Study CompTIA SY0-701 Threat Vectors and Attack Surfaces: key concepts, common traps, and exam decision cues.
Threat vectors describe how an attacker reaches the target. Security+ expects you to identify the path before you choose the control. If you misread the vector, you often recommend the wrong mitigation even when your general security instincts are good.
Attack surface: The set of reachable paths, services, users, devices, or integrations an attacker can try to exploit.
DMARC: Domain-based Message Authentication, Reporting, and Conformance, an email policy that helps receiving systems handle spoofed sender domains.
Rogue AP: A wireless access point that creates an unauthorized or unsafe network entry path.
CompTIA is usually checking whether you can recognize which vector family a scenario describes before you pick a control:
| Vector family | What it looks like |
|---|---|
| Message-based | phishing, spear phishing, smishing, malicious links, malicious attachments |
| Social engineering | pretexting, baiting, tailgating, impersonation |
| Unsecure networks | rogue APs, evil twins, weak wireless, open services, MITM exposure |
| File-based | infected documents, macros, trojanized downloads, malicious scripts |
| Voice-call based | vishing, help-desk impersonation, urgent callback scams |
| Supply chain | compromised vendor updates, poisoned packages, third-party access abuse |
| Vulnerable software and exposed services | unpatched apps, public admin portals, weak APIs, insecure defaults |
Map the scenario clue to the label the exam most often wants first:

| Scenario clue | Strongest first label |
|---|---|
| Malicious link or attachment arrives by email or text | Message-based vector |
| Caller pressures help desk to reset access | Voice or social-engineering vector |
| Unsanctioned update or package is trusted and installed | Supply-chain vector |
| Internet-facing admin service with weak protection | Exposed attack surface |
| Open wireless path or rogue AP | Unsecure-network vector |
```mermaid
flowchart LR
A["Threat actor"] --> B["Vector"]
B --> C["Attack surface"]
C --> D["Exploited weakness"]
D --> E["Impact"]
```
What to notice: the vector is the path the actor takes, the attack surface is everything that path can reach, and the weakness is what actually gets exploited. Attack surface is broader than “internet exposure.” The definition above also counts users, devices, and integrations, so a help-desk reset process, a wireless network, or a trusted vendor update channel is part of the surface even when no public server is involved.
Security+ often ties message-based attacks to SPF, DKIM, and DMARC:
```dns
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
```
What to notice: the record is published at the `_dmarc` label of the sending domain, not at the bare domain. SPF and DKIM do the actual authentication; DMARC ties their results to the domain in the visible From header and tells the receiver what to do when neither passes with an aligned domain. `p=reject` asks receivers to drop such messages outright (`quarantine` and `none` are the weaker options), and `rua=` names the mailbox that receives aggregate reports. Exam cue: when a scenario is about spoofed sender domains, the answer is SPF/DKIM/DMARC, not an anti-malware or firewall control.
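To make the receiving-side decision concrete, here is an added example (not CompTIA material or any mail vendor's code) that parses a DMARC record like the one above, checks SPF and DKIM identifier alignment against the From-header domain, and returns the disposition the policy requests. The SPF and DKIM results are passed in as already-computed inputs with constructed sample domains rather than fetched from DNS, and the organizational-domain helper is a deliberate two-label shortcut, not a Public Suffix List lookup.

```python
"""Minimal DMARC policy evaluator (added example, not from the original page).

Given a DMARC TXT record plus already-computed SPF/DKIM results, decide
whether a message passes DMARC and which disposition the policy requests.
Authentication results and domains are constructed sample data.
"""


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p= if absent
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.

    Assumption of this example: real receivers use the Public Suffix List,
    so this shortcut is wrong for suffixes such as co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts any subdomain of the same organizational domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(record: str, policy_domain: str, from_domain: str,
             spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str) -> tuple:
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is
    the d= tag of the signature that verified. Results are 'pass' or 'fail'.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # Failing mail gets p= for the policy domain itself, sp= for its subdomains.
    is_exact = from_domain.lower().rstrip(".") == policy_domain.lower().rstrip(".")
    return False, policy["p"] if is_exact else policy["sp"]


if __name__ == "__main__":
    record = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
    # Legitimate mail: SPF passes for a subdomain, relaxed alignment accepts it.
    print(evaluate(record, "example.com", "example.com",
                   "pass", "mail.example.com", "pass", "example.com"))
    # Spoof: attacker's own domain passes SPF but does not align with From.
    print(evaluate(record, "example.com", "example.com",
                   "pass", "attacker.invalid", "fail", ""))
```

The second call shows the point the record is making: an attacker can pass SPF for infrastructure they control, but without alignment to the From domain the message still fails DMARC and `p=reject` applies.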
A company’s support staff receive calls from someone claiming to be an executive who urgently needs a password reset before a board meeting. The caller knows internal names and titles, and the support process currently allows resets after a few verbal checks. Which statement is strongest?
A. The main issue is only password complexity
B. This is a social-engineering and voice-based vector abusing a weak help-desk attack surface
C. The only solution is a larger firewall
D. The event is best classified as a cold-site failure
Best answer: B. The attacker is reaching the target through a human support channel, which is part of the attack surface even though no malware attachment or public server is involved.
Separate the delivery path from the weakness it reaches. Email, phishing sites, removable media, exposed portals, and trusted vendor updates are vectors. Unnecessary internet exposure increases reachable attack surface even before exploitation happens. Security+ usually wants you to notice whether the scenario is about how the attacker got in, not just what happened next.
Continue with 2.3 Vulnerabilities to separate the entry path from the actual weakness being exploited.