Chapter 21 Β· Quiz

Common Threat Vectors Quiz

Select your answer, then click Reveal Answer to check immediately β€” or grade all at once at the bottom.

Question 1: An attacker sends a text message claiming to be the US Postal Service with a link to track a package. What threat vector is this?

Correct answer: B. This is a message-based vector β€” specifically SMS phishing (smishing). The attacker uses a text message as the delivery channel and social engineering (impersonating USPS with a plausible package delivery scenario) to lure a click. No PDF attachment is involved (A). The attack is conducted via text message, not a phone call (C). No SVG image is described (D). Message-based vectors include email, SMS, and IM/DM β€” they deliver malicious links, malware, or pure social engineering to manipulate victim behavior.

Question 2: A security team discovers that 500 employees' browsers are running a malicious extension that was submitted to the browser's extension store. What threat vector does this represent?

Correct answer: C. Browser extensions are explicitly a file-based vector. File-based vectors include not just executables but also browser add-ins and extensions that contain malicious code. A malicious extension can read all page content, capture passwords typed into web forms, and exfiltrate data β€” all from within the trusted browser context. No USB is involved (A). The systems are not described as unsupported/end-of-life (B). Answer D might seem plausible β€” the extension was in the official store β€” but the vector category for a malicious installed extension is file-based, not supply chain. Supply chain attacks specifically target trusted manufacturing or service pipelines to compromise the ultimate target indirectly.

Question 3: An organization's network was breached through a third-party HVAC vendor's system. What attack concept does this illustrate?

Correct answer: C. This is the 2013 Target breach pattern β€” a textbook supply chain vector. The attacker did not attack Target directly; they compromised a trusted third-party vendor (HVAC contractor Fazio Mechanical) that had legitimate network access to Target's systems, then used that trusted access as a pathway into Target's POS network. Supply chain attacks exploit trusted third-party relationships to bypass the target's direct defenses. The HVAC vendor was the weak link in Target's supply chain. No USB device, no default credentials on the HVAC controller, and no wireless network are described as the attack mechanism.

Question 4: Which defense specifically prevents unauthorized devices from accessing a wired or wireless network by requiring authentication before granting network access?

Correct answer: C. 802.1X is the IEEE standard for port-based Network Access Control (NAC). It specifically requires any device connecting to a wired or wireless network to authenticate through an authentication server (RADIUS) before the switch port grants any network access. Without 802.1X, any device physically connected to an Ethernet port gets automatic network access. WPA3 (A) is a wireless encryption protocol β€” it protects wireless traffic but does not by itself enforce device authentication in the 802.1X sense. Default credential rotation (B) addresses a different vector. Disabling service ports (D) addresses the open service port vector, not unauthorized device access to the network itself.

Question 5: A hospital is still running Windows XP on several legacy medical devices because the vendor no longer supports them and replacement is not currently budgeted. What threat vector does this create?

Correct answer: C. Windows XP reached end-of-life in April 2014. Systems running XP are unsupported systems β€” Microsoft no longer releases security patches for newly discovered vulnerabilities. New CVEs affecting XP will never be patched, creating a permanent and growing vulnerability window. WannaCry (2017) specifically demonstrated this: it exploited a Windows SMB vulnerability for which no XP patch was ever released, causing massive disruption in healthcare organizations running XP. A (USB drives) and B (phishing) are separate vectors that may also apply but do not describe the specific risk created by running EOL software. D (supply chain) is incorrect β€” the vendor's decision to end support is not a supply chain attack; it is simply the product reaching end-of-life.

Matching: Threat Vector Terms

Match each term to its correct definition.

TERM

Vishing
HID Attack
Agentless Software
Default Credentials

DEFINITION

A compromised server-side application affects all connecting clients without any local install
A USB device that emulates a keyboard and automatically types malicious commands
Phone-based social engineering to extract sensitive information from victims
Factory-set usernames and passwords that give full access if never changed

Performance Task

A company's security consultant performs a comprehensive threat vector review and finds: (1) all routers still use default admin/admin credentials, (2) a department has been running Windows 7 for 3 years with no patches, (3) the MSP has access to all internal systems with no MFA. Write the prioritized remediation plan.

Model Answer:

Priority 1 β€” Default Credentials (Immediate: within 24 hours):
Default credentials on all routers must be changed immediately. This is the highest-urgency finding because it requires zero technical skill to exploit β€” any attacker who discovers the device model can look up the default credentials on routerpasswords.com and gain full administrator access to every router in the organization. A compromise of the routers enables traffic interception, routing manipulation, and access to all network segments. Assign a technician to physically or remotely access each router and set a unique, strong password meeting the organization's password policy. Document all new credentials in the organization's password manager. Verify the change on each device.

Priority 2 β€” MSP Access Without MFA (Immediate: within 48 hours):
The MSP has privileged access to all internal systems β€” this is one of the highest-risk access configurations possible. Without MFA, a single stolen or phished MSP employee credential provides authenticated, privileged access to the entire organization. Require MFA immediately for all MSP remote access sessions β€” no exceptions. Additionally, audit the scope of MSP access: does the MSP need access to every internal system, or can access be scoped to only the systems they actively manage? Implement least-privilege access restrictions so the MSP can only reach systems within their defined management scope, with access to sensitive systems requiring additional authorization. Review MSP access logs for any unusual activity going back 90 days to determine if unauthorized access has already occurred.

Priority 3 β€” Unsupported Windows 7 Systems (Within 1–2 weeks, with interim mitigations immediate):
Windows 7 reached end-of-life in January 2020. These systems have been accumulating unpatched vulnerabilities for three years. Establish an immediate network isolation plan: move Windows 7 systems to an isolated VLAN with tightly restricted firewall rules β€” allow only the minimum network traffic required for their business function. This reduces the blast radius if any of these systems are compromised. Simultaneously, begin the upgrade project: identify which applications are preventing upgrade, engage vendors for updated versions supporting current OS, and establish a timeline for replacement or application migration. If specific systems cannot be upgraded within an acceptable timeframe, formally document the risk, implement all available compensating controls (host-based firewall, endpoint protection if available for EOL OS, physical access restrictions), and get sign-off from leadership on the accepted risk.