
Chapter 7 of 25

Vulnerability Types Across Systems, Apps, Cloud, and OT

Walk through the many ways systems can be weak—from misconfigurations and unpatched software to logic flaws in applications and insecure operational technology.

27 min read

Step 1 – Vulnerabilities vs Threats vs Risks (Exam Foundations)

Core Exam Terms

Vulnerability is a weakness. Threat is something that can exploit it. Risk is the chance and impact of that exploitation.

Simple Analogy

Default admin password = vulnerability. Criminal scanning the internet = threat. Chance they find and abuse it plus damage = risk.

CIA Connection

Every vulnerability threatens one or more of confidentiality, integrity, availability. Keep this mapping in mind for exam items.

Link to Earlier Modules

You learned who attacks and how. Now we focus on what they target: weaknesses across systems, apps, cloud, and operational technology.

Step 2 – Security Controls and How They Relate to Vulnerabilities

Control Types List

Know this list: technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive.

Controls Can Overlap

One control can be multiple types. An IPS is both technical and preventive. The exam sometimes plays on this nuance.

Example: Unpatched OS

Patch policy = managerial/directive. Patch process = operational. Patch tool = technical. All help remove the vulnerability.

Use This Lens Later

For each vulnerability we cover, ask which control type could prevent, detect, correct, or compensate for it.

Step 3 – OS, Host, and Network Vulnerabilities

Host Weaknesses

Unpatched OS, insecure defaults, excessive privileges, and weak endpoint protection are classic host vulnerabilities.

Network Weaknesses

Flat networks, legacy protocols, misconfigured firewalls, and unsecured routers/switches expose the environment.

AAA Reminder

Centralized AAA (authentication, authorization, accounting) controls who can log in to network devices, what they may do there, and records what they did.

Exam Clues

Phrases like "default configuration", "legacy protocol", or "any-any firewall rule" usually point to clear vulnerabilities.

Step 4 – Host and Network Vulnerabilities in Action (Scenarios)

Scenario 1: RDP Breach

Internet-exposed RDP, weak admin password, and no MFA let a ransomware group break in and encrypt files.

Fixing Scenario 1

Use VPN or secure gateway, strong passwords and MFA, and segment storage away from internet-facing hosts.

Scenario 2: Flat Network

A lab PC gets malware, which spreads via SMBv1 to an unpatched file server on a flat campus network.

Fixing Scenario 2

Segment networks, scan and patch regularly, and disable legacy protocols like SMBv1 to contain spread.
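The exam clues from Step 3 ("any-any firewall rule", internet-exposed RDP) and the two scenarios above can be checked mechanically. The following is an added example, not code from the original chapter: it audits a small rule list for the exact patterns the chapter names. The rule format (one dict per rule with src/dst CIDR, destination port, protocol and action, with port 0 meaning "any port") and the sample rules are constructed for illustration; real firewalls export rules in their own formats.

```python
"""Audit a firewall rule list for the exam clues in Steps 3 and 4.

Added example, not code from the original chapter. The rule format and the
sample rules are constructed; port 0 stands for "any port".
"""
from ipaddress import ip_network

ANY = "0.0.0.0/0"
ANY_PORT = 0
REMOTE_ADMIN_PORTS = {3389: "RDP", 22: "SSH"}   # internet-exposed remote admin (Scenario 1)
SMB_PORT = 445                                  # lateral spread via SMB (Scenario 2)

# Constructed sample rules, listed in evaluation order (first match wins).
SAMPLE_RULES = [
    {"name": "rdp-from-internet", "src": ANY, "dst": "203.0.113.10/32", "port": 3389, "proto": "tcp", "action": "allow"},
    {"name": "ssh-from-office", "src": "10.10.0.0/16", "dst": "10.20.0.5/32", "port": 22, "proto": "tcp", "action": "allow"},
    {"name": "smb-lab-to-servers", "src": "10.30.0.0/24", "dst": "10.20.0.0/24", "port": 445, "proto": "tcp", "action": "allow"},
    {"name": "catch-all", "src": ANY, "dst": ANY, "port": ANY_PORT, "proto": "any", "action": "allow"},
    {"name": "deny-rest", "src": ANY, "dst": ANY, "port": ANY_PORT, "proto": "any", "action": "deny"},
]


def is_any_network(cidr):
    """A /0 prefix matches every address, i.e. the rule says 'any'."""
    return ip_network(cidr).prefixlen == 0


def audit_rules(rules):
    """Return (rule name, finding) pairs for allow rules that match the
    chapter's clues: any-any allows, remote admin reachable from the
    internet, and SMB permitted between internal segments."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src_any = is_any_network(rule["src"])
        dst_any = is_any_network(rule["dst"])
        if src_any and dst_any and rule["port"] == ANY_PORT:
            findings.append((rule["name"], "any-any allow rule: the firewall filters nothing after this point"))
        elif src_any and rule["port"] in REMOTE_ADMIN_PORTS:
            service = REMOTE_ADMIN_PORTS[rule["port"]]
            findings.append((rule["name"], f"{service} reachable from the internet; front it with a VPN or gateway and require MFA"))
        elif rule["port"] == SMB_PORT:
            findings.append((rule["name"], "SMB allowed across segments; scope it to the hosts that need it and disable SMBv1 on both ends"))
    return findings


def shadowed_by_any_any(rules):
    """Names of rules that sit after an any-any allow and can therefore never match."""
    names = [r["name"] for r in rules]
    for i, rule in enumerate(rules):
        if (rule["action"] == "allow" and is_any_network(rule["src"])
                and is_any_network(rule["dst"]) and rule["port"] == ANY_PORT):
            return names[i + 1:]
    return []


if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"[{name}] {finding}")
    print("never evaluated:", shadowed_by_any_any(SAMPLE_RULES))
```

The second function makes a point the scenarios only imply: a permissive catch-all rule does not just open traffic, it also silences every deny rule placed after it, which is why the final "deny-rest" rule in the sample never takes effect.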

Step 5 – Application and Web Vulnerabilities (Logic, Input, and Design Flaws)

Input & Injection Flaws

SQL injection, command injection, and XSS arise when untrusted input is not validated or sanitized properly.

Auth & Session Issues

Broken authentication and weak session handling let attackers hijack accounts or bypass login controls.

Access & Logic Flaws

Broken access control and business logic issues let users access or do things the designer never intended.

Mitigation Patterns

Use secure coding, parameterized queries, proper session management, and regular code and security testing.

Step 6 – Web App Vulnerabilities: Mini Case Studies

Case 1: SQL Injection

Dynamic SQL built from user input lets `admin' OR '1'='1` bypass login and authenticate as the first user.

Case 2: Reflected XSS

A crafted URL with a script in the search parameter is reflected to the page and runs in the victim’s browser.

Case 3: IDOR

Changing `/invoice?id=1234` to another ID reveals someone else’s data due to missing authorization checks.

Pattern Recognition

Dynamic SQL → SQLi. Script in victim browser → XSS. Object IDs in URLs with no checks → broken access control.
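The three cases above, worked in runnable form so the pattern recognition has something concrete behind it. This is an added example written with Python's built-in `sqlite3` and `html` modules; it is not code from the original chapter. The tables, the two users, the two invoice rows and the function names are constructed. Passwords are kept in clear text only so the query shape stays visible; a real system stores salted hashes.

```python
"""Worked versions of the three mini cases in Step 6 (added example, constructed data)."""
import html
import sqlite3


def make_db():
    """In-memory database with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "correct-horse"), ("alice", "hunter2")])
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total REAL)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1234, 1, 99.0), (1235, 2, 42.5)])
    return db


# Case 1: SQL injection. Dynamic SQL lets the quote in the input close the
# string literal, so the chapter's payload turns the WHERE clause into
#   username = 'admin' OR '1'='1' AND password = '...'
# AND binds tighter than OR, so the admin row matches whatever the password is.
def login_vulnerable(db, username, password):
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Parameterized query: the driver passes the values as data, never as SQL."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


# Case 2: reflected XSS. The search term is written straight into the page;
# html.escape converts < > & and quotes to entities so the browser renders text.
def render_search_vulnerable(term):
    return f"<p>Results for: {term}</p>"


def render_search_safe(term):
    return f"<p>Results for: {html.escape(term)}</p>"


# Case 3: IDOR. The vulnerable version trusts the id from the URL and ignores
# who is asking; the safe version ties the lookup to the authenticated user and
# gives the same "not visible" result for missing and foreign invoices, so the
# response does not reveal which IDs exist.
class NotVisible(Exception):
    pass


def get_invoice_vulnerable(db, invoice_id, current_user_id):
    return db.execute("SELECT id, owner_id, total FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()


def get_invoice_safe(db, invoice_id, current_user_id):
    row = db.execute("SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?",
                     (invoice_id, current_user_id)).fetchone()
    if row is None:
        raise NotVisible(f"invoice {invoice_id} is not visible to user {current_user_id}")
    return row


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR '1'='1"
    print("vulnerable login:", login_vulnerable(db, payload, "wrong"))
    print("safe login:", login_safe(db, payload, "wrong"))
    print(render_search_safe("<script>alert(1)</script>"))
    print("user 1, invoice 1235, vulnerable:", get_invoice_vulnerable(db, 1235, 1))
```

Note that the IDOR fix is an authorization check inside the query, not input validation: invoice 1235 is a perfectly well-formed ID, it just belongs to someone else. That is the distinction the exam draws between injection flaws (Case 1 and 2) and broken access control (Case 3).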

Step 7 – Cloud and Hybrid Environment Vulnerabilities

Shared Responsibility

Cloud providers secure infrastructure; customers must secure configs, identities, data, and apps. Misunderstanding this creates gaps.

Cloud Misconfigs

Common issues: public storage, exposed SSH/RDP, open dashboards, and IAM policies that are far too permissive.

Hybrid Weaknesses

A hybrid environment links cloud, mobile, IoT, OT, and on-prem resources. Inconsistent controls and weak integrations between them create pivot paths.

Mitigation Themes

Least privilege IAM, secure templates, network controls, and centralized logging are key to reducing cloud and hybrid risk.

Step 8 – Operational Technology (OT) Vulnerabilities and Constraints

What Is OT?

Operational technology controls physical processes: ICS, SCADA, PLCs, building systems, and industrial equipment.

OT Vulnerabilities

Legacy firmware, insecure protocols, flat networks, and hard-coded or shared credentials are common weak points.

OT Constraints

Safety, uptime, limited maintenance windows, and vendor control make patching and changes difficult.

OT Mitigations

Use strong segmentation, controlled remote access, monitoring, and compensating controls when patching is not feasible.
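When the PLCs cannot be patched, segmentation plus monitoring is the compensating control, and monitoring means deciding what traffic into and out of the OT zone is legitimate and alerting on the rest. The following added example (not code from the original chapter) applies an allow-list to a few constructed flow records: the OT subnet, the single sanctioned jump host, the allowed ICS ports (502 for Modbus/TCP, 44818 for EtherNet/IP) and the log line format are all constructed assumptions for illustration.

```python
"""Allow-list monitoring for an OT zone (added example; addresses, ports and
flow records are constructed)."""
from ipaddress import ip_address, ip_network

OT_ZONE = ip_network("10.50.0.0/24")          # PLC network
JUMP_HOST = ip_address("10.40.0.10")          # the only sanctioned path into the zone
ALLOWED_OT_PORTS = {502, 44818}               # Modbus/TCP, EtherNet/IP
PRIVATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                  ip_network("192.168.0.0/16")]

# Constructed flow records in a simple key=value format.
SAMPLE_FLOWS = """\
2024-05-01T10:00:00Z src=10.40.0.10 dst=10.50.0.7 dport=502 proto=tcp
2024-05-01T10:00:05Z src=10.10.5.20 dst=10.50.0.7 dport=502 proto=tcp
2024-05-01T10:00:09Z src=10.40.0.10 dst=10.50.0.7 dport=3389 proto=tcp
2024-05-01T10:01:00Z src=10.50.0.12 dst=198.51.100.23 dport=443 proto=tcp
2024-05-01T10:01:30Z src=10.50.0.7 dst=10.50.0.9 dport=502 proto=tcp
"""


def parse_flow(line):
    """Turn one 'ts key=value ...' line into a dict with typed fields."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": ts, "src": ip_address(kv["src"]), "dst": ip_address(kv["dst"]),
            "dport": int(kv["dport"]), "proto": kv["proto"]}


def classify(flow):
    """Return an alert reason, or None when the flow fits the allow-list."""
    src, dst = flow["src"], flow["dst"]
    into_ot = dst in OT_ZONE and src not in OT_ZONE
    out_of_ot = src in OT_ZONE and dst not in OT_ZONE
    if into_ot:
        if src != JUMP_HOST:
            return "unsanctioned source into OT zone"
        if flow["dport"] not in ALLOWED_OT_PORTS:
            return "jump host using a non-ICS port into OT zone"
    if out_of_ot and not any(dst in net for net in PRIVATE_RANGES):
        return "OT device talking to the internet"
    return None   # intra-zone traffic and sanctioned jump-host sessions pass


def detect(log_text):
    """Run classify over every record and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            alerts.append((flow["ts"], str(flow["src"]), str(flow["dst"]), flow["dport"], reason))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The allow-list is deliberately small and explicit. In an OT environment the traffic is far more regular than on a corporate LAN, which is what makes this style of positive-model monitoring workable there when it would drown an IT SOC in alerts.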

Step 9 – Classify the Vulnerability (Thought Exercise)

Work through these short scenarios and, for each one, answer three questions in your notes or out loud:

  1. Is this primarily a configuration/patch, application, cloud/hybrid, or OT vulnerability?
  2. Which CIA triad components are most at risk: confidentiality, integrity, availability?
  3. Name at least one control type from the list (technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive) that could mitigate it.

Scenario A

A company stores customer backups in cloud object storage. The bucket is set to public-read so that "sharing is easier". An attacker discovers the bucket and downloads all backups.

Scenario B

An e-commerce site allows users to change the `price` parameter in a hidden form field before checkout. Attackers set prices to 0 and complete purchases.

Scenario C

A water treatment plant uses a legacy PLC network connected to the corporate LAN via a simple router. The PLCs run old firmware and cannot be patched until the next annual shutdown.

Scenario D

A Linux server in a data center has SSH open to the internet, allows password authentication, and has multiple user accounts with weak passwords and no MFA.

After you classify them, compare to this high-level solution key:

  • A: cloud misconfiguration; confidentiality at risk; technical/managerial controls.
  • B: application logic flaw; integrity and possibly confidentiality; secure coding and testing controls.
  • C: OT legacy/segmentation issue; availability and safety; compensating and segmentation controls.
  • D: host/network exposure; confidentiality and integrity; technical preventive controls (MFA, firewalls).

Step 10 – Quick Knowledge Check 1

Answer this exam-style question to test your understanding.

A security analyst discovers that a cloud storage bucket containing sensitive logs is configured with public read access. Which of the following BEST describes this issue?

  A. An application vulnerability caused by improper input validation
  B. A cloud configuration vulnerability that primarily affects confidentiality
  C. An OT vulnerability due to legacy systems that cannot be patched
  D. A physical security vulnerability involving unauthorized data center access

Answer: B) A cloud configuration vulnerability that primarily affects confidentiality

This is a misconfigured cloud storage resource, so it is a **cloud configuration vulnerability**. Because anyone on the internet can read the logs, it primarily affects **confidentiality**. It is not about input validation (A), legacy OT systems (C), or physical access (D).

Step 11 – Quick Knowledge Check 2

Another practice item to solidify key distinctions.

An industrial control system uses an old protocol with no encryption or authentication between the engineering workstation and PLCs. Due to safety concerns, the plant cannot upgrade or replace the devices this year. Which control type is MOST appropriate to reduce risk in the short term?

  A. Corrective control: reinstall the PLC firmware after an incident
  B. Deterrent control: post warning signs near the control room
  C. Compensating control: add network segmentation and monitoring around the ICS
  D. Physical control: add more CCTV cameras in the plant

Answer: C) Compensating control: add network segmentation and monitoring around the ICS

Because the devices cannot be upgraded or patched, a **compensating control** is needed. Network segmentation and monitoring around the ICS environment compensate for the protocol weakness. Corrective controls act after incidents, deterrent signs do not address the network issue, and extra CCTV does not mitigate the protocol vulnerability.

Step 12 – Flashcards: Core Vulnerability Concepts

Use these flashcards to reinforce key terms and distinctions.

Vulnerability
A weakness in a system, process, design, or control that could be exploited.
Threat
Any potential cause of an unwanted impact, such as a threat actor, event, or condition that could exploit a vulnerability.
Risk
The likelihood that a threat will exploit a vulnerability, combined with the impact if it happens.
CIA triad components
confidentiality, integrity, availability
AAA functions
authentication, authorization, accounting
Security control types (list)
technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive
Cloud misconfiguration example
Publicly accessible storage buckets, overly permissive IAM policies, or exposed management interfaces.
Common web app vulnerability types
SQL injection, cross-site scripting (XSS), broken authentication, broken access control, business logic flaws.
Typical OT vulnerability characteristics
Legacy systems, insecure protocols, flat networks, shared or hard-coded credentials, limited patch windows due to safety and uptime.
Hybrid environment (definition)
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.

Key Terms

Risk
The likelihood that a threat will exploit a vulnerability, combined with the impact if it happens.
Threat
Any potential cause of an unwanted impact, such as a threat actor, event, or condition that could exploit a vulnerability.
SY0-701
SY0-701 is the exam series code for the latest version (V7) of the CompTIA Security+ certification exam.
Zero trust
Zero trust is a security model that assumes no implicit trust and requires continuous verification of users and devices, limiting access to only what is needed.
AAA functions
authentication, authorization, accounting
SQL injection
An injection attack that allows an attacker to interfere with the queries an application makes to its database by inserting malicious SQL.
Vulnerability
A weakness in a system, process, design, or control that could be exploited.
CompTIA Security+
CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career.
Hybrid environment
A hybrid environment is an enterprise environment that includes a mix of cloud, mobile, Internet of Things (IoT), operational technology (OT), and on-premises resources that must be monitored and secured.
CIA triad components
confidentiality, integrity, availability
Compensating control
A control that provides an alternative measure of protection when the primary recommended control cannot be implemented.
Broken access control
A vulnerability where users can act outside of their intended permissions, often by manipulating identifiers or requests.
Security control types
technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, directive
Cross-site scripting (XSS)
A web vulnerability that allows an attacker to inject malicious scripts into content that is then executed in other users’ browsers.
Operational technology (OT)
Hardware and software that monitors or controls physical processes, devices, and infrastructure, such as ICS, SCADA, and PLCs.
