CompTIA

CompTIA Security+ SY0-701

Intermediate 5 Modules ~35 Hours

A comprehensive study guide aligned with the CompTIA Security+ SY0-701 exam objectives. Master the five core domains of cybersecurity — from foundational security concepts and threat analysis to security architecture, operations, and governance — and build the knowledge you need to earn one of the most widely recognized entry-level security certifications in the industry.

Course Modules

🔒
Module 1
General Security Concepts
12% of exam
1.1 Security Controls & Frameworks
  • Technical Controls
  • Managerial Controls
  • Operational Controls
  • Physical Controls
  • NIST CSF
  • ISO 27001
  • CIS Controls

Security controls are the safeguards or countermeasures employed to protect the confidentiality, integrity, and availability of information systems. Technical controls are implemented through technology, such as firewalls, encryption, and intrusion detection systems. Managerial controls are administrative in nature and include policies, risk assessments, and security awareness programs. Operational controls are carried out by people, covering procedures like change management, incident response plans, and security guard patrols. Physical controls protect the tangible environment and include locks, surveillance cameras, mantrap doors, and fencing. Frameworks such as the NIST Cybersecurity Framework (CSF) provide a structured approach organized around five functions: Identify, Protect, Detect, Respond, and Recover. ISO/IEC 27001 specifies requirements for establishing and maintaining an information security management system (ISMS), while the CIS Critical Security Controls offer a prioritized set of defensive actions that map directly to the most common attack patterns observed in the wild.

1.2 CIA Triad & AAA
  • Confidentiality
  • Integrity
  • Availability
  • Authentication
  • Authorization
  • Accounting
  • Non-repudiation

The CIA triad is the foundational model for information security. Confidentiality ensures that data is accessible only to authorized individuals, enforced through mechanisms like encryption, access control lists, and data masking. Integrity guarantees that data has not been altered in an unauthorized manner, verified through hashing algorithms (SHA-256, for example) and digital signatures. Availability ensures that systems and data are accessible when needed, achieved through redundancy, failover clustering, and proper capacity planning. The AAA framework extends these principles in networked environments: Authentication verifies identity (passwords, biometrics, tokens), Authorization determines what resources an authenticated user may access (role-based permissions, ACLs), and Accounting (or auditing) tracks user activity for compliance and forensic purposes. Non-repudiation ensures that a sender cannot deny having sent a message or performed a transaction, typically enforced through digital signatures and audit logs.

1.3 Threat Actors & Motivations
  • Nation-state
  • Hacktivists
  • Insider Threats
  • Organized Crime
  • Script Kiddies
  • APT
  • Attack Vectors

Understanding who your adversaries are is critical to designing effective defenses. Nation-state actors are government-sponsored groups with substantial resources, targeting critical infrastructure, intellectual property, and foreign governments through sophisticated campaigns known as Advanced Persistent Threats (APTs). Organized crime groups are financially motivated and operate ransomware-as-a-service platforms, business email compromise schemes, and large-scale data theft operations. Hacktivists are ideologically driven and use DDoS attacks, website defacements, and data leaks to further political or social causes. Insider threats originate from current or former employees, contractors, or partners who have legitimate access and can cause damage either intentionally (disgruntled employees) or unintentionally (careless handling of data). Script kiddies are unskilled attackers who rely on pre-built tools and public exploits. Each threat actor category varies in sophistication, resources, and intent, and mapping them helps organizations prioritize security investments based on their specific threat landscape.

1.4 Cryptographic Concepts
  • Symmetric Encryption
  • Asymmetric Encryption
  • Hashing
  • Digital Signatures
  • Certificates
  • PKI
  • Key Exchange

Cryptography is the mathematical foundation of information security. Symmetric encryption uses a single shared key for both encryption and decryption; algorithms like AES-256 are fast and well-suited for encrypting bulk data, but the challenge lies in securely distributing the shared key. Asymmetric encryption uses a key pair (public and private) and is employed in algorithms like RSA and Elliptic Curve Cryptography (ECC) for secure key exchange, digital signatures, and encrypted communications. Hashing produces a fixed-size digest from arbitrary input and is a one-way function; SHA-256 is widely used for file integrity verification and password storage (when combined with a salt). Digital signatures combine hashing with asymmetric encryption to provide authentication, integrity, and non-repudiation — the sender hashes a message and encrypts the hash with their private key, and the recipient decrypts it with the sender's public key to verify. Public Key Infrastructure (PKI) manages digital certificates issued by a trusted Certificate Authority (CA), binding public keys to identities and enabling trust across systems through a chain of trust hierarchy.
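To make the "hashing with a salt" point concrete, here is an added example (not from the course page) of salted password storage with PBKDF2-HMAC-SHA256 from Python's standard library, beside the unsalted digest it replaces; the iteration count and record format are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not part of the course page. ITERATIONS is an assumed work
# factor for PBKDF2, not a value the page specifies.
ITERATIONS = 210_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return an 'iterations$salt_hex$digest_hex' record suitable for storage."""
    if salt is None:
        salt = os.urandom(16)  # random per password; stored in the clear, need not be secret
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_sha256(password: str) -> str:
    """The weak form: identical for every user who chose the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def record_salt(stored: str) -> bytes:
    """Extract the salt from a stored record (used to show salts differ per record)."""
    return bytes.fromhex(stored.split("$")[1])
```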

⚠️
Module 2
Threats, Vulnerabilities & Mitigations
22% of exam
2.1 Malware Types & Indicators
  • Ransomware
  • Trojans
  • Rootkits
  • Spyware
  • Worms
  • Fileless Malware
  • IoC

Malware refers to any software intentionally designed to cause harm. Ransomware encrypts a victim's files and demands payment for the decryption key; modern variants like double-extortion ransomware also exfiltrate data and threaten public disclosure. Trojans disguise themselves as legitimate software to trick users into execution, often creating backdoors for remote access. Rootkits operate at the kernel or firmware level to hide their presence from security tools, making detection and removal extremely difficult. Spyware covertly monitors user activity, capturing keystrokes, screenshots, and browsing history. Worms are self-replicating and spread across networks without user interaction by exploiting vulnerabilities in services and protocols. Fileless malware resides entirely in memory and leverages legitimate system tools like PowerShell or WMI, leaving no files on disk for traditional antivirus to detect. Analysts identify infections through Indicators of Compromise (IoCs), which include suspicious file hashes, IP addresses, domain names, registry modifications, and unusual process behavior. Sharing IoCs via platforms like STIX/TAXII allows organizations to collectively strengthen defenses.
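The IoC matching described above, as an added example that is not part of the course page: a small matcher run over constructed log lines. Every hash, address and domain in it is made-up sample data (RFC 5737 addresses, the reserved .example TLD), and the key=value log format is an assumption.

```python
from typing import Dict, List, Tuple

# Added example, not from the course page. All indicator values are constructed.
IOCS = {
    "sha256": {"deadbeef" * 8},           # constructed 64-hex-char file hash
    "ip": {"203.0.113.45"},               # constructed C2 address (RFC 5737 range)
    "domain": {"update-check.example"},   # constructed C2 domain (reserved TLD)
}

# Behavioural indicator: a script host launched by an Office application,
# which catches a malicious document even when its hash is unknown.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed sample log: one process or network event per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z proc=explorer.exe parent=userinit.exe sha256=1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
2024-05-01T10:02:13Z net dst=198.51.100.7:443 domain=cdn.example
2024-05-01T10:03:40Z proc=invoice.exe parent=outlook.exe sha256=deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
2024-05-01T10:03:41Z net dst=203.0.113.45:8443 domain=update-check.example
2024-05-01T10:05:00Z proc=powershell.exe parent=winword.exe sha256=abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def match_iocs(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, value) for every hit in the log."""
    hits: List[Tuple[int, str, str]] = []
    for number, line in enumerate(log_text.strip().splitlines(), start=1):
        f = parse_line(line)
        file_hash = f.get("sha256", "").lower()
        if file_hash in IOCS["sha256"]:
            hits.append((number, "hash", file_hash))
        dst = f.get("dst", "")
        ip = dst.rsplit(":", 1)[0] if ":" in dst else dst  # strip the port
        if ip in IOCS["ip"]:
            hits.append((number, "ip", ip))
        domain = f.get("domain", "").lower()
        if domain in IOCS["domain"]:
            hits.append((number, "domain", domain))
        proc, parent = f.get("proc", "").lower(), f.get("parent", "").lower()
        if proc in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
            hits.append((number, "behaviour", f"{parent} -> {proc}"))
    return hits
```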

2.2 Social Engineering Attacks
  • Phishing
  • Vishing
  • Smishing
  • Pretexting
  • Baiting
  • Watering Hole
  • Typosquatting

Social engineering exploits human psychology rather than technical vulnerabilities. Phishing is the most prevalent vector, using fraudulent emails that impersonate trusted entities to trick recipients into revealing credentials or executing malicious attachments; spear phishing targets specific individuals, while whaling focuses on executives. Vishing (voice phishing) uses phone calls, often spoofing caller IDs, to extract sensitive information by impersonating IT support or financial institutions. Smishing delivers the same tactics via SMS text messages, often with shortened URLs that redirect to credential-harvesting sites. Pretexting involves creating a fabricated scenario to establish trust and justify the request for information — for example, an attacker posing as an auditor requesting employee records. Baiting lures victims with the promise of something desirable, such as a USB drive labeled "Salary Report" left in a parking lot. Watering hole attacks compromise websites frequently visited by a target group, injecting malicious code that infects visitors. Defending against social engineering requires layered security awareness training, simulated phishing campaigns, and verification procedures for sensitive requests.

2.3 Application & Network Attacks
  • SQL Injection
  • XSS
  • CSRF
  • Buffer Overflow
  • Directory Traversal
  • DDoS
  • DNS Poisoning

Application-layer attacks target vulnerabilities in software logic. SQL injection inserts malicious SQL statements into input fields to manipulate backend databases, potentially extracting, modifying, or deleting data; parameterized queries and stored procedures are the primary defenses. Cross-site scripting (XSS) injects malicious scripts into web pages viewed by other users, enabling session hijacking and credential theft; input validation and output encoding are essential mitigations. Cross-site request forgery (CSRF) tricks an authenticated user's browser into executing unwanted actions on a web application, countered by anti-CSRF tokens and same-site cookie attributes. Buffer overflow attacks write data beyond the boundaries of allocated memory, potentially enabling arbitrary code execution; defenses include ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), and secure coding practices. Directory traversal manipulates file path references (using ../ sequences) to access files outside the intended directory. At the network layer, DDoS attacks overwhelm target systems with traffic from distributed botnets, while DNS poisoning corrupts cache entries to redirect users to attacker-controlled servers.
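As an added example (not from the course page), the same user lookup written with string concatenation and with the parameterized query the section names as the primary defence, run against an in-memory SQLite table of constructed rows, plus a path check for the `../` traversal described above. The table, column and directory names are assumptions.

```python
import os
import sqlite3
from typing import List

# Added example, not from the course page; rows and names are constructed.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "constructed-hash-1"), ("bob", "constructed-hash-2")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    # Input is spliced into the SQL text, so a quote in the input changes the
    # query's structure instead of being treated as a value.
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[str]:
    # The value travels separately from the SQL text; it is only ever data.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def path_escapes(base_dir: str, requested: str) -> bool:
    """True when `requested`, resolved under base_dir, lands outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    return os.path.commonpath([base, target]) != base


def safe_join(base_dir: str, requested: str) -> str:
    """Resolve a user-supplied relative path, refusing anything that escapes base_dir."""
    if path_escapes(base_dir, requested):
        raise ValueError(f"refusing path outside {base_dir}: {requested!r}")
    return os.path.realpath(os.path.join(base_dir, requested))
```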

2.4 Vulnerability Management
  • Vulnerability Scanning
  • CVE
  • CVSS
  • Patch Management
  • Penetration Testing
  • Bug Bounty
  • Zero-day

Vulnerability management is the continuous process of identifying, classifying, remediating, and mitigating security weaknesses. Vulnerability scanning uses automated tools such as Nessus, Qualys, or OpenVAS to discover known vulnerabilities across network assets, applications, and configurations. Discovered vulnerabilities are cataloged using the CVE (Common Vulnerabilities and Exposures) system, which assigns unique identifiers, and scored using CVSS (Common Vulnerability Scoring System) on a 0-10 severity scale incorporating attack vector, complexity, impact, and exploitability metrics. Patch management is the structured process of testing and deploying vendor-supplied fixes, prioritized by CVSS score and asset criticality; organizations typically follow a cycle of scan, assess, test, deploy, and verify. Penetration testing goes beyond scanning by simulating real-world attacks to validate whether vulnerabilities are exploitable; tests can be performed as black-box (no prior knowledge), white-box (full knowledge), or gray-box (partial knowledge). Zero-day vulnerabilities are flaws with no available patch, making them highly valuable to attackers and emphasizing the importance of defense-in-depth strategies that do not rely solely on patching.

🏗️
Module 3
Security Architecture
18% of exam
3.1 Network Security Architecture
  • DMZ
  • Network Segmentation
  • Zero Trust
  • Microsegmentation
  • VPN
  • NAC
  • SDN

Designing a secure network architecture limits the blast radius of a compromise and enforces the principle of least privilege at the network level. A DMZ (Demilitarized Zone) places public-facing services like web servers in an isolated network segment between the external and internal networks, controlled by firewalls on both sides. Network segmentation divides the internal network into isolated zones (e.g., separating HR, finance, and development), so that an attacker who breaches one segment cannot freely move laterally. Zero Trust is an architectural philosophy that assumes no implicit trust, requiring continuous verification of every user, device, and network flow regardless of location; the mantra is "never trust, always verify." Microsegmentation extends segmentation to the workload level, applying granular security policies to individual applications or virtual machines. VPNs encrypt traffic between endpoints, and Network Access Control (NAC) solutions enforce security posture checks (patch level, antivirus status) before granting devices access to the network. Software-Defined Networking (SDN) separates the control plane from the data plane, enabling centralized and programmable network security policy enforcement.

3.2 Secure Cloud & Virtualization
  • IaaS / PaaS / SaaS
  • Shared Responsibility
  • CASB
  • Hypervisor Security
  • Container Security
  • Serverless
  • Cloud IAM

Cloud computing introduces a shared responsibility model where security obligations are divided between the provider and the customer. In IaaS (Infrastructure as a Service), the provider secures the physical infrastructure while the customer manages the OS, applications, and data. In PaaS (Platform as a Service), the provider also handles the runtime and middleware. In SaaS (Software as a Service), the provider manages nearly everything, and the customer is primarily responsible for data and access control. A Cloud Access Security Broker (CASB) sits between users and cloud services to enforce security policies, providing visibility into shadow IT usage, data loss prevention, and threat protection. Hypervisor security is critical in virtualized environments; Type 1 (bare-metal) hypervisors like ESXi are generally more secure than Type 2 (hosted) hypervisors, but VM escape vulnerabilities remain a concern. Container security requires scanning images for vulnerabilities, enforcing least-privilege runtime policies, and isolating containers with namespaces and cgroups. Cloud-native security also extends to serverless functions, where the attack surface shifts to the application code itself and its dependencies, making secure coding practices and dependency scanning essential.

3.3 Secure Application Development
  • SDLC Security
  • OWASP Top 10
  • Input Validation
  • SAST / DAST
  • Code Review
  • DevSecOps
  • API Security

Integrating security throughout the Software Development Life Cycle (SDLC) is far more cost-effective than patching vulnerabilities after deployment. Security requirements should be defined during the planning phase, threat modeling during design, secure coding standards during implementation, and security testing during the testing phase. The OWASP Top 10 is the industry-standard list of the most critical web application security risks, including injection flaws, broken authentication, sensitive data exposure, security misconfiguration, and server-side request forgery (SSRF). Input validation is a fundamental defense that ensures all user-supplied data is checked against expected formats before processing, preventing injection attacks. Static Application Security Testing (SAST) analyzes source code for vulnerabilities without executing it, while Dynamic Application Security Testing (DAST) tests running applications by simulating attacks. DevSecOps embeds security into CI/CD pipelines through automated scanning, infrastructure-as-code security checks, and container image scanning at build time. API security requires authentication (OAuth 2.0, API keys), rate limiting, input validation, and proper error handling to prevent data exposure through programmatic interfaces.

3.4 Resilience & Recovery
  • RAID Levels
  • Backup Types
  • RPO / RTO
  • High Availability
  • Disaster Recovery
  • Fault Tolerance
  • Replication

Resilience and recovery planning ensures that critical systems can withstand failures and resume operations quickly. RAID (Redundant Array of Independent Disks) provides disk-level fault tolerance: RAID 1 mirrors data across two disks, RAID 5 stripes data with distributed parity across three or more disks, and RAID 10 combines mirroring and striping for both performance and redundancy. Backup strategies include full backups (complete copy of all data), incremental backups (only data changed since the last backup of any type), and differential backups (all data changed since the last full backup). RPO (Recovery Point Objective) defines the maximum acceptable data loss measured in time, while RTO (Recovery Time Objective) specifies the maximum acceptable downtime. A system with an RPO of 1 hour and an RTO of 4 hours means backups must occur at least hourly, and recovery must complete within 4 hours. High availability architectures use redundant components, load balancers, and clustering to eliminate single points of failure. Disaster recovery sites range from hot sites (fully operational duplicates), to warm sites (partially equipped), to cold sites (empty facilities requiring setup time), each balancing cost against recovery speed.
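The full, incremental and differential backup definitions above, worked through as an added example that is not part of the course page: a simulation of what each backup set captures over a constructed change history and which sets a restore must apply. It assumes consecutive days numbered from 0, a full backup on day 0 and one backup of the chosen type on every later day.

```python
from typing import Dict, List, Set

# Added example, not from the course page. The change history is constructed.
CHANGES: Dict[int, Set[str]] = {
    0: {"a.doc", "b.xls", "c.pdf"},  # everything that exists on day 0
    1: {"a.doc"},
    2: {"b.xls", "d.txt"},           # d.txt is created on day 2
    3: set(),                         # a quiet day
    4: {"a.doc", "c.pdf"},
}


def plan_backups(changes: Dict[int, Set[str]], strategy: str) -> List[Dict[str, int]]:
    """Per-day backup contents as {file: version_day}. Day 0 is always a full backup."""
    backups: List[Dict[str, int]] = []
    since_full: Dict[str, int] = {}
    for day in sorted(changes):
        changed = {f: day for f in changes[day]}
        if day == 0:
            backups.append(changed)  # full: every file present
        elif strategy == "incremental":
            backups.append(changed)  # only files changed since the previous backup
        elif strategy == "differential":
            since_full.update(changed)
            backups.append(dict(since_full))  # everything changed since the full
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return backups


def restore_chain(strategy: str, day: int) -> List[int]:
    """Backup indices that must be applied, in order, to recover the state of `day`."""
    if day == 0:
        return [0]
    if strategy == "differential":
        return [0, day]  # the full plus the latest differential
    return list(range(day + 1))  # the full plus every incremental up to that day


def restore(backups: List[Dict[str, int]], strategy: str, day: int) -> Dict[str, int]:
    state: Dict[str, int] = {}
    for index in restore_chain(strategy, day):
        state.update(backups[index])  # later sets override earlier versions
    return state


def live_state(changes: Dict[int, Set[str]], day: int) -> Dict[str, int]:
    """Ground truth: each file's latest version as of `day`."""
    state: Dict[str, int] = {}
    for d in sorted(changes):
        if d > day:
            break
        for f in changes[d]:
            state[f] = d
    return state


def storage_used(backups: List[Dict[str, int]]) -> int:
    """Number of file copies kept across all backup sets (a proxy for space)."""
    return sum(len(b) for b in backups)
```

Incremental sets stay small but a restore needs the whole chain; differential sets grow until the next full backup but a restore needs only two sets.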

🛠️
Module 4
Security Operations
28% of exam
4.1 Identity & Access Management
  • MFA
  • SSO
  • RBAC
  • ABAC
  • Least Privilege
  • Federation
  • PAM

Identity and Access Management (IAM) ensures that the right individuals have the right access to the right resources at the right time. Multi-Factor Authentication (MFA) combines two or more authentication factors: something you know (password), something you have (hardware token, smartphone), and something you are (fingerprint, facial recognition). Single Sign-On (SSO) allows users to authenticate once and access multiple applications, reducing password fatigue while centralizing the authentication point, often implemented via SAML, OAuth 2.0, or OpenID Connect. Role-Based Access Control (RBAC) assigns permissions based on organizational roles (e.g., "network admin" or "help desk"), simplifying management at scale. Attribute-Based Access Control (ABAC) makes access decisions based on attributes of the user, resource, action, and environment, enabling fine-grained policies such as "allow access only from managed devices during business hours." The principle of least privilege dictates that users and processes should receive only the minimum permissions necessary to perform their functions. Privileged Access Management (PAM) provides additional controls for high-risk accounts, including credential vaulting, session recording, and just-in-time access elevation.
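The ABAC policy quoted above ("allow access only from managed devices during business hours"), as an added example that is not part of the course page: a deny-by-default decision function layered over an RBAC role table, which also reports which rule denied a request so the decision can be logged. The roles, actions and 09:00 to 17:00 weekday window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List, Set, Tuple

# Added example, not from the course page. Roles and actions are constructed.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "help_desk": {"ticket:read", "ticket:update"},
    "network_admin": {"ticket:read", "firewall:write"},
}


@dataclass
class AccessRequest:
    role: str             # subject attribute
    action: str           # action attribute
    device_managed: bool  # device/environment attribute
    timestamp: datetime   # environment attribute


def rbac_allows(req: AccessRequest) -> bool:
    """Pure RBAC: the role's permission set decides, nothing else."""
    return req.action in ROLE_PERMISSIONS.get(req.role, set())


def is_managed_device(req: AccessRequest) -> bool:
    return req.device_managed


def is_business_hours(req: AccessRequest) -> bool:
    # Assumed window: Monday to Friday, 09:00 up to but not including 17:00.
    ts = req.timestamp
    return ts.weekday() < 5 and time(9, 0) <= ts.time() < time(17, 0)


Rule = Callable[[AccessRequest], bool]
ABAC_RULES: List[Rule] = [rbac_allows, is_managed_device, is_business_hours]


def abac_decide(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Every rule must pass; the names of failed rules are returned for the audit log."""
    failed = [rule.__name__ for rule in ABAC_RULES if not rule(req)]
    return (not failed, failed)
```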

4.2 Network Security Tools
  • Firewalls
  • IDS / IPS
  • SIEM
  • SOAR
  • Proxy Servers
  • WAF
  • DLP

Network security relies on a layered deployment of monitoring and enforcement tools. Firewalls filter traffic based on rules; next-generation firewalls (NGFWs) add deep packet inspection, application awareness, and threat intelligence integration. Intrusion Detection Systems (IDS) passively monitor traffic and alert on suspicious patterns, while Intrusion Prevention Systems (IPS) are inline and can actively block malicious traffic in real time. Security Information and Event Management (SIEM) platforms like Splunk, Microsoft Sentinel, or Elastic Security aggregate logs from diverse sources, correlate events, and generate alerts based on detection rules and behavioral analytics. Security Orchestration, Automation, and Response (SOAR) integrates with SIEM to automate repetitive incident response tasks, such as blocking IP addresses, quarantining endpoints, or enriching alerts with threat intelligence. Proxy servers act as intermediaries that can inspect, filter, and log web traffic. Web Application Firewalls (WAFs) specifically protect web applications from attacks like SQL injection and XSS. Data Loss Prevention (DLP) solutions monitor and control data in motion, at rest, and in use, preventing sensitive information from leaving the organization through unauthorized channels.

4.3 Incident Response
  • Preparation
  • Detection & Analysis
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned
  • Playbooks

The incident response lifecycle, as defined by NIST SP 800-61, consists of six phases. Preparation involves building the IR team, establishing communication plans, deploying monitoring tools, and developing playbooks for common incident types. Detection and Analysis relies on alerts from SIEM, IDS/IPS, endpoint detection and response (EDR) tools, and user reports; analysts triage alerts, determine scope, and classify severity. Containment aims to limit the damage, with short-term containment isolating affected systems (e.g., disabling network access) and long-term containment applying temporary fixes while preserving evidence. Eradication removes the root cause, whether that means deleting malware, closing exploited vulnerabilities, or disabling compromised accounts. Recovery restores systems to normal operation from clean backups or rebuilt images, with careful monitoring for signs of reinfection. Lessons Learned (post-incident review) documents what happened, what worked, and what needs improvement, feeding back into preparation to strengthen future response. Incident response playbooks provide step-by-step procedures for specific scenarios such as ransomware, data breach, or insider threat events.

4.4 Digital Forensics & Monitoring
  • Chain of Custody
  • Log Analysis
  • SCAP
  • Disk Imaging
  • Memory Forensics
  • Network Forensics
  • eDiscovery

Digital forensics is the practice of collecting, preserving, analyzing, and presenting electronic evidence in a legally defensible manner. The chain of custody is a documented record that tracks evidence from the moment of collection through analysis and into court, recording who handled it, when, and what actions were taken; any break in the chain can render evidence inadmissible. Disk imaging creates a bit-for-bit copy of storage media using tools like FTK Imager or dd, and write-blockers prevent any modifications to the original evidence. Memory forensics analyzes volatile RAM contents to uncover running processes, network connections, encryption keys, and fileless malware artifacts using tools like Volatility. Log analysis involves examining logs from operating systems, applications, firewalls, and authentication systems to reconstruct timelines of events; centralized logging via syslog or Windows Event Forwarding is essential for correlation. The Security Content Automation Protocol (SCAP) is a collection of specifications (including CVE, CVSS, CPE, and OVAL) that standardize vulnerability management and compliance assessment, enabling automated scanning and reporting against security benchmarks like DISA STIGs or CIS Benchmarks.

📊
Module 5
Security Program Management & Oversight
20% of exam
5.1 Governance & Compliance
  • Policies
  • Standards
  • Procedures
  • Guidelines
  • Regulatory Compliance
  • Audits
  • Governance Structures

Security governance establishes the organizational framework for managing and directing security efforts. Policies are high-level statements of management intent that define the organization's security direction (e.g., an Acceptable Use Policy). Standards are mandatory requirements that implement policies with specificity, such as requiring AES-256 for data encryption. Procedures are detailed step-by-step instructions for carrying out specific tasks, like the exact steps for onboarding a new employee's access. Guidelines are recommended practices that provide flexibility in implementation. Together, these documents form a governance hierarchy that ensures consistent security practices. Regulatory compliance involves meeting legal and industry requirements, and organizations must understand which regulations apply based on their data types, industry, and geography. Internal and external audits verify that controls are implemented correctly and operating effectively, with findings tracked in audit reports and remediated according to risk-based prioritization. Governance structures include a board of directors, security steering committees, a Chief Information Security Officer (CISO), and clearly defined roles and responsibilities across the organization.

5.2 Risk Management
  • Qualitative Assessment
  • Quantitative Assessment
  • Risk Register
  • BIA
  • Risk Response
  • KRI
  • Third-party Risk

Risk management is the ongoing process of identifying, assessing, and treating risks to an acceptable level. Qualitative risk assessment uses descriptive scales (high, medium, low) and often employs a risk matrix that maps likelihood against impact to prioritize threats. Quantitative risk assessment assigns monetary values: the Single Loss Expectancy (SLE) represents the cost of one incident, the Annualized Rate of Occurrence (ARO) estimates how often it will happen per year, and the Annualized Loss Expectancy (ALE = SLE x ARO) quantifies the expected yearly financial impact. A risk register is a centralized document that tracks all identified risks along with their owners, severity ratings, treatment plans, and current status. A Business Impact Analysis (BIA) identifies critical business functions, determines the impact of their disruption, and establishes recovery priorities (RPO, RTO, MTTR, MTBF). Risk treatment strategies include mitigation (implementing controls to reduce risk), acceptance (acknowledging the risk is within tolerance), avoidance (eliminating the activity causing risk), and transference (shifting risk to a third party through insurance or contracts). Third-party risk management evaluates the security posture of vendors and partners through questionnaires, SOC 2 reports, and right-to-audit clauses.

5.3 Security Awareness
  • Awareness Training
  • Phishing Simulations
  • Security Culture
  • Acceptable Use
  • Social Media Policy
  • Insider Threat Program
  • Metrics

People are consistently the most targeted attack vector, making security awareness training a critical control. Effective programs go beyond annual compliance checkboxes to build a genuine security culture where every employee understands their role in protecting the organization. Training should be role-specific: executives need to understand business email compromise risks, developers need secure coding training, and all staff need to recognize phishing, social engineering, and physical security threats. Phishing simulations are controlled exercises that send realistic phishing emails to employees and measure click rates, reporting rates, and time-to-report, providing actionable data to target additional training at the most susceptible groups. An Acceptable Use Policy (AUP) defines permitted and prohibited uses of organizational systems, while a social media policy addresses the risks of oversharing information that attackers can weaponize for social engineering or reconnaissance. Insider threat programs combine technical monitoring (DLP, UEBA) with behavioral indicators and reporting channels to detect and deter internal threats. The effectiveness of awareness programs is measured through metrics such as phishing simulation failure rates over time, incident reporting rates, and security policy acknowledgment completion rates.

5.4 Data Privacy & Classification
  • Data Classification
  • GDPR
  • HIPAA
  • PCI-DSS
  • Data Sovereignty
  • Data Lifecycle
  • Privacy Impact Assessment

Data classification assigns sensitivity labels that determine the appropriate handling, storage, and disposal requirements for information. Common classification levels include Public (no harm if disclosed), Private/Internal (limited to the organization), Confidential (could cause significant harm if exposed), and Restricted/Top Secret (the most sensitive data requiring the strictest controls). Classification drives encryption requirements, access controls, retention periods, and destruction methods. GDPR (General Data Protection Regulation) is the EU regulation that mandates strict rules for processing personal data of EU residents, including the right to erasure, data portability, breach notification within 72 hours, and requirements for a Data Protection Officer. HIPAA (Health Insurance Portability and Accountability Act) protects Protected Health Information (PHI) in the healthcare sector with the Privacy Rule and Security Rule. PCI-DSS (Payment Card Industry Data Security Standard) defines requirements for organizations that process, store, or transmit cardholder data, including network segmentation, encryption, and regular vulnerability assessments. Data sovereignty refers to the principle that data is subject to the laws of the country in which it is stored or processed, which is critical for organizations with international cloud deployments. A thorough data lifecycle management strategy addresses creation, storage, use, sharing, archival, and destruction of data, ensuring compliance at every stage.

Ready to test your knowledge?

Put your CompTIA Security+ SY0-701 skills to the test with free practice questions covering all five exam domains.
