Cybersecurity Essentials: Concepts & Best Practices
Posted on Aug 27, 2025 in Mathematics and Computer Science
Vulnerability & Patch Management
(Domain 4 Concepts)
Common Vulnerability Scoring System (CVSS)
- Rates vulnerabilities on a scale of 0-10 for severity.
Exploit vs. Zero-Day
- Exploit: A known attack method (code or technique) that takes advantage of a specific vulnerability.
- Zero-Day: A vulnerability for which no patch is available yet, so it can be exploited before the vendor has shipped a fix.
Remediation vs. Mitigation
- Remediation: Completely fixing a vulnerability.
- Mitigation: Applying temporary protections while awaiting a full fix.
Common Scanning Tools
- Nessus / OpenVAS: Identify known vulnerabilities.
- Nikto: Scans web servers for misconfigurations & outdated software.
- Burp Suite: Tests web applications for security flaws.
Patch Management Phases
- Testing: Validate updates in a non-production environment.
- Deployment: Push patches to live systems.
- Verification: Confirm patches applied successfully & monitor post-patch performance.
Access Controls & Authentication
Access Control Models
| Model | How It Works | Example |
|---|---|---|
| MAC (Mandatory Access Control) | Permissions strictly enforced by system-wide security policies, not by resource owners | Military / classified data |
| DAC (Discretionary Access Control) | Users control permissions on the resources they own | Windows file sharing |
| RBAC (Role-Based Access Control) | Permissions are assigned to roles, and users inherit them through role membership | Admin vs. standard user |
| ABAC (Attribute-Based Access Control) | Policies evaluate attributes (time, location, device posture) at access time | Dynamic cloud security |
Multi-Factor Authentication (MFA) Factors
- Requires two or more different types (factors) of authentication:
  - Something You Know: Password, PIN
  - Something You Have: Smart card, token
  - Something You Are: Biometrics (fingerprint, face recognition)
Incident Response & Digital Forensics
Incident Response Phases
- Preparation: Develop security policies, train employees, configure logging.
- Detection & Analysis: Identify signs of compromise using logs, alerts, & SIEM tools.
- Containment: Limit the attack’s spread (disconnect infected systems, revoke credentials).
- Eradication: Remove malicious software, patch vulnerabilities, harden security.
- Recovery: Restore systems, verify security integrity, monitor for reinfection.
- Lessons Learned: Analyze root cause & improve security policies.
Digital Forensics & Evidence Handling
Order of Volatility (Forensic Data Collection)
| Data Type | Volatility Level | Examples |
|---|---|---|
| RAM & Active Network Sessions | Most Volatile | Process dumps, active connections |
| Temporary Files & Logs | Moderately Volatile | Web caches, application logs |
| Hard Disk Data | Less Volatile | Stored files, partitions |
| Archived & Backup Storage | Least Volatile | Long-term records, offsite backups |
Chain of Custody
- Document every step in handling forensic evidence to maintain integrity.
Hashing (MD5, SHA-256)
- Ensures integrity of forensic data: the hash recorded at acquisition is recomputed later to prove the evidence was not altered. MD5 is no longer collision-resistant, so SHA-256 is the preferred choice.
Networking Concepts & Security
Subnetting Cheat Sheet
| Prefix | Subnet Mask | Usable Hosts |
|---|---|---|
| /24 | 255.255.255.0 | 254 hosts |
| /26 | 255.255.255.192 | 62 hosts |
| /30 | 255.255.255.252 | 2 hosts (point-to-point) |
Subnetting Formula
2ⁿ – 2 = Usable Hosts, where n is the number of host bits (32 minus the prefix length); the two addresses subtracted are the network and broadcast addresses.
- Example: /27 → n = 32 – 27 = 5 → 2⁵ – 2 = 30 usable hosts
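The following is an added example, not part of the original notes: an IPv4 subnet calculator that derives the mask and usable-host count from a CIDR prefix and reproduces the cheat-sheet rows. It goes one step beyond the formula by handling /31 and /32, which 2ⁿ – 2 does not cover.

```python
# Added example (not part of the original notes): IPv4 subnet calculator.
# Derives the mask and usable-host count from a prefix length, and also
# handles the /31 and /32 edge cases that the 2**n - 2 formula does not.

def host_bits(prefix: int) -> int:
    """n in the notes' formula: host bits = 32 - prefix length (IPv4)."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    return 32 - prefix

def _to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def _to_str(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_int(prefix: int) -> int:
    """Top `prefix` bits set, the low host bits clear."""
    return (0xFFFFFFFF << host_bits(prefix)) & 0xFFFFFFFF

def subnet_mask(prefix: int) -> str:
    return _to_str(mask_int(prefix))

def usable_hosts(prefix: int) -> int:
    """2**n - 2: the all-zeros (network) and all-ones (broadcast) host
    addresses are reserved. /31 point-to-point links (RFC 3021) use both
    addresses, and /32 is a single host route."""
    if prefix == 32:
        return 1
    if prefix == 31:
        return 2
    return 2 ** host_bits(prefix) - 2

def network_and_broadcast(ip: str, prefix: int) -> tuple:
    """The two addresses the formula subtracts, for a host in that subnet."""
    net = _to_int(ip) & mask_int(prefix)
    bcast = net | (~mask_int(prefix) & 0xFFFFFFFF)
    return _to_str(net), _to_str(bcast)

if __name__ == "__main__":
    for p in (24, 26, 27, 30, 31):
        print(f"/{p:<3} {subnet_mask(p):<16} {usable_hosts(p)} usable hosts")
    print(network_and_broadcast("192.168.10.77", 26))
```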
Virtual Local Area Networks (VLANs)
- Isolate network segments to reduce attack surface.
- Prevent unauthorized access between departments (e.g., separate Finance & HR VLANs).
- Requires Layer 3 routing to allow communication between VLANs.
Network Security Controls
- ACLs (Access Control Lists): Restrict traffic based on IP addresses, ports, protocols.
- 802.1X Authentication: Port-based network access control that authenticates devices against a RADIUS server before they get onto the network.
- NAC (Network Access Control): Enforce endpoint security before granting access.
Common Attack Types
| Attack | How It Works | Defense |
|---|---|---|
| MITM (Man-in-the-Middle) | Attacker positions themselves between two parties and intercepts or alters their traffic | Encrypt and authenticate communications (TLS, VPN) |
| ARP Spoofing | Forged ARP replies poison the IP-to-MAC address mapping so traffic is redirected through the attacker | Enable Dynamic ARP Inspection (DAI) on switches |
| DNS Poisoning | Forged records in a resolver's cache send legitimate requests to malicious sites | Use DNSSEC to authenticate DNS responses |
Security Operations & Monitoring
(Includes concepts often challenging for exams)
SIEM & Log Analysis
- Security Information & Event Management (SIEM): Centralized log collection & threat correlation.
- Syslog: Standardized logging protocol for network devices.
- Event Correlation: Matching log entries to detect attack patterns.
- Log Retention Best Practices:
  - Store logs for 30–90 days for quick access.
  - Archive logs for a year or more based on compliance requirements.
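To make the "event correlation" bullet concrete, here is an added example (not part of the original notes): a minimal SIEM-style correlation rule run over constructed sshd auth-log lines. It assumes the traditional syslog line layout shown in the sample and fires when five failed logins from one source arrive within 60 seconds, escalating if a successful login from that source follows inside the window.

```python
# Added example (not from the original notes): a small correlation rule of
# the kind a SIEM runs. N failed SSH logins from one source IP inside a time
# window raise a brute-force alert; a success from that IP while the window
# is still hot escalates it to a likely compromise.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not real logs); classic syslog timestamps carry no year.
SAMPLE_LOG = """\
Aug 27 10:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 51122 ssh2
Aug 27 10:00:03 host1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
Aug 27 10:00:05 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51124 ssh2
Aug 27 10:00:07 host1 sshd[1204]: Failed password for root from 203.0.113.5 port 51125 ssh2
Aug 27 10:00:09 host1 sshd[1205]: Failed password for root from 203.0.113.5 port 51126 ssh2
Aug 27 10:00:12 host1 sshd[1206]: Accepted password for root from 203.0.113.5 port 51127 ssh2
Aug 27 10:05:30 host1 sshd[1301]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(line: str, year: int = 2025):
    """Return (timestamp, result, user, ip), or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def correlate(lines, threshold: int = 5, window_s: int = 60):
    """Return alerts as (ip, kind) tuples in detection order."""
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, result, _user, ip = ev
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # slide the window forward, dropping stale failures
        if result == "Failed":
            q.append(ts)
            if len(q) == threshold:  # fire once, when the threshold is crossed
                alerts.append((ip, "brute-force"))
        elif len(q) >= threshold:  # success right after a burst of failures
            alerts.append((ip, "success-after-brute-force"))
            q.clear()
    return alerts
```

Alice's lone successful login produces no alert because no failures from her source precede it; the same logic is what keeps such a rule from drowning analysts in false positives.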
Network-Based Threat Detection
NIDS vs HIDS (Network vs Host Intrusion Detection Systems)
- NIDS: Monitors traffic at a network level, detects anomalies.
- HIDS: Monitors events on individual devices, detects unauthorized changes.
False Positives vs. False Negatives
- False Positive: Security system detects a threat, but it’s not real.
- False Negative: Actual threat exists, but security system misses it.
Security Automation & Cloud Security
SOAR vs SIEM
- SIEM: Detects threats via log correlation.
- SOAR: Responds automatically with predefined security workflows.
Cloud Security Best Practices
- CASB (Cloud Access Security Broker): Monitors cloud usage & applies policies.
- Least Privilege Access: Restrict permissions to reduce security risks.
- Encryption at Rest & Transit: Protects cloud data from theft.