Understanding General Security Concepts for CompTIA Security+

Jewels WolterJewels Wolter
7 min read

Table of contents

Diary Entry 001: Security+ Domain 1

Hello everyone, and welcome to The Analyst Diaries, a college student’s blog into all things cybersecurity! I am currently preparing to take my CompTIA Security+ and wanted to share what I have been learning here in hopes of making the information a whole lot more approachable, digestible, and (hopefully) helpful to those of y’all like me, just diving into the field!

What to Expect

This post is packed with quick definitions and simple breakdowns of tricky concepts. I’ve included infographics, diagrams, and helpful visuals to make everything easier to digest. Whether you’re just getting started or brushing up for the exam, I hope this helps make domain 1 feel a little less overwhelming!

The CompTIA Security+ covers 5 domains:

  • General Security Concepts (12%)

  • Threats, Vulnerabilities, and Mitigations (22%)

  • Security Architecture (18%)

  • Security Operations (28%)

  • Security Program Management and Oversight (20%)

This article will be covering the first (General Security Concepts)! Though domain 1 only makes up 12% of the exam, the information contained within is fundamental to the understanding of any higher level security concepts. Domain 1 focuses on four main areas:

  • Security Controls

  • Fundamental Concepts

  • Change Management

  • Cryptographic Solutions

Over the next few sections, I’ll break down what I’ve learned during my Security+ prep. These are the foundation and building blocks for later domains, so my goal is to really understand them— and help you do the same!

So grab your coffee and lets get started!

Content

Security Controls

A security control is something that is put in place by an organization to reduce risk and safeguard assets. In the ‘Security+ (V7) Exam Objectives Summary’ the broad term of security controls can be broken down by function and type.

Below are types of security controls which define how they are implemented:

infographic of the different security control types

Security controls can also be broken down by function which defines what they do:

infographic of the different security control functions

Fundamental Concepts

The exam objectives also list some fundamental concepts to be familiar with, below are summaries of each of those terms:

CIA Triad:

  • non-repudiation: assurance that someone cannot deny the validity of something. A service that is maintained so that a sender and recipient cannot deny having participated in the communication

  • zero-trust: paradigm shift from traditional perimeter-based security, ensures a system does not automatically trust any user device or network component, regardless of it’s location

  • deception/disruption technology:

    • honeypot: computer or host is set up specifically to become a target of attacks

    • honeyfiles: similar to a honeypot but applies to individual files

    • honeynet: network setup intentionally for attack, an entire infrastructure to lure hackers

AAA:

Change Management

Moving onto change management, a super important concept to be aware of in any line of business. The term change management refers to business and IT processes in place that ensures all changes are planned, tested, documented, approved, and communicated before being implemented, and reflected on after.

The change management process, specifically business processes impacting security operations have a few key terms:

  • Approval Process: the formal workflow used to review, evaluate, and authorize a a change, including the approval chain and ticket details (notification process, change collisions, SOP)

    • is this process manual or automated?

  • Ownership/ Key Stakeholders: people involved in the review and approval process, often affected by or have interest in the change, these people will receive continuous updates

  • Impact Analysis: a structured assessment of how a change will affect systems, users, security, compliance, and business operations, identifies best and worst case

  • Test Results: the documented outcomes of testing the change in a test environment when possible, define rollback procedures

  • Maintenance Window: a scheduled, acceptable time to perform maintenance, notification, rollback, validation, and success criteria

  • Standard Operating Procedures (SOPs): set of standardized directions (how tasks are accomplished, what things are to be upgraded, how issues are handled, approval and escalation procedures, services, platforms, and environments impacted)

Some technical implications in the change management process are:

  • Allow/Deny List

  • Restricted Activities

  • Downtime (planned or unplanned)

  • Service/App Restart

  • Legacy Applications

  • Dependencies

Documenting the change is also imperative to ensure access to references and lessons learned during future changes. Updating diagrams, policies, and procedures could be aspects of documenting the change.

Version control is another key topic which refers to the tracked changes of coded in a database. Version control tools enable quick rollback, identification of who was in charge of the change, collaboration and code review among teams, and are typically annotated by revision number for easy reference.

  • examples of version control tools: Git, GitHub (here’s mine ;)), GitLab, Bitbucket, Ansible, Puppet, Chef

Cryptographic Solutions

The last topic covered in domain one of the Security+ exam is Cryptographic Solutions. This was one that I struggled with a little bit more on my understanding, but am getting the hang of it!

The idea of encryption lays the groundwork for some of the more advanced topics. Since encryption is everywhere, it can work for or against us. Encryption refers to the process of converting plaintext into ciphertext to protect data from unauthorized access.

Before diving deep into encryption, we must first discuss Public Key Infrastructure (PKI). PKI is a system that manages digital certificates and public-private key pairs to enable secure communication and authentication. Consisting of:

  • Certificate Authority (CA): issues and verifies digital certificates, our browsers trust this authority to assume the validity of the certificate is valid

    • Certificate Revocation List (CRL): (exactly what it sounds like) a list of websites that have had their certificate revoked

    • Certificate Signing Request (CSR): how an applicant applies to the CA for a digital certificate

  • Public/Private Keys: used for encryption, decryption, and signing

  • Digital Certificates: tie public keys to identities

  • Key Escrow: trusted third party that holds the keys needed to decrypt data

Information can be encrypted via two different algorithms:

Symmetric and asymmetric encryption both have their respective pros and cons and each have different use cases based on their strengths.

  • Symmetric: faster, bulk encryption, less secure, must manage keys

    • transport layer security (TLS), secure communication, mass IP encryption, VPNs, file sharing

  • Asymmetric: enhanced security, transparency, slow processing, can lose a private key

    • cryptocurrencies, extremely confidential message sharing

There are other ways to make data more difficult to access, through the use of obfuscation and hashing.

  • Obfuscation: a technique used to hide information in plain sight, not truly encryption

    • steganography: hiding information within an image

  • Hashing: converts data into a fixed-size, unique string (hash value)

    • a mathematical algorithm is applied to a file before and after transmission and if anything changes within the file, the hash will be completely different

Our last term to cover today is the blockchain, which refers to the immutable, decentralized digital open public ledger that is distributed around a network of many computers. The blockchain provides trust and transparency and is transfer resistant. Blocks in the blockchain contain the data, hash, and hash of previous block.

Resources

If you’re studying for the Security+ Exam, I highly recommend the following resources, they have been invaluable in my learning and creating this post!

  • Professor Messer YouTube Videos (https://www.youtube.com/professormesser)

    • great resource to get familiar with the material, I listened to these in the car, on walks, and really at every chance I could! (plus they are free)

  • PluralSight CompTIA Security+ (https://app.pluralsight.com/paths/certificate/comptia-security-sy0-701)

    • unfortunately it is a paid resource, but the labs and information coverage was great! I watched each module and took extensive notes. I am just getting into the labs now, but they have been great so far (I’ll keep y’all updated)

Final Thoughts and Additional Considerations

In my review of the CompTIA Security+ material, there were some more terms that came up that may be worth looking over if you, too, are studying for the exam.

  • Key Stretching (PBKDF2, Derived Key)

  • Salting

  • IP Address Masking/Data Masking

  • Tokenization (High Value vs Low Value Token)

  • Tools (Trusted Platform Module, Hardware Security Module, Secure Enclave)

  • Key Exchange, Out-of-Band and In-Band

  • Gap Analysis

  • Threat Types (Script Kiddies, Hacktivists, Organized Crime, Nation States, Insiders)

Thank you so much for coming along with me on my exploration into all things ‘General Security Concepts’ for the CompTIA Security+ Exam. I hope that this was helpful and that you learned something new!

I am super excited to continue to learn more about the world of cybersecurity and continue to share it on this blog: The Analyst Diaries.

Until next time,

Jewels from The Analyst Diaries :)

0
Subscribe to my newsletter

Read articles from Jewels Wolter directly inside your inbox. Subscribe to the newsletter, and don't miss out.

theanalystdiariescomptia security+#cybersecuritySecuritytraining

Written by

Jewels Wolter
Jewels Wolter

Hi! I’m Jewels, a passionate cybersecurity enthusiast and aspiring SOC analyst. I’m currently building hands-on experience through a home cybersecurity lab where my goal is to simulate real-world attacks and monitor them using SIEM tools like Wazuh and Splunk. I’m also working toward industry certifications like the CompTIA Security+. This is my personal space to share what I’m learning, whether it’s setting up virtual environments, analyzing security alerts, or exploring defense strategies. My goal is to document my journey so that others new to cybersecurity can follow along and learn with me! If you’re interested in practical tips, lab walkthroughs, and foundational SOC skills, you’re in the right place. Feel free to reach out or follow along as I grow my skills and prepare for a career protecting digital systems.