Lesson 01intermediateKnowledge

Threats and Vulnerabilities

Know your enemy before you can defend against them.

Overview

Security+ expects you to identify, classify, and reason about threats and vulnerabilities β€” not just name them. Answer the five questions below. For each one, go beyond definitions: explain the mechanism, give an example, or describe what a defender should do in response.

Read before you answer

A threat is any potential event or actor that could cause harm to a system; a vulnerability is a weakness that a threat can exploit; and a risk is the likelihood and impact of a threat successfully exploiting a vulnerability. These three concepts are foundational to Security+ and to real-world security work. Understanding the taxonomy of threats β€” who the adversaries are, what they want, and how they operate β€” is the starting point for building effective defences. Threat actors range from script kiddies using off-the-shelf tools to nation-state APTs (Advanced Persistent Threats) with substantial resources and long-term objectives.

Attack types covered in Security+ include: malware (viruses, worms, Trojans, ransomware, spyware, rootkits, keyloggers β€” each with distinct propagation and payload behaviours); social engineering attacks (phishing, spear phishing, vishing, smishing, pretexting, tailgating); and technical exploitation techniques including SQL injection, buffer overflows, cross-site scripting (XSS), privilege escalation, and man-in-the-middle attacks. Phishing remains the leading initial access vector for enterprise breaches because it targets humans, not technology β€” and humans are harder to patch than software.

Vulnerability management is the ongoing process of identifying, classifying, prioritising, remediating, and verifying vulnerabilities in systems and applications. Key concepts include: CVE (Common Vulnerabilities and Exposures) identifiers that give vulnerabilities a standard reference; CVSS (Common Vulnerability Scoring System) scores that rate severity from 0–10; zero-day vulnerabilities, which are unknown to the vendor and have no available patch; and the distinction between vulnerability scanning (finding weaknesses) and penetration testing (actively exploiting them to assess real-world impact). Defenders must understand attackers' tools and techniques β€” including the MITRE ATT&CK framework, which catalogues real adversary tactics and techniques β€” to build meaningful detection and response capabilities.