Lesson 2	What is security?
Objective	Explain “security” as a continuous process and classify resources with baseline controls.

Security: a continuous, risk-based process

The Internet was built as an open network—excellent for connectivity, not for confidentiality. Security is therefore an ongoing practice of reducing risk to acceptable levels while keeping systems usable. Effective programs balance:

Confidentiality – only authorized parties access data
Integrity – data/systems are not altered improperly
Availability – legitimate users can do their jobs

Know what you’re protecting

Start by inventorying assets and failure modes. The diagram highlights four categories commonly targeted:

Workstations: lock screens, anti-malware; Networks: company communication fabric; Information: core data assets; Servers: concentration points that require hardening. — **Local resources (endpoints):** Auto-lock, strong auth, anti-malware, patching, least-privilege users, safe-download training.

**Network resources:** Your backbone; compromise here often exposes many paths.

**Information & databases:** The crown jewels—protect in transit/at rest, and back up with restore tests.

**Servers & services:** Web, mail, SFTP/APIs, identity; harden aggressively because compromise cascades.

Types of security resources & baseline controls

Local resources (workstations, laptops, mobiles)
- Full-disk encryption; auto-lock; password manager; MFA where possible
- EDR/anti-malware; block unsigned/risky software; timely OS/firmware updates
- Hygiene training: don’t bypass warnings; verify downloads
Network resources
- Segment by trust level; default-deny between segments
- Firewall/WAF as appropriate; DNS/DHCP hardening; secure Wi-Fi (WPA3-Enterprise) and 802.1X for wired
- Central flow/log collection with retention and alerts
Database & information resources
- RBAC and least privilege; separation of duties
- Encrypt sensitive data in transit/at rest; rotate keys
- Backups with periodic restore tests; consider immutability for ransomware resilience
Server & service resources
- Minimize attack surface (remove unused packages/services); baseline hardening
- TLS everywhere; prefer modern file-transfer (SFTP/FTPS) over legacy FTP
- Centralized logging, time sync, configuration/state monitoring

What “security” means day-to-day

Absolute safety isn’t attainable; well-designed guardrails lower risk and improve usability. Favor single sign-on, device compliance checks, and automation so secure choices are the easiest choices.

Useful terms:

Threat / Vulnerability / Risk – intent + weakness + likelihood/impact
Defense in depth – multiple layers so single failures don’t become breaches
Zero trust – never assume; continuously verify identity, device, and context

Observations from incident reviews

Recurring root causes include missing/misconfigured firewalls, no written policy, and insufficient visibility. Counter them with routine patching, hardened defaults, centralized logs/metrics, and rehearsed incident response.

Policies that people can follow

Policies fail when they fight the workflow. Make controls:

Default-on (least privilege, MFA, encryption)
Automated (MDM/Group Policy/desired-state tools)
Measurable (owners, tickets, SLAs, and auditable logs)

Quick verification lab

Run in a test environment; tailor hosts/ports for your network.

# HTTP(S) reachability and policy checks
curl -I https://intranet.example.com
curl --max-time 5 http://blocked.example.com   # should fail if HTTP is blocked

# Basic service exposure from a management jump host
nmap -Pn -sT -p 22,25,80,443,3389 server.example.com

# Windows: verify auto-lock policy (PowerShell)
Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop\' -Name ScreenSaveActive,ScreenSaverIsSecure,ScreenSaveTimeOut

Open network: a system optimized for interoperability and reach, not built-in confidentiality.

Firewall: a control that filters traffic between zones; can be software, hardware, or cloud-native.