Back to Blog
tech

Cybersecurity Foundations: A Student Playbook

Everything I wish someone stitched together for me: core threats, CISSP domains, frameworks, tooling, mindset, and principles—stripped of fluff and tuned for someone actually starting out.

10 min read
By Andy

New to security? Cool. Don’t cram random acronyms. Learn the why, then the what. Every new thing you hear is usually one of three buckets: a problem (threat), a way to reduce the problem (control), or a guiding idea (principle). That’s it. This is my starter map written in plain English.

0. Why Cybersecurity Exists

Almost every attack boils down to someone trying to: (1) steal money/data, (2) break trust, or (3) gain leverage to force a payout or influence. Our job is simple to say, hard to do: make attacks harder, limit the damage, and notice & fix things faster. Everything else hangs off that.

1. Introduction to Cybersecurity

Cybersecurity just means: keep the stuff running, private, and trustworthy. Early internet days = “install antivirus, toss up a firewall.” Today it’s continuous: watch what’s happening, question who’s asking for access, assume something will go wrong, and design so one mistake doesn’t nuke everything.

Takeaway: Security isn’t a gadget you purchase once. It’s a habit + ongoing maintenance.

2. Classification of Cyber Threats

2.1 Malware (Malicious Software)

Software built to do shady stuff:

  • Virus – Hides inside another file; spreads when you run it.
  • Worm – Moves on its own across machines.
  • Ransomware – Locks your files and charges “rent” to get them back.
  • Spyware – Quietly watches & sends out your activity or passwords.
  • Adware – Spammy ads + tracking; sometimes a doorway for worse.
  • Rootkit – Gives hidden “god mode” to an attacker.
  • Botnet – A bunch of infected computers acting like a remote robot army.
  • Fileless Malware – Lives in memory; leaves little on disk to scan.

2.2 Trojan (Disguised Payload)

Looks safe, does harm. Usually: installs more malware, steals logins, keeps a secret door open, or disables defenses.

2.3 Social (Human) Engineering

Tricking people instead of breaking code:

  • Phishing / Spear / Whaling – Fake messages (broad → targeted → execs).
  • Pretexting – Fake story to build fake trust.
  • Baiting – “Free USB / free download” that isn’t free.
  • Quid Pro Quo – “I’ll fix X, just give me Y.”
  • Tailgating – You hold the door. Stranger slides in.
  • Deepfakes – AI-mimicked voices/faces.

Pattern: people rush, feel pressured, or flattered → mistakes happen.

3. Defense Fundamentals (Action Layers)

3.1 Preventing Malware

  1. Keep systems lean and updated.
  2. Use decent endpoint protection (looks for weird behavior, not just known bad files).
  3. Only allow approved apps in sensitive areas.
  4. Block weird outbound traffic (why is a printer talking to Russia?).
  5. Plant fake “bait” files or fake systems to catch intruders early.

3.2 Limiting Trojan Impact

  1. Teach: “Download from official source, don’t run random installers.”
  2. Open suspicious stuff in a safe sandbox first.
  3. Split networks so one infected laptop ≠ total meltdown.
  4. Re‑check identity when things seem off (sudden login from two continents).

3.3 Countering Social Engineering

  1. Basic email protections + spam filtering.
  2. Use MFA (best = security keys, not SMS).
  3. Give people the minimum access they need right now.
  4. Practice fake phishing + “what if” exercises.
  5. Watch for odd usage patterns on sensitive systems.

4. Advanced Mitigation Strategies

  • Zero Trust – Don’t automatically trust anything; check each request.
  • Threat Intel – Learn from what attacks others are seeing so you aren’t surprised.
  • Automated Response – Let scripts handle obvious stuff fast.
  • Future‑proof Crypto – Prep for a world where today’s math breaks.
  • Supply Chain – Know what code you use, where it came from, and if someone tampered with it.

Big lesson: you can’t protect what you can’t see. Step one is visibility.

5. CISSP Domains (Mental Map)

Fancy list that just organizes the field. Translation:

  1. Risk: What could hurt us?
  2. Assets: What do we have & where is it?
  3. Architecture: How is it built & defended?
  4. Networks: How stuff talks.
  5. Identity: Who’s allowed in.
  6. Testing: Are defenses working?
  7. Operations: Daily monitoring & response.
  8. Software: Build it secure from the start.

When you learn something new, ask “Which bucket?” Helps memory stick.

6. Common Attack Types (Map Them Early)

| Attack | Plain Goal | What’s Really Hit | |--------|-----------|------------------| | Password guessing | Steal an account | Identity / Access | | Social tricks | Fool a person | People / Process | | Physical breach | Touch the gear | Assets | | Supply chain | Poison updates | Architecture / Ops | | Crypto attack | Read or change secrets | Data protection |

Post‑incident reflection: How did it arrive? What was weak? What broke? What blocked it? What should have blocked it? Instead of a dense chart, here’s the quick list:

  • Password guessing – Goal: steal an account. Hits: identity / access layer.
  • Social tricks (phishing etc.) – Goal: fool a human. Hits: people + process.
  • Physical breach – Goal: touch hardware or plug something in. Hits: assets / facilities.
  • Supply chain tampering – Goal: sneak bad stuff in upstream. Hits: build / update pipeline.
  • Crypto attack – Goal: read or tamper with protected data. Hits: data protection layer.

After any incident ask: How did it arrive? What was weak? What broke? What blocked it? What should have blocked it?

7. Threat Actors & Hacker Taxonomy

  • APT – Well‑funded pros. Slow, sneaky, serious targets.
  • Insider – Someone already inside misusing access (by mistake or on purpose).
  • Hacktivist – Political / social motive, public noise.
  • Newbie / Script use – Uses pre‑built tools; still causes chaos.
  • Ethical Hacker – Paid to find holes before criminals do.

Who they are + how skilled they are changes how you defend.

8. Core Glossary (Trimmed for Signal)

  • CIA Triad – Confidentiality, Integrity, Availability (the classic three pillars).
  • Malware – Bad software.
  • Phishing – Fake message that wants you to click / give info.
  • SIEM – Tool that gathers logs and flags weird stuff.
  • IDS – Alarm system watching traffic or behavior.
  • Least Privilege – Don’t give more access than necessary.
  • Encryption – Scramble data so only the right key unlocks it.
  • Pen Test – Friendly break‑in test.

9. Frameworks & Compliance (Don’t Memorize; Understand Purpose)

Skip memorizing—just know the job each one plays:

  • NIST CSF – Shared lifecycle for managing risk (Identify → Protect → Detect → Respond → Recover).
  • CIS Controls – Opinionated “do these first” technical priorities.
  • GDPR – EU personal data handling + breach notification rules.
  • PCI DSS – Guard credit card info.
  • HIPAA / HITRUST – Protect health data + aligned assurance.
  • ISO 27001 – Formal, certifiable security management system.
  • SOC 2 – External report on how a service org secures & governs data.

Purpose: create shared language between engineers, legal, execs, auditors.

10. Tooling & Capability Building

Match skill → a tool → a tiny rep you can do today:

  • Logs – (Splunk / Elastic) Count failed vs. successful logins.
  • Packets – (Wireshark) Capture traffic; identify a DNS request.
  • Endpoint – (Defender / CrowdStrike alt) List processes; terminate one safely.
  • Vulnerability scan – (OpenVAS / Trivy) Scan a container & remediate ONE finding.
  • Scripting – (Python / Bash) Script that prints today’s failed login IPs.
  • SQL – (sqlite / psql) Query: top 5 IPs by failed auth attempts.
  • Crypto basics – (OpenSSL) Generate a key + self‑signed cert; inspect it.
  • Recon – (nmap / Burp) Scan localhost ports; label what’s running.

Tools rotate. Core abilities stick.

11. CIA Triad in Practice

Full terms—not shortcuts:

Confidentiality – Only the right people / systems can see it. Controls: strong authentication, least privilege / RBAC, encryption at rest & in transit, data classification & labeling, DLP where needed.

Integrity – Data stays correct and untampered. Controls: hashes & checksums, digital signatures, immutability strategies (WORM / append‑only), code signing, versioned / off‑line backups.

Availability – It’s reachable when needed. Controls: redundancy (multi‑AZ / region), load balancing, graceful degradation, rate limiting, tested restore & disaster recovery drills, capacity planning & monitoring.

Quick gut check: if you add a control and it doesn’t clearly help C, I, or A, challenge it.

12. Controls → Frameworks → Compliance Chain

  1. Add a thing (example: require security key for admins).
  2. Tie it to a framework line so others know “why.”
  3. Prove it works with logs / tests / docs.

When you add something ask: How do we know it works? How does it fail? Who would notice?

13. SIEM & Detection Engineering Basics

Think of a SIEM as “logs in, meaning out.” Good starting logs: logins, process launches, DNS lookups, file downloads, permission changes, weird data transfers. Bad pattern: create a flood of noisy rules you never revisit. Better pattern: guess a real attack → write a detection → simulate it → tune noise → document it so future‑you isn’t confused.

14. Encryption (Reality Check)

Use widely trusted algorithms. Protect the keys more than the math. Rotate them. Never invent your own encryption—seriously. And base64 is just packaging, not protection.

15. Pen Testing vs. Red Team vs. Vulnerability Scan

  • Scan – Automated list of “probably weak spots.”
  • Pen Test – Human tries to actually exploit a few of them.
  • Red Team – Pretend attacker with a goal (“steal X”) while testing if you notice.
    Start small: scan your own test box and explain results to a friend.

16. Domains Deep Dive Snapshot

Some example focuses:

  • Risk – What matters most & what could break it.
  • Operations – Watch + react fast.
  • Secure Dev – Fix problems early while building.
  • Identity – Make “who are you?” and “should you do that?” consistent.

17. OWASP Security Principles (Core + Extras)

Core reminders: have fewer doors, give fewer keys, layer defenses, split critical tasks, keep it simple, fix things properly. Add-ons: start secure by default, break closed not wide open, don’t blindly trust third parties, and don’t rely on hiding details. Revisit these—things quietly drift.

18. Building Your Skill Stack (Roadmap)

  1. Get comfy in a terminal.
  2. Understand how computers talk (basic networking).
  3. Learn a scripting language to automate boring stuff.
  4. Learn how logins & tokens work.
  5. Learn basic cloud account hygiene.
  6. Sketch “how would someone break this?” (threat modeling).
  7. Write one detection rule & tune it.
  8. Learn to explain a problem + fix in plain words.

Concepts outlive tools. Invest in concepts.

19. Putting It All Together (Mindset Loop)

Look → Name what you see (attack? weakness? missing guardrail?) → Guess a fix → Try it → See if it worked → Repeat. Your edge starting out: you’re not stuck thinking “we’ve always done it this way.” Explore wide before you specialize.

20. Quick Self‑Check

Try answering out loud:

  1. Define ransomware simply.
  2. Point to what failed in a phishing example.
  3. Name three logs that would catch an intruder moving sideways.
  4. Distinguish scan vs. pen test vs. red team.
    Miss one? Revisit that part and pair it with a concrete example.

21. Conclusion

Attack tricks shift. Core thinking doesn’t: reduce what’s easy to exploit, notice weird fast, recover cleanly. Keep tinkering. Build small labs. Break things legally and ask “why did that work?” That’s how you quietly level up.

Ship it. Then go learn by poking something in a safe sandbox.

Newsletter

If you like me and wants to stay in my loop, you can subscribe to my newsletter.

Get to know me, updates on my projects, insightful thoughts on tech, and random thoughts delivered straight to your inbox on how you can be more productive and just genuine content.

Unsubscribe at any time. I respect your privacy and won't share your email.