# CompTIA Security+ SY0-701 Cheat Sheet

**VantagePoint Networks** | Exam-focused study reference

---

## 1. Threat Actors

| Actor | Motivation | Skill | Resources | Examples |
|---|---|---|---|---|
| Nation-state / APT | Espionage, sabotage, strategic advantage | Very high | Unlimited | Lazarus (DPRK), APT28 (Russia), APT41 (China) |
| Organised crime | Financial gain | High | Significant | REvil, Conti, LockBit |
| Hacktivist | Political / ideological | Medium-high | Moderate | Anonymous, LulzSec |
| Insider (malicious) | Revenge, profit, ideology | Varies | Legitimate access | Snowden, Manning |
| Insider (unintentional) | Accidental | Varies | Legitimate access | Misconfiguration, lost laptop |
| Script kiddie | Notoriety, curiosity | Low | Pre-made tools | Low-skill exploit users |
| Shadow IT | Speed / convenience | Varies | Internal | Unsanctioned SaaS, personal devices |
| Competitor | Corporate espionage | Varies | Significant | IP theft, DDoS |

### Attack Attributes
- **Internal vs External**: Inside vs outside organisation
- **Level of sophistication**: From point-and-click to zero-day custom malware
- **Intent / motivation**: Financial, political, ideological, revenge, chaos
- **Resources / funding**: Individual vs state-sponsored

## 2. Attack Types

### Social Engineering
| Attack | Description |
|---|---|
| Phishing | Broad email-based deception |
| Spear phishing | Targeted at specific individual / role |
| Whaling | Targets executives (C-suite) |
| Vishing | Voice phishing (phone) |
| Smishing | SMS phishing |
| Pretexting | Fabricated scenario to extract info |
| Baiting | Leave infected media (USB) to be found |
| Tailgating | Follow authorised person through access control |
| Shoulder surfing | Visual observation |
| Dumpster diving | Physical document recovery |
| Typosquatting | Similar domain names (gooogle.com) |
| Pharming | Redirect to a malicious site by poisoning DNS or the local hosts file (no link-click needed) |
| Watering hole | Compromise site target visits |
| BEC | Business Email Compromise (CEO fraud) |
| Influence campaigns | Misinformation / disinformation |
| Brand impersonation | Fake company communications |

### Password Attacks
| Attack | Description |
|---|---|
| Brute force | Try all combinations |
| Dictionary | Try common words |
| Hybrid | Dictionary + variations (Password123!) |
| Rainbow table | Pre-computed hash lookups (defeated by per-user salts) |
| Credential stuffing | Replay username/password pairs leaked from other breaches |
| Password spraying | One common password across many accounts (stays under per-account lockout thresholds) |
| Pass-the-hash | Authenticate with a captured NTLM hash, no cracking needed |
| Kerberoasting | Request TGS tickets for SPN-linked service accounts, crack the service password offline |
| Birthday attack | Find a hash collision in about 2^(n/2) work rather than 2^n (birthday paradox) |
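Spraying and brute force look different in the logs, and that difference is the detection. The Python below is an added example (not part of this cheat sheet) that pivots a constructed auth log on source IP: many distinct accounts with one or two failures each from one source is spraying, which per-account lockout never sees; many failures against one account is brute force. A success following either is the alert that matters. Log lines, IPs and thresholds are made up for the demo.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "time source_ip user result"
AUTH_LOG = """\
08:00:01 203.0.113.7 alice FAIL
08:00:02 203.0.113.7 bob FAIL
08:00:03 203.0.113.7 carol FAIL
08:00:04 203.0.113.7 dave FAIL
08:00:05 203.0.113.7 erin FAIL
08:00:06 203.0.113.7 frank FAIL
08:00:07 203.0.113.7 frank OK
08:01:00 198.51.100.9 alice FAIL
08:01:01 198.51.100.9 alice FAIL
08:01:02 198.51.100.9 alice FAIL
08:01:03 198.51.100.9 alice FAIL
08:01:04 198.51.100.9 alice FAIL
08:01:05 198.51.100.9 alice FAIL
08:01:06 198.51.100.9 alice FAIL
08:01:07 198.51.100.9 alice FAIL
08:01:08 198.51.100.9 alice FAIL
08:01:09 198.51.100.9 alice FAIL
08:02:00 192.0.2.44 grace OK
08:02:30 192.0.2.44 grace FAIL
"""


def parse(log: str):
    """Return (time, ip, user, result) tuples from the whitespace-separated log."""
    return [tuple(line.split()) for line in log.splitlines() if line.strip()]


def classify_sources(events, spray_users=5, spray_max_per_user=2, brute_fails=8):
    """Per source IP, count failures per account and successful logins.

    Spraying: many distinct accounts, each failing only once or twice.
    Brute force: one account failing many times.
    Returns {ip: (verdict, [accounts that later logged in from that ip])}.
    """
    fails_per_user = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for _, ip, user, result in events:
        if result == "FAIL":
            fails_per_user[ip][user] += 1
        else:
            successes[ip].add(user)

    verdicts = {}
    for ip, per_user in fails_per_user.items():
        distinct = len(per_user)
        worst = max(per_user.values())
        if distinct >= spray_users and worst <= spray_max_per_user:
            kind = "password_spraying"
        elif worst >= brute_fails:
            kind = "brute_force"
        else:
            kind = "benign"
        # A success from a source already flagged as attacking is the
        # real finding: that credential is probably compromised.
        compromised = sorted(successes[ip]) if kind != "benign" else []
        verdicts[ip] = (kind, compromised)
    return verdicts


if __name__ == "__main__":
    for ip, (kind, hit) in classify_sources(parse(AUTH_LOG)).items():
        print(ip, kind, hit)
```

Real detections window these counts in time (for example, per 10 minutes) and, because spraying is often spread across many source IPs, also count distinct accounts failing with the same timing across all sources rather than per IP alone.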

### Network Attacks
| Attack | Description |
|---|---|
| DoS | Exhaust target resources (bandwidth, connections, CPU) from a single source |
| DDoS | Flood target, many sources (botnet) |
| ARP poisoning | Fake ARP replies, redirect traffic |
| DNS poisoning / spoofing | Inject false DNS records |
| DNS tunneling | Hide C2 traffic in DNS queries |
| MITM / On-path | Intercept communications |
| Replay | Capture and resend valid traffic |
| Session hijacking | Steal session token |
| Evil twin | Rogue Wi-Fi mimicking legitimate |
| Deauthentication | Spoofed 802.11 deauth frames force reconnect (capture 4-way handshake); blocked by 802.11w/PMF |
| SYN flood | Half-open TCP connections |
| Smurf | ICMP amplification via broadcast |
| Teardrop | Overlapping IP fragments |
| DNS amplification | Spoofed source, large DNS responses |
| NTP amplification | Abuse monlist command |
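DNS tunnelling hides the data in the query names themselves, so the detection is on the names rather than on traffic volume. The Python below is an added example, not from the cheat sheet: it groups a constructed resolver log by registrable domain and flags domains whose leftmost labels are long, high-entropy and never repeat, which is what encoded chunks of exfiltrated data or C2 polling look like. Domain names, client IPs and thresholds are constructed for the demo; production detectors also weigh query rate, TXT/NULL record types and response sizes.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real traffic): "client_ip query_name"
DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.example.com
10.0.0.9 3q2hk7x9fz0ab1c2d3e4f5g6h7j8k9l0m1n2o3p4.t.evil-c2.net
10.0.0.9 9z8y7x6w5v4u3t2s1r0q9p8o7n6m5l4k3j2h1g0f.t.evil-c2.net
10.0.0.9 aabbccddeeff00112233445566778899aabbccdd.t.evil-c2.net
10.0.0.9 k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0.t.evil-c2.net
"""


def shannon_entropy(s: str) -> float:
    """Bits per character. Hex/base32-encoded payloads sit near 4 or above;
    ordinary hostname labels are much lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Last two labels. Simplification: a real detector uses the Public
    Suffix List so that example.co.uk is not reduced to co.uk."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_domains(log: str, min_label: int = 30, min_entropy: float = 3.5,
                  min_unique: int = 3) -> dict:
    """Flag base domains with at least min_unique distinct leftmost labels
    that are both long and high-entropy: data being carried out (or
    commands pulled in) one query at a time."""
    subs = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        _, qname = line.split()
        subs[base_domain(qname)].add(qname.split(".")[0])

    flagged = {}
    for dom, labels in subs.items():
        suspicious = [l for l in labels
                      if len(l) >= min_label and shannon_entropy(l) >= min_entropy]
        if len(suspicious) >= min_unique:
            flagged[dom] = len(suspicious)
    return flagged


if __name__ == "__main__":
    print(score_domains(DNS_LOG))
```

The same three features (label length, entropy, never-repeating labels) also catch DGA-style beaconing; tune the thresholds against your own baseline, since CDNs and some SaaS products legitimately use long hashed subdomains, and allow-list those.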

### Application Attacks
| Attack | Description |
|---|---|
| SQL Injection | Malicious SQL via user input |
| XSS (Cross-Site Scripting) | Inject script to execute in victim browser |
| CSRF | Forge a state-changing request that the victim's logged-in browser sends with its ambient cookies |
| XXE (XML External Entity) | Abuse external-entity resolution in XML parsers (local file read, SSRF) |
| Command injection | Execute OS commands via app |
| LDAP injection | Manipulate LDAP queries |
| Directory traversal | Escape the web root with ../ sequences (../../../etc/passwd) |
| Buffer overflow | Write past allocated memory |
| Race condition (TOCTOU) | Time-of-check vs time-of-use |
| Integer overflow | Arithmetic wrap-around |
| Deserialization | Untrusted data reconstructed into objects; gadget chains can lead to RCE |
| Memory leak | Unreleased memory; exhausts resources over time (DoS) |
| SSRF | Server-Side Request Forgery: make the server fetch attacker-chosen URLs (internal services, cloud metadata endpoint) |
| API abuse | Exploit exposed APIs |
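The SQL injection row is the one most worth seeing in code. This added example (not from the cheat sheet) builds an in-memory SQLite table and shows a login query that concatenates user input beside the parameterised version. The user names and passwords are constructed, and the plaintext password column exists only to keep the injection demo short; real storage holds a salted, stretched hash.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo table; plaintext passwords only to keep the demo short."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("alice", "hunter2", "user")],
    )
    return con


def login_vulnerable(con, username: str, password: str):
    """String concatenation: whatever the user types becomes SQL syntax.
    username = "admin' --"  comments out the password check entirely.
    password = "' OR '1'='1"  makes the WHERE clause true for every row."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return con.execute(sql).fetchone()


def login_safe(con, username: str, password: str):
    """Parameterised query: the driver binds input as data, so quotes and
    comment markers are never parsed as SQL. Same inputs, no bypass."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", login_vulnerable(con, "admin' --", "wrong"))
    print("safe:      ", login_safe(con, "admin' --", "wrong"))
```

Parameterisation fixes the syntax problem; it does not validate the value, so length and character-set checks and least-privilege database accounts still belong in front of and behind it.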

## 3. Malware Types

| Type | Description |
|---|---|
| Virus | Attaches to host file, needs execution |
| Worm | Self-propagating, no host needed |
| Trojan | Disguised as legitimate software |
| Ransomware | Encrypts files, demands payment |
| Fileless malware | Runs in memory via legitimate tools (PowerShell, WMI); little or no on-disk footprint |
| Crypto-malware | Ransomware that encrypts data (as opposed to locker ransomware that only blocks access) |
| Spyware | Tracks user activity |
| Adware | Displays unwanted advertisements |
| Rootkit | Hides presence at kernel level |
| Bootkit | Infects boot sector / MBR / UEFI firmware, loads before the OS and its defences |
| Keylogger | Records keystrokes |
| RAT | Remote Access Trojan (full remote control) |
| Logic bomb | Triggered by specific event/date |
| Cryptominer | Uses victim CPU/GPU for cryptocurrency |
| Botnet | Network of compromised hosts (zombies) |
| Backdoor | Bypasses normal authentication |
| Polymorphic | Changes code to evade signatures |
| Metamorphic | Completely rewrites itself |
| Dropper / Stager | Minimal initial payload that downloads more |

## 4. Vulnerabilities & Risk

### Vulnerability Lifecycle
- **Zero-day**: Unknown to vendor, no patch
- **N-day**: Publicly known (N days since disclosure), patch usually available; exploited on systems that have not applied it
- **Published CVE**: Listed in Common Vulnerabilities and Exposures
- **Exploited**: Active exploitation observed

### CVSS Scoring (v3.1)
| Score | Severity |
|---|---|
| 0.0 | None |
| 0.1 - 3.9 | Low |
| 4.0 - 6.9 | Medium |
| 7.0 - 8.9 | High |
| 9.0 - 10.0 | Critical |

Base metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), and Confidentiality / Integrity / Availability impact (C/I/A). Temporal and Environmental metrics adjust the base score for exploit maturity and the local deployment.

### Common Vulnerability Categories
- **Buffer overflow** (stack, heap)
- **Race condition / TOCTOU**
- **Injection flaws** (SQL, XSS, XML, LDAP, command)
- **Misconfigurations** (default creds, open ports, verbose errors)
- **Weak cryptography** (MD5, SHA-1, DES, RC4, RSA keys under 2048 bits, ECB mode)
- **Zero-day**
- **Supply chain** (compromised dependency, e.g., SolarWinds)

## 5. Cryptography

### Symmetric (same key both sides)
| Algorithm | Key Size | Notes |
|---|---|---|
| AES | 128/192/256 | Current standard |
| 3DES | 168 (effective 112) | Legacy, deprecated |
| DES | 56 | Broken |
| ChaCha20 | 256 | Stream, mobile-friendly |
| Blowfish | Variable | Legacy |
| Twofish | 128/192/256 | AES finalist |
| RC4 | Variable | Broken (do not use) |

### Asymmetric (public/private key pair)
| Algorithm | Purpose | Key Size |
|---|---|---|
| RSA | Encryption, signatures, key exchange | 2048/3072/4096 |
| DSA | Digital signatures only | 2048/3072 |
| ECC | Signatures, key exchange (smaller keys) | 256/384/521 |
| ElGamal | Encryption | Variable |
| Diffie-Hellman (DH) | Key exchange only (not encryption) | 2048+ |
| ECDH | Elliptic curve key exchange | 256/384 |

### Hashing (one-way)
| Algorithm | Output | Status |
|---|---|---|
| MD5 | 128-bit | Broken (collisions) |
| SHA-1 | 160-bit | Broken for collisions (SHAttered, 2017); do not use for signatures or certificates |
| SHA-2 (SHA-256/384/512) | 256/384/512-bit | Current standard |
| SHA-3 | 224/256/384/512-bit | Current, different design |
| bcrypt | 184-bit (60-char string) | Password hashing, built-in salt and cost factor |
| scrypt | Variable | Password hashing, memory-hard |
| Argon2 | Variable | Password hashing, winner of 2015 PHC |
| HMAC | Depends on underlying hash | Message authentication |

### Key Concepts
- **Digital signature**: Hash the message, sign the hash with the private key, verify with the public key (integrity + non-repudiation). "Encrypting the hash" is the RSA textbook picture; ECDSA and EdDSA sign without any encryption step
- **Digital certificate**: Public key + identity, signed by CA (X.509 standard)
- **PKI**: Public Key Infrastructure (CA, RA, CRL, OCSP)
- **Certificate fields**: Subject, Issuer, Serial, Validity, Public Key, Signature, SAN
- **Salt**: Random per-user value stored alongside the hash; identical passwords produce different hashes (defeats rainbow tables)
- **Pepper**: Secret value added like a salt but shared across users and kept outside the credential database (KMS/HSM/app config)
- **Key stretching**: Intentionally slow, tunable hashing (PBKDF2, bcrypt, scrypt, Argon2) so every offline guess is expensive
- **Nonce**: Number used once (prevents replay); in CTR/GCM a nonce reused under the same key breaks both confidentiality and integrity
- **IV (Initialisation Vector)**: Per-message input that randomises the first block; must be unpredictable for CBC and unique for CTR/GCM
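Salt, pepper and key stretching fit together in one password-storage routine. The Python below is an added example, not from the cheat sheet: PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt, a pepper applied through HMAC before stretching, and a constant-time verify. The pepper value, the iteration count and the storage-string format are this example's own choices, not a standard.

```python
import hashlib
import hmac
import os

# Assumption for this example: the pepper is held outside the credential
# database (KMS, HSM or app config), so a dumped users table cannot be
# cracked without it. The value below is constructed for the demo.
PEPPER = bytes.fromhex("5f2b8c1e9d4a7b3c0e6f1a2b3c4d5e6f")
ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def unsalted_sha256(password: str) -> str:
    """What NOT to do: identical passwords give identical hashes, so one
    precomputed (rainbow) table cracks every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    Pepper: keyed in via HMAC so the secret never touches the database.
    Salt:   16 random bytes per user, stored beside the hash.
    Stretch: PBKDF2-HMAC-SHA256 with a tunable iteration count.
    """
    if salt is None:
        salt = os.urandom(16)
    peppered = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so response timing does not leak how many bytes matched."""
    try:
        alg, iters, salt_hex, _ = stored.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Because the stored string carries its own iteration count, the work factor can be raised for each user on their next successful login without a migration; that is the same idea as bcrypt's cost parameter. A wrong password and a malformed record both return False, so callers cannot tell the two apart.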

### Modes of Operation
- **ECB**: Electronic Codebook (insecure; identical plaintext blocks encrypt identically, so patterns show through)
- **CBC**: Cipher Block Chaining (needs an unpredictable IV, no integrity; padding-oracle attacks if used without a MAC)
- **CTR**: Counter mode (turns the block cipher into a stream, parallelisable, no integrity on its own)
- **GCM**: Galois/Counter Mode (CTR + GHASH; authenticated encryption, preferred; never reuse a nonce under the same key)
- **CCM**: CTR + CBC-MAC (authenticated; used in WPA2)

## 6. Identity and Access Management

### Authentication Factors
| Factor | Examples |
|---|---|
| Something you know | Password, PIN, security question |
| Something you have | Smart card, token, phone (OTP app) |
| Something you are | Fingerprint, face, iris, voice |
| Somewhere you are | GPS, IP geolocation |
| Something you do | Typing pattern, gait |

**MFA**: Two or more factors from different categories
**2SV (Two-Step Verification)**: Two sequential checks that may come from the same category (password + security question). SMS codes do count as possession, but they are the weakest "have" factor (SIM swap, interception), so an OTP app or FIDO2 key is preferred

### Auth Protocols
| Protocol | Use Case |
|---|---|
| Kerberos | AD SSO, time-sensitive tickets |
| LDAP / LDAPS | Directory queries (389/636) |
| RADIUS | Network device / 802.1X auth (UDP 1812/1813; encrypts only the password attribute) |
| TACACS+ | Cisco admin auth (TCP 49; separates AAA; encrypts the whole packet body) |
| SAML | Federated SSO (XML-based, enterprise) |
| OAuth 2.0 | Delegated authorization |
| OpenID Connect | Authentication on top of OAuth |
| FIDO2 / WebAuthn | Passwordless hardware-backed auth |
| EAP | Extensible Authentication Protocol framework |

### Access Control Models
- **DAC** (Discretionary): Owner decides (file permissions)
- **MAC** (Mandatory): Labels and clearances (government)
- **RBAC** (Role-Based): Permissions by role
- **ABAC** (Attribute-Based): Policy engine using attributes
- **Rule-based**: ACLs, firewall rules
- **Time-based**: Access valid only during work hours

### Privileged Access
- **PAM**: Privileged Access Management (vault, session recording)
- **JIT**: Just-in-Time access
- **Jump server / Bastion host**: Controlled gateway
- **Password vault**: Centralised credential storage

## 7. Network Security

### Firewalls
| Type | Layer | Description |
|---|---|---|
| Stateless / Packet filter | 3-4 | Rules on IP/port only |
| Stateful | 3-4 | Tracks connection state |
| NGFW | 3-7 | Adds app awareness, IPS, URL filtering |
| WAF | 7 | Application-layer (HTTP-specific) |
| Host-based | 3-7 | On the endpoint |
| Proxy | 7 | Terminates and re-originates connection |

### IDS vs IPS
| Feature | IDS | IPS |
|---|---|---|
| Deployment | Out-of-band (SPAN/TAP) | Inline |
| Action | Detect + alert | Detect + block |
| Latency impact | None | Some (and the inline failure mode, fail-open vs fail-closed, must be chosen) |
| Detection methods | Signature, anomaly, heuristic, behavioural | Same |
| Types | NIDS, HIDS | NIPS, HIPS |

### VPN Technologies
- **IPsec**: Layer 3 tunnel (AH for integrity, ESP for confidentiality+integrity)
  - **IKEv1 / IKEv2**: Key exchange (v2 is preferred)
  - **Tunnel mode**: Entire packet encapsulated (site-to-site)
  - **Transport mode**: Only payload encrypted (host-to-host)
- **SSL/TLS VPN**: Layer 4-7, browser-based or client (OpenVPN, AnyConnect)
- **WireGuard**: Modern, fast, uses ChaCha20 + Curve25519
- **L2TP/IPsec**: L2TP for tunnel, IPsec for encryption
- **GRE**: Tunnel without encryption (often combined with IPsec)

### NAC (Network Access Control)
- Pre-admission: Check device posture before allowing access
- Post-admission: Monitor behaviour after connection
- 802.1X: Port-based authentication (EAP over LAN)
- Quarantine VLAN for non-compliant devices

### Network Segmentation
- **VLANs**: L2 separation
- **Micro-segmentation**: East-west traffic control (zero trust)
- **DMZ / Perimeter network**: Public-facing isolation
- **Air gap**: Physical isolation from any network
- **Zero Trust**: Never trust, always verify; assume breach

## 8. Wireless Security

### Protocols
| Protocol | Year | Encryption | Key Exchange | Strength |
|---|---|---|---|---|
| Open | - | None | None | None |
| WEP | 1997 | RC4 (40/104-bit) | Static | Broken |
| WPA | 2003 | TKIP (RC4) | PSK / Enterprise | Weak |
| WPA2 | 2004 | AES-CCMP | PSK (PBKDF2) / Enterprise (802.1X) | Strong |
| WPA3 | 2018 | AES-CCMP-128 (Personal) / AES-GCMP-256 (Enterprise 192-bit mode) | SAE / Enterprise (802.1X) | Strongest |

### WPA3 Improvements
- **SAE** (Simultaneous Authentication of Equals, the Dragonfly handshake) replaces the passphrase-derived PMK of WPA2-PSK; a 4-way handshake still follows, but capturing it no longer gives an attacker anything to guess against offline
- Forward secrecy (captured traffic can't be decrypted later even if the password leaks)
- Protects against offline dictionary attacks (each guess needs a live exchange with the AP, so rate limiting works)
- Protected Management Frames (802.11w) are mandatory, which blocks deauthentication attacks
- Stronger encryption (192-bit suite for Enterprise mode)
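Why WPA2-PSK is crackable offline and WPA3-SAE is not comes down to how the PMK is derived. This added example (not from the cheat sheet) derives the WPA2 PMK exactly as 802.11i specifies, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, and then runs the offline guessing loop a cracker performs against a captured handshake. The wordlist is constructed; comparing against a known PMK stands in for the handshake MIC check that aircrack-ng actually performs, which costs the same per guess.

```python
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds,
    256-bit output. Same passphrase + same SSID = same PMK for every client
    and every session, which is why per-SSID rainbow tables exist for
    common names like "linksys"."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def offline_dictionary(ssid: str, target_pmk: bytes, wordlist):
    """Offline guessing loop. Returns (passphrase, guesses_tried) on success
    or (None, guesses_tried). Nothing touches the network: once the 4-way
    handshake is captured the AP cannot rate-limit or lock anything, so the
    only defence is passphrase length (or moving to WPA3-SAE)."""
    for tried, guess in enumerate(wordlist, 1):
        if wpa2_pmk(guess, ssid) == target_pmk:
            return guess, tried
    return None, len(wordlist)


if __name__ == "__main__":
    # "password" / "IEEE" is the 802.11i Annex test vector
    captured = wpa2_pmk("password", "IEEE")
    print(captured.hex())
    print(offline_dictionary("IEEE", captured, ["123456", "letmein", "password"]))
```

Each guess costs 4096 PBKDF2 rounds, roughly 8192 SHA-1 computations, which a modern GPU performs hundreds of thousands of times per second; a passphrase drawn from a wordlist falls in minutes. Under WPA3 the PMK comes out of the SAE exchange, which commits to the passphrase without exposing anything that can be tested offline, so every guess has to be a live, rate-limited exchange with the AP.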

### EAP Types (for Enterprise)
| EAP Type | Client Cert | Server Cert | Notes |
|---|---|---|---|
| EAP-TLS | Required | Required | Most secure, certificate-based |
| PEAP | No | Required | Protects MS-CHAPv2 inside TLS |
| EAP-TTLS | No | Required | Similar to PEAP, more flexible |
| EAP-FAST | No | Optional (PAC) | Cisco, replaces LEAP |
| LEAP | No | No | Cisco legacy, broken |

### Wireless Attacks
- **Evil twin**: Rogue AP with legitimate SSID
- **Deauthentication**: Force reconnect to capture handshake
- **KRACK**: Key Reinstallation Attack (WPA2 protocol flaw)
- **Dragonblood**: WPA3 SAE side-channel attacks
- **Jamming**: RF interference
- **Wi-Fi Pineapple**: Automated MITM tool
- **WPS brute force**: 8-digit PIN is validated in two halves, so roughly 11,000 guesses recover it in hours (disable WPS)

## 9. Cloud Security

### Shared Responsibility Model
| Layer | IaaS | PaaS | SaaS |
|---|---|---|---|
| Data | Customer | Customer | Customer |
| Application | Customer | Customer | Provider |
| OS | Customer | Provider | Provider |
| Virtualisation | Provider | Provider | Provider |
| Physical | Provider | Provider | Provider |

### Cloud Security Tools
- **CASB** (Cloud Access Security Broker): Policy enforcement between users and cloud apps
- **SWG** (Secure Web Gateway): URL filtering, DLP, anti-malware for outbound web
- **SASE** (Secure Access Service Edge): Combines SD-WAN + security (SWG, CASB, ZTNA, FWaaS)
- **SSE** (Security Service Edge): Security subset of SASE
- **CSPM** (Cloud Security Posture Mgmt): Detect cloud misconfigurations
- **CWPP** (Cloud Workload Protection): Protect VMs, containers, serverless
- **CIEM** (Cloud Infrastructure Entitlement Mgmt): Manage cloud permissions

## 10. Incident Response

### NIST SP 800-61 Phases
1. **Preparation** - policies, tools, training, jump bag
2. **Detection and Analysis** - identify, prioritise, document
3. **Containment, Eradication, and Recovery** - stop spread, remove threat, restore
4. **Post-Incident Activity** - lessons learned, update playbooks

### Order of Volatility (RFC 3227)
1. CPU registers and cache
2. Routing tables, ARP cache, process list, kernel stats, memory
3. Temporary files
4. Disk
5. Remote logging data
6. Physical configuration and network topology
7. Archival media

### Chain of Custody Elements
- Who collected, when, where, what
- Hash of evidence (before/after)
- Seal and signature
- Secure storage
- Transfer log (everyone who touched it)
- Admissibility depends on unbroken chain

### Forensic Tools
- **FTK Imager** / **dd**: Create forensic images
- **Autopsy** / **Sleuth Kit**: Analyse images
- **Volatility**: Memory analysis
- **Wireshark**: Packet analysis
- **Write blocker**: Prevent modification during imaging

## 11. Governance, Risk, Compliance (GRC)

### Risk Management
| Strategy | Description |
|---|---|
| Accept | Acknowledge and absorb (low impact or low likelihood) |
| Mitigate | Reduce likelihood or impact via controls |
| Transfer | Shift to third party (insurance, outsourcing) |
| Avoid | Don't engage in the risky activity |

**Risk = Likelihood x Impact**

- Qualitative: High/Med/Low ratings on a likelihood-impact matrix
- Quantitative: ALE = SLE x ARO
  - SLE (Single Loss Expectancy) = Asset Value x Exposure Factor (fraction of the asset's value lost per event)
  - ARO (Annualised Rate of Occurrence) = expected number of events per year
  - ALE (Annualised Loss Expectancy) = expected yearly loss; a control is cost-justified when the ALE it removes exceeds its annual cost

### Regulations & Standards
| Name | Region/Scope | Focus |
|---|---|---|
| GDPR | EU | Data privacy |
| UK GDPR / DPA 2018 | UK | Data privacy |
| HIPAA | US | Healthcare data |
| PCI-DSS | Global | Payment card data |
| SOX | US public companies | Financial reporting controls |
| GLBA | US financial | Consumer financial privacy |
| CCPA / CPRA | California | Consumer privacy |
| FedRAMP | US federal cloud | Cloud security baseline |
| ISO 27001 | Global | ISMS certification |
| ISO 27002 | Global | Security controls guidance |
| NIST CSF | US (global use) | Cybersecurity framework |
| NIST SP 800-53 | US federal | Security controls |
| CIS Controls | Global | Prioritised security controls |
| SOC 2 | US (global use) | Service org controls (Trust Service Criteria) |

### Data Classification
- **Public**: No harm if disclosed
- **Internal**: Minor harm if leaked
- **Confidential**: Damaging if disclosed
- **Restricted / Top Secret**: Severe harm

### Data Roles
- **Data Owner**: Accountable for data (business exec)
- **Data Steward**: Quality, policies
- **Data Custodian**: Technical care (IT)
- **Data Processor**: Third party handling data
- **Data Controller**: Determines purpose of processing (GDPR)
- **DPO**: Data Protection Officer

## 12. Security Tools

| Tool | Category | Description |
|---|---|---|
| Wireshark | Packet analysis | GUI protocol analyser |
| tcpdump | Packet capture | CLI packet capture |
| nmap | Network scanner | Port/service discovery |
| Nessus / OpenVAS | Vulnerability scanner | CVE-based scanning |
| Metasploit | Exploitation framework | Pen test / research |
| Burp Suite | Web app testing | Intercept, modify HTTP |
| OWASP ZAP | Web app testing | Open source alternative to Burp |
| hping / hping3 | Packet crafter | Custom TCP/UDP/ICMP |
| John the Ripper | Password cracker | CPU-based |
| Hashcat | Password cracker | GPU-accelerated |
| Aircrack-ng | Wi-Fi cracking | WEP/WPA2 handshake capture |
| Hydra | Online brute force | Many protocols |
| Responder | LLMNR/NBT-NS poisoner | Internal AD attacks |
| BloodHound | AD attack paths | Graph-based |
| OpenSSL | Crypto toolkit | Certificates, encryption |
| Sysinternals | Windows toolkit | Process Explorer, Autoruns |
| Splunk / ELK / Graylog | SIEM | Log aggregation and search |
| osquery | Endpoint telemetry | SQL-queryable OS info |

## 13. Security-Relevant Port Numbers

| Port | Service | Notes |
|---|---|---|
| 22 | SSH / SFTP / SCP | Secure shell |
| 23 | Telnet | Insecure (plaintext) |
| 25 | SMTP | Email relay |
| 53 | DNS | Query and zone transfer |
| 80 | HTTP | Insecure web |
| 88 | Kerberos | AD authentication |
| 110 | POP3 | Email retrieval (insecure) |
| 123 | NTP | Time sync |
| 135 | MS RPC | Windows RPC |
| 137-139 | NetBIOS | Legacy Windows |
| 143 | IMAP | Email retrieval (insecure) |
| 161/162 | SNMP | Network mgmt (v3 for security) |
| 389 | LDAP | Directory (insecure) |
| 443 | HTTPS | Secure web |
| 445 | SMB | Windows file share |
| 465 | SMTPS | Submission over implicit TLS (re-standardised by RFC 8314; 587 + STARTTLS is the other common choice) |
| 500 | IKE | IPsec key exchange |
| 514 | Syslog | Log collection |
| 587 | SMTP submission | Email submission with STARTTLS |
| 636 | LDAPS | Secure LDAP |
| 989/990 | FTPS | Secure FTP |
| 993 | IMAPS | Secure IMAP |
| 995 | POP3S | Secure POP3 |
| 1433 | MS SQL | Database |
| 1701 | L2TP | Tunneling |
| 1723 | PPTP | Legacy VPN |
| 1812/1813 | RADIUS | Auth/Accounting |
| 1883 | MQTT | IoT messaging |
| 3389 | RDP | Windows remote desktop |
| 4500 | IPsec NAT-T | NAT traversal |
| 5060/5061 | SIP / SIP-TLS | VoIP |
| 6514 | Syslog TLS | Secure syslog |
| 8443 | HTTPS alt | Admin portals |

## 14. Acronym Reference

AAA, ACL, AES, AH, APT, ARP, ASLR, ATT&CK, BCP, BGP, BIA, C2, CA, CAC, CAPTCHA, CASB, CBC, CCE, CIA, CIS, CISO, CMDB, CNAPP, CRL, CSA, CSIRT, CSRF, CSR, CVE, CVSS, CWPP, DAC, DDoS, DEP, DES, DH, DHCP, DKIM, DLP, DMARC, DMZ, DNS, DNSSEC, DoS, DPO, DRP, DSA, DSS, EAP, ECC, EDR, EFS, EOL, ESP, FIM, FIPS, GCM, GDPR, GPG, GPO, GRC, HIDS, HIPAA, HMAC, HOTP, HSM, HTTPS, IaC, IAM, ICS, IDS, IKE, IOC, IPS, IPsec, IR, IoT, IPv4/6, ISA, ISO, IV, JBOD, JIT, JWT, KRI, L2TP, LDAP, MAC, MD5, MDM, MFA, MITRE, MOU, MSP, MTBF, MTTR, MTTD, NAC, NAT, NDA, NFV, NGFW, NIDS, NIST, NOC, NTLM, NTP, OAuth, OCSP, OSINT, OTP, OWASP, PAM, PAT, PBKDF2, PCI-DSS, PGP, PHI, PII, PKI, POAM, POP, PPTP, RADIUS, RAT, RBAC, RCE, REST, RFID, RMM, RPO, RSA, RTO, SAE, SAML, SAN, SASE, SCAP, SCIM, SDLC, SDN, SED, SFTP, SHA, SIEM, SLA, SLE, SMB, SMS, SOAR, SOC, SoC, SPF, SQL, SSH, SSL, SSO, STIX, STP, SYN, TACACS, TAXII, TCP, TGT, TLS, TOTP, TPM, TTP, UAC, UDP, UEFI, UEM, UID, UPS, UTM, VLAN, VM, VPN, WAF, WAP, WEP, WIDS, WIPS, WPA, XDR, XML, XSS, ZTA, ZTNA

---

**VantagePoint Networks** - vantagepointnetworks.com
