Threat Vectors & Attack Surfaces

18 Terms

1

An attack surface is the sum of all the potential points (vulnerabilities) through which an attacker can interact with or compromise a system or network, indicating the overall exposure to potential threats. Examples of attack surfaces can be all software, hardware, and network interfaces with known security flaws. A threat vector represents the method or means through which a cyber threat is introduced or delivered to a target system. It outlines the pathway or avenue used by attackers to exploit vulnerabilities. Common threat vector types include phishing emails, malware, drive-by downloads, and social engineering techniques.

True

2

Which of the answers listed below refers to an email-based threat vector?

  • Spoofing

  • Phishing

  • BEC attacks

  • Malicious link

  • Malware attachments

3

Which of the following terms refers to a threat vector commonly associated with SMS-based communication?

Smishing 

4

Which of the answers listed below refers to an example of a potential threat vector in IM-based communication?

  • Phishing attack

  • Malware distribution

  • Spoofing attack

  • Eavesdropping

  • Account hijacking

  • Malicious link/attachment

5

Which of the answers listed below refers to an example of a potential threat vector in IM-based communication?

  • Phishing attack

  • Malware distribution

  • Spoofing attack

  • Eavesdropping

  • Account hijacking

  • Malicious link/attachment

6

Which of the following answers refer to examples of image-based threat vectors? (Select 3 answers)

  • Steganography

  • Image spoofing (deepfakes)

  • Malware-embedded images

7

Which of the answers listed below refers to a file-based threat vector?

  • PDF exploits

  • Malicious macros in documents

  • Compressed files (ZIP, RAR)

  • Malicious scripts in web pages

  • Infected images

  • Malicious executables

8

Which of the following answer choices is an example of a threat vector type that is typical for voice communication?

Vishing

9

Examples of threat vectors directly related to the use of removable devices include: (Select 2 answers)

  • Malware delivery

  • Data exfiltration

10

Which of the answers listed below refer(s) to client-based software threat vector(s)? (Select all that apply)

  • Drive-by download via web browser

  • Malicious macro

  • USB-based attack

  • Infected executable file

  • Malicious attachment in email application

11

Which of the following answers refer to agentless software threat vectors? (Select 2 answers)

  • Network protocol vulnerability

  • Packet sniffing

12

Exploiting a known vulnerability is a common threat vector for:

Unsupported systems/apps

13

Which of the wireless technologies listed below are considered potential threat vectors and should be avoided due to their known vulnerabilities? (Select all that apply)

  • WPS

  • WPA

  • WPA2

  • WEP

14

Which of the following answers refers to a threat vector that is characteristic only of wired networks?

Cable tapping

15

Examples of threat vectors related to Bluetooth communication include: bluesmacking (a type of DoS attack that targets Bluetooth devices by overwhelming them with excessive traffic), bluejacking (the practice of sending unsolicited messages or data to a Bluetooth-enabled device), bluesnarfing (gaining unauthorized access to a Bluetooth device and data theft), and bluebugging (gaining remote control over a Bluetooth device).

True

16

Which of the answers listed below refers to the most probable cause of unauthorized access resulting from the exploitation of a specific network entry point?

Open service ports

17

The importance of changing default usernames and passwords can be illustrated by the example of certain network devices (such as routers), which are often shipped with default and well-known admin credentials that can be looked up on the web. Leaving the default credentials unchanged expands the attack surface by providing an easy entry point for unauthorized access.

True

18

Which of the following answers refer to common threat vectors that apply to MSPs, vendors, and suppliers in the supply chain?

  • Propagation of malware

  • Social engineering techniques