Hardware Components
CPU execution types & processing models
SMP — Symmetric Multiprocessing
All processors share one OS & memory. Think of a team working from the same office — shared resources, tightly coupled.
MPP — Massive Parallel Processing
Each processor has its own OS & memory. Think of separate offices — loosely coupled, highly scalable.
Protection Mechanisms
Hardware-level privilege control & process management
1. Protection Rings
Inner = more privilege. The OS kernel sits at the center; user apps are on the outside.
"Rings 0–2 = Supervisory, Ring 3 = Street level"
Or:
0 is the boss, 3 is the employee who needs permission for everything.
2. Operating States
- Supervisory state — all-access; can execute any instruction & reference any memory
- Operating/Problem state (User mode) — limited; every access request checked against credentials
3. Process States
Managed by the Process Scheduler:
Memory Protection Mechanisms
Primary & secondary memory types + protection techniques
ROM — Read Only Memory
Non-volatile. Data persists without power. Four types:
- PROM Programmable ROM — write once
- EPROM Erasable (UV light) then re-writable
- EEPROM Electronically erasable — used for BIOS
- Flash Modern EEPROM variant; fast block erasure
RAM — Random Access Memory
Volatile. Data lost when power off. Three levels:
- Real Main working memory
- Cache Fast buffer between CPU and RAM
- Registers Fastest; inside the CPU itself
Why Memory Protection Matters
Prevents one process from accessing another's memory space → preserves data integrity, prevents system crashes, and stops unauthorized data access.
Secondary Memory Protection
Protects non-volatile storage (HDD, SSD, USB, cloud). Critical because data survives power-off — prime target for long-term exfiltration.
Input / Output Devices
Yes, even keyboards and mice can be attack vectors
Device Types
- Input Keyboards, mice, scanners, mics, cameras
- Output Monitors, printers, projectors, speakers
- Storage USB drives, external HDDs, IoT sensors
- Network Modems, routers
⚠️ Can basic devices be risky?
Yes! A USB drive can inject malware. A compromised keyboard can log keystrokes. A malicious router can intercept all traffic.
Firmware
Microcode stored in ROM — the software closest to hardware
BIOS
Basic Input/Output System. Stored on EEPROM chip.
Updating it = "flashing the BIOS".
Threat: Phlashing — malicious code embedding itself into BIOS
(very hard to remove!)
UEFI
Unified Extensible Firmware Interface. Replaced BIOS since 2011. More advanced interface between hardware and OS — supports larger drives, faster boot, Secure Boot feature.
Hardware Device Firmware
Printers, modems, routers each have mini-OS stored as firmware in EEPROM. If compromised, they become persistent attack footholds.
The Software Stack (Bottom → Top)
Protecting Client & Server Systems
Endpoint security + server hardening
Client-Side Security
Secures the user endpoint (laptops,
mobiles, browsers).
Attack example: malicious website injects code into a vulnerable browser.
- Endpoint Security (EDR) — antivirus + detection & response
- Browser Security — Content Security Policy (CSP), HttpOnly/Secure cookies
- Input Sanitization — validate all inputs client & server side
- Code Obfuscation — make JS hard to reverse engineer
- Patching — keep browsers & OS updated
Server-Side Security
Servers = primary target (sensitive data, central control). Key concerns: data flow control, load balancing, throughput, DoS/DDoS defence.
- NGFW & WAF — filter network & app-layer traffic
- Patch Management — regular OS/app updates
- MFA + RBAC — access control & least privilege
- Encryption — protect data at rest
- IDS/IPS — monitor & block suspicious traffic
- Server Hardening — disable unused ports/services
- DDoS Mitigation — tools to absorb volumetric attacks
Database Systems Security
CIA Triad for stored data — Confidentiality, Integrity, Availability
⚠️ Common Threats
- SQL/NoSQL Injection — malicious code in queries manipulates the DB
- Insider Threats — malicious or careless authorized employees
- Misconfigured DB — default passwords, open ports
- Weak/Missing Encryption — data readable if system is breached
- Ransomware — data encrypted or stolen, ransom demanded
✅ Best Practices
- Least Privilege — users get minimum necessary access
- Data Masking — hide sensitive data in non-production environments
- Secure Backups — regular, encrypted backups
- Vulnerability Scanning & Pen Testing
- Physical Security — secure servers hosting the DB
Cloud Computing Security
AWS, Azure, Google, Alibaba — protecting data, apps & infrastructure
Cloud Service Models
Key Concepts
- Hypervisor/VMM Creates, manages, and operates virtual machines
- Elasticity Cloud's ability to expand or shrink resources on demand
- Shared Responsibility CSP secures "of" the cloud; customer secures "in" the cloud
Shared Responsibility Model — The Golden Rule
Physical data centers, networking, storage hardware, virtualization layer — the cloud itself
Data, applications, identity management, access controls — what's IN the cloud
⚠️ Common Cloud Threats
- Misconfigurations — #1 cause of cloud breaches
- Account Hijacking — weak credentials exploited
- Insecure APIs — vulnerabilities in cloud management interfaces
- Insider Threats — risks from within the organization
✅ Cloud Security Strategies
- IAM + MFA — control who accesses what
- Data Encryption — at rest and in transit
- CSPM — Cloud Security Posture Management for compliance
- CWPP + CNAPP — workload & cloud-native app protection
- Secure Backups — encrypted, off-site
IoT Security
Cameras, sensors, smart devices — insecure by design
⚠️ Key Threats & Challenges
- Weak Firmware — rushed to market, little security testing
- No Encryption — most IoT traffic is unencrypted
- Default Credentials — never changed from factory defaults
- Gateway Risk — compromised device = entry to entire network
- Unsupported Software — no patches, ever-growing vulnerabilities
✅ Best Practices
- Change Default Passwords immediately
- Update Firmware regularly
- Network Segmentation — IoT on its own VLAN
- Zero Trust — authenticate every device continuously
- Disable Unused Features (Bluetooth, remote access)
- MFA whenever available
Web-Based Security
Protecting websites, APIs & web applications
| Threat | What it does | Mitigation |
|---|---|---|
| SQL Injection (SQLi) | Malicious code injected into DB queries to extract/alter data | Validate & sanitize all user inputs; use parameterized queries |
| XSS (Cross-Site Scripting) | Malicious scripts injected into trusted websites | Escape user-provided content; use Content Security Policy |
| DDoS | Flood servers with traffic to make services unavailable | DDoS mitigation services, rate limiting, traffic scrubbing |
| Broken Access Control | Unauthorized access to accounts or data | Strict authentication mechanisms, RBAC |
Key Web Security Components
- WAF — Web Application Firewall; filters HTTP traffic between app and internet
- Vulnerability Scanning — automated tools find known weaknesses
- Secure Coding (OWASP Top 10) — build security in from the start
- API Security — protect interfaces from unauthorized access
- SSL/TLS — encrypt data in transit
Pen Test Checklist for Web
- View hosted web pages for exposed info
- Explore automation technologies in use
- Check file and backup handling
- Evaluate SSL/TLS transmission security
- Test authentication & session management
- Review cryptography & data validation
- Check DoS defences & error handling
Mobile Device Security
Device security + app security + BYOD concerns
Device Security Features
Useless if not activated!
- Full device encryption
- Remote wiping
- Screen locks & lockout
- GPS tracking
- Application control
- Storage segmentation
- Disabling unused features
Application Security
- Key Management — most crypto failures are from bad key mgmt, not algorithms
- Credential Management — central, secure storage of creds
- Authentication — passwords + biometrics
- Geotagging — can reveal routine patterns; use carefully
- Encryption — enable if available
- App Whitelisting — deny by default, allow by exception (opposite of blacklisting)
BYOD — Bring Your Own Device
Policy allowing employees to use personal devices for work. Improves morale but introduces significant security risks.
- Data Ownership — who owns the data? Remote wipe issues
- Support Ownership — who pays for repairs?
- Patch Management — who ensures updates?
- Antivirus — required or optional?
- Privacy — employee loses some privacy
- Forensics — how are devices investigated?
- Onboarding/Offboarding — processes for enrollment & departure
- COPE Company Owned, Personally Enabled — company provides device, employee personalizes
- CYOD Choose Your Own Device — employee picks from approved list
- VDI/VMI Virtual Desktop/Mobile Infrastructure — apps run in a virtual environment, not on the device
D-S-P-A-F-P-O: Data ownership, Support, Patching, Antivirus, Forensics, Privacy, Onboarding/Offboarding
Operating System Security
Technical & policy mechanisms + OS hardening
⚙️ Technical Mechanisms
- Layering — ring-model structure for OS privilege levels
- Abstraction — access rights assigned to groups of objects, not individuals
- Data Hiding — objects placed in different security containers from subjects (need-to-know)
- Process Isolation — separate memory spaces for each process's instructions & data
- Hardware Segmentation — like process isolation but enforced by physical hardware controls
📋 Policy Mechanisms
- Least Privilege — users get only the minimum access needed for their job. Nothing more.
- Separation of Duties — critical tasks split across multiple people; reduces insider fraud
- Accountability — all privileged actions logged; "who did what?"
Least Privilege · Separation of Duties · Accountability
OS Hardening — The 6-Point Shield
Less software = smaller attack surface
Defaults are publicly known; change them
Block unauthorized network traffic
Complex, unique credentials across all accounts
Multi-Factor Authentication for all privileged access
Log everything; detect anomalies early
Remove unnecessary software · Change defaults · Firewall · Strong passwords · MFA · Enable auditing
Phrase: "Really Careful Firewalls Seem More Effective Always"
Master Summary Table
All layers at a glance — great for last-minute review
| Layer | Key Threats | Key Defences | Mnemonic |
|---|---|---|---|
| Hardware / CPU | Side-channel attacks, privilege escalation | Protection rings, operating states, process isolation | MM·MT |
| Memory | Buffer overflow, process injection | ASLR, DEP, paging, MMU | PAD·PK·KB |
| I/O Devices | Malicious USB, keyloggers, rogue devices | Port control, physical security, input validation | PPSANE·I |
| Firmware | Phlashing, BIOS rootkits | Secure Boot (UEFI), firmware updates, integrity checks | — |
| Client Systems | Drive-by downloads, XSS, malware | EDR, CSP, patching, code obfuscation | — |
| Server Systems | DDoS, SQL injection, unauthorized access | WAF, NGFW, IDS/IPS, MFA, server hardening | NPMEDIS |
| Database | SQL injection, insider threats, ransomware | Least privilege, encryption, masking, auditing | SIM·WR |
| Cloud | Misconfigurations, account hijacking, insecure APIs | IAM, CSPM, shared responsibility model, MFA | — |
| IoT | Default creds, no encryption, botnets | Network segmentation, Zero Trust, firmware updates | CUNZD·M |
| Web | SQLi, XSS, DDoS, broken access control | WAF, input validation, TLS, OWASP guidelines | SXDBr |
| Mobile | Malicious apps, BYOD risks, geotracking | App whitelisting, encryption, MFA, remote wipe | D-S-P-A-F-P-O |
| Operating System | Privilege escalation, rootkits | Least privilege, separation of duties, OS hardening | LSA / RCFSMEA |