Cyber Security

# Governance Elements

Governance elements refer to the foundational components and frameworks that guide an organization's approach to managing and protecting its information systems.

  • Regulations :

    Regulations are commonly issued in the form of laws, usually from the government, and carry financial penalties and/or imprisonment for non-compliance. For example, the General Data Protection Regulation (GDPR) was enacted by the European Union (EU) to control the use of Personally Identifiable Information (PII) of its citizens and those in the EU.

  • Standards :

    Standards are often used by government teams to provide a framework to introduce policies and procedures in support of regulations. For example, the International Organization for Standardization (ISO) develops and publishes international standards on a variety of technical subjects, including information systems and information security. Another example is the National Institute of Standards and Technology (NIST), a United States government agency.

  • Policies :

    Policies are put in place by organizational governance, such as executive management, to provide guidance in all activities to ensure that the organization meets industry standards and regulations.

  • Procedures :

    Procedures are the detailed steps to complete tasks that support departmental or organizational policies.

When leaders and management implement the systems and structure that the organization will use to achieve its goals, they are guided by laws and regulations created by the government to enact public policy. Laws and regulations guide the development of standards that cultivate policies that result in procedures.

# Risk Management

Risk management is the process of identifying, assessing, and mitigating potential risks to an organization's digital assets, systems, and information. It includes risk assessments and audits, vulnerability scanning, implementing preventive measures such as firewalls, encryption, or multi-factor authentication, and developing risk management frameworks and policies.

Incident Response :

Incident Response (IR) refers to the organized approach taken by an organization to detect, respond to, manage, and recover from security incidents, such as cyberattacks, data breaches, or other malicious activities. The goal of incident response is to minimize the impact of an incident, restore normal operations as quickly as possible, and learn from the event to improve future security measures.

Terminologies -
  • Asset : An asset refers to any valuable entity that needs protection within an organization's IT infrastructure, network, or environment. Assets can include both tangible (physical devices) and intangible resources (data, software, and intellectual property).
  • Event : An event refers to any observable occurrence or action within a system, network, or environment.
  • Vulnerability : Weakness in a system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
  • Threat : A threat is a potential or ongoing danger that could exploit a vulnerability to cause harm to a system, network, or organization via unauthorized access, destruction, disclosure, or modification of information.
  • Exploit : An exploit is a piece of software, code, or technique that leverages a vulnerability in a system, application, or network to cause unintended behavior or gain unauthorized access.
  • Attack : An attack refers to any deliberate action taken by a malicious actor with the intent to compromise the confidentiality, integrity, or availability of a system or network.
  • Intrusion : A security event or combination of events in which an intruder gains or attempts to gain unauthorized access to a system or system resource.
  • Breach : A breach refers to an incident where unauthorized access, disclosure, or manipulation of data, systems, or networks occurs.
  • Incident : An event that actually or potentially compromises the confidentiality, integrity, or availability of a system or network.
  • Zero Day : A zero-day refers to a vulnerability in a software or system that is unknown to the vendor or the public.

Redundancy :

Redundancy refers to the practice of implementing backup systems, processes, or components to ensure that critical functions continue to operate smoothly in the event of failures, attacks, or disasters. By incorporating redundant systems, data storage, and network paths, organizations can reduce the risk of downtime, data loss, and service interruptions caused by system failures, cyberattacks, or other disruptions.

# CIA Triad

The CIA Triad serves as the foundation of information security, and all three aspects must be addressed to ensure comprehensive cybersecurity.

  • Confidentiality :

    Assurance that information is accessible only to those authorized to have access. Encryption, access controls, and authentication are used to prevent unauthorized access.

  • Integrity :

    The trustworthiness of data or resources is maintained by preventing improper or unauthorized changes. Hashing, checksums, and digital signatures are implemented to prevent and detect such modifications.

  • Availability :

    Assurance that systems responsible for delivering, storing, and processing information are accessible to authorized users when needed. Redundancy, backups, and robust disaster recovery plans are implemented to ensure continuous access to resources.

  • Authenticity* :

    Authenticity ensures that the origin of information or communication is genuine and the source is verified as legitimate. It is achieved using digital signatures, certificates, public key infrastructure (PKI), authentication protocols (such as usernames, passwords, biometrics, and multi-factor authentication), and message authentication codes (MACs).

  • Non-Repudiation* :

    Non-repudiation ensures that a party cannot deny the authenticity of their actions, such as sending a message or signing a document. It provides proof of origin and delivery, ensuring accountability. It is achieved using digital signatures, audit logs, message receipts, and secure time stamping.

# Access Control

Access control is the process and mechanism that restrict and manage access to systems, data, or resources within an organization. It limits the visibility, access, and use of resources in a computing environment. This ensures that only authorized users can access information, resources, and systems while preventing unauthorized access that could lead to data breaches, system vulnerabilities, or cyberattacks.

Types of Access Control Models -
  • Discretionary Access Control (DAC) :

    The owner of a resource has the authority to grant or deny access to others. Access rights are determined based on the discretion of the resource owner. Once a user is given permission to access an object (usually by a system administrator or through an existing access control list), they can grant access to other users on an as-needed basis. Example: A file owner on a system determines who can read, write, or execute the file.

  • Mandatory Access Control (MAC) :

    Access decisions are made based on predetermined policies set by an administrator, not the resource owner. Resources are classified (e.g., top secret, confidential, public), and users are assigned clearance levels. Mandatory access control establishes strict security policies for individual users and the resources, systems, or data they are allowed to access. Example: Military or governmental organizations often use MAC, where access is based on security clearances.

  • Role-Based Access Control (RBAC) :

    Access rights are assigned based on roles within an organization, rather than individual users. Users are granted permissions according to the role they are assigned (e.g., admin, manager, employee). Individuals can perform any action that is assigned to their role and may be assigned multiple roles as necessary. Example: An admin has full access, while regular users may have read-only access to certain files.

  • Rule-Based Access Control (RuBAC) :

    A set of rules is established to determine access; these rules are based on specific conditions (e.g., network location, device, or specific times of day). RuBAC is an extension of RBAC in which access is governed by a set of rules that the organization prescribes. Example: Allowing access to certain systems only when a user is connected from the company's secure network.
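
The RBAC and rule-based models described above can be combined in one default-deny decision function. The following is an added example, not part of the original notes; the users, roles, permission names, the 10.20.0.0/16 "secure network" and the business hours are all constructed assumptions.

```python
# Added example: an RBAC decision with rule-based (RuBAC) conditions on top.
# All users, roles, permissions, networks and hours are constructed values.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# RBAC: permissions are attached to roles, never to individual users.
ROLE_PERMISSIONS = {
    "admin": {"report:read", "report:write", "user:manage"},
    "manager": {"report:read", "report:write"},
    "employee": {"report:read"},
}

# A user may hold several roles.
USER_ROLES = {
    "alice": {"admin"},
    "bob": {"employee", "manager"},
    "carol": {"employee"},
}

CORPORATE_NET = ip_network("10.20.0.0/16")  # constructed "secure network"
BUSINESS_HOURS = range(8, 18)               # 08:00 to 17:59


@dataclass(frozen=True)
class Request:
    user: str
    permission: str
    source_ip: str
    when: datetime


def rbac_allows(user, permission):
    """True if any role held by the user carries the permission."""
    roles = USER_ROLES.get(user, set())  # unknown user: no roles
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)


def rule_on_corporate_network(req):
    """Rule: requests must originate from the corporate network."""
    return ip_address(req.source_ip) in CORPORATE_NET


def rule_write_only_in_business_hours(req):
    """Rule: write permissions are usable only during business hours."""
    if not req.permission.endswith(":write"):
        return True
    return req.when.hour in BUSINESS_HOURS


RULES = [rule_on_corporate_network, rule_write_only_in_business_hours]


def authorize(req):
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    if not rbac_allows(req.user, req.permission):
        return False, "role lacks permission"
    for rule in RULES:
        if not rule(req):
            return False, f"rule failed: {rule.__name__}"
    return True, "ok"


def check(user, permission, source_ip, hour):
    """Evaluate a request made at `hour` on a constructed date."""
    when = datetime(2024, 3, 4, hour, 0)
    return authorize(Request(user, permission, source_ip, when))


if __name__ == "__main__":
    print(check("bob", "report:write", "10.20.5.9", 10))
    print(check("carol", "report:write", "10.20.5.9", 10))
    print(check("alice", "report:read", "203.0.113.7", 10))
    print(check("bob", "report:write", "10.20.5.9", 23))
```
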

Microsegmentation :

Microsegmentation is the practice of breaking up security perimeters into small zones to maintain separate access for separate parts of the network. Networks are divided into smaller, isolated segments to reduce the lateral movement of potential attackers. Each segment has its own security policy, making it more difficult for threats to spread across the network.

Zero Trust :

Zero Trust is a security framework that operates on the principle of "never trust, always verify." It requires strict identity verification and access control for every user, device, application, and network trying to access resources, regardless of whether they are inside or outside the corporate network.

Key Principles of Zero Trust -
  • Never Trust, Always Verify : Every request for access to systems, applications, or data is treated as though it is coming from an untrusted source, even if the request originates from inside the network.
  • Least Privilege Access : Users and devices are granted the minimum level of access necessary to perform their tasks, reducing the potential attack surface. This includes enforcing strict access control policies and limiting user permissions.
  • Micro-Segmentation : Zero Trust networks also utilize microsegmentation. Networks are divided into smaller, isolated segments to reduce the lateral movement of potential attackers. Each segment has its own security policy, making it more difficult for threats to spread across the network.
  • Continuous Monitoring and Validation : Security controls are constantly evaluated, and access rights are continuously reassessed to ensure they are still appropriate based on the context (e.g., location, device, role, behavior). This helps in identifying and mitigating anomalies.
  • Multi-Factor Authentication (MFA) : Strong authentication mechanisms are implemented to ensure that only authorized users and devices can access critical resources. MFA requires multiple forms of identity verification, such as passwords and biometrics or tokens.

# Cryptography

Cryptography is the practice and study of techniques for securing communication and data from third parties. It involves the creation of mathematical algorithms and protocols that ensure confidentiality, integrity, authenticity, and non-repudiation of information.

  • Encryption :

    Encryption is the process of transforming readable plaintext into unreadable ciphertext to mask sensitive information from unauthorized users. Encryption is used to protect sensitive data from unauthorized access and data breaches.

  • Decryption :

    Decryption is the reverse process of encryption, where ciphertext is transformed back into plaintext using a decryption key.

  • Hashing :

    Hashing is a method of converting data (message, file, or password) into a fixed-size string of characters, which typically represents a "fingerprint" of the original data. This converted hash value is called a digest. Hashes are used for data integrity checks, ensuring that data has not been altered.

  • Digital Signature :

    A digital signature is a cryptographic technique used to verify the authenticity and integrity of digital messages or documents. It serves as a virtual equivalent of a handwritten signature or a stamped seal, but with much more security.

  • Public Key Infrastructure (PKI) :

    Public Key Infrastructure (PKI) is a framework that manages digital keys and certificates, enabling secure communication and data exchange over untrusted networks (like the internet). PKI ensures that public keys are properly distributed, authenticated, and managed so that secure transactions and communications can occur between parties.

# Encryption

Encryption is the process of transforming readable plaintext into unreadable ciphertext to mask sensitive information from unauthorized users. Encryption is used to protect sensitive data from unauthorized access and data breaches. Encryption works by using encryption algorithms to encrypt data into an indecipherable format. Only authorized parties with the right secret key, known as the decryption key, can decrypt the data.

  • Plaintext : Plaintext is the original, readable data or message in its unencrypted form. Its meaning or value is immediately accessible and usable by the end user (person or a process).
  • Ciphertext : Ciphertext is the encrypted, unreadable data or message and is not interpretable without the decryption key.
  • Encryption Algorithm : An encryption algorithm is a mathematical procedure used to transform data (plaintext) into an unreadable format (ciphertext). This transformation process is achieved using a set of rules and a cryptographic key.

Types of Encryption -
  • Symmetric Encryption : In symmetric encryption, the same key is used for both encryption and decryption processes. Example: AES (Advanced Encryption Standard) and DES (Data Encryption Standard)
  • Asymmetric Encryption : In asymmetric encryption, different keys are used for encryption and decryption: a public key for encryption and a private key for decryption. Asymmetric encryption is also known as public key cryptography (PKC). Example: RSA (Rivest-Shamir-Adleman)

# Hashing

Hashing is a method of converting data (message, file, or password) into a fixed-size string of characters, which typically represents a "fingerprint" of the original data. This converted hash value is called a digest. Hashes are used for data integrity checks, ensuring that data has not been altered. Hashing is often used in file fingerprinting and storing passwords securely. Instead of storing the password itself, systems store the hash of the password.

  • The key property of a hash function is that it produces a fixed-size output for any size of input.
  • The same input will always produce the same hash value, and even a tiny change in input will generate drastically different hash values.
  • The hash is irreversible, that is, a one-way operation; one cannot reverse the process to retrieve the original input data from the hash value.
  • Example: MD5 (Message Digest Algorithm) and SHA (Secure Hash Algorithm).

Checksum :

A checksum is a small-sized piece of data generated from a larger set of data, used for error detection in data transmission and storage. When the data is transmitted or stored, the checksum is sent or saved alongside it. A checksum is computed by applying a mathematical algorithm (e.g., CRC32, MD5, SHA-1) to the data. Checksum is used in error detection in file transfers, storage, and network protocols (e.g., CRC checks in network protocols like Ethernet or ZIP file integrity).

  • Checksums are fast and efficient for detecting accidental data corruption but are not designed for security purposes; they don't provide a high level of protection against malicious tampering.
  • For data integrity and collision resistance, more robust and secure hashes are used.
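
The hash properties listed above and the limits of a checksum can be checked directly. The following is an added example, not part of the original notes; the messages and the key are constructed, and HMAC-SHA256 is used as the keyed check (a message authentication code) for contrast with the unkeyed CRC32.

```python
# Added example: hash properties, and why a checksum is not a tamper check.
# Messages and the key are constructed sample values.
import hashlib
import hmac
import zlib

DEMO_KEY = b"constructed-demo-key"  # shared secret known only to sender/receiver


def sha256_digest(data):
    return hashlib.sha256(data).digest()


def differing_bits(a, b):
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hash_properties():
    """Fixed-size output, determinism, and large change for a small edit."""
    d1 = sha256_digest(b"transfer 100 to account 42")
    d2 = sha256_digest(b"transfer 900 to account 42")  # one character changed
    return {
        "digest_sizes": (len(sha256_digest(b"a")),
                         len(sha256_digest(b"a" * 1_000_000))),
        "deterministic": d1 == sha256_digest(b"transfer 100 to account 42"),
        "bits_changed": differing_bits(d1, d2),  # out of 256
    }


def crc_ok(data, crc):
    return zlib.crc32(data) == crc


def mac_ok(key, data, tag):
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def flip_bit(data, index):
    """Simulate accidental corruption of a single bit."""
    corrupted = bytearray(data)
    corrupted[index // 8] ^= 1 << (index % 8)
    return bytes(corrupted)


def compare_integrity_checks(key=DEMO_KEY):
    original = b"transfer 100 to account 42"
    modified = b"transfer 900 to account 42"
    crc = zlib.crc32(original)
    tag = hmac.new(key, original, hashlib.sha256).digest()
    return {
        # Accidental corruption: the stored CRC no longer matches.
        "crc_catches_bit_flip": not crc_ok(flip_bit(original, 13), crc),
        # Deliberate change: a CRC needs no secret, so whoever alters the
        # data can replace the checksum too and the check still passes.
        "crc_passes_after_recompute": crc_ok(modified, zlib.crc32(modified)),
        # A keyed MAC cannot be recomputed without the key, so the tag
        # that travelled with the data no longer verifies.
        "mac_rejects_modified": not mac_ok(key, modified, tag),
        "mac_accepts_original": mac_ok(key, original, tag),
    }


if __name__ == "__main__":
    print(hash_properties())
    print(compare_integrity_checks())
```
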

# Digital Signature

A digital signature is a cryptographic technique used to verify the authenticity and integrity of digital messages or documents. It serves as a virtual equivalent of a handwritten signature or a stamped seal, but with much more security. Digital signatures are based on asymmetric cryptography (also called public-key cryptography). It is used in email signing, software distribution, legal documents (contracts, agreements, and other legally binding documents), and blockchain.

How Digital Signatures Work -
  • Key Generation :
    • Private Key : This key is kept confidential by the signer and is used to create the digital signature.
    • Public Key : This key is shared publicly and can be used by others to verify the authenticity of the signature.
  • Signing Process :
    • The signer creates a hash (a unique digital fingerprint) of the document or message.
    • This hash is encrypted using the signer's private key, forming the digital signature.
    • The signed message (the original message along with the digital signature) is then sent to the recipient.
  • Verification Process :
    • The recipient uses the public key of the signer to decrypt the digital signature.
    • The recipient also generates a hash of the original document.
    • If the decrypted hash from the digital signature matches the newly generated hash, it confirms that the document has not been altered and that the signature is indeed from the rightful signer.

# Public Key Infrastructure

Public Key Infrastructure (PKI) is a framework that manages digital keys and certificates, enabling secure communication and data exchange over untrusted networks (like the internet). PKI ensures that public keys are properly distributed, authenticated, and managed so that secure transactions and communications can occur between parties. PKI involves a set of hardware, software, policies, and standards that work together to provide services such as encryption, authentication, and digital signatures using public key cryptography.

Key Components of PKI -
  • Certificate Authority (CA) :

    The CA is the trusted entity responsible for issuing and managing digital certificates. The CA validates the identity of the entity requesting a certificate before issuing it. Essentially, the CA vouches for the authenticity of a public key and the identity behind it. Example: DigiCert, GlobalSign, Let's Encrypt.

  • Registration Authority (RA) :

    The RA acts as an intermediary between users and the CA. When a user requests a digital certificate, the RA verifies the applicant’s identity (documents or database checks). Once the RA validates the request, it sends it to the CA for final approval and certificate issuance. The RA does not issue certificates but plays a key role in the identity verification process.

  • Digital Certificates :

    A digital certificate is an electronic document that binds a public key to an identity (e.g., an individual, organization, or device). It contains the public key, the identity of the certificate holder, and the CA’s signature confirming its authenticity. X.509 certificates are the most common format for digital certificates. Key fields of a digital certificate include the public key (associated with the user or entity), the subject (owner's identity, e.g., domain, email, or organizational entity), the issuer (Certificate Authority), the serial number (a unique identifier for the certificate), the expiration date (certificate validity period), and the digital signature (the CA's signature confirming the certificate's authenticity).

  • Key Management :

    PKI systems must ensure proper key storage, revocation, and renewal processes. This includes handling certificate expiration and managing compromised keys. Key storage is typically done using secure hardware modules, such as Hardware Security Modules (HSMs), or software-based solutions like key vaults.

Use Case of PKI : SSL/TLS Certificates -
  • Server & Client Interaction : A client (web browser) connects to a web server via HTTPS. The server presents its SSL/TLS certificate, which contains its public key.
  • Certificate Validation : The client’s browser checks if the certificate is valid (signed by a trusted CA, not expired, and not revoked). If valid, a secure communication channel is established by encrypting data using the server’s public key.
  • Secure Communication : The data exchanged between the client and the server is encrypted using a symmetric session key, and the public/private key pair is used for the initial secure key exchange.
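
The signing and verification steps from the Digital Signature section, and the certificate checks listed above (signed by a trusted CA, not expired, not revoked), can be traced in a toy model. The following is an added example, not part of the original notes: it uses textbook RSA without padding and keys built from known Mersenne primes, so it is for study only and is not a usable signature scheme; the `Certificate` class, CA name, subject and serial number are constructed assumptions and do not follow the X.509 encoding.

```python
# Added example: toy hash-then-sign RSA and a certificate check built on it.
# NOT secure: no padding, and the keys come from well-known Mersenne primes.
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

E = 65537  # public exponent


def toy_keypair(p, q):
    """Return (public, private) as (n, e) and (n, d) for primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return (n, E), (n, d)


# Constructed demo keys (Mersenne primes are trivially factorable).
CA_PUB, CA_PRIV = toy_keypair(2**521 - 1, 2**607 - 1)
SERVER_PUB, SERVER_PRIV = toy_keypair(2**607 - 1, 2**1279 - 1)


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    """Signing: hash the data, then transform the hash with the private key."""
    n, d = private_key
    return pow(digest_int(data), d, n)


def verify(public_key, data, signature):
    """Verification: recover the hash with the public key and compare."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    issuer: str
    public_key: tuple
    not_before: datetime
    not_after: datetime
    signature: int = 0

    def signed_bytes(self):
        """Every field except the signature is covered by the CA signature."""
        fields = [self.serial, self.subject, self.issuer, *self.public_key,
                  self.not_before.isoformat(), self.not_after.isoformat()]
        return "|".join(str(f) for f in fields).encode()


def issue(ca_name, ca_private, serial, subject, public_key, start, days):
    """CA side: bind subject and public key, then sign the binding."""
    cert = Certificate(serial, subject, ca_name, public_key,
                       start, start + timedelta(days=days))
    return replace(cert, signature=sign(ca_private, cert.signed_bytes()))


def validate(cert, trusted_cas, revoked_serials, now):
    """Client side: the three checks named in the text, in order."""
    ca_public = trusted_cas.get(cert.issuer)
    if ca_public is None:
        return "untrusted issuer"
    if not verify(ca_public, cert.signed_bytes(), cert.signature):
        return "bad signature"
    if not cert.not_before <= now <= cert.not_after:
        return "expired or not yet valid"
    if cert.serial in revoked_serials:
        return "revoked"
    return "valid"


def demo():
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    now = issued + timedelta(days=30)
    trusted = {"Example Root CA": CA_PUB}
    cert = issue("Example Root CA", CA_PRIV, 1001, "www.example.test",
                 SERVER_PUB, issued, 90)
    altered = replace(cert, subject="login.example.test")  # changed after signing
    message = b"key exchange parameters"
    sig = sign(SERVER_PRIV, message)
    return {
        "valid": validate(cert, trusted, set(), now),
        "altered": validate(altered, trusted, set(), now),
        "expired": validate(cert, trusted, set(), issued + timedelta(days=91)),
        "revoked": validate(cert, trusted, {1001}, now),
        "unknown_ca": validate(cert, {}, set(), now),
        "message_ok": verify(cert.public_key, message, sig),
        "message_tampered": verify(cert.public_key, message + b"!", sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```
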

# Security Operations

SecOps (Security Operations) is a crucial discipline in cybersecurity that focuses on the integration of security practices and IT operations to ensure the continuous protection, monitoring, and management of an organization's infrastructure, networks, and data.

Logging and Monitoring :

Logging refers to the practice of recording detailed information about events, processes, and actions that occur within a system or network.

  • These records, called logs, provide a history of events and activities that can be used for troubleshooting, performance monitoring, security auditing, and incident response.
  • A log contains information such as user IDs, system activities, dates and times of key events, device and location identity, system and resource access attempts, system configurations, network traffic, and a history of events.
  • A log should be stored separately from the system where it is generated.

Security Information and Event Management :

Security Information and Event Management (SIEM) is a system or tool used to provide real-time monitoring, analysis, and response to security threats across an organization's IT infrastructure.

  • SIEM tools collect, aggregate, and analyze data from various sources, such as security logs, network traffic, and endpoint devices, to detect potential security incidents, vulnerabilities, or breaches.
  • Characteristics of SIEM are log management, event correlation, and real-time monitoring; incident detection and alerts; reporting and compliance; and forensics and analysis.
  • Logs are the raw data generated by systems and provide detailed records of activities. SIEM is a tool that aggregates, normalizes, and analyzes these logs in real time to detect security threats, providing more advanced insights, automation, and compliance reporting.
  • While logs provide the foundational data, SIEM platforms use that data to enhance security monitoring and response, making SIEM an essential tool for managing and interpreting logs in the context of cybersecurity.
  • Example: Splunk, a popular SIEM platform that helps organizations monitor, analyze, and respond to security events and incidents.
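
The aggregate, normalize and correlate steps described above can be shown on a handful of log lines. The following is an added example, not part of the original notes and not how any particular SIEM product is implemented; both log formats, the host names, the field names and the threshold of three failures in five minutes are constructed assumptions.

```python
# Added example: normalizing two log formats and correlating login events.
# Log formats, hosts, addresses and thresholds are constructed for the demo.
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOGS = [  # constructed sample input from three sources
    "2024-05-01T09:00:01Z host=web01 app=sshd event=login_failed user=root src=198.51.100.23",
    '{"ts": "2024-05-01T09:00:05Z", "device": "vpn01", "result": "deny", '
    '"account": "admin", "client_ip": "198.51.100.23"}',
    "2024-05-01T09:00:09Z host=web01 app=sshd event=login_failed user=admin src=198.51.100.23",
    "-- log rotated --",
    "2024-05-01T09:00:30Z host=db01 app=sshd event=login_failed user=alice src=10.20.3.4",
    "2024-05-01T09:00:40Z host=db01 app=sshd event=login_ok user=alice src=10.20.3.4",
    '{"ts": "2024-05-01T09:01:10Z", "device": "vpn01", "result": "allow", '
    '"account": "admin", "client_ip": "198.51.100.23"}',
]

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def normalize(line):
    """Map either source format to one common event dict, or None if unparsable."""
    line = line.strip()
    try:
        if line.startswith("{"):  # JSON records from the VPN gateway
            raw = json.loads(line)
            event = "login_ok" if raw["result"] == "allow" else "login_failed"
            return {"time": datetime.strptime(raw["ts"], TIME_FORMAT),
                    "host": raw["device"], "event": event,
                    "user": raw["account"], "src": raw["client_ip"]}
        stamp, rest = line.split(" ", 1)  # key=value records from hosts
        fields = dict(pair.split("=", 1) for pair in rest.split())
        return {"time": datetime.strptime(stamp, TIME_FORMAT),
                "host": fields["host"], "event": fields["event"],
                "user": fields["user"], "src": fields["src"]}
    except (ValueError, KeyError):
        return None  # malformed line: skip it rather than stop the pipeline


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert on repeated failures per source, and on a success that follows them."""
    failures = defaultdict(deque)  # source address -> recent failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        recent = failures[ev["src"]]
        while recent and ev["time"] - recent[0]["time"] > window:
            recent.popleft()  # drop failures that fell out of the window
        if ev["event"] == "login_failed":
            recent.append(ev)
            if len(recent) == threshold:
                alerts.append({"rule": "repeated_failures", "src": ev["src"],
                               "hosts": sorted({e["host"] for e in recent}),
                               "time": ev["time"]})
        elif ev["event"] == "login_ok" and len(recent) >= threshold:
            alerts.append({"rule": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "host": ev["host"],
                           "time": ev["time"]})
            recent.clear()
    return alerts


def run_pipeline(lines):
    events = [ev for ev in map(normalize, lines) if ev is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(alert)
```

The single failed login followed by a success for `alice` produces no alert, while the failures spread across `web01` and `vpn01` are only visible as one pattern after both sources are normalized.
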
Intrusion Detection Systems :

Intrusion Detection Systems (IDS) are security tools designed to detect unauthorized access or anomalies in a network or system. IDS monitors and analyzes network traffic, system activity, and user behavior to identify potential security breaches, such as cyberattacks or data theft, and alerts administrators to take action. IDS automate the inspection of logs and real-time system events to detect intrusion attempts and system failures.

Types of IDS -
  • Network-based IDS (NIDS) : A NIDS monitors network traffic for suspicious activity. It is placed at strategic points within the network (e.g., between the internal network and the internet). It detects external attacks like denial-of-service (DoS) and port scanning.
  • Host-based IDS (HIDS) : A HIDS monitors activity on individual devices or hosts (servers, computers). It is installed on the host device, where it monitors file integrity, system calls, and application logs. It detects internal threats and activities like unauthorized access to files and malicious changes to system configurations.

Intrusion Prevention Systems :

An Intrusion Prevention System (IPS) is a network security device that monitors network and/or system activities for malicious activity. IPS is placed in line with traffic and is more advanced than an Intrusion Detection System (IDS). IPS not only detects but also automatically blocks or prevents the detected threats in real time to prevent unauthorized access or attacks on computer systems and networks. Since IPSs are more effective at preventing network-based attacks, their function is integrated into firewalls.

Types of IPS -
  • Network-based IPS (NIPS) : These are deployed at key points in the network (e.g., network perimeter) to monitor and protect the entire network.
  • Host-based IPS (HIPS) : Installed on individual devices or hosts, HIPS protect against threats targeting a specific machine, such as a server or endpoint.
  • Wireless IPS (WIPS) : A specialized IPS designed to protect wireless networks from unauthorized access or attacks.

Firewalls :

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and untrusted external networks, such as the internet. These rules can be configured to permit or deny traffic based on factors such as IP address, port number, protocol, or specific applications. Firewalls can be hardware devices, software programs, or a combination of both. Firewalls use a variety of techniques to control and monitor network traffic, including packet filtering, stateful inspection, and application-level filtering. It blocks unauthorized access and filters out malicious traffic.

Types of Firewall -
  • Network-based Firewall : A network firewall is a device that protects an entire network from unauthorized access and attacks. Network firewalls can be hardware or software based and are typically installed at the perimeter of a network to block unauthorized access from the internet.
  • Host-based Firewall : A host-based firewall is a firewall that protects an individual computer from unauthorized access and attacks. Host-based firewalls are typically software-based and are installed on individual computers to control access to network resources and block unauthorized traffic.

Honeypots :

A honeypot is a security resource or system set up to attract and deceive attackers, making it appear as though it's a vulnerable or valuable target. The purpose of a honeypot is not to serve a legitimate function but to lure cybercriminals into interacting with it so that their actions can be monitored and analyzed. This helps cybersecurity professionals gather intelligence on attackers' tactics, techniques, and procedures (TTPs), as well as distract attackers from real, critical systems.

# Attacks

Attacks refer to any deliberate action or attempt to compromise the confidentiality, integrity, or availability of systems, networks, or data, with the intention of altering, stealing, destroying, or exposing information. These attacks can be perpetrated by individuals, groups, or even nation-states. The goal of a cyberattack can range from stealing sensitive information to disrupting the functioning of a system or causing financial, operational, or reputational harm.

Types of Attacks -
Social Engineering :

Social engineering attacks involve manipulating or deceiving individuals into divulging confidential or personal information, typically to gain unauthorized access to systems, data, or financial resources. Unlike technical hacking methods that exploit vulnerabilities in software or hardware, social engineering targets the human element of security, exploiting psychological tendencies and trust. Social engineering techniques include phishing, baiting, tailgating (or piggybacking), and pretexting.

  • Phishing : Attackers impersonate legitimate organizations or individuals to trick people into revealing sensitive information, such as passwords, credit card numbers, or personal details. This is typically done through fraudulent emails, websites, or messages that appear to be from trusted sources, such as banks, online services, or social media platforms.
  • Pretexting : The attacker creates a fabricated story or pretext to obtain confidential information from a target. The attacker often impersonates someone the victim knows or trusts, such as a coworker, authority figure, or official.
  • Baiting : Baiting involves offering something enticing to the victim to lure them into providing access to sensitive information, downloading malware, or performing an action that benefits the attacker.
  • Tailgating : Tailgating is a physical security breach in which an attacker follows an authorized person into a secure area without proper access or permission. The authorized person is typically unaware that they are allowing someone to enter the secure area.
  • Piggybacking : Piggybacking is similar to tailgating, but it typically involves an authorized person knowingly allowing the unauthorized person to enter a restricted area. The authorized individual is aware that they are allowing someone access and often gives their explicit consent.
  • Impersonation : Impersonation is when an attacker pretends to be someone else to gain access to sensitive information or physical locations.
  • Dumpster Diving : Dumpster diving involves sifting through trash or discarded items (such as paper documents, old hardware, or electronic devices) to find sensitive or valuable information. This could include things like passwords, account numbers, business records, or other confidential data.
  • Shoulder Surfing : Shoulder surfing involves observing someone’s screen or physical interactions, such as entering a password or PIN, to steal sensitive information. This can happen in public places or areas where people are not aware that someone is watching them.
  • Pharming : Pharming is a type of cyber attack where a user is redirected from a legitimate website to a malicious one, often without their knowledge. This is typically done by exploiting vulnerabilities in DNS or by infecting the user's computer with malware that modifies their hosts file.
  • Evil Twin : An Evil Twin attack is a type of wireless network attack where a malicious actor sets up a fake Wi-Fi access point that appears to be a legitimate, trusted network. The attacker’s fake access point mimics the SSID (network name) of a legitimate Wi-Fi network, often in a public space like an airport or hotel.

Phishing Attacks :

In phishing attacks, attackers impersonate legitimate organizations or individuals to trick people into revealing sensitive information, such as passwords, credit card numbers, or personal details. This is typically done through fraudulent emails, websites, or messages that appear to be from trusted sources, such as banks, online services, or social media platforms.

  • Spear Phishing : A targeted attempt to steal sensitive information using personalized fake communications (e.g., emails from seemingly trusted sources).
  • Whaling : A specific type of spear phishing that targets high-profile individuals, such as executives or government officials.
  • Vishing (Voice Phishing) : Attackers use phone calls or voice messages to impersonate legitimate entities and extract sensitive information over the phone.
  • Smishing (SMS Phishing) : Phishing attempts through text messages to deceive users into revealing personal information.

Eavesdropping (Sniffing) :

Eavesdropping is the act of secretly intercepting and listening to private communications or data transmissions without the consent of the involved parties. It is often done to gather sensitive information, such as personal details, passwords, credit card numbers, or confidential business data. To prevent eavesdropping, encryption should be used for sensitive communications, and VPNs should be used to secure data over public networks.

DNS Spoofing :

DNS Spoofing (also known as DNS Cache Poisoning) is an attack in which an attacker manipulates the Domain Name System (DNS) records to redirect or intercept users' web traffic. In a DNS spoofing attack, the attacker provides false DNS responses to a victim, causing the victim’s system to trust the malicious data. This can lead the victim to be redirected to malicious websites or servers, even though the domain name they entered was legitimate. To mitigate, use secure DNS servers, cache hygiene (regularly clearing DNS caches), and encryption.

Malware Attacks :

A malware attack refers to the process by which a malicious actor or software spreads or executes malware on a target system or network. Malware, short for malicious software, is any program or code designed to harm, exploit, or compromise the functionality of a computer, network, or device. Malware can lead to data theft, system damage, or a complete system takeover. Common types of malware include viruses, worms, trojans, ransomware, and spyware.

  • Viruses : A virus is a piece of malicious software or code that attaches itself to a program or file. It is designed to spread from one computer to another when the infected files are shared or opened, and it works by altering, overwriting, or deleting files once it infects a system. A virus often disrupts system operations.
  • Worms : Standalone programs that replicate themselves and spread across networks without requiring a host file. Unlike viruses, they can spread automatically without user intervention by exploiting vulnerabilities in networks.
  • Trojans : Malicious software disguised as legitimate programs to trick users into running it, often used to steal data or gain unauthorized access.
  • Backdoor : A type of malicious software or access point that enables attackers to bypass normal authentication methods and gain unauthorized remote access to a system. Often disguised as legitimate software, backdoors are typically installed by Trojans and provide attackers with persistent control over the compromised system.
  • Ransomware : Software that encrypts a victim’s data and demands a ransom payment in exchange for the decryption key.
  • Spyware : Software that secretly monitors and collects information about users and their devices without their knowledge.
  • Adware : Software that automatically displays or downloads unwanted advertisements and often tracks user behavior.
  • Keylogger : A keylogger is a type of software or hardware designed to secretly record the keystrokes on a computer or other devices. The purpose of a keylogger is to capture and monitor all typed data without the user’s knowledge or consent. This includes everything from usernames, passwords, credit card numbers, messages, and other sensitive information. Keyloggers can operate in the background, invisible to the user, and may send the captured data back to the attacker or store it locally for later retrieval.
  • Rootkit : A rootkit is malicious software designed to gain unauthorized access to a system or network and hide its presence. It allows attackers to maintain privileged control (root access) over the system while remaining undetected, often by manipulating system processes or logs. Rootkits operate at a low system level, such as the kernel or firmware, making them difficult to detect with standard security software. Detecting and removing rootkits typically requires specialized tools or a complete system reformat.
  • Botnet : A botnet is a network of infected computers or devices, known as "bots" or "zombies," that are controlled remotely by an attacker, often without the knowledge of the device's owner. These devices are typically compromised by malware and can be used for a variety of malicious purposes, including Distributed Denial-of-Service (DDoS) attacks, spamming (sending large volumes of unsolicited emails), data theft, and mining cryptocurrency.

Password Attacks :

Passwords are often the primary means of authenticating users, and if compromised, they can provide access to sensitive data, systems, and resources.

  • Brute Force Attack : In a brute-force attack, the attacker systematically tries every possible combination of characters until the correct password is found. This method involves testing all possible combinations of letters, numbers, and symbols, making it time-consuming but effective if the password is weak or simple. Countermeasures include using long and complex passwords, implementing account lockouts after multiple failed attempts, and enabling multi-factor authentication (MFA).
  • Dictionary Attack : A dictionary attack involves using a dictionary, i.e., a prearranged list of common words, phrases, and frequently used passwords, to guess a password. The attacker typically uses a list of words from the dictionary, variations of common passwords, or leaked password lists. Countermeasures include using passwords that are not based on common words or dictionary phrases and enabling multi-factor authentication (MFA).
  • Rainbow Table Attack : Rainbow tables are precomputed tables used to reverse cryptographic hash functions, converting hashed passwords back into plaintext. Attackers use precompiled tables of hash values corresponding to common passwords and attempt to match them with the hashes stored in a database. Countermeasures include using salting (adding random data) when storing passwords and employing strong cryptographic hashing algorithms like bcrypt.
  • Credential Stuffing : Credential stuffing attacks use previously stolen username and password combinations (often from data breaches) to gain unauthorized access to multiple systems. Attackers automate the process of trying stolen credentials on various websites or services. If users reuse passwords across multiple sites, attackers can gain access to accounts on those platforms. Countermeasures include never reusing passwords across different accounts, enabling MFA, and using password managers to generate and store unique passwords.
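
The salting countermeasure from the rainbow table item, as an added example that is not part of the original notes. It assumes PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt (bcrypt is a third-party package), and a small constructed lookup table standing in for a real rainbow table.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor; an assumed value for this example

def unsalted_sha256(password: str) -> str:
    """Weak scheme: the same password always produces the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed stand-in for a rainbow table: hashes computed once, reused forever.
COMMON_PASSWORDS = ["123456", "password", "qwerty"]
PRECOMPUTED = {unsalted_sha256(p): p for p in COMMON_PASSWORDS}

def table_lookup(hash_hex: str):
    """Return the plaintext if the hash is in the precomputed table, else None."""
    return PRECOMPUTED.get(hash_hex)

def hash_password(password: str) -> str:
    """Store as 'iterations$salt$hash' with a fresh 16-byte random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))

if __name__ == "__main__":
    weak = unsalted_sha256("password")
    strong = hash_password("password")
    print("unsalted hash found in table:", table_lookup(weak))
    print("salted hash found in table:  ", table_lookup(strong.split("$")[2]))
    print("correct password verifies:   ", verify_password("password", strong))
```

Two users who pick the same password get different stored values, so a table computed once cannot be reused across accounts.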

MitM Attack :

A Man-in-the-Middle (MitM) attack is a type of cyberattack where an attacker intercepts and potentially alters communication between two parties without their knowledge. The attacker positions themselves between the sender and the receiver, allowing them to eavesdrop on the conversation or modify the data being transmitted. This can occur in unsecured communication channels, like public Wi-Fi networks.

Denial-of-Service Attack :

In a Denial-of-Service (DoS) attack, an attacker attempts to disrupt the normal functioning of a target system, service, or network by overwhelming it with a flood of traffic or requests. The goal is to make the targeted system unavailable to its users, effectively denying access to legitimate users. DoS attacks can result in downtime for websites, services, or networks, causing significant disruptions, financial losses, or reputational damage.

  • DoS (Denial of Service) : In a traditional DoS attack, a single source or machine sends a massive volume of traffic to the target system, overwhelming its resources (such as bandwidth, memory, or CPU), causing the system to slow down or crash.
  • DDoS (Distributed Denial of Service) : In a DDoS attack, the attacker uses multiple machines or devices (often part of a botnet) to flood the target system with traffic, making the attack more difficult to stop because it comes from many different sources.

Privilege Escalation :

Privilege escalation is a type of security vulnerability or attack where an attacker gains elevated access to resources or functions that they would normally not be able to access. This occurs when a user, application, or process is granted higher privileges (e.g., admin or root rights) than intended.

  • Vertical Privilege Escalation (or Privilege Elevation) : This occurs when a user gains higher privileges, such as a regular user gaining administrative (root) access. For example, a standard user may exploit a vulnerability to gain administrator rights and perform actions that are normally restricted.
  • Horizontal Privilege Escalation : This happens when an attacker gains access to another user's resources or data, but without increasing their own privileges. In this case, they can access or modify data that belongs to a different user with similar or equal privilege levels.

Advanced Persistent Threat (APT) :

An Advanced Persistent Threat (APT) is a type of cyberattack where an unauthorized user gains prolonged and covert access to a network to steal data or surveil activity. These attacks are typically orchestrated by well-funded and highly skilled threat actors, often linked to nation-states or organized crime groups.

# Vulnerabilities

A vulnerability is a weakness in an information system, security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Types of Vulnerabilities -

Remote Code Execution (RCE) :

Remote Code Execution (RCE) is a critical security vulnerability that allows an attacker to run arbitrary code on a remote system, usually the server, without authorization. RCE occurs when an application or system takes user input and either executes it as code or passes it to a vulnerable component (e.g., shell, interpreter) without proper validation. This allows attackers to send specially crafted data that executes commands, installs malware, or takes control of the system. Consequences of RCE include full server compromise, data theft or loss, and lateral movement within a network. A well-known RCE example is Log4Shell (Apache Log4j).

Injection :

An injection vulnerability is a security flaw that allows an attacker to inject malicious input into a program, causing it to interpret that input as code or commands instead of plain data. Applications often interact with databases, operating systems, web services, or interpreters using user-provided input. If the application fails to properly validate or escape this input, attackers can "inject" special code that the system mistakenly executes. Types of Injection:

  • SQL Injection: Targets databases by injecting SQL commands.
  • Command Injection: Targets the operating system, allowing execution of arbitrary system commands.
  • XXE (XML External Entity): Targets XML parsers by injecting external entities to access files, perform SSRF, or cause DoS.
  • XML Injection / XPath Injection: Targets XML parsers or XPath engines, manipulating XML data or queries.
  • LDAP Injection: Targets LDAP directories, altering directory queries or bypassing authentication.

Insecure Deserialization :

Insecure deserialization is a vulnerability that occurs when an application deserializes untrusted or tampered data without proper validation, allowing an attacker to manipulate the serialized object in a way that leads to unintended behavior such as remote code execution (RCE), privilege escalation, authentication bypass, or denial of service (DoS). Serialization is the process of converting an object (such as a Python dictionary or a Java object) into a format that can be stored or transmitted, like JSON, XML, or binary. Deserialization is the reverse process, where the data is converted back into its original object form.

Server-Side Request Forgery (SSRF) :

Server-Side Request Forgery (SSRF) is a web vulnerability that occurs when an attacker is able to make the server send HTTP (or other protocol) requests to an unintended destination, typically due to insecure handling of user-supplied URLs or input. In SSRF, the attacker tricks the server into making a request to a target that the attacker cannot reach directly. This is possible when an application fetches data from a URL provided by the user — for example, downloading a file, accessing an image, or connecting to a webhook — without validating or restricting the destination. Prevent SSRF by restricting allowed domains/IPs, blocking internal metadata endpoints, using firewalls or network segmentation, validating user input, and limiting server response data exposure.

Broken Access Control (BAC) :

Broken Access Control is a security vulnerability that occurs when an application fails to properly enforce restrictions on what authenticated users are allowed to do, enabling attackers to gain unauthorized access to resources or perform actions outside their intended permissions. Access control defines who can perform specific actions within an application. When these rules are poorly implemented or entirely missing, it can allow malicious users to access other users' data, perform admin-level actions without proper authorization, or modify and delete records they should not have access to. Examples of Broken Access Control include Insecure Direct Object References (IDOR), where attackers modify user IDs in URLs to access unauthorized accounts; missing role checks that let regular users access admin functions; forced browsing to hidden, privileged endpoints; and relying on frontend restrictions without backend enforcement, allowing attackers to send unauthorized requests manually.

Broken Authentication :

Broken Authentication is a security vulnerability where an application’s authentication mechanisms are improperly implemented, allowing attackers to compromise user accounts, bypass authentication, or impersonate other users. Common causes include weak, predictable, or default passwords; poor session management (e.g., session IDs not rotated or invalidated on logout); credential stuffing attacks due to reused passwords; insecure password recovery or reset processes; exposing authentication tokens in URLs or logs; and failure to enforce multi-factor authentication (MFA) where appropriate. Consequences of broken authentication can include account takeover, data theft or unauthorized access, privilege escalation if administrative accounts are compromised, and fraud or identity theft.

Sensitive Data Exposure :

Sensitive Data Exposure is a security vulnerability that occurs when an application inadvertently exposes confidential or personal information to unauthorized parties. This can happen through weak encryption, improper handling, or insecure transmission and storage of sensitive data such as passwords, credit card numbers, personal identification details, or health records. When sensitive data is exposed, attackers can steal or manipulate it, leading to identity theft, financial loss, or privacy violations. Protecting sensitive data requires strong encryption, secure transmission protocols (like HTTPS), proper access controls, and careful data handling practices throughout the application lifecycle.

Security Misconfiguration :

Security Misconfiguration is a common vulnerability that occurs when security settings in an application, server, or platform are incorrectly configured or left at insecure defaults. This can expose the system to attacks by making it easier for attackers to exploit weaknesses, access sensitive data, or take control of the environment. Examples of security misconfiguration include leaving default passwords or keys unchanged, enabling unnecessary features, services, or ports, exposing sensitive information through debugging or error messages, and using insecure HTTP headers or outdated software versions.

Cross-Site Scripting (XSS) :

Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. These scripts are typically written in JavaScript and can be used to manipulate content, steal sensitive information such as cookies and session tokens, hijack user sessions, deface websites, redirect users to malicious sites, or perform actions on behalf of the user without their consent. XSS occurs when an application takes untrusted input—like form fields, URLs, or comments—and renders it in a web page without proper sanitization or escaping, allowing the attacker’s script to execute in the victim’s browser. To prevent XSS, output should be escaped based on its context (HTML, JavaScript, URL), input should be sanitized using libraries like DOMPurify, and a Content Security Policy (CSP) should be implemented to restrict script execution. Unsafe DOM methods like innerHTML should be avoided, and modern frameworks such as React or Angular, which automatically handle output encoding, should be used. Types of XSS:

  • Stored XSS (Persistent): The malicious script is stored on the server (e.g., in comments or user profiles) and served to users later.
  • Reflected XSS: The script is embedded in a URL or request and immediately reflected in the response, often in error messages or search results.
  • DOM-based XSS: The vulnerability exists in client-side JavaScript that processes data from the browser without proper sanitization.

Cross-Site Request Forgery (CSRF) :

Cross-Site Request Forgery (CSRF) is a security vulnerability where an attacker tricks a logged-in user into unknowingly submitting unwanted actions on a web application. This works because the user’s browser automatically includes their authentication credentials (like cookies) when making requests to a trusted site, so the server processes the forged requests as if they were legitimate actions from the user. Prevent CSRF by using anti-CSRF tokens in forms and requests, requiring re-authentication for sensitive actions, setting the SameSite cookie attribute to restrict cross-site cookie sending, and verifying the request source through Referer or Origin headers.

SQL Injection :

SQL Injection (SQLi) is a type of cyberattack in which an attacker exploits vulnerabilities in an application by inserting malicious SQL (Structured Query Language) code into input fields. This can allow the attacker to manipulate the database—viewing, modifying, or deleting data they should not have access to. Most web applications interact with databases using SQL queries, and if user input is not properly validated or sanitized, attackers can craft input that alters the intended SQL query. SQL Injection enables attackers to bypass authentication, access and steal sensitive data, modify or delete records, execute administrative tasks, extract entire databases, and potentially take control of the server. To prevent SQL Injection, use prepared statements (parameterized queries) to ensure user input is treated as data, not code. Validate and sanitize all inputs through input validation and escaping. Follow the principle of least privilege by restricting database permissions. Utilize ORM frameworks, which often include built-in SQLi protection, and deploy web application firewalls (WAFs) as an additional defense layer. Types of SQLi:

  • In-Band SQLi: Attacker injects SQL and immediately sees results in the application’s response (e.g., input ' OR '1'='1 alters the query to always return true, bypassing authentication).
    • Error-Based: Attacker causes database errors to gain information from error messages (e.g., injecting ' UNION SELECT NULL, version() -- reveals the database version through an error).
    • Union-Based: Attacker uses the SQL UNION operator to combine results from the original query with malicious query results, retrieving data directly (e.g., ' UNION SELECT username, password FROM users -- appends user data to the query output).
  • Blind SQLi: No direct output; attacker infers data by observing application behavior (e.g., using true/false queries to check if the first letter of username is ‘A’, with different page responses).
    • Boolean-Based: Uses conditional queries causing different responses based on true/false evaluation (e.g., username = 'admin' AND 1=1 returns a normal page, while username = 'admin' AND 1=0 causes an error or different behavior).
    • Time-Based: Uses delays to determine if conditions are true by measuring server response times (e.g., query causes a 5-second delay if the first password character is ‘a’).
  • Out-of-Band SQLi: When direct or blind injection isn’t possible, attacker uses external channels like DNS or HTTP requests to receive data (e.g., database triggers a DNS lookup to attacker’s server, leaking data externally).