This section covers Exam Objective 2 of the CompTIA Security+ SY0-701 exam. It explains the types of threat actors, attack vectors, vulnerabilities, and risks that cybersecurity professionals must understand and mitigate.
👥 Threat Actors & Motivations
- ▸ Script Kiddies: Inexperienced attackers using pre-built tools.
- ▸ Hacktivists: Attack systems for ideological reasons.
- ▸ Insider Threats: Can be malicious (disgruntled employee) or unintentional (negligent user).
- ▸ Criminal Syndicates: Well-funded, often focused on financial gain.
- ▸ State-Sponsored Actors (APTs): Persistent, well-resourced, often geopolitical in motivation.
🎯 Attack Surfaces & Vectors
The attack surface includes all points an attacker could exploit. Attack vectors are specific paths used to breach systems, such as:
- ▸ Direct Access: Physical access to devices.
- ▸ Email & Messaging: Phishing, malicious attachments, or links.
- ▸ Removable Media: USB drives containing malware.
- ▸ Network Exploits: Open ports, weak protocols, or misconfigurations.
- ▸ Cloud Services: Exploiting weak APIs or stolen credentials.
- ▸ Web & Social Media: Malicious posts, drive-by downloads, fake profiles.
⚠️ Software & Network Vulnerabilities
- ▸ Vulnerable Software: Bugs and flaws exploited via remote or local access.
- ▸ Unsupported Systems: Lack updates and patches, increasing risk.
- ▸ Default Credentials: Unchanged admin passwords are easy targets.
- ▸ Open Service Ports: Can allow unauthenticated remote access.
🎣 Lure-Based & Message-Based Vectors
- ▸ Phishing: Mass emails trying to trick users.
- ▸ Spear Phishing: Highly targeted phishing attempts.
- ▸ Whaling: Targets executives with tailored messages.
- ▸ Smishing & Vishing: Scams delivered by text message (smishing) or phone call (vishing).
- ▸ Baiting: Leaving infected USBs to tempt users.
🔗 Third-Party Risks
When relying on vendors or cloud providers, risks include:
- ▸ Data Hosting: Sensitive data stored outside your control.
- ▸ Access Requirements: Vendors might need internal access.
- ▸ Compliance Gaps: Third parties may not meet the regulatory standards that apply to you, so verify that they do.
🧠 Social Engineering Threats
- ▸ Tailgating/Piggybacking: Gaining physical access by following authorized personnel.
- ▸ Shoulder Surfing: Watching a user enter credentials by looking over their shoulder.
- ▸ Dumpster Diving: Retrieving sensitive data from trash.
- ▸ Pretexting & Impersonation: Pretending to be someone trustworthy.
- ▸ Influence Campaigns: Large-scale disinformation and manipulation, often by state actors.