A vulnerability is a security weakness or flaw in a system that a threat actor can exploit (take advantage of) to compromise the system.
Default settings - These are systems and devices deployed on a network using the same configurations they had when they left the manufacturer.
Weak encryption - These are systems that use insecure encryption technologies, which a threat actor can exploit to gain unauthorized access to the system.
Unsecure protocols - Unsecure protocols are network and application protocols that do not provide security features such as encryption to ensure privacy between the client and the server.
Open permissions - These are full permissions given to everyone, which can lead to a security risk from users on the network.
Unsecure root accounts - These are root accounts on Linux-based systems that do not have complex passwords and are therefore easy to compromise.
Open ports and services - There are many unnecessary services running on a system. Some services may open a network port to allow inbound connections from remote systems; a threat actor can launch a remote exploit across the network to take advantage of a vulnerable service on a target system.
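The six weak-configuration categories above map directly onto checks a defender can automate. The following Python script is an added example, not part of the original notes: it runs one check per category over a constructed host inventory and returns a list of findings per host. The inventory format, the Host class, the reference sets (DEFAULT_CREDENTIALS, WEAK_CIPHERS, UNSECURE_PROTOCOLS, EXPECTED_PORTS) and the password-complexity rule are all assumptions made for the example; a real audit would take this data from a scanner or configuration database and use the organization's own baselines.

```python
"""Weak-configuration audit over a constructed host inventory (example code)."""
from dataclasses import dataclass

# Constructed reference data for the example; not an authoritative list.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
WEAK_CIPHERS = {"RC4", "DES", "3DES", "MD5"}
UNSECURE_PROTOCOLS = {21: "FTP", 23: "Telnet", 80: "HTTP", 161: "SNMPv1/v2c"}
# Ports each host role is expected to expose (constructed allow-list).
EXPECTED_PORTS = {"web": {443}, "file": {445}}


@dataclass
class Host:
    name: str
    role: str
    credentials: set      # (username, password) pairs still configured
    ciphers: set          # cipher/hash names the host offers
    listening_ports: set  # TCP/UDP ports accepting inbound connections
    share_mode: str       # octal mode of the exported share, e.g. "0777"
    root_password: str


def is_complex(pw: str, min_len: int = 12) -> bool:
    """Assumed complexity rule: length and all four character classes."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= min_len and all(classes)


def audit_host(host: Host) -> list:
    """Return one finding string per weak-configuration issue on the host."""
    findings = []
    # Default settings: factory credentials never changed.
    for user, _ in sorted(host.credentials & DEFAULT_CREDENTIALS):
        findings.append(f"default credentials in use: {user}")
    # Weak encryption: insecure cipher or hash still offered.
    for cipher in sorted(host.ciphers & WEAK_CIPHERS):
        findings.append(f"weak cipher offered: {cipher}")
    # Unsecure protocols: cleartext services listening.
    for port in sorted(host.listening_ports):
        if port in UNSECURE_PROTOCOLS:
            findings.append(f"unsecure protocol {UNSECURE_PROTOCOLS[port]} on port {port}")
    # Open permissions: the 'other' write bit is set on the share.
    if int(host.share_mode, 8) & 0o002:
        findings.append(f"world-writable share (mode {host.share_mode})")
    # Unsecure root account: password fails the complexity rule.
    if not is_complex(host.root_password):
        findings.append("root password does not meet complexity requirement")
    # Open ports and services: anything outside the role's allow-list
    # (cleartext ports were already reported above, so skip them here).
    expected = EXPECTED_PORTS.get(host.role, set())
    for port in sorted(host.listening_ports - expected - set(UNSECURE_PROTOCOLS)):
        findings.append(f"unexpected listening port {port}")
    return findings


# Constructed sample inventory: one host left at factory defaults, one hardened.
SAMPLE_HOSTS = [
    Host("router-1", "web", {("admin", "admin")}, {"RC4", "AES-128-GCM"},
         {23, 443, 8080}, "0777", "toor"),
    Host("web-2", "web", {("svc_web", "Zq7!vLp2#mXr9Wd")}, {"AES-256-GCM"},
         {443}, "0750", "Tr0ub4dor&3xyzQ!"),
]


def audit_all(hosts=SAMPLE_HOSTS) -> dict:
    """Map each host name to its list of findings."""
    return {h.name: audit_host(h) for h in hosts}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  - {f}")
```

Running the script reports six findings for router-1 (one per category) and none for web-2. The allow-list approach for ports is deliberate: rather than enumerating every dangerous service, the audit flags anything the role does not need, which is the "unnecessary services" problem the notes describe.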
A vulnerability in the cloud is having insecure applications, services and even virtual machines in the cloud that are exposed to anyone on the Internet.
A vulnerability within an on-premises environment is a security weakness that exists on the systems within the organization's network.
When a security risk exists, an organization may seek to transfer the risk handling to a third-party.
The third-party is usually a trusted provider who may have experience in handling the type of risk.
If there's an issue with a product from a vendor, the vendor may not provide adequate support to the customer and may tell the customer the problem is on the customer's end rather than with the actual device.
It's important to know where your data is being stored.
Data can be lost or leaked by the third-party vendor.
Data can be stolen while it's being stored on the third-party infrastructure.
There are many issues when managing a third-party vendor.
There can be security concerns such as whether the vendor has certified professionals to work on the equipment they support, whether the vendor has a privacy policy for customer data, and whether the vendor meets certain compliance and regulatory standards.
An organization should ensure a vendor is properly screened and meets all requirements before conducting business with the vendor.
Sometimes an organization may need to integrate its systems with a third-party system.
Ensure the third-party systems are trusted and secure.
The third-party vendor may be vulnerable or a victim of a supply chain attack and not have realized it.
There are security concerns if the third-party is acquiring its hardware and software components from suppliers other than the trusted retailer.
When a third-party is developing code or an application, there are security concerns such as compliance and secure coding techniques.
There are security vulnerabilities when an organization does not have a proper patch management policy in effect.
Firmware
Operating system (OS)
Applications
Legacy platforms can be older software and systems which are no longer supported by the vendor.
This means the vendor has stopped providing security updates to legacy or end-of-life (EoL) systems and applications.
If an organization is running legacy systems, it will be vulnerable to newer threats and cyber-attacks.
Software vendors typically test their applications for security weaknesses before publishing their product to customers.
Sometimes an attacker is able to find a security vulnerability in an application after it has been published, before the software vendor is aware of it.
The attacker can take advantage of this vulnerability to compromise the application; this is known as a zero-day attack.