The Security+ CBK Domains: Information And Updates (SY0-401) [DECOMMISSIONED ARTICLE]

July 13, 2017 by Infosec

NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.


Contemplating earning your CompTIA Security+ certification and entering the world of IT security? It can be a very rewarding choice. Not only is the IT security industry seeing immense growth due to the rising number of threats to businesses, organizations and government agencies, but the Security+ certificate has become one of the most sought-after credentials by employers seeking entry-level IT security professionals to join their team.

According to CompTIA, those who pass the Security+ exam and earn their certificate will have the skills and knowledge to “identify risk, participate in risk mitigation activities, provide infrastructure, application, information and operational security, and apply security controls to maintain confidentiality, integrity and availability. They will also be able to identify appropriate technologies and products, troubleshoot security events and incidents, and operate with an awareness of applicable policies, laws and regulations.”

The Security+ exam consists of up to 90 questions, all of which are either multiple choice or performance-based. They’re also tied directly to the six CBK (common body of knowledge) domains that CompTIA feels are most important for aspiring IT security professionals to know.

These six domains comprise the entirety of the exam, so it’s important that you have at least some understanding of what they are and what each covers prior to taking the exam.

What Are the Six Domains of the Security+ CBK?

There are six domains within the Security+ CBK. These are as follows:

  • Network security
  • Compliance and operational security
  • Threats and vulnerabilities
  • Application, data and host security
  • Access control and identity management
  • Cryptography

However, each of those domains makes up a different percentage of the exam questions – each is weighted differently. For instance, you’ll find that network security comprises 20% of the exam, while compliance and operational security only makes up 18% of the questions. The actual weighting of each domain can be found below:

  • 20% – Network security
  • 18% – Compliance and operational security
  • 20% – Threats and vulnerabilities
  • 15% – Application, data and host security
  • 15% – Access control and identity management
  • 12% – Cryptography

However, just because a particular domain might not be weighted as heavily as another, that doesn’t mean that you should only prepare for those that make up the highest percentage of the test questions.

You need to ensure that you prepare for all of them. Remember – you have to score at least 750 out of 900 points to pass the exam. Not preparing for a domain because it only comprises 12% or 15% of the exam could mean failure, which is not something you can afford.

Now, let’s take a look at what is covered under each of those domains so you can see how crucial it is that you prepare for the exam.

Network Security: In this domain, you will be required to know how to “implement security and configuration parameters on network devices and other technologies.” Firewalls, routers, switches and load balancers are covered here, as well as proxies, protocol analyzers, spam filters, application-aware devices, UTM security appliances and a great deal more.

Other aspects of this domain on the exam include being required to use secure network administration principles within specified scenarios, explaining network design elements and components, implementing common protocols and services, and troubleshooting wireless networking security issues.

Compliance and Operational Security: This domain focuses on explaining the importance of risk-related concepts, security concerns stemming from the integration of data and systems with third parties, and more. Risk mitigation strategy implementation, forensic procedure implementation, incident response, security awareness and training, and physical security and environmental controls are also covered.

Two other important areas of this domain are risk management best practices, including business continuity concepts, fault tolerance and disaster recovery concepts, and how to select controls in order to meet security goals for an organization.

Threats and Vulnerabilities: Within this domain, the focus shifts to the various types of malware that may threaten an organization’s IT infrastructure, including adware, backdoors, armored viruses, ransomware and many others. Attack types, social engineering attacks, wireless attacks, and application attacks are also dealt with.

Other sections within this domain include attack mitigation and deterrent techniques, tools and techniques used to discover vulnerabilities and threats, penetration testing and vulnerability scanning.

Application, Data and Host Security: This domain focuses on application security controls and techniques, including fuzzing, secure coding concepts, NoSQL database/SQL databases, application hardening and more. It also focuses on mobile security concepts and technologies, host security establishment, data security controls and static environment security risk mitigation techniques.

Access Control and Identity Management: In this domain, the focus is on how authentication services work and their purpose, as well as choosing the right access, authorization or authentication tool.

Other focus areas include the installation and configuring of security controls in account management, and industry best practices.

Cryptography: The final domain also carries the least weight on the exam. However, this is a crucial domain to understand, and it covers general cryptographic concepts, the use of appropriate methods, PKI usage, and certificate management.

SY0-301 vs SY0-401: What’s the Difference?

The syllabus for the Security+ certificate changes periodically – every three years, as a matter of fact. Each version is denoted by a code consisting of the prefix SY0 followed by a number. SY0-301 is the most recently outdated syllabus, while SY0-401 is the current syllabus for the Security+ exam.

There are far more differences between SY0-301 and SY0-401 than just the code, though. SY0-401 introduced quite a few changes. One of those changes was different weighting for various domains on the exam. For instance, network security went from making up 21% of the exam to making up 20% of the exam with the introduction of SY0-401.

There are numerous other changes between the two bodies of knowledge, as well. An exhaustive list of these can be found here, but we’ll outline them as well.

Six new sections were added to the syllabus with the introduction of SY0-401: a section on integration with third parties, one on incident response, another on physical security, one on confidentiality, integrity, availability and safety controls, another on mobile security (which was completely missing from the previous version), and a final one on static environment risk mitigation.


Now, with all of that being said, SY0-401 will be retired in 2018, and SY0-501 will take its place. CompTIA has not announced any information about what the changes between 401 and 501 will be, but based on the historical evolution of the CBK, it’s safe to say that there will most likely be some substantial changes, at least in the form of additional sections for each domain. Most of those additions will likely deal with newer and emerging threats, such as spear phishing and the like.

How Often Is the Security+ CBK Updated?

The Security+ CBK is updated roughly every three years, although the previous CBK does not necessarily expire when the new one is implemented. For instance, SY0-401 is slated to expire in 2018, but SY0-501 will debut late in 2017.

It’s also important to understand that your certification expires every three years, and you will need to recertify before that point. Of course, CompTIA’s continuing education program allows you to avoid the need to recertify while staying abreast of changes to the CBK and best practices as they emerge.

How Long Has Security+ Been a Certification?

CompTIA’s Security+ certification has been around since 2002. Since that time, it has become one of the most popular entry-level IT security credentials in the world, and is accepted by the DoD.

According to CompTIA, “Since the CompTIA Security+ certification was introduced in 2002, over a quarter-million people have earned the credential in order to land a job, get a promotion, or just further their own cybersecurity knowledge.”

In 2005, it became accepted by the DoD. In 2010, CompTIA announced that anyone earning their Security+ certificate before 2011 would maintain it for life, but those earning it after that date would need to recertify every three years. This change was made due to the increasingly rapid evolution of security threats to which companies, organizations and government agencies were exposed on a daily basis and the need for IT security professionals to remain abreast of those changes.

How Does the Security+ CBK Compare with Other Similar Certifications?

Wondering how the Security+ CBK compares to other certification options out there? This is actually a crucial question to answer, particularly if you’re interested in starting a new career in the IT security sector. It’s important that you have the right credentials to get your foot in the door, or to move up with your current employer. So, how does Security+ stack up?

It’s important to understand that the Security+ certificate is a true entry-level credential. Therefore, comparing the CBK for Security+ to most other certifications, even those that seem similar, is difficult.

For instance, the CISSP is billed as an entry-level certificate, but the CBK here covers 10 domains, as compared to just six with the Security+ CBK. The exams are also very dissimilar, and the CISSP exam is much more exhaustive.

This is because the CISSP is designed for those who have experience in IT security, and have worked as a professional in the industry for some time. The Security+ certificate is for those who have little to no direct experience with IT security, but do have familiarity with IT administration. There’s also the SSCP certification (from ISC2, the same organization behind CISSP). This is another difficult comparison, as the SSCP exam sort of bridges the gap between Security+ and the CISSP, and has an additional domain in its CBK. So, it’s also not a true entry-level credential.

So, when it comes to an actual entry-level IT security certification, Security+ stands pretty much alone. Yes, there are similar certifications out there, but most of them are designed for those with a year or more of hands-on infosec experience, rather than those just looking to get into the industry.

If you’re in search of a certification program that will help you build the foundation needed for a successful career, and that can work as a stepping stone to reach higher certifications, then Security+ is a good choice. The CBK is robust enough that those with limited or no experience will find it challenging, while being highly relevant to the ever-changing world of information security.

Ready to Take the Exam?

While it’s possible to take the Security+ exam without any preparation, it’s not highly advised, particularly if you lack the foundational knowledge necessary, as is common for those without much real world experience in IT security.

You need to ensure that you’re prepared for the exam, and all the questions that come with it. That requires education and training to build your knowledge base. Our Security+ boot camp has a 95% success rate, and our training has garnered 42 awards in the 17 years of our history. If you’re ready to take the first step toward a career as an information security professional, we invite you to learn more about our boot camp.
