Confidentiality: protect data from unauthorized access (encryption, access controls). Integrity: ensure data isn't altered without authorization (hashing, checksums, digital signatures). Availability: systems remain operational (redundancy, DDoS protection, backups). Every security decision should consider all three. Example: encrypting a database protects confidentiality, but if you lose the key, availability suffers.

Symmetric (AES, ChaCha20): fast, same key for both operations, challenge is key distribution. Asymmetric (RSA, ECC): public key encrypts, private key decrypts. Slower but solves key exchange problem. In practice: TLS uses asymmetric to exchange a symmetric session key, then symmetric for data transfer. Digital signatures use the reverse: private key signs, public key verifies.

Types: (1) Packet-filtering: inspects headers (IP, port, protocol). (2) Stateful inspection: tracks connection state. (3) Application-layer (WAF): inspects HTTP traffic, blocks SQL injection/XSS. (4) Next-gen (NGFW): deep packet inspection, IPS, application awareness. Rules: allow/deny based on source/dest IP, port, protocol. Deploy at network perimeter and between segments.

Attack: ' OR 1=1-- in a login form bypasses authentication. Types: in-band (error-based, union-based), blind (boolean, time-based), out-of-band. Prevention: (1) Parameterized queries/prepared statements. (2) ORM usage. (3) Input validation and sanitization. (4) Least privilege database accounts. (5) WAF rules. Never concatenate user input into SQL strings.

Types: email phishing (mass), spear phishing (targeted), whaling (executives), smishing (SMS), vishing (voice). Indicators: urgent tone, suspicious links, mismatched URLs, generic greetings. Prevention: email filtering, DMARC/DKIM/SPF, security awareness training, MFA, link analysis tools.

2021 list: (1) Broken Access Control. (2) Cryptographic Failures. (3) Injection. (4) Insecure Design. (5) Security Misconfiguration. (6) Vulnerable Components. (7) Auth & Identity Failures. (8) Software & Data Integrity Failures. (9) Security Logging Failures. (10) SSRF. Used as baseline for security testing.

IDS: passive monitoring, generates alerts. Types: network-based (NIDS), host-based (HIDS). Detection: signature-based and anomaly-based. IPS: inline, blocks malicious traffic in real-time. Can cause false positives. Tools: Snort (IDS/IPS), Suricata, OSSEC (HIDS). Deploy IDS in monitoring mode first, tune rules, then switch to IPS mode.

Phases: (1) Reconnaissance: gather information (OSINT). (2) Scanning: port scanning, vulnerability scanning. (3) Exploitation: attempt to breach systems. (4) Post-exploitation: maintain access, lateral movement. (5) Reporting: document findings, risk ratings, remediation. Types: black box, white box, gray box. Tools: Metasploit, Burp Suite, Nmap, Wireshark.

Principles: (1) Never trust, always verify. (2) Least privilege access. (3) Assume breach. Implementation: identity verification (MFA, SSO), device health checks, micro-segmentation, continuous monitoring, data-centric security. Technologies: ZTNA, identity providers (Okta, Azure AD), SASE.

Protocols: OpenVPN (reliable, SSL/TLS), WireGuard (modern, fast), IPSec/IKEv2 (built into OS). Types: remote access VPN, site-to-site, SSL VPN. Enterprise: Zero Trust Network Access (ZTNA) is replacing traditional VPNs — verify every request regardless of network location.

Lockheed Martin's model: (1) Recon: research target. (2) Weaponize: create malware/exploit. (3) Deliver: send via email, web, USB. (4) Exploit: trigger vulnerability. (5) Install: establish persistence. (6) Command & Control: remote access. (7) Actions: data exfiltration, ransomware. Defense: disrupt at any stage. MITRE ATT&CK provides more granular tactics.

Properties: deterministic, fast, pre-image resistant, collision resistant, avalanche effect. Algorithms: SHA-256, SHA-3, BLAKE3. For passwords: use bcrypt, scrypt, or Argon2 (slow + salted). MD5 and SHA-1 are broken. Applications: file integrity, HMAC, blockchain, digital certificates.

How it works: program allocates fixed-size buffer, attacker sends more data than buffer can hold, excess overwrites adjacent memory. Types: stack-based, heap-based, integer overflow. Defenses: ASLR, DEP/NX bit, stack canaries, bounds checking, safe functions. Modern languages (Rust, Go) prevent this by design.

Response: (1) Isolate affected systems from network. (2) Activate incident response plan. (3) Identify ransomware variant. (4) Notify management, legal, law enforcement. (5) Assess scope. (6) Check backups. (7) Restore from clean backups. (8) Investigate entry point. (9) Patch and harden. (10) Document everything for post-incident review.

Layered defense: (1) Input validation (server-side). (2) Parameterized queries. (3) Output encoding. (4) CSRF tokens. (5) HTTPS with HSTS. (6) CSP headers. (7) MFA. (8) RBAC. (9) Security headers. (10) Dependency scanning. (11) WAF. (12) Penetration testing. (13) Security logging.

Process: (1) Review architecture diagrams and data flows. (2) Threat modeling (STRIDE methodology). (3) Automated vulnerability scanning (OWASP ZAP, Nessus). (4) Static code analysis (SonarQube, Checkmarx). (5) Manual penetration testing. (6) Check OWASP Top 10 coverage. (7) Review authentication and authorization. (8) Check encryption at rest and in transit. (9) Verify logging and monitoring. (10) Document findings with risk ratings and remediation timeline.

Google's approach: (1) Custom Titan security chips. (2) BeyondCorp: Zero Trust network. (3) Binary Authorization: only verified code runs. (4) Data encrypted at rest and in transit. (5) Bug bounty program. (6) Project Zero: finds vulnerabilities in all software. (7) AI-powered threat detection.

Architecture: (1) Kernel-level agent monitoring file operations, process creation, network connections. (2) Behavioral analysis for attack patterns. (3) ML models trained on known behaviors. (4) Cloud backend for correlation and threat intelligence. (5) Real-time alerts and automated response. (6) Forensic timeline for investigation. (7) MITRE ATT&CK mapping.

Packet-filtering: examines headers (source/dest IP, port), fast but basic. Stateful: tracks connection state, smarter decisions. Application/Proxy: inspects application layer data, can filter content. NGFW (Next-Generation): combines stateful + deep packet inspection + IDS/IPS + application awareness. WAF (Web Application Firewall): HTTP-specific, prevents SQL injection, XSS, CSRF. Cloud-based: AWS Security Groups, Azure NSG. Host-based: iptables (Linux), Windows Firewall. Zero Trust: verify every request regardless of location.

Symmetric: same key encrypts and decrypts. AES-256 (standard), ChaCha20 (mobile). Fast, used for bulk data. Challenge: key distribution. Asymmetric: public key encrypts, private key decrypts. RSA-2048, ECC (smaller keys). Slower, used for key exchange and signatures. Hybrid: TLS uses asymmetric to exchange symmetric key, then symmetric for data. Hashing (one-way): SHA-256, bcrypt for passwords. Digital signatures: verify sender identity and message integrity. At-rest (disk encryption), in-transit (TLS/HTTPS), end-to-end (Signal protocol).

Structure: 14 tactics (why — objectives like Initial Access, Execution, Persistence) with techniques (how — specific methods) and sub-techniques. Matrices: Enterprise (Windows/Linux/macOS/Cloud), Mobile, ICS. Use cases: threat modeling, red team planning, detection gap analysis, SOC operations, security assessments. Each technique includes: description, detection methods, real-world examples, mitigations. Tools: ATT&CK Navigator for visualization. Related: MITRE D3FEND (defensive), MITRE ENGAGE (deception). Industry standard for sharing threat intelligence.

Team tiers: Tier 1 (alert triage), Tier 2 (incident analysis), Tier 3 (threat hunting, forensics). Tools: SIEM (Splunk, QRadar, Sentinel) aggregates logs, EDR (CrowdStrike, Defender) monitors endpoints, SOAR automates response. Process: detect → triage → investigate → contain → remediate → post-incident. Alert fatigue: false positive reduction through tuning, ML-based correlation. Metrics: MTTD (mean time to detect), MTTR (mean time to respond). Threat intelligence: IOC feeds, dark web monitoring. Compliance: SOC 2, ISO 27001 audit support.

Immediate: (1) Isolate: disconnect affected systems from network (don't power off — preserves memory evidence). (2) Contain: block malicious IPs/domains at firewall, disable compromised accounts. (3) Preserve: image affected systems for forensics. (4) Assess: identify ransomware variant (ID Ransomware), scope of encryption, data exfiltration. (5) Notify: CISO, legal, law enforcement (FBI/CISA), insurance, affected customers. (6) Recover: restore from clean backups (test if not encrypted). (7) Don't pay: no guarantee of recovery, funds criminal activity. (8) Post-incident: root cause analysis, patch vulnerability, improve defenses.

Methodology: (1) Reconnaissance: map attack surface, identify technologies, endpoints. (2) Authentication: brute force protection, password policy, MFA, session management. (3) Authorization: IDOR, privilege escalation, horizontal/vertical access control. (4) OWASP Top 10: injection (SQLi), XSS, CSRF, SSRF, broken access control, security misconfiguration. (5) API security: rate limiting, input validation, API keys. (6) Configuration: HTTPS, security headers (CSP, HSTS), error handling. (7) Tools: Burp Suite, OWASP ZAP, Nikto, Nmap. (8) Report: findings with severity, impact, remediation steps, retesting plan.

Capabilities: (1) Continuous monitoring: processes, files, network connections, registry changes. (2) Threat detection: behavioral analysis, IOC matching, ML-based anomaly detection. (3) Investigation: timeline view, process tree, file analysis, memory forensics. (4) Response: isolate endpoint, kill process, quarantine file, rollback changes. (5) Threat hunting: proactive search for hidden threats. Products: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne. EDR vs Antivirus: AV uses signatures, EDR uses behavior. XDR: extended detection across endpoints, network, cloud, email.

Lifecycle: discovery → exploit development → attacks in the wild → vendor notification → patch release → patch deployment. Defense: (1) Defense in depth: multiple security layers. (2) Behavioral detection: EDR/IDS detect unusual behavior. (3) Virtual patching: WAF/IPS rules blocking exploit patterns. (4) Microsegmentation: limit lateral movement. (5) Patch management: reduce exposure window. (6) Threat intelligence: monitor for zero-day disclosures. (7) Bug bounty: incentivize responsible disclosure. Market: zero-days sold to governments, brokers (Zerodium). Cost: iOS zero-click exploit worth $2M+.

IDS (Intrusion Detection System): monitors network traffic, generates alerts, passive. NIDS (network-based) and HIDS (host-based). IPS (Intrusion Prevention System): same detection + active blocking, inline (traffic flows through it). Detection methods: signature-based (known patterns), anomaly-based (baseline deviation), behavior-based (protocol compliance). Tools: Snort/Suricata (open-source), Palo Alto, Fortinet. Placement: IDS on mirror port (passive), IPS inline between firewall and network. Modern: NGFW combines firewall + IPS. False positives: overly aggressive IPS can block legitimate traffic.

Types: (1) Phishing: fake emails with malicious links/attachments. (2) Spear phishing: targeted at specific individuals. (3) Vishing: voice phishing via phone. (4) Smishing: SMS phishing. (5) Pretexting: fabricated scenario to gain trust. (6) Baiting: infected USB drives left in offices. (7) Tailgating: following authorized person through secure door. Defense: security awareness training, simulated phishing campaigns, email filtering, DMARC/DKIM/SPF, MFA (mitigates credential theft), verification procedures for wire transfers, physical access controls, least privilege principle.

OAuth 2.0: authorization protocol. Grant types: Authorization Code (web apps), PKCE (SPAs/mobile), Client Credentials (server-to-server), Device Code (TVs/IoT). Tokens: access token (short-lived, for API access), refresh token (long-lived, gets new access token). OpenID Connect (OIDC): authentication protocol built on OAuth. Adds id_token (JWT with user identity). Scopes: openid, profile, email. Endpoints: /authorize, /token, /userinfo, /.well-known/openid-configuration. Providers: Google, Microsoft, Auth0, Keycloak. PKCE should always be used for public clients.

Cycle: (1) Asset discovery: CMDB, network scanning (Nmap), cloud inventory. (2) Vulnerability scanning: Nessus, Qualys, Rapid7 — scheduled and continuous. (3) Prioritize: CVSS score + asset criticality + exploitability + business context. (4) Remediate: patches, configuration changes, compensating controls. (5) Verify: rescan to confirm fix. (6) Report: SLA compliance, trends, risk metrics. (7) Governance: define SLA by severity (Critical: 24-48hrs, High: 7 days, Medium: 30 days). Tools: Tenable, Qualys, MS Defender Vulnerability Management. Integrate with ITSM for tracking. Risk-based approach over 'patch everything'.