Show Menu

Cybersecurity Fundamentals Cheat Sheet by

A cheat sheet on basics of cybersecurity


What is Inform­ation Security?

Inform­ation security focuses on the value of the inform­ation being protected rather than how it is being protected. It encomp­asses physical security and cybers­ecu­rity.
Cybers­ecurity tends to focus on the security of digital systems, but it should not be limited to digital elements as most attacks have human and physical factors as well.

OFFENSE : Threat Actor Groups

What are Threat Actor Groups

# Cybers­ecurity profes­sionals must know different types of threat actor groups, varying in motiva­tion, resources, and techni­ques.
# The five main types of cyber attacker groups are Script Kiddie, Hackti­vist, Criminal Gang, Nation State Hacker, and Malicious Insider.

Group 1: Script Kiddie

# Least advanced, relies on off-th­e-shelf penetr­ation testing tools, publicly available exploits.
# Main motiva­tions are reputa­tion, status in the eyes of the hacking community, entert­ain­ment, or settling grudges.
# Self-t­aught via forums, videos, and experi­men­tation, typically teenagers or young adults.
# Little funding, little or no technical expertise and assist­ance, may use free tools written by others.
# Defenses should ensure patching schedule is effective and basic perimeter defenses are up to date.

Group 2: Hacktivist

# Driven by ideolo­gical reasons, uses hacking to achieve political or economic change.
# Range from impres­sio­nable amateurs to experi­enced members within the security community.
# Motiva­tions vary greatly, involve supporting one cause the indivi­duals believe in.
# Operate at scale with varying tools and biggest attribute is size.
# Defenses should cope with an extended disruptive attack.

Group 3: Criminal Gang

# Fastest growing group, running ransomware attacks, committing extortion, theft of customer data or intell­ectual property, and so on.
# Cyber-­based criminal is a full-time and quite lucrative propos­ition.
# Gangs range from few indivi­duals to multin­ati­onals with hundreds of members.
# Gangs frequently develop and deploy their malware, access substa­ntial infras­tru­cture such as servers and domains.
# Intern­ational laws make securing a prosec­ution near imposs­ible.
# Defenses should be compre­hensive and detect, respond, and recover from attacks.

Group 4: Nation State Hacker

# Operates on behalf of a govern­ment, military, or intell­igence agency.
# Targets range from national security interests to commercial enterp­rises to personal data.
# Uses advanced and sophis­ticated tools and techni­ques.
# Uses large resources, such as funding, personnel, infras­tru­cture, and expertise.
# Attacks can be difficult to detect and attribute, and may use false flag operat­ions.
# Defenses require intell­igence and expertise, including identi­fying potential targets and advanced threat hunting capabi­lities.

Group 5: Malicious Insider

# Insider threat actors with authorized access to an organi­zat­ion's systems or data.
# Can be current or former employees, contra­ctors, or third-­party vendors.
# Can be motivated by financial gain, ideology, revenge, or other reasons.
# Can use their access to steal, leak, or damage data, install malware or backdoors, or conduct espionage.
# Defenses require access control, monito­ring, and insider threat detection capabi­lities, as well as compre­hensive security awareness and training programs.

OFFENSE : Types of Cyber Attacks

Denial of Service (DoS) Attack:

Any attack that causes a complete or partial system outage.
Can range from causing a system to crash to making it unreac­hable or incapable of continuing work due to abnormal levels of forwarded network traffic.
Example: sending a malici­ously formatted file to a server that causes it to overload.

Distri­buted Denial of Service (DDoS) Attack:

A DoS attack that comes from more than one source at the same time.
Machines used in such attacks are collec­tively known as "­bot­net­s" and will have previously been infected with malicious software.
Example: sending a large number of page requests to a web server in a short space of time, overlo­ading it.

Phishing Attack:

The practice of sending messages that appear to be from trusted sources with the goal of gaining personal inform­ation or influe­ncing users to do something.
Combines social engine­ering and technical trickery.
Example: sending an email with a file attachment or a link to a fake website that loads malware onto a target's computer.

Spear Phishing Attack:

A very targeted type of phishing activity.
Attackers take the time to conduct research into targets and create messages that are personal and relevant.
Example: an attacker collects a target's details from social media and calls the target pretending to be a repres­ent­ative from the bank.

Structured Query Language (SQL) Injection:

SQL allows users to query databases.
SQL injection is the placement of malicious code in SQL queries, usually via web page input.
Example: in the UK, two teenagers managed to target TalkTalk's website in 2015 to steal hundreds of thousands of customer records from a database that was remotely access­ible.


A catch-all term for malicious software.
Any software designed to perform in a detrim­ental manner to a targeted user without the user's informed consent.
Example: ransom­ware, which holds a victim's files captive in exchange for a ransom payment.

Man in the Middle (MitM) Attack:

Occurs when hackers insert themselves in the commun­ica­tions between a client and a server.
Allows hackers to see what’s being sent and received by both sides.
Example: setting up a "­fre­e" WiFi hot spot in a popular public location.

Domain Name System (DNS) Attack:

DNS is one of the core protocols used on the internet.
Attack vectors directly target DNS, including DNS spoofing, domain hijacking, and cache poisoning.
Example: in 2016, the DNS service provided by a company called Dyn was attacked.

OFFENSE : Structure of a Cyber Attack

What is the Structure of a Cyber Attack?

Computer systems evolve over time, making it necessary for cyber attacks to adapt accord­ingly. While specific techniques may change, the overall structure of a cyber attack can be studied. This section aims to provide a basic unders­tanding of this structure.

Lockheed Martin Cyber Kill Chain® framework

Developed by resear­chers at Lockheed Martin to examine the typical sequence of a cyber attack Consists of seven steps: Reconn­ais­sance, Weapon­iza­tion, Delivery, Exploi­tation, Instal­lation, Command and Control (C2), Actions on Objectives Each step is dependent on the previous one's completion
Reconn­ais­sance: Inform­ation gathering
Weapon­iza­tion: Arming the delive­rable payload
Delivery: Delivering the payload via email, web, USB, etc.
Exploi­tation: Exploiting a vulner­ability to execute code on victim's system
Instal­lation: Installing malware on the victim's system
Command & Control (C2): A command channel for remote manipu­lation of victim
Actions on Object­ives: With 'Hand on Keyboard' access, intruders accomplish their original goal
Each step is dependent on the previous one's completion


# Developed by the American non-profit organi­zation MITRE to collect and present a set of tactics, techni­ques, and procedures (TTP) used by cyber attackers
# Presented in a matrix to help organi­zations examine cyber attacks in a simplified form
# The matrix consists of a list of tactics and techniques used by cyber attackers
# The ATT&CK matrix is open and available to any person or organi­zation for use at no charge


An attacker's objective may be to gain creden­tialed access to a system
If poor logging and no account lockouts are in use, the attacker may use the Brute Force technique, which involves trying millions of username and password combin­ations until a successful one is identified
If this technique fails, the attacker can switch to another approach and continue trying

Offense : Funding and profit­ability of cyber crime

OFFENSE : Funding and profit­ability of cyber crime

What are the drivers of cyber crime?

National Interest
In this section we will understand the cyber crime ecosystem.


# Thriving intern­ational market­place made up of hundreds of forums, platforms, and systems
# Criminals buy and sell data, identi­ties, and tools to make a profit
# Specialism drives effici­encies and allows criminals to focus on what they each do best

Initial Cash Injection:

# Stolen from victim: done through compro­mising banking systems or compro­mising accounts, most common manner is through fraud or deception
# Criminal for hire: offer services to carry out illegal tasks to regular people and organi­zat­ions; gets paid by the organi­zation or individual
# Extorted from victim: criminal gains the ability to disrupt a victim by disabling key systems or threat­ening to divulge sensitive data


# Rapid increase in crypto­cur­ren­cies, such as Bitcoin, proposed a new method for monetary exchange based on a shared ledger called a Blockchain
# Designed to be near impossible to regulate or block, making them unbeli­evably useful for money laundering or for other criminal market­place activities
# Rapid growth of ransomware due to crypto­cur­ren­cies; easier for victims to make concealed payments

Ecosystem in Action

Step 1. Malware designed to record keystrokes and screen shots
Step 2. Criminals buy a list of known email addresses and send out malware as an email attachment
Step 3. Malware authors have a list of passwords and banking logins
Step 4. Criminal gang attempts to login and make transfers to money mules
Step 5. Money mules buy and transfer crypto­cur­rencies to accounts controlled by the gang
Step 6. Trail often ends with only the money mule being traceable

OFFENSE : Social Engine­ering

What is Social Engine­ering?

# Social Engine­ering is the art of making someone do what you want them to do.
# It involves psycho­logy, biology, and mathem­atics.
# In cybers­ecu­rity, it's the use of deception to manipulate indivi­duals into divulging confid­ential or personal inform­ation.
# Social engine­ering attacks are the dark art of using social intera­ctions to trick someone into making a security mistake.

Examples of Social Engine­ering Tactics:

# Scams and confidence tricks that defraud vulnerable indivi­duals of their savings.
# Tailga­ting, or closely following, indivi­duals in order to gain access to secure areas.
# Persuading young adults to act as money launderers for gangs.
# Get-ri­ch-­quick schemes online.
# Within certain organi­zat­ions, employees might skip a long business process like verifying caller identities or getting the right levels of approvals to grant access rights.
# Attackers use time restri­ctions, impers­onate a trusted authority figure, or pretend to be a potential love interest.

Why Does Social Engine­ering Work?

# Humans are imperfect. Our decisions are irrational and flawed. Human decision making varies greatly throughout the day and depends on changing circum­sta­nces.
# Short term gratif­ication or greed can be utilized to manipulate a target. Attackers benefit from affecting a target's decisi­on-­making process to achieve a result.
All these factors impact a target's ability to make a good decision or even identify they are being manipu­lated in the first place.

What Makes a Good Social Engine­ering Attack?

# It is well resear­ched.
# It is delivered confid­ently.
# The attack feels plausible and realistic.

How Can You Defend Against Social Engine­ering?

# Be aware and guard against common social engine­ering attacks.
# If something seems too good to be true, it probably is.
# Don't be afraid to challenge others who make unusual requests or appear out of place.
# Verify unexpected emails or requests.
# Check the sender's email address.
# Be cautious of phishing emails.


What is Open Source Intell­igence (OSINT)

# Intell­igence operations using publicly available inform­ation
# All inform­ation that can be easily collected without active collection methods (hacking, wiretaps)

Benefits of OSINT

# Virtually free and consid­erably easy to acquire compared to tradit­ional forms of inform­ation gathering
# Undete­ctable to the target

Sources of Open Inform­ation

1. Company website: can reveal helpful inform­ation, use "­Google hackin­g" and Wayback Machine to find more advanced inform­ation
2. Media and news: good journa­lists are skilled at processing open inform­ation, may provide help for further invest­iga­tions
3. Social media: people share inform­ation widely, even small pieces of inform­ation can add credib­ility to social engine­ering attacks
4. Government or public records: many countries keep detailed records of both citizens and companies

Good rules for gathering open inform­ation

1. Get lots of inform­ation: quantity is valuable, analyst tools operate better with more inform­ation
2. Get a range: do not rely on a single source, not everything online is true
3. Be ethical: do not use illegal methods or violate privacy laws
4. Verify inform­ation: confirm inform­ation from multiple sources, use critical thinking and skepticism
5. Keep a low profile: avoid drawing attention to the invest­iga­tion, take measures to maintain privacy and security.

OFFENSE : Technical Scanning

What is Technical Scanning?

They are techniques used by attackers to collect inform­ation about computers and networks during the reconn­ais­sance stage of an attack.

Ping Test:

# Sends an Internet Control Message Protocol (ICMP) packet to target machine’s IP address.
# If target machine responds with an echo reply packet, scanning machine knows target machine is active and switched on.
# Provides a basic test to identify machine status and how far into network machine is located by using packet's "time to live" (TTL).
# Can be used to tell attackers and defenders if machine is responsive and, when repeated in a sweep, how many devices are on a network.
# Can be started using the command ‘ping target­_name’ on Windows machines.


# Calculates traceroute between two computers by sending out packets with increasing or decreasing "­times to live" (TTL).
# Used to map out network and determine how many switches and routers exist between you and your destin­ation.
# A complete list of the network nodes between scanner and target can be produced.
# Can be started using the command ‘tracert target­_name’ on Windows machines.

Port Scanning:

# Based on the idea of attempting to open a connection with a certain number of ports on target machine.
# Scans the most common 1,000 ports for a given protocol.
# Can work out what machine is being used for by working through the list of "well known" ports on target device.
# Can identify "­ope­n" and "­clo­sed­" ports.
# Can be performed using Network Mapper (Nmap). It is a free and open-s­ource network scanner.

Network Vulner­ability Scanning:

# Certain actions are done to exploit vulner­ability in real time to determine if it exists on target system (dynamic scanning).
# Version numbers of software are compared against a database to find vulner­abi­lities.

OFFENSE : Case Studies


Advanced and targeted malware collection that targeted Iranian uranium processing
Used four previously uniden­tified vulner­abi­lities and a pair of compro­mised digital certif­icates
Spread through infected USB drives
The definitive example of a cyber weapon deployed for military and political objectives


Large-­scale data breach due to the organi­zat­ion's failure to apply a security patch
Attackers stole at least 147 million names and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and expiration dates
Basic mistakes in the organi­zation made the breach possible
Placed the idea of data breaches into US attention

National Security Agency

Malicious insider, Edward Snowden, released a signif­icant amount of classified inform­ation
Leaked files included technical capability overviews, guidance on operat­ions, and other highly sensitive material
Several business arrang­ements between the NSA and US companies were brought under a high degree of scrutiny as a result
Considered the most damaging set of leaks the US had ever suffered


Large-­scale supply chain attack affecting thousands of organi­zations
Attacker compro­mised SolarW­inds' update process, spreading malware to thousands of SolarW­inds' customers
Highli­ghted how trusted relati­onships within supply chains can be used by attackers
Patches for software are still recomm­ended as a routine step, despite supplier compro­mises.

DEFENSE : Financial Impacts

Financial Impact

# Average global total cost of a data breach is $4.35M
# Cost of data breaches has increased by 14.8% since 2015
# Lost business is the biggest contri­butor to these costs
# Regulatory fines and remedi­ation costs may impact an organi­zation

Hiscox Cyber Readiness Report 2021

# Proportion of firms reporting attacks is on the rise
# Hackers' favorite targets are TMT, financial services, and energy sectors
# Average firm devotes more than 21% of its IT budget to cybers­ecurity
# 16% of firms reporting cyber attacks had to deal with a ransomware demand
# Cyber attacks are an unavoi­dable cost of doing business today

DEFENSE : Security Strategy

Metrics to Assess Security Maturity

Cybers­­ec­urity maturity is a scale, and an organi­­zation may show develo­­pment in one area while not being mature in another area.

Security Maturity Levels (PRISMA)

Level 1: Policies - Documented policies exist and are readily available. Policies establish a cycle of assessing risk, implem­enting security controls, and monitoring effect­ive­ness.
Level 2: Procedures - Formal, documented procedures exist to implement security controls. Procedures define IT security respon­sib­ilities and expected behaviors, and document implem­ent­ation and rigor.
Level 3: Implem­ent­ation - Procedures are commun­icated to indivi­duals who need to follow them, and security controls are implem­ented consis­tently and reinforced through training.
Level 4: Test - Tests are routinely conducted to evaluate the adequacy and effect­iveness of security controls, and corrective actions are taken to address weakne­sses. Inform­ation from potential and actual security incidents is used as test results.
Level 5: Integr­ation - IT security is fully integrated into the culture and decisi­on-­making processes. A compre­hensive IT security program is in place, and costs and benefits are measured precisely. Threats are contin­ually reeval­uated, and controls are adapted as needed.

10 Steps to Cyber Security offered by NISC UK

1. Risk management
2. Engagement and training
3. Asset management
4. Archit­­ecture and config­­ur­ation
5. Vulner­­ab­ility management
6. Identity and access management
7. Data security
8. Logging and monitoring
9. Incident management
10. Supply chain security

Market­place for the security industry

# Large organi­zations typically have products from various cybers­ecurity vendors.
# These cybers­ecurity vendors contribute to a vibrant ecosystem supported by various standard author­ities, charities, and government entities.

DEFENSE : Protection

Goal of Cybers­ecurity

Goal: Aim to make cyber attacks frustr­atingly difficult. The emphasis is on reducing operat­ional risk to an acceptable level.

Preventive Strategy 1 - Perimeter Security

Attack surface: the sum total of an organi­zat­ion’s infras­tru­cture and software enviro­nment that is exposed where an attacker could choose to attack.
Protecting the attack surface: keeping the attack surface as small as possible by limiting which services are externally accessible and what devices can be connected.
Perimeter: a defined boundary that neatly separated an organi­zat­ion’s assets from the outside world.

Preventive Strategy 2 - Network Segreg­ation

Demili­tarized zone (DMZ) : a middle ground area on the network which is partly controlled and managed, used to refer to servers that may be used by both internal and external applic­ations.
An attacker who compro­mises a server in the DMZ would need a second successful attack to move further into the organi­zation.

Preventive Strategy 3 - Least Privilege

Granting the fewest permis­sions to enable a role to be completed, which means that the conseq­uences of a successful attack are reduced when compared to a less restricted system.

Preventive Strategy 4 - Patch Management

Patch manage­ment: the process of updating software to reduce the risk of them being succes­sfully attacked.
Vulner­ability manage­ment: the process of identi­fying flaws within software.
Vulner­ability scanner: a piece of software that assesses if there are any vulner­abi­lities within a server or applic­ation.
Compen­sating controls: a temporary solution if a vulner­ability is identified for which a patch is not available.

Layered Cybers­ecurity

It means applying multiple forms of defense to an organi­zat­ion's infras­tru­cture and software enviro­nment
It is inspired by the military concept of defense in depth where a successful attack would have to bypass or circumvent all layers of defense, which is difficult to achieve
Defense in depth includes network defenses, device defenses, and data controls like encryption
Example of Layers of Security : Perimeter -> Network -> Host -> Applic­ation -> Data

DEFENSE : Detection

When is Detection necessary

Should an organi­zat­ion’s defenses fail to succes­sfully prevent a cyber attack, an organi­zat­ion's next priority is to detect the cyber attack. This is ideally done while the attack is in progress or in the best situation, when the breach has yet to occur at all.


Logging is the process where actions are accurately recorded in a secure location, acting as a permanent record of what has occurred within a network.
Log records should be tamper­-proof and can be done on individual machines or applic­ations.
Organi­zations can use a larger collection of logs to track the activities of both legitimate users and attackers.

Network Monitoring

Traffic analysis is an approach where organi­zations can monitor commun­ica­tions across their network to identify what is being done on a network, even in a passive fashion while encryption is being used.

Security inform­ation and event management (SIEM)

SIEM tools collect all the inform­ation throughout the organi­zat­ion's technology infras­tru­ctures and aggregate it, helping cybers­ecurity teams to identify events and patterns of potential attacks and analyze them.

Security operations center (SOC)

SOC is respon­sible for detecting attacks in progress using SIEMs and other monitoring tools, and security analysts make up the team of people respon­sible for assessing an organi­zat­ion’s security in the SOC.

False alarms

False positives can occur when an alert is triggered, and the action is legiti­mate. Confirming if an alert is a false positive is the respon­sib­ility of a security analyst.
A balance needs to be establ­ished in adjusting the sensit­ivity of certain thresholds within a SOC.


An unusually high amount of activity in logging can indicate unknown or unauth­orized activity.

DEFENSE : Response

Six phases of incident management

1. Prepar­ation
2. Identi­fic­ation
3. Contai­nment
4. Eradic­ation
5. Recovery
6. Reflection

Types of tests to assess level of prepar­ation

Paper-­based Tests:
Table-top Exercises:
Live Tests:
Survey and prep
Small response exercise
Live failure and response exercise

Key terms to know

Business contin­uity: the ability to continue operating despite an incident
Disaster recovery: the ability to recover from a disaster

Benefit of incident response teams

Organi­zations with incident response capabi­lities saw an average cost of a breach of USD 3.26 million in 2022, compared to USD 5.92 million at organi­zations without incident response capabi­lities. This is a cost difference of USD 2.66 million, or 58%.

DEFENSE : Crypto­graphy

What is Crypto­graphy?

It is the art of writing and solving codes and keeping the inform­ation confid­ential

Secure Commun­ica­tions

Confid­ent­iality: Message is private and cannot be understood by an eavesd­ropper.
Authen­ticity: Spoofing or impers­onation is imposs­ible.
Integrity: Tampering with a message can be identified by the receiver.

Encryption and its Types

Encryption converts a message into an unreadable state that can only be understood by those with a decryption key.
Two forms of encryp­tion: Symmetric and Asymme­tric.

Symmetric encryp­tion:

Uses the same key for encryption and decryp­tion.
Rely on both the sender and receiver having access to the same key.
Example: Rotati­on-­based cipher like Advanced Encryption Standard (AES).

Asymmetric encryp­tion:

Uses different keys for encryption and decryp­tion: public and private keys.
Anyone can use the public key to encrypt a message, which can only be decrypted using the holder's private key.
Beneficial for commun­icating securely with unknown entities.
Example: Online shopping where an in-person meeting to create a shared, unique, symmetric key is not required.

DEFENSE : Threat Intell­igence

What is Threat Intell­igence?

# Intell­igence has histor­ically been used in military operations as a force multip­lier, allowing commanders to use resources for their greatest impact.
# Threat Intell­igence is data collected and analyzed by organi­zations to understand the motives and behavior of cyber attackers, focusing on attacker tactics, techni­ques, and procedures (TTPs) or other indicators of compromise (IOCs).
# Tactics are the "­why­," techniques are the “how,” and procedures are the specific implem­ent­ation that the adversary uses for techni­ques. Indicators of compromise (IOCs) are signatures related to attacker activity.
# Organi­zations can benefit from threat intell­igence in providing a warning, indicators of compro­mise, context, and learning from peers.
# Sources of threat intell­igence include threat exchange platforms, confer­ences, articles, and news, and product vendors.
# Job roles within the world of cyber threat intell­igence can be divided into two areas: production and interp­ret­ation. Production involves the collection and enrichment of inform­ation, while interp­ret­ation involves analyzing the findings and deciding the best course of action to recommend.
Key Takeaway : The use of threat intell­igence enables organi­zations to design defenses tailored to the specific attacks they may face, rather than relying on industry or regulatory standards. This is especially beneficial for organi­zations that operate in complex or anomalous ways where regula­tions may not provide adequate guidance.


No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          Security+ 601 Exam Cheat Sheet
          Network+ | 01.Basics Cheat Sheet
          Network+ | 04.Media & Cabling Cheat Sheet