CPD assessment

Cybersecurity Foundations

CPD timing for this level

Foundations time breakdown

This is the first pass of a defensible timing model for this level, based on what is actually on the page: reading, labs, checkpoints, and reflection.

Reading: 42m (6,388 words · base 32m × 1.3)
Labs: 240m (16 activities × 15m)
Checkpoints: 45m (9 blocks × 5m)
Reflection: 72m (9 modules × 8m)
Estimated guided time: 7h 39m (based on page content and disclosed assumptions)
Claimed level hours: 8h (claim includes reattempts, deeper practice, and capstone work)
The claimed hours are higher than the current on-page estimate by about 1h. That gap is where I will add more guided practice and assessment-grade work so the hours are earned, not declared.

What changes at this level

Level expectations

I want each level to feel independent, but also clearly deeper than the last. This panel makes the jump explicit so the value is obvious.

Anchor standards (course wide)
NIST Cybersecurity Framework (CSF 2.0); ISO/IEC 27001 and 27002
Assessment intent
Foundations

Terminology, safe habits, and correct reasoning about basic security decisions.

Assessment style
Format: mixed
Questions: 50
Timed: 75 minutes
Pass standard: 80%

Not endorsed by a certification body. This is my marking standard for consistency and CPD evidence.

Evidence you can save (CPD friendly)
  • Personal security baseline: MFA, recovery options, password manager setup, and a short review note (what changed and why).
  • One small threat sketch for a system you actually use (assets, entry points, boundaries).
  • A phishing decision log: three examples and the exact cues you used to classify them.

CPD tracking

Fixed hours for this level: 8. Timed assessment time is included once on pass.

CPD and certification alignment (guidance, not endorsed):

This level is designed to build real-world security judgement using safe labs, not “hacking theatre”. It maps well to the foundations expected by:

  • CompTIA Security+: core terms, basic risk thinking, identity, and everyday controls.
  • (ISC)² SSCP: practical security administration and operational awareness.
  • NIST Cybersecurity Framework 2.0 (CSF): identify, protect, detect, respond, recover as a mental model.
  • ISO/IEC 27001 oriented practice: evidence, policies that match reality, and repeatable controls.
How to use Foundations
My goal is to make you safer in real life and more useful at work. If you want drama, watch a film. If you want competence, stay here.
Good practice
Do one small loop: read, try one lab, then write down one control you would apply tomorrow. That turns learning into behaviour.

🧭

Module F0. What cybersecurity is and is not

Concept block
Security as a system
Security connects intent, controls, evidence, and recovery. If one is missing, you are guessing.
Assumptions: we can name what matters; controls can be tested.
Failure modes: control theatre; no recovery plan.
Cybersecurity is the practice of reducing risk in digital systems. It is not magic. It is not perfection. It is a set of decisions and controls that make harm less likely, less severe, and easier to recover from when it happens.

If you are a child, think of it like this. The internet is a busy city. Cybersecurity is how we do four things.

  1. Lock doors that should be locked
  2. Check who is allowed in
  3. Notice when something looks wrong
  4. Have a plan for when mistakes happen
You will hear the word cyber used as shorthand. Historically it connects to cybernetics, the study of control and communication in animals and machines. That term comes from the Greek kybernētēs, meaning “steering” or “governor”. It is a good reminder. Security is about steering risk, not pretending risk does not exist.

Four terms people mix up

Let’s define four common terms precisely, using simple language: vulnerability, exploit, incident, and breach.

Notice the difference.

  1. A vulnerability can exist even if nobody uses it.
  2. An exploit is about how the weakness is used.
  3. An incident is about what happened and whether it needs response.
  4. A breach is about impact. One example is confidentiality being broken.

What this course deliberately does not teach

This course is defensive and ethical. It does not teach you to break into systems. It teaches you to understand risk, spot weak assumptions, and choose controls that protect people.

Here is a short story that shows what "cyber" looks like in real life. A finance team gets an email that looks like a supplier. The invoice is correct. The tone is correct. The bank details are new. The team is under pressure. They pay. A week later the supplier calls to chase payment. Nobody was hacked in a dramatic way. It was an identity failure plus a weak process. The outcome was still real loss.

Real-world impact of getting this wrong

In 2023, UK outsourcing company Capita experienced a data breach that affected 6.66 million people. The direct cost was over £25 million, plus a £14 million fine. But the reputational damage was worse. Capita lost major contracts, their share price dropped, and clients lost trust. When you handle data for hundreds of organisations, one security failure affects everyone.

In 2017, Equifax failed to patch a known vulnerability. The result was a breach of 147 million people's personal information. Equifax paid $700 million in settlements and fines. Their CEO, CIO, and CSO all resigned. The company's reputation was destroyed. The cost of patching that vulnerability would have been a fraction of what they paid after the breach.

Why this matters to you

If you are responsible for security, getting it wrong does not just affect you. It affects your team, your organisation, your customers, and potentially your career. The average cost of a data breach in the US is $10.22 million. But beyond the money, there is reputational damage that can take years to recover from. Companies can lose 2.1% of their market value within two days of announcing a breach.

What experts know

The best security work is often invisible. It is clear boundaries, clear logs, and controls that survive an incident report. It is patching known vulnerabilities promptly. It is verifying identities before making payments. It is understanding that security is about reducing risk, not eliminating it. And it is knowing that the cost of prevention is always less than the cost of a breach.

Threat, vulnerability, and risk in context

Everyday example. If you leave your house key under a plant pot, the threat is someone trying doors, the vulnerability is the predictable hiding place, and the risk depends on your street, your neighbours, and what happens if someone gets inside.

Common mistake. Treating cybersecurity as a list of scary words, instead of a habit of checking assumptions. Another common mistake is over focusing on rare, advanced attacks while ignoring the easy ones that happen daily.

Why it matters. When you separate threat, vulnerability, and risk, you stop guessing. You can choose the control that reduces harm most, and you can explain that choice to a manager without waving your hands.

A common myth

Cybersecurity is not only about stopping hackers. It is also about preventing accidents, spotting mistakes early, and recovering fast when something breaks.

Good, bad, best practice (Foundations mindset)
Good practice
Use correct terms. When you say “incident”, mean incident. When you say “breach”, mean breach. Precise language prevents expensive misunderstandings.

Everyday dependency chain

One weak link can still hurt people even when the app looks fine.

Person → Login → App → Data store → Backups
If login is weak, confidentiality fails. If the data store is unchecked, integrity fails. If backups are missing, availability fails.

Quick check. What cybersecurity is

What is cybersecurity in one sentence?

Scenario: Your bank texts you a one-time code. You did not request it. Is this an event, an incident, or a breach?

What is the difference between a vulnerability and an exploit?

Scenario: A teammate accidentally shares a private link to a folder. Nobody outside the team has accessed it yet. Is it a breach?

What does NIST CSF 2.0 add that many people miss?

Why is 'secure' contextual?

After this section you should be able to

  1. Explain what cybersecurity is and what it is not
  2. Use the terms vulnerability, exploit, incident and breach correctly
  3. Explain why security is about trade offs and context

⚖️

Module F1. Risk and security outcomes

Concept block
Risk drives priorities
Risk is how you decide what to fix first. It is not a score to admire.
Assumptions: likelihood is a model; impact includes people.
Failure modes: risk scoring without action; wrong priority.
Security is risk management. That sounds like boring business language, but it is actually what makes security real. You start by being clear about what matters, what could go wrong, and what you will do about it.
An asset is anything that matters to the organisation. It includes obvious things like customer records and laptops, but also things like staff time, reputation, and the ability to keep operating. If payroll fails on Friday, that is an availability problem. If a patient record is wrong, that is an integrity problem. If a private email leaks, that is a confidentiality problem.

Risk is contextual. The same control can be essential in one place and pointless in another. A strict password policy does not help if the real attack path is a shared admin account. A fancy monitoring tool does not help if nobody knows what to do when it alerts. Controls without context turn into theatre. They look reassuring and then fail at the worst time.

This module maps well to the “risk and governance” parts of common frameworks and syllabi, including CISSP domain language and the NIST CSF “Identify” thinking. This is guidance, not endorsement.

We will use one simple example for the rest of Foundations. Imagine a small clinic with an online booking system. The key assets are the patient data, the appointment schedule, the staff time, and the clinic's ability to operate. The threats include phishing, stolen passwords, ransomware, and honest mistakes. The vulnerabilities include reused passwords, no multi-factor authentication (MFA), and missing backups. The risk is how those realities combine for this clinic, not a generic list from a template.

In real organisations, this is how risk conversations should sound. "If this fails, who gets hurt, how quickly, and how would we know." This is why asset lists and data classification exist, even when they feel like paperwork. They make priorities explicit.

Everyday example. Your phone is an asset, but so is your ability to get into your bank account. If your phone is lost, the worst case is not "my phone is gone." The worst case is "my identity is used to reset accounts." The asset is not the device. The asset is what the device unlocks.

Common mistake. Starting with controls and tools instead of starting with assets and outcomes. People often buy a scanner, a dashboard, or an audit template before they can answer what they are protecting and why.

Why it matters. When you get the asset and context right, you can spend effort where it reduces harm. You stop doing security theatre and start doing risk reduction.

After this section you should be able to

  1. Explain why risk is contextual and what breaks when controls are applied blindly
  2. Explain how assets, threats, and vulnerabilities connect to real decisions
  3. Explain why Identify work comes before tool buying

Quick check. Risk and outcomes

What is risk?

What is residual risk?

Name three security outcomes people use.

What does confidentiality mean?

What does integrity mean?

What does availability mean?

Why can a control become 'theatre'?

Why does context matter?

🔐

Module F5. Identity and access

Concept block
Identity flow
Authentication answers who. Authorisation answers what. Sessions carry the decision over time.
Assumptions: auth is not authz; sessions expire.
Failure modes: privilege creep; weak session handling.

Identity is now the security perimeter because work happens everywhere. Staff work from home. Phones are used for approvals. Vendors have access. Cloud services connect to other cloud services. The question is no longer only "is the network safe". The question is "who is this, and what should they be allowed to do".

People mix these up all the time, and systems do too. A login screen is authentication. Permissions and roles are authorisation. Weak authentication makes it easy to pretend to be someone else. Weak authorisation makes it easy to abuse a real account.

Passwords are not evil. They are just easy to get wrong. Long passwords are better than clever passwords. Password reuse is the real disaster. Multi-factor authentication (MFA) reduces the damage when a password leaks. It is boring. It is also one of the best risk controls we have.

In real organisations, identity failures show up as shared accounts, stale accounts, "temporary" exceptions that become permanent, and approvals done on the wrong channel. This is where audit findings come from, but it is also where incidents come from.

Everyday example. Handing someone your house keys is authorisation. Checking their ID at the door is authentication. If you give a spare key to a neighbour "just in case" and never take it back, you created a long lived trust decision without noticing.

Common mistake. Treating identity as a user experience detail instead of a safety system. Another common mistake is giving broad permissions because it is easier, then being surprised when something bad happens quickly.

Why it matters. When identity is strong and access is narrow, a compromised account does not automatically become a full breach. It buys time. It limits harm. It makes detection and recovery possible.

After this section you should be able to

  1. Explain the difference between authentication and authorisation
  2. Explain what breaks when identity is treated as a soft control
  3. Explain why least privilege reduces blast radius during incidents

Quick check. Identity and access

What is authentication?

What is authorisation?

Why does MFA help?

What does least privilege mean?

Name one common identity failure.

🧩

Module F2. Data, encoding, and integrity

Concept block
Integrity is provable change
Integrity is about detecting and resisting tampering, not about secrecy.
Assumptions: we know what good looks like; we protect the reference.
Failure modes: integrity without provenance; confusing hashing with encryption.

Bits → bytes → characters

How a single switch becomes readable text.

Bit is 0 or 1
8 bits → 0100 0001 (decimal 65)
Encoding table → 65 = A in ASCII
UTF-8 can use more than one byte per character when needed
Why encoding matters for security
Encoding changes how text is represented, not what it means. The security problem happens when one part of a system validates the data one way, but another part interprets it differently. Also, naive keyword checks can miss encoded variants, which is why we prefer robust parsing and context-aware validation.
Benign example. The word SELECT can look very different once encoded, but it is still the same underlying bytes. The lesson is not “memorise encoded strings”. The lesson is “do not rely on brittle string checks for security”.

If you are building or reviewing a system, the safer approach is this.

  1. Parse inputs using a trusted parser for that format
  2. Validate based on the expected structure and context
  3. Encode outputs for the context they land in. Examples include HTML, URL, and JSON
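A worked version of the parse, validate, encode sequence above, added here as an example (it is not code from the course). It assumes a percent-encoded form field and a sqlite table named `patient`, both constructed for the demonstration, and also shows the encoding mismatch behind the "strange symbols after export and re-import" scenario.

```python
"""Added example for the encoding section (not part of the course).

Demonstrates, on constructed inputs, the three points the module makes:
  1. the same bytes read differently when two systems disagree on the
     encoding (the "strange symbols after export and re-import" scenario);
  2. a naive keyword check on the raw string misses an encoded variant of
     the same underlying text, so it is a brittle security control;
  3. the safer pattern: parse with a trusted parser, validate the expected
     structure, then encode output for the context it lands in (HTML, URL,
     JSON), with SQL handled by parameters rather than string checks.
"""
import html
import json
import sqlite3
import urllib.parse


def ascii_code(char: str) -> tuple:
    """Return the decimal value and 8-bit pattern of one ASCII character."""
    code = ord(char)
    return code, format(code, "08b")


def round_trip_mismatch(text: str) -> str:
    """Encode as UTF-8 but decode as Latin-1: what the re-import bug looks like."""
    return text.encode("utf-8").decode("latin-1")


def naive_keyword_check(raw: str) -> bool:
    """Brittle control: looks for the literal word on the undecoded string."""
    return "SELECT" in raw.upper()


def decode_form_value(raw: str) -> str:
    """Step 1: use the trusted parser for the format (URL percent-encoding)."""
    return urllib.parse.unquote_plus(raw)


def validate_name(value: str) -> bool:
    """Step 2: validate structure for the context (a person's display name)."""
    if not 1 <= len(value) <= 64 or not value[0].isalpha():
        return False
    return all(ch.isalpha() or ch in " '-" for ch in value)


def render_outputs(value: str) -> dict:
    """Step 3: encode for each output context instead of trusting the input."""
    return {
        "html": html.escape(value, quote=True),
        "url": urllib.parse.quote(value, safe=""),
        "json": json.dumps(value),
    }


def lookup_patient(conn: sqlite3.Connection, name: str) -> list:
    """SQL is an output context too: a parameter keeps the value as data."""
    cur = conn.execute("SELECT id, name FROM patient WHERE name = ?", (name,))
    return cur.fetchall()


def demo() -> dict:
    """Run the whole chain on one constructed form submission."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO patient (name) VALUES (?)", ("D'Arcy Select",))
    raw = "D%27Arcy+%53elect"      # constructed: a percent-encoded form field
    decoded = decode_form_value(raw)
    return {
        "bits_for_A": ascii_code("A"),                     # (65, '01000001')
        "mojibake": round_trip_mismatch("Zoë"),            # 'ZoÃ«'
        "naive_on_raw": naive_keyword_check(raw),          # False: raw string hides the word
        "naive_on_decoded": naive_keyword_check(decoded),  # True: same text once parsed
        "decoded": decoded,
        "valid": validate_name(decoded),                   # a legitimate name passes
        "outputs": render_outputs(decoded),
        "rows": lookup_patient(conn, decoded),             # [(1, "D'Arcy Select")]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that the name is accepted even though it contains the word "Select": the word is data, and parameters and output encoding keep it data, which is why the keyword check was the wrong control.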
Hashing vs encryption: key differences

Hashing is one way. You cannot reverse it. It is used for integrity checks and for storing passwords with a specialised password hashing scheme. Encryption is two way. You can decrypt with the key. It is used for confidentiality in transit and at rest.

  1. Hashing is one way and is not reversible
  2. Encryption is reversible with the correct key
  3. A common mistake is storing passwords with a fast hash such as SHA-256. Use bcrypt, Argon2, or scrypt instead
  4. Rainbow tables are precomputed hashes of common passwords. Salts prevent simple lookups. Password hashing schemes handle salts for you
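An added example (not course code) putting the hashing points above into practice: a SHA-256 integrity check that fails on a single flipped bit, next to salted scrypt from Python's hashlib (one of the schemes the module recommends) for password storage. The record, passwords and scrypt parameters are constructed for the demonstration.

```python
"""Added example for the hashing section (not part of the course).

Two uses of hashing that the module keeps apart, on constructed inputs:
  * integrity: a SHA-256 digest of a record, compared against a protected
    reference, fails the moment one bit is flipped (that is all the check
    proves: the bytes changed, not who changed them);
  * passwords: a fast unsalted hash gives every user with the same password
    the same stored value, so a precomputed table works; salted scrypt from
    hashlib gives each user a different record and still verifies.
"""
import hashlib
import hmac
import os
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """Fast, one way, unsalted: right for integrity checks, wrong for passwords."""
    return hashlib.sha256(data).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def integrity_check(reference_digest: str, data: bytes) -> bool:
    """Integrity without provenance is weak: the reference digest must be protected."""
    return hmac.compare_digest(reference_digest, sha256_hex(data))


# scrypt cost parameters (illustrative assumption; tune to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store scheme, parameters, salt and digest together so records are self-describing."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Constructed record and two users who chose the same password."""
    record = b"patient:1042;appointment:2024-05-03T09:30"   # constructed record
    reference = sha256_hex(record)                          # kept somewhere trusted
    alice = hash_password("Winter2024!")
    bob = hash_password("Winter2024!")
    return {
        "intact": integrity_check(reference, record),                        # True
        "one_bit_flipped": integrity_check(reference, flip_bit(record, 3)),  # False
        "fast_hash_same_for_both": sha256_hex(b"Winter2024!") == sha256_hex(b"Winter2024!"),  # True
        "scrypt_differs_for_both": alice != bob,                             # True: salt
        "both_verify": verify_password("Winter2024!", alice)
        and verify_password("Winter2024!", bob),                             # True
        "wrong_password": verify_password("winter2024!", alice),             # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```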

Quick check. Data and integrity

Scenario: A name field shows strange symbols after an export and re-import. What is a likely cause?

Scenario: Why do security people care about parsing and encoding?

Why do bytes often show the number 255?

Scenario: You flip one bit in a value and an integrity check fails. What did that prove?

Convert decimal 13 to binary.

Scenario: A system stores passwords using a fast hash. Why is that a security problem?

Why is hashing not encryption?

After this section you should be able to

  1. Explain why representation and parsing mistakes create security risk
  2. Explain what breaks when systems disagree on how bytes should be interpreted
  3. Explain why integrity controls depend on correct data handling

🌐

Module F3. Networks, transport, and what leaks

Concept block
A request is a chain
Most ‘network problems’ are a chain of smaller steps. Diagnose the step, not the vibe.
Assumptions: order matters; trust is explicit.
Failure modes: blaming ‘the network’; TLS as a magic shield.

Prevention alone fails. Not because people are lazy, but because systems are complex. Something will slip. A password will leak. A laptop will go missing. A supplier will get compromised. Defence needs layers, and it needs feedback.

This aligns with the NIST Cybersecurity Framework 2.0 Protect, Detect, and Respond functions. Protect reduces likelihood. Detect reduces time to notice. Respond reduces harm and recovery time. Cyber Essentials Plus focuses on practical technical controls that support this loop. Examples include secure configuration, access control, malware protection, patch management, and boundary protections.

Logging matters before incidents. If you do not collect basic logs, you cannot tell what happened. Then every incident becomes a guessing game. You end up with panic, broad resets, and lost time. A simple response plan beats a heroic late night. It tells people who decides, who communicates, and what evidence to preserve.

In real organisations, this is the difference between "we think it was this account" and "we can show the exact sequence of actions." It is also why detection engineering is a real job. Good teams treat detection as a product that is tuned, tested, and improved.

Everyday example. If a fire alarm goes off but nobody knows which room triggered it, everyone wastes time. If the alarm logs the room and the time, you can respond quickly and avoid a full building panic.

Common mistake. Turning on every log and then drowning in noise, or logging nothing and then trying to do forensics with guesses. Another common mistake is writing an incident plan that nobody has rehearsed.

Why it matters. Detection and response are how you limit harm when prevention fails. You cannot undo a breach with wishful thinking. You need evidence, speed, and clear ownership.

Under the hood, data still moves as packets. A packet has a header and a payload. The header is the envelope that tells the network where it is going. The payload is the content. Even when the payload is encrypted, metadata can still reveal behaviour. That is why monitoring often starts with patterns, not secrets.

A packet's short trip

Payload stays hidden but the envelope still talks.

Laptop → Home router → ISP → Internet → Server
Header includes source, destination, port, and length.
Payload is the content, often encrypted.
Metadata like timing and size still leaks patterns.
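The "envelope still talks" point as an added example, not from the course: constructed flow records in which every payload is TLS on port 443, and two pattern-first checks that use only the header and timing fields. The IP addresses (documentation ranges), intervals and thresholds are illustrative assumptions.

```python
"""Added example for the packet and metadata section (not course code).

Every flow below is TLS on port 443, so the content is hidden, yet source,
destination, port, length and timing still describe behaviour. The two
checks are the kind of pattern-first monitoring the module describes:
a near-constant check-in interval to one destination, and an unusually
large outbound transfer. Records and thresholds are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow metadata: seconds, source, destination, port, bytes out.
FLOWS = """\
0,10.0.0.5,203.0.113.9,443,1200
60,10.0.0.5,203.0.113.9,443,1180
120,10.0.0.5,203.0.113.9,443,1210
180,10.0.0.5,203.0.113.9,443,1190
240,10.0.0.5,203.0.113.9,443,1205
15,10.0.0.7,198.51.100.4,443,52000
300,10.0.0.7,198.51.100.4,443,61000
90,10.0.0.5,192.0.2.20,443,9000
"""


def parse_flows(text: str) -> list:
    """Parse the comma-separated records into (ts, src, dst, port, size) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, size = line.split(",")
        flows.append((int(ts), src, dst, int(port), int(size)))
    return flows


def regular_checkins(flows: list, min_count: int = 4, max_jitter: float = 0.1) -> list:
    """Flag (src, dst) pairs contacted at near-constant intervals.

    Returns [((src, dst), mean_gap_seconds), ...]. Jitter is the ratio of the
    population standard deviation of the gaps to their mean; 0.1 is an
    illustrative threshold, not a standard.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, _size in flows:
        by_pair[(src, dst)].append(ts)
    findings = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((pair, round(avg)))
    return findings


def large_outbound(flows: list, threshold: int = 50_000) -> list:
    """Flag flows whose size alone stands out; encryption does not hide length."""
    return [(src, dst, size) for _ts, src, dst, _port, size in flows if size >= threshold]


if __name__ == "__main__":
    parsed = parse_flows(FLOWS)
    print("regular check-ins:", regular_checkins(parsed))
    print("large outbound:", large_outbound(parsed))
```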
OSI and TCP/IP layer mapping
Network security concepts
  1. HTTPS uses HTTP with TLS. It protects data in transit between browser and server. It does not hide all metadata.
  2. DNS stands for Domain Name System. It turns names into IP addresses. DNS can be attacked or manipulated, which is why secure DNS options exist.
  3. VPN stands for Virtual Private Network. It creates an encrypted tunnel to a VPN provider. It can protect traffic from local observers, but the VPN provider still becomes a point of trust.
  4. Network segmentation means separating networks by trust level or function. It limits blast radius when something is compromised.
Common network attack patterns
  1. Man in the middle, often shortened to MitM. An attacker tries to intercept traffic. TLS and certificate validation help.
  2. DNS hijacking. An attacker tries to redirect name lookups. DNSSEC and encrypted DNS help.
  3. Packet sniffing. An attacker captures traffic. Encryption helps.
  4. ARP spoofing. An attacker tries to confuse devices about who is who on a local network. Monitoring and secure network design help.
Real world scenario. Home network security

Your home network is an attack surface too. Consider four areas.

  1. Router. Default passwords, firmware updates, guest network
  2. IoT devices. Smart speakers, cameras, and thermostats often have weak security
  3. WiFi. WPA3 where possible, strong passphrase, guest network separation
  4. Devices. Phones, laptops, and tablets need updates and protection

A compromised smart camera can be used to spy on you, launch attacks on other devices, or join a botnet for distributed denial-of-service (DDoS) attacks. Security isn't just about corporate networks.

Quick check. Networks and transport

Scenario: You can open a site by IP address, but the domain name fails. Where should you look first?

Scenario: A connection is encrypted, but someone can still see which services you are using. How?

Scenario: A login works sometimes and fails on public Wi-Fi. What network factors might explain it?

Why are packets used instead of one large blob?

What does TLS mainly protect?

After this section you should be able to

  1. Explain why trust boundaries exist and what breaks when networks are assumed safe
  2. Explain how metadata can leak behaviour even when content is encrypted
  3. Explain why monitoring often starts with patterns, not secrets

🔒

Module F4. CIA and simple attacks

Concept block
CIA applied to systems
Confidentiality, integrity, and availability fail in different places. Controls must match the failure.
Assumptions: CIA is a lens, not a slogan; availability is a safety issue.
Failure modes: overfocus on confidentiality; no evidence trail.

To keep this practical, we will use one simple frame. Confidentiality, integrity, and availability are often shortened to CIA. Confidentiality means only the right people can see information. Integrity means changes are correct and visible. Availability means systems are there when needed. The purpose is not to memorise three words. The purpose is to ask better questions.

In plain language, confidentiality is about privacy, integrity is about truth, and availability is about being able to function. Most incidents are one of these three, usually with a second one following close behind.

When identity is weak, confidentiality fails. When changes are untracked, integrity fails. When backups are missing, availability fails. Good governance makes those failures less likely because it makes the decisions explicit and reviewed.

In real organisations, CIA is how you explain impact to non security people. A leader might not care about a vulnerability ID, but they do care about "patients could not be seen" or "invoices were changed" or "private data leaked." CIA translates technical failures into outcomes.

Everyday example. Confidentiality is your bank statement being private, integrity is your balance being correct, and availability is being able to pay for groceries when you are at the checkout.

Common mistake. Thinking CIA is a checklist where you must maximise all three at once. In practice you trade. Tight security might reduce availability if you lock out staff too often. High availability might reduce confidentiality if you spread access too widely. The job is to choose wisely and explain the trade.

Why it matters. CIA is a simple way to reason about controls and to spot what kind of harm you are actually preventing. It helps you avoid security theatre and focus on outcomes.

CIA in plain view

Three qualities that work together.

Confidentiality → only the right people can see it
Integrity → changes are correct and visible
Availability → systems are there when needed
Controls include strong authentication, input checks, monitoring, backups, and graceful degradation.

Core ideas quiz. CIA in practice

What is confidentiality?

What is integrity?

What is availability?

Give one example of an integrity failure.

Why are weak passwords a problem?

How can a fake link hurt you?

Why is trust a decision?

How does availability relate to incidents?

After this section you should be able to

  1. Explain CIA as decision questions, not memorised words
  2. Explain what breaks when identity is weak or integrity is not monitored
  3. Explain why availability needs planning, not hope

👥

Module F6. Human factors and phishing

Concept block
Verification under pressure
Phishing works by using normal work habits against you. The defence is a simple decision path.
Assumptions: time pressure is part of the attack; verification has a script.
Failure modes: channel spoofing; approval bypass.

Humans are not the weakest link. Humans are the system. Most insecure behaviour is a rational response to a bad setup. If it takes five minutes to do the safe thing, people will do the fast thing. If approvals block urgent work, people will route around them. If security tools produce noise, people will ignore them.

It is decision making, not paperwork. It is how an organisation decides what it will accept, what it will fix, and who owns the trade offs. CISSP governance principles focus on accountability, risk ownership, and clear policy that matches reality.

Real organisational failures are often not technical. They are unclear ownership, unclear priorities, and no rehearsal for bad days. The paperwork shows up after the incident, usually with a new template and a tired team.

In real organisations, governance shows up as: who is allowed to approve exceptions, how access is granted and removed, how incidents are escalated, and what gets funded. Good governance is boring in the best way. It makes security decisions repeatable instead of emotional.

Everyday example. If nobody is clearly responsible for locking up at night, it eventually becomes "someone will do it." That is not a plan. Governance is deciding who locks up, how you check, and what happens if it is missed.

Common mistake. Blaming individuals for predictable system failures. Another common mistake is writing policies that describe an ideal world and then punishing people for living in the real one.

Why it matters. Human factors and governance are what make security sustainable. Without them, controls decay, exceptions pile up, and the organisation only gets serious after harm has happened.

After this section you should be able to

  1. Explain why humans are part of the system and what breaks when processes are unrealistic
  2. Explain governance as ownership of trade offs, not documents
  3. Explain why clear roles and rehearsed response reduce harm

Quick check. Human factors

Why is 'someone clicked a link' not a full explanation?

What is a safe default action for urgent requests?

Name one common pressure tactic.

What does governance mean in simple terms?

🕵️

Module F7. Privacy and everyday data protection

Concept block
Personal data journey
Privacy is about what data leaves, where it rests, and who can see it.
Assumptions: purpose is stated; retention is deliberate.
Failure modes: overcollection; deletion that is only UI.

Privacy is a security property. It is about reducing harm from unnecessary collection, unnecessary sharing, and unnecessary retention. If you collect less data, there is less data to leak. If you keep data for less time, there is less to steal later.

Quick check. Privacy

What does data minimisation mean?

Why does retention increase risk?

What is one privacy-safe habit?

Why can logging create privacy risk?

Module F8. Foundations capstone

Concept block
A personal baseline
A baseline is a small set of controls you can sustain. Consistency beats intensity.
Assumptions: habits beat heroics; you review, not only set.
Failure modes: one control for everything; no recovery plan.

This capstone is about turning learning into action. Choose a small set of changes you can explain. Make them real. Keep it calm and practical.

Quick check. Capstone

What is the goal of this capstone?

What is one safe default when you are unsure?

Why keep the baseline small?

This is Foundations. Move into Applied next once you can explain every term on this page to another person and show them how the tools work.
