Threats and Vulnerabilities

This section covers Exam Objective 2 of the CompTIA Security+ SY0-701 exam. It explains the types of threat actors, attack vectors, vulnerabilities, and risks that cybersecurity professionals must understand and mitigate.

👥 Threat Actors & Motivations

Understanding who is attacking you is crucial. From Script Kiddies to Advanced Persistent Threats (APTs), each actor has different motivations and capabilities.

🎯 Attack Surfaces & Vectors

The attack surface includes all points an attacker could exploit. Attack vectors are specific paths used to breach systems, such as:

• ▸ Direct Access: Physical access to devices.
• ▸ Email & Messaging: Phishing, malicious attachments, or links.
• ▸ Removable Media: USB drives containing malware.
• ▸ Network Exploits: Open ports, weak protocols, or misconfigurations.
• ▸ Cloud Services: Exploiting weak APIs or stolen credentials.
• ▸ Web & Social Media: Malicious posts, drive-by downloads, fake profiles.

⚠️ Vulnerabilities & Exploits

A vulnerability is a weakness; an exploit is the way to use it. Learn about Zero-Day attacks, Supply Chain compromises, and common software flaws.

🎣 Lure-Based & Message-Based Vectors

• ▸ Phishing: Mass emails trying to trick users.
• ▸ Spear Phishing: Highly targeted phishing attempts.
• ▸ Whaling: Targets executives with tailored messages.
• ▸ Smishing & Vishing: Text or phone call-based scams.
• ▸ Baiting: Leaving infected USBs to tempt users.

🔗 Third-Party Risks

When relying on vendors or cloud providers, risks include:

• ▸ Data Hosting: Sensitive data stored outside your control.
• ▸ Access Requirements: Vendors might need internal access.
• ▸ Compliance Gaps: Ensure third parties meet regulatory standards.

🧠 Social Engineering

Hacking the human is often easier than hacking the network. Explore Phishing, Vishing, Tailgating, and the psychological principles of influence.

📚 Additional Resources

• ▸ Practice Questions for Security+ Exam
• ▸ Official CompTIA Website