Threats and Vulnerabilities

This section covers Exam Objective 2 of the CompTIA Security+ SY0-701 exam. It explains the types of threat actors, attack vectors, vulnerabilities, and risks that cybersecurity professionals must understand and mitigate. attack vectors, vulnerabilities, and risks that cybersecurity professionals must understand and mitigate.

👥 Threat Actors & Motivations

• Script Kiddies: Inexperienced attackers using pre-built tools.
• Hacktivists: Attack systems for ideological reasons.
• Insider Threats: Can be malicious (disgruntled employee) or unintentional (negligent user).
• Criminal Syndicates: Well-funded, often focused on financial gain.
• State-Sponsored Actors (APTs): Persistent, well-resourced, often geopolitical in motivation.

🎯 Attack Surfaces & Vectors

The attack surface includes all points an attacker could exploit. Attack vectors are specific paths used to breach systems, such as:

• Direct Access: Physical access to devices.
• Email & Messaging: Phishing, malicious attachments, or links.
• Removable Media: USB drives containing malware.
• Network Exploits: Open ports, weak protocols, or misconfigurations.
• Cloud Services: Exploiting weak APIs or stolen credentials.
• Web & Social Media: Malicious posts, drive-by downloads, fake profiles.

⚠️ Software & Network Vulnerabilities

• Vulnerable Software: Bugs and flaws exploited via remote or local access.
• Unsupported Systems: Lack updates and patches, increasing risk.
• Default Credentials: Unchanged admin passwords are easy targets.
• Open Service Ports: Can allow unauthenticated remote access.

🎣 Lure-Based & Message-Based Vectors

• Phishing: Mass emails trying to trick users.
• Spear Phishing: Highly targeted phishing attempts.
• Whaling: Targets executives with tailored messages.
• Smishing & Vishing: Text or phone call-based scams.
• Baiting: Leaving infected USBs to tempt users.

🔗 Third-Party Risks

When relying on vendors or cloud providers, risks include:

• Data Hosting: Sensitive data stored outside your control.
• Access Requirements: Vendors might need internal access.
• Compliance Gaps: Ensure third parties meet regulatory standards.

🧠 Social Engineering Threats

• Tailgating/Piggybacking: Gaining physical access by following authorized personnel.
• Shoulder Surfing: Observing user credentials over their shoulder.
• Dumpster Diving: Retrieving sensitive data from trash.
• Pretexting & Impersonation: Pretending to be someone trustworthy.
• Influence Campaigns: Large-scale disinformation and manipulation, often by state actors.

📚 Additional Resources

• Practice Questions for Security+ Exam
• Official CompTIA Website