Domain 2: Threats, Vulnerabilities, and Mitigations Capstone Review

Domain 2 – Full Cross-Topic Review: Threats, Vulnerabilities, and Mitigations

Security+ Domain 2 — Threats, Vulnerabilities, and Mitigations Capstone Review (20 Questions)

This review integrates:

  • Threat Actors and Motivations
  • Attack Vectors and Surfaces
  • Social Engineering Techniques
  • Vulnerability Categories (software, hardware, configuration, third-party)
  • Malware Types and Indicators
  • Application, Network, and Cryptographic Attacks
  • Mitigation Techniques and Countermeasures

Expect questions that require identifying the threat actor, the vector, and the appropriate mitigation together.


Question 1

A financially motivated threat actor sends targeted emails to the accounts payable department. The emails impersonate the CEO and request urgent wire transfers to a new vendor account.

What type of attack is this, and what is the MOST effective mitigation?

A. Phishing; deploy email encryption for all outbound messages
B. Business email compromise (BEC) via spear phishing; implement out-of-band verification procedures for financial requests
C. Whaling; block all external email to the accounts payable department
D. Vishing; require multi-factor authentication on email accounts

Answer & reasoning

Correct: B

This is a BEC attack using spear phishing (targeted at specific individuals impersonating a known authority). The most effective mitigation is an out-of-band verification process (e.g., calling the CEO on a known number) because technical controls alone cannot prevent well-crafted impersonation. Blocking all external email is operationally infeasible, and MFA does not prevent impersonation from external accounts.

Question 2

A security analyst reviews logs and discovers that an attacker exploited a known vulnerability in an unpatched web server to install a web shell. The attacker used the web shell to pivot to internal database servers.

Which combination describes the initial vector and the secondary technique?

A. Zero-day exploit for initial access; lateral movement via web shell
B. Social engineering for initial access; privilege escalation via web shell
C. Known vulnerability exploitation for initial access; lateral movement via web shell
D. Supply chain attack for initial access; data exfiltration via web shell

Answer & reasoning

Correct: C

The scenario explicitly states a known (not zero-day) vulnerability on an unpatched server. The web shell then enabled lateral movement to internal database servers. There is no social engineering or supply chain component described in this scenario.

Question 3

An employee receives a phone call from someone claiming to be from the IT help desk. The caller asks the employee to install a "security update" by downloading a file from a URL. The file installs a Remote Access Trojan (RAT).

What TWO attack categories does this scenario illustrate?

A. Vishing and malware deployment
B. Smishing and ransomware
C. Phishing and rootkit installation
D. Pretexting and keylogger installation

Answer & reasoning

Correct: A

Vishing (voice phishing) is social engineering conducted over the phone. The caller used a pretext (IT help desk) to deliver malware (RAT). While pretexting is involved, the primary social engineering vector is the phone call (vishing). The malware is a RAT, not a rootkit, ransomware, or keylogger.

Question 4

A vulnerability scan reveals that a production application accepts user input directly into SQL queries without parameterization. The development team argues the application is behind a WAF, so no fix is needed.

What is the BEST response?

A. Require input validation and parameterized queries regardless of WAF presence
B. Accept the risk since the WAF provides sufficient protection
C. Disable the WAF to test if the vulnerability is exploitable
D. Replace the SQL database with a NoSQL database to eliminate injection risk

Answer & reasoning

Correct: A

A WAF is a compensating control that can be bypassed. The root vulnerability (lack of parameterized queries) must be fixed at the application level. Defense in depth requires addressing vulnerabilities at every layer, not relying on a single control. NoSQL databases are also susceptible to injection attacks.
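The defect and the fix side by side, as an added example that is not part of the original review. It uses Python's built-in sqlite3 module with a constructed two-row users table and a constructed malicious input; the function and table names are assumptions for the demonstration. The allowlist check at the end is the "input validation" half of answer A, layered on top of parameterization rather than replacing it.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory table standing in for the production database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, api_token TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "token-alice"), ("bob", "token-bob")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The defect from the question: the user-supplied value is spliced into
    the SQL text, so quote characters in it change the query's meaning."""
    query = f"SELECT username, api_token FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the value travels as a bound parameter. The database never
    parses it as SQL, whatever characters it contains."""
    query = "SELECT username, api_token FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def is_valid_username(username):
    """Allowlist validation as an additional layer: accept only the characters
    a username is expected to contain rather than trying to strip bad ones."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None


if __name__ == "__main__":
    conn = build_db()
    # Constructed malicious input: a quote that closes the literal plus a tautology.
    injected = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, injected))       # every row leaks
    print("parameterized:", lookup_parameterized(conn, injected))  # no match
    print("allowlist accepts it:", is_valid_username(injected))    # False
```

Run it as a script to see both lookups on the same input: the string-built query returns every row, the parameterized query returns nothing, and the allowlist rejects the input before it reaches the database at all. A WAF sitting in front would be a third layer, not a substitute for either of these.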

Question 5

An advanced persistent threat (APT) group targets a defense contractor. The attackers compromise a software vendor's update mechanism and inject malicious code into a routine patch distributed to the contractor.

What type of attack vector is this?

A. Watering hole attack
B. Supply chain attack
C. Drive-by download
D. On-path (man-in-the-middle) attack

Answer & reasoning

Correct: B

Supply chain attacks compromise a trusted third-party vendor or their distribution mechanism to reach the ultimate target. The attackers did not compromise a website the target visits (watering hole), did not intercept traffic (on-path), and did not exploit a browser vulnerability (drive-by). Supply chain attacks are a hallmark of nation-state APT groups.

Question 6

A company discovers that ransomware has encrypted file servers across three departments. Investigation reveals the ransomware entered through a macro-enabled email attachment opened by a single user. The malware spread via SMB shares with weak permissions.

What mitigation would have been MOST effective at preventing the spread?

A. Full-disk encryption on all workstations
B. Stronger email encryption between internal users
C. Implementing a SIEM to detect the encryption activity
D. Network segmentation and least privilege file share permissions

Answer & reasoning

Correct: D

The ransomware spread via SMB shares with weak permissions across departments. Network segmentation would contain the blast radius, and least privilege permissions would limit the malware's ability to encrypt shares. Full-disk encryption protects data at rest from theft, not from ransomware. A SIEM detects but does not prevent spread. Email encryption is irrelevant to lateral movement.

Question 7

A security analyst notices that a workstation is making DNS queries to domains with unusually long, randomized subdomains at regular intervals. The workstation shows no other signs of compromise.

What does this activity MOST likely indicate?

A. The workstation is performing legitimate software update checks
B. The DNS cache is corrupted and generating malformed queries
C. DNS tunneling is being used for command-and-control or data exfiltration
D. A brute-force attack against the DNS server is in progress

Answer & reasoning

Correct: C

Regular DNS queries with long, random-looking subdomains are a classic indicator of DNS tunneling. Attackers encode data in DNS queries to bypass firewalls that allow DNS traffic. This technique is used for C2 communication and data exfiltration. Legitimate software updates do not generate randomized subdomain patterns.
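A small detector for the three indicators named above (long labels, randomized content, regular timing), as an added example that is not part of the original review. The log format, the domain names, the thresholds and the client address are all constructed for the demonstration; the hex labels are built so that they have the near-maximal per-character entropy a real encoded payload would show.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed DNS query log (not from the page): "<ISO timestamp> <client IP> <name>".
# The exfil-example.net labels are hex blobs of the kind a tunnelling client emits,
# sent every 30 seconds; the other names are ordinary host lookups.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 www.example.com
2024-05-01T10:00:10 10.0.0.5 update.vendor-example.com
2024-05-01T10:00:30 10.0.0.5 3a7f1c9e2b8d4605f6e1d2c3b4a59078.exfil-example.net
2024-05-01T10:01:00 10.0.0.5 9c4e0b2d6f8a1357d17b3f5a9e0c2468.exfil-example.net
2024-05-01T10:01:30 10.0.0.5 e5b0a8f3c7d192647a2c4e6f8b0d1395.exfil-example.net
2024-05-01T10:01:45 10.0.0.5 cdn.vendor-example.com
2024-05-01T10:02:00 10.0.0.5 1f3d5b7a9c0e2468b8d6f4a2c0e97531.exfil-example.net
2024-05-01T10:02:30 10.0.0.5 6e8c0a2f4d1b3579a1b2c3d4e5f60789.exfil-example.net
"""


def shannon_entropy(label):
    """Bits per character. Hex-encoded payload labels score close to 4.0;
    ordinary host labels such as "www" or "update" score well below 3."""
    if not label:
        return 0.0
    n = len(label)
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def analyze(log_text, min_queries=5, min_label_len=20, min_entropy=3.0, max_interval_cv=0.25):
    """Group queries by (client, registered domain) and score each group on the
    three indicators from the question: long labels, randomness, regular timing."""
    groups = defaultdict(list)
    for raw in log_text.strip().splitlines():
        ts, client, qname = parse_line(raw)
        labels = qname.split(".")
        groups[(client, ".".join(labels[-2:]))].append((ts, labels[0]))

    report = {}
    for key, entries in groups.items():
        entries.sort()
        times = [t for t, _ in entries]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Coefficient of variation of the inter-query gap: 0 means perfectly periodic.
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            interval_cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        else:
            interval_cv = None
        stats = {
            "queries": len(entries),
            "max_label_len": max(len(lbl) for _, lbl in entries),
            "mean_entropy": statistics.mean([shannon_entropy(lbl) for _, lbl in entries]),
            "interval_cv": interval_cv,
        }
        stats["suspicious"] = (
            stats["queries"] >= min_queries
            and stats["max_label_len"] >= min_label_len
            and stats["mean_entropy"] >= min_entropy
            and interval_cv is not None
            and interval_cv <= max_interval_cv
        )
        report[key] = stats
    return report


if __name__ == "__main__":
    for (client, domain), stats in analyze(SAMPLE_LOG).items():
        print(client, domain, stats)
```

The thresholds are deliberately simple; in production the same three features would feed a baseline per client, and the registered-domain grouping would use a public-suffix list rather than the last two labels. Note that the benign vendor domain has short labels and irregular timing and is not flagged even though it is queried repeatedly, which is the distinction the question is testing.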

Question 8

An insider threat assessment reveals that a disgruntled employee with database administrator privileges has been accessing customer records outside of normal business hours. No data exfiltration has been confirmed.

What is the MOST appropriate immediate action?

A. Terminate the employee immediately
B. Confront the employee about the access patterns
C. Encrypt the customer database to prevent further access
D. Implement enhanced monitoring and restrict access to least privilege while investigating

Answer & reasoning

Correct: D

With no confirmed exfiltration, immediate termination could destroy evidence or trigger destructive action. Enhanced monitoring preserves evidence, while restricting access reduces risk. Confronting the employee may cause evidence destruction. Encryption does not prevent access by a DBA with legitimate credentials.

Question 9

A penetration test reveals that an application is vulnerable to cross-site scripting (XSS). The tester demonstrates stealing session cookies from authenticated users by injecting JavaScript into a forum post.

What type of XSS is this, and what is the PRIMARY mitigation?

A. Reflected XSS; implement HTTPS encryption
B. Stored XSS; implement output encoding and Content Security Policy headers
C. DOM-based XSS; disable JavaScript in all browsers
D. Reflected XSS; require multi-factor authentication

Answer & reasoning

Correct: B

The JavaScript is injected into a forum post and persists (stored XSS), affecting all users who view it. Output encoding prevents browsers from executing injected scripts, and CSP headers restrict which scripts can execute. HTTPS does not prevent XSS, MFA does not prevent cookie theft via XSS, and disabling JavaScript is not operationally feasible.
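The two mitigations in the answer, plus the cookie attribute that limits the damage if a script does slip through, as an added example that is not from the original review. It uses only the Python standard library; the forum post, the function names and the page template are constructed for the demonstration, and the `alert(1)` payload is a placeholder for whatever script a stored post might carry.

```python
import html
import secrets

# Constructed forum post containing a script injection attempt (example input, not from the page).
MALICIOUS_POST = 'Great thread! <script>alert(1)</script> <b onmouseover="alert(2)">hover me</b>'


def render_unsafe(post):
    """The defect: the stored post is concatenated into the page unchanged,
    so the browser parses the injected tags as part of the document."""
    return f'<div class="post">{post}</div>'


def render_safe(post):
    """Output encoding: every character with meaning in HTML becomes an entity,
    so the browser displays the text instead of executing it."""
    return f'<div class="post">{html.escape(post, quote=True)}</div>'


def csp_header(nonce):
    """Content Security Policy that only runs scripts carrying the per-response
    nonce; an injected <script> has no nonce and is refused even if encoding fails."""
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'"
        )
    }


def session_cookie_header(session_id):
    """HttpOnly keeps the session cookie out of document.cookie, so a script that
    does execute cannot read it; Secure and SameSite limit other exposure."""
    return {"Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"}


def contains_active_html(rendered_post):
    """Crude check used only to contrast the two renderers: does any raw tag
    opener survive inside the post body?"""
    lowered = rendered_post.lower()
    inner = lowered.split('<div class="post">', 1)[1].rsplit("</div>", 1)[0]
    return "<" in inner


def respond(post):
    """Assemble one response the way the fixed application would: fresh nonce,
    CSP and cookie headers, legitimate script tagged with the nonce, encoded post."""
    nonce = secrets.token_urlsafe(16)
    headers = {**csp_header(nonce), **session_cookie_header("example-session-id")}
    body = f'<script nonce="{nonce}">/* legitimate page script */</script>' + render_safe(post)
    return headers, body


if __name__ == "__main__":
    print(render_unsafe(MALICIOUS_POST))
    print(render_safe(MALICIOUS_POST))
    print(respond(MALICIOUS_POST)[0])
```

Output encoding is the primary fix because it removes the injection; the nonce-based CSP is the safety net for the template that someone forgets to encode, and HttpOnly is why the stolen-cookie outcome in the question does not follow automatically from a successful injection.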

Question 10

A nation-state threat actor deploys a zero-day exploit against a critical infrastructure organization. The exploit targets a vulnerability in industrial control system (ICS) firmware for which no patch exists.

What mitigation strategy is MOST appropriate while waiting for a vendor patch?

A. Disconnect all ICS systems from the network permanently
B. Apply a generic firmware update from a third-party vendor
C. Implement network isolation, enhanced monitoring, and compensating controls around the vulnerable systems
D. Ignore the threat until the vendor releases an official patch

Answer & reasoning

Correct: C

For zero-day vulnerabilities in ICS environments, network isolation reduces the attack surface, enhanced monitoring enables detection, and compensating controls (access restrictions, additional authentication) reduce exploitability. Permanent disconnection may not be operationally feasible, third-party firmware creates new risks, and ignoring a nation-state targeting critical infrastructure is unacceptable.

Question 11

An attacker creates a rogue Wi-Fi access point with the same SSID as a popular coffee shop. Customers connect automatically, and the attacker intercepts their unencrypted web traffic.

What attack type is this, and what would protect the users?

A. Evil twin attack; users should verify they are using a VPN on public networks
B. Bluetooth sniffing; users should disable Bluetooth
C. Deauthentication attack; the coffee shop should implement WPA3
D. ARP poisoning; users should use static ARP entries

Answer & reasoning

Correct: A

An evil twin creates a fraudulent access point mimicking a legitimate one. VPN usage encrypts all traffic between the user and the VPN endpoint, preventing the attacker from reading intercepted data. This is not a Bluetooth attack, not a deauthentication attack (though those may be used in conjunction), and not ARP poisoning.

Question 12

A security team discovers that a legacy application stores passwords using MD5 without salting. The application serves 50,000 active users.

What is the PRIMARY vulnerability, and what is the recommended mitigation?

A. MD5 is an encryption algorithm that can be decrypted; switch to AES
B. MD5 is too slow for 50,000 users; switch to a faster hashing algorithm
C. The vulnerability is the number of users, not the algorithm; reduce the user count
D. Unsalted MD5 hashes are vulnerable to rainbow table and collision attacks; migrate to bcrypt or Argon2 with unique salts

Answer & reasoning

Correct: D

MD5 is a hashing algorithm (not encryption) that is cryptographically broken. Without salts, identical passwords produce identical hashes, making them vulnerable to precomputed rainbow table attacks. Bcrypt and Argon2 are purpose-built password hashing functions with built-in salting and configurable work factors. MD5 is actually too fast for password hashing, not too slow.
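Why unsalted MD5 fails and what the replacement looks like, as an added example that is not part of the original review. The wordlist and user passwords are constructed. Because bcrypt and Argon2 are not in the Python standard library, `hashlib.scrypt` (another salted, memory-hard password KDF) stands in for them here; that substitution is this example's choice, not the page's recommendation.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary an attacker precomputes (example data).
COMMON_PASSWORDS = ["password", "letmein", "Summer2024", "qwerty", "dragon"]

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # work factors; raise N as hardware improves


def md5_unsalted(password):
    """The legacy scheme from the question: fast, unsalted, same input -> same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """A precomputed hash -> password table (the principle behind a rainbow table).
    Built once, it works against every unsalted database."""
    return {md5_unsalted(w): w for w in words}


def recover_unsalted(stored_hash, table):
    return table.get(stored_hash)


def hash_password(password, salt=None):
    """Per-user random salt plus a slow, memory-hard KDF, so two users with the
    same password get different hashes and a precomputed table is useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored parameters and salt; compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    """Two users chose the same weak password. Returns
    (md5 hashes identical, password recovered from table, salted hashes differ)."""
    alice_md5, bob_md5 = md5_unsalted("letmein"), md5_unsalted("letmein")
    table = build_lookup_table(COMMON_PASSWORDS)
    alice_salted, bob_salted = hash_password("letmein"), hash_password("letmein")
    return (alice_md5 == bob_md5, recover_unsalted(alice_md5, table), alice_salted != bob_salted)


if __name__ == "__main__":
    print(demo())  # (True, 'letmein', True)
```

Storing the parameters in the hash string is what lets the work factor be raised later: verification reads N, r and p from each record, so old hashes keep verifying while new ones use the stronger setting. Migration for the 50,000 existing users is done at next login, when the cleartext password is briefly available to re-hash.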

Question 13

An attacker compromises a user's email account and monitors communications for several weeks before sending a carefully timed fraudulent invoice to the organization's vendor payment team.

What threat actor attribute does the extended monitoring period demonstrate?

A. Low sophistication and opportunistic motivation
B. High persistence and financial motivation with patience for maximum impact
C. Hacktivist ideology with a desire for public attention
D. Script kiddie behavior using automated tools

Answer & reasoning

Correct: B

Extended monitoring before action demonstrates patience and persistence, hallmarks of a sophisticated financially motivated actor. Script kiddies and hacktivists typically seek quick results or public impact. The weeks-long observation period allows the attacker to understand payment processes and time the fraudulent invoice for maximum believability.

Question 14

A vulnerability assessment reveals that a server is running an outdated version of OpenSSL vulnerable to a known buffer overflow. The server hosts a customer-facing API.

Ranking by urgency, what should be done FIRST?

A. Schedule the patch for the next quarterly maintenance window
B. Migrate the API to a different programming language
C. Add the finding to the risk register and reassess in 90 days
D. Apply the OpenSSL patch immediately following emergency change procedures

Answer & reasoning

Correct: D

A known buffer overflow in a customer-facing service is a critical, actively exploitable vulnerability. Waiting for a quarterly window or 90-day reassessment exposes the organization to immediate risk. Emergency change procedures exist specifically for this situation. Migrating to a different language does not address the immediate vulnerability.

Question 15

An attacker uses a USB flash drive labeled "Q4 Salary Review" and drops it in the company parking lot. An employee plugs it into their workstation, executing a payload that establishes a reverse shell.

What attack techniques are combined in this scenario?

A. Tailgating and ransomware deployment
B. Shoulder surfing and trojan installation
C. Baiting (social engineering) and removable media as an attack vector
D. Dumpster diving and rootkit deployment

Answer & reasoning

Correct: C

Baiting exploits human curiosity by leaving an enticing item (labeled USB drive) for a target to find. The USB drive serves as the physical attack vector. This combines social engineering (baiting) with a removable media vector. There is no tailgating, shoulder surfing, or dumpster diving described in this scenario.

Question 16

A web application vulnerability scan identifies a server that responds to HTTP TRACE requests and returns full request headers including authentication cookies.

What vulnerability does this represent, and what is the fix?

A. SQL injection; implement parameterized queries
B. Server-side request forgery; implement allowlists for outbound requests
C. Directory traversal; restrict file path access
D. Cross-site tracing (XST); disable the TRACE HTTP method on the server

Answer & reasoning

Correct: D

HTTP TRACE reflects the full request back to the client, including headers with cookies and authentication tokens. This enables cross-site tracing attacks where an attacker can steal credentials. The fix is to disable the TRACE method on the web server, which serves no production purpose in most environments.
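A self-contained check for the finding, as an added example that is not part of the original review. It starts two tiny servers from Python's `http.server` on a loopback port, one that echoes TRACE requests the way a misconfigured server does and one with the method disabled, then sends a TRACE carrying a marker cookie to each and reports whether the marker comes back. The handler classes, the marker value and the check function are constructed for the demonstration.

```python
import http.client
import threading
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, HTTPServer


class QuietHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demonstration silent
        pass

    def do_GET(self):
        body = b"ok"
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class TraceEnabledHandler(QuietHandler):
    """Mirrors a server with TRACE left on: the request line and every header,
    cookies included, are reflected to the client as message/http."""
    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(HTTPStatus.OK)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class TraceDisabledHandler(QuietHandler):
    """No do_TRACE at all: http.server answers 501 Not Implemented and nothing
    from the request is reflected."""


def start_server(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def trace_reflects_cookie(host, port, canary="canary-session-id"):
    """The scanner's check: send TRACE with a marker cookie and look for the
    marker in the response body. Returns (status code, marker reflected?)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": f"session={canary}"})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, canary in body


def check(handler):
    srv = start_server(handler)
    try:
        return trace_reflects_cookie(*srv.server_address)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for handler in (TraceEnabledHandler, TraceDisabledHandler):
        print(handler.__name__, check(handler))
```

The same request is what a scanner sends to a real host; a 200 with the cookie echoed confirms the finding, and a 405 or 501 without reflection confirms the fix. On Apache httpd the fix is the `TraceEnable off` directive; on other servers it is whatever setting restricts the permitted methods.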

Question 17

After a phishing campaign compromises multiple user credentials, the security team discovers that the attacker used credential stuffing to access other corporate systems where employees reused passwords.

What combination of mitigations would BEST prevent this cascading compromise?

A. Email filtering and full-disk encryption
B. Security awareness training, unique password policies, and multi-factor authentication across all systems
C. Network segmentation and vulnerability scanning
D. Endpoint detection and response with automated patching

Answer & reasoning

Correct: B

This is a three-phase attack: phishing (prevented by awareness training), password reuse (prevented by unique password policies and password managers), and unauthorized access (prevented by MFA). Each mitigation addresses a different phase of the attack chain. Network segmentation and EDR are valuable but do not address the credential-based attack vector.

Question 18

A security analyst discovers that a compromised server is participating in a botnet. The server sends small amounts of data to a command-and-control server at random intervals using HTTPS.

Why is this communication pattern difficult to detect?

A. HTTPS traffic is always allowed through firewalls, and the small data volumes blend with legitimate traffic
B. Botnets only communicate during business hours
C. HTTPS traffic cannot be inspected by any security tool
D. Random intervals prevent the server from being identified on the network

Answer & reasoning

Correct: A

HTTPS on port 443 is typically allowed through firewalls, and the encrypted content prevents content inspection without TLS interception. Small data volumes at random intervals avoid triggering volume-based or timing-based anomaly detection. HTTPS can be inspected via TLS inspection proxies, and botnets do not restrict communication to business hours.

Question 19

An organization's third-party code library contains a known vulnerability that was disclosed three months ago. The vendor has released a patch, but the development team has not applied it because it requires refactoring application code.

What type of vulnerability is this?

A. Zero-day vulnerability
B. Hardware vulnerability requiring firmware update
C. Known unpatched vulnerability due to operational constraints
D. Configuration vulnerability caused by default settings

Answer & reasoning

Correct: C

This is a known vulnerability with an available patch that remains unpatched due to operational constraints (refactoring effort). It is not a zero-day (patch exists), not hardware-related, and not a configuration issue. This scenario is extremely common and represents one of the highest-risk vulnerability categories because exploits are publicly known and patches are available but unapplied.

Question 20

During a tabletop exercise, the team discusses a scenario where an attacker performs ARP spoofing on the local network to redirect traffic through their machine, then uses a packet analyzer to capture credentials sent over unencrypted protocols.

What combination of mitigations addresses BOTH the network attack and the credential exposure?

A. Implementing dynamic ARP inspection (DAI) and encrypting all authentication traffic (TLS/HTTPS)
B. Deploying a SIEM and increasing password complexity requirements
C. Installing host-based firewalls and using WPA2 encryption
D. Enabling port security and implementing role-based access control

Answer & reasoning

Correct: A

DAI validates ARP packets against a trusted binding table, preventing ARP spoofing. Encrypting authentication traffic (TLS/HTTPS) ensures that even if traffic is intercepted, credentials remain protected. This addresses both the network manipulation (ARP spoofing) and the data exposure (cleartext credentials) described in the scenario.
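The binding-table check that DAI performs, modelled in a few lines as an added example that is not part of the original review and not switch firmware. The binding table, port names and ARP replies are constructed for the demonstration; the one rule implemented is the core of the mechanism: on an untrusted port, the sender IP/MAC pair must match the binding learned through DHCP snooping.

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding table, the source of truth DAI checks against
# (example data, not from the page): IP -> (MAC, VLAN, switch port).
BINDING_TABLE = {
    "10.0.10.1":  ("aa:bb:cc:00:00:01", 10, "Gi1/0/48"),  # default gateway via uplink
    "10.0.10.20": ("aa:bb:cc:00:00:20", 10, "Gi1/0/5"),
    "10.0.10.21": ("aa:bb:cc:00:00:21", 10, "Gi1/0/6"),
}
TRUSTED_PORTS = {"Gi1/0/48"}  # uplink to the router; DAI does not inspect trusted ports


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    vlan: int
    ingress_port: str


def inspect_arp(pkt, bindings=BINDING_TABLE, trusted=TRUSTED_PORTS):
    """Simplified model of dynamic ARP inspection: on untrusted ports the
    sender IP/MAC pair must match the binding learned from DHCP, otherwise drop."""
    if pkt.ingress_port in trusted:
        return "forward", "trusted port, not inspected"
    binding = bindings.get(pkt.sender_ip)
    if binding is None:
        return "drop", f"no binding for {pkt.sender_ip}"
    mac, vlan, port = binding
    if pkt.vlan != vlan or pkt.ingress_port != port or pkt.sender_mac.lower() != mac:
        return "drop", f"{pkt.sender_ip} is bound to {mac} on VLAN {vlan} port {port}"
    return "forward", "matches binding"


def process(packets):
    """Apply the check to a batch and return log-style lines a SIEM could ingest."""
    lines = []
    for pkt in packets:
        verdict, reason = inspect_arp(pkt)
        lines.append(f"DAI {verdict.upper()} vlan={pkt.vlan} port={pkt.ingress_port} "
                     f"sender={pkt.sender_ip}/{pkt.sender_mac}: {reason}")
    return lines


# Constructed traffic: a legitimate host, a gateway reply on the uplink, and an
# untrusted host claiming the gateway's IP (the spoofing attempt from the scenario).
SAMPLE_PACKETS = [
    ArpReply("10.0.10.20", "aa:bb:cc:00:00:20", 10, "Gi1/0/5"),
    ArpReply("10.0.10.1", "aa:bb:cc:00:00:01", 10, "Gi1/0/48"),
    ArpReply("10.0.10.1", "aa:bb:cc:00:00:99", 10, "Gi1/0/7"),
]

if __name__ == "__main__":
    for line in process(SAMPLE_PACKETS):
        print(line)
```

On a Cisco switch this logic corresponds to enabling DHCP snooping, turning on `ip arp inspection` for the VLAN, and marking the uplink with `ip arp inspection trust`; the drop lines are the events worth forwarding to the SIEM. The model stops the redirection; the second half of the answer (TLS for authentication traffic) is what keeps credentials unreadable if some other path still lets an attacker on the wire.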


Domain 2 Pattern Summary

In Security+ Domain 2:

  • Always trace the full attack chain: threat actor, vector, vulnerability, exploit, impact, and mitigation.
  • Social engineering answers require human-focused mitigations (training, verification procedures), not purely technical controls.
  • Known unpatched vulnerabilities are more commonly exploited than zero-days; patch urgency is driven by exposure and exploitability.
  • Mitigation must address the root cause, not just symptoms; a WAF does not replace secure coding.
  • Insider threats require monitoring and access restriction before confrontation or termination.
  • Attack indicators (DNS tunneling, beaconing, unusual access patterns) test your ability to recognize behavior, not just definitions.
  • If an answer only addresses one phase of a multi-phase attack, it is usually wrong.
  • If an answer proposes a single technical control for a problem that spans people, process, and technology, it is usually wrong.
