Domain 4 of 5 · Chapter 4 of 8

Security Terminology

Threat, vulnerability, exploit, risk

Picture an unpatched VPN gateway sitting on the public internet. The missing patch is the vulnerability, a weakness in a system, security procedure, internal control, or implementation. A ransomware crew that wants in is the threat, defined by NIST as any circumstance or event with the potential to adversely impact operations, assets, or individuals (FIPS 200 adds the threat-source angle: the potential for a threat-source to successfully exploit a vulnerability) (NIST glossary: threat[1]). The piece of code the crew runs to actually abuse that missing patch is the exploit. And the chance that this all happens, multiplied by what it would cost the business, is the risk. Network+ writes scenarios that name one of these and ask you to classify it, or names a defense and asks which term it addresses, so internalize the chain rather than memorizing four isolated definitions.

The relationship is causal and ordered: a threat uses an exploit to abuse a vulnerability, and the result is realized risk. A few sharp boundaries keep you out of the common traps. The vulnerability is the weakness (per NIST a "weakness ... that could be exploited or triggered by a threat source" (NIST glossary: vulnerability[2])), never the attacker and never the payload. The exploit is the action or tool, the crafted packet, the Metasploit module, the malicious SQL string, not the hole it goes through. A vulnerability with no threat able to reach it, or a threat with no vulnerability to land on, produces little realized risk, which is the whole point of segmentation and hardening.

Don't confuse the payload with the weakness

The single most common labeling error on this topic is calling the malicious input the vulnerability. A buffer overflow is a good check: the missing bounds-check in the code is the vulnerability; the oversized crafted input is the attack/exploit. If a stem hands you a piece of code, a packet, or a phishing message, that is the exploit or the attack, not the vulnerability.

Threatactor / eventVulnerabilitythe weaknessRealized risklikelihood x impactuses an exploitto abuseproduces
The causal chain: a threat uses an exploit to abuse a vulnerability, which produces realized risk.

Risk = likelihood x impact

Risk has a definition you can compute against, and it changes how you answer remediation questions. NIST defines risk as a measure of the extent to which an entity is threatened, and "typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs, and (ii) the likelihood of occurrence" (NIST glossary: risk[3]). In Network+ shorthand this is risk = likelihood x impact, and a closely related model is risk = threat x vulnerability: drive either factor toward zero and the realized risk follows.

That two-factor shape is why a single problem usually has more than one defensible answer. You can attack the likelihood side by removing the vulnerability (patch it, harden it, segment it so the threat cannot reach it) or by reducing the threat's opportunity. You can attack the impact side by adding redundancy and backups so an outage hurts less, or by transferring the financial blow with cyber-insurance. Both are legitimate risk reduction, and an exam item that offers one of each is testing whether you understand that risk is a product, not a single lever.

The four risk responses

You rarely erase risk; you choose how to handle what remains. The standard responses are avoid (stop doing the risky activity entirely), mitigate / reduce (apply controls to lower likelihood or impact, the usual network answer), transfer (shift the financial consequence to a third party such as an insurer), and accept (formally acknowledge a low or unavoidable risk and proceed). Whatever is left after your controls is residual risk, and accepting residual risk is a deliberate, documented decision rather than negligence. Watch for stems that imply you can reach zero risk; you cannot, and "accept the residual risk" is often the correct, mature answer.

Risklikelihood x impactLower likelihoodpatch, harden, segmentLower impactredundancy, backups, insuranceAvoidMitigateTransferAcceptFour risk responses
Risk is a product of two factors; you reduce it on either axis, then handle what is left with one of the four risk responses.

The CIA triad maps controls to goals

Every security control exists to protect at least one of three goals, and Network+ tests whether you can name which one. The CIA triad is Confidentiality, Integrity, and Availability.

Confidentiality is preserving authorized restrictions on access and disclosure (NIST glossary: confidentiality[4]). You enforce it with encryption (in transit and at rest) and access control. A packet sniffer reading a cleartext Telnet password is a confidentiality failure, and the fix is to encrypt the channel (use SSH instead of Telnet).

Integrity is guarding against improper modification or destruction, and NIST explicitly folds in non-repudiation and authenticity (NIST glossary: integrity[5]). You enforce it with cryptographic hashes (a checksum that changes if one bit changes) and digital signatures. An on-path attacker silently altering a file in transit is an integrity failure, detectable because the recomputed hash no longer matches.

Availability is ensuring timely and reliable access to and use of information (NIST glossary: availability[6]). You enforce it with redundancy, failover, load balancing, backups, and disaster recovery. A DDoS flood that knocks a web server offline is an availability failure, and the fix is capacity, filtering, and redundancy, not encryption.

When to map versus when to widen

Most stems want exactly one letter: pick the goal the incident violates or the control protects. Confidentiality breaks point to encryption or access control, integrity breaks point to hashing or signatures, availability breaks point to redundancy or DR. Some references extend the model with Authenticity (the data is genuinely from who it claims) and Non-repudiation (the sender cannot deny sending it); in CompTIA's model these live inside Integrity, so do not reach for a fourth letter unless the question explicitly introduces one.

CIA triadConfidentialityencryption, access controlIntegrityhashing, signaturesAvailabilityredundancy, backups, DRFails: sniffed password(use SSH not Telnet)Fails: altered transfer(hash mismatch detects)Fails: DDoS outage(add redundancy)
Each CIA goal pairs with its enforcing controls and a classic failure example.

AAA, attack surface, vector, and zero-day

A second cluster of vocabulary rounds out the topic, and each term has a sharp boundary the exam exploits.

AAA: three separate stages

AAA is Authentication, Authorization, and Accounting, and the trap is collapsing the first two. Authentication answers who are you and is satisfied by something you know, have, or are (a password, a token, a fingerprint). Authorization answers what are you allowed to do once your identity is proven (which VLAN, which files, read versus write), typically through roles or access control lists. Accounting answers what did you actually do by logging activity for audit, forensics, and billing. A user who logs in successfully but is denied a share has passed authentication and failed authorization, and the fix is a permission change, not a password reset. RADIUS and TACACS+ are the protocols that centralize AAA for network devices.

Attack surface versus attack vector

The attack surface is "the set of points on the boundary of a system ... where an attacker can try to enter, cause an effect on, or extract data" (NIST SP 800-53 Rev. 5, attack surface[7]), the aggregate of every reachable port, service, account, and interface. An attack vector (threat vector) is one specific route an intrusion takes, such as a phishing email, an exposed RDP port, or a malicious USB drive. Hardening reduces the attack surface (close ports, disable unused services, segment the network) precisely so that fewer vectors exist.

Zero-day: no patch exists yet

A zero-day is an attack that exploits a previously unknown vulnerability, one the vendor and public do not yet know about. Because no patch or signature exists, an answer of "apply the vendor patch" is wrong by definition; the correct mitigations are compensating and behavioral controls, segmentation, least privilege, anomaly detection, and virtual patching at an IPS, until a fix ships.

Authenticationwho are you?password, token, biometricAuthorizationwhat may you do?roles, ACLsAccountingwhat did you do?audit logsAAA pipelinecentralized by RADIUS / TACACS+
AAA runs as three distinct stages; login success only clears the first, authentication.

Exam-pattern recognition

Network+ tests this vocabulary in a few predictable shapes. Knowing the shape tells you what the right answer looks like.

Label-the-term items

The stem describes a scenario and asks you to classify a piece of it. Map by role: a weakness or missing control (open port, default password, unpatched service) is the vulnerability; an actor or event (hacker, insider, malware family, natural disaster) is the threat; a tool, code, or crafted input is the exploit; a business measure of likelihood and consequence is the risk. The classic distractor offers the payload as the vulnerability, choose the underlying weakness instead.

Map-to-CIA items

The stem names an incident and asks which security goal it violates. Eavesdropping or data leakage is Confidentiality; tampering, alteration, or a failed checksum is Integrity; an outage, DoS, or hardware failure is Availability. A control-side variant asks which goal a control serves: encryption protects confidentiality, hashing and signatures protect integrity, redundancy and backups protect availability.

Authentication-versus-authorization items

The stem says a user logged in but cannot reach something. The user passed authentication and failed authorization; the remediation is a permission, group, or ACL change, never a credential reset. The reverse, cannot log in at all, is an authentication problem.

Zero-day and risk-response items

If a stem describes an attack against an unknown, unpatched flaw, do not pick "apply the patch", pick compensating controls (segmentation, least privilege, IPS, anomaly detection). If a stem asks how to handle a small or unavoidable residual risk, "accept the risk" or "transfer it via insurance" are valid, mature answers; an option promising to eliminate risk entirely is the wrong one.

What is the stem asking?read the verbClassify a pieceweakness=vulnpayload=exploitWhich CIA goal?leak=C, alter=Ioutage=ALogin but no accessauthz problemfix permissionUnknown flawno patch existscompensating ctrlRisk question? You cannot reach zero risk;accept or transfer residual risk is valid
Read the stem's verb first; it routes you to the term-class, CIA, AAA, or zero-day/risk answer pattern.

The four core terms, distinguished

AspectVulnerabilityThreatExploitRisk
What it isA weakness in a system or controlA potential actor or event that could cause harmThe technique or code that abuses a weaknessLikelihood a threat hits a vulnerability x impact
ExampleUnpatched VPN gateway, open portRansomware gang, insider, floodMetasploit module, crafted SQL string20% chance of a breach costing 1M
You control it byPatching, hardening, segmentationRarely controllable directlyBlocking with IPS signatures and patchesReducing likelihood or impact
NatureA state of the systemExternal or internal forceAn action taken against the systemA calculated business measure

Decision tree

What does the stem name?a thing, an incident, or access?A thing to classifyweakness, actor, or tool?An incident occurredwhich goal did it break?Access behaviorlogin vs reach?a thingan incidentaccessWeakness = Vulnerabilityactor=Threat, tool=Exploitnot the payloadMap to CIAleak=C, alter=I, outage=ALogin ok, no reachauthz problemfix permissionUnknown flaw or residual risk?zero-day = compensating controls; never erase risk, accept or transfer

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

A vulnerability is the weakness, not the attacker or the payload

A vulnerability is a weakness in a system, security procedure, internal control, or implementation that a threat could exploit or trigger, an unpatched service, a default password, an open port. It is a state of the system, never the actor and never the code thrown at it. Pin this down first because most labeling questions on this topic hinge on separating the weakness from the thing that abuses it.

Trap Calling the crafted input or malware the vulnerability; that payload is the exploit or attack, while the vulnerability is the underlying flaw it abuses.

A threat is the actor or event with potential to cause harm

A threat is any circumstance, event, or actor with the potential to adversely impact operations, assets, or individuals: a ransomware gang, a malicious insider, a flood, a power failure. It describes the source of possible harm, not the weakness and not the technique. You usually cannot control a threat directly, which is why network controls target the vulnerability side instead.

1 question tests this
An exploit is the technique or code that abuses a vulnerability

An exploit is the actual method, tool, or code a threat uses to take advantage of a vulnerability, a Metasploit module, a crafted SQL string, an oversized buffer-overflow input. It is the action against the system, distinct from both the weakness it targets and the actor running it. If a stem hands you a packet, a script, or a malicious message, that is the exploit, not the vulnerability.

Trap Treating the exploit as the vulnerability; the exploit is the action taken, the vulnerability is the hole it goes through.

4 questions test this
Risk is the likelihood a threat hits a vulnerability times the impact

Risk is a measure of how threatened an asset is, typically a function of the likelihood an event occurs and the adverse impact if it does, so think risk = likelihood x impact. A related shorthand is risk = threat x vulnerability: drive either factor toward zero and realized risk follows. Because it is a product, a single problem often has more than one valid mitigation depending on which factor you attack.

2 questions test this
A threat exploits a vulnerability to realize risk

The four core terms form one causal chain: a threat uses an exploit to abuse a vulnerability, and the outcome is realized risk. Reading a scenario as this chain, rather than four isolated words, tells you exactly which label fits each clause. The same incident can ask you to name the open port, the attacker, the tool, or the business measure.

1 question tests this
Reduce risk by lowering likelihood or impact, not just one

Since risk is likelihood times impact, you can cut it on either axis. Patching, hardening, and segmentation lower the likelihood a threat reaches a vulnerability; redundancy, backups, disaster recovery, and cyber-insurance lower the impact when it does. An exam item offering one defense of each type is testing that you see risk as a two-factor product rather than a single lever.

Trap Assuming only patching reduces risk; adding redundancy or transferring the loss via insurance lowers impact and is equally valid risk reduction.

1 question tests this
The four risk responses are avoid, mitigate, transfer, accept

Once you understand a risk, you choose how to handle it: avoid (stop the risky activity), mitigate or reduce (apply controls, the usual network answer), transfer (shift the financial loss to a third party like an insurer), or accept (formally acknowledge a low or unavoidable risk and proceed). Whatever remains after controls is residual risk. Accepting residual risk is a deliberate, documented decision, not negligence.

Trap Picking an option that promises to eliminate risk entirely; residual risk always remains, so accept or transfer is often the mature, correct answer.

Confidentiality keeps data secret with encryption and access control

Confidentiality preserves authorized restrictions on access and disclosure, the C in the CIA triad. You enforce it with encryption (in transit and at rest) and access control. A packet sniffer reading a cleartext Telnet password is a confidentiality failure, and the fix is to encrypt the channel by using SSH instead of Telnet.

Trap Mapping eavesdropping to integrity; reading data without changing it breaks confidentiality, while integrity is about unauthorized modification.

Integrity guards against improper change with hashing and signatures

Integrity guards data against improper modification or destruction and includes non-repudiation and authenticity, the I in the CIA triad. You enforce it with cryptographic hashes (a checksum that changes if any bit changes) and digital signatures. An on-path attacker silently altering a file in transit is an integrity failure, caught because the recomputed hash no longer matches.

Trap Choosing encryption to ensure integrity; encryption protects confidentiality, while a hash or signature is what detects tampering.

Availability keeps systems reachable with redundancy and DR

Availability ensures timely and reliable access to information and systems, the A in the CIA triad. You enforce it with redundancy, failover, load balancing, backups, and disaster recovery. A DDoS flood that knocks a web server offline is an availability failure, and the answer is capacity, filtering, and redundancy rather than encryption.

Trap Reaching for encryption to fix a DoS outage; encryption protects confidentiality and does nothing for availability, which needs redundancy and filtering.

Map a security incident to the CIA goal it violates

The exam often names an incident and asks which security goal it broke. Eavesdropping or data leakage is a Confidentiality failure, tampering or a failed checksum is an Integrity failure, and an outage, DoS, or hardware failure is an Availability failure. Reverse it for controls: encryption serves confidentiality, hashing and signatures serve integrity, redundancy and backups serve availability.

1 question tests this
CompTIA folds authenticity and non-repudiation into integrity

Some references extend the CIA triad with Authenticity (data genuinely comes from who it claims) and Non-repudiation (the sender cannot deny sending it), but in CompTIA's model these live inside Integrity. Do not reach for a fourth security goal on a CIA mapping question unless the stem explicitly introduces one.

AAA is three stages: authentication, authorization, accounting

AAA stands for Authentication, Authorization, and Accounting, three distinct stages. Authentication proves who you are (password, token, certificate, biometric), authorization decides what that proven identity may do (which VLAN, which files, read versus write), and accounting logs what was actually done for audit, forensics, and billing. RADIUS and TACACS+ are the protocols that centralize AAA for network devices.

Login success but no access is an authorization failure

When a user authenticates fine but cannot reach a resource, they passed authentication and failed authorization. The remediation is a permission, group, or ACL change, not a credential reset. The reverse, being unable to log in at all, is the authentication problem; keep the two stages separate.

Trap Resetting the user's password when they can log in but cannot reach a share; the credentials already worked, so the fix is an authorization change.

Attack surface is the whole boundary; a vector is one route in

The attack surface is the set of all points on a system's boundary where an attacker could try to enter, affect, or extract data, every open port, exposed service, account, and interface. An attack vector (threat vector) is a single route an intrusion actually takes, such as a phishing email or an exposed RDP port. Hardening shrinks the attack surface so fewer vectors exist.

Trap Using attack surface and attack vector interchangeably; the surface is the aggregate of all entry points, while a vector is one specific path through it.

A zero-day exploits an unknown flaw, so no patch exists yet

A zero-day is an attack against a previously unknown vulnerability the vendor and public do not yet know about. Because no patch or signature exists, applying the vendor patch is impossible by definition. The correct mitigations are compensating and behavioral controls: segmentation, least privilege, anomaly detection, and virtual patching at an IPS, until a real fix ships.

Trap Selecting apply the vendor patch for a zero-day; no patch exists for an unknown flaw, so the answer is compensating controls until one is released.

1 question tests this
Hardening reduces risk by shrinking the attack surface

Device and network hardening lowers risk by removing reachable weaknesses: close unused ports, disable unnecessary services, change default credentials, and segment the network. Each removed exposure is one fewer vulnerability for a threat to exploit, which is the likelihood side of risk = likelihood x impact. The goal is fewer entry points, not a single perfect control.

1 question tests this

Also tested in

References

  1. NIST Computer Security Resource Center Glossary: threat Whitepaper
  2. NIST Computer Security Resource Center Glossary: vulnerability Whitepaper
  3. NIST Computer Security Resource Center Glossary: risk Whitepaper
  4. NIST Computer Security Resource Center Glossary: confidentiality Whitepaper
  5. NIST Computer Security Resource Center Glossary: integrity Whitepaper
  6. NIST Computer Security Resource Center Glossary: availability Whitepaper
  7. NIST Computer Security Resource Center Glossary: attack surface (NIST SP 800-53 Rev. 5) Whitepaper