    January 23, 2026 | 45 min read | Cybersecurity

    40+ Cybersecurity Interview Questions That Separate Experts from Beginners

    Security interviews test how you think under pressure. After interviewing candidates for SOC analyst, security engineer, and pen tester roles, here are the questions that reveal true expertise.


    Cybersecurity interviews aren't about memorizing CVE numbers or reciting firewall rules. They're about demonstrating that you can think like an attacker, respond to incidents calmly, and build defense-in-depth strategies that actually work.

    The field has exploded with demand, but so has the bar for quality candidates. These questions reflect what top security teams at Fortune 500 companies and security-focused startups actually ask in 2026.

    Key Areas Interviewers Assess

    • Threat Knowledge: Understanding of attack vectors, malware types, and threat actors
    • Defense Strategies: Network security, endpoint protection, access controls
    • Incident Response: How you handle breaches and security events
    • Tools Proficiency: SIEM, IDS/IPS, vulnerability scanners, forensics tools
    • Communication: Explaining risks to non-technical stakeholders

    Security Fundamentals (Questions 1-10)

    1. Explain the CIA triad and give a real-world example of each.

    Confidentiality: Only authorized users can access data. Example: Encrypting customer PII in a database so even if breached, data is unreadable.

    Integrity: Data hasn't been tampered with. Example: Using checksums to verify software downloads haven't been modified.

    Availability: Systems are accessible when needed. Example: DDoS protection ensuring your e-commerce site stays online during an attack.

    2. What's the difference between symmetric and asymmetric encryption? When would you use each?

    Symmetric: Same key encrypts and decrypts. Fast, used for bulk data. Example: AES for encrypting files at rest.

    Asymmetric: Public/private key pairs. Slower, used for key exchange and signatures. Example: RSA for TLS handshakes.

    In practice: TLS uses asymmetric to exchange a symmetric session key, then symmetric for the actual data—best of both worlds.

    3. Explain the difference between authentication, authorization, and accounting (AAA).

    Authentication: Verifying who you are (username/password, MFA, biometrics)

    Authorization: What you're allowed to do (role-based access, permissions)

    Accounting: Logging what you did (audit trails, access logs)

    4. What is defense in depth? Give an example architecture.

    Defense in depth means multiple security layers so if one fails, others still protect you.

    Example layers: Perimeter firewall → IDS/IPS → Network segmentation → Host-based firewall → Endpoint protection → Application security → Data encryption → Access controls → Monitoring/logging

    5. What's the difference between a vulnerability, threat, and risk?

    Vulnerability: A weakness that could be exploited (unpatched server)

    Threat: Something that could exploit a vulnerability (ransomware gang)

    Risk: Probability and impact of a threat exploiting a vulnerability. Risk = Threat × Vulnerability × Impact

    6. Explain the OWASP Top 10. Which do you see most often?

    OWASP Top 10 lists the most critical web application security risks. The 2021 list includes:

    • Broken Access Control (#1 - moved up from #5)
    • Cryptographic Failures
    • Injection (SQL, NoSQL, OS command)
    • Insecure Design (new in 2021)
    • Security Misconfiguration

    Most common in my experience: Broken access control—developers forget to check permissions on every endpoint.

    7. What is the principle of least privilege? How do you implement it?

    Users and systems should have only the minimum permissions needed to perform their function.

    Implementation: Role-based access control, just-in-time access, regular permission audits, separate admin accounts, network segmentation.

    8. Explain the difference between IDS and IPS.

    IDS (Intrusion Detection System): Monitors and alerts on suspicious activity. Passive—doesn't block traffic.

    IPS (Intrusion Prevention System): Monitors AND blocks malicious traffic inline. Active—can drop packets.

    9. What is a zero-trust security model?

    "Never trust, always verify." Assumes breach has already occurred. Every access request is fully authenticated and authorized regardless of network location.

    Key principles: Verify explicitly, use least privilege access, assume breach, micro-segmentation, continuous validation.

    10. What's the difference between black box, white box, and gray box penetration testing?

    Black box: No prior knowledge—simulates external attacker

    White box: Full knowledge (source code, architecture)—thorough but time-consuming

    Gray box: Partial knowledge—balances realism with efficiency

    Network Security (Questions 11-20)

    11. Explain the TCP three-way handshake. How can it be exploited?

    Handshake: SYN → SYN-ACK → ACK establishes a TCP connection.

    SYN Flood Attack: The attacker sends many SYN packets from spoofed source IPs; the server allocates state for each half-open connection until its backlog and memory are exhausted. Mitigation: SYN cookies, rate limiting, firewall rules.

    12. What is ARP poisoning and how do you prevent it?

    Attacker sends fake ARP messages to link their MAC address with a legitimate IP, intercepting traffic (man-in-the-middle).

    Prevention: Static ARP entries for critical systems, Dynamic ARP Inspection (DAI), 802.1X port security, network segmentation, VPNs.

    13. How does a firewall differ from a WAF?

    Network Firewall: Operates at layers 3-4 (IP, ports). Blocks/allows based on IP addresses, ports, protocols.

    WAF (Web Application Firewall): Operates at layer 7 (application). Understands HTTP, can block SQL injection, XSS, malicious payloads in requests.

    14. Explain DNS tunneling and how to detect it.

    Attacker encodes data in DNS queries/responses to exfiltrate data or establish C2 channels, bypassing firewalls that allow DNS.

    Detection: Unusually long domain names, high volume of DNS requests, requests to suspicious TLDs, DNS traffic to non-corporate DNS servers.
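The four detection signals above, applied to a constructed DNS query log (added example, not code from the original article; the resolver allow-list, TLD watchlist and thresholds are assumptions to tune per environment):

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log for the demo: (timestamp_sec, client_ip, resolver_ip, queried_name)
SAMPLE_QUERIES = [
    (0, "10.0.0.5", "10.0.0.2", "www.example.com"),
    (1, "10.0.0.5", "10.0.0.2", "mail.example.com"),
    (2, "10.0.0.7", "10.0.0.2", "cdn.example.net"),
] + [
    # Tunnel-like pattern: long high-entropy label, many queries per minute, external resolver
    (3 + i, "10.0.0.9", "198.51.100.1", f"{'a1b2c3d4e5f60718' * 3}{i:02x}.exfil.example.xyz")
    for i in range(40)
]
CORPORATE_RESOLVERS = {"10.0.0.2"}        # assumption: the only sanctioned resolver
SUSPICIOUS_TLDS = {"xyz", "top", "tk"}    # assumption: locally maintained watchlist
MAX_LABEL_LEN, ENTROPY_THRESHOLD, QUERIES_PER_MIN = 40, 3.5, 30   # tunable thresholds


def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than dictionary words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def name_findings(name):
    """Per-query checks on the queried name: label length, entropy, TLD."""
    labels = name.lower().rstrip(".").split(".")
    longest = max(labels, key=len)
    findings = []
    if len(longest) > MAX_LABEL_LEN:
        findings.append("long_label")
    if len(longest) >= 16 and shannon_entropy(longest) > ENTROPY_THRESHOLD:
        findings.append("high_entropy_label")
    if labels[-1] in SUSPICIOUS_TLDS:
        findings.append("suspicious_tld")
    return findings


def analyze(queries):
    """Return {client_ip: sorted findings} for every client that tripped at least one check."""
    per_client = defaultdict(set)
    per_minute = Counter()
    for ts, client, resolver, name in queries:
        per_client[client].update(name_findings(name))
        if resolver not in CORPORATE_RESOLVERS:
            per_client[client].add("external_resolver")
        per_minute[(client, ts // 60)] += 1
    for (client, _minute), n in per_minute.items():
        if n > QUERIES_PER_MIN:
            per_client[client].add("high_volume")
    return {c: sorted(f) for c, f in per_client.items() if f}
```

A client that trips several signals at once is far more interesting than one long name; alert on the combination, not on each check alone.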

    15. What is VLAN hopping and how do you prevent it?

    Attacker gains access to traffic on other VLANs through switch spoofing or double tagging.

    Prevention: Disable DTP on access ports, set native VLAN to unused VLAN, explicitly configure trunk ports, use private VLANs.

    16. How would you secure a wireless network?

    • WPA3 (or WPA2-Enterprise with RADIUS at minimum)
    • Strong, unique passwords rotated regularly
    • Disable WPS
    • MAC filtering (limited value, but adds a layer)
    • Separate guest network with isolation
    • Hide SSID (limited value)
    • Monitor for rogue access points

    17. What ports would you expect to be open on a web server? What would concern you?

    Expected: 80 (HTTP), 443 (HTTPS), possibly 22 (SSH) restricted to admin IPs

    Concerning: 21 (FTP), 23 (Telnet), 3389 (RDP), 3306 (MySQL), database ports exposed publicly, any unexpected high ports

    18. Explain SSL/TLS. What's the difference between TLS 1.2 and 1.3?

    TLS encrypts data in transit between client and server.

    TLS 1.3 improvements: Faster handshake (1-RTT vs 2-RTT), removed weak ciphers, forward secrecy mandatory, encrypted handshake, no RSA key exchange.

    19. What is BGP hijacking?

    Attacker announces IP prefixes they don't own via BGP, redirecting internet traffic through their network for interception or disruption.

    Mitigation: RPKI (Resource Public Key Infrastructure), BGP monitoring, route filtering, MANRS compliance.

    20. How do you investigate a potential network intrusion?

    1. Preserve evidence—don't modify systems
    2. Check SIEM alerts and correlate events
    3. Review firewall and network logs
    4. Analyze suspicious traffic with packet captures
    5. Check endpoint logs and run memory forensics
    6. Identify IOCs and search for lateral movement
    7. Document timeline and findings

    Incident Response & Threats (Questions 21-30)

    21. Walk me through your incident response process.

    1. Preparation: IR plan, tools, team training
    2. Identification: Detect and verify the incident
    3. Containment: Limit damage (short-term and long-term)
    4. Eradication: Remove threat from environment
    5. Recovery: Restore systems to normal operation
    6. Lessons Learned: Document and improve

    22. You discover ransomware on a workstation. What's your immediate response?

    1. Isolate the machine immediately (disconnect network, don't power off)
    2. Identify the ransomware variant if possible
    3. Check for lateral movement to other systems
    4. Preserve evidence for forensics
    5. Notify incident response team and management
    6. Assess backup availability and integrity
    7. Do NOT pay ransom without executive and legal consultation

    23. What's the difference between a SOC Level 1, 2, and 3 analyst?

    L1: Triage alerts, initial investigation, escalate or close. Follow playbooks.

    L2: Deep-dive investigation, threat hunting, handle escalations, tune detection rules.

    L3: Advanced threats, malware analysis, forensics, develop new detections, mentor L1/L2.

    24. How do you distinguish a false positive from a true positive?

    Context is everything. I investigate: Is this normal behavior for this user/system? Does the timing make sense? Are there correlated events? What's the reputation of IPs/domains involved? Does the payload match known malware? When in doubt, assume true positive and investigate further.

    25. Explain the MITRE ATT&CK framework. How do you use it?

    ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations.

    Uses: Map detection coverage, identify gaps, understand attack chains, create threat-informed defense, communicate about threats consistently, prioritize security investments.

    26. What is a supply chain attack? Give a recent example.

    Attacker compromises a trusted vendor/software to reach downstream targets.

    Examples: SolarWinds (malicious update), Codecov (compromised bash uploader), Kaseya (REvil ransomware through MSP software). Prevention: Vendor risk assessment, software bill of materials, integrity verification.

    27. How do you handle a phishing report from an employee?

    1. Thank the employee—encourage reporting culture
    2. Analyze the email headers, links, attachments
    3. Check if others received the same email
    4. Block sender/domain at email gateway
    5. If anyone clicked, investigate their machine
    6. Add IOCs to blocklists
    7. Consider security awareness follow-up

    28. What are indicators of compromise (IOCs) vs indicators of attack (IOAs)?

    IOCs: Evidence that a breach occurred—file hashes, IP addresses, domains, registry keys. Reactive, easily changed by attackers.

    IOAs: Behaviors indicating an attack in progress—credential dumping, lateral movement patterns, unusual process execution. Proactive, harder for attackers to evade.

    29. Explain the difference between vulnerability scanning and penetration testing.

    Vulnerability scanning: Automated, identifies known vulnerabilities, broad coverage, frequent (weekly/monthly), safe.

    Penetration testing: Manual, attempts exploitation, deep analysis, less frequent (annually), controlled risk.

    30. What would you look for in Windows event logs during an investigation?

    • 4624/4625: Successful/failed logons
    • 4672: Special privileges assigned (admin logon)
    • 4688: Process creation (with command line if enabled)
    • 4698/4702: Scheduled task created/modified
    • 7045: Service installation
    • 1102: Audit log cleared (suspicious!)
    • PowerShell logs (4103, 4104) for script execution
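A small triage routine over the event IDs listed above, run on a constructed batch of events (added example, not from the original article; the known-admin set and trusted service directories are assumptions):

```python
from collections import Counter

KNOWN_ADMINS = {"Administrator", "svc_backup"}   # assumption: accounts expected to hold admin rights
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files")   # assumption: where services normally live
FAILED_LOGON_THRESHOLD = 5

# Constructed sample events (not real logs): a burst of failures, then a logon with admin rights,
# a process start without a command line, a service from a user-writable path, and a cleared log.
SAMPLE_EVENTS = [{"id": 4625, "user": "jdoe", "src": "10.0.0.50"}] * 5 + [
    {"id": 4624, "user": "jdoe", "src": "10.0.0.50"},
    {"id": 4672, "user": "jdoe"},
    {"id": 4688, "user": "jdoe", "process": "C:\\Windows\\System32\\cmd.exe", "cmdline": None},
    {"id": 7045, "service": "UpdaterSvc", "path": "C:\\Users\\Public\\upd.exe"},
    {"id": 4104, "user": "jdoe", "script": "Get-Process"},
    {"id": 1102, "user": "jdoe"},
]


def triage(events):
    """Walk events in order and return (severity, event_id, message) findings."""
    findings = []
    failed = Counter()
    for e in events:
        eid, user, src = e["id"], e.get("user"), e.get("src")
        if eid == 4625:
            failed[(user, src)] += 1
            if failed[(user, src)] == FAILED_LOGON_THRESHOLD:
                findings.append(("medium", eid, f"{FAILED_LOGON_THRESHOLD} failed logons for {user} from {src}"))
        elif eid == 4624 and failed[(user, src)] >= FAILED_LOGON_THRESHOLD:
            findings.append(("high", eid, f"successful logon for {user} after repeated failures"))
        elif eid == 4672 and user not in KNOWN_ADMINS:
            findings.append(("high", eid, f"special privileges assigned to {user}, not a known admin"))
        elif eid == 4688 and not e.get("cmdline"):
            findings.append(("info", eid, "4688 without command line: enable command-line auditing"))
        elif eid == 7045 and not e["path"].lower().startswith(TRUSTED_SERVICE_DIRS):
            findings.append(("medium", eid, f"service {e['service']} installed from {e['path']}"))
        elif eid in (4698, 4702):
            findings.append(("medium", eid, "scheduled task created or modified"))
        elif eid in (4103, 4104):
            findings.append(("info", eid, "PowerShell script execution recorded"))
        elif eid == 1102:
            findings.append(("critical", eid, "audit log cleared"))
    return findings


def highest_severity(findings):
    order = {"info": 0, "medium": 1, "high": 2, "critical": 3}
    return max((f[0] for f in findings), key=order.get, default=None)
```

The 4688 check is a reminder that the command line only appears if "Include command line in process creation events" is enabled; without it, the event tells you far less.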

    Application & Cloud Security (Questions 31-40)

    31. How would you prevent SQL injection?

    • Parameterized queries/prepared statements (primary defense)
    • Input validation (whitelist approach)
    • Stored procedures (with caution)
    • Least privilege database accounts
    • WAF as additional layer
    • Regular security testing
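The first two defenses side by side, using an in-memory SQLite table constructed for the demo (added example, not code from the original article; the table schema and username format are assumptions):

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, username):
    # BAD: the caller's text is spliced into the SQL, so it can change the query's structure.
    # Kept only to contrast with the safe version below.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # GOOD: the value is bound as a parameter; the database never parses it as SQL.
    return conn.execute("SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()


def is_valid_username(username):
    # Allow-list validation as a second layer (not a replacement for parameterization).
    return re.fullmatch(r"[a-z0-9_]{3,32}", username) is not None


def lookup(conn, username):
    """Defense in depth: validate the shape of the input, then query with a bound parameter."""
    if not is_valid_username(username):
        return []
    return find_user_safe(conn, username)


def demonstrate():
    """Run the classic tautology input through both versions; returns (vulnerable_rows, safe_rows)."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return find_user_vulnerable(conn, tautology), find_user_safe(conn, tautology)
```

The vulnerable version returns every row for the tautology input; the parameterized one returns nothing, because the input is compared as a literal string.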

    32. Explain XSS types and prevention.

    Stored XSS: Malicious script stored in database, served to users

    Reflected XSS: Script in URL parameter reflected in response

    DOM-based XSS: Client-side script manipulation

    Prevention: Output encoding, Content Security Policy, HttpOnly cookies, input validation, modern frameworks with auto-escaping.

    33. What is CSRF and how do you prevent it?

    Cross-Site Request Forgery tricks authenticated users into performing unintended actions.

    Prevention: CSRF tokens (synchronizer token pattern), SameSite cookie attribute, verify Origin/Referer headers, re-authentication for sensitive actions.
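The synchronizer token pattern, Origin/Referer check and SameSite cookie from the answer above, implemented with the standard library (added example, not from the original article; the secret source, allowed origin and token lifetime are assumptions):

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # assumption: per-deployment secret loaded from a secrets store
TOKEN_TTL = 3600                          # seconds a token stays valid
ALLOWED_ORIGINS = {"https://app.example.com"}   # assumption: the application's own origin


def _mac(session_id, ts):
    return hmac.new(SERVER_SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, now=None):
    """Synchronizer token bound to the session: '<timestamp>.<HMAC(secret, session|timestamp)>'."""
    ts = int(time.time() if now is None else now)
    return f"{ts}.{_mac(session_id, ts)}"


def verify_csrf_token(session_id, token, now=None):
    """Accept only an unexpired token whose MAC matches this session (constant-time compare)."""
    now = int(time.time() if now is None else now)
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False
    if now - ts > TOKEN_TTL or ts > now + 60:
        return False
    return hmac.compare_digest(_mac(session_id, ts), mac)


def origin_allowed(headers):
    """Check Origin (falling back to Referer); a request carrying neither is rejected."""
    origin = headers.get("Origin") or headers.get("Referer") or ""
    return any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS)


def state_changing_request_allowed(headers, cookies, form, now=None):
    """Gate for POST/PUT/DELETE: origin check plus session-bound token from the form body."""
    session_id = cookies.get("session")
    return bool(session_id) and origin_allowed(headers) and \
        verify_csrf_token(session_id, form.get("csrf_token", ""), now)


def session_cookie_header(session_id):
    """Set-Cookie value: SameSite=Lax stops cross-site POSTs from carrying the cookie at all."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Binding the token to the session ID is what makes it a synchronizer token: a token captured from another user's session does not verify.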

    34. How do you secure AWS S3 buckets?

    • Block public access (account and bucket level)
    • Enable encryption at rest (SSE-S3 or SSE-KMS)
    • Enforce encryption in transit (bucket policy)
    • Enable versioning and MFA delete
    • Use IAM policies with least privilege
    • Enable access logging
    • Use VPC endpoints for private access

    35. What's the shared responsibility model in cloud security?

    Cloud provider responsible for: Physical security, infrastructure, hypervisor, network fabric

    Customer responsible for: Data, access management, OS patching, application security, encryption, network configuration

    36. How would you secure a Kubernetes cluster?

    • Enable RBAC with least privilege
    • Network policies for pod-to-pod communication
    • Pod security standards/policies
    • Scan container images for vulnerabilities
    • Use secrets management (not ConfigMaps for sensitive data)
    • Enable audit logging
    • Keep cluster and nodes updated
    • Restrict API server access

    37. What is a SIEM and what would you look for when evaluating one?

    Security Information and Event Management—centralizes logs, correlates events, enables detection and investigation.

    Evaluation criteria: Log ingestion capacity, query performance, correlation capabilities, built-in detections, integration ecosystem, compliance reporting, cost model (per GB vs per endpoint).

    38. How do you approach securing APIs?

    • Authentication (OAuth 2.0, API keys with rotation)
    • Authorization on every endpoint
    • Rate limiting and throttling
    • Input validation
    • TLS everywhere
    • API gateway for centralized security
    • Logging and monitoring
    • Version deprecation strategy

    39. What is SSRF and why is it dangerous in cloud environments?

    Server-Side Request Forgery—attacker tricks server into making requests to unintended locations.

    Cloud danger: Can access metadata services (169.254.169.254) to steal IAM credentials, access internal services, pivot to other resources. Capital One breach was SSRF-based.
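An outbound-URL validator of the kind a server should run before fetching a user-supplied URL, covering the metadata address above plus the IPv4-mapped and integer spellings of it (added example, not from the original article; the hostnames in the tests are constructed and the allowed schemes are an assumption):

```python
import ipaddress
import socket
from urllib.parse import urlsplit

METADATA_IP = ipaddress.ip_address("169.254.169.254")
ALLOWED_SCHEMES = {"http", "https"}


def ip_is_internal(ip):
    """True for anything that should never be reached on behalf of a user."""
    if ip.version == 6 and ip.ipv4_mapped:          # ::ffff:a.b.c.d is still IPv4
        ip = ip.ipv4_mapped
    return (ip == METADATA_IP or not ip.is_global or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Default resolver: every address the host resolves to, not just the first."""
    return {ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)}


def static_resolver(table):
    """Resolver built from {host: [ip strings]} so the example runs offline (constructed data)."""
    return lambda host: {ipaddress.ip_address(a) for a in table[host]}


def validate_outbound_url(url, resolve=system_resolver):
    """Return (allowed, reason). Rejects non-HTTP schemes, embedded credentials and any host
    that is, or resolves to, an internal address, including the cloud metadata endpoint."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # Literal IPv4/IPv6, or an integer form such as 2852039166 that lenient parsers accept
        addrs = {ipaddress.ip_address(int(host) if host.isdigit() else host)}
    except ValueError:
        try:
            addrs = resolve(host)
        except (OSError, KeyError):
            return False, "unresolvable host"
    for ip in addrs:
        if ip_is_internal(ip):
            return False, f"resolves to internal address {ip}"
    return True, "ok"
```

Connect to the address that passed validation rather than resolving the name a second time (DNS rebinding), and re-run the check on every redirect.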

    40. How would you implement secure CI/CD pipelines?

    • Secrets management (not in code or env vars)
    • SAST/DAST scanning in pipeline
    • Dependency scanning (SCA)
    • Container image scanning
    • Signed commits and artifacts
    • Least privilege for pipeline credentials
    • Audit logging of deployments
    • Separation of duties

    Prepare for Security Interviews

    Security interviews often include scenario-based questions that test your thinking under pressure. LastRound AI helps you practice incident response scenarios and technical questions in real-time.

    Common Mistakes in Security Interviews

    ❌ What Gets You Rejected

    • Recommending "just block it" without understanding impact
    • Not asking clarifying questions about scope
    • Memorizing tools without understanding concepts
    • Unable to explain findings to non-technical audience
    • No mention of documentation or chain of custody

    ✓ What Gets You Offers

    • Balancing security with business needs
    • Structured approach to problem-solving
    • Staying current with threat landscape
    • Clear communication of complex topics
    • Demonstrating continuous learning mindset