Domain 1 of 5 · Chapter 2 of 4

Fundamental Security Concepts

CIA, DAD, and non-repudiation: the goals every control serves

Pin a control to the CIA leg it defends and an attack to the leg it breaks, and a surprising share of Domain 1 answers itself. Knowing C, I, and A as labels is the starting line, not the finish; the cheat sheet frames the triad as the three axes every SY0-701 control maps to. This section goes a layer below the labels into the mechanisms the exam pairs with each goal, the DAD inverse used to phrase attack questions, and why non-repudiation is treated as a separate, fourth idea rather than a leg of the triad.

Mapping mechanisms to each leg

Confidentiality keeps information from disclosure to unauthorized parties. The canonical SY0-701 mechanisms are encryption (at rest and in transit), access control, data masking/tokenization, and steganography. Integrity ensures data and systems are not altered without authorization and that any alteration is detectable; its mechanisms are hashing, digital signatures, checksums, and HMACs (a MAC, or Message Authentication Code, is a keyed integrity tag). Availability ensures authorized users reach resources when needed; its mechanisms are redundancy, fault tolerance, load balancing, backups, and DDoS protection. On the exam you classify a control by which leg it protects, and you classify an attack by which leg it violates. the two are mirror images. The figure below groups each leg with its mechanisms and the DAD violation that mirrors it, and shows non-repudiation sitting outside the triad as a distinct goal.

DAD is the attacker-side mirror of CIA

The DAD model names the violation of each leg: Disclosure attacks confidentiality, Alteration attacks integrity, and Denial (or Destruction) attacks availability. A stem that describes data being leaked is a disclosure/confidentiality event; one that describes records being tampered with is alteration/integrity; one that describes a service being knocked offline is denial/availability. Knowing the mapping in both directions lets you answer 'which security goal was violated' questions mechanically.

The three legs are in tension, not co-maximized

The most common conceptual trap is treating CIA as three dials you turn to maximum simultaneously. They trade off: heavy encryption and strict key custody (confidentiality) can reduce availability if a key is lost; aggressive integrity controls and change freezes can slow legitimate access; maximizing availability with broad replication can widen the confidentiality attack surface. Security design is therefore a balancing act keyed to the data's sensitivity and the business's risk appetite. a recurring SY0-701 theme.

Non-repudiation is a distinct goal, achieved by signatures

Non-repudiation is the assurance that a party cannot credibly deny having performed an action. CompTIA lists it alongside CIA, AAA, zero trust, and deception as one of the fundamental security concepts in the SY0-701 General Security Concepts domain[1], not as a leg of the triad. It is achieved primarily through digital signatures, which bind an action to the signer's private key so only that key holder could have produced it, backed by tamper-evident logging that records who did what and when. The distinction the exam probes: a system can keep data confidential (confidentiality) and unaltered (integrity) yet still fail to prove which subject produced it. When a scenario demands both message integrity and proof of origin, the digital signature is the canonical answer; a plain hash or MAC gives integrity but not non-repudiation, because a shared symmetric key does not uniquely identify one signer.

CIA triad: goal, mechanisms, and DAD violationConfidentialityDAD: DisclosureEncryption (rest/transit)Access controlMasking / tokenizationSteganographyIntegrityDAD: AlterationHashingDigital signaturesChecksumsHMACsAvailabilityDAD: Denial / DestructionRedundancyFault toleranceLoad balancingBackupsDDoS protectionNon-repudiation (distinct goal, not a CIA leg)Achieved by digital signatures + tamper-evident logging
Each CIA goal pairs with its mechanisms and its DAD violation; non-repudiation sits outside the triad as a distinct goal achieved by digital signatures.

AAA in depth: factors, people vs systems, RADIUS vs TACACS+

AAA, authentication, authorization, accounting, is the access-management spine of the General Security Concepts domain, listed by CompTIA among the fundamental concepts of security[1]. The overview establishes the three-step order; this section pins down the factor taxonomy, the people-vs-systems split the blueprint calls out explicitly, and the two protocols SY0-701 associates with centralized AAA.

The three steps, strictly ordered

  1. Authentication proves who a subject is by verifying one or more factors. 2. Authorization then determines what that proven identity may do, enforcing least privilege. 3. Accounting (sometimes 'auditing') records what the subject actually did, producing the audit trail used for billing, forensics, and non-repudiation. The order is load-bearing: authorization without prior authentication is meaningless, and accounting is worthless if you cannot tie an action back to an authenticated identity. The figure below traces a single request through the three gates in that fixed order.

Authentication factors

The factor categories the exam tests:

Factor category What it is Examples
Something you know Knowledge Password, PIN, security question
Something you have Possession TOTP token, smart card, hardware key, phone push
Something you are Inherence (biometric) Fingerprint, face, iris, voice
Somewhere you are Location GPS / geofence, source IP range
Something you do Behavior Typing cadence, gait, signature dynamics

Multi-factor authentication (MFA) requires factors from different categories. two passwords are not MFA because both are 'something you know'. A password plus a TOTP code is MFA because it combines knowledge and possession.

Authenticating people vs authenticating systems

The SY0-701 blueprint deliberately separates authenticating people from authenticating systems. People authenticate with passwords, tokens, and biometrics. Systems and devices authenticate with certificates (PKI), pre-shared keys, or hardware roots of trust. a server proving its identity in a TLS handshake, or an endpoint presenting a device certificate to join a network via 802.1X, is the same AAA model applied to a non-human subject. NIST SP 800-207 reinforces this framing for zero trust, defining subjects to include non-person entities such as applications and services that request information from resources[2], not just human users. A frequent exam distinction: device authentication with a certificate is generally stronger evidence than a user credential alone, which is why NIST notes subject credentials by themselves are insufficient for device authentication to an enterprise resource.

RADIUS vs TACACS+

Two protocols centralize AAA for network and device access, and the exam tests their differences:

Aspect RADIUS TACACS+
Origin Open standard (IETF) Cisco-developed
Transport UDP TCP
Encryption Encrypts only the password in the packet Encrypts the entire payload
AAA separation Combines authentication and authorization Separates authentication, authorization, and accounting into distinct functions
Typical use Network access (Wi-Fi, VPN, 802.1X) Device administration (router/switch admin)

The distractor pattern: choosing RADIUS for granular per-command device-administration authorization is weaker than TACACS+, which separates authorization and encrypts the full payload; conversely, TACACS+ is rarely the answer for general network-access authentication where RADIUS dominates.

Subject request1. Authenticationprove who the subject is (factors)2. Authorizationwhat the identity may do (least privilege)3. Accountingrecord what the subject did (audit trail)
AAA evaluates one request in a fixed order: authentication, then authorization, then accounting. Each step is meaningless without the one before it.

Zero trust per NIST SP 800-207: planes, components, and tenets

Zero trust is the densest concept in this subtopic, and SY0-701 tests it at the granularity of NIST SP 800-207's named components. The overview introduces the control-plane/data-plane split and the PE/PA/PDP/PEP roles; this section grounds every term in the authoritative NIST wording and maps it onto the exact sub-bullets the CompTIA objectives enumerate.

The core premise and the seven tenets

Zero trust assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location or asset ownership[2]; every request is authenticated and authorized before access. NIST defines seven basic tenets, the ones the exam draws stems from being: (1) all data sources and computing services are considered resources; (2) all communication is secured regardless of network location[2]. network location alone does not imply trust; (3) access to individual resources is granted on a per-session basis with least privilege; (4) access is determined by dynamic policy including the observable state of identity, the requesting asset, and behavioral/environmental attributes; (5) the enterprise monitors and measures the integrity and security posture of all assets, because no asset is inherently trusted[2]; (6) all authentication and authorization are dynamic and strictly enforced before access; (7) the enterprise collects telemetry to continually improve its security posture. The single exam-portable idea: trust is never granted by where you are on the network.

Control plane vs data plane

NIST states the ZTA logical components use a separate control plane to communicate, while application data is communicated on a data plane[2]. The control plane is where access decisions are made and the communication path is configured; the data plane is where the actual application traffic flows once access is enforced. The CompTIA objectives map their sub-bullets onto exactly these two planes: the decision machinery sits in the control plane, the enforcement point and the protected resource sit on the data plane. The figure below shows that split and where each named component lives.

The four named components (NIST wording)

NIST breaks the policy decision point into two logical components and pairs it with an enforcement point:

CompTIA's objective sub-bullets, mapped

The SY0-701 objectives list zero trust under two planes; here is how each named term lands:

Plane CompTIA sub-bullet Meaning
Control plane Adaptive identity Trust adjusts dynamically from context (device posture, behavior, risk) so the same user may be allowed or challenged depending on conditions
Control plane Threat scope reduction Shrinking implicit trust zones and access scope to limit blast radius. NIST frames ZT as shrinking implicit trust zones[2]
Control plane Policy-driven access control Access governed by centrally defined policy evaluated per request, not static perimeter rules
Control plane Policy Administrator (PA) Executes the decision, establishing/tearing down the path (NIST definition above)
Control plane Policy Engine (PE) Makes and logs the grant/deny/revoke decision via the trust algorithm
Data plane Implicit trust zones An area where all entities are trusted to at least the level of the last PDP/PEP gateway[2]; ZT works to make these as small as possible
Data plane Subject / System The user or device requesting access
Data plane Policy Enforcement Point (PEP) Enables, monitors, and terminates the connection to the resource

NIST adds that the implicit trust zone must be as small as possible[2] so the PDP/PEP can apply policy as specifically as possible. the conceptual reason a flat internal network with broad implicit trust is exactly the architecture zero trust replaces.

Control planePolicy decision point (PDP)Policyengine (PE)Policyadmin (PA)Data planeSubject / SystemPolicy enforcementpoint (PEP)Protected resourceconfigures
How NIST SP 800-207's zero-trust components split across planes: PE plus PA form the PDP on the control plane; the subject, PEP, and resource sit on the data plane.

Deception and disruption: honeypot, honeynet, honeyfile, honeytoken

Deception and disruption technology is the fourth fundamental concept CompTIA groups in this subtopic, alongside CIA, non-repudiation, AAA, and zero trust, in the SY0-701 General Security Concepts objectives[1]. The overview defines each decoy; this section sharpens the distinctions the exam exploits and the operational rules that decide whether a decoy is a tripwire or a liability.

The four decoys, by scope

They form a ladder from a whole network down to a single record, and the figure below stacks them in that order with each decoy's trigger:

Term Scope What it is Trigger
Honeypot One system A single decoy host with no legitimate purpose Any connection/interaction with it
Honeynet A network A network of honeypots imitating a realistic environment Any traffic to or within the decoy network
Honeyfile One file A bait file (e.g., a fake passwords.txt) The file being opened, copied, or exfiltrated
Honeytoken One record A bogus data record (fake credential, fake DB row, canary API key) The token being used anywhere

Why deception yields high-confidence, low-false-positive alerts

The defining property is that these assets have no legitimate business purpose, so any interaction is, by construction, suspicious. A real user never opens the fake password file and never authenticates with the canary credential. That makes a deception alert far higher signal than a generic IDS hit: the false-positive rate is near zero because there is no benign reason to touch a decoy. This is why deception is positioned as an early, high-confidence intrusion-detection mechanism rather than a primary defense.

Disruption: slowing and studying the attacker

The 'disruption' half of the term covers the way decoys waste an attacker's time and surface their tradecraft. A honeynet that imitates a real environment lures an intruder into exploring fake systems, consuming their effort while generating intelligence on the tactics, tools, and lateral-movement patterns they use. Intelligence that then feeds detection rules for the real network. A honeytoken planted in a database means that if an attacker exfiltrates and later uses the record, its appearance anywhere (a credential-stuffing attempt, a query against a fake row) immediately reveals the breach and its path.

The cardinal operational rule

A decoy must contain no production data and no live access. A honeypot that is poorly isolated, or a honeyfile that contains real credentials, inverts its purpose: instead of a tripwire it becomes an attacker foothold and a real data-leak source. Proper deployment isolates the decoy from production networks and ensures any 'secret' it holds is itself bait. The exam distractor to reject is any option that places genuine sensitive data or real network reachability inside a decoy.

Scope ladder: broadest (network) to narrowest (record)HoneynetScope: a network of honeypotsTrigger: any traffic to the decoy networkHoneypotScope: one decoy systemTrigger: any interaction with itHoneyfileScope: one bait fileTrigger: file opened, copied, exfiltratedHoneytokenScope: one bait recordTrigger: the token used anywhere
The four decoys form a scope ladder from a whole network down to a single record; each fires on any interaction because no legitimate user touches a decoy.

Exam-pattern recognition: reading SY0-701 Domain 1 stems

General Security Concepts is 12% of the SY0-701 exam[1], and the fundamental-concepts questions follow a handful of repeatable shapes. Each pattern below names a stem shape, points back to the section that explains the underlying rule, and adds the tell-words and distractors that let you score on recognition under time pressure rather than recall.

Pattern 1: 'Which CIA goal does this control/attack address?'

The stem describes a control or an incident and asks which security goal it serves or violates. Resolve it with the mechanism and DAD maps from CIA, DAD, and non-repudiation above. The classic distractor offers a control from the wrong leg, e.g., proposing a backup (availability) to solve a data-leak (confidentiality) problem.

Pattern 2: 'Integrity AND proof of origin' → non-repudiation via digital signature

When the stem requires both that a message was not altered and that a specific party demonstrably sent it, the answer is a digital signature, which delivers non-repudiation (the signature-vs-hash reasoning is in CIA, DAD, and non-repudiation above). The tell is the phrase 'cannot deny' or 'prove who sent it'. The trap answer is a plain hash or a MAC/HMAC, fine when the stem only needs tamper-detection, wrong when it needs proof of origin.

Pattern 3: 'Is this MFA?' and the AAA-step swap

Two AAA traps recur (the factor categories and step order are in AAA in depth above). First, an option presenting two factors from the same category (password + PIN) is not MFA. Second, stems conflate the steps: a user who logged in successfully but cannot perform an action has passed authentication and is being stopped by authorization (or accounting/logging if the question is about the audit trail). Map the symptom to the correct A before picking.

Pattern 4: 'Modernize a flat, perimeter-trusted network' → zero trust, not a product

A stem describing a flat internal network where being on the LAN grants broad access is a zero-trust scenario. The correct answer replaces implicit network-location trust with per-request, policy-driven verification (a PE/PA decision enforced at a PEP, from Zero trust per NIST SP 800-207 above). The dominant distractor equates zero trust with buying a single appliance: a VPN, a next-gen firewall, or 'microsegmentation' alone. Per NIST, zero trust is a set of guiding principles and an architecture[2], not a product.

Pattern 5: Naming the zero-trust component

Granular SY0-701 stems quote one component's job and ask for its name. 'Makes and logs the grant/deny decision' → Policy Engine. 'Establishes or tears down the session path / executes the decision' → Policy Administrator. 'PE + PA together' → Policy Decision Point. 'Enables, monitors, and terminates the connection to the resource' → Policy Enforcement Point. The distractor swaps decide (PE/PA → PDP, control plane) with enforce (PEP, data plane). Anchor on the verb in the stem: decide/log/execute lives in the control plane; enforce/enable/terminate the connection is the PEP on the data plane.

Pattern 6: 'Earliest, highest-confidence breach signal' → deception

When a stem wants a low-false-positive tripwire that fires the instant an attacker touches something, the answer is a deception asset (honeypot/honeynet for systems, honeyfile for a bait file, honeytoken for a bait record) because legitimate users never interact with them (see Deception and disruption above). The distractor to reject is any choice that puts real data or live access inside the decoy, which turns a tripwire into a foothold.

Zero-trust logical components (NIST SP 800-207)

ComponentPlaneResponsibility
Policy engine (PE)Control planeMakes and logs the grant/deny/revoke decision via a trust algorithm; half of the PDP
Policy administrator (PA)Control planeExecutes the PE's decision, establishing or tearing down the session path; half of the PDP
Policy decision point (PDP)Control planeLogical pairing of PE + PA that decides access for each request
Policy enforcement point (PEP)Spans control & data planeEnables, monitors, and terminates the connection between subject and resource
Protected resourceData planeApplication or data the subject ultimately reaches once access is enforced

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Classify every control by which CIA leg it protects

The CIA triad is the three goals every security control serves: confidentiality (preserving authorized restrictions on access and disclosure), integrity (guarding against improper modification or destruction, including authenticity), and availability (timely, reliable access to information). SY0-701 items make you tag a control by its leg: encryption, access control, and masking serve confidentiality; hashing, digital signatures, and checksums serve integrity; redundancy, backups, and DDoS protection serve availability.

Trap Mislabeling which CIA leg a control serves, such as tagging hashing or a digital signature as confidentiality when both serve integrity.

6 questions test this
DAD names the violation of each CIA leg

DAD is the attacker-side mirror of CIA: Disclosure violates confidentiality, Alteration violates integrity, and Denial (or Destruction) violates availability. Use it to label incidents: a data leak is disclosure/confidentiality, tampering is alteration/integrity, and an outage is denial/availability.

Trap Mismatching a DAD term to its CIA leg, such as mapping Alteration to availability instead of integrity.

1 question tests this
The CIA legs trade off; they are not co-maximized

CIA goals are in tension, not three dials all pushed to maximum. Hardening confidentiality with heavy encryption and strict key custody can cost availability if a key is lost, and replicating broadly for availability widens the confidentiality attack surface. Good design balances the legs against data sensitivity and risk appetite rather than maxing one in isolation.

Non-repudiation proves who acted so they cannot deny it

Non-repudiation is assurance that a party cannot credibly deny having performed an action, such as sending a message or approving a transaction. NIST ties it to proof of origin verifiable by a third party via the signer's private key. It is a goal distinct from confidentiality and integrity: a system can keep data intact and secret yet still fail to prove which user produced it.

8 questions test this
Use a digital signature when you need integrity AND non-repudiation

A digital signature is the answer when a scenario demands both that a message was not altered and that one specific party demonstrably sent it, because it binds the action to the signer's private key. A plain hash or a symmetric MAC/HMAC gives integrity only: a hash carries no identity, and a MAC's shared key cannot single out one signer.

Trap Offering a hash or HMAC for non-repudiation: both prove integrity, but a shared MAC key can't pin the action to one signer.

6 questions test this
AAA runs authentication, then authorization, then accounting

AAA is authentication (proving who a subject is), authorization (determining what that proven identity may do, enforcing least privilege), and accounting/auditing (recording what it actually did). The order is load-bearing: authorization without prior authentication is meaningless, so a stem that authorizes before identifying is wrong.

Trap Conflating authorization with authentication, treating the check of what a subject may do as the same step that proves who it is.

10 questions test this
Know the five authentication factor categories the exam tests

SY0-701 tests five factor categories: something you know (knowledge: password, PIN), something you have (possession: TOTP token, smart card, hardware key), something you are (inherence/biometric: fingerprint, face, iris), somewhere you are (location: GPS/geofence, source IP), and something you do (behavior: typing cadence, gait). NIST's classic three are know/have/are; CompTIA adds location and behavior.

Trap Miscategorizing a factor, such as calling a smart card or hardware token 'something you know' when possession of the device makes it 'something you have'.

MFA combines factors from different categories, not duplicates

Multi-factor authentication requires more than one distinct TYPE of factor, not two of the same kind. A password plus a PIN is NOT MFA because both are 'something you know'; a password plus a TOTP code IS MFA because it pairs knowledge with possession. The category mix is the testable point, not the number of prompts.

Trap Counting password-plus-security-question (or password-plus-PIN) as MFA: two knowledge factors are still a single category.

People and systems authenticate by different means

SY0-701 separates authenticating people from authenticating systems. People use passwords, tokens, and biometrics; systems and devices use certificates (PKI), pre-shared keys, or hardware roots of trust, for example a server proving identity in a TLS handshake, or an endpoint presenting a device certificate via 802.1X.

Zero trust never grants trust from network location

Zero trust grants no implicit trust to an asset or account based solely on its physical or network location or ownership; every request is authenticated and authorized before access. The exam-portable idea: being inside the perimeter earns nothing. A flat internal network with implicit trust is exactly what zero trust replaces.

Trap Assuming traffic from inside the corporate LAN is trusted: under zero trust, internal location grants no implicit trust.

3 questions test this
Zero trust separates a control plane from a data plane

Per NIST SP 800-207, a zero-trust architecture uses a control plane to make and communicate access decisions and configure communication paths, kept logically separate from the data plane where application traffic flows once access is enforced. The decision channel and the traffic channel are distinct.

2 questions test this
The policy engine decides; the policy administrator executes

In NIST SP 800-207 the policy engine (PE) makes and logs the ultimate grant/deny/revoke decision using a trust algorithm fed by enterprise policy and external signals. The policy administrator (PA) executes that decision by establishing or tearing down the communication path between subject and resource. Deciding versus enforcing the decision are two distinct logical roles.

Trap Crediting the policy administrator with making the grant/deny decision when it only executes the decision the policy engine reaches.

PE plus PA form the PDP; the PEP is separate

NIST SP 800-207 groups the policy engine and policy administrator into one logical policy decision point (PDP). The policy enforcement point (PEP) is the distinct component that actually enables, monitors, and terminates the connection between the subject and the protected resource: it acts on the PDP's decision rather than making it.

Trap Having the policy enforcement point decide access when it only acts on the PDP's decision by enabling or terminating the connection.

3 questions test this
Zero-trust access is dynamic and adapts to context

Zero-trust access is governed by dynamic policy evaluated per request, not static perimeter rules. Adaptive identity adjusts trust using context such as device posture, observed behavior, and risk signals, so the same user may be allowed, challenged, or denied depending on conditions at that moment.

1 question tests this
Zero trust grants access per session with least privilege

Among the NIST SP 800-207 tenets the exam leans on: all data sources and computing services are treated as resources; all communication is secured regardless of network location; access to a resource is granted per session with least privilege and does not carry to other resources; and all authentication and authorization are dynamic and strictly enforced before access is allowed.

Trap Assuming one access grant carries over to other resources, when zero trust scopes each grant per session to a single resource.

Any touch of a decoy is high-confidence evidence of attack

Deception technology plants assets with no legitimate business purpose, so any interaction with them is high-confidence evidence of malicious activity. The false-positive rate is near zero because no normal user has a reason to touch a decoy, which makes deception an early, high-confidence intrusion-detection layer rather than a preventive control.

Trap Classifying deception as a preventive control, when planting decoys detects and alerts on intrusion rather than blocking it.

Honeypot is one decoy host; honeynet is a decoy network

A honeypot is a single decoy system with no legitimate purpose, alerting on any connection to it. A honeynet is a network of honeypots imitating a realistic environment, luring an intruder into exploring fake systems while generating intelligence on their tactics and lateral-movement patterns.

Honeyfile is a bait file; honeytoken is a bait record

A honeyfile is a decoy file (such as a fake passwords.txt) that triggers an alert when opened, copied, or exfiltrated. A honeytoken is a bogus data record: a fake credential, fake database row, or canary API key, whose use anywhere reveals a breach.

A decoy must hold no real data and grant no live access

A deception asset works as a tripwire only if it contains no real data and grants no live access. A poorly isolated honeypot or honeyfile becomes an attacker foothold rather than a detection mechanism, converting your tripwire into their pivot point.

Trap Stocking a honeypot with real credentials or live network reach to make it convincing: that turns the decoy into a usable foothold.

Also tested in

References

  1. CompTIA Security+ (SY0-701) certification
  2. NIST SP 800-207: Zero Trust Architecture