CompTIA Security+ SY0-701 Study Guide: Security Fundamentals and Identity Management
Course section: Security Fundamentals and Identity Management
Estimated course time: 8 hours
Coverage: 5 modules, 75 practice questions
Purpose: Full exam-focused study notes for this Security+ course section. This is original study material, not a transcript, Coursera quiz copy, or real CompTIA exam content.
How To Use This Guide
- Read one module at a time.
- Memorize the high-yield anchors first.
- Work through the module details and lab notes.
- Take the matching practice-question bank.
- Review missed questions by returning to the named section.
- Retest until you can score at least 85%, with 90% or better as the comfort target.
Exam Context
- Exam code: SY0-701
- Official format: up to 90 questions in 90 minutes, with multiple-choice and performance-based items.
- Official passing score: 750 on a 100-900 scaled score. The app uses 85% as a stricter local practice pass target, 90% as the comfort target, and 95% as a strong signal.
- Official domains: General Security Concepts 12%; Threats, Vulnerabilities, and Mitigations 22%; Security Architecture 18%; Security Operations 28%; Security Program Management and Oversight 20%.
High-Yield Memory Anchors
- CIA triad: confidentiality controls access, integrity protects correctness, availability keeps services usable.
- Risk is likelihood times impact in plain language; treatment is avoid, transfer, mitigate, accept, or share.
- Controls have both type and function: managerial, operational, technical, physical; preventive, detective, corrective, deterrent, compensating.
- Hashing is not encryption. Hashing supports integrity and password storage; encryption supports confidentiality.
- MFA requires factors from different categories. Two passwords are not MFA.
- Authorization happens after authentication. Accounting records what happened.
Course Map
- Getting Started with CompTIA Security+ (SY0-701) - Security+ is an applied security exam. It rewards candidates who can choose a control, process, or tool for a scenario rather than merely reciting definitions. Treat each topic as a decision point: what asset is at risk, what threat is active, what control reduces the risk, and what evidence proves the control worked?
- Risk Management - Risk management connects technical security to business outcomes. A vulnerability is not automatically the top priority; priority depends on asset value, exposure, likelihood, impact, existing controls, compliance requirements, and business tolerance.
- Foundations of Cryptography - Cryptography protects confidentiality, integrity, authentication, and non-repudiation when implemented correctly. The exam usually tests which cryptographic tool fits the job and what can go wrong when keys, algorithms, or protocols are weak.
- Physical Security - Physical access often bypasses logical controls. Security+ expects you to connect facilities controls, environmental protections, and hardware threats to confidentiality, integrity, and availability.
- Identity and Account Management - Identity is the control plane for modern security. The exam expects you to distinguish identification, authentication, authorization, and accounting, then apply MFA, federation, account lifecycle, and network authentication to realistic access problems.
Study Notes
Getting Started with CompTIA Security+ (SY0-701)
Big Picture
Security+ is an applied security exam. It rewards candidates who can choose a control, process, or tool for a scenario rather than merely reciting definitions. Treat each topic as a decision point: what asset is at risk, what threat is active, what control reduces the risk, and what evidence proves the control worked?
Must Know
- Know the five SY0-701 domains and their weights.
- Practice under time pressure: roughly one minute per question, with extra time reserved for PBQ-style scenarios.
- Expect wording that asks for BEST, FIRST, MOST likely, or NEXT action.
- Separate official scaled scoring from local practice percentages. The local target is intentionally higher.
Exam strategy
Read the final sentence first when a question is long. Identify whether it asks for a technology, governance action, detection clue, or response step. Eliminate answers that are true but do not answer the scenario.
PBQ mindset
Performance-based items usually test process and architecture: place controls, interpret logs, match ports/protocols, order response steps, or classify data and access. Even when practicing with multiple-choice items, think through the action you would take in a lab.
Readiness target
Use 85% as the minimum local practice pass because the real exam is scaled and includes PBQs. Use 90% or better across several randomized attempts before treating the result as an exam-ready comfort signal.
Hands-On Practice
- Build a personal objective checklist. Mark each objective as explain, apply, or weak.
- Do short timed runs and review every miss by concept, not by memorizing the answer letter.
Exam Traps
- Do not convert 750/900 into a simple percent. CompTIA scoring is scaled.
- Do not ignore PBQ-style practice just because a local test is multiple choice.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Risk Management
Big Picture
Risk management connects technical security to business outcomes. A vulnerability is not automatically the top priority; priority depends on asset value, exposure, likelihood, impact, existing controls, compliance requirements, and business tolerance.
Must Know
- Define asset, threat, vulnerability, exploit, likelihood, impact, inherent risk, residual risk, and risk appetite.
- Compare quantitative and qualitative risk assessments.
- Recognize risk treatment decisions: avoid, transfer, mitigate, accept, and share.
- Classify controls by type and function.
- Apply the data lifecycle from creation through destruction.
CIA triad
Confidentiality limits unauthorized disclosure, integrity limits unauthorized or accidental alteration, and availability keeps systems and data accessible when needed. Many questions hide the CIA property inside a scenario: ransomware often affects availability first, tampering affects integrity, and leaked records affect confidentiality.
Threat actors
Actors vary by motivation and capability. Nation-states tend to have funding and patience; organized crime seeks profit; insiders have trusted access; hacktivists seek influence; unskilled attackers often rely on existing tools; shadow IT creates unmanaged exposure even without malicious intent.
Threat intelligence
Threat intelligence can be strategic, tactical, operational, or technical. Indicators of compromise are useful, but context matters: a hash, IP, or domain should feed detection, blocking, hunting, or awareness only after validation.
Controls
Preventive controls stop or reduce events before they occur. Detective controls identify events. Corrective controls restore normal operation. Deterrent controls discourage behavior. Compensating controls are alternatives when the preferred control is not practical.
Quantitative risk
Know SLE, ARO, and ALE conceptually. Single loss expectancy estimates one event; annualized rate of occurrence estimates frequency; annualized loss expectancy estimates yearly impact.
Qualitative risk
Qualitative ranking uses labels such as low, medium, and high. It is faster and common when exact numbers are unavailable, but it must still be consistent and documented.
Data lifecycle
Creation, classification, storage, usage, sharing, retention, archiving, and destruction all need controls. Classification drives handling: public, internal, confidential, restricted, regulated, or other local labels.
Data destruction
Match the destruction method to the medium and sensitivity. Wiping overwrites, cryptographic erase destroys keys, degaussing affects magnetic media, shredding or pulverizing physically destroys media, and certificates of destruction support audit evidence.
Hands-On Practice
- Create a small risk register with asset, threat, vulnerability, likelihood, impact, control, owner, and residual risk.
- Classify several sample data types such as public marketing copy, payroll records, source code, and authentication logs.
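An added worked example, not part of the course notes, that turns the SLE, ARO, and ALE definitions above into the small risk register the lab asks for, then ranks it by annualized loss instead of by severity label. Every dollar figure, exposure factor, rate, and control cost is a constructed assumption; the entries mirror the finance-server versus public-test-server drill at the end of this guide.

```python
from dataclasses import dataclass


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    severity_label: str     # scanner label; deliberately NOT the ranking key
    asset_value: float      # AV: cost of losing the asset entirely (constructed)
    exposure_factor: float  # EF: fraction of AV lost in one event, 0.0 to 1.0
    aro: float              # ARO: expected events per year before treatment
    control: str            # the chosen treatment (mitigate, accept, ...)
    control_cost: float     # annual cost of that treatment
    aro_after: float        # ARO with the control in place (equals aro if accepted)
    owner: str

    def sle(self) -> float:
        """Single loss expectancy: cost of one event."""
        return self.asset_value * self.exposure_factor

    def ale_inherent(self) -> float:
        """Annualized loss expectancy before the control: inherent risk."""
        return self.sle() * self.aro

    def ale_residual(self) -> float:
        """Annualized loss expectancy with the control: residual risk."""
        return self.sle() * self.aro_after

    def control_value(self) -> float:
        """Annual loss avoided minus what the control costs; negative means overspend."""
        return self.ale_inherent() - self.ale_residual() - self.control_cost


def rank_by_inherent_ale(register):
    """Priority order driven by likelihood times impact, not by severity label."""
    return sorted(register, key=lambda r: r.ale_inherent(), reverse=True)


def worthwhile_controls(register):
    """Treatments whose avoided loss exceeds their cost."""
    return [r for r in register if r.control_value() > 0]


# Constructed sample register: the isolated Critical ranks below the exposed Medium.
REGISTER = [
    RiskEntry("Finance server", "Ransomware affiliate", "Missing critical patch", "Critical",
              800_000, 0.5, 0.0625, "Patch in next change window", 5_000, 0.03125, "IT ops"),
    RiskEntry("Public test server", "Opportunistic scanner", "Medium web flaw, internet-facing",
              "Medium", 40_000, 0.5, 2.0, "WAF rule plus code fix", 12_000, 0.5, "Web team"),
    RiskEntry("Staff laptops", "Theft", "No full-disk encryption", "Low",
              60_000, 0.25, 0.5, "Accept (within appetite)", 0, 0.5, "CISO"),
]

if __name__ == "__main__":
    for r in rank_by_inherent_ale(REGISTER):
        print(f"{r.asset:18} {r.severity_label:8} SLE={r.sle():>9,.0f} "
              f"ALE={r.ale_inherent():>9,.0f} residual={r.ale_residual():>9,.0f} "
              f"control value={r.control_value():>9,.0f}  owner={r.owner}")
```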
Exam Traps
- Insurance transfers financial risk; it does not remove technical risk.
- Deleting a file is not secure destruction.
- A high-severity vulnerability on an isolated low-value asset may rank below a moderate issue on a critical exposed system.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Foundations of Cryptography
Big Picture
Cryptography protects confidentiality, integrity, authentication, and non-repudiation when implemented correctly. The exam usually tests which cryptographic tool fits the job and what can go wrong when keys, algorithms, or protocols are weak.
Must Know
- Distinguish hashing, symmetric encryption, asymmetric encryption, digital signatures, certificates, and key exchange.
- Know why salts and slow password hashing matter.
- Understand public/private key roles at a high level.
- Recognize common cryptographic attacks and poor implementation choices.
Hashing
A hash produces a fixed-length digest. It should be one-way and collision-resistant for security uses. Hashes verify integrity, but a bare fast hash is not enough for password storage. Password storage needs salts and slow/adaptive algorithms.
Symmetric encryption
Symmetric encryption uses the same secret to encrypt and decrypt. It is efficient for files, disks, databases, VPN payloads, and bulk data. The main challenge is securely sharing and protecting the secret key.
Asymmetric encryption
Asymmetric systems use public and private keys. They are useful for key exchange, signatures, certificates, and authentication. They are slower than symmetric encryption, so real protocols often use asymmetric methods to establish symmetric session keys.
Digital signatures
A signature is created with a private key and verified with the public key. It supports integrity, origin authentication, and non-repudiation when the private key is protected.
Certificates and trust
Certificates bind identity information to public keys. Trust depends on certificate authorities, expiration, revocation, subject/SAN matching, and correct chain validation.
Password cracking
Offline cracking becomes easier when password hashes are stolen and are unsalted or computed with fast algorithms. MFA, lockout, rate limiting, salted slow hashing, and password managers all reduce different parts of password risk.
SSH public key authentication
The server stores the public key. The user protects the private key. A passphrase on the private key protects it if the key file is stolen.
Hands-On Practice
- Generate an SSH key pair in a lab and identify which file is public and which must remain private.
- Compare a file hash before and after editing a file to see integrity detection.
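An added Python example, not from the course, covering both lab items above: a SHA-256 integrity check that flips on a one-character edit, and the difference between a bare fast hash and salted slow hashing for password storage. The PBKDF2 iteration count, the sample file contents, and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os

# Assumed iteration count for PBKDF2-HMAC-SHA256; tune to your own cost budget.
PBKDF2_ITERATIONS = 600_000


def file_digest(data: bytes) -> str:
    """Integrity use: a fixed-length SHA-256 digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def fast_unsalted(password: str) -> str:
    """The anti-pattern: fast and unsalted, so equal passwords give equal digests
    and one offline guess can be checked against every stolen record at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, slow (PBKDF2) hash in a self-describing storage string."""
    salt = salt or os.urandom(16)  # unique per user, stored beside the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed file contents: the "before" and "after" of a one-character edit.
    before, after = b"approved_amount=1000\n", b"approved_amount=9000\n"
    print("before:", file_digest(before))
    print("after: ", file_digest(after))
    # Two users who chose the same password: identical under the anti-pattern,
    # different once each gets their own salt.
    print("fast unsalted, user 1:", fast_unsalted("Winter2024!"))
    print("fast unsalted, user 2:", fast_unsalted("Winter2024!"))
    print("salted slow,   user 1:", hash_password("Winter2024!"))
    print("salted slow,   user 2:", hash_password("Winter2024!"))
```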
Exam Traps
- Hashing is not reversible encryption.
- Encoding is not encryption.
- A certificate can be validly signed but still wrong for the hostname if the subject/SAN does not match.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Physical Security
Big Picture
Physical access often bypasses logical controls. Security+ expects you to connect facilities controls, environmental protections, and hardware threats to confidentiality, integrity, and availability.
Must Know
- Identify physical access controls such as locks, badges, guards, mantraps, visitor logs, cages, and cameras.
- Recognize environmental controls: HVAC, humidity, fire suppression, power, UPS, generators, and water detection.
- Understand physical attack examples such as keyloggers, malicious USB devices, shoulder surfing, tailgating, and device theft.
Layered facility controls
A secure facility usually layers perimeter controls, reception controls, access badges, mantraps, locked rooms, racks or cages, cameras, and logs. No single control is enough for high-value equipment.
Environmental availability
Temperature, humidity, smoke, fire, water, and unstable power can become security issues because they affect availability and safety. UPS devices cover short outages; generators support longer outages; fire suppression should match the environment.
Physical audit evidence
Visitor logs, badge records, camera footage, maintenance records, and rack access records can support investigations and compliance reviews.
Hardware keyloggers and malicious peripherals
A hardware keylogger between a keyboard and workstation can capture credentials. Malicious USB devices can emulate keyboards or network adapters. Port control and user awareness matter.
Hands-On Practice
- Walk through a room and list what protects access, power, cooling, fire, water, and visitor activity.
- Draw a simple control map from building entrance to server rack.
Exam Traps
- Encryption does not make physical security irrelevant.
- A camera is detective, not preventive, unless paired with active monitoring and response.
- Fire suppression and HVAC are availability controls, not just facilities concerns.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Identity and Account Management
Big Picture
Identity is the control plane for modern security. The exam expects you to distinguish identification, authentication, authorization, and accounting, then apply MFA, federation, account lifecycle, and network authentication to realistic access problems.
Must Know
- Define identification, authentication, authorization, and accounting.
- Know MFA factor categories: something you know, have, are, do, or somewhere you are.
- Compare DAC, MAC, RBAC, ABAC, and rule-based access.
- Understand provisioning, deprovisioning, privileged access, reviews, and shared account risks.
- Recognize federation and SSO concepts such as SAML, OAuth, and OIDC at a high level.
AAA and IAM
Identification is the identity claim, authentication verifies it, authorization grants or denies access, and accounting records activity. A user may authenticate successfully and still be denied access because authorization fails.
MFA
True MFA uses different factor categories. Password plus PIN is still one category. Password plus authenticator app or hardware token uses two categories. Biometrics are convenient but require secure template storage and fallback planning.
Access control schemes
DAC is owner controlled; MAC is label and policy controlled; RBAC maps access to job roles; ABAC uses attributes such as user, resource, action, device, and location; rule-based systems apply defined conditions.
Least privilege and separation of duties
Users should receive only the access needed for their role. Sensitive processes may require two people or separate roles to prevent fraud or mistakes.
Account lifecycle
Provisioning, modification, review, suspension, and deprovisioning should tie to HR and management processes. Dormant accounts, shared accounts, and unmanaged service accounts create investigation and privilege risk.
Network authentication
802.1X, EAP, RADIUS, TACACS+, Kerberos, and certificates can control network or service access. Know the purpose more than vendor syntax.
Federation and SSO
Federation lets an identity provider assert identity to service providers. SSO improves user experience and centralizes control, but it increases the importance of protecting the identity provider.
Hands-On Practice
- Create a sample joiner-mover-leaver checklist for access changes.
- Map three job roles to least-privilege access and identify one separation-of-duties conflict.
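An added Python example, not part of the course material, that walks through the AAA split, the MFA category rule, RBAC least privilege, and the separation-of-duties check from the lab above in one small model. The roles, permissions, users, passwords, and one-time codes are constructed samples, and the credential checks are plain stand-ins for a real directory and authenticator.

```python
import hmac
from dataclasses import dataclass

# Factor categories from the notes: something you know, have, or are.
FACTOR_CATEGORY = {"password": "know", "pin": "know",
                   "totp_app": "have", "hardware_token": "have", "fingerprint": "are"}

# Constructed RBAC map: each role carries only the permissions its job needs.
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll:read", "payroll:edit"},
    "payroll_approver": {"payroll:read", "payroll:approve"},
}
# Separation of duties: permission pairs one person must never hold together.
SOD_CONFLICTS = [("payroll:edit", "payroll:approve")]

AUDIT_LOG = []  # accounting: every login and access decision is appended here

@dataclass
class User:
    username: str    # the identity claimed at login (identification)
    password: str    # constructed sample; a real store holds a salted slow hash
    totp_code: str   # constructed sample; a real app derives this from a seed
    roles: frozenset

# Constructed sample directory: bob holds two roles that conflict under SoD.
DIRECTORY = {
    "alice": User("alice", "correct horse", "482913", frozenset({"payroll_clerk"})),
    "bob": User("bob", "open sesame", "115500", frozenset({"payroll_clerk", "payroll_approver"})),
}

def record(event: str, username: str, detail: str = "") -> None:
    AUDIT_LOG.append({"event": event, "user": username, "detail": detail})

def is_mfa(factors) -> bool:
    """True MFA needs two distinct categories; password plus PIN is still one."""
    return len({FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}) >= 2

def authenticate(username: str, presented: dict) -> bool:
    """Verify the identity claim. Single-category 'MFA' is rejected before any value check."""
    user = DIRECTORY.get(username)
    if user is None:
        record("login_failed", username, "unknown user")
        return False
    if not is_mfa(presented):
        record("login_failed", username, "factors share one category")
        return False
    expected = {"password": user.password, "totp_app": user.totp_code}
    ok = all(hmac.compare_digest(expected.get(f, ""), v) for f, v in presented.items())
    record("login_success" if ok else "login_failed", username)
    return ok

def permissions_for(user: User) -> set:
    return set().union(*(ROLE_PERMISSIONS[r] for r in user.roles))

def authorize(user: User, permission: str) -> bool:
    """Authorization is a separate decision taken after a successful login."""
    allowed = permission in permissions_for(user)
    record("access_allowed" if allowed else "access_denied", user.username, permission)
    return allowed

def sod_violations(user: User) -> list:
    """Conflicting permission pairs a single user currently holds."""
    perms = permissions_for(user)
    return [(a, b) for a, b in SOD_CONFLICTS if a in perms and b in perms]
```

A clerk who logs in successfully and is then refused payroll:approve shows the scenario-drill point: that refusal is an authorization decision, and the audit log records both the login and the denial.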
Exam Traps
- Authentication is not authorization.
- Two knowledge factors are not MFA.
- Shared admin accounts reduce accountability even when they seem convenient.
Quick Self-Check
- Can you explain the concept without looking at the acronym?
- Can you choose the best control or next step in a scenario?
- Can you name what evidence would prove the control worked?
- Can you identify the most likely distractor answer and why it is wrong?
Final Review Checklist
- I can map the course topics to the SY0-701 domains.
- I can explain each major control in plain language and identify whether it is preventive, detective, corrective, deterrent, compensating, managerial, operational, technical, or physical.
- I can answer scenario questions by identifying the asset, threat, vulnerability, impact, and best next action.
- I can distinguish implementation/tool questions from governance/process questions.
- I can describe how I would perform labs safely and only with authorization.
- I can score at least 85% locally and preferably 90% or better across multiple randomized tests.
Deep Review Tables
Risk And Governance Terms
| Term | What To Remember | Scenario Cue |
|---|---|---|
| Asset | Anything valuable to the organization | Protect customer records, servers, source code, identities, or facilities |
| Threat | A possible cause of harm | Insider, ransomware group, power failure, storm, misconfiguration |
| Vulnerability | A weakness that can be exploited | Missing patch, weak password, exposed admin port, default credential |
| Likelihood | Chance the event will occur | Internet exposure, active exploitation, frequent incidents |
| Impact | Business harm if it occurs | Downtime, fines, data loss, safety, reputation |
| Inherent risk | Risk before additional controls | Baseline exposure before mitigation |
| Residual risk | Risk left after controls | What management accepts or treats further |
| Risk appetite | Amount of risk leadership is willing to accept | Determines whether residual risk is acceptable |
Control Classification Drill
| Control | Type | Function | Why It Matters |
|---|---|---|---|
| Security policy | Managerial | Directive | Sets expected behavior and accountability |
| Firewall rule | Technical | Preventive | Blocks or permits network traffic by policy |
| SIEM alert | Technical | Detective | Identifies suspicious activity for response |
| Backup restore | Operational/technical | Corrective | Restores service after failure or attack |
| Security camera | Physical | Detective/deterrent | Records or discourages physical access |
| Guard at entrance | Physical/operational | Preventive/deterrent | Challenges unauthorized entry |
| Cyber insurance | Managerial | Compensating/transfer | Transfers some financial exposure |
| Tabletop exercise | Operational | Corrective/preparatory | Improves future response capability |
Cryptography Decision Guide
| Need | Best Fit | Watch For |
|---|---|---|
| Verify file did not change | Hash | Hash alone does not prove who created the file |
| Encrypt a disk | Symmetric encryption | Key recovery and boot authentication matter |
| Establish trust for HTTPS | Certificate and PKI | Expiration, revocation, hostname mismatch |
| Prove software publisher | Digital signature | Protect private signing key |
| Store passwords | Salted slow password hashing | Avoid fast unsalted hashes |
| Remote Linux authentication | SSH key pair | Protect the private key with permissions and passphrase |
Identity Decision Guide
| Scenario | Best Concept | Why |
|---|---|---|
| User enters a username | Identification | The user is claiming an identity |
| User provides password and token | Authentication/MFA | The system verifies identity using multiple factor categories |
| User is denied payroll access after login | Authorization | Permission decision occurs after authentication |
| Admin action is logged | Accounting | Activity is recorded for audit and investigation |
| Access based on job role | RBAC | Permissions map to roles |
| Access based on user, device, location, and data label | ABAC | Multiple attributes drive the decision |
| One login grants SaaS access | Federation/SSO | Identity provider asserts identity to service providers |
Scenario Drills
- A finance server stores sensitive records and is missing a critical patch, but it is not internet-facing. A public test server is internet-facing and has a medium vulnerability. Which is higher priority? The answer depends on impact, exposure, exploitability, and business context. Do not rank by severity label alone.
- A user can sign in but cannot access a folder. This is not an authentication failure; it is authorization.
- A web download has a published SHA-256 hash. Use it to verify integrity, not confidentiality.
- A company keeps old backup tapes. Choose destruction by sensitivity and medium; do not assume deletion or formatting is enough.
- A camera catches tailgating after the fact. The camera is detective; a mantrap or guard is more preventive.