SY0-601 Attacks, Threats, and Vulnerabilities Study Guide for the CompTIA Security+

General Information

Questions on the CompTIA Security+ SYO-601 exam pertaining to the following group of topics involve knowing about these dangers to your IT operation and fully understanding their causes and ramifications. About 24% of the questions on the entire test relate to these areas. The test sometimes presents a scenario at the beginning of a question, giving you a frame of reference for selecting an answer. About 37% of the Attacks, Threats, and Vulnerabilities questions begin with a scenario.

Social engineering is a technique by which someone takes advantage of human nature to manipulate a person into revealing information or performing a task that they would not normally do. Social engineering leverages human emotion to elicit a response by preying on human weaknesses to authority, intimidation, consensus, scarcity, familiarity, trust, and urgency. Social engineering techniques can be technological in nature or physical interactions.

Types of Techniques

The types of techniques used for social engineering can be both technological and in-person. Both types of techniques leverage human emotions to reach a desired outcome. Social engineering techniques may also be direct or indirect and targeted to a specific person or generalized to a broad group. The following techniques are included on the CompTIA Security+ exam.

phishing—Phishing is a technique that attempts to manipulate a target into revealing information or completing a desired task by fraudulent means. Phishing is most often done through email but includes other communication methods such as SMS and phone communications. Phishing messages need user interaction to be successful, which can involve clicking on an embedded link. Commonly targeted information includes credentials, credit card and bank information, and personally identifiable information.

smishing—Smishing is a phishing technique that is done through SMS or text messaging.

vishing—Vishing is a phishing technique that is done via telephone. Vishing often uses voice over IP (VoIP) services to bypass or spoof caller ID data.

spam—Spam, otherwise known as junk or unsolicited mail, is a broad term for messages that are not requested by the recipient. They are typically sent via email but can come through other methods like SMS. Spam uses social engineering to tempt the recipient into completing a task, such as following a link or buying a product.

spam over instant messaging (SPIM)—SPIM is unsolicited mail sent via instant messaging.

spear phishing—Spear phishing is a technique that directly targets a specific group or individuals in an organization. Spear phishing is a more complex type of phishing that is tailored to the targeted group.

dumpster diving—Dumpster diving is a physical social engineering technique where the threat actor attempts to collect sensitive information by literally going through a target’s trash or dumpster.

shoulder surfing—Shoulder surfing is the act of collecting information from a target by visually looking at the target screen, generally by looking over a shoulder or in a mirror.

pharming—Pharming is the act of redirecting traffic from legitimate websites to malicious websites, typically by changing the entries in a DNS server.

tailgating—Tailgating is physically following an authorized person through a security point like a door.

eliciting information—Eliciting information, also called elicitation, is a social engineering attack that attempts to lure or trick the target into revealing sensitive information. Elicitation uses techniques such as flattery or false ignorance to trick the target into revealing more information than intended.

whaling—Whaling is a phishing attack that targets specific high-level employees such as CEOs or CFOs.

prepending—Prepending is the act of adding additional information to elicit a response. Prepending, as a cyber threat, can mean any one of three things: adding an expression or phrase in the header of an email, attaching additional information to a cyber attack, or suggesting topics to steer the target into revealing sensitive information in a social engineering attack. Each of these methods is intended to trick the target into responding in a specific manner, such as clicking on a link or providing information to the threat actor.

identity fraud—Identity fraud occurs when a threat actor uses someone else’s identity. This can be done for financial gain or so the threat actor can be granted access to valuable information.

invoice scams—Invoice scams can be either electronic or physical and involve sending fake invoices to targets to elicit illegitimate payments.

credential harvesting—Credential harvesting is the act of collecting numerous credentials like a list of usernames and passwords, often through phishing or data breaches.

reconnaissance—Reconnaissance is the process of covertly collecting information about a target, such as information about a system or employee habits.

hoax—A hoax is a fictitious scenario, such as an outrageous news story or false virus alert, used to trick the target into revealing information or completing an action like clicking on a link.

impersonation—Impersonation is presenting oneself as someone else. Common impersonation tactics include pretending to work for the electric company or IT to gain access to a protected area.

watering hole attack—In a watering hole attack, the threat actor seeks out a specific website that is known to be frequented by the target (the “watering hole”) and attacks vulnerabilities within the website to gain access to the target.

typosquatting—Typosquatting is the process of taking advantage of common spelling mistakes, such as misspelling a legitimate URL, to redirect a target to a malicious site.

pretexting—Pretexting is using a false scenario or pretense to justify interaction with the target. It is often used in conjunction with impersonation.

Campaigns of Influence

Campaigns of influence are used to shift the view of public opinion to a desired viewpoint. Influence campaigns use disinformation and propaganda to alter the popular opinion of the target sector. They are often large-scale campaigns run by nation-states as a part of hybrid warfare.

Hybrid Warfare

Hybrid warfare is a type of offensive action that falls just short of physical warfare. Hybrid warfare involves political warfare, cyberwarfare, and information warfare designed to be subversive without being directly aggressive.

Social media is tightly coupled with influence campaigns and can be used to spread disinformation and propaganda quickly and efficiently by nation-state actors.

Principles That Enable Effectiveness

Social engineering relies on human emotion and reaction to be effective. A threat actor will use principles that target and elicit specific human reactions to achieve the desired outcome. Social engineers take advantage of morals, social traditions, and values to trigger a stress reaction and gain information.

Authority

Authority relies on the instinct of human nature to inherently obey someone who appears to be in a position of authority, such as a manager or a government official.

Intimidation

Intimidation uses fear, threats, or bullying tactics to elicit a specific response from a target.

Consensus

Consensus utilizes popular opinion or response to get a target to react in a desired fashion and relies on the human need to be accepted, not left out, and part of a majority group.

Scarcity

Scarcity is a social engineering principle that creates the appearance that something, such as a product or opportunity, is the last one or has very limited availability.

Familiarity

Familiarity relies on using a target’s knowledge of a person or organization to create a likeability or normalcy bond.

Trust

Trust uses a person’s knowledge of people or organizations to create an inherent trust bond to get the target to act accordingly.

Urgency

Urgency creates the sense that immediate action is required, typically followed by negative consequences if the action is not completed.