CIA Triad & Security Fundamentals

The foundation of information security

Core Principles

  • Confidentiality — Ensuring information is accessible only to authorized individuals
    Encryption, Access Controls, Data Classification
  • Integrity — Maintaining accuracy and completeness of data
    Hashing, Digital Signatures, Version Control
  • Availability — Ensuring information is accessible when needed
    Redundancy, Load Balancing, Backup Systems

Additional Security Concepts

  • AAA Framework — Authentication, Authorization, Accounting
  • Non-Repudiation — Preventing denial of actions
  • Defense in Depth — Multiple security layers
  • Least Privilege — Minimal access required
Remember: Security is a combination of People, Processes, and Technology. Technical controls alone cannot guarantee security without proper processes and trained personnel.

Common Threats & Mitigation Strategies

Modern threats and defense mechanisms

Threat Categories

  • Social Engineering — Phishing, Vishing, Smishing, Baiting
    Mitigation: Security awareness training, email filtering, MFA
  • Malware — Viruses, Worms, Trojans, Ransomware, Spyware
    Mitigation: EDR solutions, regular patching, least privilege
  • Network Attacks — DDoS, MITM, DNS Spoofing, ARP Poisoning
    Mitigation: Firewalls, IDS/IPS, rate limiting, DNSSEC
  • Application Attacks — SQLi, XSS, CSRF, Buffer Overflow
    Mitigation: Input validation, WAF, secure coding practices

Networking Fundamentals & Subnetting

Essential network concepts for security professionals

IPv4 Addressing

  • Class A (1.0.0.0 - 126.0.0.0) — Large networks, /8 mask
  • Class B (128.0.0.0 - 191.255.0.0) — Medium networks, /16 mask
  • Class C (192.0.0.0 - 223.255.255.0) — Small networks, /24 mask
  • Private Ranges:
    • 10.0.0.0/8 (16,777,216 hosts)
    • 172.16.0.0/12 (1,048,576 hosts)
    • 192.168.0.0/16 (65,536 hosts)

Subnetting Examples

192.168.1.0/24 → Network: 192.168.1.0, Broadcast: 192.168.1.255, Hosts: 192.168.1.1 - 192.168.1.254
10.0.0.0/16 → Network: 10.0.0.0, Broadcast: 10.0.255.255, Hosts: 10.0.0.1 - 10.0.255.254
Network Segmentation Best Practice: Separate management, servers, users, and IoT devices into different VLANs/subnets. Use firewall rules to control inter-VLAN communication.

pfSense Firewall Administration

Enterprise-grade firewall configuration and management

Initial Setup Checklist

  1. WAN Configuration — Set up DHCP/PPPoE/Static IP based on ISP requirements
  2. LAN Configuration — Define internal network (e.g., 192.168.1.1/24)
  3. Admin Password — Change default credentials immediately
  4. Firmware Update — Update to latest stable version
  5. Package Installation — Install essential packages:

VLAN Configuration

Interfaces → Assignments → VLANs → Add VLAN
  • VLAN 10: Management (192.168.10.0/24)
  • VLAN 20: Servers (192.168.20.0/24)
  • VLAN 30: Users (192.168.30.0/24)
  • VLAN 40: IoT/Guests (192.168.40.0/24)
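The subnet arithmetic from the Subnetting Examples and a sanity check of the four-VLAN plan above, written here as an added example (not part of the original notes or of pfSense): it computes network, broadcast and usable host range for any CIDR and flags VLAN subnets that overlap or fall outside the RFC 1918 private ranges. The VLAN_PLAN mapping is constructed from the list above.

```python
import ipaddress

# RFC 1918 private ranges, as listed under IPv4 Addressing.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed from the VLAN list above: VLAN id -> subnet.
VLAN_PLAN = {10: "192.168.10.0/24", 20: "192.168.20.0/24",
             30: "192.168.30.0/24", 40: "192.168.40.0/24"}


def subnet_summary(cidr):
    """Network, broadcast, first/last usable host and usable host count for a CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.num_addresses > 2:
        first, last = net.network_address + 1, net.broadcast_address - 1
        usable = net.num_addresses - 2          # network and broadcast are reserved
    else:  # /31 (RFC 3021 point-to-point) and /32 reserve nothing
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    return {"network": str(net.network_address), "broadcast": str(net.broadcast_address),
            "first_host": str(first), "last_host": str(last), "usable_hosts": usable}


def validate_plan(plan):
    """Return findings for a VLAN plan: invalid CIDRs, non-private space, overlaps."""
    findings, nets = [], {}
    for vlan, cidr in plan.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)   # host bits set -> ValueError
        except ValueError as exc:
            findings.append(f"VLAN {vlan}: {cidr} is not a valid network ({exc})")
            continue
        if not any(net.subnet_of(p) for p in PRIVATE_RANGES):
            findings.append(f"VLAN {vlan}: {cidr} is not in RFC 1918 private space")
        nets[vlan] = net
    vlans = sorted(nets)
    for i, a in enumerate(vlans):                # pairwise overlap check
        for b in vlans[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"VLAN {a} ({nets[a]}) overlaps VLAN {b} ({nets[b]})")
    return findings


if __name__ == "__main__":
    for cidr in ("192.168.1.0/24", "10.0.0.0/16"):
        print(cidr, subnet_summary(cidr))
    print("plan findings:", validate_plan(VLAN_PLAN) or "none")
```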

Firewall Rule Best Practices

  • Default Deny — Block all incoming traffic by default
  • Explicit Allow — Only permit necessary traffic
  • Stateful Inspection — Enable stateful firewall
  • Logging — Enable logging for critical rules
  • Regular Review — Audit rules quarterly
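To make the default-deny / explicit-allow / logging rules above concrete, this added example (not pfSense code, and not from the original notes) models a first-match rule list for the four VLANs: only necessary traffic is permitted, anything that matches no rule is blocked and logged, and rule order decides the outcome. The POLICY rules are constructed; a real stateful firewall also passes reply traffic automatically, so only the initiating direction is listed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR); 0.0.0.0/0 = anywhere
    dport: Optional[int]   # destination port, None = any
    description: str
    log: bool = False      # Logging: enable for critical rules


# Constructed inter-VLAN policy (explicit allows; the implicit last rule is deny).
# Rule 3 must precede rule 4, or IoT/Guests would reach internal VLANs via the
# broader "to Internet" allow: order matters in a first-match list.
POLICY = [
    Rule("pass", "192.168.10.0/24", "0.0.0.0/0", None, "Management to anywhere", log=True),
    Rule("pass", "192.168.30.0/24", "192.168.20.0/24", 443, "Users to Servers HTTPS"),
    Rule("block", "192.168.40.0/24", "192.168.0.0/16", None, "IoT/Guests to internal", log=True),
    Rule("pass", "192.168.40.0/24", "0.0.0.0/0", None, "IoT/Guests to Internet"),
]


def evaluate(policy, src_ip, dst_ip, dport, log):
    """First matching rule wins; no match means default deny, always logged."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in policy:
        if (s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst)
                and (rule.dport is None or rule.dport == dport)):
            if rule.log:
                log.append(f"{rule.action.upper()} {src_ip}->{dst_ip}:{dport} ({rule.description})")
            return rule.action
    log.append(f"BLOCK {src_ip}->{dst_ip}:{dport} (default deny)")
    return "block"


if __name__ == "__main__":
    events = []
    for pkt in (("192.168.30.15", "192.168.20.5", 443), ("192.168.30.15", "192.168.20.5", 22),
                ("192.168.40.7", "192.168.10.1", 443), ("192.168.40.7", "198.51.100.9", 443)):
        print(pkt, "->", evaluate(POLICY, *pkt, events))
    print("\n".join(events))
```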

NAT Configuration

  • Automatic Outbound NAT — Usually sufficient for most networks
  • Port Forwarding — Forward specific ports to internal servers
  • 1:1 NAT — For DMZ or exposed services
  • NAT Reflection — Enable for internal access to forwarded services
Important: Always backup configuration before major changes. Use Diagnostics → Backup & Restore to save configuration files.

Intrusion Detection & Prevention Systems (Snort)

Network monitoring and threat prevention

Snort Configuration Guide

  1. Installation — Install Snort package via pfSense package manager
  2. Interface Selection — Enable on LAN/WAN interfaces as needed
  3. Rule Management — Subscribe to Emerging Threats or Snort VRT
  4. Mode Selection — Start with IDS (alert-only) mode
  5. Testing — Generate test traffic to verify detection
  6. Tuning — Suppress false positives, customize rules
  7. IPS Mode — Enable blocking after confidence in rules

Essential Snort Rules

alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; ...)
alert tcp any any -> $HOME_NET 80 (msg:"SQL Injection Attempt"; ...)
  • Emerging Threats (ET) — Free community ruleset
  • Snort VRT — Commercial rules with subscription
  • Talos Rules — Cisco's comprehensive ruleset

Network Traffic Monitoring (ntopng)

Real-time network visibility and analytics

ntopng Features

  • Traffic Analysis — Identify top talkers and applications
  • Flow Monitoring — Track network conversations
  • Alerting — Configure alerts for anomalies
  • Historical Data — Store and analyze historical traffic patterns
  • Security Monitoring — Detect suspicious activities

SIEM & Splunk Fundamentals

Security Information and Event Management

Splunk Configuration

  1. Data Inputs — Configure firewall, server, and application logs
  2. Source Types — Define log formats for proper parsing
  3. Field Extraction — Extract relevant fields from logs
  4. Dashboards — Create security dashboards
  5. Alerts — Set up alerts for security events
  6. Correlation Searches — Create complex detection rules

Essential SPL Queries

index=firewall | stats count by src_ip | sort -count | head 10
index=auth | search action=failure | stats count by user | sort -count

ISO 27001 Information Security Management

International security standard implementation

ISO 27001 Implementation Steps

  1. Scope Definition — Define ISMS boundaries
  2. Leadership Commitment — Obtain management support
  3. Risk Assessment — Identify and analyze risks
  4. Risk Treatment — Select controls from Annex A
  5. Documentation — Create policies and procedures
  6. Implementation — Deploy controls
  7. Internal Audit — Conduct regular audits
  8. Management Review — Review ISMS performance
  9. Continual Improvement — Implement improvements

Essential Documentation

  • ISMS Scope Statement
  • Risk Assessment Report
  • Statement of Applicability
  • Information Security Policy
  • Asset Inventory
  • Incident Response Procedure
  • Business Continuity Plan
Evidence Required: Asset inventory, risk register, training records, audit reports, incident logs, and performance metrics.

Incident Response Framework

NIST SP 800-61 Incident Handling Guide

Incident Response Lifecycle

  1. Preparation
    • Develop IR plan and policy
    • Assemble CSIRT team
    • Prepare tools and resources
    • Conduct training and exercises
  2. Detection & Analysis
    • Monitor and detect anomalies
    • Triage and validate incidents
    • Collect and preserve evidence
    • Determine scope and impact
  3. Containment, Eradication & Recovery
    • Short-term and long-term containment
    • Remove malicious components
    • Restore systems from backups
    • Implement additional controls
  4. Post-Incident Activity
    • Conduct lessons learned review
    • Update policies and procedures
    • Improve detection capabilities

Business Continuity & Disaster Recovery

Ensuring operational resilience

Key Concepts

  • RTO (Recovery Time Objective) — Maximum acceptable downtime
  • RPO (Recovery Point Objective) — Maximum acceptable data loss
  • MTD (Maximum Tolerable Downtime) — Business survival limit
  • BIA (Business Impact Analysis) — Identify critical functions

DR Plan Components

  • Contact lists and communication plans
  • System recovery procedures
  • Alternate site arrangements
  • Backup restoration processes
  • Testing and maintenance schedule

CEH (Certified Ethical Hacker) Study Roadmap

Structured preparation guide

Study Phases

  1. Phase 1: Foundations (Weeks 1-2)
    • Networking fundamentals (TCP/IP, OSI model)
    • Linux command line basics
    • Windows security concepts
    • Basic cryptography
  2. Phase 2: Reconnaissance & Scanning (Weeks 3-4)
    • Passive and active information gathering
    • Network scanning techniques (Nmap)
    • Enumeration methods
    • Vulnerability assessment tools
  3. Phase 3: Access & Exploitation (Weeks 5-6)
    • System hacking methodologies
    • Malware creation and analysis
    • Social engineering techniques
    • Web application attacks
  4. Phase 4: Post-Exploitation & Defense (Weeks 7-8)
    • Maintaining access
    • Covering tracks
    • Incident response procedures
    • Legal and compliance aspects
Lab Environment Setup: Use VirtualBox/VMware with Kali Linux, Metasploitable, and Windows targets. Document all exercises in a lab notebook.

Essential Cybersecurity Tools

Must-know tools for security professionals

Network Security Tools

Web Application Security

Forensics & Incident Response