General Security Concepts is 12% of the CompTIA Security+ SY0-701 exam. This module covers security controls, core principles, change management, cryptography, PKI, and Zero Trust. These fundamentals appear throughout the exam, so build a solid base here.

Every other domain builds on these ideas. You classify controls, protect the three pillars of security, verify identity, and encrypt data. This module gives you the vocabulary and the mental models the rest of the course assumes.

Security Controls

You classify controls by category and by function.

Category | Example
Technical | Firewall, encryption, MFA
Managerial | Policies, risk assessments
Operational | Security training, guards
Physical | Locks, fences, cameras

Controls also have a function:

Function | Purpose
Preventive | Stops an event (firewall)
Detective | Identifies an event (IDS)
Corrective | Fixes after an event (backup restore)
Deterrent | Discourages an attacker (warning sign)
Compensating | An alternative when the primary control fails
Directive | Guides behavior (policy)

Fundamental Security Concepts

You protect the CIA triad:

  • Confidentiality keeps data secret from unauthorized access.
  • Integrity ensures data is not altered.
  • Availability keeps data and systems accessible.

Non-repudiation proves an action happened and who did it, using digital signatures. AAA is the access trio:

Term | Meaning
Authentication | Prove who you are
Authorization | What you are allowed to do
Accounting | Record what you did

Zero Trust assumes no implicit trust. It splits into a control plane (policy decisions) and a data plane (policy enforcement), and verifies every request.

Change Management

You control change so security and uptime stay intact.

  • Approval process routes changes through a change board.
  • Impact analysis assesses what a change could break.
  • Backout plans restore the prior state if a change fails.
  • Maintenance windows schedule change for low-impact times.
  • Version control tracks configuration and code over time.

Unmanaged change is a top cause of outages and security gaps.

Cryptographic Solutions

You protect data with the right cryptographic tool.

Tool | Provides
Symmetric encryption (AES) | Fast confidentiality, one shared key
Asymmetric encryption (RSA, ECC) | Key exchange, two keys
Hashing (SHA-256) | Integrity, one-way fingerprint
Digital signature | Integrity plus non-repudiation
HMAC | Integrity with a shared key

Salting adds random data to the input before it is hashed, which defeats rainbow tables. Key stretching slows brute force. A TPM and an HSM store keys in hardware. Learn the practical side in how to get hashes of files on Linux.
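The salting, key stretching and HMAC entries above, shown as an added Python example that is not part of the original course page. PBKDF2 is used here as one key-stretching function; the iteration count, function names and sample values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def unsalted_hash(password: str) -> str:
    """Bare SHA-256: identical passwords always give identical digests,
    which is what makes precomputed (rainbow) tables effective."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt plus key stretching: returns (salt, derived_key) to store per user."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def tag_message(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: an integrity tag only holders of the shared key can produce."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_message(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag_message(key, message), tag)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted digests equal:", unsalted_hash(pw) == unsalted_hash(pw))
    (s1, k1), (s2, k2) = hash_password(pw), hash_password(pw)
    print("salted keys equal:     ", k1 == k2)
    print("password verifies:     ", verify_password(pw, s1, k1))
    key = secrets.token_bytes(32)  # constructed shared key
    tag = tag_message(key, b"amount=100")  # constructed sample message
    print("tampered msg verifies: ", verify_message(key, b"amount=900", tag))
```

The salt is stored next to the derived key; it does not need to be secret, only unique per password.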

Public Key Infrastructure (PKI)

You manage trust with certificates.

  • A Certificate Authority (CA) issues and signs certificates.
  • A Registration Authority (RA) verifies identity before issuance.
  • A Certificate Revocation List (CRL) and OCSP report revoked certificates.
  • Key escrow stores keys for recovery.

Certificate type | Use
Wildcard | Covers all subdomains
SAN | Multiple specific domains
Root | Top of the trust chain
Self-signed | Internal, not publicly trusted

Authentication and Access

You verify identity with multiple factors.

MFA combines factors: something you know, have, are, do, or somewhere you are. SSO lets one login reach many apps, often with federation through SAML or OpenID Connect. Strong, unique passwords remain the baseline, covered in how to create strong passwords.

Next Steps

Continue with Threats, Vulnerabilities, and Mitigations and Security Architecture. Operationalize these concepts in Security Operations. Return to the CompTIA Security+ Course and review tips for passing CompTIA exams.