CompTIA Security+ Types of Attacks: Free Practice Questions + Study Guide

MB
Moussa BENALI
Senior Network & Security Engineer · 6+ years of experience designing and securing enterprise networks. CCNA, Security+, and AWS certified.
Verified for Security+ SY0-701 · Feb 2026

Social Engineering Attacks

Social engineering is the art of manipulating people into divulging confidential information or performing actions that compromise security. Rather than exploiting technical vulnerabilities, social engineering targets the human element - often the weakest link in any security chain. These attacks are heavily tested on the Security+ SY0-701 exam because they remain one of the most effective attack vectors in real-world breaches.

📝
Security+ Exam Note: Social engineering falls under Domain 2: Threats, Vulnerabilities, and Mitigations (22% of the SY0-701 exam). Expect scenario-based questions requiring you to identify the specific type of social engineering attack described. See the official CompTIA exam objectives for the full domain breakdown.

Phishing is the most common social engineering attack. It uses fraudulent emails, messages, or websites to trick victims into revealing credentials or installing malware. Several specialized variants exist:

  • Spear phishing - targeted phishing directed at a specific individual or organization, using personalized information to appear legitimate
  • Whaling - spear phishing that specifically targets high-level executives (CEO, CFO, board members)
  • Vishing - voice phishing conducted over phone calls, often impersonating IT support or bank representatives
  • Smishing - phishing via SMS text messages, frequently containing malicious links or urgent requests

Beyond phishing, other social engineering techniques include:

  • Pretexting - creating a fabricated scenario (pretext) to gain a victim's trust and extract information, such as impersonating a vendor or auditor
  • Baiting - leaving malware-infected physical media (USB drives) in public areas or offering enticing downloads to lure victims
  • Tailgating - physically following an authorized person through a secured door or entrance without proper authentication
  • Shoulder surfing - observing a victim's screen or keyboard to capture passwords, PINs, or other sensitive data
💡
Tip: On the exam, pay close attention to scenario details. The difference between spear phishing and whaling is the target - whaling specifically targets C-level executives. If the scenario mentions a CFO or CEO, think whaling.

Malware Types

Malware (malicious software) is any software intentionally designed to cause damage, gain unauthorized access, or disrupt systems. Understanding the distinctions between malware types is critical for the Security+ exam, as questions often present a scenario and ask you to identify the type of malware involved.

Malware Type Self-Replicating? User Interaction? Key Characteristic
Virus Yes Required (host file) Attaches to legitimate files; activates when file is executed
Worm Yes Not required Spreads autonomously across networks by exploiting vulnerabilities
Trojan No Required Disguises itself as legitimate software; creates backdoors
Ransomware Varies Varies Encrypts files and demands payment for decryption key
Rootkit No Required Hides deep in the OS to maintain persistent, undetected access
Spyware No Varies Secretly monitors user activity and collects data
Keylogger No Varies Records keystrokes to capture credentials and sensitive input
Fileless malware No Varies Operates entirely in memory; leaves no files on disk
RAT No Required Remote Access Trojan; provides attacker full remote control
Key Concept: The critical distinction between a virus and a worm is that a virus requires a host file and user interaction to spread, while a worm is self-propagating and exploits network vulnerabilities to spread without user action. This is one of the most frequently tested concepts.

Network Attacks

Network attacks target the infrastructure that connects systems. Understanding these attacks and their indicators is essential for both the Security+ exam and real-world security operations.

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks aim to make a service unavailable by overwhelming it with traffic or exploiting resource limitations:

  • SYN flood - sends thousands of TCP SYN packets without completing the three-way handshake, exhausting the server's connection table
  • Amplification attacks - exploits protocols like DNS or NTP where a small request generates a much larger response, directed at the victim via IP spoofing
  • DDoS - coordinates DoS attacks from many compromised systems (botnet), making them far harder to mitigate

On-path attacks (formerly known as man-in-the-middle) involve an attacker positioning themselves between two communicating parties to intercept or alter traffic:

  • ARP spoofing/poisoning - sends falsified ARP messages to associate the attacker's MAC address with a legitimate IP address on the local network
  • DNS poisoning - corrupts the DNS cache to redirect domain name lookups to malicious IP addresses
  • Evil twin - a rogue wireless access point configured to mimic a legitimate network, tricking users into connecting through the attacker's AP
⚠️
Important: CompTIA now uses the term "on-path attack" instead of "man-in-the-middle" on the SY0-701 exam. Both terms describe the same concept, but use "on-path" in your exam answers.

Application Attacks

Application-layer attacks exploit vulnerabilities in software - particularly web applications. These attacks target flaws in how applications process user input, making secure coding practices and input validation critical defenses.

Injection attacks insert malicious code or commands into application inputs:

  • SQL injection (SQLi) - inserts malicious SQL statements into input fields to manipulate database queries, potentially exposing or modifying all stored data
  • Command injection - injects operating system commands through application inputs to execute arbitrary commands on the server

Cross-site scripting (XSS) injects malicious scripts into web pages viewed by other users. Three main types exist:

  • Stored (persistent) XSS - malicious script is permanently stored on the target server (e.g., in a database) and served to every user who views the affected page
  • Reflected XSS - malicious script is embedded in a URL and reflected off the server in error messages or search results; requires the victim to click a crafted link
  • DOM-based XSS - exploits client-side JavaScript to modify the page's DOM, executing the attack entirely in the browser without server involvement

Other critical application attacks include:

  • Cross-site request forgery (CSRF) - forces an authenticated user's browser to send forged requests to a vulnerable application, performing actions without the user's knowledge
  • Buffer overflow - sends more data than a buffer can hold, overwriting adjacent memory and potentially executing arbitrary code
  • Directory traversal - uses sequences like ../ to access files outside the intended directory, potentially exposing sensitive system files
💡
Tip: The primary defense against SQL injection is parameterized queries (prepared statements), not input filtering alone. While input validation helps, parameterized queries structurally prevent SQL code from being interpreted as part of the query.

Password Attacks

Password attacks attempt to recover or bypass authentication credentials. As the Security+ exam emphasizes, understanding these attack methods is essential for implementing proper defenses like account lockout policies, MFA, and strong hashing algorithms.

  • Brute force - systematically tries every possible character combination until the correct password is found; effective against short or simple passwords but extremely time-consuming for complex ones
  • Dictionary attack - uses a precompiled list of common passwords and words rather than trying all combinations; faster than brute force but limited to known passwords
  • Rainbow table attack - uses precomputed hash-to-password lookup tables to quickly reverse password hashes; defeated by salting (adding random data to each password before hashing)
  • Credential stuffing - takes username/password pairs leaked from one data breach and tries them against other services, exploiting password reuse across sites
  • Password spraying - tries a small number of commonly used passwords (e.g., "Password1!", "Summer2026!") against many accounts simultaneously, avoiding account lockout thresholds
Key Concept: Credential stuffing and password spraying are frequently confused. Credential stuffing uses known valid credentials from breaches against other services. Password spraying tries common passwords against many accounts on a single service. The distinction is critical for the exam.
Included with Exam Purchase

Get the Complete Security+ Study Guide

When you purchase a Security+ practice exam, you get full access to our comprehensive study guides covering every exam topic in depth - not just the free samples here.

All Security+ topics covered Detailed explanations 10 free preview pages
Create Free Account to Preview

CompTIA Security+ Attack Types Practice Questions

Test your understanding with these 5 expert-created questions. Each includes a detailed explanation to reinforce your learning.

Ready for More?

You've just covered Types of Attacks. Here's how to keep preparing for your CompTIA Security+:

Frequently Asked Questions

Are attack types heavily tested on the Security+ exam?

Yes, attack types are among the most heavily tested topics on the CompTIA Security+ SY0-701 exam. Domain 2 (Threats, Vulnerabilities, and Mitigations) accounts for 22% of the exam and directly covers attack types. Additionally, Domain 1 (General Security Concepts) at 12% and Domain 4 (Security Operations) at 28% also include scenario-based questions involving attack identification and response. Expect a significant number of performance-based and multiple-choice questions requiring you to identify, classify, and mitigate various attacks.

What is the difference between a virus and a worm?

The key difference is how they spread. A virus requires user interaction to propagate - it attaches itself to a legitimate file or program and only executes when the host file is opened or run. A worm, on the other hand, is self-replicating and can spread across networks automatically without any user interaction, typically by exploiting software vulnerabilities. Worms tend to cause more widespread damage more quickly because they don't depend on human action to propagate.

How can I protect against phishing attacks?

Protecting against phishing requires a layered approach: implement email filtering and anti-spam solutions, deploy DMARC/DKIM/SPF email authentication protocols, conduct regular security awareness training for employees, use multi-factor authentication (MFA) so stolen credentials alone are insufficient, enable URL filtering and web proxies to block known malicious domains, and establish clear procedures for verifying unusual requests (especially financial ones). No single control is sufficient - defense in depth is essential.

What Security+ domains cover attacks and threats?

Attacks and threats are primarily covered in Domain 2: Threats, Vulnerabilities, and Mitigations (22% of the SY0-701 exam). This domain explicitly covers threat actors, attack vectors, social engineering, malware types, network attacks, application attacks, and indicator analysis. However, attacks also appear across Domain 1: General Security Concepts (12%), Domain 3: Security Architecture (18%), and Domain 4: Security Operations (28%), particularly in scenario-based questions where you must identify and respond to attacks in context.