Analyze Threat Vectors and Attack Surfaces for Security+ (SY0-701)
Recognize phishing, social engineering, exposed services, unsecure networks, supply-chain paths, and other attack surfaces on Security+.
Threat vectors describe how an attacker reaches the target. Security+ expects you to identify the path before you choose the control. If you misread the vector, you often recommend the wrong mitigation even when your general security instincts are good.
Attack surface: The set of reachable paths, services, users, devices, or integrations an attacker can try to exploit.
DMARC: Domain-based Message Authentication, Reporting, and Conformance, an email policy that helps receiving systems handle spoofed sender domains.
Rogue AP: A wireless access point that creates an unauthorized or unsafe network entry path.
What the exam is really testing
CompTIA is usually checking whether you can:
- separate the delivery path from the exploited weakness
- identify the part of the attack surface that is unnecessarily reachable
- choose the strongest control for the abused path, not just for the final symptom
Common vector families
| Vector family | What it looks like |
|---|---|
| Message-based | phishing, spear phishing, smishing, malicious links, malicious attachments |
| Social engineering | pretexting, baiting, tailgating, impersonation |
| Unsecure networks | rogue APs, evil twins, weak wireless, open services, MITM exposure |
| File-based | infected documents, macros, trojanized downloads, malicious scripts |
| Voice-call based | vishing, help-desk impersonation, urgent callback scams |
| Supply chain | compromised vendor updates, poisoned packages, third-party access abuse |
| Vulnerable software and exposed services | unpatched apps, public admin portals, weak APIs, insecure defaults |
Vector chooser
| Scenario clue | Strongest first label |
|---|---|
| Malicious link or attachment arrives by email or text | Message-based vector |
| Caller pressures help desk to reset access | Voice or social-engineering vector |
| Unsanctioned update or package is trusted and installed | Supply-chain vector |
| Internet-facing admin service with weak protection | Exposed attack surface |
| Open wireless path or rogue AP | Unsecure-network vector |
Attack path model
flowchart LR
A["Threat actor"] --> B["Vector"]
B --> C["Attack surface"]
C --> D["Exploited weakness"]
D --> E["Impact"]
What to notice:
- the vector is not the same thing as the vulnerability
- the attack surface is the reachable target area
- CompTIA often wants the strongest control at the vector or surface layer, not only after impact
Attack-surface reminder
Attack surface is broader than “internet exposure.” It also includes:
- exposed admin interfaces
- weak wireless entry points
- over-broad SaaS sharing
- file-import paths
- trusted vendor or third-party integration channels
Example: mail authentication record
Security+ often ties message-based attacks to SPF, DKIM, and DMARC:
1example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
What to notice:
- DMARC helps enforce sender-domain policy
- it does not replace user awareness, mail filtering, or attachment controls
- the exam may ask for the strongest additional control when spoofed mail is part of the scenario
Common traps
- calling a phishing email the vulnerability instead of the vector
- ignoring exposed management interfaces on the internet
- treating supply-chain risk like ordinary patching risk
- forgetting that voice and human channels are part of the attack surface
- treating “the attack surface” as only ports and IP addresses
What strong answers usually do
- identify the first abusive path before recommending a control
- distinguish the reachable surface from the weakness that will be exploited later
- choose the control that reduces that specific path, such as email protections for message delivery or access narrowing for exposed admin services
- remember that users, help desks, wireless, and third-party channels are part of the attack surface too
Harder scenario question
A company’s support staff receive calls from someone claiming to be an executive who urgently needs a password reset before a board meeting. The caller knows internal names and titles, and the support process currently allows resets after a few verbal checks. Which statement is strongest?
A. The main issue is only password complexity B. This is a social-engineering and voice-based vector abusing a weak help-desk attack surface C. The only solution is a larger firewall D. The event is best classified as a cold-site failure
Best answer: B. The attacker is reaching the target through a human support channel, which is part of the attack surface even though no malware attachment or public server is involved.
Quiz
Continue with 2.3 Vulnerabilities to separate the entry path from the actual weakness being exploited.