new updates

_explained/1_project.md

@@ -5,6 +5,8 @@ description: what is phishing?
 img: assets/img/projects/phishing.webp
 #importance: 1
 category: phishing
+topic_type: threat
+icon: mail-exclamation
 related_publications: true
 ---
 

_explained/antivirus-edr.md

@@ -0,0 +1,30 @@
+---
+layout: page
+title: Antivirus vs EDR
+description: What is the difference between antivirus and EDR?
+img: assets/img/projects/antivirus-edr.png
+category: explained
+topic_type: tools
+icon: shield-search
+---
+
+## 🛡️ What Is the Difference Between Antivirus and EDR?
+
+Antivirus (AV) software is the traditional approach to endpoint protection. It works primarily by comparing files on your device against a database of known malware signatures. If a file matches a known threat, it is blocked or quarantined. Endpoint Detection and Response (EDR) is a newer, more advanced approach. Rather than just checking files against a known list, EDR continuously monitors behavior on the device — watching for suspicious patterns, unusual processes, or anomalous activity that might indicate an attack, even if the threat has never been seen before. Think of antivirus as a wanted poster and EDR as a security camera watching for suspicious behavior.
+
+---
+
+### 🧪 Real-World Example
+
+A ransomware attacker uses a brand-new variant that no antivirus vendor has seen yet. Because the signature is not in any database, traditional antivirus lets it through. An EDR solution, however, notices that the process is rapidly encrypting files across the disk — behavior that looks exactly like ransomware — and automatically kills the process and alerts the security team before major damage occurs.
+
+---
+
+### ✅ Key Takeaways
+
+- Antivirus uses signature matching against known threats; EDR monitors behavior in real time.
+- EDR can detect zero-day attacks and fileless malware that antivirus often misses.
+- EDR provides detailed forensic logs, helping security teams investigate how an attack happened.
+- Most enterprise environments use EDR; antivirus remains common for personal and small-business use.
+- Many modern tools combine both approaches, often called "next-generation antivirus" (NGAV).
+- EDR typically requires more resources and expertise to manage than traditional antivirus.

_explained/attack-surface.md

@@ -0,0 +1,30 @@
+---
+layout: page
+title: Attack Surface
+description: What is an attack surface?
+img: assets/img/projects/attack-surface.png
+category: explained
+topic_type: concepts
+icon: target
+---
+
+## 🎯 What Is an Attack Surface?
+
+An attack surface is the total collection of points where an unauthorized user could try to enter, extract data from, or cause damage to a system or organization. Every device, application, user account, open port, API, third-party vendor, and even employee is a potential entry point. The larger the attack surface, the more opportunities an attacker has to find a weakness. Attack surface management is the practice of identifying, cataloging, and reducing these exposure points. A key principle in security is attack surface reduction — removing or hardening anything that does not need to be publicly exposed or that is not essential to operations.
+
+---
+
+### 🧪 Real-World Example
+
+A small company has a web server, a remote desktop port left open from an old project, ten employee laptops, and a file-sharing account managed by a vendor. Each of those is part of the attack surface. An attacker scanning the internet finds the open remote desktop port, brute-forces a weak password, and is inside the network — all through one overlooked exposure point that the company forgot existed.
+
+---
+
+### ✅ Key Takeaways
+
+- The attack surface includes everything an attacker could potentially target: software, hardware, people, and processes.
+- A larger attack surface means more risk; reducing it is a core security strategy.
+- Attack surface reduction includes closing unused ports, disabling unnecessary services, and revoking unused accounts.
+- External attack surface refers to what is visible from the internet; internal attack surface covers what an attacker inside the network can reach.
+- Third-party vendors and supply chain partners extend your attack surface beyond your own systems.
+- Regular scanning and asset inventory are essential for understanding what your attack surface actually looks like.

_explained/backups.md

@@ -0,0 +1,38 @@
+---
+layout: page
+title: Backups & the 3-2-1 Rule
+description: What is the 3-2-1 backup rule?
+img: assets/img/projects/backups.png
+category: explained
+topic_type: defense
+icon: cloud-upload
+---
+
+## 💾 What Is the 3-2-1 Backup Rule?
+
+**Backups** are copies of your data stored separately from the original, so you can recover if data is lost, corrupted, or held hostage by ransomware. The **3-2-1 rule** is the simplest and most widely recommended framework for doing backups reliably:
+
+- **3** — Keep at least three copies of your data (the original plus two backups).
+- **2** — Store copies on at least two different types of media (e.g., an internal drive and an external drive, or a local NAS and cloud storage).
+- **1** — Keep at least one copy **offsite** — physically or geographically separate from the others.
+
+The logic is straightforward: a single backup stored next to the original fails if the building burns down or ransomware encrypts everything connected to the same network. Offsite and offline copies survive those scenarios.
+
+A backup that has never been tested is not a real backup. Regularly restore files from your backups to confirm they actually work.
+
+---
+
+### 🧪 Real-World Example
+
+> A small business is hit by ransomware on a Monday morning. Every file on the network is encrypted, and attackers demand $50,000. The IT team checks their backups — they have a cloud backup from the previous night and an offline external drive updated weekly. Within four hours, systems are restored from the cloud backup. They pay nothing.
+
+---
+
+### ✅ Key Takeaways
+
+- Follow the **3-2-1 rule**: three copies, two media types, one offsite.
+- Ensure at least one backup is **offline or air-gapped** so ransomware cannot reach it.
+- **Automate** your backups — manual processes get skipped.
+- **Test restores** on a schedule; a backup you have never restored from may be corrupted or incomplete.
+- Back up **all critical data**: documents, databases, email, configuration files, and system images.
+- Know your **recovery time objective (RTO)** — how fast you need to be back up — and ensure your backup solution can meet it.

_explained/business-email-compromise.md

@@ -0,0 +1,30 @@
+---
+layout: page
+title: Business Email Compromise
+description: What is business email compromise?
+img: assets/img/projects/business-email-compromise.png
+category: explained
+topic_type: threat
+icon: mail-dollar
+---
+
+## 📧 What Is Business Email Compromise?
+
+**Business Email Compromise (BEC)** is a targeted scam in which an attacker impersonates a trusted person — such as a company executive, vendor, or colleague — to manipulate employees into transferring money or sensitive data. Unlike broad phishing campaigns, BEC attacks are carefully researched and highly personalized. Attackers may hijack a real email account, create a look-alike domain, or simply spoof the sender's display name. The goal is usually financial fraud: convincing an accounts payable employee to wire funds to an attacker-controlled account, or tricking HR into redirecting payroll deposits. BEC is one of the costliest cyber threats in the world, responsible for billions of dollars in losses each year.
+
+---
+
+### 🧪 Real-World Example
+
+An employee in the finance department receives an email that appears to come from the company's CEO, asking for an urgent wire transfer to close a confidential deal before end of day. The email tone is authoritative, references real internal details, and asks the employee not to discuss it with others. The employee complies — but the CEO never sent the email, and the money goes to a fraudster overseas.
+
+---
+
+### 🛡️ How to Protect Yourself
+
+- Always verify wire transfer or payment requests by calling the requester directly using a known phone number
+- Look carefully at sender email addresses for subtle misspellings or domain differences
+- Enable multi-factor authentication on all business email accounts
+- Establish a written policy requiring dual approval for financial transactions above a set threshold
+- Train employees to recognize urgency and secrecy as common BEC red flags
+- Use email authentication standards (SPF, DKIM, DMARC) to reduce spoofed emails reaching inboxes

_explained/cia-triad.md

@@ -0,0 +1,30 @@
+---
+layout: page
+title: The CIA Triad
+description: What is the CIA Triad in cybersecurity?
+img: assets/img/projects/cia-triad.png
+category: explained
+topic_type: concepts
+icon: triangle
+---
+
+## 🔺 What Is the CIA Triad?
+
+The CIA Triad is the foundational model of cybersecurity, built around three core principles: Confidentiality, Integrity, and Availability. Confidentiality means keeping information private and accessible only to those who are authorized to see it. Integrity means ensuring that data is accurate and has not been tampered with or altered without authorization. Availability means making sure that systems and data are accessible and functional when legitimate users need them. Nearly every security control, policy, or tool in existence is designed to protect one or more of these three properties.
+
+---
+
+### 🧪 Real-World Example
+
+A hospital's patient records system must be confidential — only authorized staff can view patient data. It must have integrity — a nurse needs to trust that a medication dosage in the record has not been changed by anyone unauthorized. And it must be available — if a ransomware attack locks the system down during an emergency, lives could be at risk. A security breach can attack any or all three of these properties at once.
+
+---
+
+### ✅ Key Takeaways
+
+- Confidentiality protects data from unauthorized access — enforced through encryption and access controls.
+- Integrity ensures data is accurate and unaltered — enforced through hashing, audit logs, and checksums.
+- Availability ensures systems are up and accessible — protected by backups, redundancy, and DDoS mitigation.
+- Most cyberattacks target at least one leg of the triad: data theft breaks confidentiality, tampering breaks integrity, ransomware breaks availability.
+- The CIA Triad is used to evaluate risks, design systems, and assess the impact of security incidents.
+- Understanding the triad helps organizations prioritize what they are protecting and why.

_explained/credential-stuffing.md

@@ -0,0 +1,30 @@
+---
+layout: page
+title: Credential Stuffing
+description: What is credential stuffing?
+img: assets/img/projects/credential-stuffing.png
+category: explained
+topic_type: threat
+icon: lock-open
+---
+
+## 🔓 What Is Credential Stuffing?
+
+**Credential stuffing** is an automated attack in which criminals use large lists of stolen usernames and passwords — obtained from previous data breaches — to try logging into other websites and services. Because many people reuse the same password across multiple accounts, attackers rely on the fact that credentials leaked from one site will also work on others. Automated tools can test millions of username-password pairs against hundreds of websites in a very short time. If even a small percentage of attempts succeed, the attacker gains access to banking, email, shopping, or social media accounts. Credential stuffing is distinct from brute-force attacks: instead of guessing random passwords, attackers use real credentials that are already known to work somewhere.
+
+---
+
+### 🧪 Real-World Example
+
+> A large gaming platform suffers a data breach, and the stolen logins are posted on a hacking forum. Attackers run those same email-and-password combinations against a popular online retailer. Thousands of accounts are compromised within hours — not because the retailer was hacked, but because users had reused the same passwords.
+
+---
+
+### 🛡️ How to Protect Yourself
+
+- Use a unique, strong password for every account — never reuse passwords across sites
+- Use a password manager to generate and store complex passwords without needing to memorize them
+- Enable multi-factor authentication (MFA) on every account that supports it
+- Check sites like HaveIBeenPwned.com to find out if your credentials have appeared in a known breach
+- Change passwords immediately for any account associated with a breached service
+- Watch for unexpected login notifications or activity alerts from your accounts

_explained/cve-cvss.md

@@ -0,0 +1,30 @@
+---
+layout: page
+title: CVE & CVSS Scoring
+description: What are CVEs and CVSS scores?
+img: assets/img/projects/cve-cvss.png
+category: explained
+topic_type: concepts
+icon: bug
+---
+
+## 🐛 What Are CVEs and CVSS Scores?
+
+A CVE (Common Vulnerabilities and Exposures) is a standardized identifier assigned to a publicly known security vulnerability in software or hardware. Each CVE gets a unique ID — like CVE-2021-44228 (the critical Log4Shell vulnerability) — so that security researchers, vendors, and defenders can all reference the same flaw without confusion. A CVSS (Common Vulnerability Scoring System) score is a numerical rating, from 0.0 to 10.0, that measures how severe a vulnerability is. The score takes into account factors like how easy the flaw is to exploit, whether it requires authentication, and how much damage it can cause. Together, CVEs and CVSS scores help organizations prioritize which vulnerabilities to fix first.
+
+---
+
+### 🧪 Real-World Example
+
+A security researcher discovers a bug in a popular web server software that allows remote code execution without any login. It gets assigned a CVE ID and a CVSS score of 9.8 out of 10 — critical. Your security team sees the alert, searches your environment for the affected software, and patches it within hours. Without this standardized system, the same vulnerability might be described a dozen different ways across different reports, causing dangerous delays.
+
+---
+
+### ✅ Key Takeaways
+
+- CVEs are unique identifiers for known vulnerabilities, managed by MITRE and published in the National Vulnerability Database (NVD).
+- CVSS scores range from 0.0 (none) to 10.0 (critical) and help teams prioritize patching.
+- A score of 7.0 or higher is generally considered high or critical severity.
+- CVSS scores measure exploitability, impact on confidentiality, integrity, and availability, and other factors.
+- Not every high-scoring CVE is equally dangerous in your environment — context and exposure matter.
+- Tools like EPSS (Exploit Prediction Scoring System) complement CVSS by estimating the likelihood a vulnerability will actually be exploited.

_explained/dark-web-monitoring.md

@@ -0,0 +1,30 @@
+---
+layout: page
+title: Dark Web Monitoring
+description: What is dark web monitoring?
+img: assets/img/projects/dark-web-monitoring.png
+category: explained
+topic_type: tools
+icon: eye
+---
+
+## 🕶️ What Is Dark Web Monitoring?
+
+The dark web is a part of the internet that is not indexed by standard search engines and requires special software — like the Tor browser — to access. It is frequently used by cybercriminals to buy and sell stolen data, including email addresses, passwords, credit card numbers, and Social Security numbers. Dark web monitoring is a service that continuously scans these hidden forums, marketplaces, and data dumps for your personal information. When a match is found, you receive an alert so you can take action — like changing a compromised password — before serious damage is done.
+
+---
+
+### 🧪 Real-World Example
+
+A company suffers a data breach and millions of customer credentials are stolen. Within days, those credentials appear for sale on a dark web marketplace. A dark web monitoring service detects your email address and password in that dump and immediately notifies you, giving you the chance to change your password and lock down your accounts before an attacker can use them.
+
+---
+
+### ✅ Key Takeaways
+
+- Dark web monitoring scans hidden online markets and forums for your personal data.
+- It does not remove your data from the dark web — it only alerts you that it has been found.
+- Common data found includes email/password pairs, credit card numbers, and identity information.
+- Many password managers and credit monitoring services now include dark web monitoring.
+- Receiving an alert means you should immediately change the affected password and enable MFA on that account.
+- Proactive monitoring gives you a head start before attackers can exploit stolen credentials.

_explained/deepfakes.md

@@ -0,0 +1,30 @@
+---
+layout: page
+title: Deepfakes & AI-Driven Attacks
+description: What are deepfakes and AI-driven attacks?
+img: assets/img/projects/deepfakes.png
+category: explained
+topic_type: threat
+icon: brain
+---
+
+## 🤖 What Are Deepfakes & AI-Driven Attacks?
+
+**Deepfakes** are hyper-realistic synthetic media — video, audio, or images — generated by artificial intelligence to make it appear that someone said or did something they never actually did. Beyond faked videos, AI is increasingly used to power a broader class of attacks: generating convincing phishing emails with perfect grammar, cloning someone's voice from just a few seconds of audio, and automating highly personalized social engineering at massive scale. These AI-driven techniques lower the barrier for attackers significantly — what once required skilled actors and expensive equipment can now be done in minutes with free or cheap tools. As the technology improves, distinguishing real from fake becomes harder for both humans and automated detection systems.
+
+---
+
+### 🧪 Real-World Example
+
+A company's CFO receives a video call from what appears to be the CEO, asking for an emergency wire transfer. The face and voice are convincing. The CFO approves the transfer — but the "CEO" was a deepfake generated by attackers who had studied publicly available videos and audio recordings. This type of attack has already resulted in multi-million dollar losses at real organizations.
+
+---
+
+### 🛡️ How to Protect Yourself
+
+- Establish out-of-band verification procedures for high-stakes requests — always confirm via a separate, known channel
+- Be skeptical of urgent video or voice requests involving money or sensitive data, even from familiar faces
+- Look for subtle signs of deepfake artifacts: unnatural blinking, lip-sync issues, or odd lighting around the face
+- Use a pre-agreed code word with colleagues or family for verifying identity in sensitive situations
+- Stay informed about AI-generated content and train your team to recognize new threat techniques
+- Report suspected deepfake fraud to your security team and relevant authorities immediately

_explained/emailspoofing.md

@@ -4,6 +4,8 @@ title: Email Spoofing
 description: What is email spoofing?
 img: assets/img/projects/emailspoofing.png
 category: explained
+topic_type: threat
+icon: mail-off
 ---
 
 ## ✉️ What Is Email Spoofing?