1.3 Information Security Fundamentals

Key Takeaways

  • The CIA triad — Confidentiality, Integrity, Availability — is the model every CEH attack is measured against; many questions ask which element an attack violates
  • A threat is a potential danger, a vulnerability is a weakness, and risk is the likelihood and impact of a threat exploiting a vulnerability (Risk = Threat x Vulnerability x Impact, conceptually)
  • Hacker classes the exam tests: white/black/gray hat, script kiddie, hacktivist, state-sponsored, suicide hacker, and cyber terrorist
  • The Cyber Kill Chain (7 Lockheed Martin stages) and MITRE ATT&CK (tactics + techniques) are the two adversary models CEH expects you to recognize
  • Security controls are classified by function (preventive, detective, corrective, deterrent, compensating) and by type (administrative, technical, physical)
Last updated: June 2026

The CIA Triad

The CIA triad is the foundation of information security. Every attack in CEH can be mapped to which property it breaks:

  • Confidentiality — information is accessible only to authorized parties. Broken by data theft, eavesdropping/sniffing, shoulder surfing, or weak access control.
  • Integrity — information is accurate and unaltered except by authorized changes. Broken by tampering, man-in-the-middle modification, or unauthorized writes. Verified with hashing (SHA-2 family; MD5 and SHA-1 are collision-broken and appear on the exam only as legacy examples) and digital signatures. Caveat: a bare hash only catches accidental corruption, because an attacker who can rewrite the data can recompute the hash as well; protecting integrity against an active adversary needs a keyed MAC (HMAC) or a signature.
  • Availability — systems and data are usable when needed. Broken by denial-of-service (DoS/DDoS), ransomware, or hardware/network failure.

Extensions you should recognize: Authenticity (the source is genuine; established by credentials, certificates, or signatures) and Non-repudiation (a party cannot deny an action). Digital signatures provide non-repudiation because only the holder of the private key could have produced them; audit logs support accountability but are writable by whoever runs the system, so on their own they are evidence rather than proof. Some frameworks, including the CEH "elements of information security", add these two to the triad to form a five-element model.

Exam tip: A DoS attack targets Availability, sniffing targets Confidentiality, and altering a record in transit targets Integrity. Map the attack to the broken property — this is one of the most common question patterns.
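An added example (not code from the original page) of the integrity caveat above, in Python: a constructed transfer record is modified "in transit", and the checks show why an unkeyed SHA-256 hash that travels with the data is no defense against an attacker who can recompute it, while an HMAC under a key the attacker does not hold rejects the change. The message, the tamper function and the key are illustrative assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample message: a transfer record that crosses a network.
ORIGINAL = b"transfer;from=ACC-1001;to=ACC-2002;amount=100"


def tamper(msg: bytes) -> bytes:
    """Simulate an on-path attacker rewriting the amount field."""
    return msg.replace(b"amount=100", b"amount=9100")


# --- Unkeyed hash: detects accidental corruption only -------------------
def sha256_tag(msg: bytes) -> str:
    # SHA-256 rather than MD5/SHA-1: those are collision-broken.
    return hashlib.sha256(msg).hexdigest()


def hash_verify(msg: bytes, tag: str) -> bool:
    # compare_digest avoids timing leaks when comparing tags.
    return hmac.compare_digest(sha256_tag(msg), tag)


# --- Keyed MAC: detects malicious modification --------------------------
def hmac_tag(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, msg), tag)


def demo() -> dict:
    """Run the sender/attacker/receiver scenario and report what each check catches."""
    key = secrets.token_bytes(32)  # shared only between sender and receiver (assumed)

    # Sender transmits message + tag. An on-path attacker sees both.
    plain_tag = sha256_tag(ORIGINAL)
    keyed_tag = hmac_tag(key, ORIGINAL)

    modified = tamper(ORIGINAL)
    # The attacker can recompute the unkeyed hash over the modified message...
    forged_plain_tag = sha256_tag(modified)
    # ...but cannot produce a valid HMAC without the key; the best it can do
    # is forward the original tag, which no longer matches.

    return {
        # lazy attacker leaves the old hash: mismatch, tamper is noticed
        "hash_catches_naive_tamper": not hash_verify(modified, plain_tag),
        # competent attacker recomputes the hash: receiver's check passes!
        "hash_catches_recomputed_tamper": not hash_verify(modified, forged_plain_tag),
        # HMAC over the modified message under the real key never matches the old tag
        "hmac_catches_tamper": not hmac_verify(key, modified, keyed_tag),
        # and the untouched message still verifies
        "hmac_accepts_original": hmac_verify(key, ORIGINAL, keyed_tag),
    }


if __name__ == "__main__":
    for check, caught in demo().items():
        print(f"{check:32s} {caught}")
```

The point to take into the exam and into practice: a hash answers "did this change?", a MAC or signature answers "did this change without the key holder's consent?". Only the second is an integrity control against an adversary.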

Threat vs. Vulnerability vs. Risk

These three terms are repeatedly tested as distractors. Keep them precise:

Term          | Definition                                                            | Example
Threat        | A potential cause of an unwanted incident (the actor or event)        | A ransomware group, a malicious insider, a flood
Vulnerability | A weakness that a threat can exploit                                  | An unpatched server, a weak password policy
Risk          | The likelihood and impact of a threat exploiting a vulnerability      | Probable downtime cost if ransomware hits that unpatched server
Exploit       | The actual technique or code that takes advantage of a vulnerability | A Metasploit module for that CVE

Conceptually, Risk = Threat x Vulnerability x Impact; treat the formula as a mnemonic for the three levers rather than arithmetic to compute. Removing the vulnerability (patching) or reducing impact (backups, segmentation) lowers risk even if the threat still exists, and you usually cannot remove the threat itself. An asset is anything of value being protected. A zero-day is a vulnerability for which no vendor fix exists at the time it is discovered or exploited (often because the vendor does not yet know about it), so patching is not an available control until the vendor ships one.

Classes of Hackers and Threat Actors

CEH expects you to classify attackers by intent and authorization:

Type                          | Intent / Authorization
White hat                     | Authorized, ethical — security professionals and pen testers (the CEH role)
Black hat                     | Malicious, unauthorized — criminals seeking profit, theft, or damage
Gray hat                      | In-between — acts without authorization but not for clear malice (e.g., reports a flaw they found while poking around)
Script kiddie                 | Unskilled, uses prebuilt tools/exploits they don't understand
Hacktivist                    | Politically or socially motivated (defacement, leaks, DDoS)
State-sponsored / nation-state | Government-backed espionage or sabotage; often an Advanced Persistent Threat (APT)
Suicide hacker                | Aims for impact regardless of getting caught or punished
Cyber terrorist               | Uses attacks to cause fear/harm for ideological ends

The defining line for ethical hacking is authorization, not technique — a white hat and a black hat may run the same Nmap scan, but only one has written permission.

Attack Vectors and the Attack Surface

  • An attack vector is the path or method used to reach a target — email phishing, an exposed web app, a malicious USB, or a supply-chain component.
  • The attack surface is the sum of all points where an unauthorized user could try to enter or extract data. Reducing it (closing ports, removing unused services, least privilege) is a core defensive goal.

Attack categories the exam expects: passive (eavesdropping, traffic analysis — no modification), active (modification, injection, DoS), close-in (physical proximity), insider (authorized misuse), and distribution (tampering with hardware/software before delivery).

Adversary Models: Cyber Kill Chain and MITRE ATT&CK

CEH tests two complementary adversary models.

Cyber Kill Chain (Lockheed Martin)

The Cyber Kill Chain models an intrusion as seven sequential stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives. Breaking any single link disrupts the whole attack, which is why it is used to argue for layered defense — for example, blocking malicious email at Delivery stops the chain before Exploitation.

MITRE ATT&CK

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a continuously updated knowledge base of real-world attacker behavior. It is organized into tactics (the adversary's goal, e.g., Initial Access, Persistence, Exfiltration) and techniques (the how, each with a T-number such as T1566 Phishing). Unlike the linear kill chain, ATT&CK is a behavior matrix that blue teams use to map detection coverage and to drive threat-hunting. CEH wants you to know it is behavior-based and complementary to the kill chain — not a replacement for it.

Defense-in-Depth

[Diagram: Defense-in-Depth Layers]

Defense-in-depth layers independent controls so a single failure does not cause full compromise. Think of concentric rings from policy at the outside to the protected asset at the core, which is what the diagram above depicts: policies, procedures and awareness; physical security; perimeter; internal network; host; application; and finally data. Each ring is a place to put a control that an attacker must defeat after getting past the previous one, so a missed phishing email (perimeter) still has to beat host hardening, application authorization and data encryption before it reaches the asset.

Classifying Security Controls

CEH expects you to classify controls two ways at once — by function and by type:

By function:

  • Preventive — stop an incident (firewall rules, MFA, encryption, patching)
  • Detective — discover an incident (IDS, SIEM correlation, log monitoring, audits). Watch the IDS/IPS distinction: an IDS only alerts and is detective, while an IPS sits inline and blocks, which makes it preventive.
  • Corrective — recover after an incident (backups, restore, incident response)
  • Deterrent — discourage (warning banners, visible cameras)
  • Compensating — substitute when a primary control isn't feasible

By type:

  • Administrative — policies, training, background checks, procedures
  • Technical (logical) — software/hardware: ACLs, encryption, IDS, MFA
  • Physical — locks, guards, cameras, mantraps, biometric doors

Exam tip: Map the scenario to both axes. A SIEM that alerts is detective + technical; a backup that restores is corrective + technical; security-awareness training is preventive + administrative; a guard at the door is preventive + physical.
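As an added example (not code from the original page) that ties the MITRE ATT&CK section to the control classification here: a small detective rule in Python that runs over constructed sshd-style log lines, alerts when a burst of failed logins from one source for one user is followed by a success inside a short window, and tags the alert with the ATT&CK technique it detects (T1110 Brute Force, under the Credential Access tactic). The log lines, thresholds, window and rule name are constructed assumptions; the T-number and tactic name are the real ATT&CK identifiers. Because the rule alerts and does not block, it is detective + technical; wiring the same logic to drop the source address inline would turn it into a preventive control.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log in sshd style (not from a real system).
# alice: 5 failures then a success within seconds   -> should alert
# bob:   1 failure then a success                   -> below threshold
# carol: 5 failures, success 10 minutes later       -> outside the window
SAMPLE_LOG = """\
2026-06-01T09:00:01 sshd: Failed password for alice from 203.0.113.7
2026-06-01T09:00:03 sshd: Failed password for alice from 203.0.113.7
2026-06-01T09:00:05 sshd: Failed password for alice from 203.0.113.7
2026-06-01T09:00:07 sshd: Failed password for alice from 203.0.113.7
2026-06-01T09:00:09 sshd: Failed password for alice from 203.0.113.7
2026-06-01T09:00:12 sshd: Accepted password for alice from 203.0.113.7
2026-06-01T09:05:00 sshd: Failed password for bob from 198.51.100.4
2026-06-01T09:30:00 sshd: Accepted password for bob from 198.51.100.4
2026-06-01T09:40:00 sshd: Failed password for carol from 192.0.2.9
2026-06-01T09:40:01 sshd: Failed password for carol from 192.0.2.9
2026-06-01T09:40:02 sshd: Failed password for carol from 192.0.2.9
2026-06-01T09:40:03 sshd: Failed password for carol from 192.0.2.9
2026-06-01T09:40:04 sshd: Failed password for carol from 192.0.2.9
2026-06-01T09:50:00 sshd: Accepted password for carol from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

# Control metadata for the rule: how it classifies on both axes, and the
# ATT&CK technique/tactic it provides coverage for.
RULE = {
    "name": "ssh-bruteforce-then-success",   # assumed rule name
    "function": "detective",
    "type": "technical",
    "attack_technique": "T1110",             # Brute Force
    "attack_tactic": "Credential Access",
}

FAIL_THRESHOLD = 5              # assumed tuning values
WINDOW = timedelta(minutes=2)


def parse(log: str):
    """Yield (timestamp, result, user, src) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect(log: str) -> list:
    """Return one alert per (user, src) whose success follows >= FAIL_THRESHOLD
    failures inside WINDOW. Failures are kept per (user, src) so two users
    from one address, or one user from two addresses, are judged separately."""
    failures = defaultdict(list)   # (user, src) -> failure timestamps
    alerts = []
    for ts, result, user, src in parse(log):
        key = (user, src)
        if result == "Failed":
            failures[key].append(ts)
            continue
        # A success: count only failures that fall inside the sliding window.
        recent = [t for t in failures[key] if ts - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append({
                "rule": RULE["name"],
                "technique": RULE["attack_technique"],
                "tactic": RULE["attack_tactic"],
                "user": user,
                "src": src,
                "failures_before_success": len(recent),
                "time": ts.isoformat(),
            })
        failures[key].clear()      # a success resets the counter either way
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{RULE['function']}/{RULE['type']}] {alert}")
```

The carol lines are there on purpose: without the window check, five old failures followed by a much later legitimate login would fire the same alert, which is the kind of false positive that gets a detective control ignored. Tagging each alert with its ATT&CK technique is what lets a blue team later ask "which tactics do we have zero detections for?" from the rule set alone.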

Test Your Knowledge

  • An attacker floods a company's public web server with traffic until legitimate customers can no longer reach the site. Which element of the CIA triad is primarily violated?
    Answer: Availability.
  • An unskilled individual downloads a ready-made exploit tool they do not understand and runs it against a website. Which class of hacker best describes them?
    Answer: Script kiddie.
  • Which framework is a behavior-based matrix of real-world adversary tactics and techniques that defenders use to assess detection coverage?
    Answer: MITRE ATT&CK.
  • A company deploys a SIEM that generates real-time alerts when it detects anomalous login behavior. How is this control best classified by function and type?
    Answer: Detective (function) and technical (type).