Should Know Items:
Common ports (Dion's study guide) and corresponding services
RAID 0, 1, 5, 6, 10 (differences, benefits, drawbacks)
CI vs Continuous Delivery vs Continuous Deployment
Cloud: IaaS vs PaaS vs SaaS (also MaaS, XaaS, MSP/MSSP, DaaS), edge computing, fog computing, IaC, snowflakes, idempotence
Security tools: Nmap, Wireshark, Nessus, memdump, FTK Imager, etc. (and whether they're open-source or commercial)
CLI tools: ping, tracert/traceroute, nslookup/dig, ipconfig/ifconfig, netstat, cat, grep, etc. (and what command goes with what OS)
Suggest spending time learning more about these in the command line itself and looking at some of the flags with --help
RFC1918 addresses: 10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x
TPM vs HSM vs Pluggable Auth. Module
Social engineering principles: authority, consensus, urgency, etc.
Regulatory frameworks: FISMA, COPPA, FERPA, GLBA, SOX, PCI-DSS, GDPR (at least be able to give a 1 sentence summary of what it is and who it applies to)
Security frameworks: SABSA, COBIT, NIST 800-53, ITIL, CSA CCM, CSA RA, ISO standards (yeah I’m weak on these…)
Quantitative risk assessment vs qualitative risk assessment, SLE, ALE, ARO (ALE = SLE × ARO)
WEP (weak IV, RC4) < WPA (TKIP, MIC, RC4) < WPA2 (AES, CCMP, integrity checking) < WPA3 (enterprise: AES-256, personal: CCMP-128, SAE replaces the PSK handshake, has MFP, has PFS)
Known vs partially known vs unknown environment testing
Active vs passive recon (what’s the difference)
DAC (weakest) vs ABAC vs lattice-based access control (not very common) vs rule-based access control vs RBAC vs MAC (strongest commonly used)
Symmetric vs asymmetric encryption algorithms (and which are block vs stream ciphers)
Digital signatures (whose key is used? sign with the sender's private key, verify with the sender's public key)
Email/message encryption / decryption (whose keys are used where? encrypt with the recipient's public key, decrypt with the recipient's private key)
Vulnerability vs risk vs threat
Physical controls vs technical controls vs administrative controls
Data ownership roles (data owner, steward, custodian, controller, processor) – I’m still weak on these, just can’t untangle them in my head very well
Device deployment models
Authentication (RADIUS, LDAP/S, 802.1X) and EAP (EAP-FAST, PEAP, LEAP) – I’m okay on the authentication technologies and weak on EAP…
Recommend memorizing all the acronyms in the official exam guide (Cram is a free flashcard maker)
Recommend having 1-sentence knowledge of the domain topics/subtopics in the exam guide (duh)
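The two "whose key?" items above (digital signatures and email/message encryption) are easiest to remember by seeing both halves of the exchange in code. The following is an added example written for these notes, not something from the original post or from any product; it builds a small hybrid scheme in the style of S/MIME or PGP using Go's standard library (Ed25519 for the signature, RSA-OAEP to wrap a one-time AES-256-GCM session key). Key generation, the `Party`/`Message` types and the `Seal`/`Open` function names are this example's own assumptions; a real deployment would load keys from a keystore or certificate rather than generate them per run.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one person's key material (hypothetical type for this example).
// Private keys never leave their owner; public keys are what you publish.
type Party struct {
	SignPriv ed25519.PrivateKey // signing: only the owner has this
	SignPub  ed25519.PublicKey  // verifying: anyone may have this
	EncPriv  *rsa.PrivateKey    // decrypting: only the owner has this
	EncPub   *rsa.PublicKey     // encrypting TO this person: anyone may have this
}

// NewParty generates fresh keys (assumption for the example; real keys come
// from a keystore/PKI, not per-run generation).
func NewParty() (*Party, error) {
	sp, ss, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{SignPriv: ss, SignPub: sp, EncPriv: rk, EncPub: &rk.PublicKey}, nil
}

// Message is what travels over the wire.
type Message struct {
	WrappedKey []byte // AES session key, RSA-OAEP encrypted with the RECIPIENT's public key
	Nonce      []byte
	Body       []byte // AES-GCM ciphertext of the plaintext
	Signature  []byte // Ed25519 signature over the plaintext, made with the SENDER's private key
}

// Seal is the sender's side: sign with MY private key, encrypt with the
// RECIPIENT's public key.
func Seal(sender *Party, recipientEncPub *rsa.PublicKey, plaintext []byte) (*Message, error) {
	sig := ed25519.Sign(sender.SignPriv, plaintext)
	sessionKey := make([]byte, 32) // one-time AES-256 key for this message
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientEncPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, plaintext, nil)
	return &Message{WrappedKey: wrapped, Nonce: nonce, Body: body, Signature: sig}, nil
}

// Open is the recipient's side: decrypt with MY private key, verify with the
// SENDER's public key. Each failure mode is reported separately.
func Open(recipient *Party, senderSignPub ed25519.PublicKey, m *Message) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, recipient.EncPriv, m.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: message was not encrypted to my public key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, m.Nonce, m.Body, nil)
	if err != nil {
		return nil, errors.New("body failed GCM authentication: tampered or wrong key")
	}
	if !ed25519.Verify(senderSignPub, plaintext, m.Signature) {
		return nil, errors.New("signature does not verify under the claimed sender's public key")
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	msg, _ := Seal(alice, bob.EncPub, []byte("meet at 10"))
	pt, err := Open(bob, alice.SignPub, msg)
	fmt.Printf("bob reads %q (err=%v)\n", pt, err)
}
```

Run it and then try the failure cases: a third party with their own `EncPriv` cannot unwrap the session key (confidentiality is tied to the recipient's private key), and verifying against anyone's public key other than the real sender's fails (authenticity is tied to the sender's private key). The GCM tag additionally catches a modified body before the signature is even checked.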
Useful Items:
IR Process: PICERL (this one's not mine - someone else posted it here in r/CompTIA)
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Lockheed Martin Kill Chain (needs a better acronym): Round Wheels Do Exceptionally In Certain Areas
Recon, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objective
Diamond Model of Intrusion Analysis: Anyone Can Ingest Viagra
Adversary, Capability, Infrastructure, Victim
Order of Volatility: CSS Looks Cool Always
CPU registers and cache memory, System memory (RAM, process table, ARP cache, routing table, swapfiles), Storage (HDD, SSD, flash drives/removable media), Logging and monitoring data, Configuration and topology information, Archival/backup media
Hash sizes increase alphabetically (not mine - someone else posted it in this subreddit):
Md5 and Ntlm – 128-bit
Ripemd and Sha1 – 160-bit
Sha256 – 256-bit (other hash sizes too)
Playbook comes alphabetically before runbook (playbook is a checklist of actions to perform to respond to a specific kind of incident, runbook is an automated version of a playbook with room for human input/interaction)
Kerberos is used with Windows and implements mutual authentication with tickets
Private cloud != virtual private cloud
Caching proxy != forward / reverse proxy
XSS != CSRF/XSRF
Cold site (power/Internet connectivity but not hardware/software or data) vs warm site (same as cold site + hardware/infrastructure but no data) vs hot site (warm site + data)
Alert types: can’t tell you the number of times I got stumped because I couldn’t work out the difference between false negative and true positive in my head… ‘False’ means ‘incorrectly’ and ‘true’ means ‘correctly’ and ‘positive’ means ‘malicious activity/file’ (or vulnerability) and ‘negative’ means ‘legit activity/file’:
false positive: traffic/activity was incorrectly identified as malicious (or system was incorrectly identified as vulnerable)
false negative: malicious traffic/activity was incorrectly identified as legitimate (the detection was missed)
true positive: traffic/activity was correctly identified as malicious
true negative: traffic/activity was correctly identified as legitimate/non-malicious
Password spraying sounds like it’s brute forcing passwords but it’s trying a set of passwords with a bunch of accounts/usernames (try one then move onto the next username)
NetFlow is metadata (sender/receiver, content size, but not content) vs pcaps (metadata and content; content is usually / should be encrypted though)
Bluejacking is sending unsolicited messages to a Bluetooth device, not stealing data – that’s bluesnarfing (taking control of the device is bluebugging)
MTTR and MTBF are different from RPO and RTO
Hashing -> integrity, encryption -> confidentiality
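The password spraying item above (one password across many accounts, then the next password) is easier to hold onto once you see how it looks in a log next to ordinary brute forcing (many passwords against one account). The following is an added example written for these notes, not code from the original post or from any product: it parses a handful of constructed failed-login records in a made-up `key=value` layout and labels each source address by which pattern it shows. The thresholds, the log format and the function names (`Classify`, `parseLine`) are this example's own assumptions; real auth logs (Windows 4625 events, sshd, IdP sign-in logs) need their own parser but the same per-source grouping.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample log for this example (TEST-NET addresses, made-up format).
// 203.0.113.5 tries four different accounts once each: a spray.
// 198.51.100.7 hammers one account repeatedly: classic brute force.
// 192.0.2.9 fails once then succeeds: a normal user mistyping.
const sampleLog = `2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=erin result=OK
2024-05-01T10:00:06Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:07Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:08Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:09Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:10Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:11Z src=192.0.2.9 user=bob result=FAIL
2024-05-01T10:00:12Z src=192.0.2.9 user=bob result=OK`

type event struct {
	src, user string
	fail      bool
}

// parseLine pulls src/user/result out of one record; ok=false for lines
// that do not match the expected four-field layout.
func parseLine(line string) (event, bool) {
	var e event
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return e, false
	}
	for _, f := range fields[1:] { // fields[0] is the timestamp, not needed here
		k, v, found := strings.Cut(f, "=")
		if !found {
			return e, false
		}
		switch k {
		case "src":
			e.src = v
		case "user":
			e.user = v
		case "result":
			e.fail = v == "FAIL"
		}
	}
	if e.src == "" || e.user == "" {
		return e, false
	}
	return e, true
}

// Classify groups failures by source address and labels each source:
//   "spray"       - failures against at least sprayUsers distinct accounts
//   "brute-force" - at least bruteFails failures against one single account
// Sources below both thresholds are not reported. Spray is checked first
// because a sprayer may also repeat a few passwords per account.
func Classify(log string, sprayUsers, bruteFails int) map[string]string {
	perSrc := map[string]map[string]int{} // src -> user -> failure count
	for _, line := range strings.Split(log, "\n") {
		e, ok := parseLine(line)
		if !ok || !e.fail {
			continue
		}
		if perSrc[e.src] == nil {
			perSrc[e.src] = map[string]int{}
		}
		perSrc[e.src][e.user]++
	}
	verdict := map[string]string{}
	for src, users := range perSrc {
		maxPerUser := 0
		for _, n := range users {
			if n > maxPerUser {
				maxPerUser = n
			}
		}
		switch {
		case len(users) >= sprayUsers:
			verdict[src] = "spray"
		case maxPerUser >= bruteFails:
			verdict[src] = "brute-force"
		}
	}
	return verdict
}

func main() {
	v := Classify(sampleLog, 3, 5)
	srcs := make([]string, 0, len(v))
	for s := range v {
		srcs = append(srcs, s)
	}
	sort.Strings(srcs)
	for _, s := range srcs {
		fmt.Printf("%-14s %s\n", s, v[s])
	}
}
```

The detection point is the axis you count along: a spray shows up as many distinct usernames per source (and per-account lockout counters never trip, which is exactly why attackers do it), while brute force shows up as many failures per username. A real detector adds a time window and usually also groups by the target account, since sprays are often spread across many source addresses.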