Security+ Domain #3: Threats and Vulnerabilities (SY0-401)
Please note: this article is based on information about the previous version of the Security+ exam (SY0-401), which expired in May of 2018. For updated information, please see our up-to-date Security+ listing.
Threats and vulnerabilities fall into the third domain of CompTIA’s Security+ exam (SY0-401) and contribute 20% to the exam score. To pass the Security+ exam, a candidate must understand the basic concepts and terminology related to threats and vulnerabilities, as discussed below.
Explain Types of Malware
Malware is malicious code that performs an illegitimate function from the perspective of the legitimate owner or user of a computer. Malware includes:
Adware and Spyware—Both adware and spyware are unwanted software that gathers information from the user without authorization.
Worms and Trojan Horses—Worms replicate themselves in order to spread to other computer systems. A Trojan horse is disguised as something legitimate or useful.
Rootkits—This is a type of malware that fools the operating system into thinking that active files and processes do not exist.
Logic Bomb—This is inactive malware that becomes active only when a specific operation linked to it is performed, such as an event occurring at a particular date and time.
Botnets and Ransomware—Botnets are networks of compromised computers (bots) used by hackers to carry out massive attacks. Ransomware is also used by hackers to gain illegitimate control of a computer.
Malware Countermeasures—The best countermeasure to malware programs is an antivirus program, which should be regularly updated.
Summarize Various Types of Attacks
When a computer connects to the Internet, it is vulnerable to various kinds of attacks. Today, even computers disconnected from the Internet are subject to these attacks. For the Security+ exam, candidates must understand the following attacks.
Man-in-the-Middle Attack—This is an eavesdropping attack in which an attacker positions himself in the communication channel between two entities.
Denial of Service (DoS)—A DoS attack prevents the computer or server from performing legitimate activities or services.
Spam and Phishing—Spam is unsolicited e-mail. Phishing is used by scammers to obtain sensitive information, such as credit card details.
Pharming—Hackers use pharming to redirect users from a valid web page’s URL to a fake web page’s URL.
DNS Poisoning—Hackers use this technique to exploit vulnerabilities in the DNS to divert traffic away from legitimate servers to fake ones.
Typo Squatting/URL Hijacking—This attack relies on a user mistyping the domain name of an intended resource; the attacker registers the misspelled name and aims to capture the resulting traffic.
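As an added illustration (not part of the original article), the following Python checks a list of observed domain names for entries that sit within a couple of edits of a brand domain, which is exactly the lookalike that typo squatting relies on; the brand domain and the observed list are constructed sample data.

```python
# Added example, not from the original article: flag observed domain names that
# are only a few edits away from a brand domain, the pattern typo squatting uses.
BRAND_DOMAIN = "example-bank.com"  # assumed brand domain (constructed)

# Constructed sample: domains seen in outbound DNS or certificate transparency logs.
OBSERVED_DOMAINS = [
    "example-bank.com",   # the legitimate domain itself
    "exmaple-bank.com",   # transposed letters
    "example-bnak.com",   # transposed letters
    "examplebank.com",    # dropped hyphen
    "example-bank.co",    # truncated TLD
    "example-bamk.com",   # adjacent-key substitution
    "wikipedia.org",      # unrelated domain
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def find_typosquats(brand: str, observed: list, max_distance: int = 2) -> list:
    """Return observed domains within max_distance edits of the brand.

    The comparison is made both on the full domain and on the part before the
    TLD, so a swapped or truncated TLD is caught as well as a mistyped label.
    """
    brand_label = brand.rsplit(".", 1)[0]
    hits = []
    for domain in observed:
        if domain == brand:
            continue                    # the real domain is not a squat
        label = domain.rsplit(".", 1)[0]
        distance = min(levenshtein(domain, brand), levenshtein(label, brand_label))
        if distance <= max_distance:
            hits.append(domain)
    return hits


if __name__ == "__main__":
    for squat in find_typosquats(BRAND_DOMAIN, OBSERVED_DOMAINS):
        print("possible typo squat:", squat)
```

The same check, run over newly registered domains or proxy logs, is a cheap way to spot lookalikes of your own brand before users are redirected to them.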
Summarize Social Engineering Attacks and the Associated Effectiveness with Each Attack
Shoulder Surfing—This is when someone watches the display or keyboard of another person to learn the password or other confidential information.
Dumpster Diving—This is the act of digging through trash to obtain information about a target individual or organization.
Impersonation—It’s the act of taking on the identity of someone else for illegitimate purposes.
Hoaxes—A hoax, often an email, is a social engineering attack that warns a user about an imminent threat and asks him/her to perform particular tasks to protect himself/herself.
Whaling—It’s a form of phishing attack that targets specific individuals (by title or by industry).
Principles of Social Engineering—Many techniques are used in social engineering attacks. These techniques rely on one or more principles, such as:
- Familiarity or liking
Explain Types of Wireless Attacks
Rogue Access Points—These are unauthorized access points that can be connected to any open network cable or port. If they are discovered within a secured network, they should be immediately removed.
Evil Twin Attacks—In an evil twin attack, a hacker configures a system as a twin of a valid wireless access point. In this way, the victim is deceived into connecting to the fake twin instead of the valid wireless network.
War Driving—Under this technique, hackers use detection tools to locate wireless networks in order to gain unauthorized access to them.
Bluesnarfing—It’s unauthorized access to data through Bluetooth connections. Bluesnarfing often occurs against mobile devices and PDAs.
Explain Types of Application Attacks
Cross-Site Scripting—It’s a form of malware injection attack in which a hacker compromises a web server and injects malicious code into the content sent to other users.
SQL Injection Attack—This attack allows attackers to compromise an SQL database by injecting malicious code into it.
Cookies—Cookies are tracking mechanisms that are often used for identity theft.
Arbitrary Code Execution—It’s the ability to run any software on a target computer.
Select the Appropriate Type of Mitigation and Deterrent Techniques
Understand System Logs—The general rule for proper system-logging procedures comprises logging all attempts to access resources of a sensitive nature, duplicating all logs on the centralized logging server, and protecting all logs from unauthorized access.
Understand Operating System Hardening—OS hardening is the process of reducing vulnerabilities, managing risks, and improving the security provided by or for an operating system. It is achieved by taking advantage of the operating system’s security features and supplementing them with add-on applications, such as antivirus software and firewalls.
Use Appropriate Tools and Techniques to Identify Security Threats and Vulnerabilities
The following tools and techniques included in the Security+ exam are used to identify security threats and vulnerabilities.
Vulnerability Scanners—A vulnerability scanner is a tool specifically designed to scan a system for known vulnerabilities, holes, or weaknesses.
Honeypots—They are decoy systems used to fool intruders and lure them away from the secured network.
Port Scanners—A port scanner is a tool specifically designed for vulnerability assessment. It sends test packets to the ports of a target system to find out the status of those ports.
Banner Grabbing—It captures the initial response from a network service. Often, the banner reveals the application’s developer name, its current version, and possibly much more.
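As an added illustration (not the article’s own code), the following Python starts a constructed service on the loopback interface that announces a made-up greeting, then performs the two steps just described: a TCP connect test to learn whether the port is open, and a banner grab that reads whatever the service volunteers; the banner text, product name and version are assumptions.

```python
# Added example, not from the original article: port check and banner grab against
# a constructed loopback service, to show what an unsolicited banner gives away.
import re
import socket
import threading
from typing import Optional

# Constructed SMTP-style greeting; the product name and version are made up.
CONSTRUCTED_BANNER = b"220 mail.example.test ESMTP ExampleMTA 1.2.3 ready\r\n"


def start_fake_service(banner: bytes) -> int:
    """Listen on 127.0.0.1 on an OS-chosen port, send `banner` to every client, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect test of one port: a completed handshake means the port is open."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Connect and read whatever the service sends before any client input."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.settimeout(timeout)
            return conn.recv(1024).decode(errors="replace").strip()
    except OSError:
        return None


def reveals_version(banner: str) -> bool:
    """Flag a banner that discloses a dotted version number (worth trimming on a hardened host)."""
    return re.search(r"\b\d+\.\d+(\.\d+)?\b", banner) is not None
```

Call start_fake_service(CONSTRUCTED_BANNER) and pass the returned port to grab_banner to see the greeting; pointed at your own hosts, the same calls show what each service discloses to anyone who connects.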
Explain the Proper Use of Penetration Testing Versus Vulnerability Scanning
Penetration Testing—A penetration test is a type of vulnerability scan. A special team of white-hat security experts (not internal security administrators) uses automated tools to perform a penetration test. The purpose of a penetration test is to check the organization’s deployed security infrastructure.
Vulnerability Scanning—Unlike penetration testing, a vulnerability scan is performed by security administrators using a wide variety of assessment tools. The purpose is to find weaknesses or holes in the deployed security system so that it can be improved before a security breach occurs.
Black-Box Testing—It’s used to examine a program by providing various input scenarios and then testing the output.
White-Box Testing—It’s a testing technique that examines a program structure and derives test data from the program code.
Gray-Box Testing—This combines the black-box and white-box approaches. It is often used to validate software.
Performance-Based Questions in Security+ Exam
Performance-based questions (PBQs) test a candidate’s ability to solve problems in a simulated environment. Candidates should manage their time wisely when working on the PBQs. The exam requires the student to solve a specific problem for each performance-based question; a simulated environment is provided in which the student completes the required steps. Also, candidates cannot see a clock while solving the PBQs.
Question: From the types of attacks listed, candidates have to choose the option that indicates which type of attack occurred in the network diagram shown below.
- Evil twin
This is a denial of service (DoS) attack carried out from distributed machines communicating with a victim server. The attack prevents the victim server from performing legitimate services.
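As an added illustration (not part of the original article), the following Python applies the distinction in that answer to constructed connection records: it counts flows to the victim server inside a sliding window and calls a flood distributed when the flows come from many different sources. The addresses, record format and thresholds are assumptions.

```python
# Added example, not from the original article: tell a single-source denial of
# service from a distributed one by counting flows and distinct sources that reach
# the victim server inside a short window. All flow records are constructed.
import random

VICTIM = "192.0.2.10"   # assumed victim server address (documentation range)


def legit_flows() -> list:
    """Constructed baseline: three clients each contact VICTIM every 5 seconds for a minute."""
    return [(t, src, VICTIM) for t in range(0, 60, 5)
            for src in ("198.51.100.7", "198.51.100.8", "198.51.100.9")]


def botnet_flows() -> list:
    """Constructed DDoS: 40 distinct sources each send 5 flows between t=30 and t=40."""
    rng = random.Random(1)  # fixed seed so the sample is reproducible
    return [(rng.randint(30, 40), f"203.0.113.{i + 1}", VICTIM)
            for i in range(40) for _ in range(5)]


def single_source_flood() -> list:
    """Constructed DoS: one host sends 30 flows per second for 6 seconds."""
    return [(t, "203.0.113.99", VICTIM) for t in range(50, 56) for _ in range(30)]


def classify(flows: list, victim: str, window: int = 10,
             flood_threshold: int = 100, distributed_sources: int = 10) -> str:
    """Return 'normal', 'dos' or 'ddos' for the busiest window of flows to victim.

    A window holding at least flood_threshold flows is a flood; it is 'ddos' when
    those flows come from at least distributed_sources addresses, otherwise 'dos'.
    """
    hits = sorted((t, src) for t, src, dst in flows if dst == victim)
    verdict = "normal"
    for i, (t0, _) in enumerate(hits):
        in_window = [src for t, src in hits[i:] if t < t0 + window]
        if len(in_window) < flood_threshold:
            continue
        if len(set(in_window)) >= distributed_sources:
            return "ddos"            # many sources: distributed, as in the PBQ scenario
        verdict = "dos"              # one or a few sources: plain DoS
    return verdict
```

The thresholds must be tuned to the server’s normal load; the point is that the number of distinct sources, not just the volume, is what separates the two cases and decides whether blocking a single address will help.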
Where Should You Focus Your Study Time?
Quizzes and mock exams are the best way to assess your understanding of this subject and your preparation before taking the Security+ exam.
Moreover, studying the right material is also very important. Some official books recommended by CompTIA for the Security+ exam, SY0-401, include:
- Cert-SYO-401, written by David L. Prowse
- CompTIA Security + All-in-One Exam Guide: Fourth Edition, published by McGraw Hill
- CompTIA Security + Certification Study Guide, published by McGraw Hill
How Is This Information Useful in the Real World?
Knowledge of threats and vulnerabilities is applied in organizations worldwide, including:
- Business communities
- Governmental organizations (law enforcement, military, etc.)
- Non-governmental organizations (NGOs), such as UN AIDS, Orbis International, Acumen Fund, Danish Refugee Council, and so on.
Today, organizations employ threat and vulnerability prevention techniques to protect valuable assets (financial information, emails, spreadsheets, Word documents, etc.), websites, software, intellectual property, and equipment. Moreover, companies can save money by reducing security breaches, which involve direct costs (e.g., cost of data recovery or fines for non-compliance) and indirect costs (e.g., investigation costs, lost customers and productivity).
InfoSec Security+ Boot Camp
The InfoSec Institute offers a Security+ Boot Camp that teaches you the theory and reinforces it with hands-on exercises that help you learn by doing.
InfoSec also offers thousands of articles on all manner of security topics.