
Security Fundamentals

Core concepts of information security — the CIA Triad, threats, vulnerabilities, authentication, authorization, policies, and best practices.

CIA Triad

The three core principles of information security

Confidentiality

Ensuring data is accessible only to authorized individuals. Implemented through encryption, access controls, and authentication. Prevents unauthorized disclosure of sensitive information.

Integrity

Ensuring data is accurate, consistent, and not tampered with. Implemented through hashing, checksums, version control, and access controls. Prevents unauthorized modification.

Availability

Ensuring systems and data are accessible when needed. Implemented through redundancy, backups, failover clusters, and DDoS protection. Prevents downtime and data loss.

Types of Threats

Common cybersecurity threats and attack vectors

Malware

Malicious software (viruses, worms, trojans, ransomware) designed to damage or disrupt systems.

Phishing

Social engineering attacks using deceptive emails or messages to steal credentials or sensitive info.

DDoS

Distributed Denial of Service overwhelms a server with traffic, making it unavailable to legitimate users.

MitM

Man-in-the-Middle attacks intercept communication between two parties to eavesdrop or alter data.

Social Engineering

Psychological manipulation tricks people into divulging confidential information or performing actions.

Insider Threats

Current or former employees who misuse their authorized access to harm the organization.

Vulnerabilities

Weaknesses that can be exploited by attackers

Zero-day

A vulnerability not yet known to the vendor, so no patch exists. Extremely dangerous because defenders have no fix to apply yet.

Misconfiguration

Improperly configured systems, default passwords, open cloud storage buckets, or verbose error messages.

Weak Passwords

Easily guessable or reused passwords that can be cracked via brute force or credential stuffing.

Unpatched Software

Known vulnerabilities in outdated software that remain exploitable because patches were not applied.

Authentication Methods

Ways to verify a user's identity

Password-based

Something you know. Most common method but vulnerable to phishing, brute force, and credential stuffing.

Biometric

Something you are. Fingerprints, facial recognition, iris scans. Hard to replicate but privacy concerns exist.

MFA

Multi-Factor Authentication combines two or more methods (password + OTP + biometric) for stronger security.

Certificate-based

Digital certificates issued by a CA verify identity. Used in TLS, client authentication, and code signing.

Token-based

Hardware or software tokens generate time-based one-time passwords (TOTP) for second-factor auth.

SSO / OAuth

Single Sign-On allows one set of credentials across multiple services. OAuth enables delegated authorization.

Authorization Models

How access control decisions are made

Model | Full Name | How It Works | Use Case
DAC | Discretionary Access Control | Owner decides who can access resources | File systems, shared documents
MAC | Mandatory Access Control | System-enforced labels and clearances | Military, government classified data
RBAC | Role-Based Access Control | Access based on job role / group membership | Enterprise systems, databases
ABAC | Attribute-Based Access Control | Access based on user, resource, and environment attributes | Cloud, fine-grained policies
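To make the table concrete, here is an added example (not part of the CampusFlow page) that evaluates the same "read/write a grade" request under DAC, RBAC, and ABAC so the difference in decision inputs is visible. The subjects, roles, and policy rules are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Subject:
    name: str
    role: str
    department: str

@dataclass
class Resource:
    kind: str
    owner: str
    department: str
    acl: dict = field(default_factory=dict)  # DAC: grantee name -> set of actions

# Constructed role table for RBAC: role -> permitted (action, resource kind) pairs.
ROLE_PERMISSIONS = {
    "student": {("read", "grade")},
    "instructor": {("read", "grade"), ("write", "grade")},
}

def dac_grant(granter, grantee, action, resource):
    """DAC: only the resource owner may extend its ACL."""
    if granter.name != resource.owner:
        return False
    resource.acl.setdefault(grantee.name, set()).add(action)
    return True

def dac_allows(subject, action, resource):
    """DAC: the owner always has access; others need an ACL entry from the owner."""
    return subject.name == resource.owner or action in resource.acl.get(subject.name, set())

def rbac_allows(subject, action, resource):
    """RBAC: the decision depends only on the subject's role, not on ownership."""
    return (action, resource.kind) in ROLE_PERMISSIONS.get(subject.role, set())

def abac_allows(subject, action, resource, env):
    """ABAC: combine subject, resource and environment attributes.
    Constructed policy: students read only their own grades; instructors read and
    write grades in their own department, writes only 08-18h from the campus network."""
    if resource.kind != "grade":
        return False
    same_dept = subject.role == "instructor" and subject.department == resource.department
    if action == "read":
        return subject.name == resource.owner or same_dept
    if action == "write":
        return same_dept and 8 <= env["hour"] < 18 and env["network"] == "campus"
    return False
```

Note how RBAC lets any student read any grade because the role alone decides, while ABAC narrows the same request using ownership, department, time, and network attributes.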

Security Policies & Standards

Frameworks that guide security practices

ISO 27001

International standard for Information Security Management Systems (ISMS). Specifies requirements for establishing, implementing, and improving an ISMS.

NIST CSF

National Institute of Standards and Technology Cybersecurity Framework. Provides guidelines for managing cybersecurity risk across five functions: Identify, Protect, Detect, Respond, Recover.

GDPR

General Data Protection Regulation. EU regulation for data protection and privacy. Requires consent, breach notification, and right to erasure.

HIPAA

Health Insurance Portability and Accountability Act. US regulation for protecting medical records and health information.

Security Best Practices Checklist

Use strong, unique passwords with a password manager
Enable Multi-Factor Authentication (MFA) everywhere
Keep all software and systems up to date with patches
Encrypt sensitive data at rest and in transit
Follow the principle of least privilege for access
Regularly back up critical data (3-2-1 rule)
Conduct security awareness training for employees
Implement network segmentation and firewalls
Monitor logs and set up intrusion detection
Have an incident response plan ready
Use secure coding practices (input validation, output encoding)
Regularly audit and review access controls

Interview Questions

Common security fundamentals interview questions with answers