5.2 Threats, vulnerabilities, malware & social engineering

Key Takeaways

  • A vulnerability is a weakness, a threat is anything that can exploit it, and risk is the combination of the two: the likelihood that the threat exploits the vulnerability times the impact if it does.
  • Viruses need a host file and user action to spread; worms self-propagate across networks with no user action.
  • Trojans disguise themselves as legitimate software, ransomware encrypts files for payment, spyware secretly steals data, and rootkits hide to keep privileged access.
  • Social engineering targets people through phishing, spear-phishing, pretexting, baiting, and tailgating.
  • Defense in depth layers patching, firewalls, least privilege, MFA, backups, and training so one failure is not fatal.
Last updated: July 2026

Threat vs. Vulnerability vs. Risk

These three words are often used loosely, but security professionals keep them distinct, and the DoD Cyber Test may ask you to tell them apart.

  • A vulnerability is a weakness — an unpatched server, a weak password, an unlocked door.
  • A threat is anything that can exploit a vulnerability — a hacker, a piece of malware, a flood, or a careless employee. The specific route it uses is the attack vector.
  • Risk is the combination: the likelihood that a threat exploits a vulnerability, multiplied by the impact if it succeeds.

Example: an unpatched web server is a vulnerability; a worm built to hit that flaw is a threat; the risk is the chance that worm reaches your server and the damage it would cause. You lower risk by removing vulnerabilities (patching), blocking threats (firewalls), or limiting impact (backups).

Two terms extend this vocabulary. A zero-day is a vulnerability that is exploited or disclosed before the vendor has a fix (the vendor has had "zero days" to patch it), so attackers who find it first have a dangerous head start and defenders must rely on detection and compensating controls until a patch ships. An insider threat is a trusted person (employee, contractor) who misuses legitimate access, either maliciously or by accident; because they are already inside, insider threats bypass many perimeter defenses and are among the hardest to detect.

Malware: Types and Distinguishing Traits

Malware ("malicious software") is any program written to harm, steal, or seize unauthorized control. The categories differ mainly in how they spread and what they do.

Malware    | Self-replicates?             | Needs user action?    | Primary behavior
Virus      | Yes, attaches to a host file | Yes                   | Spreads through infected files, corrupts data
Worm       | Yes, across networks         | No                    | Self-spreads fast, consumes resources
Trojan     | No                           | Yes, user installs it | Hidden payload behind a legit-looking disguise
Ransomware | Sometimes                    | Often                 | Encrypts files, demands payment
Spyware    | No                           | Sometimes             | Secretly collects keystrokes and data
Rootkit    | No                           | Sometimes             | Hides malware, keeps privileged access

The key distinctions the test looks for:

  • A virus needs a host file and a user action (opening it) to run and spread.
  • A worm is self-propagating — it moves across networks by itself, with no user action, which is why worms cause fast, wide outbreaks.
  • A Trojan poses as legitimate software; it does not self-replicate but tricks the user into installing it.
  • Ransomware encrypts the victim's files and demands payment for the key — a direct attack on availability.
  • Spyware hides and quietly collects information (keystrokes, browsing, credentials).
  • A rootkit buries itself deep in the operating system to conceal itself and other malware, giving the attacker persistent privileged ("root") access.

Social Engineering: Hacking the Human

Many attacks skip technical exploits and target people instead. Social engineering manipulates a person into breaking security — handing over a password, clicking a link, or holding a door open.

  • Phishing blasts fraudulent emails or texts that impersonate a trusted source to harvest credentials or deliver malware.
  • Spear-phishing is a targeted version aimed at a specific person or organization, using personal details to seem credible; whaling targets high-value executives.
  • Pretexting invents a believable scenario — a fake IT help-desk call or a supposed auditor — to pry information loose.
  • Baiting dangles something tempting, such as a "free" download or a USB drive dropped in a parking lot that installs malware when plugged in.
  • Tailgating (piggybacking) is physically following an authorized person through a secured door without badging in.

The defense against social engineering is mostly awareness: verify identities, distrust artificial urgency, and never share credentials. Attackers lean on emotion — fear, curiosity, and the desire to be helpful — so a message that pressures you to act right now or bypass normal procedure is itself a warning sign.
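The checks above (verify the identity, distrust urgency, watch for lookalikes) can be turned into a simple triage script. The Python below is an added example, not part of the original page: it scores a message against a set of trusted domains and reports the phishing indicators it finds. The two sample messages, the trusted domain acmebank.com, the homoglyph table and the urgency phrase list are all constructed for the demo and are assumptions, not a vendor's detection rules.

```python
import re
from urllib.parse import urlparse

# Phrases that manufacture urgency; attackers use them to short-circuit verification.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "act now", "verify now", "urgent")

# Common character substitutions used to build lookalike domains (constructed list).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable(host):
    """Crude registrable-domain extraction (last two labels); fine for the demo domains."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def normalize_lookalike(domain):
    """Fold homoglyphs so 'acrnebank.com' compares equal to 'acmebank.com'."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def _host_of(text):
    """Hostname of a URL-looking string, or None if the string is not a URL."""
    return urlparse(text.strip()).hostname


def phishing_indicators(msg, trusted_domains):
    """Return a list of human-readable indicators; an empty list means nothing suspicious."""
    found = []
    sender_domain = registrable(msg["from_addr"].rsplit("@", 1)[-1])
    sender_trusted = sender_domain in trusted_domains

    # 1. Reply-To pointing somewhere other than the sender's domain.
    reply_to = msg.get("reply_to")
    if reply_to and registrable(reply_to.rsplit("@", 1)[-1]) != sender_domain:
        found.append("reply-to domain differs from sender domain")

    # 2. Display name borrows a trusted brand while the address does not belong to it.
    name = msg["from_name"].lower()
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        if brand in name and not sender_trusted:
            found.append(f"display name claims {brand!r} but sender domain is {sender_domain}")

    # 3. Sender domain is a homoglyph lookalike of a trusted domain.
    if not sender_trusted:
        for trusted in trusted_domains:
            if normalize_lookalike(sender_domain) == normalize_lookalike(trusted):
                found.append(f"sender domain {sender_domain} is a lookalike of {trusted}")

    # 4. Link text shows one host while the href actually points to another.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', msg["body_html"]):
        href_host, shown_host = _host_of(href), _host_of(text)
        if href_host and shown_host and registrable(href_host) != registrable(shown_host):
            found.append(f"link text shows {shown_host} but points to {href_host}")

    # 5. Urgency language in the visible text (tags stripped).
    plain = re.sub(r"<[^>]+>", " ", msg["body_html"]).lower()
    hits = [p for p in URGENCY_PHRASES if p in plain]
    if hits:
        found.append("urgency language: " + ", ".join(hits))
    return found


# Constructed sample messages; neither is a real email.
TRUSTED = {"acmebank.com"}
SAMPLE_PHISH = {
    "from_name": "AcmeBank Support",
    "from_addr": "alerts@acrnebank.com",           # 'rn' stands in for 'm'
    "reply_to": "helpdesk@mail-verify-center.net",
    "body_html": ("<p>Your account will be suspended within 24 hours unless you verify now.</p>"
                  '<a href="http://acrnebank.com/verify">https://www.acmebank.com/verify</a>'),
}
SAMPLE_LEGIT = {
    "from_name": "AcmeBank",
    "from_addr": "statements@acmebank.com",
    "reply_to": None,
    "body_html": ("<p>Your monthly statement is ready.</p>"
                  '<a href="https://www.acmebank.com/statements">https://www.acmebank.com/statements</a>'),
}

if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(msg, TRUSTED))
```

The phishing sample trips all five checks (reply-to mismatch, borrowed brand name, rn/m lookalike domain, link text that does not match the href, and urgency wording), while the legitimate statement notice trips none. Real mail gateways do far more (SPF/DKIM/DMARC results, URL reputation, attachment analysis), but the same indicators are what a trained user is expected to notice by eye.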

Basic Defenses and Defense in Depth

No single control stops everything, so security relies on layers — the principle of defense in depth. If one layer fails, another still guards the asset. Core controls:

  • Patching / patch management: applying vendor updates promptly closes known vulnerabilities before attackers exploit them. Many large breaches used flaws that already had patches available.
  • Firewalls: filter network traffic, allowing or blocking connections by rule, forming a barrier between trusted and untrusted networks.
  • Antivirus / EDR: antivirus detects and removes known malware; endpoint detection and response (EDR) adds behavioral detection and lets responders investigate, isolate, and clean a compromised host.
  • Least privilege and MFA: limit what a compromised account can do and make a stolen password insufficient on its own.
  • Backups: an offline, tested backup is the single best defense against ransomware.
  • User training: the human layer that blunts social engineering.

Think of a castle: a moat, walls, guards, and a locked vault. An attacker who clears the moat still faces the walls. Combining technical controls (firewalls, patching, antivirus), administrative controls (policies, least privilege, training), and physical controls (locks, badges) is what makes a system genuinely resilient. For example, a phishing email might slip past a firewall, but MFA can still block the stolen password, an alert analyst may report it, and a clean backup limits the damage if something does execute — no single failure hands the attacker everything.
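The "least privilege and MFA" layer in the example above can be made concrete. The Python below is an added example, not code from the original page: a login check that requires both a password and a time-based one-time code (RFC 6238 TOTP over HMAC-SHA1, 30-second step, six digits), then authorizes actions by role so that even a fully authenticated analyst cannot change firewall rules. The user store, role table, salt and password are constructed for the demo; the TOTP secret is the RFC 6238 test-vector secret, chosen only so the expected code at time 59 (287082) can be checked against the RFC, and is not a real credential.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the variant most authenticator apps default to."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


_SALT = b"demo-salt"  # constructed; a real system uses a random per-user salt


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed user store. The TOTP secret is the RFC 6238 test-vector value.
USERS = {
    "alice": {
        "password_hash": _hash_password("correct horse battery staple"),
        "totp_secret": b"12345678901234567890",
        "role": "analyst",
    },
}

# Least privilege: each role gets only the actions it needs (constructed table).
ROLE_PERMISSIONS = {
    "analyst": {"read_logs"},
    "admin": {"read_logs", "change_firewall_rules", "restore_backup"},
}


def authenticate(username, password, totp_code, now, window=1):
    """Layer 1: password. Layer 2: TOTP. A stolen password alone never clears layer 2."""
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal whether the account exists.
    presented = _hash_password(password)
    if user is None or not hmac.compare_digest(user["password_hash"], presented):
        return False, "invalid username or password"
    if totp_code is None:
        return False, "mfa code required"
    # Accept +/- `window` steps of clock skew; compare in constant time.
    for skew in range(-window, window + 1):
        expected = totp(user["totp_secret"], now + skew * 30).encode()
        if hmac.compare_digest(expected, totp_code.encode()):
            return True, "ok"
    return False, "invalid mfa code"


def authorize(username, action):
    """Even a fully authenticated user only gets what the role allows."""
    user = USERS.get(username)
    return user is not None and action in ROLE_PERMISSIONS.get(user["role"], set())


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(authenticate("alice", pw, None, 59))        # password alone is not enough
    print(authenticate("alice", pw, "287082", 59))    # password + valid TOTP
    print(authorize("alice", "read_logs"))            # within the analyst role
    print(authorize("alice", "change_firewall_rules"))  # denied: least privilege
```

Read against the castle analogy: a phished password gets the attacker past the first gate only; without the second factor the login fails, and even a session that passes both gates is confined to the analyst's permissions, so the blast radius of one compromised account stays small.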

Test Your Knowledge

An IT audit finds a server that is missing several months of security updates. In security terms, this missing-patch condition is best described as a:

Test Your Knowledge

Which type of malware spreads across networks by itself, requiring no action from any user?

Test Your Knowledge

An unauthorized person slips through a secured door by walking closely behind an employee who badged in. This is an example of which social-engineering technique?
