# Cybersecurity — Overview

## Purpose
Cybersecurity protects systems, networks, and data from digital attacks. This section covers:

- **Threat Landscape** — Understanding attackers, motivations, and attack vectors
- **Defense in Depth** — Layered security controls and architecture
- **Identity & Access** — Authentication, authorization, and access control
- **Secure Development** — Building security into the SDLC
- **Incident Response** — Detecting, responding to, and recovering from breaches

## Key Questions This Section Answers
1. What are the most common attack vectors and how do we defend against them?
2. How do we implement zero-trust architecture?
3. What are the OWASP Top 10 vulnerabilities?
4. How do we design secure authentication and authorization?
5. How do we detect and respond to security incidents?

---

## 1. The Threat Landscape

### Threat Actors

| Actor | Motivation | Sophistication | Examples |
|-------|------------|----------------|----------|
| **Script Kiddies** | Fun, notoriety | Low | Using pre-made tools |
| **Hacktivists** | Political/social cause | Medium | Anonymous, WikiLeaks |
| **Cybercriminals** | Financial gain | Medium-High | Ransomware gangs |
| **Nation-States** | Espionage, warfare | Very High | APT groups (APT28, Lazarus) |
| **Insiders** | Revenge, money | Varies | Disgruntled employees |

### Attack Vectors

```
                    ┌─────────────────┐
    Phishing ──────>│                 │
    Malware  ──────>│   TARGET        │
    Exploits ──────>│   SYSTEM        │
    Social Eng ────>│                 │
    Supply Chain ──>│                 │
                    └─────────────────┘
```

In [None]:
import plotly.graph_objects as go
from plotly.subplots import make_subplots
import numpy as np
import pandas as pd

# Attack vector frequency and impact
attack_vectors = ['Phishing', 'Malware', 'Ransomware', 'SQL Injection', 'XSS', 
                  'DDoS', 'Man-in-the-Middle', 'Zero-Day', 'Insider Threat', 'Supply Chain']
frequency = [95, 75, 70, 45, 50, 40, 30, 15, 25, 35]  # % of organizations affected
avg_cost = [4.5, 3.8, 8.2, 2.5, 1.8, 2.2, 3.0, 12.0, 5.5, 9.5]  # $ millions

fig = go.Figure()

fig.add_trace(go.Scatter(
    x=frequency, y=avg_cost, mode='markers+text',
    marker=dict(size=[f/3 for f in frequency], color=avg_cost, colorscale='Reds',
                showscale=True, colorbar=dict(title='Avg Cost ($M)')),
    text=attack_vectors, textposition='top center', textfont=dict(size=10),
    hovertemplate='<b>%{text}</b><br>Frequency: %{x}% of orgs<br>Avg Cost: $%{y}M<extra></extra>'
))

fig.update_layout(
    title='Attack Vectors: Frequency vs Average Cost',
    xaxis_title='Frequency (% of organizations affected annually)',
    yaxis_title='Average Cost per Incident ($ Millions)',
    template='plotly_white'
)
fig

## 2. Defense in Depth

Multiple layers of security controls, so if one fails, others still protect:

```
┌─────────────────────────────────────────────────────────────┐
│  POLICIES & PROCEDURES (Governance)                         │
├─────────────────────────────────────────────────────────────┤
│  PHYSICAL SECURITY (Data centers, access control)          │
├─────────────────────────────────────────────────────────────┤
│  PERIMETER (Firewalls, WAF, DDoS protection)               │
├─────────────────────────────────────────────────────────────┤
│  NETWORK (Segmentation, IDS/IPS, VPN)                      │
├─────────────────────────────────────────────────────────────┤
│  HOST (EDR, AV, patching, hardening)                       │
├─────────────────────────────────────────────────────────────┤
│  APPLICATION (Secure coding, SAST/DAST, WAF)               │
├─────────────────────────────────────────────────────────────┤
│  DATA (Encryption, DLP, access controls)                   │
└─────────────────────────────────────────────────────────────┘
```

### Security Controls Types

| Type | Purpose | Examples |
|------|---------|----------|
| **Preventive** | Stop attacks | Firewalls, MFA, encryption |
| **Detective** | Identify attacks | SIEM, IDS, log monitoring |
| **Corrective** | Fix after attack | Patching, IR procedures |
| **Deterrent** | Discourage attacks | Warning banners, policies |
| **Compensating** | Alternative control | Manual review when automation fails |

In [None]:
# Defense in Depth layers visualization
layers = ['Policies', 'Physical', 'Perimeter', 'Network', 'Host', 'Application', 'Data']
effectiveness = [40, 60, 75, 80, 85, 90, 95]  # Cumulative protection %
cost = [10, 50, 80, 120, 100, 90, 70]  # Relative cost to implement

fig = make_subplots(rows=1, cols=2, subplot_titles=(
    'Cumulative Protection by Layer', 'Implementation Cost by Layer'
))

colors = ['#1a237e', '#283593', '#3949ab', '#5c6bc0', '#7986cb', '#9fa8da', '#c5cae9']

fig.add_trace(go.Funnel(
    y=layers, x=effectiveness,
    textinfo='value+percent initial',
    marker=dict(color=colors),
    name='Protection'
), row=1, col=1)

fig.add_trace(go.Bar(
    x=layers, y=cost, marker_color=colors,
    text=cost, textposition='outside', name='Cost'
), row=1, col=2)

fig.update_layout(title='Defense in Depth: Layers, Protection & Cost', template='plotly_white')
fig.update_yaxes(title_text='Relative Cost', row=1, col=2)
fig

## 3. OWASP Top 10 (2021)

The most critical web application security risks:

| # | Vulnerability | Description | Mitigation |
|---|---------------|-------------|------------|
| 1 | **Broken Access Control** | Unauthorized access to functions/data | RBAC, deny by default |
| 2 | **Cryptographic Failures** | Weak encryption, exposed data | TLS, strong algorithms |
| 3 | **Injection** | SQL, NoSQL, OS command injection | Parameterized queries |
| 4 | **Insecure Design** | Missing security controls | Threat modeling |
| 5 | **Security Misconfiguration** | Default configs, verbose errors | Hardening, automation |
| 6 | **Vulnerable Components** | Outdated libraries | SCA, patching |
| 7 | **Auth Failures** | Weak passwords, session issues | MFA, secure sessions |
| 8 | **Data Integrity Failures** | Untrusted deserialization | Signing, validation |
| 9 | **Logging Failures** | Insufficient monitoring | Centralized logging |
| 10 | **SSRF** | Server-side request forgery | Input validation |

In [None]:
# OWASP Top 10 severity and exploitability
owasp = ['Broken Access\nControl', 'Crypto Failures', 'Injection', 'Insecure Design',
         'Security\nMisconfig', 'Vulnerable\nComponents', 'Auth Failures',
         'Data Integrity\nFailures', 'Logging\nFailures', 'SSRF']

impact = [9.4, 8.5, 9.0, 8.0, 7.5, 8.8, 8.5, 7.8, 6.5, 7.0]
exploitability = [8.5, 7.0, 8.0, 6.0, 9.0, 7.5, 8.0, 6.5, 5.0, 7.0]
prevalence = [8, 7, 6, 5, 9, 8, 7, 5, 8, 4]

# Create risk score
risk_score = [(i * e * p / 100) for i, e, p in zip(impact, exploitability, prevalence)]

fig = go.Figure()

fig.add_trace(go.Bar(
    x=owasp, y=risk_score,
    marker=dict(color=risk_score, colorscale='Reds'),
    text=[f'{r:.1f}' for r in risk_score],
    textposition='outside'
))

fig.update_layout(
    title='OWASP Top 10: Risk Score (Impact × Exploitability × Prevalence)',
    xaxis_title='Vulnerability Category',
    yaxis_title='Risk Score',
    template='plotly_white'
)
fig

## 4. Identity & Access Management

### Authentication vs Authorization

| Concept | Question | Methods |
|---------|----------|--------|
| **Authentication** | Who are you? | Password, MFA, biometrics, certificates |
| **Authorization** | What can you do? | RBAC, ABAC, policies |

### Zero Trust Principles

"Never trust, always verify"

1. **Verify explicitly** — Always authenticate and authorize
2. **Least privilege** — Minimum access needed for the task
3. **Assume breach** — Minimize blast radius, segment access

### Authentication Methods Comparison

| Method | Security | Usability | Cost |
|--------|----------|-----------|------|
| Password only | ⭐ | ⭐⭐⭐⭐⭐ | $ |
| Password + SMS OTP | ⭐⭐ | ⭐⭐⭐ | $$ |
| Password + TOTP | ⭐⭐⭐ | ⭐⭐⭐ | $ |
| Password + Push | ⭐⭐⭐⭐ | ⭐⭐⭐⭐ | $$$ |
| Passkeys/FIDO2 | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ | $$ |
| mTLS (certificates) | ⭐⭐⭐⭐⭐ | ⭐⭐ | $$$$ |

In [None]:
# Authentication methods comparison
methods = ['Password Only', 'Password + SMS', 'Password + TOTP', 
           'Password + Push', 'Passkeys/FIDO2', 'mTLS']

security = [2, 4, 6, 8, 9.5, 10]
usability = [10, 6, 6, 8, 8, 4]
phishing_resistant = [0, 0, 0, 5, 10, 10]

fig = go.Figure()

fig.add_trace(go.Scatterpolar(
    r=security + [security[0]], theta=methods + [methods[0]],
    name='Security', line=dict(color='#e74c3c', width=2),
    fill='toself', fillcolor='rgba(231,76,60,0.1)'
))

fig.add_trace(go.Scatterpolar(
    r=usability + [usability[0]], theta=methods + [methods[0]],
    name='Usability', line=dict(color='#3498db', width=2),
    fill='toself', fillcolor='rgba(52,152,219,0.1)'
))

fig.add_trace(go.Scatterpolar(
    r=phishing_resistant + [phishing_resistant[0]], theta=methods + [methods[0]],
    name='Phishing Resistant', line=dict(color='#2ecc71', width=2),
    fill='toself', fillcolor='rgba(46,204,113,0.1)'
))

fig.update_layout(
    polar=dict(radialaxis=dict(visible=True, range=[0, 10])),
    title='Authentication Methods: Security vs Usability',
    template='plotly_white'
)
fig

## 5. Incident Response

### NIST Incident Response Lifecycle

```
┌──────────────┐     ┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  PREPARATION │────>│  DETECTION   │────>│ CONTAINMENT  │────>│ POST-INCIDENT│
│              │     │  & ANALYSIS  │     │  ERADICATION │     │   ACTIVITY   │
│              │     │              │     │  & RECOVERY  │     │              │
└──────────────┘     └──────────────┘     └──────────────┘     └──────────────┘
       ↑                                                              │
       └──────────────────────────────────────────────────────────────┘
                            (Lessons Learned)
```

### Key Metrics

| Metric | Description | Industry Avg |
|--------|-------------|-------------|
| **MTTD** | Mean Time to Detect | 207 days |
| **MTTC** | Mean Time to Contain | 73 days |
| **MTTR** | Mean Time to Respond | 280 days total |

### Severity Levels

| Level | Description | Response Time | Examples |
|-------|-------------|---------------|----------|
| **P1 Critical** | Imminent threat, active breach | 15 min | Ransomware, data exfil |
| **P2 High** | Significant risk, contained | 1 hour | Malware, unauthorized access |
| **P3 Medium** | Limited impact | 4 hours | Phishing, policy violation |
| **P4 Low** | Minimal risk | 24 hours | Recon attempts, spam |

In [None]:
# Incident response timeline visualization
phases = ['Detection', 'Analysis', 'Containment', 'Eradication', 'Recovery', 'Post-Incident']

# Average days for each phase
avg_days = [207, 10, 15, 20, 28, 5]
best_practice_days = [7, 1, 1, 3, 5, 2]

fig = make_subplots(rows=1, cols=2, subplot_titles=(
    'Incident Response Timeline (Days)', 'Cost by Detection Time'
))

fig.add_trace(go.Bar(name='Industry Average', x=phases, y=avg_days, marker_color='#e74c3c'), row=1, col=1)
fig.add_trace(go.Bar(name='Best Practice', x=phases, y=best_practice_days, marker_color='#2ecc71'), row=1, col=1)

# Cost by detection time
detection_days = [30, 60, 90, 120, 150, 180, 210, 240, 270, 300]
breach_cost = [3.2, 3.5, 3.9, 4.2, 4.5, 4.8, 5.1, 5.4, 5.7, 6.0]  # $ millions

fig.add_trace(go.Scatter(
    x=detection_days, y=breach_cost, mode='lines+markers',
    line=dict(color='#e74c3c', width=2), name='Breach Cost'
), row=1, col=2)

fig.update_layout(title='Incident Response: Time is Money', template='plotly_white', barmode='group')
fig.update_xaxes(title_text='Detection Time (Days)', row=1, col=2)
fig.update_yaxes(title_text='Days', row=1, col=1)
fig.update_yaxes(title_text='Breach Cost ($ Millions)', row=1, col=2)
fig.show()

print(f"Industry Average: {sum(avg_days)} days total incident lifecycle")
print(f"Best Practice: {sum(best_practice_days)} days total incident lifecycle")
print(f"Cost savings from faster detection: ${breach_cost[-1] - breach_cost[0]:.1f}M")

## 6. Cryptography Essentials

### Encryption Types

| Type | Speed | Key Management | Use Cases |
|------|-------|----------------|----------|
| **Symmetric** (AES) | Fast | Shared secret | Data at rest, bulk data |
| **Asymmetric** (RSA, ECC) | Slow | Public/private pair | Key exchange, signatures |
| **Hybrid** | Best of both | Combined | TLS, secure messaging |

### Key Security Algorithms

| Purpose | Recommended | Avoid |
|---------|-------------|-------|
| Symmetric Encryption | AES-256-GCM | DES, 3DES, RC4 |
| Asymmetric Encryption | RSA-2048+, ECC | RSA-1024 |
| Hashing | SHA-256, SHA-3 | MD5, SHA-1 |
| Password Storage | Argon2, bcrypt | Plain MD5, SHA |
| Key Exchange | ECDH, X25519 | DH-1024 |

---

## Core Topics in This Section

| Topic | Description |
|-------|-------------|
| **Threat Modeling** | STRIDE, attack trees, risk assessment |
| **OWASP Top 10** | Web application vulnerabilities |
| **Identity & Access** | AuthN, AuthZ, SSO, MFA, Zero Trust |
| **Network Security** | Firewalls, VPN, segmentation, TLS |
| **Incident Response** | Detection, containment, recovery, forensics |
| **Secure Development** | SAST, DAST, SCA, secure SDLC |

## Key Takeaways

1. **Know your threats** — Understand who attacks you and how
2. **Defense in depth** — Multiple layers, no single point of failure
3. **Zero trust** — Never trust, always verify, assume breach
4. **Shift left** — Build security into development from the start
5. **Detect fast** — Every day of delay costs more money
6. **Practice response** — Incident response is a skill that needs rehearsal

## References
- NIST Cybersecurity Framework
- OWASP Testing Guide & Top 10
- MITRE ATT&CK Framework
- CIS Controls