CompTIA Security+ Course

Duration

2 Days

Entry Requirements

Minimum High School Diploma

Tuition

$950 (In-Class)
$250 (Online)

Course Delivery

On-Campus
Online

Program Overview

This course offers invaluable preparation for Exam SY0-601 and covers 100% of the exam objectives with clear, concise explanation. You’ll learn how to handle threats, attacks, and vulnerabilities using industry-standard tools and technologies, while understanding the role of architecture and design. From everyday tasks like identity and access management to complex topics like risk management and cryptography, this course helps you consolidate your knowledge base in preparation for the Security+ exam. Practical examples illustrate how these processes play out in real-world scenarios, allowing you to immediately translate essential concepts to on-the-job application. Students also get access to a robust toolkit for more thorough prep: flashcards, glossary of key terms, practice questions, and a preassessment exam equip you with everything you need to enter the exam confident in your skill set.

Master essential security technologies, tools, and tasks. Understand how Security+ concepts are applied in the real world. Study on the go with electronic flashcards and more. Test your knowledge along the way with hundreds of practice questions.

To an employer, the CompTIA Security+ certification proves that you have the knowledge base and skill set to secure applications, devices, and networks; analyze and respond to threats; participate in risk mitigation, and so much more. As data threats loom larger every day, the demand for qualified security professionals will only continue to grow.

Accreditation

CompTIA Security+ Certificate

Study Outline

Day 1

Today’s Security Professional
  • Cybersecurity Objectives
  • Data Breach Risks
  • The DAD Triad
  • Breach Impact
  • Implementing Security Controls
  • Security Control Categories
  • Security Control Types
  • Data Protection
  • Summary
Cybersecurity Threat Landscape
  • Exploring Cybersecurity Threats
  • Classifying Cybersecurity Threats
  • Threat Actors
  • Threat Vectors
  • Threat Data and Intelligence
  • Open Source Intelligence
  • Proprietary and Closed-Source Intelligence
  • Assessing Threat Intelligence
  • Threat Indicator Management and Exchange
  • Public and Private Information Sharing Centers
  • Conducting Your Own Research
  • Summary
Malicious Code
  • Malware
  • Ransomware
  • Trojans
  • Worms
  • Rootkits
  • Backdoors
  • Bots
  • Keyloggers
  • Logic Bombs
  • Viruses
  • Fileless Viruses
  • Spyware
  • Potentially Unwanted Programs (PUPs)
  • Malicious Code
  • Adversarial Artificial Intelligence
  • Summary
  • Exam Essentials
  • Review Questions
Social Engineering, Physical, and Password Attacks
  • Social Engineering
  • Social Engineering Techniques
  • Influence Campaigns
  • Password Attacks
  • Physical Attacks
  • Summary
Security Assessment and Testing
  • Vulnerability Management
  • Identifying Scan Targets
  • Determining Scan Frequency
  • Configuring Vulnerability Scans
  • Scanner Maintenance
  • Vulnerability Scanning Tools
  • Reviewing and Interpreting Scan Reports
  • Validating Scan Results
  • Security Vulnerabilities
  • Patch Management
  • Legacy Platforms
  • Weak Configurations
  • Error Messages
  • Insecure Protocols
  • Weak Encryption
  • Penetration Testing
  • Adopting the Hacker Mindset
  • Reasons for Penetration Testing
  • Benefits of Penetration Testing
  • Penetration Test Types
  • Rules of Engagement
  • Reconnaissance
  • Running the Test
  • Cleaning Up
  • Training and Exercises
  • Summary
Secure Coding
  • Software Assurance Best Practices
  • The Software Development Life Cycle
  • Software Development Phases
  • Software Development Models
  • DevSecOps and DevOps
  • Designing and Coding for Security
  • Secure Coding Practices
  • API Security
  • Code Review Models
  • Software Security Testing
  • Analyzing and Testing Code
  • Injection Vulnerabilities
  • SQL Injection Attacks
  • Code Injection Attacks
  • Command Injection Attacks
  • Exploiting Authentication Vulnerabilities
  • Password Authentication
  • Session Attacks
  • Exploiting Authorization Vulnerabilities
  • Insecure Direct Object References
  • Directory Traversal
  • File Inclusion
  • Privilege Escalation
  • Exploiting Web Application Vulnerabilities
  • Cross-Site Scripting (XSS)
  • Request Forgery
  • Application Security Controls
  • Input Validation
  • Web Application Firewalls
  • Database Security
  • Code Security
  • Secure Coding Practices
  • Source Code Comments
  • Error Handling
  • Hard-Coded Credentials
  • Memory Management
  • Race Conditions
  • Unprotected APIs
  • Driver Manipulation
  • Summary
Cryptography and the Public Key Infrastructure
  • An Overview of Cryptography
  • Historical Cryptography
  • Goals of Cryptography
  • Confidentiality
  • Integrity
  • Authentication
  • Nonrepudiation
  • Cryptographic Concepts
  • Cryptographic Keys
  • Ciphers
  • Modern Cryptography
  • Cryptographic Secrecy
  • Symmetric Key Algorithms
  • Asymmetric Key Algorithms
  • Hashing Algorithms
  • Symmetric Cryptography
  • Data Encryption Standard
  • Triple DES
  • Advanced Encryption Standard
  • Symmetric Key Management
  • Asymmetric Cryptography
  • RSA
  • Elliptic Curve
  • Hash Functions
  • SHA
  • MD5
  • Digital Signatures
  • HMAC
  • Digital Signature Standard
  • Public Key Infrastructure
  • Certificates
  • Certificate Authorities
  • Certificate Generation and Destruction
  • Certificate Formats
  • Asymmetric Key Management
  • Cryptographic Attacks
  • Emerging Issues in Cryptography
  • Tor and the Dark Web
  • Blockchain
  • Lightweight Cryptography
  • Homomorphic Encryption
  • Quantum Computing
  • Summary

Day 2

Identity and Access Management
  • Identity
  • Authentication and Authorization
  • Authentication and Authorization Technologies
  • Directory Services
  • Authentication Methods
  • Multifactor Authentication
  • One-Time Passwords
  • Biometrics
  • Knowledge-Based Authentication
  • Managing Authentication
  • Accounts
  • Account Types
  • Account Policies and Controls
  • Access Control Schemes
  • Filesystem Permissions
  • Summary
Resilience and Physical Security
  • Building Cybersecurity Resilience
  • Storage Resiliency: Backups and Replication
  • Response and Recovery Controls
  • Physical Security Controls
  • Site Security
  • Summary
  • Exam Essentials
  • Review Questions
Cloud and Virtualization Security
  • Exploring the Cloud
  • Benefits of the Cloud
  • Cloud Roles
  • Cloud Service Models
  • Cloud Deployment Models
  • Shared Responsibility Model
  • Cloud Standards and Guidelines
  • Virtualization
  • Hypervisors
  • Cloud Infrastructure Components
  • Cloud Compute Resources
  • Cloud Storage Resources
  • Cloud Networking
  • Cloud Security Issues
  • Availability
  • Data Sovereignty
  • Virtualization Security
  • Application Security
  • Governance and Auditing
  • Cloud Security Controls
  • Cloud Access Security Brokers
  • Resource Policies
  • Secrets Management
  • Summary
Endpoint Security
  • Protecting Endpoints
  • Preserving Boot Integrity
  • Endpoint Security Tools
  • Hardening Endpoints and Systems
  • Service Hardening
  • Operating System Hardening
  • Hardening the Windows Registry
  • Configuration, Standards, and Schemas
  • Disk Security and Sanitization
  • File Manipulation and Other Useful Command-Line Tools
  • Scripting, Secure Transport, and Shells
  • Securing Embedded and Specialized Systems
  • Embedded Systems
  • SCADA and ICS
  • Securing the Internet of Things
  • Specialized Systems
  • Communication Considerations
  • Security Constraints of Embedded Systems
  • Summary
Network Security
  • Designing Secure Networks
  • Network Segmentation
  • Network Access Control
  • Port Security and Port-Level Protections
  • Port Spanning/Port Mirroring
  • Virtual Private Network
  • Network Appliances and Security Tools
  • Network Security, Services, and Management
  • Deception and Disruption
  • Secure Protocols
  • Using Secure Protocols
  • Secure Protocols
  • Attacking and Assessing Networks
  • On-Path Attacks
  • Domain Name System Attacks
  • Layer 2 Attacks
  • Distributed Denial-of-Service Attacks
  • Network Reconnaissance and Discovery Tools and Techniques
Wireless and Mobile Security
  • Building Secure Wireless Networks
  • Connectivity Methods
  • Wireless Network Models
  • Attacks Against Wireless Networks
  • Designing a Network
  • Controller and Access Point Security
  • Wi-Fi Security Standards
  • Wireless Authentication
  • Managing Secure Mobile Devices
  • Mobile Device Deployment Methods
  • Mobile Device Management
  • Specialized Mobile Device Security Tools
Incident Response
  • Incident Response
  • The Incident Response Process
  • Attack Frameworks and Identifying Attacks
  • Incident Response Data and Tools
  • Security Information and Event Management Systems
  • Alerts and Alarms
  • Correlation and Analysis
  • Rules
  • Mitigation and Recovery
Digital Forensics
  • Digital Forensic Concepts
  • Legal Holds and e-Discovery
  • Conducting Digital Forensics
  • Acquiring Forensic Data
  • Acquisition Tools
  • Validating Forensic Data Integrity
  • Data Recovery
  • Forensic Suites and a Forensic Case Example
  • Reporting
  • Digital Forensics and Intelligence
Security Policies, Standards, and Compliance
  • Understanding Policy Documents
  • Policies
  • Standards
  • Procedures
  • Guidelines
  • Exceptions and Compensating Controls
  • Personnel Management
  • Least Privilege
  • Separation of Duties
  • Job Rotation and Mandatory Vacations
  • Clean Desk Space
  • Onboarding and Offboarding
  • Nondisclosure Agreements
  • Social Media
  • User Training
  • Third-Party Risk Management
  • Winding Down Vendor Relationships
  • Complying with Laws and Regulations
  • Adopting Standard Frameworks
  • NIST Cybersecurity Framework
  • NIST Risk Management Framework
  • ISO Standards
  • Benchmarks and Secure Configuration Guides
  • Security Control Verification and Quality Control
Risk Management and Privacy
  • Analyzing Risk
  • Risk Identification
  • Risk Calculation
  • Risk Assessment
  • Managing Risk
  • Risk Mitigation
  • Risk Avoidance
  • Risk Transference
  • Risk Acceptance
  • Risk Analysis
  • Disaster Recovery Planning
  • Disaster Types
  • Business Impact Analysis
  • Privacy
  • Sensitive Information Inventory
  • Information Classification
  • Data Roles and Responsibilities
  • Information Lifecycle
  • Privacy Enhancing Technologies
  • Privacy and Data Breach Notification