Objective 1.2: Summarize fundamental security concepts
Cert: CompTIA Security+ (SY0-701) Domain: 1.0 General Security Concepts Weight: ~12% of SY0-701 (Domain 1 total) Depth: Summarize. Be able to name and explain CIA, AAA, Zero Trust (control plane + data plane), non-repudiation, gap analysis, physical security controls, and deception/disruption technology.
What this objective tests
You should be able to name the three letters of the CIA triad, the three letters of AAA, the five factor categories of authentication, and the building blocks of Zero Trust. You should also recognize physical controls and deception technology when they show up in scenario questions. This is foundational. Every later Security+ objective (and every SOC interview you ever sit) assumes you can speak in these cornerstones without slowing down.
Key facts
The CIA triad
CIA stands for Confidentiality, Integrity, and Availability. Every security control protects at least one of these. Most attacks break at least one.
| Letter | Plain English | Real example | Common control |
|---|---|---|---|
| Confidentiality | Only the right people can read the data | A patient's medical chart is hidden from other patients | Encryption, access lists, MFA (Multi-Factor Authentication) |
| Integrity | The data has not been changed in an unauthorized way | A wire-transfer amount is not edited in transit | Hashing, digital signatures, file-integrity monitoring |
| Availability | The data and systems are reachable when needed | The payroll app is up on payday | Backups, redundancy, DDoS (Distributed Denial of Service) protection |
A ransomware attack usually breaks all three at once. The files are encrypted by the attacker (confidentiality), potentially altered or destroyed (integrity), and unreachable until paid (availability). Knowing which letter a control protects tells you why it exists.
AAA: Authentication, Authorization, Accounting
AAA is the framework that answers three questions in order. Who are you? What are you allowed to do? What did you actually do?
- Authentication. Proving identity. The system asks for a password, a fingerprint, or a token, and checks it against what is stored.
- Authorization. Granting permissions. After the system knows who you are, it decides which files, apps, or commands you are allowed to touch.
- Accounting. Recording the activity. Every login, file open, and command gets a log entry with a timestamp and a user identifier. Sometimes called auditing.
Authentication uses one or more factors. MFA combines two or more factors from different categories. Two passwords is not MFA. Two factors from the same category (two things you know) is not MFA.
| Factor category | Plain English | Examples |
|---|---|---|
| Something you know | A secret only you should know | Password, PIN, security question |
| Something you have | A physical item only you should have | Smart card, hardware token (YubiKey), authenticator app on your phone |
| Something you are | A biometric trait of your body | Fingerprint, face scan, iris scan, voice print |
| Somewhere you are | Your physical or network location | GPS location, IP address range, geofencing rule |
| Something you do | A behavioral pattern unique to you | Typing rhythm, signature dynamics, walking gait |
Non-repudiation
Non-repudiation means a user cannot credibly deny that they did something. If Alice signs a contract with her private key, she cannot later claim that the contract was forged, because only her private key could have produced that signature.
Digital signatures provide non-repudiation in three steps. Alice hashes the message, encrypts the hash with her private key, and attaches that encrypted hash. Bob decrypts the hash with Alice's public key and recomputes the hash himself. If they match, the message came from Alice and was not altered. PKI (Public Key Infrastructure) is the system of certificates and authorities that makes this trustworthy at scale.
Gap analysis
A gap analysis compares where you are to where you want to be, then lists the work needed to close the distance. In security it usually compares the current control set against a target framework like NIST CSF (Cybersecurity Framework) or PCI DSS (Payment Card Industry Data Security Standard).
The workflow is straightforward:
- Pick the target standard or baseline.
- Inventory the current controls, policies, and processes.
- Map current state against target state, control by control.
- List every gap with a risk rating and an owner.
- Build a remediation plan with timelines and budget.
The output is usually a spreadsheet or report that drives the next year of security work.
Zero Trust
Zero Trust is the assumption that no user, device, or network segment is trusted by default. Every request is verified using identity, device health, and context, even from inside the corporate network. The old "trust the LAN, distrust the internet" model is dead in Zero Trust. NIST SP 800-207 is the canonical Zero Trust reference.
Zero Trust splits into two planes. The control plane decides whether a request is allowed. The data plane carries the actual user traffic once the decision is made.
| Plane | Element | What it does |
|---|---|---|
| Control plane | Adaptive identity | Identity that adjusts based on context (device, location, time, risk score) |
| Control plane | Threat scope reduction | Shrinking the blast radius if any one account or device is compromised |
| Control plane | Policy-driven access control | Decisions based on written policy rules, not static network location |
| Control plane | Policy Administrator | The component that issues commands to allow or block traffic |
| Control plane | Policy Engine | The brain that evaluates the request against policy and decides allow or deny |
| Data plane | Implicit trust zones | Areas where traffic flows freely once a decision is made (kept as small as possible) |
| Data plane | Subject/System | The user, app, or device making the request |
| Data plane | Policy Enforcement Point (PEP) | The gate that actually blocks or allows the traffic based on the control-plane decision |
Think of it this way. The control plane is the bouncer with the guest list. The data plane is the velvet rope. The Policy Engine reads the guest list, the Policy Administrator tells the bouncer what to do, and the PEP (Policy Enforcement Point) is the bouncer's arm that opens or closes the rope.
Physical security
Physical controls protect the people, hardware, and facilities that everything else depends on. A locked server room beats a fancy firewall when the attacker can walk in and unplug the rack.
- Bollards. Short, sturdy posts that block vehicles from ramming a building or lobby.
- Access control vestibule (mantrap). A small room with two interlocking doors. Only one door opens at a time, so a person cannot tailgate another person through.
- Fencing. A perimeter that slows and channels intruders. Height, gauge, and topping (barbed wire or razor wire) all matter.
- Video surveillance. Cameras that record activity. CCTV (Closed Circuit Television) is the classic example. Useful for both deterrence and after-the-fact investigation.
- Security guards. Humans who patrol, monitor, and respond. Expensive but flexible.
- Access badges. Cards or fobs that authenticate the holder at a door reader. Often tied to AAA on the back end.
- Lighting. Bright, even lighting removes hiding spots and helps cameras see at night.
- Sensors. Devices that detect motion or presence. Common types:
- Infrared. Detects body heat.
- Pressure. Detects weight on a mat or floor.
- Microwave. Bounces microwaves and notices when an object disrupts them.
- Ultrasonic. Uses high-frequency sound waves to detect movement.
Deception and disruption technology
Deception technology lures attackers into fake assets so defenders can watch them, learn their tactics, and waste their time. Disruption technology takes that a step further by slowing or breaking the attacker's progress.
| Tool | What it is | Why it matters |
|---|---|---|
| Honeypot | A fake system designed to attract attackers | Any traffic to it is suspicious by definition |
| Honeynet | A whole network of honeypots | Lets defenders watch attacker lateral movement |
| Honeyfile | A fake file (often labeled "passwords.xlsx") placed on a real system | An alert fires the moment anything reads or copies it |
| Honeytoken | A fake credential, API key, or database record planted as bait | Use of the token in any log is a sure sign of compromise |
The point of all four is detection, not prevention. A real attacker triggers the alert before they reach the real systems.
Common gotchas
- Mixing up the CIA letters. Confidentiality is about reading. Integrity is about changing. Availability is about reaching. A defaced website is integrity, not confidentiality. A DDoS attack is availability, not integrity. Drill this until it is reflex.
- Confusing authentication with authorization. Authentication is who you are. Authorization is what you can do. A correct password gets you in (authentication) but the admin role decides what you can edit (authorization).
- Calling MFA "two passwords." Two passwords is two of the same factor (something you know). MFA requires factors from at least two different categories. Password plus authenticator-app code is MFA. Password plus security question is not.
- Thinking Zero Trust means no user has access. Zero Trust means no implicit trust. Users still get access, but every request is verified against policy. The principle is "never trust, always verify," not "deny everyone."
- Thinking honeypots replace real security. Honeypots are a detection tool, not a substitute for patching, MFA, or firewalls. An attacker who skips the honeypot still owns the real systems.
- Treating accounting as optional. Without logs, you cannot prove who did what. Accounting is what makes incident response and audits possible. Skipping it kills non-repudiation too.
- Confusing non-repudiation with confidentiality. Encryption keeps data secret. Digital signatures prove who sent it. Both use keys, but they answer different questions.
- Calling a vestibule a "double door." The access-control vestibule (mantrap) interlocks the two doors. Only one opens at a time. Two doors that open together is just a foyer.
Real-world context
In a SOC (Security Operations Center) Tier 1 analyst seat, CIA shows up in every ticket. A phishing alert reads "user clicked link, credentials likely captured" and the analyst notes "confidentiality at risk, potential session takeover." A web-defacement ticket reads "homepage altered" and the analyst flags it as an integrity incident. A site-down ticket from monitoring is an availability incident until proven otherwise. Triage speed comes from naming the letter early.
AAA shows up in SIEM (Security Information and Event Management) logs constantly. A failed login is an authentication event. A user trying to access a folder they should not see is an authorization event. The whole audit trail is accounting. When an analyst pivots from a phishing alert to "what did this user touch in the last 24 hours," that pivot only works because accounting logs exist.
Zero Trust shows up in conditional access policies inside identity providers like Microsoft Entra ID or Okta. A policy might say "users from outside the United States, on a non-compliant device, requesting access to finance apps, must satisfy MFA and a managed-device check before the request reaches the Policy Enforcement Point." That sentence is Zero Trust in production: adaptive identity, policy-driven access, and a PEP gating the data plane.
Sample alert walkthrough. The SIEM fires "Impossible travel: user signed in from Chicago at 09:12 and from Lagos at 09:18." The Tier 1 analyst tags it as a confidentiality risk (the account may be compromised), runs an AAA review (when did the user last authenticate, what did they access, what got logged), and uses the conditional-access logs from the Zero Trust stack to see whether the Policy Engine flagged the Lagos sign-in as high risk. If yes, the PEP should have blocked it. If no, that is a policy gap and a candidate for the next gap analysis.
Sources
- CompTIA Security+ SY0-701 Exam Objectives, Section 1.2
- NIST SP 800-207, Zero Trust Architecture
- NIST SP 800-63 series, Digital Identity Guidelines
- CISA Zero Trust Maturity Model
- NIST Cybersecurity Framework (CSF) for gap-analysis context
