Your complete study reference for Security+, Network+, and SOC fundamentals.
Study smarter โ everything in one place.
Before you learn any other topic in cybersecurity, you must understand the CIA Triad. It is the foundation of everything else. CIA stands for Confidentiality, Integrity, and Availability. It has nothing to do with the spy agency โ it is simply the three goals that every security team is trying to achieve, every single day.
Think of it like this: cybersecurity exists to protect information. But what does "protect" actually mean? The CIA Triad answers that question. Information is protected when only the right people can see it (Confidentiality), when nobody can secretly change it (Integrity), and when it is available whenever it is needed (Availability). If any one of these three is broken, you have a security problem.
Confidentiality means that only people who are authorized (given permission) can see the data. Imagine your medical records at a hospital. Your doctor should be able to read them. A random stranger should not. When a hacker steals customer credit card numbers, that is a breach of confidentiality โ someone who was not authorized saw the data.
How do we protect confidentiality? Three main tools:
Real-world example: In 2017, Equifax (a company that stores credit information for millions of Americans) was breached. Attackers saw the personal data of about 147 million people. That was a massive confidentiality failure.
Integrity means data cannot be changed by someone who is not allowed to change it โ and if a change happens, we can detect it. Imagine your bank balance is $5,000. If a hacker changes it to $5, no data was stolen and no system went down โ but you clearly have a serious problem. That is an integrity attack.
How do we protect integrity?
Real-world example: When you download software, the website often shows a SHA-256 checksum. After downloading, you can generate the hash of your copy. If it matches the website's hash, your download was not tampered with on the way to you.
Availability means systems and data are up and reachable when authorized users need them. A hospital's patient database must work at 3 AM during an emergency. An online store must stay online during Black Friday. If the data is perfectly confidential and perfectly accurate but the system is down โ security has still failed.
How do we protect availability?
Real-world example: Ransomware attacks on hospitals lock up patient systems so staff cannot access records. Surgeries get postponed and ambulances get redirected. That is an availability attack โ and it shows why availability can be a life-or-death matter.
Every attack you will ever study breaks at least one part of the triad. A data leak breaks Confidentiality. A hacker modifying a website breaks Integrity. A DDoS attack breaks Availability. Ransomware is nasty because it breaks two at once: your files become unavailable, and the criminals often threaten to publish them (confidentiality) too.
Security teams also have to balance the triad. If you lock a system down too tightly (maximum confidentiality), it can become hard for real users to do their jobs (poor availability). Good security is always a balance between protection and usability.
You will create a file, generate its unique fingerprint (hash), secretly change the file, and watch the fingerprint change. This is exactly how professionals detect file tampering.
SOC analysts and incident responders use hashing every day. When malware is found, the analyst takes the file's SHA-256 hash and searches it in threat databases like VirusTotal to identify the malware family. File Integrity Monitoring (FIM) tools โ required by the PCI DSS credit card standard โ automatically hash important system files and alert the SOC when a fingerprint changes, because that can mean an attacker modified the system. Digital forensics investigators hash evidence drives so they can prove in court that the evidence was never altered.
Malware is short for "malicious software" โ any program written to cause harm. Just like there are many kinds of crime in the real world, there are many kinds of malware, and each one behaves differently. Your job as a security student is to know each type by its behavior: how it spreads, what it does, and how we stop it.
A computer virus works like a biological virus: it cannot survive on its own. It attaches itself to a host โ a real file, like a Word document or a program โ and it only spreads when a human opens or shares that infected file. No human action, no infection. Viruses can corrupt files, slow down machines, or destroy data.
Example: The famous "Melissa" virus (1999) hid inside a Word document. When someone opened it, it emailed itself to the first 50 people in their address book โ but it still needed each new victim to open the attachment.
A worm is more dangerous because it does not need a host file and does not need a human to click anything. A worm scans the network, finds other vulnerable computers, and copies itself to them automatically. One infected laptop can infect an entire company overnight.
Example: WannaCry (2017) was a worm that spread through a Windows file-sharing flaw (port 445, the EternalBlue exploit). It infected over 200,000 computers in 150 countries in a few days โ hospitals in the UK had to cancel appointments because their systems were locked.
Named after the wooden Trojan Horse story. A trojan pretends to be something useful โ a free game, a PDF reader, a "cracked" version of paid software โ but when you install it, it secretly installs malware too. Trojans commonly open a backdoor: a hidden entrance that lets the attacker into your computer later, whenever they want.
Key difference: A trojan does not spread itself. It tricks YOU into installing it. This is why you should never download software from unofficial websites.
Ransomware encrypts (locks) all your files, then shows a message demanding payment โ usually in cryptocurrency โ for the key to unlock them. Modern ransomware gangs also use double extortion: they steal a copy of your data first, then threaten to publish it if you refuse to pay. Ransomware is currently the number one money-making crime in cybersecurity.
Best defense: Offline backups. If you have a clean backup, you can restore your files without paying. This is why backup strategy is a security topic, not just an IT topic.
Spyware hides on your device and quietly watches: your browsing, your files, sometimes your camera and microphone. A keylogger is a special kind of spyware that records every key you press. Think about what you type in a day โ usernames, passwords, credit card numbers, private messages. A keylogger captures all of it and sends it to the attacker.
A rootkit buries itself deep inside the operating system โ sometimes below the operating system โ and hides its own existence. It can lie to the antivirus, hide files, and hide running programs. The name comes from "root," the all-powerful admin account on Linux. Rootkits are extremely hard to remove; often the only safe fix is to completely wipe the machine and reinstall everything.
When malware quietly takes control of thousands of computers, those machines become bots (or "zombies"), and together they form a botnet controlled by one criminal called the bot herder. The infected owners usually have no idea. Botnets are rented out to send spam, mine cryptocurrency, and launch DDoS attacks โ flooding a target website with traffic from thousands of machines at once.
Example: The Mirai botnet (2016) infected smart cameras and home routers โ not even computers โ and used them to knock major websites like Twitter and Netflix offline for hours.
You will safely trigger your antivirus using the harmless industry-standard EICAR test file, then use VirusTotal โ the same tool SOC analysts use daily โ to investigate a file's reputation. Nothing in this lab involves real malware.
This is the daily bread of a Tier 1 SOC analyst. When an antivirus alert appears in the SIEM, the analyst copies the file hash and checks it in VirusTotal and other threat intelligence tools to answer: is this a false alarm or real malware? What family is it โ ransomware, trojan, worm? Their triage decision determines whether the incident gets escalated. Malware analysts go deeper, running samples in isolated sandboxes to study behavior. Knowing how to safely test detection (EICAR) and investigate file reputation (VirusTotal) is a skill you can mention in job interviews.
Companies spend millions of dollars on firewalls, antivirus, and encryption. But there is one part of every system that cannot be patched with software: the human being. Social engineering is the art of manipulating people into giving up information or access. It is behind the majority of successful breaches today โ most attacks do not start with genius hacking; they start with one person clicking one link.
Social engineers exploit basic human emotions:
Phishing is the mass-mail version: the attacker sends thousands of identical fake emails ("Your Netflix payment failed โ update your card") hoping a small percentage of people click. The link leads to a fake login page that steals your password, or the attachment installs malware.
Spear phishing is targeted. The attacker researches YOU first โ your name, your job, your manager's name, projects you work on (often from LinkedIn). The email looks like it comes from a coworker and references real details. Far more convincing, far more dangerous.
Whaling targets the "big fish" โ CEOs, CFOs, directors. These accounts can approve payments and access everything, so criminals invest weeks preparing one perfect email.
Vishing is voice phishing โ a phone call. "This is your bank's fraud department. We detected suspicious activity. To secure your account, confirm your card number." Attackers now use AI voice cloning to sound like real people, even a victim's own boss or family member.
Smishing is phishing by SMS/text: fake delivery notifications ("Your package is held โ pay $1.99 customs fee") and fake bank alerts, with links to credential-stealing pages.
Pretexting means inventing a believable story (a pretext) to extract information. Classic example: calling an employee while pretending to be the IT help desk โ "We're migrating email servers tonight, I just need your username and password to move your mailbox." A good pretexter sounds friendly, confident, and busy.
Tailgating (also called piggybacking) is physical: the attacker follows an employee through a badge-controlled door before it closes, often carrying coffee cups or boxes so the polite employee holds the door open. Once inside, they can plug devices into the network or steal equipment.
Baiting uses a tempting object. The classic is a USB drive labeled "Payroll" or "Confidential" dropped in the parking lot. Studies show a large share of found drives get plugged in. The drive then silently installs malware.
You will take Google's phishing detection challenge, then dissect a real email header to trace where a message truly came from โ the same skill email security analysts use to investigate reported phishing.
Phishing investigation is one of the most common daily tasks for a Tier 1 SOC analyst and email security specialist. When an employee clicks "Report Phishing," an analyst pulls the email header, checks SPF/DKIM/DMARC results, extracts URLs and attachments, checks them against threat intelligence, then decides: delete the email from all mailboxes, block the sender domain, and check whether anyone clicked. Companies also employ security awareness coordinators who run phishing simulation programs. Being able to read a header and explain WHY an email is fake is a genuine interview-ready skill.
Once computers talk to each other over a network, attackers gain new ways in. Network-based attacks target the connections between systems rather than tricking a person. To understand them, remember the CIA Triad: some of these attacks break Availability (DDoS), some break Confidentiality (MITM), and some break Integrity (DNS spoofing). Let's go one by one, in plain language.
DoS stands for Denial of Service. The goal is to make a website or server unavailable to real users. A simple DoS comes from one machine. A DDoS (Distributed Denial of Service) comes from thousands of machines at once โ usually a botnet. Imagine a shop with one door. If 10,000 fake customers crowd the doorway, real customers can't get in. DDoS attacks Availability, the "A" in CIA.
In a Man-in-the-Middle attack, the criminal secretly sits between you and the website you're talking to. You think you're talking directly to your bank; really, everything passes through the attacker first. They can read it (breaking confidentiality) and even change it (breaking integrity). This is why public Wi-Fi is risky and why HTTPS encryption matters so much โ encryption makes intercepted data unreadable.
On a local network, devices use ARP (Address Resolution Protocol) to match IP addresses to hardware (MAC) addresses. ARP was designed with no security โ it trusts any reply. In ARP poisoning, the attacker sends fake ARP replies saying "I am the router," so all your traffic flows through the attacker's computer first. It is a common way to set up a Man-in-the-Middle attack on a local network.
DNS (Domain Name System) is the internet's phone book: it turns a name like yourbank.com into an IP address. In DNS spoofing (or cache poisoning), the attacker corrupts these records so that when you type the real bank address, you are silently sent to a fake copy of the site that steals your login. The web address can look correct while the destination is fake.
Many websites store data in an SQL database (users, passwords, orders). When a website is poorly built, an attacker can type database commands into a normal input box โ like a login or search field โ and the website mistakenly runs them. This is SQL injection. A classic trick types ' OR '1'='1 into a login form to fool the site into logging in without a valid password. Consequences: stealing entire databases, deleting data, or bypassing logins. This attacks the database, and it is one of the most famous web vulnerabilities in history.
Cross-Site Scripting (XSS) is different from SQL injection: instead of attacking the database, it attacks other users who visit the site. The attacker injects malicious JavaScript into a page (for example, in a comment field). When other visitors load that page, their browsers run the attacker's script โ which can steal their session cookies and hijack their accounts.
Easy way to remember: SQL injection attacks the server's database. XSS attacks the other users' browsers.
A zero-day is a vulnerability that the software maker does not yet know about, so there is no patch. Attackers who discover it can exploit it freely โ defenders have had "zero days" to prepare. These are the most dangerous and most valuable attacks, because standard "just update your software" advice cannot help until the vendor releases a fix.
In a replay attack, the attacker captures valid data โ such as an encrypted "unlock the door" command or a login token โ and simply sends it again later to gain access, without ever needing to understand or decrypt it. Defenses include timestamps, session tokens, and one-time numbers (nonces) that make each message valid only once.
You will run a real (but harmless) SQL injection against a deliberately vulnerable practice website that is built for learning. You will bypass a login and understand exactly why the attack works. Important: only ever do this on apps you own or that are designed for practice. Attacking real sites is illegal.
Penetration testers and application security engineers do exactly this for a living โ legally testing company web apps to find injection flaws before criminals do, then writing reports telling developers how to fix them. On the defensive side, SOC analysts recognize SQL injection attempts in web server logs and WAF alerts (spotting patterns like ' OR 1=1 or UNION SELECT in URLs). OWASP Juice Shop is so widely used for training that mentioning it in an interview signals you understand the OWASP Top 10, the industry-standard list of web risks.
| Port | Protocol | What It Does | Encrypted? |
|---|---|---|---|
| 20/21 | FTP | File Transfer โ sends files between computers | โ No โ use SFTP |
| 22 | SSH / SFTP | Secure Shell โ encrypted remote login and secure file transfer | โ Yes |
| 23 | Telnet | Old remote login โ plain text. NEVER use this. Use SSH instead. | โ No |
| 25 | SMTP | Sending email (Simple Mail Transfer Protocol) | โ Basic โ use port 587 |
| 53 | DNS | Converts website names (google.com) to IP addresses | โ Standard |
| 67/68 | DHCP | Automatically assigns IP addresses to devices on a network | โ No |
| 80 | HTTP | Unencrypted web browsing โ NEVER enter passwords on HTTP sites | โ No โ use HTTPS |
| 110 | POP3 | Receiving email โ downloads to device and deletes from server | โ No |
| 143 | IMAP | Receiving email โ keeps on server, syncs across all devices | โ No |
| 443 | HTTPS | Encrypted web browsing โ the padlock in your browser. Always use this. | โ Yes (TLS) |
| 445 | SMB | Windows file sharing. WannaCry/EternalBlue attacked this port. | โ ๏ธ High Risk if exposed |
| 3389 | RDP | Remote Desktop Protocol โ Windows remote access. High-risk if exposed. | โ ๏ธ Often targeted |
Every computer has one IP address, but it runs many services at the same time โ web, email, file sharing, remote login. How does incoming data know which service it belongs to? The answer is ports. Think of the IP address as a building's street address, and ports as the individual apartment numbers inside. Port 80 is the "web browsing apartment." Port 25 is the "sending email apartment." When data arrives, the port number tells the computer which service should handle it.
There are 65,535 ports, but for Security+ and Network+ you must memorize the common ones below. Examiners love asking "which port does X use?" and "is this port encrypted?" Knowing these cold earns easy points and, more importantly, helps you spot danger on a real network.
For each port, always ask: (1) What service uses it? and (2) Is the traffic encrypted or plain text? Plain-text protocols send data โ including passwords โ in readable form, so anyone intercepting the traffic can read it. That is why we replace old plain-text protocols with encrypted ones.
FTP (20/21) transfers files but sends everything, including your password, in plain text โ insecure. SSH (22) gives you an encrypted remote command line and also powers SFTP, the secure way to transfer files. Telnet (23) is the ancient, plain-text version of remote login โ never use it; SSH replaced it. RDP (3389) is Windows Remote Desktop; it is powerful and therefore heavily targeted โ attackers constantly scan the internet for exposed RDP to break into.
SMTP (25) sends email out. POP3 (110) downloads email to one device and removes it from the server. IMAP (143) keeps email on the server and syncs it across all your devices โ which is why your phone and laptop show the same inbox. The basic versions are unencrypted; secure email uses encrypted variants (like port 587 with encryption for sending, 993 for secure IMAP, 995 for secure POP3).
HTTP (80) is unencrypted web traffic โ never type a password on an HTTP page. HTTPS (443) is encrypted with TLS โ this is the padlock in your browser and the standard for all modern websites. DNS (53) translates names to IP addresses. DHCP (67/68) automatically hands out IP addresses to devices when they join a network. SMB (445) is Windows file sharing; because the WannaCry worm spread through it, an exposed port 445 is a serious red flag.
Attackers begin by scanning which ports are open on a target โ open ports are doors, and each door is a potential way in. Defenders do the opposite: they close unneeded ports and monitor the ones that stay open. If you see Telnet (23) open on a company server, that is a finding you would report. If you see RDP (3389) exposed to the whole internet, that is a critical risk. Knowing ports turns a wall of numbers into a security story you can actually read.
You will use Nmap โ the world's most famous port scanner โ to discover which ports and services are open on a machine you are legally allowed to scan. You will read the results the way a security professional does. Only scan your own computer or the official practice target below. Scanning others without permission is illegal.
Port scanning is a core task for penetration testers (finding an organization's exposed services during an authorized assessment) and for vulnerability analysts and network administrators (auditing their own networks to close ports that should not be open). SOC analysts see the other side: they detect unauthorized scans hitting the company and investigate them as possible reconnaissance. Nmap is on almost every cybersecurity job description that mentions "network scanning," so hands-on Nmap experience is directly resume-worthy.
If a network is like a building, then firewalls and security devices are the guards, gates, and alarm systems. Their job is to decide what traffic gets in, what gets out, and to raise the alarm when something looks wrong. This topic is about knowing which device does which job โ a favorite exam area because the names sound similar but the roles are very different.
A firewall is the first line of defense. It sits between two networks (usually your private network and the internet) and enforces a set of rules about what traffic is allowed. Rules are based on things like port numbers, IP addresses, and protocols. For example: "Allow web traffic on port 443, block everything on port 23 (Telnet)." Anything not explicitly allowed is denied. This "default deny" idea is central to security.
Packet-filtering firewall โ the simplest. It looks only at the "envelope" of each packet (source, destination, port) and decides yes or no. Fast, but it does not understand the conversation as a whole.
Stateful firewall โ smarter. It remembers the state of active connections. If your computer starts a conversation with a website, the stateful firewall knows to let the website's replies back in โ but it blocks unexpected traffic that no one asked for. This context makes it much harder to sneak past.
NGFW (Next-Generation Firewall) โ the modern all-in-one. On top of stateful filtering, it does deep packet inspection (looking inside the traffic, not just the envelope), application control (it can tell Facebook traffic from Zoom traffic even on the same port), and often includes a built-in IPS and antivirus. Most business firewalls today are NGFWs.
These two get confused constantly, so learn the difference clearly. An IDS (Intrusion Detection System) watches network traffic and alerts a human when it sees something suspicious โ but it does not stop it. Think of it as a security camera: it records and sounds an alarm, but it cannot lock the door. IDS is passive.
An IPS (Intrusion Prevention System) also detects suspicious traffic, but it can automatically block it in real time. Think of it as a security guard who can slam the gate shut. IPS is active. Because an IPS sits directly in the traffic path and can block, a mistake (a false positive) could accidentally block legitimate business traffic โ so tuning it correctly matters.
Memory hook: IDS = Detect only. IPS = Prevent. Detection is passive; prevention is active.
A regular firewall does not understand website attacks like SQL injection or XSS. A WAF (Web Application Firewall) specializes in exactly that: it sits in front of a web application and inspects web requests for malicious patterns, blocking things like injection attempts before they reach the app.
A DMZ (Demilitarized Zone) is a separate network segment that sits between the public internet and your private internal network. You put internet-facing servers โ like your public web server and email server โ in the DMZ. That way, if a hacker breaks into the web server, they are stuck in the DMZ and still separated from your sensitive internal systems. It is like a hotel lobby: guests can enter the lobby, but they still cannot walk into the private offices.
Security teams layer these tools together โ this is called defense in depth. A firewall filters at the edge, an IPS blocks known attack patterns, a WAF protects the web apps, an IDS quietly watches and feeds alerts into the SOC's SIEM, and the DMZ keeps public servers isolated. No single device does everything; strength comes from the layers.
You will inspect your computer's built-in firewall, create a rule, and test it โ seeing exactly how a firewall allows and blocks traffic. This uses only your own machine, so it is completely safe and legal.
Install pfSense in VirtualBox to configure a real business firewall: create allow/deny rules, set up a DMZ interface, and enable the Snort IDS/IPS package. This mirrors an enterprise firewall closely.
Firewall administration is a daily job for network security engineers and firewall administrators: they write and review rules, remove risky "any-any" rules, and segment networks with DMZs. SOC analysts read firewall logs to investigate blocked and allowed connections during incidents. Being able to say "I've built firewall rules and configured pfSense with an IDS" is concrete, hands-on experience that stands out for entry-level network security and SOC roles.
Wired networks keep data inside cables. Wi-Fi broadcasts your data through the air, in every direction, where anyone nearby with the right tool can catch it. That is why wireless security exists: to scramble that airborne data so only the right devices can read it. Over the years the protocols got stronger as older ones were cracked. Knowing the order โ and which are safe today โ is essential exam knowledge and real-world safety.
WEP (Wired Equivalent Privacy) โ the original, from the late 1990s. It is completely broken. Its encryption has fatal flaws, and free tools can crack a WEP password in minutes. If you ever see WEP in use, treat it as no protection at all. Never use it.
WPA (Wi-Fi Protected Access) โ the quick replacement for WEP. Better, but it was built on some of the same weak foundations and also has known vulnerabilities. Considered outdated.
WPA2 โ the standard that ruled for over a decade. It uses AES, a strong encryption algorithm, and is still widely used today. It is solid when configured with a strong password, though it has some known weaknesses (like the KRACK attack).
WPA3 โ the latest and strongest. It improves password protection (making guessing attacks much harder), protects even open public networks with individual encryption, and is required for the newest Wi-Fi 6 certified devices. When available, always choose WPA3.
Evil Twin โ The attacker sets up a fake Wi-Fi access point with the same name (SSID) as a real one โ say, "Airport_Free_WiFi." Your device connects to the stronger fake signal, and now all your traffic flows through the attacker. It is a Man-in-the-Middle attack built out of a fake hotspot. This is why you should never do banking on unknown public Wi-Fi without a VPN.
War Driving โ Literally driving around a city with a laptop or phone scanning for Wi-Fi networks, mapping which ones are open or weakly protected. Attackers use it to find easy targets; the name is a nod to older "war dialing."
Deauthentication (Deauth) attack โ The attacker sends forged "disconnect" frames to kick your device off the real Wi-Fi. Frustrated, your device reconnects โ and the attacker can use that moment to capture the connection handshake (to crack the password) or push you onto their Evil Twin.
You will scan the wireless networks near you and read their security settings โ spotting which use strong encryption (WPA2/WPA3), which are weak or open, and understanding the risk. This is passive observation of signals in the air on equipment you own, which is legal. Do not attempt to connect to or attack networks you do not own.
Wireless security assessments are a real service that penetration testers and security consultants perform for clients โ surveying the airwaves, finding rogue access points, and testing whether Wi-Fi encryption can be cracked. Network administrators run wireless site surveys to place access points and enforce WPA3. SOC and physical security teams watch for Evil Twin and deauth attacks. Even the simple skill of reading a network's authentication type and rating its risk is exactly the mindset employers want in entry-level security staff.
Encryption exists to keep data secret from people who should not read it. It takes readable data (called plaintext) and scrambles it into unreadable data (called ciphertext) using a key. Only someone with the correct key can turn it back into readable form. If a thief steals encrypted data without the key, all they get is meaningless garbage. There are three big cryptography ideas you must master: symmetric encryption, asymmetric encryption, and hashing. Let's build them up slowly.
In symmetric encryption, the same key both locks (encrypts) and unlocks (decrypts) the data. Imagine a physical box with one key: you lock it and mail it, and your friend uses an identical key to open it. It is very fast, which makes it perfect for encrypting large amounts of data โ files, hard drives, video streams.
The catch is the key distribution problem: how do you get that secret key to the other person without an eavesdropper copying it along the way? If you email the key, anyone reading the email now has it. This problem is exactly what asymmetric encryption was invented to solve.
Examples: AES is the modern gold standard (used everywhere, very strong). DES and 3DES are older and now considered weak or retired.
Asymmetric encryption uses two mathematically linked keys: a public key that you can share with the whole world, and a private key that you keep secret forever. Here is the magic: anything locked with your public key can only be unlocked with your private key.
So if someone wants to send you a secret, they encrypt it with your public key (which everyone has). Only your private key can decrypt it โ so only you can read it. The key distribution problem disappears, because the public key was never a secret. The trade-off is that asymmetric encryption is slower, so it is not used for bulk data.
The clever real-world combo: HTTPS uses asymmetric encryption just at the start, to safely exchange a symmetric key. Then both sides switch to fast symmetric encryption for the actual conversation. You get the safety of asymmetric plus the speed of symmetric.
Examples: RSA (the classic) and ECC (Elliptic Curve โ strong with smaller keys, great for phones).
Hashing is different from encryption because it is one-way โ you cannot reverse it back to the original. A hash function takes any input and produces a fixed-length code (the hash, or digest). The same input always gives the same hash, but even a tiny change in the input produces a wildly different hash.
Hashing does not hide data; it verifies integrity โ proving data was not changed. It is also how passwords should be stored: a website stores the hash of your password, not the password itself. When you log in, it hashes what you typed and compares. Even the company cannot see your actual password.
Examples: SHA-256 is the current strong standard. MD5 and SHA-1 are broken โ attackers can create collisions โ so never use them for security.
Attackers use rainbow tables โ giant precomputed lists of common passwords and their hashes โ to reverse stolen password hashes quickly. Salting defeats this: before hashing, the system adds a unique random value (the "salt") to each password. Now every password hash is unique even if two users chose the same password, and the attacker's precomputed tables become useless. Modern systems always salt password hashes.
Remember the jobs: Symmetric (AES) = fast bulk encryption, one shared key. Asymmetric (RSA/ECC) = solves key sharing, public + private key pair. Hashing (SHA-256) = one-way integrity check and password storage. Salting = makes password hashes unique and rainbow-table-proof.
You will hash text and watch tiny changes explode the output, see how salting makes identical passwords hash differently, and inspect the encryption on a real website. All safe, all on your own machine and public tools.
Cryptography underpins nearly every security role. SOC analysts and incident responders hash suspicious files to identify malware (as in the malware lab) and check whether sensitive data was encrypted during a breach. Security engineers configure TLS certificates, choose strong cipher suites, and make sure passwords are salted and hashed correctly โ a top cause of real breaches is companies storing passwords in plaintext or with broken MD5. Tools like CyberChef are used daily by analysts to decode and analyze data. Understanding when to use symmetric vs. asymmetric vs. hashing is a frequent technical interview question.
Asymmetric encryption lets anyone send you secrets using your public key. But there is a hidden danger: how do you know a public key really belongs to your bank, and not to an attacker pretending to be your bank? If a criminal can trick you into using their public key, they can read everything. PKI (Public Key Infrastructure) is the system built to solve this trust problem. Think of it as a passport system for the internet: a trusted authority vouches for who you are.
A CA (Certificate Authority) is a highly trusted organization whose job is to verify identities and issue digital certificates. When a website wants to prove it is really "yourbank.com," it asks a CA to check its identity and issue a certificate. Your browser comes with a built-in list of trusted CAs (like DigiCert, Sectigo, and the free Let's Encrypt). Because your browser trusts the CA, and the CA vouches for the website, your browser can trust the website. This is a "chain of trust."
A digital certificate is an electronic document that binds a website's identity to its public key. It contains: the website's name, its public key, who issued it (the CA), and validity dates. When you connect to an HTTPS site, the site hands your browser this certificate. Your browser checks that it was issued by a trusted CA, that it is not expired, and that it matches the website name. If all checks pass โ you get the padlock.
TLS (Transport Layer Security) is the protocol that actually encrypts your web traffic, using the certificate's keys. You will often hear "SSL," but SSL is the old, insecure ancestor; TLS is the modern version everyone uses now (the terms are used loosely, but on the exam, TLS = current, SSL = outdated). This is the technology behind HTTPS and the padlock.
Sometimes a certificate must be cancelled before its expiry date โ for example, if the website's private key gets stolen. Two mechanisms handle this:
A self-signed certificate is one that an organization creates and signs itself, without a trusted CA vouching for it. It still provides encryption, but no outside authority has verified the identity โ so browsers show a warning. Self-signed certificates are fine for internal testing and internal tools, but should never be used on a public website, because visitors cannot verify who they are really talking to.
When you see "Not Secure" or a certificate error, it usually means one of three things: the certificate is expired, it is for the wrong domain name, or it is self-signed / not from a trusted CA. Attackers running fake sites often trigger these warnings โ which is why teaching users not to click past them is real security work.
You will examine the certificates of real websites, trace their chain of trust up to the CA, spot the difference between a valid and a broken certificate, and check a certificate's health with a professional tool.
Certificate management is a genuine, ongoing job. Security engineers and system administrators install and renew certificates, and an expired certificate can take an entire company's website or app offline โ a very common real-world outage. GRC and compliance analysts run SSL Labs scans to prove systems use strong TLS for audits like PCI DSS. SOC analysts investigate certificate warnings that may signal a Man-in-the-Middle attack or a phishing site using a suspicious certificate. Being able to read a certificate chain and grade a site's TLS is a practical, demonstrable skill.
These three are easy to mix up, so let's separate them with a simple story. You arrive at an airport. Identification is claiming who you are โ you say "I'm Lilian" and show your ticket with your name. Authentication is proving it โ you show your passport, and the officer verifies it is really you. Authorization is what you're allowed to do once verified โ your boarding pass lets you onto this flight, but not into the cockpit. This topic focuses on authentication: how you prove your identity.
Every method of proving identity fits into one of exactly three categories, called factors:
1. Something You Know โ Information stored in your brain: a password, a PIN, or an answer to a security question. This is the most common but the weakest factor, because knowledge can be guessed, stolen, phished, or reused. Passwords leak in breaches every day.
2. Something You Have โ A physical item in your possession: your phone running an authenticator app, a smart card, or a hardware token like a YubiKey. An attacker on the other side of the world cannot easily steal a physical object from your pocket.
3. Something You Are โ A physical trait of your body, called biometrics: a fingerprint, face scan, iris scan, or voice print. Hard to fake and impossible to forget, though not perfect (and you cannot change your fingerprint if it is ever compromised).
Some models add somewhere you are (location) and something you do (behavior like typing rhythm), but the classic three are the exam core.
Multi-Factor Authentication (MFA) means using two or more factors from different categories. This is the single most effective way to protect accounts, because an attacker must defeat two very different things at once. Stealing your password (something you know) is useless if they also need the code on your phone (something you have).
The classic exam trap: Password + security question is NOT MFA โ both are "something you know." Password + a code texted to your phone IS MFA, because it combines "something you know" with "something you have." The factors must be from different categories to count.
Single Sign-On (SSO) lets you log in once and then access many different systems without logging in again. When you "Sign in with Google" to a new app, that is SSO. It improves user experience and lets companies enforce security centrally. The trade-off: that one login becomes a master key, so SSO accounts should always be protected with strong MFA โ if the SSO login falls, many systems fall with it.
You will turn on multi-factor authentication using an authenticator app, and set up a password manager to generate strong unique passwords โ the exact controls security teams push across whole organizations. You do this on your own accounts, so it is safe and also directly improves your personal security.
Identity and Access Management (IAM) is one of the fastest-growing areas of cybersecurity, with entire job titles built around it. IAM analysts and administrators roll out MFA to thousands of employees, manage authenticator enrollment, and handle lockouts and recovery. Help desk and SOC staff deal with MFA fatigue attacks, where criminals spam login prompts hoping a tired user approves one. Security awareness teams teach staff why "password + security question" is not real MFA. Having personally configured TOTP MFA and a password manager means you can speak about these controls credibly in an interview โ and you've protected your own accounts in the process.
Once someone has proven who they are (authentication), the next question is: what are they allowed to do? That is authorization, and access control models are the different systems organizations use to decide it. The exam expects you to recognize each model by how it makes decisions. Let's walk through them from most flexible to most strict.
In Discretionary Access Control, the owner of a resource decides who can access it. It is "discretionary" because access is left to the owner's discretion. When you create a document and choose who to share it with in Google Drive or on Windows, that is DAC. It is flexible and common, but risky โ an owner can accidentally share sensitive data with the wrong person.
Mandatory Access Control is the strictest model. Access is decided by the system based on security labels (classifications), not by the owner. Every user gets a clearance level (like Confidential, Secret, Top Secret) and every file gets a classification. You can only access data at or below your clearance โ and even the file's owner cannot override the rules. This is used by governments and militaries where secrecy is critical. Remember: MAC = mandatory labels, no personal discretion.
Role-Based Access Control grants access based on your job role, not your individual identity. Instead of assigning permissions to each person one by one, the company defines roles โ "Accountant," "Nurse," "HR Manager" โ each with a set of permissions. New employees are simply placed into a role and instantly get the right access. This is the most common model in businesses because it scales well and is easy to manage. When someone changes jobs, you just change their role.
Attribute-Based Access Control is the most fine-grained and modern. It decides access using multiple attributes combined: the user's role, their department, the time of day, their location, the device they're using, and more. A rule might be: "Allow access only if the user is in the Finance role AND on a company laptop AND connecting from inside the country during business hours." This flexibility powers modern Zero Trust systems.
Least Privilege โ Give each user the minimum access they need to do their job, and nothing more. If an intern doesn't need access to payroll, they don't get it. This limits the damage if their account is ever compromised.
Need to Know โ Even someone with high clearance only gets access to the specific information required for their current task. Having "Top Secret" clearance does not mean you can read every Top Secret file โ only the ones relevant to your work. Least privilege limits how much access; need-to-know limits which specific data.
You will create user accounts and folders on your own computer, then set permissions so that one user can access a folder and another cannot โ implementing DAC and least privilege by hand. Safe, on your own machine.
Managing permissions is bread-and-butter work for IAM analysts, system administrators, and SOC teams. In real breaches, over-privileged accounts are how attackers move from one small foothold to taking over everything, so companies run regular "access reviews" to strip unnecessary permissions โ enforcing least privilege. GRC/compliance analysts audit whether access matches job roles (required by standards like HIPAA and SOC 2). Being able to say "I've configured NTFS permissions and enforced least privilege on user accounts" demonstrates you understand authorization in practice, not just theory.
"The cloud" sounds mysterious, but it is simple: instead of buying and running your own computers, you rent computing power, storage, and software from a provider over the internet. When you use Gmail, your emails live on Google's computers, not yours. That is cloud computing. Companies love it because they avoid buying expensive hardware, they can scale up instantly, and they only pay for what they use. For security, the key question becomes: who is responsible for protecting what?
The three cloud models differ by how much the provider handles versus how much you handle. A classic way to remember it is "pizza as a service":
IaaS (Infrastructure as a Service) โ The provider gives you the raw ingredients: virtual servers, storage, and networking. YOU install and manage the operating system, the applications, and your data. It is like buying pizza ingredients and cooking at home โ most control, most work. Examples: AWS EC2, Azure Virtual Machines.
PaaS (Platform as a Service) โ The provider gives you the infrastructure PLUS the operating system and a ready platform to run your code. YOU only manage your application and its data. It is like a take-and-bake pizza โ you just add your toppings and bake. Examples: Google App Engine, Azure App Service. Great for developers who don't want to manage servers.
SaaS (Software as a Service) โ The provider manages everything: hardware, OS, and the software itself. You just log in and use the app. It is like ordering a finished pizza delivered to your door โ least control, least work. Examples: Gmail, Microsoft 365, Salesforce, Dropbox.
This is the heart of cloud security and appears on the exam constantly. In the cloud, security is shared between you (the customer) and the provider. The provider secures the cloud itself; you secure what you put in it. The exact split depends on the model:
The big lesson: even with SaaS, you are never fully off the hook. If you use weak passwords, skip MFA, or misconfigure sharing, that is your failure, not the provider's. Most real cloud breaches come from customer misconfiguration, not the provider being hacked.
Public cloud โ Resources (like AWS, Azure, Google Cloud) are shared among many different customers, kept logically separated. Cheapest and most scalable.
Private cloud โ Cloud resources dedicated to ONE organization only. More control and privacy, but more expensive. Common for banks and governments.
Hybrid cloud โ A mix of public and private, letting a company keep sensitive data in a private cloud while using the public cloud for everything else. Most common in large enterprises.
You will create a free cloud account, launch a simple resource, and practice securing it โ seeing the shared responsibility model with your own hands. You'll also learn the #1 real-world cloud mistake: accidentally exposing storage to the public.
No-cost alternative that needs no card: use the free interactive labs at AWS Skill Builder or the free tier of a SaaS app you already use (like Microsoft 365 or Google Workspace) to complete the "secure the account" steps below.
Cloud security is one of the highest-demand, best-paid areas in the field right now. Cloud security engineers and analysts spend their days doing exactly these tasks: enforcing MFA on accounts, applying least-privilege IAM policies, and hunting for misconfigured public storage buckets โ the single most common cause of cloud data leaks. GRC analysts map the shared responsibility model to compliance requirements. Even entry-level SOC roles increasingly monitor cloud logs (like AWS CloudTrail). Hands-on experience with an AWS/Azure free tier, and understanding who is responsible for what, is one of the most valuable things a beginner can put on a resume.
A VPN (Virtual Private Network) creates a private, encrypted "tunnel" through the public internet. Imagine sending a letter through a clear glass tube where anyone can read it โ that is normal internet traffic. A VPN wraps that tube in solid steel: your data still travels over the same public internet, but it is encrypted, so anyone who intercepts it sees only scrambled nonsense. VPNs solve a real problem: how do remote workers safely reach company systems, and how do offices connect securely across the internet?
Remote Access VPN โ Connects one individual user to a network. This is what an employee uses to securely reach the office network from home, a coffee shop, or a hotel. Their laptop builds an encrypted tunnel to the company, so it's as if they were plugged in at the office. When you "connect to the company VPN" to work from home, this is it.
Site-to-Site VPN โ Permanently connects two whole locations โ for example, a company's New York office and its London office. The tunnel is always on, between the two networks' equipment, so staff at both sites share resources as if on one network. Individual users don't do anything; the connection lives in the network hardware.
IPSec โ A suite of protocols that secures VPN connections at the Network Layer (Layer 3) of the OSI model. It encrypts and authenticates each packet. IPSec is very common for site-to-site VPNs and strong remote access. Remember: IPSec = network layer.
SSL/TLS VPN โ Uses the same TLS technology as HTTPS websites, working over port 443. Its big advantage: because it runs in a normal browser over the standard HTTPS port, it works almost anywhere without special client software or firewall changes. Remember: SSL VPN = port 443, browser-friendly.
Split tunneling decides which traffic goes through the VPN. With split tunneling ON, only company-bound traffic goes through the encrypted tunnel, while your personal traffic (YouTube, personal email) goes directly to the internet. This saves company bandwidth and is faster โ but it is a security risk, because that personal traffic bypasses the company's security controls and monitoring. If your personal browsing gets you infected, that malware is now sitting on a device that also connects to the company network. The secure alternative, full tunneling, sends everything through the VPN so it can all be inspected.
You will set up a real, free VPN and prove it is working by watching your public IP address change and your traffic become encrypted. You'll see the encrypted tunnel with your own eyes.
Configuring and troubleshooting VPNs is a core duty for network and security administrators โ they set up remote access for the whole workforce, build site-to-site tunnels between offices, decide split vs. full tunneling, and enforce MFA on VPN logins. SOC analysts review VPN logs to spot suspicious remote logins (like a user connecting from two countries an hour apart โ "impossible travel"). Wireshark, used in this lab, is one of the most important tools in all of cybersecurity for analyzing traffic during investigations. Being comfortable with VPNs and basic packet capture is directly applicable to help desk, network, and SOC roles.
A SOC (Security Operations Center) is the team and room where an organization's cybersecurity defense happens 24 hours a day, 7 days a week. Think of it as the security guard station for a company's entire digital world. Analysts sit watching screens full of alerts, deciding which are real threats and responding to them. If you are studying cybersecurity to get a job, the SOC analyst role is the single most common entry point into the industry โ so understanding how a SOC works is understanding your likely first job.
SOC analysts are organized into levels, called tiers, based on experience and the depth of work:
Tier 1 โ The First Responder. This is the entry-level role and where most people start. Tier 1 analysts watch the incoming stream of alerts, do quick triage (decide if an alert is real or a false alarm), handle the simple ones, and escalate anything serious to Tier 2. Think of them as the emergency call-takers of cybersecurity.
Tier 2 โ The Investigator. When Tier 1 escalates something, Tier 2 digs deep. They investigate how far an attack spread, what the attacker did, and how to contain it. They have more experience and access to more tools.
Tier 3 โ The Threat Hunter. The most senior analysts don't just wait for alerts โ they proactively hunt for hidden threats that slipped past the automated systems. They also handle the most complex incidents and improve the SOC's detection rules.
Every device in a company โ servers, laptops, firewalls, applications โ produces logs (records of events). Alone, these logs are scattered and overwhelming. A SIEM (Security Information and Event Management) system solves this: it collects logs from ALL systems into one place and correlates them to spot patterns a human would miss.
Here's the power of correlation: one failed login is nothing. But the SIEM can notice "500 failed logins on one account, then one success, then that account downloaded the customer database at 3 AM" โ and fire an alert. The SIEM sees the big picture across all systems at once. Popular SIEMs include Splunk, IBM QRadar, and Microsoft Sentinel โ names worth knowing for interviews.
Alert Triage โ The core Tier 1 skill: quickly judging each alert. A True Positive is a real threat that correctly triggered an alert. A False Positive is a false alarm โ the alert fired but there's no real threat. A big part of the job is cutting through false positives to find the real dangers, and reducing "alert fatigue."
IOC (Indicator of Compromise) โ A piece of evidence that a system may be hacked: a known-malicious IP address, a malware file hash, an unusual login time, or a strange outbound connection. Analysts hunt for IOCs across their logs.
Playbook โ A step-by-step guide for responding to a specific incident type (a phishing report, a malware detection, a ransomware outbreak). Playbooks make sure every analyst responds consistently and nothing is forgotten under pressure.
You will load real log data into Splunk โ the industry-leading SIEM โ and run searches to find suspicious activity, exactly like a Tier 1 SOC analyst on their first day. This is the closest thing to sitting in a real SOC seat.
This IS the entry-level SOC analyst job. Employers hiring Tier 1 analysts look specifically for people who can search a SIEM, triage alerts, and write clear incident notes. Splunk skills alone appear on a huge number of cybersecurity job postings, and Splunk offers free training and certifications. Platforms like TryHackMe and LetsDefend are widely used by career changers to build a portfolio of completed SOC labs to show employers. If you complete even a few of these and can talk through your investigation process, you can speak credibly in a SOC interview โ this is one of the most job-relevant labs on this whole page.
When a real security incident hits โ ransomware spreading, a hacker inside the network โ people panic. Panic leads to mistakes: pulling the wrong plug, deleting evidence, or missing part of the attack. Incident Response (IR) is a calm, proven, step-by-step process that everyone follows so nothing is forgotten under pressure. Security+ tests these six steps in order on nearly every exam, so you must know them cold. This is the widely used SANS model. (NIST uses a similar 4-phase version, but the six-step order below is what your notes emphasize.)
This happens before any incident. You build the incident response team, write the playbooks, set up the tools (like the SIEM and backups), and train staff. It is like a fire department buying trucks and running drills before there is ever a fire. Good preparation is what makes the other five steps possible. Many organizations fail here โ they only think about response after they've already been hit.
This is detecting and confirming that an incident is actually happening. An alert fires in the SIEM โ is it a real threat (True Positive) or a false alarm (False Positive)? Analysts investigate to confirm. You cannot respond to something you haven't identified, and you don't want to trigger a full emergency response for a false alarm. Accurate identification also determines the scope: which systems and data are affected.
Once confirmed, stop the damage from spreading immediately. If a laptop has ransomware, disconnect it from the network before it encrypts the shared drives. Containment is like closing the watertight doors on a ship to stop flooding from reaching other compartments. There is short-term containment (quickly isolate) and long-term containment (temporary fixes while you prepare to fully remove the threat). Critical: Contain BEFORE you eradicate โ you must stop the bleeding before you treat the wound.
Remove the threat completely. Delete the malware, disable compromised accounts, close the vulnerability the attacker used, and patch the systems. It is not enough to stop the spread; you must remove every trace, or the attacker simply comes back. This step often reveals the root cause โ how they got in โ which must be fixed so it can't be reused.
Restore normal operations safely. Rebuild systems, restore data from clean backups (backups made before the infection), and carefully bring systems back online. Then monitor closely to make sure the attacker is truly gone and doesn't return. Rushing recovery โ restoring from an infected backup, or reconnecting too soon โ is a common, costly mistake.
After the dust settles, the team meets to review: What happened? How did they get in? What did we do well? What was slow or missed? The goal is not to blame people but to improve โ update the playbooks, fix the gaps, and strengthen defenses so the same incident can't happen again. This step feeds directly back into Step 1 (Preparation), making the whole cycle continuous.
Memorize the order: Preparation โ Identification โ Containment โ Eradication โ Recovery โ Lessons Learned. The most common trick question swaps Containment and Eradication. Remember the logic: you must Contain first (stop the spread) and Eradicate second (remove it). A handy memory phrase: "Prep, ID, Contain, Eradicate, Recover, Learn."
You will run a "tabletop" exercise โ a walkthrough of a realistic incident where you apply all six steps in order and write a mini incident report. This is a real technique used by professional IR teams, and it needs no special software.
Tabletop exercises are a genuine, regular activity for incident response teams, SOC teams, and even executives โ organizations are often required to run them for compliance and cyber insurance. Incident responders and SOC analysts follow exactly this six-step process during real attacks, and the ability to write a clear, organized incident report is a highly valued skill (much of the job is documentation). Understanding the correct order โ especially contain-before-eradicate โ and being able to walk through a ransomware scenario is the kind of practical knowledge that impresses interviewers for SOC and IR roles.
| Framework | What It Is | Who Uses It |
|---|---|---|
| NIST CSF | 5 functions: Identify โ Protect โ Detect โ Respond โ Recover | US Government, large companies |
| ISO 27001 | International standard for building an Information Security Management System (ISMS) | Global organizations |
| MITRE ATT&CK | Knowledge base of real attacker tactics, techniques, and procedures (TTPs). Used by SOC analysts daily. | SOC teams, threat hunters |
| PCI DSS | Rules for handling credit card data securely | Any business accepting card payments |
| HIPAA | US law protecting patient health information | Healthcare organizations |
| GDPR | EU law protecting personal data. Heavy fines for violations. | Any company handling EU citizens' data |
| SOC 2 | Security audit standard for cloud service providers | SaaS companies, cloud vendors |
Security cannot be random. If every company invented its own approach, there would be chaos and no way to measure whether anyone is actually safe. Frameworks are organized sets of best practices that tell organizations how to build good security. Regulations are laws that require certain protections, often with heavy fines for failure. As a security professional, you must know the major ones โ not to memorize every rule, but to recognize which applies to which situation. This is heavily tested and constantly relevant on the job.
NIST CSF (Cybersecurity Framework) โ Created by the US National Institute of Standards and Technology. Its heart is five functions: Identify โ Protect โ Detect โ Respond โ Recover. These give any organization a simple structure for a security program: know what you have, protect it, detect attacks, respond, and recover. Widely used by US government and large companies. Memorize those five functions in order.
ISO 27001 โ An international standard for building an ISMS (Information Security Management System) โ basically a documented, repeatable system for managing security. Organizations can get officially certified against ISO 27001, which they use to prove to customers worldwide that they take security seriously. Global in scope.
MITRE ATT&CK โ A huge, free knowledge base that catalogs the real tactics, techniques, and procedures (TTPs) that actual attackers use, organized by the stages of an attack. SOC analysts and threat hunters use it daily to understand attacker behavior, map their defenses, and describe incidents in a common language. Think of it as an encyclopedia of "how hackers actually operate."
PCI DSS (Payment Card Industry Data Security Standard) โ Rules for any business that accepts credit card payments. It requires protections like encryption, firewalls, and access control around card data. Not a government law, but enforced by the card companies โ break it and you can lose the ability to accept cards.
HIPAA โ A US law protecting patient health information. Any healthcare organization (hospitals, clinics, insurers) must safeguard medical records, with real penalties for breaches. If the scenario mentions health data in the US, think HIPAA.
GDPR (General Data Protection Regulation) โ A strict EU law protecting the personal data of EU citizens. It gives people rights over their data and imposes huge fines (up to 4% of global revenue) for violations. It applies to any company worldwide that handles EU residents' data โ so it reaches far beyond Europe.
SOC 2 โ An audit standard (from the AICPA) for cloud and SaaS service providers. A SOC 2 report proves to customers that a vendor properly protects their data across principles like security and availability. SaaS companies are frequently asked for their SOC 2 report before customers will trust them.
Match each to a keyword: NIST CSF = 5 functions (Identify, Protect, Detect, Respond, Recover). ISO 27001 = international certification / ISMS. MITRE ATT&CK = attacker tactics and techniques. PCI DSS = credit cards. HIPAA = US healthcare. GDPR = EU personal data privacy. SOC 2 = cloud/SaaS vendor audit.
You will use the free MITRE ATT&CK website to look up real attacker techniques and map out how an attack works โ the exact skill SOC analysts use to describe incidents. You'll also browse the NIST framework to see how organizations structure security.
MITRE ATT&CK is one of the most in-demand skills in modern SOC work โ analysts "map" every incident to ATT&CK techniques so teams share a common language and can measure their detection coverage. Threat hunters use it to plan hunts. On the compliance side, GRC (Governance, Risk, and Compliance) analysts spend their careers implementing NIST CSF and ISO 27001 and preparing organizations for PCI DSS, HIPAA, and SOC 2 audits โ a huge, well-paid field that values people who know which framework fits which situation. Being able to name these frameworks and use ATT&CK hands-on is directly interview-relevant for both SOC and GRC career paths.
Many beginners think backups are just an "IT" thing. They are actually one of the most important security controls, protecting the "A" (Availability) in the CIA Triad. When ransomware encrypts your files or a server dies, a good backup is the difference between "restore and keep working" and "pay criminals" or "lose the business." This topic covers how backups are done and how organizations decide how much data loss and downtime they can tolerate.
The most famous rule in backups, and easy to remember: keep 3 copies of your data, on 2 different types of media, with 1 copy stored offsite (away from your building). Why? If you keep all copies in one place and there's a fire, flood, or ransomware, you lose everything at once. Three copies mean redundancy; two media types protect against one type failing; one offsite copy survives a local disaster. Modern versions add a fourth idea: keep at least one copy offline (disconnected), because ransomware can encrypt backups it can reach over the network.
Full Backup โ A complete copy of everything. It takes the most time and storage to create, but it is the fastest to restore because everything is in one place. Companies often do a full backup weekly.
Incremental Backup โ Backs up only what changed since the last backup of any kind (full or incremental). Very fast to create and small, but slower to restore: to rebuild, you need the last full backup PLUS every incremental in order. Miss one and the chain breaks.
Differential Backup โ Backs up everything changed since the last FULL backup. It's the middle ground: larger and slower to create than incremental (because it re-copies all changes since the full, every time), but faster to restore โ you only need the last full backup plus one differential.
The exam distinction: Differential = changes since last FULL. Incremental = changes since last backup of any kind. This is a classic trick question.
These two metrics look similar but mean very different things:
RTO (Recovery Time Objective) โ How fast must you be back online after a disaster? It's about time. If your RTO is 2 hours, systems must be restored within 2 hours. A lower RTO requires more expensive, faster recovery solutions.
RPO (Recovery Point Objective) โ How much data can you afford to lose, measured in time? It's about the backup frequency. If your RPO is 4 hours, you must back up at least every 4 hours, because you can tolerate losing at most 4 hours of data. A lower RPO means backing up more often.
Memory hook: RTO = Time to recover (how long down). RPO = Point in the past you restore to (how much data lost). Picture a timeline: RPO is how far back your last good backup is; RTO is how long forward until you're running again.
You will make a real backup, simulate data loss, restore it, and then design a simple backup plan with RTO and RPO targets โ the same planning a business continuity analyst does. All on your own machine.
Backup and recovery is central to Business Continuity and Disaster Recovery (BC/DR) roles, and to every SOC's response to ransomware โ the ability to restore from clean, offline backups is what lets a company refuse to pay a ransom. System administrators design and test backup schedules; security teams verify backups are offline and actually restorable (an untested backup is not a real backup). Defining RTO and RPO is a core task when organizations plan disaster recovery and buy cyber insurance. Being able to explain the backup types and set RTO/RPO targets shows employers you understand resilience, a theme that runs through Security+ and real operations alike.
In the movies, hackers just start typing and break in. In reality, the first and most important phase of almost every attack is reconnaissance โ gathering information about the target before touching anything. The more an attacker learns first (employee names, technologies used, exposed systems), the easier the actual attack becomes. Understanding recon matters for defenders too: if you know how attackers gather information, you can reduce what you leak. Recon is the very first stage in attack models like the Cyber Kill Chain and MITRE ATT&CK.
OSINT (Open Source Intelligence) means gathering information from publicly available sources โ no hacking required. This includes Google searches, company websites, LinkedIn profiles, social media, job postings, and public records like WHOIS (which lists who registered a domain). It's astonishing how much attackers learn this way: a job posting for "Splunk administrator" tells them the company uses Splunk; LinkedIn reveals the IT team's names for spear phishing; a photo posted online might show a badge or a screen. All of it is legal and public โ which is exactly why it's so powerful.
Passive reconnaissance means gathering information without touching the target's systems at all. You look at Google, LinkedIn, WHOIS, and public databases. Because you never contact the target directly, the victim has no idea you're researching them โ it leaves no trace in their logs. OSINT is passive recon.
Active reconnaissance means directly interacting with the target's systems to probe them โ for example, port scanning their servers to see what's open. This gives more detailed, current information, but it leaves traces: the target's firewalls and intrusion detection systems can log and detect the probing. So active recon is more revealing but riskier for the attacker.
Simple way to remember: Passive = look, don't touch (undetectable). Active = touch and probe (can be detected).
Port scanning checks which ports (and therefore which services) are open on a target โ recall from the Ports topic that each open port is a potential door. The most famous tool is Nmap. Because scanning sends packets to the target, it's active recon and can be detected. Attackers scan to find weak services to attack; defenders scan their own systems to find and close those same weaknesses first.
Shodan is often called "the scariest search engine." While Google indexes web pages, Shodan indexes internet-connected devices: servers, webcams, routers, databases, and even industrial control systems. Attackers use it to find exposed devices โ like a security camera with no password or a database open to the internet โ without scanning anything themselves (making this a passive OSINT technique). Defenders use Shodan too, to discover which of their own devices are accidentally exposed to the internet.
You will gather public information about a domain using passive OSINT tools โ exactly how a penetration tester begins an engagement. Use only your own domain, or a public practice target. Do not probe systems you don't own. Everything here is passive (looking at public data), so it's safe and legal.
Reconnaissance is the official first phase of every professional penetration test and red team engagement โ testers spend real time on OSINT before touching anything, and they document it in their reports. On the defensive side, threat intelligence analysts and "attack surface management" teams continuously run WHOIS, Shodan, and breach-database checks against their own organization to find exposed data and devices before attackers do. Recruiters and SOC teams also use these skills. Employers value candidates who understand the passive-vs-active distinction and can safely use tools like Shodan and Google Dorking โ it shows you think like both an attacker and a defender.
Access all lessons, labs, and practice exams โ 100% free, no login required.
VIEW FULL CURRICULUM โ