SC-730 Cheat Sheet

Quick reference for the Microsoft Certified: Cybersecurity Business Professional exam.

Core Security Definitions (Domain 1 — 27%)

Vulnerability
A weakness or flaw in a system, application, or process that COULD be exploited — it exists regardless of whether anyone acts on it.
Threat
A potential danger that COULD exploit a vulnerability to cause harm — the actor or event (hacker, malware, natural disaster) that acts on a weakness.
Risk
The likelihood and impact of a threat successfully exploiting a vulnerability — Risk = Threat × Vulnerability × Impact.
Exploit
The method, tool, or technique an attacker uses to take advantage of a vulnerability and perform unauthorized actions.
Encryption
Converting readable data (plaintext) into an unreadable format (ciphertext) that can only be decoded with the correct key — protects data confidentiality but does NOT prevent theft; encrypted data can still be exfiltrated, it just cannot be read without the key.
Deepfakes
AI-generated synthetic media (audio, video, images) that realistically impersonate real people or fabricate events — used for fraud, disinformation, and social engineering.
Shared Responsibility Model
On this exam: security is a joint duty between IT/security teams AND every individual employee — not solely IT's job.
Misinformation vs. Disinformation
Misinformation is false content spread WITHOUT deliberate intent; disinformation is false content spread WITH deliberate intent to deceive.

Phishing Attack Variants (Domain 2 — 33%)

Phishing (email)
Fraudulent emails impersonating trusted entities to trick recipients into clicking malicious links, opening attachments, or revealing credentials.
Smishing (SMS phishing)
Phishing conducted via SMS text messages — same urgency and impersonation tactics as email phishing but delivered by text.
Vishing (voice phishing)
Phishing conducted over phone calls — attacker impersonates tech support, bank, government agency, or a colleague.
Quishing (QR code phishing)
Malicious QR codes that redirect victims to fraudulent websites — often placed on physical materials or embedded in emails.
Phishing red flags
Mismatched sender address, urgency or fear tactics, generic greetings, grammatical errors, unexpected attachments, and requests for credentials or payments — a legitimate-looking email from a known contact can still be phishing if the address is spoofed or the account is compromised.
Malicious link detection
Hover over links to preview the real URL; check for misspelled domains, HTTP (not HTTPS), or shortened URLs before clicking.
Business Email Compromise (BEC)
Attacker impersonates an executive or vendor via email to trick employees into making unauthorized wire transfers or disclosing sensitive data.

Social Engineering Techniques (Domain 2 — 33%)

Social Engineering
Psychological manipulation exploiting human behavior to gain unauthorized access to systems, data, or physical spaces without needing technical attacks.
Pretexting
Attacker creates a fabricated scenario (pretext) and builds a believable backstory to manipulate victims — may occur over multiple interactions via phone, email, or in person.
Baiting
Enticing victims with something appealing — free USB drives, downloads, or prizes — to trick them into compromising their security.
Tailgating (piggybacking)
Physically following an authorized person through a secure door or access point without presenting credentials.
Phishing vs. Pretexting distinction
Phishing uses digital messages with urgency and impersonation for a quick strike; pretexting builds a believable backstory across multiple interactions over time.
Verifying suspicious requests
Always verify unexpected requests for payments, credentials, or sensitive actions through a SEPARATE, independently known communication channel — never trust the contact info in the suspicious message itself.

Malware and System Threats (Domain 2 — 33%)

Malware
Broad category of malicious software — includes viruses, worms, trojans, ransomware, and spyware — designed to damage, disrupt, or gain unauthorized access.
Ransomware
A specific type of malware that encrypts a victim's files or locks their system and demands payment for restoration — all ransomware is malware, but not all malware is ransomware.
Malware infection indicators
Unexpected system slowdowns, unusual pop-ups, programs launching without user action, unexplained file changes, disabled antivirus software, or unexpected network activity.
Insider Threat
Security risk originating from within the organization — includes malicious employees, negligent staff, or compromised accounts. Can be intentional OR accidental.
Insider threat indicators
Accessing systems outside normal job duties, downloading large volumes of data, working unusual hours without justification, or expressing dissatisfaction while holding sensitive access.
Public Wi-Fi risks
Unsecured public networks expose users to eavesdropping, man-in-the-middle attacks, rogue hotspots, and session hijacking — even password-protected coffee shop Wi-Fi is a shared public network.
Access Controls (least privilege)
Limiting access to systems and data to only what is needed for a specific role — business users should request access through proper channels, not self-configure permissions.

Authentication and Account Security (Domain 1 — 27%)

Multifactor Authentication (MFA)
Requiring two or more verification factors to access an account — a stolen password alone cannot compromise an MFA-protected account.
MFA factor types
Something you KNOW (password, PIN), something you HAVE (phone, hardware token), something you ARE (fingerprint, facial scan, retina).
Password Managers
Tools that generate strong unique passwords, securely store credentials, and auto-fill login forms — eliminate password reuse and remove the need to remember or write down passwords.
Strong password alone is NOT enough
The exam consistently positions MFA as essential even when a strong password is already in use — MFA is always the correct additional control.
Software updates and patches
Vendor-released updates that fix known security vulnerabilities — delaying patches leaves systems exposed to actively exploited weaknesses; apply promptly.

Data Classification and Sensitivity Labels (Domain 3 — 28%)

Public
Data approved for external sharing with anyone — poses no risk to the organization if disclosed. Examples: press releases, published marketing materials.
Internal
Data intended for employees only — not sensitive but not for external distribution. Examples: internal memos, general company announcements.
Confidential
Data restricted to specific teams or roles due to sensitivity — unauthorized disclosure could cause organizational or personal harm. Examples: customer records, financial data.
Highly Confidential
Strictest classification — need-to-know access only. Examples: executive strategy documents, M&A plans, PII combined with financial data.
Sensitivity Labels (user responsibility)
Labels are applied by USERS based on content sensitivity — the exam tests YOUR responsibility to classify documents correctly, not the system doing it automatically.
Rights Management
Technical controls that enforce restrictions on what users can DO with protected content — prevents copying, printing, forwarding, or editing sensitive documents.
Sensitivity Labels vs. Rights Management
Labels CLASSIFY data and communicate handling requirements; Rights Management ENFORCES restrictions on actions. Labels tell you what it is; Rights Management controls what you can do.

Data Handling and Protection Practices (Domain 3 — 28%)

Data lifecycle phases
Collect → Use → Transfer → Store → Retain → Destroy — each phase has specific handling obligations under organizational policy.
Proper data destruction
Simply deleting a file is NOT sufficient destruction — proper destruction ensures data cannot be recovered, per organizational procedures (e.g., secure wipe, shredding, degaussing).
Data backup best practice
Backups must be stored in a SEPARATE location from the primary data — backing up to the same device offers no protection against device failure or ransomware.
AI tool data risks
Never share confidential business data, customer PII, financial records, trade secrets, or internal strategy with public AI tools — they may store, train on, or expose submitted data.
Remote work security
Use VPN on public networks, enable screen lock, position screen to prevent shoulder surfing, avoid leaving devices unattended, and keep software updated.
Clean desk policy
Lock your computer when stepping away, secure physical documents, avoid leaving sensitive materials visible — prevents unauthorized physical access to information.
Data retention policy
Organizational rules specifying how long data must be kept and when it must be destroyed — employees must report data that exceeds retention periods rather than self-deleting.

Incident Reporting and Response (Domain 4 — 12%)

Always report phishing attempts
Report phishing EVEN IF you did not click the link — the security team needs to protect other employees and assess organizational exposure.
Always report lost or stolen devices
A lost encrypted, password-protected device MUST still be reported immediately — IT needs to remotely wipe it, revoke access, and assess potential data exposure.
Incident report contents
Date and time of the incident, type of incident (phishing, lost device, unauthorized access), affected data or systems, actions already taken, and any evidence preserved.
Correct reporting channels
IT help desk, dedicated incident reporting form, or the security team — use your organization's designated channel, never personal email or social media.
Ransomware response sequence
1. Disconnect the device from the NETWORK (Wi-Fi/Ethernet). 2. Notify IT immediately. Do NOT pay the ransom, do NOT turn off the computer (destroys forensic evidence), do NOT attempt self-remediation.
Disconnect vs. power off during incident
Remove the device from the NETWORK to stop spread — do NOT power it off, as this may destroy forensic evidence needed for investigation.
Business user incident role
Report, disconnect affected device from network, preserve evidence, and follow organizational procedures — do NOT investigate, fix, track the attacker, or pay ransom without authorization.
Escalation path
Escalation means following the organization's defined path (help desk → security team → management) — not going over a manager's head.

Exam Mindset: Business User vs. IT Admin

The golden rule
The SC-730 asks what a NON-TECHNICAL BUSINESS USER should do — the correct answer is almost always 'report to IT' or 'follow organizational procedures,' NOT 'troubleshoot it yourself.'
SC-730 vs. SC-900
SC-730 is vendor-agnostic, targets non-technical professionals, and asks what a business user should do. SC-900 is Microsoft-specific, targets IT professionals, and tests what the technology does.
Access requests (business user answer)
When you need access to a system or data you do not have: request access through proper channels — do NOT configure or grant access yourself.
When systems fail (business user answer)
Contact IT or follow organizational recovery procedures — do NOT troubleshoot, reinstall software, or attempt to fix the issue independently.
Passing score
700 out of 1000 (scaled score). 58 questions in 60 minutes of actual exam time. No penalty for wrong answers — always answer every question.