2.5 Compare and contrast social engineering attacks, threats, and vulnerabilities
📘 CompTIA A+ Core 2 (220-1202)
A vulnerability is a weakness in a system that can be exploited by attackers. Understanding vulnerabilities is crucial because they are the “holes” in a network, device, or software that can allow unauthorized access, data loss, or other security problems.
Here are the main types you need to know for the exam:
1. Non-compliant Systems
Definition:
A non-compliant system is a device or software that does not follow an organization’s security policies or industry standards.
Why it’s a vulnerability:
- If a system is not compliant, it may have weak passwords, unnecessary services running, or insecure configurations.
- Attackers can take advantage of these weaknesses to gain access to data or disrupt services.
Exam tip:
Think of non-compliance as “not following the rules.” In IT, rules are there to keep systems secure.
2. Unpatched Systems
Definition:
An unpatched system is a device, operating system, or application that has not been updated with the latest security fixes.
Why it’s a vulnerability:
- Software vendors release patches to fix security holes.
- If updates are not applied, attackers can exploit known weaknesses to gain control of the system or steal data.
Example in IT context:
- A Windows computer missing the latest security update might be vulnerable to ransomware.
- A web server running old software can be hacked through a known exploit.
Exam tip:
Always associate “unpatched” with known weaknesses that have already been fixed but weren’t applied.
3. Unprotected Systems
Definition:
An unprotected system is one that is missing essential security defenses, like antivirus software or a firewall.
Why it’s a vulnerability:
- Without antivirus, malware can run undetected.
- Without a firewall, unauthorized network traffic can reach the system.
Exam tip:
“Unprotected” literally means no shield. In IT, that shield is software like antivirus or firewalls.
4. End-of-Life (EOL) Systems
Definition:
End-of-Life (EOL) systems are devices or software that are no longer supported by the manufacturer.
Why it’s a vulnerability:
- EOL systems stop receiving updates, including critical security patches.
- Attackers often target EOL software because weaknesses are publicly known and no longer fixed.
Example in IT context:
- Windows 7 is EOL. Systems still running it are at risk because Microsoft no longer provides security updates.
Exam tip:
Remember: EOL = no updates = higher risk.
5. Bring Your Own Device (BYOD)
Definition:
BYOD refers to personal devices, like laptops, tablets, or smartphones, used for work purposes.
Why it’s a vulnerability:
- Personal devices may not meet corporate security standards.
- They may have unpatched software, weak passwords, or unapproved applications.
- BYOD can introduce malware or allow unauthorized access to company data.
Exam tip:
BYOD is convenient but risky. Security teams must control access to prevent vulnerabilities from spreading.
Quick Summary Table
| Vulnerability | What it is | Why it matters |
|---|---|---|
| Non-compliant systems | Systems not following security policies | May have misconfigurations attackers can exploit |
| Unpatched systems | Systems missing updates | Known vulnerabilities remain open |
| Unprotected systems | No antivirus/firewall | Exposed to malware and attacks |
| EOL systems | Unsupported software/hardware | No patches, more easily exploited |
| BYOD | Personal devices used for work | Can bypass corporate security controls |
Key Points for the Exam
- Vulnerabilities are weaknesses that can be exploited.
- Regular updates, compliance checks, and proper protection reduce risks.
- Personal (BYOD) devices need careful management to avoid introducing vulnerabilities.
- EOL systems should be upgraded or replaced to stay secure.
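As an added example (not part of these exam notes), a small Python inventory audit that applies the five categories above as the "compliance check" the summary recommends; the policy thresholds, the Device fields and the host names are assumptions, while the Windows 7 end-of-support date is Microsoft's published one.

```python
from dataclasses import dataclass
from datetime import date

# Assumed organisational policy (hypothetical values, not from the exam objectives).
MAX_PATCH_AGE_DAYS = 30                  # updates must be applied within 30 days
MIN_PASSWORD_LENGTH = 12                 # local account password policy
DISALLOWED_SERVICES = {"telnet", "ftp"}  # "unnecessary services" under the policy
EOL_DATES = {"Windows 7": date(2020, 1, 14)}  # Microsoft ended Windows 7 support on this date

@dataclass
class Device:
    name: str
    os: str
    last_patched: date
    antivirus: bool
    firewall: bool
    corporate_owned: bool
    min_password_length: int
    services: frozenset

def audit_device(dev: Device, today: date) -> list:  # categories that apply to one device
    findings = []
    # 1. Non-compliant: violates the password policy or runs a disallowed service.
    if dev.min_password_length < MIN_PASSWORD_LENGTH or dev.services & DISALLOWED_SERVICES:
        findings.append("non-compliant")
    # 4. End-of-life: the vendor ships no more patches, so a patch-age check is meaningless.
    if dev.os in EOL_DATES and today >= EOL_DATES[dev.os]:
        findings.append("end-of-life")
    # 2. Unpatched: supported OS, but its last update is older than the policy allows.
    elif (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("unpatched")
    # 3. Unprotected: missing antivirus or the host firewall.
    if not (dev.antivirus and dev.firewall):
        findings.append("unprotected")
    # 5. BYOD: personally owned device with access to company data.
    if not dev.corporate_owned:
        findings.append("byod")
    return findings

def audit_inventory(devices, today):  # device name -> findings; clean devices map to []
    return {d.name: audit_device(d, today) for d in devices}

# Constructed sample inventory (hypothetical hosts, not real systems).
TODAY = date(2025, 1, 15)
INVENTORY = [
    Device("PC-01", "Windows 11", date(2025, 1, 10), True, True, True, 14, frozenset({"rdp"})),
    Device("PC-02", "Windows 7", date(2019, 12, 10), True, True, True, 14, frozenset()),
    Device("LAPTOP-03", "Windows 10", date(2024, 10, 1), False, True, False, 14, frozenset()),
    Device("SRV-04", "Windows Server 2022", date(2025, 1, 5), True, True, True, 6, frozenset({"telnet"})),
]
```

Running `audit_inventory(INVENTORY, TODAY)` flags PC-02 as end-of-life, LAPTOP-03 as unpatched, unprotected and BYOD, SRV-04 as non-compliant, and PC-01 as clean.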
