Practice Exams
Timed ยท Auto-gradedExam: Ch 1โ5
Security controls, CIA triad, non-repudiation, AAA, gap analysis. 20 questions ยท 25 min.
Start Exam โExam: Ch 6โ11
Zero trust, physical security, deception, change management, PKI. 20 questions ยท 25 min.
Start Exam โExam: Ch 12โ15
Encryption, key exchange, crypto technologies, obfuscation. 20 questions ยท 30 min.
Start Exam โExam: Ch 19โ25
Threat actors, social engineering, phishing, impersonation, watering hole. 20 questions ยท 25 min.
Start Exam โExam: Ch 26โ32
Memory injection, buffer overflows, race conditions, malicious updates, OS vulnerabilities, SQLi, XSS. 20 questions ยท 25 min.
Start Exam โExam: Ch 33โ34
Hardware vulnerabilities, firmware patching, EOL/EOSL, legacy platforms, virtualization attacks, VM escape. 20 questions ยท 20 min.
Start Exam โExam: Ch 36โ39
Supply chain, misconfigurations, mobile device vulnerabilities, zero-day attacks. 20 questions ยท 25 min.
Start Exam โExam: Ch 40โ43
Malware overview, viruses & worms, spyware & bloatware, keyloggers, logic bombs & rootkits. 20 questions ยท 25 min.
Start Exam โExam: Ch 44โ53
Physical, DoS, DNS, wireless, on-path, replay, malicious code, application, cryptographic & password attacks. 20 questions ยท 30 min.
Start Exam โExam: Ch 102–107
Incident Planning, Digital Forensics, Log Data, Security Policies, Security Standards, Security Procedures. 20 questions · 25 min.
Start Exam →Exam: Ch 95–101
Endpoint Security, IAM, Access Controls, MFA, Password Security, Scripting & Automation, Incident Response. 20 questions · 25 min.
Start Exam →Exam: Ch 108–112
Security Considerations, Data Roles, Risk Management, Risk Analysis, Risk Strategies. 20 questions · 25 min.
Start Exam →Exam: Ch 113–117
Business Impact Analysis, Third-party Risk, Agreement Types, Compliance, Privacy. 20 questions · 25 min.
Start Exam →Exam: Ch 118–121
Audits & Assessments, Penetration Tests, Security Awareness, User Training. 20 questions · 25 min.
Start Exam →🏆 Full Mock Exam โ SY0-701
90 questions ยท 120 minutes ยท all five domains ยท randomised questions and answer order ยท instant results with category breakdown.
Start Mock Exam โAll Chapters
Story ยท Glossary ยท Concepts ยท Examples ยท Flashcards ยท Quiz ยท TricksSecurity Controls
Technical, managerial, operational & physical controls. Preventive, detective, corrective and more.
The CIA Triad
Confidentiality, Integrity, and Availability โ the foundational principles of information security.
Non-Repudiation
Proof of integrity and proof of origin. Hashing, digital signatures, and cryptographic accountability.
AAA Framework
Authentication, Authorization, and Accounting. Certificate auth, authorization models, and VPN access.
Gap Analysis
Current state vs desired state. NIST 800-171, ISO 27001 baselines, and building the gap analysis report.
Zero Trust
Never trust, always verify. Planes of operation, adaptive identity, PEP, PDP, and security zones.
Physical Security
Bollards, vestibules, fencing, CCTV, guards, access badges, lighting, and sensors.
Deception & Disruption
Honeypots, honeynets, honeyfiles, DNS sinkholes, and fake telemetry to mislead attackers.
Change Management
CAB, approval workflows, change requests, rollback procedures, and risk assessment.
Technical Change Management
Patching, version control, configuration baselines, dependencies, and regression testing.
Public Key Infrastructure
Certificate authorities, trust chains, key pairs, certificate types, and PKI hierarchy design.
Encrypting Data
BitLocker, EFS, column-level encryption, IPsec VPN, key stretching, and Kerckhoffs's principle.
Key Exchange
Out-of-band vs in-band, session keys, ephemeral keys, forward secrecy, DH/DHE/ECDHE, TLS handshake.
Encryption Technologies
TPM, HSM, KMS, Secure Enclave, measured boot, PCRs, and tamper-responsive hardware.
Obfuscation
LSB steganography, tokenization, token vaults, PCI scope reduction, static and dynamic data masking.
Hashing & Digital Signatures
MD5, SHA-256, salting, rainbow tables, bcrypt/Argon2, HMAC, digital signatures, non-repudiation.
Blockchain
Hash chaining, genesis block, proof of work/stake, 51% attacks, smart contracts, permissioned ledgers.
Digital Certificates
X.509, CA hierarchy, CSR, self-signed certs, wildcard vs SAN, CRL, OCSP Stapling, Heartbleed.
Threat Actors
Nation-state APTs, hacktivists, organized crime, insider threats, unskilled attackers, shadow IT, TTPs, MITRE ATT&CK.
Social Engineering
Cialdini's 6 principles, BEC anatomy, pretexting, tailgating, vishing, smishing, whaling, quid pro quo.
Common Threat Vectors
Message, image, file, voice, USB, software, unsupported systems, unsecure networks, open ports, default credentials, supply chain.
Phishing
Typosquatting, pretexting, vishing, smishing, BEC, fake check scam, CEO scam, advance-fee scam, caller ID spoofing.
Impersonation
Display name spoofing, cousin domains, ARP/DNS spoofing, deepfakes, SIM swapping, badge cloning, DAI.
Watering Hole Attacks
Drive-by downloads, exploit kits, malvertising, SolarWinds SUNBURST, island hopping, SBOM, browser isolation.
Other Social Attacks
Spam, SPIM, hoaxes, disinformation, elicitation, USB drops, HID devices, invoice fraud, influence ops.
Memory Injection
DLL injection, reflective DLL, process hollowing, fileless malware, LSASS/Mimikatz, DEP, ASLR, CFG.
Buffer Overflows
Stack smashing, return address hijacking, heap overflows, ROP chains, stack canaries, DEP, ASLR, safe languages.
Race Conditions
TOCTOU attacks, race windows, atomic operations, mutex locking, deadlock, double-spend exploits, privilege escalation via timing.
Malicious Updates
Supply chain attacks, build pipeline compromise, SolarWinds SUNBURST, dependency confusion, code signing limits, SBOM, and behavioral detection.
OS Vulnerabilities
RCE, EoP, security feature bypass, information disclosure, DoS, spoofing โ Patch Tuesday, zero-days, staged rollouts, MSRC.
SQL Injection
Code injection, SQLi mechanics, OR 1=1, authentication bypass, UNION-based extraction, parameterized queries, WAF, least privilege defense stack.
Cross-Site Scripting
XSS trust exploitation, reflected vs. stored XSS, JavaScript as attack vector, Subaru 2017, output encoding, CSP, XSS worms.
Hardware Vulnerabilities
Firmware patching limits, IoT attack surface, EOL vs. EOSL, legacy platforms, compensating controls: firewall rules, IPS signatures, network segmentation.
Virtualization Vulnerabilities
VM escape, Pwn2Own 2017 three-step chain, resource reuse memory leakage, VM sprawl, hypervisor patching, memory scrubbing, VM lifecycle management.
Supply Chain Vulnerabilities
Island hopping, Target/HVAC service provider attack, counterfeit hardware, SolarWinds SUNBURST build pipeline compromise, code signing limits, vendor management, SBOM.
Misconfiguration Vulnerabilities
Open permissions, unsecured admin accounts, insecure protocols, default settings, open ports, firewall rule creep.
Mobile Device Vulnerabilities
Jailbreaking, rooting, sideloading, MDM enforcement limits, AUP policy, BYOD risks, app store vetting.
Zero-Day Vulnerabilities
Zero-day lifecycle, why signature detection fails, Chrome/Microsoft/Apple 2023 examples, CVE system, EDR behavioral defense.
An Overview of Malware
Nine malware types surveyed: virus, worm, ransomware, trojan, rootkit, keylogger, spyware, bloatware, logic bomb. Multi-stage attack chains, infection vectors, four defense fundamentals.
Viruses and Worms
Virus types (program, boot sector, script, macro, fileless), worm autonomous propagation, EternalBlue SMB exploit, WannaCry 2017 ransomware worm.
Spyware and Bloatware
Browser monitoring, keylogger credential theft, affiliate fraud, scareware delivery, Lenovo Superfish 2015, Carrier IQ 2011, bloatware attack surface risk, Malwarebytes.
Other Malware Types
Keyloggers bypass encryption, DarkComet RAT, logic bombs and time bombs, South Korea 2013, Ukraine 2016 SCADA attack, rootkits hiding in the kernel, Secure Boot prevention.
Physical Attacks
Physical brute force, RFID badge cloning ($50 device), MFA as the defense, environmental attacks on power and HVAC, fire suppression as denial-of-service, man-traps.
Denial of Service
DoS vs. DDoS, friendly DoS (L2 loops, bandwidth saturation), botnets and Zeus (3.6M devices), asymmetric threat, DNS amplification 86ร, NTP 550ร, smokescreen attacks.
DNS Attacks
DNS poisoning (server, host file, on-path), domain hijacking โ Brazil bank 2016 (36 domains, 6 hours, 5M customers), URL hijacking, typosquatting, brandjacking, DNSSEC defense.
Wireless Attacks
802.11 deauthentication attacks, 802.11w Management Frame Protection, Rogue AP, Evil Twin, fox hunting with Yagi antenna, WPS PIN attacks, channel jamming.
On-Path Attacks
ARP poisoning, Dynamic ARP Inspection (DAI), on-path browser (MITB), SSL interception, victim-to-attacker-to-gateway chain, layer 2 vs layer 7 MITM.
Replay Attacks
Pass-the-hash (NTLM challenge-response reuse), session hijacking, Firesheep cookie capture, session token theft, anti-replay sequence numbers, credential reuse without cracking.
Malicious Code
WannaCry ransomware+worm hybrid, kill switch domain, British Airways Magecart formjacking, client-side script injection into payment pages, supply chain code compromise.
Application Attacks
SQL injection (admin'-- auth bypass), CSRF hidden image tags, directory traversal, command injection, IDOR, privilege escalation through application-layer vulnerabilities.
Cryptographic Attacks
Birthday attack (โN collisions), MD5 weaknesses (collisions 2004, CA forgery 2008), POODLE downgrade + padding oracle, SSL stripping, HSTS, TLS_FALLBACK_SCSV.
Password Attacks
Plaintext storage, password spraying (many accounts, few passwords), online vs offline brute force, salting defeats rainbow tables, account lockout limits, MFA as universal backstop.
Indicators of Compromise
Account lockouts, blocked content, impossible travel, resource consumption spikes, log anomalies โ recognizing attack evidence across network, host, and application layers.
Segmentation and Access Control
VLANs, ACLs, screened subnets, jump servers, privileged access workstations โ enforcing least privilege at the network and access layer.
Mitigation Techniques
Patching cadence, SOAR playbooks, SIEM correlation, network segmentation, deception technologies, and quarantine workflows for active incidents.
Hardening Techniques
CIS benchmarks, secure baselines, default credential changes, unnecessary service removal, endpoint protection, host-based firewall, and full-disk encryption.
Cloud Infrastructure
IaaS/PaaS/SaaS shared responsibility model, cloud-native security controls, IAM in the cloud, microsegmentation, and data sovereignty considerations.
Network Infrastructure Concepts
Air gaps, physical segmentation, VLANs (802.1Q), inter-VLAN routing, SDN data/control/management planes, VLAN hopping prevention, management plane attack surface.
Other Infrastructure Concepts
On-prem vs. cloud trade-offs, hypervisor/VM/container isolation, IoT weak defaults, SCADA/ICS air-gap requirements, RTOS constraints, high availability active/passive vs. active/active.
Infrastructure Considerations
Availability SLAs (five nines), MTTR/MTTF/MTBF, scalability and elasticity security, orchestration vs. manual deployment, cybersecurity insurance, inability-to-patch compensating controls, UPS and generator layers.
Secure Infrastructures
Device placement (firewalls, honeypots, jump servers, load balancers, sensors), security zones (trusted/untrusted/DMZ), attack surface reduction, IPsec site-to-site VPNs, and defense-in-depth layering.
Intrusion Prevention
IDS vs. IPS (detect vs. block), fail-open vs. fail-closed failure modes, active inline monitoring, passive SPAN/tap monitoring, signature-based and anomaly-based detection, and IPS tuning to prevent false-positive outages.
Network Appliances
Jump servers (bastion hosts), forward and reverse proxies, open proxy risks, transparent vs. explicit proxies, load balancer active/active and active/passive modes, SSL/TLS offloading, content switching, and SIEM correlation engines.
Port Security
EAP (Extensible Authentication Protocol), IEEE 802.1X Port-based Network Access Control, the supplicant/authenticator/authentication server three-component model, EAP-TLS vs. PEAP, RADIUS integration with Active Directory, and MAC Authentication Bypass for legacy devices.
Firewall Types
Traditional network-based firewalls (Layer 4), Unified Threat Management (UTM) all-in-one appliances, Next-Generation Firewalls (NGFW) with deep packet inspection and application-layer control, and Web Application Firewalls (WAF) for SQL injection and XSS protection โ and when to deploy each.
Secure Communication
VPN concentrators, IPsec encrypted tunnel packet structure, SSL/TLS remote access VPN (TCP 443), site-to-site IPsec VPN, always-on VPN, SD-WAN for cloud-era routing, and SASE โ the unified cloud networking and security platform with ZTNA, CASB, FWaaS, and more.
Data Types and Classifications
Regulated data, trade secrets, intellectual property, legal and financial information, human-readable vs. non-human-readable formats, PII, PHI, proprietary data, and the full classification spectrum โ from Public to Critical โ and how classification determines the security controls applied to each data set.
States of Data
Data at rest (stored), data in transit (in motion), and data in use (in RAM) โ three states requiring different controls. Full disk, database, and file encryption for stored data; TLS and IPsec for network data; why RAM is almost always decrypted and the Target breach proves it. Plus data sovereignty (GDPR) and geolocation access control.
Protecting Data
Geographic restrictions and geofencing (GPS, 802.11, IP geolocation), encryption vs. hashing vs. tokenization โ and why each is chosen. Obfuscation and data masking as view-layer controls. Tokenization in mobile payments (Apple Pay / Google Pay). Data segmentation to limit breach blast radius. Permission restrictions: authentication controls and post-login authorization (least privilege, separation of duties).
Resiliency
High availability (active/active) vs. mere redundancy, server clustering (shared storage, same OS), and load balancing (servers unaware of each other, different OSes OK). Hot site (exact replica, real-time sync), warm site (middle ground), and cold site (empty building). Geographic dispersion, platform diversity to spread OS vulnerability risk, multi-cloud provider dispersion, and COOP manual procedures when all technology fails.
Capacity Planning
Matching supply to demand across people, technology, and infrastructure โ the three dimensions of capacity. People capacity is the hardest and slowest to scale. Web services scale via load balancers; databases via clustering and sharding; cloud via on-demand auto-scaling. Vertical scaling adds resources to one server (ceiling exists); horizontal scaling adds more servers (no ceiling, built-in redundancy). Elasticity eliminates the fixed-capacity dilemma. Physical infrastructure is CapEx with weeks of lead time; cloud is OpEx in minutes. Right-sizing, monitoring, and forecasting complete the discipline.
Recovery Testing
Validating disaster recovery plans before real events occur. Rules of engagement keep tests from disrupting production. Tabletop exercises surface procedural and coordination gaps through discussion โ no systems touched. Failover testing verifies redundant infrastructure switches automatically and transparently (users should notice nothing). Phishing simulations measure two independent defenses: email filter controls and human behavior. Parallel processing distributes work across multiple CPUs for both performance and graceful degradation โ partial failure loses capacity, not the whole service.
Backups
Complete backup strategy across six dimensions: data volume, backup type, media, storage location, software, and schedule. On-site is fast; off-site survives disasters โ most organizations use both. Backup frequency determines RPO. Encryption is mandatory for off-site and cloud (stolen tapes must be unreadable); recovery key must be stored separately. Snapshots capture full VMs instantly; every snapshot after the first is incremental (changes only). Recovery testing verifies backups actually restore. Replication is near-real-time but propagates ransomware โ cannot replace periodic backups. Journaling prevents corruption from interrupted writes by recording intent before committing to storage.
Power Resiliency
Power is the foundation of all technology โ and organizations can't control their utility provider. Three disturbances: blackout (zero voltage), brownout (voltage drop, causes instability), surge (overvoltage, damages hardware). Three UPS types: offline/standby (basic, brief transfer delay), line-interactive (active voltage regulation, best for brownout-prone areas), online/double-conversion (zero transfer time, equipment always runs from battery/inverter, used in data centers). Generators provide long-term backup but need 60โ90 seconds to start โ the UPS bridges that gap. UPS and generator are partners, not alternatives.
Security Baselines
Standardized security configurations that every application instance must follow โ firewall settings, patch levels, OS file versions. Build from manufacturer sources (application developer, OS vendor, appliance maker; Microsoft SCT for Windows). Deploy via automation: Active Directory Group Policy, MDM, configuration management tools. Monitor for configuration drift through continuous integrity measurements. Update when new vulnerabilities emerge, applications are upgraded, or OS changes occur. Audit for compliance evidence.
Hardening Targets
No default configuration is secure. Nine distinct targets each need platform-specific hardening: mobile devices (MDM, data segmentation, updates), workstations (OS/app/firmware patches, remove unused software, Group Policy), network infrastructure (change defaults, embedded OS, rare but critical firmware patches), cloud (secure management workstation, least privilege, EDR, C2C backup), servers (patches, account controls, limit network access, EDR), SCADA/ICS (air-gap, no internet access, physical consequence if breached), embedded systems (segment + firewall when patching is impossible), RTOS (deterministic timing, isolation, minimum services), IoT (change defaults, patch quickly, dedicated VLAN).
Securing Wireless and Mobile
Site surveys map the RF environment before deployment โ heat maps visualize coverage, spectrum analyzers find non-Wi-Fi interference (microwave, cordless phone) that survey tools miss. MDM enforces security policy across BYOD and corporate devices: feature control, data segmentation, screen lock, remote wipe. Three ownership models: BYOD (employee-owned, org manages work profile), COPE (company-owned, personal use allowed, full org control), CYOD (company-owned, employee picks from approved list). Three Wi-Fi threats: data capture (encrypt), on-path/rogue AP (WPA3 + certs), deauthentication DoS (802.11w). Cellular risks: traffic monitoring, location tracking, global exposure. Bluetooth: pairing protects against unauthorized connections; disable when not in use.
Wireless Security Settings
Three wireless security objectives: confidentiality (encrypt), authentication (who gets access), integrity (MIC). WPA2 PSK flaw: four-way handshake transmits a crackable hash โ offline brute-force with no lockout or rate limit; no forward secrecy. WPA3 fixes both: GCMP (AES encryption + GMAC integrity in one algorithm); SAE/dragonfly handshake (Diffie-Hellman derivation, no hash transmitted, mutual auth, per-session keys, forward secrecy). Three modes: Open (no auth), WPA3-Personal/PSK (shared key, SAE-protected), WPA3-Enterprise/802.1X (individual RADIUS auth). AAA: Identification โ Authentication โ Authorization โ Accounting. RADIUS: centralized AAA protocol; 802.1X: port-based NAC; EAP: extensible auth framework (EAP-TLS, PEAP, EAP-TTLS). Three 802.1X roles: Supplicant (asks), Authenticator/AP (enforces โ does NOT validate), Authentication Server/RADIUS (decides).
Application Security
Secure coding balances speed against security โ vulnerabilities not found in QA are found by attackers. Input validation enforces expected type, length, format, and character set on every input; normalization decodes/standardizes input first so encoded bypass attacks fail. Fuzzing tests with automated random/malformed input to find edge cases. Secure cookies use the Secure attribute (HTTPS only) and HttpOnly (no JS access); never store sensitive data in cookies. SAST scans source code for buffer overflows, SQL injection, insecure function calls โ cannot evaluate cryptographic correctness, auth logic, or business logic; false positives require human review. Code signing: CA signs developer's public key; developer signs code with private key; OS validates using developer's public key. Sandboxing limits blast radius after compromise (VMs, mobile OS, browser iframes, Windows UAC). Application monitoring: real-time visibility, blocked attack logs, audit trails, anomaly detection.
Asset Management
Procurement: user request → IT/purchasing review → supplier negotiation (price, terms, SLA) → purchase/delivery → invoice/payment. Assignment: central asset tracking system; ownership associates device to responsible person; classification: hardware=CapEx (depreciates), software=OpEx (does not depreciate). Monitoring: full inventory of all assets; enumeration documents individual components (CPU, RAM, storage, peripherals); asset tags (barcode, RFID, visible number) link physical device to database record — also theft deterrence. Media sanitization: secure overwrite for reuse; physical destruction for decommission; one-way process. Destruction methods: shredding/pulverization, drilling/hammering, degaussing (HDDs only — NOT SSDs), incineration. Certificate of destruction: third-party confirmation with serial numbers — chain-of-custody for compliance. Data retention: regulatory compliance (HIPAA, SOX, FINRA), operational recovery (backup/DR), data type differentiation.
Vulnerability Scanning
Scanning vs. pen testing: scanning identifies potential weaknesses without exploiting them (minimally invasive); pen testing actively exploits (invasive). Port scanning: open ports = attack surface, not inherently vulnerable. Internal + external scans both required — external covers internet-facing; internal covers insider threats, unauthorized devices, shadow IT. False positives: verify before acting; severity does not replace verification. SAST: static analysis of code; finds code patterns; cannot find auth design flaws, improper crypto usage, or business logic errors. Fuzzing: dynamic; running application; malformed input → crash/exception/error = vulnerability indicator; synonyms: fault injection, robustness testing, negative testing, syntax testing. History: 1988, Univ. of Wisconsin, Prof. Barton Miller, "Fuzz Generator." CERT BFF. Package monitoring: supply chain risk; CVE tracking for installed dependencies; digital signatures + hash validation + repository auth; tools: OWASP Dependency-Check, Dependabot, Snyk.
Threat Intelligence
Threat intelligence: proactive defense by understanding adversaries before they act; used by SOC analysts, IR teams, threat hunters, vuln management, and executives. OSINT: publicly available sources (internet forums, government advisories, commercial data); free but requires validation before operational use — quality varies and disinformation exists. Proprietary intelligence: commercial services with cross-organization correlation; detect campaigns at one client, warn all others; provides IOCs, malware analysis, TTPs. Information-sharing organizations: collective defense; peer organizations share first-hand attack evidence; zero-day and ransomware scenarios. Cyber Threat Alliance (CTA): members submit standardized intelligence → CTA validates and scores → distributes to all members. Dark web: overlay network; requires specialized software (Tor) to access; criminal forums and markets host stolen data, malware, hacking services, access listings; monitor for company names, executive names, credential dumps, planned attack mentions.
Penetration Testing
Rules of engagement: required before any testing; defines type of testing, permitted timing, in-scope systems, out-of-scope systems, emergency contacts, sensitive data handling. Four phases: (1) Initial exploitation — first foothold via buffer overflow, phishing, SQL injection, social engineering; (2) Lateral movement — expand to internal systems using stolen credentials, pass-the-hash; internal network is less protected; (3) Persistence — backdoors, unauthorized accounts, startup modification, scheduled tasks survive patching; (4) Pivot — compromised system as relay to reach architecturally isolated segments. Responsible disclosure: researcher reports privately → vendor creates fix → patch deployed → public disclosure; 90-day industry norm. Bug bounty programs: financial reward for valid documented findings submitted privately within defined scope; Google, Microsoft, Meta run major programs.
Analyzing Vulnerabilities
False positives and negatives, CVSS scoring, CVE databases, exposure factor, environmental variables, and risk tolerance.
Security Monitoring
SIEM log aggregation, continuous scanning, actionable reporting, archiving mandates, real-time alerting, quarantine response, and alert tuning.
Security Tools
SCAP standardization, CIS benchmarks, agent vs. agentless, DLP, SNMP polling and traps, NetFlow traffic analysis, and vulnerability scanners.
Firewalls
Network-based firewalls and NGFWs, application layer gateways, firewall rules and implicit deny, ACLs, screened subnets, and IPS signature-based and anomaly-based detection.
Operating System Security
Active Directory as the centralized Windows identity store, Group Policy for enterprise-wide configuration enforcement, SELinux adding mandatory access control to Linux, and the DAC vs. MAC access control model distinction.
Web Filtering
Content filtering, URL scanning and category-based block rules, agent-based filtering, explicit and transparent proxies, forward proxy, reputation-based filtering, and DNS filtering as a pre-connection defense.
Secure Protocols
Insecure-to-secure protocol replacements (Telnet→SSH, FTP→SFTP, HTTP→HTTPS, IMAP→IMAPS), why port numbers do not guarantee encryption, Wireshark verification, open Wi-Fi risks, WPA3 per-session keys, and VPN as a transport-layer wrapper for all applications.
Email Security
Why SMTP enables spoofing, the mail gateway as gatekeeper, SPF authorized-server validation, DKIM digital signatures and public-key verification, DMARC disposal policy (none/quarantine/reject) and aggregate reporting, and the correct deployment sequence for all three DNS-based technologies.
Monitoring Data
File Integrity Monitoring with SFC (Windows) and Tripwire (Linux); DLP across three data states (in use, in motion, at rest); USB blocking and the 2008 DoD agent.btz worm incident; cloud-based DLP; and email DLP for inbound threats and outbound leakage including the 2016 Boeing spreadsheet incident.
Endpoint Security
Defense in depth layers, NAC posture assessment with persistent/dissolvable/agentless agents, EDR behavioral analysis and automated response, XDR cross-domain correlation, and UBA for insider threat detection.
Identity and Access Management
Identity lifecycle (hire/transfer/separation), access creep and orphaned accounts, identity proofing, SSO, LDAP directory structure with container and leaf objects, SAML limitations on mobile, OAuth vs. OpenID Connect, and federation.
Access Controls
Least privilege, MAC (OS-enforced labels), DAC (owner-controlled), RBAC (group membership and implicit rights), Rule-based (system ACL conditions), ABAC (simultaneous attribute evaluation for zero-trust), and time-of-day restrictions.
Multifactor Authentication
Four factor categories, smart cards and hardware tokens, SMS OTP SIM-swap weakness, biometrics as mathematical representations (cannot be changed if compromised), FAR/FRR/CER metrics, and location-based authentication.
Password Security
Entropy and why length beats complexity, NIST SP 800-63B passphrase guidance, expiration and history policies, password managers (encrypted vault, unique per service, enterprise vs. consumer), passwordless authentication with TPM, JIT permissions with clearinghouse, and password vaulting with session proxying.
Scripting and Automation
Automation benefits (time savings, baseline enforcement, secure scaling, workforce multiplier), use cases (provisioning, guard rails, security groups, ticket creation, escalation, CI/CD, API integration), and scripting risks (complexity, cost, single point of failure, technical debt, ongoing supportability).
Incident Response
NIST SP 800-61 four-phase lifecycle, incident go bag contents, detection sources (IPS/AV/FIM/traffic), sandbox analysis and self-destruct malware challenge, eradication and recovery steps, post-incident meeting timing and the four retrospective questions, and IR training (tabletop, simulation, red team).
Incident Planning
Tabletop exercises vs. simulations, phishing simulation testing of users and filters, root cause analysis methodology (ask why repeatedly, avoid tunnel vision, multiple root causes, blame-free), and proactive threat hunting using SIEM, EDR, and behavioral analytics.
Digital Forensics
RFC 3227 best practices, legal hold (initiated by legal counsel, custodian ESI preservation), chain of custody (hashes, digital signatures, labeling, sealing), acquisition types by volatility (RAM/disk/firmware/VM/artifacts), preservation from copies, live collection for encrypted systems, and e-discovery vs. forensics.
Log Data
Firewall and NGFW logs (source/destination/disposition/application ID), application and OS security logs (Windows Event Viewer, Linux /var/log), IPS/IDS log fields, network device logs (switches/routers/WAPs/VPN), metadata types (email headers, GPS, file author), SIEM correlation and impossible travel detection, dashboards vs. historical reports, and packet captures.
Security Policies
Policy (what+why) vs. technical controls (how), AUP and legal liability through employee acknowledgment, business continuity planning with required testing, disaster recovery sites (cold/warm/hot), RTO and RPO, five incident response roles, NIST SP 800-61 vs. NIST CSF, Agile vs. Waterfall SDLC, and change management policy elements.
Security Standards
Password standards (bcrypt/Argon2/PBKDF2 hashed+salted storage, NIST 800-63B guidance), access control models (MAC/DAC/RBAC/ABAC) and immediate access removal on separation, physical security personnel classification (employee/visitor/contractor) and escort requirements, encryption standards for three data states (at rest/in transit/in use), and ISO/IEC 27001.
Security Procedures
Change Control Board (CCB) seven-step workflow and mandatory backout plans, emergency change procedures, onboarding (AUP signing, least privilege account creation, pre-configured hardware), offboarding (disable not delete, hardware recovery, data management), security playbooks with conditional logic, SOAR orchestration and automation, and centralized/decentralized/federated governance structures.
Security Considerations
SOX (publicly traded companies, financial data integrity), HIPAA (PHI protection, 60-day breach notification, encryption safe harbor), legal hold and spoliation risk, GDPR 72-hour notification, OT/SCADA air-gap and availability priority, cross-border data sovereignty and jurisdictional conflicts.
Data Roles & Responsibilities
Data owner (senior business leader, organizational accountability), data controller (determines purpose and means, primary GDPR liability), data processor (third-party handler under controller instructions), data custodian (day-to-day technical controls, sensitivity labels: public / internal / confidential / restricted).
Risk Management
Four risk assessment types: one-time (acquisition, new system), ad hoc (concern-triggered, team forms and disbands), recurring (PCI DSS annual mandate), continuous (integrated into change control). Risk identification, threat assessment, and the change-management risk integration model.
Risk Analysis
Qualitative (traffic light grids, expert judgment) vs. quantitative (SLE = AV × EF, ALE = ARO × SLE) methods. Five impact categories (Life > Property > Safety > Finance > Reputation). Risk appetite vs. tolerance (speed limit vs. ticketing threshold). Risk register: KRIs, risk owners, thresholds.
Risk Management Strategies
Six strategies: Transfer (cyber insurance, financial shift), Accept (documented decision), Exemption (policy cannot apply, permanent), Exception (temporary deviation), Avoid (only complete elimination), Mitigate (most common, controls reduce risk). Risk reporting for senior management: critical and emerging risks in business terms.
Business Impact Analysis
RTO (max acceptable downtime, business target), RPO (max acceptable data loss, drives backup frequency), MTTR (avg repair time = total repair time ÷ count, must be < RTO), MTBF (avg uptime between failures = total uptime ÷ breakdowns). RTO/RPO are targets; MTTR/MTBF are measurements.
Third-party Risk Assessment
Penetration test (active exploitation) vs. vulnerability scan (passive identification). Rules of engagement: scope, timing, authorized techniques, emergency contacts. Right-to-audit clause vs. SOC 2. SolarWinds supply chain attack: trusted build pipeline, valid digital signature, 18,000 orgs compromised. Conflict of interest indicators in vendor selection.
Agreement Types
SLA (quantified performance + financial penalties), MOU (broad intent, not binding), MOA (specific commitments, conditionally binding), MSA (legal framework for entire relationship), WO/SOW (specific project under MSA), NDA (unilateral / bilateral / multilateral), BPA (ownership stake, governance rights, contingency provisions).
Compliance
SOX (publicly traded, CEO/CFO attestation, up to 20 years), HIPAA tiers ($50K unknowing, $100K false pretenses, $250K selling PHI), GLBA (financial institutions, Safeguards Rule). Due care (internal controls) vs. due diligence (vendor vetting). Uber: 2016 breach concealed 14 months, CSO convicted. Attestation = personal criminal liability.
Privacy
GDPR: extraterritorial scope, IP addresses are personal data, up to 4% global turnover penalty. Right to erasure (Article 17): all copies including backups. Data Owner (senior executive, business accountability), Controller (GDPR purpose-setter), Processor (per controller instructions), Custodian (technical implementation). Data inventory required for erasure and breach response.
Audits and Assessments
Cybersecurity audit: structured IT environment examination. Attestation: formal professional opinion after evidence gathering (not the same as the audit). Audit committee starts AND stops all internal audits. Self-assessments: department evaluates itself. External audits: mandated by SOX/HIPAA/PCI DSS/CMMC/FedRAMP, cannot be skipped. Examination: hands-on evidence gathering phase.
Penetration Tests
Physical pentest: modify boot, boot from external media, modify OS files. Red team (offensive), Blue team (defensive), Integrated (continuous feedback loop). Known (white box / full disclosure), Partially known (gray box), Unknown (blind / black box). Passive recon: public sources, no network traffic, very hard to detect. Active recon: ping, port scan, OS fingerprint, version scan โ generates logs.
Security Awareness
Phishing campaigns: click rate = primary metric. Anomalous behavior: Risky (dangerous action: hosts file, OS file replacement, unauthorized upload), Unexpected (pattern deviation: foreign login, transfer spike), Unintentional (accident: wrong domain, misplaced USB). Metrics: click rate, MFA adoption, password manager adoption. Minimum awareness baseline + job-function layers.
User Training
Pre-access training: before any access, includes third parties, must be documented. Situational awareness: digital (phishing, URLs) and physical (USB devices, unlocked doors). Insider threat: least privilege + active monitoring + multiple approvals. BadUSB: firmware-reprogrammed keyboards. OPSEC: attacker's perspective, minimize exposure. Remote work: VPN + EDR/MDM + no family device sharing.
About This Study Hub
This site covers 116 chapters from Prof. Messer's CompTIA Security+ SY0-701 lecture notes and transcripts. Each chapter contains seven learning modes: a story-based learning page with three helper references (Glossary, Concepts Map, Real-World Examples), interactive flashcards, a multi-format quiz, and trick & performance questions to sharpen exam-day thinking. Timed practice exams cover Ch 1โ5, Ch 6โ11, Ch 12โ15, Ch 16โ18, Ch 19โ25, Ch 26โ32, Ch 33โ34, Ch 36โ39, Ch 40โ43, Ch 44โ53, Ch 95โ101, Ch 102โ107, Ch 108โ112, Ch 113โ117, and Ch 118โ121. A full 90-question SY0-701 Mock Exam with a 120-minute timer, randomised question selection across all five exam domains, and instant results with per-domain analysis is available from the Practice Exams section above.