The Security+ CBK Domains: Information And Updates
One of the key reasons why CompTIA’s Security+ is such a great entry-level certification is that its domains are built on a simple premise: A strong focus on hands-on practical skills. This ensures that, by taking on and succeeding in the exam, certification holders are ready to deal with real-world situations, scenarios based on the latest trends and techniques in risk management, risk mitigation, threat management, and intrusion detection.
In practical terms, by mastering the topics contained in the six Security+ domains, professionals actually prepare themselves for roles such as junior IT auditor/penetration tester, systems administrator, network administrator, and security administrator. Because most of these are in quite high demand, if you are considering how to strengthen your cybersecurity knowledge and skills and advance your career, having a Security+ certification should be right at the top of your list.
Here is an in-depth look at the six Security+ domains:
Domain 1 – Threats, Attacks, and Vulnerabilities (21%)
The first domain deals with a basic need of every information security professional: Being able to recognize and understand the different sources of threats, types of attacks and vulnerabilities that may be exploited.
For instance, given a scenario, candidates must be able to analyze indicators of compromise and determine the type of malware. Is it simply a virus? Or is it ransomware, ready to encrypt company data and ask for bitcoins? Or maybe an insider created a logic bomb, designed to wipe out files if he was terminated from the company? Or did that employee deploy a RAT (remote access Trojan) so he would still have access to the corporate network even after termination?
Candidates must also know how to compare and contrast types of attacks. From many different tactics for social engineering, including phishing, spear phishing, whaling, vishing, tailgating, and impersonation, to application/service attacks such as DOS/DDOS, man-in-the-middle, buffer overﬂow, injection, cross-site scripting, privilege escalation, wireless attacks like Replay, Evil Twin, Rogue AP, jamming and cryptographic attacks such as Birthday, known plain text/cipher text, rainbow tables, dictionary, brute force, collision, replay, and weak implementations.
It is also necessary to be able to explain concepts such as threat actor types and attributes: What is the difference between hacktivism and organized crime? How can nation states be a threat? What level of sophistication should you expect from, and what are the differences in motivations behind insiders and external attackers? How can the use of open-source intelligence be implemented to help create a more effective cybersecurity strategy?
Candidates are also expected to know the key concepts of penetration testing, including the various approaches (black box, white box, gray box) and tactics (active reconnaissance, passive reconnaissance, escalation of privilege).
Other concepts in this domain include explaining vulnerability scanning (i.e., passively testing security controls, how to identify vulnerabilities, Intrusive vs. non-intrusive methods) and the impact associated with types of vulnerabilities such as race conditions, Improper input and error handling, untrained users, memory/buffer vulnerabilities, architecture/design weaknesses, new threats/zero-day, Improper certificate and key management.
Domain 2 – Technologies and Tools (22%)
The second domain is all about the practical use of technology and tools against the threats, attacks, and vulnerabilities we just discussed.
Candidates are required to understand how to install and configure network components, both hardware- and software-based, to support organizational security. This includes firewalls, routers, switches, VPN concentrators, proxies, intrusion detection and prevention tools such as NIPS/NIDS, using a load balancer, protecting access points, applying security information and event management (SIEM) solutions, working with a DLP (data loss prevention) technologies, Implementing network access control (NAC), the security features of a mail gateway, SSL/TLS accelerators, SSL decryption, media gateways, and hardware security modules (HSM).
Again, as the focus is real-world situations, many aspects of the Security+ certification will be based on a ‘given a scenario’, requiring candidates to understand how to use appropriate software tools, such as protocol analyzers, network scanners, wireless scanners/crackers, password crackers, vulnerability scanners and exploitation frameworks to assess the security posture of an organization, troubleshoot common security issues including unencrypted credentials/clear text, logs and events anomalies, permission issues, access violations, certificate issues, data exfiltration, weak security configurations, personnel issues, unauthorized software and authentication issues.
It is also necessary to know how to analyze and interpret output from security technologies such as HIDS/HIPS, various types of firewalls, application whitelisting, removable media controls, antivirus and advanced malware tools, patch management tools, DLP, and WAF (web application firewall).
Candidates must also be able to deploy mobile devices securely, including using safe connection methods, understanding mobile device management concepts, enforcing policies/monitoring actions such as the use of third-party app stores, rooting and jailbreaking, and understanding different deployment models such as using corporate-owned devices and BYOD (bring your own device).
Another important technology-related security control with which candidates must be familiar is knowing how to implement secure protocols, including DNSSEC, SSH, S/MIME, SRTP, LDAPS, FTPS, SFTP, SNMPv3, SSL/TLS, HTTPS, and Secure POP/IMAP. In addition, candidates should know about their respective use cases, including voice and video, protecting both email and web access, ensuring file transfers are secure, protecting directory services, and providing remote access without compromising security controls.
Domain 3 – Architecture and Design (15%)
Security+’s two first domains detailed some of the basic concepts an information security professional should be familiar with. Now it is time to put this knowledge to good use and demonstrate that you are able to apply security controls in practice to create a safe environment for company operations.
Domain 3, Architecture and Design, will require candidates to explain use cases and purposes for frameworks, best practices, and secure configuration guides. This includes Industry-standard frameworks and reference architectures, both regulatory and non-regulatory, and industry-specific frameworks. Is the company under GDPR regulation? Or are you required to follow PCI-DDS? It is also necessary to understand how to create benchmarks/secure configuration guides and how to use the concepts of defense-in-depth and layers as the basis for a secure architecture.
It is quite obvious that creating a safe design is just the first step, so candidates must demonstrate the ability to implement secure network architecture concepts. From creating a secure topology with different zones (e.g. DMZ, Intranet, extranet, wireless, honeypot), each with specific controls, to implementing segregation, segmentation, and isolation, either by physical means or with virtualization. Other required concepts include the practical use of tunneling/VPN (e.g. for site-to-site connections or providing users with remote access), correctly placing security devices such as firewalls, sensors, collectors, and protecting SDN (software-defined networking). Another important task is implementing secure systems design, including aspects related to hardware/firmware security, protecting operating systems, and peripherals.
Candidates must also demonstrate they understand the importance of secure staging deployment concepts, such as sandboxing, segregation of environments (e.g., development, test, staging and production), defining a clear and understood secure baseline, and performing integrity measurement.
Embedded systems must also be protected, so candidates need to understand the security implications related to supervisory control and data acquisition (SCADA) and industrial control systems (ICSs) in general. But it does not stop there; candidates need to consider the protection of smart devices (e.g., wearables) and security controls for IoT (Internet of Things), proper protection of heating, ventilation, and air conditioning (HVAC) systems, camera systems, and even special-purpose technology, such as medical devices, smart vehicles, aircrafts, and unmanned aerial vehicles (UAVs).
Other topics related to secure architecture and design include summarizing secure application development and deployment concepts such as life-cycle models, secure devops, secure coding techniques, code quality and testing, understanding cloud and virtualization concepts, including the use of different types of hypervisors, cloud storage, cloud deployment models (SaaS, PaaS, IaaS, private, public, hybrid, community), the differences and security advantages of multiple strategies (on-premise vs. hosted vs. cloud), and the concepts of cloud access security broker and security as a service.
Not only that, but candidates are also required to explain how resiliency and automation strategies (e.g., using scripts and templates, having a master image, adopting elasticity and scalability, redundancy, and fault tolerance) can be used to reduce risk, and describe the importance of physical security controls such as physical barriers (fencing/gate/cage), having security guards, proper signs, alarms, locks and cameras, the use of motion detection, and key management.
Domain 4 – Identity and Access Management (16%)
IAM (identity and access management) is the focus of the fourth Security+ domain. The idea is ensuring that user access is securely managed throughout its entire lifecycle. In order to do so, Security+ candidates must be able to compare and contrast identity and access management concepts, such as identification, authentication, authorization and accounting (AAA), and multi-factor authentication by combining at least two of the following items: something you are, something you have, something you know, somewhere you are, and something you do. Other important concepts include federation, single sign-on, and transitive trust.
As the Security+ is focused on a hands-on approach, candidates must demonstrate the skills necessary to install and configure identity and access services, this includes LDAP, Kerberos, TACACS+, PAP/CHAP/MSCHAP, RADIUS, SAML, OpenID Connect, OAUTH, Shibboleth, Secure Token, and NTLM. As would be expected, it is also necessary to know how to implement identity and access management controls, such as access control models (i.e. MAC, DAC, role-based access control), physical access controls (e.g., proximity or smart cards), biometric factors (i.e. fingerprint, retinal or iris scanners, facial or voice recognition), using tokens and certificate-based authentication, file system and database security.
Candidates are also required to differentiate common account management practices, including understanding how to protect different account types from a simple user, to service even privileged credentials, applying concepts such as least privilege, onboarding/offboarding, and understanding how to properly execute auditing and review of user access. Another important IAM task is enforcing account policies, such as credential management and defining the complexity level of passwords, their expiration periods, how a user can recover a lost password, and the rules for locking out an account and making sure an attacker will not be able to use a brute force or dictionary attack to guess a password.
Domain 5 – Risk Management
Risk management is an essential practice for implementing proper information security. Should a vulnerability be fixed or do the costs for doing so far exceed whatever negative impact it may cause to the business? Should the company migrate most of its systems to a cloud environment or does the current infrastructure already provides the necessary level of protection for the current cyberthreats? All those questions are best answered using a risk management approach and that is exactly what the Security+ expects from its candidates.
For instance, it is necessary to explain the importance of policies, plans and procedures related to organizational security, including standard operating procedures, different types of agreements (i.e. a service level agreement, or SLA), personnel management controls such as job rotation, mandatory vacations, segregation of duties, background checks, and awareness training based on the user’s role.
Candidates must also be able to summarize business impact analysis concepts such as recovery point objective (RPO) and recovery time objective (RTO), the mean time between failures (MTBF) and mean time to repair (MTTR). It is very important to have a proper understanding of what are mission-essential functions, how to perform an identification of critical systems, and being able to explain how a single point of failure can negatively impact the organization. Actually, candidates are expected to understand and differentiate impacts in terms of life, property, safety, finance, and reputation.
As for risk management processes and concepts, candidates must be able to explain the different types of threat assessments, including the various threat sources (i.e., environmental, man-made, internal vs. external), apply risk assessment techniques such as combining the single-loss expectancy (SLE) with the annual rate of occurrence (ARO) and defining the annualized loss expectancy (ALE), understand how to best define asset value, identify threats and their likelihood of occurrence, calculate the impact and define risk levels both in quantitative and qualitative terms. You will also need to know how to perform tests and assessments, including vulnerability and penetration testing, and the risk response techniques that will determine whether it can be accepted as-is or whether the risk must be transferred, mitigated, or completely avoided.
Considering that some risks will eventually become real occurrences, candidates must understand the procedures for dealing with security incidents, such as creating a formal incident response plan that defines the methods for incident documentation and classification, clear roles and responsibilities, escalation procedures, and who is the cyber-incident response team. Of course, the incident response process must also be considered, including phases such as preparation, identification, containment, eradication, recovery, and lessons learned.
In another important incident-related topic, Security+ candidates are also required to summarize basic concepts of forensics, including order of volatility, creating and maintaining a chain of custody, legal hold, data acquisition and preservation, recovery techniques, and strategic intelligence/counterintelligence gathering.
Disaster recovery and business continuity are also covered in this domain. Candidates must understand and be able to explain concepts such as the different types of recovery sites (i.e., hot site, warm site and cold site), how to define the order of system/business processes restoration, how to use the various types of backup (differential, incremental, snapshots, and full), the geographic considerations when choosing a disaster recovery strategy, such as having off-site backups, what is the necessary distance between production environment and recovery facilities, even legal implications (i.e., can data be stored/recovered in a different country?), and a key point: how the continuity of operations will be tested to confirm disaster recovery plans really work.
As expected, candidates should be able to compare and contrast the various types of security controls (i.e., deterrent, preventive, detective, corrective, compensating, technical, administrative, physical) and also be able to carry out data security and privacy practices such as data destruction and media sanitization, data sensitivity labeling and handling, defining data roles (i.e., owner, steward/custodian, privacy officer), defining the required level of data retention, and even understanding legal and compliance requirements.
Domain 6 – Cryptography and PKI
Cryptography is one of the oldest information security techniques, going back to the time of the Roman Empire. It can be used to protect data confidentiality and integrity or, most recently, as a means for encrypting files at an insecure computer and asking for a ransom.
Either way, Security+’s final domain is a very important topic for cybersecurity professionals, so candidates are expected to have the necessary skills to compare and contrast basic concepts of cryptography, such as symmetric/asymmetric algorithms, the different modes of operation, hashing and salt, key exchange, collision, steganography, obfuscation, how to select and implement the best cryptography algorithm, define and understand the risks of security through obscurity, and the common use cases, including supporting confidentiality, integrity, obfuscation, authentication, and/or non-repudiation.
Candidates must also be able to explain cryptography algorithms and their basic characteristics, including symmetric algorithms (i.e., AES, DES, 3DES, RC4, Blowfish/Twofish), asymmetric algorithms (i.e., RSA, DSA, Diffie-Hellman), cipher modes (i.e., CBC, GCM, ECB, CTR), hashing algorithms (i.e., MD5, SHA, HMAC, RIPEMD), key stretching algorithms (i.e., BCRYPT, PBKDF2) and obfuscation (XOR, ROT13, substitution ciphers).
Another important task is installing and configuring wireless security settings. Security+ candidates must be able to comprehend both the use of cryptographic protocols such as WPA, WPA2, CCMP, and TKIP, and authentication protocols including EAP, PEAP, EAP-FAST, EAP-TLS, EAP-TTLS, IEEE 802.1x, and RADIUS Federation. It is also important to understand methods like pre-shared keys (PSK), enterprise, and open, Wi-Fi protected setup (WPS) and how to use captive portals.
As the final cryptography topic, candidates must know how to implement public key infrastructure, including the function of each component [i.e., certificate authority (CA), intermediate CA, public key, private key, object identifiers (OID)], and concepts such as online vs. ofﬂine CA, stapling, pinning, trust model, key escrow, and certificate chaining. Also, it is necessary to know the types of certificates (i.e., Wildcard, SAN, code signing, self-signed, root, user) and their various formats (i.e., DER, PEM, PFX, CER, P12, P7B).
Yes, I know what you are thinking: The six Security+ domains are quite extensive and include a lot of topics/concepts. And yes, for a successful exam, candidates must be familiar with most of them.
This may seem a little overwhelming at first (and most likely second) glance, but the Security+ would not be a great certification if it did not prepare you thoroughly for taking the first steps in your information security/cybersecurity career. Also, this is an entry-level certification, while it covers a lot of concepts from different areas, and by no means it is an easy, walk-in-the-park exam; it was designed to be the first security certification IT professionals should earn, so it is not as difficult as you may be thinking right now.
Provided you dedicate sufficient study time and create an adequate study plan, earning the Security+ can be done in a short time. If you still need some help, do not panic: The Infosec Institute offers a five-day Security+ Course Overview, providing IT professionals with the most comprehensive accelerated learning experience.