CompTIA Security+ SY0-401 vs. SY0-301 Changes
A new version of the popular CompTIA Security+ certification is out, and the content it covers has expanded significantly over the past three years. The six domains the exam covers remain the same, but four new sections were added to deal with cloud computing, incident response, mobile devices and network-enabled devices that could accidentally become part of your network. Two more new sections increase coverage of physical security and application of the “CIA triad” (confidentiality, integrity and availability).
In addition to these six new sections, dozens of other changes were made to existing sections to cover evolving malware, business continuity, big data, secure file transfer and other issues. The new SY0-401 “Certification Exam Objectives” document (which replaces 2010’s SY0-301 of the same name) also adds dozens of terms to its glossary and adds new but incomplete advice on suggested classroom equipment.
New Section: Implications of Integrating with Third Parties
A brand new section in SY0-401’s compliance and operational security domain was added to deal with business use of cloud services. The new section is entitled “summarize the security implications of integrating systems and data with third parties” (2.2) and contains ten topics.
Three new technical topics in this section are onboarding and offboarding business partners, social media networks and applications and data backups. Five new policy and risk topics are privacy considerations, risk awareness, unauthorized data sharing, data ownership and security policy and procedures.
Finally, there are two topics devoted to legal agreements and contracts. One, entitled “interoperability agreements,” covers service level agreements (SLA), blanket purchase agreements (BPA), memorandum of understanding (MOU) and Interoperability Solutions for (European Public) Administration (ISA). The second topic is entitled “review agreement requirements to verify compliance and performance standards” and contains no subtopics.
New Section: Incident Response
SY0-301’s one line entry about “Incident response” has been replaced with a whole new section (2.5) with eleven topics in SY0-401’s compliance and operational security domain. The new section begins with preparation, followed by first responder, incident identification and incident isolation (including quarantine and device removal). Next comes escalation and notification, mitigation steps, damage and loss control and data breach. Finally, lessons learned, reporting, recovery and reconstitution procedures are covered.
New Section: Physical Security
Limited coverage of physical security in SY0-301 has been replaced with an new “physical security and environmental controls section” (2.7) in SY0-401’s compliance and operational security domain. All of the existing environmental controls, including HVAC and EMU shielding are the same as the previous version. All of the of the old physical security controls, such a hardware locks and mantraps, were also carried forward.
The new content creates two new top-level topics physical security and control types. New physical security controls include proper lighting, signs, guards, barricades, biometrics, protected distribution (e.g., cabling), alarms and motion detection. Control types cover theoretical security design and are listed as deterrent, preventative, detective, compensating, technical and administrative. (CISSP and other security students may find this section strange because they are used to using these control types to design security for any system, not just physical systems.)
New Section: Confidentiality, Integrity, Availability and Safety Controls
SY0-401’s fleshes out brief mention of the “CIA triad” (confidentiality, integrity and available) from previous versions in a new section (2.9) in the compliance and operational security domain.
There are four major topics in this section (confidentiality, integrity, availability and safety) but most of the subtopics in this section are covered in more depth elsewhere. For example, confidentiality topics include encryption, access controls and stenography, two of which are covered elsewhere.
The full list of integrity topics found here includes hashing, digital signatures, certificates and non-repudiation. Availability topics include redundancy, fault tolerance and patching. Finally, safety topics cover fencing, lighting, locks, CCTV, escape plans, drills, escape routes and testing controls.
New Section: Mobile Security
A new mobile security section (4.2) is a welcome addition to the application, data and host security domain. A handful of topics such as device encryption and GPS were covered in SYO-301, but SY0-401 adds dozens more and organizes the content into device security, application security and BYOD concerns.
The new device security category includes information about full device encryption (“full” is new), remote wiping, lockout, screen-locks, GPS, application control, storage segmentation, asset tracking, inventory control, mobile device management, device access control, removable storage and disabling unused features.
The new application security category includes information about key management, credential management, authentication, geo-tagging, encryption, application whitelisting and transitive trust and authentication.
Finally, the new BYOD concerns category includes information about data ownership, support ownership, patch management, antivirus management, forensics, privacy, on-boarding and off-boarding, adherence to corporate policies, user acceptance, architecture and infrastructure considerations, legal concerns, acceptable use policy and on-board camera and video.
New Section: “Static Environment” Risk Mitigation
The new “static environment” section (4.5) in the application, data and host security domain requires some explanation. The term tries to encompass all the legacy devices, “smart” hardware, handheld game units, stationary bicycles, icemakers, car-borne computers and other network-enabled technology that may be entering or interacting with your business network. Since you generally have little or no control over the technology itself, CompTIA refers to the technologies as participating in a “static environment.”
Environment topics specifically called out in this section include SCADA (“supervisory control and data acquisition”; common in industrial automation), embedded (including printers, smart TVs and HVAC controls). Android, iOS, mainframe, game consoles and in-vehicle computing systems.
Method topics (i.e., mitigation methods) include network segmentation, security layers, application firewalls, manual updates, firmware version control, wrappers and control redundancy and diversity.
Mostly Marketing Terms: Two Out, One In
Three changes reflected the changing marketing climate in security. SY0-401 finally removed references to “all-in-one security appliances” (without having to note that such devices probably never existed in the first place.) It also removed references to “capability maturity model” (CMM), a framework usually more valuable to product marketing departments than security practitioners.
In its place, SY0-401 added a dubious reference to “Monitoring as a Service” (“MaaS”). Since “(item) as a service” is the modern equivalent of “e(item),” including a class of commercial cloud offerings that is not in NIST’s accepted definition of cloud computing (i.e., SaaS, PaaS and IaaS) was interesting.
Changes to CompTIA 1.0 Network Security Domain
SY0-401 made several tweaks to the network security domain (1.0).
In the sections about configuring network devices and other technologies (1.1 and 1.2), references to “sniffers” were replaced with “Unified Threat Management (UTM) security appliances.” References to Intrusion Prevention and Intrusion Detection Systems (IDS/IPS) were also added as “application aware devices.”
The network design section’s cloud computing section (1.3) was bulked up with the addition of private, public, hybrid and community cloud definitions. It also gained a topic on layered security and defense in depth.
SY0-401’s extensive protocols section (1.4) added nearly ten entries. New protocols on the list were ICMP, iSCSI, Fibre Channel, FCoE, TFTP, TELNET, HTTP and NetBIOS. Port names were switched over to port numbers, and a new port (3389 for RDP) was added to the list.
Finally, four scenarios were added to the existing wireless networking troubleshooting section (1.5). These were captive portals, antenna types, site surveys and VPN over open wireless.
Other Changes to CompTIA 2.0 Compliance and Operational Security
The Security+ compliance and operational security domain (2.0) experienced some of the most dramatic changes in SY0-401, with new third party integration, incident response, physical security and CIA sections added as detailed above. However, there were significant changes in other 2.0 sections as well.
SY0-401 bulked up its risk assessment section (2.1) with the inclusion of false negatives, vulnerabilities, threat vectors, probability, threat likelihood and recovery objectives. Some of this material was covered elsewhere in SY0-301, but explicit references to industry standards like ARO, MTTR, MTTF and MTBF (Annualized Rate if Occurance, Mean Time To Recover, Mean Time To Failure and Mean Time Between Failures, respectively) were a welcome addition.
Existing SY0-301 forensic procedures were broken out into a new section (2.4). New chain of custody and big data analysis topics were added to the existing content.
Other 2.0 sections had minor changes. The existing risk mitigation section (2.3) picked up a Data Loss Prevention (DLP) topic as a technology control. The existing security training section (2.6) picked up topics on role-based training and training metrics to validate compliance and security posture.
Finally, a consolidated “risk management best practices” section (2.8) replaces both “disaster recovery” and “business continuity” sections from SY0-301.
Changes to CompTIA 3.0 Threats and Vulnerabilities
Reflecting the evolutionary nature of new threads, CompTIA left the structure of its threats and vulnerabilities section (3.0) intact, but added a great deal of new content.
The most controversial change in this domain was probably the removal of “worms” from the malware section. With major worms such as Stuxnet (2010 vs. SCADA), Morto (2011 vs. RDP), NGRBot (2012 vs. IRC) still appearing every year or so, its removal struck me as premature.
Other additions to the malware section (3.1) include ransomware (such as 2013’s CryptoLocker) and two defenses against anti-virus detection: polymorphic malware and armored viruses.
Three new types of were added the general attacks section (3.2). New password attacks include brute force, dictionary attacks, hybrid, birthday attacks and rainbow tables, all of which are commonly encountered by administrators of Internet-facing systems. Typo squatting and URL hijacking (e.g., “http://www.yahooo.com“) and water hole attacks (e.g., trolling an unofficial company employee forum) received their own entries, nicely complementing existing phishing entries as “soft” hacking techniques.
Several other attack sections were also changed. The social engineering section (3.3) gained a new “reasons for effectiveness” subsection that includes authority, intimidation, consensus, scarcity, urgency, familiarity and trust. The wireless attacks section (3.4) also gained new topics for near field communication, replay attacks, WEP/WPA attacks and WPS attacks. Finally, the application attacks section (3.5) gained entries for integer overflow, locally shared objects (LSO), Flash cookies and arbitrary or remote code execution.
Several other vulnerability sections were also changed. The tools and techniques section (3.7) picked up a discussion on passive versus active tools and banner grabbing. The “when to use vulnerability scanning (instead of penetration testing)” section (3.8) also picked up three topics: “intrusive vs. non-intrusive,” “credentialed vs. non-credentialed” and “false positive.”
Finally, the mitigation and deterrent section replaced its “disable ports” topic with “disable unused interfaces and unused application service ports” and added a new rogue machine detection topic. SY0-301’s “manual bypassing of electric controls” and “failsafe/secure vs. failopen” material was simply removed from the existing mitigation section (3.6).
Other Changes to CompTIA 4.0 Application, Data and Host Security
The biggest changes to the application, data and host security domain (4.0) were the new mobile security and static environment mitigation sections, but there were many other changes as well.
The data security section (4.4) nearly doubled in size. New topics included SAN, handling big data and permissions. Another new data topic encompassed data in transit, data at rest and data in use, and yet another covered data policies including wiping, disposing, retention and storage.
In other sections, the application security controls (4.1) gained “NoSQL databases vs. SQL databases” and “Server-side vs. Client-side validation” topics. The host security solutions (4.3) gained OS hardening, “whitelisting vs. black listing applications,” trusted OS and host-based intrusion detection topics. The virtualization element of host security was also expanded into distinct snapshots, patch compatibility, host availability and elasticity, security control testing and sandboxing topics.
Changes to CompTIA 5.0 Access Control and Identity Management
The structure of the existing access control and identity management domain (5.0) remained intact but it gained topics in all three of its sections.
The authentication, authorization and access control section (5.2) added or updated five topics. Four new authentication topics were TOTP, HOTP, CHAP and PAP. A new “authentication factors” topic featuriñg something you are, something you have and something you do. Username information was added to the existing identification topic.
Finally, two new topics about federation and transitive trust and authentication were added.
The account management security controls section (5.3) gained topics on credential management, group policy, password history, password reuse, generic account prohibition, user access reviews and continuous monitoring.
The authentication services section (5.1) also gained two topics: SAML and Secure LDAP.
Changes to CompTIA 6.0 Cryptography
The existing Cryptography domain (6.0) received additional content in all three of its existing sections. Session keys, “in-band vs. out-of-band key exchange,” ephemeral key and perfect forward secrecy were added to the existing cryptography concepts section (6.1). Diffie-Hellman, DHE, ECDHE, cipher suites and key stretching (including PBKDF2 and Bcrypt) were all added to the existing cryptographic methods section (6.2). Finally, online certificate status protocol (OCSP) and certificate signing request (CSR) topics were added to the certificate authority (CA) section of the PKI section (6.3).
The revised Cryptographic domain also condensed SY0-301’s redundant “public key” and “PKI” sections into a single section. (No content was really lost.)
Changes to CompTIA Exam Content
The domains coverage in the updated CompTIA exam barely changed from SY0-301 to SY0-401. None of the six categories’ “percentage of examination” changed by more than three percent. If there was a biggest winner (up 2% to 15%), it was “5.0 Access Control and Identity Management”. “6.0 Cryptography” (now 12%) also gained a percentage point. The three categories losing a percentage point were “1.0 Network Security” (now 20%), “4.0 Application, Data and Host Security” (now 15%) and “3.0 Threats and Vulnerabilities” (now 20%). “2.0 Compliance and Operational Security” (still 18%) was unchanged.
Changes to Security+ Acronyms
Many changes were made to the extensive list of Security+ Acronyms at the end of the certification exam objectives document.
In addition to removing CMM (see “Marketing Terms” above), the following acronyms were dropped.
- BOTS (Network Robots): In practice, this has been replaced with “automation,” “agents” or other terms that also infer the intent of the BOT.
- LANMAN: An odd removal, considering NTLM (literally “New Technology LANMAN”) remains in the glossary.
New acronyms included the following.
- BAC – Business Availability Center
- BIA – Business Impact Analysis
- BPA – Business Partners Agreement
- BYOD – Bring Your Own Device
- CAPTCHA – Completely Automated Public Turing Test to Tell Computers and Humans Apart
- ARC – Corrective Action Report
- CIO – Chief Information Officer
- CTO – Chief Technology Officer
- DBA – Database Administrator
- DHE – Data Handling Electronics
- DHE – Diffie Hellman Ephemeral
- DNAT – Destination Network Address Translation
- ECDHE – Elliptic Curve Diffie Hellman Ephemeral
- ESN – Electronic Serial Number
- FACL – File System Access Control List
- FDE – Full Disk Encryption
- FTPS – Secured File Transfer Protocol
- GPS – Global Positioning System
- HOTP – HMAC based One Time Password
- IDS – Intrusion Detection System
- IR – Incident Response
- ISA – Interconnection Security Agreement
- ISSO – Information Systems Security Officer
- JBOD – Just a Bunch of Disks
- MaaS – Monitoring as a Service
- MTTF – Mean Time to Failure
- NFC – Near Field Communication
- P2P – Peer to Peer
- PAC – Proxy Auto Configuration
- PBKDF2 – Password Based Key Derivation Function 2
- RC4 – RSA Variable Key Size Encryption Algorithm
- SAN – Storage Area Network
- SCADA – System Control and Data Acquisition
- SCEP – Simple Certificate Enrollment Protocol
- SFTP – Secured File Transfer Protocol
- SIEM – Security Information and Event Management
- SQL – Structured Query Language
- TGT – Ticket Granting Ticket
- TOTP – Time Based One Time Password
- UDP – User Datagram Protocol
- UTM – Unified Threat Management
- WPA2 – WiFi Protected Access 2
- WPS – WiFi Protected Setup
Some additional terms that I wish I had seen in SY0-401:
- CSR (Certificate Signing Request): In practice, administrators of Internet-facing servers deal with these constantly, and this meaning of CSR is much more common than “Control Status Register.”
- GPG (Gnu Privacy Guard): The free open-source edition of PGP. Also much more common than “Global Property Object.”
Coming from a secure file transfer background, I also wish that they would have added notes to the SFTP, SCP and FTPS definitions noting that the first two are single-port protocols secured with SSH, and the second is is a multi-port protocol secured with SSL. (The details make a big difference when trying to implement or support these protocols!)
New Suggested Classroom Equipment List
A new chapter in the Certifications Exam Objectives may prove to be controversial when it hits the training community. Titled “Suggested Classroom Equipment…for Security+ Certification Training,” it lists thirteen devices ranging from the poorly named (“all in one appliance”) to the undefined (“client”) to the expensive (“enterprise security managers / SIEM suite”). It also lists about twenty applications from specific toolsets such as Metasploit to general capabilities like “virtualization software.”
Given these limitations, my general impression of the list is that this is a “first pass” rather than a definitive checklist. A future revision will hopefully regroup suggested items in a way that mirrors the organization of the domains, link software and *aaS solutions to their intended purpose, and maybe even provide a recommended configuration diagram or two. I would also hope to see future mention of OWASP’s excellent Zed Attack Proxy (ZAP)- essentially the defacto replacement for the WebScarab attack proxy plus tests for many of the OWASP Top Ten web vulnerabilities.
Interested in formal CompTIA Security+ Training? Fill out the form below to receive a syllabus and price quote for our Self Paced, Live Online and Boot Camp training options.