CompTIA Security+ Study Notes: Threats, Crypto, and Risk

Most engineers build systems without a clear picture of who is trying to break them or how. Working through CompTIA Security+ changes that fast.


Security+ Threat Models: Who Is Actually Targeting Your Systems

Security+ breaks attackers down into categories, and the categories matter for how you prioritize controls. Nation-states have deep resources and long time horizons. They are a real concern for critical infrastructure and defense contractors. Most fintech and telecom companies are not their primary target. For those of us running payments infrastructure, organized crime is the bigger issue. They want money: ransomware, payment fraud, credential theft. They are patient and increasingly sophisticated. The other category that gets underestimated is insiders. They already have access, so the damage they can do before detection is higher than most external attackers could manage.

Social engineering is where the real volume of breaches comes from. Phishing, vishing, pretexting: all variations on the same idea. Fabricate a scenario, exploit trust, get access. The uncomfortable part is that no technical control fully addresses this. A well-crafted phishing email bypasses your firewall every time. Training reduces the risk. It does not eliminate it. For engineering leaders, the honest answer is: you are partly mitigating this with controls and partly accepting the residual risk.

[Figure: diagram of five threat actor types, nation-state, organized crime, hacktivist, insider, and script kiddie, with arrows pointing toward a target organization]

Physical Security and Malware: The Overlooked Layers

Physical security is the layer engineering teams consistently underestimate. It does not live in a pull request or a JIRA ticket. Badge readers, mantraps, surveillance, secure hardware disposal: these matter. An attacker with physical access to a server room has bypassed every software control you have. This is not theoretical. Data center breaches happen. Decommissioned hardware with live credentials on it happens more often than anyone admits.

Of the malware types Security+ covers, two have the most direct architectural implications. Ransomware makes your backup strategy a first-class concern. If your backups live on the same domain as production, a ransomware deployment can encrypt both at once, and your recovery plan needs to account for that. Rootkits are the other one worth focusing on. They embed at the OS level, survive reboots, and are designed to evade detection. Signature-based antivirus does not catch them; behavioral endpoint detection does. The rest of the malware taxonomy is useful context, but ransomware and rootkits are the ones that change how you architect.


Data Protection and Cryptographic Solutions

Data classification is the foundation most engineering teams skip. If you have not labeled your data, you cannot make consistent decisions about who accesses it or how it moves. Security+ covers the standard tiers: public, internal, confidential, restricted. The classification drives encryption requirements, access controls, and retention policies. Data Loss Prevention tools enforce where data can go. For fintech companies handling payment data, this is not optional. It is an audit requirement.

The cryptography section connects well-known concepts to the decisions behind them. Symmetric encryption like AES is fast and efficient for bulk data. Asymmetric encryption like RSA solves key distribution: encrypt with a public key, and only the private key holder can decrypt. TLS uses both: asymmetric for the handshake, symmetric for the session. Understanding that boundary matters when you audit your own configurations. A load balancer that downgrades TLS or terminates it at the wrong layer is not an abstract risk. In fintech, it is an audit finding.

[Figure: side-by-side comparison of symmetric encryption (shared key) and asymmetric encryption (public and private key pair)]

If you build with AI coding tools, I covered my own setup in Claude Code Best Practices. Understanding how those tools handle credentials and data in transit becomes directly relevant the deeper you get into security. The cryptography fundamentals from Security+ make those conversations much easier.


Risk Management in Security+: The Framework Behind Every Decision

Risk management is where Security+ earns its relevance for engineering leaders. The formula is simple: risk = likelihood × impact. High likelihood, high impact means act now. Low likelihood, low impact means document it and move on. But the real value is not the formula. It is the vocabulary. When a security engineer asks for budget to address something, framing the conversation around likelihood, impact, and treatment options is what makes those arguments land with finance and the board.

The four treatment options are worth memorizing: accept, avoid, mitigate, transfer. Most engineering teams default to mitigate. Acceptance with documentation is underused. Transfer through insurance is often not in scope for engineering decisions, but it matters at the leadership level. The NIST Risk Management Framework and ISO 27001 formalize this process into a repeatable system. For teams doing PCI or SOC 2 compliance, these frameworks are not optional background reading. They are the structure your auditors are checking against.

[Figure: risk matrix with four quadrants: accept (low likelihood, low impact), transfer (low likelihood, high impact), mitigate (high likelihood, low impact), and prioritize (high likelihood, high impact)]

Security+ is not a deep technical certification. It is a broad one. The value is the vocabulary it gives you to have security conversations across engineering, finance, and compliance.
