CompTIA Security+: Threats and Vulnerabilities
AI-Generated Content
A deep understanding of threats and vulnerabilities forms the bedrock of cybersecurity. For the CompTIA Security+ exam and your professional practice, this knowledge isn't just about memorizing terms—it's about developing a security mindset.
Threat Actors and Their Motivations
A threat actor is any person or entity responsible for a cybersecurity incident. Knowing who they are and why they act is crucial for threat modeling and prioritizing defenses. The Security+ exam categorizes several key actors. Nation-state actors are state-sponsored groups engaged in cyber espionage, intellectual property theft, or sabotage; they are typically the most well-funded and persistent threat, targeting government agencies and critical infrastructure. An insider threat comes from within an organization, including malicious employees seeking financial gain or revenge, or simply negligent staff who accidentally expose data. Hacktivists are ideologically motivated actors who deface websites or launch denial-of-service attacks to promote a political or social cause, while organized crime groups are financially driven, focusing on data theft for resale or ransomware attacks. Finally, script kiddies are unskilled individuals who use pre-written scripts to launch attacks, often causing disproportionate damage due to their unpredictability and lack of sophistication.
Attack Vectors and Malware Types
An attack vector is the path or means by which an attacker gains unauthorized access. Common vectors include email attachments, malicious websites, unpatched software, and compromised credentials. These vectors often deliver malware, or malicious software. Ransomware is a type of malware that encrypts a victim's files, demanding a ransom payment for the decryption key, crippling business operations. A trojan horse disguises itself as legitimate software, tricking users into installing it to create a backdoor. Worms are self-replicating malware that spread across networks without user interaction, exploiting vulnerabilities to consume bandwidth and resources.
A more advanced threat is fileless malware, which resides in memory (RAM) rather than writing files to disk, making it harder for traditional antivirus to detect. It often uses legitimate system tools like PowerShell or WMI to execute malicious scripts. Another critical category is botnets, networks of compromised computers ("zombies") controlled by an attacker ("bot herder") to launch large-scale attacks. Understanding these types is essential for the Security+ exam, as you’ll be asked to identify them based on their behaviors and characteristics.
Social Engineering Techniques
Social engineering exploits human psychology rather than technical vulnerabilities to gain access to systems or information. Phishing is the most common form, using fraudulent emails that appear to come from a reputable source to trick recipients into revealing sensitive data or clicking malicious links. More targeted variants include spear phishing (targeting specific individuals) and whaling (targeting senior executives). Vishing (voice phishing) uses phone calls, often spoofing caller ID, to manipulate victims into providing information or transferring funds.
Similarly, smishing uses SMS/text messages to lure users into clicking malicious links or replying with personal data. Other important techniques include pharming, which redirects users from a legitimate website to a fraudulent one by compromising DNS settings, and tailgating, where an unauthorized person physically follows an employee into a restricted area. The human element is often the weakest link in security, and the Security+ exam tests your ability to recognize and recommend training to mitigate these attacks.
Vulnerability Management: Scanning and Penetration Testing
Proactive defense requires identifying weaknesses before attackers do. Vulnerability scanning is an automated, non-intrusive process that uses software to scan systems, networks, or applications against a database of known vulnerabilities (identified by CVE numbers). It produces a report of findings prioritized by severity, but it does not attempt to exploit the flaws. In contrast, penetration testing (pen testing) is an authorized, simulated cyberattack conducted by ethical hackers. It actively exploits vulnerabilities to determine their real-world impact and the extent of a breach.
For the Security+ exam, you must know the key concepts around these activities. This includes understanding the rules of engagement (a formal agreement defining the test's scope and limitations), the difference between credentialed scans (using authenticated access for deeper insight) and non-credentialed scans, and the critical distinction between false positives (reporting a vulnerability that doesn’t exist) and false negatives (failing to report a real vulnerability). You’ll also need to be familiar with the phases of a penetration test: planning, scanning, gaining access, maintaining access, and analysis/reporting.
The Cyber Kill Chain Framework
To understand and disrupt attacks, security professionals use models like the Cyber Kill Chain, developed by Lockheed Martin. This framework breaks a targeted attack into seven sequential stages, allowing defenders to identify and stop an attack at various points. For the Security+ exam, you are expected to know each stage and its corresponding defensive actions.
The stages are:
- Reconnaissance: The attacker researches and identifies targets (e.g., harvesting email addresses). Defense: Monitor for information leakage.
- Weaponization: Pairing a remote access Trojan with an exploit into a deliverable payload (e.g., a malicious PDF). Defense: Application whitelisting.
- Delivery: Transmitting the weapon to the target (e.g., via phishing email). Defense: Email filtering, network segmentation.
- Exploitation: Triggering the exploit to execute code on the victim's system. Defense: Patch management, intrusion prevention systems (IPS).
- Installation: Installing malware on the asset. Defense: Antivirus, endpoint detection and response (EDR).
- Command and Control (C2): The malware establishes a connection for the attacker to remotely control the system. Defense: Network monitoring for suspicious outbound traffic.
- Actions on Objectives: The attacker achieves their goal, such as data exfiltration or destruction. Defense: Data loss prevention (DLP), robust backups.
Understanding the Cyber Kill Chain moves you from simply identifying isolated threats to analyzing sophisticated, multi-stage attacks.
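The Command and Control stage above lists monitoring for suspicious outbound traffic as its defense. As an added example that is not part of the original page, the Python below flags beacon-like behaviour in constructed connection-log lines: a host contacting the same destination at nearly constant intervals, measured by the coefficient of variation of the gaps between connections. The log format, host names and addresses are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection log lines: "epoch host dst port".
# Host "ws-17" contacts the same external address about every 60 s with little
# jitter, the pattern a C2 beacon produces; "ws-22" browses irregularly.
SAMPLE_LOG = """\
1700000000 ws-17 203.0.113.10 443
1700000012 ws-22 198.51.100.5 443
1700000060 ws-17 203.0.113.10 443
1700000090 ws-22 198.51.100.7 443
1700000121 ws-17 203.0.113.10 443
1700000130 ws-22 198.51.100.5 443
1700000180 ws-17 203.0.113.10 443
1700000241 ws-17 203.0.113.10 443
1700000300 ws-17 203.0.113.10 443
1700000312 ws-22 198.51.100.9 443
"""

def parse_log(text):
    """Group connection timestamps by (host, destination, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port = line.split()
        flows[(host, dst, int(port))].append(int(ts))
    return flows

def beacon_score(timestamps):
    """Return (mean gap, coefficient of variation of gaps), or None if too few samples."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg, pstdev(gaps) / avg if avg else float("inf")

def find_beacons(text, min_connections=4, max_cv=0.1):
    """Flag flows whose connection intervals are nearly constant (low CV)."""
    hits = []
    for key, ts in parse_log(text).items():
        score = beacon_score(ts)
        if score is None:
            continue
        avg, cv = score
        if len(ts) >= min_connections and cv <= max_cv:
            hits.append((key, round(avg, 1), round(cv, 3)))
    return hits
```

Real beacons add deliberate jitter, so in practice the CV threshold is tuned against a baseline of normal traffic and combined with other signals such as destination reputation and byte counts.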
Common Pitfalls
- Confusing Vulnerability Scanning with Penetration Testing: A common exam trap is to equate these two distinct processes. Remember: scanning is automated, broad, and non-intrusive, focused on finding potential weaknesses. Pen testing is manual, targeted, intrusive, and focused on exploiting weaknesses to prove risk. Selecting a "vulnerability scan" when a question describes an active exploitation exercise is a critical error.
- Overlooking the Insider Threat: While nation-state actors may seem more dramatic, the Security+ exam emphasizes that insider threats—both malicious and negligent—are incredibly dangerous and common. Failing to recommend internal controls like the principle of least privilege and user activity monitoring in a scenario question can lead to a wrong answer.
- Misidentifying Social Engineering Attacks: It’s easy to label every email-based scam as "phishing." You must distinguish between the broader category of phishing and its more specific forms (spear phishing, whaling) as well as other vectors like vishing (phone) and smishing (SMS). Pay close attention to the delivery channel described in the question.
- Misapplying the Cyber Kill Chain: A typical mistake is to confuse the stages, such as thinking "weaponization" involves active network intrusion. Remember, weaponization happens offline on the attacker's own systems. Also, defensive actions should align with the specific stage; recommending patching (exploitation defense) during the reconnaissance stage is incorrect.
Summary
- Threat actors range from nation-states and organized crime to insiders and hacktivists, each with distinct motivations and resources that shape their attacks.
- Malware includes ransomware, trojans, worms, and fileless variants, each propagating and causing damage through different mechanisms that you must be able to identify.
- Social engineering attacks like phishing, vishing, and smishing exploit human trust; defense hinges on comprehensive user awareness training and technical controls.
- Vulnerability scanning is an automated discovery process for known flaws, while penetration testing is an authorized, active exploitation to assess real-world risk—do not conflate them on the exam.
- The Cyber Kill Chain framework provides a structured model for understanding the stages of a cyberattack (from Reconnaissance to Actions on Objectives), enabling targeted defensive countermeasures at each step.