Information Security
Security isn't just about locking everything down. The goal is an effective & efficient policy — too much security wastes resources and creates new loopholes. Too little leaves you exposed.
System Security
Methods & processes for protecting information systems from unauthorized access, disclosure, usage, or modification.
Information Security
Ensures the Confidentiality, Integrity, and Availability (CIA) of information — the three non-negotiable pillars.
Security–Functionality–Usability
These three always trade off. More security = less usability/functionality. The goal is a balanced center where all three are strong enough.
Non-Repudiation
Guarantees that a sender cannot deny sending a message. Achieved via digital signatures & encryption.
Hack Value
The attractiveness or worth of a target to a hacker. High hack value = the target holds something desirable (data, money, prestige, disruption potential). Hackers evaluate hack value before investing time in an attack.
The CIA Triad
Confidentiality · Integrity · Availability — the three guarantees every secure system must provide.
Confidentiality
Only authorized people can access information. Prevents unauthorized disclosure.
Integrity
Data is accurate and hasn't been tampered with. Ensures trustworthiness.
Availability
Systems and data are accessible when needed by authorized users.
Key Terms — Flashcards
Know these cold. They appear in every hacking exam.
⬇ More concepts to know deeply:
Viruses & Worms
A virus is malicious code that attaches itself to other files to spread — it needs a host file to travel. A worm is self-replicating and spreads independently across networks without needing a host file.
Insider Threat
A threat from someone already inside the organization — employee, contractor, or partner misusing their authorized access. Two types:
- Intentional (Malicious) — deliberate sabotage or data theft.
- Unintentional (Negligent) — accidental exposure, weak passwords, clicking phishing links.
Botnets
A network of compromised "zombie" devices controlled remotely by a botmaster. Device owners are unaware. Used for:
DDoS attacks · Spam campaigns · Data theft · Cryptomining
Doxing — In Depth
Collecting and publishing personally identifiable information (PII) about a target from publicly available sources — mostly social media, public records, and databases. Used to harass, blackmail, or expose individuals.
Daisy Chaining — In Depth
Sequential hacking attempts where each break-in enables the next. The attacker uses credentials or info harvested from System A to gain access to System B, C, and beyond — moving laterally through an organization.
Attack Components
Motive · Method · Vulnerability — remove any one of these, and the attack fails.
Motive
The why. Goal driving the attacker — money, espionage, disruption, revenge.
Method
The how. Technique used — phishing, malware, SQL injection, social engineering.
Vulnerability
The where. The weakness or flaw that makes the attack possible.
APT — Advanced Persistent Threat
Sophisticated, long-term attack where an attacker stays hidden inside a network for an extended period. Conducted by highly skilled attackers targeting strategic data.
Shrink-Wrap Exploits
Attacking known vulnerabilities in popular, off-the-shelf software that hasn't been patched. Targets unpatched OS, COTS software, and outdated apps.
Threat Categories
Network Level · Host (OS) Level · Application Level — threats exist at every layer of the stack.
| Level | Targets | Examples |
|---|---|---|
| 🌐 Network | Routers, switches, firewalls | |
| 💻 Host (OS) | Operating system, local env | |
| 📦 Application | Web apps, software | |
| 📱 Mobile | Smartphones & apps | |
| ☁️ Cloud | Cloud infrastructure | |
| 👤 Insider | Employees, contractors | |
| 🤖 Botnet | Any internet-connected device | |
Information Warfare
Using information systems to gain a strategic advantage over an adversary.
Protect your own systems
Actions taken to protect information systems from attacks and unauthorized access. Includes security controls, monitoring, and incident response.
Disrupt enemy systems
Proactive actions taken against adversaries to disrupt, manipulate, or destroy their information systems and operations.
Quick Recap — Before Your Exam
🗂 Everything in 15 bullets
- InfoSec = Protecting data from unauthorized access, disclosure, use, modification
- CIA Triad: Confidentiality (who sees it) · Integrity (is it accurate) · Availability (can you use it)
- Non-Repudiation = you can't deny sending something (digital signatures prove it)
- Security–Functionality–Usability triangle: improving one weakens the others — aim for center balance
- Hack Value = how attractive a target is to an attacker (high value = more likely to be attacked)
- Every attack has 3 parts: Motive + Method + Vulnerability
- Zero-Day = unknown vulnerability, no patch exists yet — most dangerous kind
- APT = attacker hides inside a system for months/years undetected
- Shrink-Wrap Exploits = attacking known flaws in unpatched, off-the-shelf software
- Virus = attaches to files to spread · Worm = spreads on its own, no host needed
- Botnet = network of zombie devices controlled by one botmaster (DDoS, spam, theft)
- Insider Threat = intentional (malicious) or unintentional (negligent) misuse by insiders
- Daisy Chaining = sequential break-ins using credentials from each previous system
- Threats live at every layer: Network · Host/OS · Application · Mobile · Cloud · Insider · Botnet
- Information Warfare = Defensive (protect yours) vs Offensive (attack theirs)
CIA (Triad) · Non-repudiation · Motive-Method-Vulnerability (attack components) · Network-Host-App (threat levels)
Practice Questions
A hospital's patient records are altered by an insider who changes medication dosages in the system. Which pillar of the CIA Triad is primarily violated? Which control (from the cia-control rows) would most directly prevent this? Explain your reasoning.
Zero-Day vs. Exploit
Explain the difference between a zero-day vulnerability and an exploit. Why are zero-days considered especially dangerous compared to known vulnerabilities? What does the "day 0" in the name signify?
Virus vs. Worm
A new piece of malware spreads across an organization's network by copying itself to every reachable share drive without any user action. Is this a virus or a worm? Justify your classification using the hitchhiker analogy from the study guide.
Attack Components
An attacker is motivated by financial gain. They target a bank's unpatched web server using a SQL injection technique. Map this scenario to the three attack components (Motive · Method · Vulnerability). Which component, if eliminated, would most effectively neutralize the attack?
Threat Categories
Classify each of the following threats by level (Network / Host / Application / Mobile / Cloud / Insider / Botnet):
a) An employee copies sensitive files to a personal USB drive.
b) An attacker floods a server with authentication requests.
c) Cross-site scripting on a web application.
d) Spyware installed on a company-issued smartphone.
APT vs. Shrink-Wrap
Company A is infiltrated by an attacker who remains hidden for 11 months, slowly exfiltrating R&D data. Company B is breached via an unpatched vulnerability in a popular, off-the-shelf CRM application.
Which attack is the APT and which is the shrink-wrap exploit? What makes the APT particularly difficult to detect?
Offensive vs. Defensive
A nation-state's cybersecurity team monitors its own critical infrastructure for intrusions. At the same time, a separate unit conducts penetration testing against a rival state's power grid systems.
Which team is conducting defensive information warfare and which is conducting offensive? Is offensive information warfare ever considered legitimate? Briefly discuss.
The Balancing Act
A company implements mandatory 10-factor authentication and full disk re-encryption every 24 hours for all employees. Using the Security–Functionality–Usability triangle, explain what trade-off has been made and why an overly secure system can itself become a security risk.