Domain 3 of 8 · Chapter 5 of 10

Architecture Vulnerabilities

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • The architecture-vulnerability model
  • Shared-substrate: virtualization, containers, cloud
  • Data, OT, and constrained-device architectures
  • Decentralized architectures: distributed, microservices, serverless, edge, HPC
  • Exam-pattern recognition

Signature vulnerability and primary mitigation by architecture type

Architecture typeSignature vulnerabilityPrimary mitigation
Database systemsInference and aggregation; SQL injectionPolyinstantiation, query restriction/views, parameterized queries
Cryptographic systemsWeak key management, hardcoded/poorly stored keys, deprecated algorithmsHSM-backed key storage, key rotation, retire weak algorithms
Virtualized systemsVM escape; hypervisor compromise; VM sprawlHarden/patch hypervisor, isolate high-value VMs, control sprawl
Cloud (SaaS/PaaS/IaaS)Misconfigured customer-owned layer; shared-responsibility confusionApply correct service-model split; secure data, identity, config
ICS / SCADALegacy unauthenticated protocols; cannot patch or actively scanZone/conduit segmentation, passive monitoring, secure the EWS
IoT / embeddedDefault credentials, no patch path, long lifespanChange defaults, segment, plan for end-of-support
ContainersShared host kernel; insecure images; weak isolationMinimal trusted images, scan registry, restrict kernel capabilities
Microservices / serverlessLarge API surface; over-trusted internal calls; over-broad function permissionsAuthN/AuthZ every call, API gateway/mTLS, least-privilege function roles
Distributed / edge / HPCNo single perimeter; physically exposed nodesZero-trust between components; protect exposed edge nodes

Decision tree

Which architecture doesthe scenario describe?Shared substrate undermany workloads?Data store oravailability-first OT?Decentralized overa network?Hypervisor / VM: patchhypervisor, isolate VMs bysensitivity (VM escape)Container: trusted images,minimal host OS(shared kernel)Cloud: apply service-modelsplit; secure data, identity,configDatabase: query restriction,views, polyinstantiation(inference / aggregation)ICS / IoT: segment, passivemonitoring, compensatingcontrols (cannot patch/scan)Microservices / API:authenticate every call,API gateway, mutual TLSAlways: zero-trust between components; never treat logical separation as physical

Cheat sheet

  • Recognize the architecture first, then map it to its signature vulnerability and the matching mitigation
  • A shared component is a shared blast radius
  • Never treat logical separation as equal to physical or hardware separation
  • VM escape lets a guest break out to the hypervisor and reach every other VM
  • A bare-metal (Type 1) hypervisor has a smaller attack surface than a hosted (Type 2) one
  • VM sprawl leaves dormant, unpatched VMs as live attack surface
  • Containers share the host kernel, so they isolate more weakly than VMs
  • Pull container images only from trusted registries and scan them before deployment
  • Run a minimal, container-specific host OS to shrink the shared attack surface
  • Cloud shared responsibility splits the stack: provider secures OF the cloud, customer secures IN the cloud
  • The cloud responsibility line slides with the service model: IaaS > PaaS > SaaS for customer-owned layers
  • Misconfiguration of the customer-owned cloud layer is the dominant breach cause, not provider failure
  • Inference deduces protected facts from data you are allowed to see
  • Aggregation assembles a sensitive whole from individually harmless pieces
  • Polyinstantiation defeats inference by storing same-key records at different classification levels
  • A cryptographic system's architectural weakness is key management, not the math
  • OT/ICS prioritizes availability and safety over confidentiality, inverting the IT order
  • Do not actively scan or reflexively patch fragile OT: use passive monitoring and compensating controls
  • Segment OT from IT with security zones and conduits, isolated behind a DMZ
  • IoT and embedded devices fail on default credentials, no patch path, and lifespans that outlast support
  • In microservices the API is the exposed attack surface: authenticate every call, never trust the internal network
  • Scope serverless functions to least-privilege execution roles and validate event inputs
  • Edge and HPC lose the single perimeter: treat each node as untrusted and protect physically exposed ones
  • STRIDE categorizes threats into six types, mapped per DFD element
  • DREAD rates and prioritizes a threat by five factors
  • ABAC is the answer to RBAC role explosion
  • DAC lets owners delegate access, which exposes it to Trojan horses

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-125: Guide to Security for Full Virtualization Technologies Whitepaper
  2. NIST SP 800-190: Application Container Security Guide Whitepaper
  3. AWS Overview: Security and Compliance (Shared Responsibility Model)
  4. NIST SP 800-145: The NIST Definition of Cloud Computing Whitepaper
  5. NIST CSRC Glossary: Inference
  6. NIST CSRC Glossary: Aggregation
  7. NIST SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security Whitepaper