The exam tests whether candidates understand both what cybersecurity insurance covers and what it does not. Insurance is a risk transfer strategy: it moves financial consequences to the insurer. It does not reduce the probability of an attack or remove any vulnerability.
Coverage that is frequently tested:
- Lost revenue from attack-caused service outages
- Data recovery costs after a breach or ransomware
- Losses from phishing attacks where employees were deceived
- Privacy lawsuit costs from affected customers
Exclusions that are frequently tested:
- Intentional acts by insured parties — if someone inside the organization deliberately caused or worsened the damage, the claim is denied
- Unauthorized fund transfers — business email compromise scenarios where the organization was tricked into initiating a transfer may have limits or exclusions
- Negligence that constitutes a policy condition violation (e.g., failing to maintain required MFA)
The exam trap: A question may present insurance as the answer to "how can the organization avoid all consequences of a breach." Insurance reduces financial consequences but does not prevent breaches, does not patch vulnerabilities, and does not cover every scenario. The correct framing: insurance is a backstop for residual financial risk that cannot be eliminated through technical controls.
VLAN segmentation is one of the most commonly tested network topics in the Security+ exam. The single most tested fact about VLANs: devices on different VLANs cannot communicate without a Layer 3 device (router or Layer 3 switch).
Why this matters for security: VLANs are the standard way to provide logical segmentation on shared physical hardware. A switch can have 48 ports all assigned to different VLANs, and none of them can communicate with ports in another VLAN unless a router routes the traffic between them. This is the enforcement mechanism that makes VLAN segmentation work as a security control — without routing, VLAN boundaries are absolute.
Physical vs. logical segmentation comparison:
- Physical segmentation — separate hardware, infrastructure, and cabling; maximum isolation but expensive and inflexible
- VLAN (logical segmentation) — same hardware, logically separated; requires Layer 3 to cross boundaries; cost-effective and standard in enterprise environments
- Air gap — most extreme; no network connectivity at all; eliminates remote exploit paths entirely
NGFW in segmentation: Next-generation firewalls placed between segments provide application-layer visibility on inter-segment traffic. A basic firewall allows or blocks by IP and port; an NGFW can identify the application and detect anomalous traffic patterns from systems that should not be generating them.
The exam tests the distinction between a compensating control and an exception/exemption. Both apply when a vulnerability cannot be immediately patched, but they are different responses with different implications.
Compensating controls:
- Technical measures deployed to reduce exploitation risk without patching
- Examples: disable the service, restrict access, add firewall rules, deploy host-based controls
- Intended as temporary bridges — they remain in place until the patch can be deployed
- Do not eliminate the vulnerability; reduce likelihood or impact of exploitation
Exception / Exemption:
- A formal, documented decision to accept the risk of an unremediated vulnerability
- Approved by a security committee or change control committee — not a single individual
- Granted when: patch causes conflicts; vendor no longer supports the system; exploitation requires physical access that is controlled; operational constraints prevent deployment
- Time-limited where possible; subject to periodic review; accompanied by documentation of compensating controls in place
The exam trap: A question may describe someone deciding unilaterally not to patch a system. This is not a valid exception — exceptions require a formal committee process. A single person cannot grant a valid exception, regardless of seniority.
The exam specifically tests validation of remediation. The most important concept: a patch management platform reporting deployment success is not the same as the vulnerability being remediated. These are two different things.
Why deployment reports fail silently:
- The deployment agent confirms the job completed; it does not confirm the patch persisted and is active
- Configuration conflicts or conflicting software can silently roll back a patch after the agent reports success
- Systems offline during deployment receive no patch but may not be flagged as failures if the agent did not attempt them
- The patch may install but fail to apply to the correct component (a partial installation)
The three validation methods in priority order for the exam:
- Rescan — run a vulnerability scan after patching; this is the standard post-patch validation step and should be performed for every significant patch deployment
- Audit — review logs and deployment records for anomalies; supports compliance documentation
- Verify — manually log into the system and confirm the patch is installed and active; used for critical systems or when automated scanning is insufficient
The exam scenario: An organization deploys a patch, the platform reports 100% success, and the team closes the ticket. The next scheduled scan (weeks later) still shows the vulnerability on several systems. Lesson: rescan immediately after patching, not weeks later in a scheduled scan cycle.