\n\tCompTIA, one of the leading vendor-neutral IT certification agencies has released an updated version of the Security+ exam, which focuses on how to keep a company’s network and data secure. This update sees the usual pattern of adding more things for the IT professional to know, with very little material retired. The “latest and greatest” technologies and methods are added, with more emphasis is given to cloud computing, mobile devices, reflecting the continual rise in off-site and network-based security. We also see a focus shift towards procedures and followthrough, as well as incident review – all ways to maintain vigilance and evaluate efficacy, as the Information Security world becomes more complicated. One thing that hasn’t changed is the requirements for the aspiring Security+ IT professional. This is in contrast to the recent A+ upgrade, which vastly increased the experience needed for candidates. To qualify for the Security+ exam, you still need:<\/p>\n
\n\tAnother thing that didn’t change much is the distribution of weight for each domain:<\/p>\n
\n\tBut don’t be fooled, there is a lot<\/i> of new material added! In the Acronym Glossary alone there are 76 new terms and only two retired terms (BOTS and LANMAN). There is also a whole new list of “Suggested Classroom Equipment” for Security+ training, which will be invaluable for teachers and self-studiers alike. Let’s break down the changes domain by domain, shall we?<\/p>\n\n\t1.0 Network Security<\/h2>\n
\n\t1.1: Implement security configuration parameters on network devices and other technologies.<\/b> Candidates are now expected to implement security configuration parameters on Application Aware Devices, including:<\/p>\n \n\t1.2: Given a scenario, use secure network administration principles <\/b> Unified Threat Management replaces “Al in One” Security applications that candidates should know their network administration principles for. 1.3: Explain network design elements and components<\/b> Of the network design elements and components a candidate should know, Layered Security \/ Defense in depth is added, as are several types of cloud computing:<\/p>\n \n\t1.4: Given a scenario, implement common protocols and services<\/b> Also expanded is the list of protocols and services the candidate should be able to implement, now including:<\/p>\n \n\t1.5: Given a scenario, troubleshoot security issues related to wireless networking <\/strong> There are also more security issues to troubleshoot: Captive portals,<\/p>\n \n\t SSID Broadcast now also explicitly mentions disable.<\/p>\n \n\tThere is a lot of new material in this domain, a good but of rearranging of material, as well as an increased focus on scenario analysis. Most noticeably there are three whole new subdomains:<\/p>\n \n\t2.1 Explain the importance of risk related concepts.<\/strong> New risk related concepts to explain are:<\/p>\n \n\t(New)<\/span> 2.2: Summarize the security implications of integrating systems and data with third parties<\/strong> This subdomain focuses on security considerings of working with business parters and social media, which is increasingly crucial as the internet becomes even more interconnected and integrated with APIs and cross-platform interoperability. Besides the basic “privacy considerations”, “risk awareness”, and “data ownership”, this subdomain also focuses on indifferent types of interoperability agreements (SLA, PBA, MOU, and ISA), and also following “security policy and procedures” and reminding candidates to “review agreement requirements and verify compliance and performance standards.” Good stuff. (New) <\/span>2.3: Given a scenario, implement appropriate risk mitigation strategies<\/strong> (Was 2.2 in SY0-301) on risk mitigation is now emphasized as “Given a scenario…” and now includes enforcing technology controls, including Data Loss Prevention (DLP) 2.4: Given a scenario, implement basic forensic procedures<\/strong> Forensic procedures (from 301’s 2.3) has been broken out into its own subdomain, again scenario based. The only new procedure added however, is “Big Data analysis” 2.5: Summarize common incident response procedures<\/strong> This section has the non-forensic procedures from 301’s 2.3, and expands them to include<\/p>\n \n\t2.6: Explain the importance of security related awareness and training<\/strong> This is the same subdomain as 2.5 in 301, expanded to include:<\/p>\n \n\t2.7: Compare and contrast physical security and environmental controls.<\/strong> This merges what was subdomains 2.6 (environmental controls) and 3.6 (physical security) in SY0-301, and also expands on the types of physical security the candidate should be familiar with to include:<\/p>\n \n\tAlso new are Control Types, including<\/p>\n \n\t2.8: Summarize risk management best practices.<\/strong> This section combines 2.5 (business continuity) and 2.7 (disaster recovery) from 301, though there is not much change, only two new business continuity concepts:<\/p>\n \n\t(New)<\/span> 2.9: Given a scenario, select the appropriate control to meet the goals of security.<\/strong> This is a whole new subdomain added for 401, and has four major components:<\/p>\n \n\tThere is some minor additions to this domain, focusing on new types of popular attacks, but it remains primarily the same. 3.1: Explain types of malware <\/strong>New malware to be aware of:<\/p>\n \n\t3.2: Summarize various types of attacks <\/strong>Several types of password attacks are added, including <\/span><\/p>\n \n\t Also new are “Typo squatting\/URL hijacking” and “Watering hole attack” 3.3:. Summarize social engineering attacks and the associated effectiveness with each attack <\/strong>Candidates now have to know the reasons for attack effectiveness, called, “Principles”, including:<\/p>\n \n\t3.4: Explain types of wireless attacks <\/strong>New ones here are:<\/p>\n \n\t3.5: Explain types of application attacks <\/strong>Added for 401 are:<\/p>\n \n\t3.6: Analyze a scenario and select the appropriate type of mitigation and deterrent techniques. <\/strong>Physical security has been moved up to section 2.7, and "Manual bypassing of electronic controls” has been removed entirely. Newly added in “Network Security” are<\/p>\n \n\t3.7 Given a scenario, use appropriate tools and techniques to discover security threats and vulnerabilities. <\/strong>Again a focus on scenario questions. Sniffers are gone from the list of tools, but “Passive vs. active tools” is new. 3.8: Explain the proper use of penetration testing versus vulnerability scanning. <\/strong>Newly added to vulnerability scanning are<\/p>\n \n\tMobile (4.2) makes its broadway debut here, having been merely a brief sub-section of a subdomain in 301. Also expanded are virtualization and cloud\/“big data” concerns. Also new is a subdomain on security risks in static environments. (4.5) 4.1: Explain the importance of application security controls and techniques <\/strong>New here:<\/p>\n\n
\n
\n
\n
\n\t2.0 : Compliance and Operational Security<\/h2>\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n\t3.0: Threats and Vulnerabilities<\/h2>\n
\n
\n
\n
\n
\n
\n
\n
\n\t <\/h2>\n
\n\t4.0: Application, Data and Host Security<\/h2>\n
\n