Phishing
A social engineering attack that involves impersonation of a legitimate organization, often delivered by email or text.
Vishing
A phishing attack conducted over a phone call.
Smishing/SMS-shing
A phishing attack conducted with SMS messages.
Spear phishing
A targeted phishing attack designed to deceive a specific person or group by using personal information.
Whaling
A phishing attack targeting senior-level executives, such as CEOs or CFOs.
Shoulder surfing
A social engineering attack involving someone looking over a target's shoulder to see sensitive information.
Tailgating
A security breach method where an unauthorized person follows an authorized individual into a secured area, WITHOUT the authorized person’s knowledge.
Piggybacking
A security breach method similar to tailgating, where an authorized person knowingly lets an unauthorized individual into a secured area, often without realizing that the person is unauthorized.
Impersonation
Pretending to be someone else to gain unauthorized access to systems or sensitive information.
Dumpster diving
Searching through trash or recycling bins to find discarded items that may provide personal information.
Evil twin
A spoofing attack where an attacker creates a fraudulent Wi-Fi access point that appears to be legitimate. Use encryption (HTTPS and a VPN) to mitigate.
Denial of service (DoS)
A cyber attack where an attacker overloads a service to cause it to fail.
Distributed denial of service (DDoS)
A type of DoS attack using multiple compromised systems to flood a target with traffic.
Zero-day Attacks
Attacks that exploit unpatched vulnerabilities in software before a fix is released.
Common Vulnerabilities and Exposures Database (CVE)
Database maintained by the MITRE Corporation that tracks publicly known vulnerabilities and the operating systems/software they affect.
On-path attack
An attack where an attacker intercepts communication between two devices. The attacker can read and alter the data sent between the two devices.
ARP poisoning attack
Occurs when an attacker manipulates the Address Resolution Protocol (ARP) cache in a network, allowing them to intercept traffic intended for a different device by associating their MAC address with the IP address of the target device.
Brute-force attack
A password attack that attempts every possible combination of characters to find the correct password.
Dictionary attack
A password attack using a predefined list of words and phrases (a wordlist) to guess the user's password.
Insider Threats
Risks that originate from within an organization due to employees or contractors exploiting their access.
SQL injection
A security attack that manipulates a database by using crafted SQL queries.
Cross-site scripting (XSS)
An injection attack where malicious scripts are inserted into trusted websites.
Non-compliant systems
Systems that fail to adhere to established security controls or standards.
Unpatched systems
Systems that are missing relevant OS manufacturer patches or software updates.
Unprotected systems
Systems missing crucial security components such as antivirus or a firewall. Mitigation requires balancing application troubleshooting (which often calls for temporarily disabling security components) against the need to keep security controls in place.
End of life (EOL)
A point when a manufacturer stops providing updates for software, leaving it vulnerable.
Bring your own device (BYOD)
A policy allowing employees to use personal devices for work, raising security concerns.
Spoofing
A fraudulent practice where an attacker disguises themselves as a legitimate entity, often through techniques like email spoofing, MAC address spoofing, or IP address spoofing.