFA
Use password managers
Never reuse passwords
Regular rotation (when compromised)
💡 Tool Note: John the Ripper and Hashcat are common password cracking tools used in penetration testing.
2.6 Application Attacks
Injection Attacks
| Attack | Target | Mitigation |
|---|---|---|
| SQL Injection | Databases | Parameterized queries, Input validation |
| LDAP Injection | Directory services | Input sanitization |
| Command Injection | OS commands | Input validation, Least privilege |
| XML Injection | XML parsers | Disable external entities |
SQL Injection Example:
Cross-Site Scripting (XSS)
Reflected (Type 1) - Payload in URL, immediate execution
Stored (Type 2) - Payload stored on server, affects all users
DOM-based - Modifies page's DOM in browser
Mitigation: Input validation, Output encoding, CSP headers
Cross-Site Request Forgery (CSRF/XSRF)
Forces authenticated users to perform unwanted actions. Also known as:
One-click attack
Session riding
Sea surf
Mitigation: CSRF tokens, SameSite cookies, Re-authentication
Other Web Attacks
SSRF - Server-side request forgery - trick server to make requests
IDOR - Insecure Direct Object Reference - manipulating URLs
Directory Traversal - Using ../ to access unauthorized files
Session Hijacking - Stealing session cookies
Clickjacking - Hidden malicious UI elements
2.7 Network Attacks
Denial of Service (DoS/DDoS)
Volumetric - Flood bandwidth (UDP floods)
Protocol - Exploit protocol weaknesses (SYN flood)
Application - Target application layer (HTTP floods)
Amplification - Small query → Large response (DNS amp)
Reflection - Spoofed source, responses hit victim
ICMP Flood - Ping flood attack
Smurf Attack - ICMP broadcast with spoofed source
Man-in-the-Middle (MITM/On-Path)
Attacker intercepts communications between two parties:
ARP Spoofing - Associate attacker's MAC with victim's IP
DNS Spoofing - Redirect DNS queries
SSL Stripping - Downgrade HTTPS to HTTP
Man-in-the-Browser (MITB) - Malware in browser
Wireless Attacks
Evil Twin - Rogue AP mimicking legitimate AP
Rogue AP - Unauthorized access point
Deauthentication - Force disconnect from AP
WPS Attack - Brute force WPS PIN
Bluetooth Attacks - Bluejacking, Bluesnarfing, BIAS
Domain 3: Security Architecture (18%)
3.1 Network Architecture Concepts
Network Segmentation
DMZ - Demilitarized zone between internal and external networks
VLAN - Virtual LAN - logical network segmentation
Micro-segmentation - Granular segmentation at workload level
Air Gap - Complete physical isolation from networks
Extranet - Controlled access for external partners
Intranet - Internal private network
Defense in Depth (DiD)
Multiple layers of security controls to protect assets:
Perimeter - Firewalls, IDS/IPS
Network - Segmentation, VLANs
Host - Endpoint protection, Hardening
Application - WAF, Secure coding
Data - Encryption, DLP
OSI Model Security
| Layer | Name | Security Controls |
|---|---|---|
| L7 | Application | WAF, Input validation |
| L6 | Presentation | Encryption/Decryption |
| L5 | Session | Session management |
| L4 | Transport | TLS, Firewalls (stateful) |
| L3 | Network | IPSec, Routing security |
| L2 | Data Link | MAC filtering, 802.1X |
| L1 | Physical | Physical security |
3.2 Security Appliances
Firewalls
Stateless (Packet Filter) - Examines individual packets, no context
Stateful - Tracks connection state
NGFW - Deep packet inspection, IPS, App awareness
WAF - Protects web applications (Layer 7)
UTM - All-in-one: FW, IDS/IPS, AV, VPN
Intrusion Detection/Prevention
IDS - Detects threats, alerts only
IPS - Detects and blocks threats
NIDS/NIPS - Network-based
HIDS/HIPS - Host-based
Detection Methods:
Signature-based - Known threat patterns
Anomaly-based - Deviation from baseline
Behavior-based - Suspicious actions
Proxy Servers
Forward Proxy - Client-side, outbound traffic
Reverse Proxy - Server-side, protects web servers
Transparent Proxy - No client configuration
Content Filtering - Block categories/URLs
3.3 Cloud Security
Cloud Service Models
| Model | Customer Manages | Provider Manages |
|---|---|---|
| IaaS | OS, Apps, Data | Hardware, Virtualization |
| PaaS | Apps, Data | OS, Hardware |
| SaaS | Data (mostly) | Everything else |
| FaaS | Code/Functions | Everything else |
💡 Remember: "Pizza as a Service" - the more letters, the less you manage.
Cloud Deployment Models
Public - Shared infrastructure (AWS, Azure, GCP)
Private - Dedicated to single organization
Hybrid - Mix of public and private
Community - Shared by organizations with common needs
Multi-cloud - Using multiple cloud providers
Cloud Security Concepts
CASB - Cloud Access Security Broker - policy enforcement
SASE - Secure Access Service Edge - combines SD-WAN + security
VPC - Virtual Private Cloud - isolated cloud network
Cloud Bursting - Overflow to public cloud when capacity exceeded
Responsibility Matrix
| Layer | IaaS | PaaS | SaaS |
|---|---|---|---|
| Applications | Customer | Customer | Provider |
| Data | Customer | Customer | Shared |
| Runtime | Customer | Provider | Provider |
| OS | Customer | Provider | Provider |
| Virtualization | Provider | Provider | Provider |
| Hardware | Provider | Provider | Provider |
3.4 Virtualization Security
Hypervisor Types
| Type | Description | Examples |
|---|---|---|
| Type 1 (Bare Metal) | Runs directly on hardware | VMware ESXi, Hyper-V |
| Type 2 (Hosted) | Runs on top of OS | VirtualBox, VMware Workstation |
Virtualization Security Concerns
VM Escape - Breaking out of VM to hypervisor
VM Sprawl - Uncontrolled VM proliferation
Resource Exhaustion - VMs consuming shared resources
Snapshot Management - Sensitive data in snapshots
Containers vs VMs
| Aspect | Containers | VMs |
|---|---|---|
| Isolation | Process-level | Hardware-level |
| Size | Megabytes | Gigabytes |
| Startup | Seconds | Minutes |
| Security | Shared kernel risk | Full isolation |
| Example | Docker | VMware |
3.5 Secure Infrastructure Design
High Availability Concepts
Redundancy - Duplicate components
Fault Tolerance - System continues despite failures
Load Balancing - Distribute traffic across servers
Clustering - Multiple servers as one logical unit
Failover - Automatic switch to backup
RAID Levels
| Level | Technique | Min Disks | Fault Tolerance | Use |
|---|---|---|---|---|
| 0 | Striping | 2 | None | Performance |
| 1 | Mirroring | 2 | 1 disk | Redundancy |
| 5 | Striping + Parity | 3 | 1 disk | Balance |
| 6 | Double Parity | 4 | 2 disks | High availability |
| 10 | 1+0 | 4 | 1 per mirror | Performance + Redundancy |
Backup Strategies
| Type | Contents | Speed |
|---|---|---|
| Full | Complete copy of all data | Slow backup, Fast restore |
| Incremental | Changes since last backup | Fast backup, Slow restore |
| Differential | Changes since last full backup | Medium both |
| Snapshot | Point-in-time image | Very fast |
Recovery Objectives
RPO (Recovery Point Objective) - Maximum acceptable data loss (time)
RTO (Recovery Time Objective) - Maximum acceptable downtime
Site Types
| Site | Readiness | Cost | Recovery Time |
|---|---|---|---|
| Hot | Fully operational | $$$ | Minutes |
| Warm | Partial equipment | $$ | Hours-Days |
| Cold | Empty facility | $ | Days-Weeks |
3.6 Hardware Security
Secure Boot Process
BIOS/UEFI - Initial hardware check
Secure Boot - Verifies bootloader signature
Measured Boot - Creates hash measurements
Trusted Boot - Validates OS components
Hardware Security Modules
TPM - Trusted Platform Module - stores crypto keys, measurements
HSM - Hardware Security Module - manages keys at scale
Secure Enclave - Isolated processor (Apple devices)
SED - Self-Encrypting Drive
Full Disk Encryption
BitLocker - Windows
FileVault - macOS
LUKS - Linux
VeraCrypt - Cross-platform
Domain 4: Security Operations (28%)
4.1 Identity and Access Management (IAM)
AAA Framework
Authentication - Verify identity (Who are you?)
Authorization - Determine permissions (What can you do?)
Accounting - Track actions (What did you do?)
Authentication Factors
| Factor | Category | Examples |
|---|---|---|
| Something You Know | Knowledge | Password, PIN, Security questions |
| Something You Have | Possession | Smart card, Token, Phone |
| Something You Are | Inherence | Fingerprint, Retina, Face |
| Somewhere You Are | Location | GPS, IP address |
| Something You Do | Behavior | Typing patterns, Gait |
Multi-Factor Authentication (MFA)
MFA requires two or more different factor types. Using two passwords is NOT MFA.
Common MFA Methods:
TOTP - Time-based One Time Password (Authenticator apps)
HOTP - HMAC-based OTP (Hardware tokens)
Push notifications - Mobile app approval
SMS codes - (Less secure, SIM swapping risk)
Hardware keys - FIDO2/WebAuthn (YubiKey)
Authentication Protocols
| Protocol | Description | Notes |
|---|---|---|
| Kerberos | Ticket-based, Active Directory | Secure |
| LDAP | Directory queries (port 389) | Use LDAPS (636) |
| RADIUS | AAA for network access | Common for VPN/WiFi |
| TACACS+ | Cisco AAA protocol | Encrypts entire packet |
| SAML | XML-based federation | Enterprise SSO |
| OAuth | Authorization framework | API access |
| OpenID Connect | Identity layer on OAuth | Modern SSO |
802.1X (Port-Based NAC)
Components:
Supplicant - Client requesting access
Authenticator - Switch/AP
Authentication Server - RADIUS server
EAP Types
EAP-TLS - Mutual certificate authentication (most secure)
EAP-TTLS - Server cert only, tunnel for inner auth
PEAP - Similar to TTLS, Microsoft
EAP-FAST - Cisco, replaces LEAP
LEAP - Cisco legacy (insecure)
4.2 Access Control Models
| Model | How Access Is Decided | Typical Use |
|---|---|---|
| DAC | Owner controls access | File systems |
| MAC | System enforces labels | Military, Government |
| RBAC | Role-based permissions | Enterprise |
| ABAC | Attribute-based policies | Complex environments |
| Rule-Based | Firewall-style rules | Network access |
Privileged Access Management (PAM)
Password Vaulting - Secure storage of credentials
Just-in-Time (JIT) - Temporary elevated access
Ephemeral Accounts - Short-lived credentials
Privileged Session Management - Monitor admin sessions
4.3 Network Security Operations
VPN Technologies
IPSec - Full tunnel, Layer 3
SSL/TLS VPN - Browser-based, portal access
Site-to-Site - Connect networks
Remote Access - Individual user connections
Split Tunnel - Only corporate traffic through VPN
Full Tunnel - All traffic through VPN
IPSec Components
AH - Authentication Header - integrity only
ESP - Encapsulating Security Payload - encryption + integrity
IKE - Internet Key Exchange - key negotiation
SA - Security Association - connection parameters
Modes:
Transport Mode - Encrypts payload only
Tunnel Mode - Encrypts entire packet
DNS Security
DNSSEC - Validates DNS responses (integrity)
DNS Filtering - Block malicious domains
DoH - DNS over HTTPS (encrypted)
DoT - DNS over TLS (encrypted)
Email Security
SPF - Sender Policy Framework - authorized senders
DKIM - DomainKeys Identified Mail - message signature
DMARC - Combines SPF + DKIM, reporting
S/MIME - Email encryption and signing
4.4 Security Monitoring
SIEM (Security Information and Event Management)
Functions:
Log aggregation and correlation
Real-time alerting
Threat detection
Compliance reporting
Forensic analysis
SOC (Security Operations Center)
Tier 1 - Alert triage, Initial response
Tier 2 - Deep investigation
Tier 3 - Advanced threats, Threat hunting
SOC Manager - Strategy, Team management
SOAR (Security Orchestration, Automation, and Response)
Orchestration - Coordinate security tools
Automation - Automate repetitive tasks
Response - Playbook-driven incident response
Key Security Metrics
MTTD - Mean Time to Detect
MTTR - Mean Time to Respond/Repair
MTTC - Mean Time to Contain
False Positive Rate - Incorrect alerts
True Positive Rate - Correct detections
4.5 Incident Response
PICERL Framework (SANS)
Preparation - Policies, Training, Tools
Identification - Detect and validate incident
Containment - Limit damage (short/long term)
Eradication - Remove threat
Recovery - Restore systems
Lessons Learned - Post-incident review
Incident Response Team
Incident Manager - Overall coordination
Technical Lead - Technical response
Communications - Internal/External messaging
Legal/HR - Compliance, Personnel issues
Evidence Handling
Order of Volatility (most volatile first):
CPU registers, cache
RAM contents
Temporary files, swap
Disk data
Logs on remote systems
Archived media
Chain of Custody
Document everything
Hash evidence (before/after)
Maintain logs of who handled evidence
Secure storage with access controls
Timestamps on all actions
4.6 Digital Forensics
Forensic Process
Identification - Recognize potential evidence
Collection - Gather evidence properly
Analysis - Examine evidence
Reporting - Document findings
Forensic Tools
FTK/EnCase - Commercial forensic suites
Autopsy - Open-source forensic platform
Volatility - Memory forensics
KAPE - Artifact collection
Wireshark - Network packet analysis
Image Formats
E01 - EnCase format, compression + hashing
AFF - Advanced Forensics Format (open)
RAW/DD - Bit-for-bit copy
Legal Concepts
Legal Hold - Preserve relevant data for litigation
E-Discovery - Electronic evidence for legal proceedings
Chain of Custody - Documented evidence handling
Domain 5: Security Program Management and Oversight (20%)
5.1 Governance, Risk, and Compliance (GRC)
Security Governance
Policies - High-level statements of intent
Standards - Mandatory requirements
Procedures - Step-by-step instructions
Guidelines - Recommended practices
Baselines - Minimum security configurations
Common Policies
AUP - Acceptable Use Policy - defines allowed behavior
Data Classification - How to handle different data types
Password Policy - Credential requirements
Remote Access - Working from outside the network
Change Management - How to implement changes
Incident Response - How to handle security incidents
Data Retention - How long to keep data
Security Frameworks
| Framework | Focus | Scope |
|---|---|---|
| NIST CSF | Cybersecurity risk management | All |
| NIST RMF | System authorization | Government |
| ISO 27001 | Information security management | International |
| ISO 27002 | Security control implementation | International |
| CIS Controls | Prioritized security actions | All |
| COBIT | IT governance | Enterprise |
NIST Cybersecurity Framework Core
Identify - Asset management, Risk assessment
Protect - Access control, Training, Encryption
Detect - Monitoring, Detection processes
Respond - Response planning, Communications
Recover - Recovery planning, Improvements
5.2 Risk Management
Risk Assessment Process
Identify assets and threats
Analyze likelihood and impact
Evaluate risk level
Treat risks (mitigate, accept, transfer, avoid)
Monitor and review
Risk Terminology
Threat - Potential cause of unwanted incident
Vulnerability - Weakness that can be exploited
Risk - Threat × Vulnerability × Impact
Likelihood - Probability of occurrence
Impact - Consequence if risk materializes
Residual Risk - Risk remaining after controls
Risk Appetite - Level of risk organization accepts
Risk Treatment Options
Mitigate - Implement controls to reduce risk
Accept - Acknowledge and accept the risk
Transfer - Shift risk to third party (insurance)
Avoid - Eliminate the risk entirely
Quantitative Risk Analysis
SLE - Single Loss Expectancy = AV × EF
ALE - Annual Loss Expectancy = SLE × ARO
AV - Asset Value
EF - Exposure Factor (% of asset affected)
ARO - Annualized Rate of Occurrence
Example: Server worth $50,000 (AV), 25% damage (EF), twice per year (ARO)
SLE = $50,000 × 0.25 = $12,500
ALE = $12,500 × 2 = $25,000/year
Risk Register
Documents identified risks including:
Risk description
Likelihood and impact
Risk owner
Treatment strategy
Control measures
Residual risk
5.3 Compliance
Regulatory Requirements
GDPR - EU data privacy
HIPAA - US healthcare data
PCI DSS - Payment card data
SOX - US financial reporting
GLBA - US financial institutions
FERPA - US student records
CCPA - California privacy
Key GDPR Concepts
Data Subject Rights - Access, Rectification, Erasure, Portability
Data Protection Officer (DPO) - Required for certain organizations
72-hour breach notification - Report breaches within 72 hours
Lawful basis - Need legitimate reason to process data
Fines - Up to 4% of global revenue or €20M
Compliance Activities
Audits - Formal examination of controls
Assessments - Evaluation of security posture
Penetration Testing - Authorized attack simulation
Vulnerability Scanning - Automated weakness identification
Policy Review - Regular policy updates
5.4 Security Awareness Training
Training Topics
Phishing recognition
Password security
Physical security
Data handling
Social engineering
Incident reporting
Clean desk policy
Mobile device security
Training Methods
CBT - Computer-based training
Phishing Simulations - Test employee awareness
Tabletop Exercises - Scenario-based discussions
Role-based Training - Job-specific security training
Gamification - Interactive learning
Measuring Effectiveness
Phishing test click rates
Training completion rates
Incident reporting rates
Quiz/assessment scores
Security behavior changes
5.5 Third-Party Risk Management
Vendor Assessment
Questionnaires - Evaluate vendor security practices
Audits - On-site or remote verification
Penetration Tests - Test vendor security
SOC Reports - Independent audit reports
Agreement Types
NDA - Non-Disclosure Agreement - confidentiality
SLA - Service Level Agreement - performance standards
MSA - Master Service Agreement - overall relationship
SOW - Statement of Work - specific project details
BPA - Business Partner Agreement - partnership terms
MOU/MOA - Memorandum of Understanding/Agreement
SOC Reports
SOC 1 - Financial reporting controls
SOC 2 Type I - Control design at a point in time
SOC 2 Type II - Control effectiveness over time
SOC 3 - General use summary report
5.6 Data Security
Data Classification
| Level | Access | Example |
|---|---|---|
| Public | No restrictions | Marketing materials |
| Internal | Company only | Internal memos |
| Confidential | Need-to-know basis | Financial data |
| Restricted/Secret | Highest protection | Trade secrets |
Data States
At Rest - Disk encryption, Database encryption
In Transit - TLS, VPN, IPSec
In Use - Secure enclaves, Memory encryption
Data Loss Prevention (DLP)
Endpoint DLP - Monitors workstations
Network DLP - Monitors network traffic
Cloud DLP - Monitors cloud services
Data Roles
Data Owner - Accountable for data protection
Data Custodian - Implements technical controls
Data Steward - Manages data quality
Data Processor - Processes data on behalf of controller
Data Controller - Determines data processing purposes
Privacy Enhancing Techniques
Anonymization - Remove identifying information
Pseudonymization - Replace identifiers with pseudonyms
Tokenization - Replace sensitive data with tokens
Data Masking - Hide portions of data
Quick Reference: Ports & Protocols
Common Ports to Know
| Port | Transport | Service | Notes |
|---|---|---|---|
| 20/21 | TCP | FTP | Insecure - Use SFTP/FTPS |
| 22 | TCP | SSH/SFTP/SCP | Secure |
| 23 | TCP | Telnet | Insecure - Use SSH |
| 25 | TCP | SMTP | Unencrypted - Use 587 |
| 53 | TCP/UDP | DNS | Use DNSSEC |
| 80 | TCP | HTTP | Unencrypted - Use HTTPS |
| 110 | TCP | POP3 | Insecure - Use 995 |
| 143 | TCP | IMAP | Insecure - Use 993 |
| 161/162 | UDP | SNMP | Use SNMPv3 |
| 389 | TCP | LDAP | Use LDAPS (636) |
| 443 | TCP | HTTPS | Secure |
| 445 | TCP | SMB | Block externally |
| 587 | TCP | SMTP (submission) | With TLS |
| 636 | TCP | LDAPS | Secure |
| 993 | TCP | IMAPS | Secure |
| 995 | TCP | POP3S | Secure |
| 989/990 | TCP | FTPS (Implicit) | Secure |
| 1433 | TCP | MS SQL | Secure internally |
| 3389 | TCP | RDP | Use VPN/MFA |
| 5060/5061 | TCP/UDP | SIP/SIPS | 5061 is secure |
Port Ranges
| Range | Name | Use |
|---|---|---|
| 0-1023 | Well-known/System | Reserved for common services |
| 1024-49151 | Registered/User | Application-specific |
| 49152-65535 | Dynamic/Private | Temporary/ephemeral connections |
Quick Reference: Cryptography
Algorithm Summary
Symmetric Encryption (Shared Key)
| Algorithm | Key Size | Block Size | Status |
|---|---|---|---|
| AES-128 | 128-bit | 128-bit | Approved |
| AES-256 | 256-bit | 128-bit | Strongest |
| 3DES | 168-bit | 64-bit | Deprecated |
| DES | 56-bit | 64-bit | Broken |
| RC4 | Variable | Stream | Broken |
Asymmetric Encryption (Public/Private Key)
| Algorithm | Key Size | Use |
|---|---|---|
| RSA | 2048+ bits | Encryption, Signatures |
| ECC | 256+ bits | Smaller keys, IoT |
| Diffie-Hellman | 2048+ bits | Key exchange only |
| DSA | 2048+ bits | Signatures only |
| ECDHE | 256+ bits | Perfect forward secrecy |
Hash Functions
| Algorithm | Output | Status |
|---|---|---|
| SHA-3 | Variable | Latest standard |
| SHA-256 | 256-bit | Widely used |
| SHA-1 | 160-bit | Deprecated |
| MD5 | 128-bit | Broken |
Block Cipher Modes
ECB - Electronic Codebook - Don't use (patterns visible)
CBC - Cipher Block Chaining - Common, uses IV
CTR - Counter Mode - Parallelizable
GCM - Galois/Counter Mode - Authenticated encryption
CCMP - Used in WPA2
PKI (Public Key Infrastructure) Components
CA - Certificate Authority - Issues certificates
RA - Registration Authority - Verifies identities
CRL - Certificate Revocation List - Revoked certs
OCSP - Online Certificate Status Protocol - Real-time revocation
CSR - Certificate Signing Request - Request new cert
Certificate Types
DV - Domain Validation - Basic, domain control only
OV - Organization Validation - Verified organization
EV - Extended Validation - Highest assurance
Wildcard - *.domain.com - All subdomains (one level)
SAN - Subject Alternative Name - Multiple domains
Quick Reference: Linux Commands
Essential Security Commands
| Command | Purpose | Example / Note |
|---|---|---|
| chmod | Change permissions | chmod 755 file.sh |
| chown | Change ownership | chown user:group file |
| ls -la | List with permissions | Shows hidden files |
| ps aux | List processes | Find running processes |
| netstat -an | Network connections | Active connections |
| grep | Search text | grep "error" /var/log/syslog |
| find | Find files | find / -name "*.conf" |
| cat | Display file | cat /etc/passwd |
| tail -f | Follow log file | tail -f /var/log/auth.log |
| dd | Disk imaging | Forensic imaging |
| sha256sum | Calculate hash | Verify file integrity |
Permission Numbers (chmod)
| Number | Symbolic | Meaning |
|---|---|---|
| 0 | --- | No permission |
| 1 | --x | Execute |
| 2 | -w- | Write |
| 3 | -wx | Write + Execute |
| 4 | r-- | Read |
| 5 | r-x | Read + Execute |
| 6 | rw- | Read + Write |
| 7 | rwx | Read + Write + Execute |
Example: chmod 750 = Owner: rwx, Group: r-x, Others: none
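As an added example (not from the study guide), the Python below converts between chmod numbers and the symbolic form shown by ls -la, and flags the permission bits an auditor looks for first (world-writable, setuid, setgid) in a raw st_mode value such as os.stat() returns. The warning labels are assumptions.

```python
import stat

# Added example, not part of the study guide. Maps chmod digits to rwx triples
# and audits risky bits in an st_mode value.
PERMS = ["---", "--x", "-w-", "-wx", "r--", "r-x", "rw-", "rwx"]


def numeric_to_symbolic(mode: str) -> str:
    """'750' -> 'rwxr-x---' (owner, group, others)."""
    if len(mode) != 3 or any(c not in "01234567" for c in mode):
        raise ValueError("expected three octal digits, e.g. '750'")
    return "".join(PERMS[int(c)] for c in mode)


def symbolic_to_numeric(symbolic: str) -> str:
    """'rwxr-x---' -> '750'. Each triple's index in PERMS is its digit."""
    if len(symbolic) != 9:
        raise ValueError("expected nine characters, e.g. 'rwxr-x---'")
    return "".join(str(PERMS.index(symbolic[i:i + 3])) for i in (0, 3, 6))


def permission_warnings(st_mode: int) -> list:
    """Flag risky bits in an st_mode value (as returned by os.stat(path).st_mode)."""
    warnings = []
    if st_mode & stat.S_IWOTH:
        warnings.append("world-writable")
    if st_mode & stat.S_ISUID:
        warnings.append("setuid")
    if st_mode & stat.S_ISGID:
        warnings.append("setgid")
    # A world-writable directory without the sticky bit lets any user delete
    # or rename other users' files inside it.
    if stat.S_ISDIR(st_mode) and (st_mode & stat.S_IWOTH) and not (st_mode & stat.S_ISVTX):
        warnings.append("world-writable directory without sticky bit")
    return warnings


def describe(st_mode: int) -> str:
    """Render an st_mode like ls -l does, e.g. '-rwxr-x---'."""
    return stat.filemode(st_mode)


if __name__ == "__main__":
    print("750 ->", numeric_to_symbolic("750"))            # rwxr-x---
    print("rw-r--r-- ->", symbolic_to_numeric("rw-r--r--"))  # 644
    for m in (stat.S_IFREG | 0o4755, stat.S_IFDIR | 0o777, stat.S_IFDIR | 0o1777):
        print(describe(m), permission_warnings(m))
```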
Quick Reference: Wireless Security
WiFi Standards
| Standard | Name | Band | Max Speed |
|---|---|---|---|
| 802.11b | Wi-Fi 1 | 2.4 GHz | 11 Mbps |
| 802.11a | Wi-Fi 2 | 5 GHz | 54 Mbps |
| 802.11g | Wi-Fi 3 | 2.4 GHz | 54 Mbps |
| 802.11n | Wi-Fi 4 | 2.4/5 GHz | 600 Mbps |
| 802.11ac | Wi-Fi 5 | 5 GHz | 6.9 Gbps |
| 802.11ax | Wi-Fi 6/6E | 2.4/5/6 GHz | 9.6 Gbps |
Wireless Security Protocols
| Protocol | Encryption | Notes |
|---|---|---|
| WEP | RC4 | Broken |
| WPA | TKIP | Deprecated |
| WPA2-Personal | AES-CCMP | PSK |
| WPA2-Enterprise | AES-CCMP | 802.1X/RADIUS |
| WPA3-Personal | SAE | Latest |
| WPA3-Enterprise | 192-bit | Strongest |
Key WPA3 Features
SAE (Simultaneous Authentication of Equals) - Dragonfly key exchange
Perfect Forward Secrecy - Past communications protected if key compromised
OWE (Opportunistic Wireless Encryption) - Encrypted open networks
Quick Reference: Acronyms
Must-Know Acronyms
AAA - Authentication, Authorization, Accounting
ACL - Access Control List
AES - Advanced Encryption Standard
APT - Advanced Persistent Threat
BCP - Business Continuity Plan
BYOD - Bring Your Own Device
CA - Certificate Authority
CASB - Cloud Access Security Broker
CIA - Confidentiality, Integrity, Availability
CSRF - Cross-Site Request Forgery
CVE - Common Vulnerabilities and Exposures
CVSS - Common Vulnerability Scoring System
DAC - Discretionary Access Control
DDoS - Distributed Denial of Service
DHCP - Dynamic Host Configuration Protocol
DLP - Data Loss Prevention
DMZ - Demilitarized Zone
DNS - Domain Name System
DRP - Disaster Recovery Plan
EDR - Endpoint Detection and Response
FDE - Full Disk Encryption
GDPR - General Data Protection Regulation
GPO - Group Policy Object
HIDS - Host-based Intrusion Detection System
HIPAA - Health Insurance Portability and Accountability Act
HSM - Hardware Security Module
IAM - Identity and Access Management
ICS - Industrial Control Systems
IDS - Intrusion Detection System
IoC - Indicators of Compromise
IPS - Intrusion Prevention System
IPSec - Internet Protocol Security
MAC - Mandatory Access Control (or Media Access Control)
MDM - Mobile Device Management
MFA - Multi-Factor Authentication
MITM - Man-in-the-Middle
NAC - Network Access Control
NGFW - Next-Generation Firewall
NIST - National Institute of Standards and Technology
NVD - National Vulnerability Database
OSINT - Open Source Intelligence
PAM - Privileged Access Management
PCI DSS - Payment Card Industry Data Security Standard
PKI - Public Key Infrastructure
RADIUS - Remote Authentication Dial-In User Service
RBAC - Role-Based Access Control
RPO - Recovery Point Objective
RTO - Recovery Time Objective
SAML - Security Assertion Markup Language
SASE - Secure Access Service Edge
SCADA - Supervisory Control and Data Acquisition
SIEM - Security Information and Event Management
SOAR - Security Orchestration, Automation, and Response
SOC - Security Operations Center
SOX - Sarbanes-Oxley Act
SPF - Sender Policy Framework
SQL - Structured Query Language
SSH - Secure Shell
SSL - Secure Sockets Layer (deprecated)
SSO - Single Sign-On
TLS - Transport Layer Security
TPM - Trusted Platform Module
UTM - Unified Threat Management
VPN - Virtual Private Network
WAF - Web Application Firewall
XDR - Extended Detection and Response
XSS - Cross-Site Scripting
ZTA - Zero Trust Architecture
Study Tips for the Exam
Exam Strategy
Read questions carefully - Watch for words like "BEST," "MOST," "FIRST"
Eliminate wrong answers - Often 2 answers are clearly wrong
Performance-based questions first or last - Choose your strategy
Flag and return - Don't spend too long on difficult questions
Trust your preparation - First instinct is often correct
High-Priority Topics by Domain
Domain 1 (12%)
CIA Triad and security control types
Zero Trust principles
Change management
Domain 2 (22%)
Threat actors and motivations
Malware types and indicators
Attack techniques (XSS, SQLi, CSRF)
Domain 3 (18%)
Cloud service models (IaaS, PaaS, SaaS)
Network security appliances
Secure protocols vs insecure
Domain 4 (28%) - LARGEST DOMAIN
Authentication protocols (RADIUS, TACACS+, Kerberos)
Incident response phases (PICERL)
Digital forensics concepts
Domain 5 (20%)
Risk management calculations (SLE, ALE)
Compliance regulations (GDPR, HIPAA, PCI DSS)
Security policies and frameworks
Good luck on your Security+ exam!
Remember: Security+ validates foundational cybersecurity skills. Focus on understanding concepts rather than memorizing details.