A first look at CompTIA’s new Security+ exam (SY0-601)


The new CompTIA Security+ exam, SY0-601, is likely to be released in the fall. Approximately every three years, CompTIA makes changes to its most popular vendor-neutral certification exams, and one of those being updated later this year is the Security+ exam (from SY0-501 to SY0-601). CompTIA has not formally announced a release date for the new exam, but the last version arrived on Oct. 4, 2017, so the timing is right.

The format of the exam, in terms of the number of questions (maximum of 90), time allotted (90 minutes), and passing score (750 on a scale from 100 to 900), is expected to stay the same. It’s entirely likely that the only changes made will be those that affect the content of the exam.

Comparing Domains

One of the existing domains, Technologies and Tools, is being folded into the other domains, and the total number of domains will drop from six to five. At the same time, governance and compliance are being lumped in with risk, and a few tweaks are being applied to overall domain weighting, as shown by the following comparison:

SY0-501 Domain (Weighting)
Threats, Attacks, and Vulnerabilities (21 percent)
Architecture and Design (15 percent)
Identity and Access Management (16 percent)
Risk Management (14 percent)
Cryptography and PKI (12 percent)
Technologies and Tools (22 percent)

SY0-601 Domain (Weighting)
Threats, Attacks, and Vulnerabilities (24 percent)
Architecture and Design (21 percent)
Operations and Incident Response (16 percent)
Governance, Risk, and Compliance (14 percent)
Implementation (25 percent)

Note that the old domains and the new do not match up 1-for-1 in terms of the topics addressed. I have done my best to line them up according to where things fit best.

While the number of domains drops by one, the overall number of objectives has only dropped by two: from 37 to 35. Let’s take a closer look at the domains and objectives for SY0-601. I’ve shared a few key notes about each:

Domain: Threats, Attacks, and Vulnerabilities
Objective 1.1: Compare and contrast different types of social engineering techniques — Social engineering has long been a topic on this exam, but now it is front and center leading the objectives. Not only that, but new entries include smishing, invoice scams, credential harvesting, and reconnaissance.
Objective 1.2: Given a scenario, analyze potential indicators to determine the type of attack — Some new entries to the list related to this objective are fileless virus, spraying (in terms of password attacks), and adversarial artificial intelligence.
Objective 1.3: Given a scenario, analyze potential indicators associated with application attacks — This is where scripting, injections, buffer overflows, driver manipulation, and other seminal attack types fall.
Objective 1.4: Given a scenario, analyze potential indicators associated with network attacks — Know the types of wireless attacks as well as those associated with DNS and DDoS.
Objective 1.5: Explain different threat actors, vectors, and intelligence sources — Some new actors and threats added to the list now are state actors, hacktivists, and criminal syndicates. The Dark Web and open source intelligence (OSINT) have been added as information sources to be aware of.
Objective 1.6: Explain the security concerns associated with various types of vulnerabilities — Zero day exploits appear here along with third-party risks and weak configurations.
Objective 1.7: Summarize the techniques used in security assessments — Threat hunting, vulnerability scans, and syslog/security information and event management (SIEM) are listed here.
Objective 1.8: Explain the techniques used in penetration testing — This is another topic that has been in various iterations of the exam for a while, but it is now expanded to include passive and active reconnaissance, and various exercise types (red team, blue team, white team, and purple team).

Domain: Architecture and Design
Objective 2.1: Explain the importance of security concepts in an enterprise environment — False telemetry has been added to the list of deceptions and disruptions possible beneath this objective.
Objective 2.2: Summarize virtualization and cloud computing concepts — Many, but not all, things cloud appear here.
Objective 2.3: Summarize security application development, deployment, and automation concepts — Some cloud/virtualization concepts not appearing in 2.2 are here such as elasticity and scalability.
Objective 2.4: Summarize authentication and authorization design concepts — Gait analysis and efficacy rates have been added to the biometric methods to be familiar with.
Objective 2.5: Given a scenario, implement cybersecurity resilience — In addition to redundancy, replication, and some other categories, diversity has also been added (technologies, vendors, crypto, controls).
Objective 2.6: Explain the security implications of embedded and specialized systems — Be familiar with embedded systems such as Raspberry Pi, Field Programmable Gate Array (FPGA), and Arduino, as well as drones/AVs.
Objective 2.7: Explain the importance of physical security controls — Lock it down. Do so with physical locks, guards, cameras, and so on.
Objective 2.8: Summarize the basics of cryptographic concepts — Making a first appearance in the objective list is blockchain and public ledgers.

Domain: Implementation
Objective 3.1: Given a scenario, implement security protocols — DNSSEC, SSH, S/MIME, SRTP, LDAPS, and the usual secure protocols.
Objective 3.2: Given a scenario, implement host or application security solutions — Endpoint protection, boot integrity, database/application security, and hardening are key topics.
Objective 3.3: Given a scenario, implement secure network designs — The focus here is on load balancing, VPNs, network segmentation, port security, and network appliances.
Objective 3.4: Given a scenario, install and configure wireless security settings — Cryptography protocols and authentication protocols associated with wireless.
Objective 3.5: Given a scenario, implement secure mobile solutions — While mobile has been one or two questions on the exam before, the topic is now a standalone objective and includes Mobile Device Management (MDM) and various deployment models.
Objective 3.6: Given a scenario, apply cybersecurity solutions to the cloud — Another new subtopic highlighting the importance of cloud security controls and solutions.
Objective 3.7: Given a scenario, implement identity and account management controls — All things related to account policies fall here.
Objective 3.8: Given a scenario, implement authentication and authorization solutions — Various types of authentication appear here, such as RADIUS, Kerberos, 802.1X, and others.
Objective 3.9: Given a scenario, implement public key infrastructure — Certificates, certificates, certificates. Be familiar with the most popular of them and the components of the infrastructure that makes PKI possible.

Domain: Operations and Incident Response
Objective 4.1: Given a scenario, use the appropriate tool to assess organizational security — Some new network reconnaissance and discovery tools now added to the list are hping, theHarvester, sn1per, scanless, dnsenum, and Cuckoo. Some forensic tools now added to the list are WinHex, FTK Imager, and Autopsy.
Objective 4.2: Summarize the importance of policies, processes, and procedures for incident response — Know what should be in an incident response plan and how to follow an organized incident response process.
Objective 4.3: Given an incident, utilize appropriate data sources to support an investigation — The newest entries to this topic are journalctl and nxlog.
Objective 4.4: Given an incident, apply mitigation techniques or controls to secure an environment — A key topic to know here is Security Orchestration, Automation, and Response (SOAR), and in particular the use of runbooks and playbooks.
Objective 4.5: Explain the key aspects of digital forensics — This is where the legal knowledge of the topic becomes important, with a focus on documentation, evidence, acquisition, and integrity.

Domain: Governance, Risk, and Compliance
Objective 5.1: Compare and contrast various types of controls — The six main types of controls (Preventative, Detective, Corrective, Deterrent, Compensating, and Physical) are the focus here.
Objective 5.2: Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture — New to the list is a focus on ISO 27001/27002/27701/31000 and SSAE SOC Type II/III along with the Cloud Security Alliance.
Objective 5.3: Explain the importance of policies to organizational security — In short: educate users — they are often the weakest security link.
Objective 5.4: Summarize risk management processes and concepts — Know the strategies for managing risk and how to analyze it and calculate it.
Objective 5.5: Explain privacy and sensitive data concepts in relation to security — The only real addition to this topic from previous iterations is the inclusion of privacy enhancing technologies: data minimization, data masking, tokenization, anonymization, and pseudo-anonymization.

In addition to looking at the domains and objectives, when you are studying for an exam you should also look at the acronyms and terminology associated with that exam and make sure you know them. This can flag a topic to know that is hidden in the objectives and doesn’t otherwise stand out, but which can catch you off-guard when taking the exam.

For this particular exam, the acronym list is quite substantial and runs for a number of pages. The following acronyms are among those that have been added to the newest iteration of the Security+ exam that were not on the previous one. Some of them should have been there previously, some are from other CompTIA exams (mainly Network+), and some are unexpected surprises. Take a look:

AI: Artificial Intelligence
AIS: Automated Indicator Sharing
ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge
BASH: Bourne Again Shell
BGP: Border Gateway Protocol
CBT: Computer-based Training
CIS: Center for Internet Security
CVSS: Common Vulnerability Scoring System
DKIM: Domain Keys Identified Mail
DMARC: Domain Message Authentication Reporting and Conformance
DNSSEC: Domain Name System Security Extensions
DPO: Data Privacy Officer
EDR: Endpoint Detection and Response
EOS: End of Service
FPGA: Field Programmable Gate Array
GDPR: General Data Protection Regulation
IoC: Indicators of Compromise
ISO: International Organization of Standardization
MAM: Mobile Application Management
MFP: Multi-Function Printer
ML: Machine Language
MSA: Measurement Systems Approach
MSSP: Managed Security Service Provider
NAS: Network Attached Storage
NIC: Network Interface Card
OSI: Open Systems Interconnection
OSINT: Open Source Intelligence
OSPF: Open Shortest Path First
OT: Operational Technology
OTG: On The Go
OWASP: Open Web Application Security Projects
PAM: Privileged Access Management
PCI DSS: Payment Card Industry Data Security Standard
PDU: Power Distribution Unit
PKCS: Public Key Cryptography Standards
QA: Quality Assurance
QoS: Quality of Service
RACE: Research and Development in Advanced Communications Technologies in Europe
RAM: Random Access Memory
RCS: Rich Communication Services
RFC: Request for Comments
SAE: Simultaneous Authentication of Equals
SDV: Software Defined Visibility
SOAR: Security Orchestration, Automation, Response
SOC: Security Operations Center
SQLi: SQL Injection
STIX: Structured Threat Information eXchange
SWG: Secure Web Gateway
TAXII: Trusted Automated eXchange of Indicator Information
TTP: Tactics, Techniques, and Procedures
UEM: Unified Endpoint Management
VBA: Visual Basic
VPC: Virtual Private Cloud

While all of these were added, a fair number of acronyms were removed from the previous version. Here’s that list: AV, BAC, CER, CSIRT, CTR, DFIR, DHE, DSU, EF, EMI, EMP, EULA, FAR, ID, IIS, IR, ISA, MIME, MOTD, NGAC, POODLE, RBAC, RDP, REST, RMF, SCP, SCSI, SIPS, SMB, SPoF, SSID, SSP, TCO, and WPA2.

Emmett Dulaney


Emmett Dulaney is an associate professor and the author of numerous certification study guides, including the CompTIA A+ Complete Deluxe Study Guide, Second Edition (ISBN: 978-1-118324066).
