How do you prove someone is who they claim to be?

Because if you get this wrong, nothing else matters.

It doesn’t matter how well your whole system is set up if you can’t be sure who you are talking to.

That’s why the process of authentication is so widely tested during all cybersecurity exams, including the CC, CISSP, and Security+.

Not familiar with the methods of authentication yet? Read this First!

Today, we are going to focus on a method that is treated as the gold standard.

But just because this method is better than asking for a password, that doesn’t make it automatically secure.

And be sure that the exam will test you on that.

Let’s get to it!

Biometric authentication

Definition: Biometrics verifies an individual’s identity by analyzing a unique personal characteristic.

That sounds pretty clear, doesn’t it?

You simply take anything that you can reliably analyze and is based on unique personal characteristics and uses instead of a dumb password.

Well, there is a catch. But before I tell it to you, let’s add more definitions to make sure you know everything you need.

There are two types of biometric authentication:

1. Physiological: Uses physical attributes unique to an individual

   1. Fingerprints

   2. Retina / Iris (Note: Privacy issues - PHI)

   3. Facial structure

   4. Hand geometry

2. Behavioral: Uses patterns of behavior unique to an individual

   1. Signature dynamics

   2. Keystroke dynamics

   3. Voice patterns

Why is this so important?

Because behavioral characteristics can change over time. We are not machines, and we don’t always do things the same way.

Make sure to keep it in mind!

“The Catch” - Errors

Exam tip: This is what you actually need to know

Remember how I mentioned “the catch”?

Here it is:

Biometric authentication doesn’t always work as expected.

With passwords, it’s simple:

• 100 % Match → access granted

• No match → access denied

It’s 100% or nothing.

But biometrics don’t work like that.

You never get a perfect match.

Instead, the system asks:

“Is this close enough to be the same person?”

And that’s where problems start.

Because now, two things can happen:

1. False Rejection Rate (FRR)

Event: The system rejects a legitimate user.

FRR Definition: The percentage of times a biometric system incorrectly rejects a legitimate user.

Example: Your fingerprint is valid, but the system doesn’t recognize it.

2. False Acceptance Rate (FAR)

Event: An attacker is accepted as a legitimate user.

Definition:
The percentage of times a biometric system incorrectly accepts an unauthorized user.

Which one is better?

Well, that depends on the system.

If you make the system stricter:

• FAR ↓ (more secure)

• FRR ↑ (more users get blocked)

If you make it more lenient:

• FRR ↓ (better usability)

• FAR ↑ (less secure)

  

Without changing the biometric mechanism, you can only decide which mistake you prefer.

Great. Now you understand the main problem with biometric authentication and its sensitivity.

Now there is one more question to answer: How do we compare biometric systems?

Because every system has FRR and FAR.

And depending on the configuration, you can tune one… but worsen the other.

So which one matters more?

FRR or FAR? And at what setting?

This is exactly why we use the Crossover Error Rate (CER).

Crossover Error Rate (CER)

Definition:
The point at which the False Rejection Rate (FRR) equals the False Acceptance Rate (FAR).

In other words, it’s the point where the system makes equal mistakes on both sides.

It is a single number to compare biometric systems.

• Lower CER → fewer total errors → better system

• Higher CER → more errors → worse system

And that’s it! You can now compare two biometric systems!

Additional Information (Exam Notes)

• Biometrics are based on probability, not certainty

• Threshold setting determines system sensitivity (strict vs lenient)

• Lower threshold → higher FAR, lower FRR

• Higher threshold → lower FAR, higher FRR

• False Acceptance Rate (FAR) is a bigger security risk than FRR

• False Rejection Rate (FRR) mainly affects usability

• Crossover Error Rate (CER) is used to compare systems

• Lower CER = better overall accuracy

• Physiological biometrics are generally more stable than behavioral ones

• Some methods raise privacy concerns (e.g., retina scan → PHI)

• Processing speed matters (slow systems reduce adoption)

• BIOMETRIC SYSTEMS ARE EXPENSIVE!

Conclusion

Congratulations! After reading this article, you are ahead of most people.

You now understand that biometrics isn’t just about scanning fingerprints.

You understand both its benefits and its drawbacks, including the errors involved.

We also covered how to prioritize error types based on system sensitivity and how to compare biometric systems.

With all of that, you are more prepared than 95% of people claiming to be cybersecurity experts.

Thanks for reading Decoded Security!

— Erich

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

It was the CISSP exam that made me realize that what I know isn’t enough.

The question was quite simple: What is a Man-in-the-Middle attack?

And I got a very simple answer: It is a type of attack where an attacker positions himself between two parties who believe they are interacting directly.

Easy and correct answer, right?

Well, it is. But if you believe this is enough to pass cybersecurity exams and interviews, you’re wrong.

After reading this article, you will know everything you need to know about this attack for CC, Security+, CISSP exams, and in actual real-world scenarios.

Warning: CC, CISSP, and Security+ relevant topic!

What is a MitM Attack?

Let’s start from the beginning and describe what this term means.

The MitM Attack is a TYPE of attack where an attacker positions themselves between two parties communicating.

Instead of:
Client → Server

It becomes:
Client → Attacker → Server

And what is so dangerous about it?

The client probably won’t even recognize it. Everything works as usual. You open any website, check your emails, and watch YouTube videos.

But the attacker can now:

• Read the traffic

• Modify it

• Steal sensitive data

In other words, all core Cybersecurity objectives of the CIA triad are threatened.

And yes, you guessed it right, that’s no good.

Before we go through a specific example, let’s answer one more question that is frequently asked in both exams and interviews.

Question: How does a MitM attack affect the core cybersecurity objectives?

Answer:

CIA Triad

• Confidentiality - Broken

  • Compromised

  • Without further security controls, the attacker can intercept sensitive data (passwords, emails, tokens)

  

• Integrity

  • Compromised

  • An attacker can modify messages in transit

  • → Data arrives altered without the sender/receiver knowing

• Availability

  • Usually unaffected (but can be impacted)

  • MitM is primarily passive/stealthy

  • → In some cases, an attacker may drop or delay packets (DoS-like behavior)

So, if you ever get this question, and if you’re serious about cybersecurity, you probably will, make sure to understand which core cybersecurity objectives are typically the most affected by this type of attack.

Great! Enough theory!

Now it’s time to get some hands-on experience and try this attack by yourself.

Because that’s what differentiates people who know just theory, and who actually understand the concept. You can’t replace hands-on experience with hours of reading.

And that’s why I prepared a simple Docker Lab, which will guide you step by step on how to simulate this attack.

Let’s get to it!

Are you preparing for the CC, Security+, or CISSP exam?

Comment “CYBERSECURITY” and I will send you a free guide focusing on Top 10 Cybersecurity Fundamentals.

Hands-On Docker Lab: Man-in-the-Middle Attack

How the attack actually happens

Let’s do something most cybersecurity content never shows you:

Instead of just reading about a Man-in-the-Middle attack, you’ll simulate one yourself.

What you’re about to build

You will simulate this exact scenario:

Victim (Browser) → Attacker (MitM Proxy) → Web Server

The attacker will sit in the middle and capture session data in real time.

Read more

In the previous articles, we have covered what the exam looks like. Its structure, domains, and the distribution of points between them.

I also provided you with study resources that are laser-focused on things you need to answer the questions correctly.

And after covering all of that, you miss only one last thing to successfully pass the Security+ exam.

A strategy. Today, we will take all the knowledge and create a plan that will get you where you want to be.

This article gives you that system.

A clear plan for what to do every week and every single day.

So you can stop guessing and start executing.

The 4-Week Strategy (Simple, Not Easy)

Your entire preparation has 3 phases. And what I like about it is that it works for almost any exam you will ever take.

Phase 1: Build Understanding (Week 1)

Goals:

• Understand the concept of the exam

• List topics for each domain

• Understand the fundamentals

What you do:

• Read the introduction where I describe the exam - Exam structure

• Open an Excel or take a piece of paper and list all the main topics for each domain. I made that easy for you: Security+ Domains

• Go through the core concepts - Luckily for you, I covered the Top 10 most important concepts in my FREE guide - Top 10 Cybersecurity fundamentals

Okay, now you should have a complete overview of what you need to learn. That’s a great start.

Start with the topics I listed and make sure to write down all terms that you are not familiar with.

Outcome of this phase:

• A complete list of all topics you need to understand for the exam

• List of terms you need to be familiar with

• A mindmap describing how the terms connect together

Phase 2: Connect the Dots And Test Yourself Soon (Week 2–3)

Most people wait for practice tests until the very last moment.

They are afraid of failing.

Here is the thing: You are allowed to fail in the preparation phase. That’s what forces you to learn.

So, the second you read through the fundamentals, it’s time to start testing yourself.

And, very importantly, add the topics from the practice test to your list. That’s absolutely crucial.

At the end of week 2, you should be stressed about how big your list got and that you are running out of time.

If that’s what you are feeling now, you’re on the right track! Don’t stop!

And if you feel overwhelmed, I’d recommend using an approach that helped me many times in my life and by which I was able to pass the CISSP exam while working full-time.

Divide and Conquer

When your list gets overwhelming, don’t try to fix everything at once.

Break it down:

• Pick one domain

• Focus only on that

• Close the gaps

• Move to the next

Make sure to check the topics in your list and track your progress. That will keep you motivated. Once you check all the topics from one domain, take the practice test again. It will feel good that you know the answers!

Phase 3: Think Like the Exam (Week 4)

Until now, I strongly encouraged you to deep dive into the topics. Truly understand what’s going on behind the scenes.

But this is the time to get practical.

You’ve spent 3 weeks reading materials, watching tutorials, and connecting the dots. You’ve got plenty of diagrams, notes, and maybe ANKI cards.

That will all serve you well in your career.

But now, you need results. Which means, stop caring about how things work and start giving answers that the exam expects.

Every exam have different way the questions are phrased, meant, and created.

You are at a huge disadvantage. The people who created the exam are the ones who set the rules.

You need to adapt. And the best way to do that is to practice the question as much as possible.

So here is the recipe for this phase:

• Full practice exams daily

• Timed conditions

• Focus on weak areas only

• Light review

How to Know You’re Ready

Simple:

• You consistently score 80%+ on practice exams

• You understand why the answers are correct

• You recognize patterns in the practice questions quickly

At that point, it’s time to take the exam.

Don’t wait for confidence.

Confidence comes after you pass.

Conclusion

This is how I passed even the most difficult cybersecurity exams there are.

Having a good strategy is more important than having years of experience. I know many people who have been in the field longer than I have and still failed.

Stop waiting to be ready. Don’t listen to people telling you don’t have a chance.

You don’t need more time. You don’t need more resources.

You need:

• Focus

• Consistency

• Study materials

• And a system

And I just gave you resources and a system. Now it’s time for you to add focus and consistency to the equation.

Follow this for 4 weeks, and you will pass.

Thanks for reading Decoded Security!

- Erich

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Let’s learn and grow together!

It isn’t a lack of experience.

It isn’t that they are not smart enough.

It isn’t even an absence of an $800 course.

It’s not knowing what really matters for the exam.

They treat all topics the same. They try to “cover everything.” And naturally, they get lost and fail.

In Part 1, we talked about what the exam really is.

Now it’s time to break it down:

👉 What’s inside each domain
👉 What you should actually focus on
👉 What you can safely ignore

Let’s get to it!

WARNING: This article won’t bring anything exciting, but it will help you bring structure to your preparation for the CompTIA Security+ exam.

If you’re just joining: This is Part 2 of my 3-part series on how to pass CompTIA Security+ in 4 weeks.

In Part 1, I explained:

• what the exam actually tests

• why most people fail

• how to think about Security+ the right way

Now we focus on what to study, and what to ignore.

The 5 Domains of Security+

I have already mentioned this last time, but I think it’s absolutely crucial to understand this.

Understanding the exam structure is not optional. It’s one of the fastest ways to improve your score.

The current version (SY0-701) is built around 5 domains.

And you need to know what hides under the hood of each domain. And yes, you guessed it right, that’s what I am going to show you today!

And not only that! I have already explained most of the topics in my 80+ articles here on Decoded Security. So, this is nothing but just a big bank of resources that will help you pass this exam without an $800 course!

Sounds good, right?

So let’s take it domain by domain!

General Security Concepts (12%)

The goal of this chapter is to verify that you understand the fundamental concepts of cybersecurity. Yes, it counts “only” for 12% of the exam, but you are going to need those concepts across all domains, so make sure you know them!

Note: Each topic links to a detailed article if you want to go deeper. :)

What to focus on:

• CIA Triad (Confidentiality, Integrity, Availability)

• AAA (Authentication, Authorization, Accounting)

• Security controls:

  • Technical

  • Administrative

  • Physical

• Core principles:

  • Least privilege

  • Zero Trust

  • Defense in depth

• Cryptography basics:

  • Symmetric vs asymmetric

  • Hashing vs encryption

  • Diffie-Hellman

  • Digital Signatures

• Networking Fundamentals:

  • Network Devices

  • IP addressing

Threats, Vulnerabilities, and Mitigations (22%)

The goal of this domain is to understand how attacks actually work and how to stop them.

You need to know the types of attacks to recognize them and design systems that are resilient to them.

What to focus on:

• Malware:

  • Ransomware

  • Trojans

  • Worms

• Social engineering:

  • Phishing

  • Pretexting

  • Baiting

• Network protocols

  • TCP/UDP

  • FTP

  • SMTP

  • ….. (see the article above)

• Network attacks: (in progress)

  • DoS / DDoS

  • Man-in-the-middle

  • DNS spoofing

• Vulnerabilities: (in progress)

  • Misconfigurations

  • Unpatched systems

  • Weak passwords

• Mitigation basics: (in progress)

  • Patching

  • Input validation

  • Segmentation

Security Architecture (18%)

This domain focuses on secure design.

In other words, it teaches you how to build systems that are secure by default, not systems that need to be fixed later.

You’re not reacting to attacks here. You’re preventing them before they even become possible.

This includes how networks are structured, how systems communicate, how identities are managed, and how trust is established between components.

Because once a system is deployed, fixing security issues becomes:
- slower
- more expensive
- and often incomplete

That’s why good security professionals think about architecture first.

What to focus on:

• Network design:

  • Segmentation (In progress)

  • DMZ (In progress)

  • DNS

  • Firewalls

  • Certification Authority

• Cloud:

  • Shared responsibility model

  • IaaS / PaaS / SaaS

  • Service-level agreement

• Zero Trust

• Secure protocols:

  • HTTPS / TLS

  • SSH

• Identity & Access Management

  • Access Control

  • Access Control Concepts

  • AAA Framework

• System hardening (In progress)

Are you preparing for the Security+ exam? Let me know in the comments and let’s discuss it!

Leave a comment

Security Operations (28%)

This is the most important domain on the exam.

This is where cybersecurity becomes real work.

You’re not designing systems anymore. You’re operating them.

• detecting attacks

• responding to incidents

• minimizing damage

• recovering systems

Basically, we focus on what you do when something actually happens.

Key idea here:
You won’t be judged on preventing every incident.
You’ll be judged on how you handle them.

What to focus on:

• Monitoring & logging: (In progress)

  • SIEM basics

  • Log analysis

• Incident response:

  • Preparation

  • Detection

  • Containment

  • Recovery

  • Reporting

• Vulnerability management (In progress)

  • Scanning

  • Prioritization

• Tools (high-level):

  • EDR (In progress)

  • IDS / IPS

• Backup & recovery

  • RAID

  • Secure Data Disposal

  • Secure Data Lifecycle

Is there any comment you are struggling with? Just let me know in the comments and I will break it down for you!

Leave a comment

Security Program Management and Oversight (20%) (My favorite domain!!)

This is where cybersecurity becomes a business decision.

It’s not about tools. It’s about managing risk.

Because in reality:

• You can’t secure everything

• You can’t eliminate all risk

So the goal is to understand risk and make the right decisions. Because at the end, it’s all about MONEY.

Most technical people underestimate this domain. That’s a mistake.

Because this is how companies actually decide:

• what to protect

• how much to invest

• what risks to accept

💡 Key idea:
Security is not about eliminating risk. It’s about managing it.

What to focus on:

• Risk management:

  • Risk = likelihood × impact

  • Mitigate / Transfer / Accept / Avoid

  • Risk Management frameworks

• Policies, standards, procedures

• Compliance and Privacy:

  • GDPR

  • HIPAA

  • PCI-DSS

  • FISMA

• Intellectual Property & Compliance

• Third-party risk (In progress)

• Security awareness (In progress)

This is it. That’s the list of topics you need to cover to have a chance to pass the exam!
I know it might look scary, but trust me. We just made a very important step.

We put everything we need to know in one place. Which means, now we just start crossing the things off the list.

Conclusion

This is it! The exam might sound scary at this point, but I promise you—once you start crossing topics off your list, it will feel better and better.

You now know:

• the structure of the exam

• what the exam looks like

• what is in each domain

And you have the resources to help you study.

You’re missing one last thing:

A strategy.

That’s what we’ll dive into next time!

Thanks for reading Decoded Security!

- Erich

PS: If you have any questions, feel free to reach out to me!

The last part of the series is already available here:

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Let’s learn and grow together!

Really..go out and ask people who have anything to do with tech.

They will all tell you how it’s easy, and everybody knows it.

Then ask them to explain the series of events that happen when you open a website.

That’s where the confidence disappears.

Because this isn’t a trivia question.

It’s a test of whether you understand the system or just memorize pieces of it.

And in cybersecurity, that difference matters.

Because you can’t protect what you don’t fully understand.

That’s why this question shows up in interviews.

And if you can answer it clearly, step by step, you’re already ahead of most candidates.

In this article, you’ll learn exactly that.

High-level concept

First, you need to understand that opening a website is not a single action.

It’s a chain of dependencies:

DNS → TCP → TLS → HTTP → Rendering

Each link of this chain solves a different problem:

• DNS → Where is the server? (Application layer)

• TCP → Can we communicate reliably? (Transport layer)

• TLS → Can I trust you? (Between Application and Transport)

• HTTP → Give me the content (Application layer)

Make sure you understand the TCP/IP model and its different layers.

Step-by-Step (Interview-Level Explanation)

1. URL Parsing

Let’s start from the beginning.
When you type:

https://www.example.com/login?user=admin

Your browser parse the URL:

• Scheme (Protocol) → https

• Host (Domain) → www.example.com

• Path → /login

• Query string → user=admin

The scheme (https) doesn’t just define the protocol, it determines the entire communication stack that will be used.

For example:

https:// → HTTP over TLS over TCP
http:// → HTTP over TCP

Okay great. We parsed the URL. What now? We want to send the request to the server, right?

Well, not so fast. We don’t even know where the server is yet..

2. DNS Resolution - Finding the Server

Your browser knows where to go. It doesn’t know the IP address yet.

DNS translates example.com into 93.184.216.34.

Here’s the real lookup chain, and where it stops depends on what’s already cached:

The query descends until one level can answer. Most everyday lookups never reach the root, they hit a cache first.

This is very simplified explanation, if you want to know more about how DNS really works, read it HERE:

Okay, great! Now we have the IP address and we can make the request, right?

Well, not yet!

Step 3: TCP Handshake (Making the Connection)

We need to establish a reliable connection first!

That’s the job for the Transport layer. In particular, the TCP protocol.

It establishes a connection between two devices using something called a three-way handshake:

1. SYN → Client wants to start communication

2. SYN-ACK → Server acknowledges

3. ACK → Client confirms

That’s it. Simple, efficient.

Do you want to know more? I love to hear that! I have covered this topic in one of my previous articles! Read it here: TCP protocol.

Okay, okay. So now it’s finally time to make a request, right?

Well, we are really almost there! I promise!

Step 4: TLS Handshake

This is where it gets interesting when it comes to security.

The TLS protocol lies between the application and transport layers.
It has three simple (haha)..ensure authenticity, integrity, confidentiality of the connection.

Here’s what each step actually does:

1. Client Hello: Your browser initiates the handshake by sending:

• Supported TLS versions

• Supported cipher suites

• Random data (used later for key generation)

2. Server Hello + Certificate

The server responds with:

• The selected cipher suite

• Its digital certificate

That certificate contains:

• The server’s public key

• A digital signature from a trusted Certificate Authority (CA)

3. Certificate Verification

Your browser validates the certificate:

• Is it signed by a trusted CA?

• Is it expired?

• Does the domain match?

If you don’t know what a Certification Authority is, I got you covered!

This is where your digital signatures article connects directly.

Without a valid signature, the browser rejects the connection.

4. Key Exchange

The client and server establish a shared secret.

In modern TLS (1.2+ / 1.3), this is typically done using:

• (EC)DHE → ephemeral key exchange

Important: The certificate is used for authentication, not for encrypting all traffic directly.

5. Secure Channel Established

Both sides derive session keys.

From this point on:

• All data is encrypted

• All data is integrity-protected

Step 5: HTTP Request and Response (Finally Asking for Data)

Once the secure channel is open, the browser sends:

GET /login HTTP/1.1
Host: example.com

The server processes the request, queries a database if needed, and returns HTML with a 200 OK response.

Step 6: Browser Rendering (The Part You Actually See)

The browser parses the HTML, loads CSS, and executes JavaScript.

Only now do you see the page.

Everything before this? Invisible. Automatic. Completed in under a second.

And almost entirely attackable if any single step is misconfigured.

Hands-On Lab: See the Whole Chain With Docker

Congratulations! You now understand the whole process. Which is great!

But just a theory isn’t enough. If you want to get ahead of other candidates, you must get that hands-on experience.

That’s why I prepared a lab that recreates DNS resolution, HTTP requests, and live TLS negotiation in a contained environment.

What you need: Docker Desktop. Nothing else.

If you don’t know how to use Docker or what it is, I got you covered.
→ Download a free step-by-step guide HERE.

Read more

Good move!

Most people will tell you that it is impossible to pass the exam without a $500 course.

Most people will tell you it doesn’t make any sense to take the exam if you don’t have X (choose a random number) years of experience.

DO NOT LISTEN TO THEM!

I don’t know you, but I know that if you dedicate 4 weeks of your life to this, you will pass the exam. All you need to do is have a good plan and take action.

I can’t force you to take action, but I can tell you exactly what matters for the exam, thereby reducing your required effort to a bare minimum.

How am I going to do it?

In this 3-part series, not only will I provide resources and study materials that will explain the concepts from the exam, but I will also explain how the exam tests you and what to focus on.

What CompTIA Security+ Really Is

Before we deep-dive into the details of this exam, let’s take a moment to talk about what this certification is and what it offers.

Security+ is an entry-level cybersecurity certification from CompTIA, one of the most recognized names in IT certifications.

It's vendor-neutral. Which means it doesn't teach you how to use one specific tool or platform. Instead, it teaches you how to think like a security professional.

So if you hope to learn how to properly set up Microsoft Intune, this is not the right choice.

However, if you're career-switching into cybersecurity, Security+ is often the first certification hiring managers want to see on your resume.

Simply, it is a smart choice for people who understand that Cybersecurity concepts are not tied to any platform. And since you’re reading this, I have a feeling you are that kind of person!

Are you preparing for the Security+ exam? Let me know in the comments!

Leave a comment

The 5 Domains of Security+

Understanding the exam structure is not optional.

It’s one of the fastest ways to improve your score.

The current version (SY0-701) is built around 5 domains:

1. General Security Concepts (12%) → The fundamentals. Why security exists and the core principles (like CIA) everything is built on.

2. Threats, Vulnerabilities, and Mitigations (22%) → What can go wrong, how attackers exploit it, and how you stop them.

3. Security Architecture (18%) → How to design systems so they’re secure from the start, not fixed later.

4. Security Operations (28%) → What you actually do day-to-day: monitor, detect, and respond to threats.

5. Security Program Management and Oversight (20%) → The business side: managing risk, setting policies, and aligning security with company goals.

It is important to notice that the domains are not equal.

For example, Security Operations alone = 28% of the exam

That means: You can spend hours memorizing definitions from Domain 1, and still fail because you ignored how security works in practice.

Next week, I’ll walk you through each domain step-by-step so you can actually apply them in the exam. Subscribe to follow the full series.

Subscribe now

Exam details

I am not going to go into all the details, as you can easily find them on the CompTIA website. However, I think it is worth mentioning what you should expect.

Number of questions: Maximum of 90 questions
Time limit: 90 minutes
Passing score: 750 out of 900
Testing options: Testing center or online-proctored exam

But the most important thing is the type of questions.
The exam combines performance-based and multiple-choice questions.

And trust me, the first time you see them, all 4 answers will look correct.

That’s intentional.

Your job isn’t to find a correct answer, it’s to choose the best one.

And I’ll help you develop the eye for detail to do exactly that.

Are you ready to lock in and pass the exam?
Comment “Security+“ and I will send you a FREE guide that describes TOP 10 Cybersecurity Fundamentals you need for the exam.

Leave a comment

Conclusion

Security+ is a big milestone for people who are new to cybersecurity, but it is not as complicated as people make it.

What makes it hard is not knowing what to focus on. That’s the only reason why people spend $1,000s for Security+ courses.

If you commit the next 4 weeks to this properly, you won’t just pass the exam.

You’ll actually understand the basics of cybersecurity.

And that’s what separates people who “Pass and forget” from those who build a real career.

So let’s do this properly and let’s do this together!

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Let’s learn and grow together!

Next part is available here:

And you know what?
I think the only reason why it is confusing for so many people is that it’s explained incorrectly.

Most tutorials jump straight into masks, ranges, and formulas…

Without explaining what’s actually underneath.

And that’s the problem.

Because subnetting only makes sense once you understand one thing:

What an IP address really is!

Have you struggled with subnetting in the past? Give this article a like and help other people with the same problem discover it!

What is an IP address?

Most people see an IP address like this:

192.168.1.42

And treat it like a label.

But it’s not.

It’s a structured 32-bit number, and every part of it has meaning.

So here is what your IP address actually looks like.

Those dots between the numbers? That just separates bytes.

That 192 in your IP address? It’s actually 11000000 in binary.

Why am I talking about it?

Because once you think of an IP address as 4 bytes rather than 4 random numbers, things get a lot easier!

So the first lecture today is this:

Always think of an IP address as 4 individual bytes.

Now, I am going to show you why it’s so important.

Have you ever thought of an IP address this way?
If not, give this article a like and help other people find it!

Subnetting - What does it really mean?

Let’s start with the definition.

Definition: Subnetting is the process of dividing an IP network into smaller sub-networks by splitting the IP address into a network portion and a host portion.

That didn’t tell you much, huh?
Don’t worry, it didn’t mean to.

Let’s break it down in plain English.

Subnetting means:

Choosing how many bits identify the network, and how many identify the device.

So when you think of an IP address as a line of bits:

[ network bits | host bits ]

Subnetting is simply deciding where that boundary (“|”) sits.

On the left, we have a fixed number of bits that define the network, and on the right, we have a fixed number of bits that address individual devices.

Still confusing, right? Let’s take a look at an example.

Don’t give up now! It’s about to start making sense!

Example - Mask /24

The last term you need to know here is a “subnet mask.”

Here is the definition: A subnet mask is a 32-bit value that defines which part of an IP address represents the network and which part represents the host.

In other words, it is a simple representation of how many bits you reserve for addressing individual devices.

Basically, it’s just a fancy way of saying, put the boundary (“|”) here, thank you.

So, what if you have a /24 mask?

That means, you take the first 24 bits from the left and set them to 1.

11111111.11111111.11111111.00000000

In dotted decimal notation, it would look like this:

255.255.255.0

This means the first 24 bits define the network. They are fixed, and only the last 8 bits (last byte) are dedicated to individual devices.

192.168.1.X // X - devices

So, how many devices do you think you can have in this network?

Leave a comment

Have you answered it in the comments?

No?

This is how you learn, think about it, and give us your answer!

Okay, great. Let’s see what the correct answer is.

You have 8 bits, which can hold 2 values: 0 and 1.

That 2^8 combinations = 256 devices.

If that was your answer, you’re almost correct.

The correct answer is 254. Why? Because you have to exclude network and broadcast addresses. We’ll talk about it next time!

What’s next

First of all, if you don’t fully understand subnetting now, don’t worry. It can be a very confusing topic at first.

Take your time, and read this article twice. Once you do, you can try to create subnets with different masks.

192.168.1.0/25
192.168.1.0/12
192.168.1.0/27

Take a pen and paper and answer the following questions.

• What does the network mask actually look like?

• How many devices can there be?

• And what would the network and broadcast addresses be?

• What is the first and last usable address?

If you answer these in the comments, I will personally give you feedback!

Leave a comment

Conclusion

Congratulations! You just took a huge step in your cybersecurity journey, and I am proud of you.

After reading this article, you are now able to design a network with adequate subnets. You know what an IP address actually is and what those funny numbers after “/” mean.

Believe it or not, that puts you way ahead of most people. Really, go ahead and ask around and see for yourself how many people can give you the right answer. I’ll wait!

Next time, we will talk about cybersecurity implications.

So subscribe and learn something new every week!

Thank you for reading Decoded Security!

Erich

‼️ Free Resource 🚨

If this article helped, I put together a free 80-page guide covering the 10 cybersecurity concepts behind 90% of entry-level interview questions.

👉 Download it here: decodedsecurity.gumroad.com/l/Top10_Cybersecurity_Concepts

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Email: erich.winkler@decodedsecurity.com

LinkedIn: Erich Winkler

Gumroad community: Decoded Security

Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

It was back in school. I had studied for weeks. I knew what TCP was. I had memorized the OSI model layers. I even felt good about it.

Then my professor asked me a simple question:

“Can you explain what actually happens during a three-way handshake, and why it matters from a security perspective?”

I answered something like: “SYN, SYN-ACK, ACK.”

Silence.

That’s not an explanation. That’s three acronyms.

And that’s the difference between memorizing networking and actually understanding it.

And since networking is one of the key domains in cybersecurity, you need to actually understand it.

Here are the 7 networking questions that expose that gap, and what a strong answer actually looks like.

‼️ Warning: CC, Security+, and CISSP relevant topic!

Why Networking Questions Are Different

Most beginners study cybersecurity tools.

Firewalls. IDS. SIEM. Endpoint protection.

But tools sit on top of networks.

If you don’t understand how networks actually work, how data moves, where it comes from, and where it goes, you don’t really understand what those tools are protecting.

And interviewers know that.

That’s why networking questions aren’t just knowledge checks.

They’re a test of how you think.

If you’re not familiar with the basics of network protocols yet, I recommend reading this first: Top 5 Most Important Network Protocols for Cybersecurity Beginners

‼️ Free Resource 🚨

If you’re just starting out in cybersecurity, I know how overwhelming it feels to figure out what to learn first.

I’ve been there.

That’s why I created a free 80-page guide covering the 10 cybersecurity concepts behind 90% of entry-level interview questions.

👉 Download it for free: decodedsecurity.gumroad.com/l/Top10_Cybersecurity_Concepts

Question 1: “What’s the difference between TCP and UDP?”

This question sounds basic.

That’s the point.

It’s a filter. If you can’t explain this clearly and connect it to security, the interviewer already knows the next questions will be harder for you.

Where beginners go wrong:

They answer with a definition.

“TCP is connection-oriented. UDP is connectionless.”

Technically correct. Completely forgettable.

What a strong answer sounds like:

Think of TCP like a phone call. Before either person says a word, you both confirm the other is there. If the call drops, you know immediately.

UDP is more like leaving a voicemail. You send it and assume it arrived. No confirmation.

That difference matters a lot in security.

Then you can simple continue with how it matters to cybersecurity:

TCP’s connection process is exactly what SYN flood attacks exploit. attackers send thousands of connection requests that they never complete, overwhelming the server with half-open connections.

UDP, because it has no handshake, gets abused in DNS amplification attacks, small requests generate massive responses, flooding a target with traffic.

I cover TCP and UDP in depth here: Top 5 Most Important Network Protocols for Cybersecurity Beginners

Question 2: “Walk me through what happens when you type google.com into your browser.”

This is the most comprehensive networking question.

It covers DNS, TCP, IP addressing, HTTP, and TLS. All in one answer.

Interviewers use it to see how deep your knowledge actually goes.

Where beginners go wrong:

“The browser looks up the IP address and loads the page.”

That’s one sentence. There are at least ten distinct steps happening.

What a strong answer sounds like:

First, your browser checks its local DNS cache. If it doesn’t know the IP address for google.com, it asks your operating system, which checks its own cache, then forwards the request to your DNS resolver.

The resolver works through the DNS hierarchy: root servers, then TLD servers for .com, then Google’s authoritative name servers, until it gets the IP address back.

Now your browser has an IP.

It uses TCP to connect with the target by sending a SYN, receiving a SYN-ACK, and confirming with an ACK.

If it’s HTTPS, a TLS handshake happens next. Certificates are exchanged, encryption is negotiated, and a secure session is established.

Then the HTTP request goes through, the server responds, and your browser renders the page.

Every single step in that process is a potential attack surface.

DNS can be poisoned. Certificates can be forged. The TCP handshake can be exploited.

This answer shows you understand where things can go wrong, not just that they usually go right.

Want to understand the DNS part of this in detail? Read this: This Is How I Explain DNS To Beginners

Do you find this article useful? Give it a like, it helps me understand what topics to cover next!

Question 3: “What is a subnet mask and why does it matter?”

Subnetting confuses more beginners than almost any other networking topic.

Not because it’s impossibly hard. But most people memorize the formula without understanding what it’s actually doing.

Where beginners go wrong:

“255.255.255.0 means a /24 subnet.”

Okay. But why? And what does that have to do with security?

What a strong answer sounds like:

Think of a city divided into neighborhoods. The subnet mask is what defines those neighborhood boundaries.

It tells a device: “These addresses are local, talk to them directly. Those addresses are outside your network, send that traffic to the router.”

A /24 subnet mask means the first 24 bits define the network. The last 8 bits identify individual devices. That gives you 254 usable host addresses within that network.

From a security perspective, this is the foundation of network segmentation.

In a well-designed network, your servers, workstations, IoT devices, and guest Wi-Fi are all on separate subnets.

Why?

Because if an attacker compromises a guest laptop, the subnet boundary limits how far they can move. They can’t simply reach your file servers. The network is divided by design.

That’s not just a networking concept. That’s the principle of least privilege applied to infrastructure.

For more on private IP addresses, public addresses, and how network segmentation works in practice, read this: Why Most Beginners Don’t Understand How Networks Actually Work

Question 4: “What’s the difference between a hub, a switch, and a router?”

This one catches people who only studied software-side security.

Network defenders need to understand how traffic flows at the hardware level. This is where attacks become visible, or invisible.

Where beginners go wrong:

Treating all three as “things that connect computers to a network.”

They have fundamentally different behaviors. And those differences change how attacks work.

What a strong answer sounds like:

A hub is the least intelligent device. It receives data on one port and broadcasts it to every other port. Every device on the network sees every packet, even packets not meant for them.

A switch is smarter. It learns which device is connected to which port by tracking MAC addresses. When data arrives, it sends it only to the correct port. Traffic is contained.

A router operates at a different level entirely. It works with IP addresses, not MAC addresses, and it connects different networks together. Your home router connects your local network to the internet.

Here’s why that matters for security.

In a hub-based network, any device can capture all traffic passively, using nothing more than a tool like Wireshark. No special access needed.

Switches replaced hubs to solve exactly this problem.

But even on switched networks, an attack called ARP poisoning can trick the switch into flooding traffic everywhere, recreating hub-like behavior for an attacker who knows what they’re doing.

Want to understand how these devices fit into the bigger picture of network architecture? I cover hubs, switches, routers, proxies, and more in detail here: What Are the Things That Keep Our Networks Alive?

Question 5: “What is a firewall and what can’t it do?”

Everyone can answer the first half.

The second half is where most beginners stop cold.

And stopping there tells the interviewer that you see security tools as magic boxes — not as components with specific, bounded functions.

Where beginners go wrong:

“A firewall filters traffic based on rules.”

True. But incomplete.

What a strong answer sounds like:

A firewall is like a security checkpoint at the entrance of a building. It inspects what’s coming in and going out based on an approved list: IP addresses, ports, protocols.

Traditional firewalls are excellent at enforcing those perimeter rules. Block all incoming traffic on port 23 (Telnet)? Easy. Allow only HTTPS on port 443? Done.

But here’s what a firewall cannot do.

It cannot inspect encrypted traffic without special capabilities. If an attacker is communicating over HTTPS port 443, the firewall sees a valid connection — it has no visibility into what’s inside.

It cannot stop insider threats. It cannot detect stolen credentials being used correctly. It has no visibility into attacks that originate from inside the network.

This is why a firewall alone is never enough.

Understanding the limits of a control is what separates a security professional from someone who just passed a certification exam.

Not all firewalls work the same way, though. Packet filtering, stateful, proxy, and next-generation firewalls each have different capabilities — and different blind spots. I break them all down here: The Complete Guide to Firewall Types: From Packet Filters to Next-Gen

Are you preparing for a cybersecurity interview or certification? Let me know in the comments! I’d love to know what topics would help you most!

Question 6: “What is the difference between IDS and IPS?”

These two tools get confused constantly.

Even by people who have been in IT for years.

Where beginners go wrong:

“IDS detects threats. IPS prevents them.”

That’s the one-liner. It’s correct but empty.

What a strong answer sounds like:

An IDS (Intrusion Detection System) is a passive observer. It watches network traffic, compares it against known patterns and signatures, and raises an alert when something looks suspicious. It sees everything. It stops nothing.

An IPS (Intrusion Prevention System) is an IDS with authority. It sits inline on the network, meaning all traffic has to pass through it. When it detects a threat, it can drop the packet, block the connection, or quarantine the source. In real time.

Think of it this way: an IDS is a security camera. An IPS is a security camera with a locked door attached to it.

Now here’s the part most beginners miss.

An IPS sounds strictly better. So why would you ever choose detection without prevention?

Because an IPS carries real risk. False positives on an IDS generate alerts. False positives on an IPS block legitimate traffic. A misconfigured IPS can take down business-critical applications.

In sensitive environments, an IDS is sometimes the right choice precisely because it cannot accidentally break things while it watches.

Knowing when not to use a control is as important as knowing what the control does.

Question 7: “What happens during a three-way handshake?”

And finally, let’s go back to the original question!

This question appears in almost every entry-level and mid-level security interview.

And answering it poorly is a red flag, because the follow-up questions about attacks build directly on top of it.

Where beginners go wrong:

“SYN, SYN-ACK, ACK.”

Three acronyms are not an explanation.

What a strong answer sounds like:

The three-way handshake is how TCP establishes a reliable connection before any data is sent. It’s the mutual agreement that both sides are ready to communicate.

Step one: the client sends a SYN packet to the server. It’s saying: “I want to connect, and here’s my starting sequence number.”

Step two: the server responds with a SYN-ACK. “Got it. I’m ready. Here’s my sequence number.”

Step three: the client sends an ACK back. “Confirmed. Let’s communicate.”

Now, both sides have synchronized sequence numbers, and a connection is established.

Here’s why this matters from an attack perspective.

A SYN flood attack exploits step one.

An attacker sends thousands of SYN packets: often using spoofed IP addresses, and never sends the final ACK.

The server keeps allocating memory and resources, waiting for confirmations that never arrive.

Eventually, it runs out of capacity to handle legitimate connections.

This is a classic denial-of-service technique.

And understanding the handshake is exactly what makes the attack make sense.

I cover TCP in detail as part of this article: Top 5 Most Important Network Protocols for Cybersecurity Beginners

Conclusion

Read through those seven questions again.

Notice what every strong answer has in common.

It’s not just technical accuracy.

Every answer connects the concept to a security implication. Every answer shows the interviewer that the candidate isn’t just reciting a textbook.

They’re thinking like someone who has to defend a real network.

That’s what the interview is actually testing.

Not whether you memorized the right definition. But whether you can look at a protocol, a device, or a tool, and immediately see where it breaks, where it gets abused, and why it matters.

If you can do that consistently, you’re not a beginner anymore.

Key Takeaways

Here’s what I want you to remember:

• Interviewers don’t want definitions. They want understanding.

• Every networking concept has a security implication. Always connect the two.

• TCP and UDP behave differently, and attackers exploit both.

• Subnetting and IP addressing are the foundation of network segmentation.

• Every security control has limits. Knowing those limits is what makes you dangerous.

• The three-way handshake isn’t trivia. It’s the foundation of connection-based attacks.

• Keep going. Foundations take time to build. But they never stop paying off.

‼️ Free Resource 🚨

If this article helped, I put together a free 80-page guide covering the 10 cybersecurity concepts behind 90% of entry-level interview questions.

It’s free. No catch.

👉 Download it here: decodedsecurity.gumroad.com/l/Top10_Cybersecurity_Concepts

Let’s Connect

If you want to collaborate, discuss, or just geek out over networking and cybersecurity, reach out:

Email: erich.winkler@decodedsecurity.com

LinkedIn: Erich Winkler

Gumroad community: Decoded Security

Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

Networking fundamentals every cybersecurity beginner must understand

After publishing my article about the 5 most important network protocols every cybersecurity beginner should understand, many of my subscribers asked me what else people should know about networking.

That’s why I’d like to explain one of the most fundamental concepts of modern networking.

Because protocols like HTTP, TCP, UDP, SMTP, and FTP explain how systems communicate.

But there is another question beginners rarely ask:

Where are these systems actually located?

Because communication between systems only makes sense if you understand how networks are structured.

And that leads us to one of the most important concepts in cybersecurity:

Private IP addresses, public IP addresses, and network segmentation.

Understanding this will help you answer a surprising number of interview questions and explain how attackers move through networks.

Quick Recap: Systems Are Always Communicating

In the previous article, we talked about protocols like:

• HTTP for web traffic
• TCP for reliable communication
• UDP for fast communication
• SMTP for email
• FTP for file transfers

These protocols define how systems talk to each other.

For example:

Your browser communicates with a web server using HTTP over TCP.

But before that communication even starts, something else must happen.

Your computer needs to know:

Where is the server located?

And this is where IP addresses come in.

What Is an IP Address?

An IP address is basically the network location of a device.

Think of it like a postal address for computers.

Example:

192.168.1.15

This address allows other systems to send data to your device.

Without IP addresses, protocols like HTTP or SMTP would have no idea where to send data.

But not all IP addresses behave the same.

There are two types you absolutely need to understand.

Note: If you are not familiar with network devices, I recommend reading this article: What are the things that keep our networks alive?

Public IP Addresses

A public IP address is visible to the entire Internet.

Anyone can send traffic to it.

Example:

8.8.8.8

This is Google’s public DNS server.

Public IP addresses are assigned by:

• internet service providers

• cloud providers

• hosting companies

From a cybersecurity perspective, this is important because:

Anything with a public IP address is exposed to the internet.

And exposed systems get scanned constantly.

There are automated bots scanning the internet 24/7 looking for:

• vulnerable servers

• outdated software

• open ports

• misconfigured services

Public IP addresses create an attack surface.

Are you interested in more articles about networking? Let me know in the comments!

Leave a comment

Private IP Addresses

Private IP addresses are used inside internal networks.

They cannot be reached directly from the internet.

Why do we need them?

Because there aren’t enough public IPv4 addresses for every device in the world. Instead of giving every device its own public IP, networks use private addresses internally, which can be reused by anyone.

If you check your home network right now, your devices probably look something like this:

Router: 192.168.1.1
Laptop: 192.168.1.15
Phone:  192.168.1.22
TV:     192.168.1.40

These devices communicate internally using private IP addresses.

But they still access the internet.

How?

Through something called NAT.

NAT: The Translator Between Private and Public Networks

Your router has two identities.

Inside the network:

192.168.1.1

On the internet:

203.0.113.24

When your laptop sends traffic to a website:

192.168.1.15 → google.com

Your router translates it so the internet sees:

203.0.113.24 → google.com

The response then returns to the router, which forwards it to the correct internal device.

This allows many devices to share a single public IP address.

But here’s something many beginners misunderstand.

Private IP addresses were created to solve an address shortage problem, not security problems.

If you’d like to see how this works in practice, I can show you how to build a small simulated network on your own computer.

We’ll create a private network, assign IP addresses, and see how NAT works in real time.

If you’re interested, let me know in the comments and I’ll create the lab.

Leave a comment

What Should You Learn Next?

If you’re starting your cybersecurity journey, focus on fundamentals.

You don’t need to learn everything at once.

Start with:

• Network protocols

• IP addressing (Here)

• DNS

• Encryption

• Network Devices

These concepts appear everywhere in cybersecurity.

And if you master them, you will already be ahead of most beginners.

Let’s connect

If you want to collaborate, discuss, or just geek out over virtualization and cloud security, reach out to me:

• Email: erich.winkler@decodedsecurity.com

• LinkedIn: Erich Winkler

• Gumroad community: Decoded Security

• Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

What stops someone from replacing the file with malware?

This is exactly the problem digital signatures solve.

In this article, I’ll explain how digital signatures work, and then we’ll build a small Docker lab where you can try it yourself in 5 minutes.

What You’ll Learn

Before we dive in, here’s what you’ll learn in this article:

• What digital signatures are and why they are important
• How digital signatures protect integrity and authenticity
• How the digital signing process works step by step
• How to create and verify a digital signature yourself
• How tampering with a file breaks the signature

By the end of this article, you won’t just understand digital signatures in theory, you’ll see them working in practice and be able to sign any file!

If you find this article helpful, consider liking the post so more people can discover. I appreciate your time! Thank you!

The Theory

Let’s start with the theoretical background. I know it sounds boring, but like it or not, if you want a career in cybersecurity, you need to know why you do things, not just how to do them.

Digital signatures solve two main problems:

1. Integrity
   The file was not modified.

2. Authenticity
   The file was created by the expected sender.

If you’re not familiar with those terms, I got you covered: CIA Triad

Let’s look at a simple example.

Imagine someone sends you a file.

It contains payment instructions for transferring a large amount of money.

But an attacker intercepts the file and sends you a modified version with different payment details.

The document looks identical.

You send the money.

It’s gone.

Digital signatures prevent that.

They allow the receiver to verify that:

• The file was created by the claimed sender

• The file was not modified by anyone else

How does the whole process work?

Great, now we know what problem we are solving here.
Now let’s walk through the process step by step.

As always, we have Alice and Bob, and Alice wants to send a message to Bob, while Bob needs to be sure that the message is really from Alice and wasn’t modified by anyone else.

They need to perform the following steps:

1. Alice creates a message

For example, the message contains payment information.

2. The message is hashed

Alice runs the message through a hash function.

A hash function converts the message into a short fixed-length value called a hash.
( more information about hashing here: Hashing: What It Is and Why It’s Not the Same as Encryption)

Even a tiny change in the message would produce a completely different hash. So that ensures that any changes are discoverable.

3. Alice signs the hash

This might be a little tricky. What does it mean to sign the hash?
In this case, it means encrypting the hash using your private key.

If you’re not familiar with asymmetric cryptography and its key, I got you covered: Symmetric vs Asymmetric Encryption: What’s the Difference?

So, in our scenario, Alice encrypts the hash using her private key.
This encrypted hash is called the digital signature.

4. Alice sends the message and the signature

Alice sends the message along with the digital signature to Bob.

5. Bob verifies the signature

Bob performs two checks:

1. Bob hashes the original message.

2. Bob decrypts the signature using Alice’s public key to obtain the original hash.

Finally, Bob compares the two hashes.

If they match:

• The message was not modified (integrity)

• The message was signed by Alice (authenticity)

If the hashes are different, the message was tampered with.

Key takeaways

Before we move to the practical lab, let’s summarize the most important points.

• Digital signatures protect both integrity and authenticity.

• They combine hashing and asymmetric cryptography.

• Only the sender can create a valid signature using the private key.

• Anyone can verify the signature using the public key.

• If the hashes don’t match, the message was tampered with.

Hands-On Lab: Try Digital Signatures Yourself

Okay, enough theory! You need to convince people that you are really good at cybersecurity, and the only way to do that is to show them something real.

Let’s see how digital signatures work in practice.

In this short lab, we will:

• generate a private and public key

• create a message

• sign the message

• verify the signature

• modify the message and watch the verification fail

To keep things simple, we’ll run everything inside a Docker container with OpenSSL.

If you don’t know how to use Docker, I have created a simple guide for you for FREE: Docker Guide

Step 1: Create the Lab Environment

Create a new folder for the lab:

digital-signature-lab

Inside the folder, create a file called:

Dockerfile

Add the following content:

FROM ubuntu:22.04

RUN apt-get update && \
    apt-get install -y openssl

WORKDIR /lab

CMD ["/bin/bash"]

This container simply installs OpenSSL, which we’ll use to create and verify digital signatures.

Step 2: Build the Docker Image

Build the container:

docker build -t signature-lab .

Step 3: Start the Container

Run the container:

docker run -it signature-lab

You are now inside the lab environment.

Step 4: Generate a Key Pair

First, we generate a private key.

openssl genrsa -out private.key 2048

Now extract the public key from it:

openssl rsa -in private.key -pubout -out public.key

You should now have two files:

private.key
public.key

Remember:

• Private key → used to sign

• Public key → used to verify

Step 5: Create a Message

Let’s create a simple message file:

echo “Send €10,000 to account 12345” > message.txt

Check the file:

cat message.txt

Step 6: Sign the Message

Now Alice signs the message using her private key.

openssl dgst -sha256 -sign private.key -out signature.bin message.txt

This command:

1. hashes the message using SHA-256

2. encrypts the hash using the private key

3. creates a digital signature

You should now have:

message.txt
signature.bin

Step 7:Verify the Signature

Now Bob verifies the message using Alice’s public key.

openssl dgst -sha256 -verify public.key -signature signature.bin message.txt

If everything is correct, you will see:

Verified OK

This means:

• The message was not modified

• The signature was created using Alice’s private key

Step 8: Simulate an Attack

Now, let’s simulate an attacker modifying the message.

Change the file:

echo “Send €10,000 to account 99999” > message.txt

Try to verify the signature again:

openssl dgst -sha256 -verify public.key -signature signature.bin message.txt

This time, you should see an error message:

Verification Failure (or similar)

Why?

Because the message changed → the hash changed → the signature no longer matches.

This is exactly how digital signatures detect tampering.

What We Just Did

In this small lab, you reproduced the exact process used in real systems:

1. Create a message

2. Hash the message

3. Sign the hash with a private key

4. Send message + signature

5. Verify using the public key

This mechanism protects many things you use every day:

• software updates

• code signing

• secure email

• TLS certificates

Without digital signatures, trust on the internet would be extremely difficult.

Leave a comment

Conclusion

Digital signatures are one of the most important building blocks of modern cybersecurity.

They allow us to verify that the data was not modified and that it really came from the expected sender.

This simple idea, hash the data, sign the hash, verify the signature, is what protects many systems we use every day.

Software updates, secure emails, TLS certificates, and signed applications all rely on this mechanism.

Without digital signatures, trusting software and data on the internet would be extremely difficult.

Now that you understand how they work, you’ve taken another step toward thinking like a cybersecurity professional.

See you next time!

Erich
Decoded Security

Let’s connect

If you want to collaborate, discuss, or just geek out over virtualization and cloud security, reach out to me:

• Email: erich.winkler@decodedsecurity.com

• LinkedIn: Erich Winkler

• Gumroad community: Decoded Security

• Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

Most people don’t. And I don’t blame them.

The terms get used interchangeably in news headlines, casual conversation, and, unfortunately, even in some training materials.

But if you’re preparing for the CISSP, or you’re serious about cybersecurity, this distinction is not optional.

So let’s fix it. Fast.

👍 And if you enjoy these kinds of challenges, leave a like.

First: What Even Is Malware?

Malware is the umbrella term. It stands for malicious software, any code designed to harm the confidentiality, integrity, or availability of a system.

Everything else?

Virus, worm, trojan, ransomware... those are types of malware.

Think of it like this: “animal” is the category.

“Dog” and “cat” are specific types. You wouldn’t say “I saw an animal” when what you mean is “I saw a lion.”

The same logic applies here.

The Types You Need to Know

Virus

A virus attaches itself to a file or program. When you open that file, the virus executes and spreads to other files.

• Requires user action to spread, someone has to open the infected file

• Can stay dormant until triggered

• Classic example: downloading an infected email attachment

Worm

A worm spreads on its own. No user action required. It scans networks, finds vulnerable systems, and installs itself automatically.

• Self-replicating, no file sharing needed

• Can infect entire networks in minutes

• The key differentiator from a virus: no human interaction required

Trojan (Trojan Horse)

A trojan disguises itself as legitimate software. You think you’re installing a useful tool. You’re actually installing a backdoor.

• Does not self-replicate, that’s the virus/worm job

• Opens a backdoor for attackers to access your system remotely

• Can steal data, log keystrokes, or activate your camera

Ransomware

Ransomware encrypts your files and demands payment to get them back. It’s one of the most disruptive and financially devastating malware types out there.

• Spreads via phishing emails, malicious links, or worm-like exploitation

• Best practice: Do not pay the ransom. Payment does not guarantee recovery, and it funds more attacks.

The best protection against Ransomware is having a good backup strategy! Not paying the ransom!

Rootkit

A rootkit hides deep inside your operating system, at the kernel level. It replaces core system files, so antivirus software doesn’t see it.

• Extremely hard to detect

• Gives attackers long-term, covert access to your machine

• Detection requires behavioral analysis and memory scanning, not just signature scans

Fileless Malware

Fileless malware is exactly what it sounds like: no file is written to disk. It lives entirely in memory, using trusted system tools like PowerShell to do its dirty work.

• Invisible to traditional antivirus, there’s nothing on disk to scan

• Delivered via phishing, malicious macros, or browser exploits

• Prevention: keep browsers and OS updated. Disable macros by default.

💬 Did you already know the difference between a virus and a worm?
Let’s keep it simple! Comment yes or no.

One-Line Summary for Each Type

I have a very bad memory, and that’s why I like summaries. It will help you remember the key information you need to know about each term.

These are the key takeaways:

• Virus: attaches to files, needs user to spread it

• Worm: spreads itself, no human required

• Trojan: disguised as legitimate software, opens a backdoor

• Ransomware: encrypts your data, demands payment

• Rootkit: hides at kernel level, antivirus can’t see it

• Fileless: lives in memory, nothing written to disk

Why This Matters Beyond any Exams

On the CISSP exam, you’ll be asked to identify malware types from scenario descriptions. Getting this wrong costs you marks.

But in the real world, it costs more than marks.

If you misidentify a worm as a virus, you treat it wrong. You focus on the infected file instead of network propagation, and the worm keeps spreading while you’re looking the wrong way.

The right diagnosis leads to the right response.

👍 If you learned something new today, leave a like so more people can discover Decoded Security.

Conclusion

Congratulations! Now you know the basic malware types.
It is a great step forward in knowing how to protect your systems against them.

But here’s the real question:

How does malware actually get onto your system in the first place? And how does it stay hidden from all our security controls?

That’s what we are going to cover next time!

Cybersecurity Basics Series

1️⃣ Malware Types (this article)
2️⃣ Malware Propagation Techniques (next)
3️⃣ Access Control Models
4️⃣ Encryption Basics
5️⃣ Incident Response

Ready to level up your cybersecurity skills?

• ❓Take the quiz to test your understanding: CybersecErich: Quiz Hub

• 📰Subscribe (free or paid) to get new posts straight to your inbox.

• Share this with a friend studying for CISSP, or anyone curious about cybersecurity

Warning: List of study materials at the end of the article!

In my previous article, How to Choose the Right Cybersecurity Role Before You Waste Time and Money on the Wrong Certifications, I explained that cybersecurity isn’t one job, it’s a system with multiple career paths.

One of those paths was Security Operations (SOC).

And for many people, SOC is one of the best entry points into cybersecurity.

Why?

Because SOC roles expose you to:

• Real attacks

• Real systems

• Real investigations

• Real tools

Do you want to land your first job in cybersecurity? Comment “interview” and I’ll share a cybersecurity interview guide with you for FREE. No strings attached.

Leave a comment

You learn faster than in almost any other junior security role.

But after choosing a path, the next logical question becomes:

“Okay… what should I actually learn now?”

Certifications are often the first thing people think about.

But certifications don’t build competence on their own.

Skills do.

If your goal is your first SOC job, these are the three areas that will increase your chances the most.

1. Networking Fundamentals

SOC analysts investigate alerts.

And most alerts involve network activity.

• Suspicious IP addresses.

• DNS traffic.

• Authentication attempts.

• Connections to unknown servers.

And to investigate something, you need to understand it first.

The good news?

You don’t need to learn everything at once.

You need the right fundamentals.

If you’re unsure where to start, I already covered the most important protocols beginners should focus on here:

👉 Top 5 most important network protocols for cybersecurity beginners

One simple truth:

Networking is the language of SOC. Make sure you can describe a three-way handshake anytime!

2. Linux and System Basics

Many security tools and enterprise systems run on Linux.

Cloud workloads? Linux.
Security appliances? Linux.
Servers? Often Linux.

You simply can’t avoid it!

However, you don’t need to become a Linux beast overnight!
You’re no administrator, you’re a SOC analyst.
You don’t need 1,000 commands.
You need a practical subset.

I explained exactly which ones matter most here:

👉 Top 5 Linux commands for an entry-level cybersecurity role

Even beginner Linux familiarity already puts you ahead of many candidates.

And because I know how it feels to be completely lost, I chose 5 Linux commands I’d start with if I were completely new to Linux.

What commands would you add on the list? Let me know in the comments!

Leave a comment

3. Hands-On Investigation Practice

This is the biggest differentiator.

Employers want evidence that you can think like an analyst.

That means:

• Looking at logs

• Understanding alerts

• Asking questions

• Connecting evidence

The employer wants proof that you know what you’re looking for.

But here is the problem. How are you going to prove experience without getting the job first?

Well, the answer is simple: A PERSONAL PROJECT.

For example:

“I created a lab and analyzed suspicious login activity.”

How? You can use Docker containers to simulate any number of computers and any network topology.

Did you manage to run your first Docker environment? Let me know in the comments!

Leave a comment

Cybersecurity is confusing at the beginning.

So if you feel overwhelmed, don’t worry.

That’s normal.

I was exactly where you are now.

There are countless certifications, tools, and learning paths, and it’s very easy to jump from one topic to another without clear direction.

That’s why choosing a path matters, and focusing on the right fundamentals matters even more.

If your goal is SOC roles, focus on what actually builds competence:

• Networking fundamentals

• Linux and system basics

• Hands-on investigation practice

These skills create real momentum.

And momentum is what gets people hired.

If you ever feel unsure about what you should focus on next, you can always reach out to me. I genuinely enjoy helping people navigate the beginning of their cybersecurity journey.

Leave a comment

If you focus on the fundamentals, stay curious, and keep practicing, you are already ahead of most beginners entering the field.

Progress beats perfection.

Keep going!

Here is your actionable checklist!

If you’re serious about landing your first SOC job, start with this:

1. Check Your Networking Basics
   Make sure you understand IPs, DNS, and the TCP three-way handshake.

2. Practice Linux for 30 Minutes + Create 2 Docker containers on the same network!

3. Start a Small Security Project
   Create a lab, analyze logs, or simulate login attempts.
   Your goal: something you can talk about in an interview.

“I built a lab and investigated security events.”

That sentence alone can set you apart.

Which step will you start first?

Comment: NETWORK | LINUX | PROJECT

…and I’ll share one practical tip to help you.

Leave a comment

BONUS: List of study materials

The three areas we discussed are broad.

If you’re serious about building a career in cybersecurity, especially in SOC, you should also understand the following foundational topics.

These concepts appear constantly in real environments, certifications, and interviews.

Here are some resources to help you go deeper:

1. Risk Management: Risk Management: Managing risks in six steps

2. Basics of Virtualization: Containers vs. Virtual Machines

3. Quantitative Risk Analysis: Quantitative Risk Analysis: Let The Numbers Do All The Talking

4. Access Control: Access Controls: Who Gets the Keys?

5. Diffie-Hellman: Diffie-Hellman Explained Like You’re 12 (And Why Interviewers Love Asking About It)

6. ISO/OSI model: Understanding the ISO/OSI Model – Why is it crucial for Cybersecurity professionals?

7. DNS: This Is How I Explain DNS To Beginners

Let’s connect

If you want to collaborate, discuss, or just geek out over virtualization and cloud security, reach out to me:

• Email: erich.winkler@decodedsecurity.com

• LinkedIn: Erich Winkler

• Gumroad community: Decoded Security

• Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

“Can you explain Diffie-Hellman?”

It also appears in major certifications like CC (Certified in Cybersecurity) and CISSP.

Not because you need to calculate the math…

…but because it tests whether you understand a core security concept: secure key exchange over an insecure channel.

And there is a good reason for that!

Note: If this article helped you understand Diffie-Hellman, drop a like so more people can find it too. Thank you!

What problem does it solve?

Imagine you want to send a secret message to someone.

So, you generate a key and use a secure algorithm to encrypt your message.

Great!

But there’s a problem.

How do you share the key with the other party?

They need to decrypt the message somehow, and everyone can see your communication channel.

Hackers. Governments. Your ISP. Anyone.

So how do you create a shared secret without ever meeting in person, and without anyone else discovering it?

Warning: If you’re not sure how symmetric encryption works. I got you covered!
Symmetric vs Asymmetric Encryption: What’s the Difference?

The solution is called Diffie-Hellman key exchange.

And today, it protects almost everything you do online.

Are you preparing for any cybersecurity certification exam? Let us know in the comments!

Leave a comment

What Is the Purpose?

The purpose of Diffie-Hellman is simple:

Create a shared secret between two parties without transmitting the secret itself.
(REMEMBER THIS)

That shared secret can then be used for:

• Encryption keys (TLS / HTTPS)

• VPN tunnels

• Secure messaging

• Authentication protocols

Important: Diffie-Hellman does not encrypt data itself.

It only creates the secret key.

Encryption algorithms (like AES) use that key afterward.

Okay, now that you know the purpose, let’s take a look at how it works!

Principle: The Colored Water Example

I will explain this algorithm without using complicated mathematical formulas. That isn’t the point here. So instead of a discrete logarithm problem, I am going to use colors!

Let’s imagine the following scenario:

1. You have two people who want to communicate securely: Alice and Bob.

2. They want to create a secret color mixture (shared secret).

3. But an attacker (Eve) is watching everything on the public channel.

So what should they do?

Do you find this analogy convenient? Let me know in the comments!

Leave a comment

Step 1: Alice and Bob should agree on public parameters

In our example, this could be the color yellow.
This is called a public parameter.
Everyone can see it:

• Alice sees it

• Bob sees it

• Eve (the attacker) also sees it

And that’s completely fine.
There is no secrecy yet.

Step 2: Private Secret Colors

Now it gets interesting. Both Alice and Bob choose a secret private color that they don’t share with anyone.

Let’s say that Alice chooses blue and Bob chooses red.

Once they have their own secret color, take a glass of yellow water (public) and add their secret-colored water to the glass.

Step 3: Exchange the Mixed Colors

They exchange their mixtures publicly again.

So now:

• Alice receives Bob’s mixture

• Bob receives Alice’s mixture

Eve still sees everything. She has both Bob’s mixture and Alice’s mixture. But it is impossible for her to separate the two individual colors from the mix.

So the information is useless for her.

Step 4: Final Secret

Now, both add their own secret color again.
Both end up with the same final color.
But Eve cannot reproduce it.

And that’s it! Bot and Alice now have their shared secret and can easily communicate securely!

If this article helped you understand the concept of the Diffie-Hellman algorithm, drop a like and help more people understand it!

Conclusion

If you’re reading this, congratulations.

Understanding Diffie-Hellman is a huge step forward and absolutely crucial for certification exams such as CC, Security+, or CISSP.

More importantly, it means you’re beginning to understand how secure communication actually starts, and that’s one of the foundations of cybersecurity.

I know cryptography can feel intimidating at first, so here are the key takeaways I want you to remember:

You don’t need to understand the math. Focus on the concept first.

Diffie-Hellman is about creating a shared secret over an insecure channel.

It does not encrypt data, it creates the key that encryption uses later.

Public parameters can be visible to everyone. Security comes from private values.

Modern protocols like TLS, VPNs, and secure messaging use Diffie-Hellman (or its variants) in the handshake phase.

If you understand this principle, you’re already ahead of many beginners, and you’ll recognize one of the most common cybersecurity interview questions instantly.

Keep going.

Let’s connect

If you want to collaborate, discuss, or just geek out over virtualization and cloud security, reach out to me:

• Email: erich.winkler@decodedsecurity.com

• LinkedIn: Erich Winkler

• Gumroad community: Decoded Security

• Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

Great. I can do that.

I sat down and started learning.

After a while, I realized there is an infinite number of things that I could be learning and that I had no idea what to focus on.

I was jumping from one topic to another, TCP today, DNS tomorrow, VLANs next week, without really knowing what actually mattered.

It felt like trying to drink from a fire hose.

If this sounds familiar, you’re not alone.

The truth is: you don’t need to learn everything at once!

In this article, I’ll show you the 5 most important network protocols every cybersecurity beginner should understand and why they matter in real-world security.

Before we get into that, please make sure you understand the TCP/IP model and its layers.

HTTP/HTTPS

Layer: Application Layer (Layer 7 - ISO/OSI model, Layer 4 TCP/IP model)

Function:
Transfers web data between a client and a web server. Typically between user’s browser and a web server.

Process:
HTTP uses a request–response model. A client (browser) sends an HTTP request to a server, and the server responds with content (HTML, images, API data, etc.).

Not sure what it means? Maybe this picture will help you.

Looking at this picture, two questions might pop in your head.

What are HTTP methods and what are the Status codes?

Let’s take it step by step.

An HTTP method defines the action that a client wants to perform on a resource located on a web server.

There are 4 main methods:

• GET (Read) → Retrieve data from a server

• POST(Create) → Send data to the server (e.g., login form submission)

• PUT(Update) → Update or replace data on the server

• DELETE(Delete) → Remove data from the server

HTTP response codes (also called status codes) are messages sent by the server to tell the client what happened with the request.

In simple terms:

Status codes tell you whether your request worked, or why it failed.

Remember that famous Error 404? Yes, that is a response code!

Why it matters to cybersecurity:
Most internet traffic today is web traffic. Many attacks target web communication, including:

• Man-in-the-Middle (MitM)

• Session hijacking

• Credential theft

• Web application attacks (XSS, SQL injection)

And if you want to protect your systems agains those attacks, you need to understand this protocol first!

Note: HTTPS works the same way but adds TLS encryption, which protects the communication from interception or tampering.

TCP (Transmission Control Protocol)

Layer: Transport Layer (Layer 4 — ISO/OSI model, Layer 3 — TCP/IP model)

Function:
Provides reliable, ordered, and error-checked delivery of data between devices.

Make sure to understand the three-way handshake!

Process:
Before sending data, TCP establishes a connection between two devices using something called a three-way handshake:

1. SYN → Client wants to start communication

2. SYN-ACK → Server acknowledges

3. ACK → Client confirms

Once the connection is established, data can be transmitted reliably. TCP ensures that:

• Packets arrive in the correct order

• Missing packets are retransmitted

• Communication is stable

Understanding TCP helps you understand:

• Port scanning

• Network connections

• Session hijacking

• SYN flood attacks (DoS)

• Firewall behavior

If you don’t understand TCP, you don’t really understand how systems communicate.

UDP (User Datagram Protocol)

Layer: Transport Layer (Layer 4 — ISO/OSI model, Layer 3 — TCP/IP model)

Function:
Provides fast, connectionless data transmission without reliability guarantees.

Process:
Unlike TCP, UDP does not establish a connection before sending data.

It simply sends packets (called datagrams) to the destination without:

• Acknowledgments

• Retransmissions

• Ordering guarantees

This makes UDP much faster, but less reliable. (SEND AND HOPE)

Why it matters to cybersecurity:

UDP is commonly used in:

• DNS

• Video streaming

• Online gaming

• VoIP

It is also heavily abused in DDoS amplification attacks because attackers can send large volumes of traffic quickly.

Understanding UDP explains why some attacks can generate massive traffic and overwhelm systems.

SMTP (Simple Mail Transfer Protocol)

Layer: Application Layer (Layer 7 — ISO/OSI model, Layer 4 — TCP/IP model)

Function:
Used to send emails between mail servers and from clients to servers.

SMTP is curerntly a standard for transferring email messages.

Process:

1. A user sends an email from their email client.

2. The email is transferred to a mail server using SMTP.

3. The server forwards the message to the recipient’s mail server.

4. The recipient retrieves it using another protocol (like IMAP or POP3). - DIFFERENT PROTOCOL

SMTP was originally designed without strong security, which is why additional protections were later added (SPF, DKIM, DMARC).

Why it matters to cybersecurity:

Email is the number one attack vector in cybersecurity.

Understanding SMTP helps you understand:

• Phishing attacks

• Email spoofing

• Malware delivery

• Business Email Compromise (BEC)

• Email authentication mechanisms

If you work in security, you will deal with email threats constantly.

Example:
Sending an email from Gmail or Outlook.

FTP (File Transfer Protocol)

Layer: Application Layer (Layer 7 — ISO/OSI model, Layer 4 — TCP/IP model)

Function:
FTP allows efficient uploading and downloading of files between hosts.

Process:

FTP uses two separate connections:

• A control connection (commands)

• A data connection (file transfer)

Traditional FTP does not encrypt communication, meaning:

• Usernames

• Passwords

• Files

can be intercepted.

Because of this, secure alternatives were created:

• SFTP (SSH File Transfer Protocol)

• FTPS (FTP over TLS)

Why it matters to cybersecurity:

FTP is a classic example of an insecure legacy protocol still found in many environments.

Security professionals need to understand it because:

• Credentials can be captured easily

• Servers are often misconfigured

• Attackers frequently scan for exposed FTP services

It teaches an important lesson:

Just because a protocol exists doesn’t mean it is secure.

Example:
Uploading files to a web hosting server.

Great! Let’s sum it all up now.

What now?

If you’re reading this, congratulations.

Understanding these protocols is a great start and absolutely crucial for certification exams such as CC, Security+, or CISSP.

More importantly, it means you’re beginning to understand how systems actually communicate, and that’s the foundation of cybersecurity.

I know it can feel overwhelming at times, so here are the key takeaways I want you to remember:

• You don’t need to learn everything at once. Focus on the fundamentals first.

• Most cyber attacks exploit communication between systems, networking knowledge gives you visibility into that.

• TCP and UDP are crucial transport layer protocols. Make sure to understand the differences between them.

• Make sure to understand at which ISO/OSI layer the protocol operates

If you master these basics, you’re already ahead of most people!

Keep going.

Let’s connect

If you want to collaborate, discuss, or just geek out over virtualization and cloud security, reach out to me:

• Email: erich.winkler@decodedsecurity.com

• LinkedIn: Erich Winkler

• Gumroad community: Decoded Security

• Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

Subscribe now

That’s non-negotiable.
And no cybersecurity certificate will save you from it.

There are over 1,000 Linux commands, more than anyone can realistically learn.

The good news?
You don’t need to.

You don’t need to be a Linux wizard.
You need a small, job-relevant subset of commands.

The bad news?
Figuring out which ones to learn is hard, especially when you’re learning on your own.

I remember struggling in the terminal, running “advanced” commands while not even knowing how to list files in my current directory.

I want to help you avoid that.

Here are 5 Linux commands you’ll use constantly in your first cybersecurity role.

Let’s get to it.

Top 5 commands

Is this everything you need to become an expert?

No.

But these commands give you something far more important than expertise: orientation.

They let you explore a Linux system on your own, files, processes, and the network, without feeling lost.

And that matters, because in cybersecurity, learning doesn’t happen by staring at a black screen.
It happens by trying things, breaking things, and understanding what you see.

This is where that starts.

1. List files and directories

Command: ls

Purpose: Show what files and directories exist in a given location.

Useful arguments:

• -l: Shows detailed information: permissions, owner, group, size, and timestamps.

• -a: Includes hidden files (those starting with .).

• -h: Displays file sizes in human-readable format (KB, MB, GB).

• -la: The most commonly used combination. Shows everything, with full details.

Example of usage: You enter a directory you don’t recognize and want to see everything inside it.

2. Change directories

Command: cd

Purpose: Move between directories in the Linux filesystem.
Useful arguments:

• cd /path/to/directory

  • Move directly to a specific location.

• cd ..

  • Move one directory up.

• cd ~

  • Jump to your home directory.

• cd -

  • Switch back to the previous directory.

When to use - example:

You need to check the log files located in “/var/log”.

cd /var/log

This moves you straight to the logs so you can continue your investigation. Then you can run the “ls” command to see all the files in the directory.

Do you want to learn more about Linux commands? Let me know in the comments!

Leave a comment

3. Copy and move files

Commands: cp, mv

Purpose:
Copy or move files and directories.

Useful arguments:

cp (copy)

• cp file1 file2
  Copy a file to a new location or name.

• cp -r directory/ destination/
  Copy directories recursively.

mv (move / rename)

• mv file destination/
  Move a file to a different directory.

• mv oldname newname
  Rename a file.

Example: Move a file to another directory

You’re in your home directory and want to move a file into a log-analysis folder.

mv suspicious.log /var/log/analysis/

4. Delete files and directories

Command: rm

Purpose:
Delete files or directories from the system.

Useful arguments:

• rm file.txt
  Delete a single file.

• rm -i file.txt
  Ask for confirmation before deleting — recommended for beginners.

• rm -r directory/
  Delete a directory and its contents recursively.

• rm -f file.txt
  Force deletion without prompts (dangerous if misused).

Warning: There is no built-in “undo” for rm.

When to use – example:

You created a temporary copy of a file for testing and no longer need it.

rm -i test_copy.log

5. View file contents

Command: cat

Purpose:
Display the contents of a file directly in the terminal.
In cybersecurity, this is how you quickly inspect logs, configs, and scripts.

Useful arguments:

• cat file.txt
  Show the full contents of a file.

• cat -n file.txt
  Display line numbers — helpful when reviewing scripts or configs.

• cat file1 file2
  View multiple files in sequence.

Warning: Use only for small files

When to use – example:

You copied a configuration file and want to quickly check what’s inside.

cat -n sshd_config

What now?

If you know how to use these commands, you’re no longer “bad at Linux.”

This is how you start.

You can:

• See what files are in the directory

• Move between directories

• Copy and move files safely

• Read short configuration files

That’s enough to start learning for real.

Linux commands aren’t something you can memorize.

You need to practice.

That’s how you get better.

If you want help setting up a safe practice environment or learning what to explore next, comment “Linux”!

I’ll point you in the right direction.

Leave a comment

Let’s connect

If you want to collaborate, discuss, or just geek out over virtualization and cloud security, reach out to me:

• Email: erich.winkler@decodedsecurity.com

• LinkedIn: Erich Winkler

• Gumroad community: Decoded Security

• Start Here: Decoded Security Roadmap

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

I simply went with that one simple sentence: it translates IP addresses to domain names and vice versa. Magic sentence that means nothing.

If that’s you, give me a like so I know I am not the only one in the world!

And let’s be honest, it was enough. But then I wanted to switch to cybersecurity, and this lack of knowledge about such a crucial system started to really slow me down.

DNS components…no idea.

DNS record types…I believe there is something like… A?

And the worst part?

Every time you ask someone how it works, they immediately jump into some random detail.

Really… go and ask someone how DNS works.

The answer will probably look like this:

“It translates IP addresses to domain names. And there is a recursive resolver, which can be vulnerable to DNS amplification attacks. That is a huge problem because it can overload the whole infrastructure…”

Do you know how DNS works now?

No?

I didn’t either.

And the funny thing is, it’s actually really simple.

So let me show you.

Warning: CC and CISSP relevant topic!

DNS - Basic Concept

Let’s start from the beginning.

DNS is often called the Internet’s phonebook. But what does it mean?

It’s simple: if you want to connect to a website, you need to know its IP address, not its name.

There is no such thing as Google.com or YouTube.com.

But imagine you’d have to type 142.250.74.14 every time you want to connect to Google. That would make things really complicated.

DNS simply translates it for us, stupid humans who can’t remember a bunch of numbers.

Did you learn something new? Give me a like so I can teach you more!

DNS process (simplified)

Okay, now we know what DNS is supposed to do.

Now, let’s take a look at what actually happens when you type google.com in your browser.

Here’s the simplified process:

1. You type a domain name

2. Resolver checks the HOSTS file

3. Checks cache

4. If not found → asks DNS server

5. Gets IP address

6. Browser connects

I bet you have a couple of questions now. What is the Resolver? What is the HOSTS file?

Let me explain that.

Do you find this article interesting? Give it a like! It helps me understand what should I focus on!

DNS lookup (less simplified)

DNS process:

Step 1: Check the HOSTS file

• HOSTS file: This is a small local text file with manual mappings.

• Example: 192.168.1.50 example.com

• If found:

  • process stops

  • no DNS request

  • browser connects immediately

Step 2: Check local DNS cache (Not important now)

If the desired information isn’t in the HOSTS file, then the system checks the DNS Cache.

Step 3: Query sent to recursive resolver

You type example.com.

The request goes to a DNS resolver

The resolver sends requests to the DNS servers, not you.

Step 4: Resolver asks a root nameserver

The resolver contacts a root nameserver (.).

Root servers don’t know the IP.

They only know: Which Top-Level Domain (TLD) server to ask next?

Step 5: Root responds with the TLD server

The root server replies:

“Ask the .com nameserver.”

So now the resolver knows where to go next.

Step 6: Resolver asks the TLD nameserver

The resolver queries the .com TLD server.

This server manages all .com domains.

It still doesn’t know the final IP.

Step 7: TLD returns authoritative nameserver

The TLD replies:

“The authoritative nameserver for example.com is ns1.example.com.”

Now we’re getting closer.

Step 8: Resolver asks the authoritative nameserver

The resolver contacts the authoritative nameserver.

This is the server that actually owns the domain’s records.

This server finally knows the answer.

Step 9: The Authoritative server returns the IP

It responds:

example.com → 93.184.216.34

This is the real IP address.

Step 10: Resolver returns the answer to your browser

The resolver:

• sends the IP back to your computer

• caches it for future use

Your browser now knows where to connect.

DNS lookup is DONE!

Super short recap of the process

Here’s the entire lookup again in 10 seconds:

1. Check the HOSTS file

2. Check cache

3. Ask resolver

4. Root → TLD

5. TLD → authoritative server

6. Get IP

7. Browser connects

Done.

Milliseconds.

Thousands of times per day.

You just never noticed.

Conclusion

Congratulations! Now you understand how DNS works! Well, at least the basics!

There are many topics we need to go through!

Next time, we will go through different kinds of DNS and why it all matters from a cybersecurity perspective! Because, like it or not, you need to know these things to become a cybersecurity professional.

Cybersecurity is one of the best career opportunities today.

But starting is confusing.

Too many roles.
Too many certifications.
Too many opinions online.

Decoded Security exists to make cybersecurity understandable and help you move forward faster.

Here you’ll find practical guidance, career insights, and learning resources that help you:

• Break into cybersecurity

• Choose the right career path

• Prepare for interviews and certifications

• Understand complex topics in plain English

• Connect with others entering the field

Who Is Decoded Security For?

Decoded Security helps:

✅ People trying to break into cybersecurity
✅ Professionals preparing for their first cybersecurity job
✅ Software developers switching to cybersecurity
✅ Certification candidates (CC, Security+, CISSP and others)
✅ Anyone wanting practical cybersecurity knowledge without academic fluff

Where should I start?

Your starting point depends on your goal. Here are recommended entry points.

If you’re new to cybersecurity

Start with Foundation:

1. Threat ≠ Risk ≠ Vulnerability: Why CISSP Basics Matter More Than You Think

2. My First Week of CISSP Prep – What I’ve Learned So Far

3. Security Policies, Standards, and Procedures: The Boring Stuff That Actually Saves You

4. Cybersecurity Controls from Zero to Hero

If you're a software developer switching careers

Avoid starting from zero:

1. 5 Specific Steps For Software Developers To Get a Job in Cybersecurity In 6 Months Without Starting Over

2. How to Choose the Right Cybersecurity Role Before You Waste Time and Money on the Wrong Certifications

3. Why good engineers fail the CISSP exam - and managers don’t

If you want your first cybersecurity job

Prepare smarter:

1. 3 Things You Need To Know For Your First Cybersecurity Interview

2. 6 Myths That Are Killing Corporate Cybersecurity

3. How to Choose the Right Cybersecurity Role Before You Waste Time and Money on the Wrong Certifications

If you're preparing for certifications

Useful for CC, Security+, CISSP and similar exams:

1. The 8 Security Principles Every CISSP Candidate Thinks They Understand (Until They Don’t)

2. 15+ Laws Every CISSP Candidate Must Know: The Only Legal Guide You Need

3. GDPR Explained: The Privacy Law That Follows Your Data Everywhere

4. The Final Goodbye: How to Dispose Data So It Never Comes Back

These are just starting points. Explore and follow topics that match your goals!

Who am I?

I’m Erich, a CISSP-certified Cybersecurity Manager.

One of my biggest accomplishments is becoming a Cybersecurity Manager at 26 for an international company.

However, like most people, I didn’t start my career in cybersecurity with a perfect roadmap.

I used to be a Software Developer, having no idea how to break into such a complex field.

But over time, I started noticing patterns, and now that I know both sides of the hiring process, I am sharing my insights on how to speed up your career.

And now, I have decided to write about this journey and share things I wish I had known at the beginning.

And no, you don’t need a master’s degree for that.

Learn more here.

Decoded Security Story

It’s been almost a year since I started this newsletter. Over time, I have published 60+ articles on cybersecurity topics, from the basics to advanced concepts.

But I didn’t stop there, I started sharing the insights that helped me become a cybersecurity manager at 26 years old - interview tips, frequent interview topics, and specific advice I wish I knew a couple of years back.

Once people started asking questions, I decided to help even more. I started creating quizzes, templates, and actionable checklists to help you solve the challenges people in cybersecurity face.

What happens if I subscribe to Decoded Security?

Decoded Security is primarily a free newsletter.

Free Subscription

• 1 - 2 articles a week directly to your inbox about the following topics:

  • Cybersecurity concepts that you need to know to get your first job in cybersecurity

  • Complex cybersecurity topics in plain English

  • Certification and interview tips

  • Real-world insights from the world of cybersecurity

• Various discounts on Decoded Security products

• Cybersecurity quizzes where you can test your knowledge

• Access to the Subscriber’s chat where I answer all your questions.

Paid Subscription

What you get:

🚀 Exclusive Discord Community
Connect with like-minded people, share progress, and learn faster together.

📚 50% discount on all Decoded Security products
Get structured resources, templates, and guides at a fraction of the cost.

⚡ Free and early access to new materials
Be the first to access new checklists, guides, and tools before anyone else.

💬 Priority access to personal guidance (limited)
Get direct support from me when you’re stuck.

• Ask career-related questions

• Get direction on what to learn next

• Avoid common mistakes that slow people down

(Async support, limited capacity to ensure quality responses)

Earn money with Decoded Security: Affiliate Program

Earn 30% commission on every product you promote.

• Share cybersecurity guides, templates, and courses

• Get paid for every sale

• No limits on earnings

👉 Start here: https://www.decodedsecurity.com/p/invite-friends-earn-rewards

Decoded Security Materials

I’ve created ebooks, templates, quizzes, and roadmaps to help people move faster in cybersecurity careers.

You can find all materials here:

• Gumroad

• Quiz hub

Let’s connect

If you want to collaborate, discuss, or just geek out over virtualization and cloud security, reach out to me:

• Email: erich.winkler@decodedsecurity.com

• LinkedIn: Erich Winkler

• Gumroad community: Decoded Security

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

Leave a comment

📘 Essential for anyone preparing for the ISC2 CC or CISSP exam.

CISSP doesn’t test tools. Interviews don’t care about dashboards.

They test whether you understand the purpose, importance, and structure of incident response at a professional level.

And I will get you ready for those questions!

What Is Incident Response?

Incident response (IR) is the structured approach an organization uses to detect, analyze, contain, eradicate, and recover from security incidents.

But that definition misses the point.

At its core, incident response exists to answer one question:

“How do we stay in control when something has already gone wrong?”

It assumes failure. It assumes compromise.
And it focuses on damage control, decision-making, and recovery, not prevention.

The Purpose of Incident Response

The purpose of incident response is not to prevent incidents.

That’s a common misunderstanding.

Incident response exists to:

• Limit business impact

• Protect critical assets and data

• Preserve evidence and accountability

• Enable fast, informed decisions under pressure

• Restore trustworthy operations

In other words:

Incident response turns chaos into a managed situation.

Without it, every incident becomes an improvisation, and improvisation under stress is how small incidents become disasters. → I need you to remember this!!

The Phases of Incident Response - Structure

For CC and CISSP, incident response is understood as a lifecycle, not a single action.

Each phase has a specific purpose, and mixing them up is a common exam and interview mistake.

1. Detection & Identification

This phase answers one question:

“Do we have an incident?”

Detection can come from:

• Technical sources (SIEM, EDR, monitoring systems)

• Human sources (employees, administrators)

• Third parties (partners, service providers)

At this stage:

• You do not fix anything

• You do not jump to conclusions

• You confirm that an event qualifies as a security incident

📌 Exam trap: Detection is not a response. Identifying an incident does not mean containing it.

2. Response

This phase answers:

“How do we stop the damage from spreading?”

Containment focuses on:

• Isolating affected systems

• Preventing further compromise

• Limiting business impact

Speed matters more than perfection.

📌 CISSP mindset: Temporary containment is acceptable if it prevents escalation.

3. Mitigation

This phase answers:

“How do we properly eliminate the threat?”

Mitigation focuses on removing adversarial control from affected systems.

It includes:

• Removing malware

• Eliminating persistence mechanisms

• Closing exploited vulnerabilities

The mitigation phase ends when affected systems, while still isolated from production networks, are free from adversarial control.

📌 Key exam point: Clean systems are not yet trusted systems.

Do you know anyone struggling with these concepts? Send it their way and help them out!

Share

4. Reporting

This phase answers:

“What must be documented, and who needs to know?”

Proper reporting ensures legal, regulatory, and executive readiness.

An incident report includes:

• Summary of the incident

• Indicators of compromise

• Related incidents

• Actions taken

• Chain of custody for all evidence

• Impact assessment

• Identification and comments of incident handlers

• Next steps to be taken

📌 Interview insight: If it’s not documented, it didn’t happen.

5. Recovery

This phase answers:

“Can we trust these systems again?”

Recovery aims to restore full, trustworthy functionality.

It requires:

• Significant testing

• Verification that affected systems are truly trustworthy

• Proper configuration to support business processes

• Confirmation that no compromises exist in those processes

Recovery is complete only when systems are both operational and trustworthy.

📌 Exam trap: Availability alone does not equal recovery.

6. Remediation

This phase answers:

“How do we make sure this never happens again?”

Remediation focuses on long-term risk reduction.

It includes:

• Identifying control gaps

• Deciding which controls must be implemented or modified

Remediation occurs in two phases:

1. Controls are put in place

2. Controls are later reviewed to determine if they should become permanent

📌 CISSP principle: Remediation addresses root causes, not symptoms.

7. Lessons Learned

This phase occurs once the incident is closed.

It answers three questions:

• What happened?

• What did we learn?

• How can we do it better next time?

Lessons learned drive:

• Process improvements

• Training updates

• Policy and control enhancements

📌 Professional mindset: Every incident should reduce future risk.

Conclusion

If you’re reading this, congratulations!

You’ve just taken another solid step in your cybersecurity journey!

Incident response is one of those topics that looks simple on the surface, but quickly exposes gaps in understanding during exams and interviews.

By now, you should have a clear mental model of why incident response exists, how the phases fit together, and how ISC² expects you to think about it.

Of course, knowing the theory alone won’t pass the exam or land you the role, but it puts you in a much stronger position than most candidates.

Remember: Clarity builds confidence.

And confidence, especially in exams and interviews, is often the deciding factor.

And if you want a complete guide on how to prepare for your first interview and land a job in cybersecurity I got you covered again: The 90-Day Cybersecurity Job Blueprint. (Secret discount for Decoded Security subscribers already applied!)

Thank you for reading Decoded Security.
I’m looking forward to your questions, comments, and discussions below.

Exam & Interview tips

For exams and interviews, remember this:

• Detection ≠ Response

• Containment ≠ Eradication

• Recovery ≠ Remediation

• Lessons learned ≠ Blame

Incident response is about controlled decision-making under pressure, not technical heroics.

Let’s connect

If you want to collaborate, discuss, or just geek out over virtualization and cloud security, reach out to me:

• Email: erich.winkler@decodedsecurity.com

• LinkedIn: Erich Winkler

• Gumroad community: Decoded Security

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

Ready to level up your cybersecurity skills?

• 💬Comment below and tell me what your experience with SLAs is

• ❓Take the quiz to test your understanding: CybersecErich: Quiz Hub

• 📰Subscribe (free or paid) to get new posts straight to your inbox.

• Share this with a friend studying for CISSP, or anyone curious about cybersecurity

Here’s a hard truth from the hiring side:

You don’t fail interviews because you don’t know enough.
You fail because you focus on the wrong things.

I can’t teach you everything in one post, but I can give you three topics that come up again and again in real interviews.

Knowing the rules won’t get you the job.
Not knowing them will almost certainly cost you the interview.

That’s why this article focuses on what interviewers expect you to understand

📘 Essential also for anyone preparing for the ISC2 CC exam.

1. The CIA Triad

“What are the core security objectives in any system?”

3 letters, crucial concept.

The CIA Triad defines the three core objectives of information security:

• Confidentiality – making sure information is only accessible to those who are authorized.

• Integrity – ensuring that data hasn’t been tampered with or altered without permission.

• Availability – making sure systems and data are accessible when needed.

Why does it matter so much?

Protecting information systems means ensuring the CIA (Confidentiality, Integrity, Availability) of all assets in our information systems.

Every control, every procedure should exist in order to support one of the core objectives.

The good news is, the concept is quite easy, and all you need is one picture!

However, if you’d like to know more about it, make sure to check one of my previous articles: CIA Triad - Introduction.

Threat ≠ Risk ≠ Vulnerability

“Could you please explain the difference between Threat, Risk and Vulnerability to me?”

I hear people use these terms interchangibly all the time.

In reality, there is a huge difference. And knowing this difference shows that you are aware how risk management works.

Let me give you a definition of each term:

• A threat is any potential danger that is associated with the exploitation of a vulnerability.

• A vulnerability is a weakness in a system that allows a threat source to compromise its security.

• A risk is the likelihood of a threat source exploiting a vulnerability and the corresponding business impact.

Still confused about the difference?

Let me show the relationship between the terms in one simple example.

Imagine a house with a broken window (vulnerability). There’s a burglar in the neighborhood (threat). The risk is that the burglar might notice the window and break in.

Now, installing a camera or alarm system won’t stop the burglar from existing. It won’t fix the window either. But it might discourage the burglar or notify you quickly if something goes wrong.

That’s it! All you need is one very simple example, and you already look like a pro!

If you’re interested in more details about this topic, I recommend reading one of my previous articles: Threat ≠ Risk ≠ Vulnerability.

Security Policies, Standards, and Procedures

This might sound boring to you, especially if you’re a technically oriented person, but like it or not, even as a cybersecurity specialist, you are still part of an organization, and you need to understand the bigger picture of what you are doing.

That’s why hiring managers often want to make sure you are willing to learn the basics of cybersecurity governance.

Again, let me give you definitions first:

Policy:

A high-level statement that defines what must be done and why. It reflects management’s intent and direction.

Standard:

A mandatory rule that defines what exactly must be used or followed — tools, technologies, or configurations.

Procedure:

A detailed set of steps that explain how to implement a policy or standard in practice.

Guideline:

An optional recommendation or best practice. They help us to cover the grey areas and provide the necessary flexibility.

It didn’t hurt that bad, did it?

The whole concept is actually pretty easy, and I will give you one simple picture that will help you to remember it.

Make sure you can understand the difference and prepare real-world examples of each.

Not sure where to start? Well, I got you covered again.

If you want a practical scenario + quiz, read: Security Policies, Standards, and Procedures: The Boring Stuff That Actually Saves You.

You can find a real world scenario there and a quiz that will help you determine if you’re ready for the interview!

Conclusion

If you’re reading this, congratulations! You just made another step on your cybersecurity journey!

Of course, simply knowing these topics isn’t enough to land a job in the field, but it is a great start!

I know interviews are stressful, but from my experience, knowing what to focus on not only increases your chances of getting hired but also gives you more confidence.

And confidence is often the key ingredient in the mix!

And if you want a complete guide on how to prepare for your first interview and land a job in cybersecurity I got you covered again: The 90-Day Cybersecurity Job Blueprint.

Thank you for reading Decoded Security, and I am looking forward to your comments!

Let’s connect

If you want to collaborate, discuss, or just geek out over virtualization and cloud security, reach out to me:

• Email: erich.winkler@decodedsecurity.com

• LinkedIn: Erich Winkler

Enjoyed this article? Like it or drop a comment. I’d love to hear your thoughts and questions!

Let’s learn and grow together!

Ready to level up your cybersecurity skills?

• 💬Comment below and tell me what your experience with SLAs is

• ❓Take the quiz to test your understanding: CybersecErich: Quiz Hub

• 📰Subscribe (free or paid) to get new posts straight to your inbox.

• Share this with a friend studying for CISSP, or anyone curious about cybersecurity

If yes, this article is for you.

I’m going to give you a clear tour of the field and show you four very different paths you can take in cybersecurity—and how they actually relate to each other.

Why should you care?

Because choosing the wrong path can easily cost you years of effort and thousands of dollars in certifications, courses, and wasted preparation.

Cybersecurity is a demanding field.
And having direction puts you far ahead of people who are just “trying to figure it out.”

Most people don’t fail in cybersecurity because they aren’t smart enough.

They fail because they never had a plan.

Cybersecurity isn’t one job. It’s a system

Most people imagine security as a collection of isolated roles.

Pentester here.
SOC analyst there…
Cybersecurity manager somewhere at the top..

If we want to succeed, we have to change this mindset.

Cybersecurity is a living system with 5 main components.

Once you know these components, everything is much clearer.

Let’s go!

Not only people with cybersecurity roles have cybersecurity responsibilities. Cybersecurity is everyone’s responsibility. I covered this in one of my previous articles!

1. Offensive Security

Someone has to think like an attacker and ask:

• How could this system be abused?

• Where are the weak points?

• What assumptions are we making that might be wrong?

These roles actively probe for weaknesses, but unlike malicious hackers, they do it to help organizations improve their security.

What roles are we talking about?

Penetration Tester

Required Seniority: Mid → Senior

I started with this role on purpose, because you probably heard about it the most. The first question I get when I say I work in cybersecurity is: “Can you hack my computer?”

PS: No, I can’t. I am not a penetration tester.

But what is the official goal of this role?

Penetration testers focus on controlled attacks against specific systems.

Basically, you tell him to break into a system under specific conditions and a time frame, and they do everything in their power to do so.

A good penetration tester doesn’t just find vulnerabilities.
They explain why they matter and how they can realistically be abused.

This role suits people who enjoy:

• Structured testing

• Technical depth

• Clear objectives and reporting

But here’s the important part:

Penetration testing is not beginner-friendly.

Red Team Engineer

Required Seniority: Senior

Red Team Engineer takes it a little further.

Instead of testing individual systems, red teams simulate real-world attacks across the entire organization.

But, for the purposes of this article, read teaming is very similar to penetration testing.

Not all companies use Red teaming, as it is very expensive.

Additionally, it is highly unlikely to become a Red Team Engineer without prior experience as a penetration tester.

Do you find this article useful? Let me know in the comments!

Leave a comment

2. Security Operations (SOC) Roles

If you don’t know what SOC is, it is the central team responsible for continuously monitoring, detecting, and responding to cybersecurity threats across an organization.

A SOC operates 24/7 (or close to it), because attackers don’t work office hours.

Security Analyst

Required Seniority: Junior → Mid

The security analyst is the front line.

This role is about:

• reviewing security alerts

• investigating suspicious behavior

• deciding what is real and what is noise

Most alerts are false positives.
Some are not.

Your job is to tell the difference.

When something looks wrong, the analyst digs deeper to understand:

• what happened

• how serious it is

• whether it needs immediate action

It is also one of the best entry points into cybersecurity, because it forces you to learn how attacks actually appear in real systems, not just in textbooks.

Incident Responder

Required Seniority: Mid → Senior

When an alert becomes a confirmed threat, the incident responder takes over.

This is the crisis role.

Incident responders focus on:

• containing active attacks

• limiting damage

• removing attacker access

• coordinating with other teams

They work under pressure, often with incomplete information, while systems are already compromised.

The key challenge here is balance:

• move too slowly, and the attacker causes more damage

• move too fast, and you might break critical business systems

Incident responders don’t just clean up messes.

They also document what happened and feed that knowledge back into the SOC so the same attack is detected faster next time.

3. Security Architecture and Engineering

SOC teams detect problems.
Offensive teams expose weaknesses.

But none of that matters if systems are poorly designed in the first place.

Security architecture and engineering exist to answer a different question:

“How do we build systems that are secure by design, not secure by luck?”

These roles focus on prevention, resilience, and scale.

Instead of reacting to incidents, they reduce how often incidents happen at all.

Security Architect

Required Seniority: Senior

Their job is to design how security fits into the organization as a whole.

They ask questions like:

• Where should trust exist—and where shouldn’t it?

• How do identity, network, application, and data security fit together?

• What happens when this system grows, changes, or fails?

A security architect doesn’t usually configure tools day-to-day.
They design the blueprint others follow.

Typical responsibilities include:

• Designing security architectures for networks, applications, and cloud environments

• Defining security standards and patterns

• Evaluating new technologies and their security implications

• Ensuring security supports the business instead of blocking it

This is probably one of the most crucial technical cybersecurity roles in the organization.

Security Engineer

Required Seniority: Mid → Senior (Junior roles are available)

If security architects design the blueprint, security engineers build it.

This is the hands-on role responsible for turning ideas, policies, and architectures into real, working defenses.

Security engineers focus on:

• implementing security controls across systems and applications

• configuring and maintaining security tools

• integrating security into existing infrastructure

• automating repetitive security tasks

They work closely with IT, DevOps, and development teams to make sure security actually works in practice, not just on paper.

Typical responsibilities include:

• deploying and managing endpoint, network, and identity security controls

• hardening operating systems and applications

• integrating security into CI/CD pipelines

• validating that security controls are effective

TIP: Very convenient for SW developers who want to break into cybersecurity!

Many people move into security engineering from SOC or general IT roles, which is why junior positions do exist.
Experience with real systems matters more than theory here.

Cloud Security Engineer

Required Seniority: Mid → Senior

Imagine everything that a security engineer does, but for a cloud.

Cloud environments are:

• highly dynamic

• heavily automated

• built around APIs and identity

Most cloud breaches don’t happen because of advanced exploits.
They happen because of simple misconfigurations.

Cloud security engineers exist to prevent exactly that.

Have you chosen your path? Let me know in the comments and let’s discuss it!

Leave a comment

4. Governance, Risk, and Compliance

This is where we get from highly technical roles to business and strategic roles.

These roles focus on risk, rules, and decision-making, not tools.

They make sure security:

• aligns with business goals

• meets legal and regulatory requirements

• focuses on real risk instead of security theater

Security Auditor

Required Seniority: Junior → Mid

Security auditors verify whether security controls actually exist, and whether they work as intended.

Their job is not to break systems, but to check reality against promises.

They focus on:

• reviewing security controls and processes

• assessing compliance with standards and regulations

• identifying gaps between policy and practice

• documenting findings for management and regulators

Auditors are detail-oriented and methodical.
They care about evidence, consistency, and repeatability.

Without audits, organizations often discover weaknesses only after a breach.

Do you think you’re the only one who is struggling with breaking into cybersecurity?

WRONG!

We all have been there. So let’s face it together! Join the community of nearly 600 cybersecurity enthusiasts and professionals!

Risk Manager

Required Seniority: Mid → Senior

Risk managers think in probabilities and impact.

Their role is to help the organization understand:

• What could go wrong

• How likely it is

• How bad it would be if it did

They focus on:

• identifying and prioritizing security risks

• analyzing business impact

• defining risk treatment strategies

• supporting leadership decision-making

Risk managers translate technical issues into business language.

Without effective risk management, organizations often:

• overspend on low-impact issues

• Ignore critical risks

• make emotional instead of informed decisions

Compliance Specialist

Required Seniority: Junior → Mid

Compliance specialists focus on rules, frameworks, and regulations.

They ensure the organization:

• understands regulatory requirements

• implements necessary controls

• documents processes correctly

Their responsibilities typically include:

• interpreting security regulations and standards

• translating requirements into internal processes

• helping teams understand what is required of them

• preparing for audits and assessments

Basically, the goal of this role is to translate external obligations to everyone who is affected.

5. Management and Leadership (This will take a while)

At some point, cybersecurity stops being about tools and systems.

It becomes about people, priorities, and strategy.

Management and leadership roles exist to coordinate efforts, allocate resources, and ensure security delivers real value to the organization.

Security Program Manager

Required Seniority: Mid → Senior

Security program managers keep security initiatives moving.

They focus on:

• planning and tracking security projects

• coordinating between teams

• managing timelines and dependencies

• ensuring initiatives deliver measurable results

They don’t usually configure tools or respond to incidents.
They make sure things actually get done.

Without program management, security efforts often stall or fail due to poor coordination, not technical limitations.

Security Director

Required Seniority: Senior

Security directors lead security teams and operations.

They sit between hands-on security work and executive leadership.

Their responsibilities include:

• managing security teams

• setting operational priorities

• overseeing budgets and resources

• ensuring alignment with business objectives

A strong security director provides clarity and direction.
A weak one creates chaos, even with talented teams.

Chief Information Security Officer (CISO)

Required Seniority: Executive / Senior

The CISO owns the organization’s security vision and strategy.

This role is about:

• defining long-term security direction

• communicating risk to executives and the board

• balancing security needs with business goals

• building and leading mature security programs

A CISO doesn’t manage firewalls or alerts.

It is a C-suite role that sits at the highest level of the organization and makes sure that the overall security strategy is aligned with the business goals.

Without effective CISO leadership, security becomes fragmented, reactive, and misaligned with reality.

Conclusion

A lot of roles, right?

Don’t worry, you don’t have to decide everything today.

What does matter is that you understand the five main paths in cybersecurity, because that decision will shape everything that comes next.

Certifications.
Skills.
Entry roles.
Even how long your journey will take.

For example:
If your goal is to become a penetration tester, it makes no sense to start with leadership-focused certifications like CISSP and position yourself as a security manager.

That mismatch costs people years of effort and thousands of dollars.

Choosing a path first makes your journey:

• faster

• cheaper

• and far less frustrating

And here’s the good news:

In the next article, I’ll break down specific, realistic certifications for each of the five cybersecurity paths, so you know exactly what makes sense for your goal, and what doesn’t.

What Should You Learn Next?

If you’re starting your cybersecurity journey, focus on fundamentals.

You don’t need to learn everything at once.

Start with:

• Network protocols

• IP addressing

• DNS

• Encryption

• Network Devices

These concepts appear everywhere in cybersecurity.

And if you master them, you will already be ahead of most beginners.

Ready to level up your cybersecurity skills?

• 💬Comment below and tell me what your experience with SLAs is

• ❓Take the quiz to test your understanding: CybersecErich: Quiz Hub

• 📰Subscribe (free or paid) to get new posts straight to your inbox.

• Share this with a friend studying for CISSP, or anyone curious about cybersecurity