In today’s digital-first world, understanding how to detect and respond to threats is crucial. Whether you’re a SOC analyst, IT professional, or someone interested in monitoring systems and networks, knowing the basics can go a long way. In this blog, we’ll cover some key terms and concepts in a simple way.

What are HIDS and NIDS?

  • HIDS (Host-based Intrusion Detection System): Installed on individual devices/hosts to monitor suspicious activities such as file changes, logs, or unauthorized access attempts.
  • NIDS (Network-based Intrusion Detection System): Monitors network traffic to detect malicious patterns or unusual behavior.

What is the CIA Triad?

The CIA Triad is the foundation of information security:

  • Confidentiality – Keeping data private and accessible only to authorized users.
  • Integrity – Ensuring data is accurate and not altered without permission.
  • Availability – Making sure systems and data are accessible when needed.

What is AAA?

AAA stands for Authentication, Authorization, and Accounting:

  • Authentication: Verifying identity (e.g., login with username & password).
  • Authorization: Deciding what actions the user is allowed to perform.
  • Accounting: Tracking user activities for audits or monitoring.

What is an Indicator of Compromise (IOC)?

IOCs are clues that a system might be breached, such as unusual login locations, unexpected network traffic, or unknown files appearing.

What are Indicators of Attack (IOAs)?

IOAs focus on detecting the attacker’s methods or intent while the attack is happening, such as multiple failed login attempts or suspicious commands.
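The "multiple failed login attempts" IOA above, turned into detection logic as an added example (not part of the original post). The log lines are constructed in an sshd-like format; the threshold of 5 failures per source within 1 minute is an assumed tuning value.

```python
"""Flag a burst of failed logins from one source as an indicator of attack.

Added example, not from the original post. The log lines below are constructed
in an sshd-like format; the threshold and window are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-03-01 10:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 51234
2024-03-01 10:00:03 sshd[1202]: Failed password for admin from 203.0.113.7 port 51236
2024-03-01 10:00:04 sshd[1203]: Accepted password for alice from 198.51.100.5 port 40001
2024-03-01 10:00:06 sshd[1204]: Failed password for root from 203.0.113.7 port 51240
2024-03-01 10:00:08 sshd[1205]: Failed password for oracle from 203.0.113.7 port 51242
2024-03-01 10:00:09 sshd[1206]: Failed password for invalid user test from 203.0.113.7 port 51244
2024-03-01 10:09:00 sshd[1207]: Failed password for bob from 198.51.100.5 port 40010
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: time_of_first_alert} for every source that produced
    at least `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and m["src"] not in alerts:
            alerts[m["src"]] = ts         # alert once per source, at the 5th failure
    return alerts
```

The single failure from 198.51.100.5 never crosses the threshold, so only the burst from 203.0.113.7 is flagged.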

What is the OSI Model?

The OSI (Open Systems Interconnection) model explains how data moves in a network through 7 layers:

  • Physical – Hardware, cables, signals.
  • Data Link – MAC addresses, switches, error detection.
  • Network – IP addresses, routing.
  • Transport – TCP/UDP, reliability.
  • Session – Establishing and managing sessions.
  • Presentation – Data formatting, encryption.
  • Application – User-facing applications like browsers, email.

What is the Three-Way Handshake?

It’s the process TCP uses to establish a connection:

  • SYN – Client requests a connection.
  • SYN-ACK – Server acknowledges and agrees.
  • ACK – Client confirms, and the connection is established.
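The three steps above as a small simulation with the sequence and acknowledgement numbers each side sends. This is an added example, not from the original post: a toy state machine rather than a real TCP stack, with random initial sequence numbers as a real implementation would use.

```python
"""TCP three-way handshake with sequence/acknowledgement arithmetic.
Added example, not from the original post: a toy state machine, not a real
TCP stack; ISNs are random as in a real implementation."""
import secrets
from dataclasses import dataclass

MOD = 2**32   # sequence numbers wrap at 32 bits

@dataclass(frozen=True)
class Segment:
    syn: bool
    ack: bool
    seq: int        # this segment's sequence number
    ack_num: int    # next sequence number expected from the peer (when ack is set)

class Endpoint:
    def __init__(self, name):
        self.name = name
        self.state = "CLOSED"
        self.isn = secrets.randbelow(MOD)   # initial sequence number

    def connect(self):
        self.state = "SYN-SENT"             # client: send SYN and wait
        return Segment(syn=True, ack=False, seq=self.isn, ack_num=0)

    def receive(self, seg):
        """Consume one segment; return the reply segment, or None."""
        if self.state == "CLOSED" and seg.syn and not seg.ack:      # server: SYN in
            self.state = "SYN-RECEIVED"     # half-open until the final ACK arrives
            # A SYN occupies one sequence number, so the server expects seq+1 next.
            return Segment(syn=True, ack=True, seq=self.isn, ack_num=(seg.seq + 1) % MOD)
        if self.state == "SYN-SENT" and seg.syn and seg.ack:         # client: SYN-ACK in
            if seg.ack_num != (self.isn + 1) % MOD:
                raise ValueError("SYN-ACK does not acknowledge our SYN")
            self.state = "ESTABLISHED"
            return Segment(syn=False, ack=True, seq=seg.ack_num, ack_num=(seg.seq + 1) % MOD)
        if self.state == "SYN-RECEIVED" and seg.ack and not seg.syn: # server: ACK in
            if seg.ack_num != (self.isn + 1) % MOD:
                raise ValueError("ACK does not acknowledge our SYN")
            self.state = "ESTABLISHED"
            return None
        raise ValueError(f"{self.name}: unexpected segment in state {self.state}")

def handshake():
    """Run SYN, SYN-ACK, ACK; return both states and whether the final ACK acknowledged server ISN+1."""
    client, server = Endpoint("client"), Endpoint("server")
    syn = client.connect()              # 1. SYN
    syn_ack = server.receive(syn)       # 2. SYN-ACK
    ack = client.receive(syn_ack)       # 3. ACK
    server.receive(ack)
    return client.state, server.state, ack.ack_num == (server.isn + 1) % MOD
```

The server's SYN-RECEIVED state is the half-open connection that only the third step closes, which is why a handshake that never completes ties up server resources.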

What is the TCP/IP Model?

The TCP/IP model has 4 layers:

  • Application
  • Transport
  • Internet
  • Network Access

How to Protect Against Man-in-the-Middle (MITM) Attacks

  • Always use HTTPS websites.
  • Avoid public Wi-Fi or use a VPN.
  • Enable multi-factor authentication (MFA).
  • Keep your devices updated.

What are common HTTP response codes?

  • 200 OK – Request successful
  • 301/302 – Redirect (permanent / temporary)
  • 400 Bad Request – Malformed or invalid request
  • 401 Unauthorized – Authentication required or failed
  • 403 Forbidden – Authenticated but not permitted to access the resource
  • 404 Not Found – Resource does not exist
  • 500 Internal Server Error – Unhandled error on the server

Explain OWASP Top 10

The ten categories are:

  • Broken Access Control
  • Cryptographic Failures
  • Injection (SQL, NoSQL)
  • Insecure Design
  • Security Misconfiguration
  • Vulnerable Components
  • Identification & Authentication Failures
  • Software/Data Integrity Failures
  • Security Logging Failures
  • Server-Side Request Forgery (SSRF)

What is SQL Injection?

A technique where attackers insert malicious SQL into input fields so that it is executed as part of the application's database query, letting them read or modify data.

What are the Types of SQL Injection?

  • Classic/Union-based – Using UNION statements to append results from another query.
  • Error-based – Triggering database errors whose messages leak information.
  • Blind SQL Injection – Inferring results from the application's true/false behaviour when no data or error is shown.
  • Time-based – Measuring response delays to infer results.

How to Prevent SQL Injection

  • Use parameterized queries or prepared statements.
  • Validate and sanitize inputs.
  • Apply least privilege access for databases.

Explain XSS Types

  • Stored XSS – Malicious script saved on the server.
  • Reflected XSS – Script sent via a URL or request.
  • DOM-based XSS – Manipulation happens in the browser DOM.

What is IDOR?

IDOR (Insecure Direct Object Reference) is a type of security vulnerability where an application exposes direct access to objects, such as files, database records, or user accounts, without proper authorization checks. Attackers can manipulate identifiers, like changing a user ID in the URL (example.com/profile?id=123) to access data belonging to another user.
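The profile lookup described above, first trusting the id from the request and then with the authorization check that IDOR lacks. This is an added example, not from the original post; the in-memory PROFILES store and the session dict stand in for a real database and web framework.

```python
"""Direct object reference without and with an ownership check.

Added example, not from the original post; the in-memory PROFILES store and
the session dict stand in for a real database and web framework."""

# Constructed data: profile id -> record; 'owner' is the user id it belongs to.
PROFILES = {
    123: {"owner": 123, "email": "alice@example.com"},
    124: {"owner": 124, "email": "bob@example.com"},
}

class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""

def get_profile_vulnerable(session, profile_id):
    """Looks the object up by the id taken from the request (e.g. ?id=124)
    and never consults the session: any logged-in user can read any profile."""
    return PROFILES.get(profile_id)

def get_profile_checked(session, profile_id):
    """Same lookup, but the record is released only if the authenticated user
    owns it (or holds the admin role). Unknown and foreign ids both raise the
    same error so the response does not reveal which ids exist."""
    record = PROFILES.get(profile_id)
    is_owner = record is not None and record["owner"] == session["user_id"]
    if not (is_owner or session.get("role") == "admin") or record is None:
        raise Forbidden(f"user {session['user_id']} may not read profile {profile_id}")
    return record

def demo():
    """Alice (user 123) requests her own profile, then Bob's (124)."""
    alice = {"user_id": 123, "role": "user"}
    own = get_profile_checked(alice, 123)["email"]
    leaked = get_profile_vulnerable(alice, 124)["email"]      # IDOR: Bob's data returned
    try:
        get_profile_checked(alice, 124)
        blocked = False
    except Forbidden:
        blocked = True
    return own, leaked, blocked
```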

What is RFI?

RFI (Remote File Inclusion) is a web application vulnerability where an attacker tricks the application into including a malicious file from an external server. This usually happens when the app dynamically includes files based on user input, without validating or restricting the source.

What is LFI?

LFI (Local File Inclusion) is similar to RFI but involves including files that already exist on the server. Attackers exploit applications that load local files dynamically without proper validation. This can allow them to read sensitive files (/etc/passwd), access configuration files, or even execute code in some cases.

What is CSRF?

CSRF (Cross-Site Request Forgery) is an attack where a malicious actor tricks a logged-in user into performing unwanted actions on a web application without their consent. It exploits the trust that the application has in the user’s browser.
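The standard defence against the attack described above is a synchronizer token: a random value bound to the session, embedded in the site's own forms, and required on every state-changing request. The browser attaches the session cookie to a forged cross-site request automatically, but the attacker's page cannot read the token. This is an added example, not from the original post; the session store and request dicts stand in for a web framework.

```python
"""Synchronizer-token CSRF defence: per-session token, required on
state-changing requests, compared in constant time.

Added example, not from the original post; SESSIONS and the request dicts
stand in for a web framework's session store and request object."""
import hmac
import secrets

SESSIONS = {}          # session id -> {"user": ..., "csrf": token}

def start_session(user):
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def render_form(sid):
    """Embed the session's token in the form. Only pages this site serves to
    this browser contain it; a third-party page cannot read it."""
    token = SESSIONS[sid]["csrf"]
    return f'<input type="hidden" name="csrf_token" value="{token}">'

def handle_transfer(request):
    """State-changing handler. The cookie is sent by the browser automatically
    (the trust CSRF abuses); the token proves the request came from our form."""
    session = SESSIONS.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "not logged in"
    if request["method"] != "POST":
        return 405, "state changes must be POST"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"{session['user']} transferred {request['form']['amount']}"

def demo():
    sid = start_session("alice")
    token = render_form(sid).split('value="')[1].rstrip('">')
    # Legitimate request from our own form: session cookie plus matching token.
    good = handle_transfer({"method": "POST", "cookies": {"sid": sid},
                            "form": {"csrf_token": token, "amount": "10"}})
    # Forged cross-site request: the browser attaches the cookie, but the
    # attacker's page cannot read the token, so it is absent.
    forged = handle_transfer({"method": "POST", "cookies": {"sid": sid},
                              "form": {"amount": "10"}})
    return good[0], forged[0]
```

In production the token check is normally combined with the SameSite cookie attribute, which stops the browser from attaching the session cookie to most cross-site requests in the first place.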

What is WAF?

WAF (Web Application Firewall) is a security tool designed to protect web applications by filtering, monitoring, and blocking malicious HTTP(S) traffic. Unlike traditional firewalls, which focus on network-level threats, a WAF focuses on application-layer attacks such as SQL injection, XSS, CSRF, and file inclusion attacks.

A WAF analyzes incoming requests and applies rules to detect malicious patterns or behaviors. For example, it can block requests that contain SQL commands in input fields, drop requests that carry the script tags typical of XSS, or restrict access from suspicious IP addresses.

Could you share some general network security product names?

  • Antivirus/Antimalware (e.g., McAfee, Bitdefender)
  • EDR (Endpoint Detection & Response) (e.g., CrowdStrike, SentinelOne)
  • DLP (Data Loss Prevention) tools
  • Encryption & Patch Management solutions

Conclusion

Understanding concepts like the CIA triad, intrusion detection (HIDS/NIDS), OWASP Top 10, SQL injection, XSS, and endpoint protection makes it easier for SOC analysts to monitor, detect, and respond to threats effectively. Knowing these terms helps build stronger defenses and maintain safer systems and networks in the face of modern attacks.