Security+ SY0-701 LMRG - 2023


Security+ Last Minute Review Guide (SY0-701)

Domain 1:
General Security Concepts

Figure: the CIA triad, with confidentiality, integrity and availability as the three sides.

The main goals of information security are:
• Confidentiality prevents unauthorized disclosure.
• Integrity prevents unauthorized alteration.
• Availability ensures authorized access.
• Non-repudiation means that someone who performed some action, such as sending a message, cannot later deny having taken that action.
• Digital signatures are commonly used to achieve non-repudiation.

Security controls are divided into four categories, based upon how they function:

Category      Description
Managerial    Procedural mechanisms that focus on the mechanics of the risk management process
Operational   Processes that we put in place to manage technology in a secure manner
Technical     Uses technological means to meet a security objective
Physical      Uses physical constraints to meet a security objective

We can also classify security controls into six different types, based upon what they are designed to achieve:

Type          Description
Preventive    Stops an adversary from violating security policies.
Deterrent     Discourages an adversary from even attempting an attack.
Detective     Identifies potential violations of security policies.
Corrective    Restores the original state after a security incident.
Compensating  Fills the gap when it is not possible to implement a required control.
Directive     Informs employees and others what they should do to achieve security objectives.

The defense-in-depth principle requires the use of overlapping controls to meet the same control objective, protecting against the failure of an individual control.

During a gap analysis, you review control objectives and examine the controls designed to achieve those objectives. If there are any cases where the controls do not meet the control objective, that is an example of a gap.

Sensor Type   Description
Infrared      Detects the presence of people using the heat they radiate
Pressure      Detects shifting weight on a pressure plate
Microwave     Detects people and objects present in an area
Ultrasonic    Emits inaudible (ultrasonic) sound waves and detects changes in their reflections

Zero Trust network access never grants trust implicitly, such as based upon an IP address, but continuously reevaluates trust. The Control Plane makes decisions about access and the Data Plane is where those decisions are enforced.
© 2023, CertMike.com 1
Figure: core Zero Trust logical components. In the Control Plane, the Policy Engine and Policy Administrator together form the Policy Decision Point, drawing on inputs such as the CDM system, industry compliance, threat intelligence, activity logs, the data access policy, PKI, the ID management system and the SIEM. In the Data Plane, a subject on an untrusted system reaches the trusted enterprise resource only through the Policy Enforcement Point.

Fencing may be used to prevent or deter anyone from entering an area. Bollards may be used to prevent vehicles from entering an area while permitting pedestrian access. They should be used in conjunction with proper lighting and security guards.

Deception Technology   Description
Honeypot               System that serves as a decoy to attract attackers
Honeynet               Decoy network of honeypot systems designed to capture probing traffic
Honeyfile              File that serves as a decoy to attract attackers
Honeytoken             Information that looks legitimate but is designed to identify attackers when accessed

Encryption protects sensitive information from unauthorized disclosure by making it unreadable to anyone without the appropriate decryption key.

Common use cases for cryptography (encryption together with hashing and digital signatures) include:
• Providing confidentiality for sensitive information
• Confirming the integrity of stored or transmitted information
• Authenticating users

Symmetric encryption uses the same shared secret key for encryption and decryption.

In asymmetric encryption, users each have their own public/private key pair. Keys are used as follows:

                           Confidentiality           Digital Signature
Sender encrypts with       Recipient's public key    Sender's private key
Recipient decrypts with    Recipient's private key   Sender's public key

Anything encrypted with one key from a pair may only be decrypted with the other key from that same pair.

For n users, symmetric cryptography requires n(n-1)/2 keys (one shared key per pair of users), while asymmetric cryptography requires 2n keys (one key pair per user).

Secure symmetric algorithms include AES, Twofish, and Blowfish; 3DES is still encountered but is deprecated by NIST and should not be chosen for new systems. DES and RC4 are not secure. Secure asymmetric algorithms include RSA, El Gamal, and elliptic curve cryptography (ECC).

The Diffie-Hellman algorithm may be used for secure exchange of symmetric keys.

Hashes are one-way functions that produce a fixed-length value from any input. A secure hash cannot be reversed, and it is computationally infeasible to find two different inputs that produce the same value (a collision).

Common hashing algorithms include the SHA family (SHA-2, SHA-3) and RIPEMD. HMAC is not a hash algorithm itself but a keyed construction built on a hash that provides message authentication. The MD5 and SHA-1 algorithms are still widely used but have practical collision attacks and should not be relied upon for signatures or integrity checks.

The hardware root of trust is established through the use of the trusted platform module (TPM) and provides assurance that hardware has not been tampered with. The boot process for a system is managed by the Unified Extensible Firmware Interface (UEFI), which replaces the older BIOS approach. High security applications may require the use of a trusted foundry for chips that establishes a high degree of assurance that the chip was securely built.

Data minimization techniques lower risk by decreasing the amount of sensitive information maintained by the organization. When data can't be eliminated, data obfuscation techniques may render it less sensitive.

Data obfuscation techniques include:
• Hashing uses a hash function to transform a value in our dataset to a corresponding hash value. Note that hashing a low-entropy value such as a national ID number can be reversed by brute force unless the hash is keyed.
• Tokenization replaces sensitive values with a unique identifier using a lookup table.
• Data masking partially redacts sensitive information by replacing some or all of sensitive fields with blank characters.
• Steganography embeds information in an image, video, audio, or other binary file to escape detection.

Key stretching is used to create encryption keys from passwords in a strong manner. PBKDF2 combines the password with a random salt and then iterates a keyed hash (HMAC) many thousands of times, so that each guess costs an attacker as much work as a legitimate login costs the user.

Blockchain creates a tamper-evident data store by using a distributed and immutable open public ledger.

Digital certificates are a secure means to provide an unknown third party with a trusted copy of the public key belonging to an individual, organization, or device. Digital certificates are issued by a trusted Certificate Authority (CA). When creating a digital certificate, the CA takes a copy of the subject's public key along with the other certificate information and then digitally signs the certificate using the CA's private key. When a user or application wishes to verify the digital certificate, they do so by validating the digital signature using the CA's public key. If the signature is authentic and the CA is trusted, the public key may then be trusted.

Certificate authorities may revoke a digital certificate by placing it on the Certificate Revocation List (CRL). However, this approach is slow and is supplemented by the Online Certificate Status Protocol (OCSP), which provides real-time certificate status checks (often delivered by the server itself through OCSP stapling).

Organizations not wishing to purchase a digital certificate from a CA may create their own self-signed certificates. These certificates are fine for internal use but will not be trusted by external users.

Digital certificates issued by CAs come in three varieties. They differ in the amount of verification performed by the CA before issuing the certificate.

Certificate Type               Validation Performed
Domain validation (DV)         CA verifies that the certificate subject controls the domain name. Weakest form of validation.
Organization validation (OV)   CA verifies the name of the business purchasing the certificate in addition to domain ownership.
Extended validation (EV)       CA performs additional checks to verify the physical presence of the organization at a registered address.
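The key-usage table (encrypt with the recipient's public key, sign with the sender's private key) and the CA signing process described above, worked through in code. This is an added example, not code from the CertMike guide. It uses textbook RSA with fixed Mersenne primes, SHA-256 and no padding so that it runs with only the Python standard library; those choices, the subject name alice@example.com and the JSON certificate layout are assumptions for illustration, not how production keys are generated or used (real systems use a vetted library with random primes and OAEP/PSS padding).

```python
"""Asymmetric key usage and CA-signed certificates with toy textbook RSA.

Added example, not code from the CertMike guide. Fixed Mersenne primes,
no padding and raw integer arithmetic are assumptions that keep the example
dependent only on the standard library; production systems use a vetted
library (random primes, OAEP/PSS padding) instead.
"""
import hashlib
import json

# Assumption: known Mersenne primes stand in for randomly generated primes.
CA_PRIMES = (2**127 - 1, 2**521 - 1)
ALICE_PRIMES = (2**107 - 1, 2**607 - 1)


def generate_keypair(p, q, e=65537):
    """Return (public, private) as ((n, e), (n, d))."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest_int(data):
    """SHA-256 of the data as an integer, so it can be raised to a power mod n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


# Confidentiality column of the table: the sender encrypts with the
# RECIPIENT's public key; only the recipient's private key can decrypt.
def encrypt(public_key, plaintext):
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this key")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Digital signature column: the sender signs with their OWN private key;
# anyone holding the sender's public key can verify.
def sign(private_key, message):
    n, d = private_key
    return pow(_digest_int(message), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message)


# A certificate binds a subject name to the subject's public key and is
# signed with the CA's private key. A relying party checks it with the CA's
# public key; if the signature is good and the CA is trusted, the subject's
# public key can be trusted.
def issue_certificate(ca_private, subject, subject_public):
    tbs = {"subject": subject, "n": subject_public[0], "e": subject_public[1]}
    encoded = json.dumps(tbs, sort_keys=True).encode()
    return {"tbs": tbs, "signature": sign(ca_private, encoded)}


def verify_certificate(cert, ca_public):
    encoded = json.dumps(cert["tbs"], sort_keys=True).encode()
    return verify(ca_public, encoded, cert["signature"])


if __name__ == "__main__":
    ca_pub, ca_priv = generate_keypair(*CA_PRIMES)
    alice_pub, alice_priv = generate_keypair(*ALICE_PRIMES)
    cert = issue_certificate(ca_priv, "alice@example.com", alice_pub)
    print("certificate valid:", verify_certificate(cert, ca_pub))
    ct = encrypt(alice_pub, b"meet at noon")            # anyone -> Alice
    print("decrypted:", decrypt(alice_priv, ct))
    sig = sign(alice_priv, b"I approve this transfer")  # Alice -> anyone
    print("signature valid:", verify(alice_pub, b"I approve this transfer", sig))
```

Changing a single byte of the signed message, or the subject name inside the certificate, makes verification fail, which is the property the CA's signature provides.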

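The hashing, HMAC and key stretching points above, as an added example that is not code from the CertMike guide and uses only the Python standard library. The 600,000-iteration count, the 16-byte salt and the sample passwords are assumptions for the demo.

```python
"""Hashing, HMAC and PBKDF2 key stretching with the standard library.

Added example, not code from the CertMike guide. The iteration count,
salt length and sample passwords are assumptions for the demo.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumption: tune so one derivation costs ~100 ms on your hardware


def sha256_hex(data):
    """Plain one-way hash: fixed 256-bit output, any change flips about half the bits."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key, data):
    """HMAC is a keyed construction built on a hash. Without the key nobody can
    compute or forge the tag, which is what makes it a message authentication code."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, derived_key). A fresh random salt per password means two users
    with the same password store different values, so a precomputed table of
    hashes is useless, and the iteration count makes every guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return salt, dk


def verify_password(password, salt, expected, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, dk = hash_password(password, salt, iterations)
    return hmac.compare_digest(dk, expected)


def salted_hashes_differ(password, iterations=ITERATIONS):
    """True when the same password yields different stored values under two random salts."""
    _, first = hash_password(password, iterations=iterations)
    _, second = hash_password(password, iterations=iterations)
    return first != second


if __name__ == "__main__":
    print(sha256_hex(b"abc"))
    print(hmac_sha256_hex(b"key", b"The quick brown fox jumps over the lazy dog"))
    salt, dk = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, dk))
    print("verify wrong:", verify_password("Correct horse battery staple", salt, dk))
    print("salts make hashes differ:", salted_hashes_differ("correct horse battery staple"))
```

Store the salt and the iteration count alongside the derived key; the salt is not secret, it only has to be unique per password.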
Domain 2:
Threats, Vulnerabilities, and Mitigations

You should be familiar with the most common categories of cybersecurity threat actor:
• Nation-state actors hack into foreign governments or corporations. The motive can be political or economic.
• Unskilled attackers (script kiddies) rely on tools and exploits written by others and are generally seeking a quick thrill.
• Hacktivists use hacking techniques to accomplish some activist goal motivated by the greater good.
• Insider threats occur when an employee or other individual with authorized access uses that access to attack the organization.
• Organized crime groups use cyberattacks for financial gain.
• Shadow IT takes place where individuals and groups seek out their own technology solutions. It poses a risk to the organization because it puts sensitive information in the hands of vendors outside of the organization's control.

Zero-day attacks exploit vulnerabilities that are not yet known to the vendor or to cybersecurity teams, so no patch or signature exists for them.

Attackers may be internal to the organization or external threats. They have varying levels of sophistication and funding and may be motivated by:
• Data exfiltration
• Espionage
• Service disruption
• Blackmail
• Financial gain
• Philosophical/political beliefs
• Ethical intent
• Revenge
• Disruption/chaos
• War

As adversaries plan their attacks, they take advantage of different threat vectors:
• Message-based (Email, SMS, IM)
• Image-based
• File-based
• Voice call
• Removable devices
• Vulnerable software
• Unsupported systems/applications
• Unsecure networks
• Open service ports
• Default credentials
• Supply chain vulnerabilities
• Human vectors

Malware comes in many different forms. You should be able to review a scenario and identify the type of malware involved. Major malware types include:

Malware Type          Description
Virus                 Spreads between systems based upon some user action.
Worm                  Spreads between systems by exploiting vulnerabilities; no user action required.
Trojan                Masquerades as desirable software to trick users into installing it.
Remote Access Trojan  Trojan horse that allows an attacker to gain remote access to a system.
Spyware               Monitors user activity, such as keystrokes and web visits. Keyloggers are an example of spyware.
Ransomware            Encrypts user files and demands a ransom before releasing the key.
Logic Bomb            Waits until certain conditions are met before triggering a malicious action.
Rootkit               Conceals its presence and maintains privileged (administrative or kernel-level) access to a compromised system; typically installed after an attacker has already gained administrative rights.
Backdoor              Provides an unauthorized mechanism for accessing a system.
Botnet                Network of compromised systems that an attacker controls through the use of a command and control mechanism. Commonly used in denial of service attacks.
Bloatware             Unwanted software installed at the same time as a legitimate application install.
Social engineering attacks manipulate individuals to gain unauthorized access or information.

Social engineering attacks exploit seven main mechanisms: authority, intimidation, consensus, scarcity, familiarity, trust, and urgency. Variants of social engineering attacks include:

Attack Type                       Description
Phishing                          Solicits information via email.
Spear Phishing                    Solicits information via highly targeted email designed for one person.
Whaling                           Targets high value individuals, such as senior executives.
Vishing                           Solicits information via voice telephone calls.
Smishing                          Solicits information via SMS text message.
Pretexting                        Uses a fake scenario to manipulate someone into divulging confidential information.
Brand Impersonation               Mimics the identity of a trusted entity or brand to deceive individuals.
Typosquatting                     Registers misspellings of common domain names to attract traffic.
Business Email Compromise (BEC)   Impersonates a company executive or other high-level employee in an attempt to deceive someone within the company. Commonly involves requests to transfer funds, fraudulent invoices, or impersonating attorneys.
Tailgating                        Accesses a building by having someone hold the door open.
Dumpster Diving                   Discovers sensitive information discarded in the trash.
Shoulder Surfing                  Monitors user activity by watching them as they enter/read information.
Watering Hole                     Places malware on a site where users are known to visit.
Impersonation                     Attacks where the attacker is able to appear to a remote user/system as another individual.

Misinformation is the dissemination of false information without malicious intent, while disinformation involves malicious intent.

On-path attacks intercept a client's initial request for a connection to a server and proxy that connection to the real service. The client is unaware that they are communicating through a proxy and the attacker can eavesdrop on the communication and inject commands.

Password attacks seek to defeat the security of password-based authentication. Common password attacks include:
• Brute force attacks attempt to simply guess passwords repeatedly.
• Dictionary attacks guess passwords using a dictionary of words and phrases.
• Password spraying attacks try a small number of common passwords against many accounts, staying below the per-account lockout threshold that a brute force attack would trip.
• Credential stuffing attacks take lists of usernames and passwords from a compromised site and attempt to use them to login at another site.
• Rainbow table attacks precompute the hashes of common passwords and use them against a stolen password file. Rainbow table attacks may be defeated by using salted passwords.
• Pass the hash attacks reuse hashed credentials from one machine to login to another machine.

Birthday attacks seek to find collisions in hash functions, where the hash function generates the same value for two different inputs.

The OWASP Top Ten Web application security risks (2021 edition) are:
1. Broken access control
2. Cryptographic failures
3. Injection
4. Insecure design
5. Security misconfiguration
6. Vulnerable and outdated components
7. Identification and authentication failures
8. Software and data integrity failures
9. Security logging and monitoring failures
10. Server-side request forgery (SSRF)
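Brute force and password spraying, two of the password attacks listed above, leave different footprints in authentication logs: many failures against one account from one source versus one or two failures against many accounts from one source. The detector below is an added example, not from the CertMike guide; the log line format (`timestamp src=... user=... result=...`), the thresholds and the sample log lines are all constructed for the demo.

```python
"""Detecting brute-force and password-spraying patterns in authentication logs.

Added example, not from the CertMike guide. The log format, the thresholds
and the sample log lines are assumptions constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

BRUTE_FORCE_FAILS = 5      # failures against ONE account from one source
SPRAY_MIN_ACCOUNTS = 5     # distinct accounts hit from one source ...
SPRAY_MAX_PER_ACCOUNT = 2  # ... with at most this many tries each (stays under lockout)
WINDOW = timedelta(minutes=10)

# Constructed sample: one brute-force source, one spraying source, one normal user.
SAMPLE_LOG = """
2024-03-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:03Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:05Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:07Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:09Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:11Z src=203.0.113.5 user=alice result=OK
2024-03-01T10:01:00Z src=198.51.100.7 user=bob result=FAIL
2024-03-01T10:01:02Z src=198.51.100.7 user=carol result=FAIL
2024-03-01T10:01:04Z src=198.51.100.7 user=dave result=FAIL
2024-03-01T10:01:06Z src=198.51.100.7 user=erin result=FAIL
2024-03-01T10:01:08Z src=198.51.100.7 user=frank result=FAIL
2024-03-01T10:01:10Z src=198.51.100.7 user=grace result=OK
2024-03-01T10:05:00Z src=192.0.2.9 user=heidi result=FAIL
2024-03-01T10:05:30Z src=192.0.2.9 user=heidi result=OK
"""


def parse(lines):
    """Parse log lines into sorted (timestamp, src, user, result) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def detect(lines):
    """Return [(alert_type, src, detail)] for failure patterns inside WINDOW per source."""
    failures = [e for e in parse(lines) if e[3] == "FAIL"]
    alerts, seen = [], set()
    for i, (ts, src, _, _) in enumerate(failures):
        # All failures from this source in the window that starts at this event.
        window = [e for e in failures[i:] if e[1] == src and e[0] - ts <= WINDOW]
        per_user = defaultdict(int)
        for _, _, user, _ in window:
            per_user[user] += 1
        for user, n in per_user.items():
            if n >= BRUTE_FORCE_FAILS and ("brute", src, user) not in seen:
                seen.add(("brute", src, user))
                alerts.append(("brute_force", src, f"{n} failures against {user}"))
        if (len(per_user) >= SPRAY_MIN_ACCOUNTS
                and max(per_user.values()) <= SPRAY_MAX_PER_ACCOUNT
                and ("spray", src) not in seen):
            seen.add(("spray", src))
            alerts.append(("password_spray", src,
                           f"{len(per_user)} accounts, at most {max(per_user.values())} tries each"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

A per-account lockout never fires for the spraying source in the sample, which is exactly why the detection has to aggregate by source rather than by account; a success from the same source shortly after a spray (grace at 10:01:10) is what an analyst would escalate first.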

Attack Type                  Description
SQL injection                Manipulates web applications to send unauthorized commands to the back-end database
Overflow                     Places more data than expected in a memory buffer in an attempt to execute unauthorized code
Remote code execution        Allows an attacker to execute code of their choosing without accessing the system directly
Directory traversal          Embeds periods and slashes (../) in URLs in an attempt to navigate the web server's file system
Privilege escalation         Exploits that allow an attacker to take a normal user account and manipulate it to gain administrative access. Attackers often install a rootkit afterwards to hide and retain that access.
Session hijacking            Attacks where the adversary steals a cookie or other session credential to take over a user's existing authenticated session.
Cross-site scripting (XSS)   Attacks where the adversary tricks the user's browser into executing embedded scripts that are either stored on a web server (persistent XSS) or use input that is repeated as output (reflected XSS).
Race condition               Attacks that depend upon the timing of two operations.
TOC/TOU                      Race condition that occurs when a program checks access permissions too far ahead of a resource request.

Virtual machines allow us to run multiple operating system instances on a single physical server. In a virtualized environment, the hypervisor is responsible for enforcing isolation.

Figure: Type 1 hypervisor. Guest virtual machines run on a hypervisor that sits directly on the physical hardware.

Figure: Type 2 hypervisor. Guest virtual machines run on a hypervisor that is itself an application on a host operating system, alongside other applications, on top of the physical hardware.

When deploying services in the cloud, organizations may choose from three major cloud strategies:
• Software as a Service (SaaS) deploys entire applications to the cloud. The customer is only responsible for supplying data and manipulating the application.
• Infrastructure as a Service (IaaS) sells basic building blocks, such as servers and storage. The customer manages the operating system and configures and installs software.
• Platform as a Service (PaaS) provides the customer with a managed environment to run their own software without concern for the underlying hardware.

Cloud services may be built and/or purchased in several forms:
• Public cloud providers sell services to many different customers and many customers may share the same physical hardware.
• Private cloud environments dedicate hardware to a single organization.
• Hybrid cloud environments combine elements of public and private cloud in a single organization.
• Community cloud environments use a model similar to the public cloud but with access restricted to a specific set of customers.
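SQL injection and directory traversal from the attack table above, each shown as the vulnerable pattern beside its fix. This is an added example, not code from the CertMike guide; it uses an in-memory SQLite table and a temporary directory constructed for the demo, and the `users` schema and the `safe_join` helper are assumptions.

```python
"""SQL injection and directory traversal: vulnerable code beside the fix.

Added example, not from the CertMike guide. The users table, the sample rows
and the temporary directory are constructed for the demo.
"""
import os
import sqlite3
import tempfile


def make_db():
    """In-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the attacker's input becomes part of the SQL grammar,
    so  x' OR '1'='1  turns the WHERE clause into one that matches every row."""
    query = "SELECT username, secret FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the value travels separately from the statement and can
    only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, secret FROM users WHERE username = ?", (username,)
    ).fetchall()


def safe_join(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it.
    realpath() collapses ../ segments and follows symlinks, so the check is made on
    the path the OS would actually open, not on the string the user supplied."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path traversal attempt rejected: {user_path!r}")
    return target


def traversal_demo():
    """Return (normal_path_allowed, escape_rejected) using a throwaway base directory."""
    with tempfile.TemporaryDirectory() as base:
        allowed = safe_join(base, "reports/q1.txt").startswith(os.path.realpath(base))
        try:
            safe_join(base, "../../etc/passwd")
            rejected = False
        except ValueError:
            rejected = True
    return allowed, rejected


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every row leaks
    print("safe:      ", lookup_safe(conn, payload))          # no match
    print("traversal demo (allowed, rejected):", traversal_demo())
```

The same `safe_join` check also rejects an absolute `user_path`, because `os.path.join` discards the base when the second argument is absolute and the resolved target then falls outside it.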

Indicators of compromise (IoC) are items of unusual activity that may suggest a security incident and require further investigation. Examples of IoC include:
• Unexpected account lockout
• Concurrent session usage
• Blocked content
• Impossible travel time
• Excessive resource consumption
• Resource inaccessibility
• Out-of-cycle logging
• Missing logs

When configuring security for a wireless network, you should use recent versions of Wi-Fi Protected Access (WPA2 or WPA3). The original version of WPA, which used the Temporal Key Integrity Protocol (TKIP), is no longer secure. WPA2 uses CCMP (AES-based) to provide security, while WPA3 replaces the WPA2 pre-shared key handshake with Simultaneous Authentication of Equals (SAE), which resists offline dictionary attacks against a captured handshake.

Network segmentation places different types of systems on different network segments, minimizing the likelihood of cross-infection. This may be done with physically separate networks or with virtual networks (VLANs). Extremely sensitive network segments may be separated by an air gap, meaning they are not connected to any other network. Virtual private clouds (VPCs) are used to create virtual network segmentation in cloud environments.

Access control lists (ACLs) form the basis of many access management systems and provide a listing of subjects and their permissions on objects and groups of objects.

Personnel security principles include:
• Need to know requires a legitimate business need to access information.
• Least privilege grants individuals the minimum necessary permissions to perform their jobs.
• Separation of duties blocks someone from having two sensitive privileges in combination.
• Two-person control requires two people to perform a sensitive activity.
• Mandatory vacations and job rotation seek to prevent fraudulent activity by uncovering malfeasance.

Endpoint monitoring provides important operational information to cybersecurity analysts because endpoint behavior is often the first indicator of a compromise.

Endpoint detection and response (EDR) systems provide this insight, while user and entity behavior analytics (UEBA) solutions allow deeper behavioral inspection.
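Impossible travel, one of the indicators of compromise listed above, is straightforward to compute once each login carries a geolocation: if two consecutive logins by the same user would have required travelling faster than any aircraft, the second one is suspect. The detector below is an added example, not from the CertMike guide; the login records, the coordinates attached to each source IP and the 900 km/h threshold are assumptions constructed for the demo.

```python
"""Impossible-travel detection over constructed login records.

Added example, not from the CertMike guide. The record format, the
coordinates for each source IP and the speed threshold are assumptions.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly the cruising speed of an airliner

# Constructed records: (user, timestamp, source_ip, (latitude, longitude)).
LOGINS = [
    ("alice", "2024-03-01T08:00:00Z", "203.0.113.10", (40.7128, -74.0060)),   # New York
    ("alice", "2024-03-01T08:45:00Z", "198.51.100.20", (51.5074, -0.1278)),   # London, 45 min later
    ("bob",   "2024-03-01T09:00:00Z", "192.0.2.30",   (37.7749, -122.4194)),  # San Francisco
    ("bob",   "2024-03-01T17:30:00Z", "192.0.2.31",   (40.7128, -74.0060)),   # New York, 8.5 h later
]


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_ip, to_ip, km, hours, kmh) for each pair of consecutive
    logins by one user whose implied speed exceeds max_kmh."""
    by_user = {}
    for user, ts, ip, loc in sorted(logins, key=lambda r: r[1]):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        by_user.setdefault(user, []).append((when, ip, loc))
    alerts = []
    for user, events in by_user.items():
        for (t1, ip1, loc1), (t2, ip2, loc2) in zip(events, events[1:]):
            km = haversine_km(loc1, loc2)
            hours = (t2 - t1).total_seconds() / 3600
            if hours == 0:
                kmh = float("inf") if km > 0 else 0.0   # simultaneous logins far apart
            else:
                kmh = km / hours
            if kmh > max_kmh:
                alerts.append((user, ip1, ip2, round(km), round(hours, 2), round(kmh)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(LOGINS):
        print(alert)
```

Alice's New York to London pair (about 5,570 km in 45 minutes) is flagged; Bob's San Francisco to New York pair (about 4,130 km in 8.5 hours) is an ordinary flight and is not. In practice the geolocation comes from an IP-to-location database and VPN egress points produce false positives, so the alert should enrich rather than block.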

Domain 3:
Security Architecture

Tool                                             Description
Intrusion Detection System                       Monitors a host or network for signs of intrusion and reports to administrators.
Intrusion Prevention System                      Monitors a host or network for signs of intrusion and attempts to block malicious traffic automatically.
Security Information & Event Management System   Aggregates and correlates security information received from other systems.
Firewall                                         Restricts network traffic to authorized connections.
Application Allow List                           Limits applications to those on an approved list.
Application Deny List                            Blocks applications on an unapproved list.
Sandboxing                                       Provides a safe space to run potentially malicious code.
DNS Sinkhole                                     Uses false DNS replies to block access to known malicious sites.
VPN Concentrator                                 Provides a central aggregation point for VPN connections.
Proxy Server                                     Makes requests to other servers on behalf of an end user, providing anonymization and performance enhancement.
Data Loss Prevention                             Blocks the exfiltration of sensitive information from an organization.
Mail Gateway                                     Screens inbound messages for malicious content.
Cloud Access Security Broker (CASB)              Service that intercepts requests headed for cloud services to confirm their compliance with organizational security policies.
Hardware Security Module (HSM)                   Stores and manages encryption keys in tamper-resistant hardware.

Split tunnel VPNs only send traffic destined for the corporate network through the VPN, while full tunnel VPNs send all traffic through the VPN. Network Access Control systems screen devices before allowing them to connect to the network. This screening may include both user authentication and device health checking.

Know the secure alternatives to commonly used protocols:

Insecure Protocol   Secure Alternative(s)
Telnet              SSH
HTTP                HTTPS
LDAP                LDAPS
FTP                 FTPS or SFTP
DNS                 DNSSEC (authenticity and integrity of responses; DNS over TLS or HTTPS adds confidentiality)
SNMPv1/2            SNMPv3

Power Issue     Brief Duration   Prolonged Duration
Loss of power   Fault            Power loss/power failure
Low voltage     Sag              Under-voltage event (brownout)
High voltage    Spike            Surge
Disturbance     Transient        Noise

Access control vestibules use a set of double doors that open one at a time to restrict physical access to a facility.

In addition to maintaining current and patched platforms, one of the most effective application security techniques is input validation, which ensures that user input matches the expected pattern before using it in code.

The core activities of identity and access management are:
• Identification, where a user makes a claim of identity.
• Authentication, where the user proves the claim of identity.
• Authorization, where the system confirms that the user is permitted to perform the requested action.

In access control systems, we seek to limit the access that subjects (e.g. users, applications, processes) have to objects (e.g. information resources, systems).

Multifactor authentication (MFA) systems combine authentication technologies from two or more of the following categories:
• Something you know factors rely upon secret information, such as a password.
• Something you have factors rely upon physical possession of an object, such as a smartphone.
• Something you are factors rely upon biometric characteristics of a person, such as a face scan or fingerprint.
• Somewhere you are factors rely upon a user's physical location.

Authentication technologies may experience two types of errors. False positive errors occur when a system accepts an invalid user as correct. This is measured using the false acceptance rate (FAR). False negative errors occur when a system rejects a valid user, measured using the false rejection rate (FRR). Making the system more sensitive lowers FAR but raises FRR. We evaluate the effectiveness of an authentication technology using the crossover error rate (CER), the sensitivity at which FAR and FRR are equal; a lower CER indicates a more accurate system.

Figure: FAR and FRR plotted against sensitivity, with error rate on the vertical axis. FAR falls and FRR rises as sensitivity increases; the point where the curves cross is the CER.

Business continuity planning conducts a business impact assessment and then implements controls designed to keep the business running during adverse circumstances.

Backups provide an important disaster recovery control. Remember that there are three major categories of backup:

Backup Type           Description
Full Backup           Copies all files on a system.
Differential Backup   Copies all files on a system that have changed since the most recent full backup.
Incremental Backup    Copies all files on a system that have changed since the most recent full or incremental backup.

Restoring from a differential scheme needs the last full backup plus only the latest differential; restoring from an incremental scheme needs the last full backup plus every incremental taken since it, applied in order.

Disaster recovery sites fit into three major categories:

Site Type   HVAC/Power   Configured Servers   Real-time Data
Cold Site   Yes          No                   No
Warm Site   Yes          Yes                  No
Hot Site    Yes          Yes                  Yes

Disaster recovery plans require testing. There are four major test types:

DR Test Type          Description
Tabletop exercises    Plan participants review the plan and their specific role as a group or individually.
Simulation            DR team participates in a scenario-based exercise that uses the DR plan without implementing technical recovery controls.
Parallel processing   DR team activates alternate processing capabilities without taking down the primary site.
Fail over             DR team switches the primary site to a secondary site to simulate a disaster.

TCP is a connection-oriented protocol, while UDP is a connectionless protocol that does not guarantee delivery.
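The FAR, FRR and crossover error rate described above, computed from match scores. This is an added example, not from the CertMike guide; the genuine and impostor score lists come from a hypothetical matcher and are constructed to show the trade-off, and the accept-if-score-at-or-above-threshold rule is an assumption.

```python
"""Computing FAR, FRR and the crossover error rate from match scores.

Added example, not from the CertMike guide. The score lists are constructed
for a hypothetical matcher that outputs a similarity from 0 to 100.
"""

# Constructed scores: the enrolled user's own attempts and other people's attempts.
GENUINE_SCORES = [91, 88, 85, 82, 79, 77, 74, 70, 66, 61, 55, 48]
IMPOSTOR_SCORES = [12, 18, 23, 29, 34, 38, 43, 47, 52, 58, 64, 71]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Accept when score >= threshold (higher threshold = more sensitive system).
    FAR = impostors accepted / impostors (false positives);
    FRR = genuine users rejected / genuine attempts (false negatives)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every threshold and return (threshold, FAR, FRR) at the point where
    the two error rates are closest; that rate is the CER."""
    best = None
    for t in range(0, 102):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr


def curve(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, step=10):
    """(threshold, FAR, FRR) rows for a coarse sweep, the data behind the FAR/FRR plot."""
    return [(t, *error_rates(t, genuine, impostor)) for t in range(0, 101, step)]


if __name__ == "__main__":
    for t, far, frr in curve():
        print(f"threshold {t:3d}: FAR {far:.2f}  FRR {frr:.2f}")
    t, far, frr = crossover()
    print(f"CER at threshold {t}: FAR {far:.3f} FRR {frr:.3f}")
```

With these constructed scores the curves cross at a threshold of 59, where one impostor in six is accepted and one genuine attempt in six is rejected. A better matcher separates the two score distributions further and therefore has a lower CER; an operator who cares more about false acceptance than user friction deliberately sets the threshold above the crossover.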

Figure: TCP three-way handshake. The client sends SYN, the server replies with SYN/ACK, and the client completes the connection with ACK.

DNS converts between IP addresses and domain names. ARP converts between MAC addresses and IP addresses. NAT converts between public and private IP addresses.

Load balancers distribute connection requests among many identical servers.

OSI Model

Layer          Description
Application    Serves as the point of integration for user applications with the network
Presentation   Transforms user-friendly data into machine-friendly data; encryption
Session        Establishes, maintains, and terminates sessions
Transport      Manages connection integrity; TCP, UDP, SSL, TLS
Network        Routes packets over the network; IP, ICMP, BGP, IPSec, NAT
Data Link      Formats packets for transmission; Ethernet, ARP, MAC addresses
Physical       Encodes data into bits for transmission over wire, fiber, or radio

Network switches generally work at layer 2 and connect directly to endpoints or other switches. Switches may also create virtual LANs (VLANs) to further segment internal networks at layer 2.

Routers generally work at layer 3 and connect networks to each other. Firewalls are the primary network security control used to separate networks of differing security levels. TLS should be used to secure network communications. SSL is no longer secure.

IPSec uses Authentication Headers (AH) to provide authentication, integrity and anti-replay protection for the whole packet (but no confidentiality, and, because AH relies on a shared key, no true non-repudiation), and Encapsulating Security Payload (ESP) to provide confidentiality, authentication and integrity for the payload.

Data State        Description
Data at Rest      Data stored on a system or media device
Data in Transit   Data in motion over a network
Data in Use       Data being actively processed in memory

Common classes of sensitive information include:
• Personally identifiable information (PII) uniquely identifies individuals and is regulated by many national, state and local laws. The most well known of these are the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
• Protected health information (PHI) includes individual health records and is regulated by the Health Insurance Portability and Accountability Act (HIPAA).
• Payment card information (PCI) includes credit and debit card data and is regulated by the Payment Card Industry Data Security Standard (PCI DSS).
• Proprietary information includes trade secrets maintained by an organization.

Figure: information classification, in increasing sensitivity. Government levels: Unclassified, Confidential, Secret, Top Secret. Private sector levels: Public, Private, Sensitive, Confidential, Restricted, Critical.

Information should be labeled with its classification and security controls should be defined and appropriate for each classification level.

Data retention standards describe how long the organization should preserve records. Data that is no longer needed should be securely destroyed.

The principle of data sovereignty says that data is subject to the legal requirements of any jurisdiction where it is collected, stored, processed, or transmitted.

Security frameworks provide templates for security activities. These include COBIT, NIST CSF, and ISO 27001/2.

Due care is taking reasonable steps to protect the interest of the organization. Due diligence ensures those steps are carried out.

Security in the cloud follows the shared responsibility model where vendors and customers have different responsibilities depending upon the category of cloud service.

Figure: shared responsibility model. Each service model is drawn as a stack of Data, Application, OS, Hardware and Data Center. In IaaS the customer is responsible for data, application and OS and the vendor for hardware and data center; in PaaS the customer is responsible for data and application; in SaaS the customer is responsible only for data. The customer is always responsible for its data.

Domain 4:
Security Operations

Threat intelligence allows an organization to learn about changes in the threat landscape, including attacker identities, tools, and techniques. Common threat intelligence sources include:
• Open source intelligence (OSINT)
• Proprietary threat intelligence from security vendors
• Vulnerability databases
• Information sharing and analysis centers (ISACs)
• Dark web sites
• Indicators of compromise

Threat hunting exercises presume that attackers have already compromised an organization and then seek out evidence of that compromise.

Structured Threat Information eXpression (STIX) is used to provide a standardized format for exchanging threat information, while the Trusted Automated eXchange of Intelligence Information (TAXII) defines a protocol for the transmission of this information between components of a security automation environment.

Enterprises may deploy mobile devices in a variety of models:
• Corporate-owned (CO) provides devices for business use only.
• Corporate-owned, personally enabled (COPE) allows users to mix business and personal use.
• Choose your own device (CYOD) allows users to pick a device of their choice for business and personal use.
• Bring your own device (BYOD) allows users to access corporate data on their personally-owned devices.

Companies should use mobile device management (MDM) tools to enforce a variety of mobile security controls, including:
• Restricting applications
• Remote wiping of lost/stolen devices
• Geolocation and geofencing services
• Screen locking and password/PIN requirements
• Full device encryption

Port(s)               Service
20, 21                FTP
22                    SSH
23                    Telnet
25                    SMTP
53                    DNS
80                    HTTP
110                   POP3
123                   NTP
135, 137-139, 445     Windows File Sharing
143                   IMAP
161/162               SNMP
443                   HTTPS
636                   LDAPS
1433/1434             SQL Server
1521                  Oracle
1720                  H.323
1723                  PPTP
3389                  RDP
9100                  HP JetDirect Printing

Network discovery scanning uses tools like Nmap to check for active systems and open ports. Common scanning techniques include:
• TCP SYN scans send a single packet with the SYN flag set and never complete the handshake (a "half-open" scan), so the target usually records no connection.
• TCP Connect scans attempt to complete the three-way handshake, which the target's application logs will record.
• TCP ACK scans seek to impersonate an established connection; they map firewall filtering rules rather than find open ports.
• Xmas scans set the FIN, PSH, and URG flags.
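A TCP connect scan as described above, which is the one scan type that needs no raw-socket privileges because it simply completes the three-way handshake and closes. This is an added example, not from the CertMike guide and not Nmap's code: it starts a throwaway listener on 127.0.0.1 so there is a known-open port to find and binds-and-releases another so there is a known-closed port, then scans both. Only scan hosts you are authorized to test.

```python
"""TCP connect scan demonstrated against a local listener.

Added example, not from the CertMike guide and not Nmap's code. It opens a
throwaway listening socket on 127.0.0.1 so the scan has a known-open port
to find, then scans a known-open and a known-closed port.
"""
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Bind an OS-chosen free port and accept (then immediately close) connections
    in a background thread. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener was closed; stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_closed_port(host="127.0.0.1"):
    """Bind and immediately release a port so the scan has a known-closed port to probe."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=0.5):
    """Full three-way handshake per port: connect() succeeds only if something is
    listening. Returns {port: 'open' | 'closed' | 'filtered'}."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"        # handshake completed; the target sees a real connection
        except ConnectionRefusedError:
            results[port] = "closed"      # RST came back: host is up, nothing listening
        except OSError:
            results[port] = "filtered"    # timeout or other error: likely dropped by a firewall
        finally:
            s.close()
    return results


def demo():
    """Scan one known-open and one known-closed local port; returns (open, closed, results)."""
    srv, open_port = start_listener()
    closed_port = free_closed_port()
    try:
        return open_port, closed_port, connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port} {state}")
```

Because the handshake completes, every probed open port shows up in the target service's own logs as a connection from the scanner, which is the trade-off against a SYN scan that the text above describes.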

Security+ Last Minute Review Guide (SY0-701)

Domain 4:
Security Operations

Network vulnerability scanning first discovers active services on the network and then probes those services for known vulnerabilities. Web application vulnerability scans use tools that specialize in probing for web application weaknesses.

The vulnerability management workflow includes three basic steps: detection, remediation, and validation.

Validation of remediation includes verifying the remediation, rescanning the affected system(s), and periodic auditing.

Common parameters that you may tune when configuring vulnerability scans include:
• Using credentialed scans to log onto target systems and improve scan accuracy.
• Using a combination of server-based scans that run over the network and agent-based scans that run on the local system.
• Using different scan perspectives to determine the external view that an outside attacker would see and the internal view available to an insider or an attacker that has already gained a foothold on the network.

Active scanning techniques engage with the target system to probe it for known vulnerabilities while passive scanning techniques are stealthier. Passive scans do not engage with the target system but attempt to identify vulnerabilities by observing network traffic and other system characteristics.

The Security Content Automation Protocol (SCAP) provides a standard framework for vulnerability assessment. It includes the following components:
• Common Vulnerabilities and Exposures (CVE)
• Common Vulnerability Scoring System (CVSS)
• Common Configuration Enumeration (CCE)
• Common Platform Enumeration (CPE)
• Extensible Configuration Checklist Description Format (XCCDF)
• Open Vulnerability and Assessment Language (OVAL)

The Common Vulnerability Scoring System (CVSS) rates the severity of security vulnerabilities based upon eight criteria:
1. Attack Vector (AV)
2. Attack Complexity (AC)
3. Privileges Required (PR)
4. User Interaction (UI)
5. Scope (S)
6. Confidentiality (C)
7. Integrity (I)
8. Availability (A)

The CVSS base score combines all eight of these factors into a single score from 0.0 to 10.0, with the following severity descriptions:

CVSS Score    Rating
0.0           None
0.1-3.9       Low
4.0-6.9       Medium
7.0-8.9       High
9.0-10.0      Critical

Scan results fall into four outcomes, depending on whether a vulnerability was reported and whether it actually exists:

                                      Does the vulnerability actually exist?
                                      Yes                 No
Was a vulnerability reported?  Yes    True Positive       False Positive
                               No     False Negative      True Negative

Bug bounty programs offer public rewards to security researchers who submit reports of new vulnerabilities to a firm.


Security information and event management (SIEM) systems aggregate and correlate security log information received from many different sources.

Security orchestration, automation, and response (SOAR) systems use runbooks to trigger automated responses after security incidents occur.

[Figure: SIEM data flow. Information Sources and Security Devices feed Aggregation into the SIEM; Rules are supplied by Analysts, vendors and threat feeds; the SIEM produces Alerts to the Management console and Automated responses.]

Common use cases for automation and orchestration include:
• User and resource provisioning
• Creation of guard rails
• Security group management
• Ticket creation and escalation
• Enabling/disabling services and access
• Continuous integration and testing
• Integrations and APIs

The benefits of automation and orchestration include:
• Efficiency/time saving
• Enforcing baselines
• Standard infrastructure configurations
• Scaling in a secure manner
• Employee retention
• Reaction time
• Workforce multiplier

Administrators should also be aware of some other considerations related to automation and orchestration:
• Complexity
• Cost
• Creation of a single point of failure
• Technical debt
• Ongoing supportability

Security professionals working with specialized systems, such as Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS), should isolate those systems from other networks to the greatest extent possible.

Specialized technologies support the Internet of Things (IoT) and its embedded devices. These include real-time operating systems (RTOS), which are designed to serve as streamlined, efficient operating systems for use on IoT devices, as well as system on a chip (SoC) technology, which includes an operating system in firmware stored directly on a device.

The principle of defense-in-depth says that organizations should use a variety of overlapping security controls to protect against the failure of a single control. When designing overlapping controls, strive for diversity of vendors and control types.

The most common firewall deployment topology uses three zones: a trusted intranet, an untrusted Internet, and a screened subnet that houses publicly accessible servers. These networks are often created using a triple-homed firewall.
• Enforcing baselines


[Figure: triple-homed firewall connecting the Internet, the Internal Network, and the Screened Subnet.]

Firewall Type                        Description
Layer 4                              Works at the transport layer, moderating connections between networks
Layer 7                              Works at the application layer, inspecting network traffic with a great deal of context
Web Application Firewall (WAF)       Special type of layer 7 firewall focused specifically on web applications
Next-Generation Firewall (NGFW)      Firewall that incorporates information about users, applications, and other context into decision-making
Unified Threat Management (UTM)      Combines several security functions, including firewall capabilities, into a single device. Typically used in a small/medium business environment.

When managing security of a system, keep in mind the following operating system security principles:
• Disable unnecessary services and applications
• Close unneeded network ports
• Disable default accounts and passwords
• Apply all security patches

RADIUS is an authentication protocol commonly used for backend services. TACACS+ serves a similar purpose and is the only protocol from the TACACS family that is still commonly used.

The implicit deny principle says that any action that is not explicitly authorized for a subject should be denied.

Access control lists (ACLs) form the basis of many access management systems and provide a listing of subjects and their permissions on objects and groups of objects.

Discretionary access control (DAC) systems allow the owners of objects to modify the permissions that other users have on those objects. Mandatory access control (MAC) systems enforce predefined policies that users may not modify.

Role-based access control assigns permissions to individual users based upon their assigned role(s) in the organization. For example, backup administrators might have one set of permissions while sales representatives have an entirely different set.

Attribute-based access control (ABAC) makes access decisions based upon attributes of a user's identity, such as department membership or job title.

Rule-based access control makes decisions based upon pre-defined rules. Firewalls are a common example of devices that enforce a rule-based policy.

Transport Layer Security (TLS) is the replacement for Secure Sockets Layer (SSL) and uses public key cryptography to exchange a shared secret key used to secure web traffic and other network communications.

Email headers provide information about the path traveled by email messages across the network, although they are susceptible to forgery. DomainKeys Identified Mail (DKIM) allows organizations to sign both the body of the message and elements of the header to prove their authenticity. Sender Policy Framework (SPF) allows organizations to publish a list of authorized mail servers for their domains.
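An added example, not from the guide, of a rule-based policy with implicit deny applied to the three-zone firewall topology described above: an ordered ruleset is evaluated first-match-wins, and any traffic no rule covers is denied. The address plan, rules and sample packets are constructed.

```python
"""Evaluate a rule-based firewall policy with an implicit deny default across
the trusted intranet, untrusted Internet and screened subnet.

Added example, not from the CertMike guide. The zone address plan, the
ruleset and the packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed address plan: anything outside these two networks is the Internet.
ZONE_NETWORKS = {
    "intranet": ip_network("10.10.0.0/16"),
    "screened": ip_network("192.0.2.0/24"),
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONE_NETWORKS.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# Ordered ruleset: the first matching rule decides; everything else is denied.
RULES = [
    Rule("internet", "screened", "tcp", 443, "allow"),    # public web server
    Rule("internet", "screened", "tcp", 25, "allow"),     # inbound mail relay
    Rule("screened", "intranet", "tcp", 1433, "deny"),    # explicit deny so the attempt is logged
    Rule("intranet", "screened", "tcp", None, "allow"),   # admins manage screened hosts
    Rule("intranet", "internet", "tcp", 443, "allow"),    # outbound HTTPS
    Rule("intranet", "internet", "udp", 53, "allow"),     # outbound DNS
]


def evaluate(src: str, dst: str, proto: str, dport: int, rules=RULES) -> Tuple[str, str]:
    """Return (action, reason) for one packet; implicit deny when nothing matches."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for index, rule in enumerate(rules):
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto == proto
                and (rule.dport is None or rule.dport == dport)):
            return rule.action, f"rule {index}: {src_zone}->{dst_zone} {proto}/{dport}"
    return "deny", f"implicit deny: no rule for {src_zone}->{dst_zone} {proto}/{dport}"


if __name__ == "__main__":
    # Constructed packets: (src, dst, proto, dport)
    for pkt in [("203.0.113.7", "192.0.2.10", "tcp", 443),
                ("203.0.113.7", "10.10.5.5", "tcp", 3389),
                ("192.0.2.10", "10.10.1.20", "tcp", 1433),
                ("10.10.1.20", "192.0.2.10", "tcp", 22)]:
        print(pkt, evaluate(*pkt))
```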


Domain-based Message Authentication, Reporting, and Conformance (DMARC) uses SPF and DKIM to determine whether messages are authentic.

When responding to a security incident, organizations should follow a six-step incident response process, shown in the figure below:

[Figure: incident response cycle with the phases Preparation, Detection, Analysis, Containment, Eradication, Recovery, and Lessons Learned.]

Forensic investigators must take steps to ensure that they do not accidentally tamper with evidence and that they preserve the chain of custody documenting evidence handling from collection until use in court.

When performing forensic analysis, be certain to observe the order of volatility and capture information that is not likely to exist for a long period of time first.

Forensic analysts should perform their work using an image of original evidence whenever possible. Minimize the handling of the original evidence.

As you prepare for an incident response effort, you should develop an incident communication plan that uses a secure means of communication to limit communication to trusted parties and prevent the inadvertent release of information.

Generally, you are not required to disclose security incidents to law enforcement unless you choose to do so or are subject to legal or regulatory requirements.

Your incident response team should include representatives from all relevant internal teams:
• Cybersecurity
• Other technology experts
• Legal
• Human resources
• Public relations
• Senior leadership

You should also have your team prepared to coordinate with external groups that are not represented directly on the team, including law enforcement and regulatory bodies.

Incident response plans should base the severity of an incident on the criticality of data involved, paying particular attention to:
• Personally identifiable information (PII)
• Protected health information (PHI)
• Personal financial information
• Sensitive personal information (SPI)
• Intellectual property and other corporate high-value assets

The preparation phase of incident response should include training, testing, and documentation of procedures.
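An added example, not from the guide, of the evidence-handling practices above: analysts work from a hashed copy of the original, and every hand-off in the chain of custody records the hash it observed, so tampering shows up at the step where it occurred. The evidence bytes, custodian names and the log's field layout are constructed.

```python
"""Hash-verify a forensic working image and keep a chain-of-custody record.

Added example, not from the CertMike guide. The evidence bytes, custodian
names and the log's field layout are constructed for illustration.
"""
import hashlib
from datetime import datetime, timezone
from typing import Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Append-only log: one entry per hand-off, each carrying the observed hash."""

    def __init__(self, evidence_id: str, original: bytes, collector: str):
        self.evidence_id = evidence_id
        self.reference_hash = sha256_hex(original)   # fixed once, at collection
        self.entries = []
        self.record("collected", collector, original)

    def record(self, action: str, custodian: str, data: bytes) -> bool:
        """Log an action and whether the data still matches the collected hash."""
        observed = sha256_hex(data)
        intact = observed == self.reference_hash
        self.entries.append({
            "evidence_id": self.evidence_id,
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action,
            "custodian": custodian,
            "sha256": observed,
            "intact": intact,
        })
        return intact

    def unbroken(self) -> bool:
        """True only if every logged hand-off verified against the reference hash."""
        return all(entry["intact"] for entry in self.entries)


def make_working_image(original: bytes) -> bytes:
    """Analysts work on a bit-for-bit copy so the original is handled as little as possible."""
    return bytes(original)


def demo() -> Tuple[ChainOfCustody, ChainOfCustody]:
    """One clean chain and one where a byte changed in transit (both constructed)."""
    original = b"\x00" * 512 + b"partition table of seized disk (constructed)"

    good = ChainOfCustody("EV-2024-001 (constructed)", original, "field examiner")
    image = make_working_image(original)
    good.record("imaged for analysis", "lab analyst", image)
    good.record("presented", "legal counsel", image)

    bad = ChainOfCustody("EV-2024-002 (constructed)", original, "field examiner")
    tampered = image[:-1] + b"!"            # a single altered byte
    bad.record("received at lab", "lab analyst", tampered)
    return good, bad


if __name__ == "__main__":
    for chain in demo():
        print(chain.evidence_id, "unbroken" if chain.unbroken() else "BROKEN")
        for entry in chain.entries:
            print("  ", entry["action"], entry["custodian"], entry["intact"])
```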


The detection and analysis phases of incident response determine that an incident is underway and determine the severity level and appropriate response.

The objective of the containment phase is to limit the damage caused by the incident through the isolation of affected systems and assets. This is closely linked to eradication and recovery efforts that seek to restore normal operations.

During the post-incident activities phase, the organization conducts a lessons learned process, updates change management records, determines what evidence should be retained, writes an incident report, and makes any necessary updates to the incident response plan.

Many different data sources can support security investigations. These include:
• Firewall logs
• Application logs
• Endpoint logs
• OS-specific security logs
• IPS/IDS logs
• Network logs
• Metadata
• Vulnerability scans
• Automated reports
• Dashboards
• Packet captures

Log review provides cybersecurity analysts with insight into the behavior of users, systems, and network devices. Logs may be sent to a centralized log repository using the syslog protocol.

Network device logs often arrive using the Simple Network Management Protocol (SNMP) and may be accessed using vendor-specific commands. On Cisco devices, the show logging command provides access to router logs. Cisco devices report log events using a standard system of log levels that are numbered in decreasing order of severity:

Level    Keyword
0        Emergencies
1        Alerts
2        Critical
3        Errors
4        Warnings
5        Notifications
6        Informational
7        Debugging

Analysts can collect network traffic using the graphical Wireshark packet capture tool or the command-line tcpdump packet capture tool. They may send captured packets back out on the network using the tcpreplay tool.

Data should be retained no longer than necessary. Use sanitization technology to ensure that no traces of data remain on media (data remanence) before discarding it.
• Erasing performs a delete operation on a file but the data remains on disk.
• Clearing overwrites the data with random values to ensure that it is sanitized.
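An added example, not from the guide, that decodes syslog priority values into the severity keywords tabulated above and then runs a SIEM-style correlation rule across events aggregated from several hosts (it also serves the SIEM aggregation and correlation described earlier in this domain). The log lines are constructed; PRI decoding follows RFC 5424, and the brute-force rule and its thresholds are assumptions.

```python
"""Decode syslog priorities into the 0-7 severity levels and run a SIEM-style
correlation rule over events aggregated from several sources.

Added example, not from the CertMike guide. The log lines are constructed.
PRI decoding (PRI = facility * 8 + severity) follows RFC 5424; the
brute-force rule and its thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY_KEYWORDS = {0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
                     4: "Warnings", 5: "Notifications", 6: "Informational",
                     7: "Debugging"}

SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")


def parse_syslog(line: str) -> dict:
    """Split a '<PRI>timestamp host message' line into fields, decoding PRI."""
    m = SYSLOG_RE.match(line)
    if not m or int(m["pri"]) > 191:          # 191 is the largest valid PRI
        raise ValueError(f"not a valid syslog line: {line!r}")
    pri = int(m["pri"])
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "keyword": SEVERITY_KEYWORDS[pri % 8],
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "msg": m["msg"],
    }


FAILED_RE = re.compile(r"Failed password for \S+ from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"Accepted password for \S+ from (?P<ip>[\d.]+)")


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one source IP fails >= threshold logins on any host and then
    succeeds within the window: a pattern no single host's log can show."""
    failures = defaultdict(list)      # source ip -> timestamps of failed logins
    alerts = []
    for event in sorted(events, key=lambda ev: ev["ts"]):
        if (m := FAILED_RE.search(event["msg"])):
            failures[m["ip"]].append(event["ts"])
        elif (m := ACCEPTED_RE.search(event["msg"])):
            recent = [t for t in failures[m["ip"]] if event["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"source_ip": m["ip"], "host": event["host"],
                               "failures": len(recent), "succeeded_at": event["ts"]})
    return alerts


# Constructed lines from two SSH servers and a router.
# PRI 38 = facility 4 (auth), severity 6 (Informational); PRI 187 = facility 23, severity 3 (Errors).
SAMPLE_LOG = [
    "<38>2024-03-01T10:00:01 web1 sshd[2201]: Failed password for root from 198.51.100.7 port 50111 ssh2",
    "<38>2024-03-01T10:00:40 web2 sshd[918]: Failed password for admin from 198.51.100.7 port 50112 ssh2",
    "<38>2024-03-01T10:01:15 web1 sshd[2203]: Failed password for admin from 198.51.100.7 port 50113 ssh2",
    "<187>2024-03-01T10:02:00 rtr1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<38>2024-03-01T10:02:30 web2 sshd[921]: Failed password for backup from 192.0.2.4 port 40001 ssh2",
    "<38>2024-03-01T10:03:10 web2 sshd[922]: Accepted password for admin from 198.51.100.7 port 50114 ssh2",
]


def run(lines=SAMPLE_LOG):
    """Aggregate the lines from all sources, then apply the correlation rule."""
    events = [parse_syslog(line) for line in lines]
    return correlate_bruteforce(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```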


Domain 5:
Security Program
Management and Oversight

Security activities must be aligned with business strategy, mission, goals, and objectives. This requires strategic, tactical, and operational planning.

Security frameworks provide templates for security activities. These include COBIT, NIST CSF, and ISO 27001/2.

Due care is taking reasonable steps to protect the interest of the organization. Due diligence ensures those steps are carried out.

Security governance is carried out through:
• Policies, which state high-level objectives (mandatory compliance).
• Standards, which state detailed technical requirements (mandatory compliance).
• Procedures, which provide step-by-step processes (mandatory compliance).
• Guidelines, which offer advice and best practices (optional compliance).

Security Policy                                   Description
Acceptable Use Policy (AUP)                       Defines how individuals may use corporate computing resources and information.
Information Security Policy                       Creates the framework for the information security program and establishes authority for security activities.
Business Continuity/Disaster Recovery Policy      Defines the organization's approach to business continuity and disaster recovery planning and activities.
Incident Response Policy                          Creates requirements for handling security and privacy incidents within the organization.
SDLC Policy                                       Defines the organization's software development lifecycle (SDLC) approach.
Change Management Policy                          Establishes the organization's change and configuration management program.

Common standards define technical requirements for:
• Passwords
• Access controls
• Physical security
• Encryption

Organizations create step-by-step procedures for many routine activities, including:
• Change management
• Onboarding and offboarding
• Incident response playbooks

Data Role          Responsibilities
Data Owner         Senior-level executive who establishes rules and determines appropriate controls for information.
Data Steward       Person who is delegated authority for data by the data owner and acts on the data owner's behalf.
Data Controller    Organization or person within an organization who determines the purpose and means of data processing. Special significance under GDPR.
Data Custodians    Individuals who are responsible for managing data and data security controls for an organization. This role is commonly found within IT teams.
Data Processor     An organization that handles information on behalf of another organization, typically a business-to-business relationship.
Data Users         Individuals who interact with information during the normal course of business.
Data Subjects      Individuals who may be individually identified by name or another identifier within the records maintained by an organization.

Security audits use testing and assessment techniques but are performed by independent auditors. There are three types of security audits:
• Internal audits are performed by an organization's internal audit staff, normally led by a Chief Audit Executive who reports directly to the CEO.
• External audits are performed by an outside auditing firm.
• Third-party audits are conducted by, or on behalf of, another organization, such as a regulator.


Security baselines, such as NIST SP 800-53, provide a standardized set of controls that an organization may use as a benchmark.

Typically, organizations don't adopt a baseline standard wholesale, but instead tailor a baseline to meet their specific security requirements.

Audits of cloud service providers and other managed service providers should take place using the System and Organization Controls (SOC) standard, published in the Statement on Standards for Attestation Engagements #18 (SSAE 18).

There are three categories of SOC audits:
• SOC 1 audits provide customers with the level of assurance they need when conducting their own financial audits.
• SOC 2 audits evaluate the service provider's confidentiality, integrity, and availability controls. They contain sensitive information.
• SOC 3 audits also evaluate confidentiality, integrity, and availability but are meant for public disclosure.

And there are two types of SOC 1 and SOC 2 audits:
• Type I audits describe the controls that the service provider has in place and offer an opinion on their suitability, but not their effectiveness.
• Type II audits describe the controls that the service provider has in place, offer an opinion on their suitability, and also provide the results of auditors' effectiveness tests.

SOC 1 and 2 audits can have type I or II reports. SOC 3 audits do not have different type reports.

Risks are the combination of a threat and a corresponding vulnerability.

Quantitative risk assessment uses the following formulas:

SingleLossExpectancy (SLE) = AssetValue * ExposureFactor
AnnualizedLossExpectancy (ALE) = AnnualizedRateOfOccurrence * SLE

Responses to a risk include:
• Avoid risk by changing business practices.
• Mitigate risk by implementing controls.
• Accept risk and continue operations.
• Transfer risk through insurance or contract.

When accepting a risk, the organization may choose to grant an exception to or exemption from security policies and standards.

Risks should be documented in a risk register which includes details on the key risk indicators (KRIs), risk owners, and risk thresholds.

Organizations may have different levels of risk appetite:
• Expansionary risk appetites accept significant risks in the hope of significant rewards.
• Conservative risk appetites accept very little risk to preserve the status quo.
• Neutral risk appetites take a balanced approach to risk.

BIA Metric                           Meaning
Recovery Time Objective (RTO)        The maximum amount of time the organization is willing to accept a system outage.
Recovery Point Objective (RPO)       The maximum amount of time from which the organization is willing to accept data loss.
Mean Time to Repair (MTTR)           The average time required to restore a system, application, or device to operation after a failure.
Mean Time Between Failures (MTBF)    The average time between failures of a system, application, or device.
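The SLE and ALE formulas above worked over a small risk register, as an added example that is not from the guide. The register entries and control costs are constructed, and the comparison of a control's annual cost against the ALE it removes, used here to choose between mitigating and accepting, is an extension the guide does not state.

```python
"""Apply the quantitative risk formulas (SLE = AV * EF, ALE = ARO * SLE)
across a small risk register and use the result to choose a response.

Added example, not from the CertMike guide. The register entries and control
figures are constructed; comparing a control's annual cost with the ALE it
removes is an extension of the formulas that the guide does not spell out.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    owner: str               # risk owner, as recorded in the risk register
    asset_value: float       # AV: value of the asset in currency units
    exposure_factor: float   # EF: fraction of the asset lost in one event (0..1)
    aro: float               # ARO: expected number of events per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.aro * self.sle()


def residual_ale(risk: Risk, new_aro: float, new_ef: Optional[float] = None) -> float:
    """ALE after a control that changes the ARO and, optionally, the EF."""
    ef = risk.exposure_factor if new_ef is None else new_ef
    return new_aro * risk.asset_value * ef


def control_net_benefit(risk: Risk, annual_cost: float, new_aro: float,
                        new_ef: Optional[float] = None) -> float:
    """Yearly loss the control avoids, minus what the control costs to run."""
    return risk.ale() - residual_ale(risk, new_aro, new_ef) - annual_cost


def recommend(risk: Risk, annual_cost: float, new_aro: float,
              new_ef: Optional[float] = None) -> str:
    """'mitigate' when the control pays for itself, otherwise 'accept'
    (avoid and transfer need inputs beyond these formulas)."""
    return "mitigate" if control_net_benefit(risk, annual_cost, new_aro, new_ef) > 0 else "accept"


def rank_register(risks: List[Risk]) -> List[Risk]:
    """Order the register by ALE, highest first, for the risk owners' review."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed risk register.
REGISTER = [
    Risk("Web server defacement", "Web platform lead", 200_000, 0.25, 2.0),
    Risk("Laptop theft", "IT operations manager", 5_000, 1.0, 0.5),
    Risk("Data centre fire", "Facilities director", 2_000_000, 0.6, 0.02),
]

if __name__ == "__main__":
    for risk in rank_register(REGISTER):
        print(f"{risk.name:25} SLE={risk.sle():>12,.0f} ALE={risk.ale():>12,.0f}  owner: {risk.owner}")
    print("Defacement control at 30,000/yr cutting ARO to 0.2:",
          recommend(REGISTER[0], 30_000, 0.2))
```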


When working with vendors, ensure that the vendor's security policies and controls execute at least the same degree of care that you would take internally. The vendor management lifecycle follows vendors from selection through termination:

[Figure: vendor management lifecycle cycling through Vendor Selection, Onboarding, Monitoring, and Offboarding.]

Customers should document their vendor relationships using a variety of agreements:
• Service Level Agreements (SLA) document the requirements for service performance in a written contract.
• Memorandums of Understanding (MOU) and Memorandums of Agreement (MOA) are used to document relationships in a less formal manner.
• Business Partners Agreements (BPA) document the parameters of a business partnership.
• Master Service Agreements (MSA) are used to create umbrella relationships with specific engagements documented in Statements of Work (SOW) and Work Orders (WO) that refer to the MSA.
• Non-disclosure Agreements (NDA) document the confidentiality requirements of a business relationship.

Penetration testing goes beyond vulnerability scanning and attempts to exploit vulnerabilities. It includes five steps:

[Figure: penetration testing cycle of Planning, Information Gathering & Discovery, Vulnerability Scanning, Exploitation, and Reporting.]

There are three different types of penetration test:
• During known environment penetration tests, testers have full access to information about the target systems.
• During unknown environment penetration tests, testers conduct their work without any knowledge of the target environment.
• Partially known environment penetration tests reside in the middle, providing testers with some knowledge about the environment.


When developing new systems, organizations move them through a four-stage process using different environments:
1. Development environments are where developers create and modify the system.
2. Test environments are where the system is tested. If flaws are discovered, it is returned to development.
3. Staging environments are where approved code is placed, awaiting release to production.
4. Production environments contain systems that are currently serving customer needs.

The waterfall model of software development is fairly rigid, allowing the process to return only to the previous step:

[Figure: waterfall model with the stages System Requirements, Software Requirements, Preliminary Design, Detailed Design, Code and Debug, Testing, and Operations and Maintenance, each able to return only to the previous stage.]

The spiral model uses a more iterative approach:

[Figure: spiral model with four quadrants, 1. Determine objectives, 2. Identify and resolve risks, 3. Development and Test, 4. Plan the next iteration; successive loops produce Prototype 1, Prototype 2 and an Operational prototype, progressing from Concept of operation and requirements through design, Code, Integration, Test, Release, and Implementation, with a Requirements plan, Development plan, and Integration and Test plan on the planning side.]

While the agile approach uses a series of incremental deliverables created using a process that values:
• Individuals and interactions instead of processes and tools
• Working software instead of comprehensive documentation
• Customer collaboration instead of contract negotiation
• Responding to change instead of following a plan

Static analysis evaluates software code without executing it, while dynamic analysis executes the code during the test. Fuzz testing supplies invalid input to applications in an attempt to trigger an error state.
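An added example, not from the guide, of the fuzz testing described above: a toy settings parser with a planted bug is driven with boundary cases and randomly mutated input, and the harness separates the parser's intended rejections from crashes worth triaging. The parser, seed input and mutation strategies are constructed.

```python
"""Fuzz a small parser with invalid input and report which inputs drive it
into an error state, separating handled rejections from crashes.

Added example, not from the CertMike guide. The parser under test (a toy
'name=port;name=port' settings parser with a planted bug), the seed input and
the mutation strategies are constructed for illustration.
"""
import random


def parse_settings(text: str) -> dict:
    """Toy parser under test: fields 'name=port' separated by ';', ports 0..65535."""
    settings = {}
    for field in text.split(";"):
        if not field:
            continue
        name, value = field.split("=", 1)      # ValueError if '=' is missing
        if value[0] == "+":                    # planted bug: IndexError when value is empty
            raise ValueError("signed values are not allowed")
        port = int(value)                      # ValueError if not an integer
        if not 0 <= port <= 65535:
            raise ValueError("port out of range")
        settings[name.strip()] = port
    return settings


def mutate(seed: str, rng: random.Random) -> str:
    """Produce one malformed variant of a non-empty seed."""
    def truncate(s):
        return s[: rng.randrange(len(s) + 1)]

    def append_junk(s):
        return s + rng.choice([";", "=", "==", ";;", "\x00", "A" * 200])

    def break_delimiter(s):
        return s.replace("=", rng.choice(["", "==", ":"]), 1)

    def repeat(s):
        return s * rng.randint(2, 40)

    def flip_char(s):
        i = rng.randrange(len(s))
        return s[:i] + chr(rng.randrange(256)) + s[i + 1:]

    return rng.choice([truncate, append_junk, break_delimiter, repeat, flip_char])(seed)


# Classic malformed inputs every run tries first, before random mutation.
BOUNDARY_CASES = ["", "=", "port=", "port", "port=abc", "port=99999", "a=1=2", ";;;"]


def fuzz(target, seed: str, iterations: int = 300, rng_seed: int = 1) -> dict:
    """Run target on boundary cases plus mutated seeds and tally the outcomes."""
    rng = random.Random(rng_seed)              # fixed seed so any crash is reproducible
    report = {"accepted": 0, "rejected": 0, "crashes": []}
    cases = BOUNDARY_CASES + [mutate(seed, rng) for _ in range(iterations)]
    for case in cases:
        try:
            target(case)
            report["accepted"] += 1
        except ValueError:
            report["rejected"] += 1            # the error state the parser is designed to reach
        except Exception as exc:               # anything else is a bug to triage
            report["crashes"].append((case, type(exc).__name__))
    return report


def run() -> dict:
    return fuzz(parse_settings, "port=8080;timeout=30")


if __name__ == "__main__":
    result = run()
    print("accepted", result["accepted"], "rejected", result["rejected"])
    for case, exc in result["crashes"]:
        print("CRASH", exc, repr(case))
```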


Organizations are subject to a wide variety of legal and regulatory compliance obligations from:
• Criminal laws that may involve prison or fines.
• Civil laws that regulate non-criminal disputes.
• Administrative laws set by government agencies.
• Regulations from industry bodies.

Legal holds should be sent as soon as an organization reasonably anticipates litigation. Collection should occur when directed by the legal team. Production turns records over to the opposing side. All of these activities are part of the e-Discovery process.

Consequences of failure to comply with laws and regulations include:
• Fines/sanctions
• Reputational damage
• Loss of licenses
• Contractual impacts

Organizations should design their privacy programs to follow the Generally Accepted Privacy Principles (GAPP). These principles include:
1. Management
2. Notice
3. Choice and Consent
4. Collection
5. Use, Retention, and Disposal
6. Access
7. Disclosure to Third Parties
8. Security for Privacy
9. Quality
10. Monitoring and Enforcement

Organizations should create security awareness and training programs that inform users of their security responsibilities. Topics covered should include:
• Policy/handbooks
• Situational awareness
• Insider threat
• Password management
• Removable media and cables
• Social engineering
• Phishing
• Operational security
• Hybrid/remote work environments
• Anomalous behavior recognition
