DEV Community

TiltedLunar123
TiltedLunar123

Posted on

Every insecure protocol on Security+ has a secure twin, and the port gives it away

If you have studied for the SY0-701 for more than a week, you have hit a question that names a plaintext protocol and asks what you should use instead. FTP shows up in one question, Telnet in another. The four answer choices all look plausible. The trick is that the exam is not testing whether you know what FTP does. It wants the encrypted replacement, and usually the port that replacement runs on.

Once you start seeing protocols in pairs, a whole category of questions stops being memorization and turns into pattern matching.

The pairs worth knowing cold

Here is the short list that keeps showing up. Left side is the plaintext version you are supposed to flag. Right side is what CompTIA wants you to reach for.

  • HTTP (80) becomes HTTPS (443). Web traffic wrapped in TLS.
  • FTP (20/21) becomes FTPS (implicit 990) or SFTP (22). Watch this one, more below.
  • Telnet (23) becomes SSH (22). Remote shell, now encrypted.
  • SMTP (25) becomes SMTP with STARTTLS (587) or SMTPS (465).
  • LDAP (389) becomes LDAPS (636). Directory lookups over TLS.
  • SNMPv1 and v2c (161) become SNMPv3 (161). Same port, the version is the upgrade.
  • DNS (53) becomes DNS over TLS (853) or DNS over HTTPS (443).
  • POP3 (110) becomes POP3S (995). IMAP (143) becomes IMAPS (993).
  • Kerberos (88), RADIUS (1812/1813), and TACACS+ (49) round out the auth-adjacent set.

You do not need every obscure port for the exam. The ones above earn their keep.

The two that trip everyone

FTPS versus SFTP. Same protocol with the letters shuffled? Not even close. FTPS is ordinary FTP with a TLS layer bolted on, and it still uses FTP's command and data channel model. SFTP is a completely different protocol that rides inside SSH on port 22. If a question mentions SSH, key-based auth, or a single connection, it is pointing at SFTP. Certificates or a TLS handshake for file transfer? That is FTPS. Same goal, different plumbing.

Then SNMPv3. Here the upgrade is invisible at the port layer. Authentication and encryption get added to the same service on 161, and the version number is the whole tell. Plenty of people expect the port to change and get baited by an answer choice that swaps the number. Do not fall for it.

Why the port is often the real answer

A lot of SY0-701 questions hand you a scenario. It might be a captured packet or a firewall rule or a scan result, followed by a question about what is happening or what to allow. The port is the fingerprint: 636 leaving a domain controller is secure directory traffic, no problem; 389 where policy says everything must be encrypted is your finding. The exam rewards you for reading the number and knowing what it implies. Reciting a definition does not help here.

This is also why "implement secure protocols" sits in Domain 3 rather than off in some trivia section. It ties into firewall rules and hardening, and into the logs you will be asked to interpret elsewhere on the test.

How to actually learn these

Do not sit and stare at a table. So what actually works? Three things.

Build the pairs yourself from memory. Insecure on the left, secure on the right, port on both sides. Rebuild it cold every day for a week. The act of reconstructing it is what makes it stick, not rereading it.

Turn each pair into a one-line scenario. "A junior admin left Telnet enabled on a switch, what do you recommend and on what port." Answer out loud. If you can write the question, you understand it.

Drill mixed questions, not topic-sorted ones. Why does that matter? On the real exam these protocol items show up scattered between a risk-management question and an incident-response question, with no heading to warn you that the next one is about ports, so practicing them in a neat labeled block builds a fluency that evaporates the second the topics get shuffled. That is the trap.

That last point is where a bank of practice questions earns its place. I built SecPlus Mastery around this kind of applied drilling, and the free diagnostic at https://secplusmastery.com/diagnostic will tell you fast whether protocol and port questions are a strength or a gap, before you spend a real exam attempt finding out.

The one-sentence version

Learn protocols in insecure-secure pairs, memorize the port that changes or stays the same, and treat a port number in a scenario as a clue rather than decoration. Do that and a whole slice of the exam turns into recognition instead of recall.

Top comments (0)