Lesson 8: Vulnerability Management
Device and OS Vulnerabilities
System States:
- Legacy Systems: Old systems still in use but outdated, with little support available
- EOL (End-of-Life): No support at all, officially retired by the vendor
- EOS (End-of-Support): No further updates or technical help
- Obsolete: Extremely outdated, incompatible with modern systems
- Unsupported: Not officially supported but may still function
- Deprecated: Still works but discouraged, scheduled for removal
- Retired: Formally decommissioned, no longer in use
Other Vulnerabilities:
- Firmware Vulnerabilities: Flaws in embedded software, difficult to detect and patch
- Virtualization Vulnerabilities: VM or hypervisor weaknesses (e.g. VM escape attacks)
- Application Vulnerabilities: Security flaws in installed software
- Zero-Day Vulnerabilities: Unknown to the vendor, unpatched, actively exploited
Misconfigurations:
- Default credentials unchanged
- Unnecessary open ports/services
- Poor cloud or system settings
Cryptographic Vulnerabilities:
- Weak Keys: Short or poorly generated, can be brute-forced
- Deprecated Algorithms: MD5 and SHA-1 are no longer secure
- Misconfigured Cipher Suites: Weak or improperly used encryption
- Unprotected Keys: Keys exposed or stored insecurely
Mobile Device Risks:
- Sideloading: Installing apps from non-official sources (e.g. APK files)
- Rooting (Android): Gaining root privileges, exposes the system
- Jailbreaking (iOS): Removing iOS restrictions, increases the attack surface
Application and Cloud Vulnerabilities
Application Vulnerabilities:
- Race Condition: Two processes access the same resource simultaneously in an unexpected order
- TOCTOU (Time-of-check to time-of-use): System state changes between verification and action
- Memory Injection: Malicious code injected into memory
- Buffer Overflow: Excess data overflows into adjacent memory
- Malicious Updates: Compromised update packages
- Type-Safe Programming Languages: Enforce type rules (Java, C#, Rust, C) to prevent memory vulnerabilities
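The TOCTOU entry above is easiest to see in code. The following is an added example, not part of these lesson notes: a check-then-act file creation (the vulnerable pattern) next to a version that lets the operating system perform the check and the create as a single operation. Function names, the scratch directory and the sample data are constructed for the illustration.

```python
# Added example (not from the lesson notes): TOCTOU check-then-act on a file,
# beside the atomic form. File names and data below are constructed.
import os
import tempfile


def racy_create(path: str, data: bytes) -> bool:
    """Vulnerable pattern: check first, act second.

    Between os.path.exists() (time-of-check) and open() (time-of-use) another
    process can create or replace the path, so the check proves nothing about
    the file that is finally written. Returns True if this call wrote the file.
    """
    if os.path.exists(path):          # time-of-check
        return False
    with open(path, "wb") as fh:      # time-of-use: a separate syscall, race window
        fh.write(data)
    return True


def atomic_create(path: str, data: bytes) -> bool:
    """Hardened form: check and create in one kernel operation.

    O_CREAT | O_EXCL makes open() fail if the path already exists, and
    O_NOFOLLOW (where the platform has it) refuses a symlink planted at the
    path. There is no window between the check and the action.
    Returns True if written, False if the path already existed.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    if hasattr(os, "O_NOFOLLOW"):     # not available on every platform
        flags |= os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def demo() -> dict:
    """Run the atomic form twice on the same path and report the outcome."""
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "report.txt")   # constructed path
        first = atomic_create(path, b"one")
        second = atomic_create(path, b"two")          # path exists now: refused
        with open(path, "rb") as fh:
            content = fh.read()
    return {"first": first, "second": second, "content": content}


if __name__ == "__main__":
    print(demo())
```

The point is that the fix is not a faster check but the removal of the gap: the existence test and the creation happen inside one `open()` call, so no other process can change the state in between.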
Evaluation Scope for Secure Development:
Security testing, documentation review, source code analysis, configuration assessment, cryptographic analysis, compliance verification, security architecture review
Web Attacks:
- XSS (Cross-Site Scripting): Injects malicious scripts into web pages
- SQLi (SQL Injection): Manipulates SQL queries
- CSRF (Cross-Site Request Forgery): Forces users to execute unwanted actions
Cloud-Based Vulnerabilities:
- Cloud Attack Platforms: Attackers abuse cloud services (launching bots, malware, DDoS)
- Cloud Misconfiguration: Public S3 buckets, overly permissive access
- CASB (Cloud Access Security Broker): Monitors cloud usage and enforces policies
Supply Chain Risks:
- Vulnerabilities introduced by vendors (hardware or software); example: SolarWinds
Tools:
- SBOM (Software Bill of Materials): Lists all components in a piece of software
- Dependency Analysis: Scans third-party dependencies for vulnerabilities
- Code Signing: Confirms code is authentic and unaltered
- Vendor Risk Assessment: Reviews vendor security practices
Vulnerability Identification Methods
Vulnerability Scanning:
- Tools: Nessus, OpenVAS (Greenbone)
- Credentialed Scan: Uses login credentials for deeper checks
- Non-Credentialed Scan: Surface-level, less accurate
- Other: Web/app scanners, package monitoring
Threat Feeds:
- Real-time updates on emerging threats
- Sources: MITRE ATT&CK, IBM X-Force, Mandiant, Proofpoint, Abuse.ch, OSINT, ISACs, blogs, forums, dark web
Deep and Dark Web:
- Deep Web: Not indexed by search engines
- Dark Web: Anonymous overlay networks (Tor), illicit content
Other Assessment Methods:
Penetration Testing:
- Unknown environment: No internal knowledge (Black Box)
- Known environment: Full internal knowledge (White Box)
- Partially Known environment: Partial knowledge (Gray Box)
Bug Bounties: Public vulnerability discovery programs
Auditing: Systematic review of configurations and activities
Vulnerability Analysis and Remediation
CVE System:
- CVE (Common Vulnerabilities and Exposures): Standard identifiers for known vulnerabilities
- NVD (National Vulnerability Database): U.S. government database built on CVEs, part of SCAP
- SCAP (Security Content Automation Protocol): Automates vulnerability management and compliance checking
CVSS Scoring:
- 0.1-3.9: Low
- 4.0-6.9: Medium
- 7.0-8.9: High
- 9.0-10.0: Critical
Vulnerability Analysis Factors:
- Prioritization: What to fix first
- Classification: Grouping by type and severity
- Exposure: Can the vulnerable component be reached?
- Environmental Variables: Factors unique to the organization
- Risk Tolerance: Acceptable level of risk
Remediation Practices:
- Patching: Fix with a software update
- Cybersecurity Insurance: Transfer financial risk
- Network Segmentation: Limit lateral movement
- Compensating Controls: Alternatives when a fix is not feasible (e.g. legacy systems)
- Exceptions/Exemptions: Documented acceptance for low-risk cases
- Validation & Re-Scanning: Verify the fix worked
- Auditing & Reporting: Track progress, meet compliance requirements