Cyber Security

1. Vulnerability is a weakness that makes a threat possible

• Example: weak password, which leads to threats

2. Threat is any potential occurrence, malicious or otherwise, that could harm an asset. In other words, a threat is any bad thing that can happen to your assets

• Example: Getting access to the payroll data despite the mentioned weak password  

3. Attack is an action that exploits a vulnerability or enacts a threat

• Hacker attack the system and use the weak password vulnerability 

4. Countermeasure. A safeguard that addresses a threat and mitigates risk

• Preventive: Like the zero trust principle

• Detective: Like WAF

• Corrective: After the occurrence

5. Hardening: a preventive approach that targets reducing the attack surface of a system by removing unnecessary services, permissions, and vulnerabilities, and enforcing secure configurations. 

6. Hijacking: To steal something from the client or the server 

7. Phishing

• Fake emails or messages to steal credentials or sensitive info

• User training, MFA, email filtering (SPF, DKIM, DMARC)

8. Malware

• Malicious software (viruses, trojans, worms, etc.)

• You should have Antivirus, EDR, software updates, restricted access

9. Ransomware: Encrypts data and demands ransom, you should have Backups, EDR, least privilege, behavior-based detection

10. Spyware is a type of malicious software that secretly monitors and collects data from a user's device without their knowledge or consent.

11. Spoofing: Impersonation (IP, email, DNS, etc.), you should have SSL/TLS, SPF/DKIM/DMARC, DNSSEC

12. Botnet: Network of compromised devices used for attacks, you should have Network monitoring, firewalls, and IoT security controls

13. Rootkit: Malware that hides in the system/root level, you should have Kernel-level protection, file integrity monitoring

14. Social Engineering: Manipulating people to leak confidential data, you should have Employee training, verification procedures, and phishing simulations

15. APT: Advanced Persistent Threat — long-term, stealthy attack, you should use Network segmentation, anomaly detection, threat hunting

16. Zero Day: Unknown vulnerabilities that developers or users are not aware, so defense is not effective.

1. Science: as it has well-known practices

• Grounded in Mathematics & Logic: Cryptography, hashing, and formal verification use algorithms and proofs.

• Repeatable Methods: Security assessments, penetration testing, and forensic analysis follow standardized methodologies (e.g., NIST, ISO 27001).

• Risk Models: Uses probability, game theory, and threat modeling (e.g., STRIDE, DREAD).

2. Art: as it studies human behavior and simulates hacker's mindset

• Creative Thinking: Attackers use unpredictable tactics (social engineering, zero-days), and defenders must think like hackers.

• Human Behavior: Understanding user habits, psychology, and organizational culture is crucial.

• Adaptive Responses: No system is 100% secure—security teams must improvise during incidents.

• Continuous learning curve, to attack and defend, like chess game.

1. Identify: For assets

• Classify

• Threat modeling

2. Protect: The hardening of asset security

• Potential threats

• Hardening 

3. Detect: Incidents

• Continuous monitoring for the environment and solutions

• Detection phase

4. Respond: With a plan

• Short term

• Long term

• Defense in depth

5. Recover: Normal operations

Hardening: a preventive approach that targets reducing the attack surface of a system by removing unnecessary services, permissions, and vulnerabilities, and enforcing secure configurations. 

In another meaning, Hardening = proactive security configuration & cleanup to reduce risk. It’s foundational to building secure systems and complements monitoring & response.

Examples of Hardening:

• OS: Disable unused accounts & services, patch vulnerabilities

• Database: Remove default users, restrict permissions, enable encryption

• Network: Close unused ports, configure firewalls & IDS/IPS

• Applications: Remove debug code, enforce strong auth, validate input

Objective 1: Improve Incident Response

• KR1: Reduce MTTR by 30%

• KR3: Conduct 2 tabletop exercises this quarter
  
  

Objective 2: Strengthen System Hardening

• KR1: Reach 95% patch compliance within 7 days

• KR2: Disable unused ports/services on 100% of servers

• KR3: Review 100% of privileged accounts by Q2

• KR4: DB Hardening 85%

• KR4: App Hardening 85%

• KR4: Network & Infrastructure Hardening 85%

Objective 3: Enhance Access Control

• KR1: Enforce MFA for all staff accounts

• KR2: Apply RBAC across all business applications

• KR3: Complete IAM audit of cloud services

Objective 4: Reduce Phishing Risks

• KR1: Launch monthly phishing tests

• KR2: Achieve <3% employee click rate

• KR3: Ensure 100% staff complete security training

Objective 5: Strengthen Cloud Security Posture

• KR1: Deploy a Cloud Security Posture Management (CSPM) tool

• KR2: Remediate all critical cloud misconfigurations

• KR3: Encrypt 100% of cloud storage buckets

• Number of Vulnerabilities by Severity (Critical/High/M dium)

• % of Data Encrypted (in transit and at rest)

• Frequency of Firewall Rule Changes

• Malware Detections per Endpoint

• % of Users with Multi-Factor Authentication (MFA) Enabled

• Average Patch Deployment Time

• % of Third-Party Vendors Assessed for Risk

• Number of Data Loss Prevention (DLP) Events Triggered

• % of APIs Protected by API Gateway or WAF

• Number of Security Alerts Triaged vs. Ignored

1. “Hackers only target big companies”

• Myth: Small businesses are safe.

• Reality: Small organizations are often easier targets due to weaker defenses, because of revenge and reputation.

2. “Cyberattacks are always high-tech”

• Myth: Hackers only use sophisticated coding attacks.

• Reality: Most breaches start with simple human mistakes—phishing links, weak passwords, or unsecured devices.

3. “Once secure, always secure”

• Myth: Security measures don’t need regular updates.

• Reality: Threats evolve—security must be continuously monitored and improved.
  
  

4. “Hackers are all outsiders”

• Myth: Only external attackers cause problems.

• Reality: Insider threats (malicious or accidental) account for a large share of breaches.

5. “Developers only take the responsibility for securing solutions”

• Myth: Only development team will be able to secure the solution.

• Reality: it's shared responsibility across enterprise stakeholders, starting from physical security, to technology solutions, product owners, architects, DBAs, developers, should add the Hacker Persona to their model to apply defense in depth concepts.

5. “Cybersecurity is only an IT problem.”

• Myth: Only the IT department needs to care.

• Reality: Everyone is a target—phishing, social engineering, and weak passwords affect all employees.
  
  

7. “Strong passwords are enough.”

• Myth: One complex password makes you safe.

• Reality: Multi-factor authentication (MFA) is essential—passwords alone can be stolen.
  
  

8. “Antivirus is all you need.”

• Myth: Installing antivirus software guarantees security.

• Reality: Modern threats require layered defenses—firewalls, endpoint detection, patching, monitoring, and user training.