5.1 Key Security Concepts
Key Takeaways
- The CIA triad (Confidentiality, Integrity, Availability) is the foundation of information security and underpins every CCNA security control.
- A vulnerability is a weakness, a threat is a potential danger, an exploit is the act of using a weakness, and risk is the likelihood times impact.
- Attacks group into reconnaissance, access, denial-of-service, and social-engineering categories — the exam asks you to classify a described scenario.
- Defense-in-depth layers physical, network, host, application, and data controls so no single failure exposes the whole network.
- Threat actors range from script kiddies to organized crime and nation-states; user awareness training mitigates the most common vector (phishing).
Why Security Is 15% of the CCNA
Security Fundamentals is one of the six domains on the Cisco CCNA 200-301 exam (current v1.1 blueprint) and is weighted at 15% of your score. The exam delivers roughly 100-120 questions in 120 minutes and you need about 825 out of 1000 points to pass. Because security questions are scenario-heavy, you must do more than memorize terms — you must classify an attack and pick the correct mitigation under time pressure.
The CIA Triad
Every control you configure in this chapter exists to protect one or more legs of the CIA triad — the bedrock model of information security.
| Principle | Definition | CCNA-relevant control |
|---|---|---|
| Confidentiality | Only authorized parties can read the data | Encryption (IPsec, WPA2/3), ACLs, SSH instead of Telnet |
| Integrity | Data is not altered in transit or at rest | Hashing (SHA-256), digital signatures, message authentication |
| Availability | Systems and data are reachable when needed | Redundancy, backups, DDoS rate-limiting, port security |
A quick exam test: encrypting a config backup protects confidentiality; a SHA hash on a firmware image protects integrity; mitigating a SYN flood protects availability.
Vulnerability, Threat, Exploit, Risk
These four terms are routinely confused, and the exam exploits that. Memorize them as a chain.
| Term | Definition | Example |
|---|---|---|
| Vulnerability | A weakness that could be used against you | Unpatched IOS, default password, open Telnet |
| Threat | The potential danger that may use the weakness | A hacker, a worm, a disgruntled insider |
| Exploit | The actual technique/code that uses the weakness | A crafted packet that crashes the unpatched service |
| Risk | Probability the threat exploits the vulnerability, times impact | Risk = likelihood × impact |
Worked example: a switch with an open, untrusted access port is a vulnerability; a visitor who plugs in a rogue laptop is the threat; running a DHCP-starvation tool is the exploit; the resulting outage cost is the risk.
The Four Attack Categories
- Reconnaissance — gathering information first: port scanning (nmap), ping sweeps, packet sniffing, DNS lookups, and Cisco Discovery Protocol (CDP) harvesting of device details.
- Access — gaining unauthorized entry: password attacks (brute force, dictionary, credential stuffing), phishing, man-in-the-middle (MITM), IP spoofing, session hijacking, and buffer overflows.
- Denial of Service (DoS/DDoS) — exhausting resources: a single-source DoS, a botnet-driven DDoS, a TCP SYN flood (half-open connections), or an ICMP/amplification flood.
- Social engineering — manipulating people: phishing, spear phishing, pretexting, tailgating, and baiting. This is the #1 real-world entry vector, which is why user awareness training appears in every security program.
Malware Types You Must Distinguish
| Type | Defining behavior |
|---|---|
| Virus | Attaches to a file; needs user action to spread |
| Worm | Self-replicates across the network with no user action |
| Trojan | Disguised as legitimate software; opens a backdoor |
| Ransomware | Encrypts data and demands payment |
| Spyware | Secretly monitors and exfiltrates activity |
| Rootkit | Hides in the OS kernel; very hard to detect |
Threat Actors and Program Elements
Threat actors range from script kiddies (low skill, borrowed tools) to hacktivists, organized crime, insiders, and nation-states (advanced persistent threats). A mature security program counters them with user awareness training, physical access control, acceptable-use policies, an incident-response plan, disaster recovery/business continuity, and regular audits.
Defense-in-Depth
Defense-in-depth layers controls so a single failure never exposes everything:
- Physical — locks, cameras, secure facilities
- Network — firewalls, IPS, VLAN segmentation
- Host — antivirus, host firewall, patching
- Application — input validation, secure coding
- Data — encryption, data-loss prevention
- Administrative — policies, training, background checks
Layer 2 Attacks Worth Naming Now
Many security questions are framed around switch attacks, which we mitigate in section 5.5. Recognize them early so you can map attack to defense quickly under exam time pressure.
| Attack | What it does | Mitigation |
|---|---|---|
| MAC flooding | Floods the switch CAM table with fake source MACs until it overflows and floods all unicast traffic out every port, acting like a hub | Port security |
| ARP spoofing | Sends forged ARP replies binding the attacker's MAC to the gateway IP, enabling man-in-the-middle | Dynamic ARP Inspection |
| DHCP starvation | Drains the DHCP scope with spoofed requests so legitimate clients get no lease | DHCP snooping |
| DHCP spoofing | A rogue DHCP server hands clients a poisoned default gateway, redirecting traffic | DHCP snooping |
| VLAN hopping | Uses double-tagging or DTP to reach VLANs the attacker should not see | Disable DTP, move off VLAN 1 |
Security Controls Vocabulary
The exam also expects the three control families. Preventive controls stop an incident before it happens (firewall rules, port security). Detective controls reveal an incident in progress (IDS, syslog, NetFlow). Corrective controls restore normal operation afterward (backups, reimaging). Map any new tool you learn into one of these three buckets — it makes scenario questions far easier to reason about and is exactly how Cisco frames defense-in-depth thinking.
On the Exam: Expect a scenario ("an attacker sends spoofed ARP replies…") and a request to name the attack or its mitigation. Anchor on the chain — weakness (vulnerability) vs. danger (threat) vs. action (exploit) — and remember which CIA leg each control protects.
An attacker runs an nmap port scan and performs DNS lookups to map a target before launching anything. Which attack category is this?
A device runs an unpatched version of IOS with a known bug. In the security vocabulary, the unpatched IOS itself is best described as which of the following?
Which element of the CIA triad is protected when a network engineer verifies a firmware image with a SHA-256 hash before installing it?
Self-replicating malware spreads across the network with no user interaction. Which type is it?