SY0-701
CompTIA Security+
The CompTIA Security+ (SY0-701) certification is the global benchmark for establishing a career in cybersecurity. It is one of the most widely adopted and recognized cybersecurity certifications worldwide, often required for government and military cybersecurity positions (DoD 8570 baseline certification). Security+ validates the baseline skills necessary to perform core security functions and pursue an IT security career.
The exam covers five domains: General Security Concepts (12%); Threats, Vulnerabilities, and Mitigations (22%); Security Architecture (18%); Security Operations (28%); and Security Program Management and Oversight (20%). Candidates must demonstrate knowledge of risk management, cryptography, identity and access management (IAM), network security, secure network design, security assessments, incident response, vulnerability management, threat intelligence, security awareness training, governance frameworks, and compliance requirements.
CompTIA Security+ is ideal for security administrators, systems administrators, security specialists, security engineers, and network administrators responsible for securing networks and systems. The SY0-701 version was updated in November 2023 with expanded coverage of cloud security, automation, zero trust architectures, IoT security, and modern attack techniques including ransomware and supply chain attacks. It is recommended for professionals with 2+ years of IT administration experience with a security focus.
SY0-701 Practice Exams 1 through 6
Six comprehensive 90-question practice exams, each covering all five SY0-701 domains: general security concepts; threats, vulnerabilities, and mitigations; security architecture; security operations; and security program management and oversight.
SY0-701 Cheat Sheet
Quick reference guide - 6 sections
CompTIA Security+ (SY0-701)
The CompTIA Security+ SY0-701 certification validates the baseline skills necessary to perform core security functions and pursue an IT security career. Released in November 2023, SY0-701 replaced the SY0-601 and was streamlined from six domains down to five, with a stronger emphasis on security operations, automation, zero trust architecture, and cloud security. Security+ is globally recognized and is approved by the U.S. Department of Defense to meet directive 8570.01-M requirements, making it essential for government and military IT security roles. It is vendor-neutral and covers a wide range of security technologies, concepts, and best practices that apply across platforms and environments. Security+ is the most widely held certification in the cybersecurity industry and serves as a springboard to more advanced certifications such as CySA+, PenTest+, CASP+, and CISSP.
Exam Details
| Detail | Value |
|---|---|
| Exam Code | SY0-701 |
| Duration | 90 minutes |
| Maximum Questions | Up to 90 questions |
| Passing Score | 750 / 900 |
| Cost | $404 USD |
| Validity | 3 years (renewable via CE credits or retaking) |
| Question Types | Performance-based questions (PBQs), multiple choice (single and multiple select), drag-and-drop |
| Testing Options | Pearson VUE testing center or online proctored |
| Recommended Experience | 2+ years in IT administration with a security focus; CompTIA Network+ recommended but not required |
| Certification Level | Professional / Intermediate |
Domain Weights
| Domain | Weight |
|---|---|
| Domain 1: General Security Concepts | 12% |
| Domain 2: Threats, Vulnerabilities, and Mitigations | 22% |
| Domain 3: Security Architecture | 18% |
| Domain 4: Security Operations | 28% |
| Domain 5: Security Program Management and Oversight | 20% |
Study Tips
- Domain 4 (Security Operations) is the heaviest at 28%; focus heavily on incident response, monitoring, vulnerability management, alerting, and security automation concepts
- Tackle the PBQs last during the exam; they are time-consuming and typically appear first; flag them and return after completing the multiple-choice questions
- Understand the CIA triad (Confidentiality, Integrity, Availability) as a foundational framework; many questions map back to which pillar is being protected or violated
- Know the difference between similar concepts: IDS vs IPS, symmetric vs asymmetric encryption, SIEM vs SOAR, vulnerability scan vs penetration test, RPO vs RTO
- Zero trust is a major theme in SY0-701; understand the principles of "never trust, always verify", least privilege, microsegmentation, and continuous verification
- Memorize port numbers for common services: SSH (22), DNS (53), HTTP (80), HTTPS (443), RDP (3389), LDAP (389), LDAPS (636), SMTP (25/587), IMAP (143/993), POP3 (110/995)
- Compliance frameworks are heavily tested; know the purpose and scope of GDPR, PCI-DSS, HIPAA, SOX, NIST, and ISO 27001 at a high level
Exam Day Checklist
- Arrive 15 minutes early for testing center appointments or start online check-in 30 minutes before your scheduled time
- Bring two valid forms of identification (one government-issued photo ID) for testing center; clear desk and quiet room for online proctoring
- You have 90 minutes for up to 90 questions; budget approximately 1 minute per question with time reserved for PBQ review
- PBQs often appear at the beginning; skip them initially, complete multiple-choice questions first, then return to PBQs with remaining time
- Your score is on a scale of 100-900; you need 750 to pass; score reports show performance per domain
- If you do not pass, you can retake after 14 calendar days; there is no limit on attempts but each attempt costs $404
- Read every question carefully; CompTIA often uses double negatives and qualifiers like BEST, MOST, FIRST, and MOST LIKELY
CIA Triad
| Principle | Definition | Controls & Examples |
|---|---|---|
| Confidentiality | Ensuring information is accessible only to authorized individuals; preventing unauthorized disclosure of data | Encryption (AES, TLS), access controls (ACLs, RBAC), data classification, DLP, masking, steganography |
| Integrity | Ensuring data has not been altered or tampered with in an unauthorized manner; maintaining accuracy and trustworthiness | Hashing (SHA-256, SHA-3), digital signatures, checksums, version control, input validation, HMAC |
| Availability | Ensuring systems and data are accessible when needed by authorized users; minimizing downtime | Redundancy, load balancing, backups, failover clustering, UPS/generators, DDoS protection, SLAs |
AAA Framework (Authentication, Authorization, Accounting)
| Component | Purpose | Examples |
|---|---|---|
| Authentication | Verifying the identity of a user, device, or system; proving you are who you claim to be | Passwords, biometrics, smart cards, tokens, MFA, certificates, RADIUS, TACACS+ |
| Authorization | Determining what an authenticated user is permitted to access or do; enforcing permissions | RBAC, DAC, MAC, ABAC, ACLs, group policies, permission levels, conditional access |
| Accounting | Tracking and logging user activities for audit trails, billing, and forensic analysis | Syslog, SIEM, audit logs, session logs, login/logout tracking, RADIUS accounting |
Zero Trust Model
Zero trust is a security framework that assumes no user, device, or network should be trusted by default, regardless of whether they are inside or outside the network perimeter. Every access request must be continuously verified before granting access.
| Principle | Description |
|---|---|
| Never Trust, Always Verify | Every request is treated as if it originates from an untrusted network; authenticate and authorize every user, device, and application on every request regardless of location |
| Least Privilege Access | Grant only the minimum permissions necessary to perform a task; use just-in-time (JIT) and just-enough-access (JEA) policies to limit exposure |
| Microsegmentation | Divide networks into small, isolated segments to contain breaches; enforce policies at the workload level rather than the perimeter; prevents lateral movement |
| Assume Breach | Operate under the assumption that a breach has already occurred or will occur; minimize blast radius, segment access, verify end-to-end encryption, use analytics for threat detection |
| Control Plane vs Data Plane | Control plane handles policy decisions (authentication, authorization, policy enforcement); data plane handles actual data transfer after access is granted; both must be secured independently |
Defense in Depth
A layered security strategy that employs multiple security controls at different levels so that if one layer fails, subsequent layers continue to provide protection. No single control is relied upon exclusively.
| Layer | Controls |
|---|---|
| Physical | Fences, locks, guards, mantraps, biometric access, security cameras, cable locks |
| Network | Firewalls, IDS/IPS, network segmentation, VPNs, NAC, DMZ, ACLs |
| Host | Antivirus/antimalware, host-based firewall, HIDS/HIPS, endpoint detection and response (EDR), patch management |
| Application | Input validation, secure coding, WAF, code signing, application whitelisting, sandboxing |
| Data | Encryption at rest and in transit, DLP, data classification, rights management, database encryption |
| Administrative | Security policies, procedures, training, background checks, separation of duties, acceptable use policies |
Security Control Categories
| Category | Purpose | Examples |
|---|---|---|
| Preventive | Stop an incident before it occurs | Firewalls, encryption, access controls, security guards, locks, training |
| Detective | Identify and alert on incidents during or after occurrence | IDS, SIEM, log monitoring, security cameras, audits, motion detectors |
| Corrective | Restore systems and fix issues after an incident | Backups, patching, antivirus remediation, incident response procedures |
| Deterrent | Discourage potential attackers from attempting an attack | Warning banners, security signage, visible cameras, login warnings |
| Compensating | Alternative control when the primary control is not feasible | Using MFA when biometrics is unavailable, manual review when automated system is down |
| Directive | Specify required actions or behaviors through policies and procedures | Acceptable use policy, security policy, compliance mandates, standard operating procedures |
Exam Tip: Controls are also classified by implementation type: Technical (firewalls, encryption), Managerial (policies, risk assessments), Operational (guards, training), and Physical (locks, fences). Be able to categorize any given control by both its category and implementation type.
Authentication Factors
| Factor | Description | Examples |
|---|---|---|
| Something You Know | Knowledge-based factor | Passwords, PINs, security questions, passphrases |
| Something You Have | Possession-based factor | Smart cards, hardware tokens (FIDO2, YubiKey), OTP apps, mobile phone |
| Something You Are | Biometric factor (inherence) | Fingerprint, facial recognition, retina/iris scan, voice recognition |
| Somewhere You Are | Location-based factor | GPS coordinates, IP geolocation, geofencing |
| Something You Do | Behavioral factor | Typing patterns (keystroke dynamics), gait analysis, signature dynamics |
Exam Tip: MFA requires two or more DIFFERENT factor types. A password + PIN is NOT MFA (both are something you know). A password + fingerprint IS MFA (knowledge + biometric).
Threat Actor Types
| Threat Actor | Motivation | Sophistication & Resources |
|---|---|---|
| Nation-State (APT) | Espionage, sabotage, political influence, intellectual property theft, warfare | Very high sophistication; state-funded; zero-day exploits; persistent and patient; well-resourced teams |
| Organized Crime | Financial gain through ransomware, fraud, identity theft, data exfiltration | High sophistication; well-funded criminal syndicates; operate as businesses with specialization |
| Hacktivist | Political or social ideology; public embarrassment of targets; protest actions | Low to moderate; use publicly available tools; strength in numbers; DDoS and defacement attacks |
| Insider Threat | Disgruntlement, financial gain, accidental negligence, coercion | Varies; already has legitimate access; can bypass perimeter controls; most damaging due to trust |
| Script Kiddie | Curiosity, notoriety, bragging rights; no deep technical understanding | Low sophistication; uses pre-built tools and scripts without understanding them; opportunistic |
| Shadow IT | Convenience; employees using unauthorized tools or services to bypass IT policies | Not malicious but creates unmanaged risk; unapproved cloud services, personal devices, rogue apps |
Social Engineering Attacks
| Attack Type | Description |
|---|---|
| Phishing | Mass email attack impersonating a trusted entity to steal credentials, deliver malware, or trick users into taking action; uses urgency, fear, or curiosity as lures |
| Spear Phishing | Targeted phishing directed at a specific individual or organization; uses personalized information from OSINT to increase credibility and success rate |
| Whaling | Spear phishing targeting high-value executives (CEO, CFO, CTO); typically impersonates business partners, legal entities, or other executives |
| Vishing | Voice phishing over phone calls; attacker impersonates IT support, banks, or government agencies to extract sensitive information |
| Smishing | SMS/text message phishing; delivers malicious links or social engineering prompts via text messages |
| Business Email Compromise (BEC) | Attacker compromises or spoofs a business email account to redirect wire transfers, steal data, or manipulate employees; targets finance departments |
| Pretexting | Creating a fabricated scenario (pretext) to engage a victim and gain their trust; attacker assumes a false identity to extract information or gain access |
| Tailgating / Piggybacking | Following an authorized person through a secured door without using credentials; tailgating is without consent, piggybacking is with the person's knowledge |
| Watering Hole | Compromising a website frequently visited by the target group; injects malicious code into the trusted site to infect visitors |
Malware Types
| Malware | Behavior |
|---|---|
| Ransomware | Encrypts victim's files and demands payment (typically cryptocurrency) for the decryption key; double extortion variants also threaten to leak stolen data; most common and costly malware today |
| Trojan Horse | Malware disguised as legitimate software; does not self-replicate; requires user action to install; often delivers backdoors, RATs, or other payloads |
| Worm | Self-replicating malware that spreads across networks without user interaction; exploits vulnerabilities to propagate; can cause network congestion and system disruption |
| Virus | Malicious code that attaches to a host file and spreads when the file is executed; requires user action to propagate; infects boot sectors, macros, or executable files |
| Rootkit | Hides deep in the operating system (kernel or firmware level); conceals the presence of other malware; extremely difficult to detect and remove; may survive OS reinstall if firmware-based |
| Spyware | Secretly monitors user activity including keystrokes, browsing habits, and credentials; sends collected data to the attacker; includes keyloggers and screen capture tools |
| Fileless Malware | Operates entirely in memory without writing files to disk; leverages legitimate tools (PowerShell, WMI, macros); evades traditional antivirus; detected by behavioral analysis and EDR |
| Logic Bomb | Malicious code that triggers when a specific condition is met (date, event, user action); often planted by insiders; dormant until activation condition occurs |
Common Vulnerability Types
| Vulnerability | Description & Mitigation |
|---|---|
| SQL Injection (SQLi) | Injecting malicious SQL commands through input fields to manipulate the database; mitigate with parameterized queries, input validation, stored procedures, WAF, and least privilege database accounts |
| Cross-Site Scripting (XSS) | Injecting malicious scripts into web pages viewed by other users; stored XSS persists on the server, reflected XSS is returned in the response; mitigate with output encoding, CSP headers, input validation |
| Cross-Site Request Forgery (CSRF) | Tricks an authenticated user's browser into making unintended requests to a web application; mitigate with anti-CSRF tokens, SameSite cookies, re-authentication for sensitive actions |
| Buffer Overflow | Writing data beyond allocated memory boundaries to overwrite adjacent memory; can allow arbitrary code execution; mitigate with ASLR, DEP/NX, stack canaries, bounds checking, safe coding practices |
| Zero-Day | Vulnerability that is unknown to the vendor and has no available patch; extremely dangerous because no signature-based detection exists; mitigate with behavioral detection, EDR, network segmentation, threat intelligence |
| Race Condition (TOCTOU) | Exploiting the time gap between checking a condition and using the result; Time of Check to Time of Use; mitigate with atomic operations, mutex locks, proper synchronization |
| Privilege Escalation | Gaining higher privileges than authorized; vertical (user to admin) or horizontal (user A accessing user B's data); mitigate with least privilege, patching, proper access controls |
Indicators of Compromise (IoC)
- Account lockouts: Unusual number of failed login attempts across multiple accounts may indicate brute force or credential stuffing attacks
- Concurrent session usage: Same account logged in from multiple geographic locations simultaneously; indicates compromised credentials
- Impossible travel: Login attempts from geographically distant locations within an impossible timeframe
- Resource consumption anomalies: Unexpected CPU/memory spikes may indicate cryptomining malware or data exfiltration
- Blocked content: Increased blocked requests to malicious domains or command-and-control (C2) servers
- Missing logs: Gaps in log data may indicate an attacker has tampered with or deleted logs to cover their tracks
- Unexpected outbound traffic: Data exfiltration often appears as large or unusual outbound network flows to unknown external IPs
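Two of the indicators listed above (failed logins across many accounts, and impossible travel) can be turned into simple detection rules. The block below is an added example, not part of the original cheat sheet: it runs both rules over a constructed authentication log whose line format (timestamp, user, source IP, result, latitude/longitude) is an assumption made here, and the thresholds are illustrative.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not a real capture). Assumed format, one event per line:
#   <ISO-8601 UTC timestamp> user=<account> src=<ip> result=<success|failure> geo=<lat>,<lon>
SAMPLE_LOG = """\
2024-05-01T08:00:00Z user=alice src=203.0.113.5 result=success geo=51.51,-0.13
2024-05-01T08:01:00Z user=bob src=198.51.100.7 result=failure geo=40.71,-74.01
2024-05-01T08:01:05Z user=carol src=198.51.100.7 result=failure geo=40.71,-74.01
2024-05-01T08:01:10Z user=dave src=198.51.100.7 result=failure geo=40.71,-74.01
2024-05-01T08:01:15Z user=erin src=198.51.100.7 result=failure geo=40.71,-74.01
2024-05-01T08:01:20Z user=frank src=198.51.100.7 result=failure geo=40.71,-74.01
2024-05-01T08:30:00Z user=alice src=192.0.2.44 result=success geo=-33.87,151.21
2024-05-01T09:00:00Z user=bob src=198.51.100.9 result=success geo=40.71,-74.01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) geo=(?P<lat>-?[\d.]+),(?P<lon>-?[\d.]+)$"
)


def parse_log(text):
    """Parse log lines into dicts, skipping malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        ts = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": d["user"], "src": d["src"],
                       "result": d["result"], "lat": float(d["lat"]), "lon": float(d["lon"])})
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_spray(events, window_s=300, min_failures=5, min_accounts=3):
    """Account-lockout indicator: one source failing against many accounts in a short window.
    Returns (source_ip, failures_in_window, distinct_accounts) per offending source."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append(e)
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):  # sliding window over time-ordered failures
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = fails[start:end + 1]
            if len(window) >= min_failures and len({e["user"] for e in window}) >= min_accounts:
                alerts.append((src, len(window), len({e["user"] for e in window})))
                break  # one alert per source is enough
    return alerts


def detect_impossible_travel(events, max_kmh=900.0):
    """Impossible-travel indicator: consecutive successful logins for one account whose
    implied speed exceeds max_kmh. Returns (user, km, implied_kmh)."""
    alerts, last = [], {}
    for e in events:
        if e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            if hours > 0 and km / hours > max_kmh:
                alerts.append((e["user"], round(km), round(km / hours)))
        last[e["user"]] = e
    return alerts
```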
Cryptography Fundamentals
| Type | How It Works | Algorithms | Use Cases |
|---|---|---|---|
| Symmetric Encryption | Same key encrypts and decrypts; fast; key distribution is the challenge | AES (128/192/256-bit), 3DES (legacy), ChaCha20, Blowfish | Bulk data encryption, disk encryption, VPN tunnels, database encryption, file encryption |
| Asymmetric Encryption | Key pair: public key encrypts, private key decrypts (or private signs, public verifies); slower than symmetric; solves key distribution | RSA (2048/4096-bit), ECC (Elliptic Curve), Diffie-Hellman (key exchange), DSA | Digital signatures, key exchange, TLS handshake, email encryption (PGP/S-MIME), certificate signing |
| Hashing | One-way function producing a fixed-length digest; cannot be reversed; any change to input produces a completely different hash; used for integrity verification | SHA-256, SHA-3, SHA-512, MD5 (weak/legacy), HMAC (hash + key) | Password storage (with salt), file integrity verification, digital signatures, blockchain, certificate fingerprints |
Exam Tip: Symmetric encryption is faster and used for bulk data. Asymmetric encryption solves the key exchange problem. In practice, TLS uses asymmetric encryption to exchange a symmetric session key, then symmetric encryption for the actual data transfer. This is called hybrid encryption.
PKI and Certificates
| Component | Description |
|---|---|
| Certificate Authority (CA) | Trusted entity that issues, signs, and revokes digital certificates; root CA is the trust anchor; intermediate CAs issue end-entity certificates; examples: DigiCert, Let's Encrypt, Sectigo |
| Digital Certificate (X.509) | Binds a public key to an identity (domain, organization, individual); contains subject name, issuer, public key, validity dates, serial number, and digital signature of the CA |
| Certificate Signing Request (CSR) | Generated by the entity requesting a certificate; contains the public key and identity information; submitted to the CA for signing |
| Certificate Revocation List (CRL) | A published list of certificates that have been revoked before their expiration date; maintained by the CA; clients check the CRL to verify certificate validity |
| OCSP (Online Certificate Status Protocol) | Real-time protocol to check the revocation status of a single certificate; faster than downloading entire CRL; OCSP stapling embeds the response in the TLS handshake for performance |
| Certificate Types | DV (Domain Validation): verifies domain ownership only; OV (Organization Validation): verifies organization identity; EV (Extended Validation): highest trust level with strict vetting; Wildcard: covers *.domain.com; SAN: multiple domains in one cert |
| Certificate Pinning | Associates a specific certificate or public key with a host; prevents MITM attacks using rogue certificates; implemented in applications or HPKP header (deprecated in browsers) |
Network Security Devices and Technologies
| Technology | Function |
|---|---|
| Firewall | Filters traffic based on rules; stateless (per-packet), stateful (tracks connections), or next-gen (NGFW: application awareness, IPS, deep packet inspection, TLS inspection); can be network-based or host-based |
| IDS (Intrusion Detection System) | Monitors and alerts on suspicious traffic; passive; does NOT block traffic; uses signature-based (known patterns) or anomaly-based (behavioral baseline) detection; NIDS (network) or HIDS (host) |
| IPS (Intrusion Prevention System) | Monitors AND actively blocks malicious traffic inline; sits in the traffic path; can drop packets, reset connections, or block source IPs; risk of false positives blocking legitimate traffic |
| VPN (Virtual Private Network) | Creates encrypted tunnel over public networks; site-to-site connects networks (IPsec); remote access connects individual users (SSL/TLS or IPsec); split tunnel vs full tunnel routing options |
| NAC (Network Access Control) | Enforces security policies before granting network access; checks device health (patches, antivirus, compliance); uses 802.1X for port-based authentication; quarantines non-compliant devices |
| WAF (Web Application Firewall) | Protects web applications by filtering HTTP/HTTPS traffic; defends against SQLi, XSS, CSRF, and OWASP Top 10 attacks; operates at Layer 7; can be inline or reverse proxy mode |
| SIEM (Security Information and Event Management) | Aggregates and correlates log data from multiple sources; provides real-time alerting, dashboards, and forensic analysis; examples: Splunk, Microsoft Sentinel, QRadar, LogRhythm |
| SOAR (Security Orchestration, Automation, and Response) | Automates incident response workflows and playbooks; integrates with SIEM, ticketing, and security tools; reduces mean time to respond (MTTR); orchestrates actions across multiple platforms |
Identity and Access Management (IAM)
| Protocol / Technology | Description |
|---|---|
| LDAP / LDAPS | Lightweight Directory Access Protocol; queries and manages directory services (Active Directory); port 389 (LDAP) / 636 (LDAPS encrypted); hierarchical structure: OU, CN, DC |
| RADIUS | Remote Authentication Dial-In User Service; centralized AAA for network access; encrypts only the password in transit; uses UDP ports 1812/1813; common for Wi-Fi (802.1X) and VPN authentication |
| TACACS+ | Terminal Access Controller Access-Control System Plus; Cisco-proprietary AAA protocol; encrypts entire payload (more secure than RADIUS); uses TCP port 49; separates authentication, authorization, and accounting |
| SAML | Security Assertion Markup Language; XML-based SSO protocol for web applications; uses identity provider (IdP) and service provider (SP); exchanges authentication assertions via browser redirects; enterprise SSO standard |
| OAuth 2.0 | Authorization framework (NOT authentication); grants third-party applications limited access to user resources without sharing credentials; uses access tokens; powers "Sign in with Google/Facebook" authorization flows |
| OpenID Connect (OIDC) | Authentication layer built on top of OAuth 2.0; adds identity verification with ID tokens (JWT); provides both authentication and authorization; modern SSO for web and mobile applications |
| SSO (Single Sign-On) | Authenticate once, access multiple applications; reduces password fatigue and helpdesk calls; implemented via SAML, OAuth/OIDC, or Kerberos; risk: single point of compromise if SSO account is breached |
| MFA (Multi-Factor Authentication) | Requires two or more distinct authentication factors; combines knowledge, possession, biometric, location, or behavioral factors; dramatically reduces account compromise risk; required by most compliance frameworks |
Incident Response Process
| Phase | Activities |
|---|---|
| 1. Preparation | Develop IR plan and playbooks; establish IR team (CSIRT); deploy monitoring tools; conduct tabletop exercises; define communication procedures; maintain call trees and escalation paths |
| 2. Detection & Analysis | Identify indicators of compromise (IoC); analyze alerts from SIEM, IDS/IPS, EDR; triage and classify the incident severity; determine scope and impact; document findings |
| 3. Containment | Short-term: isolate affected systems (disconnect network, disable accounts); long-term: apply temporary fixes while maintaining evidence; prevent further spread without destroying forensic evidence |
| 4. Eradication | Remove the root cause: delete malware, close vulnerabilities, remove attacker access; rebuild compromised systems from clean images; patch exploited vulnerabilities; reset compromised credentials |
| 5. Recovery | Restore systems to normal operations; restore from clean backups; verify system integrity; monitor closely for signs of re-infection; gradually return to production; validate functionality |
| 6. Lessons Learned | Post-incident review meeting; document what happened, timeline, root cause; identify improvements to processes, tools, and training; update IR plan and playbooks; create after-action report |
Disaster Recovery and Business Continuity
| Concept | Definition | Key Details |
|---|---|---|
| RPO (Recovery Point Objective) | Maximum acceptable amount of data loss measured in time | RPO of 4 hours means you can tolerate losing up to 4 hours of data; drives backup frequency; lower RPO = more frequent backups = higher cost |
| RTO (Recovery Time Objective) | Maximum acceptable time to restore operations after a disruption | RTO of 2 hours means systems must be back online within 2 hours; drives DR infrastructure investment; lower RTO = faster recovery = higher cost |
| MTTR (Mean Time to Repair) | Average time to repair a failed component or restore service | Measures operational efficiency of recovery processes; lower is better; includes diagnosis, repair, and testing time |
| MTBF (Mean Time Between Failures) | Average time between system failures | Measures reliability of a system; higher is better; used for capacity planning and predicting hardware replacement schedules |
Backup Types
| Type | What It Backs Up | Speed & Storage | Restore Time |
|---|---|---|---|
| Full | All selected data every time | Slowest backup; most storage | Fastest restore (single backup needed) |
| Incremental | Only data changed since last backup (any type) | Fastest backup; least storage | Slowest restore (full + all incrementals needed) |
| Differential | All data changed since last full backup | Moderate backup speed; moderate storage (grows over time) | Moderate restore (full + latest differential needed) |
| Snapshot | Point-in-time copy of an entire volume or VM state | Very fast; uses copy-on-write; minimal initial storage | Instant rollback to the snapshot point |
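The restore-time column above follows from which backups must be applied: full only; full plus every incremental since; or full plus the latest differential. The added example below (not from the original cheat sheet) implements that chain selection for any mix of the three types, including a schedule that alternates differentials and incrementals, which the table does not spell out; the weekly schedules and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Backup:
    taken: date
    kind: str  # "full", "differential" or "incremental"


def restore_chain(backups, target):
    """Backups that must be applied, in order, to recover to the end of `target` day.
    A differential covers everything since the last full, so it replaces any earlier
    differential or incremental; incrementals taken after it must all be applied."""
    history = sorted((b for b in backups if b.taken <= target), key=lambda b: b.taken)
    full_idx = max((i for i, b in enumerate(history) if b.kind == "full"), default=None)
    if full_idx is None:
        raise ValueError("no full backup on or before the target date")
    full = history[full_idx]
    chain, pending = [full], []
    for b in history[full_idx + 1:]:
        if b.kind == "differential":
            chain, pending = [full, b], []
        elif b.kind == "incremental":
            pending.append(b)
        else:
            raise ValueError(f"unknown backup kind {b.kind!r}")
    return chain + pending


def chain_labels(backups, target):
    """Human-readable form of restore_chain, e.g. 'full 2024-05-05'."""
    return [f"{b.kind} {b.taken.isoformat()}" for b in restore_chain(backups, target)]


# Constructed schedules: a full on Sunday, then six daily backups of one kind.
SUNDAY = date(2024, 5, 5)
FRIDAY = SUNDAY + timedelta(days=5)
SATURDAY = SUNDAY + timedelta(days=6)


def weekly_schedule(kind, start=SUNDAY):
    return [Backup(start, "full")] + [Backup(start + timedelta(days=d), kind) for d in range(1, 7)]


# Constructed mixed week: full Sun, incrementals Mon/Tue, differential Wed, incrementals Thu/Fri.
MIXED_WEEK = [
    Backup(SUNDAY, "full"),
    Backup(SUNDAY + timedelta(days=1), "incremental"),
    Backup(SUNDAY + timedelta(days=2), "incremental"),
    Backup(SUNDAY + timedelta(days=3), "differential"),
    Backup(SUNDAY + timedelta(days=4), "incremental"),
    Backup(FRIDAY, "incremental"),
]
```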
Site Recovery Types
| Type | Description | Recovery Time | Cost |
|---|---|---|---|
| Hot Site | Fully operational duplicate facility with live data replication; ready to take over immediately | Minutes to hours | Most expensive |
| Warm Site | Has hardware and connectivity but requires data restoration and configuration before use | Hours to days | Moderate |
| Cold Site | Empty facility with power and network; all equipment and data must be brought in and configured | Days to weeks | Least expensive |
Risk Management Concepts
| Concept | Definition |
|---|---|
| Risk | The probability that a threat will exploit a vulnerability and the resulting impact on the organization; Risk = Threat x Vulnerability x Impact |
| Threat | Any potential event or action that could cause harm to an asset; natural disasters, malicious actors, system failures, human error |
| Vulnerability | A weakness in a system, process, or control that can be exploited by a threat; unpatched software, misconfigurations, weak passwords |
| Risk Register | Document that lists all identified risks, their likelihood, impact, risk level, owner, and planned response; central tracking document for risk management |
| Risk Assessment | Process of identifying, analyzing, and evaluating risks; can be qualitative (subjective: high/medium/low) or quantitative (numeric: ALE = SLE x ARO) |
Risk Response Strategies
| Strategy | Description | Example |
|---|---|---|
| Mitigation (Reduce) | Implement controls to reduce the likelihood or impact of a risk | Deploy a firewall, enable MFA, apply patches, conduct training |
| Transfer | Shift the financial or operational impact of a risk to a third party | Purchase cyber insurance, outsource to a managed security provider, use SLAs with penalties |
| Acceptance | Acknowledge the risk and decide to accept the potential impact without additional controls | Risk is too low-probability or too costly to mitigate; document the decision and risk owner approval |
| Avoidance | Eliminate the risk entirely by removing the activity or asset that creates it | Discontinue a vulnerable service, stop collecting sensitive data you do not need, exit a risky market |
Quantitative Risk Analysis
| Formula | Meaning | Example |
|---|---|---|
| AV (Asset Value) | Total value of the asset | Server worth $100,000 |
| EF (Exposure Factor) | Percentage of asset lost in a single incident | 50% destroyed = 0.5 |
| SLE = AV x EF | Single Loss Expectancy: dollar loss per incident | $100,000 x 0.5 = $50,000 |
| ARO (Annualized Rate of Occurrence) | How many times per year the event is expected to occur; may be fractional | 2 times per year = 2; once every 4 years = 0.25 |
| ALE = SLE x ARO | Annual Loss Expectancy: expected yearly cost of risk | $50,000 x 2 = $100,000/year |
Exam Tip: If the annual cost of a control is less than the reduction in ALE it produces (ALE before the control minus ALE after it), implementing the control is justified. This is the basis for cost-benefit analysis in risk management. Memorize: ALE = SLE x ARO and SLE = AV x EF.
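The calculation above, carried through to the buy/no-buy decision the Exam Tip describes. This is an added example for this guide, not code from any vendor tool or from CompTIA; the baseline figures mirror the table (AV $100,000, EF 0.5, ARO 2) and the three candidate controls, their costs and their residual EF/ARO values are constructed for illustration.

```python
"""Quantitative risk analysis: SLE, ALE and a control cost-benefit decision.

Added worked example for this guide, not from any vendor tool. All asset
values, exposure factors, rates and control costs below are constructed
figures; the baseline mirrors the table above (AV $100,000, EF 0.5, ARO 2).
"""
from dataclasses import dataclass
from typing import Optional


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = AV x EF: dollar loss from one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF is the fraction of the asset lost, 0.0 to 1.0")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual Loss Expectancy = SLE x ARO. ARO may be fractional:
    an event expected once every four years has ARO 0.25."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(asset_value, exposure_factor) * aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual EF/ARO once it is in place."""
    name: str
    annual_cost: float   # purchase plus upkeep, amortised per year
    new_ef: float        # residual exposure factor (a control may only cut impact)
    new_aro: float       # residual rate of occurrence (or only cut likelihood)


def annual_benefit(av: float, ef: float, aro: float, control: Control) -> float:
    """ALE reduction the control buys: ALE before minus ALE after."""
    return ale(av, ef, aro) - ale(av, control.new_ef, control.new_aro)


def is_justified(av: float, ef: float, aro: float, control: Control) -> bool:
    """The exam rule: buy the control when its annual cost is below the
    ALE reduction it delivers."""
    return control.annual_cost < annual_benefit(av, ef, aro, control)


def rosi(av: float, ef: float, aro: float, control: Control) -> float:
    """Return on security investment: (benefit - cost) / cost."""
    return (annual_benefit(av, ef, aro, control) - control.annual_cost) / control.annual_cost


def best_control(av: float, ef: float, aro: float, controls: list) -> Optional[Control]:
    """Among justified controls, the one with the largest net annual
    benefit; None if nothing pays for itself."""
    justified = [c for c in controls if is_justified(av, ef, aro, c)]
    if not justified:
        return None
    return max(justified, key=lambda c: annual_benefit(av, ef, aro, c) - c.annual_cost)


# Constructed baseline from the table: a $100,000 server, half of it lost
# per incident, two incidents a year.
SERVER_AV, SERVER_EF, SERVER_ARO = 100_000.0, 0.5, 2.0

# Constructed candidate controls (names and figures are illustrative).
CONTROLS = [
    Control("Offsite backups", annual_cost=30_000, new_ef=0.1, new_aro=2.0),   # cuts impact only
    Control("Patch management", annual_cost=20_000, new_ef=0.5, new_aro=0.5),  # cuts likelihood only
    Control("Hot DR site", annual_cost=150_000, new_ef=0.05, new_aro=2.0),     # biggest cut, too expensive
]


if __name__ == "__main__":
    print(f"Baseline ALE: ${ale(SERVER_AV, SERVER_EF, SERVER_ARO):,.0f}/year")
    for c in CONTROLS:
        benefit = annual_benefit(SERVER_AV, SERVER_EF, SERVER_ARO, c)
        print(f"{c.name:17} cost ${c.annual_cost:>9,.0f}  benefit ${benefit:>9,.0f}"
              f"  ROSI {rosi(SERVER_AV, SERVER_EF, SERVER_ARO, c):+.2f}"
              f"  justified={is_justified(SERVER_AV, SERVER_EF, SERVER_ARO, c)}")
    print("Recommend:", best_control(SERVER_AV, SERVER_EF, SERVER_ARO, CONTROLS).name)
```

The point the numbers make: the hot DR site removes the most risk ($90,000 of the $100,000 ALE) but costs more than it saves, so it fails the test in the Exam Tip, while patch management is the best choice because it has the largest net benefit ($75,000 saved for $20,000 spent), not the largest gross reduction.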
Compliance Frameworks and Regulations
| Framework / Regulation | Scope | Key Requirements |
|---|---|---|
| GDPR | EU data protection regulation; applies globally to any organization processing EU residents' personal data | Right to be forgotten, data portability, 72-hour breach notification to the supervisory authority, Data Protection Officer (DPO) where required, consent requirements, fines up to 4% of global annual turnover or 20M EUR, whichever is higher |
| PCI-DSS | Payment Card Industry Data Security Standard; applies to any entity that stores, processes, or transmits cardholder data | 12 requirements including network segmentation, encryption of cardholder data, access control, regular testing, vulnerability management, and maintaining security policies |
| HIPAA | Health Insurance Portability and Accountability Act; applies to healthcare providers, insurers, and business associates in the US | Protect PHI (Protected Health Information); Privacy Rule, Security Rule, Breach Notification Rule; administrative, physical, and technical safeguards |
| SOX (Sarbanes-Oxley) | US financial reporting regulation; applies to publicly traded companies | Internal controls over financial reporting; CEO/CFO certification of reports; audit trail requirements; whistleblower protections |
| NIST CSF | National Institute of Standards and Technology Cybersecurity Framework; voluntary for the private sector, mandatory for US federal agencies | Five core functions in CSF 1.1: Identify, Protect, Detect, Respond, Recover (CSF 2.0, published in February 2024, adds a sixth, Govern); risk-based approach; widely adopted as a security maturity model |
| ISO 27001 / 27002 | International standard for information security management systems (ISMS); globally recognized | 27001: requirements for establishing an ISMS; 27002: best practice controls; Plan-Do-Check-Act cycle; certifiable standard |
Security Governance Concepts
| Concept | Description |
|---|---|
| Acceptable Use Policy (AUP) | Defines how employees may use organizational IT resources; covers internet usage, email, social media, personal device use; signed acknowledgment required |
| Data Classification | Categorizing data by sensitivity level to apply appropriate controls; common levels: Public, Internal, Confidential, Restricted/Secret; drives encryption, access, and retention decisions |
| Data Roles | Data Owner: executive responsible for data classification and policy; Data Custodian: implements technical controls (backups, access); Data Steward: ensures data quality and compliance; Data Processor: processes data on behalf of the controller |
| Separation of Duties | No single person should control all phases of a critical process; prevents fraud and errors; requires collusion for abuse; example: person who approves purchases cannot also process payments |
| Least Privilege | Users receive only the minimum permissions necessary to perform their job functions; reduces attack surface; applies to accounts, applications, and services |
| Change Management | Formal process for requesting, reviewing, approving, and implementing changes to IT systems; includes impact analysis, rollback plans, testing, and documentation; prevents unauthorized changes |
Third-Party Risk Management
- Vendor Assessment: Evaluate the security posture of vendors and suppliers before engagement; review SOC 2 reports, penetration test results, security certifications, and compliance attestations
- Supply Chain Risk: Risks introduced through hardware, software, and service providers; compromised updates (e.g., SolarWinds), counterfeit hardware, malicious libraries in code dependencies
- Service Level Agreements (SLA): Contractual agreements defining expected service performance, uptime, and security responsibilities; should include breach notification timelines and data handling requirements
- Business Partners Agreement (BPA): Defines roles, responsibilities, and expectations between business partners; includes liability, data sharing, and security obligations
- Non-Disclosure Agreement (NDA): Legally binding agreement to protect confidential information shared between parties; prevents unauthorized disclosure of sensitive business or technical information
- Right to Audit: Contractual clause allowing the organization to audit the vendor's security controls, processes, and compliance; essential for maintaining oversight of third-party risk
IDS vs IPS
| Aspect | IDS | IPS |
|---|---|---|
| Action | Detects and alerts only; passive monitoring | Detects AND blocks; active prevention inline |
| Placement | Out of band (mirror/span port); does not sit in traffic path | Inline; sits directly in the traffic path |
| Impact on Traffic | No impact; traffic flows regardless of alerts | Can cause latency; false positives may block legitimate traffic |
| Risk | May miss attacks (false negatives); cannot prevent damage | False positives may disrupt operations; single point of failure if not properly deployed |
Symmetric vs Asymmetric Encryption
| Aspect | Symmetric | Asymmetric |
|---|---|---|
| Keys | Single shared key for encrypt and decrypt | Key pair: public key and private key |
| Speed | Fast; suitable for large data volumes | Slow; computationally expensive |
| Key Distribution | Challenge: must securely share the key | Solved: public key can be freely shared |
| Algorithms | AES, 3DES, ChaCha20, Blowfish | RSA, ECC, Diffie-Hellman, DSA |
| Use Case | Bulk data encryption, disk encryption, VPN data | Digital signatures, key exchange, TLS handshake, email encryption |
SIEM vs SOAR
| Aspect | SIEM | SOAR |
|---|---|---|
| Primary Function | Log aggregation, correlation, and alerting | Automated incident response and workflow orchestration |
| Focus | Detection and visibility; what is happening | Response and automation; what to do about it |
| Human Involvement | Analysts investigate and respond to alerts | Automates repetitive tasks; playbooks execute without manual intervention |
| Relationship | Detects the threat and raises the alert; feeds its alerts to SOAR | Consumes SIEM alerts and automates the response; complementary to SIEM, not a replacement for it |
Vulnerability Scan vs Penetration Test
| Aspect | Vulnerability Scan | Penetration Test |
|---|---|---|
| Approach | Automated; scans systems for known vulnerabilities using a database of signatures | Manual and automated; ethical hacker actively attempts to exploit vulnerabilities |
| Depth | Broad and shallow; identifies potential weaknesses | Narrow and deep; proves exploitability and measures impact |
| Frequency | Regular and frequent (weekly, monthly, continuous) | Periodic (annually or after major changes) |
| Output | List of vulnerabilities with severity ratings (CVE, CVSS) | Detailed report with exploit chains, evidence, business impact, and remediation recommendations |
| Risk | Low risk; non-intrusive by default | Higher risk; may cause disruption; requires rules of engagement and authorization |
RADIUS vs TACACS+
| Aspect | RADIUS | TACACS+ |
|---|---|---|
| Protocol | UDP (ports 1812 authentication / 1813 accounting; legacy 1645/1646 on older equipment) | TCP (port 49) |
| Encryption | Hides only the password: the User-Password attribute is obfuscated with an MD5 keystream derived from the shared secret; username and every other attribute travel in the clear | Encrypts the entire packet body using the shared secret; only the header is visible (more secure) |
| AAA Functions | Combines authentication and authorization in one exchange | Separates authentication, authorization, and accounting |
| Vendor | Open standard (RFC 2865 authentication, RFC 2866 accounting); widely supported | Cisco-developed and long treated as proprietary; later documented in RFC 8907; primarily used for network device administration |
| Common Use | Network access control (Wi-Fi 802.1X, VPN) | Network device administration (router/switch management) |
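The "encrypts only the password" row is worth seeing on the wire. The block below is an added example for this guide, not code from any RADIUS server or client: it implements the published User-Password hiding algorithm from RFC 2865 section 5.2 (pad the password with NULs to a multiple of 16 bytes, XOR each block with MD5(secret + previous block), seeded with the 16-byte Request Authenticator) and builds the attribute section of an Access-Request so you can check which fields remain readable. The shared secret, authenticator, username and password are constructed values.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2) versus clear-text attributes.

Added example for this guide; not code from any RADIUS implementation.
The shared secret, Request Authenticator, username and password are constructed.
"""
import hashlib
import os

USER_NAME = 1       # RADIUS attribute type codes from RFC 2865
USER_PASSWORD = 2


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Return the obfuscated User-Password attribute value, as the NAS sends it."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator          # b1 = MD5(S + RA)
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                      # b(n) = MD5(S + c(n-1))
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server does on receipt."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    # NUL padding is stripped, so a password ending in NUL bytes does not round-trip.
    return bytes(plain).rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS TLV: Type (1 byte) | Length (1 byte, counts these two) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def access_request_attributes(username: bytes, password: bytes, secret: bytes,
                              request_authenticator: bytes) -> bytes:
    """Attribute section of an Access-Request: User-Name in clear, User-Password hidden."""
    return (_attribute(USER_NAME, username)
            + _attribute(USER_PASSWORD, hide_user_password(password, secret, request_authenticator)))


# Constructed demo values (a real NAS draws a fresh authenticator per request).
SECRET = b"sh4red-s3cret"
USERNAME = b"alice"
PASSWORD = b"correct horse battery staple"
FIXED_RA = bytes(range(16))


if __name__ == "__main__":
    ra = os.urandom(16)
    attrs = access_request_attributes(USERNAME, PASSWORD, SECRET, ra)
    print("attributes on the wire:", attrs.hex())
    print("username readable in clear:", USERNAME in attrs)
    print("password readable in clear:", PASSWORD in attrs)
    hidden = attrs[2 + len(USERNAME) + 2:]   # skip the User-Name TLV and the User-Password type/length
    print("server recovers:", reveal_user_password(hidden, SECRET, ra))
```

Two practitioner caveats follow directly from the algorithm. When the password is shorter than 16 bytes, the NUL padding means the tail of the first hidden block is keystream alone, which gives an eavesdropper known plaintext for offline dictionary attacks on the shared secret; and nothing here protects User-Name or the rest of the packet. Both are why RADIUS should be carried inside IPsec or RADIUS over TLS (RadSec, RFC 6614) on any network an attacker can sniff.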
RPO vs RTO
| Aspect | RPO (Recovery Point Objective) | RTO (Recovery Time Objective) |
|---|---|---|
| Measures | Maximum acceptable data loss (time) | Maximum acceptable downtime (time) |
| Question It Answers | How much data can we afford to lose? | How long can we afford to be down? |
| Drives | Backup frequency and replication strategy | DR infrastructure investment and recovery procedures |
| Example | RPO of 1 hour = backups every hour minimum | RTO of 4 hours = systems restored within 4 hours |
Authentication Protocols Compared
| Protocol | Type | Format | Best For |
|---|---|---|---|
| SAML | Authentication + Authorization | XML-based assertions via browser redirect | Enterprise web SSO between IdP and SP |
| OAuth 2.0 | Authorization only (NOT authentication) | Bearer access tokens issued in a JSON response; the token format is opaque to the client | Delegated API access; third-party app authorization |
| OpenID Connect | Authentication (identity layer on top of OAuth 2.0 authorization) | Signed JWT ID token returned alongside the OAuth 2.0 access token | Modern web/mobile SSO; consumer applications |
| Kerberos | Authentication | Ticket-based (TGT from KDC) | Active Directory / on-premises SSO |
Exam Tip: OAuth 2.0 is for AUTHORIZATION, not authentication. It lets apps access resources on your behalf. OpenID Connect adds the authentication layer on top of OAuth. SAML is the enterprise standard for web SSO. Kerberos is the on-premises Active Directory authentication protocol. These distinctions are heavily tested on SY0-701.
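The distinction in the Exam Tip is concrete in code: an OAuth 2.0 access token tells the client nothing verifiable about who logged in, while OpenID Connect gives the client a signed ID token whose claims it must check before treating the response as a login (OpenID Connect Core 1.0, section 3.1.3.7). The block below is an added example for this guide, not code from any identity provider or SDK. Real providers sign ID tokens with RS256/ES256 keys published through JWKS; this example uses HS256 with a shared key so it runs on the standard library alone, which is an assumption for the demo. The issuer, client IDs, subject, nonce and timestamps are constructed.

```python
"""ID-token validation: what makes OpenID Connect an authentication protocol.

Added example for this guide, not code from any IdP or SDK. HS256 with a
shared key is a demo assumption; production OIDC uses asymmetric signatures.
Issuer, client IDs, subject, nonce and timestamps are constructed values.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class InvalidIDToken(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """What the IdP does: header.payload.signature, HS256 (demo assumption)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}." + _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: Optional[int] = None) -> dict:
    """What the relying party must do before treating the token as a login."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIDToken("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; the token never picks it
        raise InvalidIDToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidIDToken("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise InvalidIDToken("issuer mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in audiences:             # valid token, but minted for another app
        raise InvalidIDToken("audience mismatch")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise InvalidIDToken("azp mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise InvalidIDToken("token expired")
    if claims.get("nonce") != nonce:           # binds the token to this login attempt
        raise InvalidIDToken("nonce mismatch")
    if not claims.get("sub"):
        raise InvalidIDToken("missing subject")
    return claims


def rejection_reason(token: str, key: bytes, issuer: str, client_id: str,
                     nonce: str, now: int) -> Optional[str]:
    """None if the token is accepted, otherwise why it was rejected."""
    try:
        validate_id_token(token, key, issuer, client_id, nonce, now)
        return None
    except InvalidIDToken as exc:
        return str(exc)


def forge_subject(token: str, new_sub: str) -> str:
    """Attacker's move: rewrite the sub claim but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return f"{header_b64}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{sig_b64}"


# Constructed demo values.
KEY = b"constructed-idp-signing-key"
ISSUER = "https://idp.example"
CLIENT_ID = "app-123"
NONCE = "n-0S6_WzA2Mj"
NOW = 1_700_000_000


def good_claims() -> dict:
    return {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID,
            "exp": NOW + 300, "iat": NOW, "nonce": NONCE}


if __name__ == "__main__":
    ok = mint_id_token(good_claims(), KEY)
    cases = [("valid", ok),
             ("other client", mint_id_token({**good_claims(), "aud": "app-999"}, KEY)),
             ("expired", mint_id_token({**good_claims(), "exp": NOW - 1}, KEY)),
             ("forged sub", forge_subject(ok, "attacker"))]
    for name, tok in cases:
        print(f"{name:13} -> {rejection_reason(tok, KEY, ISSUER, CLIENT_ID, NONCE, NOW) or 'accepted'}")
```

The "other client" case is the one the Exam Tip is warning about: the token is genuinely signed by the IdP and describes a real user, but it was issued to a different application, so accepting it as proof of login lets anyone who obtained a token for app-999 sign in to app-123 as that user. The audience check, not the signature, is what closes that hole.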
Essential Port Numbers
| Port | Protocol | Service |
|---|---|---|
| 21 | TCP | FTP (File Transfer Protocol) control channel; port 20 carries data in active mode; unencrypted, use SFTP/FTPS instead |
| 22 | TCP | SSH / SFTP / SCP - secure remote access and file transfer |
| 23 | TCP | Telnet - unencrypted remote access; never use in production |
| 25 / 587 | TCP | SMTP - server-to-server mail transfer on 25; 587 for client submission with STARTTLS |
| 49 | TCP | TACACS+ - network device AAA |
| 53 | TCP/UDP | DNS - domain name resolution; UDP for ordinary queries, TCP for zone transfers and large responses |
| 80 | TCP | HTTP - unencrypted web traffic |
| 110 / 995 | TCP | POP3 / POP3S - email retrieval (downloads to client) |
| 143 / 993 | TCP | IMAP / IMAPS - email retrieval (syncs with server) |
| 389 / 636 | TCP | LDAP / LDAPS - directory services |
| 443 | TCP | HTTPS - encrypted web traffic (TLS) |
| 514 | UDP | Syslog - centralized logging (6514/TCP for syslog over TLS) |
| 1812 / 1813 | UDP | RADIUS - authentication / accounting |
| 3389 | TCP | RDP - Remote Desktop Protocol (Windows remote access) |