Introduction to Cyber Security

"Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators."

William Gibson, Neuromancer (1984) [1]

Gibson wrote that as science fiction. Today it describes infrastructure that moves money, delivers medicine, controls power grids, and carries private conversations for half the planet. The gap between the fiction and the reality is that nobody designed this infrastructure to be secure. It was designed to be useful. Security came later, always running behind.

That is the central tension in cybersecurity: systems built for openness, retrofitted with protection, defended by professionals who are always outnumbered and outpaced. Understanding that tension is where the field begins.

What Cybersecurity Actually Is

Cybersecurity is the practice of protecting systems, networks, and data from unauthorized access, damage, or attack. That definition is technically accurate but undersells the scope. Modern cybersecurity covers everything from consumer smartphones to hospital networks to the industrial control systems that manage water treatment, power generation, and air traffic. The field exists because everything of value now lives in or passes through digital infrastructure, and digital infrastructure has vulnerabilities not as an exception, but as a structural property.

Technically, cybersecurity is a subset of information security that specifically addresses electronic systems and the threats that target them. Information security is the broader discipline: protecting information in any format against any threat, including paper records, verbal communication, and physical assets.[2] In practice the two terms are used interchangeably, and understanding both is foundational.

What distinguishes cybersecurity from almost every other engineering discipline is that the adversary is intelligent. A bridge engineer does not worry that gravity will study the bridge's design and adapt. A cybersecurity professional does. Attackers learn, evolve, share techniques, and specifically work to circumvent whatever controls exist. That dynamic never stops, which is why the field never stagnates.

The Threat Landscape

Not every attacker is the same. Conflating a ransomware criminal with a nation-state operator leads to defenses calibrated for the wrong threat. The threat landscape contains distinct actors with distinct motivations, resources, and patience.

The most common threat to most organizations is financially motivated crime. Ransomware, business email compromise, and payment fraud account for the overwhelming majority of incidents that security teams handle. The Verizon Data Breach Investigations Report, which analyzes tens of thousands of confirmed incidents annually, consistently shows that external financially motivated actors are responsible for the majority of confirmed breaches.[3]

Nation-state actors are the most sophisticated and the most patient. They operate on timelines measured in months or years. Their goal is usually intelligence collection rather than immediate financial return.

Common Attack Types

Understanding how attacks work is foundational to defending against them, regardless of which career path you pursue. These are not abstract categories. They are documented techniques that appear in real incidents every day.

Phishing and Social Engineering

Phishing is the most common initial access technique across industries and geographies. An attacker sends a message designed to appear trustworthy, tricking the recipient into clicking a link, opening an attachment, or surrendering credentials. Variants include:

• Spear phishing. Targeted at specific individuals, using personalized details scraped from LinkedIn, company websites, or prior data breaches.

• Whaling. Spear phishing aimed at executives or board members.

• Vishing. Voice phishing over phone calls, sometimes using AI-synthesized voices.

• Smishing. Phishing via SMS.

Business email compromise (BEC) is a financially devastating variant where attackers compromise or convincingly spoof a corporate email account to authorize fraudulent wire transfers. The FBI's Internet Crime Complaint Center recorded $2.7 billion in BEC losses in 2022 alone, more than any other cybercrime category.[5]

Denial of Service

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks overwhelm a system or network with traffic until it is unavailable to legitimate users. DDoS attacks use botnets, networks of compromised devices, to amplify volume far beyond what any single attacker could generate.

The 2016 Mirai botnet attack weaponized hundreds of thousands of insecure IoT devices (home routers, IP cameras, DVRs) to flood Dyn, a major DNS provider, with traffic. The result: Twitter, Reddit, GitHub, Netflix, the New York Times, and dozens of other major sites went offline for much of the US East Coast for hours.[6]

Man-in-the-Middle (MitM)

MitM attacks intercept communications between two parties. The attacker positions themselves in the path of traffic, reading, modifying, or injecting messages without either party knowing. Encryption is the primary defense. If traffic is encrypted end-to-end, interception yields only ciphertext.

Injection Attacks

Injection attacks insert malicious code into inputs that an application passes to an interpreter. SQL injection targets database queries; command injection targets operating system calls; LDAP injection targets directory services. A successful SQL injection can expose entire databases, modify records, or grant administrative access.

SQL injection has appeared on the OWASP Top 10 list of critical web vulnerabilities for over fifteen years. In 2023, the MOVEit breach, which exposed data from hundreds of organizations including government agencies across the US, UK, and Canada, was traced to a SQL injection zero-day in the MOVEit Transfer software.[7]

Credential Attacks

Credential attacks use stolen, guessed, or brute-forced credentials to gain access. Modern variants include:

• Credential stuffing. Testing combinations from previous data breaches against new services, exploiting password reuse.

• Password spraying. Trying common passwords across many accounts to avoid lockouts.

• Brute force. Exhaustively trying all combinations against a single account.

With billions of credential pairs available on dark web markets from previous breaches, credential-based attacks are consistently the most common initial access vector in confirmed incidents.

Malware: A Field Guide

Malware, software designed to damage, disrupt, or gain unauthorized access to systems, comes in distinct categories. Knowing the differences matters because they have different infection vectors, different objectives, and require different defenses.

Encryption

Encryption converts readable data (plaintext) into an unreadable format (ciphertext) using a mathematical algorithm and a key. Without the correct key, ciphertext is computationally infeasible to read. It is the foundational technology for protecting data in transit and at rest.

Symmetric Encryption

Symmetric encryption uses a single key for both encryption and decryption. Both parties must share the key securely before communication can begin.

AES (Advanced Encryption Standard), standardized by NIST in 2001 after a five-year international competition, is the most widely deployed symmetric algorithm in the world. AES-256 (a 256-bit key) is used to protect classified US government information.[9]

Asymmetric Encryption

Asymmetric encryption uses a mathematically linked key pair: a public key anyone can use to encrypt data, and a private key only the owner possesses to decrypt it. This solves the key distribution problem inherent in symmetric encryption.

Every time your browser shows a padlock in the address bar, asymmetric cryptography (typically RSA or elliptic curve) established the session. TLS 1.3, defined in RFC 8446 (2018), is the current standard; it eliminated support for outdated and broken cipher suites from earlier versions.[10]

Encryption in Practice

The Tools of the Trade

Security practitioners use a core set of tools for both offensive and defensive work. You will encounter these throughout any technical certification or training path. Learning them early, in legal environments, accelerates everything else.

Nmap

Nmap (Network Mapper) is the standard tool for network discovery and security auditing. It identifies hosts, open ports, running services, and operating system versions across a network.

Nmap is where most network-based assessments begin and where most network defenders look when mapping their own exposure.[13]

Metasploit

Metasploit is an open-source penetration testing framework maintained by Rapid7. It provides a library of exploits, payloads, and auxiliary modules for authorized testing. OSCP candidates spend significant time learning its operation.

Metasploit's value for defenders is in understanding exactly what an attacker with this tool can do to unpatched systems.[14]

Burp Suite

Burp Suite, developed by PortSwigger, is the standard tool for web application security testing. It acts as a proxy between your browser and the target, intercepting and allowing modification of every HTTP/S request and response.

PortSwigger's free Web Security Academy (portswigger.net/web-security) is one of the best free training resources in cybersecurity and teaches Burp Suite through real-world web vulnerability labs.[15]

Wireshark

Wireshark captures and inspects network traffic in real time. Analysts use it to diagnose network problems, analyze protocol behavior, and investigate suspicious traffic.

Watching a TLS handshake, a DNS query, or a TCP three-way handshake live in Wireshark teaches more about networking than hours of reading.[16]

Digital Forensics

When a breach occurs, someone has to figure out what happened. Digital forensics is the application of scientific investigation methods to digital evidence, determining how an attacker gained access, what they did once inside, what data was touched, and what evidence can be preserved for legal proceedings.

The Locard Exchange Principle, established by forensic scientist Edmond Locard, holds that every contact leaves a trace.[17] In digital environments, attackers leave artifacts: log entries, registry modifications, network connection records, file system changes, deleted files recoverable from unallocated disk space, and memory residue that forensic tools can extract and analyze.

Core principles every practitioner needs to understand:

Memory forensics has become increasingly important as attackers use fileless malware, malicious code that runs entirely in RAM and leaves no files on disk. Tools like Volatility allow investigators to extract process lists, network connections, decryption keys, and injected code from memory images.

References

[1] Gibson, W. (1984). Neuromancer. Ace Books. ISBN 978-0-441-56956-4.

[2] Von Solms, R.; van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102. doi:10.1016/j.cose.2013.04.004

[3] Verizon. (2024). 2024 Data Breach Investigations Report. Verizon Business. Retrieved from https://www.verizon.com/business/resources/reports/dbir/

[4] Mandia, K. (2020, December 8). FireEye shares details of recent cyber attack, actions to protect community. FireEye Blog. Retrieved from https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

[5] Federal Bureau of Investigation. (2023). 2022 Internet Crime Report. Internet Crime Complaint Center (IC3). Retrieved from https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf

[6] Kolias, C., Kambourakis, G., Stavrou, A., & Voas, J. (2017). DDoS in the IoT: Mirai and other botnets. Computer, 50(7), 80-84. doi:10.1109/MC.2017.201

[7] CISA. (2023, June 7). #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability. Cybersecurity and Infrastructure Security Agency. Retrieved from https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

[8] Srinivasan, M., & Agrawal, A. (2021). Impact of cybersecurity on hospital mortality rates. JAMA Open Network, 2021. doi:10.1001/jamanetworkopen.2021.21204

[9] National Institute of Standards and Technology. (2001). Advanced Encryption Standard (AES). FIPS Publication 197. doi:10.6028/NIST.FIPS.197

[10] Rescorla, E. (2018). The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446. Internet Engineering Task Force. doi:10.17487/RFC8446

[11] Apple Inc. (2024). Apple Platform Security. Apple Inc. Retrieved from https://support.apple.com/guide/security/welcome/web

[12] Marlinspike, M., & Perrin, T. (2016). The Double Ratchet Algorithm. Signal Foundation. Retrieved from https://signal.org/docs/specifications/doubleratchet/

[13] Lyon, G. F. (2009). Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. Insecure.Com LLC. ISBN 978-0-9799587-1-7. Retrieved from https://nmap.org/book/

[14] Kennedy, D., O'Gorman, J., Kearns, D., & Aharoni, M. (2011). Metasploit: The Penetration Tester's Guide. No Starch Press. ISBN 978-1-59327-288-3.

[15] PortSwigger. (2024). Web Security Academy. PortSwigger Web Security. Retrieved from https://portswigger.net/web-security

[16] Combs, G., & the Wireshark Team. (2024). Wireshark User's Guide. The Wireshark Foundation. Retrieved from https://www.wireshark.org/docs/wsug_html/

[17] Locard, E. (1930). The analysis of dust traces: Part I. The American Journal of Police Science, 1(3), 276-298. doi:10.2307/1147011

Further Reading

Questions about what you just read? Want to go deeper on a specific topic? Join the community on Discord or reach out on LinkedIn. And if this book helped, contribute back: fix something, improve something, add a resource you found useful.