Free CompTIA Security+ Training (SY0-701)

Lesson 1 — Security Foundations (CIA/AAA, Controls, Crypto Basics, Zero Trust)

Master the fundamentals you’ll use everywhere. Every later domain builds on these ideas.

High-yield: CIA triad, AAA, control types (administrative / technical / physical + preventive / detective / corrective), risk = likelihood × impact, hashing vs. encryption, symmetric vs. asymmetric, PKI, least privilege, defense-in-depth, zero trust, authentication factors & MFA.

1) CIA Triad

  • Confidentiality — only authorized parties can view (encryption, access controls, data classification).
  • Integrity — accurate & unaltered (hashing, digital signatures, checksums).
  • Availability — usable when needed (redundancy, backups, DDoS protection).
Exam tip: “Prevent unauthorized disclosure” → Confidentiality. “Prevent tampering” → Integrity. “Keep online during outage” → Availability.

2) AAA & Least Privilege

  • Authentication (prove identity), Authorization (what you can do), Accounting (record activity).

Authentication factors: something you know (password, PIN), something you have (hardware token, authenticator app, smart card), something you are (biometric). Attributes such as somewhere you are (geolocation) and something you do (typing or usage patterns) add context to a decision but are not counted as factors on their own. MFA means two or more different factors: a password plus a PIN is still single-factor, because both are things you know.

Least Privilege: grant only the minimum access required; pair with need-to-know and separation of duties.
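An added example (not code from the lesson) of the three A's and least privilege in one small flow: passwords are verified against a salted PBKDF2 hash, authorization is a deny-by-default role table, and every decision is written to an audit log. Users, roles, resources and the iteration count are assumptions made for the example.

```python
"""Added example, not code from the lesson: a minimal AAA flow in pure Python.

Authentication - a password is checked against a salted PBKDF2-HMAC-SHA256
hash with a constant-time comparison (never against a stored plaintext).
Authorization  - a least-privilege role table, deny by default.
Accounting     - every decision, allow or deny, is appended to an audit log.
The users, roles and resources are constructed sample data.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 600_000  # assumption: a current work factor for PBKDF2-SHA256


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time, no early exit


# Constructed credential store: only (salt, hash) is kept, never the password.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "report-svc": hash_password("s3rv1ce-acc0unt"),
}

# Least privilege: each role lists only the actions it needs on each resource.
ROLES = {
    "analyst": {"reports": {"read"}},           # read-only for reports, no write
    "app": {"orders-db": {"read", "write"}},
}
USER_ROLES = {"alice": "analyst", "report-svc": "app"}

AUDIT_LOG = []  # accounting: one record per decision


def account(user, action, resource, allowed, reason):
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "resource": resource,
        "allowed": allowed, "reason": reason,
    })


def authenticate(user, password):
    creds = USERS.get(user)
    if creds is None:
        # Burn a hash anyway so response time does not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        account(user, "login", "-", False, "unknown user")
        return False
    ok = verify_password(password, *creds)
    account(user, "login", "-", ok, "password ok" if ok else "bad password")
    return ok


def authorize(user, action, resource):
    role = USER_ROLES.get(user)
    permitted = ROLES.get(role, {}).get(resource, set())
    allowed = action in permitted  # anything not listed is denied
    account(user, action, resource, allowed, "role=%s" % role)
    return allowed


def request(user, password, action, resource):
    """Full AAA path: a request is served only if both checks pass."""
    return authenticate(user, password) and authorize(user, action, resource)


if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "read", "reports"))   # True
    print(request("alice", "correct horse battery staple", "write", "reports"))  # False
    for entry in AUDIT_LOG:
        print(entry)
```

Note the order: a failed login never reaches the authorization step, yet it is still logged, and the denial for an unknown user costs the same time as a real hash check so the login endpoint does not leak which accounts exist.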

3) Control Types

By nature
  • Administrative (SY0-701 calls these managerial): policies, risk assessments, change management.
  • Operational: controls carried out by people, such as awareness training and security guards.
  • Technical: firewalls, EDR, encryption, IAM.
  • Physical: locks, guards, cameras, mantraps.
By purpose
  • Preventive: hardening, least privilege, patching.
  • Detective: SIEM/IDS, logs, CCTV review.
  • Corrective: backups/restore, hotfix.
  • Deterrent: warning banners, visible cameras.
  • Directive: policies, procedures and signage that tell people what to do.
  • Compensating: alternative control when the ideal one isn’t possible (e.g., extra monitoring on a system that cannot be patched).
Note that one item can fit several labels: a guard is physical by nature and deterrent (and detective) by purpose. Exam questions usually ask about the purpose.

4) Risk in one line

Risk = Likelihood × Impact. The four responses: mitigate (add controls that lower likelihood or impact), avoid (stop the risky activity), transfer (insurance, contractual shift to a third party), or accept (document the residual risk and monitor it). Only the first three reduce risk; acceptance is a decision, not a reduction, and should be recorded in the risk register.

5) Crypto in 90 seconds

  • Hashing (SHA-256): one-way, fixed-length digest → integrity; there is nothing to decrypt. MD5 and SHA-1 are collision-broken and should only appear on the exam as wrong answers.
  • Symmetric (AES): one shared key → fast for bulk data; the hard part is getting the key to the other side safely.
  • Asymmetric (RSA/ECC): public/private pair → key exchange, digital signatures. TLS is hybrid: asymmetric to authenticate the server and agree a session key, symmetric (AES) to encrypt the traffic.
  • HMAC: hash + secret → integrity + authenticity to anyone holding the key. Because both sides share the key, HMAC does not give non-repudiation; a digital signature does.
  • PKI: CAs issue X.509 certs; clients validate the chain up to a trusted root, the validity dates, the hostname, and revocation status (CRL/OCSP).

6) Defense-in-Depth & Zero Trust

Defense-in-depth: independent layers (endpoint → network → identity → data → monitoring).

Zero Trust: never trust, always verify. Every request is checked against explicit policy using identity, device health and context, regardless of network location, and access is re-evaluated continuously rather than granted once at login. SY0-701 splits this into a control plane (policy engine and policy administrator that make the decision) and a data plane (policy enforcement points that allow or block the traffic), with micro-segmentation to shrink what a single compromised host can reach (threat scope reduction).

Real-World Mini-Scenario

A finance app must be reachable 24/7 (Availability). You deploy a load balancer + two app instances (redundancy, a preventive control for availability), enable TLS (Confidentiality) and a WAF (Preventive), log to a SIEM (Accounting/Detective), restrict DB access to the app role only (Least Privilege), and keep tested backups (Corrective). Nightly HMAC-SHA-256 checks, with the key held off the host, catch file tampering (Integrity); a plain SHA-256 checksum stored on the same host is not enough, because whoever modified the file can recompute it.
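An added example (not code from the lesson) that ties section 5 to the scenario's nightly integrity check: it builds a SHA-256 manifest and an HMAC manifest over a small constructed file set, lets a simulated attacker change a file and rewrite the manifest, and shows which check still fires. The only assumption is that the HMAC key is held off the host, so the attacker does not have it.

```python
"""Added example, not code from the lesson: unkeyed SHA-256 vs. keyed HMAC for
a file-integrity check.

An attacker who can modify a file can also recompute its SHA-256 and overwrite
a checksum file stored beside it. An HMAC needs the key; as long as the key is
kept off the host (assumption: the checker fetches it from a vault), a modified
file cannot be re-signed. The file set below is constructed sample data.
"""
import hashlib
import hmac
import secrets

# Constructed sample deployment: file name -> content bytes.
ORIGINAL_FILES = {
    "app/config.yml": b"db_host: db.internal\nrole: app\n",
    "app/handlers.py": b"def pay(amount):\n    return charge(amount)\n",
}


def sha256_manifest(files):
    """Unkeyed checksums: anyone who can read the file can compute these."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def hmac_manifest(files, key):
    """Keyed checksums: only a holder of `key` can compute these."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}


def failed_files(files, manifest, key=None):
    """Return the sorted names whose current digest does not match the manifest.
    Files that were added or removed are reported as failures too."""
    current = hmac_manifest(files, key) if key is not None else sha256_manifest(files)
    bad = []
    for name in set(current) | set(manifest):
        if name not in current or name not in manifest:
            bad.append(name)
            continue
        # compare_digest: constant time, so timing does not reveal matching prefixes
        if not hmac.compare_digest(current[name], manifest[name]):
            bad.append(name)
    return sorted(bad)


def simulate_tamper():
    key = secrets.token_bytes(32)  # assumption: held off-host, unknown to the attacker
    sha_manifest = sha256_manifest(ORIGINAL_FILES)
    mac_manifest = hmac_manifest(ORIGINAL_FILES, key)

    # Attacker with write access to the host changes a handler...
    tampered = dict(ORIGINAL_FILES)
    tampered["app/handlers.py"] = b"def pay(amount):\n    return charge(amount * 0)\n"

    # ...and, since the SHA-256 manifest is just another file on the same host,
    # recomputes and overwrites it. For the HMAC manifest the best they can do
    # is guess a key.
    forged_sha_manifest = sha256_manifest(tampered)
    forged_mac_manifest = hmac_manifest(tampered, b"guessed-key")

    return {
        "sha_vs_tamper": failed_files(tampered, sha_manifest),
        "sha_vs_tamper_and_rewritten_manifest": failed_files(tampered, forged_sha_manifest),
        "hmac_vs_tamper": failed_files(tampered, mac_manifest, key),
        "hmac_vs_tamper_and_rewritten_manifest": failed_files(tampered, forged_mac_manifest, key),
        "hmac_vs_clean_files": failed_files(ORIGINAL_FILES, mac_manifest, key),
    }


if __name__ == "__main__":
    for check, failures in simulate_tamper().items():
        print("%-40s %s" % (check, failures or "clean"))
```

The second result is the one to remember: the SHA-256 check reports the tampered host as clean once the attacker rewrites the manifest, while the HMAC check flags every file because none of them were signed with the real key.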

Lesson 1 Quiz — 10 Questions

1) A control that prevents unauthorized disclosure addresses which CIA element?
Confidentiality prevents unauthorized disclosure of information.
2) Which is primarily a detective control?
Detective controls discover events: logs, IDS, CCTV review.
3) Asymmetric cryptography relies on:
Asymmetric uses a public/private key pair (e.g., RSA, ECC).
4) Which best describes a hash?
Hashing is one-way; it verifies integrity (e.g., SHA-256).
5) Which example best demonstrates least privilege?
Give only what’s necessary: read-only for reports, not write.
6) Which is a valid MFA combination?
MFA = two different factors; password (know) + token (have).
7) HMAC primarily provides:
Keyed hash → integrity + assurance it came from someone with the secret.
8) In shorthand, risk is most often expressed as:
Classic shorthand: Risk = Likelihood × Impact (a qualitative assessment rates each on a scale such as low/medium/high and reads the result off a matrix).
9) Enterprise SSO with an IdP and SP commonly uses:
SAML is the classic choice for federated SSO between an identity provider and a service provider; OpenID Connect (on top of OAuth 2.0) is the common modern alternative.
10) Which statement best reflects Zero Trust?
Continuous verification of user, device, and context.
