Security+ Domain 1.0: Threats, Attacks and Vulnerabilities

Chapter 1: Malware and Indicators of Compromise


Polymorphic malware


Armored virus (encryption)











Logic Bombs


Indicators of Compromise

IOC Tools

from FireEye (Mandiant)


from MITRE




Chapter 2: Attacks

Social Engineering

Social Engineering – tricking a person into allowing access to a system; this includes dumpster diving and phishing

Password Guessing – this includes brute force (throwing thousands of passwords at a system), dictionary attacks (hashing every word in the dictionary to compare that hash value to user’s hashed password, looking for matches) and software exploitation (like buffer overflows).

Weak Keys – algorythms that allow the creation of keys with detectable patterns or structures allow weak keys.

Mathematical Attacks – usually these are statistical analyses that attempt to discover keys

Birthday Attacks – taking advantage of the birthday paradox, which is the greater possibility of finding something in common (like a birthday) if you start looking from a known value (like a certain date) rather than trying to analyze all values (like all dates).

WEP Cracking

Man-In-The-Middle Attacks (MIM) – The attacker looks like the server to the client, and looks like the client to the server, thus intercepting traffic and information.

Replay Attacks – These are similar to MIM attacks, except the traffic or information is changed before it is relayed.

TCP/IP Hijacking – setting up a device that appears to be valid to perform an MIM attack; spoofing is the act of falsifying one’s IP address to do this; Address Resolution Protocol (ARP) spoofing does this at the level of MAC addresses, by falsifying the MAC address resolution table.

In Windows, use the shell command:

arp -a

to view your ARP table. Note that you can use the arp -s command to add new entries manually, and the arp -d command to delete them, arp /? for detailed information.

arp -d *
arp /?

Rogue Access Point

SYN/ACK Attacks – Understand the basic nature of client/server connections in order to understand these attacks. A client sends a SYN packet to a server as its opening request, to initiate a “handshake.” The server, if it receives this SYN packet, responds with a SYN-ACK. The client, then, responds with an ACK. Think of it this way:


This is a bit of an oversimplification, because after the very first packet from the client, every packet contains an ACKnowledgement of response, and the final packet exchange will be FIN packets (“we’re finished”).

Here lies the basis of the SYN flood attack. See this Cloudflare page for a longer explanation:
and this Imperva page:
Basically, if I’m an attacker, I can send a server a SYN package, but never acknowledge the ACK that comes back. The server holds a half-open connection for me, but I never reply. Instead I send a new SYN packet from yet another spoofed IP address, opening but never acknowledging another connection. Before long the server is overwhelmed with these faked connections, and DOS results: this is a SYN flood.

A Ping Flood is a bombardment with ping requests, and also the reason ICMP is tightly controlled on secure networks. See Imperva’s page:

The similar Smurf attack occurs when an attacker sends forged ICMP echo request packets to every computer on a network, using a false source IP (usually a server’s). This causes them to send responses to the victim, the server that really holds that IP address. This floods the network, resulting in DOS. A Smurf is made possible by misconfigured network devices that respond to ICMP echoes sent to broadcast addresses (x.x.x.255).

A Fraggle attack is the same technique, used over UDP rather than ICMP.

The Ping of Death is a variant of Smurf that sends deliberately oversized ICMP ping packets (larger than 65,535 bytes), attacking older OSs susceptible to this malformation. It won’t  work any more.

A Land attack is also an older one that sends a packet with the same host (IP) specified as both sender and receiver. This locks up some systems.

Distributed Denial-of-Service (DDoS) Attacks – These attacks amplify the situation by using dozens, hundreds, or thousands of “zombie” computers. If you’re already in this situation, obviously, life is bad.

The Security+ test gets very picky about the differences between these categories. Know these intimately.

Viruses – These attach themselves to something, whether a document or a program. They are executable code. The most common vector is e-mail attachments. The victim has to do something to activate a virus; typically this is clicking on the attachment. Anti-virus software is the (putative) cure.

Worms – These travel by themselves. They do not have to attach themselves to something else. They do not require action by the victim to be launched into action. They do often use e-mail as a convenient vector of propagation. You’ll need both procedures (“Never even open e-mails from unknown sources!”) and products (hardware and software firewalls) to protect against worms.

Logic Bombs – A specific event triggers a logic bomb, which then does its damage. This can be a date or an event like a person’s account being deactivated. Policies like code reviews, practices like network surveillance and monitoring programs, and products like Tripwire (which monitors signatures of executable files for changes) are all necessary, but not sufficient to protect against logic bombs.

Trojan Horses – Some programs disguise themselves as one thing, then reveal an ugly side when they’re opened. People addicted to internet freebie programs are very susceptible to this threat. These things are tough to fight, typically requiring anti-virus and other software to prevent, and often forcing disinfection after an infection occurs. These in particular force me to enforce a rule: “If you don’t HAVE to have a piece of software to do your job, you are FORBIDDEN to have it.” Needless to say this is very unpopular; but I’ve seen more than one business literally bankrupted by violating this practice.

Back Doors – Worms, trojans or viruses may install secret entrances to systems. Sometimes an innocent intent opens this vulnerability, like a programmer’s testing procedure that’s never removed. Sometimes an evil virus like MyDoom creates the opening. Your only protection is network scanning. Visit, for instance, Gibson Research and follow the ShieldsUp! link for a scan of your home PC.

For more malware types and examples, see this Certified Ethical Hacker page on our other site,

Chapter 3: Threat Actors



Chapter 4: Vulnerability Scanning and Penetration Testing

Pen Test Concepts

Active vs Passive reconnaissance




Types of Pen Testing

Black Box

White Box

Gray Box

Vulnerability Scanning


Nessus / OpenVAS


Chapter 5: Vulnerabilities and Impacts

System vulns

Improper input handling

Improper error handling

Misconfiguration / Weak Configuration

Vulnerable users

Improperly configured user accounts

Vulnerable business processes

Weak encryption

Memory vulns

Undocumented assets

Architecture/Design weaknesses

New threats

Improper Certificate and Key Management