Vulnerable Systems, Software, and Devices (Domain 2)

In this episode, we are focusing on vulnerable systems, software, and devices. While cyberattacks often begin with threat vectors like phishing or social engineering, they almost always rely on some form of vulnerability to succeed. That weakness could be in a piece of software, an outdated device, or even a commonly used USB drive. Understanding these risks is critical to securing your environment and minimizing your attack surface.
Let’s begin with removable device risks. Removable devices include USB flash drives, external hard drives, memory cards, and even portable media like CDs and DVDs. These devices are convenient, but they are also a major security risk. Attackers use them to deliver malware, steal data, or bypass network defenses. Simply plugging in an infected USB drive can trigger automatic execution of malicious code on a target system.
In some cases, attackers intentionally drop infected drives in parking lots, conference rooms, or hallways, hoping someone will pick one up and plug it in out of curiosity. These attacks are successful because many systems are configured to automatically trust USB devices, especially if endpoint protection is weak or missing altogether.
Removable media also introduces data loss risks. Sensitive files may be copied to a flash drive and taken offsite without encryption or tracking. If the drive is lost or stolen, the data is exposed.
To mitigate these threats, organizations should implement strict policies for using removable media. This includes disabling automatic execution, requiring encryption on all portable drives, and using device control software to limit which users or systems can access external media. Employees should be trained to avoid using unknown USB devices and to report suspicious activity. Scanning tools should check all connected devices for malware before allowing access.
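The controls just listed (authorized users, registered drives, mandatory encryption, no autorun, scan before access) can be expressed as a small policy that an endpoint agent evaluates on every device-connection event. The following Python is an added example, not material from the episode or any vendor's device-control product; the policy layout, the `DeviceEvent` fields, and the sample events are all constructed for illustration.

```python
"""Added example: applying a removable-media policy to device connection
events.  Constructed events and a hypothetical policy layout; this is not the
episode's own material nor any vendor's device-control product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceEvent:
    user: str
    host: str
    serial: str            # device serial reported by the USB descriptor
    encrypted: bool        # volume is encrypted (hardware or OS full-volume encryption)
    autorun_present: bool  # media root carries an autorun file or launcher


# Hypothetical policy (constructed values)
POLICY = {
    "approved_serials": {"CORP-ENC-0001", "CORP-ENC-0002"},  # registered corporate drives
    "media_users": {"alice", "bob"},                         # users allowed to use media
    "require_encryption": True,
    "block_autorun": True,
}


def evaluate(event, policy=POLICY):
    """Return (decision, reasons).  'allow_after_scan' means the device may be
    mounted only once the endpoint's malware scan of it completes clean."""
    reasons = []
    if event.user not in policy["media_users"]:
        reasons.append("user not authorized for removable media")
    if event.serial not in policy["approved_serials"]:
        reasons.append("device serial not in approved list")
    if policy["require_encryption"] and not event.encrypted:
        reasons.append("volume not encrypted")
    if policy["block_autorun"] and event.autorun_present:
        reasons.append("autorun launcher present on media")
    decision = "block" if reasons else "allow_after_scan"
    return decision, reasons


def log_line(event, decision, reasons):
    """One structured line for the SIEM.  Blocked, unregistered drives are the
    events worth alerting on: they may be dropped-media attempts."""
    return "usb_policy host=%s user=%s serial=%s decision=%s reasons=%s" % (
        event.host, event.user, event.serial, decision, ";".join(reasons) or "-")


# Constructed sample events
EVENTS = [
    DeviceEvent("alice", "WS-01", "CORP-ENC-0001", True, False),   # registered, encrypted
    DeviceEvent("carol", "WS-07", "UNKNOWN-9F3A", False, True),    # unknown drive with autorun
    DeviceEvent("bob", "WS-03", "CORP-ENC-0002", False, False),    # registered but unencrypted
]


def triage(events=EVENTS, policy=POLICY):
    """Evaluate every event; return {serial: decision} plus the log lines."""
    decisions, lines = {}, []
    for ev in events:
        decision, reasons = evaluate(ev, policy)
        decisions[ev.serial] = decision
        lines.append(log_line(ev, decision, reasons))
    return decisions, lines


if __name__ == "__main__":
    for line in triage()[1]:
        print(line)
```

Note that the registered-but-unencrypted drive is blocked even though its owner is authorized: the encryption requirement addresses the data-loss case described above, where a lost drive exposes whatever was copied to it, and is independent of the malware case.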
Next, let’s look at vulnerable software. All software has potential weaknesses. Some come from poor coding practices. Others result from misconfigurations, outdated libraries, or missing updates. Vulnerable software can exist on both the client and server sides and may be targeted by attackers looking for an easy way in.
Client-based software is installed and runs directly on user devices. Examples include email clients, web browsers, and office applications. Vulnerabilities in these programs are especially dangerous because they interact with external content—such as emails, websites, and downloaded files. A single click on a malicious link in a browser can lead to system compromise if the browser is outdated or improperly secured.
Agentless systems are another concern. These rely on web portals or remote access interfaces that do not install agents or software on the client device. While this reduces complexity and management overhead, it can increase exposure. Agentless systems must be secured at the network and application level, using strong authentication, encryption, and access controls.
Another critical issue is the presence of unsupported or legacy systems. Unsupported systems are no longer updated by the vendor. This means that any new vulnerability discovered will remain unpatched, leaving the system exposed indefinitely. Legacy applications often have known flaws and outdated architectures that do not meet modern security standards, but they continue to be used because they support key business functions or are tied to other legacy infrastructure.
The risk here is clear. Attackers often scan networks for signs of outdated software versions or legacy platforms. Once discovered, these targets are exploited using known vulnerabilities that require no custom code or advanced tactics. And because many legacy systems are poorly documented or integrated with newer systems, patching or upgrading them is often avoided—making them attractive long-term targets.
Practical examples of vulnerable software exploitation include ransomware attacks delivered through outdated email clients, or credential theft from unpatched web browsers. In one case, a hospital system was compromised through a third-party scheduling application that had not received security updates in over a year. Attackers used that foothold to access the internal network and encrypt critical data.
Response strategies start with asset inventory. You cannot protect what you do not know you have. Organizations should track all software installations, versions, and patch levels. Vulnerability scans should be run regularly to detect weak points. Patching should be automated where possible, and unsupported systems should be isolated, replaced, or protected with compensating controls like network segmentation and application whitelisting.
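As an added example of the response strategy described here (inventory first, then version and support-status checks, then a patch or compensating-control recommendation), the Python below turns a software inventory into prioritized findings. It is not from the episode; the inventory, the vendor support table, product names, and end-of-support dates are all constructed, and a real deployment would pull them from an asset database and vendor lifecycle data.

```python
"""Added example: turning a software inventory into prioritized findings.
Constructed inventory and a hypothetical vendor-support table; not from the
original episode or any real vendor's data."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    segment: str   # network segment the host lives in


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    issue: str          # "unsupported", "unpatched", "unknown_product", or "ok"
    recommendation: str


# Hypothetical vendor support data (constructed).  eol=None means still supported.
SUPPORT_TABLE = {
    "MailClientX":  {"min_patched": "12.4.1", "eol": None},
    "SchedulerPro": {"min_patched": "3.2.0",  "eol": date(2023, 6, 30)},
    "LegacyDB":     {"min_patched": "1.0.0",  "eol": date(2019, 1, 1)},
}


def parse_version(text, width=3):
    """'12.4' -> (12, 4, 0): zero-pad so '3.2' and '3.2.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def assess(asset, table, today):
    """Classify one asset.  Unsupported outranks unpatched: once the vendor has
    stopped patching, a newer build does not exist, so the answer is isolation,
    compensating controls, or replacement rather than an update."""
    entry = table.get(asset.product)
    if entry is None:
        return Finding(asset.host, asset.product, "unknown_product",
                       "no support data: confirm vendor status and add to the inventory baseline")
    if entry["eol"] is not None and today > entry["eol"]:
        return Finding(asset.host, asset.product, "unsupported",
                       "vendor no longer patches this product: isolate (segment %s), "
                       "apply application allowlisting, plan replacement" % asset.segment)
    if parse_version(asset.version) < parse_version(entry["min_patched"]):
        return Finding(asset.host, asset.product, "unpatched",
                       "update to %s or later (automate where possible)" % entry["min_patched"])
    return Finding(asset.host, asset.product, "ok", "no action")


SEVERITY = {"unsupported": 0, "unpatched": 1, "unknown_product": 2, "ok": 3}


def audit(assets, table=SUPPORT_TABLE, today=date(2024, 1, 15)):
    """Assess every asset and sort the findings, worst first."""
    findings = [assess(a, table, today) for a in assets]
    return sorted(findings, key=lambda f: (SEVERITY[f.issue], f.host))


def summary(findings):
    """Count findings per issue type, for a quick status report."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# Constructed inventory
INVENTORY = [
    Asset("WS-01", "MailClientX", "12.3.0", "corp"),
    Asset("WS-02", "MailClientX", "12.4.1", "corp"),
    Asset("APP-01", "SchedulerPro", "3.1.0", "clinical"),
    Asset("DB-01", "LegacyDB", "1.0.0", "clinical"),
    Asset("WS-03", "UnknownTool", "2.0", "corp"),
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f.host, f.product, f.issue, "->", f.recommendation)
    print(summary(audit(INVENTORY)))
```

The `unknown_product` outcome is deliberate: a product with no support record is an inventory gap, not a clean result, and it is exactly the kind of third-party application that the hospital scheduling example above shows slipping through.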
As you prepare for the Security Plus exam, be sure you understand the security risks associated with removable media and outdated or unsupported software. Know how client-based software differs from agentless platforms, and what steps can be taken to reduce vulnerability. You may be asked to identify weaknesses in a scenario and recommend remediation steps. Watch for clues like legacy platforms, external devices, or unpatched applications—these are signs that vulnerable systems may be the root of the problem.