SY0-701 Exam Objectives
Domain 1: General Security Concepts
Categories
- Technical
- Managerial
- Operational
- Physical
Control Types
- Preventive
- Deterrent
- Detective
- Corrective
- Compensating
- Directive
Know how to classify controls by BOTH category AND type, and remember that one control can carry more than one type. A firewall is Technical + Preventive (its logs feeding a SIEM are Detective); a backup is Technical + Corrective; a warning sign is Physical + Deterrent.
A security guard checking IDs at the entrance is an example of which type of control?
CIA Triad
- Confidentiality
- Integrity
- Availability
AAA
- Authentication
- Authorization
- Accounting
Other Concepts
- Non-repudiation
- Gap analysis
- Zero Trust
- Physical security
CIA + AAA are foundational; every security control maps to one or more of them. Non-repudiation means an action cannot later be denied; it comes from digital signatures (only the signer holds the private key), not from symmetric MACs, which either party could have produced.
Which security concept ensures that a sender cannot deny sending a message?
Business Processes
- Approval process
- Ownership
- Stakeholders
- Impact analysis
- Test results
- Backout plan
- Maintenance window
- Standard operating procedures
Technical Implications
- Allow lists/deny lists
- Downtime
- Restarts
- Legacy applications
- Dependencies
Documentation
- Updating diagrams
- Policies/procedures
- Version control
Change management reduces risk of outages. Always have a backout plan!
Before implementing a major system update, what should be created first?
Public Key Infrastructure (PKI)
- Public key
- Private key
- Key escrow
- Certificate authorities
- Certificate types
- Certificate formats
- Key management
Encryption
- Symmetric vs Asymmetric
- Key exchange
- Algorithms (AES, RSA, ECC)
- Key strength
Tools
- TPM
- HSM
- Key management system
- Secure enclave
Obfuscation
- Steganography
- Tokenization
- Data masking
Hashing
- SHA
- MD5
- Salting
- Digital signatures
- Key stretching
- Blockchain
Certificates
- Types
- Formats
- Online vs offline CA
- Revocation
- OCSP vs CRL
Symmetric = one shared key, fast, used for bulk data (AES is the standard cipher; AES-256 is the common key size). Asymmetric = public/private key pair, slow, used for key exchange and digital signatures (RSA, ECC). In practice they are combined: asymmetric to agree a session key, symmetric to encrypt the traffic.
Which encryption type uses the same key for both encryption and decryption?
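The Hashing items above (SHA vs MD5, salting, key stretching) are easier to remember once you have watched them work. The block below is an added example written for this page, not code from CompTIA or from any product; the password string is constructed for the demo, and it uses only the Python standard library (PBKDF2-HMAC-SHA256 as the key-stretching function, 600,000 iterations as the default cost):

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample input for the demonstration; not from any real system.
PASSWORD = "correct horse battery staple"


def plain_hash(data: str, algorithm: str = "sha256") -> str:
    """One-way, deterministic digest. MD5 yields 128 bits (32 hex chars),
    SHA-256 yields 256 bits (64 hex chars). Fine for integrity checks; bad
    on its own for passwords, because equal inputs give equal outputs and
    precomputed (rainbow) tables apply."""
    return hashlib.new(algorithm, data.encode()).hexdigest()


def bits_changed(a: str, b: str) -> int:
    """Hamming distance between the SHA-256 digests of two inputs: the
    avalanche effect that makes a hash useful for integrity checking."""
    return bin(int(plain_hash(a), 16) ^ int(plain_hash(b), 16)).count("1")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> tuple:
    """Salting + key stretching with PBKDF2-HMAC-SHA256.
    A random per-user salt defeats rainbow tables and makes identical
    passwords store differently; the iteration count raises the cost of
    every offline guess. Returns (salt, digest, iterations) to store."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def verify_password(password: str, salt: bytes, stored: bytes, iterations: int) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so response timing leaks nothing about how many bytes
    matched."""
    _, candidate, _ = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print("md5    ", plain_hash(PASSWORD, "md5"))
    print("sha256 ", plain_hash(PASSWORD))
    print("bits changed by a one-character edit:", bits_changed("message", "Message"))
    salt, digest, n = hash_password(PASSWORD)
    print("stored:", salt.hex(), digest.hex(), n)
    print("verify correct:", verify_password(PASSWORD, salt, digest, n))
    print("verify wrong:  ", verify_password("wrong", salt, digest, n))
```

Run it twice and the two PBKDF2 digests differ even though the password is the same: that is the salt doing its job, and why a breached password table cannot be attacked with one precomputed list.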
Domain 2: Threats, Vulnerabilities, and Mitigations
Threat Actors
- Nation-state
- Unskilled attacker
- Hacktivist
- Insider threat
- Organized crime
- Shadow IT
Attributes
- Internal/External
- Resources/Funding
- Level of sophistication
Motivations
- Data exfiltration
- Espionage
- Service disruption
- Blackmail
- Financial gain
- Philosophical beliefs
- Ethical hacking
- Revenge
- Disruption/chaos
- War
Nation-states have the most resources and patience (APT). Insiders have the most access.
Which threat actor is most likely to conduct long-term espionage campaigns?
Message-based
- Email
- SMS
- Instant messaging
Image-based
- Steganography
- Malicious images
File-based
- Malicious documents
- Executables
Voice/Call
- Vishing
- Spam over IP
- War dialing
Removable Device
- USB
- Flash drives
- Memory cards
Vulnerable Software
- Client-based
- Agentless
- Unsupported systems
Unsecure Networks
- Wireless
- Wired
- Bluetooth
Open Ports/Services
- Unnecessary services
- Default configurations
Default Credentials
- IoT devices
- Network equipment
Supply Chain
- Hardware
- Software
- Service providers
Attack surface = all possible entry points. Minimize it by disabling unnecessary services.
An attacker leaving infected USB drives in a parking lot is using which attack vector?
Application
- Memory injection
- Buffer overflow
- Race conditions
- Malicious update
OS-based
- Unpatched systems
- Misconfigurations
Web-based
- SQL injection
- XSS
- CSRF
- Directory traversal
Hardware
- Firmware
- End-of-life
- Legacy systems
Virtualization
- VM escape
- Resource reuse
Cloud
- Misconfigurations
- Shared tenancy
Supply Chain
- Service providers
- Hardware/software
Cryptographic
- Weak algorithms
- Implementation errors
Misconfiguration
- Default settings
- Open permissions
Mobile
- Sideloading
- Jailbreaking
Zero-day
- Unknown vulnerabilities
Zero-days are unknown to the vendor, so no patch exists yet. Until one ships, the only defenses are compensating controls and detection (segmentation, application allow lists, EDR), which is why they are the most dangerous class.
A vulnerability that is exploited before the vendor knows about it is called?
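Two of the web-based vulnerabilities listed above, SQL injection and directory traversal, come down to one mistake: untrusted input reaching an interpreter (the SQL parser, the filesystem path resolver) without a boundary. The block below is an added example written for this page, not CompTIA's or any project's code. It uses an in-memory SQLite table with invented rows and an invented static-file root (`/srv/www/static`); the vulnerable function is deliberately vulnerable so the payloads can be seen working, and the hardened versions sit beside it:

```python
import os
import sqlite3
from typing import List, Optional, Tuple


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table; the rows are invented for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> List[Tuple[str, str]]:
    """SQL injection: untrusted input is spliced into the SQL text, so a
    quote in the input changes the query's structure. Deliberately unsafe."""
    query = ("SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username: str, password: str) -> List[Tuple[str, str]]:
    """Hardened: parameterised query. The driver sends values separately
    from the statement, so input can never be parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Directory traversal guard: resolve the final path (following symlinks
    and collapsing '..') and insist it stays under base_dir. commonpath, not
    startswith, so '/srv/www/static2' is not accepted as inside
    '/srv/www/static'. Returns None for anything outside the root."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    db = build_demo_db()
    print(login_vulnerable(db, "alice' --", ""))        # comments out the password check
    print(login_vulnerable(db, "x", "' OR '1'='1"))     # tautology returns every row
    print(login_safe(db, "alice' --", ""))              # [] : input stayed data
    print(safe_join("/srv/www/static", "css/site.css"))
    print(safe_join("/srv/www/static", "../../../etc/passwd"))   # None
```

The payload `alice' --` works because SQLite treats `--` as a comment to end of line, so the `AND password = ...` clause never executes; the parameterised version returns nothing for the same input because the quote is just a character in a value. The traversal guard resolves the path first and checks afterwards: checking the raw string for `..` misses encoded and symlinked variants.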
Malware Attacks
- Ransomware
- Trojan
- Worm
- Spyware
- Bloatware
- Virus
- Keylogger
- Logic bomb
- Rootkit
Physical Attacks
- Brute force
- RFID cloning
- Environmental
Network Attacks
- DDoS
- DNS attacks
- Wireless attacks
- On-path attacks
- Credential replay
- Malicious code
Application Attacks
- Injection
- Buffer overflow
- Replay
- Privilege escalation
- Forgery
- Directory traversal
Cryptographic Attacks
- Downgrade
- Collision
- Birthday attack
Password Attacks
- Spraying
- Brute force
- Dictionary
Indicators
- Account lockout
- Concurrent sessions
- Blocked content
- Impossible travel
- Resource consumption
- Log anomalies
- Missing logs
Know the difference: a virus attaches to a host file and needs a user to run it; a worm self-replicates across the network with no user action; a Trojan poses as legitimate software to get installed. A rootkit hides at OS or firmware level; a logic bomb waits for a trigger condition.
Self-replicating malware that spreads across networks without user interaction is a?
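The Indicators list (account lockout, concurrent sessions, impossible travel, log anomalies) and the Password Attacks list (spraying, brute force, dictionary) meet in the SOC: each attack pattern leaves a distinct shape in the authentication log. The block below is an added example for this page, not CompTIA's or any SIEM vendor's rule set. The log lines are constructed (RFC 5737 documentation addresses, invented users, Berlin and New York coordinates for the two successful logins), and 900 km/h is an assumed ceiling for plausible travel:

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed authentication log (not from a real system):
# timestamp user src_ip result latitude longitude
AUTH_LOG = """\
2024-05-01T08:00:00+00:00 alice 198.51.100.10 SUCCESS 52.52 13.40
2024-05-01T08:45:00+00:00 alice 203.0.113.77 SUCCESS 40.71 -74.01
2024-05-01T09:00:00+00:00 bob 192.0.2.5 FAIL 0 0
2024-05-01T09:00:05+00:00 carol 192.0.2.5 FAIL 0 0
2024-05-01T09:00:10+00:00 dave 192.0.2.5 FAIL 0 0
2024-05-01T09:00:15+00:00 erin 192.0.2.5 FAIL 0 0
2024-05-01T09:00:20+00:00 frank 192.0.2.5 FAIL 0 0
2024-05-01T10:00:00+00:00 bob 192.0.2.9 FAIL 0 0
2024-05-01T10:00:01+00:00 bob 192.0.2.9 FAIL 0 0
2024-05-01T10:00:02+00:00 bob 192.0.2.9 FAIL 0 0
2024-05-01T10:00:03+00:00 bob 192.0.2.9 FAIL 0 0
2024-05-01T10:00:04+00:00 bob 192.0.2.9 FAIL 0 0
2024-05-01T10:00:05+00:00 bob 192.0.2.9 FAIL 0 0
"""

MAX_PLAUSIBLE_KMH = 900  # assumption: roughly airliner speed


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, lat, lon = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "result": result, "lat": float(lat), "lon": float(lon)})
    return events


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events) -> list:
    """Two successful logins by one user whose implied speed exceeds the
    ceiling: the classic stolen-credential indicator."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "SUCCESS":
            continue
        prev = last.get(e["user"])
        if prev:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append((e["user"], prev["ip"], e["ip"], round(km / hours)))
        last[e["user"]] = e
    return alerts


def password_spray(events, min_users: int = 5, max_per_user: int = 2) -> list:
    """Spraying: one source, many accounts, few tries each, so no single
    account hits the lockout threshold. Look per source IP, not per user."""
    by_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["ip"]][e["user"]] += 1
    return [ip for ip, users in by_ip.items()
            if len(users) >= min_users and max(users.values()) <= max_per_user]


def brute_force(events, threshold: int = 5) -> list:
    """Brute force / dictionary: many failures against one account."""
    per_user = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            per_user[e["user"]] += 1
    return [u for u, n in per_user.items() if n >= threshold]


if __name__ == "__main__":
    evts = parse_log(AUTH_LOG)
    print("impossible travel:", impossible_travel(evts))
    print("spraying sources: ", password_spray(evts))
    print("brute-forced accounts:", brute_force(evts))
```

Note why the spray rule counts distinct users per IP rather than failures per user: a spray of one guess per account never trips a lockout policy, which is exactly what the attacker intends, so the detection has to pivot on the source.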
Segmentation
- Network segmentation
- Micro-segmentation
Access Control
- ACLs
- Permissions
- Least privilege
Application Allow List
- Approved software only
Isolation
- Air gap
- Sandboxing
Patching
- Regular updates
- Hotfixes
Encryption
- Data at rest
- Data in transit
Monitoring
- SIEM
- Log analysis
Hardening
- Default configs
- Unnecessary services
- Secure baselines
Decommissioning
- Secure disposal
- Data sanitization
Configuration Management
- Baselines
- Automation
Defense in depth = multiple layers. Never rely on a single control.
Which mitigation technique involves creating physically separate networks?
Domain 3: Security Architecture
Architecture Models
- Cloud
- IaaS
- PaaS
- SaaS
- XaaS
- On-premises
- Hybrid
- Fog computing
Deployment
- Public
- Private
- Community
- Hybrid
Considerations
- Scalability
- Availability
- Resilience
- Cost
- Responsibility matrix
Third-party
- Vendors
- MSPs
- MSSPs
Know the shared responsibility model: IaaS (you manage the OS, middleware, applications and data), PaaS (the provider manages up through the runtime), SaaS (the provider manages almost everything). In every model the customer remains responsible for its data and for identities and access.
In which cloud model does the customer have the MOST responsibility for security?
Device Placement
- Firewall zones
- Proxy
- Sensors
- Jump server
Security Zones
- DMZ
- Internal
- External
- Screened subnet
Network Appliances
- IDS/IPS
- WAF
- Load balancer
- Reverse proxy
Port Security
- 802.1X
- MAC filtering
- STP
Firewalls
- Types
- Rules
- Stateful/stateless
VPN
- Site-to-site
- Remote access
- IPSec
- SSL/TLS
SD-WAN
- Software-defined networking
- SASE
DMZ and screened subnet are the same idea (SY0-701 prefers the term screened subnet): a zone between the internet-facing and internal firewalls for public-facing servers. Never place internal resources in it, and restrict what the DMZ may initiate toward the internal network so a compromised web server is not a pivot point.
A web server that needs to be accessed from the internet should be placed in the?
Data States
- Data at rest
- Data in transit
- Data in use
Data Types
- Regulated
- Trade secret
- Intellectual property
- Legal holds
- PII
- PHI
Classifications
- Public
- Private
- Sensitive
- Confidential
- Critical
- Proprietary
Methods
- Encryption
- Tokenization
- Masking
- Hashing
- Obfuscation
- Segmentation
- Permission restrictions
Lifecycle
- Create
- Store
- Use
- Share
- Archive
- Destroy
Know all three data states and the protection that fits each: at rest (full-disk or database encryption), in transit (TLS, IPsec), in use (memory encryption and secure enclaves, plus tight access control, since data must be decrypted to be processed).
Data being processed by an application is in which state?
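Tokenization and masking appear twice on this page, under Obfuscation in Domain 1 and under data protection Methods here, and the exam expects you to keep them apart from encryption and hashing. The block below is an added example written for this page, not CompTIA's or any vendor's code; the card number is the industry test number 4111 1111 1111 1111 (not a real card), the `TokenVault` class is a stand-in for a real token service, and the Luhn routine is there only to show the constructed number is well-formed:

```python
import hashlib
import secrets
from typing import Dict, Optional


class TokenVault:
    """Tokenization: the real value is stored only in the vault and replaced
    everywhere else by a random token. Unlike encryption or hashing there is
    no mathematical link to reverse; an attacker holding tokens but not the
    vault learns nothing about the originals."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._by_value:          # one token per value keeps records joinable
            token = "tok_" + secrets.token_hex(8)
            self._by_token[token] = value
            self._by_value[value] = token
        return self._by_value[value]

    def detokenize(self, token: str) -> Optional[str]:
        return self._by_token.get(token)


def mask_pan(pan: str) -> str:
    """Data masking: show only the last four digits, as a receipt does.
    Irreversible; fine for display, useless for processing."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def hash_pan(pan: str) -> str:
    """Hashing a PAN is NOT equivalent protection: the digest is deterministic
    and the PAN space is small (about 10^15 Luhn-valid 16-digit numbers, far
    fewer once the issuer prefix is known), so plain SHA-256 can be brute-forced;
    a keyed hash or tokenization is needed."""
    return hashlib.sha256(pan.encode()).hexdigest()


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: the format check every PAN must pass."""
    digits = [int(ch) for ch in pan if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    pan = "4111 1111 1111 1111"    # industry test number, not a real card
    vault = TokenVault()
    token = vault.tokenize(pan)
    print("token:", token, "-> detokenized:", vault.detokenize(token))
    print("masked:", mask_pan(pan))
    print("luhn ok:", luhn_valid(pan))
    print("sha256:", hash_pan(pan))
```

The design point: a token is useful to downstream systems precisely because it is meaningless, so the vault becomes the one place that needs PCI-DSS-grade controls and the rest of the estate drops out of scope.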
High Availability
- Load balancing
- Clustering
Site Considerations
- Hot site
- Cold site
- Warm site
- Geographic dispersal
Platform Diversity
- Multiple vendors
- Technology diversity
Multi-cloud
- Multiple providers
- Avoiding lock-in
Backups
- Full
- Incremental
- Differential
- Snapshots
- Journaling
- Offsite
- 3-2-1 rule
Power
- UPS
- Generator
- Dual supply
Capacity Planning
- People
- Technology
- Infrastructure
Hot site = equipment and current data, ready almost immediately (most expensive). Warm site = equipment installed but no current data; restore from backup before use. Cold site = space, power and connectivity only (cheapest, slowest recovery).
A backup site with equipment installed but no data is called a?
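Full, incremental and differential backups are a reliable exam question because the restore chain differs: incremental needs the full plus every incremental since; differential needs the full plus only the latest differential, at the cost of each differential growing. The block below is an added example for this page, not CompTIA's or any backup product's code; the file names and the three days of changes are constructed, and each "backup" is simply a map of file name to version number:

```python
from typing import Dict, List, Set, Tuple

FILES = ["payroll.db", "web.conf", "report.docx", "logo.png"]
# Constructed change history for the days after a Sunday full backup.
DAILY_CHANGES: List[Set[str]] = [
    {"payroll.db"},                 # Monday
    {"payroll.db", "web.conf"},     # Tuesday
    {"report.docx"},                # Wednesday
]

Snapshot = Dict[str, int]   # file -> version number (0 = as of the full backup)


def true_state(day: int) -> Snapshot:
    """What the live system looks like at the end of `day`."""
    state = {f: 0 for f in FILES}
    for d, changed in enumerate(DAILY_CHANGES[:day], start=1):
        for f in changed:
            state[f] = d
    return state


def take_backups(strategy: str) -> List[Tuple[str, Snapshot]]:
    """Full on day 0, then one incremental or differential per day.
    Incremental captures changes since the previous backup of any kind;
    differential captures everything changed since the last full."""
    backups = [("full-0", true_state(0))]
    for day in range(1, len(DAILY_CHANGES) + 1):
        if strategy == "incremental":
            changed = DAILY_CHANGES[day - 1]
        elif strategy == "differential":
            changed = set().union(*DAILY_CHANGES[:day])
        else:
            raise ValueError(strategy)
        live = true_state(day)
        backups.append((f"{strategy[:4]}-{day}", {f: live[f] for f in changed}))
    return backups


def restore_chain(backups, strategy: str, day: int) -> List[str]:
    """Which backup sets must be read, in order, to rebuild `day`."""
    if strategy == "incremental":
        return [label for label, _ in backups[:day + 1]]
    return [backups[0][0]] + ([backups[day][0]] if day else [])


def restore(backups, strategy: str, day: int) -> Snapshot:
    """Overlay each set in the chain in chronological order; later sets win."""
    wanted = set(restore_chain(backups, strategy, day))
    state: Snapshot = {}
    for label, snapshot in backups:
        if label in wanted:
            state.update(snapshot)
    return state


def storage_used(backups) -> int:
    """Total file copies held across all sets (the media-cost side of the trade)."""
    return sum(len(snapshot) for _, snapshot in backups)


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        b = take_backups(strategy)
        print(strategy, "chain for Wednesday:", restore_chain(b, strategy, 3),
              "| file copies stored:", storage_used(b),
              "| restore correct:", restore(b, strategy, 3) == true_state(3))
```

Both strategies rebuild the same state, which is the point; what differs is that losing any one incremental set breaks every later restore, while a differential restore depends on only two sets. That is the trade between backup window and recovery time objective.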
Domain 4: Security Operations
Secure Baselines
- Configuration standards
- Hardening guides
Hardening Targets
- Mobile
- Workstations
- Servers
- Cloud
- Network devices
- IoT
- SCADA
Wireless
- WPA3
- Authentication protocols
- Site surveys
Mobile Solutions
- MDM
- MAM
- BYOD
- COPE
- CYOD
Deployment Models
- BYOD
- Corporate-owned
- VDI
Connection Methods
- Cellular
- WiFi
- Bluetooth
- NFC
- Satellite
- USB
WPA3-Enterprise (802.1X with EAP-TLS, i.e. certificate-based authentication) is the strongest choice for corporate wireless. WPA3-Personal replaces the WPA2 pre-shared-key handshake, which could be captured and attacked offline with a dictionary, with SAE, which resists that attack.
Which wireless security protocol provides the strongest protection?
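Secure baselines only help if something checks the running configuration against them, and the subtle failures are in how the target parses its config: a directive that is commented out falls back to a default, and in sshd the first occurrence of a directive wins, not the last. The block below is an added example written for this page, not CompTIA's or OpenSSH's code. The sshd_config excerpt is constructed with deliberate drift; the baseline values are the editor's choice, and the DEFAULTS table reflects OpenSSH's documented defaults for those five directives:

```python
from typing import Dict, List, Tuple

# Constructed /etc/ssh/sshd_config excerpt with deliberate drift from the baseline.
SSHD_CONFIG = """\
# constructed example, not a real host's file
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 10
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

# Required values (directive -> value). Numeric entries are treated as maximums.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# OpenSSH's documented defaults when a directive is absent: a missing line is
# not a pass, it means the default applies.
DEFAULTS: Dict[str, str] = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}


def effective_config(text: str) -> Dict[str, str]:
    """Parse the global section the way sshd does: comments and blank lines
    ignored, directive names case-insensitive, the FIRST occurrence of a
    directive wins, and everything after the first Match line is conditional
    (stopped at here; audit Match blocks separately)."""
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        found.setdefault(key, value)
    return found


def check_baseline(text: str) -> List[Tuple[str, str, str]]:
    """Return (directive, expected, effective) for every deviation."""
    cfg = effective_config(text)
    findings = []
    for directive, expected in BASELINE.items():
        actual = cfg.get(directive.lower(), DEFAULTS[directive])
        if expected.isdigit() and actual.isdigit():
            ok = int(actual) <= int(expected)
        else:
            ok = actual.lower() == expected.lower()
        if not ok:
            findings.append((directive, expected, actual))
    return findings


if __name__ == "__main__":
    for directive, expected, actual in check_baseline(SSHD_CONFIG):
        print(f"DRIFT {directive}: expected {expected}, effective {actual}")
```

Three findings come out of the constructed file: root login is effectively `yes` because the compliant line comes second, password authentication is effectively `yes` because the only setting is commented out, and MaxAuthTries is above the ceiling. A naive grep for `PermitRootLogin no` would have passed this host.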
Asset Types
- Hardware
- Software
- Data
Assignment/Accounting
- Ownership
- Classification
- Tracking
Acquisition/Procurement
- Vendor assessment
- Supply chain
Monitoring/Tracking
- Inventory
- Enumeration
Disposal/Decommissioning
- Sanitization methods
- Certificate of destruction
- Data retention
Asset management is foundational. You can't protect what you don't know you have.
Before disposing of old hard drives, what should be performed?
Identification Methods
- Vulnerability scans
- Penetration testing
- Static/Dynamic analysis
- Bug bounty
- Threat feeds
Analysis
- CVE
- CVSS
- Prioritization
- Attack surface
Remediation
- Patching
- Configuration changes
- Compensating controls
Validation
- Rescanning
- Audit
- Verification
Reporting
- Stakeholder communication
- Documentation
CVSS base scores range 0.0-10.0: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0. Prioritize by risk, not score alone: a 7.5 on an internet-facing server with a public exploit outranks a 9.8 on an isolated host with no network path to it.
A vulnerability with a CVSS score of 9.5 should be classified as?
Monitoring
- Log aggregation
- SIEM
- SOAR
- Alerting
- Scan/query
Tools
- Vulnerability scanners
- SCAP
- Protocol analyzers
- NetFlow
- SNMP
Log Sources
- Firewall
- IDS/IPS
- Endpoint
- Application
- Network
- Operating system
Alerting
- Automated response
- Escalation
- Benchmarks
SIEM correlates logs; SOAR automates response. Together they speed up incident handling.
Which tool would automate the response to detected security incidents?
Firewall
- Rules
- WAF
- ACLs
- Zones
IDS/IPS
- Signatures
- Trending
- Alerting
Web Filtering
- Categories
- Block pages
- Reputation
Email Security
- Gateway
- DMARC
- DKIM
- SPF
DLP
- Network
- Endpoint
- Cloud
EDR/XDR
- Agents
- Detection
- Response
NAC
- Host health
- Remediation
- Posture
SPF, DKIM and DMARC work together for email authentication. SPF = a DNS TXT record listing the IPs allowed to send for a domain (checked against the envelope sender). DKIM = a signature over selected headers and the body, verified with a public key published in DNS. DMARC = the domain owner's policy (none/quarantine/reject) for mail where neither SPF nor DKIM passes AND aligns with the visible From: domain, plus reporting.
Which email security technology validates the sender domain?
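The three email authentication mechanisms fit together as a decision: SPF and DKIM each produce a result, DMARC asks whether a passing result is aligned with the From: domain and otherwise applies the policy. The block below is an added example for this page, not CompTIA's or any mail gateway's code. The SPF and DMARC records are constructed (no DNS lookups are performed; a real verifier would fetch them from `example.com` and `_dmarc.example.com`), only the ip4/ip6/all mechanisms are implemented, and the organizational-domain helper takes the last two labels as a stated simplification of the Public Suffix List:

```python
import ipaddress
from typing import Dict

# Constructed DNS records for example.com (no real lookups are made).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"
DMARC_RECORD = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.com"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Walk the SPF mechanisms left to right; the first match decides.
    Only ip4/ip6/all are handled, enough for a flat record; include/a/mx/
    exists need DNS and are reported as temperror here."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mech == "all":
            return QUALIFIER_RESULT[qualifier]
        else:
            return "temperror"
    return "neutral"   # nothing matched and no 'all' term present


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Assumption for the demo: organizational domain = last two labels.
    Production code must use the Public Suffix List (co.uk and friends)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """DMARC alignment: strict (s) needs an exact match with the From: domain,
    relaxed (r) accepts any subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def dmarc_disposition(tags: Dict[str, str], header_from: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with the
    visible From: domain; otherwise the domain owner's p= policy applies."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    policy = parse_dmarc(DMARC_RECORD)
    # Legitimate bulk mail: envelope sender bounce.example.com, relaxed SPF alignment.
    spf = evaluate_spf(SPF_RECORD, "192.0.2.77")
    print(spf, dmarc_disposition(policy, "example.com", spf, "bounce.example.com", "none", ""))
    # Spoof from an unlisted IP with no DKIM signature: policy says reject.
    spf = evaluate_spf(SPF_RECORD, "203.0.113.9")
    print(spf, dmarc_disposition(policy, "example.com", spf, "example.com", "none", ""))
```

The alignment step is what SPF and DKIM alone lack: an attacker can pass SPF for a domain they own while displaying your domain in From:, and only DMARC ties the authenticated identifier to the address the recipient actually sees.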
Provisioning
- Onboarding
- Offboarding
- Identity proofing
Permission Concepts
- Least privilege
- Just-in-time
- Separation of duties
Roles and Policies
- RBAC
- Attribute-based
- Mandatory
- Discretionary
AAA
- Authentication methods
- MFA
- SSO
- Federation
Access Controls
- Conditional
- Time-based
- Location-based
Account Types
- User
- Service
- Shared
- Guest
- Privileged
Separation of duties = no single person can complete a critical task. Prevents fraud.
Requiring two employees to approve large financial transactions is an example of?
Use Cases
- User provisioning
- Guard rails
- Security groups
- Ticket creation
- Escalation
- Secure resource development
Benefits
- Efficiency
- Time savings
- Consistency
- Workforce multiplier
Considerations
- Complexity
- Cost
- Single point of failure
- Technical debt
- Support
Automation reduces human error and speeds response. But test thoroughly - bugs scale too!
Automatically creating firewall rules when new servers are deployed is an example of?
Process
- Preparation
- Detection
- Analysis
- Containment
- Eradication
- Recovery
- Lessons learned
Training
- Tabletop exercises
- Simulations
Testing
- Walkthrough
- Simulation
Root Cause Analysis
- 5 Whys
- Fishbone diagram
Threat Hunting
- IoCs
- Advisories
- Intelligence fusion
Digital Forensics
- Legal hold
- Chain of custody
- Acquisition
- Reporting
- Preservation
- E-discovery
IR order: Preparation → Detection → Analysis → Containment → Eradication → Recovery → Lessons.
After containing an incident, what is the NEXT step in the incident response process?
Log Data
- Firewall
- Application
- Endpoint
- Network
- OS
- IDS/IPS
Data Sources
- Metadata
- Vulnerability scans
- Automated reports
- Dashboards
- Packet captures
Context
- Threat feeds
- OSINT
- Intelligence sharing
Logs are your best friend in investigations. Centralize them in a SIEM.
To determine the source of a network attack, which logs would be MOST useful?
Domain 5: Security Program Management and Oversight
Policies
- AUP
- Information security
- Business continuity
- Disaster recovery
- Incident response
- SDLC
- Change management
Standards
- Password
- Access control
- Physical security
- Encryption
Procedures
- Change management
- Onboarding/offboarding
- Playbooks
Guidelines
- Best practices
- Recommendations
Governance Structures
- Boards
- Committees
- Centralized vs decentralized
Roles
- CISO
- Data owner
- Data custodian
- Data controller
- Data processor
Policy = what; Procedure = how; Standard = specific requirement; Guideline = recommendation.
Which document provides mandatory requirements that must be followed?
Risk Identification
- Ad hoc
- Recurring
- One-time
- Continuous
Risk Assessment
- Qualitative
- Quantitative
- SLE
- ALE
- ARO
- Impact
- Likelihood
Risk Analysis
- Risk register
- Risk matrix
- Risk heat map
Risk Handling
- Transfer
- Accept
- Avoid
- Mitigate
Risk Monitoring
- KPIs
- KRIs
- Reporting
Risk formulas: SLE = AV × EF; ALE = SLE × ARO. Worked example: a $100,000 server (AV) with a 25% exposure factor gives SLE = $25,000; if the event is expected once every five years (ARO = 0.2), ALE = $5,000 per year, which is the most it makes sense to spend annually on a control that eliminates that risk. Know these for the exam!
Purchasing cyber insurance is an example of which risk handling strategy?
Vendor Assessment
- Penetration testing
- Audit results
- Financial stability
- Right to audit
Supply Chain
- Hardware manufacturers
- Software vendors
- Service providers
Questionnaires
- Security assessments
- Due diligence
Agreement Types
- SLA
- MOA
- MOU
- MSA
- NDA
- BPA
SLA = specific metrics and penalties. MOU = general understanding (less formal than contract).
Which agreement type would specify required uptime percentages and response times?
Compliance Reporting
- Internal
- External
- Due diligence
- Due care
Regulations
- GDPR
- HIPAA
- PCI-DSS
- SOX
Standards
- ISO 27001
- NIST CSF
- NIST 800-53
- CIS
Consequences
- Fines
- Reputation
- Legal
- License revocation
Monitoring
- Internal audit
- External audit
- Attestation
GDPR = EU data privacy (applies to anyone processing EU residents' data, wherever the organization sits). HIPAA = US healthcare (PHI). PCI-DSS = payment card data (an industry standard enforced by contract, not a law). SOX = financial reporting controls for US public companies. Know the scope of each.
Which regulation specifically protects the privacy of EU residents?
Organizational Privacy
- Data minimization
- Purpose limitation
- Consent
- Privacy by design
Privacy Roles
- Controller
- Processor
- Owner
- Steward
- Custodian
Data Types
- PII
- PHI
- Sensitive
- Proprietary
Privacy Concepts
- Right to be forgotten
- Data portability
- Breach notification
Data Lifecycle
- Collection
- Processing
- Storage
- Retention
- Disposal
Data minimization = collect only what you need. It's a core privacy principle.
Collecting only the information necessary for a specific purpose is called?
Phishing Campaigns
- Simulations
- Testing
- Reporting
Anomalous Behavior
- Reporting
- Monitoring
User Guidance
- Password management
- Social engineering
- Physical security
- Operational security
Training
- Role-based
- Recurring
- Development
Reporting
- Initial
- Recurring
- Executive
Security awareness training should be ongoing, not just annual. Test with phishing simulations.
The BEST way to test employee awareness of phishing is to?