This section covers the landscape of cybersecurity threats, the actors behind them, various attack vectors, types of malware, system vulnerabilities, and the countermeasures used to protect against these risks.
Understanding threats and vulnerabilities is fundamental to implementing effective security controls. This section represents approximately 22% of the Security+ exam.
Focus on understanding how different threats exploit specific vulnerabilities and which mitigations are most effective for each scenario.
Threat actors are individuals or groups responsible for security incidents. Understanding their motivations, capabilities, and characteristics helps in developing appropriate defenses.
| Type | Motivation | Resources | Typical Targets |
|---|---|---|---|
| Nation-State | Political, economic, military advantage | Extensive (government funding) | Critical infrastructure, government systems, intellectual property |
| Organized Crime | Financial gain | High (professional operations) | Financial institutions, healthcare, retail |
| Hacktivists | Political/social ideology | Variable | Government websites, corporations, political organizations |
| Insiders | Revenge, financial gain, ideology | Legitimate access | Employer systems, sensitive data |
| Script Kiddies | Curiosity, notoriety | Low (pre-built tools) | Low-hanging fruit, poorly secured systems |
Sophisticated, long-term campaigns typically associated with nation-states:
One of the most dangerous threat types due to legitimate access:
Be prepared to match threat actor types with their characteristics, motivations, and typical targets in scenario-based questions.
Attack vectors are the pathways or methods that threat actors use to gain unauthorized access to systems or networks.
| Vector | Description | Example |
|---|---|---|
| Phishing | Deceptive emails/messages to trick users | Fake login page for credential theft |
| Malvertising | Malicious code in online advertisements | Compromised ad networks delivering malware |
| Watering Hole | Compromising frequently visited websites | Industry-specific site infected with exploit kit |
| Supply Chain | Attacking through third-party vendors | Compromised software updates |
| Zero-Day | Exploiting unknown vulnerabilities | Attack before vendor patch available |
Defense in depth is crucial - no single control can protect against all attack vectors. Combine technical, administrative, and physical controls.
Malware (malicious software) encompasses various types of software designed to harm, exploit, or otherwise compromise computer systems.
| Type | Characteristics | Propagation | Primary Purpose |
|---|---|---|---|
| Virus | Attaches to legitimate programs, requires user action | File sharing, email attachments | Data corruption, system damage |
| Worm | Self-replicating, spreads without user interaction | Network vulnerabilities | Rapid infection, backdoor creation |
| Trojan Horse | Disguised as legitimate software | User deception | Backdoor access, data theft |
| Ransomware | Encrypts files and demands payment | Exploit kits, phishing | Financial extortion |
| Spyware | Secretly monitors user activity | Software bundles, drive-by downloads | Information theft, surveillance |
| Rootkit | Hides deep in system, hard to detect | Exploits, social engineering | Persistent access, stealth |
| Botnet | Network of compromised devices (zombies) | Malware infection | DDoS, spam, credential theft |
| Logic Bomb | Dormant until triggered by specific conditions | Insider placement | Data destruction, system damage |
Modern malware defense requires multiple layers: signature-based detection, behavioral analysis, sandboxing, and user education to prevent initial infection.
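To make the "multiple layers" point concrete, here is an added example (not code from the original page) that runs two of the layers named above, signature-based detection and behavioural analysis, over constructed sample data. The payload bytes, the hash blocklist and the process-activity events are all constructed for the example; a real deployment would take its signatures from a vendor feed and its events from an EDR or Sysmon-style telemetry source.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample payload and the constructed signature list built from it.
# Not a real malware sample; real signature feeds are vendor-maintained.
SAMPLE_MALICIOUS_BYTES = b"MZ\x90\x00constructed-sample-dropper"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_MALICIOUS_BYTES).hexdigest()}


def signature_match(file_bytes: bytes) -> bool:
    """Signature layer: exact SHA-256 match against the known-bad list.
    Precise and cheap, but any change to the file yields a new digest,
    which is why this layer alone is not enough."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256


# Constructed process-activity events: (process, action, source path, destination path).
# destination is None for every action other than rename.
SAMPLE_EVENTS = [
    ("explorer.exe", "open", r"C:\Users\alice\Documents\budget.xlsx", None),
    ("winword.exe", "write", r"C:\Users\alice\Documents\memo.docx", None),
    ("winword.exe", "rename", r"C:\Users\alice\Documents\~tmp1.docx", r"C:\Users\alice\Documents\memo.docx"),
    ("svc_update.exe", "rename", r"C:\Users\alice\Documents\budget.xlsx", r"C:\Users\alice\Documents\budget.xlsx.locked"),
    ("svc_update.exe", "rename", r"C:\Users\alice\Documents\memo.docx", r"C:\Users\alice\Documents\memo.docx.locked"),
    ("svc_update.exe", "rename", r"C:\Users\alice\Pictures\cat.jpg", r"C:\Users\alice\Pictures\cat.jpg.locked"),
    ("svc_update.exe", "rename", r"C:\Users\alice\Pictures\dog.jpg", r"C:\Users\alice\Pictures\dog.jpg.locked"),
]


def behavioural_findings(events, rename_threshold: int = 3):
    """Behavioural layer: flag any process that renames many user files to a
    different extension, the mass-encryption pattern of the ransomware row above.
    Needs no knowledge of the binary, at the cost of possible false positives
    (an archiver or backup tool can look similar), so the threshold matters."""
    ext_changes = defaultdict(int)
    for proc, action, src, dst in events:
        if action != "rename" or dst is None:
            continue
        if os.path.splitext(src)[1].lower() != os.path.splitext(dst)[1].lower():
            ext_changes[proc] += 1
    return sorted(p for p, n in ext_changes.items() if n >= rename_threshold)


def assess(file_bytes: bytes, events) -> dict:
    """Combine the layers: a signature hit or a behavioural finding is enough to alert."""
    sig = signature_match(file_bytes)
    beh = behavioural_findings(events)
    return {"signature_hit": sig, "suspicious_processes": beh, "alert": sig or bool(beh)}


if __name__ == "__main__":
    print(assess(SAMPLE_MALICIOUS_BYTES, SAMPLE_EVENTS))
    # A one-byte change defeats the signature layer; the behavioural layer still fires.
    print(assess(SAMPLE_MALICIOUS_BYTES + b"\x00", SAMPLE_EVENTS))
```

The second call in the usage block is the reason the page insists on layering: appending a single byte to the sample produces a digest that is not on the blocklist, yet the rename heuristic still flags `svc_update.exe` from its behaviour alone.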
Vulnerabilities are weaknesses in systems, processes, or human factors that can be exploited by threat actors.
| Category | Examples | Impact |
|---|---|---|
| Software Vulnerabilities | Buffer overflows, SQL injection, XSS | Remote code execution, data theft |
| Configuration Weaknesses | Default credentials, open ports, weak permissions | Unauthorized access, privilege escalation |
| Network Vulnerabilities | Unencrypted protocols, weak encryption | Eavesdropping, man-in-the-middle |
| Human Factors | Social engineering, weak passwords | Credential theft, unauthorized access |
| Physical Security | Unsecured devices, lack of access controls | Theft, tampering, unauthorized access |
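The SQL injection entry in the software-vulnerabilities row is easiest to understand side by side with its fix. The following is an added example, not code from the original page: a deliberately vulnerable login query built by string concatenation, the parameterized version that removes the weakness, and an allowlist validator layered in front of it. The table, the account and the `USERNAME_RE` pattern are constructed for the example; the stored value only stands in for a real password hash.

```python
import re
import sqlite3

# Constructed allowlist for usernames: lowercase letters, digits and underscore only.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table with one account (not a real credential store)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-hash-of-alice-password')")
    return conn


def login_vulnerable(conn, username: str, password_hash: str) -> bool:
    """VULNERABLE, shown for contrast: user input is concatenated into the SQL text,
    so a quote or comment marker in the input changes the structure of the query
    instead of being compared as data."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username: str, password_hash: str) -> bool:
    """Hardened: placeholders fix the query structure at write time; the driver
    sends the values separately, so any input is only ever compared as a string."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


def login_validated(conn, username: str, password_hash: str) -> bool:
    """Defence in depth: allowlist validation rejects malformed usernames before the
    database is touched, and the query underneath is still parameterized."""
    if not USERNAME_RE.match(username):
        return False
    return login_parameterized(conn, username, password_hash)


if __name__ == "__main__":
    db = build_sample_db()
    # A username carrying a quote and an SQL comment marker: the vulnerable query
    # loses its password check, the parameterized one simply finds no such user.
    crafted = "alice' --"
    print("vulnerable   :", login_vulnerable(db, crafted, "wrong"))      # True
    print("parameterized:", login_parameterized(db, crafted, "wrong"))  # False
    print("validated    :", login_validated(db, crafted, "wrong"))      # False
```

Two things worth noticing when you run it: the parameterized query needs no knowledge of what the malicious input looks like, which is why it is the primary mitigation, and the allowlist check is a second, independent layer that also rejects the input before any query executes, as the defense-in-depth guidance above recommends.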
Community-developed list of common software security weaknesses:
Vulnerabilities unknown to the vendor with no available patch:
Systematic process of identifying and classifying vulnerabilities:
Know the difference between vulnerability (weakness), threat (potential danger), and risk (likelihood × impact). Be familiar with common CVEs and their mitigations.
Mitigations are security controls and countermeasures designed to reduce risk by addressing threats and vulnerabilities.
Layered security approach using multiple controls:
| Threat/Vulnerability | Primary Mitigations | Additional Controls |
|---|---|---|
| Malware | Antivirus, application whitelisting | User education, email filtering |
| Social Engineering | Security awareness training | Multi-factor authentication, least privilege |
| Network Attacks | Firewalls, IDS/IPS | Network segmentation, VPNs |
| Web Application Attacks | Input validation, WAF | Secure coding practices, regular patching |
| Insider Threats | Least privilege, separation of duties | User behavior analytics, audit logs |
| Physical Threats | Access controls, surveillance | Asset tracking, environmental controls |
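The insider-threats row pairs separation of duties with user behavior analytics and audit logs. Here is an added example (not code from the original page) that runs both checks over a constructed audit log: it parses the lines, flags users who read sensitive resources outside working hours, and reports any user who has performed both halves of a conflicting duty pair. The log format, the `/finance/` sensitivity prefix, the 08:00 to 18:00 UTC working window and the `create_vendor`/`approve_payment` conflict are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit log; the format is an assumption for this example, not any real product's.
SAMPLE_AUDIT_LOG = """\
2024-03-04T09:12:04Z user=alice action=read resource=/finance/q1_report.xlsx
2024-03-04T10:40:11Z user=bob action=create_vendor resource=/ap/vendors/acme
2024-03-04T11:02:45Z user=carol action=approve_payment resource=/ap/vendors/acme
2024-03-04T23:17:30Z user=alice action=read resource=/finance/payroll.csv
2024-03-05T02:05:09Z user=alice action=read resource=/finance/board_minutes.docx
2024-03-05T02:08:51Z user=alice action=read resource=/finance/m_and_a_plan.pdf
2024-03-05T14:30:00Z user=bob action=approve_payment resource=/ap/vendors/acme
this line is malformed and must not crash the parser
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) resource=(?P<resource>\S+)$")

# Assumed conflicting duty pairs: one person should not do both halves of a payment.
SOD_CONFLICTS = [("create_vendor", "approve_payment")]


def parse_audit_log(text: str) -> list:
    """Parse one event per line; lines that do not match the format are skipped
    rather than trusted, and timestamps are kept timezone-aware (UTC)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "action": m["action"], "resource": m["resource"]})
    return events


def off_hours_sensitive_reads(events, sensitive_prefix="/finance/",
                              start_hour=8, end_hour=18, threshold=3) -> dict:
    """Behaviour analytics: count reads of sensitive resources outside the working
    window per user and return those at or above the threshold. The threshold
    keeps a single late-night lookup from paging the SOC."""
    counts = defaultdict(int)
    for e in events:
        in_hours = start_hour <= e["ts"].hour < end_hour
        if e["action"] == "read" and e["resource"].startswith(sensitive_prefix) and not in_hours:
            counts[e["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


def separation_of_duties_violations(events) -> list:
    """Control check: a user who has performed both actions of a conflict pair."""
    actions_by_user = defaultdict(set)
    for e in events:
        actions_by_user[e["user"]].add(e["action"])
    return sorted(
        u for u, actions in actions_by_user.items()
        for a, b in SOD_CONFLICTS if a in actions and b in actions
    )


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("off-hours sensitive reads:", off_hours_sensitive_reads(evs))   # {'alice': 3}
    print("separation-of-duties violations:", separation_of_duties_violations(evs))  # ['bob']
```

Both findings come from the same log, which is the practical point of the "audit logs" control: the log is only useful as a mitigation if something reads it. The working-hours rule is a deliberately simple baseline; real analytics compare each user against their own history rather than a fixed window.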
The most effective security programs combine technical controls with strong policies and ongoing user education. Regular testing and updates are essential as threats evolve.