cerf

Content domains

The 5 domains of SY0-701, with every task statement and its objectives from the official guide. Study a whole domain, or drill a single task.

1General Security Concepts

12% of examStudy domain
1.1Compare and contrast various types of security controls>

Knowledge of

  • Categories (Technical, Managerial, Operational, Physical)
  • Control types (Preventive, Deterrent, Detective, Corrective, Compensating, Directive)
1.2Summarize fundamental security concepts>

Knowledge of

  • Confidentiality, Integrity, and Availability (CIA)
  • Non-repudiation
  • Authentication, Authorization, and Accounting (AAA) (Authenticating people, Authenticating systems, Authorization models)
  • Gap analysis
  • Zero Trust (Control Plane, Adaptive identity, Threat scope reduction, Policy-driven access control, Policy Administrator, Policy Engine, Data Plane, Implicit trust zones, Subject/System, Policy Enforcement Point)
  • Physical security (Bollards, Access control vestibule, Fencing, Video surveillance, Security guard, Access badge, Lighting, Sensors, Infrared, Pressure, Microwave, Ultrasonic)
  • Deception and disruption technology (Honeypot, Honeynet, Honeyfile, Honeytoken)
1.3Explain the importance of change management processes and the impact to security>

Knowledge of

  • Business processes impacting security operation (Approval process, Ownership, Stakeholders, Impact analysis, Test results, Backout plan, Maintenance window, Standard operating procedure)
  • Technical implications (Allow lists/deny lists, Restricted activities, Downtime, Service restart, Application restart, Legacy applications, Dependencies)
  • Documentation (Updating diagrams, Updating policies/procedures)
  • Version control
1.4Explain the importance of using appropriate cryptographic solutions>

Knowledge of

  • Public key infrastructure (PKI) (Public key, Private key, Key escrow)
  • Encryption (Level, Full-disk, Partition, File, Volume, Database, Record, Transport/communication, Asymmetric, Symmetric, Key exchange, Algorithms, Key length)
  • Tools (Trusted Platform Module (TPM), Hardware security module (HSM), Key management system, Secure enclave)
  • Obfuscation (Steganography, Tokenization, Data masking)
  • Hashing
  • Salting
  • Digital signatures
  • Key stretching
  • Blockchain
  • Open public ledger
  • Certificates (Certificate authorities, Certificate revocation lists (CRLs), Online Certificate Status Protocol (OCSP), Self-signed, Third-party, Root of trust, Certificate signing request (CSR) generation, Wildcard)

2Threats, Vulnerabilities, and Mitigations

22% of examStudy domain
2.1Compare and contrast common threat actors and motivations>

Knowledge of

  • Threat actors (Nation-state, Unskilled attacker, Hacktivist, Insider threat, Organized crime, Shadow IT)
  • Attributes of actors (Internal/external, Resources/funding, Level of sophistication/capability)
  • Motivations (Data exfiltration, Espionage, Service disruption, Blackmail, Financial gain, Philosophical/political beliefs, Ethical, Revenge, Disruption/chaos, War)
2.2Explain common threat vectors and attack surfaces>

Knowledge of

  • Message-based (Email, Short Message Service (SMS), Instant messaging (IM))
  • Image-based
  • File-based
  • Voice call
  • Removable device
  • Vulnerable software (Client-based vs. agentless)
  • Unsupported systems and applications
  • Unsecure networks (Wireless, Wired, Bluetooth)
  • Open service ports
  • Default credentials
  • Supply chain (Managed service providers (MSPs), Vendors, Suppliers)
  • Human vectors/social engineering (Phishing, Vishing, Smishing, Misinformation/disinformation, Impersonation, Business email compromise, Pretexting, Watering hole, Brand impersonation, Typosquatting)
2.3Explain various types of vulnerabilities>

Knowledge of

  • Application (Memory injection, Buffer overflow, Race conditions, Time-of-check (TOC), Time-of-use (TOU), Malicious update)
  • Operating system (OS)-based
  • Web-based (Structured Query Language injection (SQLi), Cross-site scripting (XSS))
  • Hardware (Firmware, End-of-life, Legacy)
  • Virtualization (Virtual machine (VM) escape, Resource reuse)
  • Cloud-specific
  • Supply chain (Service provider, Hardware provider, Software provider)
  • Cryptographic
  • Misconfiguration
  • Mobile device (Side loading, Jailbreaking)
  • Zero-day
2.4Given a scenario, analyze indicators of malicious activity>

Knowledge of

  • Malware attacks (Ransomware, Trojan, Worm, Spyware, Bloatware, Virus, Keylogger, Logic bomb, Rootkit)
  • Physical attacks (Brute force, Radio frequency identification (RFID) cloning, Environmental)
  • Network attacks (Distributed denial-of-service (DDoS), Amplified, Reflected, Domain Name System (DNS) attacks, Wireless, On-path, Credential replay, Malicious code)
  • Application attacks (Injection, Buffer overflow, Replay, Privilege escalation, Forgery, Directory traversal)
  • Cryptographic attacks (Downgrade, Collision, Birthday)
  • Password attacks (Spraying, Brute force)
  • Indicators (Account lockout, Concurrent session usage, Blocked content, Impossible travel, Resource consumption, Resource inaccessibility, Out-of-cycle logging, Published/documented, Missing logs)
2.5Explain the purpose of mitigation techniques used to secure the enterprise>

Knowledge of

  • Segmentation
  • Access control (Access control list (ACL), Permissions)
  • Application allow list
  • Isolation
  • Patching
  • Encryption
  • Monitoring
  • Least privilege
  • Configuration enforcement
  • Decommissioning
  • Hardening techniques (Encryption, Installation of endpoint protection, Host-based firewall, Host-based intrusion prevention system (HIPS), Disabling ports/protocols, Default password changes, Removal of unnecessary software)

3Security Architecture

18% of examStudy domain
3.1Compare and contrast security implications of different architecture models>

Knowledge of

  • Architecture and infrastructure concepts (Cloud, Responsibility matrix, Hybrid considerations, Third-party vendors, Infrastructure as code (IaC), Serverless, Microservices, Network infrastructure, Physical isolation ը Air-gapped, Logical segmentation, Software-defined networking (SDN), On-premises, Centralized vs. decentralized, Containerization, Virtualization, IoT, Industrial control systems (ICS)/supervisory control and data acquisition (SCADA), Real-time operating system (RTOS), Embedded systems, High availability)
  • Considerations (Availability, Resilience, Cost, Responsiveness, Scalability, Ease of deployment, Risk transference, Ease of recovery, Patch availability, Inability to patch, Power, Compute)
3.2Given a scenario, apply security principles to secure enterprise infrastructure>

Knowledge of

  • Infrastructure considerations (Device placement, Security zones, Attack surface, Connectivity, Failure modes, Fail-open, Fail-closed, Device attribute, Active vs. passive, Inline vs. tap/monitor, Network appliances, Jump server, Proxy server, Intrusion prevention system (IPS)/intrusion detection system (IDS), Load balancer, Sensors, Port security, 802.1X, Extensible Authentication Protocol (EAP), Firewall types, Web application firewall (WAF), Unified threat management (UTM), Next-generation firewall (NGFW), Layer 4/Layer 7)
  • Secure communication/access (Virtual private network (VPN), Remote access, Tunneling, Transport Layer Security (TLS), Internet protocol security (IPSec), Software-defined wide area network (SD-WAN), Secure access service edge (SASE))
  • Selection of effective controls
3.3Compare and contrast concepts and strategies to protect data>

Knowledge of

  • Data types (Regulated, Trade secret, Intellectual property, Legal information, Financial information, Humanand non-human-readable)
  • Data classifications (Sensitive, Confidential, Public, Restricted, Private, Critical)
  • General data considerations (Data states, Data at rest, Data in transit, Data in use, Data sovereignty, Geolocation)
  • Methods to secure data (Geographic restrictions, Encryption, Hashing, Masking, Tokenization, Obfuscation, Segmentation, Permission restrictions)
3.4Explain the importance of resilience and recovery in security architecture>

Knowledge of

  • High availability (Load balancing vs. clustering)
  • Site considerations (Hot, Cold, Warm, Geographic dispersion)
  • Platform diversity
  • Multi-cloud systems
  • Continuity of operations
  • Capacity planning (People, Technology, Infrastructure)
  • Testing (Tabletop exercises, Fail over, Simulation, Parallel processing)
  • Backups (Onsite/offsite, Frequency, Encryption, Snapshots, Recovery, Replication, Journaling)
  • Power (Generators, Uninterruptible power supply (UPS))

4Security Operations

28% of examStudy domain
4.1Given a scenario, apply common security techniques to computing resources>

Knowledge of

  • Secure baselines (Establish, Deploy, Maintain)
  • Hardening targets (Mobile devices, Workstations, Switches, Routers, Cloud infrastructure, Servers, ICS/SCADA, Embedded systems, RTOS, IoT devices)
  • Wireless devices (Installation considerations, Site surveys, Heat maps)
  • Mobile solutions (Mobile device management (MDM), Deployment models, Bring your own device (BYOD), Corporate-owned, personally enabled (COPE), Choose your own device (CYOD), Connection methods, Cellular, Wi-Fi, Bluetooth)
  • Wireless security settings (Wi-Fi Protected Access 3 (WPA3), AAA/Remote Authentication Dial-In User Service (RADIUS), Cryptographic protocols, Authentication protocols)
  • Application security (Input validation, Secure cookies, Static code analysis, Code signing)
  • Sandboxing
  • Monitoring
4.2Explain the security implications of proper hardware, software, and data asset management>

Knowledge of

  • Acquisition/procurement process
  • Assignment/accounting (Ownership, Classification)
  • Monitoring/asset tracking (Inventory, Enumeration)
  • Disposal/decommissioning (Sanitization, Destruction, Certification, Data retention)
4.3Explain various activities associated with vulnerability management>

Knowledge of

  • Identification methods (Vulnerability scan, Application security, Static analysis, Dynamic analysis, Package monitoring, Threat feed, Open-source intelligence (OSINT), Proprietary/third-party, Information-sharing organization, Dark web, Penetration testing, Responsible disclosure program, Bug bounty program, System/process audit)
  • Analysis (Confirmation, False positive, False negative, Prioritize, Common Vulnerability Scoring System (CVSS), Common Vulnerability Enumeration (CVE), Vulnerability classification, Exposure factor, Environmental variables, Industry/organizational impact, Risk tolerance)
  • Vulnerability response and remediation (Patching, Insurance, Segmentation, Compensating controls, Exceptions and exemptions)
  • Validation of remediation (Rescanning, Audit, Verification)
  • Reporting
4.4Explain security alerting and monitoring concepts and tools>

Knowledge of

  • Monitoring computing resources (Systems, Applications, Infrastructure)
  • Activities (Log aggregation, Alerting, Scanning, Reporting, Archiving, Alert response and remediation/validation, Quarantine, Alert tuning)
  • Tools (Security Content Automation Protocol (SCAP), Benchmarks, Agents/agentless, Security information and event management (SIEM), Antivirus, Data loss prevention (DLP), Simple Network Management Protocol (SNMP) traps, NetFlow, Vulnerability scanners)
4.5Given a scenario, modify enterprise capabilities to enhance security>

Knowledge of

  • Firewall (Rules, Access lists, Ports/protocols, Screened subnets)
  • IDS/IPS (Trends, Signatures)
  • Web filter (Agent-based, Centralized proxy, Universal Resource Locator (URL) scanning, Content categorization, Block rules, Reputation)
  • Operating system security (Group Policy, SELinux)
  • Implementation of secure protocols (Protocol selection, Port selection, Transport method)
  • DNS filtering
  • Email security (Domain-based Message Authentication Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), Gateway)
  • File integrity monitoring
  • DLP
  • Network access control (NAC)
  • Endpoint detection and response (EDR)/extended detection and response (XDR)
  • User behavior analytics
4.6Given a scenario, implement and maintain identity and access management>

Knowledge of

  • Provisioning/de-provisioning user accounts
  • Permission assignments and implications
  • Identity proofing
  • Federation
  • Single sign-on (SSO) (Lightweight Directory Access Protocol (LDAP), Open authorization (OAuth), Security Assertions Markup Language (SAML))
  • Interoperability
  • Attestation
  • Access controls (Mandatory, Discretionary, Role-based, Rule-based, Attribute-based, Time-of-day restrictions, Least privilege)
  • Multifactor authentication (Implementations, Biometrics, Hard/soft authentication tokens, Security keys, Factors, Something you know, Something you have, Something you are, Somewhere you are)
  • Password concepts (Password best practices, Length, Complexity, Reuse, Expiration, Age, Password managers, Passwordless)
  • Privileged access management tools (Just-in-time permissions, Password vaulting, Ephemeral credentials)
4.7Explain the importance of automation and orchestration related to secure operations>

Knowledge of

  • Use cases of automation and scripting (User provisioning, Resource provisioning, Guard rails, Security groups, Ticket creation, Escalation, Enabling/disabling services, and access, Continuous integration and testing, Integrations and Application programming interfaces (APIs))
  • Benefits (Efficiency/time saving, Enforcing baselines, Standard infrastructure configurations, Scaling in a secure manner, Employee retention, Reaction time, Workforce multiplier)
  • Other considerations (Complexity, Cost, Single point of failure, Technical debt, Ongoing supportability)
4.8Explain appropriate incident response activities>

Knowledge of

  • Process (Preparation, Detection, Analysis, Containment, Eradication, Recovery, Lessons learned)
  • Training
  • Testing (Tabletop exercise, Simulation)
  • Root cause analysis
  • Threat hunting
  • Digital forensics (Legal hold, Chain of custody, Acquisition, Reporting, Preservation, E-discovery)
4.9Given a scenario, use data sources to support an investigation>

Knowledge of

  • Log data (Firewall logs, Application logs, Endpoint logs, OS-specific security logs, IPS/IDS logs, Network logs, Metadata)
  • Data sources (Vulnerability scans, Automated reports, Dashboards, Packet captures)

5Security Program Management and Oversight

20% of examStudy domain
5.1Summarize elements of effective security governance>

Knowledge of

  • Guidelines
  • Policies (Acceptable use policy (AUP), Information security policies, Business continuity, Disaster recovery, Incident response, Software development lifecycle (SDLC), Change management)
  • Standards (Password, Access control, Physical security, Encryption)
  • Procedures (Change management, Onboarding/offboarding, Playbooks)
  • External considerations (Regulatory, Legal, Industry, Local/regional, National, Global)
  • Monitoring and revision
  • Types of governance structures (Boards, Committees, Government entities, Centralized/decentralized)
  • Roles and responsibilities for systems and data (Owners, Controllers, Processors, Custodians/stewards)
5.2Explain elements of the risk management process>

Knowledge of

  • Risk identification
  • Risk assessment (Ad hoc, Recurring, One-time, Continuous)
  • Risk analysis (Qualitative, Quantitative, Single loss expectancy (SLE), Annualized loss expectancy (ALE), Annualized rate of occurrence (ARO), Probability, Likelihood, Exposure factor, Impact)
  • Risk register (Key risk indicators, Risk owners, Risk threshold)
  • Risk tolerance
  • Risk appetite (Expansionary, Conservative, Neutral)
  • Risk management strategies (Transfer, Accept, Exemption, Exception, Avoid, Mitigate)
  • Risk reporting
  • Business impact analysis (Recovery time objective (RTO), Recovery point objective (RPO), Mean time to repair (MTTR), Mean time between failures (MTBF))
5.3Explain the processes associated with third-party risk assessment and management>

Knowledge of

  • Vendor assessment (Penetration testing, Right-to-audit clause, Evidence of internal audits, Independent assessments, Supply chain analysis)
  • Vendor selection (Due diligence, Conflict of interest)
  • Agreement types (Service-level agreement (SLA), Memorandum of agreement (MOA), Memorandum of understanding (MOU), Master service agreement (MSA), Work order (WO)/statement of work (SOW), Non-disclosure agreement (NDA), Business partners agreement (BPA))
  • Vendor monitoring
  • Questionnaires
  • Rules of engagement
5.4Summarize elements of effective security compliance>

Knowledge of

  • Compliance reporting (Internal, External)
  • Consequences of non-compliance (Fines, Sanctions, Reputational damage, Loss of license, Contractual impacts)
  • Compliance monitoring (Due diligence/care, Attestation and acknowledgement, Internal and external, Automation)
  • Privacy (Legal implications, Local/regional, National, Global, Data subject, Controller vs. processor, Ownership, Data inventory and retention, Right to be forgotten)
5.5Explain types and purposes of audits and assessments>

Knowledge of

  • Attestation
  • Internal (Compliance, Audit committee, Self-assessments)
  • External (Regulatory, Examinations, Assessment, Independent third-party audit)
  • Penetration testing (Physical, Offensive, Defensive, Integrated, Known environment, Partially known environment, Unknown environment, Reconnaissance, Passive, Active)
5.6Given a scenario, implement security awareness practices>

Knowledge of

  • Phishing (Campaigns, Recognizing a phishing attempt, Responding to reported suspicious messages)
  • Anomalous behavior recognition (Risky, Unexpected, Unintentional)
  • User guidance and training (Policy/handbooks, Situational awareness, Insider threat, Password management, Removable media and cables, Social engineering, Operational security, Hybrid/remote work environments)
  • Reporting and monitoring (Initial, Recurring)
  • Development
  • Execution