Virtualization – CompTIA Security+ Lesson 12

Virtualization. A popular word. But what does it mean, what is it and how do you use it? And most important: what does it have to do with CompTIA Sec+?

Simply put, virtualization is kind of like Inception, for PCs. You can install multiple workstations/servers on one hardware machine, instead of having to buy each machine individually. These machines then share the resources of the hardware machine. This is why it’s important for cloud computing.

It enhances agility and flexibility for machines, since you’re not relying on hardware but on software. So you can easily adjust the specs to changing requirements from business.

You can even run your own virtualization and create virtual machines at home for free, using open source hypervisors. However, there are two types of hypervisors:

  • Type I – This hypervisor boots before an OS; it’s also called bare-metal
  • Type II – This hypervisor boots as software on your OS (like the one I linked above)

The CompTIA Security+ exam focuses on these topics, which we are going to discuss:

  • Snapshots
  • Patch compatibility
  • Host availability/ Elasticity
  • Security Control Testing
  • Sandboxing


Snapshots

Snapshots create an image of a system at a certain point in time. These images contain copies of the VM settings, information about attached virtual disks and the memory state of the machine. You can create them as a sort of backup or to create a second, similar machine.

Patch compatibility

First of all, you’ll always have to verify the source of patches and test them on lab machines before running them in production.

With VMware, for example, patches should always be compatible with the previous version, but if you skip a couple of updates you might need to test it.

Host availability/ Elasticity

The availability of a host should meet the standard of five 9s: 99.999% uptime. It should also be possible to upscale resources like RAM on the fly for your customers. Resources should seem almost unlimited to end users, especially for cloud services.

These issues and requirements are often addressed in the Service Level Agreement.
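To make the five 9s figure concrete, the following added example (not part of the original lesson) computes the downtime budget that 99.999% allows over a year and checks outage records against it, counting overlapping outages only once. The function names and the outage timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

FIVE_NINES = 0.99999  # availability target named in the lesson


def downtime_budget(window, target=FIVE_NINES):
    """Maximum downtime allowed inside `window` while still meeting `target`."""
    return timedelta(seconds=window.total_seconds() * (1 - target))


def merged_downtime(outages, start, end):
    """Total downtime inside [start, end); overlapping outages count once."""
    total = timedelta(0)
    covered_until = start
    for begin, finish in sorted(outages):
        begin = max(begin, covered_until)  # clip to window, skip overlap
        finish = min(finish, end)
        if finish > begin:
            total += finish - begin
            covered_until = finish
    return total


def sla_report(outages, start, end, target=FIVE_NINES):
    """Compare measured downtime with the budget the SLA target allows."""
    window = end - start
    down = merged_downtime(outages, start, end)
    budget = downtime_budget(window, target)
    return {
        "availability": 1 - down / window,
        "downtime": down,
        "budget": budget,
        "met": down <= budget,
    }


# Constructed sample data: three outage records for one host in 2023.
# The first two overlap (two monitors reporting the same incident).
YEAR_START = datetime(2023, 1, 1)
YEAR_END = datetime(2024, 1, 1)
SAMPLE_OUTAGES = [
    (datetime(2023, 3, 4, 2, 0), datetime(2023, 3, 4, 2, 3)),
    (datetime(2023, 3, 4, 2, 2), datetime(2023, 3, 4, 2, 4)),
    (datetime(2023, 9, 10, 11, 0), datetime(2023, 9, 10, 11, 2)),
]

if __name__ == "__main__":
    for key, value in sla_report(SAMPLE_OUTAGES, YEAR_START, YEAR_END).items():
        print(f"{key}: {value}")
```

With the sample records, six minutes of merged downtime already exceeds the yearly budget of roughly five and a quarter minutes, so the target is missed.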

Security Control Testing

This part is more similar to penetration testing than to security measures, maybe because it is a subset of pentesting. It consists of interviews, examinations and testing of systems, with a focus on previous breaches, shared resources and dedicated servers as well.


Sandboxing

This video explains what a sandbox is for a simple PDF reader. A sandbox in virtualization is the same, but for a whole VM instead of “just” an application.