These three questions cover threat identification and incident response — areas that account for a significant share of Security+ marks and where candidates most commonly trip up on terminology.
Question 1
A threat actor sends a personalised email to the CFO of a company, referencing a recent acquisition and requesting an urgent wire transfer. Which attack type best describes this?
- A) Phishing
- B) Vishing
- C) Spear phishing
- D) Smishing
Answer: C — Spear phishing
Spear phishing is targeted phishing directed at a specific individual or organisation, typically using personal details to appear credible. Generic phishing casts a wide net; spear phishing uses research to make the lure convincing.
The key distinctions the exam tests:
| Attack | Vector | Targeting |
|---|---|---|
| Phishing | Email | Mass / untargeted |
| Spear phishing | Email | Specific individual or org |
| Whaling | Email | Senior executives specifically |
| Vishing | Voice/phone | Any target |
| Smishing | SMS | Any target |
The scenario here hits two spear phishing markers: email as the vector, and personalisation with real context (the acquisition detail).
Question 2
A developer reviews application logs and sees the following in a URL parameter: ' OR '1'='1. Which type of attack does this indicate?
- A) Cross-site scripting (XSS)
- B) SQL injection
- C) Directory traversal
- D) Command injection
Answer: B — SQL injection
' OR '1'='1 is a classic SQL injection payload. The leading single quote closes the string literal the application built into its query, and the appended OR '1'='1 is a condition that is always true, so the WHERE clause matches every row. Attackers use this to bypass authentication or dump database contents.
The other attacks look different:
- XSS: Contains `<script>` tags or JavaScript (`<script>alert(1)</script>`)
- Directory traversal: Uses `../` sequences to navigate the filesystem (`../../etc/passwd`)
- Command injection: Chains OS commands with `; rm -rf /` or `| cat /etc/passwd`
Why it matters for Security+: The exam expects you to recognise attack signatures from examples, not just definitions.
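The same signature-spotting skill, as a small log checker. This is an added example, not part of the original question set: it pulls the query parameters out of constructed Apache/Nginx-style access-log lines and labels each value with the attack class its signature matches, using deliberately narrow teaching patterns rather than a real WAF ruleset.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus, urlsplit

# Narrow teaching signatures for the four attack classes contrasted above
# (not a production WAF ruleset). Checked in order; the first match wins.
SIGNATURES = [
    ("SQL injection", re.compile(r"'\s*(?:or|and)\s+'[^']*'\s*=\s*'", re.I)),
    ("Cross-site scripting (XSS)", re.compile(r"<\s*script\b|javascript\s*:", re.I)),
    ("Directory traversal", re.compile(r"\.\.[/\\]")),
    ("Command injection", re.compile(r"[;|]\s*(?:cat|rm|ls|id|whoami|wget|curl|nc)\b", re.I)),
]

# Request part of a combined access-log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE)\s+(\S+)\s+HTTP/')


def classify_value(value: str) -> Optional[str]:
    """Return the attack class whose signature matches a decoded parameter value, or None."""
    for label, pattern in SIGNATURES:
        if pattern.search(value):
            return label
    return None


def classify_request(log_line: str):
    """Return (parameter name, attack class) pairs for suspicious query parameters in a log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    findings = []
    # Split by hand rather than with parse_qsl so a ';' inside a value (command
    # chaining) is decoded as part of the value, not treated as a separator.
    for pair in urlsplit(match.group(1)).query.split("&"):
        name, _, raw_value = pair.partition("=")
        label = classify_value(unquote_plus(raw_value))
        if label:
            findings.append((unquote_plus(name), label))
    return findings


# Constructed sample lines (not real traffic): one per attack class plus one benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:15:02 +0000] "GET /login?user=admin&pass=%27+OR+%271%27%3D%271 HTTP/1.1" 200 512',
    '10.0.0.6 - - [12/Mar/2024:10:15:09 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 88',
    '10.0.0.7 - - [12/Mar/2024:10:15:21 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.8 - - [12/Mar/2024:10:15:30 +0000] "GET /ping?host=127.0.0.1;cat+/etc/passwd HTTP/1.1" 500 0',
    '10.0.0.9 - - [12/Mar/2024:10:15:44 +0000] "GET /search?q=security+plus HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify_request(line) or "clean")
```

Note that the payloads are only recognisable after URL decoding; matching on the raw, percent-encoded parameter would miss the first two lines entirely.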
Question 3
A ransomware infection is detected on several workstations. Which should a security team do FIRST?
- A) Identify the ransomware variant and notify management
- B) Eradicate the malware using endpoint protection tools
- C) Contain the affected systems by isolating them from the network
- D) Recover data from the most recent clean backup
Answer: C — Contain the affected systems by isolating them from the network
The NIST incident response lifecycle order is: Preparation → Detection & Analysis → Containment → Eradication → Recovery → Lessons Learned.
Containment always comes before eradication and recovery. Isolating infected systems stops ransomware from spreading laterally across the network before you attempt cleanup. Running eradication tools on a networked system risks re-infection from other compromised hosts.
The order the exam expects you to know:
- Detect / identify
- Contain (isolate, segment)
- Eradicate (remove malware)
- Recover (restore from backup)
- Lessons learned (document)
Notifying management and preserving evidence happen in parallel with containment, not before it.
Key Takeaways
- Spear phishing = targeted email using personal details; whaling = same, but the target is an executive
- SQL injection payloads contain quote characters and boolean logic; XSS contains script tags
- Incident response order: Contain before Eradicate before Recover — the exam regularly tests this sequence