Computer Science Chapter 8

Security Fundamentals — Encryption and Cyber Threat Response

OIYO Editorial Contributor

Why Security Matters

2023 Global Cybersecurity Landscape:
→ Ransomware victims increased 32% year-over-year
→ Average cost of a data breach: ~$4.5 million
→ Personal data breach reports: tens of thousands per year

What happens when developers ignore security:
→ A single SQL injection line exposes your entire database
→ XSS steals every user's cookies
→ Storing passwords in plain text → catastrophic loss of user trust

Encryption Basics

Symmetric Encryption

Same key for encryption and decryption:
Plaintext + Key → Ciphertext → Key + Ciphertext → Plaintext

Advantage: Fast
Disadvantage: Key exchange problem (how do you share the key securely?)

Algorithm: AES (Advanced Encryption Standard)
→ 128/256-bit keys, current industry standard

Asymmetric Encryption (Public Key Cryptography)

Public Key: Shared with anyone → used for encryption
Private Key: Kept only by the owner → used for decryption

Flow:
Sender → encrypts with recipient's public key → transmits
Recipient → decrypts with their own private key

Algorithms: RSA, ECC
Disadvantage: Slower than symmetric → in practice, hybrid approach is used
(symmetric key is encrypted with public key and transmitted → HTTPS)

HTTPS and the TLS Handshake

1. Client → Server: "TLS version, list of supported cipher suites"
2. Server → Client: "Chosen algorithm, SSL certificate"
3. Client: Validates certificate (checks CA signature)
4. Session key exchange (symmetric key exchanged using asymmetric)
5. All subsequent communication: encrypted with symmetric key

SSL Certificate:
→ CA (Certificate Authority) vouches for server identity
→ Browser 🔒 icon = valid certificate
→ Let's Encrypt: free certificates (widely used)

Key Hash Functions

Hash: Arbitrary-length data → fixed-length output
→ One-way (cannot be decrypted)
→ Same input = always same output
→ Tiny input change = completely different output (avalanche effect)

Use cases:
Password storage: bcrypt, Argon2 (never use plain MD5/SHA1!)
Data integrity: verify SHA256 checksum after file download
Blockchain: each block linked via its hash

Major Attack Types and Defenses

SQL Injection

Attack:
Input: ' OR '1'='1
Query: SELECT * FROM users WHERE id='' OR '1'='1'
Result: returns all user data

Defense:
→ Prepared Statements / Parameter Binding (mandatory)
→ Validate and escape all input
→ Use minimum-privilege DB accounts
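
Added example (not part of the original article): the attack input above run against a string-concatenated query and against a prepared statement with parameter binding. The in-memory SQLite table, its rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data in an in-memory database (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("1", "alice@example.com"),
            ("2", "bob@example.com"),
            ("3", "carol@example.com"),
        ],
    )
    return conn


def find_user_vulnerable(conn, user_id):
    # BAD: the input is pasted into the SQL text, so a quote inside user_id
    # closes the string literal and the remainder is parsed as SQL.
    # With the input ' OR '1'='1 this builds exactly the query shown above:
    #   SELECT * FROM users WHERE id='' OR '1'='1'
    query = "SELECT * FROM users WHERE id='" + user_id + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, user_id):
    # GOOD: the statement is compiled with a placeholder and the driver binds
    # user_id as a value, so the input cannot change the query structure.
    return conn.execute(
        "SELECT * FROM users WHERE id=?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("concatenated:", find_user_vulnerable(conn, payload))
    print("bound:       ", find_user_safe(conn, payload))
    print("bound, id=2: ", find_user_safe(conn, "2"))
```

The concatenated query returns every row, while the bound query treats the whole input as an id that matches nothing.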

XSS (Cross-Site Scripting)

Attack:
Malicious script injected into a post → executes in other users' browsers
→ Steals cookies/sessions, redirects to phishing pages

Defense:
→ HTML-escape user input (< → &lt;)
→ Set Content Security Policy (CSP) headers
→ HttpOnly cookies (blocks JS access)

CSRF (Cross-Site Request Forgery)

Attack:
Victim visits malicious site → request sent to another site using victim's credentials

Defense:
→ CSRF tokens (unique token per request)
→ SameSite cookie attribute
→ Referer header validation

Authentication vs Authorization

Authentication: Verifying who you are
Authorization: Determining what you are allowed to do

JWT (JSON Web Token):
→ Stateless authentication token
→ Header.Payload.Signature structure
→ Server verifies signature → no DB lookup needed

OAuth 2.0:
→ Social login ("Sign in with Google")
→ Delegated authorization from resource owner

Key Takeaways

→ Symmetric: same key for encrypt/decrypt (fast) / Asymmetric: public key encrypts + private key decrypts (slow)
→ HTTPS = HTTP + TLS (symmetric key exchanged via asymmetric, then used for communication)
→ SQL injection defense: Prepared Statements are mandatory
→ Password storage: bcrypt/Argon2 hash (never store plain text, MD5, or SHA1)
