Cybersecurity Course — Chapters 1–12

Chapter 1 — Introduction to Cybersecurity

Foundational concepts: purpose of cybersecurity, the CIA triad, human factors, attacker types, common attacks, and the defender mindset.

Cybersecurity is the discipline of protecting information systems from unauthorized access, misuse, disclosure, disruption, modification, or destruction. While public perception often focuses on exploits or sensational breaches, the practice of cybersecurity is far broader: it encompasses program governance, risk management, technical controls, personnel training, monitoring, incident response, and continuous improvement.

The goals of cybersecurity can be succinctly described by the Confidentiality–Integrity–Availability (CIA) triad. Confidentiality seeks to ensure that information is accessible only to those authorized to view it; integrity seeks to maintain the accuracy and trustworthiness of information; availability ensures that systems and data are usable when required. Every security control maps to at least one element of the triad.

Human factors are central to most security incidents. Social engineering, poor password hygiene, and misconfiguration often enable attacks. Consequently, effective security architecture minimizes opportunities for human error and includes detection and recovery capabilities to limit the impact of inevitable mistakes.

Attackers vary according to capability and motive. Criminal actors prioritize financial gain and often use malware, ransomware, and credential theft. State-affiliated groups may target infrastructure or intellectual property and exhibit persistence and sophistication. Insider threats include both malicious employees and well-intentioned personnel whose actions nevertheless produce an exposure. Understanding motive and capability aids defenders in selecting appropriate mitigations.

Fundamental defensive practices include prioritizing assets by value and risk, implementing layered controls (defense in depth), enforcing least privilege, monitoring for anomalies, and maintaining tested incident response and recovery plans. Frameworks such as the NIST Cybersecurity Framework, CIS Controls, and OWASP provide structured guidance and operational starting points for organizations at any scale.

Concluding this introductory chapter, the reader should be comfortable describing the CIA triad, recognize the role of human behavior in security incidents, and understand that cybersecurity is a programmatic discipline combining policy, process, and technology. The subsequent chapters expand into architecture, identity management, secure development, detection, and response.

Chapter 2 — Secure Architecture & Network Defenses

Design principles for resilient systems: defense in depth, segmentation, zero trust, firewalls, and secure network topologies.

Secure architecture begins with a threat-informed design that anticipates how an attacker might target assets and then applies layered controls to mitigate those threats. Defense in depth ensures that no single control serves as the sole barrier; rather, multiple complementary protections reduce the likelihood and impact of a successful attack.

Network segmentation separates systems into zones aligned with trust boundaries and business functions. For example, public-facing services (web servers) should reside in a distinct demilitarized zone (DMZ) that limits direct access to internal resources such as databases and management systems. Effective segmentation reduces blast radius when a component is compromised.

A default-deny stance for access control is essential: only allow explicitly required protocols, ports, and addresses rather than opening broad ranges by default. Firewalls—both network and host-based—enforce these restrictions. Similarly, network access control (NAC) ensures that only compliant devices may join critical segments.

Zero trust is an architectural model founded on the principle of continuous verification. Rather than assuming trust based on network location, zero trust requires authentication and authorization for each request and often incorporates micro-segmentation, strong identity controls, and short-lived credentials.

For cloud environments, secure architecture translates to careful design of virtual networks, security groups, route tables, and peering arrangements. Cloud providers operate a shared-responsibility model: the provider secures the underlying infrastructure while customers must secure their configuration, workloads, and data. Misconfigurations—such as publicly exposed storage—are a common source of breaches.

Logging and telemetry at network choke points provide the data required for detection. NetFlow, packet captures, and intrusion detection system events can reveal reconnaissance, lateral movement, and data exfiltration. Regular architecture reviews, threat modeling, and red-team testing produce practical insights and feed continuous improvement.

Chapter 3 — Identity & Access Management

Authentication, authorization, lifecycle management, MFA, single sign-on, and identity governance.

Identity and access management (IAM) is the foundation of secure operations. Correctly implemented, IAM ensures that only the right individuals and services can perform permitted actions. A robust IAM program includes authentication, authorization, accounting, and identity lifecycle management.

Authentication establishes identity. Modern systems combine multiple factors—something you know (password), something you have (hardware token or mobile device), and something you are (biometric)—to provide assurance. Multi-factor authentication (MFA) significantly reduces the likelihood of account compromise by mitigating credential theft and replay attacks.

Authorization controls what authenticated principals may do. Role-based access control (RBAC) and attribute-based access control (ABAC) provide models to grant permissions according to roles or attributes, thereby reducing administrative complexity and minimizing privilege creep. Just-in-time privilege elevation further limits the window during which high privilege access exists.

Identity lifecycle management aligns account provisioning and deprovisioning with HR processes and organizational events. Stale accounts, orphaned service principals, and unmanaged credentials are common risks. Regular audits and automation reduce these exposures.

Single sign-on (SSO) improves usability and security by centralizing authentication and applying consistent policy. Security considerations for SSO include protecting the identity provider, securing session tokens, and requiring MFA for sensitive operations.

Finally, identity monitoring—tracking authentication logs, anomalous login patterns, and failed attempts—provides early indicators of credential compromise and enables proactive containment.

Chapter 4 — Secure Software Development Lifecycle

Integrating security into requirements, design, coding, testing, and deployment. Threat modeling, code review, and supply-chain controls.

A secure software development lifecycle (SSDLC) embeds security activities across the lifecycle from requirements through maintenance. SSDLC emphasizes early identification of risks, continuous testing, and deployment practices that enforce security controls.

Threat modeling provides a structured approach to identify likely attack vectors and security requirements. By considering data flows, trust boundaries, and misuse cases, teams can prioritize mitigations that reduce the most significant risks. Threat models should be revisited as architecture changes.

Automated security tooling in continuous integration and continuous delivery (CI/CD) pipelines—such as static application security testing (SAST), software composition analysis (SCA), and dynamic application security testing (DAST)—provides fast feedback to developers. Code review by peers, with an emphasis on security-sensitive areas, remains one of the most effective controls.

Dependency management and supply-chain security require tracking third-party libraries, evaluating their maintenance posture, and applying timely patches. Reproducible build processes and artifact signing increase assurance that deployed code matches reviewed sources.

Operational considerations include secret management, secure configuration, runtime protections (sandboxing and least-privilege execution), and continuous monitoring. A mature SSDLC combines people, process, and tools to reduce vulnerability introduction and improve response speed when vulnerabilities are discovered.

Chapter 5 — Web Application Security

Common web application threats, OWASP Top Ten, secure input/output handling, session management, and API security.

Web applications remain a primary target for attackers due to their public exposure and direct connection to data stores. The OWASP Top Ten enumerates common classes of vulnerabilities that frequently result in breaches. Understanding and mitigating these classes is a prerequisite for secure application development.

Input validation and output encoding prevent injection and cross-site scripting (XSS) attacks. Parameterized queries eliminate the class of SQL injection issues when database interaction uses safe APIs. Authentication and session management should use established frameworks and avoid homegrown approaches. Session tokens should be protected with secure cookie flags and limited lifetimes.

APIs require careful attention to authentication, authorization, and rate limiting. Documentation and error handling should avoid leaking sensitive internal information. A defense-in-depth approach for web security includes a secure development process, runtime protections such as Web Application Firewalls (WAFs), and systematic testing including automated scanning and controlled manual penetration testing in authorized lab environments.

Chapter 6 — Endpoint and Host Security

Hardening hosts and endpoints, endpoint detection and response, patch strategy, application control, and device management.

Endpoints and hosts are primary footholds for attackers. Effective protection includes baseline hardening, host-based controls, and continuous monitoring. A hardened image with only required services reduces attack surface. Application allowlisting limits the ability of unauthorized binaries to execute.

EDR solutions provide high-fidelity detection of suspicious behavior at the host level and enable rapid containment actions. EDR telemetry, when combined with central logging and network telemetry, allows security teams to detect patterns across hosts and identify coordinated activity.

Patch management requires an inventory of assets, risk-based prioritization, testing in representative environments, and predictable deployment windows. Critical fixes should be expedited and applied according to documented processes with rollback plans in case of regressions.

Device management for mobile and remote endpoints enforces configurations, enforces encryption, and protects data at rest. Where appropriate, remote wipe and containerization of corporate data protect sensitive information on lost or stolen devices.

Chapter 7 — Cloud Security Fundamentals

Cloud shared responsibility, secure configuration, identity and access in the cloud, network controls, and data protection.

Cloud computing requires a distinct approach to security because traditional perimeter controls do not directly map to virtualized, multi-tenant infrastructure. Each cloud provider defines a shared responsibility model that delineates what the provider secures and what the customer must secure. Understanding those boundaries is the first step in preventing misconfigurations and exposures.

Secure cloud architecture uses isolated networks (VPCs or equivalent), least-privilege IAM policies, private subnets for sensitive workloads, and robust logging and monitoring. Resource policies and tags improve governance and enable automation for enforcement and response. Infrastructure-as-code and automated security checks reduce drift and ensure reproducible secure configurations.

Key cloud concerns include protecting management plane access, securing APIs, handling secrets, storing and transferring data securely, and ensuring proper identity federation. Centralized logging and alerting across cloud accounts enable detection of suspicious activities and simplification of incident response.

Chapter 8 — Logging, Monitoring, and Detection

Designing telemetry, building detection use cases, alert tuning, and operationalizing security monitoring.

Effective detection is predicated on comprehensive telemetry: authentication logs, process and endpoint events, DNS queries, network flows, and cloud management events together provide a holistic view of activity. Centralized log collection and parsing into normalized events enable correlation and analytics.

Detection engineering defines the specific behaviors that indicate malicious activity and translates them into searches and analytics that surface these behaviors. Use cases such as credential misuse, abnormal data access patterns, lateral movement, and command-and-control callbacks should be prioritized by impact and likelihood.

Alert fatigue is a significant operational challenge. Prioritization, enrichment of alerts with contextual information, and escalation paths increase the efficiency of investigation. Metrics such as mean time to detect (MTTD) and mean time to respond (MTTR) help measure program effectiveness.

Finally, logs must be protected, archived, and made tamper-evident where possible. Attackers commonly attempt to erase traces; robust logging and retention practices reduce their ability to conceal activity.

Chapter 9 — Incident Response and Forensics

Preparation, detection, containment, eradication, recovery, and post-incident analysis, with forensics considerations.

Incident response is an operational discipline enabling organizations to detect, analyze, and recover from security events. A mature program includes preparation activities (defined procedures, contact lists, tools, and backups), detection and analysis capability, containment and eradication playbooks, recovery actions, and structured post-incident reviews.

Preserving forensic evidence may be necessary for legal or investigative purposes; therefore, responders must balance the need for rapid containment with proper evidence handling. Common forensics artifacts include memory captures, disk images, file system metadata, logs, and network captures. Chain-of-custody documentation is required for evidence to be admissible in formal investigations.

Containment strategies vary by scenario; isolation, network segmentation, and temporary disabling of affected services can limit exfiltration and lateral movement. Eradication removes malicious artifacts and may involve re-imaging systems, applying patches, or changing credentials. Recovery restores services and verifies integrity before returning systems to normal operations.

Post-incident reviews identify root causes and systemic improvements. These reviews should produce concrete remediation tasks, timeline updates, and adjustments to detection and response processes to reduce recurrence.

Chapter 10 — Threat Intelligence and Adversary Understanding

Collecting, analyzing, and operationalizing threat intelligence. Using MITRE ATT&CK for mapping adversary behaviors.

Threat intelligence provides context and operational indicators that improve detection and response. Intelligence sources range from open-source feeds to commercial providers and industry information sharing groups. High-quality intelligence is timely, relevant, and actionable.

MITRE ATT&CK is commonly used for mapping observed behaviors to standardized technique identifiers, enabling organizations to evaluate coverage gaps and tune detections. Operationalizing intelligence requires enrichment—validating indicators, reducing false positives, and integrating context such as affected asset owners, controls, and likely impact.

Intelligence programs should emphasize relevance and measurable value. Indicators without context can overwhelm analysts; conversely, tailored intelligence can materially reduce time to detect and time to remediate by providing known tactics, techniques, and procedures (TTPs) and recommended mitigations.

Chapter 11 — Privacy, Compliance, and Risk Management

Balancing security, privacy, and legal requirements. Risk assessments, controls selection, and compliance frameworks.

Security, privacy, and compliance are related but distinct responsibilities. Privacy concerns revolve around lawful, fair, and transparent handling of personal data. Compliance refers to satisfying regulatory or contractual obligations through controls and documented evidence. Risk management is the process of identifying, quantifying, prioritizing, and treating risks according to business appetite.

A pragmatic risk program identifies critical assets, enumerates threats and vulnerabilities, estimates likelihood and impact, and prescribes controls to reduce risk to an acceptable level. Controls may be preventative, detective, or corrective. When selecting controls, organizations should consider cost, operational impact, and effectiveness.

Privacy by design embeds data minimization, purpose limitation, and secure defaults into systems from conception. Data mapping and classification support consistent handling and retention policies, while privacy impact assessments inform high-risk changes. Regulatory frameworks such as GDPR, HIPAA, and industry-specific rules require careful mapping to operational controls and audit evidence.

Chapter 12 — Offensive Concepts for Defenders (Ethical, Controlled)

Understanding attacker tools and techniques for defensive gain; ethical red teaming, vulnerability assessment, and safe lab practices.

Defenders benefit from understanding offensive techniques: replica adversary activity exercises allow evaluation of detection, response, and control effectiveness. This is the rationale for authorized penetration testing, red teaming, and purple teaming. The objective is not to produce exploits for misuse but to validate defensive posture and produce actionable remediation.

Authorized penetration tests follow a defined scope, provide rules of engagement, and often simulate a specific adversary with defined capabilities. Red teams use a more adversarial approach to emulate persistent, multi-stage intrusions. Purple teams are collaborative exercises where red and blue teams work together to tune defenses and close gaps identified during active testing.

Training and validation should use dedicated labs and intentionally vulnerable applications (for example, open-source training platforms) to avoid damage to production systems. All offensive activity must adhere to legal frameworks and organizational policies and should produce prioritized remediation recommendations rather than a list of vulnerabilities alone.

Understanding attacker methods also improves defensive detection: defenders can translate red-team behaviors into detection signatures, telemetry requirements, and architecture changes that eliminate easy paths used by real adversaries.