CompTIA Security+ Cheat Sheet (Updated for Latest Exam)

CompTIA Security+ Cheat Sheet (Updated for Latest Exam)

You’ve made a great choice pursuing the CompTIA Security+ certification if you aspire to work in cyber security. It makes you a catch to employers, but the huge amount of study materials can make this a challenging exam.

This CompTIA Security+ Cheat Sheet is a brief roadmap in your preparation for this crucial exam. It gives you a bird’s-eye view of key concepts and abbreviations in Security+. Owing to Security+’s overlap with Network+, CCNA, and other networking-related certifications, this cheat sheet excludes material on networking, which we encourage you to review separately.

Download this CompTIA Security+ Cheat Sheet here. When you’re ready, let’s dive in.

What Is the CompTIA Security+ Certification?

The CompTIA Security+ certification shows employers that you’ve mastered the fundamental skills to perform essential cyber security functions and pursue a relevant career. Hence, the CompTIA Security+ exam focuses on the day-to-day real-time application of IT security knowledge at work.

You’ll need to answer at most 90 questions in this 90-minute examination and complete a survey after it ends. The passing score is 750 on a scale of 100–900.

The latest CompTIA Security+ exam code is SY0-601. The associated exam is available from November 2020 to sometime in 2023–2024. New topics include supply chain management and the Internet of Things (IoT).

Security+ Domains (SY0-601)

The following illustration shows the assessment criteria and the weighting in this examination:

CompTIA Security+ Domains (SY0-601) - graphic by StationX team
CompTIA Security+ Domains (SY0-601)

This cheat sheet arranges concepts according to the subtopics in our Total Seminars Security+ course, and some topics span several Security+ domains. Hence, we’ve provided you a key to finding items according to Security+ domain:

Hashtag (Remember to type the # symbol)Domain (SY0-601)
#ATVAttacks, Threats, and Vulnerabilities
#ADArchitecture and Design
#practicalImplementation
#opOperations and Incident Response
#riskGovernance, Risk, and Compliance

Type these tags into the search bar to find key points related to a specific domain.

Risk Management

The following topics pertain to real-life applications of cyber security. When you review the abbreviations, think: “Do I comprehend the ideas encapsulated by them?”

DomainConceptElaboration
#ATVThreat ActorVulnerability exploiter
#ATVTTP(Adversary) tactics, techniques, and procedures
#ATVHackerIT infrastructure penetrator
#ATVHacktivistPolitically motivated agent
#ATVScript kiddieExecutor of pre-made programs
#ATVInsiderSaboteur inside an organization
#ATVCompetitor/RivalSaboteur outside an organization but in the same industry
#ATVShadow ITIT systems deployed without the central IT department’s oversight
#ATVCriminal syndicate (organized crime)Profit-driven agent with intent to blackmail
#ATVState actorForeign government agent
#ATVAPTAdvanced persistent threat: long-term intelligence-mining hacking
#ATVOSINTOpen-source intelligence
• Government reports
• Media
• Academic papers
#ATVCVEsCommon Vulnerabilities and Exposures
#ATVAISAutomated Indicator Sharing
#ATVSTIXStructured Threat Information Expression
#ATVTAXIITrusted Automated Exchange of Intelligence Information
#riskGDPRGeneral Data Protection Regulation
#riskPCI DSSPayment Card Industry Data Security Standard
#riskISOInternational Organization for Standardization
#riskCSACloud Security Alliance
#riskAVAsset Value
#riskEFExposure Factor
#riskSLESingle Loss Expectancy = AV × EF
#riskAROAnnualized Rate of Occurrence
#riskALEAnnualized Loss Expectancy = SLE × ARO
#riskBIABusiness impact analysis
#riskMTBFMean time between failures
#riskMTTFMean time to failure
#riskMTTRMean time to repair
#riskRTORecovery time objective
#riskRPORecovery point objective
#riskResidual riskRemaining risk after mitigation
#ATV #riskSupply chain attackTargets insecure elements in the supply chain
Pentesting Team Colors Decoded: red=attack, blue=defense, yellow=build, white=mediator, other colors=combination of these roles - graphic by author
What do terms like “red team” and “blue team” mean in penetration testing?

The primary colors red, blue, and yellow refer to attackers, defenders, and builders of a system respectively. The secondary colors are combinations of these roles. For example, purple team members have dual attack/defense roles. The white team supervises the hack.

Cryptography

The following concepts are about obfuscating data from attackers and restoring them once they reach the intended destination.

DomainConceptElaboration
#ATVCryptographic attack/cryptanalysisFinding weaknesses in the cryptosystem
#ADData at restOn computer storage
#ADData in use/processingIn RAM being accessed
#ADData in transit/motionTraveling along cables or broadcasting wirelessly
#ADSymmetric cipherStreaming:
• RC4
Block:
• DES
• Blowfish
• 3DES
Considerations:
• key length
• block size
• number of rounds
#ADAsymmetric cipherExamples:Diffie-Hellman key exchangeRSAElliptic-curve cryptography
#ADHashingOne-way, deterministic process of transforming a string of characters into another
#ADSaltingCharacters appended to a string (e.g., password) before hashing
#ADSteganographyHide data inside other data
#ADQuantumExploit quantum mechanics
#ADPost-quantumSecure against cryptanalysis by quantum computer
#ADLightweight cryptographySmall footprint, low computational complexity
#ADHomomorphic encryptionMakes performing operations on encrypted data possible
#AD #practicalCACertificate authority
#AD #practicalCRLCertificate revocation list
#AD #practicalStaplingChecks regularly for certificate invalidity
#AD #practicalPinningAssociates certificate against known copy
#AD #practicalTrust model• Direct
• Third-party
• Hierarchical
• Distributed
#AD #practicalKey escrowThird party safeguarding private keys
#AD #practicalCertificate chainingTop-down CA trust model
#AD #practicalDigital signaturePublic key sender verified to own corresponding private key
#practicalP7B√ certificate
√ chain certificates
✕ private key
#practicalP12√ certificate
√ chain certificates
√ private key
#practicalPKIPublic Key Infrastructure
#practicalPKCSPublic Key Cryptography Standards
#ATV #ADBrute-force attackTrying character combinations
Variant: spraying (trying the same password across different accounts)
#ATV #ADDictionary attackUsing lists of probable passwords
#ATV #ADRainbow tablesUsing pre-calculated password hashes
#ATV #ADKey stretchingMethod that strengthens weak passwords

Identity and Account Management

The following concepts deal with methods showing that you are the legitimate owner of an account.

DomainConceptElaboration
#practical #ADMulti-factor Authentication (MFA)Factors:
• Something you know
• Something you have
• Something you are
Attributes:
• Something you do
• Something you exhibit
• Someone you know
• Somewhere you are
#ADEfficacy rate• False acceptance
• False rejection
• Crossover error rate
#AD #practicalAccess control schemes• Attribute-based access control (ABAC)
• Role-based access control
• Rule-based access control
• MAC
• Discretionary access control (DAC)
• Conditional access
• Privileged access management
• Filesystem permissions
#practicalPAPPassword AuthenticationProtocol
#practicalCHAPChallenge-HandshakeAuthentication Protocol
Example: MS-CHAP-v2
#practicalSandboxingLimiting access privileges of an application to minimize its impact on the rest of the system
#AD #practicalIdentity federationDelegate authentication to trusted third party

Tools of the Trade

We omit terminal commands because practice is more important than rote memorization for performance-based questions on Security+.

DomainConceptKey points to review
#opSPANSwitch port analyzer
#opIoCIndicators of Compromise
#opSNMPSimple Network Management Protocol
#opNXLogOpen-source log collection tool
#op #ATVSIEMSecurity Information and Event Management

Securing Individual Systems

The table below lists vital security concepts.

DomainConceptElaboration
#ATVMalware• Virus
• Polymorphic virus
• Fileless virus
• Worm
• Trojan
• Rootkit
• Keylogger
• Adware
• Spyware
• Ransomware
• Bots
• Remote access Trojan (RAT)
• Logic bomb
• Cryptomalware
• Potentially unwanted programs (PUPs)
• Command and control (C2/C&C)
• Keyloggers
• Backdoor
#ATVZero-day attack (ZDI)Previously unknown vulnerability
#ATVDNS SinkholingGive certain domain names invalid addresses
#ATVReplay attackIntercept data and replay later
#ATVPointer/object dereference attackUsing a null-value pointer as if its value is valid to bypass security logic
#ATVDynamic-link Library (DLL) injectionForce-run code in place of other code
#ATVResource exhaustionAttacks using up bandwidth
Examples: DoS, DDoS
#ATVRace conditionsTrying to perform two or more operations that should follow a proper order—clash
#ATVDriver attacks• Driver shimming
• Driver refactoring
#ATVOverflow attacks• Integer overflow
• Buffer overflow
#ATV #AD #practicalSecuring hardware• TPM
• Hardware redundancy
• UPS
• PDU
• Cloud redundancy
#practicalSecuring endpoints• Antivirus/Anti-malware
• EDR
• HIDS
• HIPS
• NGFW
• Allowlist/whitelist
• Block/deny lists,
• blacklist
#ADEmbedded systemCombination of hardware and software for a specific purpose
Examples:
• Raspberry Pi
• Field-programmable gate array (FPGA)
• Arduino
#ADSpecialized systemCombination of mechanical and digital interfaces for specific purposes
Examples:
• Medicine
• Aviation
• Smart meters
#ADInternet of Things (IoT)Network of physical devices
#ADSCADASupervisory control and data acquisition
#ADICSIndustrial control system

The Basic LAN, Securing Wireless LANs, Securing Public Servers

We omit networking topics such as the above in this cheat sheet, and we encourage you to review them independently.

Physical Security

The best security measures are real-world limitations imposed on digital access. Here are a few concepts worth reviewing:

DomainConceptElaboration
#ADAir gapPhysical isolation of secure computer network from unsecured networks
#ADProtected cable distribution (Protected Distribution System)Wired communications system with sufficient physical protection to carry unencrypted classified information without leakage
#ADScreened subnet (demilitarized zone)Five components:
• External network
• External router
• Perimeter network
• Internal router
• Internal network
#ADHot and cold aislesDraw in cool air to equipment, and draw out hot air from equipment
#ADTwo-person integrity/controlContinuous monitoring by at least two authorized individuals, each capable of detecting incorrect or unauthorized security procedures
#ADSecure data destruction• Burning
• Shredding
• Pulping
• Pulverizing
• Degaussing
• Third-party solutions
#ADMonitoring sensors• Motion detection
• Noise detection
• Proximity reader
• Moisture detection
• Cards
• Temperature

Secure Protocols and Applications

This table excludes material overlapping with the Network+ exam objectives.

DomainConceptElaboration
#practicalS/MIMESecure/Multipurpose Internet Mail Extensions
#ATVCross-site request forgery (CSRF/XSRF)Hijack authenticated sessions
#ATVServer-side request forgery (SSRF)Cause servers to make outbound HTTP requests
#ATVCross-site scripting (XSS) attackInject malicious scripts into otherwise benign and trusted websites
#ATV #AD #practicalInjection attackAffects:
• SQL
• LDAP
• XML
#ATV #AD #practicalSecure coding practices• Input validation, sanitation
• Secure Web browser cookies
• HTTP headers
• Code signing
• Trusted components and APIs
#ATV #AD #practicalSoftware development life cycle (SDLC)• Planning
• Defining
• Designing
• Building
• Testing
• Deployment

Testing Infrastructure

This section is about social engineering and penetration testing. Manipulating perception leads to much damage because humans are the weakest link in cyber security.

DomainConceptElaboration
#ATVSocial engineeringPrinciples (reasons for effectiveness):
• Authority
• Intimidation
• Consensus
• Scarcity
• Familiarity
• Trust
• Urgency
#ATVInfluence campaignPropaganda:
• Hybrid warfare
• Social media
#ATVWatering hole attackInfect a trusted website
#ATVSpamMass mailing of unsolicited messages
Variation: Spam over instant messaging (SPIM)
#ATVPhishingAttack by email; single target
#ATVSmishingAttack by SMS text message
#ATVVishingAttack by telephone or voicemail
#ATVSpear phishingAttack by email; multiple targets
#ATVWhalingPhishing that targets high-ranking people, such as C-suite executives
#ATVInvoice scamSolicit payment from fraudulent invoice, often paired with whaling
#ATVDumpster divingRecover information from trash
#ATVShoulder surfingLook over someone’s shoulder, often with a recording device
#ATVTailgatingUnauthorized entity follows authorized party into secured premises
#ATVPiggybackingTailgating with the authorized party’s consent
#ATVCredential harvesting (farming)Attacks to obtain credentials or personal information
#ATVPharmingPhishing + farming; making and redirecting users to a fake website
#ATVPrependingAdding username mentions to social media posts
#ATVPretextingDigital gunpoint with the ransom being one’s private information
#ATVImpersonation,identity fraud/theftAttacks using stolen credentials or personal information
#ATVEliciting informationStrategic casual conversation without coercion to extract information from targets
#ATVReconnaissanceCovert information-gathering
#ATVHoaxFalse alarm
#ATVTyposquattingAttacks using mistyped web addresses
#ATVVulnerability scanningTest for weaknesses
• Passive (monitoring)
• Active
◦ Credentialed
◦ Non‐credentialed
#ATVPenetration testing (pentesting)Actively exploit vulnerabilities
#ATVIntrusive scanDamage-causing pentesting
#ATVBlack boxZero-knowledge pentesting
#ATVWhite boxExtensive-knowledge pentesting
#ATVGray boxPartial-knowledge pentesting
#ATV #practicalFuzzingInput random characters and expect spurious results
#ATVPivotAccess network through vulnerable host—then attack
#ATVPrivilege escalationGet administrator access

Dealing With Incidents

The following is a list of paradigms for handling, preventing, and mitigating cyber security breaches.

DomainConceptElaboration
#opBCPBusiness continuity plan
#opCOOPContinuity of operations
#op #riskDRPDisaster Recovery Plan
#opIRPIncident Response Plan
#opIoCIndicators of Compromise
#opCyber Kill Chain AnalysisTrace steps of a successful hack
#opMITRE ATT&CK FrameworkIdentify attacker techniques
#opDiamond Model of Intrusion Analysis
The Diamond Model of Intrusion Analysis illustrates the relationships among four entities: Adversary, Capabilities, Infrastructure, Victim. - graphic by author using Canva stock image
Show how threat actors (adversaries) exploit capabilities in infrastructure against victims
#op #ATVSecurity Orchestration, Automation, and Response (SOAR)Automate incident responses, thus reducing response time
#AD #opLegal holdProcess to preserve all forms of potentially relevant information for potential litigation
#AD #opChain of custody (CoC)Paper trail of physical and electronic evidence
#AD #opDisaster Recovery Sites• Hot
• Warm
• Cold
#ADRAIDRedundant array of inexpensive disks
#ADUPSUninterruptiblepower supply
#ADPDUsPower distribution units
#ADNASNetwork-attached storage
#ADMultipathHaving multiple physical paths between devices
#ADNetwork interface card (NIC) teamingPhysical network adapters grouped together
#ADLoad balancerDistributes traffic across servers
#ADScalabilityEase of growing and managing increased demand on infrastructure
#ADBackup types• Full
• Copy
• Differential
• Incremental
• Snapshot

Conclusion

This CompTIA Security+ Cheat Sheet is a checklist covering the examination syllabus, and we hope it gives you a bird’s-eye view of non-networking key topics to remember.
Remember that we offer a complete course to passing the Security+ exam and practice exams to test your abilities. No matter how you prepare for it, we wish you success.

Frequently Asked Questions

About The Author

>