Threats are any circumstance or event with the potential to cause harm. The exam expects you to categorize threat actors by their attributes:
- Nation-state actors – highly sophisticated, well-funded, often conduct espionage or sabotage
- Hacktivists – motivated by ideology; use defacement, DDoS, and data leaks
- Insider threats – employees or contractors with legitimate access who misuse it (malicious or unintentional)
- Script kiddies – low skill, rely on existing tools; opportunistic
- Organized crime – financially motivated; common source of ransomware and fraud
Vulnerabilities are weaknesses that can be exploited. Key categories include:
- Application vulnerabilities – buffer overflows, SQL injection, cross-site scripting (XSS), improper input validation
- Operating system vulnerabilities – unpatched software, misconfigured services
- Hardware vulnerabilities – firmware weaknesses, end-of-life devices
- Zero-day vulnerabilities – unknown to the vendor; no patch exists yet
- Misconfiguration – default credentials, open ports, overly permissive access controls
Common attack types tested on the exam include:
- Malware – ransomware, trojans, spyware, worms, rootkits, logic bombs
- Social engineering – phishing, vishing, smishing, pretexting, tailgating, watering hole attacks
- Password attacks – brute force, dictionary, credential stuffing, pass-the-hash
- Man-in-the-middle (MitM) – intercepting communications between two parties
- Denial of Service (DoS/DDoS) – overwhelming resources to disrupt availability
- Supply chain attacks – compromising a vendor or software update to reach downstream targets
Mitigations reduce the likelihood or impact of threats and vulnerabilities:
- Patching and updates – closes known vulnerabilities promptly
- Network segmentation – limits lateral movement after a breach
- Least privilege – users receive only the access required for their role
- Multi-factor authentication (MFA) – reduces risk from stolen credentials
- Endpoint detection and response (EDR) – monitors endpoints for malicious behavior
- Security awareness training – addresses the human element of social engineering
- Intrusion Detection/Prevention Systems (IDS/IPS) – detect or block known attack patterns
The exam often presents scenario-based questions requiring you to match a described attack or vulnerability to the correct mitigation. Focus on understanding why each control works, not just memorizing definitions.