Chapter 1: Security Foundations and the CIA Triad

The CIA triad is the foundational framework that organizes every enterprise security control, policy, and investment decision. The three pillars — Confidentiality, Integrity, and Availability — map directly to concrete technical mechanisms that network engineers and security practitioners implement every day.

Think of the CIA triad like the structural legs of a stool. Remove any one leg and the stool topples. Regulatory frameworks including HIPAA, ISO 27001, and the NIST Cybersecurity Framework map their requirements directly onto CIA triad controls.

Confidentiality guarantees data is accessible only to authorized parties. A breach exposes data — it does not destroy it. Examples: leaked credentials, stolen intellectual property, exposed patient records.

Encryption: TLS establishes a shared session key via asymmetric cryptography, then encrypts bulk data with a symmetric cipher. A packet capture reveals only ciphertext.

Access control: RBAC assigns permissions to roles rather than individuals. MFA adds a second verification factor so a stolen password alone cannot grant access. Zero Trust removes implicit trust from network position — every request is verified per identity, device posture, and resource sensitivity.

Data classification determines which controls apply to each dataset:

Integrity assures data has not been altered, corrupted, or tampered with — in transit or at rest. A breach corrupts data, often invisibly: a modified config file, tampered firmware, or altered financial record.

Cryptographic hashing (SHA-256): deterministic, collision-resistant. Any single-bit change produces a completely different digest. SHA-256 and SHA-3 are appropriate for security; CRC-32 detects transmission errors only and can be forged.

Digital signatures combine hashing with asymmetric crypto for integrity and non-repudiation: the sender encrypts a SHA-256 hash with their private key; the recipient decrypts with the sender's public key and recomputes the hash — matching hashes confirm authenticity and integrity.

Version control: Every Git commit is identified by a hash of its contents and parent commits. Any historical tampering invalidates all subsequent commit hashes.

Availability guarantees authorized users can access systems and data when needed. 75% of organizations reported ransomware exposure in 2024 — ransomware is explicitly an availability attack.

Redundancy eliminates single points of failure: redundant power, dual uplinks, RAID arrays, geographically distributed data centers.

Failover: Active-passive keeps a standby warm but idle; active-active distributes load across live nodes. RTO (maximum tolerable downtime) and RPO (maximum tolerable data loss) drive these architectural choices.

Enterprise security is a stack of complementary controls operating at different infrastructure layers. Understanding where each control type lives and what it can and cannot see is essential for designing a defense-in-depth architecture.

Firewalls: Stateful firewalls track TCP connection state, enforce rules on IP/port/protocol. NGFWs add Layer 7 application inspection, user identity integration, and TLS decryption for encrypted traffic inspection.

IDS vs IPS: IDS passively alerts; IPS is inline and can drop, reset, or redirect malicious traffic. IPS uses signature-based detection (known attacks) and anomaly-based detection (statistical deviations). Inline placement introduces latency — factor into network design.

NAC enforces posture requirements (current AV signatures, OS patches, compliant firewall settings) before permitting network access. Non-compliant devices are quarantined to a remediation VLAN.

Legacy antimalware uses signature-based detection: known-malicious file hashes or byte sequences. Effective against known malware; fails against novel threats, obfuscated variants, and fileless malware.

Modern antimalware incorporates behavioral detection, ML classifiers, and cloud reputation lookups — asking "does this process behave like malware?" rather than "does this file match a known-bad signature?"

EDR records process trees, network connections, file events, and registry changes, streaming telemetry to a central platform. Analysts can reconstruct attack timelines, identify lateral movement, and remotely isolate endpoints without physical access.

Host-based firewalls (Windows Defender Firewall, iptables/nftables) enforce per-process network policies — providing a final defense layer even when the network perimeter is compromised.

WAF inspects HTTP request/response content for attack patterns: SQL injection, XSS, path traversal, protocol violations. Operates in signature mode (known patterns) or behavioral mode (deviation from normal traffic profile).

API gateways centralize authentication, rate limiting, input validation, and logging for API traffic — enforcing these as a single auditable policy layer rather than in each microservice individually.

RASP embeds security monitoring in the application runtime — intercepting database queries, shell executions, and file operations from inside the process. Particularly effective against zero-day vulnerabilities where no WAF signature exists.

Security controls generate enormous volumes of telemetry. Without a centralized system to collect, correlate, and act on this data, defenders are overwhelmed by volume and miss signals buried in the noise. The SOC toolchain — SIEM, SOAR, and log management — transforms raw telemetry into actionable intelligence and automated response.

A SIEM ingests log and event data from heterogeneous sources, normalizes it into a common schema (source IP, destination IP, port, action, timestamp), and applies correlation rules that identify attack patterns across all data sources uniformly.

Example correlation rule:

IF authentication_failure.count > 500
   AND authentication_failure.target_account = SAME
   AND authentication_failure.time_window < 60s
THEN generate_alert(severity=HIGH, type="Brute Force Attack")

Rules can also correlate across sources: a port scan from the IDS followed within 5 minutes by a new outbound connection from that server is a potential compromise sequence neither event alone would flag.

Sliding window anomaly detection computes a statistical baseline over a rolling time window and alerts when the current value deviates significantly. A global retailer's holiday traffic would trigger constant false positives with static thresholds — sliding window adapts to normal variation and catches low-and-slow attacks that stay below fixed limits.

SOAR receives alerts from the SIEM and executes automated response playbooks. SIEM provides detection and visibility; SOAR provides speed and consistency. The five-stage pipeline:

SOAR governance is critical: playbooks without change control, testing, and rollback procedures create fragile automation that can amplify incidents. Best practice requires version control for playbooks, staging environments, peer review, and defined rollback procedures.

Log management is the infrastructure layer that makes SIEM and SOAR possible. Key decisions:

• Retention: PCI-DSS requires 12 months (3 accessible); HIPAA requires 6 years. Longer retention supports forensic investigation of breaches not discovered immediately.
• Integrity protection: Write-once storage, cryptographic log signing, and immutable cloud object storage (S3 Object Lock, Azure Immutable Blob) protect logs from attacker tampering post-compromise.
• Indexing: Elasticsearch, Splunk, and OpenSearch enable sub-second queries across billions of events for incident investigation.
• Coverage gaps: Unmonitored cloud services, legacy systems, and network segments without flow data are blind spots attackers will exploit.

Advanced security practice requires fluency with terminology that defines how organizations understand, hunt for, and respond to threats. These terms appear throughout this course and in professional certifications.

Threat intelligence (TI) is processed, contextualized information about adversary capabilities, infrastructure, motivations, and tactics. Raw indicators (IP addresses, domains, file hashes) are Indicators of Compromise (IoCs). Tactical TI describes MITRE ATT&CK TTPs; strategic TI describes the threat landscape for an industry or region. Operationalizing TI means ingesting IoC feeds into SIEM and EDR so detections fire when known-bad indicators appear.

Threat hunting is the proactive, hypothesis-driven search for adversary activity not detected by automated controls. A hunter forms a hypothesis, then actively queries endpoint telemetry, logs, and network captures to test it. Requires rich telemetry (EDR, full packet capture, DNS logs) and familiarity with MITRE ATT&CK.

Threat modeling identifies potential threats during system design. The STRIDE model maps to CIA violations:

• Tampering → Integrity violation
• Denial of Service → Availability violation
• Information Disclosure → Confidentiality violation
• Spoofing → Authentication failure
• Repudiation → Non-repudiation failure
• Elevation of Privilege → Authorization failure

Static analysis examines the binary without executing it: strings, imported functions, file headers, hash comparison. Fast but misses packed/encrypted code and environment-dependent behavior.

Dynamic analysis executes malware in a controlled sandbox and observes behavior: network connections, files created, registry modifications, processes spawned. Captures behavior static analysis misses.

Reverse engineering uses disassemblers (IDA Pro, Ghidra) and debuggers to reconstruct compiled binary logic — necessary for custom C2 protocols, encryption implementations, and sandbox evasion techniques.

Run book automation (RBA) codifies operational procedures into structured, machine-executable workflows. SOAR playbooks are the security implementation of RBA. Value: consistency (same procedure every time, regardless of which analyst is on shift) and speed (seconds vs. minutes/hours).

DevSecOps integrates security into every stage of the software development lifecycle:

• SAST: Analyzes source code for vulnerabilities before compilation or deployment
• SCA: Scans third-party library dependencies for known CVEs
• Container image scanning: Checks images for vulnerabilities before registry push or production deployment
• IaC scanning: Validates Terraform, CloudFormation, and Kubernetes manifests for misconfigurations before apply
• Secret scanning: Detects API keys and credentials accidentally committed to source code repositories