# How to Use This Quick Reference
This independent Quick Reference is built for candidates preparing for the real CompTIA Security+ (SY0-701) exam. Use it to review high-yield distinctions, service-selection logic, security operations workflows, and common scenario traps.
## Fast Scenario Reading Method
| Step | Ask | Exam-useful shortcut |
|---|---|---|
| 1. Identify the asset | What is being protected? Data, host, user, app, network, facility? | The asset often determines the control type. |
| 2. Identify the objective | Confidentiality, integrity, availability, safety, privacy, non-repudiation? | “Best” answer usually aligns to the stated objective. |
| 3. Identify the constraint | Cost, usability, downtime, compliance, cloud, remote users, legacy system? | Constraints eliminate technically valid but impractical answers. |
| 4. Map to control type | Preventive, detective, corrective, deterrent, compensating, physical, technical, managerial? | Know what a control does, not just its name. |
| 5. Choose least disruptive fix | Contain, preserve evidence, reduce risk, restore service. | Do not jump to rebuild, disclose, or wipe unless warranted. |
# Core Security Principles
## Security Goals and Concepts
| Concept | Meaning | Exam clue | Common trap |
|---|---|---|---|
| Confidentiality | Prevent unauthorized disclosure | Encryption, access control, data classification | Hashing is not confidentiality. |
| Integrity | Prevent unauthorized modification | Hashes, digital signatures, file integrity monitoring | Encryption alone does not prove integrity. |
| Availability | Keep systems/data usable | Redundancy, backups, clustering, DDoS mitigation | Confidentiality controls can hurt availability if overapplied. |
| Non-repudiation | Prevent denial of action | Digital signatures, audit logs, timestamps | Shared accounts weaken non-repudiation. |
| Authentication | Prove identity | Password, biometric, certificate, token | Username alone is identification, not authentication. |
| Authorization | Grant permissions | RBAC, ABAC, ACLs, scopes | Happens after authentication. |
| Accounting/Auditing | Track activity | Logs, SIEM, audit trails | Logs must be protected from tampering. |
| Least privilege | Minimum access needed | Just-in-time, role-based access, scoped tokens | “Admin for convenience” violates it. |
| Separation of duties | Split critical tasks | Dual control, change approval | Reduces fraud and single-person error. |
| Defense in depth | Multiple layered controls | Firewall + EDR + MFA + logging | Not the same as relying on one strong control. |
| Zero trust | Never trust implicitly | Continuous verification, device posture, least privilege | Not a product; it is an architecture model. |
## Control Categories
| Category | Purpose | Examples |
|---|---|---|
| Managerial/Administrative | Policies, oversight, risk decisions | Policies, standards, awareness, vendor reviews, risk register |
| Technical/Logical | Enforced by systems | MFA, ACLs, encryption, EDR, DLP, IDS/IPS |
| Operational | Day-to-day security processes | Change management, incident response, vulnerability management |
| Physical | Protect facilities and hardware | Locks, guards, cameras, mantraps, bollards |
| Legal/Regulatory/Contractual | External or contractual obligations | Data processing agreements, audits, retention requirements |
## Control Function Types
| Function | What it does | Examples |
|---|---|---|
| Preventive | Stops event before it occurs | MFA, firewall rule, access control, secure configuration |
| Detective | Identifies event after/during occurrence | IDS, SIEM alert, audit log, CCTV |
| Corrective | Restores after event | Backups, patching, reimaging |
| Deterrent | Discourages attacker | Warning banner, guards, visible cameras |
| Compensating | Alternative control when primary is not feasible | Extra monitoring when legacy system cannot support MFA |
| Directive | Instructs expected behavior | Policy, standard, procedure, signage |
# Threats, Attacks, and Vulnerabilities
## Threat Actor Matrix
| Actor | Motivation | Capability | Typical indicators |
|---|---|---|---|
| Script kiddie | Curiosity, disruption | Low; uses tools | Commodity malware, noisy scans |
| Hacktivist | Ideology | Variable | Defacement, DDoS, data leaks |
| Organized crime | Financial gain | Moderate to high | Ransomware, fraud, credential theft |
| Nation-state/APT | Espionage, sabotage | High; persistent | Stealthy C2, zero-days, long dwell time |
| Insider | Revenge, money, negligence | Authorized access | Unusual data access, policy bypass, privilege misuse |
| Competitor | Business advantage | Variable | IP theft, social engineering |
| Shadow IT user | Convenience | Authorized but unmanaged | Unsanctioned SaaS, unapproved storage |
## Malware and Attack Types
| Type | High-yield definition | Key defense |
|---|---|---|
| Virus | Attaches to host file; needs execution | EDR, user training, application control |
| Worm | Self-propagates across networks | Patching, segmentation, firewalling |
| Trojan | Malicious software disguised as legitimate | Application allowlisting, user training |
| Ransomware | Encrypts or exfiltrates data for extortion | Offline/immutable backups, EDR, least privilege |
| Rootkit | Hides privileged malicious activity | Secure boot, integrity checks, reimage if compromised |
| Spyware | Collects user/system information | Anti-malware, least privilege |
| Logic bomb | Triggers on condition/time | Code review, separation of duties |
| Fileless malware | Uses memory and trusted tools | EDR behavior analytics, PowerShell logging |
| Botnet | Compromised devices controlled centrally | Egress filtering, DNS monitoring, takedown support |
| Cryptojacking | Unauthorized crypto mining | Resource monitoring, EDR, patching |
| Keylogger | Captures keystrokes | MFA, EDR, secure input methods |
## Social Engineering Quick Distinctions
| Attack | Distinction | Best mitigation |
|---|---|---|
| Phishing | Broad fraudulent messaging | Awareness, email filtering, reporting |
| Spear phishing | Targeted phishing | Awareness plus identity verification |
| Whaling | Targets executives | Executive training, payment verification |
| Vishing | Voice phishing | Call-back procedures, help desk scripts |
| Smishing | SMS phishing | Mobile awareness, link caution |
| Pretexting | Fabricated scenario | Verification procedures |
| Business email compromise | Impersonates trusted business party | Out-of-band payment confirmation |
| Impersonation | Pretending to be someone | Badges, callback, challenge process |
| Tailgating | Follows authorized person into facility | Mantraps, badge enforcement |
| Shoulder surfing | Observes screen/keyboard | Privacy screens, awareness |
| Dumpster diving | Retrieves discarded information | Shredding, media disposal |
| Watering hole | Compromises site used by target group | Web filtering, browser isolation, patching |
| Brand impersonation | Fake trusted brand/domain | DMARC, user training, domain monitoring |
| Typosquatting | Lookalike domain typo | Domain monitoring, DNS filtering |
## Web and Application Attack Reference
| Attack | What happens | Exam indicator | Mitigation |
|---|---|---|---|
| SQL injection | Input alters database query | ' OR '1'='1 | Parameterized queries, input validation |
| XSS | Script runs in victim browser | Stored/reflected script | Output encoding, CSP, validation |
| CSRF | Authenticated user tricked into action | Hidden request from another site | Anti-CSRF token, SameSite cookies |
| SSRF | Server makes attacker-controlled request | Cloud metadata access | Allowlist destinations, block metadata endpoints |
| Directory traversal | Access outside intended path | ../ in URL | Normalize paths, restrict file access |
| Command injection | Input executes OS command | ; cat /etc/passwd | Avoid shell calls, validate input |
| Insecure deserialization | Malicious object processed | Object payload causes code execution | Safe formats, signing, validation |
| Race condition | Timing flaw changes outcome | TOCTOU | Locking, atomic operations |
| API abuse | Excessive or unauthorized calls | Missing auth, no rate limits | API gateway, auth, throttling |
| Session hijacking | Attacker uses session token | Stolen cookie/token | TLS, secure cookies, token rotation |
| Privilege escalation | Gains higher permissions | Local exploit or misconfig | Patching, least privilege, hardening |
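The SQL injection row above, as an added example that is not part of the original reference: a login check built by string concatenation beside the parameterized version, run against a constructed in-memory SQLite table. Plaintext password storage here is only to keep the demonstration short; real systems store the salted adaptive hash from the crypto table.

```python
# Added example: vulnerable string-built query vs. parameterized query.
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample table for the demonstration (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input is pasted into the SQL text, so it can change the query's logic.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized: values are bound separately and are never parsed as SQL.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both versions against the exam indicator from the table."""
    conn = build_db()
    payload = "' OR '1'='1"
    return {
        # Concatenation turns the WHERE clause into "... OR '1'='1'", always true.
        "vulnerable_accepts_payload": login_vulnerable(conn, "alice", payload),
        # The bound parameter is compared as a literal string and does not match.
        "safe_rejects_payload": not login_safe(conn, "alice", payload),
        # The safe version still works for the real credential.
        "safe_accepts_real": login_safe(conn, "alice", "correct-horse"),
    }
```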
## Wireless and Network Attacks
| Attack | Description | Mitigation |
|---|---|---|
| Evil twin | Rogue AP mimics legitimate SSID | WPA3/WPA2-Enterprise, certificate validation |
| Rogue AP | Unauthorized AP connected to network | Wireless scans, NAC, switch port security |
| Deauthentication attack | Forces clients off Wi-Fi | Protected management frames where supported |
| On-path/MITM | Intercepts/modifies traffic | TLS, VPN, certificate validation |
| ARP poisoning | Spoofs MAC-to-IP mapping | Dynamic ARP inspection, static ARP for critical systems |
| DNS poisoning | Corrupts name resolution | DNSSEC validation, secure DNS, monitoring |
| MAC flooding | Overloads switch CAM table | Port security, storm control |
| VLAN hopping | Escapes VLAN isolation | Disable trunking on access ports, native VLAN hygiene |
| DDoS | Overwhelms service | CDN/scrubbing, rate limits, autoscaling, WAF |
| Replay attack | Reuses captured valid data | Nonces, timestamps, mutual authentication |
# Cryptography and PKI
## Crypto Selection Matrix
| Need | Use | Why |
|---|---|---|
| Protect data confidentiality at rest | Symmetric encryption | Fast for large data volumes |
| Protect data in transit | TLS | Authenticates server and encrypts session |
| Prove data integrity | Hash | Detects change |
| Prove sender and integrity | Digital signature | Hash of the data signed with sender's private key; verified with the public key |
| Exchange keys over untrusted network | Asymmetric crypto / key exchange | Solves secure key establishment |
| Store passwords | Salted adaptive hash | Resists precomputed and brute-force attacks |
| Protect full storage device | Full-disk encryption | Protects lost/stolen device data |
| Protect individual fields | Field-level encryption/tokenization | Limits exposure of sensitive values |
| Verify software origin | Code signing | Validates publisher and integrity |
## Hashing, Encryption, Encoding, Obfuscation
| Concept | Reversible? | Key used? | Primary purpose | Example clue |
|---|---|---|---|---|
| Hashing | No | No, except HMAC uses key | Integrity, password storage | Same input produces fixed digest |
| Symmetric encryption | Yes | Same/shared key | Confidentiality | AES-style scenario |
| Asymmetric encryption | Yes | Public/private pair | Key exchange, signatures, identity | Certificates, PKI |
| Encoding | Yes | No | Format conversion | Base64 is not security |
| Obfuscation | Usually | Sometimes | Make analysis harder | Minified code, masking |
| Tokenization | Mapping reversible by token vault | Vault-controlled | Replace sensitive value | Payment token scenario |
| Data masking | May be irreversible or partial | No | Hide data from users | Shows last four digits only |
## PKI Terms
| Term | Exam meaning |
|---|---|
| Certificate Authority (CA) | Trusted entity that issues certificates |
| Root CA | Trust anchor; should be highly protected/offline when possible |
| Intermediate CA | Issues certs on behalf of root; limits root exposure |
| Certificate | Binds public key to identity |
| CSR | Certificate signing request containing public key and subject info |
| Private key | Must be protected; compromise breaks trust |
| Public key | Shared openly; used to verify signatures or encrypt to owner |
| CRL | Certificate revocation list |
| OCSP | Online certificate status checking |
| Key escrow | Third party stores keys for recovery/access |
| Certificate pinning | App trusts specific certificate/public key |
| Mutual TLS | Client and server authenticate with certificates |

| Format/Extension | Typical use |
|---|---|
| PEM | Base64 text certificate/key, often .pem, .crt, .cer |
| DER | Binary certificate format |
| PFX/P12 | Certificate plus private key, often password protected |
| CER/CRT | Certificate file; may be PEM or DER |
| P7B/P7C | Certificate chain, usually no private key |
## Crypto Traps
| Scenario wording | Best interpretation |
|---|---|
| “Need to verify file was not changed” | Hash or digital signature, not encryption alone |
| “Need to prove who sent it” | Digital signature, not just hash |
| “Need fastest encryption for large data” | Symmetric encryption |
| “Need secure password storage” | Salted adaptive hashing, not reversible encryption |
| “Need to protect data if laptop is stolen” | Full-disk encryption |
| “Need to protect web sessions” | TLS with valid certificates |
| “Need to prevent use of a stolen password” | MFA, conditional access, account monitoring |
# Identity and Access Management
## Identity Concepts
| Concept | Meaning | Example |
|---|---|---|
| Identification | Claiming identity | Username |
| Authentication | Proving identity | Password + token |
| Authorization | Granting rights | Role assignment |
| Federation | Trusting another identity provider | SSO with external IdP |
| Provisioning | Creating accounts/access | New hire workflow |
| Deprovisioning | Removing accounts/access | Termination workflow |
| Attestation/recertification | Periodic access review | Manager confirms access |
| JIT access | Temporary privilege | Admin role for 1 hour |
| PAM | Controls privileged accounts | Vaulting, session recording |
| SSO | One login for many apps | SAML/OIDC portal |
## Authentication Factor Matrix
| Factor | Description | Examples | Trap |
|---|---|---|---|
| Something you know | Secret knowledge | Password, PIN | Security questions are weak knowledge factors. |
| Something you have | Possession | Smart card, hardware token, phone app | SMS is weaker than app/hardware token. |
| Something you are | Biometric | Fingerprint, face, iris | Biometrics cannot be changed like passwords. |
| Somewhere you are | Location | Geo-IP, trusted network | Usually context, not standalone factor. |
| Something you do | Behavior | Typing pattern, gesture | Often continuous/risk-based signal. |
## Access Control Models
| Model | Decision basis | Best for | Trap |
|---|---|---|---|
| DAC | Owner controls access | Flexible file sharing | Can lead to inconsistent permissions |
| MAC | System labels/classifications | High-security classified environments | Users cannot override labels |
| RBAC | Job roles | Enterprise access management | Role explosion if poorly designed |
| ABAC | Attributes and conditions | Dynamic cloud/SaaS access | More complex policy design |
| Rule-based | Explicit rules | Firewalls, routers, ACLs | Not the same as RBAC |
| Risk-based | Contextual risk score | Adaptive authentication | May step up authentication |
## IAM Protocols and Standards
| Protocol/Standard | Primary use | High-yield distinction |
|---|---|---|
| LDAP | Directory queries | Used to access directory information |
| Kerberos | Network authentication | Ticket-based; common in Windows domains |
| RADIUS | Centralized AAA | Common for VPN, Wi-Fi, network devices |
| TACACS+ | Device administration AAA | Separates authentication, authorization, accounting |
| SAML | Federated SSO for web apps | XML-based assertions |
| OAuth 2.0 | Delegated authorization | Grants app access without sharing password |
| OpenID Connect | Authentication on top of OAuth 2.0 | Provides identity tokens |
| FIDO2/WebAuthn | Phishing-resistant authentication | Public key-based login |
| 802.1X | Port-based network access control | Wired/wireless NAC with supplicant/authenticator/server |
## Password and Account Policy Traps
| Requirement | Better approach |
|---|---|
| Reduce password reuse risk | Password manager, breached-password checks, MFA |
| Stop brute force | Lockout/throttling, MFA, monitoring |
| Reduce help desk resets | Self-service reset with strong verification |
| Secure service accounts | Managed service accounts, vaulting, rotation, least privilege |
| Prevent orphaned accounts | Automated deprovisioning tied to HR process |
| Reduce shared admin risk | Individual privileged accounts with PAM |
# Network Security Reference
## Common Ports and Protocols
| Port | Protocol | Secure? | Use |
|---|---|---|---|
| 20/21 | FTP | No | File transfer control/data |
| 22 | SSH/SFTP/SCP | Yes | Secure remote shell/file transfer |
| 23 | Telnet | No | Legacy remote shell |
| 25 | SMTP | Usually no by itself | Mail transfer |
| 53 | DNS | Usually no by itself | Name resolution |
| 67/68 | DHCP | No | IP assignment |
| 80 | HTTP | No | Web |
| 88 | Kerberos | Yes by design | Ticket authentication |
| 110 | POP3 | No | Mail retrieval |
| 123 | NTP | No by itself | Time sync |
| 135/139/445 | RPC/NetBIOS/SMB | Depends | Windows file/admin services |
| 143 | IMAP | No | Mail retrieval |
| 161/162 | SNMP | v3 preferred | Monitoring/traps |
| 389 | LDAP | No by itself | Directory |
| 443 | HTTPS | Yes with TLS | Secure web/API |
| 445 | SMB | Depends | Windows file sharing |
| 465/587 | SMTPS/Submission | TLS capable | Secure mail submission |
| 514 | Syslog | No by default | Logging |
| 636 | LDAPS | Yes | LDAP over TLS |
| 993 | IMAPS | Yes | Secure IMAP |
| 995 | POP3S | Yes | Secure POP3 |
| 1433 | MS SQL Server | Depends | Database |
| 1521 | Oracle DB | Depends | Database |
| 3306 | MySQL/MariaDB | Depends | Database |
| 3389 | RDP | Encrypted but high-risk | Remote desktop |
| 5060/5061 | SIP/SIPS | 5061 uses TLS | VoIP signaling |
## Network Device Selection
| Need | Choose | Why |
|---|---|---|
| Filter traffic by IP/port/protocol | Firewall | Enforces network access policy |
| Filter web app attacks | WAF | Understands HTTP/app-layer patterns |
| Detect suspicious traffic | IDS | Alerts without blocking |
| Block suspicious traffic inline | IPS | Prevents/interrupts detected attacks |
| Isolate public-facing services | DMZ | Limits exposure of internal network |
| Segment internal users/systems | VLANs/subnets/firewalls | Limits lateral movement |
| Secure remote access | VPN or ZTNA | Encrypted and authenticated access |
| Authenticate network port access | NAC/802.1X | Checks user/device before network access |
| Hide internal IP addresses | NAT | Address translation, not a full security control |
| Improve availability/performance | Load balancer | Distributes traffic |
| Resist DDoS | Scrubbing/CDN/rate limiting | Absorbs or filters attack traffic |
| Secure DNS resolution | DNS filtering/DNSSEC validation | Blocks malicious domains or validates records |
## Segmentation Patterns
| Pattern | Use case | Notes |
|---|---|---|
| DMZ | Public web, mail relay, reverse proxy | Do not place sensitive databases directly in DMZ. |
| Microsegmentation | Fine-grained workload isolation | Common in virtualized/cloud environments. |
| VLAN segmentation | Separate broadcast domains | Needs routing/firewall policy to enforce security. |
| Air gap | Maximum isolation | Operationally difficult; removable media remains a risk. |
| Jump host/bastion | Controlled admin entry point | Log and restrict access heavily. |
| Screened subnet | Layered perimeter design | Internet-facing systems isolated from internal network. |
## VPN and Remote Access
| Option | Best for | Watch for |
|---|---|---|
| Full-tunnel VPN | Route all client traffic through corporate controls | More bandwidth, stronger central inspection |
| Split-tunnel VPN | Only corporate traffic uses VPN | Better performance, more endpoint risk |
| Client-to-site VPN | Remote users | Requires endpoint security posture |
| Site-to-site VPN | Office/cloud network connection | Protects network-to-network traffic |
| SSL/TLS VPN | Browser/client remote access | Easier through firewalls |
| IPsec VPN | Network-layer secure tunnel | Common for site-to-site |
| ZTNA | App-specific access without broad network access | Aligns with zero trust |
# Security Architecture and Design
## Secure Architecture Concepts
| Concept | Practical meaning |
|---|---|
| Secure by design | Security built into requirements and architecture |
| Secure by default | Default settings minimize exposure |
| Fail secure | Failure denies access or preserves safety |
| Resilience | System continues or recovers under stress |
| Redundancy | Duplicate components reduce single points of failure |
| Scalability | Handles growth without redesign |
| Elasticity | Dynamically adjusts capacity |
| High availability | Reduces downtime through redundancy/failover |
| Fault tolerance | Continues despite component failure |
| Single point of failure | One failure can break service |
| Attack surface reduction | Remove/disable unnecessary exposure |
## Availability and Recovery Terms
| Term | Meaning | Exam clue |
|---|---|---|
| RTO | Maximum acceptable recovery time | “How long can the system be down?” |
| RPO | Maximum acceptable data loss | “How much data can be lost?” |
| MTBF | Average time between failures | Reliability measure |
| MTTR | Average time to repair/recover | Maintainability measure |
| Hot site | Ready quickly; systems/data near current | Highest readiness, higher cost |
| Warm site | Partially ready | Middle option |
| Cold site | Facility only/basic infrastructure | Lower cost, longer recovery |
| Full backup | All selected data | Slower backup, simpler restore |
| Incremental backup | Changes since last backup | Fast backup, more restore steps |
| Differential backup | Changes since last full backup | Middle ground |
## Cloud and Virtualization
| Concept | Security responsibility clue |
|---|---|
| IaaS | Customer manages OS, apps, data, identity configs |
| PaaS | Provider manages more platform; customer secures apps/data/access |
| SaaS | Provider manages app stack; customer manages identities, data, configuration |
| Public cloud | Shared provider infrastructure |
| Private cloud | Dedicated to one organization |
| Hybrid cloud | Mix of cloud and on-premises |
| Community cloud | Shared by organizations with common requirements |
| Multicloud | Uses multiple cloud providers |
| CASB | Visibility/control for SaaS/cloud usage |
| CSPM | Finds cloud configuration risks |
| CWPP | Protects cloud workloads |
| Secrets manager | Stores API keys/passwords securely |
| Security groups | Instance-level virtual firewall concept |
| Network ACLs | Subnet-level stateless filtering concept in many cloud designs |
## Cloud Exam Traps
| Scenario | Better answer |
|---|---|
| “Storage bucket exposed publicly” | Remove public access, use least privilege, monitor policy |
| “Need encryption but provider manages infrastructure” | Use provider-managed encryption or customer-managed keys as required |
| “Developers hardcoded cloud keys” | Move secrets to secrets manager/vault; rotate exposed keys |
| “Need to detect misconfigured cloud resources” | CSPM |
| “Need to govern SaaS use and shadow IT” | CASB |
| “Need to isolate workloads in cloud” | Security groups, subnets, microsegmentation |
| “Need short-lived cloud admin access” | JIT privileged access, federation, MFA |
## Secure Application and DevSecOps
| Practice | Purpose |
|---|---|
| Threat modeling | Identify design-level threats early |
| Secure coding standards | Reduce recurring coding flaws |
| Code review | Find logic/security issues before release |
| SAST | Analyze source/static code before runtime |
| DAST | Test running application from outside |
| IAST | Runtime testing with instrumentation |
| SCA | Find vulnerable third-party dependencies |
| Fuzzing | Send malformed/random inputs to find crashes |
| CI/CD security | Automate tests, signing, approvals |
| Secrets scanning | Detect credentials in code/repos |
| IaC scanning | Detect insecure infrastructure templates |
| Container image scanning | Find vulnerable packages/configs |
| SBOM | Inventory software components |
## Container and Virtualization Security
| Risk | Control |
|---|---|
| Vulnerable image | Use trusted base images, scan images |
| Container escape | Patch host/runtime, least privilege |
| Excessive container permissions | Drop capabilities, avoid privileged mode |
| Hardcoded secrets | Secrets manager, environment controls |
| Lateral movement | Network policies, segmentation |
| Untrusted registry | Signed images, private registry |
| Hypervisor compromise | Patch hypervisor, isolate management plane |
| VM sprawl | Inventory, lifecycle management |
# Data Security and Privacy
## Data States and Controls
| Data state | Meaning | Best controls |
|---|---|---|
| At rest | Stored on disk/database/object storage | Encryption, access control, backups |
| In transit | Moving across network | TLS, VPN, secure protocols |
| In use | Being processed in memory/app | Access controls, secure enclaves where applicable, memory protection |
| In processing | Actively transformed/analyzed | Least privilege, monitoring, masking |
| In disposal | End of lifecycle | Sanitization, destruction, retention policy |
## Data Classification
| Classification | Typical handling |
|---|---|
| Public | Approved for general release |
| Internal | For organization use; not public |
| Confidential | Restricted business/sensitive data |
| Restricted/Highly confidential | Highest sensitivity; strict access and monitoring |
| Regulated data | Governed by legal/contractual obligations |
## Data Protection Techniques
| Technique | Use | Trap |
|---|---|---|
| Encryption | Protect confidentiality | Key management is critical |
| Hashing | Integrity verification | Not reversible |
| Tokenization | Replace sensitive value with token | Requires token vault or mapping system |
| Masking | Hide part/all of data | Often for display/test use |
| Anonymization | Remove identifiers | Hard to reverse if done well |
| Pseudonymization | Replace identifiers but mapping may exist | Re-identification possible |
| DLP | Detect/prevent data exfiltration | Needs tuning to reduce false positives |
| DRM/IRM | Control document usage | Can restrict copy/print/forward |
| Watermarking | Trace ownership/leaks | Does not prevent copying by itself |
| Geofencing | Restrict by location | Context signal, not sole control |
| Retention policy | Defines how long to keep data | Over-retention increases risk |
| Secure disposal | Prevent data recovery | Shred, wipe, degauss, destroy as appropriate |
## Data Loss Prevention Placement
| Placement | Monitors | Best for |
|---|---|---|
| Endpoint DLP | User devices | USB, local copy, print, endpoint exfiltration |
| Network DLP | Network traffic | Email/web uploads, unencrypted outbound traffic |
| Storage/Discovery DLP | Repositories | Finding sensitive data at rest |
| Cloud/SaaS DLP | Cloud apps | Sharing controls, SaaS data movement |
# Vulnerability Management and Hardening
## Vulnerability Management Workflow
```mermaid
flowchart LR
A[Inventory assets] --> B[Scan and discover]
B --> C[Validate findings]
C --> D[Prioritize risk]
D --> E[Remediate or mitigate]
E --> F[Verify fix]
F --> G[Report and improve]
```
## Scan and Test Types
| Type | Purpose | Key distinction |
|---|---|---|
| Vulnerability scan | Finds known weaknesses | Can be credentialed or non-credentialed |
| Credentialed scan | Authenticated local checks | More accurate; sees patch/config state |
| Non-credentialed scan | External perspective | Shows exposed services |
| Penetration test | Exploits to prove impact | Authorized, goal-based |
| Red team | Adversary simulation | Tests detection/response too |
| Blue team | Defenders | Monitor and respond |
| Purple team | Collaborative red + blue | Improves controls and detection |
| Bug bounty | External researchers report flaws | Requires scope and rules |
| Compliance scan | Checks against baseline/regulation | Passing compliance is not full security |
| Configuration review | Examines settings | Finds insecure defaults/misconfigs |

| Finding | Preferred action |
|---|---|
| Patch available and low disruption | Patch |
| Patch unavailable | Mitigate with compensating controls |
| False positive | Document validation and suppress carefully |
| Business accepts risk | Record risk acceptance with owner |
| Legacy system cannot be changed | Segment, monitor, restrict access |
| Internet-exposed critical vulnerability | Prioritize immediate remediation |
| Vulnerability on low-value isolated asset | Prioritize based on risk, not score alone |
## Hardening Checklist
| Area | High-yield actions |
|---|---|
| OS | Patch, disable unused services, remove default accounts, enforce least privilege |
| Network device | Change defaults, secure management plane, disable insecure protocols, backup configs |
| Application | Secure headers, input validation, least privilege service accounts, dependency updates |
| Database | Restrict network access, encrypt sensitive fields, audit queries, least privilege |
| Endpoint | EDR, host firewall, disk encryption, application control, patching |
| Mobile | MDM, screen lock, encryption, remote wipe, app control |
| Cloud | Least privilege IAM, no public storage by default, logging, encryption, guardrails |
| Wireless | WPA3/WPA2-Enterprise, strong authentication, rogue AP detection |
| IoT/OT | Segment, change defaults, monitor, patch carefully, account for safety/uptime |
## Secure Baselines
| Item | Purpose |
|---|---|
| Standard image | Consistent secure build |
| Configuration baseline | Defines approved settings |
| Drift detection | Finds unauthorized changes |
| GPO/MDM policy | Enforces endpoint configuration |
| CIS-style benchmark concept | Prescriptive hardening guidance |
| Exception process | Documents approved deviations |
# Security Operations
## Incident Response Lifecycle
| Phase | Goal | Typical actions |
|---|---|---|
| Preparation | Be ready before incident | Plans, contacts, tools, training, logging |
| Detection/Analysis | Confirm and scope | Triage alerts, collect indicators, classify severity |
| Containment | Limit damage | Isolate host, disable account, block IOC |
| Eradication | Remove cause | Delete malware, close vulnerability, reset credentials |
| Recovery | Restore normal operations | Rebuild, restore backup, monitor |
| Lessons learned | Improve | Post-incident review, update controls/playbooks |
## First Response Decision Points
| Scenario | First/best action |
|---|---|
| Active malware spreading | Contain affected systems |
| Compromised user account | Disable/reset account, revoke sessions/tokens |
| Suspected disk evidence | Preserve evidence; avoid unnecessary changes |
| Production web app exploited | Contain traffic, preserve logs, patch after analysis |
| Ransomware detected | Isolate systems; do not immediately wipe before evidence/scope |
| Lost mobile device | Remote lock/wipe if policy allows; revoke tokens |
| Public data leak | Escalate per incident plan; preserve evidence |
| False positive alert | Document validation and tune detection |
## Digital Forensics Essentials
| Concept | Meaning |
|---|---|
| Chain of custody | Document who handled evidence, when, and why |
| Order of volatility | Collect most volatile evidence first |
| Legal hold | Preserve relevant data for legal/investigative needs |
| Forensic image | Bit-level copy for analysis |
| Hash verification | Proves image/evidence integrity |
| Write blocker | Prevents modification of storage evidence |
| Timeline analysis | Reconstructs event sequence |
| E-discovery | Identification/collection of electronically stored information |
## Order of Volatility Reference
| Evidence source (most volatile first) | Examples |
|---|---|
| CPU/register/cache | Extremely transient |
| RAM | Processes, network connections, keys |
| Network state | Active sessions, ARP/cache |
| Running processes | Process tree, handles |
| Disk | Files, logs, artifacts |
| Backups/archives | Least volatile |
## Logging and Monitoring
| Source | What it helps detect |
|---|---|
| Authentication logs | Brute force, impossible travel, account misuse |
| Endpoint logs | Malware, process execution, persistence |
| Firewall logs | Blocked/allowed traffic, scans, exfiltration paths |
| DNS logs | Malware C2, domain generation algorithms |
| Proxy logs | User web activity, data uploads |
| Email logs | Phishing, spoofing, malware delivery |
| Cloud audit logs | IAM changes, resource creation, public exposure |
| Application logs | Errors, auth events, transaction abuse |
| Database logs | Unusual queries, privilege abuse |
| NetFlow/metadata | Traffic patterns without full packet payload |
| Packet capture | Deep investigation of network traffic |
| Physical access logs | Badge anomalies, facility access |
| Tool | Purpose | Best clue |
|---|
| SIEM | Aggregate/correlate logs and alerts | Central visibility and alerting |
| SOAR | Automate response workflows | Playbooks, enrichment, ticketing |
| EDR | Endpoint detection and response | Process behavior, isolation |
| XDR | Correlates across endpoint/network/cloud/email | Broader detection integration |
| NDR | Network detection and response | Suspicious traffic patterns |
| UEBA | User/entity behavior analytics | Anomalous user/device activity |
| IDS | Detects suspicious activity | Alerts only |
| IPS | Blocks suspicious activity | Inline prevention |
| FIM | File integrity monitoring | Unauthorized file changes |
| HIDS/HIPS | Host-based detection/prevention | Runs on endpoint/server |
| NIDS/NIPS | Network-based detection/prevention | Monitors network segments |
Common Command-Line Clues
Use commands conceptually on the exam: know what the output would help determine.
```bash
# Network connections and listening ports
ss -tulpen          # Linux: TCP/UDP listeners, owning process (-p), numeric ports (-n)
netstat -ano        # Windows: all connections, numeric, owning PID (-o)
# DNS troubleshooting
nslookup example.com
dig example.com
# Path and connectivity
ping 10.0.0.5
traceroute example.com   # Linux/macOS
tracert example.com      # Windows
# Basic packet capture (needs root/CAP_NET_RAW; add -w capture.pcap to keep the traffic)
tcpdump -i eth0 host 10.0.0.5
# File integrity: compare against the hash recorded at acquisition
sha256sum evidence.img
```
Security Automation Example
```yaml
trigger: suspicious_login
conditions:
  - impossible_travel: true
  - mfa_failed_count: ">=3"
actions:
  - revoke_sessions
  - require_password_reset
  - open_incident_ticket
  - notify_security_team
```
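How the playbook above would be driven by log evidence, as an added example that is not from the original reference and is not tied to any particular SIEM or SOAR product. It runs detection over constructed authentication events (RFC 5737 test addresses, made-up users and coordinates, and a hypothetical `result` field with the values success, mfa_fail and bad_password), flags impossible travel from implied speed between consecutive credential-verified logins, counts MFA failures, and fires the playbook's four actions only when both conditions hold. It goes one step beyond the playbook by also covering the brute-force pattern from the Authentication logs row.

```python
"""Detection logic over authentication events, then the playbook decision
(impossible travel AND mfa_failed_count >= 3). Added example, not from the
original quick reference. Log lines are constructed: RFC 5737 test addresses,
made-up users and coordinates. Standard library only."""
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines auth log. result: success (login completed),
# mfa_fail (password accepted, MFA failed), bad_password (password rejected).
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:00Z","user":"alice","src_ip":"203.0.113.10","lat":51.50,"lon":-0.12,"result":"success"}
{"ts":"2024-05-01T08:20:00Z","user":"alice","src_ip":"198.51.100.7","lat":35.68,"lon":139.69,"result":"mfa_fail"}
{"ts":"2024-05-01T08:21:00Z","user":"alice","src_ip":"198.51.100.7","lat":35.68,"lon":139.69,"result":"mfa_fail"}
{"ts":"2024-05-01T08:22:00Z","user":"alice","src_ip":"198.51.100.7","lat":35.68,"lon":139.69,"result":"mfa_fail"}
{"ts":"2024-05-01T09:00:00Z","user":"bob","src_ip":"192.0.2.50","lat":40.71,"lon":-74.00,"result":"bad_password"}
{"ts":"2024-05-01T09:00:20Z","user":"bob","src_ip":"192.0.2.50","lat":40.71,"lon":-74.00,"result":"bad_password"}
{"ts":"2024-05-01T09:00:40Z","user":"bob","src_ip":"192.0.2.50","lat":40.71,"lon":-74.00,"result":"bad_password"}
{"ts":"2024-05-01T09:01:00Z","user":"bob","src_ip":"192.0.2.50","lat":40.71,"lon":-74.00,"result":"bad_password"}
{"ts":"2024-05-01T09:01:20Z","user":"bob","src_ip":"192.0.2.50","lat":40.71,"lon":-74.00,"result":"bad_password"}
{"ts":"2024-05-01T10:00:00Z","user":"carol","src_ip":"203.0.113.44","lat":48.86,"lon":2.35,"result":"success"}
{"ts":"2024-05-01T13:00:00Z","user":"carol","src_ip":"203.0.113.45","lat":45.76,"lon":4.84,"result":"success"}
"""

PLAYBOOK_ACTIONS = ["revoke_sessions", "require_password_reset",
                    "open_incident_ticket", "notify_security_team"]


def parse_events(text):
    """One JSON object per line; timestamps become UTC datetimes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Users with >= threshold bad passwords inside a sliding time window."""
    times = defaultdict(list)
    for e in events:
        if e["result"] == "bad_password":
            times[e["user"]].append(e["ts"])
    flagged = {}
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def detect_impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Flag users whose consecutive credential-verified events imply travel faster
    than max_kmh. Both success and mfa_fail count: the attacker holds the password
    even when MFA stops the login. Moves under min_km are ignored (geo-IP jitter)."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] in ("success", "mfa_fail"):
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = max((cur["ts"] - prev["ts"]).total_seconds(), 1) / 3600
            if km >= min_km and km / hours > max_kmh:
                flagged[user] = round(km / hours)  # implied speed in km/h
                break
    return flagged


def mfa_failures(events):
    """Count of MFA failures per user across the input."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "mfa_fail":
            counts[e["user"]] += 1
    return dict(counts)


def run_playbook(events):
    """Trigger suspicious_login when impossible_travel is true AND mfa_failed_count >= 3;
    returns the playbook actions per affected user."""
    travel, mfa = detect_impossible_travel(events), mfa_failures(events)
    return {u: list(PLAYBOOK_ACTIONS) for u in travel if mfa.get(u, 0) >= 3}
```

Running `run_playbook(parse_events(SAMPLE_LOG))` returns actions for alice only: London to Tokyo in twenty minutes with three MFA failures matches both conditions, carol's Paris to Lyon in three hours is plausible travel, and bob's brute force is reported by `detect_brute_force` but is not what this playbook is scoped to handle.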
Endpoint, Mobile, and Email Security
Endpoint Controls
| Control | Use |
|---|
| EDR | Detect and respond to endpoint threats |
| Antivirus/anti-malware | Signature and behavior-based malware protection |
| Host firewall | Restrict inbound/outbound host traffic |
| Application allowlisting | Only approved apps execute |
| Disk encryption | Protect lost/stolen devices |
| Secure boot | Prevent boot-level tampering |
| TPM/HSM | Hardware-backed key protection |
| Patch management | Reduce known vulnerabilities |
| MDM/UEM | Manage mobile and endpoints |
| Remote wipe | Protect lost/stolen device data |
Mobile Security
| Risk | Control |
|---|
| Lost device | Lock, encryption, remote wipe |
| Malicious app | App store control, MDM, app vetting |
| BYOD data mixing | Containerization, MAM |
| Jailbreak/root | Compliance check, block access |
| Untrusted Wi-Fi | VPN, avoid auto-join |
| SMS phishing | Awareness, filtering |
| Excessive permissions | App permission review |
Email Security Controls
| Control | Purpose |
|---|
| SPF | DNS record listing the servers authorized to send for the envelope (MAIL FROM) domain |
| DKIM | Cryptographically signs selected headers and the body; the signing domain is the d= tag |
| DMARC | Policy (none/quarantine/reject) and reporting based on SPF/DKIM alignment with the visible From: domain |
| Secure email gateway | Filters spam, malware, phishing |
| Sandboxing | Detonates suspicious attachments/links |
| URL rewriting | Checks links at click time |
| User reporting button | Speeds phishing response |
| Banner warning | Labels external/suspicious mail |
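How the three authentication controls above combine at the receiver, as an added example that is not from the original reference. It parses a DMARC record, tests identifier alignment (strict or relaxed) between the SPF-authenticated MAIL FROM domain or the DKIM d= domain and the visible From: domain, and returns the disposition. No DNS lookups or signature checks happen here; the SPF and DKIM results are assumed to come from an upstream check, the domains are constructed, and the organizational-domain rule is a deliberate simplification of the Public Suffix List lookup real receivers perform.

```python
"""SPF, DKIM and DMARC working together: parse a DMARC record, test identifier
alignment against the visible From: domain, and return the disposition a
receiving server would apply. Added example, not from the original reference.
Inputs are constructed: no DNS lookups and no signature verification happen
here; the SPF/DKIM results are assumed to come from an upstream check."""

DEFAULTS = {"p": "none", "adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(record):
    """'v=DMARC1; p=reject; sp=quarantine; adkim=s' -> dict with RFC 7489 defaults filled in."""
    tags = dict(DEFAULTS)
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain via the naive last-two-labels rule. Real receivers use the
    Public Suffix List (this gets 'example.co.uk' wrong); accepted simplification here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition, reason).

    spf_domain  - the envelope MAIL FROM domain that SPF authenticated
    dkim_domain - the d= tag of a DKIM signature that verified
    The record is assumed to be published at from_domain's organizational domain,
    so 'sp' (subdomain policy) applies when From: is a subdomain."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none", "aligned " + ("SPF" if spf_ok else "DKIM")
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"  # unknown value: treat as monitoring only
    return False, policy, "no authenticated identifier aligns with From:"


def demo():
    """Four constructed scenarios worth recognizing on sight."""
    rec = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"
    return {
        # Legitimate mail: SPF passes for a relaxed-aligned subdomain.
        "legit": evaluate_dmarc(rec, "example.com", "pass", "mail.example.com", "none", None),
        # Spoofed From: the attacker's own SPF passes, but for the wrong domain.
        "spoof": evaluate_dmarc(rec, "example.com", "pass", "attacker.example", "none", None),
        # Forwarded mail: SPF breaks (forwarder's IP), DKIM survives and aligns.
        "forwarded": evaluate_dmarc(rec, "example.com", "fail", "example.com", "pass", "example.com"),
        # Strict DKIM alignment: a subdomain signer no longer counts.
        "strict": evaluate_dmarc("v=DMARC1; p=quarantine; adkim=s", "example.com",
                                 "fail", "example.com", "pass", "mail.example.com"),
    }
```

The "spoof" case is the exam point: SPF on its own passes because the attacker controls the envelope domain, and only DMARC's alignment requirement ties the authenticated identifier back to the From: header the user actually sees. The "forwarded" case is why DKIM matters alongside SPF: forwarding changes the sending IP but leaves the signature intact.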
Governance, Risk, and Compliance
Policy Hierarchy
| Document | Role |
|---|
| Policy | High-level management intent |
| Standard | Mandatory specific requirement |
| Procedure | Step-by-step instructions |
| Guideline | Recommended practice |
| Baseline | Minimum secure configuration |
| Playbook | Repeatable operational response steps |
| Runbook | Detailed operational task execution |
Risk Terms
| Term | Meaning |
|---|
| Asset | Something of value |
| Threat | Potential cause of harm |
| Vulnerability | Weakness that can be exploited |
| Likelihood | Probability/frequency of event |
| Impact | Business effect if event occurs |
| Inherent risk | Risk before controls |
| Residual risk | Risk remaining after controls |
| Risk appetite | Amount of risk organization is willing to accept |
| Risk tolerance | Acceptable variation around appetite |
| Risk register | Documented list of risks, owners, treatment status |
| Control | Safeguard that reduces risk |
| Compensating control | Alternative control when preferred control is not feasible |
Risk Response Options
| Option | Meaning | Example |
|---|
| Avoid | Stop activity causing risk | Retire vulnerable public service |
| Mitigate | Reduce likelihood/impact | Patch, segment, add MFA |
| Transfer | Shift financial/operational impact | Cyber insurance, outsourcing with contract |
| Accept | Acknowledge and monitor | Business owner signs off residual risk (documented exemption or exception) |
| Share | Distribute responsibility | Joint venture or shared control arrangement (not a separate SY0-701 strategy; treat as a form of transfer) |
Business Impact and Continuity
| Term | Purpose |
|---|
| BIA | Identifies critical processes and impact of disruption |
| BCP | Keeps business operating during disruption |
| DRP | Restores IT systems after disruption |
| COOP | Continuity of operations planning |
| Tabletop exercise | Discussion-based test of plan |
| Simulation | More realistic process exercise |
| Failover test | Validates backup system activation |
| After-action report | Documents lessons and improvements |
Third-Party and Supply Chain Security
| Area | What to check |
|---|
| Due diligence | Assess vendor before onboarding |
| Due care | Ongoing responsible oversight |
| SLA | Availability/support expectations |
| MSA/SOW | Contractual services and responsibilities |
| NDA | Confidentiality obligations |
| Right to audit | Permission to assess vendor controls |
| Data processing agreement | Data handling responsibilities |
| Vendor risk assessment | Security posture and residual risk |
| SBOM | Software component transparency |
| Attestation/report | Independent assurance evidence |
| Offboarding | Data return/destruction, access removal |
Awareness and Training
| Topic | Exam-relevant purpose |
|---|
| Phishing simulations | Measure and improve user reporting |
| Role-based training | Tailor content to job risk |
| Executive training | BEC, whaling, crisis decisions |
| Developer training | Secure coding and dependency risk |
| Insider threat training | Reporting and behavioral indicators |
| Acceptable use | Defines allowed technology behavior |
| Clean desk | Reduces physical information exposure |
Physical and Environmental Security
Physical Controls
| Control | Function |
|---|
| Bollards | Stop vehicles |
| Fences/gates | Perimeter control |
| Guards | Deterrent and response |
| Badges | Identify authorized personnel |
| Access control vestibule (mantrap) | Prevent tailgating/piggybacking |
| Locks | Restrict access |
| Biometrics | Strong physical authentication |
| CCTV | Detective/deterrent |
| Motion sensors | Detect movement |
| Alarms | Alert on intrusion |
| Faraday cage | Block electromagnetic signals |
| Cable locks | Deter equipment theft |
| Safes | Protect high-value items/media |
Environmental Controls
| Control | Protects against |
|---|
| HVAC | Heat/humidity problems |
| Hot/cold aisles | Data center cooling efficiency |
| Fire detection | Early fire warning |
| Fire suppression | Fire damage reduction |
| UPS | Short power interruption |
| Generator | Longer power outage |
| PDU | Power distribution |
| EPO | Emergency power off |
| Water detection | Leaks/flooding |
| EMI shielding | Electromagnetic interference |
High-Yield “Choose the Best Control” Matrix
| If the question says… | Think… |
|---|
| “Prevent unauthorized access after password theft” | MFA |
| “Limit blast radius after compromise” | Segmentation, least privilege |
| “Detect unusual user behavior” | UEBA/SIEM |
| “Automate repetitive incident response” | SOAR |
| “Protect public web app from injection” | WAF plus secure coding |
| “Protect data on stolen laptop” | Full-disk encryption |
| “Verify file integrity” | Hash |
| “Verify sender and integrity” | Digital signature |
| “Stop use of exposed hardcoded credentials” | Rotate credentials and use secrets manager |
| “Employees use unsanctioned SaaS” | CASB |
| “Find cloud misconfigurations” | CSPM |
| “Enforce device compliance before network access” | NAC/802.1X |
| “Reduce phishing success” | Training, filtering, MFA, DMARC |
| “Recover from ransomware” | Tested offline/immutable backups |
| “Contain infected host” | Isolate network connection |
| “Need evidence integrity” | Hash and chain of custody |
| “Legacy system cannot be patched” | Compensating controls, segmentation, monitoring |
| “Need temporary admin access” | JIT/PAM |
| “Need central log correlation” | SIEM |
| “Need to block malicious traffic inline” | IPS |
| “Need to detect without blocking” | IDS |
| “Need to govern privileged accounts” | PAM |
| “Need to prove compliance with a configuration” | Baseline scan/audit |
| “Need to assess business process criticality” | BIA |
| “Need to keep the business operating” | BCP |
| “Need to restore IT systems” | DRP |
Common SY0-701 Exam Traps
| Trap | Avoid it by remembering |
|---|
| Confusing encryption and hashing | Encryption is reversible; hashing is not. |
| Choosing a detective control when asked to prevent | IDS detects; IPS/firewall can block. |
| Treating MFA as authorization | MFA authenticates; permissions still require authorization. |
| Assuming cloud provider secures everything | Customer still manages identity, data, configuration, and app choices depending on model. |
| Overlooking business impact | Security+ scenarios often want the practical control aligned to risk. |
| Ignoring evidence preservation | In incident questions, contain without destroying evidence. |
| Choosing wipe/rebuild too early | First identify, contain, and preserve what is needed. |
| Thinking VLAN alone is security | VLANs need routing/firewall policy enforcement. |
| Selecting “most secure” over “best fit” | Consider cost, downtime, usability, and requirement wording. |
| Confusing SAML and OAuth | SAML is federated SSO; OAuth is delegated authorization; OIDC adds authentication. |
| Assuming backups solve ransomware automatically | Backups must be tested, protected, and not encrypted by attacker. |
| Treating NAT as a firewall | NAT hides addresses but does not replace access control. |
| Forgetting deprovisioning | Orphaned accounts are a major IAM risk. |
| Using shared admin accounts | Breaks accountability and non-repudiation. |
Final Review Checklist
Before practice sessions, confirm you can quickly:
- Match threats to mitigations without overengineering.
- Distinguish preventive, detective, corrective, deterrent, directive, and compensating controls.
- Choose between IDS, IPS, SIEM, SOAR, EDR, XDR, NDR, WAF, NAC, CASB, CSPM, and DLP.
- Explain hashing, encryption, signatures, certificates, tokenization, masking, and salting.
- Identify when to use RBAC, ABAC, federation, PAM, JIT, SSO, and MFA.
- Read logs and command outputs conceptually.
- Follow incident response order: prepare, detect/analyze, contain, eradicate, recover, learn.
- Preserve evidence using chain of custody and hashing.
- Connect BIA, BCP, DRP, RTO, and RPO.
- Apply risk responses: avoid, mitigate, transfer, accept, share.
- Prioritize the answer that best satisfies the scenario objective and constraint.
Practical Next Step
Use this Quick Reference as a checklist while completing timed CompTIA Security+ (SY0-701) practice questions. After each missed question, tag the miss by category: concept gap, keyword trap, control-selection error, or scenario-reading error, then drill that category with additional original practice.