All topic guides
Security

Security Threat Landscape

Common attacks, malware types, and defense strategies at CCNA scope.

How the sources were combined

Panagiss Security Threat Landscape is the dedicated source — linked to ACL and switch security topics for layered defense.

Overview

CCNA security starts with knowing common threats (malware, social engineering, DoS) and matching controls (ACLs, switch security, firewalls). This guide maps attack types to mitigations at exam depth.

Security fundamentals

TermDefinition
ThreatPotential to cause harm to an IT asset
VulnerabilityWeakness that compromises security or functionality
ExploitTechnique that uses a vulnerability to compromise a system
RiskLikelihood and impact of a successful attack
MitigationTechniques to reduce attack likelihood or severity

CCNA expects you to recognize common threats and map them to layered defenses: firewalls, ACLs, switch security (port security, DHCP snooping), device hardening, and encryption.

Malware

Malware is malicious software. Know these types for the exam:

TypeBehaviorSpread
VirusInserts into other softwareRequires human action to spread
WormSelf-replicatingSpreads automatically across networks
Trojan horseDisguised as legitimate softwareOften installs back doors
RansomwareEncrypts data; demands payment for decryption keyOften delivered via phishing
Info

Botnets are built from worm/trojan-infected zombie hosts controlled by a command-and-control (C2) server — the foundation of large-scale DDoS attacks.

Hacking tools (awareness)

Penetration testers use the same tools as attackers to find weaknesses:

  • Password crackers
  • Packet sniffers (Wireshark) — read unencrypted traffic
  • Ping sweepers
  • Port and vulnerability scanners

Reconnaissance and social engineering

Reconnaissance gathers information about a target before attacking — from passive sources (WHOIS, job listings) to active tools (ping sweeps, port scans).

Social engineering manipulates people into revealing credentials or sensitive data — often via phone or email, with no technical exploit required.

Phishing is social engineering via fake emails or websites impersonating trusted brands to steal passwords or payment data.

Data exfiltration

Data exfiltration is unauthorized data leaving an organization — by external hackers after compromise, or insiders (malicious or accidental, e.g., email with secrets, lost USB drive).

Denial of Service (DoS)

A DoS attack floods a target with more traffic than it can handle, denying service to legitimate users. Single-source DoS can be blocked by filtering that source.

TCP SYN flood

TCP SYN flood — attacker sends SYNs without completing the handshake, exhausting server connection tables.

TCP SYN flood — attacker sends SYNs without completing the handshake, exhausting server connection tables.

Supplementary figure from Panagiss CCNAmd

SYN flood mitigation concepts — half-open connections consume resources.

SYN flood mitigation concepts — half-open connections consume resources.

Supplementary figure from Panagiss CCNAmd

DDoS and botnets

Distributed DoS (DDoS) attacks originate from many sources (botnet), making simple source blocking ineffective. Infected hosts connect outbound to C2 servers — bypassing inbound firewall rules.

Spoofing

Spoofing fakes identity:

TypeExample
IP address spoofingFake source IP in packets
MAC address spoofingFake source MAC on LAN
Application spoofingRogue DHCP server offering wrong gateway/DNS

Reflection and amplification

Reflection attacks spoof the victim's address as the source, causing reflectors to flood the victim with responses. Amplification uses protocols that return much larger responses than requests (e.g., DNS, NTP) to multiply attack volume.

Man-in-the-middle (MITM)

The attacker inserts into the communication path between legitimate hosts — reading or modifying traffic. ARP spoofing is a classic L2 MITM attack on IPv4 LANs.

Password attacks

When a login prompt is reachable:

  1. Enumeration — discover valid usernames
  2. Guessing, brute force, dictionary attacks — obtain passwords

Mitigation: account lockout, strong passwords, MFA, limit management access with ACLs/VTY restrictions.

Buffer overflow

Malformed or oversized data sent to a service can crash it (DoS) or allow arbitrary code execution (compromise).

Packet sniffers

On a compromised host or in the traffic path, sniffers capture packets. Unencrypted protocols (Telnet, HTTP, SNMPv1/v2c communities) expose credentials immediately. Use SSH, HTTPS, and SNMPv3.

IDS and IPS

SystemPlacementAction
IDS (Intrusion Detection)Out-of-band / copy of trafficAlerts administrators
IPS (Intrusion Prevention)InlineCan block matching traffic

Both use signatures (known attack patterns) and anomaly detection (unusual behavior). Require tuning to minimize false positives/negatives.

IDS vs IPS placement — detection observes; prevention sits inline.

IDS vs IPS placement — detection observes; prevention sits inline.

Supplementary figure from Panagiss CCNAmd

IPS vs firewalls

DeviceInspection depthTypical rules
FirewallL3/L4 (IP, port)Permit/deny by address and port
IPSUp to L7 (application)Signature-based attack blocking

Next-Generation Firewalls (NGFW) blur the line — deep packet inspection, application awareness, IPS, and VPN termination in one platform (e.g., Cisco Firepower on ASA).

Stateful firewalls

Stateful firewalls maintain a connection table tracking two-way flow state. Return traffic for permitted outbound sessions is allowed automatically.

Stateful firewall — connection table tracks permitted flows and return traffic.

Stateful firewall — connection table tracks permitted flows and return traffic.

Supplementary figure from Panagiss CCNAmd

Example policy:

  • Deny all inbound from outside to inside
  • Permit outbound web from 10.10.10.0/24
  • Return web traffic permitted by state table

Packet filters (ACLs) vs stateful firewalls

ACLs on routers are stateless packet filters:

  • No connection table
  • Affect one direction only
  • Outbound ACL only → return traffic allowed (no ACL on inbound)
  • ACLs both directions → need explicit permits for outbound and return
ACL packet filter — stateless, one direction; return traffic needs its own rule.

ACL packet filter — stateless, one direction; return traffic needs its own rule.

Supplementary figure from Panagiss CCNAmd

Tip

Defense in depth: firewalls at security boundaries + internal ACLs on routers for segmentation. See the ACL topic for placement rules.

Internal vs external threats

Threat sourcePrimary mitigation
ExternalPerimeter firewall + IPS
InternalSegmentation ACLs, switch port security, host firewalls
Defense in depth — perimeter and internal security controls.

Defense in depth — perimeter and internal security controls.

Supplementary figure from Panagiss CCNAmd

Cryptography (CCNA awareness)

ServiceProvided by crypto
ConfidentialityEncryption — data unreadable to interceptors
IntegrityHash/HMAC — detect tampering
AuthenticityDigital signatures, certificates
Non-repudiationSender cannot deny sending

Symmetric vs asymmetric

TypeKeysSpeedUse case
SymmetricSame shared secret keyFastBulk data (AES, 3DES)
AsymmetricPublic/private key pairSlowKey exchange, signatures (RSA)

HMAC (MD5, SHA) provides integrity using a shared symmetric key.

PKI and TLS

PKI uses a trusted Certificate Authority (CA) to solve key distribution. TLS (successor to SSL) secures HTTPS:

  1. Server presents certificate signed by trusted CA
  2. Browser verifies with CA public key
  3. Symmetric session keys negotiated for bulk encryption
  4. HMAC ensures integrity

VPN overview (awareness)

Site-to-site VPNs encrypt traffic over untrusted networks (Internet) using IPsec (ESP common; AH less common).

IPsec modeUse
TunnelEncrypts original IP header — site-to-site
TransportEncrypts payload only — host-to-site

IPsec phases:

  1. IKE Phase 1 — authenticate peers, build secure channel
  2. IKE Phase 2 — negotiate IPsec SA (transform set)
  3. Data transfer — encrypt interesting traffic

Interesting traffic is defined by an extended ACL — ties VPN config to ACL knowledge.

Remote access VPN connects individual users to the corporate network (client VPN).

CCNA-level mitigation summary

ThreatMitigation at CCNA scope
Malware / botnetsPatch management, endpoint AV, egress filtering
Phishing / social engineeringUser training, email filtering
DoS/DDoSISP scrubbing, rate limiting, IPS (awareness)
SpoofingDHCP snooping, DAI, BPDU Guard, uRPF (awareness)
MITM / ARP spoofingDAI, port security, encryption
Password attacksSSH not Telnet, AAA, strong passwords, VTY ACLs
SniffingEncrypt management (SSH, SNMPv3), HTTPS
Unauthorized accessFirewalls, ACLs, switch security

Exam checklist

TrapKey fact
Virus vs wormVirus needs human action; worm self-propagates
IDS vs IPSIDS alerts; IPS blocks inline
ACL vs stateful FWACLs don't track connection state
SNMPv1/v2cCommunity strings sent in clear text
DDoS vs DoSDDoS = many sources; harder to filter
ICMPv6 in IPv6 ACLsBlanket deny breaks NDP — see IPv6 topic

Related lessons on this site

Continue in this domain

Security · guide 3 of 3

Sources & further reading

psaumur CCNA Course Notes

Additional references

This page is an amalgamated study guide synthesized from the markdown sources above, cross-checked against Cisco's official CCNA exam topics. Verify scope before your exam date.