Study Guide: Part 1 – Foundations of Computer Security

Computer security protects systems and data from unauthorized access, alteration, or destruction. The CIA Triad summarizes its core goals: confidentiality, integrity, and availability.

Confidentiality: Only authorized users can access information. Related terms: - Privacy: control over personal information. - Anonymity: hiding identity. - Secrecy: concealing existence of information. - Exfiltration: unauthorized transfer of data out of a system.

Integrity: Ensures accuracy and trustworthiness of data and systems. Integrity includes data integrity (no unauthorized changes), origin integrity (verifying source), recipient integrity (ensuring correct destination), and system integrity (software/hardware functioning as intended). Authenticity is tied to integrity: verifying origin along with correctness.

Availability: Ensures systems and data are usable when needed.
Threats include DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks, hardware failures, and failed backups.

System Goals
Security systems aim at prevention, detection, and recovery. Prevention stops attacks, detection identifies them, and recovery restores systems after incidents. Forensics investigates what happened. Defense in Depth is a layered strategy that applies multiple overlapping defenses — technical, procedural, and sometimes physical. If one control fails, others still provide protection.

Policies, Mechanisms, and Assurance
- Policies: Define what is allowed.
- Mechanisms: Enforce policies.
- Technical mechanisms: include operating system controls and cryptography. - Procedural mechanisms: include audits, ID checks, and separation of duties. - Assurance: Confidence that policies and mechanisms are correctly implemented.

• A principal is an entity that can be uniquely identified and authenticated.
• A subject is the active process acting on behalf of a principal.
• All security depends on assumptions about users, environments, and trusted components.

Security Engineering and Risk Analysis
Security engineering balances cost, usability, and protection.
Risk analysis evaluates asset value, likelihood of attack, and potential costs. Tradeoffs matter: too much protection may reduce usability or become too costly.

Trusted Components and Boundaries - The Trusted Computing Base (TCB) is all the hardware, firmware, and software essential to enforcing security. - A trust boundary is where data passes between trusted and untrusted entities. - Supply chain security is critical: a trusted vendor can become an attack vector.

Human Factors People remain the weakest link. Weak passwords, poor training, and misaligned incentives undermine protection.
- Security theater: Measures that look protective but add little real security.
- Weakest link: Security is only as strong as the most vulnerable component.

Study Guide: Part 2 – Threats, Vulnerabilities, and Attacks

A vulnerability is a weakness in software, hardware, or configuration. Examples include buffer overflows, default passwords, and weak encryption. Hardware-level flaws include Spectre, Meltdown, and Rowhammer.

An exploit is a tool or technique that leverages a vulnerability. An attack is the execution of an exploit with malicious intent.

An attack vector is the pathway used to deliver an exploit, such as email, websites, USB drives, or open network ports. The attack surface is the total set of possible entry points.

Not all vulnerabilities are technical. Social engineering manipulates people into granting access or revealing information. Phishing, spear phishing, pretexting, and baiting are common techniques. (This will be explored in more detail later in the course.)

A threat is the possibility of an attack, and a threat actor is the adversary who may carry it out. One useful classification, described by Ross Anderson, distinguishes threats as disclosure (unauthorized access), deception (false data), disruption (interruptions), and usurpation (unauthorized control). Related concepts include snooping, modification, masquerading, repudiation, denial of receipt, and delay.

The threat matrix distinguishes between opportunistic vs. targeted attacks and unskilled vs. skilled attackers (from script kiddies to advanced persistent threats).

The Internet amplifies risk by enabling action at a distance, anonymity, asymmetric force, automation at scale, global reach, and lack of distinction between malicious and normal traffic.

A botnet is a network of compromised machines controlled via a command and control server, used for spam, phishing, cryptocurrency mining, credential stuffing, or DDoS attacks.

Study Guide: Part 3 – Adversaries and Cyber Warfare

Behind every attack is an adversary. Adversaries differ in their goals, risk tolerance, resources, and expertise.

Types include:

• Hackers:
  • White hats: defensive security researchers who find and report flaws.
  • Black hats: malicious attackers seeking profit or disruption.
  • Gray hats: operate in a legal or ethical gray zone, sometimes disclosing flaws responsibly and sometimes not.
• Criminal groups: organized gangs running fraud, ransomware, or “malware-as-a-service.”
• Malicious insiders: employees or contractors who abuse legitimate access.
• Hacktivists: politically or socially motivated attackers.
• Spies: industrial or state-backed espionage actors.
• Press or politicians: may try to obtain sensitive information to gain an advantage, but are usually risk-averse due to reputational or legal consequences.
• Police and law enforcement: have legal authority (e.g., warrants, evidence seizure), but can also overstep through illegal searches or surveillance.
• Nation-states: governments capable of long-term, well-funded operations.

Economic incentives sustain underground markets where exploits, botnets, and stolen data are sold. Zero-day vulnerabilities can fetch high prices in closed broker markets. By contrast, bug bounty programs reward researchers for legal disclosure.

Advanced Persistent Threats (APTs) are advanced in their methods, persistent in maintaining access, and threatening in their ability to bypass defenses. They are typically state-backed and operate over months or years with stealth and patience.

Cyber warfare involves state-sponsored attacks on critical infrastructure and military systems:

• Stuxnet (2010): demonstrated that malware could cross an air gap via USB drives and cause physical damage to Iranian nuclear centrifuges.
• Russia: used cyber operations against Ukraine, including power grid outages (2015–2016), NotPetya (2017), and WhisperGate plus satellite disruptions (2022).
• China: Volt Typhoon infiltrated U.S. critical infrastructure (2025); Salt Typhoon targeted global telecom and data center providers.
• Iran, Israel, and North Korea: engaged in disruptive or financially motivated campaigns, including espionage and theft.
• GPS spoofing: has disrupted aviation and shipping in conflict zones (2024).

Countermeasures include government and industry cooperation, international botnet takedowns, and intelligence sharing.

The implication is that cybersecurity affects all levels: national security, corporate security, and personal security. Cyber warfare blurs the line between peace and conflict. Attribution is difficult, and critical infrastructure, businesses, and individuals alike are potential targets.

Study Guide: Part 4 – Tracking Vulnerabilities and Risks

Why track vulnerabilities?
Early vulnerability reporting was inconsistent. The CVE system (1999) introduced standardized identifiers. CVSS added a way to score severity. Together, they form the backbone of how vulnerabilities are shared and prioritized.

CVE (Common Vulnerabilities and Exposures)

A unique identifier assigned to publicly disclosed vulnerabilities. Example: CVE-2021-44228 (Log4Shell).

CVSS (Common Vulnerability Scoring System)

A 0–10 scale for rating the severity of vulnerabilities, based on exploitability and impact. Scores are grouped into categories from Low to Critical.

Attribution challenges

Attackers obscure their origins, reuse tools, share infrastructure, and sometimes plant false flags. This makes it difficult to know with certainty who is behind an attack.

APT (Advanced Persistent Threat)

Well-funded, skilled groups (often state-backed) that carry out prolonged, targeted campaigns. Advanced = may use custom malware, zero-days, or sophisticated tradecraft; Persistent = long-term stealthy presence; Threat = ability to bypass defenses.

TTPs (Tactics, Techniques, and Procedures)

A framework for describing attacker behavior.

• Tactics: Broad objectives (e.g., gain initial access, exfiltrate data).
• Techniques: General methods (e.g., spear phishing, credential dumping).
• Procedures: Specific implementations (e.g., a malware family, a particular exploit tool).

TTPs are more reliable than adversary names because they describe what attackers do.