Lecture 1
Security-focused Dev Thought
Adversarial thinking required
Your code has an intelligent opponent
They have time, motivation, and creativity
They only need to win once
Thinking like an attacker
Physical manipulation of the mechanism (Can I pick the lock?)
Social engineering or theft (Can I copy someone else’s key?)
Exploiting trust relationships (Can I trick staff into giving me a key?)
Alternative attack vectors (Can I just climb through the window?)
Roadmap
Linux Foundations
Finding Information
CIA Triad
Risk and Controls
Threat Modelling
Kill Chain
Linux Foundations
Essential tools for security practitioners
Finding Information
Staying current in a rapidly evolving field
CIA Triad
The fundamental goals of cybersecurity
Risk and controls
Strategic approaches to managing threats
Threat Modeling
Systematic framework for security analysis
Kill Chain
Understanding the attacker's playbook
The operating system of security
Linux
Kali Linux
The industry-standard penetration testing distribution, pre-loaded with hundreds of security tools
Security Onion
Network security monitoring platform for intrusion detection, log management, and enterprise security monitoring
Cloud Infrastructure
Most cloud containers and servers run Linux variants, making command-line proficiency essential for cloud security
Analysis Sandboxes
Malware analysis environments rely on Linux for safe investigation and reverse engineering of threats
You need to find all failed login attempts in a 2GB log file to investigate a potential breach
GUI Approach
Command Line Approach
GUI Approach
Open file manager
Wait for file to load
Application crashes
Give up
Time wasted: 10+ minutes
Command line Approach
grep "Failed password" /var/log/auth.log > failed_logins.txt
Advantages of Command Line Approach
Automation at scale
Speed for larger datasets
Scriptable and repeatable
Low memory overhead
Works remotely over SSH
Essential Linux Commands: Navigation
pwd: print working directory
ls: list files and folders
cd /path/to/directory: change directory
ls *.log: show only log files
Essential Linux Commands: Reading Files
cat file.txt: dump entire file to screen
less file.txt: paginate with search
head -n 20: First 20 lines
tail -f: last lines, live updates
grep "error" file.txt: find specific lines
Every Linux file has permissions that control read, write, and execute access. Which command reveals these permissions?
ls -la
Three Linux permission types
Read: r
Write: w
Execute: x
Permission groups apply to?
Owner
Group
Others
Example output: -rwxr-xr-x
rwx: owner
r-x: Group
r-x: Others
Key commands
chmod: Change permissions
chown: Change ownership
sudo: Execute as superuser
Why are permissions security-critical?
Privilege escalation attacks frequently exploit incorrect file permissions
Common real-world failure?
Sensitive configuration file has world-readable permissions
Attacker reads database credentials
Lateral movement to database server
Game over
Network Commands
ip addr
ss -tulpn
curl
ping
ip addr
Network interfaces and IP addresses
ss -tulpn
Listening ports and associated processes
curl
Making web requests safely from CLI
ping
Testing network reachability
Linus’s Law
Given enough eyeballs, all bugs are shallow
Open source is safer because anyone can audit the code
Why can open source still be insecure?
Public code gives adversaries a roadmap. Malicious actors can study the source systematically to discover vulnerabilities before defenders
What is a patch gap?
Time between vulnerability disclosure and patch application
Advantages of open source
Fixes are published transparently, and the community can verify patches meet security standards
Disadvantages with open source
Everyone sees the vulnerability when it’s announced, creating a race between defenders patching and attackers exploiting
Average time to exploit
5.5 days after disclosure
Average time to patch
38 days
What does CVE stand for?
Common Vulnerabilities and Exposures
Purpose of CVE
A standard identifier for publicly known security flaws, used globally by vendors, researchers, and security tools.
CVE format
CVE-YEAR-NUMBER
Why does CVE matter operationally
Allows constant communication across organisations
Automated vulnerability scanning
Patch management tracking
Threat intelligence sharing
Compliance reporting
National Vulnerability Database
enriches CVE records with critical context and scoring
What does CVSS scoring measure?
Severity ratings from 0-10 using the Common Vulnerability Scoring System
Affected Software
Common Platform Enumeration strings identifying vulnerable products and versions
References
Links to vendor patches, advisories, and technical analysis
CVSS Severity Ranges
0.0-3.9: Low
4.0-6.9: Medium
7.0-8.9: High
9.0-10.0: Critical
Three Pillars of CIA Triad
Confidentiality
Integrity
Availability
Confidentiality
Only authorised parties can access information
Integrity
Data cannot be altered undetectably
Availability
Systems are accessible when needed
Confidentiality Controls
Encryption
Access Control Lists
Multi-Factor Authentication
Integrity Controls
Cryptographic Hashing
Digital Signatures
Write-Once Storage
Version Control
Availability Controls
Redundancy
Load Balancing
DDoS Mitigation
Rate Limiting
Offline Backups
CIA Triad Trade-offs
Confidentiality vs. Availability
Integrity vs. Availability
Confidentiality vs. Availability
Max confidentiality = air-gapped system
Result: not remotely available to legitimate users
Integrity vs. Availability
Blockchain
Result: slow write operations, reduced availability for high-throughput applications
Return to CVSS
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Impact: C/I/A
Attack Vector
Network scores highest: remotely exploitable
Adjacent, Local, Physical score progressively lower
Attack Complexity
Low: easy exploitation
High: requires special conditions beyond attacker control
Privileges Required
None: no authentication needed
Low/High: privileges required score lower
User Interaction
None: automatic exploitation
Required: victim must be tricked
Scope
Changed: affects resources beyond security scope
Unchanged: stays within boundaries
Impact: C/I/A
Confidentiality, Integrity, Availability rated None/Low/High based on data affected
Threat Modelling
Asset and Policy (what)
Adversary (who)
Mechanism (how)
Threat Model 1: Confidentiality
Threat: Network eavesdropper
Threat Model 2: Integrity
Malicious relay/server
Threat Model 3: Availability
DDoS attacker
Confidentiality: end-to-end encryption defense
Only sender and receiver can read messages
Integrity: Cryptographic signatures defense
Tampering detection
Availability: Scale and rate limiting defense
Automatic provision of additional server capacity during traffic spikes to maintain service levels
When security fails
When the mechanism can’t enforce the policy against the adversary
Failure Modes
Weak mechanism vs. advanced adversary
Overwhelmed Mechanism
Bypassed Mechanism
Risk Formula
Likelihood × Impact
Likelihood definition
Probability the threat occurs (0-100%)
Impact definition
Damage if it happens
What are the ways to handle risk?
Accept: risk is low enough to tolerate
Avoid: Don’t do the risky activity
Mitigate: Reduce likelihood or impact
Transfer: Insurance or outsource to third-party vendor
Types of Security Controls
Administrative control: Policies, procedures, training
Technical control: Software/hardware enforcement
Physical control: Locks, badges, cameras
Administrative Controls advantages
Low cost to implement
Administrative Controls Disadvantages
Relies on human compliance
Technical Controls Advantages
Consistent enforcement
Physical Controls Advantage
Effective against local threats
Physical Controls Disadvantage
No protection against remote attacks
Modern security Architectures
Defence in Depth
Zero Trust
Defence in depth principles
Don’t rely on a single defence
Zero Trust principles
No implicit trust based on location
Every request authenticated and authorised
Assume breach at all times
Least privilege access
Cyber kill chain
Models attacks as a sequence of stages, not isolated events
Breaking any stage will stop the attack
Helps prioritise defensive investments
Reveals dependencies in attacker workflows
Kill Chain Stages
Reconnaissance: Information gathering
Weaponisation: Crafting exploit
Delivery: Getting exploit to victim
Exploitation: Triggering vulnerability
Installation: Persistence
Command and control: Remote Control
Actions on Objectives: Data theft/damage
Key legal rule in security testing
Authorisation matters more than intent
Cybercrime penalties include
Fines and imprisonment
Responsible disclosure requires
Private reporting and time to patch
Professional Pentesting Rules
Required before testing: Written authorisation
During testing: Stay in scope, document everything
After testing: report responsibly and delete data