The Cybersecurity Landscape
Cyberattacks happen every few seconds, around the clock. Here's the battlefield — who's attacking, who's defending, what's at stake, and where you fit in.
September 7, 2017: the day Equifax disclosed that 147 million people had been robbed without knowing it
Imagine waking up one morning to discover that your Social Security number, birth date, home address, and driver's license number were sitting on a hacker's server. You didn't click a bad link. You didn't download a shady app. You didn't do anything wrong.
Equifax, one of the three major credit bureaus in the United States, ran a consumer-facing web application on a server with a known vulnerability in Apache Struts, the framework the application was built on. A patch had been available for about two months. Nobody applied it.
Attackers walked in through that unpatched door. They moved through Equifax's network for 76 days before anyone noticed. By the time it was over, the personal data of roughly 147 million Americans was gone. Equifax eventually agreed to a settlement worth up to $700 million.
One server. One missing patch. Two months of neglect. That's all it took.
This is the world of cybersecurity — and this module is your first look at the battlefield.
Who is attacking — and why?
Not all attackers are the same. A teenager running downloaded hacking tools from their bedroom is a very different threat than a team of military intelligence officers backed by a nation-state budget. Understanding who is attacking helps you understand how to defend.
| Threat actor | Motivation | Sophistication | Real-world example |
|---|---|---|---|
| Script kiddies | Bragging rights, curiosity | Low — uses pre-built tools | Teenager DDoSing a gaming server with LOIC |
| Hacktivists | Ideology, political protest | Low to medium | Anonymous taking down government websites |
| Organized crime | Money — ransomware, fraud | Medium to high | REvil demanding $70M from Kaseya (2021) |
| Nation-state actors | Espionage, sabotage, geopolitical | Very high — custom tools, APTs | SolarWinds attack attributed to Russian SVR |
| Insider threats | Revenge, money, or just carelessness | Varies — already has access | Edward Snowden, or an employee clicking a phishing link |
Seven breaches that shaped the field:
- 2013, Target: 40M credit cards stolen via an HVAC vendor's network access
- 2014, Sony Pictures: North Korea hacks Sony over a movie, leaks unreleased films
- 2017, WannaCry: ransomware hits 150 countries in 24 hours, cripples NHS hospitals
- 2017, Equifax: 147M records exposed from one unpatched server
- 2020, SolarWinds: nation-state supply chain attack reaches up to 18,000 organizations
- 2021, Colonial Pipeline: ransomware shuts down the largest US fuel pipeline for 6 days
- 2023, MOVEit: zero-day in a file transfer tool exposes data from 2,000+ organizations
There Are No Dumb Questions
"Are hackers always criminals?"
No. "Hacker" originally meant someone who loves to take things apart and understand how they work. Today, the security industry distinguishes between black hat (malicious), white hat (ethical, hired to test security), and grey hat (finds vulnerabilities without permission but reports them). Many of the best defenders started as hackers in the original sense — deeply curious tinkerers.
"Can a small business really be a target? We have nothing worth stealing."
Small businesses are targeted constantly, in part because they think this way. Attackers run automated scanners that probe millions of internet-facing systems; the scanner does not know or care whether you have 5 employees or 50,000. If your door is unlocked, they walk in. Small businesses also have less security budget and fewer staff, which makes them attractive ransomware targets.
Classify the Attacker
Exercise: a government-funded team spends 18 months infiltrating a defense contractor's email system to steal weapons designs. Which threat actor type is this?
The CIA Triad — the foundation of everything
If cybersecurity were a religion, the CIA Triad would be its holy trinity. Every security decision, every control, every tool maps back to protecting one or more of these three principles.
And no, we are not talking about the Central Intelligence Agency.
CIA stands for Confidentiality, Integrity, and Availability. Think of them like this:
| Principle | The question it answers | Everyday analogy |
|---|---|---|
| Confidentiality | Can only the right people see this? | A locked diary — only you have the key |
| Integrity | Has anyone tampered with this? | A sealed envelope — you can tell if it has been opened |
| Availability | Can I access this when I need it? | A library that is always open during posted hours |
Confidentiality means keeping secrets secret. When Equifax's data was stolen, confidentiality was violated. Encryption, access controls, and classification systems all serve confidentiality.
Integrity means data is accurate and unaltered. If someone changes your bank balance from $5,000 to $500 without authorization, that is an integrity violation — even if they didn't steal anything. Checksums, digital signatures, and version control protect integrity.
Availability means systems work when they need to. When the WannaCry ransomware locked NHS hospital computers in 2017, doctors couldn't access patient records. Nobody stole data — the data was just unavailable. Redundancy, backups, and DDoS protection serve availability.
✗ When the triad is violated
- Customer data posted on the dark web (Confidentiality)
- Medical records altered by malware (Integrity)
- E-commerce site down during Black Friday (Availability)
✓ When the triad is protected
- Data encrypted at rest and in transit (Confidentiality)
- Checksums and signatures verify a file has not changed (Integrity)
- Redundant servers keep the site running 24/7 (Availability)
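The integrity paragraph above says checksums and digital signatures protect integrity, but it does not show the difference between them. The following is an added example for this module, not code from the original page: it takes the bank-balance scenario from the text, tampers with the record, and shows that a plain SHA-256 checksum catches the change only while the attacker cannot rewrite the checksum too, whereas a keyed HMAC still catches it. The record, the account values and the key are constructed for illustration.

```python
"""Integrity checks on a record.

A plain SHA-256 checksum detects accidental or unsophisticated tampering,
but an attacker who can rewrite the record can usually rewrite the stored
checksum as well. An HMAC keyed with a secret the attacker does not hold
closes that gap. Added example code; the record, key and values are
constructed, not real data.
"""
import hashlib
import hmac
import json

# Constructed sample record (not real account data): $5,000.00 in cents.
RECORD = {"account": "12345678", "owner": "A. Example", "balance_cents": 500000}

# Constructed secret; in practice this comes from a key store, never source code.
SECRET_KEY = b"demo-key-for-illustration-only"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical data always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed SHA-256 of the canonical record."""
    return hashlib.sha256(canonical(record)).hexdigest()


def verify_checksum(record: dict, expected: str) -> bool:
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(checksum(record), expected)


def mac(record: dict, key: bytes) -> str:
    """HMAC-SHA256 of the canonical record; needs the key to recompute."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_mac(record: dict, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(mac(record, key), expected)


def tamper(record: dict) -> dict:
    """Simulate the integrity violation from the text: $5,000 becomes $500."""
    altered = dict(record)
    altered["balance_cents"] = 50000
    return altered


def demo() -> dict:
    """Run the cases and report which checks caught the tampering."""
    stored_sum = checksum(RECORD)
    stored_mac = mac(RECORD, SECRET_KEY)
    altered = tamper(RECORD)

    return {
        # Untouched record passes both checks.
        "intact_checksum_ok": verify_checksum(RECORD, stored_sum),
        "intact_mac_ok": verify_mac(RECORD, SECRET_KEY, stored_mac),
        # Altered record, old checksum still on file: the change is detected.
        "tamper_caught_by_checksum": not verify_checksum(altered, stored_sum),
        # Attacker also recomputes the checksum: a bare hash cannot tell.
        "tamper_with_recomputed_checksum_caught": not verify_checksum(altered, checksum(altered)),
        # Attacker cannot recompute the MAC without the key: still detected.
        "tamper_caught_by_mac": not verify_mac(altered, SECRET_KEY, stored_mac),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The takeaway is the fourth result: an unkeyed checksum only proves a record matches the checksum sitting next to it, so it protects against corruption and careless edits, not against an attacker with write access to both. That is why integrity controls that must resist an adversary use a MAC or a digital signature, where the verification secret (or private key) is kept away from whoever can write the data.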
There Are No Dumb Questions
"Do you always need all three? Can I just focus on confidentiality?"
All three matter, but the balance shifts based on context. A military intelligence system prioritizes confidentiality above all else — better for the system to go offline than to leak secrets. A hospital emergency system prioritizes availability — a doctor needs patient records now, even if it means slightly relaxed access controls. An online banking system needs all three equally. Understanding these trade-offs is a core skill.
"What about privacy? Is that the same as confidentiality?"
Related but distinct. Confidentiality is a technical property — is the data protected from unauthorized access? Privacy is a legal and ethical concept — does the individual have control over how their personal information is collected, used, and shared? You can have confidentiality without privacy (the data is secure, but the company uses it in ways you never agreed to), and you can have privacy policies without confidentiality (a company promises to protect your data but leaves a database exposed to the internet).
CIA Triad Scenarios
Exercise: an attacker intercepts and reads emails between a CEO and their lawyer. Which CIA Triad principle is violated?
The attack surface — where do attackers get in?
An "attack surface" is every possible point where an unauthorized user could try to enter or extract data. Think of it like the doors, windows, vents, and skylights of a building — the more openings you have, the more places you need to guard.
People — the number one attack vector
Phishing emails, phone scams, fake login pages, pretexting (pretending to be IT support) — social engineering targets the human operating system. Technology can be patched; human nature cannot. An attacker who can convince one employee to hand over their password has bypassed every firewall in the building.
Software vulnerabilities
Every piece of software has bugs. Some bugs are security vulnerabilities: flaws an attacker can exploit. A "zero-day" is a vulnerability that is being exploited before the vendor has a fix available, so defenders have had zero days to patch. The Equifax breach exploited a vulnerability that was already known and already fixed upstream; the failure was not applying the fix. Zero-days are harder to defend against because there is no patch to apply yet.
Networks
When data travels between your computer and a server, it passes through routers, switches, DNS servers, and Wi-Fi access points. Each is a potential interception point. Man-in-the-middle attacks intercept traffic. DNS poisoning redirects you to fake websites. Unsecured Wi-Fi is an open invitation.
Physical access
The most underrated attack vector. A USB drive left in a parking lot ("USB drop") is a classic social engineering trick — curiosity makes people plug it in. Tailgating (following someone through a secured door) bypasses access cards. Dumpster diving through discarded documents is still shockingly effective.
Cloud misconfigurations
With organizations moving infrastructure to AWS, Azure, and Google Cloud, misconfigured storage buckets have become one of the most common breach causes. An S3 bucket set to "public" is the digital equivalent of leaving your filing cabinet on the sidewalk.
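What "set to public" means in practice is a bucket policy whose Principal is "*" with no Condition narrowing it. The following is an added example for this module, not AWS tooling or code from the original page: it parses embedded bucket policy documents offline and flags Allow statements open to everyone, with the weak policy shown beside a corrected one that grants the same read access to a single IAM role. The bucket name, account ID, role name and VPC endpoint ID are made up.

```python
"""Audit an S3 bucket policy for statements that grant access to everyone.

Added example code, not an AWS tool. Bucket names, account ID, role and
VPC endpoint ID are constructed for illustration. Runs offline on the
embedded policy documents.
"""
import json

# Constructed: the misconfiguration from the text, every object world-readable.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

# Constructed: the same bucket, readable only by one role in one account.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReportingRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/reporting"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

# Constructed: "everyone", but only through one VPC endpoint. The Condition
# narrows the grant, so this checker treats it as not world-readable.
CONDITIONAL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnlyRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal) -> bool:
    """IAM reads both '*' and {'AWS': '*'} as anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def find_public_statements(policy_json: str) -> list:
    """Return the Sid (or index) of each Allow statement open to everyone with no Condition."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not widen access
        if not is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # narrowed grant; a fuller audit still reviews these
        findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


if __name__ == "__main__":
    for name, doc in [("weak", WEAK_POLICY), ("fixed", FIXED_POLICY),
                      ("conditional", CONDITIONAL_POLICY)]:
        print(f"{name}: public statements = {find_public_statements(doc)}")
```

Two caveats a practitioner would add. First, the bucket policy is not the only path to exposure: legacy bucket and object ACLs can grant public read independently, so an audit has to check those too. Second, the account-level and bucket-level S3 Block Public Access settings override policies like WEAK_POLICY when enabled, which is why turning them on everywhere is the usual first control, with policy review as the second layer.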
Defense in depth — the medieval castle strategy
Here is an analogy that has been used by cybersecurity professionals for decades, because it works perfectly.
Imagine a medieval castle. A castle does not rely on a single wall to keep invaders out. It uses layers — each one makes it harder for an attacker to get through, and each one buys defenders more time to respond.
This is called defense in depth — the principle that no single security control is enough. You need multiple overlapping layers so that when (not if) one layer fails, the next one catches the attacker.
The Moat = Firewall — the first barrier. Filters traffic before it reaches your network. Makes casual attackers turn around.
The Outer Walls = Network segmentation — divides your network into zones. Even if attackers breach the perimeter, they cannot move freely everywhere.
The Guards = Intrusion Detection / Prevention Systems (IDS/IPS) — sentries watching for suspicious behavior and raising the alarm.
ID Checks at the Gate = Authentication and access control — proving you are who you say you are (passwords, MFA, biometrics) and verifying you are allowed in.
Locked Rooms and Vaults = Encryption — even if attackers get inside, the valuables are locked in ciphered containers they cannot open.
The Escape Plan = Incident response — when a breach happens, you have a rehearsed plan to contain the damage, preserve evidence, and recover.
The cybersecurity career landscape
Here is the good news: cybersecurity is one of the fastest-growing, highest-paying, and most in-demand career fields on the planet. And unlike many tech careers, you do not necessarily need a computer science degree to break in.
Key roles and what they pay
| Role | What you do | Typical salary (USD) | Entry requirement |
|---|---|---|---|
| SOC Analyst | Monitor security alerts, triage incidents, first responder | $65,000 - $90,000 | Security+ cert, basic networking knowledge |
| Penetration Tester | Legally hack organizations to find vulnerabilities before criminals do | $90,000 - $130,000 | CEH or OSCP, strong technical skills |
| Security Engineer | Design, build, and maintain security infrastructure | $110,000 - $160,000 | 3-5 years experience, cloud/networking expertise |
| Incident Responder | Investigate breaches, contain damage, perform digital forensics | $85,000 - $120,000 | GCIH cert, analytical mindset |
| CISO | Chief Information Security Officer — leads security strategy for an entire organization | $200,000 - $400,000 | 10+ years experience, business and leadership skills |
The SOC Analyst role is where most people start. Think of it as the emergency room of cybersecurity — you are the first person to see the alerts, decide what is real, and escalate serious incidents. It is not glamorous, but it is where you build the instincts that every other role requires.
Breaking in without a CS degree
Many of the best security professionals came from non-traditional backgrounds — military, law enforcement, IT support, even teaching. What matters more than a specific degree:
- Curiosity — you genuinely enjoy figuring out how things work (and break)
- Problem-solving — you can think like an attacker to defend like a pro
- Continuous learning — threats evolve daily; you have to evolve with them
- Communication — explaining risk to non-technical executives is half the job
The certification roadmap
Certifications are the currency of the cybersecurity job market. They prove to employers that you have a baseline of verified knowledge. Here is the path most professionals follow:
| Certification | What it covers | Cost | Difficulty | Best for |
|---|---|---|---|---|
| CompTIA Security+ | Foundational security concepts, threats, architecture, operations | ~$404 (verify at comptia.org for current pricing) | Beginner-friendly | Your first security role — SOC Analyst, junior security |
| CEH (Certified Ethical Hacker) | Hacking tools and techniques from the attacker perspective | ~$1,200 | Intermediate | Aspiring penetration testers |
| CISSP | Security management, risk, architecture — broad and deep | ~$750 | Advanced (requires 5 years experience) | Senior roles, management, CISO track |
| OSCP | Hands-on penetration testing — 24-hour practical exam | ~$1,600 | Very hard — purely practical | Serious penetration testers and red teamers |
Back to Equifax
One server. One missing patch. Two months of neglect. The attackers moved through Equifax's network for 76 days before anyone noticed, and 147 million Americans lost their personal data. Every concept in this module — threat actors, attack surfaces, the CIA Triad, defense in depth — maps directly to what went wrong. The patch existed. The vulnerability was known. The failure was not technical complexity; it was the absence of basic security discipline applied consistently.
Key takeaways
- The Equifax breach showed that a single unpatched server can expose 147 million records — cybersecurity failures have real, massive consequences
- Five threat actor types operate with different motivations and capabilities — from script kiddies seeking bragging rights to nation-states conducting espionage
- The CIA Triad (Confidentiality, Integrity, Availability) is the foundation of every security decision — learn to evaluate any scenario through this lens
- Attack surfaces span people, software, networks, physical access, and cloud — people remain the weakest link
- Defense in depth means layering security controls so no single failure is catastrophic — think medieval castle, not single fence
- Cybersecurity careers offer strong salaries, high demand, and accessible entry paths; a common starting point is Security+ and a SOC Analyst role
Knowledge Check
1. In the 2017 Equifax breach, what was the root cause that allowed attackers to gain initial access?
2. A ransomware attack encrypts a hospital's patient records, preventing doctors from accessing critical medical information during emergencies. Which CIA Triad principle is PRIMARILY violated?
3. A company installs a state-of-the-art firewall but takes no other security measures. An employee falls for a phishing email, gives away their password, and an attacker accesses the internal network. Which security principle did the company fail to follow?
4. Which entry-level cybersecurity certification is most widely recommended as a starting point, is vendor-neutral, and meets US Department of Defense baseline requirements?