CompTIA Security+ Study Notes: Threats, Crypto, and Risk
Most engineers build systems without a clear picture of who is trying to break them or how. Working through CompTIA Security+ changes that fast.
Who Is Coming After You: Threat Actors and Social Engineering
Threat actors are the people or groups behind cyberattacks, and Security+ is precise about the distinctions. Nation-states have deep resources, long time horizons, and geopolitical motives. Organized crime is chasing money — ransomware, fraud, credential theft. Hacktivists want to make a point. Insiders have access and a reason to misuse it. Script kiddies run tools they barely understand, but volume makes them dangerous. Knowing which category of attacker is relevant to your business shapes everything from your controls to your incident response priorities.
Social engineering is how attackers exploit people rather than systems, and it accounts for a disproportionate share of real breaches. Phishing emails impersonate trusted senders to steal credentials or deliver malware. Vishing is the same idea over a phone call, and smishing the same over SMS. Pretexting means fabricating a believable scenario, posing as IT support or a vendor, to extract access. The uncomfortable reality is that a well-crafted phishing email sails past the most sophisticated firewall, because the firewall only sees a legitimate user opening legitimate-looking mail. No technical control fully compensates for an untrained user who clicks the wrong link, although phishing-resistant MFA (FIDO2 security keys or passkeys) does limit what a stolen password is worth, so training and technical controls belong together rather than as substitutes for each other.
Physical Security and Malware: The Overlooked Layers
Physical security covers what happens in the real world before a single packet travels over a network. Badge readers, mantraps (double-door entry that traps tailgaters between two locked doors; the newer exam objectives call them access control vestibules), surveillance cameras, and secure hardware disposal are all part of the Security+ domain. An attacker with physical access to a server room has sidestepped most of the software controls you have; full-disk encryption and a locked firmware configuration are about all that still stands between them and the data. Engineering teams tend to underestimate this layer because it does not live in a pull request or a JIRA ticket.
Malware is software designed to cause harm, and the distinctions between types matter in practice. Viruses attach to legitimate files and spread when those files are executed. Worms self-propagate across networks without user action, which is why one unpatched host can compromise a whole network segment in minutes. Ransomware encrypts data and demands payment for the decryption key. Trojans disguise themselves as legitimate software. Spyware collects data silently. Rootkits embed deep into the operating system (or below it, in firmware) to evade detection and persist across reboots; the realistic remediation is a rebuild from known-good media, not a cleanup. Each has a different propagation method and a different remediation path, and knowing the difference shapes how you triage an incident.
Data Protection and Cryptographic Solutions
Data protection starts with classification: you cannot defend what you have not labeled. Security+ covers classification tiers (public, internal, confidential, restricted) and how they drive decisions about encryption, access control, and retention. Data Loss Prevention tools enforce where data can go and who can touch it, whether at rest (stored data), in transit (data moving across a network) or, in the newer objectives, in use (data loaded into memory by an application).
Cryptography is how you make data unreadable to anyone without the right key. Symmetric algorithms like AES use a single shared key for both encryption and decryption: fast and efficient for large volumes of data, but that one key has to reach both parties without being intercepted. Asymmetric algorithms like RSA and ECC use a key pair. Anything encrypted with the public key can only be decrypted with the corresponding private key, and anything signed with the private key can be verified by anyone holding the public key, which is what lets two parties establish trust and agree on keys over an untrusted channel. In practice, TLS uses both: asymmetric cryptography in the handshake, where the server proves its identity with a signature under its certificate's key and the two sides agree on session keys (modern TLS does this with ephemeral Diffie-Hellman rather than by encrypting a key with RSA), then symmetric cryptography for the session data that follows. Hash functions like SHA-256 add a third tool: one-way transformations that verify file integrity and underpin digital signatures without exposing the original data. The caveat is that a bare hash only catches accidental corruption; against an attacker who can rewrite both the file and its published hash you need a keyed construction such as HMAC, or a signature.
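The two halves described above, an asymmetric handshake followed by a symmetric session, in one runnable Go program. This is an added example, not code from the original page or from CompTIA, and it uses only the Go standard library: an Ed25519 signature stands in for the server certificate (the client pins the server's public key instead of validating a chain), X25519 provides the ephemeral key agreement, AES-256-GCM protects the session, and a labelled SHA-256 stands in for the HKDF that real TLS 1.3 uses to derive keys. The function names, the "demo-session-key" label and the sample request are my own constructions, and both sides run in one process rather than over a socket.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sessionKey hashes the X25519 shared secret into a 32-byte AES-256 key.
// Simplification assumed here: TLS 1.3 runs HKDF over the handshake transcript.
func sessionKey(shared []byte) []byte {
	h := sha256.New()
	h.Write([]byte("demo-session-key"))
	h.Write(shared)
	return h.Sum(nil)
}

// Handshake is the asymmetric half. signPriv is the server's long-term Ed25519
// key (standing in for its certificate); pinned is the public key the client
// trusts. Each side makes an ephemeral X25519 key, the server signs both public
// keys, and the client continues only if the signature verifies under pinned.
// Both derived session keys are returned so the caller can confirm they agree.
func Handshake(signPriv ed25519.PrivateKey, pinned ed25519.PublicKey) ([]byte, []byte, error) {
	curve := ecdh.X25519()
	cPriv, errC := curve.GenerateKey(rand.Reader)
	sPriv, errS := curve.GenerateKey(rand.Reader)
	if err := errors.Join(errC, errS); err != nil {
		return nil, nil, err
	}
	// Signing ClientHello key || ServerHello key binds the server's identity to
	// this exchange; a man-in-the-middle swapping keys cannot forge it.
	transcript := append(append([]byte{}, cPriv.PublicKey().Bytes()...), sPriv.PublicKey().Bytes()...)
	sig := ed25519.Sign(signPriv, transcript)
	if !ed25519.Verify(pinned, transcript, sig) { // the client-side check
		return nil, nil, errors.New("handshake: signature does not verify under pinned key")
	}
	cShared, errC := cPriv.ECDH(sPriv.PublicKey())
	sShared, errS := sPriv.ECDH(cPriv.PublicKey())
	if err := errors.Join(errC, errS); err != nil {
		return nil, nil, err
	}
	return sessionKey(cShared), sessionKey(sShared), nil
}

// Session is the symmetric half: AES-256-GCM keyed from the handshake.
type Session struct{ aead cipher.AEAD }

func NewSession(key []byte) (*Session, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{aead: aead}, nil
}

// Seal encrypts and authenticates; the random nonce is prepended to the output.
func (s *Session) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open fails closed: any change to nonce, ciphertext or tag in transit is rejected.
func (s *Session) Open(msg []byte) ([]byte, error) {
	ns := s.aead.NonceSize()
	if len(msg) < ns+s.aead.Overhead() {
		return nil, errors.New("open: message too short")
	}
	return s.aead.Open(nil, msg[:ns], msg[ns:], nil)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // server identity; client pins pub
	ck, sk, err := Handshake(priv, pub)
	if err != nil {
		panic(err)
	}
	client, _ := NewSession(ck)
	server, _ := NewSession(sk)
	ct, _ := client.Seal([]byte("GET /account HTTP/1.1")) // constructed sample request
	pt, err := server.Open(ct)
	fmt.Printf("server read %q (err=%v)\n", pt, err)
	ct[len(ct)-1] ^= 1 // one bit of the GCM tag flipped in transit
	_, err = server.Open(ct)
	fmt.Println("after tampering:", err)
}
```

Two things are worth trying with it: flip one bit of the ciphertext and Open rejects the whole message, because GCM is authenticated encryption rather than bare encryption; sign the handshake with a key other than the one the client pinned and the handshake aborts before any session key exists. That ordering, authenticate the peer first and derive symmetric keys second, is what makes the fast symmetric session trustworthy.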
If you build with AI coding tools, I covered my own setup in Claude Code Best Practices. Understanding how those tools handle credentials and data in transit becomes directly relevant the deeper you get into security. The cryptography fundamentals from Security+ make those conversations much easier.
Risk Management: The Framework Behind Every Security Decision
Risk management gives you a structured vocabulary for what can go wrong and what to do about it. Risk is framed as likelihood multiplied by impact: a high-likelihood, high-impact threat demands immediate action; a low-likelihood, low-impact one might reasonably be accepted. The exam also covers the quantitative version: annualized loss expectancy (ALE) is single loss expectancy (SLE) times annualized rate of occurrence (ARO), which gives you a dollar figure to weigh a control's cost against. NIST's Risk Management Framework (SP 800-37) and ISO/IEC 27001 (with ISO/IEC 27005 covering the risk assessment process itself) are the two dominant standards that formalize this as a cycle of identification, assessment, response, and continuous monitoring.
The four risk treatment options are worth internalizing: accept the risk and document it (with a named owner and a review date, or it quietly becomes permanent), avoid the risk by eliminating the activity that creates it, mitigate the risk by implementing controls that reduce likelihood or impact, or transfer the financial consequence through insurance or contracts (the accountability, and the breach itself, stay with you). For engineering leaders, this language matters because it bridges security decisions and business decisions. Every security investment is a trade-off, and framing it in terms of risk treatment is what makes those arguments land with finance and the board.
Security+ is not a deep technical certification — it is a broad one. The value is not in any single topic but in the common vocabulary it gives you for having security conversations across your organization.