What should be on a CompTIA Security+ cheat sheet?
A Security+ cheat sheet should cover cryptographic algorithms and key lengths (AES-128/256, RSA-2048, SHA-256/512), common port numbers for security protocols (443 HTTPS, 22 SSH, 3389 RDP, 1433 SQL), attack type definitions, the CIA triad, authentication factor types, PKI components, and the incident response lifecycle stages. Condense this to one or two pages and review daily in the final two weeks before the exam.
The CompTIA Security+ SY0-701 exam tests a broad range of cybersecurity concepts across five domains. While the exam emphasizes scenario-based application rather than pure memorization, a significant portion of questions require rapid recall of specific terms, algorithms, protocols, and process sequences. A well-organized cheat sheet serves as the final-stage compression tool that keeps these high-frequency facts accessible until exam day.
This cheat sheet compilation covers the most commonly tested concepts organized by domain. It is designed to be printed or saved as a reference for the last two to three weeks of exam preparation.
Domain 1: General Security Concepts
Cryptography Quick Reference
| Algorithm | Type | Key Size | Use Case |
|---|---|---|---|
| AES | Symmetric, block | 128, 192, 256 bit | Data encryption, TLS |
| 3DES | Symmetric, block | 168 bit (effective) | Legacy systems |
| ChaCha20 | Symmetric, stream | 256 bit | Mobile TLS |
| RSA | Asymmetric | 2048+ bit | Key exchange, digital signatures |
| ECC | Asymmetric | 256+ bit (shorter than RSA) | Mobile, IoT certificates |
| Diffie-Hellman | Key exchange | Variable | Session key establishment |
| SHA-256 | Hash | 256-bit output | File integrity, digital signatures |
| SHA-512 | Hash | 512-bit output | High-security hashing |
| MD5 | Hash (weak) | 128-bit output | Legacy, not for security use |
| HMAC | MAC (keyed hash) | Variable | Message authentication |
| bcrypt | Password hash | Variable | Password storage |
- Symmetric -- same key encrypts and decrypts; fast; used for bulk data
- Asymmetric -- public key encrypts, private key decrypts (or vice versa for signatures); slow; used for key exchange and authentication
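The table lists SHA-256, HMAC and bcrypt side by side; the distinction it does not spell out is that a bare hash gives integrity only, a keyed MAC gives integrity plus authenticity, and a password hash needs a salt and a slow function. The following added example (not from the page) shows all three with only the Python standard library; the message, key and PBKDF2 stand-in for bcrypt are assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed shared secret, standing in for a key agreed via Diffie-Hellman or RSA.
SECRET_KEY = b"shared-secret-from-key-exchange"


def sha256_tag(message: bytes) -> str:
    """Unkeyed hash: anyone who can alter the message can recompute this."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256): recomputing it requires the secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_check_hash(packet: dict) -> bool:
    return sha256_tag(packet["msg"]) == packet["tag"]


def receiver_check_mac(packet: dict) -> bool:
    # compare_digest avoids a timing side channel on where the tags first differ.
    return hmac.compare_digest(hmac_tag(SECRET_KEY, packet["msg"]), packet["tag"])


def tamper_demo() -> tuple:
    """An on-path party rewrites the message. It can recompute the hash but
    not the MAC, so only the MAC-protected packet is rejected."""
    original = b"transfer 100 to account 42"
    mac_packet = {"msg": original, "tag": hmac_tag(SECRET_KEY, original)}
    tampered = b"transfer 900 to account 42"
    hash_packet = {"msg": tampered, "tag": sha256_tag(tampered)}   # forged hash
    mac_packet = {"msg": tampered, "tag": mac_packet["tag"]}       # old MAC kept
    return receiver_check_hash(hash_packet), receiver_check_mac(mac_packet)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted, deliberately slow password hash. PBKDF2-HMAC-SHA256 is used here
    as a stdlib stand-in for bcrypt; the iteration count is an assumption."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], stored)
```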
Authentication Factor Types
| Factor Type | Examples |
|---|---|
| Something you know | Password, PIN, security question |
| Something you have | Hardware token, smart card, OTP app |
| Something you are | Fingerprint, face scan, retina |
| Somewhere you are | GPS location, IP geolocation |
| Something you do | Typing cadence, gait analysis |
"The Security+ exam frequently tests candidates on the correct classification of authentication factors. Know not just the three primary types but also the 'somewhere you are' and 'something you do' categories that appear in SY0-701." -- CompTIA Security+ instructor guidance
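The classification question the exam asks is usually whether a login flow is truly multi-factor: two methods from the same row of the table (password plus security question) are still single-factor. This added example (not from the page) encodes the table and makes that check; the method vocabulary is a constructed one, and all five table rows are treated as distinct factor types.

```python
# Method-to-category map built from the table above (constructed vocabulary).
FACTOR_OF = {
    "password": "know", "pin": "know", "security question": "know",
    "hardware token": "have", "smart card": "have", "otp app": "have",
    "fingerprint": "are", "face scan": "are", "retina": "are",
    "gps location": "where", "ip geolocation": "where",
    "typing cadence": "do", "gait analysis": "do",
}


def classify(methods):
    """Return the set of distinct factor categories used by a login flow.
    An unknown method raises rather than being silently counted as a factor."""
    categories = set()
    for method in methods:
        key = method.strip().lower()
        if key not in FACTOR_OF:
            raise ValueError(f"unknown authentication method: {method!r}")
        categories.add(FACTOR_OF[key])
    return categories


def is_multi_factor(methods) -> bool:
    """True only when at least two *different* categories are combined."""
    return len(classify(methods)) >= 2


def assessment(methods):
    """Label the flow and list the categories it uses, e.g. ('two-factor', ['have', 'know'])."""
    categories = classify(methods)
    label = {1: "single-factor", 2: "two-factor"}.get(len(categories), "multi-factor")
    return label, sorted(categories)
```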
Domain 2: Threats, Vulnerabilities, and Mitigations
Common Attack Types
Phishing variants:
- Phishing -- mass email impersonating trusted sender
- Spear phishing -- targeted phishing against specific individual
- Whaling -- spear phishing targeting executives
- Vishing -- voice call phishing
- Smishing -- SMS text phishing
Malware types:
- Ransomware -- encrypts data, demands payment for key
- Trojan -- malicious software disguised as legitimate
- Worm -- self-replicating, spreads without user action
- Rootkit -- hides in OS, maintains persistent access
- Keylogger -- records keystrokes
- Spyware -- collects data without consent
- Adware -- displays unwanted advertising
- Fileless malware -- runs in memory, no disk footprint
- Logic bomb -- activates on specific trigger condition
- Backdoor -- unauthorized remote access mechanism
Network attacks:
- DDoS -- Distributed Denial of Service, overwhelms target
- Man-in-the-Middle (MitM) -- intercepts traffic between two parties
- ARP poisoning -- associates attacker MAC with victim IP
- DNS poisoning -- injects false DNS records
- SQL injection -- malicious SQL in application input
- XSS (Cross-site scripting) -- injects scripts into web pages
- CSRF (Cross-site request forgery) -- tricks browser into unauthorized requests
- Buffer overflow -- writes beyond memory bounds to execute code
Domain 3: Security Architecture
Common Ports and Protocols
| Port | Protocol | Secure Version |
|---|---|---|
| 21 | FTP | SFTP (22) or FTPS (990) |
| 22 | SSH / SFTP | N/A (already secure) |
| 23 | Telnet | SSH (22) |
| 25 | SMTP | SMTPS (465) or STARTTLS (587) |
| 53 | DNS | DNS over HTTPS (443) |
| 80 | HTTP | HTTPS (443) |
| 110 | POP3 | POP3S (995) |
| 143 | IMAP | IMAPS (993) |
| 389 | LDAP | LDAPS (636) |
| 443 | HTTPS / TLS | N/A |
| 445 | SMB | N/A (use only on trusted networks) |
| 1433 | MSSQL | TLS enabled MSSQL |
| 3306 | MySQL | TLS enabled MySQL |
| 3389 | RDP | TLS, NLA required |
Security Control Types
By function:
- Preventive -- prevents incident (firewall, access control)
- Detective -- detects incident (IDS, logging, SIEM)
- Corrective -- corrects after incident (patch, restore from backup)
- Deterrent -- discourages attack (warning banners, cameras)
- Compensating -- substitute when primary control unavailable
By implementation:
- Technical -- software/hardware controls (encryption, firewalls)
- Administrative -- policies and procedures (training, background checks)
- Physical -- physical barriers (locks, badges, guards)
Domain 4: Security Operations
Incident Response Lifecycle (NIST)
- Preparation -- policies, tools, training in place before incident
- Detection and Analysis -- identify and characterize the incident
- Containment -- limit spread; short-term and long-term containment
- Eradication -- remove threat from environment
- Recovery -- restore systems to normal operation
- Post-Incident Activity -- lessons learned, documentation update
Alternate framework (SANS PICERL): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
"The SY0-701 exam tests incident response phases in order and sometimes asks which phase a specific action belongs to. Both NIST and SANS frameworks appear. Know both sequences." -- Security+ preparation course guidance
Log Types for Security Monitoring
| Log Type | What It Records | Primary Use |
|---|---|---|
| Authentication logs | Login attempts, failures, MFA events | Account compromise detection |
| Firewall logs | Allow/deny decisions, traffic flows | Network threat detection |
| DNS logs | Domain resolution queries | C2 communication detection |
| Application logs | Application events, errors | Application attack detection |
| System logs | OS events, startup, shutdown | System compromise detection |
| DHCP logs | IP address assignments | Asset tracking, rogue device detection |
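The first row of the table, authentication logs used for account compromise detection, is the one most worth seeing in practice. This added example (not from the page) runs simple detection logic over constructed sshd-style log lines: a burst of failures from one source is flagged as brute force, and a success that follows such a burst is flagged as a likely compromise. The log lines, hostnames, addresses and threshold are all constructed.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log lines (not a real capture); addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 10 09:00:01 web1 sshd[2001]: Failed password for admin from 203.0.113.7 port 50210 ssh2
Mar 10 09:00:03 web1 sshd[2001]: Failed password for admin from 203.0.113.7 port 50211 ssh2
Mar 10 09:00:05 web1 sshd[2001]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 10 09:00:06 web1 sshd[2001]: Failed password for admin from 203.0.113.7 port 50213 ssh2
Mar 10 09:00:08 web1 sshd[2001]: Failed password for admin from 203.0.113.7 port 50214 ssh2
Mar 10 09:00:09 web1 sshd[2001]: Accepted password for admin from 203.0.113.7 port 50215 ssh2
Mar 10 09:01:00 web1 sshd[2002]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 10 09:01:30 web1 sshd[2002]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Captures outcome, user and source address from the common sshd message formats.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+)"
)


def analyse_auth_log(text: str, threshold: int = 5):
    """Return findings as (kind, source_ip, user) tuples in the order they occur.
    'brute_force' fires once when a source reaches `threshold` consecutive failures;
    'success_after_failures' fires when a login succeeds after such a burst."""
    failures = defaultdict(int)
    findings = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue                      # not an auth outcome line
        outcome, user, ip = match.groups()
        if outcome == "Failed":
            failures[ip] += 1
            if failures[ip] == threshold:
                findings.append(("brute_force", ip, user))
        else:
            if failures[ip] >= threshold:
                findings.append(("success_after_failures", ip, user))
            failures[ip] = 0              # a success resets the counter for that source
    return findings
```

A single failure followed by a success, as for alice above, produces no finding; only the counted burst from 203.0.113.7 does.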
Domain 5: Security Program Management
Risk Concepts
- Risk = Threat x Vulnerability x Impact
- Inherent risk -- risk before controls are applied
- Residual risk -- risk remaining after controls are applied
- Risk appetite -- amount of risk organization will accept
- Risk tolerance -- acceptable deviation from risk appetite
Risk response strategies:
- Mitigate -- implement controls to reduce risk
- Accept -- acknowledge risk, take no additional action
- Transfer -- shift risk to third party (insurance, vendor)
- Avoid -- eliminate the activity that creates the risk
Key Compliance Frameworks
| Framework | Applicability | Key Requirement |
|---|---|---|
| PCI DSS | Payment card data | Cardholder data environment controls |
| HIPAA | Healthcare (US) | PHI protection and breach notification |
| GDPR | EU personal data | Data subject rights, breach notification |
| SOC 2 | Service organizations | Trust service criteria (security, availability) |
| NIST CSF | General US | Identify, Protect, Detect, Respond, Recover |
| ISO 27001 | International | ISMS implementation and certification |
High-Frequency Exam Terms
CIA Triad:
- Confidentiality -- only authorized parties can access data
- Integrity -- data has not been altered without authorization
- Availability -- systems and data are accessible when needed
AAA (Authentication, Authorization, Accounting):
- Authentication -- verify identity (who are you?)
- Authorization -- verify permissions (what can you do?)
- Accounting -- record actions (what did you do?)
PKI Components:
- CA (Certificate Authority) -- issues digital certificates
- RA (Registration Authority) -- validates certificate requests
- CRL (Certificate Revocation List) -- list of revoked certificates
- OCSP -- real-time certificate status checking protocol
- CSR (Certificate Signing Request) -- request sent to CA
Frequently Asked Questions
How many acronyms does the Security+ exam test? The SY0-701 exam tests hundreds of acronyms and abbreviations across all domains. The exam does not provide a glossary. Candidates who are not fluent with security acronyms spend valuable time on terminology recognition that slows their overall exam pace. Flashcard systems like Anki are the most efficient tool for acronym memorization.
What formulas appear on the Security+ exam? Security+ is not a heavily formula-based exam compared to certifications like Project Management Professional or AWS certifications. However, basic cryptographic key length comparisons, risk calculation concepts (risk = threat x vulnerability x impact), and recovery time metrics (RTO, RPO) may appear in scenario questions.
Can I bring a cheat sheet into the exam? No. CompTIA exams are proctored and candidates cannot bring any external materials, including handwritten notes or printed reference sheets. The value of a cheat sheet is in the process of creating and reviewing it before the exam, not in having it available during the exam.
References
- CompTIA. (2024). Security+ SY0-701 Exam Objectives. CompTIA. https://www.comptia.org/certifications/security
- National Institute of Standards and Technology. (2012). Computer Security Incident Handling Guide (SP 800-61r2). NIST. https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
- SANS Institute. (2024). Incident Response Reference. https://www.sans.org/score/incident-forms/
- Internet Assigned Numbers Authority. (2024). Service Name and Transport Protocol Port Number Registry. https://www.iana.org/assignments/service-names-port-numbers/
- National Institute of Standards and Technology. (2018). Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF). https://www.nist.gov/cyberframework
- Chapple, M., and Seidl, D. (2023). CompTIA Security+ Study Guide: Exam SY0-701. Sybex/Wiley.
