CompTIA Security+ SY0-701 Study Guide: Securing Systems and Networks
Course section: Securing Systems and Networks
Estimated course time: 12 hours
Coverage: 4 modules, 80 practice questions
Purpose: Full exam-focused study notes for this Security+ course section. This is original study material, not a transcript, Coursera quiz copy, or real CompTIA exam content.
How To Use This Guide
- Read one module at a time.
- Memorize the high-yield anchors first.
- Work through the module details and lab notes.
- Take the matching practice-question bank.
- Review missed questions by returning to the named section.
- Retest until you can score at least 85%, with 90% or better as the comfort target.
Exam Context
- Exam code: SY0-701
- Official format: up to 90 questions in 90 minutes, with multiple-choice and performance-based items.
- Official passing score: 750 on a 100-900 scaled score. These notes use a stricter local practice target: 85% to pass a practice bank, 90% as the comfort target, and 95% as a strong signal of readiness.
- Official domains: General Security Concepts 12%; Threats, Vulnerabilities, and Mitigations 22%; Security Architecture 18%; Security Operations 28%; Security Program Management and Oversight 20%.
High-Yield Memory Anchors
- Use tools only with authorization: Nmap, Wireshark, tcpdump, PowerShell, bash, benchmark scanners, and log tooling are dual-use.
- Hardening reduces attack surface: patch, remove defaults, disable unnecessary services, restrict privileges, and monitor.
- Firewalls filter. IDS alerts. IPS blocks inline. Proxies mediate. Honeypots deceive and observe.
- PKI supports trust, certificates, TLS, signing, and authentication.
- Zero trust means verify explicitly, use least privilege, and assume breach.
- Wireless security depends on strong encryption, authentication, segmentation, updates, and monitoring.
Course Map
- Tools of the Trade - Security tools turn questions into evidence. The exam expects you to know which tool collects which evidence and how to use output safely. Tools are not magic: authorization, scope, timing, and interpretation matter.
- Securing Individual Systems - Endpoint security combines hardening, monitoring, protection, and recovery. A single workstation can become the path to credentials, lateral movement, data loss, or business disruption.
- Securing The Basic LAN - LAN security is architecture plus enforcement. You need segmentation, trust boundaries, cryptographic protection, monitoring, and secure access paths. The exam often asks where to place a control or which control best addresses a scenario.
- Securing Wireless LANs - Wireless extends the network beyond walls, so authentication, encryption, radio planning, and monitoring matter. The exam focuses on choosing secure standards, identifying attacks, and hardening wireless deployments.
Study Notes
Tools of the Trade
Big Picture
Security tools turn questions into evidence. The exam expects you to know which tool collects which evidence and how to use output safely. Tools are not magic: authorization, scope, timing, and interpretation matter.
Must Know
- Know Windows cmd, PowerShell, Linux shell, Nmap, Wireshark, tcpdump, log files, centralized logging, and benchmark tools.
- Understand the difference between host discovery, port scanning, packet capture, log review, and baseline auditing.
- Recognize why time synchronization matters for log correlation.
- Know that scanning and packet capture require permission and careful handling of sensitive data.
CLI fundamentals
The command line is fast, repeatable, and scriptable. PowerShell passes objects, not text, through its pipeline, which makes it strong for Windows automation and configuration auditing (for example, filtering the output of Get-Process or Get-WinEvent by property). Linux shells chain small text-processing tools such as grep, awk, sort, and cut through pipes and redirection, which is how most quick log triage is done on a server.
Nmap
Nmap discovers live hosts, open ports, service versions, and sometimes OS hints. In exam scenarios, use it when you need to identify exposed services or validate a network's attack surface. Do not confuse it with a vulnerability scanner, which assesses weaknesses, or a packet analyzer, which decodes captured traffic; Nmap's scripting engine can run some checks, but discovery and enumeration are its core job.
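The lab exercise for this tool is to record open ports and compare them with what you expect. As an added example (not part of Nmap or of the course), the following Python parses Nmap's grepable output format (-oG) and reports drift from a baseline: open ports the owner did not expect, and expected ports that are no longer open. The scan text is a constructed sample in that layout, and the hosts, services and BASELINE are assumptions about a lab network you are authorized to scan.

```python
"""Parse Nmap grepable output (-oG) and compare open ports against an expected baseline.

Added example for these study notes, not part of Nmap. The scan text below is a
constructed sample in the -oG layout (tab-separated 'Host:' lines, port entries as
port/state/proto/owner/service/rpc/version/); the hosts, ports and BASELINE are
assumptions about a lab network you are authorized to scan.
"""
import re

SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.0.5 (web.lab)\tStatus: Up
Host: 10.0.0.5 (web.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 80/open/tcp//http//nginx/, 443/open/tcp//http//nginx/, 3306/open/tcp//mysql//MySQL 8.0/\tIgnored State: closed (996)
Host: 10.0.0.9 (db.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 5432/filtered/tcp//postgresql///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# What the owner expects to be reachable, per host (assumption for the lab).
BASELINE = {
    "10.0.0.5": {("tcp", 80), ("tcp", 443)},
    "10.0.0.9": {("tcp", 22)},
}

# One port entry; the version field may contain spaces but not '/' in this sample.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

def parse_grepable(text: str) -> dict:
    """Return {ip: {(proto, port): (state, service, version)}}."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        ports = results.setdefault(ip, {})
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            ports[(proto, int(port))] = (state, service, version)
    return results

def open_ports(scan: dict) -> dict:
    """Only 'open' counts as exposure; 'filtered' means something in the path dropped the probe."""
    return {ip: {key for key, (state, _, _) in ports.items() if state == "open"}
            for ip, ports in scan.items()}

def baseline_drift(scan: dict, baseline: dict) -> dict:
    """Unexpected open ports are new exposure; expected-but-missing ports may be an outage."""
    seen = open_ports(scan)
    drift = {}
    for ip in sorted(set(seen) | set(baseline)):
        unexpected = seen.get(ip, set()) - baseline.get(ip, set())
        missing = baseline.get(ip, set()) - seen.get(ip, set())
        if unexpected or missing:
            drift[ip] = {"unexpected": sorted(unexpected), "missing": sorted(missing)}
    return drift

if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for ip, findings in baseline_drift(scan, BASELINE).items():
        print(ip, findings)
```

On the sample, the web host shows SSH and MySQL open that the baseline does not list; that is the finding to take to the owner. The filtered PostgreSQL port on the database host is not an exposure from the scanner's vantage point, which is exactly why a scan result is a snapshot from one position and not permanent truth.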
Wireshark and tcpdump
Packet capture answers what actually crossed the wire. Wireshark is graphical and rich for protocol decoding. tcpdump is lightweight and useful on servers. Captures may contain credentials, tokens, and personal data, so protect them.
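The DNS lab exercise asks you to identify the query, response, source, destination, and protocol. Decoding the application layer is what Wireshark does for you; as an added example (not Wireshark or tcpdump code), the following Python decodes a DNS query and its reply from raw bytes, including the RFC 1035 name-compression pointer that a response uses to refer back to the question name. Both messages are constructed in the file, so the transaction ID, the name www.example.com, and the answer 192.0.2.10 are assumptions rather than captured traffic.

```python
"""Decode a DNS query and its response from raw bytes, as a packet analyzer does.

Added example for these study notes, not Wireshark or tcpdump code. The two
messages are constructed in this file (the transaction ID, the name
www.example.com and the answer 192.0.2.10 are assumptions), so it runs without a
capture file.
"""
import struct

def read_name(msg: bytes, offset: int) -> tuple:
    """Return (name, offset_after_name), following RFC 1035 compression pointers."""
    labels, after, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # 2-byte pointer, top bits 11
            if after is None:
                after = offset + 2
            jumps += 1
            if jumps > 16:                  # refuse pointer loops in malformed packets
                raise ValueError("compression pointer loop")
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (after if after is not None else offset)

def decode_dns(msg: bytes) -> dict:
    """Parse header, question section and answer records (A records rendered as dotted quads)."""
    tid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    questions, answers = [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        data = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": tid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}

def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"

# Constructed sample: a recursive query for www.example.com (type A) and the reply,
# whose answer name is a pointer (0xC00C) back to offset 12, the question name.
QUERY = (struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0)
         + encode_name("www.example.com") + struct.pack("!HH", 1, 1))
RESPONSE = (struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)
            + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
            + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))

def matches(query: bytes, response: bytes) -> bool:
    """A reply belongs to a query only if the transaction ID and the question agree."""
    q, r = decode_dns(query), decode_dns(response)
    return r["is_response"] and q["id"] == r["id"] and q["questions"] == r["questions"]
```

Source and destination addresses and the UDP/TCP header live in the layers below this payload, which is why a capture tool shows them separately. The transaction ID check in matches() is the same pairing logic an analyzer uses to show a query next to its reply, and it is also why a 16-bit ID alone is a thin defense against spoofed responses.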
Logs and centralized logging
Local logs are useful, but centralized logging improves retention and correlation. Security teams use SIEM-like workflows to correlate authentication, endpoint, firewall, DNS, and application events.
Benchmark tools
CIS-style benchmarks and configuration assessment tools compare systems to secure baselines. They help find drift, insecure defaults, and hardening gaps.
Time and evidence
NTP and consistent time zones matter because investigations depend on event sequence. A correct alert with the wrong time can mislead responders, and two sources that each log in their own local time can make the second event in a chain look like the first. Normalize every timestamp to UTC before correlating across sources.
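As an added example (not from the course or any product), the Python below shows that normalization step on three constructed log lines from hosts that each use a different convention: one logs in UTC, one writes an explicit offset, and one writes bare local time. The host names, the messages, and the zone assumed for the source that omits one are assumptions.

```python
"""Normalize log timestamps from different sources to UTC before ordering them.

Added example for these study notes, not code from any course, product or vendor.
The three log lines are constructed; the host names and zone assignments are
assumptions about a lab network.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: one event per source, each in that source's own convention.
# fw01 logs in UTC ('Z'), ws-42 writes an explicit offset, web01 writes local time
# with no zone at all (the dangerous case).
SAMPLE_EVENTS = [
    ("fw01",  "2024-03-10T02:05:00Z",      "firewall: allow 10.0.5.20 -> 10.0.9.10:5432"),
    ("web01", "2024-03-09 21:04:30",       "sshd: Accepted password for deploy from 10.0.5.20"),
    ("ws-42", "2024-03-10T03:03:55+01:00", "winlogon: interactive logon for alice"),
]

# Zone to assume for sources that omit one. A fixed offset is used here so the
# example runs anywhere; production tooling should map to an IANA zone name
# (zoneinfo.ZoneInfo) so daylight-saving changes are handled.
SOURCE_ZONES = {"web01": timezone(timedelta(hours=-5), "EST")}

def parse_to_utc(source: str, stamp: str) -> datetime:
    """Return an aware UTC datetime for one log timestamp."""
    if stamp.endswith("Z"):
        dt = datetime.fromisoformat(stamp[:-1]).replace(tzinfo=timezone.utc)
    else:
        dt = datetime.fromisoformat(stamp)  # accepts '2024-03-09 21:04:30' and '...+01:00'
    if dt.tzinfo is None:
        zone = SOURCE_ZONES.get(source)
        if zone is None:
            raise ValueError(f"{source}: timestamp has no zone and no configured default")
        dt = dt.replace(tzinfo=zone)
    return dt.astimezone(timezone.utc)

def order_events(events):
    """Return (utc_time, source, message) sorted by the real event time."""
    return sorted((parse_to_utc(src, stamp), src, msg) for src, stamp, msg in events)

def naive_order(events):
    """The mistake: sorting raw timestamp strings as if they shared one zone."""
    return [src for src, stamp, _ in sorted(events, key=lambda e: e[1])]

if __name__ == "__main__":
    for when, src, msg in order_events(SAMPLE_EVENTS):
        print(when.isoformat(), src, msg)
    print("naive order:", naive_order(SAMPLE_EVENTS))
```

With the zones applied, the workstation logon comes first, then the SSH login on the web server, then the firewall allowing the web server to the database: a plausible lateral-movement chain. Sorting the raw strings puts the SSH login first and the workstation logon last, which would send a responder to the wrong host.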
Hands-On Practice
- Run Nmap only against a lab host you own. Record open ports and expected services.
- Capture DNS traffic in a lab and identify the query, response, source, destination, and protocol.
- Review Windows Event Viewer or Linux auth logs and identify successful and failed login events.
Exam Traps
- Nmap is not Wireshark.
- A scan result is a snapshot, not permanent truth.
- A benchmark failure is a finding to evaluate, not always an emergency.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Securing Individual Systems
Big Picture
Endpoint security combines hardening, monitoring, protection, and recovery. A single workstation can become the path to credentials, lateral movement, data loss, or business disruption.
Must Know
- Classify malware types and common endpoint attack paths.
- Recognize weak configurations and insecure defaults.
- Understand password attacks, overflow attacks, and botnets.
- Know what RAID does and does not do.
- Apply endpoint hardening: patching, EDR/AV, firewall, disk encryption, least privilege, secure boot, and configuration baselines.
Malware categories
Viruses attach to files, worms self-propagate, trojans masquerade as legitimate software, ransomware denies access for payment, spyware collects information, rootkits hide activity, and logic bombs trigger under conditions.
Weak configuration
Common weaknesses include default credentials, exposed admin interfaces, unnecessary services, permissive file shares, missing patches, weak TLS, open storage buckets, and excessive local admin rights.
Password attacks
Brute force tries many possibilities against one account, dictionary attacks use wordlists, password spraying tries a few common passwords against many accounts to stay under lockout thresholds, credential stuffing reuses credentials leaked from other breaches, and offline cracking attacks stolen password hashes without touching the target's login endpoint.
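The two online patterns leave different fingerprints in an authentication log: brute force is many failures against one or two accounts from one source, spraying is one or two failures each across many accounts from one source. As an added example (not from any product or the course), the Python below applies that distinction to a constructed sample of sshd log lines; the hosts, usernames, addresses and thresholds are assumptions, and the thresholds are starting points to tune, not standards.

```python
"""Classify failed-login patterns in an auth log: brute force vs password spraying.

Added example for these study notes, not from any product. The log lines are a
constructed sample in OpenSSH's sshd format; the hosts, users and addresses are
assumptions, and the thresholds are tunable starting points, not standards.
"""
import re
from collections import defaultdict

SAMPLE_AUTH_LOG = """\
Mar 10 02:01:01 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 10 02:01:02 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 10 02:01:02 web01 sshd[1205]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 02:01:03 web01 sshd[1207]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar 10 02:01:04 web01 sshd[1209]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 10 02:01:04 web01 sshd[1211]: Failed password for root from 203.0.113.7 port 50127 ssh2
Mar 10 02:05:10 web01 sshd[1300]: Failed password for invalid user alice from 198.51.100.9 port 41000 ssh2
Mar 10 02:05:11 web01 sshd[1301]: Failed password for bob from 198.51.100.9 port 41001 ssh2
Mar 10 02:05:12 web01 sshd[1302]: Failed password for carol from 198.51.100.9 port 41002 ssh2
Mar 10 02:05:13 web01 sshd[1303]: Failed password for dave from 198.51.100.9 port 41003 ssh2
Mar 10 02:05:14 web01 sshd[1304]: Failed password for deploy from 198.51.100.9 port 41004 ssh2
Mar 10 02:05:15 web01 sshd[1305]: Accepted password for deploy from 198.51.100.9 port 41005 ssh2
Mar 10 02:09:00 web01 sshd[1400]: Failed password for alice from 10.0.5.20 port 52000 ssh2
Mar 10 02:09:05 web01 sshd[1401]: Accepted publickey for alice from 10.0.5.20 port 52001 ssh2
"""

# Matches the constructed lines above; real sshd emits other forms as well.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port"
)

def summarize_by_source(log: str) -> dict:
    """Per source IP: failure count, distinct usernames tried, and logins that succeeded after failures."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "succeeded_as": []})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        entry = stats[ip]
        if outcome == "Failed":
            entry["failed"] += 1
            entry["users"].add(user)
        elif entry["failed"] > 0:
            entry["succeeded_as"].append(user)   # a success following failures from the same source
    return stats

def classify(entry: dict, min_failures: int = 5, spray_users: int = 4) -> str:
    """Many failures on few accounts = brute force; few failures each across many accounts = spraying."""
    users, failed = len(entry["users"]), entry["failed"]
    if failed < min_failures:
        return "normal"
    if users >= spray_users and failed / users <= 2:
        return "spraying"
    if users <= 2:
        return "brute_force"
    return "mixed"

def report(log: str) -> dict:
    """Return {ip: {"pattern", "failed", "users", "succeeded_as"}} for every source seen."""
    out = {}
    for ip, entry in summarize_by_source(log).items():
        out[ip] = {"pattern": classify(entry), "failed": entry["failed"],
                   "users": len(entry["users"]), "succeeded_as": entry["succeeded_as"]}
    return out
```

The log never shows which password was tried, so the spray is inferred from the account spread rather than from the password itself. The most important line in the sample is the one that does not look like an attack at all: the accepted password for deploy right after five spread-out failures from the same address, which is what a successful spray looks like and why the report keeps succeeded_as.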
Overflow attacks
Buffer overflows exploit memory handling errors. Modern protections such as ASLR, DEP, stack canaries, patching, and safe languages reduce risk but do not remove the need for secure coding.
Botnets
A botnet is a group of compromised devices controlled by an operator. It can support DDoS, credential attacks, spam, fraud, and proxying. IoT devices with weak defaults are common targets.
RAID and backups
RAID improves disk availability or performance depending on level, but it does not replace backups. RAID will not save you from deletion, corruption, ransomware, or site loss.
Endpoint encryption
Full-disk encryption protects data at rest if a device is lost or stolen. It is strongest when paired with TPM, strong authentication, recovery-key management, and screen-lock policies.
Hands-On Practice
- Build a workstation hardening checklist with patching, services, accounts, firewall, encryption, and logging.
- Compare RAID 0, 1, 5, 6, and 10 for availability and capacity tradeoffs.
- Review a mock incident where default credentials led to compromise and list the preventive controls.
Exam Traps
- RAID is not backup.
- Antivirus alone is not endpoint hardening.
- Weak configuration is often more important than exotic malware.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Securing The Basic LAN
Big Picture
LAN security is architecture plus enforcement. You need segmentation, trust boundaries, cryptographic protection, monitoring, and secure access paths. The exam often asks where to place a control or which control best addresses a scenario.
Must Know
- Understand certificates, PKI, trust models, and certificate validation.
- Recognize ARP poisoning, Layer 2 attacks, VLAN misuse, and segmentation needs.
- Know zero trust, firewalls, proxies, NAT, IPsec, VPNs, IDS/IPS, honeypots, and load balancers.
- Understand secure network architecture planning and documentation.
- Connect cryptographic methods to data protection and network protocols.
Certificates and PKI
Certificates bind identities to public keys. PKI includes CAs, RAs, certificate policies, issuance, renewal, revocation (CRL and OCSP), and trust chains. Common certificate problems include expiration, hostname mismatch against the subject alternative names, untrusted or self-signed issuer, weak key, and missing private-key protection.
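The lab exercise later in this module asks you to read a certificate warning and say whether it is expired, untrusted, or name-mismatched. As an added example (not the validation code of any TLS library, which also walks the chain, verifies signatures and checks revocation), the Python below classifies those problems on certificates represented as plain dicts, including the wildcard matching rules that decide a name mismatch. The certificates, dates, hostnames and the "Lab Root CA" issuer are constructed assumptions.

```python
"""Classify common certificate problems: expiry, hostname mismatch, untrusted issuer, weak key.

Added example for these study notes; it is not the validation logic of any TLS
library, which also walks the chain and checks signatures and revocation. The
certificates are plain dicts constructed here (names, dates and the 'Lab Root CA'
issuer are assumptions) so the checks run without real X.509 parsing.
"""
from datetime import datetime, timezone

def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: '*' only as the whole leftmost label, covering exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject 'w*.example', wildcards in inner labels, and '*.tld' (real clients use a public suffix list).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def check_certificate(cert: dict, hostname: str, trusted_issuers: set, now: datetime) -> list:
    """Return the problems a client would report, in the order they are checked here."""
    problems = []
    if now < cert["not_before"]:
        problems.append("not_yet_valid")
    if now > cert["not_after"]:
        problems.append("expired")
    names = cert.get("san") or [cert["subject_cn"]]    # modern clients ignore the CN when SANs exist
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("name_mismatch")
    if cert["issuer"] not in trusted_issuers:
        problems.append("untrusted_issuer")
    if cert.get("rsa_bits", 2048) < 2048:
        problems.append("weak_key")
    return problems

# Constructed sample certificates (assumptions for a lab).
TRUSTED = {"Lab Root CA"}
GOOD_CERT = {"subject_cn": "app.lab.example", "san": ["app.lab.example", "*.lab.example"],
             "issuer": "Lab Root CA", "rsa_bits": 2048,
             "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
             "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc)}
SELF_SIGNED = dict(GOOD_CERT, san=["app.lab.example"], issuer="app.lab.example", rsa_bits=1024)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LATER = datetime(2025, 6, 1, tzinfo=timezone.utc)
```

Two details carry the exam points: a wildcard covers one label only, so *.lab.example does not cover deep.app.lab.example, and a self-signed certificate is not "invalid" in the sense of being broken; it simply chains to no issuer the client trusts, which is the same warning category a private CA produces on a device that has not been given that CA's root.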
Layer 2 risks
ARP poisoning, MAC flooding, VLAN hopping, rogue DHCP, and MAC or IP spoofing exploit local trust assumptions: hosts on a segment believe whatever their neighbors announce. Mitigations include DHCP snooping, dynamic ARP inspection, port security, disabling unused ports, restricting trunking and native VLANs, and segmentation.
Zero trust architecture
Zero trust removes implicit trust based on network location. It emphasizes explicit verification, continuous evaluation, least privilege, device posture, strong identity, segmentation, and monitoring.
Firewalls
Firewalls enforce traffic policy. Host firewalls protect individual systems; network firewalls protect boundaries or segments; stateful firewalls track sessions; application-aware devices understand higher-layer behavior.
Proxies and filtering
Forward proxies mediate outbound client traffic. Reverse proxies front-end servers. Proxies may filter URLs, inspect content, cache, authenticate, or provide application-layer protection.
NAT and PAT
NAT rewrites addressing information, commonly translating private internal addresses to public connectivity. PAT maps many internal sessions to one public address using ports. NAT is not a security boundary by itself.
VPNs and IPsec
VPNs protect traffic across untrusted networks. IPsec works at the network layer: ESP provides confidentiality and integrity, AH provides integrity only, and tunnel mode wraps the whole original packet while transport mode protects only the payload. Site-to-site VPNs connect networks; remote-access VPNs connect users. Split tunneling sends only corporate traffic through the tunnel, which improves performance but bypasses corporate inspection for the rest.
IDS and IPS
IDS is usually out-of-band or passive and alerts on suspicious activity. IPS is inline and can block. Both may use signatures, behavior, heuristics, or anomaly detection.
Honeypots
Honeypots are decoys used for detection, deception, and intelligence. They must be isolated and monitored so they do not become an attacker platform.
Hands-On Practice
- Draw a small LAN with user VLAN, server VLAN, guest Wi-Fi, firewall, IDS/IPS, and management network.
- Write firewall rules for public web access while blocking direct database access.
- Review a certificate warning and identify whether it is expired, untrusted, or name-mismatched.
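For the firewall rule exercise above, the thing the exam most often tests is not the syntax but the ordering: rules are evaluated top to bottom, the first match wins, and the list ends in an explicit deny. As an added example (not the syntax of any firewall product), the Python below evaluates such a policy for a small lab network and flags rules that can never fire because an earlier rule shadows them. The zones, addresses and rules are assumptions; a production rule set would also be stateful and log its denies.

```python
"""First-match firewall policy: public web in, direct database access blocked.

Added example for these study notes, not the syntax of any firewall product. The
zones, addresses and rules are assumptions about a small lab network; real rule
sets should also be stateful (allow established return traffic) and log denies.
"""
from ipaddress import ip_address, ip_network

# Named segments; anything that matches none of them is treated as the internet.
ZONES = {
    "dmz": ip_network("10.0.5.0/24"),       # public-facing web tier
    "servers": ip_network("10.0.9.0/24"),   # database tier
    "mgmt": ip_network("10.0.1.0/24"),
}

# (action, src_zone, dst_zone, proto, dst_port); the first rule that matches wins.
RULES = [
    ("allow", "internet", "dmz", "tcp", 443),       # users reach the web app
    ("allow", "dmz", "servers", "tcp", 5432),       # only the web tier reaches the database
    ("allow", "mgmt", "any", "tcp", 22),            # administration from the management segment
    ("deny", "any", "servers", "any", None),        # nothing else touches the server segment
    ("deny", "any", "any", "any", None),            # explicit default deny
]

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")

def _covers(rule_value, other) -> bool:
    """'any' (or None for ports) covers everything; otherwise values must be equal."""
    return rule_value in ("any", None) or rule_value == other

def evaluate(rules, src_ip, dst_ip, proto, dst_port):
    """Return (action, rule_index) for the first matching rule, or ('deny', None) if none matched."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for i, (action, r_src, r_dst, r_proto, r_port) in enumerate(rules):
        if (_covers(r_src, src) and _covers(r_dst, dst)
                and _covers(r_proto, proto) and _covers(r_port, dst_port)):
            return action, i
    return "deny", None       # implicit default deny when the list is exhausted

def shadowed_rules(rules) -> list:
    """Indexes of rules that can never match because an earlier rule covers every packet they would."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if all(_covers(e, l) for e, l in zip(earlier[1:], later[1:])):
                shadowed.append(j)
                break
    return shadowed

if __name__ == "__main__":
    print(evaluate(RULES, "198.51.100.4", "10.0.9.10", "tcp", 5432))   # internet to database: deny
    print(evaluate(RULES, "10.0.5.10", "10.0.9.10", "tcp", 5432))      # web tier to database: allow
```

Moving the "deny anything to servers" rule to the top looks harmless but silently breaks the application, because the web-to-database allow below it can no longer match. shadowed_rules() catches that class of mistake before a change is pushed.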
Exam Traps
- NAT is not encryption.
- IDS does not block by default; IPS can.
- A valid certificate chain does not guarantee the application is safe.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Securing Wireless LANs
Big Picture
Wireless extends the network beyond walls, so authentication, encryption, radio planning, and monitoring matter. The exam focuses on choosing secure standards, identifying attacks, and hardening wireless deployments.
Must Know
- Prefer WPA3 or strong WPA2-AES/CCMP; avoid WEP and weak PSKs.
- Know personal vs enterprise authentication at a high level.
- Recognize evil twin, rogue AP, deauthentication, jamming, weak passphrase, and captive portal attacks.
- Understand Bluetooth, RFID, and NFC risk at a conceptual level.
- Apply hardening: disable WPS, update firmware, segment guests, use strong auth, monitor, and tune coverage.
Wi-Fi encryption standards
WEP is obsolete and broken. WPA2 with AES/CCMP remains common; its weakness in personal mode is that a captured four-way handshake can be attacked offline against a wordlist, so the passphrase strength is the whole defense. WPA3-Personal replaces the pre-shared-key handshake with SAE, which resists offline dictionary attacks and provides forward secrecy. Enterprise deployments commonly use 802.1X with RADIUS-backed authentication, so each user or device has its own credential instead of one shared secret.
Wireless discovery and attacks
Attackers may create evil twin APs, deploy rogue APs, force deauthentication, jam radio frequencies, capture handshakes, or trick users into credential portals. Hiding an SSID is not meaningful security.
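The "capture handshakes" attack above is worth seeing in code, because it explains why WPS, short passphrases and shared PSKs are all on the checklist. As an added example (not code from any wireless tool), the Python below implements the IEEE 802.11i key derivation for WPA2-Personal: PMK from the passphrase and SSID with PBKDF2, PTK from the PMK and the handshake's public values, and the MIC the client places in handshake message 2. Given one captured handshake, every candidate passphrase can be tested offline with no further contact with the network. The SSID, passphrase, MAC addresses, nonces and EAPOL bytes are constructed here; run this kind of check only against networks you own or are authorized to test.

```python
"""Why a weak WPA2-Personal passphrase falls to an offline attack on a captured handshake.

Added example for these study notes. It implements the IEEE 802.11i key derivation
(PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32); PTK via the 802.11i PRF;
MIC = HMAC-SHA1-128 over the EAPOL frame with a zeroed MIC field, i.e. key
descriptor version 2) and is not code from any wireless tool. The SSID,
passphrase, MAC addresses, nonces and EAPOL bytes are constructed here; run
this kind of check only against networks you own or are authorized to test.
"""
import hashlib
import hmac

def derive_pmk(ssid: str, passphrase: str) -> bytes:
    """Pairwise Master Key. The 4096 PBKDF2 rounds are what make each guess cost something."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the PMK plus the public values seen in the 4-way handshake."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(ptk: bytes, eapol_frame_with_zero_mic: bytes) -> bytes:
    """KCK is the first 16 bytes of the PTK; the MIC is the first 16 bytes of HMAC-SHA1 over the frame."""
    return hmac.new(ptk[:16], eapol_frame_with_zero_mic, hashlib.sha1).digest()[:16]

def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_zeroed, captured_mic, wordlist):
    """Offline dictionary attack: each candidate is checked against the capture, never the network."""
    for candidate in wordlist:
        ptk = derive_ptk(derive_pmk(ssid, candidate), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk, eapol_zeroed), captured_mic):
            return candidate
    return None

# Constructed lab capture (assumptions, not real traffic). The EAPOL bytes are a
# stand-in for handshake message 2 with its 16-byte MIC field already zeroed.
LAB = {
    "ssid": "lab-wifi",
    "ap_mac": bytes.fromhex("02000000aa01"),
    "sta_mac": bytes.fromhex("02000000bb02"),
    "anonce": bytes(range(32)),
    "snonce": bytes(range(32, 64)),
    "eapol_zeroed": bytes.fromhex("0103005f02010a00") + bytes(87),
}

def lab_capture(passphrase: str) -> bytes:
    """What the attacker reads from the capture: the MIC the client computed with the true passphrase."""
    ptk = derive_ptk(derive_pmk(LAB["ssid"], passphrase),
                     LAB["ap_mac"], LAB["sta_mac"], LAB["anonce"], LAB["snonce"])
    return eapol_mic(ptk, LAB["eapol_zeroed"])
```

The cost per guess is dominated by the 4096-round PBKDF2, which is slow enough to matter for a long random passphrase and irrelevant for a word that appears in any wordlist; GPU rigs test millions of candidates per hour. WPA3's SAE removes the offline check entirely, because nothing in the captured exchange lets an attacker verify a passphrase guess without interacting with the access point for each attempt.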
Coverage and performance
Too much signal leakage can increase exposure, while poor coverage can cause roaming problems and support calls. Channel planning, power tuning, antenna choice, and site surveys help.
Bluetooth, RFID, and NFC
Short-range technologies can still expose pairing, tracking, relay, or skimming risks. Disable unused radios, use strong pairing, and segment or monitor dedicated device networks.
Wireless segmentation
Guest Wi-Fi should be isolated from internal systems. IoT and unmanaged wireless devices often deserve separate VLANs and firewall policy.
Hands-On Practice
- Inventory wireless SSIDs and document intended users, authentication, VLAN, and internet/internal access.
- Review router/AP settings in a lab and identify insecure defaults.
- Sketch how guest Wi-Fi should be segmented from corporate systems.
Exam Traps
- WPS convenience often creates risk.
- SSID hiding is not a substitute for encryption and authentication.
- Open Wi-Fi is not encrypted just because the website later uses HTTPS.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Final Review Checklist
- I can map the course topics to the SY0-701 domains.
- I can explain each major control in plain language and identify whether it is preventive, detective, corrective, deterrent, compensating, managerial, operational, technical, or physical.
- I can answer scenario questions by identifying the asset, threat, vulnerability, impact, and best next action.
- I can distinguish implementation/tool questions from governance/process questions.
- I can describe how I would perform labs safely and only with authorization.
- I can score at least 85% locally and preferably 90% or better across multiple randomized tests.
Deep Review Tables
Tool Selection Table
| Task | Tool Or Source | Reason |
|---|---|---|
| Identify open ports on an authorized host | Nmap | Discovers exposed services |
| Inspect packet contents | Wireshark | Decodes protocols in a GUI |
| Capture packets on a headless Linux server | tcpdump | Lightweight command-line capture |
| Audit Windows configuration | PowerShell | Scriptable object-based administration |
| Analyze failed SSH logins | Linux auth logs | Shows authentication events |
| Correlate firewall and endpoint alerts | Centralized logging/SIEM | Combines multiple evidence sources |
| Compare server settings to hardening guidance | Benchmark tool | Finds configuration drift |
Endpoint Hardening Checklist
| Area | Baseline Action | Exam Reason |
|---|---|---|
| Patching | Apply OS, application, firmware, and driver updates | Removes known vulnerabilities |
| Accounts | Remove local admin where not needed | Enforces least privilege |
| Services | Disable unused services and ports | Reduces attack surface |
| Malware defense | Use EDR/AV and behavior monitoring | Detects or blocks suspicious activity |
| Firewall | Enable host firewall rules | Limits inbound and outbound exposure |
| Disk protection | Use full-disk encryption | Protects lost or stolen devices |
| Configuration | Apply secure baseline | Reduces weak defaults |
| Logging | Enable useful security logs | Supports detection and forensics |
| Recovery | Maintain tested backups | Supports restoration after failure or attack |
Network Control Placement
| Need | Control | Placement Cue |
|---|---|---|
| Block internet to database | Firewall rule | Between trust zones or on host |
| Inspect malicious traffic inline | IPS | In path of traffic |
| Alert on suspicious mirrored traffic | IDS | Connected to tap/SPAN/mirror |
| Mediate outbound web browsing | Forward proxy | Between clients and internet |
| Protect public web app | Reverse proxy/WAF | In front of application |
| Isolate guest Wi-Fi | VLAN and firewall policy | Separate network segment |
| Detect attacker interaction | Honeypot | Isolated decoy network |
| Secure remote user access | VPN/ZTNA | Remote access boundary |
Wireless Security Checklist
| Area | Secure Choice | Avoid |
|---|---|---|
| Encryption | WPA3 or WPA2-AES/CCMP | WEP, TKIP, open networks for sensitive access |
| Authentication | Enterprise 802.1X where appropriate | Shared PSKs for large organizations |
| Convenience features | Disable WPS | Push-button enrollment on production networks |
| Guest access | Segment and restrict | Same VLAN as internal systems |
| Firmware | Keep APs updated | Unsupported AP firmware |
| Monitoring | Watch rogue APs and evil twins | Assuming hidden SSID is security |
| RF design | Use site surveys and channel planning | Excessive leakage or co-channel interference |
Protocol And Port Awareness
Security+ is not primarily a port-memorization exam, but you should recognize common services in scenarios and know why the secure replacement matters:
- SSH replaces Telnet for encrypted remote administration.
- HTTPS protects web sessions with TLS.
- SFTP or FTPS replaces cleartext FTP for file transfer.
- SNMPv3 adds authentication and encryption compared with older community-string use.
- DNS is essential and often abused, so DNS logs and filtering can be security evidence.
- RDP should be restricted, monitored, and protected with MFA/VPN/ZTNA rather than exposed broadly.
Scenario Drills
- Users report slow Wi-Fi and disconnects in one area. Think coverage, interference, channel plan, power, and AP placement before assuming compromise.
- A server has many failed logins from one username across many passwords. That looks like brute force. One password across many accounts looks like spraying.
- A sensor only alerts from mirrored traffic. That is IDS behavior. A device dropping malicious traffic inline is IPS behavior.
- A database is not directly exposed to the internet but is reachable from a compromised web server. Segmentation and least privilege matter inside the LAN.
- A scan finds open SSH on a public host. The next action depends on business need, source restrictions, authentication, patching, and monitoring.
Command And Evidence Quick Reference
Use these as recognition anchors for exam scenarios. You do not need to memorize every switch, but you should know which command family fits the evidence need.
| Need | Windows Direction | Linux Direction | Evidence Produced |
|---|---|---|---|
| View IP configuration | ipconfig /all | ip addr or ifconfig | Addresses, gateways, DNS hints |
| Test reachability | ping | ping | Basic ICMP reachability and latency |
| Trace path | tracert | traceroute or tracepath | Hop-by-hop routing path |
| View listening ports and active connections | netstat or Get-NetTCPConnection | ss or netstat | Ports, protocols, process hints |
| Resolve DNS | nslookup | dig or nslookup | Name resolution records |
| Review logs | Event Viewer or Get-WinEvent | journalctl, auth.log, syslog | Authentication and system evidence |
| Check processes | Task Manager or Get-Process | ps, top | Running process state |
| Inspect firewall | Windows Defender Firewall tools | iptables, nftables, ufw, firewalld | Host traffic policy |
Evidence Handling For Tool Output
- Record the time, host, command, and user when collecting evidence.
- Preserve original logs where possible and work from copies for analysis.
- Avoid running intrusive scans against fragile systems without approval.
- Sanitize packet captures before sharing because they may contain credentials, tokens, or personal data.
- Pair tool output with business context before deciding severity.
More Scenario Drills
- A packet capture shows cleartext credentials. Identify the insecure protocol and recommend an encrypted replacement.
- A benchmark report flags local administrator membership. Tie the finding to least privilege and account review.
- A host firewall blocks inbound traffic, but the application still cannot reach a database. Check outbound policy, network firewall rules, DNS, routing, and service status.
- A wireless client connects but cannot get an IP address. Investigate DHCP scope, VLAN tagging, relay, firewall, and AP-to-switch trunk configuration.
- A vulnerability scanner reports a missing patch on a domain controller. Prioritize with asset criticality and maintenance/change-management requirements.