Chapter 77 Β· Tricks

Hardening Targets β€” Exam Tricks

High-yield distinctions, common traps, and pattern recognition for hardening target questions on the Security+ exam.

Trick 1 IoT = Change Defaults + VLAN. Network Infrastructure = Change Defaults + Check Manufacturer. The Default Credential Trap Applies to Both.

The exam frequently tests default credentials in two different target contexts β€” IoT devices and network infrastructure. Both are commonly compromised via unchanged defaults. Know the distinction: for IoT, the primary compensating control after defaults is VLAN segmentation; for network infrastructure, the primary ongoing control is checking manufacturer advisories for rare but important firmware updates.

Pattern Recognition
"Smart thermostat / IP camera / building sensor compromised via default password"
β†’ IoT: change defaults + segment to own VLAN
"Switch / router / firewall accessed via default admin credentials"
β†’ Network infrastructure: change defaults + configure proper authentication (RADIUS/TACACS+)
"IoT device compromised β€” prevent it from reaching corporate servers"
β†’ VLAN segmentation (network containment is the control when device-level security is weak)
"Network infrastructure firmware update from manufacturer" β€” how urgent?
β†’ Very high priority β€” infrastructure updates are rare; when released, they address something significant
Memory anchor: IoT = change defaults + VLAN. Network gear = change defaults + watch for rare patches. Both start with defaults; the containment strategy differs.
Trick 2 SCADA = Physical Consequences + Air-Gap. RTOS = Deterministic Timing + Isolation. They Are Not Interchangeable.

The exam tests SCADA/ICS and RTOS as distinct concepts. The key discriminators: SCADA is about large-scale industrial process control where compromise causes physical infrastructure damage; RTOS is about deterministic timing requirements in safety-critical systems where timing failures cause immediate physical consequences. Both require isolation, but for different reasons β€” SCADA for consequence containment, RTOS for timing protection.

Pattern Recognition
"Power grid / water treatment / manufacturing / oil refinery control system"
β†’ SCADA / ICS (air-gap; no internet access; extensive segmentation)
"Must respond within milliseconds" / "deterministic processing" / "ABS / airbag / flight control"
β†’ RTOS (isolate from all networks; minimum services; no timing disruption)
"Why isolate RTOS from corporate networks?" β€” timing or security?
β†’ Both: network traffic disrupts deterministic timing AND introduces attack vectors
"SCADA system connected to corporate IT network β€” what is the risk?"
β†’ Attacker can pivot from corporate IT to ICS β€” physical infrastructure consequence
Memory anchor: SCADA = big physical infrastructure, air-gapped. RTOS = deterministic timing, isolated. Both are isolated but for different reasons.
Trick 3 Embedded System = Hard to Update β†’ Network Segmentation Is the Compensating Control.

Embedded systems are a special case the exam tests: purpose-built hardware with firmware-embedded OS, often with no update mechanism. The key hardening fact is that when patching is not possible, the defense moves to the network level. Segmentation + firewall = the compensating control. If the exam describes a device that cannot be patched and asks how to protect it, the answer is network isolation, not endpoint security.

Pattern Recognition
"Purpose-built device / appliance / sensor with no update mechanism"
β†’ Embedded system: segment + firewall in front (compensating control for inability to patch)
"Firmware patch released for an embedded device β€” how quickly should it be deployed?"
β†’ Immediately (patches are rare; when one exists, it addresses something significant)
"Embedded device cannot be patched β€” which control protects it?"
β†’ Network segmentation + firewall (network-level containment replaces device-level hardening)
Memory anchor: Embedded = can't patch β†’ move defense to the network. Segment and firewall the device; control what reaches it and what it can reach.
Trick 4 Cloud Management Workstation = "Keys to the Kingdom." Its Four Controls Are Always Tested Together.

The exam frequently presents a cloud breach scenario and asks what should have been in place. The cloud management workstation and the four cloud hardening pillars (secure workstation, least privilege, EDR, C2C backup) appear as a set. Know each pillar and what threat it addresses β€” questions often describe one being missing and ask what the consequence is or what should be added.

Pattern Recognition
"Cloud admin laptop compromised β†’ attacker creates rogue IAM admin account"
β†’ Missing: least privilege (IAM creation should not be permitted from that account)
"Attacker active for days on cloud admin laptop before cloud damage"
β†’ Missing: EDR on the cloud management workstation (would have detected compromise earlier)
"Cloud backup buckets deleted by attacker β€” data unrecoverable"
β†’ Missing: Cloud-to-Cloud (C2C) backup to different provider/region
"Which device in a cloud environment must be hardened with the highest priority?"
β†’ The cloud management workstation β€” it controls everything
Memory anchor: Cloud workstation = keys to the kingdom. Secure it first. Then: least privilege limits blast radius, EDR detects compromise, C2C backup survives deletion.
Practice Scenarios β€” Apply the Tricks
Scenario A: A hospital deploys 300 networked infusion pumps from a medical device manufacturer. The pumps have firmware embedded at manufacture and have no mechanism to receive software updates. A vulnerability is discovered in the pump firmware. Patching is not possible. What hardening approach should the security team implement?
Scenario B: A security consultant is assessing a manufacturing company's infrastructure. They discover the SCADA system controlling the production floor is accessible from any workstation on the corporate network. Engineers say this is convenient because they can check production status from their desks. What is the risk and what should be changed?
Scenario C: A company's IT team is reviewing their workstation hardening process. They currently patch the operating system monthly but do not systematically update applications or device firmware. What gap does this create, and what should the hardening process include?