Millions of accounts. All passwords are hashed with MD5. No salt. The database was dumped and circulated online, and within days, the majority of passwords had been cracked.

And all the attacker needed was a wordlist and a loop.

But this couldn’t possibly have happened today, right?

Well, I hate to break it to you, but the same mistakes are still being made today. That’s why you need to understand what exactly happened in 2012 and how to prevent it from happening on your systems.

And what better way of learning than actually performing the attack?

Note: This article assumes you understand what hashing is and why it matters. If you are not there yet, read these first:

• Hashing: What It Is and Why It’s Not the Same as Encryption

• Hashing Algorithms: What Any Cybersecurity Specialist Needs to Know

What actually happened in 2012

Most modern systems don’t store passwords in plaintext, but in hashes.

That’s why when the attacker steals the password database, all they can see are hashes.

Once they have the hashes, the goal is quite simple.

To reverse them and figure out what password produced each hash.

But how?

Well, the first option is brute force. Try all possible combinations and sooner or later, you’ll hit the jackpot.

But it can take years.

So they need something more efficient - a dictionary attack.

Take a list of common passwords. Hash each one. Compare the result against the stolen hashes. If there’s a match, the password is cracked.

No magic. Just a list of words and a simple loop.

It works because most people choose predictable passwords.

“password”, “123456”, “password123”.

Variations with numbers at the end. Seasons plus years. The attacker’s wordlist reflects exactly how real humans think.

That’s exactly what happened in 2012. LinkedIn’s database was dumped. The attackers ran a wordlist against 117 million SHA-1 hashes. And because there was no salt and the algorithm was fast, the majority cracked in days.

And with SHA-1? A modern CPU can compute hundreds of millions of SHA-1 hashes per second. A poorly hashed password is cracked before you finish reading this sentence.

What is salting

If you’ve been paying attention, you noticed this sentence: “because there was no salt.”

What does that even mean? Are we worried about our passwords not being tasty enough? Or what?

Well..let’s take a look at it.

A salt is a random string added to a password before it gets hashed.

Without salting, every user who chooses “password” gets the same hash (assuming the same hashing algorithm):

password → 5f4dcc3b5aa765d61d8327deb882cf99

Always. Every time. On every system in the world.

With salting, a unique random string is generated per user and combined with the password before hashing:

password + x7k2mR9q → completely different hash
password + 4mNpQ2rs → completely different hash again

Two users with the same password now have completely different hashes in the database. An attacker who steals the database cannot use precomputed tables. They have to attack each hash individually. That changes the economics of the attack entirely.

And let’s face it, it’s all about the money.

Why MD5 and SHA-1 are dangerous for passwords

Note: If you have no idea what MD5 or SHA-1 means, make sure to read the articles linked above! You won’t regret it!

Both algorithms were designed for speed. Fast hashing is excellent for verifying file integrity or generating checksums. It is catastrophic for password storage.

A modern CPU can compute hundreds of millions of MD5 hashes per second.

A GPU pushes that into billions.

A weak password is cracked before you finish reading this sentence.

Neither algorithm was designed with password storage in mind. Using them for that purpose is a fundamental design mistake, not a configuration issue.

Make sure to remember that for both the real-world scenarios and certification exams!

What do we use instead?

bcrypt was designed specifically for passwords. The key difference is intentional slowness.

It has a cost factor, sometimes called a work factor, that controls how computationally expensive each hash computation is.

The same password takes milliseconds with MD5 and seconds with bcrypt. At scale, that difference makes automated cracking attacks impractical.

A wordlist with 56 passwords takes MD5 a fraction of a millisecond. The same list against bcrypt takes several seconds. Scale that to millions of passwords and the attack stops being viable on normal hardware.

Note: There is an even newer standard, Argon2, but bcrypt is still widely used.

What you are about to do

It’s time to get some hands-on experience.

The lab below uses a real Docker environment, real password hashes, and a real dictionary attack script.

You will crack three passwords in under a second. You will watch one password survive because it is not in the wordlist. You will see bcrypt slow everything down to a crawl.

Theory tells you this happens.

And the biggest benefit? Next time you’re in an interview, you will have a nice personal project to talk about.

Get 14 day free trial

The lab is waiting. Subscribe to access the full step-by-step walkthrough below.

Read more

You feel that urge to do something, but you always end up watching random YouTube videos, downloading Kali Linux, and feeling like you are getting nowhere.

In cybersecurity, a lack of direction is more dangerous than a lack of knowledge.

I am going to be honest with you. I am not a penetration tester. I am a Cybersecurity Manager.

But I have worked alongside pentesters. I have interviewed candidates for offensive security roles. And I have studied this path carefully enough to know exactly what separates the people who break in from the ones who stay stuck.

This is the study plan I would follow if I had chosen this path.

Penetration Testing (Offensive Security)

Penetration testing is one of the 5 cybersecurity paths you can choose.

If you are not familiar with the cybersecurity paths, read this first:

👉 How to Choose the Right Cybersecurity Role Before You Waste Time and Money on the Wrong Certifications

But before you deep-dive into the materials I am about to provide, make sure this path is really for you.

You do not want to waste weeks and months learning things that will not get you any closer to your goal.

It is a great fit if you:

• Enjoy thinking like an attacker - finding weaknesses before others do

• Like structured problem solving with clear objectives

• Are comfortable going deep into technical detail

• Enjoy learning how systems actually work under the hood

• Have patience for long, methodical investigation

Be honest with yourself:

• Penetration testing is not beginner-friendly

• Most entry-level roles require at least some IT or networking background

• You will spend months building foundations before touching offensive tools

• The learning curve is steeper than almost any other cybersecurity path

But don’t get me wrong here. I am not saying it isn’t worth it! All I am saying is you need some IT experience first!

The Decoded Security Penetration Testing Roadmap

This roadmap has three main goals.

First, make sure you understand the cybersecurity fundamentals that underpin everything in offensive security.

Second, make sure you understand how systems and networks actually work, because you cannot attack what you do not understand.

Third, force you to practice in real environments, not just watch tutorials.

What is your target role? Let me know in the comments and let’s discuss your next steps!

Here is the exact roadmap I would follow if I had to start from scratch.

Step 1: Build the Right Foundation

Before you touch a single offensive tool, you need to understand how cybersecurity actually works.

Most beginners skip this step. They download Kali Linux on day one and wonder why nothing makes sense.

Do not make that mistake.

Make sure to understand these especially:

1. Threat ≠ Risk ≠ Vulnerability: Why CISSP Basics Matter More Than You Think

2. Cybersecurity Controls from Zero to Hero

3. The Psychology of Hacking: Why Smart People Fall for Dumb Scams

4. 6 Myths That Are Killing Corporate Cybersecurity

Step 2: Master Networking and Systems

You cannot hack what you do not understand.

Every penetration tester needs a deep understanding of how networks and systems communicate. This is not optional. It is the foundation of everything.

Focus on:

Networking fundamentals

• This Is How I Explain DNS To Beginners

• Top 5 Most Important Network Protocols for Cybersecurity Beginners

• This Is How I Explain Subnetting To a Beginner

• Why Most Beginners Don’t Understand How Networks Actually Work

• 7 Networking Questions That Instantly Expose Beginners in Cybersecurity Interviews

Linux - non-negotiable

• This Is How I Explain Linux To a Beginner

• Top 5 Linux Commands for an Entry-Level Cybersecurity Role

Cryptography basics

• Symmetric vs Asymmetric Encryption

• Digital Signatures Explained

• [This Is How I Explain PKI To a Beginner] - will be published soon!!

Attack techniques

• This Is How I Explain The Man-in-the-Middle Attack To a Beginner

• How Phishing Works in 5 Steps

• The QR Code Trap

Do you struggle with any of these concepts? Comment the one you don’t understand and I will break it down for you.

Step 3: Get Your First Certification

Most people ask the wrong question: “Which certification should I get?”

The right question is: “Which certification fits where I am right now?”

For penetration testing, here is the honest order:

Start here: eJPT (eLearnSecurity Junior Penetration Tester)

Free to study. Practical exam. Actually tests whether you can do the work, not just memorize definitions. This is the most realistic first certification for this path.

Then: CompTIA PenTest+

Widely recognized. Good intermediate step. Bridges the gap between foundational knowledge and hands-on offensive work.

The goal: OSCP (Offensive Security Certified Professional)

The industry standard for senior offensive roles. Do not attempt this first. Attempt it when you are ready - but consider attempting it earlier than you feel comfortable. Passing OSCP before you have extensive experience sends a signal that nothing else on this path does.

Read the full certification breakdown here: 👉 Stop Buying Random Certifications. Here’s Exactly Which One You Need Based on Your Path

Step 4: Practice in Real Environments

Reading about penetration testing will not make you a penetration tester.

You need to practice. Every day. In real environments.

Here are the free platforms I would use:

TryHackMe - Start here. Guided learning paths with real machines. The most beginner-friendly platform on this list. Complete the “Pre-Security” and “Jr Penetration Tester” paths first.

OverTheWire: Bandit - Teaches Linux command line through puzzles. Surprisingly fun. Surprisingly hard. Do this alongside TryHackMe.

HackTheBox - More advanced. Move here once you are comfortable with TryHackMe. The machines are harder and less guided.

The rule: One hour of practice every day beats five hours on weekends. Consistency matters more than intensity.

Do you struggle with any of these platforms? Comment below and I will point you to the right starting point.

Leave a comment

Step 5: Build a Portfolio

This is the step most beginners skip. Do not skip it.

A penetration testing portfolio proves you can do the work before you have a job to prove it.

What to include:

• CTF writeups - document every challenge you solve on TryHackMe and HackTheBox. Explain what you did, why you did it, and what you learned.

• Personal lab - set up a home lab with VirtualBox or Docker. Document your setup.

• A GitHub profile - publish your scripts, notes, and writeups publicly.

• A blog or newsletter - writing about what you learn forces you to understand it deeply. It also makes you visible to recruiters.

Hiring managers for offensive security roles do not just look at your CV.

They look at your GitHub. They look at your write-ups. They look for evidence that you actually do this.

Have you started a portfolio? Comment below and share it. I will give you feedback.

Leave a comment

Conclusion

Most people do not fail in penetration testing because it is too hard.

They fail because they never had a plan.

They download Kali Linux on day one. They watch random YouTube videos. They jump between tools without understanding what they are doing or why.

That is how months turn into years with nothing to show for it.

This roadmap fixes that. It gives you the structure I wish someone had given me when I was learning this field.

It tells you:

• What to learn

• In what order

• And how to actually practice it

You will start thinking like someone who can:

• Understand how systems communicate

• Identify realistic attack vectors

• Build the skills that actually get you hired

You already have the roadmap. Now it is about execution.

See you in the comments.

Thank you for reading Decoded Security!

Erich

Comment your target role and your current level. I will give you your next step.

💬 Which step feels most challenging right now? Comment below - I read every response.

Leave a comment

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Email: erich.winkler@decodedsecurity.com
LinkedIn: Erich Winkler
Gumroad community: Decoded Security
Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

Without it, the internet as we know it wouldn’t exist.

There would be no way to verify that someone is who they claim to be.

So what can you expect today?

After reading this article, you will understand:

1. What the goals of the Public Key Infrastructure (PKI) are

2. What functions and components PKI has

3. How it fulfills its goals

And as a bonus, I will tell you exactly what you need to know for cybersecurity exams and interviews.

So if you are serious about cybersecurity, make sure to read this!

Warning: CC, Security+, and CISSP relevant topic!

Do you want to build a career in cybersecurity? Take a 2-minute cybersecurity quiz and get a personalized reading list based on your background and goals.

Core Objectives of PKI

Before we deep dive into individual components of the PKI, I want to make sure absolutely clear.

PKI isn’t about encryption!

Does it use cryptographic algorithms? Absolutely.

But it is only one small part of a complicated system.

And if you’ve been reading Decoded Security for a while, you know that everything needs to be tied to the core cybersecurity objectives - CIANA. (If you’re not familiar with the CIANA triad, just read the Core Cybersecurity Objectives - Summary.)

So what are the core objectives of the PKI?

• Authentication: To confirm that users, devices, and applications are who they claim to be.

• Confidentiality: To encrypt data so that only the authorized recipient can read it.

• Data Integrity: To guarantee that information has not been altered or tampered with during transit.

• Non-Repudiation: To provide proof of the origin of data, preventing a sender from denying they sent a message or signed a document.

Excellent, now we know its goals. Let’s dive into how they are achieved.

Are you interested in how PKI works? Give me a like so I know I am not alone!

PKI - Key function

Now that we know what we want to achieve with the implementation of the PKI, let’s take a look at how it’s achieved.

Key function: PKI manages the entire lifecycle of digital certificates, which bind public keys to specific identities (people, organizations, or devices).

Don’t know what a digital certificate is? Don’t worry, we all have been there.
Read this first: What is the digital certificate?

In other words, it allows us to verify that a specific public key really belongs to a person, organization, or any other entity.

Why is it so important?

Imagine I generate a key set - Public and Private key, and then a certificate

I will simply create a website that looks exactly like your bank. Your browser will ask me for a certificate, so I will simply generate it and send it.

Everything seems legit, and you will start entering your credentials, and..I think you can see the problem now.

For this reason, there is an independent entity that both your browser (or you) and the bank trust, called a certification authority.

This entity would sign my certificate, but only after I provide proof that I am really your bank. Since I can’t provide any kind of proof that I am your bank, they wouldn’t sign my certificate, and you wouldn’t trust me.

The attack just failed.

So, here is the key information I want you to take away from this chapter.

The PKI introduces a system that allows us to bind a public key to a specific entity ( e.g., a bank) by signing its digital certificate that includes its public key.

The digital certificate is signed by a CA (Certification Authority) that is trusted by both communicating parties.

Don’t know how asymmetric encryption works and what a public key is? I got you covered: Asymmetric encryption - Introduction

PKI - The Passport Analogy

I know I dropped a lot of terms on you. Today is about getting the main idea.

So let me use an analogy that helped me to understand the whole system a couple of years back!

Think of PKI like a passport system.

When you travel internationally, border control does not know you personally. But they trust your passport because they trust the government that issued it.

PKI works exactly the same way.

Here is the mapping:

Certificate Authority (CA) = the government: The trusted organization that issues and signs digital certificates. Everyone agrees to trust the CA. If the CA says a certificate is valid, everyone accepts it.

Digital Certificate = your passport: A document that proves your identity online. It contains your public key and is signed by a CA to confirm it is legitimate.

Public Key = your identity: Visible to everyone. Just like your name and photo on a passport. Anyone can see it.

Private Key = your fingerprint: Known only to you. The unique proof that you are who you say you are. Cannot be faked or transferred.

The CA’s signature is what makes it all work.

Without a trusted authority vouching for your identity, anyone could create a fake certificate claiming to be your bank, your email provider, or anyone else.

Did this analogy helped you? Give me a like so I know it’s worth creating them!

Key Takeaways

If this all feels confusing, don’t worry, it will all start to make sense.

To fully understand this problem, make sure to understand the following topics:

👉 Certification Authorities: What is it and why do we need it?

👉 Digital Signatures Explained

👉 Symmetric vs Asymmetric Encryption

Once you understand these topics, the whole PKI process becomes clearer. And if it doesn’t, just comment under the post, and I will explain it better!

Did this article help you to understand the basics of the PKI process? Give it a like and help me to share it with more people interested in cybersecurity!

Conclusion

Congratulations! You now understand what PKI actually is and why it exists.

And more importantly, you understand the problem it solves - which is exactly the question the CISSP exam will ask you.

Next time, we will look at how this connects to the real world. Because PKI is only a general system, to really understand how it is used, one piece is still missing: the chain of trust.

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Email: erich.winkler@decodedsecurity.com
LinkedIn: Erich Winkler
Gumroad community: Decoded Security
Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

📚 Essential CISSP topic

If you’re preparing for the CISSP exam or are serious about your cybersecurity career, make sure to read this.

Because this is one of the topics that distinguishes juniors from senior professionals.

When I hit security models in Domain 3, my instinct was the same as most candidates:

Open the book. Highlight every name. Make flashcards. Hope my brain hangs on until exam day.

Bell-LaPadula. Biba. Clark-Wilson. Brewer-Nash. Graham-Denning. Take-Grant.

Eight names. Multiple rules each. Some protect confidentiality, some protect integrity, and some have weird rules that I don’t understand.

And here’s the uncomfortable truth 👇

The candidates who fail this section aren’t the ones who forgot a definition. They’re the ones who memorized all eight and still couldn’t answer the question.

This article isn’t a textbook dump. It’s a way to compress 30 pages of CISSP content into a mental shortcut you can actually use on exam day.

And it's something that helped me pass the CISSP exam in 3 months!

Warning: This is one of the most tested topics in CISSP Domain 3.

What is a security model?

A security model is just a formal representation of a security policy. It defines:

• Who (Subject) can access what (Object)

• Under what conditions

• Which kind of protection it enforces (confidentiality, integrity, or both)

Note: If you’re not familiar with terms such as Subject and Object, read this first: Access Controls: Who Gets the Keys?

I know, it all sounds boring.

That’s why most candidates default to rote memorization. (Luckily I have a very bad memory, so that wasn’t an option for me)

Then the exam hits them with a question like this:

“A defense contractor needs to prevent classified intelligence from leaking to lower clearance levels. Which model best supports this requirement?”

Notice what the question is not asking:

• It’s not asking for the definition

• It’s not asking who invented it

• It’s not asking which government uses it

It’s asking: What goal needs to be protected, and which model was built for that exact goal?

That’s the whole game.

Security models are just answers to specific real-world problems. Once you know the problem, the model picks itself.

The 2-Question Filter

As I have mentioned, I have a terrible memory. That’s why I created my personal Decoded Security framework to make sure I can choose the right model in any situation.

For every security model question on the exam, I ask:

Q1: What is being protected? Confidentiality or integrity?

Q2: How is information allowed to flow?

If you can answer those two, you’ll get more than 80% of model questions right without remembering a single rule by heart.

Here’s the map.

Models That Protect CONFIDENTIALITY

These models exist for one reason: To ensure confidentiality.

Bell-LaPadula

• Rules:

  • No read up (The simple security rule)

  • No write down (The * property rule).

  • The strong property rule: Subject's clearance and objects classification needs to be equal

• A junior analyst can’t read top secret. A general can’t write classified info into an unclassified channel.

• Built for: U.S. Department of Defense. Multilevel military systems.

• Memory hook: BLP = Block Leakage of secrets properly.

Brewer-Nash (Chinese Wall)

This particular security model is really interesting. Basically, it is a set of rules that say: If you can access A, you can’t access B. And this all happens within one company.

• Rule: You can’t access two datasets that conflict.

• A consultant working with Bank A can’t suddenly access Bank B’s files.

• Built for: Financial firms, law firms, audit firms.

• Memory hook: Brewer = Builds walls between conflicting clients.

Graham-Denning

Note: Not that important for the exam.

• Rule: 8 primitive operations control the creation, deletion, and granting of rights for subjects and objects.

• Built for: Multilevel secure operating systems.

Take-Grant

Note: Not that important for the exam.

• Rule: Rights transfer between subjects via 4 operations: Take, Grant, Create, Remove.

• Built for: Theoretical analysis of how privileges propagate through a system.

Models That Protect INTEGRITY

These flip the script. They don’t care if you read something. They care that you don’t write garbage into critical systems.

Biba

• Rule: No read down (simple integrity axiom). No write-up (*-integrity axiom).

• A low-integrity process can’t pollute high-integrity data. A junior dev can’t push untested code directly into production payments.

• Built for: Systems where data corruption is worse than data exposure.

• Memory hook: Biba = Block Bad data going UP.

Clark-Wilson

• Rule: Users don’t touch data directly. They access it through well-formed transactions.

• Just remember here that the user does not access the data directly, but only through predefined procedures.

• You might get a question about what the “access control triplet” is:

  • It is the relationship between a user and a set of programs that operate on a set of data items.

  • Subjects → transformation procedures (programs) → data (Data items)

• Built for: Banking, accounting, transactional databases.

• This is the model behind every system where you can’t edit a record without a controlled workflow.

Bell-LaPadula vs Biba: The mirror trick

These two are the most tested models on the exam.

The simplest way to keep them straight:

They are literal mirrors of each other.

If you remember one, you can derive the other by flipping the arrows.

I’ll include a clean mirror diagram in the published version. If you want a printable cheat sheet, comment “Cheatsheet” and I’ll send it to you!

Leave a comment

How to apply this on exam day

Read the scenario. Identify two things:

1. What is the threat? Leakage = confidentiality model. Corruption = integrity model.

2. What environment?

   • Military / classified data → Bell-LaPadula

   • Bank / transactional system → Clark-Wilson

   • Consulting / audit / conflict of interest → Brewer-Nash

   • Critical system integrity → Biba

That’s it.

Most questions don’t require you to recite the “star property” or the “discretionary property.” They require you to match a real-world problem to the model that was designed for it.

If you want the deeper foundation behind these models, my earlier article on the 8 Security Principles every CISSP candidate thinks they understand covers the design thinking these models came from.

Key Takeaways

• Don’t memorize models. Memorize what they protect.

• Group them: confidentiality vs integrity.

• Bell-LaPadula and Biba are mirrors. Learn one, and you get both for free.

• Clark-Wilson is the banking model. Brewer-Nash is the consultant model. Bell-LaPadula is the military model.

• Exam questions reward pattern recognition, not definitions.

Conclusion

I know that Security models can sound very abstract at first, but there is a reason the CISSP tests as much as it does.

It allows security professionals to create a general framework and design systems based on the business needs, not the other way around!

I have spent days trying to figure this all out, and I truly hope this will help you get it in under 90 minutes!

Good luck, and thank you for reading Decoded Security!

PS: Here is a printable cheatsheet to make it all easier for you!

Cissp Security Models Cheat Sheet

76.3KB ∙ PDF file

Download

Download

Want the rest of Domain 3 simplified?

Security models are one piece. Domain 3 also covers cryptography, secure design principles, system architecture, and security capabilities of information systems. It’s the heaviest, most technical domain on the exam.

If you want a structured way to master it without losing your mind, I have something just for you:

👉 CISSP Domain 3: Complete Guide

Built the same way: pattern recognition over memorization.

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Email: erich.winkler@decodedsecurity.com
LinkedIn: Erich Winkler
Gumroad community: Decoded Security
Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

That’s non-negotiable.

If that scares you, I have good news.

Linux is a complex environment. But you don’t need to know everything, at least not for most cybersecurity roles.

You just need to know what actually matters.

And that’s exactly what I am going to tell you today.

The Misconception That Stops Most Beginners (Including Me)

When I used to hear “learn Linux for cybersecurity” I pictured memorizing hundreds of commands.

ls. cd. chmod. grep. awk. sed. netstat. ps. curl. wget.

The list feels endless. (And it is!)

So I tried to avoid it for as long as possible. And of course, I hit the wall.

Here is the truth that I wish someone had told me back then:

You don’t need to know everything about Linux. You just need to understand the general concept and how to read the manual. Everything else will follow.

The Core Idea Of Linux

In Windows, everything has a graphical interface. You click folders, drag files, open menus.

Linux works differently.

In Linux, everything is a file.

Your documents are files. Your settings are files. Your hardware devices are files. Your network connections are files. Even your running processes can be accessed as files.

This is not just a technical detail. It is the model that makes Linux make sense.

Think of it this way:

In Windows, you configure your WiFi through a settings menu with buttons and dropdowns.

In Linux, you can configure your WiFi by editing a text file. Because the network configuration is stored as a file. Like everything else.

This is why Linux is so powerful for cybersecurity. When everything is a file, you can read it, write it, copy it, move it, and automate it with simple commands.

And that is exactly what security professionals do every day.

Top 4 Things You Need Know To Start

Before you learn a single command, you need to understand four foundational concepts. Everything else builds on these.

1. The Linux Filesystem

The Linux filesystem is organized as a single tree starting from the root directory, written as /.

Everything lives somewhere in that tree.

The most important directory for cybersecurity work is /var/log.

This is where system logs live. When something goes wrong or when you are investigating an incident, this is where you look first.

2. Linux Distributions

Linux is not one operating system. It is a family of operating systems built on the same foundation.

Each version is called a distribution.

The ones you will encounter most in cybersecurity:

• Ubuntu - the most beginner-friendly, great for learning

• Kali Linux - built specifically for security testing, comes with hundreds of security tools pre-installed

• Debian - stable and widely used in servers

• CentOS / Rocky Linux - common in enterprise environments

For beginners, start with Ubuntu. Once you are comfortable, explore Kali for security-specific work.

3. Permissions

Linux controls who can do what to every file and directory.

Every file has three permission levels:

• Owner - the person who created the file

• Group - a defined group of users

• Others - everyone else

And three types of permission:

• Read (r) - can view the file

• Write (w) - can modify the file

• Execute (x) - can run the file as a program

When you see something like -rwxr-xr-- in a terminal, that is the permission string. It tells you exactly who can do what with that file.

4. Basic Commands

Once you understand the filesystem and permissions, commands start making sense.

I already wrote a full breakdown of the five commands you actually need for an entry-level cybersecurity role.

If you have not read it yet, start there before anything else:

How To Actually Install and Practice Linux

Reading about Linux is not enough. You need to use it.

Here are the two best options for beginners:

Option 1: Docker (Recommended for complete beginners)

Docker lets you run a Linux environment inside any operating system without changing anything on your computer.

You can spin up a Linux container, practice commands, break things, and delete it when you are done. No risk to your main system.

How to start:

1. Install Docker Desktop on your computer (free)

2. Open your terminal and run: docker run -it ubuntu

3. You now have a full Ubuntu Linux environment to practice in

This is the fastest way to get hands-on with Linux without any setup complexity.

I prepared a complete guide for you: Run Your First Linux Environment in 60 Minutes (FREE)

Option 2: Dual Boot (Recommended when you are ready to go deeper)

Dual booting means installing Linux alongside your existing operating system.

When you start your computer, you choose which one to use.

This gives you a full, native Linux experience. Performance is better than Docker, and you get used to using Linux as your actual working environment.

The tradeoff is that setup takes more time, and there is a small risk of something going wrong during installation if you do not follow instructions carefully.

Use Docker first. Once you are comfortable with the basics, consider dual-booting for a more immersive experience.

Free Practice Platforms

Beyond your own machine, these platforms let you practice Linux in real cybersecurity scenarios:

• TryHackMe - guided learning paths with Linux challenges built in. Perfect for complete beginners.

• OverTheWire: Bandit - a free wargame that teaches Linux commands by making you solve puzzles. Surprisingly fun.

• HackTheBox - more advanced, better suited once you have the basics down

Conclusion

Congratulations! You just made another step in your cybersecurity journey.

But Linux isn’t something you’ll learn through reading, you have to execute!

That’s why I want you to do the following steps RIGHT NOW:

1. Install Docker on your computer

2. Run a Linux Distribution

3. Finish the Free Lab I prepared for you: Run Your First Linux Environment in 60 Minutes

4. Comment on what your biggest problem was under this article - let me help you out!

Leave a comment

Good luck!

- Erich

Where To Go Next

If this article gave you the foundation, the next step is getting practical with the actual commands:

👉 Top 5 Linux Commands for an Entry-Level Cybersecurity Role

And if you want to know which cybersecurity path makes Linux most relevant for your specific goals:

👉 How to Choose the Right Cybersecurity Role

Leave a comment

Want a clear 90-day plan for turning your knowledge into a job offer?

👉 The 90-Day Cybersecurity Job Blueprint - €9.99

4.8 stars. 45 people have used it. 14-day money-back guarantee.

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Email: erich.winkler@decodedsecurity.com
LinkedIn: Erich Winkler
Gumroad community: Decoded Security
Start Here: Decoded Security Roadmap

A resume that cannot communicate those skills will get you rejected before anyone finds out what you are capable of.

I have spent a long time helping people build cybersecurity knowledge.

Certifications, frameworks, and technical fundamentals. But I can see very often people get passed over for roles they could do in their sleep.

The problem is rarely competence. It is that piece of paper that says: I can do this! Hire me!

I am a Cybersecurity Manager. I sit on the hiring side of this process. And there are four specific things I see on resumes that put candidates in the reject pile before anyone picks up the phone.

None of them is what most resume guides talk about.

One of them will surprise you, because you are probably doing it right now, thinking it makes you look more qualified.

Read more

I have seen SOC analysts study for penetration testing certs because they looked impressive on LinkedIn.

I have spoken to GRC professionals who spent six months on Security+ when they didn’t need it for a single job they applied for.

None of them made a bad decision because they were careless. They made a bad decision because nobody told them the truth:

The certification doesn’t matter. The path does.

So, Path first. Certification second. In that order.

If you are not sure yet which of the five paths fits your background, go back and read the previous article first. Choosing the wrong path makes every certification decision harder.

Path 1: Offensive Security

Target roles: Penetration Tester, Red Team Engineer

This is the path most people romanticize and the one with the steepest entry requirements. Offensive security is not beginner-friendly. Anyone who tells you otherwise is selling you something.

Start here:

eJPT (eLearnSecurity Junior Penetration Tester) is the most realistic first cert for this path. It’s practical, affordable, and actually tests whether you can do the work - not just whether you memorized definitions. It teaches you to think like an attacker on real systems, which is the entire point.

After eJPT, CompTIA PenTest+ is a solid intermediate step that many employers recognize.

Then comes OSCP. The conventional advice is to wait until you have extensive hands-on experience. My take is different.

Attempting OSCP early - even before you feel ready - signals something no other cert on this path does: that you are serious enough to attempt the hardest practical exam in offensive security before you need to.

Passing it early separates you from the hundreds of people who say they want to be a pentester but never commit.

It will be harder without experience. But that difficulty is the point.

What to avoid: CISSP on this path is largely irrelevant until you move into management. Security+ is useful for foundational knowledge but won’t differentiate you for offensive roles.

Path 2: Security Operations (SOC)

Target roles: Security Analyst, Incident Responder

SOC is the most accessible entry point into cybersecurity for people without a deeply technical background. It’s also the path where Security+ actually earns its reputation.

Start here:

CompTIA Security+ is the right first cert for this path. It’s widely recognized, required or preferred in many SOC job postings, and covers the foundational knowledge you need to understand what you’re monitoring. It’s also DoD-approved, which matters if you’re targeting government or defense-adjacent roles.

After Security+, CompTIA CySA+ is the natural next step. It focuses on threat detection, behavioral analytics, and incident response - exactly what SOC analysts do day to day.

ISC2 CC is worth considering before Security+ if you want a free way to prove foundational knowledge while you prepare. It costs nothing to sit and covers the same core concepts.

What to avoid: Jumping to CISSP as a junior SOC analyst is putting the cart before the horse. Build your operational experience first.

Path 3: Security Architecture and Engineering

Target roles: Security Engineer, Cloud Security Engineer, Security Architect

This path splits depending on where you want to specialize - cloud or on-premise. Choose based on where the companies you want to work for actually operate.

If your target is cloud:

AWS Security Specialty or Microsoft SC-900 / AZ-500 are the right starting points, depending on which platform dominates your target market. Cloud security roles are growing fast, and cloud-specific certs signal something generic security certs don’t: That you understand the specific environment where most modern security work actually happens.

If your target is general engineering:

CompTIA Security+ gives you the baseline, then CompTIA CASP+ signals you can operate at a senior level.

For software developers moving into security engineering: look at the CSSLP (Certified Secure Software Lifecycle Professional). It’s underused and directly relevant to your background.

What to avoid: Don’t collect cloud certs across multiple providers before going deep on one. Pick AWS or Azure based on your target companies and commit.

Path 4: Governance, Risk, and Compliance (GRC)

Target roles: Security Auditor, Risk Manager, Compliance Specialist

This is the path I know best. And it’s the path where the certification advice you’ll find online is most consistently wrong.

Start here:

ISC2 CC is free to sit, covers the fundamentals you need, and is backed by the same organization that owns CISSP. For someone with no prior cybersecurity certification, this is your starting point. It costs nothing except study time.

After CC, the path splits based on your specialization:

• Risk management: CRISC is the gold standard. Target it after your first GRC role.

• Governance and management: CISM is the right target for mid-career.

• Compliance and auditing: CISA is what auditors and compliance teams respect most.

CompTIA Security+ works here, too, for beginners who want to validate foundational cybersecurity literacy that GRC employers want to see.

What about CISSP on the GRC path?

Consider attempting it early - even before you feel fully ready. GRC is the path most directly aligned with how CISSP thinks.

The exam is built around risk management, governance, policy, and business decision-making.

That is exactly what GRC professionals do every day.

Passing the CISSP exam early signals that you think at a strategic level before you are even required to. Combined with CC and your first GRC role, it separates you from every other candidate who is still waiting until they feel ready.

What to avoid: Attempting CISSP before you have CC and a good understanding of the fundamentals. Build the foundation first. Then go for it.

Path 5: Management and Leadership

Target roles: Security Program Manager, Security Director, CISO

One cert dominates this path: CISSP.

The conventional advice is to wait until you have five years of experience. My advice is different.

Consider passing it early anyway.

CISSP Associate means you’ve passed the exam before fulfilling the experience requirement. You have six years to complete it afterward.

When a hiring manager sees CISSP Associate on a resume from someone with two years of experience, they don’t think “this person jumped ahead.” They think “this person is serious.”

It won’t replace experience. But it will open doors that a generic technical cert never will.

What to focus on while you build that experience: understanding how security decisions connect to business goals. The exam tests judgment, not just knowledge. Study accordingly.

The honest truth about certifications

A certification will not get you hired on its own.

It opens the door. You still have to walk through it.

What actually gets you hired is showing up to interviews knowing how to think, not just what to memorize. It’s having a resume that tells a coherent story. It’s being able to explain your reasoning clearly when a hiring manager puts a scenario in front of you.

The right certification for your path removes one barrier. It proves you took it seriously enough to invest time and money into a credential that matters for the direction you chose.

That’s it. One barrier removed.

The rest is on you.

Pick your path. Pick your cert. Start this week.

The Certification Tells You What to Study. The Blueprint Tells You What to Do.

Knowing which certification fits your path is only half the answer.

The other half is knowing what to actually do in the next 90 days. Which skills to build first. How to position your background for cybersecurity roles. How to build a resume that gets read. How to walk into interviews and explain your thinking clearly.

That’s what the 90-Day Cybersecurity Job Blueprint covers.

👉 Get the Blueprint - €9.99

4.8 stars. 45 people have used it. 14-day money-back guarantee.

Leave a comment

You feel that urge to do something, but you always end up watching YouTube videos on some random concept, and you feel like you’re getting nowhere.

In cybersecurity, a lack of direction is more dangerous than a lack of knowledge.

I have spent years studying random topics that didn’t get me any closer to my goal.

That’s why I created a study plan, which will help you use your time much more efficiently.

You will no longer focus on “What should I learn?” You will spend your time learning what matters.

GRC (Governance, Risk, Compliance)

GRC (Governance, Risk, Compliance) is one of the 5 cybersecurity paths you can choose.

But before you deep-dive into the materials I am about to provide, make sure this path is really for you.

You don’t want to waste weeks and months learning things that won’t get you any closer to your goal.

It’s a great fit if you:

• Prefer structured thinking over deep technical troubleshooting

• Like understanding how systems, risks, and business decisions connect

• Enjoy analysis, documentation, and decision-making

• Want to work closer to business, strategy, and leadership

It’s especially convenient if you:

• Are you switching from business, law, or management

• Don’t want to spend years becoming deeply technical

As you probably know, GRC is, in general, less technical, but it doesn’t make it any less valuable.

This is where business and cybersecurity meet, and the decisions made at this level influence the whole company.

The Decoded Security GRC Roadmap

This roadmap has three main goals.

First, make sure that you understand the cybersecurity basics that you need for any role in the field.

Second, make sure you understand the basics of cybersecurity GRC.

Third, force you to apply the theoretical knowledge and challenge yourself.

What is your target role? Let me know in the comments and let’s discuss your next steps!

Leave a comment

Here’s the exact roadmap I would follow if I had to start again.

Step 1: Build the right foundation

Before you go deeper into GRC, you need to understand how cybersecurity actually works and be familiar with the fundamentals, which underpin everything.

To make this easier, I put the key concepts into one place.

Make sure to understand these especially:

1. Threat ≠ Risk ≠ Vulnerability: Why CISSP Basics Matter More Than You Think

2. My First Week of CISSP Prep – What I’ve Learned So Far

3. Security Policies, Standards, and Procedures: The Boring Stuff That Actually Saves You

4. Cybersecurity Controls from Zero to Hero

Step 2: Start focusing on GRC topics

Now shift from “what is cybersecurity” → “how companies manage it.”

Focus on:

• Policies vs standards vs procedures

  • Security Policies, Standards, and Procedures: The Boring Stuff That Actually Saves You

• Access Control methods

  • Access Controls: Who Gets the Keys?

• Risk management:

  • Quantitative Risk Analysis: Let The Numbers Do All The Talking

  • How Risk Management Frameworks Keep Systems Secure

  • Risk Management: Managing risks in six steps

  • 3 things that surprise me about CISSP Domain 1: Security and Risk Management

• Data Lifecycle

  • The Data Lifecycle: From Creation to Secure Destruction

  • The Storage Mistake 90% of People Make (Until It’s Too Late)

• Disaster Recovery and Business Continuity

  • Floods, Cybersecurity, and Survival Strategies And the Surprising Link Between Them

• Intellectual Property & Licensing

  • Why We Need to Be Lawyers: Intellectual Property & Compliance in Cybersecurity

• Laws, Legislation and Contracts

  • 15+ Laws Every CISSP Candidate Must Know: The Only Legal Guide You Need

  • Stop Reading SLAs Wrong: The 7 Critical Topics You’re Missing

• (Reality check - optional)

  • 6 Myths That Are Killing Corporate Cybersecurity

Do you struggle with any of these concepts?
Comment the one you don’t understand, and I’ll break it down for you.

Step 3: Try practical examples

There are two articles in which I analyzed a real-world scenario.

• Quantitative Risk Analysis: Let The Numbers Do All The Talking

• Risk Management: Managing risks in six steps

The task is very simple. Let’s use the AI for something useful and tell ChatGPT to create practice scenarios based on my articles.

I will send you feedback, and we can discuss your approach.

Conclusion

Most people don’t fail in GRC because it’s too hard. They fail because they never had a plan.

They jump between random topics, watch endless videos, and confuse activity with progress.

That’s how months turn into years… with nothing to show for it.

The Decoded Security roadmap fixes this. It gives you structure that I wish I had a couple of years back.

It tells you:

• what to learn

• in what order

• and how to actually apply it

You’ll start thinking like someone who can:

• identify real risks

• make informed decisions

• and bring value to a business

And that’s what this field is really about.

You already have the roadmap. Now it’s about execution.

See you in the comments!

Thank you for reading Decoded Security!

Erich

Comment your target role + your current level. I’ll give you your next step.

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Email: erich.winkler@decodedsecurity.com
LinkedIn: Erich Winkler
Gumroad community: Decoded Security
Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

📘 Essential for anyone preparing for the ISC2 CC or CISSP exam

I’ve spoken with many people who passed the ISC2 exams, and I've also spoken with many who failed. And every time I meet someone who failed, I take notes.

And for some reason, this topic comes up very often. Even though it isn’t anything complex, it is absolutely essential in real-world practice.

That’s why I decided to include it in my materials and make sure that no one reading Decoded Security will fail this topic ever again.

Testing Disaster Recovery Plans

You studied disaster recovery. You know what RTO (Recovery Time Objective) and RPO (Recovery Point Objective) mean.

You understand backups, the data security lifecycle, and you can tell the difference between a hot site and a warm site.

If you’re not familiar with those terms, you can find links to my previous articles explaining all of those topics at the end of this article.

You feel ready to answer all disaster recovery questions that might come up in the ISC2 exams.

And you still might fail. And you wouldn’t be the first, nor the last.

People are usually so focused on creating disaster recovery plans and business impact analysis that they forget one crucial part.

A plan is useless unless it’s regularly tested.

And this is exactly where exam questions are designed to catch you.

Because in both the ISC2 Certified in Cybersecurity (CC) and CISSP, one principle shows up again and again:

A plan that hasn’t been tested cannot be trusted.

The hierarchy of disaster recovery testing

Both for the exams and the real-world practice, you need to know two things.

1. Different types of exercises to test DR plans

2. How to balance the assurance with the cost

As always, the more thorough you are, the more money it costs. And stakeholders won't like that.

Let’s take it from the least expensive to the most.

1. Checklist Test

Purpose
Validate that the disaster recovery plan is complete and up to date.

How it is performed

• The DR plan is distributed to functional managers

• Each manager reviews their section independently

• They verify:

  • Contact details

  • Roles and responsibilities

  • Procedures

• Feedback is collected and consolidated

• The plan is updated accordingly

Benefits

• Easy and fast to perform

• Identifies missing steps or outdated information

• Low cost, no operational impact

Drawbacks

• No real execution

• No validation of actual recovery capability

• Gives a false sense of security

When to use

• Early stages of DR planning

• Regular reviews (e.g., quarterly updates)

• Before more advanced testing

Exam insight: This is the weakest form of testing, but it is conveninent as it can be perform regularly without operational impact.

2. Structured Walkthrough

Purpose
Validate logical flow and completeness of the plan as a group.

How it is performed

• Key stakeholders meet in a structured session

• The plan is reviewed step by step

• A facilitator walks the group through:

  • Sequence of actions

  • Dependencies between teams

• Participants discuss:

  • What happens next

  • What might be missing

• Gaps and conflicts are documented and resolved

Benefits

• Identifies inconsistencies and gaps

• Improves team understanding

• Encourages collaboration across departments

Drawbacks

• Still theoretical

• No real system or process validation

When to use

• After checklist review

• When updating or improving the plan

• Before running simulations

3. Tabletop Exercise

Purpose
Simulate decision-making during a disaster scenario.

How it is performed

• A realistic scenario is introduced (e.g., ransomware, data center outage)

• Participants assume their real roles

• A facilitator drives the scenario forward in phases

• Teams explain:

  • What actions they would take

  • Who they would contact

  • How decisions are made

• Injects (new developments) are added to simulate pressure

• Observers record gaps and decision issues

Benefits

• Tests roles and responsibilities

• Improves communication and coordination

• Reveals gaps in procedures and escalation paths

Drawbacks

• No real technical execution

• Does not validate recovery time or system restoration

When to use

• Training teams

• Testing incident response + DR coordination

• Preparation for more advanced tests

Exam trap: Remember that nothing is actually executed in this type of testing!

4. Simulation Test

Purpose
Test actual execution of disaster recovery procedures in a controlled scenario.

How it is performed

• A specific disaster scenario is defined

• Teams execute actual recovery procedures:

  • Restore systems

  • Recover data

  • Activate DR processes

• Real tools and systems are used

• Activities are monitored and timed

• Issues (failures, delays, confusion) are recorded

• Results are analyzed after the exercise

Benefits

• Validates processes and responsibilities

• Reveals real operational issues

• Provides measurable insights (time, errors, gaps)

Drawbacks

• Requires coordination and effort

• May impact operations if not controlled

When to use

• After tabletop exercises

• When validating readiness of teams and processes

5. Parallel Test

Purpose
Validate recovery capability by running systems at an alternate site alongside production.

How it is performed

• Systems are restored or activated at the alternate site

• Data is replicated or restored to that environment

• The alternate system runs in parallel with production

• Processing is performed and results are compared

• Performance and consistency are validated

• Production systems remain active throughout

Benefits

• Tests the infrastructure and data replication

• No disruption to live operations

• High level of confidence without full risk

Drawbacks

• Resource-intensive

• Doesn’t fully simulate real failure conditions

When to use

• When testing alternate sites

• Before conducting full interruption tests

• In mature DR environments

6. Full Interruption Test

Purpose
Validate complete disaster recovery by switching all operations to the alternate site.

How it is performed

• Production systems are intentionally shut down

• Operations are switched entirely to the alternate site

• All business processes run from the recovery environment

• Users interact with the DR systems as if it were real production

• Recovery time and performance are measured

• After testing, systems are restored back to normal operations

Benefits

• Highest level of assurance

• Fully tests systems, people, and processes

• Provides real recovery metrics

Drawbacks

• High risk

• Operational disruption

• Expensive and complex

When to use

• Mature organizations with strong DR capabilities

• Critical systems requiring full validation

• Infrequently (e.g., annually)

Exam insight: This provides the strongest validation and should be used only if the highest level of assurance is required.

Printable cheat sheet - perfect for the exam.

Decoded Security Dr Testing Cheat Sheet

24.1KB ∙ PDF file

Download

Download

Conclusion

This is everything you need to correctly answer disaster recovery testing questions on the ISC2 Certified in Cybersecurity (CC) and CISSP exams, and more importantly, to choose the right level of assurance in real-world practice.

I have one last tip for you. Always complete the previous level before moving to the next. Each level builds on the previous one.

• You review before you simulate

• You simulate before you execute

• You execute before you fully interrupt

Skipping levels doesn’t make you efficient. That’s a common trick in the exam.

Thank you for reading Decoded Security!

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Email: erich.winkler@decodedsecurity.com
LinkedIn: Erich Winkler
Gumroad community: Decoded Security
Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

Disaster Recovery and Business Continuity - Study resources

Most “entry-level” cybersecurity jobs don’t actually exist.

I know, you don’t believe me right now.

There are many roles, such as Junior SOC Analyst, Entry-Level Security Engineer, and Associate Cybersecurity Specialist

Well, there are. However, there is one crucial misunderstanding.

“Entry-level” doesn’t mean entry into tech, it means entry into security

They’re designed for people who already have:

• basic IT experience

• understanding of systems and networks

• strong theoretical knowledge of cybersecurity

• some exposure to real-world environments

Does it mean you should give up?

NO!

It only means you need to change your strategy. And I will show you exactly how.

Remember: The stronger the entry-level barrier, the more of a benefit it becomes once you break it!

Why You Should Continue Reading

If you’re new to cybersecurity, there’s a hard truth you need to face:

The game is stacked against you at the beginning.

You need experience to get an “entry-level” job.

Which sounds impossible.

But here’s the good news:

Demand for cybersecurity professionals is still growing.

Despite all the talk about AI replacing jobs, companies are struggling to protect their systems.

And without security, their business doesn’t survive.

Which means:

This is still one of the best fields you can enter, if you approach it the right way.

So instead of guessing…

Let me show you exactly what to do instead.

Why You’re Not Getting Hired

If the first answer that comes to your mind is you’re not smart enough..just stop!

It’s not because you’re not smart enough.

It’s not because cybersecurity is “too difficult.”

It’s because you’re competing against people who are already closer to the field than you are.

From an employer’s perspective, the choice is obvious:

Hire someone who can contribute immediately, or someone who still needs months of training.

And cybersecurity is not a field where companies like to take risks.

So how do we help you get closer to the field and convince employers to see what you can bring to the table?

You actually need only one thing: STRATEGY.

What People Call “Strategy”

Most people respond to this the wrong way.

They try to “fix” the problem by:

• collecting more certifications

• buying and watching more expensive courses

• waiting until they feel “ready”

How do I know? Because I’ve been there.

And I know spending money and watching videos feels productive.

But it doesn’t move you closer to getting hired.

At least not if you’re doing it without a clear direction.

You need to build an image that you are capable of doing something in the real environment.

Get Direction FIRST

That was enough theory and general fluff.

Let’s answer the most important questions:

1. What is it you need to do to break that entry-level barrier?

2. How do you build that image, saying I am useful and suitable for the role?

The first step is this:

Know exactly which role you’re aiming for.

Without that, nothing else works.

Because if you don’t know where you’re going:

• you learn random things

• you collect irrelevant certifications

• you build skills that don’t align with any real job

And from an employer’s perspective?

You look unfocused.

Because your entire strategy depends on that answer.

If you’re not sure yet, start here:

(This will give you the clarity most people skip and pay for later.)

3 Specific Steps You Should Focus On

Great, now you have the direction. And honestly, this is where most people stop.

They understand the problem, but they don’t do anything about it.

In this section, I’ll break down the exact 3-steps you should take to get a job in cybersecurity.

Read more

How do you prove someone is who they claim to be?

Because if you get this wrong, nothing else matters.

It doesn’t matter how well your whole system is set up if you can’t be sure who you are talking to.

That’s why the process of authentication is so widely tested during all cybersecurity exams, including the CC, CISSP, and Security+.

Not familiar with the methods of authentication yet? Read this First!

Today, we are going to focus on a method that is treated as the gold standard.

But just because this method is better than asking for a password, that doesn’t make it automatically secure.

And be sure that the exam will test you on that.

Let’s get to it!

Biometric authentication

Definition: Biometrics verifies an individual’s identity by analyzing a unique personal characteristic.

That sounds pretty clear, doesn’t it?

You simply take anything that you can reliably analyze and is based on unique personal characteristics and uses instead of a dumb password.

Well, there is a catch. But before I tell it to you, let’s add more definitions to make sure you know everything you need.

There are two types of biometric authentication:

1. Physiological: Uses physical attributes unique to an individual

   1. Fingerprints

   2. Retina / Iris (Note: Privacy issues - PHI)

   3. Facial structure

   4. Hand geometry

2. Behavioral: Uses patterns of behavior unique to an individual

   1. Signature dynamics

   2. Keystroke dynamics

   3. Voice patterns

Why is this so important?

Because behavioral characteristics can change over time. We are not machines, and we don’t always do things the same way.

Make sure to keep it in mind!

“The Catch” - Errors

Exam tip: This is what you actually need to know

Remember how I mentioned “the catch”?

Here it is:

Biometric authentication doesn’t always work as expected.

With passwords, it’s simple:

• 100 % Match → access granted

• No match → access denied

It’s 100% or nothing.

But biometrics don’t work like that.

You never get a perfect match.

Instead, the system asks:

“Is this close enough to be the same person?”

And that’s where problems start.

Because now, two things can happen:

1. False Rejection Rate (FRR)

Event: The system rejects a legitimate user.

FRR Definition: The percentage of times a biometric system incorrectly rejects a legitimate user.

Example: Your fingerprint is valid, but the system doesn’t recognize it.

2. False Acceptance Rate (FAR)

Event: An attacker is accepted as a legitimate user.

Definition:
The percentage of times a biometric system incorrectly accepts an unauthorized user.

Which one is better?

Well, that depends on the system.

If you make the system stricter:

• FAR ↓ (more secure)

• FRR ↑ (more users get blocked)

If you make it more lenient:

• FRR ↓ (better usability)

• FAR ↑ (less secure)

  

Without changing the biometric mechanism, you can only decide which mistake you prefer.

Great. Now you understand the main problem with biometric authentication and its sensitivity.

Now there is one more question to answer: How do we compare biometric systems?

Because every system has FRR and FAR.

And depending on the configuration, you can tune one… but worsen the other.

So which one matters more?

FRR or FAR? And at what setting?

This is exactly why we use the Crossover Error Rate (CER).

Crossover Error Rate (CER)

Definition:
The point at which the False Rejection Rate (FRR) equals the False Acceptance Rate (FAR).

In other words, it’s the point where the system makes equal mistakes on both sides.

It is a single number to compare biometric systems.

• Lower CER → fewer total errors → better system

• Higher CER → more errors → worse system

And that’s it! You can now compare two biometric systems!

Additional Information (Exam Notes)

• Biometrics are based on probability, not certainty

• Threshold setting determines system sensitivity (strict vs lenient)

• Lower threshold → higher FAR, lower FRR

• Higher threshold → lower FAR, higher FRR

• False Acceptance Rate (FAR) is a bigger security risk than FRR

• False Rejection Rate (FRR) mainly affects usability

• Crossover Error Rate (CER) is used to compare systems

• Lower CER = better overall accuracy

• Physiological biometrics are generally more stable than behavioral ones

• Some methods raise privacy concerns (e.g., retina scan → PHI)

• Processing speed matters (slow systems reduce adoption)

• BIOMETRIC SYSTEMS ARE EXPENSIVE!

Conclusion

Congratulations! After reading this article, you are ahead of most people.

You now understand that biometrics isn’t just about scanning fingerprints.

You understand both its benefits and its drawbacks, including the errors involved.

We also covered how to prioritize error types based on system sensitivity and how to compare biometric systems.

With all of that, you are more prepared than 95% of people claiming to be cybersecurity experts.

Thanks for reading Decoded Security!

— Erich

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

It was the CISSP exam that made me realize that what I know isn’t enough.

The question was quite simple: What is a Man-in-the-Middle attack?

And I got a very simple answer: It is a type of attack where an attacker positions himself between two parties who believe they are interacting directly.

Easy and correct answer, right?

Well, it is. But if you believe this is enough to pass cybersecurity exams and interviews, you’re wrong.

After reading this article, you will know everything you need to know about this attack for CC, Security+, CISSP exams, and in actual real-world scenarios.

Warning: CC, CISSP, and Security+ relevant topic!

What is a MitM Attack?

Let’s start from the beginning and describe what this term means.

The MitM Attack is a TYPE of attack where an attacker positions themselves between two parties communicating.

Instead of:
Client → Server

It becomes:
Client → Attacker → Server

And what is so dangerous about it?

The client probably won’t even recognize it. Everything works as usual. You open any website, check your emails, and watch YouTube videos.

But the attacker can now:

• Read the traffic

• Modify it

• Steal sensitive data

In other words, all core Cybersecurity objectives of the CIA triad are threatened.

And yes, you guessed it right, that’s no good.

Before we go through a specific example, let’s answer one more question that is frequently asked in both exams and interviews.

Question: How does a MitM attack affect the core cybersecurity objectives?

Answer:

CIA Triad

• Confidentiality - Broken

  • Compromised

  • Without further security controls, the attacker can intercept sensitive data (passwords, emails, tokens)

  

• Integrity

  • Compromised

  • An attacker can modify messages in transit

  • → Data arrives altered without the sender/receiver knowing

• Availability

  • Usually unaffected (but can be impacted)

  • MitM is primarily passive/stealthy

  • → In some cases, an attacker may drop or delay packets (DoS-like behavior)

So, if you ever get this question, and if you’re serious about cybersecurity, you probably will, make sure to understand which core cybersecurity objectives are typically the most affected by this type of attack.

Great! Enough theory!

Now it’s time to get some hands-on experience and try this attack by yourself.

Because that’s what differentiates people who know just theory, and who actually understand the concept. You can’t replace hands-on experience with hours of reading.

And that’s why I prepared a simple Docker Lab, which will guide you step by step on how to simulate this attack.

Let’s get to it!

Are you preparing for the CC, Security+, or CISSP exam?

Comment “CYBERSECURITY” and I will send you a free guide focusing on Top 10 Cybersecurity Fundamentals.

Hands-On Docker Lab: Man-in-the-Middle Attack

How the attack actually happens

Let’s do something most cybersecurity content never shows you:

Instead of just reading about a Man-in-the-Middle attack, you’ll simulate one yourself.

What you’re about to build

You will simulate this exact scenario:

Victim (Browser) → Attacker (MitM Proxy) → Web Server

The attacker will sit in the middle and capture session data in real time.

Read more

In the previous articles, we have covered what the exam looks like. Its structure, domains, and the distribution of points between them.

I also provided you with study resources that are laser-focused on things you need to answer the questions correctly.

And after covering all of that, you miss only one last thing to successfully pass the Security+ exam.

A strategy. Today, we will take all the knowledge and create a plan that will get you where you want to be.

This article gives you that system.

A clear plan for what to do every week and every single day.

So you can stop guessing and start executing.

The 4-Week Strategy (Simple, Not Easy)

Your entire preparation has 3 phases. And what I like about it is that it works for almost any exam you will ever take.

Phase 1: Build Understanding (Week 1)

Goals:

• Understand the concept of the exam

• List topics for each domain

• Understand the fundamentals

What you do:

• Read the introduction where I describe the exam - Exam structure

• Open an Excel or take a piece of paper and list all the main topics for each domain. I made that easy for you: Security+ Domains

• Go through the core concepts - Luckily for you, I covered the Top 10 most important concepts in my FREE guide - Top 10 Cybersecurity fundamentals

Okay, now you should have a complete overview of what you need to learn. That’s a great start.

Start with the topics I listed and make sure to write down all terms that you are not familiar with.

Outcome of this phase:

• A complete list of all topics you need to understand for the exam

• List of terms you need to be familiar with

• A mindmap describing how the terms connect together

Phase 2: Connect the Dots And Test Yourself Soon (Week 2–3)

Most people wait for practice tests until the very last moment.

They are afraid of failing.

Here is the thing: You are allowed to fail in the preparation phase. That’s what forces you to learn.

So, the second you read through the fundamentals, it’s time to start testing yourself.

And, very importantly, add the topics from the practice test to your list. That’s absolutely crucial.

At the end of week 2, you should be stressed about how big your list got and that you are running out of time.

If that’s what you are feeling now, you’re on the right track! Don’t stop!

And if you feel overwhelmed, I’d recommend using an approach that helped me many times in my life and by which I was able to pass the CISSP exam while working full-time.

Divide and Conquer

When your list gets overwhelming, don’t try to fix everything at once.

Break it down:

• Pick one domain

• Focus only on that

• Close the gaps

• Move to the next

Make sure to check the topics in your list and track your progress. That will keep you motivated. Once you check all the topics from one domain, take the practice test again. It will feel good that you know the answers!

Phase 3: Think Like the Exam (Week 4)

Until now, I strongly encouraged you to deep dive into the topics. Truly understand what’s going on behind the scenes.

But this is the time to get practical.

You’ve spent 3 weeks reading materials, watching tutorials, and connecting the dots. You’ve got plenty of diagrams, notes, and maybe ANKI cards.

That will all serve you well in your career.

But now, you need results. Which means, stop caring about how things work and start giving answers that the exam expects.

Every exam have different way the questions are phrased, meant, and created.

You are at a huge disadvantage. The people who created the exam are the ones who set the rules.

You need to adapt. And the best way to do that is to practice the question as much as possible.

So here is the recipe for this phase:

• Full practice exams daily

• Timed conditions

• Focus on weak areas only

• Light review

How to Know You’re Ready

Simple:

• You consistently score 80%+ on practice exams

• You understand why the answers are correct

• You recognize patterns in the practice questions quickly

At that point, it’s time to take the exam.

Don’t wait for confidence.

Confidence comes after you pass.

Conclusion

This is how I passed even the most difficult cybersecurity exams there are.

Having a good strategy is more important than having years of experience. I know many people who have been in the field longer than I have and still failed.

Stop waiting to be ready. Don’t listen to people telling you don’t have a chance.

You don’t need more time. You don’t need more resources.

You need:

• Focus

• Consistency

• Study materials

• And a system

And I just gave you resources and a system. Now it’s time for you to add focus and consistency to the equation.

Follow this for 4 weeks, and you will pass.

Thanks for reading Decoded Security!

- Erich

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Let’s learn and grow together!

It isn’t a lack of experience.

It isn’t that they are not smart enough.

It isn’t even an absence of an $800 course.

It’s not knowing what really matters for the exam.

They treat all topics the same. They try to “cover everything.” And naturally, they get lost and fail.

In Part 1, we talked about what the exam really is.

Now it’s time to break it down:

👉 What’s inside each domain
👉 What you should actually focus on
👉 What you can safely ignore

Let’s get to it!

WARNING: This article won’t bring anything exciting, but it will help you bring structure to your preparation for the CompTIA Security+ exam.

If you’re just joining: This is Part 2 of my 3-part series on how to pass CompTIA Security+ in 4 weeks.

In Part 1, I explained:

• what the exam actually tests

• why most people fail

• how to think about Security+ the right way

Now we focus on what to study, and what to ignore.

The 5 Domains of Security+

I have already mentioned this last time, but I think it’s absolutely crucial to understand this.

Understanding the exam structure is not optional. It’s one of the fastest ways to improve your score.

The current version (SY0-701) is built around 5 domains.

And you need to know what hides under the hood of each domain. And yes, you guessed it right, that’s what I am going to show you today!

And not only that! I have already explained most of the topics in my 80+ articles here on Decoded Security. So, this is nothing but just a big bank of resources that will help you pass this exam without an $800 course!

Sounds good, right?

So let’s take it domain by domain!

General Security Concepts (12%)

The goal of this chapter is to verify that you understand the fundamental concepts of cybersecurity. Yes, it counts “only” for 12% of the exam, but you are going to need those concepts across all domains, so make sure you know them!

Note: Each topic links to a detailed article if you want to go deeper. :)

What to focus on:

• CIA Triad (Confidentiality, Integrity, Availability)

• AAA (Authentication, Authorization, Accounting)

• Security controls:

  • Technical

  • Administrative

  • Physical

• Core principles:

  • Least privilege

  • Zero Trust

  • Defense in depth

• Cryptography basics:

  • Symmetric vs asymmetric

  • Hashing vs encryption

  • Diffie-Hellman

  • Digital Signatures

• Networking Fundamentals:

  • Network Devices

  • IP addressing

Threats, Vulnerabilities, and Mitigations (22%)

The goal of this domain is to understand how attacks actually work and how to stop them.

You need to know the types of attacks to recognize them and design systems that are resilient to them.

What to focus on:

• Malware:

  • Ransomware

  • Trojans

  • Worms

• Social engineering:

  • Phishing

  • Pretexting

  • Baiting

• Network protocols

  • TCP/UDP

  • FTP

  • SMTP

  • ….. (see the article above)

• Network attacks: (in progress)

  • DoS / DDoS

  • Man-in-the-middle

  • DNS spoofing

• Vulnerabilities: (in progress)

  • Misconfigurations

  • Unpatched systems

  • Weak passwords

• Mitigation basics: (in progress)

  • Patching

  • Input validation

  • Segmentation

Security Architecture (18%)

This domain focuses on secure design.

In other words, it teaches you how to build systems that are secure by default, not systems that need to be fixed later.

You’re not reacting to attacks here. You’re preventing them before they even become possible.

This includes how networks are structured, how systems communicate, how identities are managed, and how trust is established between components.

Because once a system is deployed, fixing security issues becomes:
- slower
- more expensive
- and often incomplete

That’s why good security professionals think about architecture first.

What to focus on:

• Network design:

  • Segmentation (In progress)

  • DMZ (In progress)

  • DNS

  • Firewalls

  • Certification Authority

• Cloud:

  • Shared responsibility model

  • IaaS / PaaS / SaaS

  • Service-level agreement

• Zero Trust

• Secure protocols:

  • HTTPS / TLS

  • SSH

• Identity & Access Management

  • Access Control

  • Access Control Concepts

  • AAA Framework

• System hardening (In progress)

Are you preparing for the Security+ exam? Let me know in the comments and let’s discuss it!

Leave a comment

Security Operations (28%)

This is the most important domain on the exam.

This is where cybersecurity becomes real work.

You’re not designing systems anymore. You’re operating them.

• detecting attacks

• responding to incidents

• minimizing damage

• recovering systems

Basically, we focus on what you do when something actually happens.

Key idea here:
You won’t be judged on preventing every incident.
You’ll be judged on how you handle them.

What to focus on:

• Monitoring & logging: (In progress)

  • SIEM basics

  • Log analysis

• Incident response:

  • Preparation

  • Detection

  • Containment

  • Recovery

  • Reporting

• Vulnerability management (In progress)

  • Scanning

  • Prioritization

• Tools (high-level):

  • EDR (In progress)

  • IDS / IPS

• Backup & recovery

  • RAID

  • Secure Data Disposal

  • Secure Data Lifecycle

Is there any comment you are struggling with? Just let me know in the comments and I will break it down for you!

Leave a comment

Security Program Management and Oversight (20%) (My favorite domain!!)

This is where cybersecurity becomes a business decision.

It’s not about tools. It’s about managing risk.

Because in reality:

• You can’t secure everything

• You can’t eliminate all risk

So the goal is to understand risk and make the right decisions. Because at the end, it’s all about MONEY.

Most technical people underestimate this domain. That’s a mistake.

Because this is how companies actually decide:

• what to protect

• how much to invest

• what risks to accept

💡 Key idea:
Security is not about eliminating risk. It’s about managing it.

What to focus on:

• Risk management:

  • Risk = likelihood × impact

  • Mitigate / Transfer / Accept / Avoid

  • Risk Management frameworks

• Policies, standards, procedures

• Compliance and Privacy:

  • GDPR

  • HIPAA

  • PCI-DSS

  • FISMA

• Intellectual Property & Compliance

• Third-party risk (In progress)

• Security awareness (In progress)

This is it. That’s the list of topics you need to cover to have a chance to pass the exam!
I know it might look scary, but trust me. We just made a very important step.

We put everything we need to know in one place. Which means, now we just start crossing the things off the list.

Conclusion

This is it! The exam might sound scary at this point, but I promise you—once you start crossing topics off your list, it will feel better and better.

You now know:

• the structure of the exam

• what the exam looks like

• what is in each domain

And you have the resources to help you study.

You’re missing one last thing:

A strategy.

That’s what we’ll dive into next time!

Thanks for reading Decoded Security!

- Erich

PS: If you have any questions, feel free to reach out to me!

The last part of the series is already available here:

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Let’s learn and grow together!

Really..go out and ask people who have anything to do with tech.

They will all tell you how it’s easy, and everybody knows it.

Then ask them to explain the series of events that happen when you open a website.

That’s where the confidence disappears.

Because this isn’t a trivia question.

It’s a test of whether you understand the system or just memorize pieces of it.

And in cybersecurity, that difference matters.

Because you can’t protect what you don’t fully understand.

That’s why this question shows up in interviews.

And if you can answer it clearly, step by step, you’re already ahead of most candidates.

In this article, you’ll learn exactly that.

High-level concept

First, you need to understand that opening a website is not a single action.

It’s a chain of dependencies:

DNS → TCP → TLS → HTTP → Rendering

Each link of this chain solves a different problem:

• DNS → Where is the server? (Application layer)

• TCP → Can we communicate reliably? (Transport layer)

• TLS → Can I trust you? (Between Application and Transport)

• HTTP → Give me the content (Application layer)

Make sure you understand the TCP/IP model and its different layers.

Step-by-Step (Interview-Level Explanation)

1. URL Parsing

Let’s start from the beginning.
When you type:

https://www.example.com/login?user=admin

Your browser parse the URL:

• Scheme (Protocol) → https

• Host (Domain) → www.example.com

• Path → /login

• Query string → user=admin

The scheme (https) doesn’t just define the protocol, it determines the entire communication stack that will be used.

For example:

https:// → HTTP over TLS over TCP
http:// → HTTP over TCP

Okay great. We parsed the URL. What now? We want to send the request to the server, right?

Well, not so fast. We don’t even know where the server is yet..

2. DNS Resolution - Finding the Server

Your browser knows where to go. It doesn’t know the IP address yet.

DNS translates example.com into 93.184.216.34.

Here’s the real lookup chain, and where it stops depends on what’s already cached:

The query descends until one level can answer. Most everyday lookups never reach the root, they hit a cache first.

This is very simplified explanation, if you want to know more about how DNS really works, read it HERE:

Okay, great! Now we have the IP address and we can make the request, right?

Well, not yet!

Step 3: TCP Handshake (Making the Connection)

We need to establish a reliable connection first!

That’s the job for the Transport layer. In particular, the TCP protocol.

It establishes a connection between two devices using something called a three-way handshake:

1. SYN → Client wants to start communication

2. SYN-ACK → Server acknowledges

3. ACK → Client confirms

That’s it. Simple, efficient.

Do you want to know more? I love to hear that! I have covered this topic in one of my previous articles! Read it here: TCP protocol.

Okay, okay. So now it’s finally time to make a request, right?

Well, we are really almost there! I promise!

Step 4: TLS Handshake

This is where it gets interesting when it comes to security.

The TLS protocol lies between the application and transport layers.
It has three simple (haha)..ensure authenticity, integrity, confidentiality of the connection.

Here’s what each step actually does:

1. Client Hello: Your browser initiates the handshake by sending:

• Supported TLS versions

• Supported cipher suites

• Random data (used later for key generation)

2. Server Hello + Certificate

The server responds with:

• The selected cipher suite

• Its digital certificate

That certificate contains:

• The server’s public key

• A digital signature from a trusted Certificate Authority (CA)

3. Certificate Verification

Your browser validates the certificate:

• Is it signed by a trusted CA?

• Is it expired?

• Does the domain match?

If you don’t know what a Certification Authority is, I got you covered!

This is where your digital signatures article connects directly.

Without a valid signature, the browser rejects the connection.

4. Key Exchange

The client and server establish a shared secret.

In modern TLS (1.2+ / 1.3), this is typically done using:

• (EC)DHE → ephemeral key exchange

Important: The certificate is used for authentication, not for encrypting all traffic directly.

5. Secure Channel Established

Both sides derive session keys.

From this point on:

• All data is encrypted

• All data is integrity-protected

Step 5: HTTP Request and Response (Finally Asking for Data)

Once the secure channel is open, the browser sends:

GET /login HTTP/1.1
Host: example.com

The server processes the request, queries a database if needed, and returns HTML with a 200 OK response.

Step 6: Browser Rendering (The Part You Actually See)

The browser parses the HTML, loads CSS, and executes JavaScript.

Only now do you see the page.

Everything before this? Invisible. Automatic. Completed in under a second.

And almost entirely attackable if any single step is misconfigured.

Hands-On Lab: See the Whole Chain With Docker

Congratulations! You now understand the whole process. Which is great!

But just a theory isn’t enough. If you want to get ahead of other candidates, you must get that hands-on experience.

That’s why I prepared a lab that recreates DNS resolution, HTTP requests, and live TLS negotiation in a contained environment.

What you need: Docker Desktop. Nothing else.

If you don’t know how to use Docker or what it is, I got you covered.
→ Download a free step-by-step guide HERE.

Read more

Good move!

Most people will tell you that it is impossible to pass the exam without a $500 course.

Most people will tell you it doesn’t make any sense to take the exam if you don’t have X (choose a random number) years of experience.

DO NOT LISTEN TO THEM!

I don’t know you, but I know that if you dedicate 4 weeks of your life to this, you will pass the exam. All you need to do is have a good plan and take action.

I can’t force you to take action, but I can tell you exactly what matters for the exam, thereby reducing your required effort to a bare minimum.

How am I going to do it?

In this 3-part series, not only will I provide resources and study materials that will explain the concepts from the exam, but I will also explain how the exam tests you and what to focus on.

What CompTIA Security+ Really Is

Before we deep-dive into the details of this exam, let’s take a moment to talk about what this certification is and what it offers.

Security+ is an entry-level cybersecurity certification from CompTIA, one of the most recognized names in IT certifications.

It's vendor-neutral. Which means it doesn't teach you how to use one specific tool or platform. Instead, it teaches you how to think like a security professional.

So if you hope to learn how to properly set up Microsoft Intune, this is not the right choice.

However, if you're career-switching into cybersecurity, Security+ is often the first certification hiring managers want to see on your resume.

Simply, it is a smart choice for people who understand that Cybersecurity concepts are not tied to any platform. And since you’re reading this, I have a feeling you are that kind of person!

Are you preparing for the Security+ exam? Let me know in the comments!

Leave a comment

The 5 Domains of Security+

Understanding the exam structure is not optional.

It’s one of the fastest ways to improve your score.

The current version (SY0-701) is built around 5 domains:

1. General Security Concepts (12%) → The fundamentals. Why security exists and the core principles (like CIA) everything is built on.

2. Threats, Vulnerabilities, and Mitigations (22%) → What can go wrong, how attackers exploit it, and how you stop them.

3. Security Architecture (18%) → How to design systems so they’re secure from the start, not fixed later.

4. Security Operations (28%) → What you actually do day-to-day: monitor, detect, and respond to threats.

5. Security Program Management and Oversight (20%) → The business side: managing risk, setting policies, and aligning security with company goals.

It is important to notice that the domains are not equal.

For example, Security Operations alone = 28% of the exam

That means: You can spend hours memorizing definitions from Domain 1, and still fail because you ignored how security works in practice.

Next week, I’ll walk you through each domain step-by-step so you can actually apply them in the exam. Subscribe to follow the full series.

Subscribe now

Exam details

I am not going to go into all the details, as you can easily find them on the CompTIA website. However, I think it is worth mentioning what you should expect.

Number of questions: Maximum of 90 questions
Time limit: 90 minutes
Passing score: 750 out of 900
Testing options: Testing center or online-proctored exam

But the most important thing is the type of questions.
The exam combines performance-based and multiple-choice questions.

And trust me, the first time you see them, all 4 answers will look correct.

That’s intentional.

Your job isn’t to find a correct answer, it’s to choose the best one.

And I’ll help you develop the eye for detail to do exactly that.

Are you ready to lock in and pass the exam?
Comment “Security+“ and I will send you a FREE guide that describes TOP 10 Cybersecurity Fundamentals you need for the exam.

Leave a comment

Conclusion

Security+ is a big milestone for people who are new to cybersecurity, but it is not as complicated as people make it.

What makes it hard is not knowing what to focus on. That’s the only reason why people spend $1,000s for Security+ courses.

If you commit the next 4 weeks to this properly, you won’t just pass the exam.

You’ll actually understand the basics of cybersecurity.

And that’s what separates people who “Pass and forget” from those who build a real career.

So let’s do this properly and let’s do this together!

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Let’s learn and grow together!

Next part is available here:

And you know what?
I think the only reason why it is confusing for so many people is that it’s explained incorrectly.

Most tutorials jump straight into masks, ranges, and formulas…

Without explaining what’s actually underneath.

And that’s the problem.

Because subnetting only makes sense once you understand one thing:

What an IP address really is!

Have you struggled with subnetting in the past? Give this article a like and help other people with the same problem discover it!

What is an IP address?

Most people see an IP address like this:

192.168.1.42

And treat it like a label.

But it’s not.

It’s a structured 32-bit number, and every part of it has meaning.

So here is what your IP address actually looks like.

Those dots between the numbers? That just separates bytes.

That 192 in your IP address? It’s actually 11000000 in binary.

Why am I talking about it?

Because once you think of an IP address as 4 bytes rather than 4 random numbers, things get a lot easier!

So the first lecture today is this:

Always think of an IP address as 4 individual bytes.

Now, I am going to show you why it’s so important.

Have you ever thought of an IP address this way?
If not, give this article a like and help other people find it!

Subnetting - What does it really mean?

Let’s start with the definition.

Definition: Subnetting is the process of dividing an IP network into smaller sub-networks by splitting the IP address into a network portion and a host portion.

That didn’t tell you much, huh?
Don’t worry, it didn’t mean to.

Let’s break it down in plain English.

Subnetting means:

Choosing how many bits identify the network, and how many identify the device.

So when you think of an IP address as a line of bits:

[ network bits | host bits ]

Subnetting is simply deciding where that boundary (“|”) sits.

On the left, we have a fixed number of bits that define the network, and on the right, we have a fixed number of bits that address individual devices.

Still confusing, right? Let’s take a look at an example.

Don’t give up now! It’s about to start making sense!

Example - Mask /24

The last term you need to know here is a “subnet mask.”

Here is the definition: A subnet mask is a 32-bit value that defines which part of an IP address represents the network and which part represents the host.

In other words, it is a simple representation of how many bits you reserve for addressing individual devices.

Basically, it’s just a fancy way of saying, put the boundary (“|”) here, thank you.

So, what if you have a /24 mask?

That means, you take the first 24 bits from the left and set them to 1.

11111111.11111111.11111111.00000000

In dotted decimal notation, it would look like this:

255.255.255.0

This means the first 24 bits define the network. They are fixed, and only the last 8 bits (last byte) are dedicated to individual devices.

192.168.1.X // X - devices

So, how many devices do you think you can have in this network?

Leave a comment

Have you answered it in the comments?

No?

This is how you learn, think about it, and give us your answer!

Okay, great. Let’s see what the correct answer is.

You have 8 bits, which can hold 2 values: 0 and 1.

That 2^8 combinations = 256 devices.

If that was your answer, you’re almost correct.

The correct answer is 254. Why? Because you have to exclude network and broadcast addresses. We’ll talk about it next time!

What’s next

First of all, if you don’t fully understand subnetting now, don’t worry. It can be a very confusing topic at first.

Take your time, and read this article twice. Once you do, you can try to create subnets with different masks.

192.168.1.0/25
192.168.1.0/12
192.168.1.0/27

Take a pen and paper and answer the following questions.

• What does the network mask actually look like?

• How many devices can there be?

• And what would the network and broadcast addresses be?

• What is the first and last usable address?

If you answer these in the comments, I will personally give you feedback!

Leave a comment

Conclusion

Congratulations! You just took a huge step in your cybersecurity journey, and I am proud of you.

After reading this article, you are now able to design a network with adequate subnets. You know what an IP address actually is and what those funny numbers after “/” mean.

Believe it or not, that puts you way ahead of most people. Really, go ahead and ask around and see for yourself how many people can give you the right answer. I’ll wait!

Next time, we will talk about cybersecurity implications.

So subscribe and learn something new every week!

Thank you for reading Decoded Security!

Erich

‼️ Free Resource 🚨

If this article helped, I put together a free 80-page guide covering the 10 cybersecurity concepts behind 90% of entry-level interview questions.

👉 Download it here: decodedsecurity.gumroad.com/l/Top10_Cybersecurity_Concepts

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Email: erich.winkler@decodedsecurity.com

LinkedIn: Erich Winkler

Gumroad community: Decoded Security

Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

It was back in school. I had studied for weeks. I knew what TCP was. I had memorized the OSI model layers. I even felt good about it.

Then my professor asked me a simple question:

“Can you explain what actually happens during a three-way handshake, and why it matters from a security perspective?”

I answered something like: “SYN, SYN-ACK, ACK.”

Silence.

That’s not an explanation. That’s three acronyms.

And that’s the difference between memorizing networking and actually understanding it.

And since networking is one of the key domains in cybersecurity, you need to actually understand it.

Here are the 7 networking questions that expose that gap, and what a strong answer actually looks like.

‼️ Warning: CC, Security+, and CISSP relevant topic!

Why Networking Questions Are Different

Most beginners study cybersecurity tools.

Firewalls. IDS. SIEM. Endpoint protection.

But tools sit on top of networks.

If you don’t understand how networks actually work, how data moves, where it comes from, and where it goes, you don’t really understand what those tools are protecting.

And interviewers know that.

That’s why networking questions aren’t just knowledge checks.

They’re a test of how you think.

If you’re not familiar with the basics of network protocols yet, I recommend reading this first: Top 5 Most Important Network Protocols for Cybersecurity Beginners

‼️ Free Resource 🚨

If you’re just starting out in cybersecurity, I know how overwhelming it feels to figure out what to learn first.

I’ve been there.

That’s why I created a free 80-page guide covering the 10 cybersecurity concepts behind 90% of entry-level interview questions.

👉 Download it for free: decodedsecurity.gumroad.com/l/Top10_Cybersecurity_Concepts

Question 1: “What’s the difference between TCP and UDP?”

This question sounds basic.

That’s the point.

It’s a filter. If you can’t explain this clearly and connect it to security, the interviewer already knows the next questions will be harder for you.

Where beginners go wrong:

They answer with a definition.

“TCP is connection-oriented. UDP is connectionless.”

Technically correct. Completely forgettable.

What a strong answer sounds like:

Think of TCP like a phone call. Before either person says a word, you both confirm the other is there. If the call drops, you know immediately.

UDP is more like leaving a voicemail. You send it and assume it arrived. No confirmation.

That difference matters a lot in security.

Then you can simple continue with how it matters to cybersecurity:

TCP’s connection process is exactly what SYN flood attacks exploit. attackers send thousands of connection requests that they never complete, overwhelming the server with half-open connections.

UDP, because it has no handshake, gets abused in DNS amplification attacks, small requests generate massive responses, flooding a target with traffic.

I cover TCP and UDP in depth here: Top 5 Most Important Network Protocols for Cybersecurity Beginners

Question 2: “Walk me through what happens when you type google.com into your browser.”

This is the most comprehensive networking question.

It covers DNS, TCP, IP addressing, HTTP, and TLS. All in one answer.

Interviewers use it to see how deep your knowledge actually goes.

Where beginners go wrong:

“The browser looks up the IP address and loads the page.”

That’s one sentence. There are at least ten distinct steps happening.

What a strong answer sounds like:

First, your browser checks its local DNS cache. If it doesn’t know the IP address for google.com, it asks your operating system, which checks its own cache, then forwards the request to your DNS resolver.

The resolver works through the DNS hierarchy: root servers, then TLD servers for .com, then Google’s authoritative name servers, until it gets the IP address back.

Now your browser has an IP.

It uses TCP to connect with the target by sending a SYN, receiving a SYN-ACK, and confirming with an ACK.

If it’s HTTPS, a TLS handshake happens next. Certificates are exchanged, encryption is negotiated, and a secure session is established.

Then the HTTP request goes through, the server responds, and your browser renders the page.

Every single step in that process is a potential attack surface.

DNS can be poisoned. Certificates can be forged. The TCP handshake can be exploited.

This answer shows you understand where things can go wrong, not just that they usually go right.

Want to understand the DNS part of this in detail? Read this: This Is How I Explain DNS To Beginners

Do you find this article useful? Give it a like, it helps me understand what topics to cover next!

Question 3: “What is a subnet mask and why does it matter?”

Subnetting confuses more beginners than almost any other networking topic.

Not because it’s impossibly hard. But most people memorize the formula without understanding what it’s actually doing.

Where beginners go wrong:

“255.255.255.0 means a /24 subnet.”

Okay. But why? And what does that have to do with security?

What a strong answer sounds like:

Think of a city divided into neighborhoods. The subnet mask is what defines those neighborhood boundaries.

It tells a device: “These addresses are local, talk to them directly. Those addresses are outside your network, send that traffic to the router.”

A /24 subnet mask means the first 24 bits define the network. The last 8 bits identify individual devices. That gives you 254 usable host addresses within that network.

From a security perspective, this is the foundation of network segmentation.

In a well-designed network, your servers, workstations, IoT devices, and guest Wi-Fi are all on separate subnets.

Why?

Because if an attacker compromises a guest laptop, the subnet boundary limits how far they can move. They can’t simply reach your file servers. The network is divided by design.

That’s not just a networking concept. That’s the principle of least privilege applied to infrastructure.

For more on private IP addresses, public addresses, and how network segmentation works in practice, read this: Why Most Beginners Don’t Understand How Networks Actually Work

Question 4: “What’s the difference between a hub, a switch, and a router?”

This one catches people who only studied software-side security.

Network defenders need to understand how traffic flows at the hardware level. This is where attacks become visible, or invisible.

Where beginners go wrong:

Treating all three as “things that connect computers to a network.”

They have fundamentally different behaviors. And those differences change how attacks work.

What a strong answer sounds like:

A hub is the least intelligent device. It receives data on one port and broadcasts it to every other port. Every device on the network sees every packet, even packets not meant for them.

A switch is smarter. It learns which device is connected to which port by tracking MAC addresses. When data arrives, it sends it only to the correct port. Traffic is contained.

A router operates at a different level entirely. It works with IP addresses, not MAC addresses, and it connects different networks together. Your home router connects your local network to the internet.

Here’s why that matters for security.

In a hub-based network, any device can capture all traffic passively, using nothing more than a tool like Wireshark. No special access needed.

Switches replaced hubs to solve exactly this problem.

But even on switched networks, an attack called ARP poisoning can trick the switch into flooding traffic everywhere, recreating hub-like behavior for an attacker who knows what they’re doing.

Want to understand how these devices fit into the bigger picture of network architecture? I cover hubs, switches, routers, proxies, and more in detail here: What Are the Things That Keep Our Networks Alive?

Question 5: “What is a firewall and what can’t it do?”

Everyone can answer the first half.

The second half is where most beginners stop cold.

And stopping there tells the interviewer that you see security tools as magic boxes — not as components with specific, bounded functions.

Where beginners go wrong:

“A firewall filters traffic based on rules.”

True. But incomplete.

What a strong answer sounds like:

A firewall is like a security checkpoint at the entrance of a building. It inspects what’s coming in and going out based on an approved list: IP addresses, ports, protocols.

Traditional firewalls are excellent at enforcing those perimeter rules. Block all incoming traffic on port 23 (Telnet)? Easy. Allow only HTTPS on port 443? Done.

But here’s what a firewall cannot do.

It cannot inspect encrypted traffic without special capabilities. If an attacker is communicating over HTTPS port 443, the firewall sees a valid connection — it has no visibility into what’s inside.

It cannot stop insider threats. It cannot detect stolen credentials being used correctly. It has no visibility into attacks that originate from inside the network.

This is why a firewall alone is never enough.

Understanding the limits of a control is what separates a security professional from someone who just passed a certification exam.

Not all firewalls work the same way, though. Packet filtering, stateful, proxy, and next-generation firewalls each have different capabilities — and different blind spots. I break them all down here: The Complete Guide to Firewall Types: From Packet Filters to Next-Gen

Are you preparing for a cybersecurity interview or certification? Let me know in the comments! I’d love to know what topics would help you most!

Question 6: “What is the difference between IDS and IPS?”

These two tools get confused constantly.

Even by people who have been in IT for years.

Where beginners go wrong:

“IDS detects threats. IPS prevents them.”

That’s the one-liner. It’s correct but empty.

What a strong answer sounds like:

An IDS (Intrusion Detection System) is a passive observer. It watches network traffic, compares it against known patterns and signatures, and raises an alert when something looks suspicious. It sees everything. It stops nothing.

An IPS (Intrusion Prevention System) is an IDS with authority. It sits inline on the network, meaning all traffic has to pass through it. When it detects a threat, it can drop the packet, block the connection, or quarantine the source. In real time.

Think of it this way: an IDS is a security camera. An IPS is a security camera with a locked door attached to it.

Now here’s the part most beginners miss.

An IPS sounds strictly better. So why would you ever choose detection without prevention?

Because an IPS carries real risk. False positives on an IDS generate alerts. False positives on an IPS block legitimate traffic. A misconfigured IPS can take down business-critical applications.

In sensitive environments, an IDS is sometimes the right choice precisely because it cannot accidentally break things while it watches.

Knowing when not to use a control is as important as knowing what the control does.

Question 7: “What happens during a three-way handshake?”

And finally, let’s go back to the original question!

This question appears in almost every entry-level and mid-level security interview.

And answering it poorly is a red flag, because the follow-up questions about attacks build directly on top of it.

Where beginners go wrong:

“SYN, SYN-ACK, ACK.”

Three acronyms are not an explanation.

What a strong answer sounds like:

The three-way handshake is how TCP establishes a reliable connection before any data is sent. It’s the mutual agreement that both sides are ready to communicate.

Step one: the client sends a SYN packet to the server. It’s saying: “I want to connect, and here’s my starting sequence number.”

Step two: the server responds with a SYN-ACK. “Got it. I’m ready. Here’s my sequence number.”

Step three: the client sends an ACK back. “Confirmed. Let’s communicate.”

Now, both sides have synchronized sequence numbers, and a connection is established.

Here’s why this matters from an attack perspective.

A SYN flood attack exploits step one.

An attacker sends thousands of SYN packets: often using spoofed IP addresses, and never sends the final ACK.

The server keeps allocating memory and resources, waiting for confirmations that never arrive.

Eventually, it runs out of capacity to handle legitimate connections.

This is a classic denial-of-service technique.

And understanding the handshake is exactly what makes the attack make sense.

I cover TCP in detail as part of this article: Top 5 Most Important Network Protocols for Cybersecurity Beginners

Conclusion

Read through those seven questions again.

Notice what every strong answer has in common.

It’s not just technical accuracy.

Every answer connects the concept to a security implication. Every answer shows the interviewer that the candidate isn’t just reciting a textbook.

They’re thinking like someone who has to defend a real network.

That’s what the interview is actually testing.

Not whether you memorized the right definition. But whether you can look at a protocol, a device, or a tool, and immediately see where it breaks, where it gets abused, and why it matters.

If you can do that consistently, you’re not a beginner anymore.

Key Takeaways

Here’s what I want you to remember:

• Interviewers don’t want definitions. They want understanding.

• Every networking concept has a security implication. Always connect the two.

• TCP and UDP behave differently, and attackers exploit both.

• Subnetting and IP addressing are the foundation of network segmentation.

• Every security control has limits. Knowing those limits is what makes you dangerous.

• The three-way handshake isn’t trivia. It’s the foundation of connection-based attacks.

• Keep going. Foundations take time to build. But they never stop paying off.

‼️ Free Resource 🚨

If this article helped, I put together a free 80-page guide covering the 10 cybersecurity concepts behind 90% of entry-level interview questions.

It’s free. No catch.

👉 Download it here: decodedsecurity.gumroad.com/l/Top10_Cybersecurity_Concepts

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Email: erich.winkler@decodedsecurity.com

LinkedIn: Erich Winkler

Gumroad community: Decoded Security

Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

Networking fundamentals every cybersecurity beginner must understand

After publishing my article about the 5 most important network protocols every cybersecurity beginner should understand, many of my subscribers asked me what else people should know about networking.

That’s why I’d like to explain one of the most fundamental concepts of modern networking.

Because protocols like HTTP, TCP, UDP, SMTP, and FTP explain how systems communicate.

But there is another question beginners rarely ask:

Where are these systems actually located?

Because communication between systems only makes sense if you understand how networks are structured.

And that leads us to one of the most important concepts in cybersecurity:

Private IP addresses, public IP addresses, and network segmentation.

Understanding this will help you answer a surprising number of interview questions and explain how attackers move through networks.

Quick Recap: Systems Are Always Communicating

In the previous article, we talked about protocols like:

• HTTP for web traffic
• TCP for reliable communication
• UDP for fast communication
• SMTP for email
• FTP for file transfers

These protocols define how systems talk to each other.

For example:

Your browser communicates with a web server using HTTP over TCP.

But before that communication even starts, something else must happen.

Your computer needs to know:

Where is the server located?

And this is where IP addresses come in.

What Is an IP Address?

An IP address is basically the network location of a device.

Think of it like a postal address for computers.

Example:

192.168.1.15

This address allows other systems to send data to your device.

Without IP addresses, protocols like HTTP or SMTP would have no idea where to send data.

But not all IP addresses behave the same.

There are two types you absolutely need to understand.

Note: If you are not familiar with network devices, I recommend reading this article: What are the things that keep our networks alive?

Public IP Addresses

A public IP address is visible to the entire Internet.

Anyone can send traffic to it.

Example:

8.8.8.8

This is Google’s public DNS server.

Public IP addresses are assigned by:

• internet service providers

• cloud providers

• hosting companies

From a cybersecurity perspective, this is important because:

Anything with a public IP address is exposed to the internet.

And exposed systems get scanned constantly.

There are automated bots scanning the internet 24/7 looking for:

• vulnerable servers

• outdated software

• open ports

• misconfigured services

Public IP addresses create an attack surface.

Are you interested in more articles about networking? Let me know in the comments!

Leave a comment

Private IP Addresses

Private IP addresses are used inside internal networks.

They cannot be reached directly from the internet.

Why do we need them?

Because there aren’t enough public IPv4 addresses for every device in the world. Instead of giving every device its own public IP, networks use private addresses internally, which can be reused by anyone.

If you check your home network right now, your devices probably look something like this:

Router: 192.168.1.1
Laptop: 192.168.1.15
Phone:  192.168.1.22
TV:     192.168.1.40

These devices communicate internally using private IP addresses.

But they still access the internet.

How?

Through something called NAT.

NAT: The Translator Between Private and Public Networks

Your router has two identities.

Inside the network:

192.168.1.1

On the internet:

203.0.113.24

When your laptop sends traffic to a website:

192.168.1.15 → google.com

Your router translates it so the internet sees:

203.0.113.24 → google.com

The response then returns to the router, which forwards it to the correct internal device.

This allows many devices to share a single public IP address.

But here’s something many beginners misunderstand.

Private IP addresses were created to solve an address shortage problem, not security problems.

If you’d like to see how this works in practice, I can show you how to build a small simulated network on your own computer.

We’ll create a private network, assign IP addresses, and see how NAT works in real time.

If you’re interested, let me know in the comments and I’ll create the lab.

Leave a comment

What Should You Learn Next?

If you’re starting your cybersecurity journey, focus on fundamentals.

You don’t need to learn everything at once.

Start with:

• Network protocols

• IP addressing (Here)

• DNS

• Encryption

• Network Devices

These concepts appear everywhere in cybersecurity.

And if you master them, you will already be ahead of most beginners.

Let’s connect

If you want to collaborate, discuss, or just geek out over virtualization and cloud security, reach out to me:

• Email: erich.winkler@decodedsecurity.com

• LinkedIn: Erich Winkler

• Gumroad community: Decoded Security

• Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

What stops someone from replacing the file with malware?

This is exactly the problem digital signatures solve.

In this article, I’ll explain how digital signatures work, and then we’ll build a small Docker lab where you can try it yourself in 5 minutes.

What You’ll Learn

Before we dive in, here’s what you’ll learn in this article:

• What digital signatures are and why they are important
• How digital signatures protect integrity and authenticity
• How the digital signing process works step by step
• How to create and verify a digital signature yourself
• How tampering with a file breaks the signature

By the end of this article, you won’t just understand digital signatures in theory, you’ll see them working in practice and be able to sign any file!

If you find this article helpful, consider liking the post so more people can discover. I appreciate your time! Thank you!

The Theory

Let’s start with the theoretical background. I know it sounds boring, but like it or not, if you want a career in cybersecurity, you need to know why you do things, not just how to do them.

Digital signatures solve two main problems:

1. Integrity
   The file was not modified.

2. Authenticity
   The file was created by the expected sender.

If you’re not familiar with those terms, I got you covered: CIA Triad

Let’s look at a simple example.

Imagine someone sends you a file.

It contains payment instructions for transferring a large amount of money.

But an attacker intercepts the file and sends you a modified version with different payment details.

The document looks identical.

You send the money.

It’s gone.

Digital signatures prevent that.

They allow the receiver to verify that:

• The file was created by the claimed sender

• The file was not modified by anyone else

How does the whole process work?

Great, now we know what problem we are solving here.
Now let’s walk through the process step by step.

As always, we have Alice and Bob, and Alice wants to send a message to Bob, while Bob needs to be sure that the message is really from Alice and wasn’t modified by anyone else.

They need to perform the following steps:

1. Alice creates a message

For example, the message contains payment information.

2. The message is hashed

Alice runs the message through a hash function.

A hash function converts the message into a short fixed-length value called a hash.
( more information about hashing here: Hashing: What It Is and Why It’s Not the Same as Encryption)

Even a tiny change in the message would produce a completely different hash. So that ensures that any changes are discoverable.

3. Alice signs the hash

This might be a little tricky. What does it mean to sign the hash?
In this case, it means encrypting the hash using your private key.

If you’re not familiar with asymmetric cryptography and its key, I got you covered: Symmetric vs Asymmetric Encryption: What’s the Difference?

So, in our scenario, Alice encrypts the hash using her private key.
This encrypted hash is called the digital signature.

4. Alice sends the message and the signature

Alice sends the message along with the digital signature to Bob.

5. Bob verifies the signature

Bob performs two checks:

1. Bob hashes the original message.

2. Bob decrypts the signature using Alice’s public key to obtain the original hash.

Finally, Bob compares the two hashes.

If they match:

• The message was not modified (integrity)

• The message was signed by Alice (authenticity)

If the hashes are different, the message was tampered with.

Key takeaways

Before we move to the practical lab, let’s summarize the most important points.

• Digital signatures protect both integrity and authenticity.

• They combine hashing and asymmetric cryptography.

• Only the sender can create a valid signature using the private key.

• Anyone can verify the signature using the public key.

• If the hashes don’t match, the message was tampered with.

Hands-On Lab: Try Digital Signatures Yourself

Okay, enough theory! You need to convince people that you are really good at cybersecurity, and the only way to do that is to show them something real.

Let’s see how digital signatures work in practice.

In this short lab, we will:

• generate a private and public key

• create a message

• sign the message

• verify the signature

• modify the message and watch the verification fail

To keep things simple, we’ll run everything inside a Docker container with OpenSSL.

If you don’t know how to use Docker, I have created a simple guide for you for FREE: Docker Guide

Step 1: Create the Lab Environment

Create a new folder for the lab:

digital-signature-lab

Inside the folder, create a file called:

Dockerfile

Add the following content:

FROM ubuntu:22.04

RUN apt-get update && \
    apt-get install -y openssl

WORKDIR /lab

CMD ["/bin/bash"]

This container simply installs OpenSSL, which we’ll use to create and verify digital signatures.

Step 2: Build the Docker Image

Build the container:

docker build -t signature-lab .

Step 3: Start the Container

Run the container:

docker run -it signature-lab

You are now inside the lab environment.

Step 4: Generate a Key Pair

First, we generate a private key.

openssl genrsa -out private.key 2048

Now extract the public key from it:

openssl rsa -in private.key -pubout -out public.key

You should now have two files:

private.key
public.key

Remember:

• Private key → used to sign

• Public key → used to verify

Step 5: Create a Message

Let’s create a simple message file:

echo “Send €10,000 to account 12345” > message.txt

Check the file:

cat message.txt

Step 6: Sign the Message

Now Alice signs the message using her private key.

openssl dgst -sha256 -sign private.key -out signature.bin message.txt

This command:

1. hashes the message using SHA-256

2. encrypts the hash using the private key

3. creates a digital signature

You should now have:

message.txt
signature.bin

Step 7:Verify the Signature

Now Bob verifies the message using Alice’s public key.

openssl dgst -sha256 -verify public.key -signature signature.bin message.txt

If everything is correct, you will see:

Verified OK

This means:

• The message was not modified

• The signature was created using Alice’s private key

Step 8: Simulate an Attack

Now, let’s simulate an attacker modifying the message.

Change the file:

echo “Send €10,000 to account 99999” > message.txt

Try to verify the signature again:

openssl dgst -sha256 -verify public.key -signature signature.bin message.txt

This time, you should see an error message:

Verification Failure (or similar)

Why?

Because the message changed → the hash changed → the signature no longer matches.

This is exactly how digital signatures detect tampering.

What We Just Did

In this small lab, you reproduced the exact process used in real systems:

1. Create a message

2. Hash the message

3. Sign the hash with a private key

4. Send message + signature

5. Verify using the public key

This mechanism protects many things you use every day:

• software updates

• code signing

• secure email

• TLS certificates

Without digital signatures, trust on the internet would be extremely difficult.

Leave a comment

Conclusion

Digital signatures are one of the most important building blocks of modern cybersecurity.

They allow us to verify that the data was not modified and that it really came from the expected sender.

This simple idea, hash the data, sign the hash, verify the signature, is what protects many systems we use every day.

Software updates, secure emails, TLS certificates, and signed applications all rely on this mechanism.

Without digital signatures, trusting software and data on the internet would be extremely difficult.

Now that you understand how they work, you’ve taken another step toward thinking like a cybersecurity professional.

See you next time!

Erich
Decoded Security

Let’s connect

If you want to collaborate, discuss, or just geek out over virtualization and cloud security, reach out to me:

• Email: erich.winkler@decodedsecurity.com

• LinkedIn: Erich Winkler

• Gumroad community: Decoded Security

• Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!