CompTIA Security+ SY0-401 vs. SY0-301 Changes by @InfosecEdu

A new version of the popular CompTIA Security+ certification is out, and the content it covers has expanded significantly over the past three years. The six domains the exam covers remain the same, but four new sections were added to deal with cloud computing, incident response, mobile devices and network-enabled devices that could accidentally become part of your network. Two more new sections increase coverage of physical security and application of the “CIA triad” (confidentiality, integrity and availability).

In addition to these six new sections, dozens of other changes were made to existing sections to cover evolving malware, business continuity, big data, secure file transfer and other issues. The new SY0-401 “Certification Exam Objectives” document (which replaces 2010’s SY0-301 of the same name) also adds dozens of terms to its glossary and adds new but incomplete advice on suggested classroom equipment.

New Section: Implications of Integrating with Third Parties

A brand new section in SY0-401’s compliance and operational security domain was added to deal with business use of cloud services. The new section is entitled “summarize the security implications of integrating systems and data with third parties” (2.2) and contains ten topics.

Three new technical topics in this section are onboarding and offboarding business partners, social media networks and applications, and data backups. Five new policy and risk topics are privacy considerations, risk awareness, unauthorized data sharing, data ownership and security policy and procedures.

Finally, there are two topics devoted to legal agreements and contracts. One, entitled “interoperability agreements,” covers service level agreements (SLA), blanket purchase agreements (BPA), memorandum of understanding (MOU) and Interoperability Solutions for (European Public) Administration (ISA). The second topic is entitled “review agreement requirements to verify compliance and performance standards” and contains no subtopics.

New Section: Incident Response

SY0-301’s one line entry about “Incident response” has been replaced with a whole new section (2.5) with eleven topics in SY0-401’s compliance and operational security domain. The new section begins with preparation, followed by first responder, incident identification and incident isolation (including quarantine and device removal). Next comes escalation and notification, mitigation steps, damage and loss control and data breach. Finally, lessons learned, reporting, recovery and reconstitution procedures are covered.

New Section: Physical Security

Limited coverage of physical security in SY0-301 has been replaced with a new “physical security and environmental controls” section (2.7) in SY0-401’s compliance and operational security domain. All of the existing environmental controls, including HVAC and EMI shielding, are the same as in the previous version. All of the old physical security controls, such as hardware locks and mantraps, were also carried forward.

The new content creates two new top-level topics: physical security and control types. New physical security controls include proper lighting, signs, guards, barricades, biometrics, protected distribution (e.g., cabling), alarms and motion detection. Control types cover theoretical security design and are listed as deterrent, preventative, detective, compensating, technical and administrative. (CISSP and other security students may find this section strange because they are used to using these control types to design security for any system, not just physical systems.)

New Section: Confidentiality, Integrity, Availability and Safety Controls

SY0-401 fleshes out the brief mention of the “CIA triad” (confidentiality, integrity and availability) from previous versions in a new section (2.9) in the compliance and operational security domain.

There are four major topics in this section (confidentiality, integrity, availability and safety), but most of the subtopics in this section are covered in more depth elsewhere. For example, confidentiality topics include encryption, access controls and steganography, two of which are covered elsewhere.

The full list of integrity topics found here includes hashing, digital signatures, certificates and non-repudiation. Availability topics include redundancy, fault tolerance and patching. Finally, safety topics cover fencing, lighting, locks, CCTV, escape plans, drills, escape routes and testing controls.

New Section: Mobile Security

A new mobile security section (4.2) is a welcome addition to the application, data and host security domain. A handful of topics such as device encryption and GPS were covered in SY0-301, but SY0-401 adds dozens more and organizes the content into device security, application security and BYOD concerns.

The new device security category includes information about full device encryption (“full” is new), remote wiping, lockout, screen-locks, GPS, application control, storage segmentation, asset tracking, inventory control, mobile device management, device access control, removable storage and disabling unused features.

The new application security category includes information about key management, credential management, authentication, geo-tagging, encryption, application whitelisting and transitive trust and authentication.

Finally, the new BYOD concerns category includes information about data ownership, support ownership, patch management, antivirus management, forensics, privacy, on-boarding and off-boarding, adherence to corporate policies, user acceptance, architecture and infrastructure considerations, legal concerns, acceptable use policy and on-board camera and video.

New Section: “Static Environment” Risk Mitigation

The new “static environment” section (4.5) in the application, data and host security domain requires some explanation. The term tries to encompass all the legacy devices, “smart” hardware, handheld game units, stationary bicycles, icemakers, car-borne computers and other network-enabled technology that may be entering or interacting with your business network. Since you generally have little or no control over the technology itself, CompTIA refers to the technologies as participating in a “static environment.”

Environment topics specifically called out in this section include SCADA (“supervisory control and data acquisition”; common in industrial automation), embedded (including printers, smart TVs and HVAC controls), Android, iOS, mainframe, game consoles and in-vehicle computing systems.

Read the rest at the InfoSec Institute
