Chapter 1 β The CIA Triad
The CIA Triad is the foundational model for information security. Every security control, threat, and attack can be mapped to at least one of its three pillars.
Confidentiality
Information is only accessible to those authorised to see it. Broken by: eavesdropping, credential theft, data breaches.
Integrity
Data is accurate and hasn't been tampered with. Broken by: man-in-the-middle, SQL injection, ransomware.
Availability
Systems and data are accessible when needed. Broken by: DDoS attacks, ransomware, hardware failure.
Additional Principles
- Non-repudiation β A user cannot deny an action they performed (digital signatures prove this)
- Authentication β Verifying identity (something you know/have/are)
- Authorisation β What an authenticated user is permitted to do
- Accounting/Auditing β Logging who did what and when
Chapter 2 β Threat Actors
| Actor | Motivation | Skill | Example |
|---|---|---|---|
| Script Kiddie | Thrill, notoriety | Low | Running downloaded tools without understanding them |
| Hacktivist | Political/social | Medium | Anonymous DDoS campaigns |
| Cybercriminal | Financial gain | MediumβHigh | Ransomware gangs, card skimming |
| Insider Threat | Revenge, profit | Variable | Disgruntled employee stealing data |
| Nation-State APT | Espionage, sabotage | Very High | Stuxnet, SolarWinds |
| Penetration Tester | Authorised testing | High | You β hired to find weaknesses before attackers do |
Chapter 3 β Attack Types
Network Attacks
- Reconnaissance β Passive (OSINT, Google dorking) and active (port scanning, ping sweeps)
- Man-in-the-Middle (MitM) β ARP spoofing, SSL stripping, DNS poisoning
- DoS/DDoS β SYN flood, UDP flood, volumetric attacks, application layer (Layer 7)
- Packet Sniffing β Capturing cleartext credentials on unencrypted protocols
Application Attacks
- SQL Injection β Manipulating database queries via unsanitised input
- XSS (Cross-Site Scripting) β Injecting malicious JavaScript into web pages
- CSRF β Tricking authenticated users into performing unintended actions
- File Inclusion β LFI/RFI: including local or remote files through vulnerable parameters
- Command Injection β Executing OS commands via web application input
Social Engineering
- Phishing β Deceptive emails to steal credentials or deliver malware
- Spear Phishing β Targeted phishing using personal information
- Vishing β Phone-based social engineering
- Pretexting β Creating a fabricated scenario to manipulate a target
Chapter 4 β Vulnerability Management
CVE & CVSS
CVE (Common Vulnerabilities and Exposures) is the standardised naming system for known vulnerabilities. Each CVE has an ID like CVE-2021-44228 (Log4Shell).
CVSS (Common Vulnerability Scoring System) scores vulnerabilities 0β10:
| Score | Severity |
|---|---|
| 0.0 | None |
| 0.1β3.9 | Low |
| 4.0β6.9 | Medium |
| 7.0β8.9 | High |
| 9.0β10.0 | Critical |
# Search CVEs from command line
searchsploit apache 2.4.49
searchsploit -m 50383 # copy exploit to current dir
# Update searchsploit database
sudo searchsploit -uChapter 5 β Penetration Testing Methodology
Professional penetration testing follows a defined lifecycle. Every phase feeds information into the next.
Planning & Scoping
Define what is in scope (IPs, domains, applications), rules of engagement, testing windows, and emergency contacts. Get the Statement of Work (SoW) signed.
Reconnaissance
Passive: WHOIS, DNS records, Google dorking, LinkedIn, Shodan, Censys β no direct contact with target. Active: Nmap scans, banner grabbing β direct interaction with target systems.
Scanning & Enumeration
Port scanning, service version detection, OS fingerprinting. Enumerate web directories, SMB shares, SNMP, SMTP users, FTP banners. Build a complete picture of the attack surface.
Exploitation
Gain initial access: exploit vulnerabilities, use found credentials, phish users. Document every step β screenshots, commands, output. Never modify or delete data.
Post-Exploitation
Establish persistence, escalate privileges, pivot to other systems, dump credentials. Demonstrate business impact: "We accessed the payroll database" is more compelling than "We got a shell."
Reporting
Write an executive summary (non-technical) and a technical report with: finding severity, affected systems, proof-of-concept steps, and remediation recommendations.
Chapter 6 β OWASP Top 10 (2021)
| # | Category | Example |
|---|---|---|
| A01 | Broken Access Control | Accessing another user's account by changing an ID in the URL |
| A02 | Cryptographic Failures | Storing passwords in MD5, transmitting data over HTTP |
| A03 | Injection | SQL injection, command injection, LDAP injection |
| A04 | Insecure Design | No rate limiting on login page, no security in SDLC |
| A05 | Security Misconfiguration | Default credentials, exposed admin panels, verbose errors |
| A06 | Vulnerable & Outdated Components | Running Apache 2.4.49 (CVE-2021-41773) |
| A07 | Identification & Auth Failures | Weak passwords, no MFA, broken session management |
| A08 | Software & Data Integrity Failures | Insecure deserialization, unsigned updates |
| A09 | Security Logging & Monitoring Failures | No logs, no alerts for brute force attacks |
| A10 | Server-Side Request Forgery (SSRF) | Fetching internal metadata endpoints via user-supplied URL |
Chapter 7 β Cryptography Basics
Symmetric vs Asymmetric
- Symmetric β Same key encrypts and decrypts. Fast. Key sharing is the problem. Examples: AES-256, ChaCha20, DES (weak)
- Asymmetric β Public key encrypts, private key decrypts. Slow. Solves key distribution. Examples: RSA, ECC, Diffie-Hellman
Hashing
One-way function β input β fixed-length digest. Used for password storage, file integrity, digital signatures. Never encrypt passwords β hash them.
# Generate hashes on Linux
echo -n "password" | md5sum
echo -n "password" | sha256sum
echo -n "password" | sha512sum
# OpenSSL
openssl dgst -sha256 file.txt
openssl rand -hex 32 # generate random key
# Base64 (NOT encryption β just encoding)
echo "hello" | base64
echo "aGVsbG8K" | base64 -dChapter 8 β Authentication & Access Control
Authentication Factors
- Something you know β Password, PIN, security question
- Something you have β Hardware token, smart card, phone (OTP)
- Something you are β Fingerprint, face recognition, retina scan
Common Auth Weaknesses
- Default credentials not changed (
admin:admin,admin:password) - No account lockout policy (allows unlimited brute force)
- Weak password policy (minimum 6 chars, no complexity)
- Session tokens predictable or transmitted over HTTP
- Passwords stored in plaintext or weak hash (MD5)
Chapter 9 β Defence Concepts
Defence in Depth
Layer multiple security controls so that if one fails, others still protect the asset. Think: firewall + IDS + endpoint AV + network segmentation + MFA + logging.
Key Defensive Technologies
| Technology | What it Does |
|---|---|
| Firewall | Filters traffic by IP/port/protocol rules |
| IDS/IPS | Detects (IDS) or blocks (IPS) malicious patterns |
| WAF | Filters HTTP requests β blocks SQLi, XSS, etc. |
| SIEM | Aggregates and correlates logs from all sources |
| EDR | Endpoint detection β behaviour-based AV replacement |
| MFA | Second factor prevents credential-only attacks |
| Network Segmentation | VLANs and ACLs limit lateral movement |
| Patch Management | Close known CVEs before attackers exploit them |
Chapter 10 β Certifications Roadmap
Certifications validate your skills to employers. Here's a recommended progression for offensive security:
CompTIA Security+ β Start Here
Entry-level. Covers fundamental security concepts, threats, cryptography, compliance. DoD baseline requirement. No prerequisites.
eJPT (eLearnSecurity Junior Penetration Tester)
Practical, beginner-friendly hands-on exam. Great first certification for aspiring pentesters. Inexpensive.
CompTIA PenTest+ / CEH
Mid-level certifications. PenTest+ is more practical; CEH is more theory-heavy. Good for job requirements.
OSCP (Offensive Security Certified Professional)
The gold standard. 24-hour hands-on exam β compromise a series of machines. Highly respected in the industry. Prepare with HackTheBox and KaliRange labs.
OSEP / OSED / OSWE β Advanced Specialisations
Offensive Security's advanced tracks: Evasion (OSEP), Exploit Dev (OSED), Web Expert (OSWE). After OSCP.