CompTIA A+ Certification Study Guide

Key concepts, definitions, and exam tips organized by topic.

CompTIA A+ Security Threats: Study Guide


Overview

Security threats are a core component of the CompTIA A+ exam, covering how attackers compromise systems through software, social manipulation, network exploitation, and physical access. Understanding the types, mechanisms, and distinguishing characteristics of each threat is essential for both the exam and real-world IT support roles. This guide organizes all major threat categories with key definitions, comparisons, and exam tips.


---


Malware Types


Summary

Malware (malicious software) encompasses a wide range of programs designed to damage, disrupt, or gain unauthorized access to systems. The A+ exam tests your ability to distinguish between malware types based on how they spread, how they hide, and what they do.


Key Malware Types


| Malware Type | How It Spreads | Key Characteristic |
|---|---|---|
| Virus | Requires host file + user action | Self-replicates by attaching to files |
| Worm | Self-replicates autonomously | No host file needed; exploits network vulnerabilities |
| Trojan Horse | User executes it (disguised as legitimate software) | Does NOT self-replicate |
| Ransomware | Phishing emails, malicious downloads | Encrypts files; demands payment for decryption key |
| Keylogger | Installed via malware or physical device | Records every keystroke; steals credentials |
| Rootkit | Bundled with other malware | Hides deep in OS/firmware/bootloader; maintains persistent access |
| Botnet | Malware infection across multiple systems | Network of "bots" controlled by a botmaster |


Key Terms

  • Host file – A file that a virus must attach to in order to execute and spread
  • Self-replication – The ability to copy and spread without user interaction (worms)
  • Payload – The malicious action a piece of malware performs after infection
  • Botmaster – The attacker who remotely controls a botnet
  • Kernel-level – The deepest level of OS access, where rootkits commonly operate
  • Backdoor – An unauthorized access point left open intentionally (by developers or attackers) for persistent entry
  • Logic bomb – Dormant malicious code triggered by a specific condition (date, event, or user action)

Critical Comparisons

  • Virus vs. Worm: A virus needs a host file and user action to spread. A worm spreads autonomously across networks with no host file required.
  • Trojan vs. Virus: A Trojan does not self-replicate — it relies on the user being deceived into running it. A virus self-replicates once executed.
  • Hardware Keylogger vs. Software Keylogger: A hardware keylogger is a physical device between the keyboard and computer — it requires no OS installation and is invisible to antivirus tools.

Watch Out For

> ⚠️ Exam Tip: Students often confuse Trojans and viruses. Remember: Trojans = disguise, no self-replication. Viruses = self-replicate via host file.

> ⚠️ Exam Tip: Rootkits are NOT easily removed by standard antivirus tools because they operate at the kernel or bootloader level — this detail frequently appears on exams.

> ⚠️ Exam Tip: A logic bomb is NOT the same as ransomware. A logic bomb waits for a trigger condition; ransomware immediately begins encrypting files upon execution.

---

Social Engineering

Summary

Social engineering attacks exploit human psychology rather than technical vulnerabilities. Attackers manipulate victims into revealing credentials, granting access, or performing actions that compromise security. The A+ exam heavily tests your ability to identify these attacks by their delivery method.

Key Social Engineering Attacks

| Attack | Delivery Method | Key Detail |
|---|---|---|
| Phishing | Email | Broad, mass-distributed; mimics trusted organizations |
| Spear Phishing | Email | Targeted at a specific individual/organization; personalized |
| Vishing | Phone/Voice call | Impersonates IT support or authority figure |
| Smishing | SMS/Text message | Mimics banks, delivery services, etc. |
| Tailgating/Piggybacking | Physical | Unauthorized person follows authorized person through a secured door |
| Baiting | Physical (USB drop) | Infected USB left in public; relies on victim's curiosity |
| Pretexting | Any channel | Fabricated scenario to manipulate victim into giving information |

Key Terms

  • Phishing – Fraudulent emails designed to steal credentials or deliver malware
  • Spear phishing – Highly targeted phishing using personal/organizational details
  • Vishing – Voice-based phishing via phone calls
  • Smishing – SMS-based phishing via text messages
  • Tailgating – Physically following someone into a restricted area without authorization
  • Baiting – Luring victims with infected physical media (e.g., USB drives)
  • Pretexting – Creating a false identity or scenario to extract information

Critical Comparisons

  • Phishing vs. Spear Phishing: Phishing is broad and generic; spear phishing is targeted and personalized using research about the victim.
  • Vishing vs. Smishing: Vishing = voice calls; Smishing = SMS text messages.
  • Tailgating vs. Baiting: Tailgating is a physical access attack; baiting uses physical media (USB) to deliver malware.

Watch Out For

> ⚠️ Exam Tip: Know all four phishing variants by delivery channel: Email = Phishing/Spear Phishing, Voice = Vishing, Text = Smishing.

> ⚠️ Exam Tip: Pretexting is a technique, not just an attack type — it can be used within vishing, smishing, or in-person scenarios.

> ⚠️ Exam Tip: Tailgating exploits human courtesy (holding doors open). Countermeasures include mantrap doors, security guards, and employee awareness training.

---

Network-Based Threats

Summary

Network-based threats exploit weaknesses in protocols, infrastructure, or communication channels to intercept data, disrupt services, or gain unauthorized access. These attacks often require technical sophistication but can have organization-wide impact.

Key Network Threats

| Threat | What It Does | Key Detail |
|---|---|---|
| DoS Attack | Floods target with traffic; makes it unavailable | Single source |
| DDoS Attack | Same as DoS but from multiple compromised systems | Coordinated via botnet |
| Man-in-the-Middle (MITM) | Intercepts/alters communications between two parties | Both parties believe they're communicating directly |
| Evil Twin | Rogue Wi-Fi AP mimicking a legitimate one | Captures credentials and session data |
| DNS Poisoning | Corrupts DNS cache with fraudulent records | Redirects users to malicious sites |
| Session Hijacking | Captures authentication tokens/session cookies | Impersonates authenticated user without knowing password |
| Zero-Day Exploit | Targets unknown vulnerability with no patch | Zero days of warning for defenders |

Key Terms

  • DoS (Denial of Service) – Attack flooding a target to make it unavailable
  • DDoS (Distributed DoS) – DoS attack sourced from multiple compromised systems simultaneously
  • MITM (Man-in-the-Middle) – Attacker secretly intercepts and possibly alters communications
  • Evil twin – Rogue wireless access point disguised as a legitimate one
  • DNS poisoning/spoofing – Corrupting DNS cache to redirect traffic to malicious sites
  • Session hijacking – Stealing session tokens to impersonate an authenticated user
  • Zero-day exploit – Attack targeting an unpatched, previously unknown vulnerability
  • Replay attack – Reusing captured valid credentials or tokens to gain unauthorized access

Critical Comparisons

  • DoS vs. DDoS: DoS = one source; DDoS = multiple sources (often a botnet). DDoS is much harder to block.
  • Evil Twin vs. Rogue AP: An evil twin specifically mimics a known legitimate network by name (SSID). A rogue AP is any unauthorized access point added to a network.
  • DNS Poisoning vs. Phishing: Both redirect users to malicious sites — DNS poisoning works at the network/infrastructure level, while phishing works at the user/email level.

Watch Out For

> ⚠️ Exam Tip: Session hijacking ≠ knowing the password. The attacker steals the session token/cookie after authentication has already occurred.

> ⚠️ Exam Tip: Zero-day exploits are dangerous because no patch exists yet — the defender has no technical fix available, only detection/mitigation strategies.

> ⚠️ Exam Tip: Evil twin attacks target Wi-Fi users in public spaces — connecting to "free Wi-Fi" is a common vector. Always verify network legitimacy.

---

Physical & Environmental Threats

Summary

Physical security threats can bypass technical controls entirely by targeting people and physical spaces instead of systems. The A+ exam expects you to recognize these low-tech but highly effective attack vectors and their corresponding countermeasures.

Key Physical Threats

| Threat | Method | Countermeasure |
|---|---|---|
| Shoulder Surfing | Visually observing screen/keyboard in public | Privacy screens, user awareness |
| Dumpster Diving | Searching discarded trash for sensitive info | Shredding documents, secure hardware disposal |
| Hardware Keylogger | Physical device inserted between keyboard and computer | Regular inspection of physical hardware, port locks |
| Tailgating | Following authorized user through secured entry | Mantraps, security guards, access badges |
| Baiting (USB Drop) | Infected USB left in public places | Disabling USB ports, user awareness training |

Key Terms

  • Shoulder surfing – Visually stealing PINs, passwords, or data by observation
  • Dumpster diving – Recovering sensitive information from discarded materials
  • Hardware keylogger – Physical device recording keystrokes; undetectable by antivirus
  • Privacy screen – Physical screen filter that limits viewing angles; mitigates shoulder surfing
  • Secure disposal – Proper destruction of hardware (degaussing, shredding) to prevent data recovery

Watch Out For

> ⚠️ Exam Tip: Hardware keyloggers are invisible to antivirus software because they don't exist as files on the OS — this is a key differentiator from software keyloggers.

> ⚠️ Exam Tip: Dumpster diving is legal in many jurisdictions unless no-trespassing laws apply — this makes proper document disposal policies critical.

---

Threat Indicators & Key Concepts

Summary

Some threats don't fit neatly into one category. Understanding backdoors and logic bombs rounds out your knowledge of how attackers establish persistence and cause delayed damage.

Key Concepts

  • Backdoor
    - An intentional or unintentional hidden access point in software or a system
    - Can be created by developers for maintenance or implanted by attackers through malware
    - Allows unauthorized persistent access without normal authentication

  • Logic Bomb
    - Malicious code that remains dormant until a specific trigger condition is met
    - Triggers can include: a specific date/time, a user action, or a system event
    - Often planted by disgruntled insiders with system access
    - Difficult to detect before it triggers because it appears inactive

Key Terms

  • Backdoor – Hidden access mechanism bypassing normal authentication
  • Logic bomb – Dormant malware with a conditional trigger
  • Persistence – An attacker's ability to maintain ongoing access to a compromised system
  • Zero-day – Unpatched, previously unknown vulnerability

Watch Out For

> ⚠️ Exam Tip: Logic bombs are often associated with insider threats — disgruntled employees with system access. If a scenario describes malicious code that "activated on a specific date," think logic bomb.

> ⚠️ Exam Tip: Backdoors are not always malicious in origin — developers create them intentionally. However, attackers also implant backdoors via malware for persistent access.

---

Quick Review Checklist

Use this checklist to confirm you can answer each item before your exam:

Malware

  • [ ] Explain the difference between a virus and a worm (host file + user interaction vs. autonomous)
  • [ ] Describe how a Trojan horse works and why it does NOT self-replicate
  • [ ] Define ransomware and explain how victims lose access to their data
  • [ ] Explain what a rootkit does and why standard antivirus cannot easily remove it
  • [ ] Distinguish between hardware and software keyloggers
  • [ ] Define what a botnet is and name two common uses (DDoS, spam, crypto mining)
  • [ ] Define backdoor and logic bomb and their key differences

Social Engineering

  • [ ] Name all four phishing variants by delivery method (email, targeted email, voice, SMS)
  • [ ] Explain the difference between phishing and spear phishing
  • [ ] Define pretexting, baiting, and tailgating
  • [ ] Identify countermeasures for each social engineering attack

Network Threats

  • [ ] Explain the difference between DoS and DDoS
  • [ ] Describe how a MITM attack works
  • [ ] Define evil twin and how it differs from a standard rogue access point
  • [ ] Explain DNS poisoning and its effect on users
  • [ ] Define session hijacking — note that the password is NOT required
  • [ ] Explain why a zero-day exploit is particularly dangerous

Physical Threats

  • [ ] Define shoulder surfing and its primary countermeasure (privacy screen)
  • [ ] Define dumpster diving and its countermeasure (shredding, secure disposal)
  • [ ] Explain why hardware keyloggers are invisible to antivirus tools

---

Master these distinctions and you'll be well-prepared for security threat questions on the CompTIA A+ exam. Focus especially on how each threat spreads or is delivered — the exam frequently tests these differentiating characteristics.
