
Security Fundamentals & Best Practices (Beginner)

The CIA triad, defence in depth, least privilege and the habits that keep systems safe.

4 lessons 7 tasks

📚 Lessons

1 The CIA triad

Information security rests on three goals — the CIA triad:

  • Confidentiality — only authorised parties can read data (encryption, access control).
  • Integrity — data is not altered without detection (hashing, signatures).
  • Availability — systems are usable when needed (redundancy, DDoS protection).

Every control you design should map back to one or more of these.
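The integrity goal above is easiest to see in code. The following is an added example, not part of the course material: it protects a message with a keyed HMAC-SHA256 tag and shows that a modified message fails verification. The secret key and the messages are constructed sample values. A plain SHA-256 hash would catch accidental corruption, but anyone who can change the data can also recompute the hash; a keyed tag can only be recomputed by a holder of the key.

```python
import hashlib
import hmac

# Constructed sample secret; in practice this is provisioned out of band and never stored with the data.
SECRET_KEY = b"example-shared-secret"


def sign(message: bytes, key: bytes = SECRET_KEY) -> str:
    """Return a hex HMAC-SHA256 tag over the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(message: bytes, tag: str, key: bytes = SECRET_KEY) -> bool:
    """Recompute the tag and compare it in constant time to avoid timing leaks."""
    expected = sign(message, key)
    return hmac.compare_digest(expected, tag)


def demo() -> tuple[bool, bool]:
    """Sign a constructed record, then check the original and a tampered copy.

    Returns (original_verifies, tampered_verifies).
    """
    original = b'{"amount": 100, "to": "acct-42"}'
    tag = sign(original)
    # Same tag, but the amount has been changed after signing.
    tampered = b'{"amount": 9100, "to": "acct-42"}'
    return verify(original, tag), verify(tampered, tag)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False)`: the untouched record verifies and the altered one is rejected, which is exactly the "not altered without detection" property the lesson describes.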

2 Core principles

  • Defence in depth: layer multiple controls so one failure is not catastrophic.
  • Least privilege: grant the minimum access needed for a task.
  • Fail securely: on error, deny rather than allow.
  • Zero trust: never trust by network location alone — verify every request.

3 Everyday best practices

  • Patch promptly — most breaches exploit known, unpatched flaws.
  • Enable multi-factor authentication (MFA) everywhere.
  • Use a password manager; never reuse passwords.
  • Back up data and test restores (3-2-1 rule).
  • Encrypt data at rest and in transit (TLS).
  • Log and monitor; you cannot respond to what you cannot see.

4 Threats & social engineering

Many attacks target people, not code. Phishing tricks users into revealing credentials; pretexting invents a believable story; tailgating follows staff through secure doors. Defence: training, verification procedures, and reporting channels. Technical threats include malware, ransomware, and man-in-the-middle attacks.

📝 Tasks

7 tasks across 3 pages — multiple-choice and fill-in (type the answer). Score 70% or higher to earn your certificate.

🎓 Certificate of Completion

🔒 Pass the quiz above (70%+) to unlock your downloadable certificate.