10 Security+ Topics Everyone Fails (And How to Master Them)
These are the Security+ topics that trip up most candidates—cryptography, access control models, incident response, and more. Here's what makes them hard and exactly how to master each one before exam day.
EpicDetect Team
16 min read

You've been studying for Security+ for weeks. You're crushing most of the practice questions.
Then you hit a question about asymmetric encryption key lengths, or the difference between RBAC and ABAC, and suddenly your brain goes blank.
Here's the reality: there are about 10 topics on Security+ that consistently trip people up. These are the areas where most people lose points on exam day.
The good news? Once you know what they are, you can focus your study time where it actually matters.
Let's break down the 10 hardest Security+ topics—and how to master each one.
---
Topic #1: Cryptography (Symmetric vs Asymmetric vs Hashing)
Why people fail this:
Too many acronyms. AES, 3DES, RSA, ECC, SHA-256, MD5, HMAC—it all blurs together.
Plus, you need to know when to use each one, not just what they are.
What You Actually Need to Know:
Symmetric Encryption (same key for encrypt and decrypt):
- Examples: AES, 3DES, DES (legacy)
- Use case: Fast, good for encrypting large amounts of data
- Problem: Key distribution (how do you securely share the key?)
- Key sizes: AES-128, AES-192, AES-256
Asymmetric Encryption (public/private key pairs):
- Examples: RSA, ECC (Elliptic Curve Cryptography)
- Use case: Secure key exchange, digital signatures
- Problem: Slower than symmetric
- Key sizes: RSA-2048, RSA-4096 (ECC uses smaller keys for same strength)
Hashing (one-way function, creates fixed-size output):
- Examples: SHA-256, SHA-3, MD5 (broken), SHA-1 (deprecated)
- Use case: Password storage, file integrity verification
- Not encryption: You can't "decrypt" a hash
How to Master It:
1. Make a comparison table:
| Type | Speed | Key Type | Use Case |
|------|-------|----------|----------|
| Symmetric | Fast | Single shared key | Encrypting data |
| Asymmetric | Slow | Public/private pair | Key exchange, signatures |
| Hashing | Fast | No key | Integrity, passwords |
2. Memorize key algorithms:
- Symmetric: AES (most common), 3DES (legacy)
- Asymmetric: RSA (most common), ECC (newer, smaller keys)
- Hashing: SHA-256 (current standard), MD5/SHA-1 (broken/deprecated)
3. Practice scenario questions:
- "What should be used to encrypt a hard drive?" → AES (symmetric, fast)
- "What should be used for digital signatures?" → RSA (asymmetric)
- "What should be used to verify file integrity?" → SHA-256 (hashing)
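To see the three categories behave differently in working code, here is an added example in Go (not part of the original article) using only the standard library: AES-256-GCM for symmetric encryption, RSA-2048 with PSS for digital signatures, and SHA-256 for integrity checks. Keys and messages are supplied by the caller; the comments mark which exam point each function demonstrates.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) { // key of 16/24/32 bytes = AES-128/192/256
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Symmetric: one shared key seals and opens; fast for bulk data, but both sides must already hold it.
func aesSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || auth tag
}

func aesOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil) // wrong key or any tampering fails here
}

// Asymmetric: private key signs, public key verifies; RSA is slow, so it signs a SHA-256 digest.
func newRSAKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func rsaSign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
}

func rsaVerify(pub *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil) == nil
}

// Hashing: no key, fixed 32-byte output, one-way. Equal digests mean unchanged data.
func sha256Hex(data []byte) string { return fmt.Sprintf("%x", sha256.Sum256(data)) }
```

A wrong key, a flipped ciphertext byte, or an altered signed message all fail verification, which is the property the exam scenarios ("encrypt a drive", "sign a document", "verify a file") rely on.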
---
Topic #2: Access Control Models (DAC, MAC, RBAC, ABAC)
Why people fail this:
The acronyms are confusing, and the differences between them are subtle.
What You Actually Need to Know:
DAC (Discretionary Access Control):
- Owner of the resource decides who gets access
- Example: File permissions in Windows (you own a file, you decide who can read it)
- Weakness: Users can grant access to anyone (less secure)
MAC (Mandatory Access Control):
- System enforces access based on security labels/clearances
- Example: Military/government systems (Top Secret, Secret, Confidential)
- Strength: Very secure, centrally controlled
- Weakness: Rigid, hard to manage
RBAC (Role-Based Access Control):
- Access based on job role
- Example: "All SOC analysts can read security logs"
- Strength: Easy to manage (assign role, not individual permissions)
- Most common in business environments
ABAC (Attribute-Based Access Control):
- Access based on attributes (role + time + location + device, etc.)
- Example: "SOC analysts can read logs only during work hours from office network"
- Strength: Very granular, flexible
- Weakness: Complex to set up
How to Master It:
Memory trick:
- DAC = Discretionary = Decided by owner
- MAC = Mandatory = Military (clearance-based)
- RBAC = Role-Based = Role determines access
- ABAC = Attribute-Based = All attributes considered
Practice questions:
- "Users can decide who accesses their files" → DAC
- "Access based on security clearance levels" → MAC
- "Access granted based on job title" → RBAC
- "Access granted based on job title AND location AND time" → ABAC
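The four models give different answers to the same request, and seeing each rule as a function makes the differences concrete. The Go code below is an added illustration, not from the article; the users, clearance levels, role permissions and the 9-to-18 office-hours window are all constructed for the example.

```go
package main

// The four models answer the same question: may this subject act on this object?
// Every user, label and permission below is constructed for the example.

// DAC: the object's owner keeps the access list and may grant anyone access.
type dacObject struct {
	Owner   string
	Readers map[string]bool
}

func dacGrant(obj *dacObject, granter, grantee string) bool {
	if granter != obj.Owner { // only the owner decides; the system does not second-guess
		return false
	}
	if obj.Readers == nil {
		obj.Readers = map[string]bool{}
	}
	obj.Readers[grantee] = true
	return true
}

func dacAllow(obj dacObject, subject string) bool {
	return subject == obj.Owner || obj.Readers[subject]
}

// MAC: the system compares the subject's clearance with the object's label.
// No reading above your clearance, and no owner can override the rule.
var levels = map[string]int{"Confidential": 1, "Secret": 2, "Top Secret": 3}

func macAllow(clearance, label string) bool {
	c, okC := levels[clearance]
	l, okL := levels[label]
	return okC && okL && c >= l // unknown labels deny by default
}

// RBAC: the role alone decides. "All SOC analysts can read security logs."
var rolePerms = map[string]map[string]bool{
	"soc-analyst": {"read:security-logs": true},
	"soc-manager": {"read:security-logs": true, "delete:security-logs": true},
}

func rbacAllow(role, action, resource string) bool {
	return rolePerms[role][action+":"+resource] // missing role or permission reads as false
}

// ABAC: role plus context attributes. "SOC analysts can read logs only during
// work hours from the office network." Attributes narrow the role decision.
type Context struct {
	Hour    int    // local hour of day, 0-23
	Network string // "office" or "remote"
}

func abacAllow(role, action, resource string, ctx Context) bool {
	if !rbacAllow(role, action, resource) {
		return false
	}
	return ctx.Hour >= 9 && ctx.Hour < 18 && ctx.Network == "office"
}
```

Note the contrast the exam cares about: in DAC the owner alone can widen access, in MAC nobody below the system can, and ABAC can only restrict what RBAC already allows.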
---
Topic #3: Port Numbers and Protocols
Why people fail this:
You need to memorize dozens of port numbers and their associated protocols.
What You Actually Need to Know:
Must-memorize ports:
| Port | Protocol | Purpose |
|------|----------|---------|
| 20/21 | FTP | File transfer (20=data, 21=control) |
| 22 | SSH | Secure shell (encrypted remote access) |
| 23 | Telnet | Insecure remote access (don't use!) |
| 25 | SMTP | Email sending |
| 53 | DNS | Domain name resolution |
| 80 | HTTP | Web traffic (unencrypted) |
| 110 | POP3 | Email retrieval |
| 143 | IMAP | Email retrieval (better than POP3) |
| 443 | HTTPS | Web traffic (encrypted) |
| 445 | SMB | Windows file sharing |
| 3389 | RDP | Remote Desktop Protocol |
| 161/162 | SNMP | Network monitoring |
Secure vs Insecure versions:
- FTP (21) vs SFTP (22) vs FTPS (989/990)
- HTTP (80) vs HTTPS (443)
- Telnet (23) vs SSH (22)
- SMTP (25) vs SMTPS (465) vs SMTP+TLS (587)
How to Master It:
1. Make flashcards (physical or Anki/Quizlet)
2. Group by category:
- Email: 25, 110, 143, 465, 587, 993, 995
- Web: 80, 443
- File transfer: 20, 21, 22, 445, 989, 990
- Remote access: 22, 23, 3389
- DNS: 53
3. Practice daily (5-10 minutes with flashcards)
4. Focus on secure vs insecure:
- Insecure: FTP, Telnet, HTTP, plain SMTP/POP3/IMAP
- Secure: SFTP, SSH, HTTPS, encrypted email versions
---
Topic #4: Wireless Security Protocols (WEP, WPA, WPA2, WPA3)
Why people fail this:
You need to know which ones are broken, which to use, and specific technical details.
What You Actually Need to Know:
WEP (Wired Equivalent Privacy):
- Status: Broken, don't use
- Weakness: Easily cracked in minutes
- Encryption: RC4 (weak)
WPA (Wi-Fi Protected Access):
- Status: Better than WEP but still vulnerable
- Weakness: TKIP has known attacks
- Encryption: TKIP
WPA2 (Wi-Fi Protected Access 2):
- Status: Current standard (as of 2023)
- Encryption: AES (strong)
- Modes: Personal (PSK - Pre-Shared Key) or Enterprise (802.1X + RADIUS)
- Weakness: Vulnerable to KRACK attack (but patched)
WPA3 (Wi-Fi Protected Access 3):
- Status: Newest, most secure
- Improvements:
  - SAE (Simultaneous Authentication of Equals) instead of PSK
  - Better protection against brute-force
  - Forward secrecy
802.1X:
- Not a wireless protocol itself—it's an authentication framework
- Used with WPA2/WPA3 Enterprise
- Requires RADIUS server
How to Master It:
Simple progression:
WEP (broken) → WPA (vulnerable) → WPA2 (current) → WPA3 (newest/best)
Memorize:
- WEP = RC4 = Broken
- WPA = TKIP = Vulnerable
- WPA2 = AES = Current standard
- WPA3 = SAE = Newest/best
Enterprise vs Personal:
- Personal (PSK): Everyone uses same password
- Enterprise: Each user has unique credentials (via RADIUS/802.1X)
---
Topic #5: Incident Response Steps (PICERL)
Why people fail this:
You need to know the exact order of steps, and exam questions test your ability to identify which step comes next.
What You Actually Need to Know:
The 6 Steps of Incident Response:
1. Preparation - Have IR plan, tools, training ready before incidents happen
2. Identification - Detect and confirm that an incident occurred
3. Containment - Stop the spread (short-term and long-term containment)
4. Eradication - Remove the threat completely
5. Recovery - Restore systems to normal operation
6. Lessons Learned - Post-incident review, update procedures
Memory trick: PICERL (Pick-Earl)
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
How to Master It:
Understand the logic:
- You prepare before incidents (duh)
- You identify that something is wrong
- You contain it (stop the bleeding)
- You eradicate the threat (remove the infection)
- You recover (bring systems back online)
- You learn from it (improve for next time)
Practice scenario questions:
- "Malware detected on a workstation. What's the FIRST step?" → Containment (isolate the system)
- "After removing malware and restoring systems, what's NEXT?" → Lessons Learned
- "Before an incident occurs, what should be done?" → Preparation
Common mistake:
People confuse Containment and Eradication:
- Containment = stop the spread (isolate infected systems)
- Eradication = remove the threat completely (clean the malware)
---
Topic #6: Business Continuity vs Disaster Recovery
Why people fail this:
These terms sound similar but mean different things, and you need to know specific metrics (RTO, RPO, MTTR, MTBF).
What You Actually Need to Know:
Business Continuity (BC):
- Keeping critical business functions running during/after a disaster
- Focus: Processes, people, communications
- Example: Using backup site, work-from-home, alternate suppliers
Disaster Recovery (DR):
- Restoring IT systems and data after a disaster
- Focus: Technology, backups, infrastructure
- Example: Restoring from backups, failover to redundant systems
Think of it this way:
- BC = Keep the business running
- DR = Get the tech back online
Key Metrics:
RTO (Recovery Time Objective):
- Maximum acceptable downtime
- "We need to be back online within 4 hours"
RPO (Recovery Point Objective):
- Maximum acceptable data loss
- "We can't lose more than 1 hour of data"
MTTR (Mean Time To Repair):
- Average time to fix something
- Lower is better
MTBF (Mean Time Between Failures):
- Average time between system failures
- Higher is better
How to Master It:
Memory tricks:
- RTO = Time = How long can we be down?
- RPO = Point = How much data can we lose?
- MTTR = Time to Repair (lower = better)
- MTBF = Time Between Failures (higher = better)
Practice questions:
- "Maximum acceptable downtime is 2 hours" → RTO
- "Can't lose more than 15 minutes of data" → RPO
- "Average time between system crashes" → MTBF
---
Topic #7: Authentication Factors (Something You Know/Have/Are)
Why people fail this:
Exam questions test whether you can correctly categorize authentication methods.
What You Actually Need to Know:
Type 1 - Something You Know:
- Password
- PIN
- Security question
Type 2 - Something You Have:
- Smart card
- Hardware token (RSA SecurID)
- Mobile phone (for SMS/app codes)
- Key fob
Type 3 - Something You Are:
- Fingerprint
- Retina/iris scan
- Facial recognition
- Voice recognition
Type 4 - Somewhere You Are (less common):
- Geolocation
- IP address
Type 5 - Something You Do (less common):
- Typing patterns
- Signature dynamics
Multifactor Authentication (MFA):
Must use factors from DIFFERENT categories:
- Password + SMS code = MFA ✅ (know + have)
- Password + PIN = NOT MFA ❌ (both "know")
- Password + fingerprint = MFA ✅ (know + are)
How to Master It:
Simple categorization:
- Can you forget it? → Know
- Can you lose it? → Have
- Is it part of your body? → Are
Practice questions:
- "Smart card + PIN" → MFA? YES (have + know)
- "Password + security question" → MFA? NO (both "know")
- "Fingerprint + password" → MFA? YES (are + know)
---
Topic #8: Cloud Service Models (IaaS, PaaS, SaaS)
Why people fail this:
The differences are subtle, and you need to know who's responsible for what in the "shared responsibility model."
What You Actually Need to Know:
IaaS (Infrastructure as a Service):
- Provider gives you virtual infrastructure (VMs, storage, network)
- You manage: OS, applications, data
- Provider manages: Physical hardware, networking, virtualization
- Example: AWS EC2, Azure VMs
- Think: "You rent a virtual computer"
PaaS (Platform as a Service):
- Provider gives you a platform to build/deploy apps
- You manage: Applications, data
- Provider manages: OS, runtime, middleware
- Example: Heroku, Google App Engine
- Think: "You build the app, they handle the infrastructure"
SaaS (Software as a Service):
- Provider gives you ready-to-use software
- You manage: Your data and user settings
- Provider manages: Everything else
- Example: Gmail, Office 365, Salesforce
- Think: "You just use the app"
Responsibility Progression:
| Responsibility | IaaS | PaaS | SaaS |
|----------------|------|------|------|
| Applications | You | You | Vendor |
| Data | You | You | You* |
| Runtime | You | Vendor | Vendor |
| OS | You | Vendor | Vendor |
| Virtualization | Vendor | Vendor | Vendor |
| Physical | Vendor | Vendor | Vendor |
*You control your data, but it's stored on their systems
How to Master It:
Memory trick:
- IaaS = Infrastructure = You get VMs (most control)
- PaaS = Platform = You build apps (medium control)
- SaaS = Software = You just use it (least control)
Practice questions:
- "You manage the OS and applications" → IaaS
- "You just upload code and the platform runs it" → PaaS
- "You access email via web browser" → SaaS
---
Topic #9: RAID Levels (0, 1, 5, 6, 10)
Why people fail this:
You need to memorize which RAID levels provide redundancy, speed, or both.
What You Actually Need to Know:
RAID 0 (Striping):
- Data split across multiple disks
- Performance: Fast (reads/writes split across disks)
- Redundancy: NONE (one disk fails = all data lost)
- Use case: Speed more important than safety
RAID 1 (Mirroring):
- Data duplicated on two disks
- Performance: Normal
- Redundancy: HIGH (one disk can fail, data still safe)
- Use case: Critical data, simple redundancy
RAID 5 (Striping with Parity):
- Data + parity spread across 3+ disks
- Performance: Good
- Redundancy: Can lose ONE disk
- Use case: Balance of speed and redundancy
- Minimum disks: 3
RAID 6 (Striping with Double Parity):
- Like RAID 5 but with extra parity
- Performance: Good
- Redundancy: Can lose TWO disks
- Use case: Extra safety
- Minimum disks: 4
RAID 10 (1+0, Mirrored Stripes):
- RAID 1 + RAID 0 combined
- Performance: Excellent
- Redundancy: HIGH (can lose one disk per mirrored pair)
- Use case: High performance + high redundancy
- Minimum disks: 4
How to Master It:
Quick reference:
| RAID Level | Speed | Redundancy | Min Disks | Fault Tolerance |
|------------|-------|------------|-----------|-----------------|
| 0 | Fast | None | 2 | 0 disks |
| 1 | Normal | High | 2 | 1 disk |
| 5 | Good | Good | 3 | 1 disk |
| 6 | Good | Better | 4 | 2 disks |
| 10 | Excellent | High | 4 | 1 per pair |
Memory tricks:
- RAID 0 = Zero redundancy (one fails = all lost)
- RAID 1 = One copy = mirroring
- RAID 5 = 5 sounds like "stay alive" (one disk can fail)
- RAID 6 = 6 is more = two disks can fail
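Why RAID 5 survives exactly one failed disk, and why RAID 6 needs a second parity block to survive two, is easiest to see with XOR parity in code. This Go simulation is an added example, not from the article: it writes one stripe across n disks and rebuilds it after a single loss. The sample data lives in the caller; disk names and sizes are constructed for the example.

```go
package main

import "errors"

// raid5Write builds one RAID 5 stripe: data is split into disks-1 equal chunks and
// the remaining disk holds parity, the XOR of all data chunks. Real arrays rotate the
// parity disk across stripes; one stripe is enough to show why one failure is survivable.
func raid5Write(data []byte, disks int) ([][]byte, error) {
	if disks < 3 {
		return nil, errors.New("RAID 5 needs at least 3 disks")
	}
	dataDisks := disks - 1
	chunk := (len(data) + dataDisks - 1) / dataDisks // round up; last chunk zero-padded
	stripe := make([][]byte, disks)
	parity := make([]byte, chunk)
	for d := 0; d < dataDisks; d++ {
		stripe[d] = make([]byte, chunk)
		if start := d * chunk; start < len(data) {
			copy(stripe[d], data[start:]) // copy stops at the chunk boundary
		}
		for i := range parity {
			parity[i] ^= stripe[d][i]
		}
	}
	stripe[disks-1] = parity
	return stripe, nil
}

// raid5Rebuild recovers the chunk of a single failed disk (a nil entry) by XORing
// the survivors: XOR undoes itself, so d1 ^ d2 ^ parity == d3 for any one loss.
// Two nil entries cannot be solved; that is what RAID 6's second parity covers.
func raid5Rebuild(stripe [][]byte) ([][]byte, error) {
	lost := -1
	for d, c := range stripe {
		if c == nil {
			if lost != -1 {
				return nil, errors.New("two disks lost: RAID 5 cannot rebuild")
			}
			lost = d
		}
	}
	out := append([][]byte(nil), stripe...)
	if lost == -1 {
		return out, nil // healthy array, nothing to do
	}
	rebuilt := make([]byte, len(out[(lost+1)%len(out)]))
	for d, c := range out {
		if d != lost {
			for i := range rebuilt {
				rebuilt[i] ^= c[i]
			}
		}
	}
	out[lost] = rebuilt
	return out, nil
}
```

Losing the parity disk is no different from losing a data disk: any single chunk is the XOR of the other chunks, which is the "can lose ONE disk" rule in the table above.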
---
Topic #10: Attack Types (Phishing, Vishing, Smishing, Whaling, etc.)
Why people fail this:
Too many similar-sounding attack types, and you need to know specific examples.
What You Actually Need to Know:
Social Engineering Attacks:
Phishing:
- Fake emails trying to steal credentials
- Example: "Your account will be closed, click here to verify"
Spear Phishing:
- Targeted phishing (specific person/organization)
- Example: Email that looks like it's from your CEO
Whaling:
- Phishing targeted at executives/high-value targets
- Example: Fake email to CFO requesting wire transfer
Vishing:
- Phishing via voice/phone calls
- Example: "This is your bank, verify your account number"
Smishing:
- Phishing via SMS/text
- Example: "Click this link to claim your prize"
Pharming:
- Redirect users to fake website (via DNS poisoning)
- Example: You type "bank.com" but get redirected to "bank-fake.com"
Pretexting:
- Creating a fake scenario to get information
- Example: "I'm from IT, what's your password?"
Tailgating:
- Following someone through a secure door
- Example: "Hey, can you hold the door? I forgot my badge"
Memory Tricks:
- Phishing = Phony email
- Vishing = Voice (phone)
- Smishing = SMS (text)
- Whaling = Whale = big target (executive)
- Pharming = Phony farm (fake website)
How to Master It:
Practice categorization:
- Fake email? → Phishing
- Fake email to CEO? → Whaling (or Spear Phishing)
- Fake phone call? → Vishing
- Fake text message? → Smishing
- Fake website redirect? → Pharming
---
How to Practice These Weak Topics
Knowing what the hard topics are is one thing. Actually mastering them is another.
Here's the strategy:
1. Identify YOUR Weak Spots
Take a full practice exam and track which domains you score lowest in. Those are your weak areas.
2. Do Targeted Practice
Don't just retake full exams. Do 20-30 questions only on your weak topic.
Example:
- Bombed cryptography? Do 50 crypto questions.
- Confused about access control models? Do 30 RBAC/DAC/MAC questions.
3. Use Multiple Question Sources
Different question banks phrase things differently. Variety helps you actually understand concepts, not just memorize specific wording.
4. Explain It Out Loud
If you can explain a concept to someone else (or even to yourself), you understand it.
5. Make Comparison Charts
For topics with similar options (RAID levels, wireless protocols, cloud models), make side-by-side comparison tables.
---
TL;DR – The 10 Topics That Trip Everyone Up
The hardest Security+ topics: cryptography (symmetric/asymmetric/hashing), access control models (DAC/MAC/RBAC/ABAC), port numbers, wireless security (WEP/WPA/WPA2/WPA3), incident response steps (PICERL), BC vs DR (RTO/RPO), authentication factors (know/have/are), cloud models (IaaS/PaaS/SaaS), RAID levels, and attack types (phishing/vishing/smishing). Master these with targeted practice, comparison charts, and memory tricks. Don't just study harder—study the stuff that actually matters.
---
FAQs
Are these really the hardest topics?
Based on score reports and student feedback, yes. These are consistently the areas where people lose the most points.
Should I focus only on these topics?
No, but prioritize them. Make sure you're solid on these before spending time on easier topics.
How many practice questions should I do on each topic?
Aim for 30-50 questions per weak topic. Keep going until you're consistently scoring 85%+ on that topic.
What if I'm still struggling after practicing?
Go back to video explanations (Professor Messer) or read a different study guide. Sometimes a different explanation makes it click.
Are these topics weighted more heavily on the exam?
Not necessarily, but they show up frequently and are easy to get wrong if you don't understand them deeply.
---
Sources & References:
- CompTIA Security+ Exam Objectives (SY0-701)
- Professor Messer's Security+ Course
- NIST Incident Response Guide
---
> Don't waste study time on stuff you already know. Find your weak spots, attack them with focused practice, and master the topics that actually separate passing from failing.
Master These Topics With Targeted Practice
Here's the thing: knowing that these topics are hard doesn't help unless you practice them specifically.
EpicDetect's Security+ practice exams track your performance by topic—so you can see exactly where you're weak (cryptography? incident response? access control?) and drill those specific areas.
Plus, our procedurally generated questions mean you can practice each weak topic 20-30 times without seeing the same questions repeated. That's how you build actual understanding, not just memorization.
Get targeted practice on your weak areas:
EpicDetect Security+ Prep — 7-day free trial, cancel anytime.