An overview of changes to CompTIA’s new Security+ exam

Posted on
Share on Google+Share on LinkedInShare on FacebookShare on RedditTweet about this on TwitterEmail this to someone

CompTIA recently overhauled its popular Security+ certification exam. Here's what changed.While CompTIA regularly makes changes to its most popular vendor-neutral certification exams, usually there is a bit of time staggered between them. This year, however, they updated both the Security+ and the Network+ exams in a very short timespan. In a previous article, we looked at the changes to Network+ (from N10-006 to N10-007), and in this article, we will focus on the changes to Security+ (from SY0-401 to SY0-501).


The SY0-401 exam consisted of 90 questions and there were 90 minutes in which to complete them with a minimum passing score of 750 (on a scale from 100 to 900). It was/is (as long as it still available) divided into six domains and weighted as follows:

1) Network Security 20 percent
2) Compliance and Operational Security 18 percent
3) Threats and Vulnerabilities 20 percent
4) Application, Data and Host Security 15 percent
5) Access Control and Identity Management 15 percent
6) Cryptography 12 percent

The SY0-501 exam has the same number of questions, time, and minimum passing score. It six domains and weighting have changed as follows:

1) Threats, Attacks and Vulnerabilities 21 percent
2) Technologies and Tools  22 percent
3) Architecture and Design 15 percent
4) Identity and Access Management 16 percent
5) Risk Management 14 percent
6) Cryptography and PKI 12 percent

While the number of domains stays the same, the overall number of objectives has actually gone up: from 33 to 37. The following table lists the domains/objectives on SY0-501 and offers a few notes on each:


Threats, Attacks and Vulnerabilities 
1.1 Given a scenario, analyze indicators of compromise and determine the type of malware Know the difference between worms, Trojans, backdoors, rootkits, and the various types of viruses
1.2 Compare and contrast types of attacksThis one objective covers enough topics to be an exam in and of itself. The four main topic areas are: social engineering, application/service attacks (think DoS), wireless attacks, and cryptographic attacks (brute force, birthday, etc.)
1.3 Explain threat actor types and attributesA tiny topic where commonsense can help you identify the right answer to any question asked
1.4 Explain penetration testing conceptsKnow the various types: black box, white box, and gray box
1.5 Explain vulnerability scanning conceptsBe able to identify common misconfigurations and differentiate between intrusive and non-intrusive testing
1.6 Explain the impact associated with types of vulnerabilitiesZero day exploits have been moved to this objective as have a lot of catchall topics like untrained users, buffer overflows, and the like
Technologies and Tools
2.1 Install and configure network components, both hardware- and software-based, to support organizational securityFirewalls are but one topic here – you also have routers, switches, proxies, NIPS/NIDS, SIEM, DLP, load balancers, and access points
2.2 Given a scenario, use appropriate software tools to assess the security posture of an organizationAmong the topics to know here are the command line tools commonly used in troubleshooting (ping, netstat, arp, tracert, and so on)
2.3 Given a scenario, troubleshoot common security issuesMisconfigured devices factors in heavily here along with those unhappy employees who are able to wreak harm from the inside
2.4 Given a scenario, analyze and interpret output from security technologiesAntivirus software is an easy one, but there is also patch management tools, web application firewall and data execution prevention
2.5 Given a scenario, deploy mobile devices securelyFor this objective, you need to know connection methods (lifted from Network+), and deployment models
2.6 Given a scenario, implement secure protocolsThink of every protocol you can think of that has an “S” with it implying Secure/SSL and you’ll have what you need to know for this objective: LDAPS, S/MIME, SFTP, FTPS, HTTPS, and so on
Architecture and Design
3.1 Explain use cases and purpose for frameworks, best practices and secure configuration guidesThink benchmarking, layered security, and the value of creating/having guides to assist with security-related implementations
3.2 Given a scenario, implement secure network architecture conceptsHoneynets have been moved to here along with DMZ, extranets, NAT, and some security devices
3.3 Given a scenario, implement secure systems designTPM and HSM now reside here along with patch management and some good security practices (disabling unnecessary ports, application white- blacklisting, and the concept of least functionality)
3.4 Explain the importance of secure staging deployment conceptsSandboxing, sandboxing, sandboxing
3.5 Explain the security implications of embedded systemsSCADA/ICS became test topics with the previous iteration of the exam and now reside beneath this objective
3.6 Summarize secure application development and deployment conceptsBe familiar with the software development lifecycle and secure coding techniques. Sandboxing pops up once again
3.7 Summarize cloud and virtualization conceptsThis is, once again, pretty much a straight lift from the Network+ exam and expects you to know the basics of hypervisors/containers and the most popular deployment models
3.8 Explain how resiliency and automation strategies reduce riskFault tolerance, RAID, and high availability topics reside here along with individual technologies to make them possible
3.9 Explain the importance of physical security controlsLock it down. Do so with physical locks, guards, cameras, and so on.
Identity and Access Management
4.1 Compare and contrast identity and access management conceptsMultifactor authentication focuses on:
● Something you are
● Something you have
● Something you know
● Something you are
● Something you do
4.2 Given a scenario, install and configure identity and access services RADIUS is here for remote connectivity along with the old standbys CHAP, PAP, and MSCHAP.  Kerberos and Shibboleth now join them
4.3 Given a scenario, implement identity and access management controlsThe various access methods are here (such as MAC, DAC, RBAC), biometric methods, and certificate-based authentication
4.4 Given a scenario, differentiate common account management practicesHave different levels of accounts, follow best practices, and be sure to enforce them
Risk Management
5.1 Explain the importance of policies, plans and procedures related to organizational securityVendor agreements and personnel agreements fall beneath this objective along with policies related to email and social media usage
5.2 Summarize business impact analysis conceptsBe able to quantify risk using MTBF, MTTR, RTO/RPO and associated forms of assessment
5.3 Explain risk management processes and conceptsContinuing on with what was is 5.2, add in SLE, ALE, ARO, and other methods of assigning quantitative numbers to risk
5.4 Given a scenario, follow incident response proceduresKnow what should be in an incident response plan and how to follow an organized incident response process
5.5 Summarize basic concepts of forensicsFrom a legal standpoint, you need to document everything. Similarly, during data collection you need to gather as much information as possible and be able to build a case
5.6 Explain disaster recovery and continuity of operation conceptsTypes of recovery sites (hot, cold, warm), backups (full, incremental, differential), and considerations (geographic) fact in heavily to being back up following a crisis
5.7 Compare and contrast various types of controlsThere are eight different categories of controls and you need to be able to identity which one certain steps or actions would be classified as
5.8 Given a scenario, carry out data security and privacy practicesKnow the data destruction and sanitization methods from the popular (shredding) to less widespread (pulping) and everything in between
Cryptography and PKI
6.1 Compare and contrast basic concepts of cryptographyThis is another objective which could easily be an entire exam in and of itself. Know the meaning of various phrases used to describe cryptography
6.2 Explain cryptography algorithms and their basic characteristicsThis objective is an extension of 6.1 and it adds algorithms for each of the phrases. Be able to identify whether any given algorithm is classified as symmetric, asymmetric, hashing, or other
6.3 Given a scenario, install and configure wireless security settingsKnow which protocols are used with wireless technologies and for what purpose (authentication versus cryptographic)
6.4 Given a scenario, implement public key infrastructureCertificates, certificates, certificates.  Be familiar with the most popular of them and the components of the infrastructure that makes PKI possible.


CompTIA recently overhauled its popular Security+ certification exam. Here's what changed.In addition to looking at the domains/objectives, when you are studying for an exam you should also look at the acronyms/terminology associated with that exam and make sure you know them. The following acronyms are among those that have been added to the newest iteration of the Security+ exam that were not on the previous one:

ABAC: Attribute-based Access Control
CBC: Cipher Block Chaining
COPE: Corporate Owned, Personally Enabled
CTM: Counter-Mode
CYOD: Choose Your Own Device
DER: Distinguished Encoding Rules
ECB: Electronic Code Book
EMP: Electro Magnetic Pulse
MMS: Multimedia Message Service
MDA: Memorandum of Agreement
MSP: Managed Service Provider
OTA: Over The Air
PEM: Privacy-enabled Electronic Mail
PFX: Personal Exchange Format
RAT: Remote Access Trojan
RTOS: Real-time Operating System
SDN: Software Defined Network
SED: Self-encrypting Drive
SoC: System on Chip
WORM: Write Once Read Many
XOR: Exclusive Or

While these were added, only a few acronyms were removed from the previous version, including: FQDN, HSRP, JBOD, NOS, OLA, RDP, SONET, and TFTP.

Share on Google+Share on LinkedInShare on FacebookShare on RedditTweet about this on TwitterEmail this to someone
Emmett Dulaney


Emmett Dulaney is a professor at a small university and the author of the CompTIA Network+ Exam Cram, CompTIA Security+ Study Guide and CompTIA Cloud+ LiveLessons.

Posted in Certification|