Threats and Vulnerabilities
Know your enemy before you can defend against them.
Overview
Security+ expects you to identify, classify, and reason about threats and vulnerabilities β not just name them. Answer the five questions below. For each one, go beyond definitions: explain the mechanism, give an example, or describe what a defender should do in response.
Read before you answer
A threat is any potential event or actor that could cause harm to a system; a vulnerability is a weakness that a threat can exploit; and a risk is the likelihood and impact of a threat successfully exploiting a vulnerability. These three concepts are foundational to Security+ and to real-world security work. Understanding the taxonomy of threats β who the adversaries are, what they want, and how they operate β is the starting point for building effective defences. Threat actors range from script kiddies using off-the-shelf tools to nation-state APTs (Advanced Persistent Threats) with substantial resources and long-term objectives.
Attack types covered in Security+ include: malware (viruses, worms, Trojans, ransomware, spyware, rootkits, keyloggers β each with distinct propagation and payload behaviours); social engineering attacks (phishing, spear phishing, vishing, smishing, pretexting, tailgating); and technical exploitation techniques including SQL injection, buffer overflows, cross-site scripting (XSS), privilege escalation, and man-in-the-middle attacks. Phishing remains the leading initial access vector for enterprise breaches because it targets humans, not technology β and humans are harder to patch than software.
Vulnerability management is the ongoing process of identifying, classifying, prioritising, remediating, and verifying vulnerabilities in systems and applications. Key concepts include: CVE (Common Vulnerabilities and Exposures) identifiers that give vulnerabilities a standard reference; CVSS (Common Vulnerability Scoring System) scores that rate severity from 0β10; zero-day vulnerabilities, which are unknown to the vendor and have no available patch; and the distinction between vulnerability scanning (finding weaknesses) and penetration testing (actively exploiting them to assess real-world impact). Defenders must understand attackers' tools and techniques β including the MITRE ATT&CK framework, which catalogues real adversary tactics and techniques β to build meaningful detection and response capabilities.