Cybersecurity basics

Real example

A bank app: TLS encrypts the session (C), the transaction amount cannot be silently altered (I), the app is up at 2am (A).

Question

“What is the CIA triad?”

Answer

It is the three pillars of cybersecurity — Confidentiality, Integrity, and Availability. Confidentiality means data is only seen by authorised parties; Integrity means it is not modified without permission; Availability means it is reachable when needed. Every security control I implement maps back to one of these three.

Real example

Strong password + 2FA + device encryption + audit logging + a behavioural-detection EDR — beat any one, you are still locked out.

Question

“Why is defence in depth better than one strong control?”

Answer

Because no single control is perfect. Defence in depth assumes any one layer can fail and still leaves the attacker facing more layers. Each layer is cheap on its own but combined they make the attack economically unattractive — that is the point.

Real example

A junior dev has read-only prod-log access, not full DB admin. If their laptop is stolen, the attacker cannot drop tables.

Question

“How would you apply least privilege to a customer-support team?”

Answer

I would scope each agent to read-only access to the tables they actually need — orders, tickets — not user passwords, payment cards, or DB-admin commands. Any sensitive action like a refund or an account merge would require manager approval, and every access would be audit-logged so we can detect abuse.

Real example

Old model: anyone behind the VPN is trusted. Zero trust: even the CEO's laptop must re-prove identity on every API call.

Question

“What problem does zero trust solve?”

Answer

It solves the assumption that "inside the network = trusted." Once an attacker phishes one user or compromises one device, they pivot freely. Zero trust requires re-verification on every request, so a single compromised credential cannot grant lateral movement.

Real example

Logging in (Auth-N), being able to read /docs but not /admin (Auth-Z), every action being logged for audit (Accounting).

Question

“Difference between authentication and authorisation?”

Answer

Authentication is about who you are — proving identity, typically via a password and 2FA. Authorisation is about what you are allowed to do once authenticated, like which APIs or data you can access. They are sequential — you authenticate first, then the system authorises each action.

Real example

A USPS smishing text = opportunistic. LockBit ransomware = organised crime. Stuxnet = state actor. Departing employee deletes a database = insider.

Question

“Which threat actor type would target a hospital with ransomware?”

Answer

Organised crime, almost always. Hospitals pay quickly to restore patient services, and ransomware groups know it. Groups like LockBit and BlackCat run enterprise-style operations specifically targeting healthcare and critical infrastructure where downtime is unaffordable.

Real example

Phisher researches LinkedIn (recon), crafts a fake invoice (weapon), emails it (deliver), victim opens it (exploit), malware drops (install), it calls home (C2), then steals data (action).

Question

“What stage of the Kill Chain is easiest to disrupt?”

Answer

Generally Delivery — that is where most defences sit, like email gateway filtering, URL sandboxing, or attachment scanning. The earlier you can break the chain the better, because every stage onwards is harder to detect — by Actions on Objectives the attacker may have already exfiltrated data.

Real example

When a CrowdStrike alert says "T1078 Valid Accounts," that is the MITRE technique ID for using legitimate stolen credentials — easier to pivot from than a vendor name.

Question

“Difference between a tactic and a technique in ATT&CK?”

Answer

A tactic is the attacker's goal at a stage — Initial Access, Persistence, Lateral Movement. A technique is how they accomplish that goal — Spearphishing Attachment, Scheduled Task, Pass-the-Hash. So tactics are the columns of the ATT&CK matrix, techniques are the cells inside them.

Real example

Asset inventory (Identify) → MFA + patching (Protect) → SIEM alerts (Detect) → IR runbook (Respond) → backups + post-mortem (Recover).

Question

“Which NIST CSF function covers "we got breached, now what?"”

Answer

That is Respond and Recover — Respond is the immediate handling of the incident, like containment, eradication, and stakeholder communication; Recover is the longer-term restoration, including rebuilding affected systems and applying lessons learned. The other three — Identify, Protect, Detect — are about preventing it from getting that far.