
CCNA Security Fundamentals: CIA Triad, Threats, Vulnerabilities & MFA

Security fundamentals form 15% of the CCNA 200-301 exam. Beyond Layer 2 security and VPNs, the exam tests foundational security concepts: the CIA triad, the difference between threats, vulnerabilities, and exploits, common attack categories, security program elements (user awareness, physical security), and password policy including multi-factor authentication. This guide covers the conceptual layer that ties all other CCNA security topics together.


The CIA triad

The CIA triad is the foundational framework for information security: Confidentiality, Integrity, and Availability. Every security control, attack, and countermeasure can be mapped to one or more of these three properties.

Confidentiality ensures that information is accessible only to authorized parties. Threats to confidentiality: eavesdropping, data exfiltration, unencrypted storage or transmission, unauthorized access. Controls: encryption (TLS, IPsec), access control, need-to-know policies.

Integrity ensures that information is accurate and has not been tampered with, either in storage or transit. Threats to integrity: man-in-the-middle attacks, data corruption, unauthorized modification. Controls: cryptographic hashes (SHA-256), digital signatures, message authentication codes (HMAC), checksums.

Availability ensures that systems and data are accessible when needed by authorized users. Threats to availability: Denial of Service (DoS), Distributed DoS (DDoS), hardware failure, natural disaster, ransomware. Controls: redundancy, load balancing, DDoS mitigation, backups, high-availability failover.

Security decisions always involve trade-offs between the three. Increasing confidentiality (strong encryption) can reduce availability (performance overhead). Maximum availability (no authentication) reduces confidentiality. The goal is appropriate balance for the risk environment.

Threats, vulnerabilities, and exploits

These three terms are frequently confused but have specific meanings in security: a vulnerability is a weakness in a system — a bug, misconfiguration, or design flaw. A threat is any potential danger that could exploit a vulnerability — a malicious actor, malware, or environmental hazard. An exploit is the specific technique or tool used to take advantage of a vulnerability.

Risk is the intersection of threat, vulnerability, and impact: Risk = Threat × Vulnerability × Impact. A vulnerability with no known threat is low risk. A severe vulnerability with active exploitation and high business impact is critical risk.

Attack categories on CCNA: Reconnaissance (passive information gathering — port scans, OSINT); Access attacks (exploiting vulnerabilities to gain unauthorized access — password attacks, man-in-the-middle, social engineering); DoS/DDoS attacks (overwhelming a system to deny service to legitimate users); Malware (viruses, worms, ransomware, spyware — software designed to damage or gain unauthorized access).

Common attack types

Social engineering attacks exploit human psychology rather than technical vulnerabilities. Phishing uses fraudulent emails to trick users into revealing credentials or clicking malicious links. Spear phishing targets specific individuals with personalized lures. Vishing uses voice calls. Smishing uses SMS. Pretexting creates a fabricated scenario to extract information. Social engineering is often the first step in a more complex attack — technical defenses alone cannot stop it; user training is essential.

Password attacks: brute force (trying all combinations), dictionary attacks (trying common words and passwords), credential stuffing (using leaked username/password pairs from other breaches). Defense: strong password policies, account lockout, MFA.

Man-in-the-Middle (MitM) attacks position an attacker between two communicating parties to intercept or modify traffic. ARP spoofing (sending fake ARP replies to redirect traffic through the attacker's device) is the classic Layer 2 MitM attack — mitigated by Dynamic ARP Inspection. Defense: encryption (TLS), PKI certificate validation, DAI.

DoS vs DDoS: a DoS attack comes from a single source; a DDoS attack uses many compromised systems (botnets) simultaneously. DDoS is much harder to block because the traffic comes from thousands of legitimate-looking IPs. Common DDoS types: volumetric (saturate bandwidth), protocol (exploit protocol weaknesses like SYN flood), application layer (HTTP floods).

Security program elements

A security program is not just technology — it includes people, processes, and physical controls.

User awareness and training is the most effective defense against social engineering. Security awareness programs teach users to identify phishing, protect passwords, handle sensitive data, and report suspicious activity. Regular training, phishing simulations, and clear policies reduce human-layer risk.

Physical access control protects network infrastructure from physical threats: data centers with badge access, biometrics, mantrap entries (two-door airlocks), surveillance cameras, and locked network closets. Physical access to a device often bypasses all logical security — an attacker with physical access can reset passwords, capture traffic, or steal hardware.

Security policies define expected behavior, acceptable use, incident response procedures, and consequences for violations. Common policies: Acceptable Use Policy (AUP), password policy, data classification policy, incident response plan. Without documented policies, security controls lack context and enforcement authority.

Password policies and multi-factor authentication

Password policy elements: minimum length (12+ characters recommended), complexity (uppercase, lowercase, numbers, symbols), maximum age (require periodic changes), history (prevent reuse of recent passwords), lockout threshold (lock account after N failed attempts to resist brute force).

Multi-factor authentication (MFA) requires two or more authentication factors from different categories: Something you know (password, PIN), Something you have (security token, smartphone app, smart card), Something you are (fingerprint, face recognition, retina scan). MFA dramatically reduces the effectiveness of password attacks — even if a password is compromised, the attacker still needs the second factor.

Common MFA implementations: TOTP (Time-based One-Time Password) apps like Google Authenticator or Cisco Duo generate a 6-digit code that changes every 30 seconds. Hardware tokens (RSA SecurID) generate OTPs. SMS codes (less secure — SIM swapping is a known attack vector). Push notifications (Duo Security sends a push to the user's phone for approval).
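To show what the "6-digit code that changes every 30 seconds" actually is, here is an added example (not part of the original guide, and not Google Authenticator's or Duo's code) implementing the RFC 4226 HOTP and RFC 6238 TOTP algorithms in Python. The secret is the RFC test-vector key; the verifier's one-step tolerance window for clock drift is an assumption of this example.

```python
import hashlib
import hmac
import struct
import time

# The 20-byte ASCII key used by the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte
    chunk = mac[offset:offset + 4]               # 4 bytes starting at offset
    code = struct.unpack(">I", chunk)[0] & 0x7FFFFFFF  # drop sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter = floor(unix_time / step).
    With step=30 the code changes every 30 seconds."""
    return hotp(secret, int(at_time) // step, digits)


def totp_now(secret: bytes) -> str:
    """Current code, as an authenticator app would display it."""
    return totp(secret, time.time())


def verify_totp(secret: bytes, submitted: str, at_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `window` steps on
    either side (assumed tolerance for clock drift) and compares in
    constant time so timing does not leak which digits matched."""
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: at unix time 59, SHA-1 TOTP is 94287082 (8 digits),
    # so the 6-digit form is 287082.
    print("TOTP at t=59:", totp(RFC_TEST_SECRET, 59))
    print("Valid?", verify_totp(RFC_TEST_SECRET, "287082", 59))
```

A stolen password gives an attacker nothing here: the code depends on a shared secret that never leaves the device and the server, and it expires with the time step.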

Password managers allow users to use strong, unique passwords for every service without memorizing them — reducing credential reuse (the root cause of credential stuffing attacks). Enterprise PAM (Privileged Access Management) systems manage credentials for privileged accounts like network administrator logins.

Threat, vulnerability, exploit, and risk defined

Term | Definition | Example
Vulnerability | Weakness in a system | Unpatched OS, default password, open port
Threat | Potential danger that could exploit a vulnerability | Attacker, malware, insider threat
Exploit | Technique used to take advantage of a vulnerability | Buffer overflow code, SQL injection, phishing email
Risk | Likelihood and impact of a threat exploiting a vulnerability | Critical CVE actively exploited in the wild
Countermeasure | Control that reduces a vulnerability or its impact | Patch, firewall rule, MFA, user training

Key exam facts — CCNA

  • CIA triad: Confidentiality (encryption), Integrity (hashing), Availability (redundancy)
  • Vulnerability = weakness; Threat = potential danger; Exploit = technique used to attack
  • Social engineering targets humans, not technology — phishing, vishing, pretexting
  • MFA factors: something you know + something you have + something you are (2 of 3 needed)
  • Physical security: locked server rooms, badge access, mantrap, cameras — physical access bypasses logical controls
  • DoS = single source; DDoS = distributed botnet — harder to block

Common exam traps

Availability is less important than Confidentiality and Integrity

All three CIA properties are equally important — which one matters most depends on the business context. For a hospital, availability of patient records can be life-critical. For a financial institution, integrity of transaction data is paramount. The risk assessment determines priority.

MFA using SMS codes is as secure as hardware token MFA

SMS-based MFA is vulnerable to SIM swapping attacks (an attacker transfers your phone number to their SIM). Hardware tokens and TOTP apps are significantly more resistant. SMS MFA is better than no MFA but is the weakest MFA option.

A strong password eliminates the need for MFA

Passwords can be stolen through phishing, data breaches, or keyloggers regardless of complexity. MFA provides a second factor that remains secure even when the password is compromised. Both strong passwords AND MFA are needed.

Practice questions — Security Fundamentals

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1. A network administrator needs to ensure that confidential data cannot be read by unauthorized parties while in transit. Which CIA property is being protected?

A. Availability
B. Integrity
C. Confidentiality
D. Authentication

Explanation: Confidentiality ensures data is accessible only to authorized parties. Encrypting data in transit (using TLS, IPsec) directly protects confidentiality. Integrity ensures data hasn't been tampered with. Availability ensures systems are accessible when needed.

Q2. An attacker sends thousands of fake TCP SYN packets to a web server, exhausting its connection table. Which type of attack is this?

A. Phishing
B. Man-in-the-Middle
C. SYN flood (DoS)
D. SQL injection

Explanation: A SYN flood is a DoS attack that exploits the TCP 3-way handshake — the attacker sends many SYN packets without completing the handshake, filling the server's half-open connection table until it can no longer accept legitimate connections. This attacks Availability.

Q3. An employee receives a convincing email claiming to be from IT, asking them to click a link and re-enter their VPN password. Which attack type is this?

A. Brute force
B. Phishing
C. ARP spoofing
D. Vishing

Explanation: Phishing uses fraudulent emails that impersonate trusted entities to trick users into revealing credentials. This is a social engineering attack targeting the human element rather than technical vulnerabilities.

Q4. Which authentication factor category does a fingerprint scanner represent?

A. Something you know
B. Something you have
C. Something you are
D. Something you do

Explanation: A fingerprint is a biometric — 'Something you are.' The three MFA factor categories are: Something you know (password, PIN), Something you have (token, smartphone), Something you are (fingerprint, face, retina).

Q5. What is the difference between a vulnerability and an exploit?

A. They are the same thing
B. A vulnerability is a weakness; an exploit is the technique used to take advantage of it
C. An exploit is a weakness; a vulnerability is the attacker's method
D. A vulnerability only applies to software; an exploit applies to hardware

Explanation: A vulnerability is a weakness in a system — a bug, misconfiguration, or design flaw. An exploit is the specific tool or technique that takes advantage of that vulnerability to cause harm. A vulnerability without an exploit is still dangerous but currently unexploited.

Frequently asked questions — Security Fundamentals

What is the CIA triad in cybersecurity?

The CIA triad is the foundational security framework: Confidentiality (only authorized parties can access information — protected by encryption and access control), Integrity (information is accurate and unmodified — protected by hashing and digital signatures), Availability (systems and data are accessible when needed — protected by redundancy and DDoS mitigation). Security programs aim to maintain an appropriate balance of all three.

What is multi-factor authentication and why is it important?

MFA requires users to provide two or more authentication factors from different categories: something you know (password), something you have (phone app, hardware token), something you are (biometric). Even if an attacker steals a password, they still need the second factor. MFA is the single most effective control for preventing unauthorized account access.

What is the difference between a DoS and DDoS attack?

DoS (Denial of Service) originates from a single attacker system. DDoS (Distributed DoS) uses a botnet of thousands of compromised devices to overwhelm the target simultaneously. DDoS is much harder to defend against because blocking one source doesn't stop the attack — the traffic comes from thousands of seemingly legitimate IPs worldwide.

Why is user security awareness training important if you have technical controls?

Social engineering attacks (phishing, pretexting, vishing) target humans, not technology. A perfectly secured network can be compromised if an employee reveals credentials in a phishing email or lets an attacker tailgate through a secure door. Technical controls stop technical attacks; user training is the only defense against social engineering.

What physical security controls protect network infrastructure?

Common controls: locked server rooms and wiring closets (prevents unauthorized physical access), badge/card readers with logging, biometric access for high-security areas, mantraps (two-door airlocks preventing tailgating), surveillance cameras, cable locks for equipment, and equipment inventory tracking. Physical access to a device can bypass all logical security controls — an attacker with physical access can reset passwords and access all data.
