CompTIA Security+ SY0-601 Exam Practice Tests
Ebook, 667 pages, 7 hours


About this ebook

Prepare with confidence for your CompTIA Security+ SY0-601 certification with this comprehensive practice test resource. Featuring five full-length practice exams with over 400 realistic questions, this guide is designed to mimic the actual exam experience, ensuring you are fully prepared to succeed.

Each question is accompanied by detailed explanations, helping you build a strong foundation in cybersecurity concepts, risk management, threats, vulnerabilities, and security controls. Whether you're strengthening your cybersecurity expertise or aiming for certification, this book provides the clarity and knowledge needed to excel.

Language: English
Publisher: CertSquad Professional Trainers
Release date: Apr 30, 2025
ISBN: 9798231605859

    CompTIA Security+ SY0-601 Exam Practice Tests - CertSquad Professional Trainers

    ​Chapter 1: Introduction

    This book covers the entire Security+ certification exam. It isn’t designed to be somebody’s only preparation material. Instead, it is designed to be a practice test book and to complement other study material, such as a book or hands-on lab practice.

    Additionally, you should have some real-world experience. Officially, the exam is aimed at people with at least two years of IT experience with a focus on security. That doesn’t have to be on an Information Security team specifically. But, you should have experience dealing with security. For example, maybe you work with Active Directory, firewalls, or manage end user devices. In such cases, you will routinely work on the security-related aspects of IT.

    ​1.1 About the Exam

    Candidates are encouraged to use this document to help prepare for the CompTIA Security+ (SY0-601) certification exam. The CompTIA Security+ certification exam will verify the successful candidate has the knowledge and skills required to:

    ●  Assess the security posture of an enterprise environment and recommend and implement appropriate security solutions

    ●  Monitor and secure hybrid environments, including cloud, mobile, and IoT

    ●  Operate with an awareness of applicable laws and policies, including principles of governance, risk, and compliance

    ●  Identify, analyze, and respond to security events and incidents

    This is equivalent to two years of hands-on experience working in a security/systems administrator job role. These content examples are meant to clarify the test objectives and should not be construed as a comprehensive listing of all the content of this examination.

    Exam Development: CompTIA exams result from subject matter expert workshops and industry-wide survey results regarding the skills and knowledge required of an IT professional.

    ​1.1 Exam Details

    The table below lists the details of the Security+ exam:

    ​1.2 Security+ Domains

    The table below lists the domains measured by this examination and the extent to which they are represented:

    ​Chapter 2: Security+ Exam Topics

    ​2.1 Given a scenario, analyze indicator of compromise and determine the type of malware

    For this topic, you should be prepared to figure out what type of malware is on a computer in a given scenario. The exam objective outlines the following 13 types of malware:

    ​Viruses

    A virus is a malicious program designed to replicate itself. Viruses are typically attached to legitimate files, such as documents or installation programs. Not all viruses are designed to do damage to a computer; sometimes they are humorous or pranks, and other times, they are written by hackers trying to achieve infamy. There are a ton of different types of viruses — macro viruses, boot-sector viruses and so on — but you don’t need to know about all the different types for this exam.

    ​Crypto-malware

    Crypto-malware is a type of ransomware that uses encryption to block access to data. It is difficult to overcome without paying the ransom or having a backup of the data.

    ​Ransomware

    Ransomware is malware designed to hold a computer or data hostage until a ransom is paid. This might be by blocking access to the data, changing the computer enough to make it hard to use or encrypting the data (this is known as crypto-malware, described in the previous item). Once a ransom is paid to the attackers, the data is usually released to the user.

    ​Worm

    A worm is a type of malware whose sole purpose is to spread. Often, worms don’t cause any damage to a computer or data. However, because of the rapid spread of a worm, it can cause issues on a network (consuming most or all of the available bandwidth, for example). Occasionally, a worm will have a malicious payload that causes problems, such as deleting data on a computer.

    ​Trojan

    Like a Trojan horse, a Trojan is a malicious application that misleads users. Trojans are often hidden in installers — for example, when a user installs a photo editing program, the Trojan is installed silently in the background, unbeknownst to the user. In general, once installed, Trojans do not try to replicate or propagate; instead, they often connect to a command and control server to report in and get further instructions. Trojans are often used to install backdoors (defined later in this list) on a computer, giving the attacker remote access to the computer.

    ​Rootkit

    A rootkit is a type of malware designed to enable attackers to connect to and control a compromised computer remotely. Often, it gives them full control of the computer. Rootkits have been known to record audio, video (from webcams), capture keystrokes and steal data.

    ​Keylogger

    A keylogger, or keystroke logger, secretly captures all the keys pressed on the keyboard and either sends them to a remote server or records them to a file for later retrieval by an attacker. For example, it might capture all keystrokes by a user visiting their banking website — including their credentials. Two-factor authentication can help protect against keyloggers, especially if it involves entering a unique code for each logon.

    ​Adware

    Adware is a type of malware whose primary purpose is to display ads on your computer, earning money for their creators. Most adware attacks occur against browsers. Note that adware is different from legitimate applications that have online advertising because such applications typically get permission from the user, often by making that part of the agreement to download the software, whereas adware displays ads without the user’s permission.

    ​Spyware

    Spyware is malware whose primary purpose is to steal sensitive information from a computer. Methods include intercepting keystrokes, stealing data directly, and hijacking microphones or webcams. Some spyware is designed specifically to obtain banking information.

    ​Bots

    Computer bots come in two forms — good and bad. Good bots perform repetitive tasks, such as automating manual tasks. Bad bots take over your computer, report back to a command and control server, and wait for instructions. Often, bots are part of a botnet — a bunch of bots connected to a command and control infrastructure. Botnets are routinely used to perform denial-of-service (DoS) attacks, but can also steal data, capture keystrokes and send unsolicited email.

    ​RAT

    A remote access Trojan (RAT) is a type of malware designed to create a backdoor and provide administrative control to a computer. RATs can be packaged with legitimate downloads (for example, trial programs) and gain access to a computer without a user knowing about it.

    ​Logic bomb

    When malware is designed to create havoc on a specific date and time or when a specific condition is met, it is known as a logic bomb. Logic bombs are often destructive, deleting data or taking applications offline. They are often associated with insider attacks. For example, a disgruntled developer might create a logic bomb, carefully configuring it to go off a while after he or she quits the company to reduce the risk of being held accountable for it.

    ​Backdoor

    A backdoor is a type of malware that provides a secret way to gain access to a computer. For example, suppose a web page requires you to authenticate. A backdoor might provide a way to bypass the authentication by manipulating the URL or by performing a series of clicks in the right  place. Backdoors can be available to anybody who can find them, but are sometimes established by hackers to circumvent the normal access method.

    ​2.2 Compare and contrast types of attacks

    This section details the various types of attacks that hackers use to try to gain unauthorized access to a network or a computer. At a minimum, you need to be familiar with each method at a high level so if you are presented with a scenario on the exam, you can determine the type of attack based on the information provided.

    These attacks fall into the following categories:

    ●  Social engineering attacks

    ●  Application/service attacks

    ●  Wireless attacks

    ●  Cryptographic attacks

    ​Social engineering attacks

    Social engineering is the art of deceiving people. Attacks happen via email, over the phone and in person. Social engineering is one of the most dangerous types of attacks because it has a high success rate. Here are the types of social engineering attacks covered by the Security+ exam:

    ​Phishing

    Phishing is the act of trying to deceive somebody to give up personal information or sensitive information. There are three avenues for phishing attacks:

    ●  Email (the most common method). Most people are familiar with the typical phishing email that pretends to be from your bank and asks you to confirm your information or reset your account. These types of phishing emails sometimes look legitimate and typically use malicious links. After clicking the malicious link, you might be directed to a fake bank website, malware might be secretly installed on your computer, or your browser might get hijacked. Email phishing typically targets many people at a time because it is easy and inexpensive.

    ●  Telephone (the second most common method). Phishing by telephone is similar — a person calls from IT support and mentions something about your computer being infected. The person then requests for you to go to a special support website to fix your computer. However, that special support website often secretly installs malware on your computer.

    ●  In person (the least common method). A phishing attack might also involve a person dressed as an electric utility employee who asks to repair your electrical infrastructure in order to gain unauthorized access to your facilities.

    Defenses against phishing include employee training, internal phishing campaigns to test and educate users, and technical defenses such as anti-phishing scans of email before it is delivered to end users.

    ​Spear phishing

    Spear phishing is phishing that targets an individual or a small group of people. Typically, spear phishing attacks are more sophisticated than mass phishing attacks; the attackers often know more about their targets and often stand to gain more if the target is compromised.

    ​Whaling

    Whaling is a type of spear phishing that targets high-profile individuals, such as executives at public companies. Whaling attackers often take pains to learn a lot about their targets and successful attacks can yield much higher gains than other phishing attacks.

    ​Vishing

    Vishing is phishing by telephone. While some people refer to this as phishing, vishing is the official term. With vishing, the goal is to gain sensitive or personal information from the person answering the phone. Often, the caller will impersonate another person, attempt to sound important and have a reason for requests to be expedited.

    ​Tailgating

    Tailgating is when someone follows an authorized person into a restricted area, such as a corporate office building, without providing their own credentials, such as swiping their keycard.

    At small companies, it is hard for an attacker to pull off a tailgating attack because everybody knows each other and no one will allow a stranger to tailgate in. However, at large companies with thousands of people, it is common not to know most of your coworkers. But tailgating still routinely occurs because in many countries people consider it common courtesy to hold the door for the person behind them, especially if they look like they belong because they are appropriately dressed, seem to be the right age and so on. Some attackers carry a large amount of stuff (such as a lunch bag, drink and backpack) and ask for help to get through the door. Tailgating attacks are dangerous because they give attackers physical access to your environment and computers. Attackers can leave infected USB sticks in key locations or attempt to take over computers. To reduce risk, some companies forbid tailgating and require each employee to swipe their badge to enter, even if they arrive at the same time as somebody else.

    ​Impersonation

    An impersonation attack is an attack where a malicious person attempts to impersonate a legitimate person or entity. Impersonation attacks can occur over email, over the web or in person. For example, suppose CompanyXYZ has the domain companyxyz.biz and an attacker registers a domain name that differs from it by only a character or two; the small difference between these names might go unnoticed in email or when visiting a website. Or an attacker might dress up as a janitor, carrying a backpack vacuum and wearing gloves; they might be able to easily wander around your office building without drawing too much attention.

    ​Dumpster diving

    Dumpster diving has been around since before computers and the internet: Attackers simply sift through trash dumpsters looking for personal or sensitive information that they could use to carry out spear phishing or other attacks or enable them to steal somebody’s identity. Attackers often look for electronic waste, too, such as disk drives, USB sticks and backup tapes. To minimize the chances of being impacted by a dumpster diving attack, you should shred all sensitive documents and physically destroy all electronic storage before you discard it.

    ​Shoulder surfing

    When a person secretly watches the computer screen or keyboard of another user, that person is shoulder surfing. It is an easy way to obtain passwords, logon methods and other sensitive information. It is a dangerous attack that often goes unnoticed. To protect against shoulder surfing, you can put a small mirror on your monitor or in your cubicle or office.

    ​Hoax

    A hoax is a false claim to entice somebody to take a desired action. For example, an attacker might claim that you have won something or that they want to buy something from you so you will provide personal information, such as your Social Security number or bank account information. To minimize the chances of a hoax being effective against you, be skeptical when you see or hear something that is too good to be true or that is unusual in some way (such as coming at an unusual time or having an unusual sense of urgency).

    ​Watering hole attack

    A watering hole attack typically targets a specific company. The attacker learns of websites that the company frequents (their watering holes) and attempts to place malware on those sites in hopes that someone at the company will get infected. Lesser known watering hole attacks can occur in person — an attacker might place infected USB sticks at the IT helpdesk or support area in a box with a sign reading “Free USB sticks.”

    Now that you have a good understanding of the types of social engineering attacks, let’s review the main reasons these attacks are effective:

    ​Authority

    When the attacker conveys authority in a social engineering attack, the attack is more likely to succeed. For example, the attacker might impersonate a high-level executive or an IT support person. People often go out of their way to make such authority figures happy, which enables the attacker to gain access to sensitive information.

    ​Intimidation

    There are several ways that attackers use intimidation during a social engineering attack. They might attempt to scare the victim (“If you don’t send me the files, then the auditing firm can’t certify the company results”) or threaten them (“If you don’t want to validate your identity, then I’ll record your refusal and report it to HR”). Intimidation often comes during an impersonation attack, where the attacker impersonates somebody in a high-level position of authority.

    ​Consensus

    Attackers establish consensus by claiming that others are performing the requested action. For example, to obtain sensitive auditing information from a company, an attacker might call a low-level manager and mention that his colleague was able to provide the requested information during the last audit in order to make the victim more likely to comply with the request.

    ​Scarcity

    When something is in short supply, it often becomes more desirable. Marketing companies often use scarcity to drive demand. Social engineering attackers also use it — for instance, during a hoax or phishing attack, an attacker might mention that a prize or giveaway has limited availability.

    ​Familiarity

    Familiarity can also help attacks succeed. For example, an attacker might dress like a maintenance worker and walk around a company’s office building for a week. Only after being seen for a week does the attacker ask somebody to give him access to the telephone closet.

    Because the attacker looks familiar (“oh, he works here and fixes stuff”), employees are more likely to hold a door open for him or help him gain access to restricted areas. Similarly, an attacker might call a high-level executive on the phone and be kind and courteous to the executive assistant. After a couple of weeks of these calls, the assistant might come to think of the attacker as familiar and therefore friendly, and the attacker can then attempt to exploit the assistant.

    ​Trust

    Social engineering attacks sometimes involve trust. For example, an attacker might get a job at a target company. After a few months working there, the attacker is in a good position to carry out social engineering attacks against fellow employees. The attacker is trusted as “one of us,” which makes employees discard their normal skepticism.

    ​Urgency

    A common tactic in social engineering attacks is to impart a sense of urgency. For instance, an attacker posing as a helpdesk admin might call a user and say, “Hi, Terry. This is Chris over in IT. Your computer has a virus. We must immediately install a fix on your computer. Can I email you the file now?” Such an attack can be very effective because victims often think that bad things will happen if they don’t act fast.

    ​Application/service attacks

    Application and service attacks target specific applications or services. For example, an attacker might target web servers or try to reuse user credentials and authenticate as somebody else. As with the other topics, you must be able to differentiate between the various types of attacks and determine the type of attack in a scenario provided on the exam. The bullets below detail the types of application and service attacks:

    ​DoS

    A denial of service attack attempts to overwhelm a network, computer or another part of the IT infrastructure to degrade performance or take a service offline. Most of the well known DoS attacks have targeted specific networks or services.

    ​DDoS

    A distributed denial of service attack is a large-scale DoS attack that leverages botnets made up of many computers or computing devices, often thousands of devices or more. The botnet sends network requests or other communications to the same service or network until the service or network becomes overwhelmed and unusable.

    ​Man-in-the-middle

    Communication over a network is typically between two parties, point A and point B. A man-in-the-middle attack spoofs one party to intercept traffic before relaying the information to the intended party. The attacker might be eavesdropping or trying to gather enough information to later circumvent authentication methods.

    ​Buffer Overflow

    A buffer is a region of memory where an application can write data temporarily. A buffer overflow occurs when more data is written or stored than the buffer was allocated to hold, so the excess spills into adjacent memory. Attackers can cause overflows deliberately in order to produce errors or cause applications to crash.

    ​Injection

    Code injection is frequently associated with SQL injection, but can also use LDAP, SMTP and other methods. The attacker adds (injects) their malicious code into an application or service at runtime. This can cause a denial of service, data loss or complete takeover by the attacker.

    ​Cross-site scripting

    Cross-site scripting (XSS) is a web application vulnerability that allows attackers to inject scripts into the website or application. The script targets either a vulnerability in the web app, the server the app is running on or a plug-in associated with the app. An XSS attack exploits the trust a user has for a website or application.

    ​Cross-site request forgery

    A cross-site request forgery (XSRF) attack targets a website or application from a trusted user browser session. The user can (knowingly or unknowingly) transmit commands or scripts to attack an application. In contrast to an XSS attack, an XSRF attack exploits the trust a web application has in the user accessing the data.
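As an added example (not from the book) of the trust distinction just described, the Python below implements the standard XSRF defence, a per-session token that a page on another origin cannot read; the request and session dicts stand in for a web framework's objects and are assumptions made for illustration.

```python
"""Per-session anti-CSRF token check, the standard defence against XSRF.

Added example; not from the book. `request` and `session` are plain dicts
standing in for a web framework's objects (an assumption for illustration).
"""
import hmac
import secrets

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def issue_token(session):
    """Put a fresh random token in the server-side session and return it.

    The application embeds it in its own forms (or exposes it to its own
    scripts); a page served from another origin cannot read it.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def check_request(request, session):
    """Return (allowed, reason) for a request that arrived with a valid session cookie.

    The cookie only proves the browser is logged in, not that the user meant to
    send this request; the token proves the request was built by our own page.
    """
    if request["method"] not in STATE_CHANGING:
        return True, "safe method"
    expected = session.get("csrf_token")
    presented = (request.get("form", {}).get("csrf_token")
                 or request.get("headers", {}).get("X-CSRF-Token"))
    if not expected or not presented:
        return False, "missing token"
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(expected.encode("utf-8"), str(presented).encode("utf-8")):
        return False, "token mismatch"
    return True, "token ok"

if __name__ == "__main__":
    session = {}  # what the server stores for one logged-in browser
    token = issue_token(session)
    # Constructed requests: the first is what a page on another site could make
    # the victim's browser send (session cookie attached, token unknown); the
    # second is what the application's own form submits.
    forged = {"method": "POST", "form": {"to": "someone", "amount": "5000"}}
    genuine = {"method": "POST",
               "form": {"to": "someone", "amount": "50", "csrf_token": token}}
    print("forged:", check_request(forged, session))
    print("genuine:", check_request(genuine, session))
```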

    ​Privilege escalation

    The process of attacking a system to gain access to that system or other resources that are typically protected is privilege escalation. There are two types of privilege escalation: horizontal and vertical. Horizontal escalation is where a user accesses systems or resources that are meant for other systems or users. Vertical escalation is where a user accesses systems or resources using a higher-level account, such as administrative or root access.

    ​ARP poisoning

    The Address Resolution Protocol assists a system in identifying the hardware (MAC) address of a device. ARP poisoning is the process of spoofing or modifying that data so that information is transmitted to another device, typically one owned by the attacker, rather than to the intended recipient.
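As an added example (not from the book), the following Python looks for the classic ARP poisoning indicator, one IP address being claimed by more than one MAC address, in a constructed ARP-reply log; the line format, the agent assumed to have written it and the IP/MAC values are all assumptions.

```python
"""Detect ARP poisoning indicators in a stream of ARP reply records.

Added example; not from the book. Assumes each record is a simple
"timestamp ip mac" line as a monitoring agent might write it
(constructed format, not a real tool's output).
"""
from collections import defaultdict

# Constructed sample: the gateway 10.0.0.1 is first announced by one MAC,
# then a second MAC starts claiming the same IP (the poisoning sign).
SAMPLE_ARP_LOG = """\
1700000001 10.0.0.1 aa:bb:cc:00:00:01
1700000002 10.0.0.25 aa:bb:cc:00:00:25
1700000003 10.0.0.1 aa:bb:cc:00:00:01
1700000004 10.0.0.1 de:ad:be:ef:00:99
1700000005 10.0.0.25 aa:bb:cc:00:00:25
1700000006 10.0.0.1 de:ad:be:ef:00:99
"""

def parse_arp_log(text):
    """Parse lines of 'timestamp ip mac' into (int, str, str) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, mac = line.split()
        records.append((int(ts), ip, mac.lower()))
    return records

def find_ip_conflicts(records, protected_ips=None):
    """Return {ip: sorted MACs} for every IP claimed by more than one MAC.

    protected_ips: optional set (gateways, DNS servers) to restrict the check to.
    """
    claims = defaultdict(set)
    for _, ip, mac in records:
        if protected_ips is None or ip in protected_ips:
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def find_flips(records):
    """Return (ts, ip, old_mac, new_mac) each time an IP's announced MAC changes."""
    last = {}
    flips = []
    for ts, ip, mac in records:
        prev = last.get(ip)
        if prev is not None and prev != mac:
            flips.append((ts, ip, prev, mac))
        last[ip] = mac
    return flips

if __name__ == "__main__":
    recs = parse_arp_log(SAMPLE_ARP_LOG)
    for ip, macs in find_ip_conflicts(recs).items():
        print(f"ALERT: {ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    for ts, ip, old, new in find_flips(recs):
        print(f"  {ts}: {ip} moved {old} -> {new}")
```

A MAC change for an IP is only an indicator: a DHCP reassignment or a replaced network card produces the same event, so a flip on a gateway or DNS server address is the one that deserves immediate attention.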

    ​Amplification

    An amplification attack is a type of DDoS attack that commonly targets network services such as NTP and DNS. The attacker will attempt to overwhelm the target service with a large amount of UDP traffic to render the service and infrastructure inaccessible.

    ​DNS poisoning

    A Domain Name System assists a system by translating friendly names to IP addresses. DNS poisoning is the process of spoofing or modifying DNS records so that when a friendly name is looked up, the wrong IP address is returned. This tactic can be used to redirect traffic in a denial of service attack, or to send the traffic to the attacker’s website instead of the correct site.

    ​Domain hijacking

    All domain names are registered through an official IANA registrar, which controls the available top-level domains. If the registration of a domain name is stolen or compromised, that is domain hijacking. The attacker then has full control over the domain and therefore can change the name servers, contact information and more.

    ​Man-in-the-browser

    A man-in-the-browser attack is a type of man-in-the-middle attack in which a web browser is attacked by code on a website. The result is that the attacker takes control of the web browser and allows the browser to insert code, make application changes or modify website content without the user or website knowing.

    ​Zero day

    If an attacker identifies a new vulnerability and exploits it the same day, that is a zero day attack. A zero day attack is dangerous because even having the latest patches and security updates won’t protect you against unknown vulnerabilities. The attack occurs before anyone is aware the exploit exists and the vendor can issue a fix.

    ​Replay

    A replay attack is a repeated (replayed) transmission of valid communication. The goal is to gain access to resources or data by resending a valid transmission. Using timestamps on communication can help minimize or block replay attacks. Additionally, using one-time keys or passwords for communication can also help.

    ​Pass the hash

    A pass the hash attack bypasses the need to know a user account’s credentials by passing the hash of the previously authenticated user to the desired resource. These types of attacks are useful if passwords are not changed frequently and the resources do not require multi-factor authentication.

    ​Hijacking and related attacks

    ●  Clickjacking. Websites typically appear to be 2-dimensional, but attackers can conceal clickable content beneath a legitimate hyperlink or clickable image. When a user clicks what they think is a legitimate link, they also click the hidden link, which executes malicious code.

    ●  Session hijacking. Most websites use cookies to identify individual sessions that have been authenticated on the website. These cookies can contain a session key. Attackers can gain access to the session by stealing the session key.

    ●  URL hijacking. URL hijacking (also known as typosquatting) relies on users making typos and other mistakes when accessing a website; they are presented with a fake site that appears to be the real site.
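As an added example (not from the book) covering both the companyxyz.biz impersonation scenario earlier in this section and typosquatting, the Python below classifies domains pulled from mail headers or links as the organisation's own, a lookalike, or unrelated; the homoglyph table, the edit-distance threshold and the sample domains are assumptions made for illustration.

```python
"""Classify domains as the organisation's own, a lookalike, or unrelated.

Added example; not from the book. The homoglyph table, the edit-distance
threshold and the sample domains are assumptions made for illustration.
"""

# Visually confusable substitutions (assumed subset; real lists are far longer).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

def normalize(label):
    """Map confusable character sequences to the letters they imitate."""
    label = label.lower()
    # Multi-character confusables first so "rn" is handled before single chars.
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label

def levenshtein(a, b):
    """Classic edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain):
    """Naive split into (name, tld); adequate for two-label domains."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[:-1]), parts[-1]

def classify(candidate, own_domain, max_distance=2):
    """Return 'own', 'lookalike' or 'unrelated' for a candidate domain.

    max_distance should scale with the length of the organisation's name;
    2 is a reasonable choice for names of ten or more characters.
    """
    if candidate.lower().rstrip(".") == own_domain.lower().rstrip("."):
        return "own"
    cand_name, _ = split_domain(candidate)
    own_name, _ = split_domain(own_domain)
    # Same name under another TLD (companyxyz.biz vs companyxyz.com).
    if cand_name == own_name:
        return "lookalike"
    # Own name embedded in a longer label (companyxyz-login.biz).
    if own_name in cand_name:
        return "lookalike"
    # Homoglyph substitution or a typo within a small edit distance.
    if levenshtein(normalize(cand_name), normalize(own_name)) <= max_distance:
        return "lookalike"
    return "unrelated"

def scan(domains, own_domain):
    """Return {domain: verdict} for every domain that is not the organisation's own."""
    verdicts = {d: classify(d, own_domain) for d in domains}
    return {d: v for d, v in verdicts.items() if v != "own"}

# Constructed sample of domains extracted from message headers and links.
SAMPLE_DOMAINS = [
    "companyxyz.biz", "companyxyz.com", "cornpanyxyz.biz",
    "companyxzy.biz", "companyxyz-login.biz", "example.org",
]

if __name__ == "__main__":
    for d, verdict in scan(SAMPLE_DOMAINS, "companyxyz.biz").items():
        print(f"{d:24} {verdict}")
```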

    ​Driver manipulation

    ●  Shimming. Shims are used in programming to enable different API versions to operate in an environment. This can also create security vulnerabilities when older APIs can be used to manipulate hardware.

    ●  Refactoring. In a refactoring attack, the attacker changes the underlying source code in order to gain full access to the hardware it is running on, enabling the attacker to use the hardware for other attacks.

    ​MAC spoofing

    All devices connected to a network have a physical address, or MAC address. MAC spoofing is the process of changing the physical address of a device. This tactic could be used to intercept traffic intended for the original device.

    ​IP spoofing

    If a device is connected to a layer 3 network, then it uses IP addresses to communicate with other devices. To intercept traffic, an attacker can use IP spoofing to act like another device on the network.

    ​Wireless attacks

    Wireless attacks are specific to wireless networks. Mostly these attacks attempt to gain unauthorized access to a wireless network. These attacks are especially dangerous because they often originate from outside of your business (such as in the parking lot or from a neighboring business).

    ​Replay

    Like a denial of service attack, a replay attack repeatedly transmits data. However, the replay data is typically valid data to capture session information or other data to be used in an attack.

    ​IV

    An initialization vector (IV) attack is a method of decrypting wireless traffic. An attacker learns the plaintext of a single wireless packet, and then computes the remaining RC4 key stream. All wireless traffic that uses the same initialization vector can then be decrypted by the attacker.

    ​Evil twin

    An evil twin is a malicious access point that appears to be legitimate (for example, the network is named Visitor Wi-Fi) but that has been configured to eavesdrop and intercept wireless traffic. The access point (AP) can steal passwords, network keys and other information that is sent across the network.

    ​Rogue AP

    A rogue access point is an AP that has been added to the network without authorization. This is typically done by employees who want easier access or their own Wi-Fi network. These access points can bypass company security requirements as well as interfere with the available wireless channels in a physical area.

    ​Jamming

    Wireless networks operate on specific channels of wireless frequencies. The number of channels is determined by the specification of the wireless network. This limited number of channels makes it easy for an attacker to attack that signal range, like a denial-of-service attack to jam the network.

    ​WPS

    Wi-Fi Protected Setup (WPS) provides an easy way to add new devices to a wireless network — in many implementations, you don’t need to enter the wireless password; you simply push a button on the AP and a button (or virtual button) on the device and automatically have the device join the network. However, this convenience comes with a security flaw — a brute-force attack on the PIN used to add a device can enable other devices to authenticate to the network.

    ​Bluejacking

    Bluejacking is the process of using Bluetooth to send messages to Bluetooth-enabled devices in an immediate radius. Bluejacking relies on having discoverable Bluetooth-enabled devices nearby.

    ​Bluesnarfing

    Bluesnarfing is the process of using Bluetooth to connect to and steal data from another device. This attack relies on vulnerable Bluetooth implementations. To minimize the chances of being a victim, turn off Bluetooth in public places and keep your device up to date with the latest security updates.

    ​RFID

    Radio-frequency identification (RFID) is a type of wireless technology that allows for short-range communication, like Bluetooth. Several attacks can be performed specifically for RFID to spoof or disable communications.

    ​NFC

    Near-field communication (NFC) is a type of wireless technology that allows for nearby communication, like RFID and Bluetooth. A few attacks can be performed specifically for NFC to spoof or disable communications.

    ​Disassociation

    When a wireless client disconnects from a network, it performs a disassociation with the access point. An attacker can purposely disconnect other devices on the network by pretending to be those devices and disassociating them from the access point. The other devices are then not connected to the network and need to manually be joined again.

    ​Cryptographic attacks

    Cryptographic attacks target technologies that rely on cryptographic functions. For example, cryptographic attacks often target passwords, which are often stored using encryption.

    ​Birthday

    A form of brute-force attack, a birthday attack uses probability theory. The attack generates many inputs and looks for any two whose hashes match, relying on the fact that such a match becomes likely after far fewer attempts than the size of the hash output space would suggest.

    ​Known plain text/cipher text

    When an attacker already has access to both the plaintext and the encrypted ciphertext, then this information can be used to also identify secret keys that are used to create the ciphertext and use them to decrypt other encrypted text.

    ​Rainbow tables

    Rainbow tables are pre-assembled tables for reversing hashes, typically password hashes. Rainbow tables are particularly effective when the plaintext target has a known or limited character length, such as a credit card number.

    ​Dictionary

    A dictionary attack is a brute-force attack in which the password (or key) is found by trying every entry in a wordlist: common passwords, passwords from previous breaches, dictionary words and their variants. It is much faster than exhaustive brute force because it tries the likeliest values first.

    ​Brute force

    Brute-force attacks are repeated attempts to guess a password or key until one works. Online brute-force attacks are made against the live system, which can defend itself with account lockouts, rate limiting and alerting. Offline brute-force attacks are made against captured data, such as a stolen file of password hashes, so the target system sees nothing and the attacker's only limit is computing power; that is why slow, salted hashing is the defence for stored passwords.
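The following is an added example, not code from the original text, that ties together the rainbow table, dictionary and offline brute-force discussions above. It contrasts legacy unsalted storage, which one precomputed lookup table reverses for every user at once, with salted storage using a slow key-derivation function, which forces the attacker to redo the work per user. The wordlist and the stored hashes are constructed for the demonstration.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Constructed wordlist standing in for a real one such as a breached-password list
WORDLIST = ["password", "123456", "letmein", "Summer2024!", "qwerty", "dragon"]


def unsalted_hash(password: str) -> str:
    """Legacy storage: bare SHA-1. Every user with the same password gets the
    same hash, so one precomputed table reverses all of them."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Hardened storage: per-user random salt plus a deliberately slow KDF
    (PBKDF2-HMAC-SHA256). Stored as iterations$salt$hash so a verifier can
    recover the parameters later."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext once. A real rainbow table stores hash chains
    instead of every pair to save space, but it exploits the same property:
    unsalted hashing is deterministic, so the work can be done before the breach."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Offline attack on an unsalted hash: a single lookup, no hashing at all."""
    return table.get(stored_hash)


def crack_salted(stored: str, words: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on a salted hash. The salt is not secret (it is
    in the record), but it forces the attacker to recompute the KDF for every
    candidate, for every user: no table built in advance can help."""
    iterations, salt_hex, _ = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    for candidate in words:
        if salted_hash(candidate, salt, int(iterations)) == stored:
            return candidate
    return None


def hash_operations(num_users: int, wordlist_size: int, salted: bool) -> int:
    """Hash computations needed to try a whole wordlist against a dump of
    `num_users` hashes. Unsalted: hash the wordlist once and reuse it.
    Salted: hash it again for every user (and each hash is itself slow)."""
    return wordlist_size if not salted else num_users * wordlist_size


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(unsalted_hash("letmein"), table))
    stored = salted_hash("dragon", b"\x01" * 16, 1000)
    print("salted:  ", crack_salted(stored, WORDLIST))
    print("work, 1M users x 14M words:", hash_operations(1_000_000, 14_000_000, False),
          "unsalted vs", hash_operations(1_000_000, 14_000_000, True), "salted")
```

The salted path still succeeds against "dragon" because it is in the wordlist: salting and a slow KDF raise the cost of guessing, they do not rescue a weak password. Length and unpredictability of the password remain the user's contribution; the storage format is the system's.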

    ​Collision

    When two different inputs produce the same hash value, this is known as a collision. A collision attack attempts to find two different inputs that result in the same hash, for example so that a malicious document or certificate can be substituted for one that was legitimately signed. MD5 and SHA-1 have practical collision attacks and are retired for this reason.
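A worked birthday attack, added here as an example that is not part of the original text and serving both the birthday and collision passages above: it searches for a collision on a hash truncated to a chosen number of bits (truncated SHA-256 stands in for a weak short hash so the run takes a fraction of a second), and compares the attempt count with a brute-force search for one specific hash value. The input strings and the bit lengths are assumptions for illustration.

```python
import hashlib
import math
from typing import Tuple


def truncated_sha256(data: bytes, bits: int) -> int:
    """First `bits` bits of SHA-256(data) as an integer. Truncating a real hash
    models a short, weak hash so the attack finishes quickly; the mathematics is
    the same for a full 256-bit output, just astronomically slower."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def birthday_collision(bits: int, seed: int = 0) -> Tuple[bytes, bytes, int]:
    """Birthday attack: hash distinct inputs and remember every output until one
    repeats. Returns (input_a, input_b, attempts). Inputs are derived from `seed`
    so the run is repeatable; a real attacker would use random or crafted inputs."""
    seen = {}
    attempts = 0
    while True:
        candidate = f"msg-{seed}-{attempts}".encode()
        attempts += 1
        h = truncated_sha256(candidate, bits)
        if h in seen:  # a different earlier input produced the same hash
            return seen[h], candidate, attempts
        seen[h] = candidate


def find_preimage(target: int, bits: int, seed: int = 1) -> Tuple[bytes, int]:
    """Brute force against one specific hash value, for comparison: expected
    work is about 2^bits attempts rather than 2^(bits/2)."""
    attempts = 0
    while True:
        candidate = f"pre-{seed}-{attempts}".encode()
        attempts += 1
        if truncated_sha256(candidate, bits) == target:
            return candidate, attempts


def expected_collision_attempts(bits: int) -> float:
    """Expected number of inputs until the first collision among 2^bits possible
    outputs: about sqrt(pi/2 * 2^bits), i.e. on the order of 2^(bits/2)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    a, b, n = birthday_collision(32)
    print(f"32-bit collision after {n} attempts (expected ~{expected_collision_attempts(32):.0f})")
    print(f"  {a!r} and {b!r} both hash to {truncated_sha256(a, 32):#010x}")
    target = truncated_sha256(b"secret", 16)
    c, m = find_preimage(target, 16)
    print(f"16-bit preimage after {m} attempts (expected ~{2**16})")
```

The point to take away is the comparison: finding a collision in a 32-bit hash costs about as much as finding a preimage for a 16-bit hash. A hash whose output is half as long as you think you need for preimage resistance offers no collision resistance worth the name.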

    ​Downgrade

    A downgrade attack forces a connection to use an older, less secure protocol or cipher. When a client and server connect they usually negotiate the protocol version and cipher suite; an attacker in the path (or a malicious client) manipulates that negotiation so the weakest option both sides still support is chosen, and then attacks that weaker option. The defence is to disable legacy versions and ciphers on both ends rather than merely preferring newer ones.

    ​Replay/playback

    A replay attack captures a previously valid network communication and repeats or delays it. Repeating a captured authentication exchange or signed request can let an attacker act as the original user or obtain the server's response without knowing any secret; delaying or withholding the traffic can have the same effect as a denial of service. Timestamps, sequence numbers and single-use nonces bound into the message's signature are the usual countermeasures.
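The exchange described above, as an added example that is not part of the original text: a client signs each request with an HMAC that also covers a random nonce and a timestamp, a naive server that checks only the signature accepts a captured request a second time, and a hardened server rejects it as a replay (or, if delivered late, as stale). The shared key, the freshness window and the request bodies are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

# Assumed pre-shared key for the example; real systems derive per-session keys.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
FRESHNESS_WINDOW = 30.0  # seconds during which a request remains acceptable


def _mac(msg: Dict[str, str], key: bytes) -> str:
    """HMAC over a canonical encoding of every field except the MAC itself."""
    unsigned = {k: v for k, v in msg.items() if k != "mac"}
    canonical = json.dumps(unsigned, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def _mac_valid(msg: Dict[str, str], key: bytes) -> bool:
    return hmac.compare_digest(_mac(msg, key), msg.get("mac", ""))


def make_request(body: str, key: bytes, now: float) -> Dict[str, str]:
    """Client side: include a random single-use nonce and a timestamp and cover
    both with the HMAC, so an attacker cannot refresh them on a captured request."""
    msg = {"nonce": secrets.token_hex(16), "ts": f"{now:.0f}", "body": body}
    msg["mac"] = _mac(msg, key)
    return msg


class NaiveServer:
    """Checks integrity only. A captured request is still correctly signed,
    so a replay is accepted exactly like the original."""

    def __init__(self, key: bytes):
        self.key = key

    def handle(self, msg: Dict[str, str], now: float) -> Tuple[bool, str]:
        if not _mac_valid(msg, self.key):
            return False, "bad mac"
        return True, "accepted"


class ReplaySafeServer:
    """Adds a freshness window and a nonce cache. Anything older than the window
    is rejected as stale, so the cache only has to remember nonces for
    FRESHNESS_WINDOW seconds and stays bounded."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen: Dict[str, float] = {}  # nonce -> timestamp carried in the request

    def handle(self, msg: Dict[str, str], now: float) -> Tuple[bool, str]:
        if not _mac_valid(msg, self.key):
            return False, "bad mac"  # tampered body, nonce or timestamp
        ts = float(msg["ts"])
        if abs(now - ts) > FRESHNESS_WINDOW:
            return False, "stale"    # delayed delivery or a very old replay
        self.seen = {n: t for n, t in self.seen.items() if now - t <= FRESHNESS_WINDOW}
        if msg["nonce"] in self.seen:
            return False, "replay"   # fresh-looking, but already processed
        self.seen[msg["nonce"]] = ts
        return True, "accepted"


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    captured = make_request("transfer 100 to account 42", SHARED_KEY, t0)
    naive, safe = NaiveServer(SHARED_KEY), ReplaySafeServer(SHARED_KEY)
    print("naive, original:", naive.handle(captured, t0))
    print("naive, replayed:", naive.handle(captured, t0 + 5))
    print("safe,  original:", safe.handle(captured, t0))
    print("safe,  replayed:", safe.handle(captured, t0 + 5))
    print("safe,  delayed: ", safe.handle(captured, t0 + 120))
```

The window requires roughly synchronized clocks; a generous window lengthens the time an attacker has to replay, a tight one causes false rejections, and the nonce cache is what closes the gap inside whatever window you choose.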

    ​Weak implementation

    There are many cryptographic algorithms and protocols that can be used to encrypt data and traffic. Many older ones have known weaknesses, and even a sound algorithm can be undermined by a weak implementation (poor random number generation, bad key handling, accepting weak parameters). For example, PPTP is a VPN protocol that still functions for VPN connectivity but qualifies as a weak implementation of a VPN: its MS-CHAPv2 authentication can be broken, so it should not be relied on to protect sensitive traffic.

    ​2.3 Explain threat actor types and attributes

    So far, we’ve looked at the types of malware and the types of attacks. Now, we are going to look at the type of people engaging in attacks. On the exam, you need to be able to identify the type of attacker based on the methods and level of sophistication in a given scenario.

    ​Type of actors

    The following are the common actors in an attack:

    ​Script kiddies

    Script kiddies are inexperienced attackers. They use existing scripts and tools written by others to attack systems and often lack the ability to create their own or even understand how the attack works, so they typically target old, well-known vulnerabilities.

    ​Hacktivist/hacktivism

    A hacktivist uses an attack to promote a political message or social agenda. Typical techniques are website defacement, denial of service and leaking data to embarrass the target; the damage is often to reputation rather than to finances, but leaked data can still cause serious harm.

    ​Organized crime

    Groups of attackers can come together with a common target or goal as part of an organized, financially motivated effort. Existing organized crime rings are also turning to phishing, ransomware and other hacking as another way to produce income.

    ​Nation states/APT

    Countries across the world are increasingly active in attacking other countries' governments and companies. Advanced persistent threats (APTs) are long-running, stealthy campaigns, often directed or sponsored by a nation state. These attacks are sophisticated and dangerous because of the funding, skilled personnel and time that can be put behind them, and because they aim to stay undetected inside a target for months or years.

    ​Insiders

    One of the most damaging threats to networks and systems comes from insiders (employees, contractors, vendors). Insiders are legitimately granted access to resources or facilities and then abuse that trust by using the access maliciously or carelessly, which bypasses the perimeter controls aimed at outsiders.

    ​Competitors

    Organizations can use phishing or other attacks to find information about a competitor and its products, such as planned features, release dates or other inside information that could help them compete against the target.

    ​Attributes of actors

    To help figure out the type of actor in a given scenario, you can use information about how they operate:

    ​Internal/external

    The level of access that an attacker has can greatly increase their chances of being successful. External hackers typically have the benefit of being anonymous but must gain access through an attack, which can be difficult and comes with other risks. Internal attackers are trusted by an organization so they have the benefit of things like door badges to buildings, physical and wireless access to the network, and access to resources.

    ​Level of sophistication

    The level of sophistication of an attack can help determine who might be behind it. For example, targeting an old, known exploit with simple scripts or tools might indicate a script kiddie. However, exploiting previously unknown (zero-day) vulnerabilities with custom tooling indicates a more sophisticated attack, which might point to organized crime or a nation state.

    ​Resources/funding

    Although not all attacks are financially motivated, money can play a role in an attack. The more money and resources an attacker can put into an attack, the more sophisticated it can be, for example by buying zero-day exploits or sustaining a campaign for months.

    ​Intent/motivation

    The motivation behind attacks can vary. If an attack is by an internal actor, it could be an act of sabotage or revenge, or be related to a dislike of the organization. External actors are typically motivated by money, but they could also be part of a hacktivist organization, or attack because they believe the target is unethical or immoral.

    ​Types of Intelligence

    There are two primary types of intelligence:

    ​Open-source intelligence (OSINT)

    OSINT is gathered from publicly available sources, such as public records, DNS and WHOIS data, company websites, job postings or social media.

    ​Closed-source intelligence (CSINT)

    CSINT is gathered from sources that are not publicly available, such as commercial threat-intelligence feeds, information shared within a closed industry group, or covert collection.

    ​2.4 Explain penetration testing concepts

    Penetration testing (pen testing) tests the security controls of an organization by attempting to defeat them the way a real attacker would, under agreed rules of engagement. Such tests are often performed by outside companies, sometimes with no inside knowledge of the network. Here are the pen testing concepts you should be familiar with:

    ​Active reconnaissance

    Active reconnaissance interacts directly with the target, for example by port scanning, grabbing service banners, or sending unexpected input to purposely return errors and other information about the system. Because it touches the target, it can be detected and logged.

    ​Passive reconnaissance

    Passive reconnaissance gathers information about the target without interacting with its network or resources, such as information about the physical building or the names and roles of the personnel who work there. Attackers often turn to social media, public records and internet search engines (OSINT) to gain this information.

    ​Pivot

    A pen tester might need to reach different networks or hosts to continue the test, but be blocked by network segmentation, firewalls or other logical disconnects between devices. Using an already compromised host as a stepping stone to reach those otherwise unreachable systems is called pivoting.

    ​Initial exploitation

    Pen testing often uses multiple exploits to gain access to the target resources. The initial exploitation aims to gain access to the network. Then, additional exploits or techniques might be required to escalate privileges or move around the network.

    ​Persistent

    In pen testing, persistence means keeping access to a compromised system after the initial exploitation, for example by creating an account, installing a backdoor or scheduled task, or capturing credentials, so the tester can return later without exploiting the system again and can show whether defenders would notice. Testing over time matters too: a web server might appear secure during the first pass of a pen test but then not get patched for two months, and a follow-up test will reveal the missing patches and the gap in the organization's procedures.

    ​Escalation of privilege

    Privilege escalation is one of the most common methods of gaining access to resources. Attackers work their way up from an account with few rights (a guest or ordinary user) to an account with complete administrative access (vertical escalation), or sideways into other users' accounts at the same level (horizontal escalation).

    ​Black box

    Black box pen testing mimics what a real attacker faces: The black box tester has no knowledge of the target system and is not provided with any additional information about the organization, architecture or goals. Therefore, black box pen testing relies heavily on public-facing resources and information. If the tester is
