SYO-701 Threats, Vulnerabilities, and Mitigations Study Guide for the CompTIA Security+


General Information

This is study material for the CompTIA Security+ SYO-701 exam, which is the replacement for the old (as of July 31, 2024) CompTIA Security+ SYO-601 exam. Be very sure that you are studying materials for the right test.

As far as the importance of the ideas and concepts presented in this study guide, the CompTIA Security+ exam allots about 22% of its questions to them. They will largely be questions that test your factual knowledge, with only about one out of every five questions beginning with a scenario.

Threat Actors

A threat actor is an individual, group, or community with the intent to cause disruptions in the cyber realm. You must be able to understand, differentiate between, and explain possible threat actors and their motivations for the CompTIA Security+ exam.

Attributes of Actors

Attributes of actors are the characteristics that can be used to classify a threat actor. Threat actors are differentiated by motivation, skill set, funding, and whether they are from within (internal) or without (external) the targeted entity.

Internal/External

An internal threat is a threat that comes from within the target network, such as a disgruntled employee, a third-party vendor, or a contractor. An external threat is a threat that originates from outside the target network.

Resources/Funding

Resources and funding are the financial backing behind the threat actor. They can vary from minimal, such as a script kiddie, to high, such as APTs and criminal syndicates.

Level of Sophistication/Capability

The level of sophistication or capability indicates the threat actor’s skill level, including the technical knowledge and technology available for use by the threat actor.

Types of Threat Actors

Different types of threat actors can be classified based on specific attributes that define who, why, and how a threat actor behaves. You should be familiar with different types of threat actors and their associated means and motivations.

Nation-State

Nation-state threat actors are government-funded threats and are typically advanced persistent threats (APTs) that target governmental targets. An APT is often a well-funded threat whose goal is to infiltrate a target network and maintain a persistent presence in it. APTs are usually motivated by political or economic considerations and are highly skilled external threats.

Unskilled Attacker

An unskilled attacker, derogatively referred to as a script kiddie, is usually an external threat and has a limited skill set. Unskilled attackers often rely on automated tools for hacking activities and are typically motivated by a desire to prove their skill set or by simple curiosity.

Hacktivist

Hacktivists are usually external threats but may also be internal, and they are motivated by activist goals. Hacktivists may work in groups or alone and can be either well funded or have limited resources. Skill levels of hacktivists vary, but they share a common goal of interrupting or drawing attention to a perceived wrong.

Insider Threat

An insider threat is a threat that originates from within the target network, such as disgruntled employees, third-party vendors, or contractors. Insider threats can be of any skill level, have varying motivations, and usually work with limited financial resources.

Organized Crime

An organized crime threat actor, also known as a criminal syndicate, is typically a well-funded, skilled external group that is motivated by financial gain.

Shadow IT

Shadow IT describes authorized users who use unauthorized technological solutions to perform functions. For example, an employee who installs a file-sharing program on their personal and work computers to sync information between the two devices without previous authorization from the employer has created shadow IT.

Motivations of Threat Actors

Motivation, or intent, is what drives a threat actor to do what they do. They can be driven by monetary gain, activism, corporate espionage, or political objectives, among other motives.

Data Exfiltration

Those motivated by data exfiltration seek to acquire sensitive or proprietary data from a target, commonly for personal or monetary gain.

Espionage

Those motivated by espionage seek to acquire secret or confidential data from a target, commonly for enemy nation-states or business competitors.

Service Disruption

Those motivated by service disruption seek to interrupt or stop availability to the target. Service disruption can be used to disrupt connection to an individual business, such as a website, or an entire network, such as an emergency response network.

Blackmail

Those motivated by blackmail seek to acquire data or information that can be used to force a target to complete a specified action, such as paying a monetary sum.

Financial Gain

Those motivated by financial gain seek to benefit monetarily by exploiting an attack surface. Organized crime is often motivated by financial gain.

Philosophical/Political Beliefs

Philosophical or political beliefs can motivate threat actors. In such cases, they act to forward an ideological belief or promote awareness of perceived issues. Hacktivists are often motivated by philosophical or political beliefs.

Ethical

An ethical motivation drives a threat actor to expose a vulnerability in a system with the aim of improving its security. White hat hackers are commonly ethically motivated.

Revenge

Those motivated by revenge seek retribution for a perceived threat, embarrassment, or injustice. Revenge-driven actors may target an individual or an entire organization.

Disruption/Chaos

Disruption or chaos can be a goal in itself. Those motivated by this goal will cause problems for the target and disrupt normal operations.

War

When war is a motivating factor, the threat actor usually attempts to disrupt military operations or affect the outcome of a conflict.

Threat Vectors and Attack Surfaces

An attack surface is a vulnerability within a system or application that can be exploited. A threat vector is the method used to exploit the attack surface to gain access to a device, system, or network. You must be able to explain common threat vectors and attack surfaces.

Message

A message-based attack surface is a vulnerability in messaging communications, such as an SMS (text message), email, or IM. A message-based threat vector is the communication used to exploit the attack surface, such as phishing messages.

Email

The email vector attacks a network through email vulnerabilities. Vulnerabilities can include insecure protocols or a lack of employee training and awareness regarding potentially dangerous email communications.

Short Message Service (SMS)

SMS is a text-based communication method that can be used to deliver potentially malicious content, such as phishing texts.

Instant Messaging (IM)

IM is a method of text-based communications that can be used to deliver malicious content to a target. The numerous IM applications create a significant exploitable threat vector.

Image

Malicious code can be embedded within image files, such as photos or graphics. When the image is accessed, the malicious code may be installed on the target system.

File

Malicious code may also be embedded within files. The file-based vector includes files of all sizes and all access methods, including internal/external storage and communication, such as email or text-based messaging.

Voice Call

A voice call can also be used as a vector for exploitation. Voice calls are primarily used to elicit information from call recipients or to gain access to a system through the call recipient.

Removable Device

The removable device vector includes all removable media. Removable media may contain malicious content that can exploit a device or system when connected. A malicious Universal Serial Bus (USB) device is an example of a removable device threat.

Vulnerable Software

Vulnerable software is an attack surface that may be exploited by multiple threat vectors. Vulnerabilities may be present in the software itself or, if the vulnerability has been previously identified, in the lack of proper patch and update management.

Client-Based vs. Agentless

Software may be client-based, meaning it is directly installed on the client device, or agentless, which means the software does not require direct installation for operability.

Unsupported Systems and Applications

Unsupported systems and applications, or systems and applications that have reached end-of-life (EoL), are ones that are no longer receiving updates or security patches from the manufacturer, leaving the systems or software vulnerable to attack.

Unsecure Networks

A network is created when two or more devices are connected to one another, allowing communication. Network connections may be wired, wireless, or Bluetooth, and each connection method creates potential attack surfaces.

Wired

A wired network attack surface is a physical connection to a network that creates direct access to a device, system, or network.

Wireless

A wireless network does not require physical connection methods to establish communications. Wireless networks range from short-range connections, such as near-field communications (NFC), to long-range connections, such as cellular connections. The wireless vector is composed of all wirelessly enabled attack methods, including access point (AP) attacks, Bluetooth attacks, and RFID/NFC attacks.

Bluetooth

A Bluetooth network is a short-range network connection that can be exploited. Common examples of Bluetooth-based threat vectors are bluejacking and bluesnarfing.

Open Service Ports

Open ports and services allow threat actors to gain easy access to a network. Only ports and services that are essential to the network should be open, with all unnecessary ports closed.

Default Credentials

Default settings, such as default credentials, are a common vulnerability. When a product such as a router is initially installed, it may be set with a generic default password. This default password is often widely available via the manufacturer. Default settings should always be changed, and new equipment should never be left in its default state.

Supply Chain

The supply chain vector involves all entities and protocols related to a company’s supply chain or the products the company uses. Supply chain risks occur when the supply chain is insecure, such as when an organization orders switches from a third party: while in transit to the organization, the ordered switches can be intercepted and injected with malware before delivery. This is a supply chain vulnerability.

Managed Service Provider (MSP)

MSPs are third-party entities that can be used to provide management of the supply chain and its related tasks. If the MSP is vulnerable, the networks the MSP manages are also vulnerable.

Vendors

A vendor in a supply chain is an entity that provides goods or services to another entity. Vendors may be the original manufacturers of goods or may acquire goods from other manufacturers.

Suppliers

Suppliers in the supply chain are entities that provide components, either raw or complete, to another entity, such as a microprocessor supplier.

Human Vectors/Social Engineering

Social engineering is a technique by which someone takes advantage of human nature, or the human vector, to manipulate a person into revealing information or performing a task they would not normally do. Social engineering leverages human emotion to elicit a response by preying on human susceptibility to authority, intimidation, consensus, scarcity, familiarity, trust, and/or urgency. Social engineering techniques can be technological in nature or physical interactions.

Phishing

Phishing is a technique that attempts to manipulate a target into revealing information or completing a desired task by fraudulent means. Phishing is most often done through email but includes other communication methods such as SMS and phone communications. Phishing messages need a user interaction to be successful, which can often involve clicking on an embedded link. Commonly targeted information includes credentials, credit card and bank information, and personally identifiable information.

Vishing

Vishing is a phishing technique that is done via telephone. Vishing often uses voice over Internet Protocol (VoIP) services to bypass or spoof caller ID data.

Smishing

Smishing is a phishing technique done through SMS or text messaging.

Misinformation/Disinformation

Misinformation or disinformation is a social engineering technique that uses false or misleading information to elicit a response from a target for the purpose of gaining information or access.

Impersonation

Impersonation is presenting oneself as someone else. Common impersonation tactics include pretending to work for the electric company or IT to access a protected area.

Business Email Compromise

When a business email account is compromised, it can be used as a social engineering tool to elicit a response. A recipient may be tricked into trusting the email because of the recipient's existing relationship with the business.

Pretexting

Pretexting uses a false scenario or pretense to justify interaction with the target. It is often used in conjunction with impersonation.

Watering Hole

In a watering hole attack, the threat actor seeks out a specific website known to be frequented by the target (the “watering hole”) and attacks vulnerabilities within the website to gain access to the target.

Brand Impersonation

Brand impersonation occurs when a threat actor claims to be from a known or reputable brand, misleading the user into trusting the threat and responding based on that implicit brand trust. Brand impersonation is generally done through email or social media.

Typosquatting

Typosquatting is the process of taking advantage of common spelling mistakes, such as misspelling a legitimate URL, to redirect a target to a malicious site.
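As an added illustration of how a defender can spot typosquatted lookalikes of the domains their users trust (this is example code written for this guide, not part of the original study material), the following script scores candidate domains against a constructed allowlist of legitimate domains using edit distance and brand-name containment. The allowlist and candidate domains are constructed for illustration only.

```python
"""Flag domains that look like typosquats of known legitimate domains.

Added example for this study guide (not from the original page). The
allowlist and the candidate domains are constructed for illustration.
"""

# Constructed allowlist of legitimate domains an organization trusts.
LEGIT_DOMAINS = ["example.com", "paypal.com", "microsoft.com"]


def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits (insert, delete, substitute) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_name(domain: str) -> str:
    """Return the label directly before the TLD, e.g. 'paypa1' for 'www.paypa1.com'."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_domain(domain: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legit', 'suspect:<brand>' or 'unknown' for one candidate domain.

    A domain is 'legit' if it is, or is a subdomain of, an allowlisted domain.
    It is 'suspect' if its registrable label is within max_distance edits of a
    brand's label (e.g. paypa1 vs paypal) or embeds the brand label anywhere
    (e.g. microsoft.com.evil.net). Everything else is 'unknown'.
    """
    d = domain.lower().rstrip(".")
    for brand in legit:
        if d == brand or d.endswith("." + brand):
            return "legit"
    name = registrable_name(d)
    for brand in legit:
        brand_name = registrable_name(brand)
        if levenshtein(name, brand_name) <= max_distance or brand_name in d:
            return f"suspect:{brand}"
    return "unknown"


def scan_domains(domains):
    """Classify a batch of domains (e.g. from proxy logs) into a dict of verdicts."""
    return {dom: classify_domain(dom) for dom in domains}
```

Pair the verdicts with a review queue rather than an automatic block, since legitimate third-party domains can also sit within two edits of a short brand name.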
