CompTIA Security+ Study Guide
Domain 1: General Security Concepts (12%)
This domain covers foundational security principles, control categories, and core cryptography concepts.
Security control categories: Technical (firewalls, encryption), Managerial (policies, risk assessments), Operational (training, procedures), Physical (locks, cameras)
Control types: Preventive, Detective, Corrective, Deterrent, Compensating, Directive
Zero Trust architecture: "Never trust, always verify." No implicit trust based on network location. Requires authentication and authorization for every resource request. Key pillars: verify explicitly, use least privilege, assume breach.
| Concept | Definition |
|---|---|
| AAA | Authentication, Authorization, Accounting — the framework for proving identity, granting rights, and recording what was done |
| CIA Triad | Confidentiality, Integrity, Availability — core security objectives |
| Non-repudiation | Proof that an action occurred and cannot be denied (digital signatures) |
| Gap analysis | Comparing current security posture to a desired baseline or framework |
Cryptography basics:
- Symmetric encryption (AES; 3DES is legacy and NIST disallows it for new encryption after 2023): Same key for encrypt/decrypt. Fast, used for bulk data.
- Asymmetric encryption (RSA, ECC such as ECDSA/ECDH): Public/private key pair. Slower, used for key exchange, digital signatures, and wrapping symmetric session keys.
- Hashing (SHA-256, SHA-3): One-way function producing a fixed-length digest. Used for integrity verification. MD5 and SHA-1 are no longer collision resistant and should not be used for signatures or certificates.
- PKI: Public Key Infrastructure — CAs issue digital certificates binding public keys to identities.
Key and digest lengths to know: AES-128/256 (symmetric key), RSA-2048+ (asymmetric modulus), SHA-256/384/512 (digest length). Longer is stronger only within one algorithm family: RSA-2048 provides roughly 112 bits of security, comparable to AES-128 rather than AES-256, and RSA-3072 is the rough equivalent of AES-128's 128 bits.
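The integrity bullet above is easy to misread as "a hash protects the data". It only detects corruption; an attacker who can modify the data can recompute the hash too. The added example below (not from the study guide; the manifest string, key handling and the on-path tampering are constructed for illustration) shows a plain SHA-256 check being fooled, then the same check done with HMAC-SHA256, where the attacker lacks the key. Because both sides of an HMAC hold the same key, either could have produced the tag, which is why non-repudiation in the table above requires an asymmetric signature rather than an HMAC.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a release manifest an update client might fetch.
MANIFEST = b"package=agent;version=2.4.1;approved=no"


def sha256_hex(data: bytes) -> str:
    """Plain one-way digest. Detects accidental corruption, nothing more."""
    return hashlib.sha256(data).hexdigest()


def verify_plain_hash(data: bytes, digest_hex: str) -> bool:
    """What a naive client does when the digest travels next to the data."""
    return sha256_hex(data) == digest_hex


def make_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a digest that also requires the shared key to produce."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag_hex: str) -> bool:
    # compare_digest runs in constant time, so a wrong tag does not leak
    # how many leading bytes were already correct.
    return hmac.compare_digest(make_tag(key, data), tag_hex)


def on_path_attacker(data: bytes) -> bytes:
    """Tamper with the manifest in transit (hypothetical attacker)."""
    return data.replace(b"approved=no", b"approved=yes")


def demo() -> dict:
    key = secrets.token_bytes(32)  # shared between publisher and client only
    tampered = on_path_attacker(MANIFEST)

    # Avalanche effect: one changed field, an unrelated 256-bit digest.
    digests_differ = sha256_hex(MANIFEST) != sha256_hex(tampered)

    # Integrity without authenticity: the attacker recomputes the hash for
    # the modified data, ships both, and the naive client accepts it.
    plain_hash_fooled = verify_plain_hash(tampered, sha256_hex(tampered))

    # With an HMAC the attacker lacks the key, so neither the original tag
    # nor a tag minted under a guessed key verifies for the tampered data.
    tag = make_tag(key, MANIFEST)
    original_ok = verify_tag(key, MANIFEST, tag)
    tamper_rejected = not verify_tag(key, tampered, tag)
    forged_tag = make_tag(secrets.token_bytes(32), tampered)
    forgery_rejected = not verify_tag(key, tampered, forged_tag)

    return {
        "digests_differ": digests_differ,
        "plain_hash_fooled": plain_hash_fooled,
        "original_ok": original_ok,
        "tamper_rejected": tamper_rejected,
        "forgery_rejected": forgery_rejected,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Every entry returned by `demo()` is `True`: the digest changes, the bare hash is fooled, and both the tampered message and the forged tag are rejected once a key is involved.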
Domain 2: Threats, Vulnerabilities & Mitigations (22%)
The second-largest domain. Know threat actor types, attack techniques, and how to counter them.
Threat actor types: Nation-state (sophisticated, APT), Organized crime (financially motivated), Hacktivist (ideological), Insider threat (authorized access misused), Script kiddie (low skill, opportunistic)
Common attack types:
- Phishing: Deceptive emails/messages. Spear phishing (targeted), Whaling (executives), Vishing (voice), Smishing (SMS)
- Malware types: Ransomware (encrypts data for ransom), RAT (remote access trojan), Rootkit (hides in OS), Keylogger, Worm (self-replicating), Fileless malware (lives in memory)
- Social engineering: Pretexting, Tailgating/Piggybacking, Baiting, Quid pro quo
- Network attacks: DDoS (overwhelm resources), On-path/MitM (intercept traffic), DNS poisoning, ARP spoofing
- Web attacks: SQL injection, XSS (cross-site scripting), CSRF (cross-site request forgery), Directory traversal
- Password attacks: Brute force, Password spraying (one common password tried against many accounts to stay under lockout thresholds), Dictionary, Credential stuffing (reused breached credentials), Rainbow table (defeated by salting), Pass-the-hash
| Vulnerability Type | Description |
|---|---|
| Zero-day | Unknown to vendor; no patch available yet |
| CVE | Common Vulnerabilities and Exposures — standardized vulnerability identifiers |
| CVSS | Common Vulnerability Scoring System — 0–10 severity rating |
| Supply chain attack | Compromising a vendor or software component upstream (e.g., SolarWinds) |
Mitigation strategies: Patch management, network segmentation, MFA, least privilege, user training, EDR/AV, application whitelisting
Domain 3: Security Architecture (18%)
Covers secure network design, cloud security, infrastructure hardening, and resilience.
Network segmentation concepts:
- DMZ (screened subnet in current Security+ wording): Demilitarized zone — hosts public-facing servers (web, email) isolated from the internal network by firewalls on both sides
- VLAN: Virtual LAN — logical network segmentation on a physical switch
- Microsegmentation: Fine-grained segmentation, often in virtualized/cloud environments
- Air gap: Physical isolation — no network connection (used in critical infrastructure)
Firewall types: Packet filtering (stateless), Stateful inspection, Next-gen firewall (NGFW — app-aware, IPS, deep packet inspection), Web Application Firewall (WAF)
Cloud security architecture:
| Model | Customer Responsibility | Provider Responsibility |
|---|---|---|
| IaaS | OS, middleware, runtime, apps, data, identity and access | Physical, network, storage, hypervisor |
| PaaS | Apps, data, identity and access | OS, runtime, middleware, physical |
| SaaS | Data, access management, configuration of the service | Everything else |
Shared responsibility model: Security "in" the cloud = customer. Security "of" the cloud = provider. Misconfiguration of customer-controlled settings (public storage buckets, over-permissive IAM policies, open security groups) is the customer's responsibility regardless of the service model.
Infrastructure resilience: HA clustering, load balancing, geographic redundancy, backup/restore (3-2-1 rule: 3 copies, 2 media types, 1 offsite), RAID for storage redundancy, UPS + generator for power.
Secure protocols: HTTPS (TLS), SFTP (SSH), LDAPS (TLS), SNMPv3 (authentication plus encryption in authPriv mode), SSH (replaces Telnet), IPsec (VPN tunnels)
Domain 4: Security Operations (28%)
The largest domain. Covers monitoring, identity management, incident response, and operational security.
Identity and Access Management (IAM):
- MFA: Two or more different factor types (know, have, are); two passwords are still single-factor. TOTP, FIDO2/WebAuthn, push notifications. FIDO2 is phishing-resistant; push approvals can be worn down by prompt-bombing, and SMS codes are exposed to SIM swapping.
- SSO: Single Sign-On — one login grants access to multiple systems (SAML, OAuth, OIDC)
- PAM: Privileged Access Management — controls and audits admin/root access
- Least privilege: Users get minimum access needed for their role
- Role-based access control (RBAC): Permissions assigned to roles, not individuals
- Directory services: Active Directory (AD), LDAP — central identity stores
Authentication factors: Type 1 = something you KNOW (password, PIN) | Type 2 = something you HAVE (smart card, token, phone) | Type 3 = something you ARE (biometric)
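The "something you HAVE" factor in a TOTP app is really a shared secret plus a clock. The added example below implements HOTP (RFC 4226) and TOTP (RFC 6238) from the Python standard library so the mechanism is visible; it is not code from the study guide or from any authenticator product. The secret, the tolerance window and the replay check are illustrative choices, though the secret chosen is the one the RFCs use for their published test vectors, so the codes can be checked against them.

```python
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a `digits`-long decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: float, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(key, int(for_time // STEP), digits)


def verify_totp(key: bytes, code: str, for_time: float,
                window: int = 1, last_used: int = -1):
    """Return the matching time-step counter, or None.

    Accepts codes from `window` steps either side of now to tolerate clock
    drift between phone and server, but never a counter <= last_used, so a
    code the server already accepted cannot be replayed within its window.
    """
    counter = int(for_time // STEP)
    for c in range(counter - window, counter + window + 1):
        if c > last_used and hmac.compare_digest(hotp(key, c), code):
            return c
    return None


if __name__ == "__main__":
    # Secret from the RFC test vectors; real enrolment shares a random
    # secret via a base32 QR code.
    secret = b"12345678901234567890"
    now = time.time()
    code = totp(secret, now)
    step = verify_totp(secret, code, now)
    print(f"code {code} accepted for step {step}")
    print("replay accepted:", verify_totp(secret, code, now, last_used=step) is not None)
```

The server-side lesson is in `verify_totp`: a small drift window is needed for usability, but without remembering the last accepted counter an attacker who shoulder-surfs or phishes a code has up to 90 seconds to reuse it.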
Security monitoring tools:
| Tool | Function |
|---|---|
| SIEM | Security Information & Event Management — aggregates and correlates logs for threat detection |
| EDR | Endpoint Detection & Response — advanced endpoint monitoring, behavioral analysis, automated response |
| IDS/IPS | Intrusion Detection/Prevention System — matches traffic or host activity against signatures and anomaly baselines (NIDS/HIDS); an IDS alerts out of band, an IPS sits inline and can block |
| DLP | Data Loss Prevention — prevents unauthorized data exfiltration |
| SOAR | Security Orchestration, Automation & Response — automates incident response playbooks |
| Vulnerability scanner | Nessus, Qualys — identifies known CVEs in systems |
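The SIEM row says "correlates logs", which is abstract until you see a correlation rule. The added example below is not from the study guide: it parses a handful of constructed sshd-style syslog lines (hostname, addresses and accounts are sample data) and applies a sliding-window rule that flags a source with five or more failed logins in a minute, then escalates to high severity if that same source then logs in successfully. The second alert is the one an analyst cares about, because it means the password attacks from Domain 2 probably worked.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd/syslog-style lines; hostnames and addresses are sample data.
SAMPLE_LOG = """\
Mar 10 09:00:01 web1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
Mar 10 09:00:03 web1 sshd[2102]: Failed password for invalid user root from 198.51.100.7 port 51123 ssh2
Mar 10 09:00:04 web1 sshd[2103]: Failed password for oracle from 198.51.100.7 port 51124 ssh2
Mar 10 09:00:06 web1 sshd[2104]: Failed password for invalid user test from 198.51.100.7 port 51125 ssh2
Mar 10 09:00:08 web1 sshd[2105]: Failed password for invalid user guest from 198.51.100.7 port 51126 ssh2
Mar 10 09:00:10 web1 sshd[2106]: Accepted password for deploy from 198.51.100.7 port 51127 ssh2
Mar 10 09:05:30 web1 sshd[2140]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Mar 10 09:05:45 web1 sshd[2141]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(log: str, year: int = 2024):
    """Yield (timestamp, result, user, ip). Syslog lines carry no year, so one is supplied."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd messages are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> list:
    """Correlate authentication events per source IP.

    medium: >= threshold failures inside a sliding window (brute force, or
            spraying when the usernames differ)
    high:   a successful login from a source that already tripped the rule
    """
    failures = defaultdict(list)   # ip -> [(ts, user), ...] still inside the window
    tripped = set()
    alerts = []
    for ts, result, user, ip in sorted(parse(log)):
        if result == "Failed":
            failures[ip] = [(t, u) for t, u in failures[ip] if ts - t <= window]
            failures[ip].append((ts, user))
            if len(failures[ip]) >= threshold and ip not in tripped:
                tripped.add(ip)
                alerts.append({"severity": "medium", "ip": ip,
                               "failures": len(failures[ip]),
                               "users": sorted({u for _, u in failures[ip]})})
        elif ip in tripped:
            alerts.append({"severity": "high", "ip": ip, "user": user,
                           "reason": "successful login after failure burst"})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run on the sample, the rule produces one medium alert for 198.51.100.7 (five distinct usernames, a spraying pattern) and one high alert when `deploy` logs in from the same address two seconds later; the single failure from 203.0.113.9 followed by a key-based login is normal user behaviour and stays quiet. A SOAR playbook would typically take the high alert and disable the account or block the source.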
Incident Response lifecycle (NIST SP 800-61 defines four phases and groups containment, eradication and recovery into one; Security+ lists them separately):
- Preparation: IR plan, team, tools in place
- Detection & Analysis: Identify and confirm the incident
- Containment: Limit damage (short-term + long-term containment)
- Eradication: Remove root cause (malware, attacker persistence)
- Recovery: Restore systems, verify normal operation
- Post-Incident Activity: Lessons learned, improve defenses
Digital forensics order of volatility: CPU registers/cache → RAM → Swap/pagefile → Hard disk → Remote logs → Archived media. Always preserve most volatile evidence first.
Hardening techniques: Disable unused services/ports, patch management, configuration baselines, remove default credentials, enable host-based firewall, application control/whitelisting, full disk encryption (BitLocker, FileVault).
Domain 5: Security Program Management & Oversight (20%)
Covers governance, risk management, compliance, data privacy, and security frameworks.
Risk management fundamentals:
- Risk = Likelihood × Impact, where likelihood is the chance of a threat exploiting a vulnerability (often written informally as Threat × Vulnerability × Impact)
- Risk appetite: How much risk an organization is willing to accept
- Risk responses: Accept, Transfer (insurance), Avoid (stop the activity), Mitigate (reduce likelihood/impact)
- Qualitative risk: Descriptive (High/Med/Low). Quantitative risk: Monetary (ALE = SLE × ARO)
Key risk calculations: SLE (Single Loss Expectancy) = Asset Value × Exposure Factor | ALE (Annual Loss Expectancy) = SLE × ARO (Annual Rate of Occurrence)
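The SLE/ALE formulas become useful when they are used to decide whether a control is worth its price, which is how the exam tends to ask about them. The added example below (not from the study guide) carries the calculation through and compares several candidate controls; the asset value, exposure factors, rates of occurrence and control costs are constructed figures for a hypothetical ransomware scenario.

```python
def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: value lost in one occurrence."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annual Loss Expectancy: expected loss per year (SLE x ARO)."""
    return sle(asset_value, exposure_factor) * aro


def control_value(asset_value: float, ef_before: float, aro_before: float,
                  ef_after: float, aro_after: float, annual_cost: float) -> float:
    """Cost/benefit of a mitigating control: ALE reduction minus the
    control's yearly cost. Positive means it pays for itself on quantitative
    grounds; negative means it costs more than the risk it removes."""
    return (ale(asset_value, ef_before, aro_before)
            - ale(asset_value, ef_after, aro_after)
            - annual_cost)


def best_control(asset_value: float, ef_before: float, aro_before: float,
                 options: dict) -> tuple:
    """options maps a name to (ef_after, aro_after, annual_cost).
    Returns (chosen name or 'accept', {name: annual value})."""
    scored = {name: control_value(asset_value, ef_before, aro_before, ef, aro, cost)
              for name, (ef, aro, cost) in options.items()}
    name, value = max(scored.items(), key=lambda kv: kv[1])
    return (name if value > 0 else "accept", scored)


def demo() -> tuple:
    # Constructed scenario: a $500k customer database, ransomware destroys
    # 60% of its value, expected once every five years (ARO 0.2).
    asset, ef, aro = 500_000, 0.6, 0.2
    options = {
        # offline backups + EDR: faster recovery cuts EF, EDR cuts ARO
        "offline backups + EDR": (0.1, 0.1, 25_000),
        # outsourced 24x7 SOC: best reduction, but priced above the ALE
        "outsourced 24x7 SOC": (0.05, 0.05, 60_000),
    }
    return best_control(asset, ef, aro, options)


if __name__ == "__main__":
    chosen, scores = demo()
    print("ALE before controls:", ale(500_000, 0.6, 0.2))
    for name, value in scores.items():
        print(f"{name}: annual value {value:,.0f}")
    print("decision:", chosen)
```

For the constructed numbers the baseline ALE is $60,000; the backup-plus-EDR option leaves an ALE of $5,000 and is worth about $30,000 a year after its own cost, while the SOC option would remove almost all the risk yet still lose roughly $1,250 a year, so the arithmetic favours the cheaper control. Spending more than the ALE on a single control is the textbook sign that a response other than mitigate (accept, or transfer via insurance) deserves a look.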
Compliance frameworks and regulations:
| Framework/Regulation | Scope |
|---|---|
| NIST CSF | Cybersecurity Framework — Identify, Protect, Detect, Respond, Recover (version 2.0, 2024, adds Govern) |
| ISO 27001 | International standard for information security management systems (ISMS) |
| PCI DSS | Payment Card Industry Data Security Standard — protects cardholder data |
| HIPAA | Health Insurance Portability and Accountability Act — protects healthcare data (PHI) |
| GDPR | EU General Data Protection Regulation — personal data rights |
| SOX | Sarbanes-Oxley — financial reporting integrity for public companies |
Data classification: Commercial schemes typically run Public → Internal/Private → Confidential → Restricted; government schemes run Unclassified → Confidential → Secret → Top Secret. The label drives handling requirements, encryption, and access controls.
Security policies: Acceptable Use Policy (AUP), Information Security Policy, Incident Response Policy, BYOD Policy, Change Management Policy, Data Retention Policy.
Third-party risk: Vendor assessments, right-to-audit clauses, SLAs, MOU (Memorandum of Understanding), MSA (Master Service Agreement), NDA, BPA (Business Partner Agreement)
Security awareness training: Phishing simulations, annual security training, role-based training for privileged users, social engineering red flags. People are the weakest link and also the first line of defense.