DEV Community: Dzmitry Harbachou

Cybersecurity tools: SIEM or are companies really spying on us

Dzmitry Harbachou — Mon, 15 Dec 2025 17:28:30 +0000

The idea for this article came about a year ago, maybe even a little earlier, when a message appeared in our corporate inbox informing us that we needed to install a new tool, and that tool was SIEM.

That email instantly triggered a new wave of discussions about SIEM, and a new question quickly emerged in our conversations: “Is the company really trying to spy on us?”. This reaction wasn’t surprising, because the unknown has a way of amplifying doubts and fueling speculation. It has been this way throughout history: ancient people attributed lightning and storms to mystical forces or divine anger simply because they had no better explanation. And now, in a regular corporate setting, a new tool can trigger that same reaction, a mix of curiosity and unease, long before anyone understands what it actually does.

And now it’s time to clear up the concerns and take a closer look at what SIEM actually is.

What is SIEM?

So, before we dive into the technical details, what this tool actually collects and analyzes, we need to understand what it is in the first place.

SIEM, or Security Information and Event Management, is an application that collects and analyzes log data to monitor critical activities in an organization. SIEM tools offer real-time monitoring and tracking of security event logs. The data is then used to conduct a thorough analysis of any potential security threat, risk, or vulnerability identified. SIEM tools have many dashboard options, each dashboard option helps cybersecurity specialists manage and monitor organizational data. So, in simple terms, SIEM acts as a central hub where security-related events from different systems are collected, processed, and analyzed. However, currently, SIEM tools require human interaction for analysis of security events.

What SIEM Actually Does

Alright, that all sounded nice, but it still doesn’t answer the main question: what does SIEM actually do?

Let’s break it down. At a high level, SIEM does four things:

Collects events
Normalizes and organizes data
Detects suspicious or harmful activity
Alerts security teams and helps investigate incidents

Now let’s take a closer look at each part.

SIEM Collects Events

Every system in an organization generates logs: servers, laptops, applications, firewalls, authentication services, cloud platforms - all.

SIEM acts as a central collector. It gathers:

login attempts,
system changes,
network activity,
application behavior,
security alerts from other tools.

These signals are useless in isolation, but together they give context.

SIEM Normalizes and Organizes the Data

Each system logs events differently. One says “authentication failed,” another reports a “login error,” and a third system might only record an error code - all referring to the exact same thing. SIEM translates this chaos into a unified format so analysts (and automated rules) can actually work with it.

SIEM Detects Suspicious Activity

Here’s where SIEM earns its place in cybersecurity.

It correlates different events and looks for patterns such as:

too many failed logins in a short time,
access from an unusual location,
abnormal data transfers,
unexpected privilege escalations,
behavior deviation from the user’s normal pattern.

One event means nothing, but a chain of events can mean an attack.

SIEM Alerts and Supports Investigations

When SIEM detects something suspicious, it generates an alert:

for the security team (SOC),
for automated response systems,
or for further analysis.

And if an incident actually happens, SIEM becomes the main tool for reconstructing what occurred: who did what, when, from where, and how.

- Hold on, hold on! Didn’t you just say that employees were asked to install SIEM on their laptops? Based on what you’ve described so far, it might sound like the employees themselves would be doing the monitoring and analysis.

- So let’s clear that up. What we were actually asked to install wasn’t SIEM itself, but a SIEM agent - a small program that sends the necessary logs from employee devices to the central SIEM system. That’s it. The agent doesn’t analyze anything on its own; it simply collects relevant security events and forwards them for monitoring, correlation, and vulnerability detection.

Types of SIEM by Purpose

Although SIEM as a class solves the same core problem of collecting, correlating and analyzing security events, different systems vary in their focus, architecture and intended use cases. SIEM solutions are generally divided into the following categories:

Traditional SIEM

Early generations of SIEM systems focused primarily on log collection, static correlation based on rules, and meeting compliance requirements. The foundation is manual correlation rules and log search.

Focus: Logging, basic correlation, auditing, compliance.
Key features:

rule-based analysis
minimal automation
limited behavioral analytics
weak cloud support
simple architecture but high alert noise Examples: MicroFocus ArcSight, older versions of QRadar, LogRhythm Classic

Next-Gen SIEM

Modern SIEM systems that include machine learning, UEBA, automation, and advanced correlation capabilities. Widely used as part of a full SOC ecosystem.

Focus: Advanced analytics, automated response, enhanced correlation.
Key features:

UEBA (user and entity behavior analytics)
ML-based anomaly detection
tight integration with SOAR
hybrid support (on-prem and cloud)
improved threat intelligence context Examples: Splunk Enterprise Security, IBM QRadar (newer versions), Exabeam

Cloud-Native SIEM

SIEM systems built to run entirely in the cloud. They offer scalability, speed, and no need to maintain infrastructure. Often support large or nearly unlimited data retention.

Focus: SaaS architecture, high scalability, cloud integrations.
Key features:

automatic resource management
ability to process very large log volumes
seamless integration with cloud platforms (AWS, Azure, GCP)
fast correlation and search
pay-as-you-go pricing model Examples: Microsoft Sentinel, Google Chronicle, Sumo Logic Cloud SIEM

Managed SIEM (for MSSP / Managed SOC)

SIEM solutions designed for service providers who monitor and respond to incidents on behalf of multiple customers. Built with multi-tenancy and SLA-driven workflows in mind.
Focus: Security monitoring as a service, MSSP-friendly features.
Key features:

multi-tenant architecture
centralized customer management
automated response capabilities
reduced operational load for customers
preconfigured rules and playbooks Examples: AT&T USM (AlienVault), LogRhythm, Blumira

Open-Source SIEM

Systems built on open-source technologies that often require substantial customization. Popular with smaller teams, labs, and technical groups that want flexibility and control.
Focus: Flexibility, accessibility, customization without licensing fees.
Key features:

free or open-core model
requires significant configuration
suitable for DevOps and SecOps experimentation
strong community support
flexible but not always enterprise-grade Examples: Wazuh, Elastic SIEM (partially open-core), OSSIM

A little more... (TOP 5 SIEM tools)

We have covered the basics, so it is time to meet the SIEM tools you are most likely to encounter in the real world.

Splunk Enterprise Security

The luxury sports car of SIEM tools.
Incredibly fast, extremely powerful and capable of almost anything… as long as your budget survives.
If a company has massive log volumes and money to spare, Splunk fits perfectly.
In short: "I can do anything. Just pay me."

2) IBM QRadar

The seasoned senior analyst who sees everything and forgets nothing.
It does not need flashy interfaces. It simply gets the job done.
Its event correlation capabilities outperform many newer SIEM products.
In short: "I know exactly what happened, and I have the flows to prove it."

3) Microsoft Sentinel

The SIEM for anyone living in the Microsoft ecosystem.
Easy to start with, cloud friendly and perfectly integrated with Microsoft tools.
Modern, automated and scalable as your organization grows.
In short: "If it is in Azure, I have already integrated with it."

4) Google Chronicle

The Big Data monster on steroids.
It works incredibly fast and stores almost unlimited data without blinking.
If you produce billions of events per day, Chronicle simply says: "So what?"
In short: "Oh, you have a lot of logs? Cute."

5) Elastic SIEM (Elastic Security)

The DevOps favorite: flexible, affordable and endlessly customizable.
It can do a lot if you know how to set it up. But it requires hands-on work, patience and sometimes late-night troubleshooting.
Perfect for those who like tailoring tools to their exact needs.
In short: "I can be anything you want, but you will configure me yourself."

Why Organizations Use SIEM

Companies rely on SIEM for several key reasons:

Early detection of cyberattacks SIEM can catch signs of intrusions before serious damage occurs.
Understanding what’s happening in the infrastructure Without SIEM, logs are scattered and unmanageable.
Protecting sensitive data and accounts It identifies abnormal behavior that could indicate insider threats or compromised credentials.
Compliance with security and privacy regulations Many standards (GDPR, PCI DSS, ISO 27001, SOC2) require monitoring and log retention - SIEM does exactly that.
Efficient investigations and audits When something goes wrong, SIEM helps understand where, how, and why.

Final Thoughts: No, the Company Isn’t Spying on You

So, no - the company is not reading our messages (at least not in mine, and definitely not through a SIEM tool), not tracking how many minutes we spend making coffee, and not secretly watching our screens to see what we’re doing. What the company is doing is making sure that no one else gets access to our corporate devices while we’re busy doing our jobs.

In reality, SIEM is far less dramatic than many imagine. It doesn’t spy on employees; it protects the organization from suspicious activity, compromised accounts, and potentially serious incidents. It notices patterns that humans might miss, helps security teams react faster, and ensures that the tools we rely on every day stay safe and trustworthy.

If anything, SIEM’s role is closer to that of a quiet, overworked night guard: it doesn’t care what you typed in Slack - it only cares if someone tries to log in as you from the other side of the world at 3 a.m.

So the next time an email arrives asking you to install another “mysterious security tool” remember: it’s not about watching you - it’s about watching your back.

Talk soon…

Boring Cybersecurity Theory: Main disciplines (Time to select your own way)

Dzmitry Harbachou — Thu, 21 Aug 2025 09:00:00 +0000

I didn’t put this article at the start of your journey - in my opinion, it’s hard to choose where you’re going if you haven’t yet seen what the road looks like, what challenges lie ahead, or who you’ll be walking beside.

Now that you’ve already explored some of the core ideas of cybersecurity ( threats, frameworks, ethics, risk) - it’s the perfect moment to step back and ask:
What kind of security professional do I want to become?

Welcome to Cybersecurity - A World of Many Roads

When most people hear the word "cybersecurity", they picture someone in a hoodie hammering away at a keyboard in a dark room. In reality, though, cybersecurity is much more than just hacking or stopping hackers. It’s a vast and constantly evolving field, made up of many disciplines - each with its own tools, challenges, and mindset.

Think of it like a city - there's construction, maintenance, policing, investigation, intelligence gathering, governance, and even education. Each of these areas has a role to play in keeping systems and people safe. And just like in a city, cybersecurity needs builders, thinkers, defenders, and strategists.

This article will help you understand the main domains in the cybersecurity world. You’ll see how they connect, what types of jobs exist in each one, and - more importantly - which direction might suit you.

Whether you prefer digging through logs, breaking into systems (legally), writing secure code, or shaping security policy, there’s a path here for you. All you have to do is find it.

Let’s begin with one of the most widely recognized models - the NIST NICE Framework.

Seven Core Disciplines (NIST NICE Framework)

Another framework? Yes - but hear me out. In cybersecurity, there’s pretty much a framework for everything: how to detect attacks, how to respond, how to manage risk… and yes - even how to structure careers.

To help make sense of the many roles in cybersecurity, the U.S. National Institute of Standards and Technology (NIST) created the NICE Framework - a structured way to group security work into seven high-level categories. Each one represents a different part of the cybersecurity lifecycle, and within each are roles that suit different interests and skillsets.

Let’s take a quick tour through each one - who works there, what they do, and why it might just be the right place for you.

Here’s a quick tour of the seven:

1. Securely Provision

Design and build secure systems from the ground up
If you love building systems, writing secure code, or designing cloud infrastructure - this is your zone. These roles focus on baking security in from the start.
Roles: Security Architect, Secure Software Developer, Cloud Security Engineer.

2. Operate & Maintain

Keep everything running safely
You’re the one making sure systems stay up, stay patched, and stay protected. Quiet when things are working - very loud when they aren’t.
Roles: System Admin, Patch Lead, IAM Engineer.

3. Protect & Defend

Detect and fight off threats
Welcome to the Blue Team. You’ll be monitoring, analyzing logs, blocking attacks, and leading incident response. If you like action and puzzles, this is your home turf.
Roles: SOC Analyst, Threat Hunter, Incident Responder.

4. Investigate

Dig into breaches and trace the digital fingerprints
Ever wanted to be a cyber detective? These roles involve forensics, malware analysis, and figuring out what really happened - byte by byte.
Roles: Forensics Analyst, Malware Analyst, Reverse Engineer.

5. Collect & Operate

Offensive security - the ethical attackers
Here you’ll find the Red Team. You break into systems to help others defend them. It’s creative, methodical, and definitely fun - if you like thinking like a hacker.
Roles: Penetration Tester, Red Team Operator, Exploit Researcher.

6. Analyze

Turn chaos into clarity
Threat intelligence, OSINT, behavior analytics - this is the strategic side of security. If you enjoy spotting patterns, researching actors, or thinking globally, this one’s for you.
Roles: CTI Analyst, OSINT Investigator, Threat Modeler.

7. Oversight & Governance

Keep the business side of security in order
From compliance and policy to risk management and privacy law, this is where cybersecurity meets law, ethics, and leadership.
Roles: Risk Analyst, GRC Officer, CISO, Privacy Engineer.

Each of these disciplines has its own rhythm, mindset, and mission. No path is “more cybersecurity” than another. It’s all about where your strengths lie - and what kind of work energizes you.

As in the hacking world, cybersecurity uses colors to classify not people, but teams, based on their methods and intentions.

The Color Team Model: Cybersecurity in Full Spectrum

If you’ve ever read about cybersecurity operations, Capture the Flag (CTF) events, or real-world attack simulations, you’ve probably come across terms like Red Team or Blue Team. This is known as the “color team model” - a popular way the cybersecurity community classifies roles based on their goals and tactics.

It’s not an official framework like NIST, but it’s widely used because… well, it works - and it paints a pretty vivid picture of what each role does in real-world operations.

Here’s a quick rundown:

🟥 Red Team - Attackers (Ethical Hackers)

These are the offensive professionals. They simulate real-world adversaries to test defenses. Red teamers try to breach systems, escalate privileges, steal data — but they do it with permission.
Goal: Show how a real attack might happen before an actual attacker gets there.
Typical roles: Penetration Tester, Red Teamer, Exploit Researcher.

🟦 Blue Team - Defenders

The Blue Team builds and maintains defensive mechanisms. They monitor systems, detect anomalies, respond to incidents, and make it as hard as possible for attackers to succeed.
Goal: Stop or slow down attackers and minimize damage.
Typical roles: SOC Analyst, Incident Responder, Threat Hunter, SIEM Engineer.

🟪 Purple Team - Bridge Between Red and Blue

Purple teams don’t replace Red or Blue - they connect them. A Purple Teamer might help a Blue Team improve detection by analyzing Red Team techniques or facilitate joint exercises.
Goal: Share insights and improve defense through collaboration.
Typical roles: Detection Engineer, Purple Team Analyst, Adversary Emulation Lead.

🟩 Green Team - Builders and Coders

Often overlooked, Green Teams work on secure software development. Their job is to build systems and code with security in mind from day one. Think DevSecOps, secure APIs, encryption, etc.
Goal: Bake security into the foundation, so it’s harder to break later.
Typical roles: DevSecOps Engineer, Secure Developer, Cloud Security Architect.

⚪ White Team - Rules and Coordination

White Teams act as referees in exercises like Red vs. Blue simulations. In real life, they handle governance, oversight, and policy, ensuring ethical boundaries are respected and standards are followed.
Goal: Coordinate and enforce fairness, legality, and scope.
Typical roles: Compliance Officer, GRC Lead, Security Awareness Coordinator.

🟨 Yellow / Gold Team - Leadership and Strategy

This team focuses on high-level decisions, business alignment, and long-term planning. They're not in the trenches but set the direction and strategy.
Goal: Ensure cybersecurity supports business goals and complies with regulations.
Typical roles: CISO, Security Program Manager, Risk & Policy Advisor

Each team represents a different aspect of cybersecurity - and while the colors may vary depending on context, the core idea is the same:

Cybersecurity isn’t a solo effort. It’s a team sport - and everyone plays a different role.

Connecting Frameworks and Colors

How NICE Roles Map to Red, Blue, and Everything In Between
Now that you’ve seen both the NIST NICE disciplines and the color team model, let’s bridge the two.

Why?
Because while frameworks help define structure, real-world cybersecurity work rarely stays in clean categories. A Red Teamer might use skills from "Collect & Operate" but also dive into analysis. A Blue Teamer might patch systems (Operate & Maintain) while investigating an incident.

Here’s a simplified view of how the NICE categories align with color team concepts:

NICE Discipline	Color Team Alignment	Example Roles
Securely Provision	🟩 Green / ⚪ White	Secure Developer, Cloud Security Engineer, Architect
Operate & Maintain	🟦 Blue / 🟩 Green	Patch Lead, IAM Engineer, Automation Engineer
Protect & Defend	🟦 Blue	SOC Analyst, Threat Hunter, SIEM Engineer
Investigate	🟦 Blue / 🟪 Purple	Forensics Analyst, Malware Analyst, IR Specialist
Collect & Operate	🟥 Red	Red Team Operator, Exploit Researcher, Pentester
Analyze	🟪 Purple / 🟨 Yellow	CTI Analyst, Threat Modeler, OSINT Investigator
Oversight & Governance	⚪ White / 🟨 Yellow	GRC Analyst, Compliance Officer, CISO

Keep in mind: these lines blur in real-world environments. Your role may sit at the intersection of two or even three teams - and that’s completely normal.

So where do YOU fit?

Like building secure systems from scratch? → You’re likely Green or White aligned.
Love breaking things to find flaws? → Red Team might be your jam.
Prefer defending and investigating? → Blue and Purple are calling.
Want to strategize, govern, or teach? → White and Yellow roles could suit you best.

There’s no wrong answer - but there is a right fit for your interests, mindset, and energy. The fun part is figuring it out.

Choosing Your Path: What Fits You Best?

Now that you’ve explored the landscape, it’s time for the big question:

Where do you see yourself in this world of roles, colors, and responsibilities?

Don’t worry - you don’t need to have it all figured out today. But here are some ways to start narrowing it down.

Start with your instincts:

Ask yourself:

Do I like building things, or breaking them?
Do I prefer real-time action, or quiet analysis?
Am I more comfortable with people and policy, or with code and systems?
Do I enjoy watching patterns, telling stories from data, or writing procedures?
Do I want to be in the front lines, or working behind the scenes?

Your honest answers will already start pointing you toward a discipline (and maybe even a color team).

🛠️ Match your mindset to disciplines:

If you enjoy…	Explore this area
Creating, designing systems	Securely Provision / Green Team
Breaking systems ethically	Collect & Operate / Red Team
Watching logs, reacting fast	Protect & Defend / Blue Team
Solving cyber mysteries	Investigate / Blue-Purple
Reading signals, researching	Analyze / Purple-Yellow
Managing policies and people	Oversight & Governance / White-Yellow
Building secure apps & pipelines	DevSecOps (crosses Green, Blue, and White)

Not sure yet? That’s fine.

Here’s a secret most professionals won’t tell you:

Many cybersecurity careers are built by exploring first, specializing later.

Start with what excites you. Learn broadly. Play around. Watch CTFs, take a short course, read breach reports, or try OSINT on yourself. The field is wide - and there’s more than one way to get in.

You don’t need to be a hacker or a genius to belong here. You just need curiosity and persistence. The rest will come.

Final Points

Final Points - because this is, for now, the end. Not the end-end, of course - I’m sure there will be more articles in the future, though I can’t promise when. My hope is that what you’ve read here gives you enough structured and connected ideas to start building your own picture of cybersecurity.

Funny thing is, this series wasn’t even meant to be a series. At first, it was just going to be one short article to help prepare for a workshop. But the more I wrote, the more I realized how much there was to say - and I didn’t want to just skim over it. One article turned into many, and here we are.

I’ve probably given you more than enough to start thinking - and that’s the point. I wanted you to see just how wide and varied this field really is. It’s not just “hacking” or “defending”. It’s building, breaking, analyzing, guiding, fixing, and leading.

Now the map is in front of you. The next step? Choose a direction. Build a plan. Start small - a course, a pet project, maybe an internship. Don’t worry about knowing everything; you’ll learn along the way.

Cybersecurity is a journey, and you’re already on it. It’s not a straight line - it twists, it turns, it surprises. And who knows? Maybe one day, somewhere along the way, our paths will cross.

Boring Cybersecurity Theory: Ethics (Make Your Choice)

Dzmitry Harbachou — Wed, 20 Aug 2025 09:00:00 +0000

Security ethics are guidelines for making appropriate decisions as a security professional. Being ethical requires that security professionals remain unbiased and maintain the security and confidentiality of private data. Having a strong sense of ethics can help you navigate your decisions as a cybersecurity professional so you’re able to mitigate threats posed by threat actors’ constantly evolving tactics and techniques. In this article, you'll explore essential ethical principles that will help you make informed, legal, and responsible decisions when facing attacks - not just to protect systems, but to protect people.

But more than that, this article invites you to reflect on a deeper question:
- What decision will you take?
- Because in cybersecurity, your actions - and the ethics behind them - shape not only your impact on the world but also the kind of professional you become.

With great power comes great responsibility. - as dear Uncle Ben once said, Spider-Man (2002)

Ethical concerns and laws related to counterattacks

Now that you’ve explored how attacks work - and that one day you might have the skills, access, and authority to respond to them - it’s time to talk about something more controversial: counterattacks.

The idea of striking back may sound tempting. After all, if someone breaks into your system, shouldn’t you have the right to fight back?
But in cybersecurity, things are rarely that simple. What might feel like justice could quickly become a legal or ethical minefield.

So before you reach for your digital sword, let’s take a closer look at what a counterattack really means - and why, more often than not, professionals choose defense over revenge.

United States standpoint on counterattacks

You can't fight fire with fire. - "The Dark Knight" (2008)

In the U.S., deploying a counterattack on a threat actor is illegal because of laws like the Computer Fraud and Abuse Act of 1986 and the Cybersecurity Information Sharing Act of 2015, among others. You can only defend. The act of counterattacking in the U.S. is perceived as an act of vigilantism. A vigilante is a person who is not a member of law enforcement who decides to stop a crime on their own. And because threat actors are criminals, counterattacks can lead to further escalation of the attack, which can cause even more damage and harm. Lastly, if the threat actor in question is a state-sponsored hacktivist, a counterattack can lead to serious international implications. A hacktivist is a person who uses hacking to achieve a political goal. The political goal may be to promote social change or civil disobedience.

For these reasons, the only individuals in the U.S. who are allowed to counterattack are approved employees of the federal government or military personnel.

International standpoint on counterattacks

The International Court of Justice (ICJ), which updates its guidance regularly, states that a person or group can counterattack if:

The counterattack will only affect the party that attacked first.
The counterattack is a direct communication asking the initial attacker to stop.
The counterattack does not escalate the situation.
The counterattack effects can be reversed.

Most organizations avoid counterattacking - and for good reason. It’s not just a matter of hitting back. The legal boundaries are fuzzy, the risks are high, and once you fire that digital shot, you can’t always control where it lands.

There’s a lot of uncertainty in defining what’s legal and what’s reckless. In most real-world cases, trying to “hack back” leads to more trouble - technical, legal, and reputational.

In 2006, the Israeli company Blue Security launched a creative anti-spam service. When users received spam, the system would automatically send opt-out requests back to the spammers - effectively overwhelming them with traffic.

It worked - for a moment.

But then a major spammer retaliated with a massive DDoS attack, not only targeting Blue Security but also hitting their DNS provider. The attack disrupted numerous unrelated websites.

A few weeks later, Blue Security shut down operations entirely. The cost of the counterattack proved too high.

In cybersecurity, smart defense beats risky retaliation - every time.

To learn more about specific scenarios and ethical concerns from an international perspective, review updates provided in the
Tallinn Manual online.

Ethical principles and methodologies

Because counterattacks are generally disapproved of or illegal, the security realm has created frameworks and controls - such as the CIA triad and others discussed earlier in the articles - to address issues of confidentiality, privacy protections, and laws. To better understand the relationship between these issues and the ethical obligations of cybersecurity professionals, let's review the following key concepts as they relate to using ethics to protect organizations and the people they serve.

Confidentiality means that only authorized users can access specific assets or data. Confidentiality as it relates to professional ethics means that there needs to be a high level of respect for privacy to safeguard private assets and data.

Privacy protection means safeguarding personal information from unauthorized use. Personally identifiable information (PII) and sensitive personally identifiable information (SPII) are types of personal data that can cause people harm if they are stolen. PII data is any information used to infer an individual's identity, like their name and phone number. SPII data is a specific type of PII that falls under stricter handling guidelines, including social security numbers and credit card numbers. To effectively safeguard PII and SPII data, security professionals hold an ethical obligation to secure private information, identify security vulnerabilities, manage organizational risks, and align security with business goals.

Laws are rules that are recognized by a community and enforced by a governing entity. As a security professional, you will have an ethical obligation to protect your organization, its internal infrastructure, and the people involved with the organization. To do this:

You must remain unbiased and conduct your work honestly, responsibly, and with the highest respect for the law.

Be transparent and just, and rely on evidence.
Ensure that you are consistently invested in the work you are doing, so you can appropriately and ethically address issues that arise.
Stay informed and strive to advance your skills, so you can contribute to the betterment of the cyber landscape.

Let’s say you work for a hospital’s IT team. One morning, you discover that an employee accidentally sent a spreadsheet with patient data - including diagnoses and prescriptions - to the wrong email address. Oops.

Now, legally (thanks to HIPAA), that counts as a breach of protected health information (PHI). But beyond legal duties, there’s also an ethical question: Would you want someone to tell you if your personal medical info landed in the wrong inbox? Of course you would.

That’s where your role as a cybersecurity professional becomes more than just technical. You're not just preventing incidents - you're making sure your organization does the right thing when things go wrong. That includes owning up to mistakes, notifying affected patients, and helping rebuild trust.

As a future security professional, ethics will play a major role in your daily work. Knowing the relevant ethics and laws will help you make the right decisions if and when you face a security threat or an incident that results in a breach.

Boring Cybersecurity Theory: Playbook and Zero-day attack

Dzmitry Harbachou — Tue, 19 Aug 2025 09:00:00 +0000

Previously, you learned that playbooks are tools used by cybersecurity professionals to help identify and respond to security incidents. In this article, we'll explore what playbook is, how it works, and why it is essential in a modern cybersecurity environment.

A playbook is a structured document or guide that outlines specific actions and procedures to follow during a security event or operational task. Think of it as a step-by-step manual that ensures consistent, efficient, and effective responses to known threats or incidents. Playbooks are predefined, regularly updated, and tailored to an organization’s tools, infrastructure, and threat landscape.

In simple terms, it’s your go-to response guide: what actions to take, who’s responsible, how to proceed, and in what sequence - when something goes wrong.

Why do you need a playbook?

A playbook is essential in cybersecurity operations because it enables teams to respond to incidents quickly, consistently, and effectively. Without a predefined response plan, decisions made under pressure can be slow, inconsistent, or prone to error.

Let me tell you a story. Some time ago, I was in a cozy town by the sea - not too big, not too small, with just enough charm to make evening walks feel like little rituals. One chilly night, not particularly great for strolling, I found myself walking through the central square.
That’s when I saw them - a pack of dogs, maybe ten or more, running full speed straight in my direction. To be honest, they probably didn’t care about me at all. They charged past without so much as a glance. But I definitely noticed them. My brain went into overdrive: “What do you do when a pack of dogs is running at you?” I had no clue. I’d never been in a situation like that before, and the thoughts in my head were just noise - stay still? run? nothing came together.
While the dogs raced past me, my whole life raced past me too - just for company, I suppose. And then, a minute or two after they were gone, I finally exhaled and kept walking, as if nothing had happened.
It is at moments like these, when you don't know what to do and your brain refuses to help, that you need a guideline. A kind of instruction manual that you can follow without thinking twice. After all, without it, the result could be much worse than a momentary fright.

A playbook is needed to:

React quickly and correctly to incidents
Correct “human error” and errors in a stressful situation
Automate response (in SOAR systems)
Simplify auditing and compliance with standards (NIST, ISO, SOC 2, etc.)

What is included in the Playbook?

Typically includes:

Script Name: 
  Type of incident (e.g., Phishing Email, Ransomware, DDoS Attack)

Threat Description: 
  Brief summary of the threat - what it looks like, where it appears, how it’s detected

Indicators of Compromise (IoC): 
  Examples: Malicious URLs, IP addresses, email senders, file hashes, domains

Responsible Roles: 
  Who is responsible for each task - e.g., SOC, Incident Response, Legal, HR

Response Steps: 
  Ordered actions - e.g., isolate, analyze, notify, remediate, document

Tools Involved: 
  What systems and platforms are used - SIEM, EDR, SOAR, firewall, email filter, ticketing

Escalation: 
  When to escalate, who to escalate to, and under what conditions

Reporting & Logging: 
  What needs to be recorded, and who needs to receive the final report

Example: Playbook to phishing email

Script Name: 
  Phishing Email Incident Response

Threat Description: 
  A user receives an email that appears legitimate but contains a
malicious link or attachment intended to steal credentials or deliver
malware. Typically reported by the user or flagged by an email security gateway.

Indicators of Compromise (IoC): 
  - Sender: hr-support@fakecorp-mail.com
  - URL: http://login.yourbank-secure.com
  - IP: 127.0.0.1
  - Attachment hash: d41d8cd98f00b204e9800998ecf8427e

Responsible Roles: 
  - SOC Analyst: Triage and confirm phishing indicators
  - IR Team: Containment, investigation, coordination
  - IT: Email quarantine and user account monitoring
  - Legal & Compliance: Evaluate reporting obligations
  - HR: Internal communication if needed

Response Steps: 
  1. Confirm phishing attempt using IoCs and headers
  2. Quarantine the email in the mail server
  3. Identify affected users and endpoints
  4. Reset credentials if phishing link was clicked
  5. Block associated URLs and IPs on firewall/proxy
  6. Search for similar messages in the mail system
  7. Document actions and evidence for review
  8. Notify leadership if sensitive data is involved

Tools Involved: 
  - SIEM (e.g., Splunk)
  - Email Security Gateway (e.g., Proofpoint, Mimecast)
  - EDR (e.g., CrowdStrike)
  - Ticketing System (e.g., Jira, ServiceNow)
  - SOAR Platform for automation (if available)

Escalation: 
  - Escalate to CISO if multiple departments affected
  - Escalate to Legal if PII or financial data was involved
  - Severity: Medium → High if credentials were compromised

Reporting & Logging: 
  - Document timestamp of report and response
  - List affected users and actions taken
  - Include relevant logs and IoCs in ticket
  - Final report sent to CISO and retained for audit

Types of playbooks

Playbooks sometimes cover specific incidents and vulnerabilities. These might include ransomware, vishing, business email compromise (BEC), and other attacks previously discussed. Incident and vulnerability response playbooks are very common, but they are not the only types of playbooks organizations develop.

Each organization has a different set of playbook tools, methodologies, protocols, and procedures that they adhere to, and different individuals are involved at each step of the response process, depending on the country they are in. For example, incident notification requirements from government-imposed laws and regulations, along with compliance standards, affect the content in the playbooks. These requirements are subject to change based on where the incident originated and the type of data affected.

Incident and vulnerability response playbooks

Incident and vulnerability response playbooks are commonly used by entry-level cybersecurity professionals. They are developed based on the goals outlined in an organization’s business continuity plan. A business continuity plan is an established path forward allowing a business to recover and continue to operate as normal, despite a disruption like a security breach.

These two types of playbooks are similar in that they both contain predefined and up-to-date lists of steps to perform when responding to an incident. Following these steps is necessary to ensure that you, as a security professional, are adhering to legal and organizational standards and protocols. These playbooks also help minimize errors and ensure that important actions are performed within a specific timeframe.

When an incident, threat, or vulnerability occurs or is identified, the level of risk to the organization depends on the potential damage to its assets. A basic formula for determining the level of risk is that risk equals the likelihood of a threat. For this reason, a sense of urgency is essential. Following the steps outlined in playbooks is also important if any forensic task is being carried out. Mishandling data can easily compromise forensic data, rendering it unusable.

Common steps included in incident and vulnerability playbooks include:

Preparation
Detection
Analysis
Containment
Eradication
Recovery from an incident

Additional steps include performing post-incident activities, and a coordination of efforts throughout the investigation and incident and vulnerability response stages.

Playbook is not just “documentation,” it's your defense under stress.
It makes responding quick, coherent, and gives you confidence that you won't forget important steps.

Zero-DAY

What happens when we don’t even know a vulnerability exists - and our playbook has no steps for preventing an attack we can't yet see?

That’s exactly what makes zero-day attacks so dangerous.

In cybersecurity, preparation is everything. We rely on detection tools, response plans, and predefined procedures to stay ahead of threats. But zero-day attacks exploit flaws that no one - not vendors, not defenders - has discovered yet. There are no patches, no signatures, no warning.

These are the kinds of attacks that hit fast, cut deep, and often go unnoticed until the damage is done. In this article, we’ll explore what zero-day attacks are, how they work, and what can be done to defend against threats that, by definition, are unknown - until it’s too late.

“Zero days ” is because developers have 0 days to close the hole because it hasn't been disclosed yet and attacks are already underway. As a rule, no one has time to prepare: neither defense systems, nor antiviruses, nor users.

A zero-day vulnerability is a security flaw in software or hardware that is unknown to the party responsible for fixing it—typically the vendor. Because the vulnerability is undiscovered, no patch or mitigation exists to protect against its exploitation. The name "zero-day" reflects the fact that developers have had zero days to fix the flaw before it is or can be exploited.

This is different from known vulnerabilities, which are publicly disclosed (usually with a CVE identifier) and typically have patches or workarounds. Zero-days are dangerous because they can bypass traditional detection methods like signature-based antivirus tools.

A zero-day attack is the actual exploitation of a zero-day vulnerability. Attackers often discover these flaws through their own research or by purchasing them on black markets. Because no patch or fix is available, zero-day exploits are highly valuable to both attackers and defenders.

Such attacks may be used for espionage, sabotage, data theft, or gaining persistent access to critical systems. Advanced persistent threat (APT) groups, state-sponsored actors, and cybercriminal organizations are known to actively use zero-day exploits.

Dictionary:

Term	Meaning
0-day vulnerability	Unknown vulnerability
0-day exploit	Code exploiting such vulnerability
N-day	Vulnerability already known but not yet fixed everywhere

Lifecycle of a Zero-Day Exploit

The lifecycle of a zero-day vulnerability typically unfolds in the following stages:

Discovery: A hacker, researcher, or security team identifies a previously unknown flaw.
Weaponization: An exploit is developed to take advantage of the flaw.
Exploitation: The exploit is deployed in the wild (e.g., through phishing, malicious websites, or direct compromise).
Detection: Anomaly detection or threat hunting identifies suspicious behavior.
Disclosure: The vendor is informed of the flaw (responsibly or otherwise).
Patch: A fix is developed and rolled out.
Public Awareness: The vulnerability is assigned a CVE, and defenses are updated.

Sometimes, after public disclosure, attackers continue to exploit systems that haven’t applied the patch. These are called N-day attacks.

Why Is a Zero-Day Attack So Dangerous?

Zero-day attacks are among the most dangerous types of cyber threats - not because they’re always the most complex, but because they leave no time to prepare. By their very nature, they exploit weaknesses that no one has patched, documented, or even seen coming.

Here’s what makes zero-day threats so uniquely dangerous:

They bypass all known signatures. Traditional defenses like antivirus, IDS/IPS, and firewalls rely on known patterns and threat intelligence. A zero-day exploit, however, uses a vulnerability that hasn’t been catalogued yet - meaning there are no rules to catch it.
You can’t defend against something you don’t know exists. Until a patch is developed and distributed, defenders are left guessing. The only protection is behavior-based monitoring or strict isolation - and even those may fail if the exploit is subtle.
They are often used in targeted, high-stakes attacks. Advanced Persistent Threat (APT) groups, state-sponsored hackers, and cybercriminals use zero-day exploits to quietly breach high-value targets. These attacks are typically part of espionage campaigns, not random crime.
They enable deep compromise. A zero-day vulnerability can allow attackers to escalate privileges, execute arbitrary code (RCE), or exfiltrate sensitive data - all while staying under the radar. By the time they're detected, the attackers may have already achieved their objective.

In short, zero-day exploits don't knock at the front door - they slip through an invisible crack in the foundation.

At a cybersecurity conference, a group of researchers took the stage to show off their latest achievement: a supposedly secure, enterprise-grade network printer. According to them, it had been thoroughly hardened against attacks and was ready for the modern office battlefield. The audience listened politely - until, in the middle of the presentation, the demo printer they brought with them suddenly came to life and began to print.
Out came a single page with a simple message: “Nice talk. You might want to patch this.” Someone in the audience had just exploited a zero-day vulnerability in the printer’s firmware - during the talk - to send a cheeky, perfectly timed warning. The crowd erupted. The researchers laughed (nervously), and everyone walked away with a valuable lesson: never trust a quiet printer - especially at a hacker conference.

How do you fight zero-day??

It is impossible to completely prevent zero-day, but it is possible to reduce risk and damage:

1. Minimum Rights Principle

Limit the rights of users and applications
Even if 0-day gives access, an attacker will not get root

2. Network Segmentation

Isolate critical systems (DMZ, VLAN)
Prevent the attack from spreading across the infrastructure.

3. Behavioral analytics (UEBA, EDR, XDR)

These systems analyze behavioral anomalies rather than signatures
This is one of the most effective ways to catch a 0-day attack.

4. Rapid software updates

Once a 0-day is disclosed, it becomes N-day - and the patch goes out
It's important to have an automated update process

5. Virtualization and containerization

Running software in a restricted container reduces RCE damage.

6. Threat Intelligence

Subscriptions to IOCs, MITRE ATT&CK, TI feeds
Help learn about new vulnerabilities before CVEs are published

7. Playbook and Response Plan

Incident preparedness is half of success
Responding quickly to anomalies minimizes losses

What to do right now (if you want to get ready for 0-day)?:

It's simple: the more layers of defense you implement and the more advanced the tools you use, the harder it will be to attack you - but that's where the simplicity ends. There is no universal approach to defense against zero-day attacks, because it all depends on what you are protecting and what resources you have for it - money, specialists, tools. Not everyone needs overprotection: loss of logs on an auxiliary server will most likely not lead to application shutdown, while leakage of users' personal data may entail both legal and reputational consequences. Therefore, it is important to properly assess your assets, risks, and capabilities to build the protection that is appropriate and effective in your context.

Zero-day is not if, but when. It is impossible to defend against it 100%, but you can:

Limit the radius of attack

Quickly detect an attack

Quickly react and recover.

Interconnectivity in practice:

In real-world scenarios, cyber incidents rarely happen in isolation. A zero-day vulnerability on its own isn’t a threat - until it’s exploited. Detection doesn’t rely on known patterns, and response often unfolds in uncertainty. That’s where interconnectivity between concepts like zero-day, detection strategies, and incident response playbooks becomes critical.
The table below shows how these elements interact in a typical modern attack:

Component	Role in the incident
Zero-day	Unknown vulnerability exploited before a fix exists
Attack (exploit)	Leverages the zero-day to gain initial access or execute malicious actions
Detection	Triggered not by known signatures, but via behavioral analysis and anomalies
Playbook	Provides a structured response, even without specific indicators or prior knowledge

More details about Playbook and Zero-day

Playbook for 0-day incidents is usually not "tailored" to a specific vulnerability, but to the impact and type of attack:

Suspicious traffic
RCE attack
File encryption
Public service penetration

The table below illustrates how a zero-day vulnerability and a playbook interact during a security incident.

Zero-Day	Playbook
Unknown vulnerability	Template for responding to an unknown threat
Causes unexpected incidents	Gives a structured response to incidents
May not be detected by signatures	Response is built on behavior and consequences
Need fast response	Playbook gives steps, roles, tools

That is, it answers not "what exactly was hacked?" but "what to do if we detect strange activity that looks like an attack".

Facing a zero-day is like walking across the ocean floor - deep, dark, and full of unknowns. No signs. No safety nets. Just your wits and whatever plan you managed to carry with you.

Reacting quickly, with confidence, may look reckless to some - even foolish.

“You’re either incredibly brave or incredibly stupid,” as Barbossa once said.
“But then again… it’s two sides of the same coin.”

And that’s exactly what zero-days and playbooks are:

One is chaos, the other is control.
One is unknown, the other is prepared response.

In the end, you can’t stop every attack - but you can choose which side of the coin you stand on when it hits.

Boring Cybersecurity Theory: Frameworks (NIST)

Dzmitry Harbachou — Mon, 18 Aug 2025 09:00:00 +0000

Previously, you learned how organizations use security frameworks and controls to protect against threats, risks, and vulnerabilities. Now let’s dive a bit deeper into the NIST Cybersecurity Framework, a go-to tool for many organizations and one of the most commonly used standards in the cybersecurity world.

This framework has been created by the U.S. National Institute of Standards and Technology and is used all over the world. It is used by large corporations, banks, technology giants, and even government agencies because it helps build a reliable, logical, and scalable security system.

The NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) is a set of recommendations and best practices for organizing cybersecurity. It was developed to provide a structured approach for managing information security risks within companies and government organizations.

NIST CSF includes five key steps (functions):

1. Identify - understand what needs to be protected (assets, risks)
2. Protect - establish protection measures (access control, encryption)
3. Detect - detect the threat (monitoring, logging)
4. Respond - react (response plan)
5. Recover - recover from the incident

1. Identify

The first step in any effective cybersecurity program is understanding what needs protection. The Identify function focuses on gaining visibility into your organization’s digital landscape.

This includes:

Creating an inventory of all digital and physical assets.
Understanding the business context and risk environment.
Defining roles, responsibilities, and governance structures.
Conducting risk assessments and mapping out potential vulnerabilities.

By clearly identifying what is at stake, organizations can prioritize their cybersecurity efforts and allocate resources more efficiently.

2. Protect

Once assets and risks have been identified, the next step is implementing safeguards to ensure their security. The Protect function is about proactive defense.

This involves:

Enforcing access controls and authentication mechanisms (e.g., MFA).
Encrypting sensitive data in transit and at rest.
Conducting regular security training and awareness programs.
Implementing secure software development practices.
Applying physical and environmental controls for infrastructure.

Effective protection minimizes the chances of a successful attack and strengthens organizational resilience.

3. Detect

Despite the best protection measures, no system is immune to threats. The Detect function is crucial for identifying anomalies and incidents as early as possible.

Key elements include:

Real-time monitoring of networks and systems.
Logging and analyzing events and security data.
Utilizing tools like SIEM, IDS/IPS, and behavioral analytics.
Setting alerts and thresholds for suspicious activities.

Early detection enables faster responses and reduces the potential impact of a security breach.

4. Respond

When a cybersecurity incident occurs, the ability to respond swiftly and effectively is essential. The Respond function focuses on containing the threat and managing the fallout.

This entails:

Having a well-documented incident response plan.
Assigning responsibilities and decision-making authority.
Communicating with internal stakeholders and possibly external parties.
Conducting root cause analysis.
Adjusting defenses and procedures based on lessons learned.

A coordinated response helps limit damage, protect reputation, and meet compliance requirements.

5. Recover

Finally, the Recover function addresses how to return to normal operations after an incident. Recovery is not just about restoring data, but also about improving future resilience.

Important steps include:

Restoring systems and data from backups.
Validating the integrity of restored assets.
Reviewing incident reports and response effectiveness.
Updating policies, tools, and procedures.
Communicating recovery status to stakeholders.

A structured recovery process ensures operational continuity and strengthens the organization’s ability to handle future incidents.

Example in Action: "SQL Injection in a Web Application"

Below, you can see how the stages of the NIST CSF align with the phases of a cyber attack incident.

Stage at NIST	What happens	Direction
Identify	Register asset (application), perform risk analysis	Application Security, GRC
Protect	Implement data validation, WAF	Application Security
Detect	WAF or SIEM detects SQL injection attempt	SOC, monitoring
Respond	Activate incident management	Operational Security
Recover	Patch, report, revise DevSecOps processes	Operational Security, GRC

This incident illustrates how important it is to have a structured approach to security-and that's where the NIST Framework comes in. It helps you not just put out fires after attacks, but build defenses up front, from identifying vulnerable systems to timely response and recovery. NIST is not a theory, but a practical framework that allows you to systematically manage risk and prevent similar incidents in the future.

The NIST Cybersecurity Framework provides a clear, actionable structure for managing cybersecurity risks across the lifecycle of an attack. By understanding and applying each of the five core functions, organizations can build a robust defense strategy that not only reacts to threats but anticipates and mitigates them in advance.

Boring Cybersecurity Theory: Controls, Frameworks, and Compliance

Dzmitry Harbachou — Fri, 15 Aug 2025 09:00:00 +0000

A framework is like a treasure map, a medkit, and a compass all rolled into one - it helps beginners avoid chaos and lets pros act with strategy and confidence. It saves time, covers blind spots, makes teamwork smoother, and boosts your credibility with recruiters. Instead of playing a “guessing game,” you'll be following a smart, battle-tested plan used by thousands of professionals before you.

Frameworks

Security frameworks are guidelines used for building plans to help mitigate risk and threats to data and privacy. Frameworks support organizations’ ability to adhere to compliance laws and regulations. For example, the healthcare industry uses frameworks to comply with the United States’ Health Insurance Portability and Accountability Act (HIPAA), which requires that medical professionals keep patient information safe.

Cybersecurity area has its own frameworks - these are ready-made schemes that simplify work. They play a key role in helping businesses comply with industry regulations and laws. For instance, healthcare organizations in the U.S. rely on frameworks to meet the requirements of HIPAA - a law that mandates the protection of patients’ personal health information.

In cybersecurity, frameworks act like prebuilt roadmaps. Rather than figuring out what to do from scratch in every situation, you follow a well-defined structure that walks you through each stage - from risk assessment and threat detection to incident response and recovery. They help teams distribute responsibilities, streamline decision-making, and reduce the chance of human error during high-stress moments.

Specifications and guidelines can change depending on the type of organization you work for.

Below are some of the other well-known frameworks commonly used in the world of cybersecurity. Each one offers a different approach depending on the organization’s size, industry, and regulatory needs:

The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)

FERC-NERC is a regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid. These types of organizations have an obligation to prepare for, mitigate, and report any potential security incident that can negatively affect the power grid. They are also legally required to adhere to the Critical Infrastructure Protection (CIP) Reliability Standards defined by the FERC.

The Federal Risk and Authorization Management Program (FedRAMP®)

FedRAMP is a U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency across the government sector and third-party cloud providers.

Center for Internet Security (CIS®)

CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to safeguard systems and networks against attacks. Its purpose is to help organizations establish a better plan of defense. CIS also provides actionable controls that security professionals may follow if a security incident occurs.

General Data Protection Regulation (GDPR)

GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is not being transparent about the data they are holding about an E.U. citizen and why they are holding that data, this is an infringement that can result in a fine to the organization. Additionally, if a breach occurs and an E.U. citizen’s data is compromised, they must be informed. The affected organization has 72 hours to notify the E.U. citizen about the breach.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is an international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment. The objective of this compliance standard is to reduce credit card fraud.

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a U.S. federal law established in 1996 to protect patients' health information. This law prohibits patient information from being shared without their consent. It is governed by three rules:

Privacy
Security
Breach notification

Organizations that store patient data have a legal obligation to inform patients of a breach because if patients' Protected Health Information (PHI) is exposed, it can lead to identity theft and insurance fraud. PHI relates to the past, present, or future physical or mental health or condition of an individual, whether it’s a plan of care or payments for care. Along with understanding HIPAA as a law, security professionals also need to be familiar with the Health Information Trust Alliance (HITRUST®), which is a security framework and assurance program that helps institutions meet HIPAA compliance.

International Organization for Standardization (ISO)

ISO was created to establish international standards related to technology, manufacturing, and management across borders. It helps organizations improve their processes and procedures for staff retention, planning, waste, and services.

System and Organizations Controls (SOC type 1, SOC type 2)

The American Institute of Certified Public Accountants® (AICPA) auditing standards board developed this standard. The SOC1 and SOC2 are a series of reports that focus on an organization's user access policies at different organizational levels such as:

Associate
Supervisor
Manager
Executive
Vendor
Others

They are used to assess an organization’s financial compliance and levels of risk. They also cover confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in these areas can lead to fraud.

There are a number of regulations that are frequently revised. You are encouraged to keep up-to-date with changes and explore more frameworks, controls, and compliance. Two suggestions to research: the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.

Controls

Security controls are safeguards designed to reduce specific security risks. Security controls are the measures organizations use to lower risk and threats to data and privacy. For example, a control that can be used alongside frameworks to ensure a hospital remains compliant with HIPAA is requiring that patients use multi-factor authentication (MFA) to access their medical records. Using a measure like MFA to validate someone’s identity is one way to help mitigate potential risks and threats to private data.

Controls often work in tandem with security frameworks. While frameworks provide structure and strategy, controls are the specific actions that help enforce them. For example, to comply with HIPAA in a healthcare setting, a control might involve requiring multi-factor authentication (MFA) for patients accessing their medical records. This helps ensure that only authorized users can access sensitive information.

Security controls are generally grouped into three categories: physical, technical, and administrative. Each type plays a different role in preventing, detecting, or correcting security issues.

Examples of physical controls:

Gates, fences, and locks
Security guards
Closed-circuit television (CCTV), surveillance cameras, and motion detectors
Access cards or badges to enter office spaces

Examples of technical controls:

Firewalls
MFA
Antivirus software

Examples of administrative controls:

Separation of duties
Authorization
Asset classification

By layering these types of controls, organizations can create defense-in-depth - a strategy that helps ensure no single point of failure leads to compromise. Together with frameworks, controls form the practical foundation of any effective cybersecurity strategy.

Specific frameworks and controls

There are many different frameworks and controls that organizations can use to remain compliant with regulations and achieve their security goals. Frameworks covered in this reading are the Cyber Threat Framework (CTF) and the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001. Several common security controls, used alongside these types of frameworks, are also explained.

Cyber Threat Framework (CTF)

According to the Office of the Director of National Intelligence, the CTF was developed by the U.S. government to provide “a common language for describing and communicating information about cyber threat activity.” By providing a common language to communicate information about threat activity, the CTF helps cybersecurity professionals analyze and share information more efficiently. This allows organizations to improve their response to the constantly evolving cybersecurity landscape and threat actors' many tactics and techniques.

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001

An internationally recognized and used framework is ISO/IEC 27001. The ISO 27000 family of standards enables organizations of all sectors and sizes to manage the security of assets, such as financial information, intellectual property, employee data, and information entrusted to third parties. This framework outlines requirements for an information security management system, best practices, and controls that support an organization’s ability to manage risks. Although the ISO/IEC 27001 framework does not require the use of specific controls, it does provide a collection of controls that organizations can use to improve their security posture.

Security frameworks give you the “why” and “what”, while controls give you the “how”. Together, they help organizations build structured, defensible, and compliant cybersecurity programs - capable of adapting to the ever-changing risk landscape.

As a security specialist, you don’t need to remember every framework out there. But understanding the core ones and how they shape real-world security decisions - is key. Especially as the threat landscape keeps evolving, being familiar with these structures helps you protect both the systems you defend and the people behind them.

Boring Cybersecurity Theory: Security Domains From CISSP

Dzmitry Harbachou — Thu, 14 Aug 2025 09:00:00 +0000

Now that we have looked at security from one side, it's time to look at it from another. If you're reading this article, chances are you're involved in IT in some way - and you likely know that companies typically divide responsibilities by roles and domains. The same principle applies to cybersecurity.

Cybersecurity is a broad field that is divided into many areas depending on what is being protected, from what and by what means. There are eight commonly recognized domains of cybersecurity, each with its own responsibilities and specific area of focus.

Domain One: Security and risk management

All organizations must develop their security posture. Security posture is an organization’s ability to manage its defense of critical assets and data and react to change. Elements of the security and risk management domain that impact an organization's security posture include:

Security goals and objectives
Risk mitigation processes
Compliance
Business continuity plans
Legal regulations
Professional and organizational ethics

Information security, or InfoSec, is also related to this domain and refers to a set of processes established to secure information. An organization may use playbooks and implement training as a part of their security and risk management program, based on their needs and perceived risk. There are many InfoSec design processes, such as:

Incident response
Vulnerability management
Application security
Cloud security
Infrastructure security

As an example, a security team may need to alter how personally identifiable information (PII) is treated in order to adhere to the European Union's General Data Protection Regulation (GDPR).

Domain two: Asset security

Asset security involves managing the cybersecurity processes of organizational assets, including the storage, maintenance, retention, and destruction of physical and virtual data. Because the loss or theft of assets can expose an organization and increase the level of risk, keeping track of assets and the data they hold is essential. Conducting a security impact analysis, establishing a recovery plan, and managing data exposure will depend on the level of risk associated with each asset. Security analysts may need to store, maintain, and retain data by creating backups to ensure they are able to restore the environment if a security incident places the organization’s data at risk.

Domain three: Security architecture and engineering

This domain focuses on managing data security. Ensuring effective tools, systems, and processes are in place helps protect an organization’s assets and data. Security architects and engineers create these processes.

One important aspect of this domain is the concept of shared responsibility. Shared responsibility means all individuals involved take an active role in lowering risk during the design of a security system. Additional design principles related to this domain, which are discussed later in the program, include:

Threat modeling
Least privilege
Defense in depth
Fail securely
Separation of duties
Keep it simple
Zero trust
Trust but verify

An example of managing data is the use of a security information and event management (SIEM) tool to monitor for flags related to unusual login or user activity that could indicate a threat actor is attempting to access private data.

Domain four: Communication and network security

This domain focuses on managing and securing physical networks and wireless communications. This includes on-site, remote, and cloud communications.

Organizations with remote, hybrid, and on-site work environments must ensure data remains secure, but managing external connections to make certain that remote workers are securely accessing an organization’s networks is a challenge. Designing network security controls - such as restricted network access - can help protect users and ensure an organization’s network remains secure when employees travel or work outside of the main office.

Domain five: Identity and access management

The identity and access management (IAM) domain focuses on keeping data secure. It does this by ensuring user identities are trusted and authenticated and that access to physical and logical assets is authorized. This helps prevent unauthorized users, while allowing authorized users to perform their tasks.

Essentially, IAM uses what is referred to as the principle of least privilege, which is the concept of granting only the minimal access and authorization required to complete a task. As an example, a cybersecurity analyst might be asked to ensure that customer service representatives can only view the private data of a customer, such as their phone number, while working to resolve the customer's issue; then remove access when the customer's issue is resolved.

Domain six: Security assessment and testing

The security assessment and testing domain focuses on identifying and mitigating risks, threats, and vulnerabilities. Security assessments help organizations determine whether their internal systems are secure or at risk. Organizations might employ penetration testers, often referred to as “pen testers,” to find vulnerabilities that could be exploited by a threat actor.

This domain suggests that organizations conduct security control testing, as well as collect and analyze data. Additionally, it emphasizes the importance of conducting security audits to monitor for and reduce the probability of a data breach. To contribute to these types of tasks, cybersecurity professionals may be tasked with auditing user permissions to validate that users have the correct levels of access to internal systems.

Domain seven: Security operations

The security operations domain focuses on the investigation of a potential data breach and the implementation of preventative measures after a security incident has occurred. This includes using strategies, processes, and tools such as:

Training and awareness
Reporting and documentation
Intrusion detection and prevention
SIEM tools
Log management
Incident management
Playbooks
Post-breach forensics
Reflecting on lessons learned

The cybersecurity professionals involved in this domain work as a team to manage, prevent, and investigate threats, risks, and vulnerabilities. These individuals are trained to handle active attacks, such as large amounts of data being accessed from an organization's internal network, outside of normal working hours. Once a threat is identified, the team works diligently to keep private data and information safe from threat actors.

Domain eight: Software development security

The software development security domain is focused on using secure programming practices and guidelines to create secure applications. Having secure applications helps deliver secure and reliable services, which helps protect organizations and their users.

Security must be incorporated into each element of the software development life cycle, from design and development to testing and release. To achieve security, the software development process must have security in mind at each step. Security cannot be an afterthought.

Performing application security tests can help ensure vulnerabilities are identified and mitigated accordingly. Having a system in place to test the programming conventions, software executables, and security measures embedded in the software is necessary. Having quality assurance and pen tester professionals ensure the software has met security and performance standards is also an essential part of the software development process. For example, an entry-level analyst working for a pharmaceutical company might be asked to make sure encryption is properly configured for a new medical device that will store private patient data.

I hope this brief dive into the CISSP security domains has given you a clearer sense of the structure behind cybersecurity. It may seem like a maze of terms, frameworks, and controls, but together they form the blueprint for protecting information in a chaotic digital world. Even if the details fade, remembering that security is built on multiple interconnected layers can help you see the bigger picture - and spot the gaps before someone else does.

Boring Cybersecurity Theory: Risk Management

Dzmitry Harbachou — Wed, 13 Aug 2025 15:50:34 +0000

Previously, we learned how security involves protecting organizations and people from threats, risks, and vulnerabilities. Understanding the current threat landscapes gives organizations the ability to create policies and processes designed to help prevent and mitigate these types of security issues. In this reading, you will further explore how to manage risk, so you are better prepared to protect organizations and the people they serve when you enter the cybersecurity field.

A 158-year-old company, KNP, collapsed within just three months after hackers from the Akira ransomware group guessed a single weak employee password. The result? £5 million in ransom demands, encrypted data, deleted backups, and 700 employees out of work. One mistake was all it took to bring down a century-old business.

Why is it Critical?

There’s a dangerous myth in cybersecurity: “We’re too small to be a target.”

The truth? Cybercriminals don’t care about your company’s size - only about how easy you are to breach. A poorly configured server, an outdated system, or a single weak password can be enough to put you on their radar.

From my own experience, I can say that this is partially true. I enjoy following the development of modern applications, especially in the field of cryptocurrencies, and this principle proves itself time and time again. The problem isn’t that these companies are small, but rather that in many cases there is simply nothing worth taking from them - at least for now. But when the time comes and value appears, it’s often too late to start thinking about protection - the house is empty, and the safe is gone. That’s why I suggest preparing in advance. As the saying goes, fix the roof while the sun is shining.

Risk management in cybersecurity is really about answering three deceptively simple questions:

What could go wrong?
How likely is it to happen?
How much will it hurt if it does?

Every organization (from startups to global corporations) faces risks that could cause financial loss, reputational damage, legal trouble, or even total shutdown. The difference between those that survive and those that don’t often depends on how well they identify and prepare for these risks.

The primary goal of organizations is to protect assets. An asset is an item perceived as having value to an organization. Assets can be digital or physical.

Digital assets include personal information such as Social Security numbers, dates of birth, bank account details, and mailing addresses.
Physical assets may seem less “cyber”, but are just as critical — if someone can walk into your server room, they don’t need to hack anything. Examples include payment kiosks, servers, computers, and office spaces.

In the context of risk management, two terms often come up:

PII (Personally Identifiable Information) - data that can be used to identify a specific person. This includes names, addresses, phone numbers, email addresses, and account usernames.
SPII (Sensitive Personally Identifiable Information) - a more sensitive subset of PII. This includes information like Social Security numbers, biometric data, medical history, financial account numbers, or any data that could cause significant harm, identity theft, or fraud if exposed.

Whether you’re handling a customer’s shipping address or their passport number, understanding the value and sensitivity of the data is the first step toward protecting it - and toward making smart risk management decisions.

Managing risks isn’t about building an impenetrable fortress. It’s about knowing which battles to fight, which to avoid, and which to insure against - before the attackers make the choice for you.

What's really important?

Risk management isn’t a spreadsheet exercise - it’s detective work. You collect evidence about where problems might occur, who might try to cause them, and how bad the consequences would be if they succeeded.

Cybersecurity risk management is a structured process found in global frameworks like NIST Risk Management Framework, ISO/IEC 27005, and CIS Risk Assessment Method. These frameworks all boil down to one simple truth: you can’t protect everything equally, so you need to know what’s worth protecting most, what’s threatening it, and how to act before trouble strikes.

Also, in regulated industries, additional standards apply - for example, HIPAA in U.S. healthcare, which mandates risk assessments to protect patient data.

At the core, there are five key steps that repeat in a continuous cycle:

Identify what matters most
Identify who or what can harm it
Find the weaknesses they could exploit
Evaluate how bad and how likely each risk is
Decide what to do about each risk

This isn’t theory - it’s the same structure Fortune 500 companies use, scaled down or up depending on the organization. Let’s break each step down.

Step 1 - Identify what matters most

Before you can protect anything, you need to know what’s worth protecting. In risk management, these are your critical assets:

Customer databases with personal data
Financial systems and transaction platforms
Proprietary designs, formulas, or source code
Critical infrastructure (servers, cloud services, network equipment)

Example: A SaaS company might identify its cloud-hosted application and customer records as top-priority assets because downtime or breach would lead to both massive financial loss and reputational damage.

Step 2 - Identify who or what can harm it

Threats can come from outside or inside:

External: cybercriminal gangs, hacktivists, state-sponsored groups, competitors
Internal: disgruntled employees, accidental mistakes, misconfigurations Environmental/technical: power outages, hardware failures, natural disasters

Example: For an online retailer, a likely threat could be credential-stuffing attacks by bots using stolen passwords from other breaches.

Step 3 - Find the weaknesses they could exploit

Every system has vulnerabilities - flaws that can be exploited. Common ones include:

Outdated software with known exploits
Weak or reused passwords
Poor network segmentation
Misconfigured cloud storage
Unpatched IoT devices

Tools like vulnerability scanners, penetration tests, and configuration audits help find them.

Example: A healthcare provider’s security team discovers an internet-facing medical records portal running outdated software vulnerable to SQL injection attacks.

Step 4 - Evaluate how bad and how likely each risk is

Not all risks are equal. You need to consider:

Likelihood - how probable is the event?
Impact - what’s the scale of damage if it happens?

You can do this qualitatively (low/medium/high), quantitatively (financial values, probability percentages), or a mix. Many use a risk heat map to visualize priority.

Example: A phishing attack might be very likely but low-impact if you have strong detection and quick response, while a ransomware breach on critical servers might be rare but catastrophic.

Step 5 - Decide what to do about each risk

You have four basic options:

Avoid - eliminate the risk source
Reduce - add protections to lower the chance or impact
Transfer - shift responsibility
Accept - consciously live with the risk if it’s low enough

Example: A small business might choose to avoid the risk of hosting its own email server by moving to a managed service with built-in security.

Cybersecurity risk management isn’t about chasing every possible threat, but it’s about clarity and focus. The five steps give you a repeatable, structured way to move from uncertainty (we don’t know where we’re vulnerable) to informed action (we know our critical risks and how we’re handling them).

Whether you’re a startup founder or part of a global security team, this process scales. It forces you to prioritize, to think like an attacker, and to make conscious decisions before an incident makes them for you.

In the next section, we’ll explore exactly how to reduce those prioritized risks - and how to choose the right strategy for each one.

Reduce Risks

In every recognized risk management framework - such us NIST to ISO/IEC 27005 or CIS RAM - the same truth emerges: when you strip away the details, there are only four possible ways to respond to a risk.

Why? Because any action you take will ultimately fit into one of these categories:

You remove the risk completely → Avoidance
You make it smaller by adding defenses → Reduction
You hand it off to someone else to handle → Transfer
You live with it after making a conscious choice → Acceptance

This is true whether the risk is financial, operational, or cybersecurity-related. More “options” you might hear - like mitigation, sharing, or outsourcing - are actually just variations or combinations of these four fundamentals.

Why four is enough

Logical completeness - these cover all possible actions you can take toward a risk.
Clarity - having just four categories avoids decision paralysis.
Scalability - works for a small business, a Fortune 500, or even national-level security.
Alignment - since global standards agree on these four, using them keeps your approach consistent with industry best practice.

Think of them as the four cardinal directions in navigation - you can go northeast if you want, but it’s still a mix of north and east.

Avoid the Risk

Eliminate the source of the risk entirely.
Example: If a legacy on-premise email server is riddled with vulnerabilities and costly to maintain, you might shut it down and move to a secure cloud provider.
Best for: High-risk systems that you don’t critically need or can easily replace.

Reduce the Risk

Put in controls to lower the likelihood or impact.
Example: Implementing multi-factor authentication (MFA) to reduce the risk of account compromise from stolen passwords.
Best for: Risks that can’t be avoided but can be significantly minimized.

Transfer the Risk

Shift the financial or operational impact to a third party.
Example: Purchasing cyber insurance to cover costs from a ransomware attack.
Best for: Risks that are difficult to reduce internally or require specialized expertise.

Accept the Risk

Make an informed decision to live with it.
Example: A small startup decides not to invest in enterprise-grade DDoS protection because the likelihood and impact are both low.
Best for: Low-likelihood, low-impact risks where mitigation is not cost-effective.

A single risk may require a combination of strategies. For example, you could reduce the chance of a phishing attack with employee training, transfer some financial exposure via insurance, and accept the residual risk.

Framework(s)?

In previous articles, you’ve already encountered security frameworks. Now, it’s time to see how they work in practice for risk management.

One of the most respected in the field is the NIST Risk Management Framework (RMF), developed by the U.S. National Institute of Standards and Technology. While originally designed for U.S. federal agencies, it’s now used globally by organizations of all sizes.

The RMF provides a structured, repeatable process for identifying, evaluating, and responding to risks in a way that aligns with business objectives and compliance requirements. It ensures that security isn’t just a technical checklist, but a strategic decision-making process.

7 Steps of the NIST RMF

Prepare - Understand the mission, context, stakeholders, and risk tolerance of your organization.
Categorize - Classify information systems based on the potential impact of a breach or compromise.
Select - Choose security controls proportionate to the risk level and system classification.
Implement - Put the chosen controls into operation, integrating them into processes and systems.
Assess - Test and verify that the controls work as intended.
Authorize - Grant formal approval for the system to operate based on residual risk.
Monitor - Continuously track changes, emerging threats, and system performance to adjust controls.

The RMF naturally guides you toward one of the four risk response strategies we discussed earlier:

If a system is too risky and cannot be secured → Avoid
If a risk can be brought down to an acceptable level → Reduce
If another party can handle it more effectively → Transfer
If the residual risk is acceptable within business tolerance → Accept

A framework like NIST RMF removes guesswork. It gives you a shared language, a clear process, and a proven foundation for deciding which risks to tackle, which to hand off, and which to live with.

Even the most fortified castle can fall - history has proven it time and again. In cybersecurity, the same rule applies: no system is invincible. That’s why smart organizations don’t chase “perfect” security - they manage risks so that one breach doesn’t become a catastrophe. It’s about knowing which defenses matter most, preparing for the attacks you can’t prevent, and building resilience to recover faster than the damage spreads. Less glamorous than an impenetrable wall, yes - but far more effective. In the end, the goal isn’t to be untouchable; it’s to ensure that when the walls are tested, your company is still standing the next day.

Boring Cybersecurity Theory: Threats (Vulnerability, Attack, Malware)

Dzmitry Harbachou — Wed, 13 Aug 2025 15:48:00 +0000

We’ve already been introduced to the key actors in the cybersecurity landscape - such as hackers, cyber activists, and other threat agents - and we understand the goals they may pursue and the capabilities they possess. Now, it’s time to examine the methods they use and the steps they take to achieve their objectives.

In this article, we will explore the fundamental concepts of cybersecurity, including threats, vulnerabilities, attacks, and malware. We will look at how these elements are interconnected, the different forms they can take, and why understanding them is essential for building effective security strategies.

Cybersecurity is a field of technology focused on protecting computers, mobile devices, and digital information from malicious actors seeking unauthorized access or intending to cause harm. Individuals, businesses, and governments increasingly store sensitive data - such as credit card numbers, addresses, phone numbers, passwords, personal details, and customer information - on desktops and mobile devices. The primary goal of cybersecurity is to keep that data secure and private. And the best way to ensure effective protection is to understand potential threats in order to prepare for and defend against them.

The following diagram shows how threats, vulnerabilities, attacks, and malware are interconnected within the cybersecurity landscape.

Threats - what can happen
      │
     Examples:
      ├── Hackers, cybercrime groups, competitors
      ├── Disgruntled employee, Administrator error
      │
      ▼  
Vulnerability (gaps, are used to get access)
      │
    Examples: 
      ├── Errors in code, configuration, logic
      ├── XSS
      ├── SQLi
      ├── open ports
      ├── weak passwords
      │
      ▼  
Attacks (actions)
      │
    Examples:
      ├── Exploits (Exploit) - code that exploits a vulnerability
      ├── Phishing
      ├── Brute- force / Credential stuffing
      ├── DDoS (Denial of Service)
      │
      ▼  
Malware (weapons)
      │
    Examples:
      ├── Viruses - embed themselves in other files
      ├── Worms - self-propagating
      ├── Trojans - disguise themselves as useful programs
      ├── Rootkits - hide the presence of other threats
      ├── Spyware - spies on the user
      ├── Ransomware - encrypts files, Demands ransom
      └── Backdoors - leaves a “backdoor” for access

How it all works together :

A threat actor is motivated to gain benefit or cause damage.
It seeks or discovers a vulnerability - technical, process or social.
An attack is launched, which may involve several phases (reconnaissance → delivery → exploitation → hardening → targeting).
The delivery/exploitation phase often utilizes malware as a means of penetration, withholding access, or extending influence.
If the attack is successful, risk is realized: data compromise, downtime, financial loss, reputational damage, etc.

There is plenty of information here, and instead of inventing a florid presentation, I suggest not wasting time - let's just dive into the facts. Let's read!

Threats

Threats in cybersecurity refer to any potential danger that could exploit a vulnerability and cause harm to a system, network, or data. These threats can come from various sources - including malicious individuals, software bugs, or natural disasters - and can lead to data breaches, service disruptions, or unauthorized access.

Below are several common classifications of threats used to better understand and address them.

By source

External: cybercriminals, governments, partners/contractors.
Internal (insider): employees, admins, contractors with access.
Natural/technogenic: fire, flooding, power failure, data center failure.

By actor (threat actors)

State APT groups (cyber espionage, sabotage).
Cybercriminals (financial motivation, extortion).
Hacktivists (ideology/protest).
Competitors (corporate espionage).
Script-kiddies (use off-the-shelf exploits without in-depth knowledge).
Internal attackers (intentional) and unintentional insiders (mistakes, negligence).

By attack vector

Networked: DDoS, MITM, service scanning and exploitation.
Application (AppSec): SQLi, XSS, RCE, SSRF, deserialization.
Social engineering: phishing, spear-phishing, vishing, BEC.
Supply-chain (through supply chain/libraries/partners).
Physical access: device theft, hardware tampering.
Cloud/configuration: public S3 bundles, excessive IAM privileges.
IoT/OT/SCADA: attacks on industrial controllers, smart devices.

By target/impact (CIA-triad + other)

Breach of confidentiality: data leakage, exfiltration.
Integrity breach: data spoofing/modification, sabotage.
Availability breach: DDoS, encryptors (ransomware).
Breach of trust/reputation, fraud, financial loss.

By motivation

Financial gain (ransomware, banking trojans, cryptomining).
Espionage (cyber espionage, intellectual property theft).
Sabotage/destruction (disabling IT/OT systems).
Activism/ideology.
Reconnaissance/network movement (for future operations).

By complexity and duration

Opportunistic (mass, automated, no targeting).
Targeted (targeted).
APT (Advanced Persistent Threat) - lengthy, resource-intensive, with TTP by MITRE ATT&CK.

By environment/technology

Clouds (IaaS/PaaS/SaaS).
Mobile devices.
IoT / IIoT.
OT/ICS (industry, energy).
AI/ML-centric threats (data poisoning, model stealing, deepfakes).
Crypto/blockchain ecosystem (compromise of smart contracts, bridges, wallets).

Vulnerabilities

Cybersecurity professionals spend much of their time chasing weaknesses - patching unpatched systems, reconfiguring misconfigured clouds, training distracted users. All of these weaknesses share one name: vulnerabilities. But not all vulnerabilities are created equal. This article maps the landscape so you can identify, prioritize, and ultimately eliminate the cracks before an adversary slips through.

A vulnerability is a key point of interest for both hackers and cybersecurity professionals. It’s a weakness in a system that can be exploited to gain unauthorized access or cause damage. In ancient times, it would be like an open gate in a city wall - if the gate is left open and the guards are asleep, invaders can raid the city with ease… and might even leave a thank-you note for the hospitable hosts on their way out. That’s why identifying and securing vulnerabilities lies at the heart of any effective cybersecurity strategy.

Where Do Vulnerabilities Come From?

Vulnerabilities in cybersecurity can stem from a variety of sources. Understanding where they come from is essential for identifying and addressing them effectively. Below are the four most common origins of vulnerabilities, along with real-world examples that highlight how they manifest in practice.

1. Software Flaws

One of the most common sources of vulnerabilities is flawed or poorly written code. These can result from bugs, design oversights, or a failure to account for edge cases during development. Classic examples include buffer overflows in C-based applications, SQL injection vulnerabilities in login forms, and unsafe object deserialization in web services. Even a single overlooked line of code can open the door for serious security breaches.

2. Hardware Flaws

Sometimes the vulnerabilities lie deeper - within the hardware itself. Defects in CPUs, firmware, or devices can lead to serious exploits that are difficult to patch or detect. Notable examples include the Spectre and Meltdown side-channel attacks, which exploited fundamental flaws in modern processors. Other cases include backdoored routers or vulnerable UEFI firmware, which attackers can use to compromise systems at a low level.

3. Misconfigurations

Even well-designed systems can be made insecure through misconfiguration. This includes using insecure default settings, failing to restrict access properly, or exposing internal tools to the internet. Examples include publicly accessible Amazon S3 buckets, open FTP or Telnet services, Kubernetes dashboards left unprotected, or applying overly permissive file permissions like chmod 777 on sensitive data.

4. Human Factor

Finally, humans are often the weakest link in the security chain. Whether through ignorance, error, or manipulation, people can unintentionally create vulnerabilities. Common examples include reusing passwords across services, leaving test or default accounts active in production environments, or falling victim to phishing emails. Social engineering remains a highly effective tactic for attackers precisely because it targets human behavior rather than technology.

Mapping Vulnerabilities Across the Stack

Vulnerabilities can exist at every layer of a system - from physical infrastructure all the way up to application logic. Understanding where these weaknesses occur helps security teams apply defense-in-depth strategies and prioritize remediation efforts. Below is a breakdown of common vulnerability types across different layers of the stack:

1. Network Level

At the network layer, poor segmentation or outdated technologies can expose internal systems to external threats. Examples include weak or flat network architecture, legacy VPN protocols that no longer meet modern security standards, and open SMB (Server Message Block) shares accessible without proper restrictions.

2. Protocol Level

Vulnerabilities in communication protocols can be exploited to intercept, manipulate, or redirect data. Common issues include SSL/TLS downgrade attacks, DNS cache poisoning, and insecure SMTP relays - all of which can lead to man-in-the-middle attacks or data tampering.

3. Application Level

The application layer is one of the most frequently targeted by attackers. Vulnerabilities here include Cross-Site Scripting (XSS), SQL Injection (SQLi), Remote Code Execution (RCE), and broken access control. These flaws can lead to unauthorized data access, service disruption, or full system compromise.

4. Operating System Level

When the underlying OS is not properly maintained, it can expose systems to low-level attacks. Examples include outdated kernels lacking security patches, vulnerable device drivers, and the absence of exploit mitigation features like Address Space Layout Randomization (ASLR) or Data Execution Prevention (DEP).

5. Physical Level

Even the best digital defenses can be bypassed if physical security is neglected. Unlocked server rooms, unencrypted laptops left unattended, or the use of rogue USB devices can all lead to direct data theft or the installation of persistent malware.

How Dangerous Are They? (Severity)

Not all vulnerabilities are created equal. To manage risk effectively, it's essential to classify vulnerabilities by their severity. This helps security teams prioritize which issues to address first, ensuring that the most dangerous threats are mitigated before they can be exploited.

Here’s a breakdown of common severity levels, the typical impact associated with each, and why they matter in a real-world security context:

Severity	Typical Impact	Why It Matters
Critical	Full system takeover, mass data breach	Must be patched or mitigated immediately - attackers often automate exploitation.
High	Data exfiltration, authentication bypass	Should be prioritized quickly due to high risk of real-world damage.
Medium	Denial of Service (DoS), partial compromise	Can be scheduled for remediation - may be chained with other bugs for escalation.
Low	Information disclosure, banner grabbing	Fix during regular patch cycles - valuable for attackers during reconnaissance.

Understanding severity not only helps with technical triage, but also with communicating risk to stakeholders. Critical and high-severity vulnerabilities often require immediate attention, while medium and low-severity issues can be managed over time - though none should be ignored. In cybersecurity, even “low-risk” vulnerabilities can be a foothold for a more serious breach if left unattended.

By Exploitation Method

Vulnerabilities can be categorized not only by their severity or stack, but also by how attackers exploit them. Understanding these methods helps prioritize risks and build more effective defenses.

Remote vulnerabilities - no prior access needed (e.g., SQLi, Log4Shell).
Local vulnerabilities - require foothold first (privilege escalations like Dirty Pipe).
Logical flaws - business‑logic errors (bypassing payment limits, coupon abuse).
Zero-days - unknown to the vendor, patch not available; keep multi-layered protection at the ready.

Organizational & Process Vulnerabilities

Technology alone is rarely the root of a breach - it's often weaknesses in processes, policies, and people that create the real risk surface.

Common organizational vulnerabilities include the absence of a proper patch-management policy, allowing known CVEs to remain unpatched for months. Defensive tools such as antivirus and intrusion detection systems may be in place, but if they're outdated or misconfigured, they fail to detect evolving threats. A lack of security awareness among staff means users continue to fall for phishing emails and open malicious attachments like “invoice.pdf.exe.” And perhaps most critically, without tested and recoverable backups, a ransomware incident can escalate into a full-scale business disaster.

Vulnerabilities are inevitable, breaches are not. By systematically spotting weaknesses and treating the most dangerous first, you shift the odds dramatically in your favor.

And, as tradition demands, let’s wrap up with a few infamous security stories - real-world bugs that left scars, headlines, and some valuable lessons.

😏 Heartbleed (CVE‑2014‑0160)
Year: 2014
Who knew a harmless-sounding "heartbeat" feature in OpenSSL could end up bleeding encryption keys across the internet? It was just a missing bounds check… and suddenly half the web was exposed. Lesson: never underestimate small bugs in critical libraries.

😧 Log4Shell (CVE‑2021‑44228)
Year: 2021
A logging library. That’s all it was. But thanks to some overly “helpful” features in Log4j, attackers could achieve remote code execution by… sending a log string. In short: “If you can log it, you can own it.” Java admins everywhere cried in JSON.

Stay patched, stay paranoid, and keep learning - because the attackers surely are.

Attacks

In cybersecurity, an attack is any intentional action designed to exploit a vulnerability in order to gain unauthorized access, disrupt services, or steal data. To defend effectively, it’s crucial to understand not just what attacks look like, but how they work - and why they happen.

Below is an organized overview of the most common attack types, grouped by attack vector (how they enter), technique (how they operate), and objective (what they aim to achieve). This structure helps teams classify threats, recognize attack patterns early, and prioritize response based on real-world risk.

By Point of Entry

To understand how attacks begin, it's helpful to look at their initial point of entry - the place where attackers first interact with a system. Each vector opens a different kind of door, and each demands a tailored defense strategy.

Here are the most common entry points attackers use:

Network

Attackers manipulate network traffic, protocols, or routing mechanisms to disrupt services or intercept communication.
Typical attacks: DDoS, ARP spoofing, DNS cache poisoning, TCP RST flood.

Web Applications

Vulnerabilities in web services are exploited through crafted input or malicious data injection. This is one of the most common and dangerous vectors.
Typical attacks: SQL injection (SQLi), Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Remote Code Execution via unsafe deserialization.

Social Engineering

Here, the attacker targets people, not systems - manipulating users into giving up access, credentials, or performing unsafe actions.
Typical attacks: phishing, spear-phishing, business email compromise (BEC), voice phishing (vishing), SMS phishing (smishing).

Supply Chain

By compromising a trusted third-party component, attackers gain indirect access to a target system - often going unnoticed.
Typical attacks: malicious package updates (e.g. NPM), SolarWinds-style backdoors in software build pipelines.

Physical Access

Sometimes attackers go beyond the digital layer and gain direct access to devices or environments.
Typical attacks: rogue USB drives, hardware keyloggers, Evil Twin Wi‑Fi access points.

Cloud / SaaS

Misconfigured cloud environments or weak identity policies can be an open door to sensitive resources.
Typical attacks: stolen OpenID Connect (OIDC) tokens, exposed AWS S3 keys, missing multi-factor authentication (MFA) in Azure AD.

IoT / OT / SCADA Systems

Industrial controllers and smart devices are often insecure by design — and hard to patch.
Typical attacks: logic manipulation in PLCs, IoT botnets like Mirai targeting smart cameras and routers.

Understanding the entry point is the first step in anticipating how an attack may unfold - and in designing defenses that block threats before they take hold.

By Mode of Impact

Passive - Eavesdropping, scanning, OSINT; observes without modifying data or systems.
Active - Injections, remote code execution (RCE), ransomware; alters system state or breaks confidentiality, integrity, or availability.
Combined - Starts with silent reconnaissance, followed by active exploitation; common in advanced persistent threats (APTs).

Popular Attack Techniques (TTPs)

Attackers rely on a wide range of Tactics, Techniques, and Procedures (TTPs) to achieve their objectives. Below are the most common categories and what they typically involve:

Credential Attacks - Brute force, credential stuffing, pass-the-hash, password spraying. Often use leaked password dumps or weak login policies.
Injection Attacks - SQL, LDAP, OS command injection, XXE, NoSQL injection. Prevented through input validation and secure coding practices.
Memory Exploitation - Buffer overflows, use-after-free, integer overflows. Common in low-level languages like C/C++.
Man-in-the-Middle (MitM) - ARP poisoning, SSL stripping, session hijacking. Modern protocols like TLS 1.3 and HSTS help reduce the risk.
Malware-Based Attacks - Ransomware, Trojans, worms, crypto-miners, RATs. Delivered via phishing emails, drive-by downloads, or malicious ads.
Denial-of-Service (DoS) - DNS/UDP floods, SYN floods, Slowloris-style attacks. Often launched by botnets to overwhelm services.
Privilege Escalation - Kernel exploits (e.g., Dirty Pipe), misconfigured SUID, cloud metadata abuse. Used to gain admin or root access.
Evasion and Obfuscation - Fileless malware (PowerShell, WMI), packed binaries. Designed to bypass antivirus and endpoint protection.
Data Exfiltration - DNS tunneling, steganography, abuse of cloud sync services. Makes stolen data appear as regular outbound traffic.

A Step‑by‑Step Attack: The MITRE ATT&CK Kill Chain

Reconnaissance - OSINT collection, port scanning.
Initial Access - Phishing email delivers dropper.
Execution - Payload runs via PowerShell.
Persistence - Adds autorun key in Registry.
Privilege Escalation - Kernel exploit used for admin rights.
Defense Evasion - Disables antivirus/EDR tools.
Credential Access - Extracts passwords from LSASS memory.
Lateral Movement - Pass-the-Hash to move within Active Directory.
Collection - Archives sensitive documents.
Exfiltration - Sends data via HTTPS to attacker-controlled cloud.
Impact - Launches ransomware and encrypts files.

Attacks by Goal (CIA + E)

Attacks often target one or more of the following:

Confidentiality - Sniffing, SQL dumps, phishing. Result: Data breaches, regulatory fines.
Integrity - Web defacement, data tampering (e.g., IoT sensors). Result: Operational disruption, misleading metrics.
Availability - DDoS, ransomware, database destruction. Result: Downtime, reputational damage.
Economics / Reputation - Business Email Compromise (BEC), CEO fraud, insider trading. Result: Financial loss, stock price drops.

How to Defend (Quick Guide)

Layered security - Network segmentation, Zero Trust, WAF, EDR, SIEM.
Patch management - Prioritize by CVSS scores and real-world exploitability.
Secure development - Use SDLC practices, SAST/DAST, and threat modeling.
User awareness - Regular phishing simulations and security training.
Backups & Disaster Recovery - Keep offline, off-site, and test them regularly.
Threat intelligence - Track IOCs, follow TTP trends, and map to MITRE ATT&CK.

An attack is rarely a single event - it’s a chain of methods and tools. Break that chain early, and most threats will remain nothing more than lines in an analyst’s report.

Malware

Malware is a broad term for any malicious code designed to disrupt systems, steal data, or gain unauthorized access. Despite decades of evolution, it remains one of the top cyber threats. Below is a practitioner-focused breakdown of today’s malware landscape.

By Primary Function (Payload)

Virus - Injects itself into files to spread. Examples: ILOVEYOU, Michelangelo. Rare today; mostly blocked by modern EDRs.
Worm - Spreads automatically over networks. Examples: Conficker, WannaCry. Recently resurged via AI-crafted SMB exploits.
Ransomware - Encrypts data for ransom. Examples: LockBit, BlackCat. Now with “triple extortion” (encryption + leak + DDoS).
Spyware/Infostealer - Steals credentials and session data. Examples: AgentTesla, RedLine. New stealers target browsers and MFA tokens.
Trojan - Masquerades as legitimate software. Example: Emotet. Often the first stage in multi-phase attacks.
Rootkit/Bootkit - Hides deep in the system or firmware. Examples: TDL-4, LoJax. UEFI implants require firmware-level validation to detect.
Wiper - Destroys data permanently. Examples: Shamoon, NotPetya. Often seen in geopolitically motivated attacks.
Cryptominer - Hijacks system resources to mine crypto. Example: XMRig variants. Containerized environments are common targets.

By Infection Vector

Email & Phishing - Office macros, ISO/LNK droppers.
Drive-by Download - Malicious ads or compromised websites.
Supply Chain - Poisoned libraries (NPM/PyPI), trojanized updates.
Removable Media - USB tools, AutoRun exploits (still seen in OT).
Remote Exploits - VPN, RDP, Confluence, Ivanti zero-days.
Lateral Movement Tools - PSExec, WMI, remote PowerShell.

By Stealth & Persistence

Fileless/Living off the Land - PowerShell, WMI, LOLBins. Hard to detect - relies on memory for execution.
File-based - Executables, scheduled tasks, registry keys. Moderate detection - caught by signatures + heuristics.
Firmware/UEFI/BMC - Malware in motherboard or controller firmware. Highly stealthy - requires chip-level attestation.

By Target Platform

Windows - Still the #1 target for ransomware and loaders.
Linux/Containers - Cryptominers, botnets (Kaiji, Kinsing).
macOS - RATs and adware using notarization loopholes.
Android/iOS - Banking trojans (Anatsa), spyware (Pegasus).
IoT/OT - Mirai variants, ICS wipers.
Cloud/SaaS - OAuth token theft, misconfigured access scopes.

The Malware Kill Chain (Example)

Initial Access - Phishing email with dropper attachment.
Execution - Macro runs PowerShell loader.
Command & Control - Connects to C2 via DNS-over-HTTPS.
Privilege Escalation - Exploits kernel bug (e.g. Dirty Pipe).
Lateral Movement - RDP/AD enumeration across network.
Action on Objectives - Deploys ransomware, exfiltrates data.

Break any one of these steps - and the entire attack can fail.

Malware keeps evolving - fileless payloads, Rust-based binaries, firmware-level persistence - but the same weaknesses remain: users click, systems stay unpatched, and misconfigurations persist.

Shrink your attack surface. Assume compromise. Monitor everything. Back up often.

Stay patched. Stay paranoid. And may your backups never be needed.

Comparison to reality

Sometimes the abstract concepts of cybersecurity become clearer when compared to everyday scenarios. Let’s imagine your system is a house - how would typical security elements translate?

Category	Examples	Figurative comparison
Threat	Attacker wants to steal data	Burglar in the neighborhood
Vulnerability	Program with a bug (e.g. SQLi)	Window that was forgotten to close
Attack	SQL injection, phishing, DDoS	Robber action
Malware	Trojan, virus, spy, ransomware	Theft tool (lockpick)

Every cyberattack begins with a motive - the attacker wants something: money, data, disruption. That’s the threat. To act on that motive, they search for weak spots - vulnerabilities - like an unpatched server or misconfigured access. Once they find one, they launch an attack, often using malware as a tool to gain entry, stay hidden, or cause damage.

Cybersecurity isn’t just about firewalls and antivirus - it’s about thinking like a defender and detective in a world full of burglars, windows, and lockpicks.
Understanding how attackers think is the first step toward making your home or system invulnerable.

Boring Cybersecurity Theory: Hats (Understand Attackers)

Dzmitry Harbachou — Wed, 13 Aug 2025 15:44:56 +0000

Earlier, if you read the first article, you were introduced to funny stories about young hackers and the epic failures of major corporations. Now it's time to dive deeper into the world of hackers. But in the professional field, a more generalized term is used threat actor - because it’s not always someone hacking you through your home internet. Threats can come from colleagues, activists, or just someone bored enough to mess around - and accidentally cause hundreds of thousands of dollars in damage.

"Life is life" - a phrase my teacher likes to repeat.

The threat actor is any person or group of people who presents a security risk. In this reading, you’ll learn about different types of threat actors. You will also learn about their motivations, intentions, and how they influence the security industry.

To defend effectively, you need to understand who you're defending against and what their goals are. In some cases you can anticipate the actor's behavior and build a defense, in others - for example, when you are facing a monkey with a grenade - you can only minimize the risks and hope for a miracle.

Internal VS External Threat Actors

When people hear the word hacker, they often imagine an external threat - a teenager in a hoodie breaking into corporate databases and transferring money to an offshore account. While this exaggerated image has become a popular stereotype, it highlights a common misconception: the belief that all cyber threats come from outside an organization. In reality, threats can originate both externally and internally, and overlooking the risks posed by insiders can leave critical vulnerabilities unaddressed.

"There is no worse enemy than a foolish ally."
In 2025, UK logistics company KNP (est. 1867) shut down after a ransomware attack. The breach? Hackers guessed a weak employee password, encrypted systems, and wrecked backups. Despite having cyber insurance, the company couldn’t recover - 700 people lost their jobs. A century-and-a-half-old business was brought down not by elite hackers, but by the digital equivalent of leaving a castle gate made of wet cardboard.

Internal Threat Actors

Internal threat actors are individuals who have legitimate access to an organization’s systems, networks, or data. This includes employees, contractors, suppliers, or any other party with trusted access. Their actions can be both intentional - for example, stealing confidential information or sabotaging systems - or unintentional, such as making mistakes that open security gaps. The key characteristic of an internal threat actor is that they operate from within, often leveraging privileges that bypass many standard security measures.

External Threat Actors

External threat actors are individuals or groups outside of an organization who attempt to gain unauthorized access to its systems or data. These can include cybercriminals, state-sponsored attackers, hacktivists, or opportunistic hackers. Unlike insiders, external actors must find ways to penetrate security barriers, often using methods like phishing, malware, brute force attacks, or exploiting software vulnerabilities. They are typically motivated by financial gain, political agendas, espionage, or the challenge of breaking into secure systems.

In this article, I'd like to focus on a few specific types of threat actors:

Hackers - a seemingly straightforward category, but in reality, their motives and methods are far more complex.
Activists - a group that’s always relevant, though often misunderstood.
Script Kiddies - once seen as harmless amateurs, but with the rise of AI tools, they’re becoming increasingly relevant and dangerous.

Hackers

In the world of information security, hackers are often classified by color of "hat", a metaphor that comes from westerns where "white hats are the good guys, black hats are the bad guys".

Here's a detailed classification:

Black Hat - “Black Hats”.

😈 Malicious, acting illegally.
These actors engage in hacking for profit, sabotage, or blackmail. They often use methods such as viruses, exploits, and phishing to infiltrate systems and steal sensitive data. While some operate independently, many work as part of organized criminal networks or even state-sponsored groups. Notable examples include ransomware gangs like REvil and Conti, as well as advanced persistent threat (APT) groups linked to nation-states.

White Hat - “White Hats”.

😇 Ethical hackers, operate legally
These individuals help organizations identify and fix security vulnerabilities. They typically work as penetration testers, participate in bug bounty programs, or operate within internal information security teams. Crucially, they conduct their testing with official authorization, ensuring that their activities are legal and aligned with the company’s goals. Examples include ethical hackers who contribute to platforms like HackerOne or Bugcrowd.

Grey Hat - “Gray Hats.”

❔ Intermediate, balancing good and evil.
These hackers operate without official authorization but typically do not cause harm. They may discover and report vulnerabilities to organizations, though their approach isn't always appropriate or welcome. In some cases, they even request a "reward" for their findings, blurring the line between ethical intent and questionable behavior. For example, someone might find a flaw on a bank’s website, report it without prior permission, and end up receiving either a thank-you - or a legal penalty.

Red Hat (in some classifications).

👊 Hackers who "war on blacks" aggressively
These individuals hack black hats in retaliation, often acting as digital vigilantes. While their intentions may align with defending others, they sometimes operate outside the boundaries of the law, making their actions legally and ethically ambiguous. They are closely related to activist groups and occasionally refer to themselves as “cyberhackers,” blurring the line between justice and vigilantism.

Blue Hat are vigilantes or external testers.

💁 Revenge and personal motives
Blue hat hackers can be both vigilantes and external testers, but the most common definition refers to them as external security professionals hired by organizations to test systems for vulnerabilities before launch. However, in some contexts, the term "blue hat" is also used to describe individuals who engage in hacking activities for revenge or to target black hat hackers, acting as vigilantes.

Green Hat are new.

👽 Apprentices who are just learning about hacking.
Green hat hackers are “green” in the sense that they are inexperienced and may not have the technical skills of more experienced hackers. At this amateur level, they may not intentionally seek to cause harm, but may do so accidentally.

Сongrats! As you've already touched on the secret side of the cybersecurity and dipped into it a bit, your hat's begun to take on a green color

👫 Hacktivist

It's not about money or profit(in any form) - it's about an idea. And when the idea takes the lead, untampered by money or practical limits, we all know where that can lead.

A hacktivist is an actor who engages in "hacktivism," which combines hacking with activism to advance political or social causes. Hacktivists use their technical skills to disrupt, protest, or leak information, often targeting organizations or governments they oppose.

👶 Script kiddies (amateur hackers)

Script kiddies is slang for amateur hackers who lack the technical skills needed to create their own hacking programs or conduct sophisticated attacks, such as SQL injections, so they use scripts created by others. Despite being novices, script kiddies are still dangerous - especially since they often don’t fully understand the damage they can do with the pre-created programs they use.

While we’ve touched on some of the most well-known hacker profiles and motivations, this is far from an exhaustive list. The world of cybersecurity is layered and constantly shifting, and new threat profiles emerge just as quickly as old ones evolve. Future sections will dive deeper into more specific and complex classifications - but for now, you have a clear understanding of who might be targeting you, what motivates them, and what kind of behavior you can expect.

Unfortunately, no one can be told what the Matrix is. You have to see it for yourself. - The Matrix (1999)

Just like the Matrix, no article can prepare you for everything - but now, at least, you know what to start paying attention to.

Boring Cybersecurity Theory: CIA Triad (The Core Principles of Security)

Dzmitry Harbachou — Wed, 13 Aug 2025 15:41:33 +0000

We’ve looked at how cybersecurity came to be - how it grew from simple beginnings into a global necessity. Now, it's time to move from history to understanding the present.

As the digital world expands, so does the need to understand the core ideas and principles that guide how we protect it. Before we explore tools and frameworks, we need to establish a clear foundation: the fundamentals of cybersecurity.

Cybersecurity is the practice of protecting digital systems, networks, applications, and data from unauthorized access, misuse, or disruption. It involves both technical defenses and strategic processes aimed at reducing risk and ensuring that digital environments remain secure and reliable.

The main goals of cybersecurity can be grouped into three key areas:

Confidentiality - keeping sensitive data private.
Integrity - ensuring information remains accurate and trustworthy.
Availability - making sure systems and data are accessible when needed.

These objectives form the foundation of modern cybersecurity - and they’re captured in a simple but powerful model known as the CIA Triad, which we’ll explore next.

The CIA triad is a model that helps inform how organizations consider risk when setting up systems and security policies. It is made up of three elements that cybersecurity analysts and organizations work toward upholding: confidentiality, integrity, and availability. Maintaining an acceptable level of risk and ensuring systems and policies are designed with these elements in mind helps establish a successful security posture, which refers to an organization’s ability to manage its defense of critical assets and data and react to change.

Confidentiality

Confidentiality is the idea that only authorized users can access specific assets or data. In an organization, confidentiality can be enhanced through the implementation of design principles, such as the principle of least privilege. The principle of least privilege limits users' access to only the information they need to complete work-related tasks. Limiting access is one way of maintaining the confidentiality and security of private data.

Integrity

Integrity is the idea that the data is verifiably correct, authentic, and reliable. Having protocols in place to verify the authenticity of data is essential. One way to verify data integrity is through cryptography, which is used to transform data so unauthorized parties cannot read or tamper with it (NIST, 2022). Another example of how an organization might implement integrity is by enabling encryption, which is the process of converting data from a readable format to an encoded format. Encryption can be used to prevent access and ensure data, such as messages on an organization's internal chat platform, cannot be tampered with.

Availability

Availability is the idea that data is accessible to those who are authorized to use it. When a system adheres to both availability and confidentiality principles, data can be used when needed. In the workplace, this could mean that the organization allows remote employees to access its internal network to perform their jobs. It’s worth noting that access to data on the internal network is still limited, depending on what type of access employees need to do their jobs. If, for example, an employee works in the organization’s accounting department, they might need access to corporate accounts but not data related to ongoing development projects.

The CIA triad is essential for establishing an organization’s security posture. Knowing what it is and how it’s applied can help you better understand how security teams work to protect organizations and the people they serve.

Boring Cybersecurity Theory: Where it all began

Dzmitry Harbachou — Wed, 13 Aug 2025 15:40:44 +0000

We've all faced security in one way or another, and most of us have at least a basic understanding of what it is. So before we dive into the details, let's go back in time - to the days of magnetic mice, bulky CRT monitors - when the sun seemed a little warmer and the world a little simpler.

Where It All Began

The history of cybersecurity is mostly a history of faults (please do not mix it up with bugs), vulnerabilities, and attempts to close them. Cybersecurity as a discipline emerged not because someone came up with “let's protect computers” in advance, but because they started breaking them.

1950s

Alright, let's imagine that our journey begins in the 1950s. Huge computers occupying entire rooms or even buildings, with unrealistic prices that ordinary users simply could not afford. These machines were used mainly by scientists and military men - for calculations, modeling and other serious tasks. Security was physical access control: if you weren't in the building, you couldn't access the data. To protect information, locks, badges, and guards were used, not software. There was no concept of “hackers,” viruses, or network attacks - simply because there were no networks. All programs were run manually or on a schedule. There was no OS in the usual view, no multi-user access, one computer - one person or group. Data was stored on punched cards, magnetic tapes and drums. No encryption. If you accessed the media, you got everything.

1960s

Let's go forward 10 years, the '60s. In the 1960s, the first full-fledged operating systems and the concept of multi-user mode began to be actively developed. Computers were becoming more and more powerful, and it made sense to share their resources among several users. Thus, the idea of time-sharing was born - temporarily dividing access to the processor, which was a turning point for cybersecurity. Along with this came the first passwords and initial access control mechanisms: each user had to log in somehow, isolate their processes and protect their data. It was during this period that the realization dawned that threats could come from other users on the same system. Developers started thinking about access control, user rights and isolation - and this became the foundation of future information security models.

In 1965, while working with the CTSS system (one of the first multi-user operating systems), a student at MIT encountered a time limit on machine access. To get around this limitation, he wrote a script that copied a system file containing the passwords of all users. CTSS stored this file in the clear, with no encryption or protection. By accessing other people's accounts, the student was able to log in under different names and gain more computing time.

This incident is considered the first recorded case of password cracking in history, and was one of the first calls for real data protection even in closed systems.

1970

In 1969, ARPANET, the world's first computer network, was launched and became the forerunner of the Internet. In the 1970s, it grew rapidly, connecting universities, military institutions and research centers. Initially, ARPANET was designed as an open environment for trusted users, so it had no built-in authentication, encryption or protection against intruders. As the network grew, the first incidents began to appear: unauthorized access, misuse of resources, and remote login attempts. These events sent an important signal: for the first time, security began to be seen as an integral part of network architecture. This decade marked the beginning of discussions on network ethics, user behavior, and technical protection of information in distributed systems.

In 1973, a user discovered that he could connect to a remote system via the ARPANET without authorization, exploiting a vulnerability in the network software. This case was the first recorded remote network intrusion, demonstrating that even among “trusted” participants, real security threats were possible. The incident led to a discussion of the need for systemic access control and the formation of the first network policies.

1980

In the 1980s, computers were no longer strictly scientific and military tools - the era of the personal PC had begun. With the introduction of the IBM PC, MS-DOS and Apple II, millions of people gained access to computing technology, and with it the first computer viruses began to spread. Most attacks occurred offline - via floppy disks carried from machine to machine. This period also saw the first anti-viruses, firewalls and access controls. Against this backdrop, new laws governing computer crime are formed, and hacker culture emerges from the shadows: groups, manifestos and the first high-profile arrests appear. Information security is becoming a necessity - not only for the military, but also for businesses and private users.

Brain is the first mass-market virus (1986)
Created by two brothers from Pakistan "for a good cause," the Brain virus infected the boot sector of floppy disks and spread around the world. It displayed the contact information of authors who did not expect a global epidemic.

First worm on the Internet - Morris worm (1988)
Launched by student Robert Morris, this worm infected about 10% of all computers connected to the ARPANET due to a bug in the code. This was the first mass network infection, leading to the creation of CERT, the first computer incident response team.

Hacker Culture and Manifesto (1986)
After a hacker was arrested under the pseudonym The Mentor, he wrote a "Hacker Manifesto" in which he advocated the ideas of freedom of information and curiosity. The document became a symbol of hacker ethics and is still quoted in subcultures today.

1990s

In the 1990s, the Internet expanded beyond the academic and military environments and became available to the general public. At the same time, new attack vectors emerge: through e-mail, Web sites, and network services. Malware, macro viruses, and social engineering are spreading. For the first time, users are facing massive phishing attacks, viruses in office documents, and Trojans disguised as useful software. In response, an entire ecosystem of defense solutions emerges: antiviruses, firewalls, intrusion detection systems (IDS). Large companies begin to build their first information security strategies. At the same time, the first international cybercrime laws are formed, and hacker groups enter the global arena.

My favorite story is the one about NASA. I don't know a single person who hasn't heard of NASA. But if you haven't, NASA is the U.S. government agency responsible for the civilian space program and aerospace research.
So what happened there?

In 1999, a 15-year-old teenager from California gained access to NASA and Pentagon systems using the simplest method - automated password guessing. Most accounts had passwords like "password", "1234", or even had no password at all.

NASA had to shut down its spacecraft control systems for 21 days, and the damage was estimated at $1.7 million.

The hacker was arrested, but the case went down in history as a textbook example of cybersecurity negligence.

This brings us to the end of the review of the key moments that led to the emergence of a new discipline: cybersecurity. As we can see, it did not develop as a carefully planned endeavor, but rather as a reaction to human error, short-sightedness, and the unforeseen consequences of our own creations. Of course, the story doesn’t end here - many fascinating events have unfolded since then, leading us to where we are today. Yet, that is a story for another time.

I never thought this article would make you an expert in cybersecurity, and I didn't expect it to be interesting to everyone (After all, why read about something that has already happened?). But, in my opinion, there are a few lessons worth remembering here:

You don't have to solve all problems yourself; sometimes it's enough just to read about them.
You can never be completely sure that you've considered everything.
And finally, just because something does not exist yet does not mean that it cannot appear in the future.