The Security+ exam repeatedly tests SNMP port numbers. Memorize both and know which is which:
- UDP 161 — SNMP polling; management station sends request to device; device responds with current metric value
- UDP 162 — SNMP trap; device proactively sends notification to management station when threshold is exceeded
Memory hook: The trap (162) uses a higher number because the device is going "above and beyond" the normal poll (161) to proactively alert you. Or: polling asks (161); trapping tells (162).
The functional distinction the exam tests:
- Polling requires the management station to initiate; the device waits to be asked
- Traps are initiated by the device when a threshold condition occurs; the management station does not need to poll to receive them
- Polling has built-in latency equal to the polling interval; traps are immediate
Also memorize: the SNMP data structures: MIB (Management Information Base) is the database of metrics on the device; each metric is identified by an OID (Object Identifier, a numerical sequence).
The exam presents DLP scenarios where a single deployment appears to protect against data loss but fails because the attacker uses a different channel. The key principle: sensitive data has many exit paths; a DLP deployment covering only one path leaves all others unprotected.
The four DLP deployment layers to know:
- Email gateway DLP — inspects outbound email attachments and content; does not cover USB, web uploads, cloud storage, or direct network transfers
- Endpoint DLP client — monitors data on workstations and laptops; catches USB copies, local application data leakage; requires installation on each device
- Network / perimeter DLP — inspects outbound traffic at the network edge; covers web uploads, FTP, and other protocols leaving the organization
- Cloud DLP — monitors data in cloud storage, email platforms, and collaboration tools; required because cloud traffic bypasses on-premises network inspection
The exam trap: A question describes an organization with "DLP deployed" (implying one layer) and an exfiltration that succeeds through a different channel. The answer is always: add the appropriate DLP layer for that channel. One DLP deployment is not comprehensive DLP.
SCAP and SIEM are both security management tools that deal with data from multiple security systems, but they solve different problems. The exam tests whether candidates can distinguish them.
SCAP (Security Content Automation Protocol):
- Solves: diverse tools using different names for the same vulnerability
- Provides: a common language / standard format for vulnerability identification and reporting
- Enables: automated compliance checking and patch remediation across different tools
- Managed by: NIST at scap.nist.gov
- Think of it as: a translation standard that makes tools speak the same language
SIEM (Security Information and Event Management):
- Solves: security event data scattered across many different log sources
- Provides: centralized log aggregation, correlation, reporting, and forensic analysis
- Enables: detecting attack patterns that span multiple systems; historical investigation
- Think of it as: a central database and analytics engine for security events
The exam question pattern: A scenario describes tools that cannot share vulnerability data or automate patching → the answer is SCAP. A scenario describes attack patterns that only become visible by correlating logs from multiple systems → the answer is SIEM.
The exam tests the limitations of agentless monitoring in scenarios designed to make it seem like an equivalent alternative to agent-based monitoring. It is not. The critical distinction: an agentless system cannot generate alerts or detect violations during periods when it is not running.
When agentless checks run:
- When the device first connects to the network
- When the user authenticates through a VPN concentrator
- When manually triggered on demand
When agentless checks do NOT run:
- Continuously between the above trigger points
- When the device is already connected and no new authentication event occurs
- When a policy violation happens between check windows
The exam scenario: A question describes a device that passes an agentless check at login, then a policy violation occurs two hours later (malware installed, encryption disabled, etc.). The agentless system does not detect it. The question asks what monitoring approach would have caught it in real time. The answer: agent-based monitoring, which runs continuously and detects violations the moment they occur.
Agentless is appropriate for: guest devices, contractor devices where installation is not permitted, and broad-coverage initial compliance checks. It is not a substitute for agent-based monitoring on high-risk or continuously-managed systems.