Study Risk, Vulnerability, Exploit & CIA for Network+ (N10-009)
Keep security terminology straight so scenario questions do not collapse into vague security language.
Security terminology questions are classification questions. CompTIA uses them to check whether you can keep the basic security language straight under pressure. If you confuse the weakness with the attack method or the risk with the control objective, you usually pick the wrong answer later in the scenario.
Exploit: A method or code path used to take advantage of a vulnerability.
CIA triad: Confidentiality, integrity, and availability, the three core security objectives used to describe what needs protection.
Vulnerability: A weakness that could be used by a threat or exploit path.
What CompTIA is really testing
The strongest answers usually depend on whether you can separate:
- threat from vulnerability
- vulnerability from exploit
- exploit from impact
- confidentiality from integrity from availability
Keep the terms straight
| Term | What it means |
|---|---|
| threat | a possible danger, actor, event, or condition that could cause harm |
| vulnerability | a weakness that can be taken advantage of |
| exploit | the method used to take advantage of that weakness |
| risk | the potential for loss or harm when threats meet vulnerabilities |
| confidentiality | only authorized parties can access the information |
| integrity | data or systems remain accurate and trustworthy |
| availability | systems or data remain reachable when needed |
A simple reasoning chain
flowchart LR
A["Threat or attacker"] --> B["Vulnerability exists"]
B --> C["Exploit path is used"]
C --> D["Impact affects confidentiality, integrity, or availability"]
What to notice:
- these words describe different parts of the same chain
- if you collapse them together, you choose vague or mismatched controls
CIAhelps you describe what was actually harmed or what the control is trying to protect
Small scenario example
1Weak admin password
2-> vulnerability
3Credential stuffing script
4-> exploit technique
5Unauthorized config change
6-> integrity impact
What to notice:
- the weakness is not the same thing as the attack technique
- the resulting impact is not the same thing as the vulnerability
- CompTIA often hides the correct answer in that distinction
Common traps
- using threat and vulnerability interchangeably
- assuming confidentiality is always the main issue when integrity or availability is the better fit
- naming a control before identifying the weakness
- calling the attacker action itself “the risk” without describing the underlying weakness or impact
What strong answers usually do
- identify the weakness before choosing the control
- classify the attacker action separately from the underlying vulnerability
- use the
CIAlens to describe what is actually being harmed - keep the terminology precise enough that the mitigation choice makes sense
Quiz
Continue with 4.5 Audits, Compliance & Data Locality to keep the domain flow intact.