The Security+ CBK Domains: Information And Updates
One of the key reasons why CompTIA’s Security+ is such a great entry-level certification is the fact that its domains are built on a simple premise: a strong focus on hands-on practical skills. By taking and passing the exam, certification holders validate they are ready to deal with real-world situations based on the latest trends and techniques in risk assessment and management, incident response, forensics, enterprise networks, hybrid/cloud operations and security controls.
Security+: An in-depth look at the five domains
In practical terms, by mastering the topics contained in the five Security+ domains, professionals prepare themselves for roles such as junior IT auditor/penetration tester, systems administrator, network administrator and security administrator. As most of these are in quite high demand, if you are considering how to strengthen your cybersecurity knowledge and skills and advance your career, having a Security+ certification should be at the top of your list.
The new CompTIA Security+ SY0-601 exam has been available since Nov. 12, 2020. To successfully pass, candidates must prove they have the knowledge and skills in several areas:
- Assess the security posture of an enterprise environment and recommend and implement appropriate security solutions
- Monitor and secure hybrid environments, including cloud, mobile and IoT
- Operate with an awareness of applicable laws and policies, including principles of governance, risk and compliance
- Identify, analyze and respond to security events and incidents
Domain 1: Attacks, threats and vulnerabilities (24%)
The first domain, Attacks, threats and vulnerabilities, deals with a basic need of every information security professional: being able to recognize and understand the different sources of threats, types of attacks and vulnerabilities that may be exploited. The SY0-601 focuses on issues related to today’s popular technology, including IoT and embedded devices, and the latest attack trends such as the newest DDoS attacks and sophisticated social engineering attempts.
Candidates must also know how to compare and contrast types of attacks. A wide array of issues need to be tackled, including tactics for social engineering, including phishing, spear phishing, whaling, vishing, tailgating and impersonation; application/service attacks, including DoS/DDoS, man-in-the-middle, buffer overﬂow, injection, cross-site scripting, and privilege escalation; wireless attacks like replay, evil twin, rogue AP and jamming; and cryptographic attacks such as birthday, known plain text/cipher text, rainbow tables, dictionary, brute force, collision, replay and weak implementations.
It is also necessary to be able to explain concepts such as threat actor types and attributes. What is the difference between hacktivists and organized crime? How can nation-states be a threat? What level of sophistication should you expect from, and what are the differences in motivations, for insiders and external attackers? How can the use of open-source intelligence be implemented and help in creating a more effective cybersecurity strategy?
Testers are also expected to know the key concepts of penetration testing, including the different approaches (black-box, white-box and gray-box testing), and tactics (active reconnaissance, passive reconnaissance and escalation of privilege).
Other concepts in this domain include explaining vulnerability scanning like passively testing security controls, how to identify vulnerabilities and intrusive vs. non-intrusive methods. It’s also important to know the impact associated with types of vulnerabilities such as race conditions, improper input and error handling, untrained users, memory/buffer vulnerabilities, architecture/design weaknesses, new threats/zero-day, improper certificate and key management.
Domain 2: Architecture and design (21%)
Now it is time to put this knowledge to good use and demonstrate that you can apply security controls in practice and create a safe environment for company operations. This domain will require candidates to explain use cases and purposes for frameworks, best practices and secure configuration guides. It is also necessary to understand how to create benchmarks/secure configuration guides and how to use the concepts of defense-in-depth and layers as the basis for a secure architecture. Questions are especially focused on cloud technology due to the growing reliance of organizations on hybrid networks.
It is quite obvious that creating a safe design is just the first step, so candidates must demonstrate the ability to implement secure network architecture concepts when creating a secure topology with different zones (e.g., DMZ, intranet, extranet, wireless, honeypot), each with specific controls.
Embedded systems must also be protected, so candidates need to understand the security implications related to Supervisory Control And Data Acquisition (SCADA) and Industrial Control Systems (ICS) in general. But it does not stop there; candidates need to consider the protection of smart devices (e.g., wearables) and security controls for IoT (Internet of Things), proper protection of heating, ventilation, and air conditioning (HVAC) systems, camera systems and even special-purpose technology such as medical devices, smart vehicles, drones and unmanned aerial vehicles (UAVs).
Other topics related to secure Architecture and Design include summarizing secure application development and deployment concepts such as life-cycle models, secure DevOps, secure coding techniques, and code quality and testing, understanding cloud and virtualization concepts including the use of different types of hypervisors, cloud storage, cloud deployment models (SaaS, PaaS, IaaS, private, public, hybrid and community) the differences and security advantages of multiple strategies (on-premise vs. hosted vs. cloud) and the concepts of cloud access security broker and security as a service.
Candidates are also required to know the importance of physical security controls such as physical barriers (fencing, gate and cage), having security guards, proper signs, alarms, locks and cameras, the use of motion detection and key management.
Domain 3: Implementation (25%)
This domain covers the implementation of secure protocols, host or application security solutions, wireless security settings and secure solutions for mobile devices and the cloud, given real-world scenarios. This also includes identity control, authentication, authorization, PKI and account management in general.
Other required concepts include the practical use of tunneling/VPN (e.g., for site-to-site connections or providing users with remote access), correctly placing security devices such as firewalls, sensors, collectors and protecting SDN (software-defined networking) in an enterprise environment. Another important task is implementing secure systems design to safeguard aspects related to hardware/firmware security, operating systems and peripherals.
This is also the domain that covers questions on endpoint security (latest antivirus, anti-malware and intrusion prevention systems) as well as how to harden the entire company IT structure, how to secure applications and work with security protocols.
Domain 4: Operations and incident response (16%)
This domain is about the role of the security professional in the response to an incident. It covers anything from incident handling to disaster recovery and business continuity. The exam addresses both technical and administrative concepts. It not only tests on forensics, network reconnaissance and discovery concepts and the ability to reconfigure systems for incident mitigation, but it also covers the preparation phase that allows a business to be ready for unfortunate events like attacks: from tabletop exercises and simulations to the creation of plans.
Considering that some risks will eventually become real occurrences, candidates must understand the procedures for dealing with security incidents, such as creating a formal incident response plan that defines the methods for incident documentation and classification, clear roles and responsibilities, escalation procedures and who is the cyber-incident response team. Of course, the incident response process must also be considered, including phases such as preparation, identification, containment, eradication, recovery and lessons learned.
Candidates must understand and be able to explain concepts such as the different types of recovery sites (i.e., hot site, warm site and cold site), how to define the order of system/business processes restoration, how to use the different types of backup (differential, incremental, snapshots and full), the geographic considerations when choosing a disaster recovery strategy, such as having off-site backups, what is the necessary distance between the production environment and recovery facilities, even legal implications (i.e. can data be stored/recovered in a different country?) and a key point: how the continuity of operations will be tested to confirm disaster recovery plans work.
Testers are also required to summarize basic concepts of forensics, including the order of volatility, creating and maintaining a chain of custody, legal hold, data acquisition and preservation, recovery techniques and strategic intelligence/counterintelligence gathering. Basically, the candidate needs to be able to demonstrate the knowledge necessary not only to gather data needed for the investigation, but also to preserve it both from a technical and a legal perspective.
Domain 5: Governance, risk and compliance (14%)
With this domain, candidates are asked about all-important policies, plans and procedures related to organizational security, including standard operating procedures, different types of agreements (such as service level agreement, or SLA), and personnel management controls such as job rotation, mandatory vacations, segregation of duties, background checks and awareness training based on the user’s role.
Testers need to be able to summarize business impact analysis concepts such as recovery point objective (RPO) and recovery time objective (RTO), the mean time between failures (MTBF) and mean time to repair (MTTR). It is very important to have a proper understanding of what are mission-essential functions, how to perform an identification of critical systems and be able to explain how a single point of failure can negatively impact the organization.
As for risk management processes and concepts, candidates must be able to explain the different types of threat assessments, including the various threat sources (i.e., environmental, manmade, internal vs. external), apply risk assessment techniques such as combining the single-loss expectancy (SLE) with the annual rate of occurrence (ARO) and defining the annualized loss expectancy (ALE), understand how to best define asset value, identify threats and their likelihood of occurrence, calculate its impact and define risk levels both in quantitative and qualitative terms. They will also need to know risk response techniques that will define if it can be accepted as is, or if a risk must be transferred, mitigated or completely avoided.
As expected, candidates should be able to compare and contrast the various types of security controls (i.e., deterrent, preventive, detective, corrective, compensating, technical, administrative and physical) and also be able to carry out data security and privacy practices such as data destruction and media sanitization, data sensitivity labeling and handling, defining data roles (such as owner, steward/custodian and privacy officer), defining the required level of data retention and even understanding legal and compliance requirements.
Compliance is actually a very important topic in this domain; testers will have to have solid knowledge of the many important regulations that regulate every aspect of their work, including PCI-DSS, SOX, HIPAA, GDPR, FISMA, NIST and CCPA.
Apart from implementing and maintaining effective security systems, protecting digital assets entails necessarily addressing the risks related to the human element. As security is only as strong as the weakest link, awareness is thought of as a cardinal point in any effective defense strategy. The test, then, covers the importance of involving users from onboarding with directives, proper training (computer-based, role-based, simulations and more) and dissemination of clear policies.
Security+ is the most popular certification for cybersecurity professionals. Yes, I know what you are thinking: The five domains are quite extensive and include a lot of topics and concepts. And yes, for a successful exam, candidates must be familiar with most of them.
This may seem a little overwhelming at a first, but the Security+ would not be a great certification if it did not prepare you thoroughly for taking the first steps in your information security/cybersecurity career. Also, this is an entry-level certification. While it covers a lot of concepts from different areas, and by no means it is an easy exam, it was designed to be the first security certification IT professionals should earn, so it is not as difficult as you may be thinking right now.
Provided you dedicate sufficient study time and create an adequate study plan, earning the Security+ can be done in a short time.
Security+, CompTIA, Inc.
Exam Objectives, CompTIA, Inc.