Exam Identity and Use
This independent Quick Reference supports candidates preparing for CompTIA Security+ V8 (SY0-801) from CompTIA. Use it as a compact review sheet for high-yield distinctions, decision points, and common traps. Always align final study with the current CompTIA exam objectives for SY0-801.
Security Foundations
CIA, AAA, and Non-Repudiation
| Concept | Meaning | Exam cue | Common control examples |
|---|---|---|---|
| Confidentiality | Prevent unauthorized disclosure | “Protect sensitive data from being viewed” | Encryption, access control, data masking |
| Integrity | Prevent unauthorized modification | “Detect tampering” or “ensure data is unchanged” | Hashing, digital signatures, file integrity monitoring |
| Availability | Ensure systems/data are usable when needed | “Minimize downtime” | Redundancy, backups, clustering, DDoS protection |
| Identification | Claiming an identity | Username, account ID, certificate subject | User ID, device ID |
| Authentication | Proving identity | “Verify who the user is” | Password, MFA, certificate, Kerberos |
| Authorization | Granting permissions | “What can the user access?” | RBAC, ABAC, ACLs |
| Accounting | Tracking actions | “Who did what and when?” | Logs, audit trails, SIEM |
| Non-repudiation | Prevent denying an action | “Prove sender/action later” | Digital signatures, timestamping, signed logs |
Control Categories and Functions
| Dimension | Options | How to recognize |
|---|---|---|
| Control category | Managerial, operational, technical, physical | Managerial = policy/risk; operational = people/process; technical = systems; physical = facilities |
| Control function | Preventive, detective, corrective, deterrent, compensating, directive | Prevent = stop; detect = alert; correct = restore; deter = discourage; compensate = alternative; direct = require behavior |
| Security model | Zero trust, defense in depth, least privilege, separation of duties | Zero trust = verify continuously; defense in depth = layered controls; least privilege = only required access; SoD = split critical tasks |
High-Yield Security Principles
| Principle | Practical meaning | Trap |
|---|---|---|
| Least privilege | Grant only needed permissions | “Admin by default” violates it |
| Need to know | Access based on business need | Different from clearance alone |
| Defense in depth | Multiple overlapping controls | Not one “perfect” control |
| Secure by design | Build security into architecture | Not added only after deployment |
| Fail secure | Failure leaves system protected | Not the same as fail open |
| Default deny | Block unless explicitly allowed | Stronger baseline than allow by default |
| Implicit deny | Unmatched traffic/access is denied | Common in firewalls and ACLs |
| Separation of duties | Split sensitive responsibilities | Reduces fraud and single-person abuse |
| Job rotation | Rotate roles to detect abuse and reduce dependency | Not primarily an access-control model |
| Dual control | Two people required for one action | Stronger than review after the fact |
Risk, Governance, and Compliance
Risk Terms
| Term | Meaning | Exam cue |
|---|---|---|
| Asset | Something valuable | Data, system, facility, reputation |
| Threat | Potential cause of harm | Attacker, storm, insider, malware |
| Vulnerability | Weakness that can be exploited | Unpatched service, weak password |
| Risk | Likelihood and impact of threat exploiting vulnerability | “What could happen?” |
| Inherent risk | Risk before controls | Baseline exposure |
| Residual risk | Risk remaining after controls are applied | Must be formally accepted by the risk owner, or treated further if it exceeds tolerance |
| Risk appetite | Amount of risk organization is willing to accept | Strategic tolerance |
| Risk tolerance | Acceptable variation around appetite | Operational threshold |
| Control | Safeguard that reduces risk | Preventive, detective, corrective, etc. |
| Compensating control | Alternative control when preferred control is not feasible | Used to meet intent, not identical method |
Risk Response Decisions
| Response | Choose when | Example |
|---|---|---|
| Mitigate | Reduce likelihood or impact | Patch, segment, encrypt |
| Avoid | Stop the risky activity | Decommission vulnerable public service |
| Transfer | Shift financial/operational impact | Cyber insurance, outsourced service with contractual responsibility |
| Accept | Residual risk is within tolerance | Documented risk acceptance |
| Escalate | Risk exceeds local authority | Send to risk owner or executive committee |
Quantitative Risk Formulas
Use these for exam math-style scenarios. Values are usually provided in the question.
\[
\text{SLE} = \text{Asset Value} \times \text{Exposure Factor}
\]
\[
\text{ALE} = \text{SLE} \times \text{Annualized Rate of Occurrence}
\]
\[
\text{Risk} = \text{Likelihood} \times \text{Impact}
\]
| Formula item | Meaning |
|---|---|
| AV | Asset value |
| EF | Percent loss from one event |
| SLE | Single loss expectancy |
| ARO | Expected frequency per year |
| ALE | Annualized loss expectancy |
| RTO | Maximum acceptable time to restore service |
| RPO | Maximum acceptable data loss measured in time |
| MTD / MAO | Maximum tolerable downtime/outage |
| MTTR | Mean time to repair/recover |
| MTBF | Mean time between failures |
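The formulas above are usually tested as a cost/benefit decision: does the ALE reduction a control buys exceed what the control costs per year? The following is an added worked example (not part of the original reference sheet) that carries SLE and ALE through to that decision. The asset value, exposure factors, ARO values and control cost are constructed exam-style numbers, and the `Scenario`, `sle`, `ale`, `control_value` and `recommend` names are this example's own.

```python
"""Quantitative risk math: SLE, ALE, and a control cost/benefit check.

Added example, not from the original reference sheet. All figures below are
constructed exam-style values, not real data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float        # AV, in currency units
    exposure_factor: float    # EF, fraction of AV lost in one event (0.0 to 1.0)
    aro: float                # ARO, expected events per year


def sle(s: Scenario) -> float:
    """Single loss expectancy = AV x EF."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized loss expectancy = SLE x ARO."""
    return sle(s) * s.aro


def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Annual value of a control = (ALE before - ALE after) - yearly cost of the control.

    Positive means the control pays for itself; negative means accepting or
    transferring the residual risk is cheaper than mitigating it.
    """
    return (ale(before) - ale(after)) - annual_control_cost


def recommend(before: Scenario, after: Scenario, annual_control_cost: float) -> str:
    """Risk response suggested by the numbers alone (policy may still override)."""
    return "mitigate" if control_value(before, after, annual_control_cost) > 0 else "accept/transfer"


if __name__ == "__main__":
    # Constructed scenario: a 200,000 server; one ransomware event destroys 40% of
    # its value and is expected once every two years (ARO = 0.5). A backup and
    # segmentation program costing 15,000/yr cuts EF to 10% and ARO to 0.25.
    before = Scenario(asset_value=200_000, exposure_factor=0.40, aro=0.5)
    after = Scenario(asset_value=200_000, exposure_factor=0.10, aro=0.25)
    print(f"SLE before: {sle(before):,.0f}   ALE before: {ale(before):,.0f}")
    print(f"ALE after:  {ale(after):,.0f}   net value of control: {control_value(before, after, 15_000):,.0f}")
    print("decision:", recommend(before, after, 15_000))
```

With these inputs SLE is 80,000, ALE drops from 40,000 to 5,000, and a 15,000/yr control nets 20,000/yr, so the answer is "mitigate"; raise the control cost above 35,000 and the same arithmetic says accept or transfer.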
Policy and Governance Artifacts
| Artifact | Purpose | Trap |
|---|---|---|
| Policy | High-level mandatory rule | Says what/why, not every step |
| Standard | Specific mandatory requirement | Example: encryption algorithm standard |
| Procedure | Step-by-step instructions | Operational “how to” |
| Guideline | Recommended practice | Usually not mandatory |
| Baseline | Minimum secure configuration | Used for consistent hardening |
| SLA | Service performance commitment | Availability/support expectations |
| MOU/MOA | Agreement between parties | Often less formal than contract |
| BPA | Business partners agreement | Defines partner roles, responsibilities, and profit/liability sharing; on the exam BPA is not a blanket purchase agreement |
| NDA | Confidentiality agreement | Protects shared sensitive information |
| AUP | Acceptable use policy | Defines permitted/prohibited use |
| BIA | Business impact analysis | Determines criticality, RTO/RPO |
| Risk register | Tracks risks, owners, status | Living governance document |
Threats and Attacks
Social Engineering
| Attack | Key indicator | Best defense |
|---|---|---|
| Phishing | Broad fraudulent email/message | Awareness, filtering, reporting, MFA |
| Spear phishing | Targeted phishing | User training, email security, verification |
| Whaling | Targets executives | Executive awareness, payment verification |
| Vishing | Voice phishing | Call-back procedures |
| Smishing | SMS phishing | Mobile awareness, link protection |
| Pretexting | Fabricated scenario | Identity verification |
| Baiting | Enticing item/link/media | Removable media controls |
| Tailgating | Following an authorized person through a controlled door | Access control vestibule (mantrap), badges, awareness |
| Shoulder surfing | Observing screens/keystrokes | Privacy filters, clean desk |
| Impersonation | Pretending to be trusted party | Challenge-response, verification |
| Invoice scam | Fraudulent payment request | Dual approval, vendor validation |
Malware and Host-Based Threats
| Threat | What it does | High-yield distinction |
|---|---|---|
| Virus | Attaches to files; requires execution | Needs host file or user action |
| Worm | Self-replicates over networks | Does not need file attachment |
| Trojan | Appears legitimate but malicious | Often installs backdoor |
| Ransomware | Encrypts/exfiltrates data for extortion | Backups and segmentation are critical |
| Spyware | Collects information covertly | Privacy/data theft focus |
| Keylogger | Captures keystrokes | Credential theft |
| Rootkit | Hides privileged compromise | Hard to detect; may require rebuild |
| Logic bomb | Triggers on condition/date | Insider threat cue |
| Botnet | Compromised hosts controlled centrally | DDoS/spam/credential attacks |
| Fileless malware | Uses memory/native tools | EDR, script controls, logging |
| PUP/PUA | Potentially unwanted program/app | May be grayware, not always overt malware |
Password and Credential Attacks
| Attack | Description | Better defense |
|---|---|---|
| Brute force | Tries many combinations | MFA, lockout/rate limiting, strong passwords |
| Dictionary | Uses wordlists | Block common passwords, password managers |
| Password spraying | Tries few common passwords across many users | MFA, detection by distributed failures |
| Credential stuffing | Reuses breached credentials | MFA, breached-password checks |
| Pass-the-hash | Replays a captured NTLM hash without cracking it | Credential Guard-like protections, restrict NTLM, unique local admin passwords, no shared admin logons to workstations |
| Kerberoasting | Requests Kerberos service tickets and cracks them offline to recover the service account password | Long random service account passwords, gMSA-like managed accounts, AES-only ticket encryption |
| Rainbow table | Precomputed hash-to-password lookup | Per-user salt plus a slow KDF |
| Offline cracking | Attacker has password database/hash | Strong hashing/KDF, salting, peppering |
Network Attacks
| Attack | Symptom | Mitigation |
|---|---|---|
| DoS/DDoS | Service unavailable from traffic flood | DDoS protection, rate limiting, CDN, filtering |
| On-path/MITM | Intercepted or altered traffic | TLS, certificate validation, VPN, secure Wi-Fi |
| ARP poisoning | Local network traffic redirection | Dynamic ARP inspection, segmentation |
| DNS poisoning | Wrong DNS responses | DNSSEC, secure resolvers, monitoring |
| DHCP starvation | Exhausts leases | DHCP snooping, port security |
| Rogue DHCP | Malicious IP configuration | DHCP snooping |
| VLAN hopping | Access to unauthorized VLAN | Disable trunk auto-negotiation (DTP) on access ports, use an unused native VLAN, shut unused ports |
| Evil twin | Fake Wi-Fi AP | WPA3/WPA2-Enterprise, certificate validation |
| Deauthentication | Wi-Fi disconnection attack | Protected management frames where supported |
| Replay | Captured valid data resent | Nonces, timestamps, session tokens |
| Session hijacking | Attacker takes active session | Secure cookies, TLS, token rotation |
Web and Application Attacks
| Attack | What to look for | Primary mitigation |
|---|---|---|
| SQL injection | User input changes database query | Parameterized queries, input validation |
| Command injection | Input executes OS command | Avoid shell calls, sanitize input, least privilege |
| XSS | Script runs in user browser | Output encoding, CSP, input validation |
| CSRF | User’s browser submits unwanted action | CSRF tokens, SameSite cookies |
| SSRF | Server fetches attacker-chosen internal URL | Egress filtering, metadata protection, allowlists |
| Path traversal | ../ accesses unauthorized files | Canonicalization, allowlists, permissions |
| Directory listing | Exposes files | Disable listing, proper web config |
| Insecure deserialization | Malicious object triggers code/logic | Safe formats, validation, signing |
| Race condition | Timing changes outcome | Locking, atomic operations |
| API abuse | Excessive/unauthorized API calls | AuthZ, rate limits, schema validation |
| IDOR | Access by changing object ID | Object-level authorization |
| Buffer overflow | Memory overwrite | Memory-safe languages, bounds checking, ASLR/DEP |
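Path traversal is the row in the table above where the mitigation ("canonicalization, allowlists, permissions") is easiest to get subtly wrong: checking the raw string for `../` misses encoded, absolute and symlinked variants. The following added example (not from the original reference sheet) shows the check a practitioner actually wants: resolve the path first, then require that the resolved result still lies under the base directory. The `safe_join`, `read_user_file` and `demo` names, the temporary directory layout, and the traversal inputs are this example's own.

```python
"""Path traversal defense: canonicalize, then confirm the result stays under the base.

Added example, not from the original reference sheet. The base directory, file
names and attack strings are constructed for the demo.
"""
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a user-supplied path would leave the served directory."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path relative to base_dir and refuse anything that escapes it.

    The comparison is done on canonical (realpath) forms so that ../ segments,
    absolute paths and symlinks are all caught by one rule: the final path must
    be base_dir itself or a descendant of it.
    """
    base = os.path.realpath(base_dir)
    # Reject absolute input outright; os.path.join() would otherwise discard base_dir.
    if os.path.isabs(user_path):
        raise UnsafePathError(f"absolute path not allowed: {user_path!r}")
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"path escapes base directory: {user_path!r}")
    return candidate


def read_user_file(base_dir: str, user_path: str) -> bytes:
    """The hardened read: every file access goes through safe_join first."""
    with open(safe_join(base_dir, user_path), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Exercise the check against traversal attempts. Returns {input: outcome}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "public")          # the directory we intend to serve
        os.makedirs(base)
        with open(os.path.join(base, "readme.txt"), "wb") as fh:
            fh.write(b"hello")
        with open(os.path.join(tmp, "secret.txt"), "wb") as fh:   # one level above base
            fh.write(b"top secret")
        for attempt in ("readme.txt", "../secret.txt", "sub/../../secret.txt", "/etc/passwd"):
            try:
                results[attempt] = read_user_file(base, attempt).decode()
            except UnsafePathError:
                results[attempt] = "BLOCKED"
    return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path!r:28} -> {outcome}")
```

`os.path.commonpath` rather than a string prefix test avoids the classic bug where `/srv/public_old` passes a `startswith("/srv/public")` check.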
Threat Actor Types
| Actor | Motivation | Typical capability |
|---|---|---|
| Script kiddie | Curiosity/status | Uses existing tools |
| Hacktivist | Ideology | Defacement, leaks, DDoS |
| Insider | Revenge, money, negligence | Trusted access |
| Organized crime | Financial gain | Phishing, ransomware, fraud |
| Nation-state/APT | Espionage/disruption | Persistent, well-resourced |
| Competitor | Business advantage | IP theft, intelligence |
| Shadow IT user | Convenience | Unapproved systems/services |
Vulnerability Management and Testing
Assessment Types
| Activity | Goal | Permission level | Output |
|---|---|---|---|
| Vulnerability scan | Find known weaknesses | Authorized | Findings list |
| Vulnerability assessment | Validate and prioritize weaknesses | Authorized | Risk-ranked remediation plan |
| Penetration test | Exploit to prove impact | Authorized, scoped | Exploit evidence and recommendations |
| Red team | Test detection/response against realistic adversary | Authorized, often stealthy | Operational security gaps |
| Blue team | Defend and respond | Internal defensive role | Improved detection/response |
| Purple team | Collaborative red + blue improvement | Joint | Tuned controls and lessons |
| Bug bounty | External researchers report flaws | Program-defined | Validated reports |
Scan and Test Distinctions
| Option | Choose when | Tradeoff |
|---|---|---|
| Credentialed scan | Need deeper, more accurate host findings | Requires safe credential handling |
| Non-credentialed scan | External attacker perspective | More false positives and false negatives (findings inferred from banners, not verified on the host) |
| Agent-based scan | Roaming or intermittently connected endpoints | Agent management overhead |
| Agentless scan | Network-visible assets | May miss offline/segmented systems |
| Passive scan | Avoid disrupting sensitive networks | Less complete |
| Active scan | Need direct validation | Can disrupt fragile systems |
| Static testing | Analyze code without running it | Earlier in SDLC |
| Dynamic testing | Test running application | Finds runtime behavior |
| Fuzzing | Send unexpected inputs | Good for crash/input handling defects |
Prioritize using more than severity alone:
- Internet exposure.
- Known exploitation in the wild.
- Business criticality.
- Data sensitivity.
- Privilege level affected.
- Ease of exploitation.
- Compensating controls.
- Patch availability and operational risk.
| Finding | Likely first action |
|---|---|
| Critical internet-facing RCE with known exploitation | Emergency patch or isolate |
| Unsupported OS on isolated lab system | Plan replacement, segment, document risk |
| Weak cipher on internal admin interface | Update configuration, verify compatibility |
| Missing patch on fragile OT device | Test patch, apply maintenance window, use segmentation if patch delayed |
| False positive | Document evidence and suppress/tune appropriately |
Identity and Access Management
Authentication Factors
| Factor | Examples | Trap |
|---|---|---|
| Something you know | Password, PIN | Security questions are also knowledge |
| Something you have | Token, smart card, phone app | SMS is weaker than app/hardware token |
| Something you are | Fingerprint, face, iris | Biometric cannot be “changed” like password |
| Somewhere you are | Geolocation, network location | Usually contextual, not standalone strong factor |
| Something you do | Typing pattern, behavior | Behavioral biometrics |
MFA means using factors from different categories. Two passwords are not MFA.
Access Control Models
| Model | Who controls access? | Best fit | Trap |
|---|---|---|---|
| DAC | Data owner | Flexible file sharing | Owner can grant access |
| MAC | Central authority/classification | Military/high-security labels | Users cannot override labels |
| RBAC | Role/job function | Enterprise access at scale | Role explosion if poorly designed |
| ABAC | Attributes and policies | Dynamic/cloud/zero trust | More complex policy design |
| Rule-based | System rules | Firewalls, time-based access | Often confused with RBAC |
| PBAC | Policy-based decisions | Centralized fine-grained control | Often implemented with attributes |
IAM Technologies
| Technology | Primary purpose | Exam distinction |
|---|---|---|
| LDAP | Directory access protocol | Queries directory services |
| Kerberos | Ticket-based authentication | Uses KDC/TGT/service tickets |
| RADIUS | AAA for network access | Common for VPN/Wi-Fi; UDP-based; encrypts only the password field |
| TACACS+ | Device administration AAA | Separates authN/authZ/accounting; TCP-based; encrypts the entire packet body |
| SAML | Federated SSO using XML assertions | Common enterprise browser SSO |
| OAuth 2.0 | Delegated authorization | “Allow app to access resource” |
| OpenID Connect | Identity layer on OAuth 2.0 | Authentication/identity tokens |
| SCIM | Identity provisioning/deprovisioning | Automates user lifecycle |
| FIDO2/WebAuthn | Phishing-resistant authentication | Public-key based, passwordless-capable |
| PAM | Controls privileged accounts | Vaulting, session recording, JIT access |
Privileged Access Controls
| Control | What it solves |
|---|---|
| Just-in-time access | Reduces standing privilege |
| Just-enough access | Grants only specific admin capability |
| Privileged session management | Records/monitors admin sessions |
| Password vaulting | Protects shared/admin secrets |
| Break-glass account | Emergency access with monitoring |
| Separate admin accounts | Reduces risk from daily-use compromise |
| Service account governance | Prevents unmanaged persistent privilege |
Network Security
Network Zones and Segmentation
| Zone/pattern | Purpose | Common controls |
|---|---|---|
| DMZ | Hosts public-facing services | Firewalls, reverse proxy, WAF |
| Internal LAN | User and business systems | NAC, segmentation, EDR |
| Management network | Admin interfaces | MFA, bastion host, allowlists |
| Guest network | Untrusted visitor access | Internet-only, client isolation |
| OT/ICS network | Industrial/control systems | Strict segmentation, monitoring, change control |
| Extranet | Partner access | VPN/ZTNA, least privilege |
| Cloud VPC/VNet | Cloud network boundary | Security groups, route tables, NACLs |
| Microsegmentation | Workload-level isolation | Identity-aware policies, east-west filtering |
Security Device Selection
| Control | Best for | Not best for |
|---|---|---|
| Stateless firewall | Simple packet filtering | App-aware decisions |
| Stateful firewall | Connection-aware filtering | Deep application attacks |
| NGFW | App/user-aware filtering | Replacing secure coding |
| WAF | HTTP/HTTPS application attacks | Non-web protocols |
| IDS | Detect and alert | Blocking by itself |
| IPS | Inline blocking | Passive-only monitoring |
| NDR | Network detection and response | Endpoint-only visibility |
| EDR | Endpoint detection/response | Network-only unmanaged devices |
| XDR | Correlated detection across tools | Substitute for good telemetry |
| Proxy | Intermediary control and filtering | Full endpoint control |
| Reverse proxy | Protect/publish backend services | User endpoint inspection |
| Load balancer | Distribute traffic, improve availability | Acting as a security control unless explicitly configured for it (TLS termination, WAF integration) |
| VPN | Encrypted tunnel | Fine-grained app-only access by itself |
| ZTNA | App-specific identity-aware access | Legacy full-network access needs |
| NAC | Control device network admission | Application-layer authorization |
| CASB | Cloud app visibility/control | On-prem-only traffic |
| DLP | Detect/prevent data leakage | Asset inventory by itself |
Common Ports and Protocols
| Protocol/service | Port(s) | Security note |
|---|---|---|
| FTP | 20/21 | Avoid for sensitive data; use secure alternatives |
| SSH/SFTP/SCP | 22 | Secure remote admin/file transfer |
| Telnet | 23 | Insecure; avoid |
| SMTP | 25 | Mail transfer |
| DNS | 53 | UDP/TCP; protect against poisoning/tunneling |
| DHCP | 67/68 | Use snooping/segmentation |
| HTTP | 80 | Unencrypted web |
| Kerberos | 88 | Ticket-based auth |
| POP3 | 110 / 995 | 995 uses TLS |
| NTP | 123 | Important for logs/auth; secure time sources |
| IMAP | 143 / 993 | 993 uses TLS |
| SNMP | 161/162 | Prefer SNMPv3 |
| LDAP | 389 | Directory protocol |
| HTTPS | 443 | HTTP over TLS |
| SMB | 445 | File sharing; high-value lateral movement target |
| LDAPS | 636 | LDAP over TLS |
| Syslog | 514 / 6514 | 514 (UDP or TCP) is cleartext; 6514 is syslog over TLS |
| RADIUS | 1812/1813 | AAA |
| TACACS+ | 49 | Device admin AAA |
| RDP | 3389 | Protect with VPN/ZTNA/MFA; avoid public exposure |
Wireless Security
| Standard/control | Meaning | Exam cue |
|---|---|---|
| WPA2-Personal | Pre-shared key | Home/small office |
| WPA2/WPA3-Enterprise | 802.1X authentication | Enterprise Wi-Fi with RADIUS |
| SAE | WPA3 password-authenticated key exchange | Better than WPA2-PSK handshake |
| Captive portal | Web-based acceptance/login | Not strong encryption by itself |
| MAC filtering | Allows listed MACs | Weak; MACs can be spoofed |
| WPS | Easy setup PIN/button | Disable where possible |
| Site survey | Identify signal/interference/rogue APs | Wireless planning/security |
Cryptography and PKI
Crypto Building Blocks
| Concept | Purpose | Example use |
|---|---|---|
| Symmetric encryption | Fast encryption with same key | Bulk data encryption |
| Asymmetric encryption | Public/private key pair | Key exchange, digital signatures |
| Hashing | One-way integrity digest | File integrity; password storage only through a salted KDF, never a bare hash |
| HMAC | Keyed hash for integrity/authenticity | API/message integrity |
| Digital signature | Integrity, authenticity, non-repudiation | Signed software, certificates |
| Key exchange | Establish shared secret | TLS session setup |
| KDF | Derives strong key from password/secret | Password hashing, key derivation |
| Salt | Unique random value added before hashing | Defeats rainbow tables |
| Pepper | Secret value added server-side | Extra protection if DB leaks |
| Nonce | Number used once | Prevents replay |
| IV | Initialization vector | Adds uniqueness to encryption mode |
| AEAD | Authenticated encryption with associated data | Confidentiality plus integrity |
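Three rows of the table above (HMAC, nonce, and the replay attack listed under Network Attacks) fit together in one protocol: a client signs each API request with a keyed hash over the method, path, timestamp, nonce and body, and the server rejects bad tags, stale timestamps and reused nonces. The following is an added example (not from the original reference sheet) showing both sides of that exchange. The shared key, request contents, clock values and the `sign`, `Verifier` and `demo` names are this example's own assumptions; a real API would issue per-client keys and read the system clock.

```python
"""HMAC request signing with timestamp and nonce replay protection.

Added example, not from the original reference sheet. Key, request, and
clock values are constructed for the demo.
"""
import hashlib
import hmac
import secrets

MAX_SKEW_SECONDS = 300   # reject requests whose timestamp is this far from server time


def canonical(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """Fixed serialization of everything the signature must cover."""
    return b"\n".join([method.encode(), path.encode(), str(timestamp).encode(), nonce.encode(), body])


def sign(key: bytes, method: str, path: str, timestamp: int, nonce: str, body: bytes) -> str:
    """Client side: HMAC-SHA256 tag over the canonical request."""
    return hmac.new(key, canonical(method, path, timestamp, nonce, body), hashlib.sha256).hexdigest()


class Verifier:
    """Server side: checks the tag, the timestamp window, and nonce reuse, in that order."""

    def __init__(self, key: bytes, now: int):
        self.key = key
        self.now = now              # injected clock so the demo is deterministic
        self.seen_nonces = set()    # production: a store that expires entries after MAX_SKEW_SECONDS

    def verify(self, method, path, timestamp, nonce, body, tag) -> str:
        expected = sign(self.key, method, path, timestamp, nonce, body)
        # compare_digest, not ==, so timing does not reveal how many bytes matched
        if not hmac.compare_digest(expected, tag):
            return "reject: bad signature"
        if abs(self.now - timestamp) > MAX_SKEW_SECONDS:
            return "reject: stale timestamp"
        if nonce in self.seen_nonces:
            return "reject: replayed nonce"
        self.seen_nonces.add(nonce)
        return "accept"


def demo() -> list:
    """Four requests: a fresh one, its replay, a tampered body, and an old timestamp."""
    key = secrets.token_bytes(32)                       # shared secret (constructed here)
    server = Verifier(key, now=1_700_000_000)
    ts, nonce, body = 1_700_000_000, secrets.token_hex(16), b'{"amount": 100}'
    tag = sign(key, "POST", "/transfer", ts, nonce, body)

    outcomes = [server.verify("POST", "/transfer", ts, nonce, body, tag)]           # accept
    outcomes.append(server.verify("POST", "/transfer", ts, nonce, body, tag))       # same bytes again
    tampered = b'{"amount": 9999}'
    outcomes.append(server.verify("POST", "/transfer", ts, nonce, tampered, tag))   # body changed
    old_ts = ts - 3600
    old_tag = sign(key, "POST", "/transfer", old_ts, "nonce-2", body)
    outcomes.append(server.verify("POST", "/transfer", old_ts, "nonce-2", body, old_tag))  # too old
    return outcomes


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The timestamp bounds how long the nonce store must remember values; without it the server would have to keep every nonce forever to stop replays.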
Algorithm Recognition
| Type | Examples | Notes |
|---|---|---|
| Symmetric | AES, ChaCha20 | Fast; key distribution is challenge |
| Asymmetric | RSA, ECC | Slower; supports public-key operations |
| Hash | SHA-256, SHA-3 | Integrity only, not encryption |
| Legacy/weak | MD5, SHA-1, DES, RC4, WEP | Avoid for modern security |
| Password hashing/KDF | bcrypt, scrypt, Argon2, PBKDF2 | Designed to resist brute force |
| Transport security | TLS | Protects data in transit |
| Disk/data encryption | AES-based FDE, database encryption | Protects data at rest |
PKI and Certificate Terms
| Term | Meaning | Trap |
|---|---|---|
| CA | Issues/signs certificates | Trust anchor if root CA |
| RA | Validates identity before issuance | Does not usually sign certs |
| CSR | Certificate signing request | Contains public key and subject info |
| Root CA | Top of trust chain | Must be highly protected |
| Intermediate CA | Issues certificates under root | Limits root exposure |
| Certificate chain | Path from leaf cert to trusted root | Chain errors break trust |
| CRL | Revocation list | Can become large/stale |
| OCSP | Online revocation status | Fresher than a CRL; adds a live lookup per validation unless stapled |
| OCSP stapling | Server provides OCSP proof | Reduces client lookup burden |
| SAN | Subject alternative name | Modern hostname validation uses SAN |
| Wildcard cert | Covers subdomains at one level | Does not cover every possible name |
| Code signing cert | Verifies software publisher/integrity | Does not prove software is vulnerability-free |
| Certificate pinning | Restricts accepted cert/key | Can cause outages if rotation mishandled |
Secure Architecture and Hardening
Hardening Checklist
| Area | Key actions |
|---|---|
| Operating system | Patch, remove unnecessary services, enforce secure baseline |
| Accounts | Disable defaults, remove stale users, enforce MFA/admin separation |
| Services | Stop unused daemons, restrict binding interfaces |
| Network | Host firewall, least-required ports, segmentation |
| Logging | Enable security logs, centralize, protect integrity |
| Time | Synchronize trusted time source |
| Files | Least privilege, integrity monitoring, encryption where needed |
| Configuration | Version control, change control, drift detection |
| Secrets | Vault, rotate, avoid hardcoding |
| Firmware | Update, secure boot, trusted platform protections |
| Disposal | Sanitize media, document chain of custody when needed |
Endpoint and Mobile Controls
| Control | Purpose |
|---|---|
| EDR/anti-malware | Detect and respond to endpoint threats |
| Host firewall | Limit inbound/outbound host traffic |
| Application allowlisting | Run only approved software |
| MDM/UEM | Enforce mobile configuration |
| Remote wipe | Protect lost/stolen devices |
| Full-disk encryption | Protect data at rest |
| Screen lock | Prevent casual physical access |
| Containerization | Separate work/personal data |
| Jailbreak/root detection | Identify compromised mobile OS controls |
| USB/removable media control | Reduce malware and data exfiltration risk |
Cloud and Virtualization Security
| Topic | Security focus | Common exam distinction |
|---|---|---|
| Shared responsibility | Provider and customer each secure different layers | Customer usually still owns identity, data, configuration |
| IaaS | Customer manages OS and above | Most control, more responsibility |
| PaaS | Provider manages runtime/platform | Customer focuses on app/data/config |
| SaaS | Provider manages application stack | Customer focuses on users, data, settings |
| Public cloud | Shared provider infrastructure | Strong logical isolation needed |
| Private cloud | Dedicated to one organization | More control, not automatically more secure |
| Hybrid cloud | Mix of on-prem and cloud | Connectivity and identity integration matter |
| Multi-cloud | Multiple providers | Governance/visibility complexity |
| Security group | Instance/resource-level filtering | Often stateful |
| Network ACL | Subnet/network-level filtering | Often stateless depending on platform |
| IAM policy | Identity/resource permission | Misconfiguration is common cloud risk |
| CSPM | Cloud security posture management | Finds misconfigurations |
| CWPP | Cloud workload protection platform | Protects workloads such as VMs/containers |
| CASB | Cloud access security broker | SaaS visibility/control |
| KMS | Key management service | Central key lifecycle and access control |
Containers and Kubernetes-Style Concepts
| Control | Why it matters |
|---|---|
| Minimal base images | Reduces attack surface |
| Image scanning | Finds vulnerable packages/secrets |
| Signed images | Verifies provenance |
| Read-only filesystem | Limits runtime tampering |
| Non-root containers | Reduces privilege impact |
| Secrets management | Avoids secrets in images/env files |
| Network policies | Controls east-west traffic |
| Admission control | Blocks noncompliant deployments |
| Runtime monitoring | Detects unexpected behavior |
| Resource limits | Reduces DoS/blast radius |
Data Protection
| Technique | Protects against | High-yield distinction |
|---|---|---|
| Encryption | Unauthorized reading | Reversible with key |
| Hashing | Tamper detection | Not reversible |
| Tokenization | Replaces sensitive value with token | Original stored in token vault |
| Masking | Hides part of data | Often for display/non-prod use |
| Anonymization | Removes identifying links | Hard to reverse if done well |
| Pseudonymization | Replaces identifiers but can be re-linked | Re-identification possible |
| DLP | Detect/prevent sensitive data movement | Needs classification and tuning |
| DRM/IRM | Controls document usage | Protects after distribution |
| Data minimization | Collect only needed data | Privacy-by-design principle |
| Retention policy | Keep data for defined period | Must include disposal |
| Secure deletion | Prevent recovery | Method depends on media type |
Secure Software and DevSecOps
SDLC Security Activities
| Phase | Security activity |
|---|---|
| Requirements | Security/privacy requirements, abuse cases |
| Design | Threat modeling, architecture review |
| Development | Secure coding, peer review, secrets scanning |
| Build | Dependency scanning, signed artifacts |
| Test | SAST, DAST, IAST, fuzzing, penetration testing |
| Deploy | IaC scanning, change approval, secure configuration |
| Operate | Monitoring, patching, incident feedback |
| Retire | Data migration, sanitization, decommissioning |
Testing Tool Selection
| Tool/type | Best for | Limitation |
|---|---|---|
| SAST | Source code flaws before runtime | May miss runtime/config issues |
| DAST | Running web app behavior | May not identify exact code line |
| IAST | Runtime app testing with instrumentation | Requires integration |
| SCA | Third-party dependency risk | Does not replace code review |
| Fuzzing | Unexpected input handling | Needs triage |
| Secrets scanning | Hardcoded credentials/tokens | Needs false-positive handling |
| IaC scanning | Cloud/config misconfigurations | Must align with deployment context |
Secure Coding Traps
| Bad pattern | Risk | Better pattern |
|---|---|---|
| String-built SQL | SQL injection | Parameterized queries |
| Direct object IDs without checks | IDOR | Object-level authorization |
| Storing plaintext passwords | Credential compromise | Salted password KDF |
| Hardcoded API keys | Secret leakage | Secrets manager |
| Verbose errors to users | Information disclosure | Generic user errors, detailed logs |
| Missing rate limits | Brute force/API abuse | Throttling, lockout, risk-based controls |
| Trusting client validation | Bypass | Server-side validation |
| Unvalidated redirects | Phishing/token theft | Allowlisted redirects |
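The first row of the table above (and the SQL injection row under Web and Application Attacks) is the one most often asked as "which fix is correct". The following added example (not from the original reference sheet) puts the string-built query beside the parameterized one against the same in-memory SQLite table so the difference in outcome is visible. The table, accounts, attacker payload and the `login_vulnerable`, `login_parameterized` and `demo` names are this example's own; passwords are stored in plaintext here only to keep the injection demo short, which is itself a trap listed in the table.

```python
"""SQL injection: string-built query beside its parameterized replacement.

Added example, not from the original reference sheet. The users table,
accounts and attacker input are constructed for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed accounts (plaintext passwords for brevity only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "battery staple", "user"),
    ])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Deliberately vulnerable: user input is concatenated into the query text."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username: str, password: str):
    """Hardened: placeholders keep the input as data; the query structure cannot change."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    conn = make_db()
    payload = "' OR '1'='1"      # tautology: AND binds tighter, so the OR makes every row match
    return {
        "vuln_legit": login_vulnerable(conn, "bob", "battery staple"),
        "vuln_attack": login_vulnerable(conn, "alice", payload),       # logs in as admin, no password
        "param_legit": login_parameterized(conn, "bob", "battery staple"),
        "param_attack": login_parameterized(conn, "alice", payload),   # payload is just a wrong password
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case}: {row}")
```

Input validation is a useful second layer, but the parameterized form is what removes the bug: the database never parses attacker bytes as SQL.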
Security Operations and Monitoring
Telemetry Sources
| Source | What it shows | Use case |
|---|---|---|
| Authentication logs | Logins, failures, MFA events | Credential attacks |
| Endpoint logs | Process, file, registry, memory events | Malware/lateral movement |
| Firewall logs | Allowed/denied traffic | Network policy validation |
| DNS logs | Domain lookups | Malware C2, tunneling |
| Proxy logs | Web requests | User web activity, exfiltration |
| VPN/ZTNA logs | Remote access sessions | Impossible travel, unusual access |
| Cloud audit logs | API calls and config changes | Cloud compromise/misconfiguration |
| Application logs | Business logic events | Fraud and app attacks |
| Database logs | Queries, admin actions | Data access monitoring |
| EDR/XDR alerts | Correlated endpoint activity | Threat investigation |
| IDS/IPS alerts | Network signatures/anomalies | Intrusion detection |
| DLP alerts | Sensitive data movement | Exfiltration/handling violations |
SIEM, SOAR, and Detection
| Tool | Purpose | Trap |
|---|---|---|
| SIEM | Central log collection, correlation, alerting | Needs tuning and good data |
| SOAR | Automated orchestration and response | Automates playbooks; does not replace judgment |
| UEBA | Behavior analytics | Detects anomalies; false positives possible |
| Threat intelligence platform | Manage indicators/context | Indicators expire or become noisy |
| Honeypot/honeynet | Decoy for detection/research | Must be isolated and monitored |
| File integrity monitoring | Detect unauthorized changes | Needs baseline and tuning |
Alert Triage Quick Path
| Alert | First checks | Likely containment |
|---|---|---|
| Multiple failed logins | Source, user, pattern, success after failures | Disable account, enforce MFA, block source |
| Impossible travel | VPN/proxy use, user confirmation, device | Revoke sessions, reset credentials |
| Malware detection | Host, process tree, hash, spread | Isolate endpoint, preserve evidence |
| Suspicious PowerShell/script | Parent process, encoded commands, user context | Isolate host, collect script/logs |
| Data exfiltration | Destination, volume, data type, user | Block channel, suspend token/account |
| New admin account | Change ticket, creator, source IP | Disable account, review privilege changes |
| Public cloud storage exposure | Resource, data sensitivity, access logs | Remove public access, rotate exposed secrets |
| DNS to known malicious domain | Host process, frequency, payload | Isolate host, block domain/IP |
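The "multiple failed logins" row above hides the distinction that decides the containment step: many failures against one account from one source (brute force) versus a few failures each across many accounts from one source (password spraying, from the credential attacks table), and in either case whether a success followed the failures. The following added example (not from the original reference sheet) runs that triage logic over a constructed auth-log excerpt. The log format, IP addresses, thresholds and the `classify` function are this example's own assumptions; real authentication logs need their own parser and thresholds tuned to the environment.

```python
"""Triage logic for failed-login alerts: brute force vs password spraying,
plus the 'success after failures' check.

Added example, not from the original reference sheet. Log lines, addresses
and thresholds are constructed for the demo.
"""
import re
from collections import defaultdict

# Constructed auth-log excerpt in a simple key=value format.
SAMPLE_LOG = """\
2024-05-01T08:00:01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T08:00:02 src=203.0.113.7 user=bob result=FAIL
2024-05-01T08:00:03 src=203.0.113.7 user=carol result=FAIL
2024-05-01T08:00:04 src=203.0.113.7 user=dave result=FAIL
2024-05-01T08:00:05 src=203.0.113.7 user=erin result=FAIL
2024-05-01T08:00:06 src=203.0.113.7 user=frank result=SUCCESS
2024-05-01T08:01:00 src=198.51.100.9 user=admin result=FAIL
2024-05-01T08:01:01 src=198.51.100.9 user=admin result=FAIL
2024-05-01T08:01:02 src=198.51.100.9 user=admin result=FAIL
2024-05-01T08:01:03 src=198.51.100.9 user=admin result=FAIL
2024-05-01T08:01:04 src=198.51.100.9 user=admin result=FAIL
2024-05-01T08:02:00 src=192.0.2.44 user=grace result=FAIL
2024-05-01T08:02:05 src=192.0.2.44 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

FAIL_THRESHOLD = 5      # failures from one source before the source is interesting at all
SPRAY_MIN_USERS = 4     # this many distinct users with failures from one source => spraying


def parse(log_text: str):
    """Yield (src, user, result) for each line that matches the constructed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def classify(log_text: str) -> dict:
    """Return {source_ip: verdict} with verdicts 'brute_force', 'password_spray' or 'benign'.

    A '+success' suffix marks a success that followed failures from an already
    suspicious source; that is the case to move from alert to containment
    (disable the account, revoke sessions, block the source).
    """
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    success_after_fail = defaultdict(set)            # src -> users that succeeded after failures
    for src, user, result in parse(log_text):
        if result == "FAIL":
            fails[src][user] += 1
        elif result == "SUCCESS" and src in fails:
            success_after_fail[src].add(user)

    verdicts = {}
    for src, per_user in fails.items():
        total = sum(per_user.values())
        if total >= FAIL_THRESHOLD and len(per_user) >= SPRAY_MIN_USERS:
            verdict = "password_spray"
        elif total >= FAIL_THRESHOLD:
            verdict = "brute_force"
        else:
            verdict = "benign"      # one mistyped password then success is normal user behaviour
        if verdict != "benign" and success_after_fail.get(src):
            verdict += "+success"
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```

Spraying is easy to miss with a per-account lockout rule alone, because each account sees only one failure; the source-level count across users is what exposes it.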
Incident Response Lifecycle
| Phase | Goal | Key actions |
|---|---|---|
| Preparation | Be ready before incident | Playbooks, contacts, logging, tools, training |
| Identification | Confirm incident | Triage alerts, scope impact, classify severity |
| Containment | Limit damage | Isolate hosts, disable accounts, block indicators |
| Eradication | Remove cause | Delete malware, patch, close persistence |
| Recovery | Restore operations | Rebuild, restore, monitor, validate |
| Lessons learned | Improve | Root cause, timeline, control updates |
Evidence and Forensics
| Concept | Meaning |
|---|---|
| Chain of custody | Document who handled evidence, when, and why |
| Order of volatility | Collect most volatile evidence first |
| Legal hold | Preserve relevant data from deletion |
| Write blocker | Prevent alteration of storage evidence |
| Hashing evidence | Prove integrity of collected image/file |
| Timeline analysis | Reconstruct sequence of events |
| Memory capture | Useful for malware, keys, processes |
| Disk image | Bit-level copy for analysis |
| E-discovery | Identify, preserve, collect, review electronic information |
CompTIA Security+ questions usually test tool purpose more than full syntax.
```bash
# DNS investigation
dig example.com
nslookup example.com
# Check listening connections
ss -tulpen
netstat -ano
# Test TLS certificate and handshake
openssl s_client -connect example.com:443 -servername example.com
# Capture limited packets
tcpdump -i eth0 host 10.0.0.5
# Inspect HTTP headers
curl -I https://example.com
```
| Tool | Use |
|---|---|
| ping | Basic reachability; ICMP may be blocked |
| traceroute / tracert | Path and routing troubleshooting |
| nslookup / dig | DNS queries |
| netstat / ss | Connections and listening ports |
| nmap | Port/service discovery |
| tcpdump / Wireshark | Packet capture/analysis |
| curl | HTTP/API testing |
| openssl | Certificate/TLS inspection |
| grep / find | Log/file searching |
| hashcat / John the Ripper | Password cracking/testing |
| ipconfig / ifconfig / ip | Network interface configuration |
| arp | ARP cache inspection |
Resilience, Backup, and Disaster Recovery
Availability Patterns
| Pattern | Purpose | Trap |
|---|---|---|
| Redundancy | Extra components | Not useful if same failure affects all |
| Fault tolerance | Continue despite component failure | Usually more expensive/complex |
| High availability | Minimize downtime | Does not guarantee no outage |
| Load balancing | Distribute traffic | Needs health checks |
| Clustering | Multiple nodes operate together | Can be active-active or active-passive |
| Geographic diversity | Survive regional events | Data consistency and latency matter |
| Replication | Copy data/systems | Can replicate corruption/ransomware |
| Snapshot | Point-in-time copy | Not always independent backup |
| Immutable backup | Cannot be altered for retention period | Strong ransomware defense |
| Air-gapped backup | Offline/isolated copy | Slower restore, stronger isolation |
| Tabletop exercise | Discussion-based DR/IR test | Does not prove technical recovery |
| Failover test | Validate alternate site/system | Requires planning to avoid disruption |
Backup Types
| Type | What it backs up | Restore implication |
|---|---|---|
| Full | Everything selected | Simplest restore, more storage/time |
| Incremental | Changes since last backup | Faster backup, restore needs chain |
| Differential | Changes since last full | Restore needs full + latest differential |
| Snapshot | Point-in-time state | Fast rollback, platform-dependent |
| Continuous replication | Near-real-time copy | Low RPO, can replicate bad changes |
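The restore implications in the table above, as an added example (not from the original reference): a small simulation of full, incremental and differential backups over a constructed change log, showing why an incremental restore needs the whole chain while a differential restore needs only the full plus the latest differential. The change log, file names and the choice of day 0 as the weekly full are assumptions.

```python
# Constructed change log: day -> {file: content written that day} (assumption).
CHANGES = {
    0: {"a.txt": "a0", "b.txt": "b0", "c.txt": "c0"},
    1: {"a.txt": "a1"},
    2: {"b.txt": "b2"},
    3: {"a.txt": "a3", "d.txt": "d3"},
}

def take_backups(changes, strategy):
    """Return day -> files captured by that day's backup. Day 0 is the full;
    'incremental' captures changes since the last backup, 'differential'
    captures everything changed since the full."""
    backups, since_full = {}, {}
    for day in sorted(changes):
        if day == 0:
            backups[0] = dict(changes[0])  # full backup
            continue
        since_full.update(changes[day])
        if strategy == "incremental":
            backups[day] = dict(changes[day])      # stays small
        else:
            backups[day] = dict(since_full)        # grows until the next full
    return backups

def restore_chain(strategy, target_day):
    """Backups that must be applied, oldest first, to reach target_day."""
    if strategy == "incremental":
        return list(range(target_day + 1))         # full + every incremental
    return [0] if target_day == 0 else [0, target_day]  # full + latest differential

def restore(backups, chain):
    """Apply backups in order; newer copies of a file overwrite older ones."""
    state = {}
    for day in chain:
        state.update(backups[day])
    return state

def expected_state(changes, target_day):
    """Ground truth for checking a restore: replay every change up to target_day."""
    state = {}
    for day in sorted(changes):
        if day <= target_day:
            state.update(changes[day])
    return state
```

Dropping one link from the incremental chain (for example restoring days 0, 1 and 3 only) silently reverts files to older versions, which is the chain-dependence trap the table refers to.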
Physical, Environmental, and Safety Controls
| Control | Primary purpose |
|---|---|
| Badge/access card | Identify and authorize entry |
| Biometric reader | Stronger identity verification |
| Mantrap | Prevent tailgating |
| Security guard | Deterrence and response |
| CCTV | Detective/deterrent evidence |
| Motion sensor | Detect unauthorized movement |
| Door lock | Prevent unauthorized access |
| Faraday cage | Block electromagnetic signals |
| Cable lock | Deter device theft |
| Privacy screen | Reduce shoulder surfing |
| Fire suppression | Protect people/equipment |
| HVAC | Maintain safe operating environment |
| UPS | Short-term power continuity |
| Generator | Longer-term backup power |
| Hot/cold aisles | Data center cooling efficiency |
| Equipment disposal | Prevent data recovery and leakage |
Privacy and Data Governance
Data Roles
| Role | Responsibility |
|---|---|
| Data owner | Determines classification, access, and handling requirements |
| Data steward | Manages data quality and governance processes |
| Data custodian | Implements storage, backup, and technical controls |
| Data controller | Determines purposes and means of processing personal data |
| Data processor | Processes data on behalf of controller |
| Data subject | Individual the personal data relates to |
| Privacy officer/DPO-style role | Oversees privacy program where applicable |
Data Classification and Handling
| Classification | Typical handling |
|---|---|
| Public | Approved for public release |
| Internal | Business use; not public |
| Confidential | Limited access; protect from disclosure |
| Restricted/highly sensitive | Strong controls, strict need-to-know |
| Regulated data | Handle according to applicable contractual/regulatory obligations |

| Lifecycle phase | Security focus |
|---|---|
| Create/collect | Minimize, classify, notify if required |
| Store | Encrypt, control access, backup |
| Use | Least privilege, monitoring |
| Share | DLP, agreements, secure transfer |
| Archive | Retention and access controls |
| Destroy | Sanitization, certificate/record of destruction if needed |
Common Exam Traps
| If the question says… | Prefer… | Avoid assuming… |
|---|---|---|
| “Most secure remote admin” | SSH, VPN/ZTNA, MFA, bastion, logging | Telnet or public RDP |
| “Protect web app from SQLi/XSS” | Secure coding plus WAF as compensating/detective layer | WAF alone fixes bad code |
| “Prove file was not modified” | Hash or digital signature | Encryption alone |
| “Prove who signed/sent it” | Digital signature | Hash alone |
| “Encrypt large data efficiently” | Symmetric encryption | Asymmetric for bulk data |
| “Exchange keys over insecure channel” | Asymmetric key exchange / TLS | Pre-shared secrets without protection |
| “Stop data leaving organization” | DLP, classification, egress controls | Firewall alone sees all sensitive content |
| “Least privilege for dynamic cloud access” | ABAC/PBAC, JIT/JEA | Permanent broad admin roles |
| “Centralize log analysis” | SIEM | Syslog alone as full analysis |
| “Automate response workflow” | SOAR | SIEM alone |
| “Detect endpoint behavior” | EDR/XDR | Antivirus signatures only |
| “Network admission based on device posture” | NAC | Firewall rule only |
| “Federated authorization to app data” | OAuth 2.0 | OAuth as pure authentication |
| “Federated login with identity token” | OIDC or SAML | LDAP by itself for web SSO |
| “Protect passwords in database” | Salted adaptive hash/KDF | Encryption of passwords for login comparison |
| “Lost laptop with sensitive files” | Full-disk encryption and remote wipe | Password-only protection |
| “Untrusted removable media” | Disable/control USB, scan, awareness | User caution only |
| “Legacy OT cannot be patched” | Segment, monitor, compensating controls | Ignore vulnerability |
| “Ransomware resilience” | Immutable/offline backups, EDR, least privilege, segmentation | Snapshots alone if attacker can delete them |
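The "protect passwords in database" row above, as an added example (not from the original reference): a salted, iterated KDF (PBKDF2-HMAC-SHA256 from Python's standard library) with constant-time verification and a work-factor upgrade check, beside the unsalted hash the row warns against. The record format, iteration count and function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor policy; raise over time (adaptive)

def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)  # unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )

def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept
    iterations, salt, expected = int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)

def needs_rehash(record, iterations=ITERATIONS):
    """True when the stored work factor is below current policy; rehash at next login."""
    return int(record.split("$")[1]) < iterations

def unsalted_sha256(password):
    """The trap: a plain hash gives identical output for identical passwords,
    so a stolen table exposes shared passwords and precomputed tables apply."""
    return hashlib.sha256(password.encode()).hexdigest()
```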
Quick Review Checklist
Before the exam, make sure you can quickly answer:
- Which control category and function fits a scenario?
- Whether the question asks for confidentiality, integrity, availability, authentication, authorization, or accounting.
- Which IAM technology is authentication, authorization, federation, provisioning, or privileged access.
- When to choose firewall, WAF, IDS, IPS, EDR, XDR, SIEM, SOAR, DLP, CASB, NAC, VPN, or ZTNA.
- Which attack matches the indicators: SQLi, XSS, CSRF, SSRF, replay, on-path, DNS poisoning, credential stuffing, password spraying.
- How symmetric encryption, asymmetric encryption, hashing, HMAC, digital signatures, and certificates differ.
- How to prioritize vulnerabilities using exploitability, exposure, business impact, and compensating controls.
- The incident response phase implied by the action.
- The difference between RTO, RPO, MTTR, MTBF, MTD, SLE, ARO, and ALE.
- Which data protection method fits: encryption, hashing, tokenization, masking, anonymization, pseudonymization, or DLP.
Practical Next Step
Use this Quick Reference as a final-pass checklist, then move into timed SY0-801 practice questions and performance-based scenarios. For each missed item, write down the decision cue that would have pointed you to the correct security control, attack type, protocol, or process.