Understanding General Security Concepts for CompTIA Security+


Diary Entry 001: Security+ Domain 1
Hello everyone, and welcome to The Analyst Diaries, a college student’s blog into all things cybersecurity! I am currently preparing to take my CompTIA Security+ and wanted to share what I have been learning here in hopes of making the information a whole lot more approachable, digestible, and (hopefully) helpful to those of y’all like me, just diving into the field!
What to Expect
This post is packed with quick definitions and simple breakdowns of tricky concepts. I’ve included infographics, diagrams, and helpful visuals to make everything easier to digest. Whether you’re just getting started or brushing up for the exam, I hope this helps make domain 1 feel a little less overwhelming!
The CompTIA Security+ covers 5 domains:
General Security Concepts (12%)
Threats, Vulnerabilities, and Mitigations (22%)
Security Architecture (18%)
Security Operations (28%)
Security Program Management and Oversight (20%)
This article will be covering the first (General Security Concepts)! Though domain 1 only makes up 12% of the exam, the information contained within is fundamental to the understanding of any higher level security concepts. Domain 1 focuses on four main areas:
Security Controls
Fundamental Concepts
Change Management
Cryptographic Solutions
Over the next few sections, I’ll break down what I’ve learned during my Security+ prep. These are the foundation and building blocks for later domains, so my goal is to really understand them— and help you do the same!
So grab your coffee and let's get started!
Content
Security Controls
A security control is something that is put in place by an organization to reduce risk and safeguard assets. In the ‘Security+ (V7) Exam Objectives Summary’, the broad term security controls is broken down by function and by type.
Below are types of security controls which define how they are implemented:
Security controls can also be broken down by function which defines what they do:
Fundamental Concepts
The exam objectives also list some fundamental concepts to be familiar with, below are summaries of each of those terms:
CIA Triad:
non-repudiation: assurance that someone cannot deny the validity of something. A service that is maintained so that a sender and recipient cannot deny having participated in the communication
zero-trust: a paradigm shift from traditional perimeter-based security; ensures a system does not automatically trust any user, device, or network component, regardless of its location
deception/disruption technology:
honeypot: a computer or host set up specifically to become a target of attacks
honeyfiles: similar to a honeypot but applies to individual files
honeynet: a network set up intentionally to be attacked, an entire infrastructure to lure hackers
AAA:
Change Management
Moving on to change management, a super important concept to be aware of in any line of business. The term change management refers to the business and IT processes in place that ensure all changes are planned, tested, documented, approved, and communicated before being implemented, and reflected on afterward.
The change management process, specifically the business processes impacting security operations, has a few key terms:
Approval Process: the formal workflow used to review, evaluate, and authorize a change, including the approval chain and ticket details (notification process, change collisions, SOP)
- is this process manual or automated?
Ownership/Key Stakeholders: the people involved in the review and approval process; they are often affected by or have an interest in the change, and they will receive continuous updates
Impact Analysis: a structured assessment of how a change will affect systems, users, security, compliance, and business operations, identifying the best and worst cases
Test Results: the documented outcomes of testing the change in a test environment when possible; these also define the rollback procedures
Maintenance Window: a scheduled, acceptable time to perform maintenance, notification, rollback, validation, and success criteria
Standard Operating Procedures (SOPs): set of standardized directions (how tasks are accomplished, what things are to be upgraded, how issues are handled, approval and escalation procedures, services, platforms, and environments impacted)
Some technical implications in the change management process are:
Allow/Deny List
Restricted Activities
Downtime (planned or unplanned)
Service/App Restart
Legacy Applications
Dependencies
Documenting the change is also imperative to ensure access to references and lessons learned during future changes. Updating diagrams, policies, and procedures could be aspects of documenting the change.
Version control is another key topic, which refers to the tracked changes of code in a database. Version control tools enable quick rollback, identification of who was in charge of the change, and collaboration and code review among teams, and changes are typically annotated by revision number for easy reference.
- examples of version control tools: Git, GitHub (here’s mine ;)), GitLab, Bitbucket, Ansible, Puppet, Chef
Cryptographic Solutions
The last topic covered in domain one of the Security+ exam is Cryptographic Solutions. This was one that I struggled with a little bit more on my understanding, but am getting the hang of it!
The idea of encryption lays the groundwork for some of the more advanced topics. Since encryption is everywhere, it can work for or against us. Encryption refers to the process of converting plaintext into ciphertext to protect data from unauthorized access.
Before diving deep into encryption, we must first discuss Public Key Infrastructure (PKI). PKI is a system that manages digital certificates and public-private key pairs to enable secure communication and authentication. It consists of:
Certificate Authority (CA): issues and verifies digital certificates; our browsers trust this authority and therefore assume the certificate is valid
Certificate Revocation List (CRL): (exactly what it sounds like) a list of websites that have had their certificate revoked
Certificate Signing Request (CSR): how an applicant applies to the CA for a digital certificate
Public/Private Keys: used for encryption, decryption, and signing
Digital Certificates: tie public keys to identities
Key Escrow: trusted third party that holds the keys needed to decrypt data
Information can be encrypted using two different types of algorithm:
Symmetric and asymmetric encryption both have their respective pros and cons and each have different use cases based on their strengths.
Symmetric: faster, bulk encryption, less secure, must manage keys
- transport layer security (TLS), secure communication, mass IP encryption, VPNs, file sharing
Asymmetric: enhanced security, transparency, slow processing, can lose a private key
- cryptocurrencies, extremely confidential message sharing
There are other ways to make data more difficult to access, through the use of obfuscation and hashing.
Obfuscation: a technique used to hide information in plain sight, not truly encryption
- steganography: hiding information within an image
Hashing: converts data into a fixed-size, unique string (hash value)
- a mathematical algorithm is applied to a file before and after transmission and if anything changes within the file, the hash will be completely different
Our last term to cover today is the blockchain, which refers to the immutable, decentralized, open public digital ledger that is distributed around a network of many computers. The blockchain provides trust and transparency and is tamper resistant. Blocks in the blockchain contain the data, the block's hash, and the hash of the previous block.
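As an added example (not code from the original post), the two ideas just described put into working Python: the before/after hash check from the Hashing bullet, and a toy blockchain in which each block's hash covers its data plus the previous block's hash, so editing an old block breaks the chain. It assumes a simplified single-machine ledger with no proof of work or peer network; the sample "file" and ledger entries are constructed.

```python
import hashlib
import json

GENESIS_PREV = "0" * 64  # the first block has no predecessor

def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of data as a hex string."""
    return hashlib.sha256(data).hexdigest()

def verify_integrity(received: bytes, expected_hash: str) -> bool:
    """Hash-before/hash-after check: True only if the file is unchanged."""
    return sha256_hex(received) == expected_hash

def block_hash(index: int, data: str, prev_hash: str) -> str:
    # The hash covers the data AND the previous hash; that link is the chain.
    body = json.dumps({"index": index, "data": data, "prev_hash": prev_hash}, sort_keys=True)
    return sha256_hex(body.encode())

def build_chain(entries: list) -> list:
    """Each block stores its data, the previous block's hash, and its own hash."""
    chain, prev = [], GENESIS_PREV
    for i, data in enumerate(entries):
        block = {"index": i, "data": data, "prev_hash": prev, "hash": block_hash(i, data, prev)}
        chain.append(block)
        prev = block["hash"]
    return chain

def chain_is_valid(chain: list) -> bool:
    """Recompute every hash and every link; editing any old block breaks one of them."""
    prev = GENESIS_PREV
    for b in chain:
        if b["prev_hash"] != prev or b["hash"] != block_hash(b["index"], b["data"], b["prev_hash"]):
            return False
        prev = b["hash"]
    return True

if __name__ == "__main__":
    # Constructed sample file: changing one byte produces a completely different hash.
    digest = sha256_hex(b"transfer 100 to account 42")
    print(verify_integrity(b"transfer 100 to account 42", digest))  # True
    print(verify_integrity(b"transfer 900 to account 42", digest))  # False
    ledger = build_chain(["alice pays bob 5", "bob pays carol 2"])
    print(chain_is_valid(ledger))  # True
    ledger[0]["data"] = "alice pays bob 500"  # tamper with an older block
    print(chain_is_valid(ledger))  # False: block 0's hash and block 1's link both fail
```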
Resources
If you’re studying for the Security+ Exam, I highly recommend the following resources; they have been invaluable in my learning and in creating this post!
Professor Messer YouTube Videos (https://www.youtube.com/professormesser)
- great resource to get familiar with the material, I listened to these in the car, on walks, and really at every chance I could! (plus they are free)
PluralSight CompTIA Security+ (https://app.pluralsight.com/paths/certificate/comptia-security-sy0-701)
- unfortunately it is a paid resource, but the labs and information coverage were great! I watched each module and took extensive notes. I am just getting into the labs now, but they have been great so far (I’ll keep y’all updated)
Final Thoughts and Additional Considerations
In my review of the CompTIA Security+ material, there were some more terms that came up that may be worth looking over if you, too, are studying for the exam.
Key Stretching (PBKDF2, Derived Key)
Salting
IP Address Masking/Data Masking
Tokenization (High Value vs Low Value Token)
Tools (Trusted Platform Module, Hardware Security Module, Secure Enclave)
Key Exchange, Out-of-Band and In-Band
Gap Analysis
Threat Types (Script Kiddies, Hacktivists, Organized Crime, Nation States, Insiders)
Thank you so much for coming along with me on my exploration into all things ‘General Security Concepts’ for the CompTIA Security+ Exam. I hope that this was helpful and that you learned something new!
I am super excited to continue to learn more about the world of cybersecurity and continue to share it on this blog: The Analyst Diaries.
Until next time,
Jewels from The Analyst Diaries :)
Written by

Jewels Wolter
Hi! I’m Jewels, a passionate cybersecurity enthusiast and aspiring SOC analyst. I’m currently building hands-on experience through a home cybersecurity lab where my goal is to simulate real-world attacks and monitor them using SIEM tools like Wazuh and Splunk. I’m also working toward industry certifications like the CompTIA Security+. This is my personal space to share what I’m learning, whether it’s setting up virtual environments, analyzing security alerts, or exploring defense strategies. My goal is to document my journey so that others new to cybersecurity can follow along and learn with me! If you’re interested in practical tips, lab walkthroughs, and foundational SOC skills, you’re in the right place. Feel free to reach out or follow along as I grow my skills and prepare for a career protecting digital systems.