
Common Threat Vectors & Attack Surfaces

Author: Ruchi Bisht
Apr 18, 2025

The CompTIA Security+ (SY0-701) certification arms IT professionals with essential knowledge to protect organizations against cyber threats. A crucial part of this certification is Domain 2 Section 2, which focuses on common threat vectors and attack surfaces. This section teaches how to identify and defend against an attacker’s pathways to exploit vulnerabilities within systems and networks.

This blog delves into Domain 2.2 of the CompTIA Security+ certification, which is pivotal for anyone aspiring to enhance their information security knowledge.

2.2 Explain Common Threat Vectors and Attack Surfaces

This section explores the common threat vectors and attack surfaces, which are key concepts for developing strong cybersecurity defenses. Threat vectors encompass the various methods through which an unauthorized person can access a network or system. On the other hand, attack surfaces represent the vulnerable points that attackers may exploit to gain unauthorized access or extract data. Let us delve into each category outlined in this section.

Message-based:

  • Email: Malicious emails that can trick recipients into providing sensitive information like passwords. For example, an attacker may send an email that looks like it is from a trusted bank, asking the user to confirm their account details via a malicious link.
  • Short Message Service (SMS): Text messages that can contain links to redirect to malicious sites or requests for sensitive information. For example, a smishing attack that involves a text message claiming the recipient has won a prize and must click on a link to claim it. The malicious link leads to a fake website designed to steal personal information.
  • Instant Messaging (IM): Similar to email, IM can be used to send harmful links or files that install malware or spyware, allowing attackers to monitor the victim’s activities. For example, a message might claim to share an interesting article, but the link downloads a keylogger instead.
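The bank lure described under Email can be recognized by a few header and link checks. The following is an added example (not code from the original post); the message, the "Example Bank" brand name and the trusted-domain allow-list are all constructed for illustration.

```python
import email
from email import policy
import re
from urllib.parse import urlparse

# Constructed sample lure: the display name and the visible link text invoke
# "Example Bank", but the sending domain and the real link target do not.
SAMPLE_LURE = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.net>
To: customer@example.org
Subject: Confirm your account details
Content-Type: text/html

<p>Please <a href="http://login.examp1e-bank-verify.net/confirm">
https://www.example-bank.com/login</a> to confirm your details.</p>
"""

# Assumed allow-list: domains the brand actually sends mail from and hosts links on.
TRUSTED_DOMAINS = {"example-bank.com"}
BRAND = "example bank"

ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Crude registrable-domain reduction (last two labels); no public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(raw, trusted=TRUSTED_DOMAINS, brand=BRAND):
    """Return indicator strings for one RFC 5322 message (empty list = nothing seen)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    sender_domain = registrable(sender.domain)
    findings = []
    # 1. Display name claims the brand, but the address is not on a brand domain.
    if brand in sender.display_name.lower() and sender_domain not in trusted:
        findings.append(f"display name {sender.display_name!r} sent from {sender_domain}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in ANCHOR_RE.findall(body):
        target = registrable(urlparse(href).hostname or "")
        shown = urlparse(text.strip()).hostname
        # 2. Visible link text names one domain while the href goes to another.
        if shown and registrable(shown) != target:
            findings.append(f"link text {registrable(shown)} but href {target}")
        # 3. The link leaves the brand's own domains entirely.
        if target not in trusted:
            findings.append(f"link target {target} not a trusted brand domain")
    return findings
```

A mail gateway rule or SOC triage script would apply the same three checks; each finding on its own is only a hint, but all three together on one message are a strong credential-lure signal.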

Image-based: This can involve steganography, where attackers hide malicious code inside an image, or specially crafted images that exploit vulnerabilities in the software that processes them. An example could be an image posted on a social network that, when downloaded and opened, executes malware that infects the user’s system.

File-based: This involves malware concealed within a document or a PDF file, which triggers when the file is accessed or downloaded. For example, a PDF file containing important information might carry hidden malware that exploits vulnerabilities in the PDF reader software, enabling unauthorized access or initiating harmful activities on the user’s device.

Voice Call: Voice phishing or vishing uses phone calls to trick individuals into giving out private information or to deceive them into performing harmful actions. For example, an attacker might pose as a victim’s bank representative, claiming account irregularities to extract account details from the victim.

Removable Device: Devices like USB drives can be used to transfer malware to a system when connected. For example, an attacker could drop an infected USB drive in a public place, counting on someone’s curiosity to plug it into their system, unwittingly installing malware.

Vulnerable Software: This refers to programs or applications with known security weaknesses or flaws that could be exploited by hackers to compromise systems or steal data. For example, an outdated web browser that has not been patched for known security vulnerabilities is susceptible to attacks targeting those weaknesses.

Unsupported Systems and Applications: These systems no longer receive security updates, making them susceptible to known exploits. For example, suppose a company uses an outdated operating system that no longer receives security patches. In that case, it is exposed to known exploits already addressed in newer versions.

Unsecure Networks:

  • Wireless: Vulnerable to unauthorized access due to weak encryption or default settings, enabling interception of transmitted data. For example, an open Wi-Fi network at a café allows eavesdropping on transmitted data and compromises user privacy.
  • Wired: Physical access can compromise security, as network cables are accessible. Without encryption, data transmitted over wires can be intercepted. For example, an unsecured Ethernet port in an office allows an unauthorized individual to plug in and access sensitive information.
  • Bluetooth: Susceptible to attacks like Bluejacking or Bluesnarfing due to pairing vulnerabilities, allowing unauthorized access to devices or data transfer without user consent. For example, an unsecured Bluetooth device in a crowded area might expose personal data to nearby hackers.

Open Service Ports: This refers to network ports on any system or device that are actively listening and awaiting incoming network connections. These ports allow communication between applications, services, and external networks. However, if these ports are left open unintentionally or without proper security measures, they can potentially expose the device to unauthorized access, exploitation, or attacks from malicious actors on the internet.

Default Credentials: A network router may have a default admin username and password that are widely known. If these remain unchanged, an attacker could easily log in to change configurations or intercept data.

Supply Chain: This refers to the risk of inserting or installing malicious software or hardware while a product is being manufactured or distributed.

  • Managed Service Providers (MSPs): Attackers target MSPs to gain access to their clients’ networks. For example, if an MSP is compromised, the attacker can deploy ransomware to all the MSP’s clients simultaneously.
  • Vendors: A company’s vendor may have inadequate security; if compromised, the attacker could access the company’s systems. For example, an attacker breaches a vendor’s system and uses it as a launch point to attack the company’s network.
  • Suppliers: Similar to vendors, but might also include physical components. For example, if a supplier’s hardware is compromised, it could include a hardware Trojan that affects all products made with it.

Human Vectors/Social Engineering: Human vectors or social engineering techniques are deceptive methods exploiting human psychology for malicious purposes. Here are some common techniques:

  • Phishing: An attacker sends an email masquerading as a trusted entity, like a bank, urging users to divulge personal details.

For example, an email appearing to be from a bank asks users to update account information by clicking on a link. The link leads to a counterfeit website designed to steal login credentials.

  • Vishing: A phone scam where the attacker pretends to be a tech support agent and convinces an employee to give remote access to their computer.

For example, an individual posing as a technical support agent calls an employee, claims to be from the IT department, and says they need remote access to resolve a purported issue. Through convincing dialogue, they gain access to the employee’s system.

  • Smishing: A text message scam where an attacker sends a deceptive message that seems to be from a trusted organization, urging the recipient to reveal personal information.

For example, a person receives a text claiming to be from a delivery service, stating a package delivery failed and urging them to click a link to provide updated details. Clicking the link installs malware on their device.

  • Misinformation/Disinformation: Spreading false information to manipulate or deceive individuals.

For example, spreading rumors about a company to manipulate stock prices.

  • Impersonation: An attacker may deceive staff or systems by pretending to be someone else, such as a company executive, to gain access to sensitive areas or information.

For example, a hacker impersonates a company’s CEO via email, instructing an employee in accounting to wire a significant sum of money to a fraudulent account.

  • Business Email Compromise (BEC): A targeted attack where a hacker gains unauthorized access to a corporate email account and impersonates the owner’s identity to deceive and defraud the company.

For example, a cybercriminal gains access to a company’s email system, impersonates the CEO, and instructs the finance department to transfer funds to a fake account.

  • Pretexting: An attacker creates a fabricated scenario to extract personal information, such as pretending to be a bank official to obtain a victim’s account details.

For example, an individual calls a victim pretending to be from the HR department, fabricating an urgent situation and requesting the victim’s personal information under the guise of updating records.

  • Watering Hole: A cyber attack strategy where cybercriminals target specific groups or organizations by infecting websites the targeted group frequently visits.

For example, an attacker targets a finance-related forum frequently visited by employees of a financial institution. They infect the forum with malware.

  • Brand Impersonation: Falsely representing a known brand or company to deceive individuals into sharing personal or financial information.

For example, an attacker creates a spoof website or social media profile imitating a well-known retailer, enticing customers to enter personal details to win a non-existent contest.

  • Typosquatting: Registering domains that are misspellings of popular websites to catch users who make typographical errors and direct them to potentially malicious sites.

For example, a user mistakenly types “facebok.com” instead of “facebook.com,” leading them to a fraudulent site imitating the social media platform, aiming to capture login credentials.
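Defenders catch typosquats such as “facebok.com” by measuring how far a newly seen domain is from the brand domains they protect. The following is an added example, not code from the original post; the protected-domain list, the homoglyph table and the edit budgets are assumptions, and the domain split is deliberately crude (no public-suffix list).

```python
# Assumed list of the organization's own registrable domains to protect.
PROTECTED = ["facebook.com", "example-bank.com"]

# Look-alike characters attackers substitute; folded before measuring distance
# so "faceb00k"-style spellings collapse onto the real label.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})
MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(label):
    label = label.lower().translate(HOMOGLYPHS)
    for src, dst in MULTI:
        label = label.replace(src, dst)
    return label


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance: insertions,
    deletions, substitutions and adjacent swaps, i.e. the common typing slips."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain):
    """Crude split into (second-level label, tld); no public-suffix list used."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) > 1 else (labels[0], "")


def lookalike_of(candidate, protected=PROTECTED):
    """Return the protected domain that `candidate` resembles, or None."""
    candidate = candidate.lower().rstrip(".")
    if candidate in protected:
        return None  # the genuine domain itself
    c_label, _ = split_domain(candidate)
    for target in protected:
        t_label, _ = split_domain(target)
        # One slip for short labels, two for longer brand names. A wrong TLD with
        # an identical label (facebook.co) gives distance 0 and is caught as well.
        budget = 1 if len(t_label) <= 6 else 2
        if edit_distance(normalize(c_label), normalize(t_label)) <= budget:
            return target
    return None
```

Run over newly registered domain feeds or proxy logs, a hit from `lookalike_of` is a candidate for a takedown request or a block-list entry rather than an automatic verdict, since short brand names also collide with legitimate words.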

Master CompTIA Security+ with InfosecTrain

Join InfosecTrain’s CompTIA Security+ certification training course as we navigate the intricate details of common threat vectors and attack surfaces, a critical component of the CompTIA Security+ curriculum. This training equips participants with crucial skills and techniques essential for executing effective threat assessments, fortifying network defenses, and adeptly responding to evolving cybersecurity challenges.
