A first look at CompTIA’s new Security+ exam (SY0-601)
Approximately every three years, CompTIA makes changes to their most popular vendor-neutral certification exams, and one of those being updated later this year is the Security+ exam (from SY0-501 to SY0-601). CompTIA has not formally announced a release date for the new exam, but the last version arrived on Oct. 4, 2017, so the timing is right.
The format of the exam, in terms of the number of questions (maximum of 90), time allotted (90 minutes), and passing score (750 on a scale from 100 to 900), is expected to stay the same. It’s entirely likely that the only changes will be those that affect the content of the exam.
One of the existing domains, Technologies and Tools, is being folded into the other domains, and the total number of domains will drop from six to five. At the same time, governance and compliance are being lumped in with risk, and a few tweaks are being applied to overall domain weighting, as shown by the following comparison:
SY0-501 (current exam):
Threats, Attacks, and Vulnerabilities (21 percent)
Architecture and Design (15 percent)
Identity and Access Management (16 percent)
Risk Management (14 percent)
Cryptography and PKI (12 percent)
Technologies and Tools (22 percent)
SY0-601 (new exam):
Threats, Attacks, and Vulnerabilities (24 percent)
Architecture and Design (21 percent)
Operations and Incident Response (16 percent)
Governance, Risk, and Compliance (14 percent)
Implementation (25 percent)
Note that the old domains and the new ones do not match up 1-for-1 in terms of the topics addressed. I have done my best to line them up according to where things fit best.
While the number of domains drops by one, the overall number of objectives has only dropped by two: from 37 to 35. Let’s take a closer look at the domains and objectives for SY0-601. I’ve shared a few key notes about each:
Domain: Threats, Attacks, and Vulnerabilities
Objective 1.1: Compare and contrast different types of social engineering techniques — Social engineering has long been a topic on this exam, but now it is front and center, leading the objectives. Not only that, but new entries include smishing, invoice scams, credential harvesting, and reconnaissance.
Objective 1.2: Given a scenario, analyze potential indicators to determine the type of attack — Some new entries to the list related to this objective are fileless virus, spraying (in terms of password attacks), and adversarial artificial intelligence.
Objective 1.3: Given a scenario, analyze potential indicators associated with application attacks — This is where scripting, injections, buffer overflows, driver manipulation, and other seminal attack types fall.
Objective 1.4: Given a scenario, analyze potential indicators associated with network attacks — Know the types of wireless attacks as well as those associated with DNS and DDoS.
Objective 1.5: Explain different threat actors, vectors, and intelligence sources — Some new actors and threats added to the list now are state actors, hacktivists, and criminal syndicates. The Dark Web and open source intelligence (OSINT) have been added as information sources to be aware of.
Objective 1.6: Explain the security concerns associated with various types of vulnerabilities — Zero day exploits appear here along with third-party risks and weak configurations.
Objective 1.7: Summarize the techniques used in security assessments — Threat hunting, vulnerability scans, and syslog/security information and event management (SIEM) are listed here.
Objective 1.8: Explain the techniques used in penetration testing — This is another topic that has been in various iterations of the exam for a while, but now expanded to include passive and active reconnaissance, and various exercise types (red team, blue team, white team, and purple team).
Domain: Architecture and Design
Objective 2.1: Explain the importance of security concepts in an enterprise environment — False telemetry has been added to the list of deceptions and disruptions possible beneath this objective.
Objective 2.2: Summarize virtualization and cloud computing concepts — Many, but not all, things cloud appear here.
Objective 2.3: Summarize secure application development, deployment, and automation concepts — Some cloud/virtualization concepts not appearing in 2.2 are here, such as elasticity and scalability.
Objective 2.4: Summarize authentication and authorization design concepts — Gain analysis and efficacy rates have been added to the biometric methods to be familiar with.
Objective 2.5: Given a scenario, implement cybersecurity resilience — In addition to redundancy, replication, and some other categories, diversity has also been added (technologies, vendors, crypto, controls).
Objective 2.6: Explain the security implications of embedded and specialized systems — Be familiar with embedded systems such as Raspberry Pi, Field Programmable Gate Array (FPGA), and Arduino, as well as drones/AVs.
Objective 2.7: Explain the importance of physical security controls — Lock it down. Do so with physical locks, guards, cameras, and so on.
Objective 2.8: Summarize the basics of cryptographic concepts — Making a first appearance in the objective list are blockchain and public ledgers.
Domain: Implementation
Objective 3.1: Given a scenario, implement security protocols — Covers DNSSEC, SSH, S/MIME, SRTP, LDAPS, and the other usual secure protocols.
Objective 3.2: Given a scenario, implement host or application security solutions — Endpoint protection, boot integrity, database/application security, and hardening are key topics.
Objective 3.3: Given a scenario, implement secure network designs — The focus here is on load balancing, VPNs, network segmentation, port security, and network appliances.
Objective 3.4: Given a scenario, install and configure wireless security settings — Covers the cryptographic protocols and authentication protocols associated with wireless networking.
Objective 3.5: Given a scenario, implement secure mobile solutions — While mobile has been one or two questions on the exam before, the topic is now a standalone and includes Mobile Device Management (MDM) and various deployment models.
Objective 3.6: Given a scenario, apply cybersecurity solutions to the cloud — Another new subtopic highlighting the importance of cloud security controls and solutions.
Objective 3.7: Given a scenario, implement identity and account management controls — All things related to account policies fall here.
Objective 3.8: Given a scenario, implement authentication and authorization solutions — Various types of authentication appear here, such as RADIUS, Kerberos, 802.1X, and others.
Objective 3.9: Given a scenario, implement public key infrastructure — Certificates, certificates, certificates. Be familiar with the most popular of them and the components of the infrastructure that make PKI possible.
Domain: Operations and Incident Response
Objective 4.1: Given a scenario, use the appropriate tool to assess organizational security — Some new network reconnaissance and discovery tools now added to the list are hping, theHarvester, sn1per, scanless, dnsenum, and Cuckoo. Some forensic tools now added to the list are WinHex, FTK Imager, and Autopsy.
Objective 4.2: Summarize the importance of policies, processes, and procedures for incident response — Know what should be in an incident response plan and how to follow an organized incident response process.
Objective 4.3: Given an incident, utilize appropriate data sources to support an investigation — The newest entries to this topic are journalctl and NXLog.
Objective 4.4: Given an incident, apply mitigation techniques or controls to secure an environment — A key topic to know here is Security Orchestration, Automation, and Response (SOAR), and in particular the use of runbooks and playbooks.
Objective 4.5: Explain the key aspects of digital forensics — This is where the legal knowledge of the topic becomes important, with a focus on documentation, evidence, acquisition, and integrity.
Domain: Governance, Risk, and Compliance
Objective 5.1: Compare and contrast various types of controls — The six main types of controls (Preventative, Detective, Corrective, Deterrent, Compensating, and Physical) are the focus here.
Objective 5.2: Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture — New to the list is a focus on ISO 27001/27002/27701/31000 and SSAE SOC Type II/III along with the Cloud Security Alliance.
Objective 5.3: Explain the importance of policies to organizational security — In short: educate users — they are often the weakest security link.
Objective 5.4: Summarize risk management processes and concepts — Know the strategies for managing risk and how to analyze it and calculate it.
Objective 5.5: Explain privacy and sensitive data concepts in relation to security — The only real addition to this topic from previous iterations is the inclusion of privacy enhancing technologies: data minimization, data masking, tokenization, anonymization, and pseudo-anonymization.
In addition to looking at the domains and objectives, when you are studying for an exam you should also look at the acronyms and terminology associated with that exam and make sure you know them. This can flag a topic that is hidden in the objectives and doesn’t otherwise stand out, but which can catch you off-guard when taking the exam.
For this particular exam, the acronym list is quite substantial and runs for a number of pages. The following acronyms are among those that have been added to the newest iteration of the Security+ exam that were not on the previous one. Some of them should have been there previously, some are from other CompTIA exams (mainly Network+), and some are unexpected surprises. Take a look:
● AI: Artificial Intelligence
● AIS: Automated Indicator Sharing
● ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge
● BASH: Bourne Again Shell
● BGP: Border Gateway Protocol
● CBT: Computer-based Training
● CIS: Center for Internet Security
● CVSS: Common Vulnerability Scoring System
● DKIM: Domain Keys Identified Mail
● DMARC: Domain Message Authentication Reporting and Conformance
● DNSSEC: Domain Name System Security Extensions
● DPO: Data Privacy Officer
● EDR: Endpoint Detection and Response
● EOS: End of Service
● FPGA: Field Programmable Gate Array
● GDPR: General Data Protection Regulation
● IoC: Indicators of Compromise
● ISO: International Organization for Standardization
● MAM: Mobile Application Management
● MFP: Multi-Function Printer
● ML: Machine Language
● MSA: Measurement Systems Approach
● MSSP: Managed Security Service Provider
● NAS: Network Attached Storage
● NIC: Network Interface Card
● OSI: Open Systems Interconnection
● OSINT: Open Source Intelligence
● OSPF: Open Shortest Path First
● OT: Operational Technology
● OTG: On The Go
● OWASP: Open Web Application Security Project
● PAM: Privileged Access Management
● PCI DSS: Payment Card Industry Data Security Standard
● PDU: Power Distribution Unit
● PKCS: Public Key Cryptography Standards
● QA: Quality Assurance
● QoS: Quality of Service
● RACE: Research and Development in Advanced Communications Technologies in Europe
● RAM: Random Access Memory
● RCS: Rich Communication Services
● RFC: Request for Comments
● SAE: Simultaneous Authentication of Equals
● SDV: Software Defined Visibility
● SOAR: Security Orchestration, Automation, Response
● SOC: Security Operations Center
● SQLi: SQL Injection
● STIX: Structured Threat Information eXchange
● SWG: Secure Web Gateway
● TAXII: Trusted Automated eXchange of Indicator Information
● TTP: Tactics, Techniques, and Procedures
● UEM: Unified Endpoint Management
● VBA: Visual Basic
● VPC: Virtual Private Cloud
While all of these were added, a fair number of acronyms were removed from the previous version. Here’s that list: AV, BAC, CER, CSIRT, CTR, DFIR, DHE, DSU, EF, EMI, EMP, EULA, FAR, ID, IIS, IR, ISA, MIME, MOTD, NGAC, POODLE, RBAC, RDP, REST, RMF, SCP, SCSI, SIPS, SMB, SPoF, SSID, SSP, TCO, and WPA2.