The New CompTIA Security+: SY0-401 vs. SY0-301

CompTIA, one of the leading vendor-neutral IT certification agencies, has released an updated version of the Security+ exam, which focuses on how to keep a company’s network and data secure. This update follows the usual pattern of adding more things for the IT professional to know, with very little material retired. The “latest and greatest” technologies and methods are added, with more emphasis given to cloud computing and mobile devices, reflecting the continual rise in off-site and network-based security. We also see a shift in focus towards procedures and follow-through, as well as incident review – all ways to maintain vigilance and evaluate efficacy as the Information Security world becomes more complicated.

One thing that hasn’t changed is the requirements for the aspiring Security+ IT professional. This is in contrast to the recent A+ upgrade, which vastly increased the experience needed for candidates. To qualify for the Security+ exam, you still need:

  • 2 years of IT administration experience, focusing on security
  • “Day to day technical information security experience”
  • “Broad knowledge” of security risks, technologies, and methods, such as those listed in the exam outline

Another thing that didn’t change much is the distribution of weight for each domain:

  1. Network Security: 20% (-1%)
  2. Compliance and Operational Security: 18% (0%)
  3. Threats and Vulnerabilities: 20% (-1%)
  4. Application, Data, and Host Security: 15% (-1%)
  5. Access Control and Identity Management: 15% (+2%)
  6. Cryptography: 12% (+1%)

But don’t be fooled, there is a lot of new material added! In the Acronym Glossary alone there are 76 new terms and only two retired terms (BOTS and LANMAN). There is also a whole new list of “Suggested Classroom Equipment” for Security+ training, which will be invaluable for teachers and self-studiers alike. Let’s break down the changes domain by domain, shall we?

1.0 Network Security

1.1: Implement security configuration parameters on network devices and other technologies. Candidates are now expected to implement security configuration parameters on Application Aware Devices, including:

  • Firewalls,
  • IPS,
  • IDS, and
  • Proxies

1.2: Given a scenario, use secure network administration principles. Unified Threat Management replaces “All in One” Security applications in the list of items for which candidates should know their network administration principles.

1.3: Explain network design elements and components. Of the network design elements and components a candidate should know, Layered Security / Defense in depth is added, as are several types of cloud computing:

  • private,
  • public,
  • hybrid,
  • community.

1.4: Given a scenario, implement common protocols and services. Also expanded is the list of protocols and services the candidate should be able to implement, now including:

  • iSCSI,
  • Fibre Channel,
  • FCoE,
  • FTP,
  • TFTP,
  • HTTP,
  • NetBIOS, and
  • OSI Relevance.

1.5: Given a scenario, troubleshoot security issues related to wireless networking. There are also more security issues to troubleshoot:

  • Captive portals,
  • antenna types,
  • site surveys, and
  • VPN over open wireless.

SSID Broadcast now also explicitly mentions “disable”.

2.0: Compliance and Operational Security

There is a lot of new material in this domain, a good bit of rearranging of material, as well as an increased focus on scenario analysis. Most noticeably there are three whole new subdomains:

  • 2.2: “Summarize the security implications of integrating systems and data with third parties,”
  • 2.3: “Given a scenario, implement appropriate risk mitigation strategies” and
  • 2.9: “Given a scenario, select the appropriate control to meet the goals of security”.

2.1: Explain the importance of risk related concepts. New risk related concepts to explain are:

      • False negatives,
      • SLE, ARO, MTTR, MTTF, MTBF Risk calculations,
      • Vulnerabilities,
      • Threat Vectors, and
      • Recovery time objective and recovery point objective.

(New) 2.2: Summarize the security implications of integrating systems and data with third parties. This subdomain focuses on the security considerations of working with business partners and social media, which is increasingly crucial as the internet becomes even more interconnected and integrated with APIs and cross-platform interoperability. Besides the basic “privacy considerations”, “risk awareness”, and “data ownership”, this subdomain also covers different types of interoperability agreements (SLA, BPA, MOU, and ISA), following “security policy and procedures”, and reminding candidates to “review agreement requirements and verify compliance and performance standards.” Good stuff.

(New) 2.3: Given a scenario, implement appropriate risk mitigation strategies. This subdomain on risk mitigation (was 2.2 in SY0-301) is now emphasized as “Given a scenario…” and now includes enforcing technology controls, including Data Loss Prevention (DLP).

2.4: Given a scenario, implement basic forensic procedures. Forensic procedures (from 301’s 2.3) have been broken out into their own subdomain, again scenario based. The only new procedure added, however, is “Big Data analysis”.

2.5: Summarize common incident response procedures. This section has the non-forensic procedures from 301’s 2.3, and expands them to include:

  • Preparation
  • Incident Identification
  • Escalation and notification
  • Mitigation steps
  • Lessons learned
  • Reporting
  • Recovery/reconstitution procedures
  • Incident isolation (quarantine and device removal), and
  • Data breach

2.6: Explain the importance of security related awareness and training. This is the same subdomain as 2.5 in 301, expanded to include:

  • Role-based training
  • More types of information classification: High, medium, low, confidential, private, and public (previously: hard and soft)
  • Follow up and gather training metrics to validate compliance and security posture

2.7: Compare and contrast physical security and environmental controls. This merges what was subdomains 2.6 (environmental controls) and 3.6 (physical security) in SY0-301, and also expands on the types of physical security the candidate should be familiar with to include:

  • Proper lighting
  • Signs
  • Guards
  • Barricades
  • Biometrics
  • Protected distribution (Cabling)
  • Alarms
  • Motion Detection

Also new are Control Types, including

  • Deterrent
  • Preventative
  • Detective
  • Compensating
  • Technical
  • Administrative

2.8: Summarize risk management best practices. This section combines 2.5 (business continuity) and 2.7 (disaster recovery) from 301, though there is not much change, only two new business continuity concepts:

  • Identification of critical systems and components
  • Tabletop exercises

(New) 2.9: Given a scenario, select the appropriate control to meet the goals of security. This is a whole new subdomain added for 401, and has four major components:

  • Confidentiality: Encryption, access controls, and steganography
  • Integrity: Hashing, digital signatures, certificates, and non-repudiation
  • Availability: Redundancy, fault tolerance, patching
  • Safety: Fencing, lighting, locks, CCTV, escape plans, drills, escape routes, and testing controls.

3.0: Threats and Vulnerabilities

There are some minor additions to this domain, focusing on new types of popular attacks, but it remains primarily the same.

3.1: Explain types of malware. New malware to be aware of:

  • Ransomware
  • Polymorphic malware
  • Armored virus

3.2: Summarize various types of attacks. Several types of password attacks are added, including:

  • Brute force attacks
  • Dictionary attacks
  • Hybrid
  • Birthday attacks
  • Rainbow tables

Also new are “Typo squatting/URL hijacking” and “Watering hole attack”.

3.3: Summarize social engineering attacks and the associated effectiveness with each attack. Candidates now have to know the reasons for attack effectiveness, called “Principles”, including:

  • Authority
  • Intimidation
  • Consensus/Social proof
  • Scarcity
  • Urgency
  • Familiarity/liking
  • Trust

3.4: Explain types of wireless attacks. New ones here are:

  • Jamming
  • Near field communication
  • Replay attacks
  • WEP/WPA attacks
  • WPS attacks

3.5: Explain types of application attacks. Added for 401 are:

  • Integer overflow
  • LSO (locally shared objects)
  • Flash Cookies
  • Arbitrary code execution / remote code execution

3.6: Analyze a scenario and select the appropriate type of mitigation and deterrent techniques. Physical security has been moved up to section 2.7, and “Manual bypassing of electronic controls” has been removed entirely. Newly added in “Network Security” are:

  • Disabling unused interfaces, and
  • Rogue machine detection

3.7: Given a scenario, use appropriate tools and techniques to discover security threats and vulnerabilities. Again a focus on scenario questions. Sniffers are gone from the list of tools, but “Passive vs. active tools” is new.

3.8: Explain the proper use of penetration testing versus vulnerability scanning. Newly added to vulnerability scanning are:

  • Intrusive vs. non-intrusive
  • Credentialed vs. non-credentialed
  • False positive

4.0: Application, Data and Host Security

Mobile (4.2) makes its Broadway debut here, having been merely a brief sub-section of a subdomain in 301. Also expanded are virtualization and cloud/“big data” concerns. Also new is a subdomain on security risks in static environments (4.5).

4.1: Explain the importance of application security controls and techniques. New here:

  • NoSQL databases vs. SQL databases
  • Server-side vs. Client-side validation

(New) 4.2: Summarize mobile security concepts and technologies. Too many to list here, so go review this section in the Exam Objectives (available in full, free from CompTIA), on pages 11 and 12. The main subsections are:

  • Device security (this section actually existed in 301 4.2, but is greatly expanded here)
  • Application Security
  • BYOD (“Bring Your Own Device”) Concerns.

Mobile has become such a huge part of how companies communicate and interact with their data that this section is critical to maintaining information security.

4.3: Given a scenario, select the appropriate solution to establish host security. Lots of new stuff here:

  • OS hardening
  • White listing vs. black listing applications
  • Trusted OS
  • Host-based intrusion detection
  • Virtualization considerations: Snapshots, Patch compatibility, host availability/elasticity, Security control testing, sandboxing

4.4: Implement the appropriate controls to ensure data security. Data loss prevention has been moved to 2.3 and “Cloud Computing” has been narrowed to “Cloud Storage.” But here's what's been added for 401:

  • SAN
  • Handling Big Data
  • Data in-transit, Data at-rest, Data in-use
  • Permissions
  • Data policies: wiping, disposing, retention, and storage

(New) 4.5: Compare and contrast alternative methods to mitigate security risks in static environments. Another whole new section. Those static environments are:

  • Embedded (Printer, Smart TV, HVAC)
  • Android and iOS
  • Mainframe
  • Game consoles
  • In-vehicle computing systems

And the methods are:

  • Network segmentation
  • Security layers
  • Application firewalls
  • Manual updates
  • Firmware version control
  • Wrappers
  • Control redundancy and diversity

5.0 Access Control and Identity Management

Some new stuff here, but no major changes.

5.1: Compare and contrast the functions and purposes of authentication services. TACACS is now only TACACS+, and freshly added are:

  • SAML
  • Secure LDAP

5.2: Given a scenario, select the appropriate authentication, authorization, or access control. Again we see that increased scenario focus. New authentication protocols are:

  • TOTP
  • HOTP
  • CHAP
  • PAP
  • Authentication Factors: Something you are, something you have, something you know, somewhere you are, and something you do.
  • Username is now explicitly mentioned as a type of Identification
  • Federation
  • Transitive trust/authentication

5.3: Install and configure security controls when performing account management, based on best practices. New types of account policy enforcement:

  • Credential management
  • Group policy
  • Password history
  • Password reuse
  • Generic account prohibition

Also new:

  • User access reviews
  • Continuous monitoring

6.0 Cryptography

The home stretch! Again, not too much new here, just some expansion to keep pace with new crypto technologies.

6.1: Given a scenario, utilize general cryptography concepts. New stuff:

  • Session keys
  • In-band vs. out-of-band key exchange
  • Ephemeral key
  • Perfect forward secrecy

6.2: Given a scenario, use appropriate cryptographic methods. The new ones here:

  • Diffie-Hellman
  • DHE
  • Cipher suites: strong v. weak ciphers
  • Key stretching: PBKDF2, Bcrypt
  • Whole disk encryption is no longer on the list

6.3: Given a scenario, use appropriate PKI certificate management and associated components. Just a couple of new certificate types here:

  • OCSP
  • CSR

Congrats! You've made it to the end of the list of changes. Looking to start studying now? Check out PracticeQuiz's CompTIA Security+ free test prep questions.

Bonus section: Here are the new need-to-know acronyms. Just a quick list – if you don’t recognize any in an information security context, look them up!

API, ASP, BAC, BIA, BPA, BYOD, CAPTCHA, CAR, CIO, COOP, CP, CSR, CSU, CTO, DBA, DES, DHE, DNAT, DSL, DSU, ECDHE, ESN, FDE, FTPS, GPG, GPO, GPS, HTML, IDS, IR, IRP, ISA, ISSO, ITCP, JBOD, LAN, MaaS, MPLS, MTBF, MTTR, MTTF, NDA, NFC, OCSP, OLA, P2P, PAC, PAM, PBKDF2, PCAP, PIV, RC4, RIPEMD, RPO, SAML, SAN, SCADA, SCEP, SEH, SFTP, SIEM, SOAP, TGT, TOTP, TSIG, UEFI, UDP, URI, UTM, VDI, WPA2, WPS, WTLS