Cybersecurity Fundamentals Vocabulary

Cybersecurity Fundamentals

  • Discipline concerned with protecting the assets of computer/information systems.
  • Core questions this lecture answers:
    • What is cybersecurity and what are we trying to protect?
    • What kinds of harm are possible and how can we avoid it?
    • How do risk, threats, vulnerabilities, and controls fit together?
  • Foundational triad: Confidentiality, Integrity, Availability (C-I-A).
    • Frequently supplemented with Authentication & Non-repudiation.
  • Central, recurring idea: All security measures exist to reduce risk by protecting assets against threats that exploit vulnerabilities.

Assets: What Needs Protection?

  • Hardware
    • End-user computers (desktops, laptops, tablets, phones)
    • Medical devices, automobiles, industrial controllers, security systems
    • Household appliances (IoT), scientific equipment, tracking/location devices
  • Software / Network Resources
    • Operating systems, applications, network services
    • Access-control mechanisms, physical-access systems
    • Location services, network traffic, device identity, user actions
  • Data (most intangible, often highest value)
    • Conventional files (photos, music, databases)
    • Sensitive personal data: geolocation, activity logs, network identity
    • Access lists, payment information, monitoring/status reports

Glossary of Basic Terms

  • Vulnerability – Any weakness that can be exploited to cause harm.
    • Total collection of vulnerabilities often called the "attack surface".
  • Threat – Any circumstance or event with the potential to cause harm.
  • Attack – Realisation of a threat via exploitation of a vulnerability.
  • Countermeasure / Control – An action, device, or process that removes or reduces a vulnerability or otherwise mitigates a threat.

The C-I-A Triad & Extended Properties

  • Confidentiality
    • Limit access to data and to metadata to authorised entities only.
    • Distinguish between full vs. partial access.
    • Typical confidentiality breaches involve viewing or copying rather than modification.
    • Personally Identifiable Information (PII), intellectual-property documents, and national-security data are high-value targets.
  • Integrity
    • Ensure data remain accurate, complete, and uncorrupted.
    • All alterations must be authorised, intentional, and occur under controlled circumstances.
    • Historical failures: the Microsoft Word “\not” macro prank, 1990s Intel Pentium floating-point flaw.
    • Business examples: falsifying accounting or payroll values.
  • Availability
    • Information/system must be accessible when needed.
    • Extends into operations: backups, recovery strategies, RAID, cloud replication, redundant personnel/training, business-continuity & disaster-recovery (BC/DR) planning, uptime guarantees, handling “normal” hardware failures.
  • Authentication (often grouped with C-I-A)
    • Validation that an entity is who/what it claims to be.
  • Non-repudiation
    • Assurance that a party cannot deny an action it performed (e.g.
      digitally signed email).

Harm: What Can Go Wrong?

  • Negative consequence of an attack; magnitude depends on asset value.
  • Typical harms
    • Theft (identity, financial, intellectual property)
    • Loss of privacy or confidential info exposure
    • Destruction or loss of asset (data deletion, hardware damage)
    • Disruption of organisational operations, downtime, business loss
    • Reputational damage, loss of stakeholder trust

Risk Concept

  • Working definition: Risk = Likelihood \times Impact
    • Likelihood → probability that a threat will successfully exploit a vulnerability.
    • Impact → the quantified or qualified amount of harm that would result.
  • Components considered in risk analysis
    • Value of asset
    • Severity of harm
    • Cost & effectiveness of countermeasures
    • Possibility of transferring risk (e.g.
      cyber-insurance)
  • Practical issues
    • Hard to estimate asset value (some data are priceless).
    • Hard to quantify harm (especially reputational).
    • Difficult to enumerate all threats or to calculate their likelihood.

Threat Classification & Likelihood Biases

  • Non-human threats: natural disasters, hardware failure, fire, earthquake.
  • Human threats: accidental (spilled coffee, fat-finger data entry) or intentional (hackers, insiders, saboteurs).
    • Malicious vs. non-malicious.
    • Random (non-targeted) vs. directed (targeted).
  • Harm types specific to human threats (Parkerian variations):
    • Interception (unauthorised access)
    • Interruption (availability loss)
    • Modification (unauthorised change)
    • Fabrication (insertion of false data)
  • Cognitive bias note: People over-estimate rare catastrophic risks and under-estimate common mundane ones (e.g.
    fear of air crashes vs.
    complacency about automobile accidents).

Method–Opportunity–Motive (M-O-M) Triangle

  • A threat actor typically needs all three:
    1. Method – Skills/tools/techniques.
    2. Opportunity – Time & access.
    3. Motive – Reason/incentive (financial gain, ideology, thrill, revenge).
  • Controls often work by removing at least one side of the triangle.

Common Vulnerabilities (Partial List)

  • Untrained users; social-engineering susceptibility.
  • Insider sabotage/abuse.
  • Weak authentication/poor password practices.
  • Misconfiguration (default passwords, open ports).
  • Lack of physical security.
  • Inadequate network segmentation or traffic isolation.

Controls / Countermeasures: Overarching Categories

  • Preventive – Block threats from exploiting the vulnerability.
    • Firewalls, encryption, strong access controls, locked doors.
  • Detective – Identify or alert when exploitation occurs.
    • IDS/IPS, system logs, CCTV, audit trails.
  • Deterrent – Discourage attacker by increasing perceived cost/risk.
    • Policies, legal banners, user training, visible guards.
  • Corrective – Lessen impact after exploitation.
    • Backups, data recovery, fail-over clusters, BC/DR plans.
  • Expanded “5-D” security verbs
    1. Prevent (eliminate vulnerability)
    2. Deter (make attack harder/costlier)
    3. Deflect (lure to less valuable decoy, e.g.
      honeypot)
    4. Detect (discover the attack)
    5. Recover (restore operations/assets)

Physical Controls

  • Locks, security guards, mantraps, fences.
  • Environmental protections: fire suppression, earthquake bracing, sealed data-center floors.
  • Backup copies stored off-site or in the cloud.
  • Emphasis: attackers look for weakest point → even simple physical controls can be highly effective.

Technical Controls

  • Software (logical) controls
    • OS permissions, Role-Based Access Control (RBAC), Mandatory Access Control (MAC).
    • Password policies, Multi-Factor Authentication (MFA).
    • Cryptographic functions: encryption, hashing, digital signatures.
    • Dedicated security applications (anti-malware, EDR, DLP).
  • Development-time controls – secure coding practices, code reviews, automated testing, DevSecOps.
  • Hardware controls
    • Smart cards, hardware security modules (HSM), Trusted Platform Module (TPM).
    • Biometric readers (fingerprint, facial recognition).
  • Network controls
    • Firewalls (stateful, next-gen), routers with ACLs, segmentation & VLANs.
    • VPNs, intrusion-detection/prevention systems, zero-trust architectures.

Procedural (Administrative) Controls

  • Policies, Standards, Procedures, Guidelines – formal documents that tell humans what is allowed, required, or prohibited.
  • Training & security-awareness programs – often cited as most important control because humans remain weakest link.
  • Example policy topics
    • Password composition & rotation.
    • Prohibition on sharing credentials.
    • Acceptable-use policy, BYOD rules.
    • Confidentiality & Non-Disclosure Agreements (NDAs).
  • Legal mechanisms
    • Statutory protections (state/federal), industry regulations (HIPAA, PCI-DSS).
    • Contractual obligations, service-level agreements (SLAs).

Practical & Ethical Considerations

  • No system can ever be made 100 % secure → aim is acceptable risk level.
  • Ethical imperative to safeguard user privacy & prevent misuse of data.
  • Balancing security with usability & cost:
    • Over-protection can stifle productivity; under-protection invites catastrophe.
  • Reputation as an intangible asset: breach disclosure laws mean reputational harm often exceeds direct financial loss.

Study Tips & Connections

  • Tie C-I-A concepts to every real-world security story you hear.
  • When analysing any security scenario, explicitly list Asset → Threat → Vulnerability → Control.
  • Map human-threat actions (interception, interruption, etc.) onto triad impacts.
  • Quantitative risk analysis often uses Risk = \text{Probability} \times \text{Loss}—try simple mock calculations to build intuition.
  • Revisit foundational networking, operating-system, and cryptography knowledge; each provides context for controls listed here.