Fundamental Security Concepts
CIA, DAD, and non-repudiation: the goals every control serves
Pin a control to the CIA leg it defends and an attack to the leg it breaks, and a surprising share of Domain 1 answers itself. Knowing C, I, and A as labels is the starting line, not the finish; the cheat sheet frames the triad as the three axes every SY0-701 control maps to. This section goes a layer below the labels into the mechanisms the exam pairs with each goal, the DAD inverse used to phrase attack questions, and why non-repudiation is treated as a separate, fourth idea rather than a leg of the triad.
Mapping mechanisms to each leg
Confidentiality keeps information from disclosure to unauthorized parties. The canonical SY0-701 mechanisms are encryption (at rest and in transit), access control, data masking/tokenization, and steganography. Integrity ensures data and systems are not altered without authorization and that any alteration is detectable; its mechanisms are hashing, digital signatures, checksums, and HMACs (a MAC, or Message Authentication Code, is a keyed integrity tag). Availability ensures authorized users reach resources when needed; its mechanisms are redundancy, fault tolerance, load balancing, backups, and DDoS protection. On the exam you classify a control by which leg it protects, and you classify an attack by which leg it violates. the two are mirror images. The figure below groups each leg with its mechanisms and the DAD violation that mirrors it, and shows non-repudiation sitting outside the triad as a distinct goal.
DAD is the attacker-side mirror of CIA
The DAD model names the violation of each leg: Disclosure attacks confidentiality, Alteration attacks integrity, and Denial (or Destruction) attacks availability. A stem that describes data being leaked is a disclosure/confidentiality event; one that describes records being tampered with is alteration/integrity; one that describes a service being knocked offline is denial/availability. Knowing the mapping in both directions lets you answer 'which security goal was violated' questions mechanically.
The three legs are in tension, not co-maximized
The most common conceptual trap is treating CIA as three dials you turn to maximum simultaneously. They trade off: heavy encryption and strict key custody (confidentiality) can reduce availability if a key is lost; aggressive integrity controls and change freezes can slow legitimate access; maximizing availability with broad replication can widen the confidentiality attack surface. Security design is therefore a balancing act keyed to the data's sensitivity and the business's risk appetite. a recurring SY0-701 theme.
Non-repudiation is a distinct goal, achieved by signatures
Non-repudiation is the assurance that a party cannot credibly deny having performed an action. CompTIA lists it alongside CIA, AAA, zero trust, and deception as one of the fundamental security concepts in the SY0-701 General Security Concepts domain[1], not as a leg of the triad. It is achieved primarily through digital signatures, which bind an action to the signer's private key so only that key holder could have produced it, backed by tamper-evident logging that records who did what and when. The distinction the exam probes: a system can keep data confidential (confidentiality) and unaltered (integrity) yet still fail to prove which subject produced it. When a scenario demands both message integrity and proof of origin, the digital signature is the canonical answer; a plain hash or MAC gives integrity but not non-repudiation, because a shared symmetric key does not uniquely identify one signer.
AAA in depth: factors, people vs systems, RADIUS vs TACACS+
AAA, authentication, authorization, accounting, is the access-management spine of the General Security Concepts domain, listed by CompTIA among the fundamental concepts of security[1]. The overview establishes the three-step order; this section pins down the factor taxonomy, the people-vs-systems split the blueprint calls out explicitly, and the two protocols SY0-701 associates with centralized AAA.
The three steps, strictly ordered
- Authentication proves who a subject is by verifying one or more factors. 2. Authorization then determines what that proven identity may do, enforcing least privilege. 3. Accounting (sometimes 'auditing') records what the subject actually did, producing the audit trail used for billing, forensics, and non-repudiation. The order is load-bearing: authorization without prior authentication is meaningless, and accounting is worthless if you cannot tie an action back to an authenticated identity. The figure below traces a single request through the three gates in that fixed order.
Authentication factors
The factor categories the exam tests:
| Factor category | What it is | Examples |
|---|---|---|
| Something you know | Knowledge | Password, PIN, security question |
| Something you have | Possession | TOTP token, smart card, hardware key, phone push |
| Something you are | Inherence (biometric) | Fingerprint, face, iris, voice |
| Somewhere you are | Location | GPS / geofence, source IP range |
| Something you do | Behavior | Typing cadence, gait, signature dynamics |
Multi-factor authentication (MFA) requires factors from different categories. two passwords are not MFA because both are 'something you know'. A password plus a TOTP code is MFA because it combines knowledge and possession.
Authenticating people vs authenticating systems
The SY0-701 blueprint deliberately separates authenticating people from authenticating systems. People authenticate with passwords, tokens, and biometrics. Systems and devices authenticate with certificates (PKI), pre-shared keys, or hardware roots of trust. a server proving its identity in a TLS handshake, or an endpoint presenting a device certificate to join a network via 802.1X, is the same AAA model applied to a non-human subject. NIST SP 800-207 reinforces this framing for zero trust, defining subjects to include non-person entities such as applications and services that request information from resources[2], not just human users. A frequent exam distinction: device authentication with a certificate is generally stronger evidence than a user credential alone, which is why NIST notes subject credentials by themselves are insufficient for device authentication to an enterprise resource.
RADIUS vs TACACS+
Two protocols centralize AAA for network and device access, and the exam tests their differences:
| Aspect | RADIUS | TACACS+ |
|---|---|---|
| Origin | Open standard (IETF) | Cisco-developed |
| Transport | UDP | TCP |
| Encryption | Encrypts only the password in the packet | Encrypts the entire payload |
| AAA separation | Combines authentication and authorization | Separates authentication, authorization, and accounting into distinct functions |
| Typical use | Network access (Wi-Fi, VPN, 802.1X) | Device administration (router/switch admin) |
The distractor pattern: choosing RADIUS for granular per-command device-administration authorization is weaker than TACACS+, which separates authorization and encrypts the full payload; conversely, TACACS+ is rarely the answer for general network-access authentication where RADIUS dominates.
Zero trust per NIST SP 800-207: planes, components, and tenets
Zero trust is the densest concept in this subtopic, and SY0-701 tests it at the granularity of NIST SP 800-207's named components. The overview introduces the control-plane/data-plane split and the PE/PA/PDP/PEP roles; this section grounds every term in the authoritative NIST wording and maps it onto the exact sub-bullets the CompTIA objectives enumerate.
The core premise and the seven tenets
Zero trust assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location or asset ownership[2]; every request is authenticated and authorized before access. NIST defines seven basic tenets, the ones the exam draws stems from being: (1) all data sources and computing services are considered resources; (2) all communication is secured regardless of network location[2]. network location alone does not imply trust; (3) access to individual resources is granted on a per-session basis with least privilege; (4) access is determined by dynamic policy including the observable state of identity, the requesting asset, and behavioral/environmental attributes; (5) the enterprise monitors and measures the integrity and security posture of all assets, because no asset is inherently trusted[2]; (6) all authentication and authorization are dynamic and strictly enforced before access; (7) the enterprise collects telemetry to continually improve its security posture. The single exam-portable idea: trust is never granted by where you are on the network.
Control plane vs data plane
NIST states the ZTA logical components use a separate control plane to communicate, while application data is communicated on a data plane[2]. The control plane is where access decisions are made and the communication path is configured; the data plane is where the actual application traffic flows once access is enforced. The CompTIA objectives map their sub-bullets onto exactly these two planes: the decision machinery sits in the control plane, the enforcement point and the protected resource sit on the data plane. The figure below shows that split and where each named component lives.
The four named components (NIST wording)
NIST breaks the policy decision point into two logical components and pairs it with an enforcement point:
- Policy engine (PE): responsible for the ultimate decision to grant access to a resource for a given subject[2]. It feeds enterprise policy plus external signals into a trust algorithm to grant, deny, or revoke access, and it makes and logs the decision.
- Policy administrator (PA): responsible for establishing and/or shutting down the communication path between a subject and a resource[2] by issuing commands to the PEP. It executes the PE's decision: if authorized, it configures the PEP to allow the session; if denied, it signals the PEP to shut the connection.
- Policy decision point (PDP): NIST states the PDP is broken down into two logical components: the policy engine and policy administrator[2]. So PDP = PE + PA. NIST notes some implementations treat PE and PA as a single service, but the exam expects you to know they are two distinct logical roles: deciding versus executing the decision.
- Policy enforcement point (PEP): responsible for enabling, monitoring, and eventually terminating connections between a subject and an enterprise resource[2]. It communicates with the PA to enable or tear down sessions. Beyond the PEP lies the trust zone hosting the resource.
CompTIA's objective sub-bullets, mapped
The SY0-701 objectives list zero trust under two planes; here is how each named term lands:
| Plane | CompTIA sub-bullet | Meaning |
|---|---|---|
| Control plane | Adaptive identity | Trust adjusts dynamically from context (device posture, behavior, risk) so the same user may be allowed or challenged depending on conditions |
| Control plane | Threat scope reduction | Shrinking implicit trust zones and access scope to limit blast radius. NIST frames ZT as shrinking implicit trust zones[2] |
| Control plane | Policy-driven access control | Access governed by centrally defined policy evaluated per request, not static perimeter rules |
| Control plane | Policy Administrator (PA) | Executes the decision, establishing/tearing down the path (NIST definition above) |
| Control plane | Policy Engine (PE) | Makes and logs the grant/deny/revoke decision via the trust algorithm |
| Data plane | Implicit trust zones | An area where all entities are trusted to at least the level of the last PDP/PEP gateway[2]; ZT works to make these as small as possible |
| Data plane | Subject / System | The user or device requesting access |
| Data plane | Policy Enforcement Point (PEP) | Enables, monitors, and terminates the connection to the resource |
NIST adds that the implicit trust zone must be as small as possible[2] so the PDP/PEP can apply policy as specifically as possible. the conceptual reason a flat internal network with broad implicit trust is exactly the architecture zero trust replaces.
Deception and disruption: honeypot, honeynet, honeyfile, honeytoken
Deception and disruption technology is the fourth fundamental concept CompTIA groups in this subtopic, alongside CIA, non-repudiation, AAA, and zero trust, in the SY0-701 General Security Concepts objectives[1]. The overview defines each decoy; this section sharpens the distinctions the exam exploits and the operational rules that decide whether a decoy is a tripwire or a liability.
The four decoys, by scope
They form a ladder from a whole network down to a single record, and the figure below stacks them in that order with each decoy's trigger:
| Term | Scope | What it is | Trigger |
|---|---|---|---|
| Honeypot | One system | A single decoy host with no legitimate purpose | Any connection/interaction with it |
| Honeynet | A network | A network of honeypots imitating a realistic environment | Any traffic to or within the decoy network |
| Honeyfile | One file | A bait file (e.g., a fake passwords.txt) | The file being opened, copied, or exfiltrated |
| Honeytoken | One record | A bogus data record (fake credential, fake DB row, canary API key) | The token being used anywhere |
Why deception yields high-confidence, low-false-positive alerts
The defining property is that these assets have no legitimate business purpose, so any interaction is, by construction, suspicious. A real user never opens the fake password file and never authenticates with the canary credential. That makes a deception alert far higher signal than a generic IDS hit: the false-positive rate is near zero because there is no benign reason to touch a decoy. This is why deception is positioned as an early, high-confidence intrusion-detection mechanism rather than a primary defense.
Disruption: slowing and studying the attacker
The 'disruption' half of the term covers the way decoys waste an attacker's time and surface their tradecraft. A honeynet that imitates a real environment lures an intruder into exploring fake systems, consuming their effort while generating intelligence on the tactics, tools, and lateral-movement patterns they use. Intelligence that then feeds detection rules for the real network. A honeytoken planted in a database means that if an attacker exfiltrates and later uses the record, its appearance anywhere (a credential-stuffing attempt, a query against a fake row) immediately reveals the breach and its path.
The cardinal operational rule
A decoy must contain no production data and no live access. A honeypot that is poorly isolated, or a honeyfile that contains real credentials, inverts its purpose: instead of a tripwire it becomes an attacker foothold and a real data-leak source. Proper deployment isolates the decoy from production networks and ensures any 'secret' it holds is itself bait. The exam distractor to reject is any option that places genuine sensitive data or real network reachability inside a decoy.
Exam-pattern recognition: reading SY0-701 Domain 1 stems
General Security Concepts is 12% of the SY0-701 exam[1], and the fundamental-concepts questions follow a handful of repeatable shapes. Each pattern below names a stem shape, points back to the section that explains the underlying rule, and adds the tell-words and distractors that let you score on recognition under time pressure rather than recall.
Pattern 1: 'Which CIA goal does this control/attack address?'
The stem describes a control or an incident and asks which security goal it serves or violates. Resolve it with the mechanism and DAD maps from CIA, DAD, and non-repudiation above. The classic distractor offers a control from the wrong leg, e.g., proposing a backup (availability) to solve a data-leak (confidentiality) problem.
Pattern 2: 'Integrity AND proof of origin' → non-repudiation via digital signature
When the stem requires both that a message was not altered and that a specific party demonstrably sent it, the answer is a digital signature, which delivers non-repudiation (the signature-vs-hash reasoning is in CIA, DAD, and non-repudiation above). The tell is the phrase 'cannot deny' or 'prove who sent it'. The trap answer is a plain hash or a MAC/HMAC, fine when the stem only needs tamper-detection, wrong when it needs proof of origin.
Pattern 3: 'Is this MFA?' and the AAA-step swap
Two AAA traps recur (the factor categories and step order are in AAA in depth above). First, an option presenting two factors from the same category (password + PIN) is not MFA. Second, stems conflate the steps: a user who logged in successfully but cannot perform an action has passed authentication and is being stopped by authorization (or accounting/logging if the question is about the audit trail). Map the symptom to the correct A before picking.
Pattern 4: 'Modernize a flat, perimeter-trusted network' → zero trust, not a product
A stem describing a flat internal network where being on the LAN grants broad access is a zero-trust scenario. The correct answer replaces implicit network-location trust with per-request, policy-driven verification (a PE/PA decision enforced at a PEP, from Zero trust per NIST SP 800-207 above). The dominant distractor equates zero trust with buying a single appliance: a VPN, a next-gen firewall, or 'microsegmentation' alone. Per NIST, zero trust is a set of guiding principles and an architecture[2], not a product.
Pattern 5: Naming the zero-trust component
Granular SY0-701 stems quote one component's job and ask for its name. 'Makes and logs the grant/deny decision' → Policy Engine. 'Establishes or tears down the session path / executes the decision' → Policy Administrator. 'PE + PA together' → Policy Decision Point. 'Enables, monitors, and terminates the connection to the resource' → Policy Enforcement Point. The distractor swaps decide (PE/PA → PDP, control plane) with enforce (PEP, data plane). Anchor on the verb in the stem: decide/log/execute lives in the control plane; enforce/enable/terminate the connection is the PEP on the data plane.
Pattern 6: 'Earliest, highest-confidence breach signal' → deception
When a stem wants a low-false-positive tripwire that fires the instant an attacker touches something, the answer is a deception asset (honeypot/honeynet for systems, honeyfile for a bait file, honeytoken for a bait record) because legitimate users never interact with them (see Deception and disruption above). The distractor to reject is any choice that puts real data or live access inside the decoy, which turns a tripwire into a foothold.
Zero-trust logical components (NIST SP 800-207)
| Component | Plane | Responsibility |
|---|---|---|
| Policy engine (PE) | Control plane | Makes and logs the grant/deny/revoke decision via a trust algorithm; half of the PDP |
| Policy administrator (PA) | Control plane | Executes the PE's decision, establishing or tearing down the session path; half of the PDP |
| Policy decision point (PDP) | Control plane | Logical pairing of PE + PA that decides access for each request |
| Policy enforcement point (PEP) | Spans control & data plane | Enables, monitors, and terminates the connection between subject and resource |
| Protected resource | Data plane | Application or data the subject ultimately reaches once access is enforced |
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Classify every control by which CIA leg it protects
The CIA triad is the three goals every security control serves: confidentiality (preserving authorized restrictions on access and disclosure), integrity (guarding against improper modification or destruction, including authenticity), and availability (timely, reliable access to information). SY0-701 items make you tag a control by its leg: encryption, access control, and masking serve confidentiality; hashing, digital signatures, and checksums serve integrity; redundancy, backups, and DDoS protection serve availability.
Trap Mislabeling which CIA leg a control serves, such as tagging hashing or a digital signature as confidentiality when both serve integrity.
6 questions test this
- After a RADIUS server authenticates a VPN user, it applies role-based policies that restrict the user to only the finance department's…
- An enterprise configures its centralized AAA server to enforce role-based policies ensuring employees can only access documents matching…
- A security team implements centralized audit logging with write-once storage and cryptographic hash chaining for all log entries. Which…
- An administrator forwards all AAA server audit logs to a centralized write-protected server to prevent modification after collection. This…
- A healthcare organization restricts electronic access to patient records so that only physicians assigned to a specific case can view the…
- A security team stores centralized audit logs on write-once, append-only storage and applies strict access controls to prevent unauthorized…
- DAD names the violation of each CIA leg
DAD is the attacker-side mirror of CIA: Disclosure violates confidentiality, Alteration violates integrity, and Denial (or Destruction) violates availability. Use it to label incidents: a data leak is disclosure/confidentiality, tampering is alteration/integrity, and an outage is denial/availability.
Trap Mismatching a DAD term to its CIA leg, such as mapping Alteration to availability instead of integrity.
- The CIA legs trade off; they are not co-maximized
CIA goals are in tension, not three dials all pushed to maximum. Hardening confidentiality with heavy encryption and strict key custody can cost availability if a key is lost, and replicating broadly for availability widens the confidentiality attack surface. Good design balances the legs against data sensitivity and risk appetite rather than maxing one in isolation.
- Non-repudiation proves who acted so they cannot deny it
Non-repudiation is assurance that a party cannot credibly deny having performed an action, such as sending a message or approving a transaction. NIST ties it to proof of origin verifiable by a third party via the signer's private key. It is a goal distinct from confidentiality and integrity: a system can keep data intact and secret yet still fail to prove which user produced it.
8 questions test this
- A healthcare organization requires physicians to digitally sign all prescription approvals and records each signed approval in a…
- During an investigation, an employee denies having deleted sensitive files from a shared drive. The security team presents digitally signed…
- A security architect must select a cryptographic mechanism that simultaneously provides origin authentication, data integrity, and…
- An organization's audit logs show that the account 'admin_shared' deleted critical database records at 2:15 AM. Investigation reveals that…
- A software vendor digitally signs each update package before distribution. When a customer successfully verifies the signature using the…
- A financial institution requires that all electronically submitted contracts be verifiable for authorship and remain unaltered after…
- A development team requires that software updates distributed to customers can be verified as unaltered, traceable to the original…
- A hospital needs to ensure that physicians cannot deny having authorized electronic prescriptions. Which solution BEST provides…
- Use a digital signature when you need integrity AND non-repudiation
A digital signature is the answer when a scenario demands both that a message was not altered and that one specific party demonstrably sent it, because it binds the action to the signer's private key. A plain hash or a symmetric MAC/HMAC gives integrity only: a hash carries no identity, and a MAC's shared key cannot single out one signer.
Trap Offering a hash or HMAC for non-repudiation: both prove integrity, but a shared MAC key can't pin the action to one signer.
6 questions test this
- A healthcare organization requires physicians to digitally sign all prescription approvals and records each signed approval in a…
- A financial institution requires that customers who authorize wire transfers cannot later deny having initiated the transaction. Which…
- An enterprise deploys a contract management system where legal staff create and approve binding agreements. Management requires that every…
- A procurement manager digitally signs a purchase order using their private key. Later, the manager denies approving the purchase. The…
- A financial institution requires that all electronically submitted contracts be verifiable for authorship and remain unaltered after…
- A hospital needs to ensure that physicians cannot deny having authorized electronic prescriptions. Which solution BEST provides…
- AAA runs authentication, then authorization, then accounting
AAA is authentication (proving who a subject is), authorization (determining what that proven identity may do, enforcing least privilege), and accounting/auditing (recording what it actually did). The order is load-bearing: authorization without prior authentication is meaningless, so a stem that authorizes before identifying is wrong.
Trap Conflating authorization with authentication, treating the check of what a subject may do as the same step that proves who it is.
10 questions test this
- A network engineer authenticates to a router using TACACS+ and executes several configuration commands during the session. Later, the IT…
- An organization discovers unauthorized changes to a financial database. Audit logs confirm the changes were made using a service account…
- A network administrator configures a centralized AAA server to record every command executed on network switches, including the user…
- A hospital must ensure that every access to patient records is individually attributable to a specific employee for regulatory compliance.…
- A user logs into a cloud-based financial system and downloads a sensitive quarterly report. The AAA server verified the user's credentials…
- A company's security policy requires that all administrative actions on network devices be individually traceable to the person who…
- An enterprise deploys a contract management system where legal staff create and approve binding agreements. Management requires that every…
- An organization's audit logs show that the account 'admin_shared' deleted critical database records at 2:15 AM. Investigation reveals that…
- A security administrator must ensure that all user activities on the corporate network can be tracked and attributed to specific…
- A security team must generate a detailed record of all user sessions on the corporate network, including login timestamps, resources…
- Know the five authentication factor categories the exam tests
SY0-701 tests five factor categories: something you know (knowledge: password, PIN), something you have (possession: TOTP token, smart card, hardware key), something you are (inherence/biometric: fingerprint, face, iris), somewhere you are (location: GPS/geofence, source IP), and something you do (behavior: typing cadence, gait). NIST's classic three are know/have/are; CompTIA adds location and behavior.
Trap Miscategorizing a factor, such as calling a smart card or hardware token 'something you know' when possession of the device makes it 'something you have'.
- MFA combines factors from different categories, not duplicates
Multi-factor authentication requires more than one distinct TYPE of factor, not two of the same kind. A password plus a PIN is NOT MFA because both are 'something you know'; a password plus a TOTP code IS MFA because it pairs knowledge with possession. The category mix is the testable point, not the number of prompts.
Trap Counting password-plus-security-question (or password-plus-PIN) as MFA: two knowledge factors are still a single category.
- People and systems authenticate by different means
SY0-701 separates authenticating people from authenticating systems. People use passwords, tokens, and biometrics; systems and devices use certificates (PKI), pre-shared keys, or hardware roots of trust, for example a server proving identity in a TLS handshake, or an endpoint presenting a device certificate via 802.1X.
- Zero trust never grants trust from network location
Zero trust grants no implicit trust to an asset or account based solely on its physical or network location or ownership; every request is authenticated and authorized before access. The exam-portable idea: being inside the perimeter earns nothing. A flat internal network with implicit trust is exactly what zero trust replaces.
Trap Assuming traffic from inside the corporate LAN is trusted: under zero trust, internal location grants no implicit trust.
3 questions test this
- An organization's current network architecture automatically grants all internal LAN devices broad access to shared resources without…
- An organization grants all devices on the internal corporate LAN unrestricted access to file servers and databases after initial VPN…
- An organization replaces VLAN-based network segmentation with identity-based micro-segmentation as part of its Zero Trust Architecture.…
- Zero trust separates a control plane from a data plane
Per NIST SP 800-207, a zero-trust architecture uses a control plane to make and communicate access decisions and configure communication paths, kept logically separate from the data plane where application traffic flows once access is enforced. The decision channel and the traffic channel are distinct.
- The policy engine decides; the policy administrator executes
In NIST SP 800-207 the policy engine (PE) makes and logs the ultimate grant/deny/revoke decision using a trust algorithm fed by enterprise policy and external signals. The policy administrator (PA) executes that decision by establishing or tearing down the communication path between subject and resource. Deciding versus enforcing the decision are two distinct logical roles.
Trap Crediting the policy administrator with making the grant/deny decision when it only executes the decision the policy engine reaches.
- PE plus PA form the PDP; the PEP is separate
NIST SP 800-207 groups the policy engine and policy administrator into one logical policy decision point (PDP). The policy enforcement point (PEP) is the distinct component that actually enables, monitors, and terminates the connection between the subject and the protected resource: it acts on the PDP's decision rather than making it.
Trap Having the policy enforcement point decide access when it only acts on the PDP's decision by enabling or terminating the connection.
3 questions test this
- In a Zero Trust Architecture based on NIST SP 800-207, the policy engine and policy administrator operate on the control plane to evaluate…
- In a zero trust architecture as described by NIST SP 800-207, communication is logically separated into a control plane and a data plane.…
- A security architect designing a zero trust architecture must understand how access decisions are structured. According to NIST SP 800-207,…
- Zero-trust access is dynamic and adapts to context
Zero-trust access is governed by dynamic policy evaluated per request, not static perimeter rules. Adaptive identity adjusts trust using context such as device posture, observed behavior, and risk signals, so the same user may be allowed, challenged, or denied depending on conditions at that moment.
- Zero trust grants access per session with least privilege
Among the NIST SP 800-207 tenets the exam leans on: all data sources and computing services are treated as resources; all communication is secured regardless of network location; access to a resource is granted per session with least privilege and does not carry to other resources; and all authentication and authorization are dynamic and strictly enforced before access is allowed.
Trap Assuming one access grant carries over to other resources, when zero trust scopes each grant per session to a single resource.
- Any touch of a decoy is high-confidence evidence of attack
Deception technology plants assets with no legitimate business purpose, so any interaction with them is high-confidence evidence of malicious activity. The false-positive rate is near zero because no normal user has a reason to touch a decoy, which makes deception an early, high-confidence intrusion-detection layer rather than a preventive control.
Trap Classifying deception as a preventive control, when planting decoys detects and alerts on intrusion rather than blocking it.
- Honeypot is one decoy host; honeynet is a decoy network
A honeypot is a single decoy system with no legitimate purpose, alerting on any connection to it. A honeynet is a network of honeypots imitating a realistic environment, luring an intruder into exploring fake systems while generating intelligence on their tactics and lateral-movement patterns.
- Honeyfile is a bait file; honeytoken is a bait record
A honeyfile is a decoy file (such as a fake passwords.txt) that triggers an alert when opened, copied, or exfiltrated. A honeytoken is a bogus data record: a fake credential, fake database row, or canary API key, whose use anywhere reveals a breach.
- A decoy must hold no real data and grant no live access
A deception asset works as a tripwire only if it contains no real data and grants no live access. A poorly isolated honeypot or honeyfile becomes an attacker foothold rather than a detection mechanism, converting your tripwire into their pivot point.
Trap Stocking a honeypot with real credentials or live network reach to make it convincing: that turns the decoy into a usable foothold.