CompTIA, one of the leading vendor-neutral IT certification agencies, has released an updated version of the Security+ exam, which focuses on how to keep a company’s network and data secure. This update sees the usual pattern of adding more things for the IT professional to know, with very little material retired. The “latest and greatest” technologies and methods are added, with more emphasis given to cloud computing and mobile devices, reflecting the continual rise in off-site and network-based security. We also see a focus shift towards procedures and follow-through, as well as incident review - all ways to maintain vigilance and evaluate efficacy as the Information Security world becomes more complicated. One thing that hasn’t changed is the set of requirements for the aspiring Security+ IT professional. This is in contrast to the recent A+ upgrade, which vastly increased the experience needed for candidates. To qualify for the Security+ exam, you still need:
Another thing that didn’t change much is the distribution of weight for each domain:
But don’t be fooled, there is a lot of new material added! In the Acronym Glossary alone there are 76 new terms and only two retired terms (BOTS and LANMAN). There is also a whole new list of “Suggested Classroom Equipment” for Security+ training, which will be invaluable for teachers and self-studiers alike. Let’s break down the changes domain by domain, shall we?
1.1: Implement security configuration parameters on network devices and other technologies. Candidates are now expected to implement security configuration parameters on Application Aware Devices, including:
1.2: Given a scenario, use secure network administration principles. “Unified Threat Management” replaces “All in One” security appliances in the list of technologies candidates should know network administration principles for.

1.3: Explain network design elements and components. Of the network design elements and components a candidate should know, Layered Security / Defense in Depth is added, as are several types of cloud computing:
1.4: Given a scenario, implement common protocols and services Also expanded is the list of protocols and services the candidate should be able to implement, now including:
1.5: Given a scenario, troubleshoot security issues related to wireless networking There are also more security issues to troubleshoot: Captive portals,
SSID Broadcast now also explicitly mentions disable.
There is a lot of new material in this domain, a good bit of rearranging of material, as well as an increased focus on scenario analysis. Most noticeably, there are three whole new subdomains:
2.1 Explain the importance of risk related concepts. New risk related concepts to explain are:
(New) 2.2: Summarize the security implications of integrating systems and data with third parties. This subdomain focuses on the security considerations of working with business partners and social media, which is increasingly crucial as the internet becomes even more interconnected and integrated through APIs and cross-platform interoperability. Besides the basic “privacy considerations”, “risk awareness”, and “data ownership”, this subdomain also covers the different types of interoperability agreements (SLA, BPA, MOU, and ISA), following “security policy and procedures”, and reminding candidates to “review agreement requirements and verify compliance and performance standards.” Good stuff.

(New) 2.3: Given a scenario, implement appropriate risk mitigation strategies. Risk mitigation (was 2.2 in SY0-301) is now emphasized as “Given a scenario…” and now includes enforcing technology controls, including Data Loss Prevention (DLP).

2.4: Given a scenario, implement basic forensic procedures. Forensic procedures (from 301’s 2.3) have been broken out into their own subdomain, again scenario based. The only new procedure added, however, is “Big Data analysis”.

2.5: Summarize common incident response procedures. This section has the non-forensic procedures from 301’s 2.3, and expands them to include
2.6: Explain the importance of security related awareness and training This is the same subdomain as 2.5 in 301, expanded to include:
2.7: Compare and contrast physical security and environmental controls. This merges what was subdomains 2.6 (environmental controls) and 3.6 (physical security) in SY0-301, and also expands on the types of physical security the candidate should be familiar with to include:
Also new are Control Types, including
2.8: Summarize risk management best practices. This section combines 2.5 (business continuity) and 2.7 (disaster recovery) from 301, though there is not much change, only two new business continuity concepts:
(New) 2.9: Given a scenario, select the appropriate control to meet the goals of security. This is a whole new subdomain added for 401, and has four major components:
There are some minor additions to this domain, focusing on new types of popular attacks, but it remains primarily the same.

3.1: Explain types of malware. New malware to be aware of:
3.2: Summarize various types of attacks Several types of password attacks are added, including
Also new are “Typo squatting/URL hijacking” and “Watering hole attack”.

3.3: Summarize social engineering attacks and the associated effectiveness with each attack. Candidates now have to know the reasons for attack effectiveness, called “Principles”, including:
3.4: Explain types of wireless attacks New ones here are:
3.5: Explain types of application attacks Added for 401 are:
3.6: Analyze a scenario and select the appropriate type of mitigation and deterrent techniques. Physical security has been moved up to section 2.7, and “Manual bypassing of electronic controls” has been removed entirely. Newly added in “Network Security” are
3.7: Given a scenario, use appropriate tools and techniques to discover security threats and vulnerabilities. Again a focus on scenario questions. Sniffers are gone from the list of tools, but “Passive vs. active tools” is new.

3.8: Explain the proper use of penetration testing versus vulnerability scanning. Newly added to vulnerability scanning are
Mobile (4.2) makes its Broadway debut here, having been merely a brief sub-section of a subdomain in 301. Also expanded are virtualization and cloud/“big data” concerns. Also new is a subdomain (4.5) on security risks in static environments.

4.1: Explain the importance of application security controls and techniques. New here:
(New) 4.2: Summarize mobile security concepts and technologies Too many to list here, so go review this section in the Exam Objectives (available in full, free from CompTIA), on pages 11 and 12. The main subsections are:
Mobile has become such a huge part of how companies communicate and interact with their data that this section is critical to maintaining information security.

4.3: Given a scenario, select the appropriate solution to establish host security. Lots of new stuff here:
4.4: Implement the appropriate controls to ensure data security. Data loss prevention has been moved to 2.3 and “Cloud Computing” has been narrowed to “Cloud Storage.” But here's what's been added for 401:
(New) 4.5: Compare and contrast alternative methods to mitigate security risks in static environments. Another whole new section. Those static environments are:
And the methods are:
Some new stuff here, but no major changes.

5.1: Compare and contrast the functions and purposes of authentication services. TACACS is now only TACACS+, and freshly added are:
5.2: Given a scenario, select the appropriate authentication, authorization, or access control. Again we see that increased scenario focus. New authentication protocols are:
5.3: Install and configure security controls when performing account management, based on best practices. New types of account policy enforcement:
Also new:
The home stretch! Again, not too much new here, just some expansion to keep pace with new crypto technologies.

6.1: Given a scenario, utilize general cryptography concepts. New stuff:
6.2: Given a scenario, use appropriate cryptographic methods. The new ones here:
6.3: Given a scenario, use appropriate PKI certificate management and associated components. Just a couple of new certificate types here:
Congrats! You've made it to the end of the list of changes. Looking to start studying now? Check out PracticeQuiz's CompTIA Security+ free test prep questions.

Bonus section: Here are the new need-to-know acronyms. Just a quick list - if you don’t recognize any in an information security context, look them up! API, ASP, BAC, BIA, BPA, BYOD, CAPTCHA, CAR, CIO, COOP, CP, CSR, CSU, CTO, DBA, DES, DHE, DNAT, DSL, DSU, ECDHE, ESN, FDE, FTPS, GPG, GPO, GPS, HTML, IDS, IR, IRP, ISA, ISSO, ITCP, JBOD, LAN, MaaS, MPLS, MTBF, MTTR, MTTF, NDA, NFC, OSCP, OLA, P2P, PAC, PAM, PBKDF2, PCAP, PIV, RC4, RIPEMD, RPO, SAML, SAN, SCADA, SCEP, SEH, SFTP, SIEM, SOAP, TGT, TOTP, TSIG, UEFI, UDP, URI, UTM, VDI, WPA2, WPS, WTLS