Security Fundamentals: Understanding the Basics


When we hear the word "security," we often think about locked doors, CCTV cameras, or alarms. In the digital world, the idea is the same, but instead of protecting a house, we’re protecting information, systems, and networks. Security fundamentals are the basic concepts you need to understand how to keep data safe and reduce risks from cyber threats.

In this blog, we’ll go over the core ideas behind security. We’ll break it down into simple terms so you can build a strong foundation, whether you’re just getting started in IT, studying for certifications, or simply curious about how security works in the digital space.


Why Security Matters

Technology runs almost every part of our lives. From online banking and shopping to storing personal photos in the cloud, our data is constantly being shared and stored across systems. Without security, this information can be stolen, altered, or destroyed. The impact can range from losing money to having your identity compromised.

That’s why understanding the basics of security is important, not only for IT professionals but also for anyone using technology every day.


The CIA Triad

At the heart of information security is the CIA triad, which stands for Confidentiality, Integrity, and Availability. Think of this as the foundation of all security principles.

  • Confidentiality means keeping information private and accessible only to the right people. For example, when you log in to your email, your password ensures only you can see your messages.

  • Integrity is about making sure information is accurate and hasn’t been changed without permission. Imagine someone breaking into your bank’s systems and altering your balance; that would be a loss of integrity.

  • Availability ensures that information and systems are accessible when needed. For instance, if a company’s website goes down due to an attack, it affects availability.

Every security measure we use is meant to protect one or more parts of this triad.


Key Terms You Should Know

To understand security better, let’s break down four important terms: vulnerability, exploit, threat, and mitigation.

Vulnerability

A vulnerability is a weakness in a system that could be taken advantage of. For example, a software bug that allows hackers to bypass a password screen is a vulnerability.

Exploit

An exploit is the actual method or tool used to take advantage of a vulnerability. If a hacker writes code to bypass that weak password screen, the code itself is the exploit.

Threat

A threat is anything that can potentially harm a system or data. This could be a hacker, a malware program, or even natural events like a flood damaging a server.

Mitigation Technique

Mitigation is about reducing risks by addressing vulnerabilities and threats. For example, applying a software update to fix a bug is a mitigation technique. Using strong passwords and enabling two-factor authentication are also common ways to mitigate risks.


No System Is Perfectly Secure

You might have heard the phrase, “no system is perfectly secure.” What this means is that no matter how many protections you put in place, there will always be some level of risk.

Technology is constantly changing, and so are the methods attackers use. A company may patch one vulnerability today, but a new one could be discovered tomorrow. Even the strongest security systems can be bypassed through human error, like someone clicking a malicious link in an email.

The goal of security is not to make a system 100% safe, because that’s impossible. Instead, the goal is to reduce risks to an acceptable level. This is done by combining strong security practices, regular updates, monitoring, and training people to recognize threats.

Think of it like locking the doors to your house. A determined burglar could still break in, but the locks, alarms, and cameras make it much harder, less attractive, and riskier for them to try. That’s exactly how security works in the digital world.


Common Attacks You Should Know

Now that we’ve set the foundation, let’s talk about the attacks you’ll hear about most often. I’ll explain what each one is, how it works in plain language, simple examples, what you might notice, and basic ways to reduce the risk.


Denial of Service (DoS) and Distributed DoS (DDoS)

What it is: An attempt to make a service unavailable by overwhelming it with traffic or resource-heavy requests.
DoS vs DDoS: DoS comes from one source. DDoS comes from many machines at once (usually a botnet), which is harder to block.

How it works: Attackers flood a website, API, or server with more requests than it can handle. Legitimate users get timeouts or errors.

Examples:

  • SYN flood: Sends a stream of TCP SYN packets (often with spoofed sources) and never finishes the handshake, so the server’s table of half-open connections fills up and genuine connection attempts are dropped. SYN cookies are the standard countermeasure.

  • HTTP flood: Bombards a web app with repeated page or API requests.

  • UDP/ICMP flood: Sprays packets that consume bandwidth and CPU.

What you might see: Slow website, frequent timeouts, high bandwidth or CPU usage.

Basic defenses: Use a CDN with DDoS protection, rate limiting, web application firewalls, autoscaling, and blocklists. Keep services patched and disable unused protocols.
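Rate limiting is the one defense in that list you can see working in a few lines. The example below is added here and is not code from the original post: it runs a constructed request log (not captured traffic) through a per-client token bucket, a hypothetical policy of 2 requests per second with bursts of up to 5. The flooding client is throttled while the normal client is never touched.

```python
from collections import defaultdict

# Constructed request log for illustration, not captured traffic:
# (timestamp in milliseconds, client IP). 203.0.113.7 fires 20 requests
# in under a second; 198.51.100.20 sends one request per second.
FLOOD_CLIENT = "203.0.113.7"
NORMAL_CLIENT = "198.51.100.20"
REQUESTS = sorted(
    [(ms, FLOOD_CLIENT) for ms in range(0, 1000, 50)]
    + [(ms, NORMAL_CLIENT) for ms in range(0, 5000, 1000)]
)


class TokenBucket:
    """Per-client token bucket. Integer maths (thousandths of a token)
    so the refill arithmetic is exact and easy to reason about."""

    def __init__(self, rate_per_sec, burst):
        self.refill_per_ms = rate_per_sec      # tokens/s == thousandths of a token per ms
        self.capacity = burst * 1000
        self.tokens = self.capacity            # start full: a short burst is fine
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is not None:
            elapsed = now_ms - self.last_ms
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_ms)
        self.last_ms = now_ms
        if self.tokens >= 1000:                # one whole token per request
            self.tokens -= 1000
            return True
        return False


def apply_rate_limit(requests, rate_per_sec=2, burst=5):
    """Run every request through its client's bucket and return per-client
    counts. Policy values are hypothetical; tune them to the real service."""
    buckets = defaultdict(lambda: TokenBucket(rate_per_sec, burst))
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts_ms, client in requests:
        verdict = "allowed" if buckets[client].allow(ts_ms) else "dropped"
        stats[client][verdict] += 1
    return dict(stats)


if __name__ == "__main__":
    for client, counts in apply_rate_limit(REQUESTS).items():
        print(client, counts)
```

Keying the bucket on the client IP is the simplest choice, and also the weakness: a DDoS spreads the same flood over thousands of sources, each staying under the limit. That is why the list above pairs rate limiting with a CDN or scrubbing service that sees the whole picture.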


Spoofing Attacks

What it is: Pretending to be someone or something else to gain trust or bypass controls.

Common types:

  • IP spoofing: Faking the source IP to hide the attacker or to redirect responses to a victim.

  • ARP spoofing (LAN): Sending forged ARP replies that claim “IP address X is at my MAC address,” so hosts on the LAN send traffic meant for X (usually the gateway) through the attacker.

  • DNS spoofing: Returning a fake IP for a real domain so users land on the wrong site.

  • Email spoofing: Sending mail that looks like it came from a trusted address.

Example scenario: An attacker on the same Wi-Fi uses ARP spoofing to make your laptop send traffic to them first, then on to the gateway.

Basic defenses: Use network segmentation, static ARP entries or dynamic ARP inspection on managed switches for critical hosts, DNSSEC with validating resolvers where possible, SPF/DKIM/DMARC for email, and mutual authentication (for example, mTLS) so a forged address on its own gets an attacker nothing.
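Here is what the ARP scenario above looks like from the victim’s side, as an added example (not code from the original post). It replays a constructed sequence of ARP replies, not a real capture, and raises alerts on the two signs a spoofing tool leaves behind: an IP you already know suddenly answering from a different MAC, and one MAC claiming both the gateway’s and the victim’s address. The trusted table stands in for static ARP entries pinned by an administrator.

```python
from collections import defaultdict

# Constructed sequence of ARP replies ("IP x is at MAC y") as a host on the
# LAN would see them; not a real capture. The gateway is 192.168.1.1.
ARP_REPLIES = [
    (1, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # gateway, genuine
    (2, "192.168.1.10", "aa:bb:cc:00:00:10"),   # victim laptop, genuine
    (3, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # gateway again, genuine
    (4, "192.168.1.1",  "de:ad:be:ef:00:99"),   # attacker claims the gateway IP
    (5, "192.168.1.10", "de:ad:be:ef:00:99"),   # ...and the victim's IP too
]

# Static ARP entries an administrator might pin on a critical host (assumed).
TRUSTED = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_spoofing(replies, trusted=None):
    """Flag two signs of ARP spoofing:
    - an IP we already know suddenly maps to a different MAC
    - one MAC claiming more than one IP (the attacker poisons both ends
      so it can sit between victim and gateway)
    Returns the alerts in the order they were raised.
    Caveat: routers and hosts with several addresses legitimately answer for
    more than one IP, so the second rule needs an allowlist in real use."""
    ip_to_mac = dict(trusted or {})
    mac_to_ips = defaultdict(set)
    alerts = []
    for seq, ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac        # first sighting: learn it
        elif known != mac:
            alerts.append({"seq": seq, "kind": "ip_changed_mac",
                           "ip": ip, "expected": known, "seen": mac})
            # keep the first-seen/static mapping so later poisoned replies still alert
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append({"seq": seq, "kind": "mac_claims_multiple_ips",
                           "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, TRUSTED):
        print(alert)
```

Tools such as arpwatch do essentially this on a real interface. Note that the detector only sees replies after the fact; a static entry or dynamic ARP inspection on the switch is what actually stops the poisoned reply from being used.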


Reflection and Amplification Attacks

What it is: A special kind of DDoS where the attacker sends small requests to legitimate servers but forges the victim’s IP as the source. Those servers “reflect” large replies back at the victim. If the reply is much larger than the request, that’s amplification.

How it works:

  1. Attacker sends a tiny request to many public servers (like open DNS or NTP).

  2. Each server sends a much larger response to the spoofed source (the victim).

  3. The victim is crushed by traffic it never asked for.

Examples: DNS amplification, NTP amplification, SSDP, CLDAP, and memcached-based amplification.

Basic defenses: Block IP spoofing at network edges (BCP 38 ingress/egress filtering), close or secure open resolvers and NTP servers (restrict who may query them and disable legacy commands such as NTP monlist), rate limit responses (for example, DNS Response Rate Limiting), and use DDoS protection services.
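The three steps above and the BCP 38 defense, worked through as an added example (not code from the original post). The packet sizes are constructed approximations, not measurements, and the addresses are documentation ranges. The point it makes: a spoofed request can only be dropped at the network it leaves, because by the time the reflector or the victim sees it the source address is already a lie.

```python
import ipaddress

# Constructed, approximate sizes: a ~60-byte DNS query that elicits a
# ~3000-byte response from an open resolver. Not measured values.
REQUEST_BYTES = 60
RESPONSE_BYTES = 3000


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification: bytes that hit the victim per byte the attacker sends."""
    return response_bytes / request_bytes


def bcp38_egress_filter(packets, customer_prefixes):
    """Drop any packet leaving the customer network whose source address does
    not belong to that network. That is all BCP 38 asks of a provider, and it
    is enough to stop spoofed requests at the source, before any reflector
    ever sees them."""
    nets = [ipaddress.ip_network(p) for p in customer_prefixes]
    forwarded, dropped = [], []
    for pkt in packets:
        src = ipaddress.ip_address(pkt["src"])
        (forwarded if any(src in n for n in nets) else dropped).append(pkt)
    return forwarded, dropped


def reflected_bytes_at(victim_ip, forwarded, reflector_ip, response_bytes):
    """Traffic the victim receives: every forwarded request to the reflector
    carrying the victim's forged address yields one large response."""
    return sum(response_bytes for p in forwarded
               if p["dst"] == reflector_ip and p["src"] == victim_ip)


# Constructed packets leaving the customer network 198.51.100.0/24.
REFLECTOR = "192.0.2.53"      # an open resolver somewhere on the internet
VICTIM = "203.0.113.9"        # the address the attacker forges as source
PACKETS = (
    [{"src": "198.51.100.5", "dst": REFLECTOR, "len": REQUEST_BYTES}]       # genuine lookup
    + [{"src": VICTIM, "dst": REFLECTOR, "len": REQUEST_BYTES}] * 1000     # spoofed flood
)


def simulate(filtering_enabled):
    """Bytes the victim receives from this one network, with or without BCP 38."""
    if filtering_enabled:
        forwarded, _ = bcp38_egress_filter(PACKETS, ["198.51.100.0/24"])
    else:
        forwarded = PACKETS
    return reflected_bytes_at(VICTIM, forwarded, REFLECTOR, RESPONSE_BYTES)


if __name__ == "__main__":
    print("amplification factor:", amplification_factor(REQUEST_BYTES, RESPONSE_BYTES))
    print("victim receives without BCP 38:", simulate(False), "bytes")
    print("victim receives with BCP 38:   ", simulate(True), "bytes")
```

The genuine lookup from 198.51.100.5 is still forwarded, so the filter costs legitimate users nothing. The catch in practice is that BCP 38 protects other people’s networks, not your own, which is why adoption has been slow and why the other defenses in the list are still needed.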


Man-in-the-Middle (MitM)

What it is: Intercepting and possibly altering traffic between two parties without them knowing.

How it works: On local networks, attackers often use ARP spoofing to sit between you and the gateway. On public Wi-Fi, they might create an “evil twin” access point with the same name as a real one. They can read unencrypted data, inject content, or downgrade encryption.

Examples:

  • Capturing logins from an unencrypted website over coffee shop Wi-Fi.

  • SSL stripping: The attacker intercepts the victim’s first plain-HTTP request and keeps rewriting https:// links to http://, speaking HTTPS to the real site while the victim speaks HTTP to the attacker, who sees everything in the clear.

Basic defenses: Prefer HTTPS everywhere and check the domain in the address bar, not just the padlock (the padlock only says the connection to that domain is encrypted, not that the domain is the one you meant), use a VPN on untrusted networks, enable HSTS for websites (ideally on the browser preload list, so even the first visit is protected), and use certificate pinning for apps.
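To see why HSTS is the answer to SSL stripping, here is a small model of a browser’s HSTS store, added here as an example and not code from the original post. The host names are made up. It shows the rule that matters: once a site has sent Strict-Transport-Security over HTTPS, the browser rewrites any http:// URL for that site to https:// before a single packet leaves the machine, so the stripped link never reaches the attacker. It also shows the two gaps: the very first visit is unprotected unless the site is preloaded, and the header is ignored when it arrives over plain HTTP (otherwise an attacker on the path could set or clear it).

```python
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    """Minimal model of a browser's HSTS store: host -> (expiry, include_subdomains)."""

    def __init__(self, preload=()):
        # Preloaded hosts are baked into the browser, so they are protected
        # even on the very first visit. Expiry None means "never expires".
        self.entries = {host: (None, True) for host in preload}

    def remember(self, host, header, now, over_https):
        """Process a Strict-Transport-Security header value for `host`."""
        if not over_https:
            return                         # browsers ignore HSTS sent over plain HTTP
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                max_age = int(value)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return                         # malformed header: ignore it
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 tells the browser to forget
            return
        self.entries[host] = (now + max_age, include_sub)

    def should_upgrade(self, host, now):
        """True if host, or a parent domain with includeSubDomains, has a live entry."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry is not None and expiry <= now:
                continue                   # expired entry no longer protects
            if i == 0 or include_sub:
                return True
        return False


def navigate(url, cache, now):
    """Return the URL the browser actually requests. With a live HSTS entry the
    http:// URL an attacker stripped the page to is rewritten to https://
    locally, so the plaintext request is never sent."""
    parts = urlsplit(url)
    if parts.scheme == "http" and cache.should_upgrade(parts.hostname, now):
        return urlunsplit(parts._replace(scheme="https"))
    return url


if __name__ == "__main__":
    cache = HstsCache()
    print(navigate("http://bank.example/login", cache, now=0))    # first visit: still http
    cache.remember("bank.example", "max-age=31536000; includeSubDomains", now=0, over_https=True)
    print(navigate("http://bank.example/login", cache, now=10))   # now upgraded
    print(navigate("http://www.bank.example/", cache, now=10))    # subdomain covered too
```

The first-visit gap is exactly what the preload list closes, and it is why a sane HSTS rollout ends with a long max-age, includeSubDomains, and a preload submission.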


Reconnaissance Attacks

What it is: Information gathering. Attackers map the target before they strike.

Types:

  • Passive recon: OSINT like company websites, LinkedIn, job posts, paste sites, and public code repos.

  • Active recon: Network probing such as ping sweeps, port scans, banner grabbing, and DNS zone transfers.

Examples:

  • Scanning a company’s IP range to find exposed RDP or SSH.

  • Reading a job post that reveals which firewall or SIEM the company uses.

Basic defenses: Reduce the public footprint (retire unused hosts and DNS records), restrict DNS zone transfers to known secondary servers, limit what whois data exposes where possible, detect scans with IDS/IPS, and block or tarpit sources that keep probing.
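Detecting active recon is mostly counting. The example below is added here and is not code from the original post; it runs over constructed firewall log lines (not a real log) and separates the two shapes a scan takes: a port scan (many ports on one host) and a host sweep (one port, such as RDP’s 3389, across many hosts). The thresholds are hypothetical.

```python
from collections import defaultdict

# Constructed firewall log lines (timestamp src dst dport), not a real log.
# 198.51.100.77 walks ports 1-15 on one host (port scan); 198.51.100.78 tries
# 3389 on twelve hosts (sweep for exposed RDP); 198.51.100.5 is a normal user
# talking to the web server.
LOG_LINES = (
    [f"2024-05-01T10:00:{i:02d}Z 198.51.100.77 203.0.113.10 {port}"
     for i, port in enumerate(range(1, 16))]
    + [f"2024-05-01T10:01:{i:02d}Z 198.51.100.78 203.0.113.{host} 3389"
       for i, host in enumerate(range(1, 13))]
    + [f"2024-05-01T10:02:{i:02d}Z 198.51.100.5 203.0.113.10 443" for i in range(3)]
)


def parse_line(line):
    ts, src, dst, dport = line.split()
    return ts, src, dst, int(dport)


def classify_probing(lines, port_threshold=10, host_threshold=10):
    """Per source address: a port scan touches many ports on one host, a host
    sweep touches one port on many hosts. Thresholds are hypothetical; tune
    them to your network, and remember that a slow scan spread over hours
    needs a longer window than a single log batch."""
    ports_by_host = defaultdict(lambda: defaultdict(set))   # src -> dst -> {ports}
    hosts_by_port = defaultdict(lambda: defaultdict(set))   # src -> port -> {dsts}
    for line in lines:
        _, src, dst, dport = parse_line(line)
        ports_by_host[src][dst].add(dport)
        hosts_by_port[src][dport].add(dst)

    findings = {}
    for src in ports_by_host:
        kinds = []
        if any(len(ports) >= port_threshold for ports in ports_by_host[src].values()):
            kinds.append("port_scan")
        if any(len(hosts) >= host_threshold for hosts in hosts_by_port[src].values()):
            kinds.append("host_sweep")
        if kinds:
            findings[src] = kinds
    return findings


if __name__ == "__main__":
    for src, kinds in classify_probing(LOG_LINES).items():
        print(src, kinds)
```

The normal user never appears in the findings, which is the property to keep when you lower the thresholds. The same counting logic is what an IDS does before it decides to tarpit or block the source.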


Malware

What it is: Malicious software designed to damage, spy, or make money.

Common types:

  • Virus: Attaches to files and spreads when files move.

  • Worm: Spreads on its own over networks.

  • Trojan: Disguised as something useful but opens a backdoor.

  • Ransomware: Encrypts files and demands payment.

  • Spyware/Keylogger: Steals data and keystrokes.

  • Rootkit: Hides itself to maintain control.

  • Botnet client: Turns the device into a node for DDoS or spam.

Examples: A user installs a “free” video converter that silently steals browser passwords and joins a botnet.

Basic defenses: Keep systems patched, use reputable antivirus/EDR, block macros by default, restrict admin rights, limit script execution, and back up data offline to recover from ransomware.


Social Engineering

What it is: Tricking people rather than hacking systems. Humans are often the easiest way in.

Common tactics:

  • Phishing: Generic email with a malicious link or attachment.

  • Spear phishing: Personalized to a specific person or role.

  • Whaling: Targets executives.

  • Smishing/Vishing: Phishing by SMS or voice call.

  • Pretexting: Inventing a believable story to get info or access.

  • Baiting/Tailgating: Leaving infected USBs or following someone into a secure area.

Examples: An email that looks like it came from HR with “updated salary schedule.xlsx” that asks you to enable macros.

Basic defenses: Security awareness training, strong email filtering, verify requests by a second channel, strict visitor policies, and least privilege so one mistake does less damage.


Password Attacks

What it is: Attempts to guess, steal, or reuse your passwords.

Common types:

  • Brute force: Tries every possible combination.

  • Dictionary attack: Tries common words and patterns.

  • Credential stuffing: Reuses breached username/password pairs across sites.

  • Password spraying: Tries a few common passwords across many accounts to avoid lockouts.

  • Keylogging/Shoulder surfing: Captures what you type or see.

Examples: Attackers use a list from a past breach to log in to your email because you reused the same password.

Basic defenses: Use unique passphrases for every site, enable multi-factor authentication, set lockout and rate limits, check for breached credentials, and use a password manager.
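Brute force and password spraying look completely different in an authentication log, and the difference matters for the “set lockout and rate limits” advice above: a per-account lockout never fires on spraying, because that is the whole point of spraying. The example below is added here (not code from the original post) and classifies a constructed authentication log, not a real one, by counting failures per source address instead of per account.

```python
import re
from collections import defaultdict

# Constructed authentication log, not from a real system.
# 203.0.113.5 hammers one account (brute force); 203.0.113.6 tries one
# password against many accounts (password spraying); 198.51.100.9 is a
# user who mistyped twice and then got in.
AUTH_LOG = (
    [f"2024-05-01T09:00:{i:02d}Z FAIL user=alice src=203.0.113.5" for i in range(30)]
    + [f"2024-05-01T09:01:{i:02d}Z FAIL user=user{i:02d} src=203.0.113.6" for i in range(20)]
    + ["2024-05-01T09:02:00Z FAIL user=bob src=198.51.100.9",
       "2024-05-01T09:02:05Z FAIL user=bob src=198.51.100.9",
       "2024-05-01T09:02:10Z OK user=bob src=198.51.100.9"]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def classify_auth_failures(lines, brute_threshold=10, spray_threshold=10):
    """Group failed logins by source address.
    - brute_force: many failures against a single account from one source
    - password_spray: failures spread over many accounts, one or two each
    Thresholds are hypothetical. Credential stuffing looks like spraying
    from this angle but with a much higher success rate, so a real detector
    also watches OK lines from the same source."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failures
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                # skip unparseable lines
        if m["result"] == "FAIL":
            fails[m["src"]][m["user"]] += 1

    findings = {}
    for src, per_user in fails.items():
        kinds = []
        if max(per_user.values()) >= brute_threshold:
            kinds.append("brute_force")
        spread = sum(1 for n in per_user.values() if n <= 2)
        if spread >= spray_threshold:
            kinds.append("password_spray")
        if kinds:
            findings[src] = kinds
    return findings


if __name__ == "__main__":
    for src, kinds in classify_auth_failures(AUTH_LOG).items():
        print(src, kinds)
```

Bob’s two typos stay below both thresholds, which is what you want: a detector that pages you for every mistyped password gets switched off within a week.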


Bringing It Together

These attacks often combine. A campaign might start with reconnaissance, use phishing to get a foothold, drop malware, move laterally, and launch a DDoS as a distraction. Knowing the patterns helps you spot early signs and respond faster.


Multi-Factor Authentication (MFA)

One of the simplest but most effective ways to protect your accounts is Multi-Factor Authentication, often shortened to MFA. The idea is that instead of relying on just a password, you need to provide two or more different factors to prove it’s really you.

These factors usually fall into three categories:

  • Something you know – like a password or PIN.

  • Something you have – like your phone, a hardware token, or a smart card.

  • Something you are – like your fingerprint, face, or voice.

When you combine at least two of these, it becomes much harder for attackers to break in. Even if they manage to steal your password, they would still need your phone or fingerprint to get access.

Example: Let’s say someone guesses your email password. Without MFA, they can log right in. But with MFA enabled, they’ll also need the code sent to your phone or generated by an authenticator app. That extra step can stop them in their tracks.

Common forms of MFA:

  • SMS codes (less secure, since they can be redirected by SIM swapping or simply phished, but still better than nothing).

  • Authenticator apps like Google Authenticator, Authy, or Microsoft Authenticator.

  • Push notifications to your phone.

  • Hardware keys like YubiKey or Titan Security Key.

  • Biometric authentication (fingerprint or face scan).

MFA isn’t perfect. Codes and push approvals can still be bypassed by real-time phishing proxies, push-notification spamming, or SIM swapping, but it adds a strong extra layer of defense. Hardware keys that use FIDO2/WebAuthn are the exception: the key signs a challenge tied to the real site’s origin, so a phishing page cannot replay the login. For most people and organizations, enabling MFA is one of the easiest and most effective ways to improve security.
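The “code generated by an authenticator app” is a TOTP, and the algorithm is short enough to show in full. The example below is added here and is not code from the original post; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library and checks itself against the test secret and codes published in those RFCs. The verifier class adds the two things a server must get right: tolerate a step of clock skew, and never accept the same code twice.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), used here
# because the RFCs publish the codes it should produce. Real secrets are
# random bytes generated at enrolment and shared with the app as base32.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = Unix time // step."""
    return hotp(secret, int(for_time) // step, digits)


class TotpVerifier:
    """Server-side check. Accepts the current step plus `window` steps either
    side for clock skew, and refuses any step at or before the last one that
    was accepted, so a captured code cannot be replayed (RFC 6238 sec. 5.2)."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter_used = None

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        current = int(now) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if self.last_counter_used is not None and counter <= self.last_counter_used:
                continue                                # already consumed, or older
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter_used = counter
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))          # RFC 4226: 755224
    print("TOTP at t=59:  ", totp(TEST_SECRET, 59))         # RFC 6238: 287082
    print("TOTP now:      ", totp(TEST_SECRET, time.time()))
```

This is also why TOTP is not phishing-resistant: the code depends only on the shared secret and the time, so a proxy that relays it within the 30-second window gets in. Nothing in the code ties it to the site the user thinks they are on, which is the property a FIDO2 key adds.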


Digital Certificates

When you visit a website and see the padlock icon in your browser, that’s where digital certificates come into play. A digital certificate is like an online ID card issued by a trusted organization called a Certificate Authority (CA). It helps prove that a website, server, or person is really who they claim to be.

How it works

  • The website presents its digital certificate to your browser.

  • The certificate includes the site’s public key and is signed by a trusted CA.

  • Your browser checks that the signature chains up to a CA it trusts, that the certificate has not expired or been revoked, and that the name in the certificate matches the domain you typed.

  • If everything matches, a secure encrypted connection (HTTPS) is established.

This process is part of Public Key Infrastructure (PKI), which is the system that manages, issues, and validates certificates.

Why it matters

Without certificates, you wouldn’t know if the site you’re connecting to is legitimate or an attacker pretending to be it. Anyone can generate a key pair; what a certificate adds is a trusted third party vouching that this public key belongs to this domain. That is what stops a man-in-the-middle from simply substituting a key of their own while your data is in transit.

Example

When you go to https://yourbank.com, your browser verifies the bank’s certificate. If the certificate isn’t valid, you’ll see a warning like “Your connection is not private.” That’s your browser telling you not to trust the site.

Key points to remember

  • Certificates prove identity and enable encryption.

  • They’re issued by trusted Certificate Authorities (like DigiCert, GlobalSign, Let’s Encrypt).

  • Expired or self-signed certificates can trigger warnings.

  • They are crucial for websites, VPNs, email servers, and many enterprise systems.

In short, digital certificates build trust online. They make sure that when you connect to a website or service, you’re really talking to the right one and that your communication stays private.


Controlling and Monitoring Users with AAA

In security, one of the most important tasks is making sure that the right people can access the right resources and that their actions are tracked. This is where AAA comes in: Authentication, Authorization, and Accounting.

Authentication

This is the process of verifying who a user is. Essentially, it answers the question: “Are you really who you say you are?”

  • Examples: Entering a username and password, using a fingerprint, or scanning a face.

  • Multi-Factor Authentication (MFA), which we discussed earlier, is an advanced form of authentication.

Authorization

Once a user is authenticated, the system needs to decide what they’re allowed to do. This is authorization. It answers the question: “Now that we know who you are, what can you access?”

  • Example: An employee might be able to read files in the marketing folder but not delete files from the finance folder.

Accounting

Accounting tracks what users do while they’re logged in. It answers: “What actions did this user take?”

  • Examples: Logging which files were accessed, what commands were run on a server, or how long someone was connected.

  • Accounting is useful for auditing, troubleshooting, and detecting suspicious activity.

Putting It Together

AAA is used in many systems, including networks, servers, and cloud services. For example, a corporate VPN might:

  1. Authenticate a user with a username, password, and phone code.

  2. Authorize them to access only certain internal servers.

  3. Account for their session, logging which resources they accessed and for how long.

By combining authentication, authorization, and accounting, organizations can control access, enforce security policies, and keep detailed records to detect and respond to security incidents.
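The VPN walkthrough above, reduced to code as an added example (not code from the original post). Everything in it is hypothetical: the user store, the role-to-permission policy, and the in-memory audit log standing in for a SIEM. It shows the three A’s as three separate decisions, with accounting recording every outcome, including the failures a brute-force detector would later look for. The second factor from the VPN example is left out here; it would slot into authenticate() after the password check.

```python
import hashlib
import hmac
import os
import time


def _hash_password(password, salt, iterations=200_000):
    """Salted PBKDF2; stored in place of the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


# Hypothetical user store. Salt is random per user, as it should be.
_ALICE_SALT = os.urandom(16)
USERS = {
    "alice": {"salt": _ALICE_SALT,
              "hash": _hash_password("correct horse battery staple", _ALICE_SALT),
              "roles": ["marketing"]},
}

# Hypothetical authorization policy: role -> {(action, path prefix)}.
# Alice can read marketing files; only finance may delete finance files.
POLICY = {
    "marketing": {("read", "marketing/")},
    "finance": {("read", "finance/"), ("delete", "finance/")},
}


class Accounting:
    """Append-only record of what happened. In production this is shipped to
    syslog or a SIEM the user cannot edit, not kept in a list in memory."""

    def __init__(self):
        self.events = []

    def record(self, user, event, outcome, **details):
        self.events.append({"time": time.time(), "user": user,
                            "event": event, "outcome": outcome, **details})


AUDIT = Accounting()


def authenticate(username, password):
    """Authentication: who are you? Returns a session dict or None.
    Both outcomes are accounted for."""
    record = USERS.get(username)
    # Do the same work for unknown users so response time does not reveal
    # which usernames exist.
    salt = record["salt"] if record else os.urandom(16)
    candidate = _hash_password(password, salt)
    ok = record is not None and hmac.compare_digest(candidate, record["hash"])
    AUDIT.record(username, "login", "success" if ok else "failure")
    if not ok:
        return None
    return {"user": username, "roles": list(record["roles"])}


def authorize(session, action, path):
    """Authorization: now that we know who you are, may you do this?"""
    for role in session["roles"]:
        for allowed_action, prefix in POLICY.get(role, ()):
            if action == allowed_action and path.startswith(prefix):
                return True
    return False


def access(session, action, path):
    """Authorization decision plus accounting of the attempt, allowed or not."""
    allowed = authorize(session, action, path)
    AUDIT.record(session["user"], action, "allowed" if allowed else "denied", path=path)
    return allowed
```

A typical run: `authenticate("alice", "wrong")` returns None and leaves a failure event; a correct login returns a session; `access(session, "read", "marketing/plan.docx")` is allowed and `access(session, "delete", "finance/ledger.xlsx")` is denied, and the audit log holds all four events in order. The denied attempt is just as valuable in the log as the allowed one: a user suddenly probing folders outside their role is an early sign of a compromised account.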


Security Program Awareness

Security is not just about tools and technology, it’s also about people. A security program is an organized set of policies, practices, and training designed to protect an organization’s information and systems. Being aware of this program helps employees understand their role in keeping the organization safe.

Why Awareness Matters

Even the best security systems can fail if people don’t follow basic practices. Humans are often the weakest link in security. For example, a phishing email can trick someone into giving away credentials, no matter how strong the network defenses are. Awareness programs aim to reduce these risks by educating everyone about threats and safe behaviors.

Common Elements of Security Awareness Programs

  • Policies and Guidelines: Clear rules for using devices, accessing systems, and handling data.

  • Training Sessions: Teaching employees how to spot phishing, secure passwords, and safe web habits.

  • Simulated Attacks: Mock phishing emails or social engineering tests to reinforce learning.

  • Regular Updates: Informing staff about new threats or changes in company policies.

  • Reporting Channels: Making it easy for employees to report suspicious activity.

Example in Practice

A company may run a monthly phishing simulation. Employees who click on the fake phishing link get immediate feedback and learn what signs to look for. This builds awareness and reduces the chance of falling for real attacks.

Key Takeaway

Security is everyone’s responsibility. Awareness programs help employees understand threats, follow safe practices, and respond correctly when they encounter suspicious activity. When everyone knows the basics, the organization as a whole becomes stronger against attacks.


Wrapping Up

Security is a broad topic, but it all comes down to one main idea: protecting information and systems from threats while keeping them available and trustworthy. In this blog, we covered the basics from why security matters and the CIA triad, to common attacks, defenses like multi-factor authentication and digital certificates, controlling users with AAA, and the importance of security program awareness.

No system is perfectly secure, but understanding these fundamentals helps you reduce risks and respond effectively when issues arise. Security isn’t just a technical problem; it’s also about people, processes, and awareness. By building a solid foundation, you’ll be better prepared to protect yourself, your organization, or your future systems from common threats.

This is just the beginning. Keep exploring, learning, and practicing these fundamentals, because the more you understand security, the more confident and capable you’ll be in the digital world.


Written by

Pits