An overview of changes to CompTIA's new Security+ exam

Posted on

December 5, 2017

by
‍

CompTIA recently overhauled its popular Security+ certification exam. Here's what changed.

While CompTIA regularly makes changes to its most popular vendor-neutral certification exams, usually there is a bit of time staggered between them. This year, however, they updated both the Security+ and the Network+ exams in a very short timespan. In a previous article, we looked at the changes to Network+ (from N10-006 to N10-007), and in this article, we will focus on the changes to Security+ (from SY0-401 to SY0-501).

Domains

The SY0-401 exam consisted of 90 questions and there were 90 minutes in which to complete them with a minimum passing score of 750 (on a scale from 100 to 900). It was/is (as long as it still available) divided into six domains and weighted as follows:

1) Network Security 20 percent
2) Compliance and Operational Security 18 percent
3) Threats and Vulnerabilities 20 percent
4) Application, Data and Host Security 15 percent
5) Access Control and Identity Management 15 percent
6) Cryptography 12 percent

The SY0-501 exam has the same number of questions, time, and minimum passing score. It six domains and weighting have changed as follows:

1) Threats, Attacks and Vulnerabilities 21 percent
2) Technologies and Tools 22 percent
3) Architecture and Design 15 percent
4) Identity and Access Management 16 percent
5) Risk Management 14 percent
6) Cryptography and PKI 12 percent

While the number of domains stays the same, the overall number of objectives has actually gone up: from 33 to 37. The following table lists the domains/objectives on SY0-501 and offers a few notes on each:
‍

Objective	Note
Threats, Attacks and Vulnerabilities
1.1 Given a scenario, analyze indicators of compromise and determine the type of malware	Know the difference between worms, Trojans, backdoors, rootkits, and the various types of viruses
1.2 Compare and contrast types of attacks	This one objective covers enough topics to be an exam in and of itself. The four main topic areas are: social engineering, application/service attacks (think DoS), wireless attacks, and cryptographic attacks (brute force, birthday, etc.)
1.3 Explain threat actor types and attributes	A tiny topic where commonsense can help you identify the right answer to any question asked
1.4 Explain penetration testing concepts	Know the various types: black box, white box, and gray box
1.5 Explain vulnerability scanning concepts	Be able to identify common misconfigurations and differentiate between intrusive and non-intrusive testing
1.6 Explain the impact associated with types of vulnerabilities	Zero day exploits have been moved to this objective as have a lot of catchall topics like untrained users, buffer overflows, and the like
Technologies and Tools
2.1 Install and configure network components, both hardware- and software-based, to support organizational security	Firewalls are but one topic here – you also have routers, switches, proxies, NIPS/NIDS, SIEM, DLP, load balancers, and access points
2.2 Given a scenario, use appropriate software tools to assess the security posture of an organization	Among the topics to know here are the command line tools commonly used in troubleshooting (ping, netstat, arp, tracert, and so on)
2.3 Given a scenario, troubleshoot common security issues	Misconfigured devices factors in heavily here along with those unhappy employees who are able to wreak harm from the inside
2.4 Given a scenario, analyze and interpret output from security technologies	Antivirus software is an easy one, but there is also patch management tools, web application firewall and data execution prevention
2.5 Given a scenario, deploy mobile devices securely	For this objective, you need to know connection methods (lifted from Network+), and deployment models
2.6 Given a scenario, implement secure protocols	Think of every protocol you can think of that has an “S” with it implying Secure/SSL and you’ll have what you need to know for this objective: LDAPS, S/MIME, SFTP, FTPS, HTTPS, and so on
Architecture and Design
3.1 Explain use cases and purpose for frameworks, best practices and secure configuration guides	Think benchmarking, layered security, and the value of creating/having guides to assist with security-related implementations
3.2 Given a scenario, implement secure network architecture concepts	Honeynets have been moved to here along with DMZ, extranets, NAT, and some security devices
3.3 Given a scenario, implement secure systems design	TPM and HSM now reside here along with patch management and some good security practices (disabling unnecessary ports, application white- blacklisting, and the concept of least functionality)
3.4 Explain the importance of secure staging deployment concepts	Sandboxing, sandboxing, sandboxing
3.5 Explain the security implications of embedded systems	SCADA/ICS became test topics with the previous iteration of the exam and now reside beneath this objective

3.6 Summarize secure application development and deployment concepts	Be familiar with the software development lifecycle and secure coding techniques. Sandboxing pops up once again
3.7 Summarize cloud and virtualization concepts	This is, once again, pretty much a straight lift from the Network+ exam and expects you to know the basics of hypervisors/containers and the most popular deployment models
3.8 Explain how resiliency and automation strategies reduce risk	Fault tolerance, RAID, and high availability topics reside here along with individual technologies to make them possible
3.9 Explain the importance of physical security controls	Lock it down. Do so with physical locks, guards, cameras, and so on.
Identity and Access Management
4.1 Compare and contrast identity and access management concepts	Multifactor authentication focuses on: ● Something you are ● Something you have ● Something you know ● Something you are ● Something you do
4.2 Given a scenario, install and configure identity and access services	RADIUS is here for remote connectivity along with the old standbys CHAP, PAP, and MSCHAP. Kerberos and Shibboleth now join them
4.3 Given a scenario, implement identity and access management controls	The various access methods are here (such as MAC, DAC, RBAC), biometric methods, and certificate-based authentication
4.4 Given a scenario, differentiate common account management practices	Have different levels of accounts, follow best practices, and be sure to enforce them
Risk Management
5.1 Explain the importance of policies, plans and procedures related to organizational security	Vendor agreements and personnel agreements fall beneath this objective along with policies related to email and social media usage
5.2 Summarize business impact analysis concepts	Be able to quantify risk using MTBF, MTTR, RTO/RPO and associated forms of assessment
5.3 Explain risk management processes and concepts	Continuing on with what was is 5.2, add in SLE, ALE, ARO, and other methods of assigning quantitative numbers to risk
5.4 Given a scenario, follow incident response procedures	Know what should be in an incident response plan and how to follow an organized incident response process
5.5 Summarize basic concepts of forensics	From a legal standpoint, you need to document everything. Similarly, during data collection you need to gather as much information as possible and be able to build a case
5.6 Explain disaster recovery and continuity of operation concepts	Types of recovery sites (hot, cold, warm), backups (full, incremental, differential), and considerations (geographic) fact in heavily to being back up following a crisis
5.7 Compare and contrast various types of controls	There are eight different categories of controls and you need to be able to identity which one certain steps or actions would be classified as
5.8 Given a scenario, carry out data security and privacy practices	Know the data destruction and sanitization methods from the popular (shredding) to less widespread (pulping) and everything in between
Cryptography and PKI
6.1 Compare and contrast basic concepts of cryptography	This is another objective which could easily be an entire exam in and of itself. Know the meaning of various phrases used to describe cryptography
6.2 Explain cryptography algorithms and their basic characteristics	This objective is an extension of 6.1 and it adds algorithms for each of the phrases. Be able to identify whether any given algorithm is classified as symmetric, asymmetric, hashing, or other
6.3 Given a scenario, install and configure wireless security settings	Know which protocols are used with wireless technologies and for what purpose (authentication versus cryptographic)
6.4 Given a scenario, implement public key infrastructure	Certificates, certificates, certificates. Be familiar with the most popular of them and the components of the infrastructure that makes PKI possible.

‍

In addition to looking at the domains/objectives, when you are studying for an exam you should also look at the acronyms/terminology associated with that exam and make sure you know them. The following acronyms are among those that have been added to the newest iteration of the Security+ exam that were not on the previous one:
‍

ABAC: Attribute-based Access Control
CBC: Cipher Block Chaining
COPE: Corporate Owned, Personally Enabled
CTM: Counter-Mode
CYOD: Choose Your Own Device
DER: Distinguished Encoding Rules
ECB: Electronic Code Book
EMP: Electro Magnetic Pulse
MMS: Multimedia Message Service
MDA: Memorandum of Agreement
MSP: Managed Service Provider
OTA: Over The Air
PEM: Privacy-enabled Electronic Mail
PFX: Personal Exchange Format
RAT: Remote Access Trojan
RTOS: Real-time Operating System
SDN: Software Defined Network
SED: Self-encrypting Drive
SoC: System on Chip
WORM: Write Once Read Many
XOR: Exclusive Or

While these were added, only a few acronyms were removed from the previous version, including: FQDN, HSRP, JBOD, NOS, OLA, RDP, SONET, and TFTP.

About the Author

Emmett Dulaney is a professor at Anderson University and the author of several books including Linux All-in-One For Dummies and the CompTIA Network+ N10-008 Exam Cram, Seventh Edition.

Posted to topic:

Certification

Important Update: We have updated our Privacy Policy to comply with the California Consumer Privacy Act (CCPA)