An overview of changes to CompTIA's new Security+ exam
Posted on December 5, 2017 by
CompTIA recently overhauled its popular Security+ certification exam. Here's what changed.

While CompTIA regularly makes changes to its most popular vendor-neutral certification exams, usually there is a bit of time staggered between them. This year, however, they updated both the Security+ and the Network+ exams in a very short timespan. In a previous article, we looked at the changes to Network+ (from N10-006 to N10-007), and in this article, we will focus on the changes to Security+ (from SY0-401 to SY0-501).

Domains

The SY0-401 exam consisted of 90 questions, with 90 minutes in which to complete them and a minimum passing score of 750 (on a scale from 100 to 900). It was/is (as long as it is still available) divided into six domains, weighted as follows:

1) Network Security 20 percent
2) Compliance and Operational Security 18 percent
3) Threats and Vulnerabilities 20 percent
4) Application, Data and Host Security 15 percent
5) Access Control and Identity Management 15 percent
6) Cryptography 12 percent

The SY0-501 exam has the same number of questions, the same time limit, and the same minimum passing score. Its six domains and their weightings have changed as follows:

1) Threats, Attacks and Vulnerabilities 21 percent
2) Technologies and Tools 22 percent
3) Architecture and Design 15 percent
4) Identity and Access Management 16 percent
5) Risk Management 14 percent
6) Cryptography and PKI 12 percent

While the number of domains stays the same, the overall number of objectives has actually gone up: from 33 to 37. The following table lists the domains/objectives on SY0-501 and offers a few notes on each:

Threats, Attacks and Vulnerabilities

1.1 Given a scenario, analyze indicators of compromise and determine the type of malware
    Note: Know the difference between worms, Trojans, backdoors, rootkits, and the various types of viruses
1.2 Compare and contrast types of attacks
    Note: This one objective covers enough topics to be an exam in and of itself. The four main topic areas are: social engineering, application/service attacks (think DoS), wireless attacks, and cryptographic attacks (brute force, birthday, etc.)
1.3 Explain threat actor types and attributes
    Note: A tiny topic where common sense can help you identify the right answer to any question asked
1.4 Explain penetration testing concepts
    Note: Know the various types: black box, white box, and gray box
1.5 Explain vulnerability scanning concepts
    Note: Be able to identify common misconfigurations and differentiate between intrusive and non-intrusive testing
1.6 Explain the impact associated with types of vulnerabilities
    Note: Zero-day exploits have been moved to this objective, as have a lot of catchall topics like untrained users, buffer overflows, and the like

Technologies and Tools

2.1 Install and configure network components, both hardware- and software-based, to support organizational security
    Note: Firewalls are but one topic here; you also have routers, switches, proxies, NIPS/NIDS, SIEM, DLP, load balancers, and access points
2.2 Given a scenario, use appropriate software tools to assess the security posture of an organization
    Note: Among the topics to know here are the command line tools commonly used in troubleshooting (ping, netstat, arp, tracert, and so on)
2.3 Given a scenario, troubleshoot common security issues
    Note: Misconfigured devices factor in heavily here, along with those unhappy employees who are able to wreak harm from the inside
2.4 Given a scenario, analyze and interpret output from security technologies
    Note: Antivirus software is an easy one, but there are also patch management tools, web application firewalls, and data execution prevention
2.5 Given a scenario, deploy mobile devices securely
    Note: For this objective, you need to know connection methods (lifted from Network+) and deployment models
2.6 Given a scenario, implement secure protocols
    Note: Think of every protocol you can think of that has an “S” with it implying Secure/SSL and you’ll have what you need to know for this objective: LDAPS, S/MIME, SFTP, FTPS, HTTPS, and so on

Architecture and Design

3.1 Explain use cases and purpose for frameworks, best practices and secure configuration guides
    Note: Think benchmarking, layered security, and the value of creating/having guides to assist with security-related implementations
3.2 Given a scenario, implement secure network architecture concepts
    Note: Honeynets have been moved to here, along with DMZ, extranets, NAT, and some security devices
3.3 Given a scenario, implement secure systems design
    Note: TPM and HSM now reside here, along with patch management and some good security practices (disabling unnecessary ports, application whitelisting/blacklisting, and the concept of least functionality)
3.4 Explain the importance of secure staging deployment concepts
    Note: Sandboxing, sandboxing, sandboxing
3.5 Explain the security implications of embedded systems
    Note: SCADA/ICS became test topics with the previous iteration of the exam and now reside beneath this objective
3.6 Summarize secure application development and deployment concepts
    Note: Be familiar with the software development lifecycle and secure coding techniques. Sandboxing pops up once again
3.7 Summarize cloud and virtualization concepts
    Note: This is, once again, pretty much a straight lift from the Network+ exam and expects you to know the basics of hypervisors/containers and the most popular deployment models
3.8 Explain how resiliency and automation strategies reduce risk
    Note: Fault tolerance, RAID, and high availability topics reside here, along with the individual technologies that make them possible
3.9 Explain the importance of physical security controls
    Note: Lock it down. Do so with physical locks, guards, cameras, and so on.

Identity and Access Management

4.1 Compare and contrast identity and access management concepts
    Note: Multifactor authentication focuses on:
    ● Something you are
    ● Something you have
    ● Something you know
    ● Somewhere you are
    ● Something you do
4.2 Given a scenario, install and configure identity and access services
    Note: RADIUS is here for remote connectivity, along with the old standbys CHAP, PAP, and MSCHAP. Kerberos and Shibboleth now join them
4.3 Given a scenario, implement identity and access management controls
    Note: The various access methods are here (such as MAC, DAC, RBAC), along with biometric methods and certificate-based authentication
4.4 Given a scenario, differentiate common account management practices
    Note: Have different levels of accounts, follow best practices, and be sure to enforce them

Risk Management

5.1 Explain the importance of policies, plans and procedures related to organizational security
    Note: Vendor agreements and personnel agreements fall beneath this objective, along with policies related to email and social media usage
5.2 Summarize business impact analysis concepts
    Note: Be able to quantify risk using MTBF, MTTR, RTO/RPO and associated forms of assessment
5.3 Explain risk management processes and concepts
    Note: Continuing on from 5.2, add in SLE, ALE, ARO, and other methods of assigning quantitative numbers to risk
5.4 Given a scenario, follow incident response procedures
    Note: Know what should be in an incident response plan and how to follow an organized incident response process
5.5 Summarize basic concepts of forensics
    Note: From a legal standpoint, you need to document everything. Similarly, during data collection you need to gather as much information as possible and be able to build a case
5.6 Explain disaster recovery and continuity of operation concepts
    Note: Types of recovery sites (hot, cold, warm), backups (full, incremental, differential), and considerations (geographic) factor in heavily to getting back up following a crisis
5.7 Compare and contrast various types of controls
    Note: There are eight different categories of controls, and you need to be able to identify which one a given step or action would be classified as
5.8 Given a scenario, carry out data security and privacy practices
    Note: Know the data destruction and sanitization methods, from the popular (shredding) to the less widespread (pulping) and everything in between

Cryptography and PKI

6.1 Compare and contrast basic concepts of cryptography
    Note: This is another objective which could easily be an entire exam in and of itself. Know the meaning of the various phrases used to describe cryptography
6.2 Explain cryptography algorithms and their basic characteristics
    Note: This objective is an extension of 6.1 and adds algorithms for each of the phrases. Be able to identify whether any given algorithm is classified as symmetric, asymmetric, hashing, or other
6.3 Given a scenario, install and configure wireless security settings
    Note: Know which protocols are used with wireless technologies and for what purpose (authentication versus cryptographic)
6.4 Given a scenario, implement public key infrastructure
    Note: Certificates, certificates, certificates. Be familiar with the most popular of them and the components of the infrastructure that makes PKI possible.
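As an added worked example (not from the article), here is how the quantitative risk terms from objectives 5.2 and 5.3 fit together: SLE and ALE from asset value, exposure factor and ARO, a cost/benefit check on a control, availability from MTBF/MTTR, and an RTO/RPO check. The asset value, the ARO reduction and the control cost are constructed numbers, not figures from the exam or the article.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """Quantitative inputs for one asset/threat pair, in Security+ terms."""
    asset_value: float      # AV: what the asset is worth
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence (SLE = AV * EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year (ALE = SLE * ARO)."""
        return self.sle() * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual value of a control: the ALE it removes minus what it costs.
    Positive means the control pays for itself; negative means it costs more than it saves."""
    return (before.ale() - after.ale()) - annual_control_cost


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Fraction of time a component is up, from Mean Time Between Failures and Mean Time To Repair."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def recovery_meets_objectives(restore_hours: float, backup_interval_hours: float,
                              rto_hours: float, rpo_hours: float) -> bool:
    """RTO bounds how long recovery may take; RPO bounds how much data (measured in time) may be lost.
    A backup taken every N hours can lose up to N hours of data, so the interval must fit within the RPO."""
    return restore_hours <= rto_hours and backup_interval_hours <= rpo_hours


# Constructed scenario: a web server worth $100,000; a breach destroys 30% of its value
# and, uncontrolled, is expected twice a year.
web_server = Risk(asset_value=100_000, exposure_factor=0.30, aro=2.0)
# Assumed: a $15,000/yr control cuts the ARO to once every five years.
with_control = Risk(asset_value=100_000, exposure_factor=0.30, aro=0.2)

if __name__ == "__main__":
    print(f"SLE=${web_server.sle():,.0f}  ALE=${web_server.ale():,.0f}")
    print(f"Net annual value of the control: ${control_value(web_server, with_control, 15_000):,.0f}")
    print(f"Availability at MTBF 2000h / MTTR 4h: {availability(2000, 4):.4%}")
    # Daily backups cannot satisfy a 12-hour RPO even though the 3-hour restore fits a 4-hour RTO
    print("Meets RTO/RPO:", recovery_meets_objectives(3, 24, rto_hours=4, rpo_hours=12))
```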


In addition to looking at the domains/objectives, when you are studying for an exam you should also look at the acronyms/terminology associated with that exam and make sure you know them. The following acronyms are among those that have been added to the newest iteration of the Security+ exam that were not on the previous one:

  • ABAC: Attribute-based Access Control
  • CBC: Cipher Block Chaining
  • COPE: Corporate Owned, Personally Enabled
  • CTM: Counter-Mode
  • CYOD: Choose Your Own Device
  • DER: Distinguished Encoding Rules
  • ECB: Electronic Code Book
  • EMP: Electro Magnetic Pulse
  • MMS: Multimedia Message Service
  • MDA: Memorandum of Agreement
  • MSP: Managed Service Provider
  • OTA: Over The Air
  • PEM: Privacy-enabled Electronic Mail
  • PFX: Personal Exchange Format
  • RAT: Remote Access Trojan
  • RTOS: Real-time Operating System
  • SDN: Software Defined Network
  • SED: Self-encrypting Drive
  • SoC: System on Chip
  • WORM: Write Once Read Many
  • XOR: Exclusive Or

While these were added, only a few acronyms were removed from the previous version, including: FQDN, HSRP, JBOD, NOS, OLA, RDP, SONET, and TFTP.

About the Author

Emmett Dulaney is a professor at Anderson University and the author of several books including Linux All-in-One For Dummies and the CompTIA Network+ N10-008 Exam Cram, Seventh Edition.
