Recap

Substititioin cipher from last time:

Plain:    ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher:   QWERTYUIOPASDFGHJKLZXCVBNM

Ceasar cipher with shift of 3:

Plain:    ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher:   DEFGHIJKLMNOPQRSTUVWXYZABC

These are both examples of symmetric encryption: same key to encrypt & decrypt.

Transposition cipher: rearranging letters instead of changing them.
https://ninadtech.com/Route-Cipher-Online

Asymmetric Encryption Recap

• Uses two keys: public key (anyone can see) & private key (only you)
• Data encrypted with public key can only be decrypted with private key, and vice versa
• Common use cases:
  • Confidentiality: senders encrypt with recipient’s public key
  • Digital signatures: senders sign with their private key to prove authenticity

What is CIA in Security?

CIA in cybersecurity stands for:

• Confidentiality - Keeping sensitive information secret from unauthorized users
• Integrity - Ensuring data hasn't been tampered with or corrupted
• Availability - Making sure systems and data are accessible when needed

Not the Central Intelligence Agency!
These are the three pillars of information security
Every security decision should consider all three

The CIA Triad (not the spy agency)

• C - Confidentiality
• I - Integrity
• A - Availability

Think of it as:

"Only the right people, see the right data, in the right condition, at the right time."

CIA in Everyday Life

For each, think of a real-life example from your own world:

• Confidentiality - Who should never see your DMs or grades?
• Integrity - What would go wrong if your Venmo / bank balance was “slightly edited”?
• Availability - What breaks in your life if Wi-Fi dies during an exam / registration window?

Turn to a neighbor: which one (C, I, or A) stresses you out the most?

Matching Game: Asset → CIA Property

Which property is most critical (you can argue more than one)?

• Online banking
  • C / I / A ?
• University gradebook
  • C / I / A ?
• Instagram or TikTok
  • C / I / A ?
• Emergency alert system
  • C / I / A ?

Write your answers; we’ll argue as a class.

Breaking the Triangle - Quick Scenarios

For each scenario, which part of CIA is under attack?

1. Your grades page won’t load the night before applications are due.
2. Someone posts a fake screenshot of your DMs.
3. Your medical records are leaked on a public forum.

Bonus: which one would matter most to you personally?

Perfect Security Doesn't Exist

• You can usually improve one CIA corner only by sacrificing another:

  • More confidentiality → more annoying logins, captchas, 2FA.
  • More availability → maybe fewer checks, more caching, more risk.
  • Strong integrity checks → you can lock access so tightly that people make unofficial copies, and those copies lose integrity.

• Security is always a trade-off game, not a magical on/off switch.

You can encrypt data (C) but still allow bit flips if you don’t use authenticated encryption.

Security Attacks

Instead of memorizing terms, let’s think like this:

“If someone really wanted my info, what would they actually do first?”

We’ll map those ideas back to official names later.

Thought Experiment: The Nosy Neighbor

Purely hypothetical.

Your neighbor is obsessed with learning everything about you:

• Where you live on social, where you bank, what devices you use…

Questions for your table:

1. What info can they get without touching your devices at all?
2. What clues do you leave lying around: Wi-Fi name, packages, mail, socials?
3. What simple mistakes would make their job easier?

We’ll then flip this into defense strategies.

Flip It: Defending Against the Nosy Neighbor

Using your list from before:

• Which items are easy fixes?
  • (Ex: moving something off public Instagram, turning off location history)
• Which require a bit more work?
  • (Ex: password manager, 2FA, cleaning up old accounts)
• Which ones you probably won’t fix, and why? (real-world trade-offs!)

Attack Type: Password Guessing (Brute Force-ish)

Imagine an attacker who:

• Knows your name, pet, favorite team, and birthday.
• Can try a limited number of logins before lockout.

Discuss:

1. List 3 passwords they’d probably try on you.
2. Now design one password that would totally disappoint them.
3. What makes that password harder to guess than the others?

Then we’ll connect this to “password guessing” / brute force attacks.

2FA - Annoying, but Powerful

You’ve seen this pattern:

• Something you know: password / PIN
• Something you have: phone, security key
• Sometimes something you are: fingerprint, face

Questions:

1. Why does 2FA stop most password-guessing attacks cold?
2. What’s the most annoying 2FA moment you’ve had?
3. When would you absolutely enable 2FA? (name 2-3 accounts)

Social Engineering: Hacking the Human

Attack goal: convince you to do something unsafe.

Table brainstorm (no real names):

• A "story" an attacker might use over the phone or email to:
  • Get you to read out a code,
  • Install an app,
  • Or reveal personal info.
• What tiny detail would make that story feel extra believable?

We’ll label these later as phishing, spear phishing, etc.

Phishing vs. Spear Phishing

Given these two emails:

1. Dear Customer, your account has a problem. Click here.
2. Hi <your name>, this is IT from <your university>. We saw strange activity on your UAlbany account…

Questions:

• Which one feels like generic phishing?
• Which feels like spear phishing (targeted)?
• What clues would you check before clicking anything?

Malware: The Digital Disease

Code that bypasses authorization.

The Setup

• "Hey, download this app to get free Spotify Premium!"

• You install it. It works. But in the background, it's mining crypto.

• What is this?

• A Trojan Horse.

Malware & Friends - Name That Attack

Imagine these situations:

1. You install a “Free PDF merger” → it secretly mines crypto on your laptop.
2. A program silently spreads to every computer on the dorm network.
3. A piece of code waits until finals week to wipe files.

For each, guess:

• Is this closer to a virus, worm, Trojan, or logic bomb?
• What could have stopped it: antivirus, OS updates, app store, user caution?

(Official definitions on the next slide if we’re still arguing.)

Other Common Attacks - Quick Fire Round

For each name, try to give a 1-sentence description in plain English:

• Spoofing
• Backdoor
• Buffer overflow
• Denial of Service (DoS)
• Man-in-the-Middle

Then: which one sounds the scariest to you, and why?

Bringing It Back to CIA

For each attack type we’ve seen, ask:

• Does it mostly break:
  • Confidentiality (secret data leaked),
  • Integrity (data changed / corrupted),
  • or Availability (system down / unusable)?
• Many real attacks hit more than one corner of the triangle.

Wrap-Up

• Security isn’t just “hackers in hoodies” - it’s small, everyday decisions.
• The CIA triad is the mental model behind those decisions.
• Attack names (phishing, worms, Trojans, etc.) are just labels for:
  • “How could someone realistically go after me?”
  • “What simple steps would make that much harder?”

Homework-ish thought:

If someone really wanted your data, what is the single easiest mistake of yours they’d exploit first?