⚡ Why this matters on the exam
The Security+ exam doesn't just ask you to name attacks — it gives you a scenario and asks you to identify what type of attack is occurring and what the appropriate response is. Understanding how each attack works is what separates candidates who pass from those who memorized definitions and still failed.
Social engineering attacks
Social engineering attacks exploit people rather than technology. They're the most common attack vector in real-world breaches and heavily tested on both A+ and Security+.
Phishing
Fraudulent emails or messages that appear to come from a trusted source, designed to trick the recipient into revealing credentials, clicking malicious links, or downloading malware.
Variants
Spear phishing (targeted), whaling (targeting executives), vishing (voice/phone), smishing (SMS)
Defence
User training, email filtering, MFA, DMARC/DKIM/SPF email authentication
Pretexting
An attacker creates a fabricated scenario (pretext) to manipulate a victim into providing information or access — for example, impersonating IT support to get a password reset.
Example
"Hi, this is IT support. We're seeing unusual activity on your account. Can you confirm your password?"
Defence
Identity verification procedures, security awareness training, call-back verification
Tailgating / piggybacking
Physically following an authorized person through a secured door without using credentials. Tailgating is without the victim's knowledge; piggybacking is with their (mistaken) cooperation.
Example
An attacker carries boxes and asks an employee to hold the door, gaining access to a secure area
Defence
Mantraps, security guards, badge-only access, security awareness training
Baiting
Leaving infected USB drives or other media in a location where a curious victim will find and plug them in, automatically installing malware.
Example
USB drives labelled "Payroll Q4" left in a company car park
Defence
Disable autorun, USB port controls, security awareness training
Network-based attacks
Man-in-the-middle (MitM)
An attacker secretly intercepts and potentially alters communications between two parties who believe they are communicating directly with each other.
Methods
ARP poisoning, DNS spoofing, SSL stripping, rogue Wi-Fi hotspot
Defence
HTTPS/TLS, certificate pinning, VPN, mutual authentication, HSTS
Denial of service (DoS)
An attack that overwhelms a system, server, or network with traffic or requests, making it unavailable to legitimate users. The traffic comes from a single source.
Types
Flood attacks (SYN flood, ping flood), Smurf attack, Ping of Death
Defence
Firewalls, rate limiting, IPS, ISP-level filtering
Distributed denial of service (DDoS)
A DoS attack launched simultaneously from many compromised systems (a botnet), making it far harder to block since the traffic comes from thousands of different IP addresses.
Key difference
DoS = single attacker. DDoS = many attackers (often a botnet of infected machines)
Defence
DDoS mitigation services (Cloudflare, Akamai), scrubbing centres, anycast routing
Replay attack
An attacker captures valid authentication data (such as a session token) and retransmits it later to gain unauthorized access, without needing to know the actual credentials.
Example
Capturing an authentication token on an unencrypted network and replaying it to log in
Defence
Session tokens with expiry, timestamps, nonces (one-time-use values), TLS
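The defences listed above (timestamps, nonces, a keyed MAC) fit together into one check. The following is an added example, not code from the original page: a client builds a request carrying a timestamp and a one-time nonce under an HMAC, and the server rejects anything stale, tampered with, or already seen. The shared key, the 30-second window and the request format are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret and freshness window; real systems derive the key
# from a key exchange and tune the window to their clock skew.
SHARED_KEY = b"constructed-demo-shared-key"
WINDOW_SECONDS = 30


def _mac(ts: str, nonce: str, action: str) -> str:
    """Keyed MAC over everything the server relies on, so none of it can be altered."""
    msg = f"{ts}|{nonce}|{action}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def build_request(action: str, now: float) -> dict:
    """Client side: fresh timestamp plus a random nonce that is only ever used once."""
    ts = str(int(now))
    nonce = secrets.token_hex(16)
    return {"ts": ts, "nonce": nonce, "action": action, "mac": _mac(ts, nonce, action)}


class ReplayGuard:
    """Server side: verifies the MAC, enforces the time window, then rejects repeated nonces."""

    def __init__(self) -> None:
        self.seen = {}  # nonce -> timestamp it was first accepted at

    def accept(self, req: dict, now: float):
        # 1. Integrity first: a captured request that was modified fails here.
        expected = _mac(req["ts"], req["nonce"], req["action"])
        if not hmac.compare_digest(expected, req["mac"]):
            return False, "bad mac"
        # 2. Freshness: a request replayed long after capture is outside the window.
        ts = int(req["ts"])
        if abs(now - ts) > WINDOW_SECONDS:
            return False, "stale"
        # 3. Uniqueness inside the window: prune old nonces, then refuse a repeat.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}
        if req["nonce"] in self.seen:
            return False, "replay"
        self.seen[req["nonce"]] = ts
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    req = build_request("transfer", now=1000.0)
    print(guard.accept(req, 1000.0))   # (True, 'ok')
    print(guard.accept(req, 1005.0))   # (False, 'replay')
    print(guard.accept(req, 1100.0))   # (False, 'stale')
```

The nonce store only needs to remember values inside the window, which is why the timestamp check comes before the nonce check: without the window, the server would have to remember every nonce forever.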
ARP poisoning
An attacker sends fake ARP (Address Resolution Protocol) replies to associate their MAC address with a legitimate IP address, redirecting traffic through their machine.
Used for
Enabling man-in-the-middle attacks on a local network segment
Defence
Dynamic ARP inspection (DAI), static ARP entries, VLANs, encrypted traffic
DNS poisoning (DNS cache poisoning)
Corrupting a DNS cache so that domain name lookups return malicious IP addresses, redirecting users to attacker-controlled servers without their knowledge.
Example
User types bank.com but DNS returns attacker's IP — they land on a fake login page
Defence
DNSSEC, encrypted DNS (DoH/DoT), monitoring for DNS anomalies
Application and web attacks
SQL injection
An attacker inserts malicious SQL code into an input field (login form, search box) that gets executed by the database, potentially exposing or deleting data.
Classic example
Entering admin' OR '1'='1 in a login field to bypass authentication
Defence
Parameterised queries / prepared statements, input validation, WAF, least privilege DB accounts
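To see why parameterised queries are the primary defence, the following added example (not from the original page) runs the classic login bypass above against two versions of the same login function on a constructed in-memory SQLite table. The table, its single user and the plaintext password column are assumptions for the demonstration only; a real system stores salted password hashes.

```python
import sqlite3

# Constructed database: one user, plaintext password purely to keep the query simple.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: the user's quote characters become part of the SQL text.

    With username  admin' OR '1'='1  the query turns into
      ... WHERE username = 'admin' OR '1'='1' AND password = '...'
    and the OR branch makes the row match regardless of the password.
    """
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement: values travel separately from the SQL, so quotes are just data."""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))       # True
    print("parameterised:", login_parameterised(db, payload, "wrong")) # False
```

Input validation and a least-privilege database account are defence in depth on top of this; they narrow what an injection can reach, but only the prepared statement removes the injection itself.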
Cross-site scripting (XSS)
An attacker injects malicious scripts into web pages viewed by other users. The script runs in the victim's browser, potentially stealing session cookies or credentials.
Types
Stored XSS (persisted in DB), Reflected XSS (via URL), DOM-based XSS
Defence
Output encoding, Content Security Policy (CSP), input validation, HTTPOnly cookies
Cross-site request forgery (CSRF)
Tricks an authenticated user's browser into sending unintended requests to a web application — for example, transferring funds without the user's knowledge.
Key distinction
XSS exploits the user's trust in a site. CSRF exploits the site's trust in the user's browser.
Defence
CSRF tokens, SameSite cookies, re-authentication for sensitive actions
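The CSRF token defence works because a forged cross-site request carries the victim's cookies but cannot read or guess a value the site placed in its own form. The following added example (not the page's code) binds the token to the session with an HMAC and shows the cookie attributes that back it up; the server key, the session identifiers and the cookie name are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed per-deployment secret; a real application loads this from its config.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Embed this in the form. Deriving it from the session means a token copied
    out of one user's page is useless against another user's session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_state_changing_request(session_id: str, form_token: str) -> bool:
    """Run on every POST that changes state (transfer, password change, ...).
    A forged request from another origin has the cookie (so session_id is valid)
    but no way to supply the matching form token."""
    if not form_token:
        return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, form_token)


def session_cookie_header(session_id: str) -> str:
    """SameSite=Lax stops the browser attaching the cookie to cross-site POSTs at all,
    which is the second defence from the list; Secure and HttpOnly harden it further."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    token = issue_csrf_token("session-alice")
    print(check_state_changing_request("session-alice", token))  # True: genuine form post
    print(check_state_changing_request("session-alice", ""))     # False: forged cross-site post
```

Re-authentication for the most sensitive actions remains worthwhile even with both controls in place, because it defends against a token leaked through some other bug (an XSS flaw on the same site, for instance).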
Password and credential attacks
Brute force
Systematically trying every possible password combination until the correct one is found. Effective against short or simple passwords but slow against long, complex ones.
Variant
Dictionary attack — tries words from a list rather than every combination. Much faster for common passwords.
Defence
Account lockout policies, MFA, long complex passwords, rate limiting login attempts
Rainbow table attack
Uses precomputed tables of hash values to reverse password hashes. Instead of hashing guesses in real time, the attacker looks up the hash in the table to find the original password instantly.
Why it works
Unsalted hashes — if two users have the same password, their hashes match, making table lookups possible
Defence
Salting passwords (adds random data before hashing, making precomputed tables useless)
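The "why it works" point above becomes concrete when you build the lookup yourself. This added example (not from the original page) precomputes a tiny table from a constructed wordlist, shows that two users with the same unsalted password produce the same hash and are both recovered by one lookup, and then shows that a per-user random salt breaks the lookup. The wordlist, the PBKDF2 iteration count and the storage format are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist standing in for a real precomputed table, which is far
# larger but is used in exactly the same way: hash -> original password.
WORDLIST = ["password", "123456", "letmein", "qwerty", "Password1"]


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


PRECOMPUTED = {unsalted_hash(w): w for w in WORDLIST}


def lookup_unsalted(stored_hash: str):
    """One dictionary lookup recovers the password; no hashing at attack time."""
    return PRECOMPUTED.get(stored_hash)


def salted_hash(password: str, salt: bytes = None) -> str:
    """Random 16-byte salt per user, combined with the password before hashing.
    PBKDF2 adds work factor on top; the salt alone is what defeats the table."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt; the salt is not secret, just unique."""
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    alice, bob = unsalted_hash("Password1"), unsalted_hash("Password1")
    print(alice == bob, lookup_unsalted(alice))          # True Password1
    alice_s, bob_s = salted_hash("Password1"), salted_hash("Password1")
    print(alice_s == bob_s)                               # False: same password, different records
    print(lookup_unsalted(alice_s.split("$")[1]))         # None: table is useless
```

Salting does not stop an attacker from guessing one user's password by hashing candidates with that user's salt; it stops the precomputation being reused across users and across breaches, which is the whole economy of a rainbow table.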
Password spraying
Rather than trying many passwords against one account (brute force), the attacker tries one common password against many accounts simultaneously — avoiding account lockouts.
Why it evades detection
Only 1–2 attempts per account — most lockout policies trigger after 5+ failed attempts
Defence
MFA, banned common password lists, anomaly detection across accounts
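The contrast between brute force and password spraying (the two entries above) is exactly what a detection rule has to capture: per-account lockout sees the first and misses the second. This added example (not from the original page) parses constructed authentication log lines and classifies each source address, showing which accounts a lockout policy would catch and which source only anomaly detection across accounts would flag. The log format, the RFC 5737 test addresses and the thresholds (5 failures for lockout, 10 distinct accounts for spraying) are assumptions.

```python
import re
from collections import defaultdict

# Constructed log format: timestamp, source address, account, outcome.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)

# Constructed sample: one source hits 12 accounts once each, one source hammers
# a single account, one source is an ordinary user who mistyped once.
SAMPLE_LOG = (
    [f"2024-05-01T09:00:{i:02d} src=203.0.113.5 user=user{i:02d} result=FAIL" for i in range(12)]
    + [f"2024-05-01T09:01:{i:02d} src=198.51.100.7 user=bob result=FAIL" for i in range(6)]
    + ["2024-05-01T09:02:00 src=192.0.2.9 user=carol result=FAIL",
       "2024-05-01T09:02:05 src=192.0.2.9 user=carol result=OK"]
)


def parse(lines):
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def accounts_to_lock(events, threshold: int = 5):
    """What a classic lockout policy sees: failures counted per account only."""
    per_account = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            per_account[e["user"]] += 1
    return {user for user, n in per_account.items() if n >= threshold}


def classify_sources(events, brute_threshold: int = 5, spray_threshold: int = 10):
    """Cross-account view: failures per source, broken down by account."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]][e["user"]] += 1
    findings = {}
    for src, per_user in failures.items():
        worst_single_account = max(per_user.values())
        if worst_single_account >= brute_threshold:
            findings[src] = "brute-force"          # many failures, one account
        elif len(per_user) >= spray_threshold and worst_single_account <= 2:
            findings[src] = "password-spraying"    # 1-2 failures each, many accounts
    return findings


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print(accounts_to_lock(events))   # {'bob'} -- the spraying source locks nobody
    print(classify_sources(events))   # {'203.0.113.5': 'password-spraying', '198.51.100.7': 'brute-force'}
```

In production the per-source counts would be kept over a sliding time window and the source key would often be broadened (ASN, user agent, or a failed-login ratio) because sprays are frequently spread across many addresses; the structure of the rule stays the same.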
Malware types
| Malware Type | How it works | Key characteristic |
| --- | --- | --- |
| Virus | Attaches to a legitimate file and spreads when that file is executed | Requires human action to spread — running an infected file |
| Worm | Self-replicates and spreads across networks without user interaction | No host file needed — spreads autonomously |
| Trojan | Disguises itself as legitimate software to trick users into installing it | Does not self-replicate — relies on social engineering to spread |
| Ransomware | Encrypts victim's files and demands payment for the decryption key | High-impact — can shut down organisations; spread often via phishing |
| Rootkit | Hides deep in the OS to conceal malware presence, often at kernel level | Difficult to detect — designed to evade antivirus and monitoring tools |
| Spyware | Silently monitors user activity and sends data to attacker | Keyloggers are a common type — captures credentials as typed |
| Adware | Displays unwanted advertisements, often bundled with free software | Lowest severity — annoying but not typically destructive |
| Botnet / Zombie | Compromised machines controlled remotely by an attacker (C2 server) | Used to launch DDoS attacks, send spam, or spread more malware |
⚡ Virus vs Worm vs Trojan — the exam distinction
Virus: Needs a host file and human action to spread.
Worm: Self-replicates automatically across networks — no human needed.
Trojan: Disguised as something useful — no self-replication. The user installs it themselves.
The exam frequently gives a scenario and asks you to identify which type. Focus on the spread mechanism and whether user interaction is required.
Exam scenarios
💬 "An employee receives an email appearing to be from the CEO asking them to wire money urgently. What type of attack is this?" → Whaling (spear phishing targeting executives)
💬 "An attacker intercepts traffic between a user and their bank without either party knowing. What type of attack is this?" → Man-in-the-middle (MitM)
💬 "A web server is receiving millions of SYN packets from thousands of IP addresses and becomes unavailable. What type of attack is this?" → DDoS SYN flood
💬 "A piece of malware spreads through a network automatically without any user interaction. What type is it?" → Worm
💬 "An attacker tries the password 'Password1' against 10,000 user accounts. What attack is this?" → Password spraying
💬 "A user downloads a free game that secretly installs remote access software. What type of malware is this?" → Trojan
💬 "An attacker uses precomputed hash values to crack stolen password hashes. What attack is this?" → Rainbow table attack
💬 "Malicious code is injected into a login form that gets executed by the database. What attack is this?" → SQL injection
💬 "Which control is most effective at preventing rainbow table attacks against stolen password hashes?" → Salting
💬 "An attacker leaves USB drives in a company's car park. What type of attack is this?" → Baiting