Quick answer: Domain 2 (Threats, Vulnerabilities, and Mitigations) makes up 22% of the Security+ exam—the largest single domain. Master malware types, social engineering tactics, network attacks, vulnerability scanning, and indicators of compromise (IoCs). Expect scenario-based questions testing your ability to identify and respond to threats. Use the 12 practice questions below to solidify your knowledge.
Why Domain 2 Dominates the Security+ Exam
Domain 2 carries the heaviest weight because it covers the real-world threats you’ll face daily as a security professional. CompTIA wants you to recognize attacks before they succeed, not just after logs are reviewed. This domain tests your ability to classify malware, spot social engineering red flags, understand network-level exploits, and interpret vulnerability scan results.
You’ll see about 18–22 questions from this domain on a typical 90-question exam. Many are scenario-based: you’re given a description of an incident and asked to identify the attack type, the most likely indicator of compromise (IoC), or the best mitigation. Deep familiarity with attack patterns is non-negotiable.
Malware Types You Must Know
Malware questions often present a symptom and ask you to name the variant. Know these core types cold:
| Malware Type | Primary Behavior | Common IoCs |
|---|---|---|
| Virus | Attaches to legitimate files; spreads when executed | Corrupted executables, file size changes |
| Worm | Self-replicates without user interaction | High network traffic, unusual outbound connections |
| Trojan | Disguised as legitimate software; backdoor access | Unauthorized remote connections, unexpected processes |
| Ransomware | Encrypts files; demands payment | File extensions changed, ransom notes, file access denied |
| Spyware | Covertly collects user data | System slowdowns, unusual network traffic to unknown IPs |
| Rootkit | Hides deep in OS; persists after reboot | Unexplained system behavior, anti-malware tools fail to detect |
Exam Tip: The exam loves comparing worms and viruses. Remember: worms don’t need a host file—they exploit network services or vulnerabilities to spread autonomously. Viruses require user action (opening a file, running a program).
Social Engineering Attacks: Human Exploitation
Social engineering accounts for a significant portion of Domain 2 questions because humans remain the weakest link. Know these attack vectors:
- Phishing: Deceptive emails impersonating trusted entities. Variants include spear phishing (targeted), whaling (targeting executives), and vishing (voice calls).
- Pretexting: Attacker fabricates a scenario to extract information. Example: pretending to be IT support to reset a password.
- Baiting: Offering something enticing (e.g., a free USB drive loaded with malware).
- Tailgating: Following an authorized person into a restricted area without credentials.
- Quid pro quo: Offering a service in exchange for information (e.g., “I’ll fix your computer if you give me your login”).
IoC for social engineering: Watch for unusual urgency, requests for credentials, unexpected attachments, or phone calls from unknown numbers claiming to be support.
Network Attacks: Exploiting Protocols and Infrastructure
Network attacks test your understanding of how attackers abuse TCP/IP, wireless protocols, and network services. Focus on these high-yield topics:
Denial of Service (DoS) and Distributed DoS (DDoS)
Attackers flood a target with traffic to exhaust resources. Variants include SYN floods (incomplete TCP handshakes), UDP floods, and amplification attacks (e.g., DNS amplification using open resolvers). IoCs: Sudden traffic spikes, service unavailability, high CPU/memory usage.
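The SYN-flood IoC above (many SYNs, few completed handshakes) can be checked mechanically. The Python below is an added example for this guide, not code from the original article or from any tool it names; the log format is constructed (one line per segment, client address always first, with flags S, SA and A marking who sent it), and the addresses come from the documentation ranges.

```python
"""Spot SYN-flood symptoms in a constructed TCP handshake log.

Added example for this study guide; it is not code from the original
article. The log format is constructed: one line per segment,
    <time> <client_ip> <server_ip>:<port> <flags>
with the client always listed first and the flags saying which side
sent the segment: 'S' = client SYN, 'SA' = server SYN-ACK,
'A' = the client's final ACK that completes the three-way handshake.
"""
from collections import defaultdict


def constructed_log(flood_sources=50):
    """Build a sample log: three clients finish the handshake, then
    `flood_sources` addresses each send one SYN and never ACK."""
    lines = []
    for i, ip in enumerate(("203.0.113.5", "203.0.113.6", "203.0.113.7")):
        for flags in ("S", "SA", "A"):
            lines.append(f"10:00:00.{i:03d} {ip} 192.0.2.10:443 {flags}")
    for n in range(1, flood_sources + 1):
        for flags in ("S", "SA"):
            lines.append(f"10:00:01.{n:03d} 198.51.100.{n} 192.0.2.10:443 {flags}")
    return "\n".join(lines)


def handshake_stats(log_text):
    """Per server socket: SYNs seen, handshakes completed, and the set
    of clients whose handshake is still half-open."""
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "half_open": set()})
    for line in log_text.strip().splitlines():
        _time, client, server, flags = line.split()
        entry = stats[server]
        if flags == "S":
            entry["syn"] += 1
            entry["half_open"].add(client)
        elif flags == "A":
            entry["completed"] += 1
            entry["half_open"].discard(client)
    return stats


def syn_flood_indicators(log_text, min_syns=20, max_completion_ratio=0.5):
    """Flag server sockets with a high SYN count and a low completion
    ratio: lots of half-open connections is the classic SYN-flood IoC."""
    alerts = []
    for server, entry in handshake_stats(log_text).items():
        ratio = entry["completed"] / entry["syn"] if entry["syn"] else 1.0
        if entry["syn"] >= min_syns and ratio <= max_completion_ratio:
            alerts.append({
                "server": server,
                "syns": entry["syn"],
                "completed": entry["completed"],
                "half_open_sources": len(entry["half_open"]),
                "completion_ratio": round(ratio, 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in syn_flood_indicators(constructed_log()):
        print(alert)
```

On the constructed log the server socket shows 53 SYNs, 3 completed handshakes and 50 distinct half-open sources, which is the pattern Question 3 below describes. The thresholds are illustrative; a real baseline sets them from the server's normal completion ratio, and mitigations such as SYN cookies or rate limiting at the edge address the symptom this detector flags.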
Man-in-the-Middle (MitM)
Attacker intercepts or alters communication between two parties. Common methods: ARP spoofing (poisoning ARP caches to redirect traffic), session hijacking (stealing session cookies), and SSL stripping (downgrading HTTPS to HTTP). IoCs: Unexpected certificate warnings, unusual ARP table entries.
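"Unusual ARP table entries" is the MitM IoC most often tested, so here is how a defender would check for it. The Python below is an added example, not the article's own code: it compares a known-good ARP snapshot with a later one and reports the two telltale signs of ARP-cache poisoning (the gateway's MAC changing, and one MAC answering for several IPs). The snapshots are constructed text, not real arp output, and the MACs use the 00:00:5e:00:53:xx documentation range.

```python
"""Detect ARP-cache poisoning indicators in constructed ARP snapshots.

Added example for this study guide, not from the original article.
Snapshot lines are constructed 'ip mac' pairs rather than the output
of a real 'arp -a'; MACs use the 00:00:5e:00:53:xx documentation range.
"""
from collections import defaultdict

GATEWAY_IP = "192.0.2.1"

# Constructed baseline captured when the network was known-good.
BASELINE_ARP = """
192.0.2.1  00:00:5e:00:53:01
192.0.2.20 00:00:5e:00:53:20
192.0.2.21 00:00:5e:00:53:21
"""

# Constructed later snapshot: the gateway IP now maps to the MAC of
# host .21, which also still claims its own address.
SUSPECT_ARP = """
192.0.2.1  00:00:5e:00:53:21
192.0.2.20 00:00:5e:00:53:20
192.0.2.21 00:00:5e:00:53:21
"""


def parse_arp_table(text):
    """Parse 'ip mac' lines into a dict of ip -> lower-case mac."""
    table = {}
    for line in text.strip().splitlines():
        ip, mac = line.split()
        table[ip] = mac.lower()
    return table


def arp_anomalies(baseline_text, current_text, gateway_ip=GATEWAY_IP):
    """Return (kind, details...) tuples for the two classic ARP IoCs:
    the gateway's MAC changing, and one MAC answering for several IPs."""
    baseline = parse_arp_table(baseline_text)
    current = parse_arp_table(current_text)
    findings = []

    # 1. Gateway MAC changed between snapshots: traffic meant for the
    #    router is now being delivered to some other interface.
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old and new and old != new:
        findings.append(("gateway_mac_changed", gateway_ip, old, new))

    # 2. One MAC bound to several IPs: a host answering ARP for
    #    addresses that are not its own.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("duplicate_mac", mac, tuple(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in arp_anomalies(BASELINE_ARP, SUSPECT_ARP):
        print(finding)
```

One MAC with several IPs is not always malicious (a router or a host with secondary addresses looks the same), so the duplicate-MAC finding is a lead to verify, while the gateway MAC changing without a documented hardware swap is the stronger indicator. Dynamic ARP inspection on switches and static entries for the gateway are the usual mitigations.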
Wireless Attacks
- Evil Twin: Rogue access point mimicking a legitimate SSID. Users connect, and attacker captures credentials.
- Deauthentication Attack: Sends deauth frames to disconnect clients, forcing them to reconnect to a rogue AP.
- WPA2 Cracking: Captures the 4-way handshake, then brute-forces the pre-shared key offline.
Exam Tip: Know the difference between a replay attack (capturing and retransmitting valid data) and a pass-the-hash attack (using captured password hashes to authenticate without knowing the plaintext).
Vulnerability Scanning: Tools and Interpretation
You don’t need to be a scanning expert, but you must understand the purpose, limitations, and outputs of vulnerability scanners.
Key Concepts
- Active vs. Passive Scanning: Active scanners (e.g., Nessus, OpenVAS) send probes to targets and may crash fragile systems. Passive scanning monitors traffic without interacting with targets.
- False Positives vs. False Negatives: Scanners generate false positives (flagging benign issues) and false negatives (missing real vulnerabilities). You must verify findings manually.
- Credentialed vs. Non-Credentialed Scans: Credentialed scans log in to systems for deeper inspection (e.g., checking patch levels). Non-credentialed scans only see open ports and services.
Common Vulnerabilities Found
- Unpatched software (e.g., outdated Apache, Windows Server)
- Weak or default credentials
- Open ports running unnecessary services (e.g., Telnet, FTP)
- Missing security headers (e.g., Strict-Transport-Security)
- SSL/TLS misconfigurations (e.g., weak ciphers, expired certificates)
IoC from scans: A scan report showing CVE-2023-XXXX with high severity means you need to prioritize patching. Cross-reference with exploit databases (e.g., Metasploit modules) to assess real-world risk.
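Interpreting a scan report means suppressing verified false positives and ordering the rest by severity and real-world exploitability, as the sections above describe. The Python below is an added example, not the article's code or any scanner's output format: the findings, the false-positive verification notes and the "exploit database" are all constructed inline, and the CVE id reuses the article's CVE-2023-XXXX placeholder rather than a real advisory.

```python
"""Triage constructed vulnerability-scan findings.

Added example for this study guide, not from the original article or
from any scanner vendor. The findings, the false-positive list and the
'exploit database' are constructed inline; the CVE id reuses the
article's CVE-2023-XXXX placeholder and is not a real advisory.
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed scan report: one dict per finding.
FINDINGS = [
    {"id": "F1", "host": "192.0.2.10", "title": "Telnet service open (port 23)",
     "severity": "medium", "cve": None},
    {"id": "F2", "host": "192.0.2.10", "title": "Outdated Apache httpd",
     "severity": "high", "cve": "CVE-2023-XXXX"},
    {"id": "F3", "host": "192.0.2.11", "title": "Missing Strict-Transport-Security header",
     "severity": "low", "cve": None},
    {"id": "F4", "host": "192.0.2.11", "title": "TLS server accepts weak ciphers",
     "severity": "medium", "cve": None},
    {"id": "F5", "host": "192.0.2.12", "title": "Outdated OpenSSL (version banner)",
     "severity": "critical", "cve": None},
    {"id": "F6", "host": "192.0.2.12", "title": "Default credentials accepted",
     "severity": "critical", "cve": None},
]

# Manual verification results (constructed scenario): the non-credentialed
# scan judged F5 by its version banner, but a credentialed scan showed the
# patch had been backported, so F5 is a false positive.
FALSE_POSITIVES = {"F5": "credentialed scan confirmed backported patch; banner only"}

# Stand-in for cross-referencing an exploit database: CVE ids with a
# public exploit module. Constructed, not real data.
EXPLOIT_DB = {"CVE-2023-XXXX"}


def priority_score(finding, exploit_db):
    """Severity drives the score; a known public exploit adds a bonus so
    weaponized issues are patched ahead of equally rated ones."""
    score = SEVERITY_RANK.get(finding["severity"].lower(), 0) * 10
    if finding["cve"] in exploit_db:
        score += 5
    return score


def triage(findings, false_positives, exploit_db):
    """Drop verified false positives, score the rest, sort by priority."""
    kept, suppressed = [], []
    for f in findings:
        if f["id"] in false_positives:
            suppressed.append({**f, "reason": false_positives[f["id"]]})
            continue
        kept.append({**f, "score": priority_score(f, exploit_db)})
    kept.sort(key=lambda f: (-f["score"], f["id"]))
    return {"prioritized": kept, "suppressed": suppressed}


def prioritized_ids(findings=FINDINGS, false_positives=FALSE_POSITIVES,
                    exploit_db=EXPLOIT_DB):
    """Convenience view: finding ids in the order they should be worked."""
    return [f["id"] for f in triage(findings, false_positives, exploit_db)["prioritized"]]


if __name__ == "__main__":
    result = triage(FINDINGS, FALSE_POSITIVES, EXPLOIT_DB)
    for f in result["prioritized"]:
        print(f["score"], f["id"], f["host"], f["title"])
    for f in result["suppressed"]:
        print("suppressed", f["id"], f["reason"])
```

On the constructed data the default-credentials finding comes first, the high-severity Apache issue with a public exploit second, and the critical-looking OpenSSL banner finding is suppressed because the credentialed scan disproved it. That last step is the point of the "verify findings manually" advice above: severity from a non-credentialed scan is a claim, not a confirmed vulnerability.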
Indicators of Compromise (IoCs): What to Look For
IoCs are forensic evidence that an attack has occurred. The exam tests your ability to match IoCs to attack types.
Common IoCs
- Network: Unusual outbound connections, DNS queries to known malicious domains, high bandwidth usage at odd hours
- Host: New user accounts, unexpected scheduled tasks, registry modifications, unknown processes in Task Manager
- File: Altered file hashes, renamed executables, files in unusual locations (e.g., C:\Windows\Temp\)
- Behavioral: Accounts locked out repeatedly, failed login attempts from foreign IPs, antivirus alerts
Exam Tip: Scenario questions often list multiple IoCs. The correct answer is the one that directly indicates the attack type. For example, a sudden spike in DNS queries to evil.com is a network IoC for a C2 beacon.
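The C2-beacon IoC in the tip above is worth seeing as detection logic: a beacon shows up as repeated queries for the same name at nearly fixed intervals, and a blocklist hit is an IoC on its own. The Python below is an added example, not the article's code; the DNS log lines (epoch seconds, client, queried name) and the blocklist are constructed, with evil.com reused from the tip and c2.invalid chosen from the reserved .invalid TLD.

```python
"""Flag DNS-based IoCs in a constructed query log: blocklisted names
and periodic (beacon-like) lookups from one client.

Added example for this study guide, not from the original article.
Log lines are constructed as '<epoch_seconds> <client_ip> <qname>';
the blocklist and domain names are constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

BLOCKLIST = {"evil.com", "known-bad.example"}


def _beacon(client, domain, start, gaps):
    """Emit queries for `domain` starting at `start`, spaced by `gaps`."""
    t, lines = start, []
    lines.append(f"{t} {client} {domain}")
    for g in gaps:
        t += g
        lines.append(f"{t} {client} {domain}")
    return lines


# Constructed log: a jittered 60 s beacon to a blocklisted name, an
# exact 300 s beacon to an unlisted name, irregular lookups of a normal
# site, and a single lookup of another blocklisted name.
SAMPLE_DNS_LOG = "\n".join(
    _beacon("10.0.0.5", "evil.com", 1000, [61, 58, 61, 60, 61, 58, 61, 60, 61, 58, 61])
    + _beacon("10.0.0.7", "c2.invalid", 2000, [300] * 7)
    + [f"{t} 10.0.0.5 example.com" for t in (1005, 1007, 1300, 1304, 1900, 1901)]
    + ["1500 10.0.0.9 known-bad.example"]
)


def parse_dns_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, client, qname = line.split()
        rows.append((int(ts), client, qname.lower().rstrip(".")))
    return rows


def detect_dns_iocs(text, blocklist, min_queries=6, max_cv=0.1):
    """Return one alert per (client, domain) pair that is blocklisted
    and/or queried at regular intervals. Regularity is measured as the
    coefficient of variation of the gaps between queries: a low value
    means near-constant spacing, which is how a beacon behaves."""
    by_pair = defaultdict(list)
    for ts, client, qname in parse_dns_log(text):
        by_pair[(client, qname)].append(ts)

    alerts = []
    for (client, qname), times in by_pair.items():
        reasons = []
        if qname in blocklist:
            reasons.append("blocklisted")
        times.sort()
        if len(times) >= min_queries:
            gaps = [b - a for a, b in zip(times, times[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_cv:
                reasons.append("periodic")
        if reasons:
            alerts.append({"client": client, "domain": qname,
                           "queries": len(times), "reasons": tuple(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_iocs(SAMPLE_DNS_LOG, BLOCKLIST):
        print(alert)
```

The periodicity check catches a beacon to a domain nobody has blocklisted yet, which is the case that matters most, but legitimate software (update checkers, monitoring agents) also polls on a fixed schedule, so "periodic" alone is a lead to investigate and "blocklisted" is the firm indicator.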
12 Security+ Practice Questions (Domain 2)
Test your knowledge with these exam-style questions. Answers and explanations follow.
Question 1: A user reports their computer is slow and they see a pop-up demanding $500 in Bitcoin to unlock files. Files now have a .locked extension. What type of malware is this?
A) Worm
B) Trojan
C) Ransomware
D) Rootkit
Question 2: An attacker calls an employee, claims to be from the IT help desk, and asks the employee to verify their password for a “critical security update.” What social engineering technique is this?
A) Phishing
B) Pretexting
C) Baiting
D) Quid pro quo
Question 3: A security analyst notices a high volume of SYN packets sent to a web server with no corresponding ACK responses. The server is unresponsive. What attack is occurring?
A) DNS amplification
B) SYN flood
C) ARP spoofing
D) Session hijacking
Question 4: Which vulnerability scanning approach provides the most detailed assessment of a system’s patch level?
A) Non-credentialed scan
B) Passive scan
C) Credentialed scan
D) Port scan
Question 5: A network admin sees an unfamiliar SSID broadcasting near the office with the same name as the corporate Wi-Fi. Employees are connecting to it. What attack is this?
A) Evil twin
B) Deauthentication attack
C) WPA2 cracking
D) Replay attack
Question 6: Which IoC is most likely associated with a rootkit infection?
A) High CPU usage from a known process
B) Antivirus software fails to run or update
C) Multiple failed login attempts from a foreign IP
D) Unusual outbound connections to port 80
Question 7: A security team finds a file named invoice.pdf.exe in a user’s Downloads folder. What type of malware is most likely?
A) Virus
B) Worm
C) Trojan
D) Ransomware
Question 8: An attacker sends an email to the CEO with a fake login page for the company’s bank. What type of phishing is this?
A) Spear phishing
B) Whaling
C) Vishing
D) Smishing
Question 9: A vulnerability scan reports that port 23 (Telnet) is open on a server. What is the primary risk?
A) Weak encryption
B) Unencrypted traffic
C) Default credentials
D) Unpatched software
Question 10: Which network attack involves intercepting and modifying data between two parties without their knowledge?
A) DoS
B) MitM
C) ARP poisoning
D) DNS spoofing
Question 11: A user receives a USB drive labeled “Employee Bonus Info” in the parking lot. They plug it in, and malware installs. What social engineering attack is this?
A) Pretexting
B) Baiting
C) Tailgating
D) Quid pro quo
Question 12: An analyst sees a process named svch0st.exe running on a server. What does this likely indicate?
A) Normal Windows process
B) Malware masquerading as a legitimate process
C) A legitimate update
D) A driver issue
Answer Key and Explanations
- C) Ransomware – File encryption + ransom demand = classic ransomware.
- B) Pretexting – The attacker created a false scenario (IT support) to extract credentials.
- B) SYN flood – A flood of SYN packets without ACKs ties up server resources.
- C) Credentialed scan – Logging in allows the scanner to check installed patches and local configurations.
- A) Evil twin – A rogue AP with the same SSID tricks users into connecting.
- B) Antivirus fails to run – Rootkits often disable security software to avoid detection.
- C) Trojan – The file masquerades as a PDF but is an executable.
- B) Whaling – Targeting a high-profile individual (CEO) with a tailored attack.
- B) Unencrypted traffic – Telnet sends all data, including passwords, in plaintext.
- B) MitM – Man-in-the-middle attacks intercept and modify communications.
- B) Baiting – The attacker offers something enticing (USB drive) to trigger malware installation.
- B) Malware masquerading – Legitimate svchost.exe has no number in it; svch0st.exe uses a zero to impersonate it.
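Questions 7 and 12 both turn on process or file names that imitate legitimate ones, and the host IoC list above adds "unknown processes" and "files in unusual locations". The Python below is an added example, not the article's code: it checks a constructed process list against a small table of well-known Windows process names and their expected directories, flagging lookalike names (digit-for-letter swaps such as svch0st.exe, or names one edit away from a legitimate one) and legitimate names running from the wrong path. The table of legitimate processes is a deliberately short assumption, not a complete reference.

```python
"""Flag masquerading process names and unexpected paths.

Added example for this study guide, not from the original article.
LEGIT_PROCESSES is a short, assumed table of well-known Windows process
names and the directory they normally run from; the process list is
constructed sample data.
"""

LEGIT_PROCESSES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Digit-for-letter substitutions attackers use to imitate a real name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(name):
    """Undo common look-alike tricks so svch0st.exe compares as svchost.exe."""
    return name.lower().translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def process_iocs(process_list):
    """Return (name, kind, detail) for each suspicious (name, path) pair."""
    findings = []
    for name, path in process_list:
        lname, lpath = name.lower(), path.lower().rstrip("\\")
        if lname in LEGIT_PROCESSES:
            # Right name, wrong directory: a copy dropped somewhere writable.
            if lpath != LEGIT_PROCESSES[lname]:
                findings.append((name, "unexpected_path", path))
            continue
        for legit in LEGIT_PROCESSES:
            if normalize(lname) == legit or edit_distance(lname, legit) == 1:
                findings.append((name, "lookalike_name", legit))
                break
    return findings


# Constructed process listing: (image name, directory it runs from).
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32"),
    ("svch0st.exe", r"C:\Windows\System32"),
    ("svchost.exe", r"C:\Windows\Temp"),
    ("explorer.exe", r"C:\Windows"),
    ("notepad.exe", r"C:\Windows\System32"),
    ("lsass.exe", r"C:\Windows\System32"),
    ("1sass.exe", r"C:\Users\Public"),
]


if __name__ == "__main__":
    for finding in process_iocs(SAMPLE_PROCESSES):
        print(finding)
```

A name check like this is cheap and catches the exam's svch0st.exe case, but it is only a first filter: an unsigned binary using the exact legitimate name from the correct directory would pass it, which is why real endpoint tooling also verifies code signatures and file hashes (the "altered file hashes" IoC above).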
How to Study Domain 2 Effectively
Domain 2 rewards hands-on knowledge. Here’s a practical study plan:
- Lab malware analysis safely: Use virtual machines with tools like Process Monitor and Wireshark to observe malware behavior (use safe samples from sources like theZoo).
- Practice social engineering scenarios: Write out attack scripts for each technique. This helps you recognize patterns in exam questions.
- Run vulnerability scans: Install OpenVAS or Nessus on a lab network. Interpret scan reports and prioritize findings.
- Memorize IoC categories: Create flashcards for network, host, file, and behavioral IoCs. Link each to specific attack types.
Common pitfalls: Don’t confuse a worm’s self-replication with a virus’s need for a host file. Don’t mix up phishing (email) with vishing (voice) or smishing (SMS). Always read scenario questions twice—the exact wording reveals the attack type.
Final Takeaway and Next Steps
Domain 2 is the backbone of the Security+ exam. Master malware classification, social engineering tactics, network attack vectors, vulnerability scanning, and IoCs, and you’ll handle the 22% weight with confidence. The 12 practice questions above mirror the exam’s style—use them to gauge your readiness.
For more free practice questions covering every Security+ domain, visit Courseiva.com. Our platform offers realistic, scenario-based questions with detailed explanations to sharpen your skills before exam day. Start your free practice set now and move one step closer to certification.