Intro to Cybersecurity

Garen Ikezian

Categories: Cybersecurity

This article explains the general idea of cybersecurity. It is a collection of notes I have gathered online and is freely available to read. I recommend reading through my OSI layer 1-2 and 3-4 articles to get a better grasp of networking terminology.

Terminology:

  • Cybersecurity: The study of information security policy. It is the way to protect people from harmful attacks online.
  • Authorization: The process of verifying what a person has access to.
  • Authentication: The process of verifying the person's identity.
  • Cyberspace: An environment where anything digital takes place. It is a word that serves as a contrast to "in real life". We use "internet" to represent ourselves in "cyberspace".
  • Internet: A service provided by Internet Service Providers that involves the use of the TCP/IP protocol suite. We use "internet" to stay online in the "cyberspace".
  • Vulnerability: A flaw in a system that could be exploited to compromise the system.
  • Zero-day Vulnerability: A flaw in a system not known to software developers but known to attackers (e.g. STUXNET and Log4Shell).
  • Exploit: Software used to take advantage of a security bug or vulnerability in a system.
  • Malware: "Bad" software running on a computer for malicious purposes. Examples include viruses, trojans, ransomware, worms, rootkits etc.
  • Access Point: A hardware networking device that allows other Wi-Fi devices to connect to a wired or wireless network (like a home router).
  • Default Gateway: The portal of a Local Area Network through which internet traffic arrives.

Introduction

CIA Triad

In the world of cybersecurity, it is important to contain information within reasonable limits on the internet.

There are three ways to ensure this:

  • Confidentiality: Only a specific group or person is authorized for data access (e.g. using a password or biometrics).
  • Integrity: Keeping data accurate and not compromised or tampered with. It must remain trustworthy and unchanged unless modified by authorized users.
  • Availability: Data is readily accessible for public or private use.

Together, they form what is called the "CIA triad". It is the guiding model for designing information security policies.

Cybersecurity Frameworks

As computer security needs were becoming more demanding in the early days of computing, it became necessary to report and share incident findings via a standard framework.

One of the most popular is a study made by Lockheed Martin Corporation to find definite patterns of malware penetrating a computer or system. They formulated a model, and the Cyber Kill Chain was created for referential use.

Cyber Kill Chain (CKC) is a strategic framework that provides a systematic approach to understanding and mitigating cyber threats:

Note: This model is not the sole standard way to track down the stages of a cyberattack. It is only there as a reference and assumes the attacks are linear (they often loop, skip, or overlap stages).

  1. Reconnaissance: Find/recognize the target ("casing the joint")
  2. Weaponization: Create a malicious payload (code) exploiting a known vulnerability.
  3. Delivery: Transmit the weapon to the target (e.g., email attachment, malicious link, USB drive).
  4. Exploitation: Trigger the malicious code to take advantage of the vulnerability.
  5. Installation: Install malware or a backdoor on the compromised system.
  6. Command and Control: Establish communication between the compromised system and the attacker.
  7. Action on Objectives: Carry out the attacker’s goals (data theft, sabotage, etc.).

This is just one of the many frameworks. Other popular frameworks include:

We are not going to focus on these frameworks in detail as they are beyond the scope for an introductory cybersecurity article. It's good however to be aware of their existence.

The Three Types of Software

When users start interacting with computers and the internet, they may notice three different types of software: goodware, grayware, and malware.

| Type | Characteristics | Examples |
| --- | --- | --- |
| Goodware | Obtained from trustworthy source | Official OS updates or vendor-signed programs |
| Grayware | Software that is not outright malicious but may have unwanted features | Potentially unwanted programs (PUAs), bloatware, adware, spyware |
| Malware | Software that is made to cause harm to its recipient | Virus, Trojan, Worm |

Note: You may find "spyware", "adware", and "trackware" in the "grayware" category. Depending on the true intent of the hacker or developer, both "adware" and "spyware" are often malicious by nature. Therefore, it's better to consider them as "malware" instead.

Hats

The word "hacker" is often misunderstood. Although it colloquially implies a bad actor in cyberspace, it is more nuanced.

As we see in this picture, every type of hacker has different responsibilities. The colours for ethics are "white", "gray", and "black":

  • Black: Hackers that commit illegal acts ("the bad guy"). e.g. steal personal information/money, destroy IT infrastructure, commit fraud etc.
  • Gray: Hackers that commit illegal acts but without malicious intent. e.g. exploit security flaws without permission, but report them afterward.
  • White: Hackers that commit legal and ethical acts ("the good guy"). e.g. They are altruistic and care about people's privacy and dignity.

Specialized hackers include:

  • Red: Hackers that specialize in offensive security.
    • They're often perceived as people who simulate or commit aggressive attacks for ideological purposes. They also prevent and punish crimes without a police warrant. (Hence, "vigilantes").
    • Groups infamous for red hat hacking include Anonymous, SiegedSec, and others.
  • Blue:
    • Hackers that specialize in defensive security.
      • They are recruited by companies to defend IT infrastructure with the sole purpose of protecting, patching, monitoring etc.
    • OR... Hackers that seek vengeance for retribution.
      • They are disgruntled people that believe their target is in the wrong. They do not do it for money; they do it out of spite to enact personal retribution or social justice.
  • Purple: Hackers that self-teach and experiment with their IT infrastructure.
    • They like to combine the best of blue and red hat hacking techniques to push the limits of IT security.
  • Green: Hackers that are relatively new to the field of cybersecurity. They are committed to learn and improve their IT skills.
  • Script Kiddies: Hackers that do not like to learn. They just want to find shortcuts to commit malicious acts.

Attack Indicators

Computer hackers make the world either a safe or dangerous place. The least ethical hackers create software known as "malware".

Malware: A type of program made by bad actors designed to cause harm or exploit computer systems or devices. It is a portmanteau of "malicious software".

For attackers to achieve their objectives, it will always require "social engineering".

Social Engineering: It is the use of psychological influence to get people to perform actions that serve a bad intent. Examples include a fake look-alike of a banking website, a corporate email, adware, etc. Lying, eavesdropping, deceiving, and tailgating (following someone closely) are all considered social engineering, both online and offline.

Malware is categorized by its penetration (infection) and payload (behaviour). It can do one or multiple things: overwrite system files, damage booting processes, encrypt sensitive files, steal personal information, etc.

Hackers usually build malware that combines some or all of the characteristics above, drawing on the categories that follow.

Important: Cybersecurity textbooks or articles like to describe how there are different "types" of malware. The thing is, a certain malicious program can be a virus (by penetration), a trojan (by payload), and spyware (by payload) all in one. It is very common to find overlapping features based on how malware penetrates systems, how it hides, and how it behaves. It is better to think of the following list as labels or functions rather than mutually exclusive "types".

The three main categories are:

  • Virus: Malware that replicates itself by infecting an executable file.
    • It almost always attaches itself to an executable file.
    • It requires the user or a host program to trigger it.
  • Worms: Malware that can self-replicate on its own.
    • Like viruses, it also spreads itself to other computers.
    • Unlike a virus, it does not involve user interaction at all.
  • Trojans (a.k.a Trojan Horse): Malware that misleads users about its true intent.
    • Stand-alone malware disguised as legitimate software that acts as a cover for hidden actions.
    • Unlike viruses and worms, they do not self-replicate.

This table gives a clearer picture:

| Parameter | Virus | Worms | Trojans |
| --- | --- | --- | --- |
| Main target | Attacks the files in the system | Attacks the systems in a network | Attacks the users in a system |
| Replication | Yes | Yes | No |
| User Interaction | Yes | No | Yes |
| Reproducibility | Reproduce by infecting other files | Reproduce by itself | None |
| Impact/Payload | File corruption, system instability | Network slowdown, system crash, delivery of other malware (Trojan) | Stealing data, providing Remote Access Trojan (RAT), or delivering ransomware |

A few more examples include:

  • Spyware: Malware that strictly spies on people. It includes keylogging, unauthorized camera/microphone access, logging activities, location tracking etc.
  • Rootkit: Malware specifically designed to corrupt operating system functionality.
  • RAT (Remote-access Trojan): A more sophisticated trojan that enables attackers to establish a covert/hidden communication channel (backdoor) for complete unauthorized computer access.
  • Adware: Malware/Grayware that presents unwanted ads. It can be in the form of too many irritating pop-up windows.
  • Ransomware: Malware that encrypts user data and extracts ransom from the user. If the ransom is not met, the computer becomes compromised.

Other programs involving malware include:

  • Keylogger: Logs all the keystrokes users enter with their keyboards.
  • Bot: A software application that automatically performs one or multiple tasks. Bots that are distributed on the network form a botnet (portmanteau of "bot" and "net").
  • Logic bomb: A set of instructions in a program that carries malware (i.e. malware or worm) only after certain conditions are met.

Attack Techniques

Beyond malware infections, hackers achieve the same objective by using techniques that exploit vulnerable networking protocols or deceive users.

Networking Attacks

In this section, we'll categorize three major attack types based on the CIA Triad (Confidentiality, Integrity, and Availability).

| Attack Type | Target: Confidentiality | Target: Integrity | Target: Availability |
| --- | --- | --- | --- |
| DDoS | Low | Low | High |
| MitM | High | Medium to High (if active), Low (if passive) | Low |
| SQL Injection | High | High | Medium |

Note:

  • MitM has an interesting place for Integrity. Depending on the attack, it can either be passive or active. If passive, hackers only read data. If active, hackers can read AND potentially modify packet flow, corrupting networking/system integrity in the process.
  • It is important to highlight that such attacks are deeply woven together. By combining various techniques, a single attack can practically violate all three pillars: compromising confidentiality, altering integrity, and disrupting availability.

We'll start with DoS:

DoS and DDoS Attack

DoS (denial-of-service) and DDoS (distributed denial-of-service) are attacks that both seek to make a machine or network unavailable to its intended users.

The core difference between DoS and DDoS is the number of systems attacking.

A DoS (Denial of Service) attack comes from one computer.

A DDoS (Distributed Denial of Service) attack uses many computers to flood the target. The attacker breaks into multiple computers ("agents") and installs secret programs (malware). This setup allows the attacker to become the "master" of a large fleet. With just a few simple commands, they can instantly order all the compromised computers to launch a much bigger and wider attack.

Here is an image to illustrate:

DDoS attacks

Man in the Middle (MitM) Attacks

Man in the Middle Attack

A Man (or Meddler) in the Middle (MitM) (a.k.a On-Path Attack) is a cyberattack that involves the attacker secretly intercepting and relaying communication between two directly connected hosts. The attacker can monitor, capture and modify data exchanged between the two hosts.

Its primary objective is to violate confidentiality (eavesdropping, stealing credentials etc.). If the attack is not passive, the attacker can modify information flowing through the network.

MitM can involve the following methods:

Note: The words "spoofing" and "poisoning" might be colloquially used interchangeably. It is more precise to see "spoofing" as the action and "poisoning" as the result.

  • Rogue Access Points: Attackers create passwordless Wi-Fi access points with names similar to legitimate ones. If victims unwittingly connect to these, all their online traffic will pass through the attackers' device.
  • ARP poisoning (ARP Spoofing): Attackers broadcast over the local network the mapping between the IP address of a legitimate device and the MAC address of their own device. This is possible only when the perpetrators have access to the victim's local network.
  • DNS Cache poisoning (DNS Spoofing): Occurs by changing or corrupting entries in a DNS cache (e.g. any device with a DNS cache like on a router, a personal computer, or a DNS server). The end result is the user being directed to a malicious copy of a website that is indistinguishable from the original.
  • IP Poisoning (IP Spoofing): Occurs when an attacker disguises themselves as a legitimate user by having their IP packets bypass IP authentication.

We will go through each one:

Rogue Access Points

Rogue Access Point

A Rogue Access Point is a wireless access point (AP) installed on a secure network without the knowledge of the system administrator (unless it's deliberately there for testing reasons). It may be a standalone hardware device like an AP connected to a switch, a router or any networking device. It can also be a software-based AP ("evil twin") that imitates a legitimate AP.

If ignored, the consequences are:

  • It provides a wireless backdoor into the network for outsiders.
  • It bypasses the network firewalls and other security devices.

It can involve:

  • Direct Rogue AP connection: The attacker plugs customized hardware (an Access Point) into a network to provide a persistent wireless backdoor that bypasses all security controls and gives access to internal resources.
    • Example: It's like someone entering a bank through a side door that isn't supposed to open. Instead of flowing along the right route, network traffic is misrouted but then reverts back to its destination (an effective MitM attack).
  • Evil Twin: It is a type of rogue AP. Its purpose is to imitate an access point by jamming any legitimate wireless signals or using repeaters in order to effectively trick users into connecting to the attacker's network instead of the real one.
    • Example: If a person with a laptop at Starbucks would like to connect to public internet, they may see what appears to be a legitimate SSID (the AP's name, like "Starbucks Wi-Fi") and connect to it, not knowing that it is fake.

ARP Poisoning

It is a Layer 2 attack that tampers with MAC addressing.

ARP poisoning

If the attacker has access to the local area network, they can broadcast ARP messages to associate the attacker's MAC address with the IP address of the default gateway (or any routing devices). This allows the attacker to intercept and control all local network traffic between users and the internet.

As shown in the picture above, instead of traffic flowing through hub/switch's ARP cache, it is flowing through the attacker's ARP cache. This can give the attacker control of all Layer 2 operations.

  1. Identify the target: The attacker identifies the IP and MAC addresses of the target host (victim) and the Default Gateway (router).
  2. Poison the target: The attacker sends forged ARP replies to the target host, falsely claiming the attacker's MAC belongs to the Gateway's IP.
  3. Poison the gateway: The attacker sends forged ARP replies to the default gateway, falsely claiming the attacker's MAC belongs to the target host's IP.
  4. Traffic interception: With both ARP caches updated, the attacker is now the Man-in-the-Middle (MitM). All traffic flows through the attacker's machine.
  5. Eavesdropping and forwarding: The attacker captures and analyzes the intercepted packets (e.g. using Wireshark) and then forwards the traffic to the legitimate destination to keep the connection alive.
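
Seen from the defender's side, steps 2 and 3 leave a recognizable trace: the gateway's IP suddenly maps to a different MAC, and one MAC starts answering for several IPs. The following Python example is added here and is not part of the original article; the addresses, the sample ARP replies and the function name `detect_arp_anomalies` are constructed for illustration.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed default gateway of the sample LAN

# Constructed sample: (seconds, sender IP, sender MAC) as read from ARP replies.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),    # real gateway
    (1.0, "192.168.1.20", "bb:bb:bb:bb:bb:20"),   # real workstation
    (2.0, "192.168.1.30", "cc:cc:cc:cc:cc:30"),   # host that later misbehaves
    (10.0, "192.168.1.1", "cc:cc:cc:cc:cc:30"),   # forged: gateway IP, wrong MAC
    (10.1, "192.168.1.20", "cc:cc:cc:cc:cc:30"),  # forged: workstation IP, same MAC
    (11.0, "192.168.1.1", "cc:cc:cc:cc:cc:30"),   # repeat of an earlier forgery
]


def detect_arp_anomalies(replies, gateway_ip):
    """Return alerts for IP-to-MAC bindings that change or overlap."""
    baseline = {}               # ip -> first MAC observed for that IP
    claimed = defaultdict(set)  # mac -> every IP that MAC has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = baseline.setdefault(ip, mac)
        if ip in claimed[mac]:
            continue  # this exact (ip, mac) pair was already evaluated
        claimed[mac].add(ip)
        if mac != known:
            # The binding learned first no longer matches what is announced.
            kind = "GATEWAY_MAC_CHANGED" if ip == gateway_ip else "IP_MAC_CHANGED"
            alerts.append({"time": ts, "kind": kind, "ip": ip,
                           "expected_mac": known, "seen_mac": mac})
        if len(claimed[mac]) > 1:
            # One interface answering for several IPs is what steps 2 and 3 produce.
            alerts.append({"time": ts, "kind": "MAC_CLAIMS_MULTIPLE_IPS",
                           "mac": mac, "ips": sorted(claimed[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES, GATEWAY_IP):
        print(alert)
```

Legitimate events, such as a DHCP lease moving to a new device or a router answering for several IPs, raise the same alerts, so a real deployment needs an allow-list for those hosts.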

DNS Cache Poisoning

DNS Poisoning

Note: It goes by various names: "DNS hijacking", "DNS (cache) poisoning", or "DNS redirection".

DNS cache poisoning is a cyberattack that tricks the computer into accepting a fake DNS record. It works by modifying the name resolution of a genuine URL to point the user into a compromised DNS server. If this happens in a business setting, it can affect multiple networks at a large scale.

So, if the user tries to access a legitimate site, it will redirect to a fake version of the said site (the user still sees google.com even when hovering on it, but it still redirects to the fake version due to DNS name resolution). The attacker can then attempt to steal personal information (spyware) and can also infect the computer via user installation with a trojan or a virus.

  1. Inject DNS Cache: The attacker injects a fake DNS entry. This will make the target's IP address be associated with the IP address of the attacker's fake server.
  2. Initiate legitimate request: User issues a request (HTTP GET) to a legitimate website by typing the URL. This will require DNS lookup which has already been compromised.
  3. Request resolution redirection: Request resolves to a fake website.
  4. Malicious Payload Delivery: "Spoof" the user and compromise their computer with social engineering.

IP Poisoning

IP Poisoning

IP spoofing is the creation of internet protocol (IP) packets with a false source IP address. Its main purpose is to impersonate a different user in the network.

If we use the above image as an example:

The attacker (1.1.1.1) wants to flood a victim (3.3.3.3) while hiding.

  1. The Attacker's Deception: The attacker (1.1.1.1) sends a packet to the server (2.2.2.2). The attacker falsifies the source IP address in that packet, setting it to the victim's address (3.3.3.3).

  2. The Server's Reaction: The server (2.2.2.2) believes the request actually came from 3.3.3.3.

  3. Traffic Misdirection: When the server (2.2.2.2) sends its reply or answer, it sends it back to the address it saw in the source field: 3.3.3.3.

  4. The Victim is Flooded: If the attacker does this repeatedly, using many servers like 2.2.2.2, all of those servers' replies are directed to the single, innocent victim at 3.3.3.3. This will cause a flood and the trusted host becomes the target of a DDoS attack.

Social Engineering (SE) Attacks

Phishing is deception designed to impersonate or trick users into submitting data for malicious use (harvest info or spread malware).

The most famous of SE attacks is phishing, and it comes in many forms:

URL Spoofing

URL spoofing is an attack that requires heavy social engineering. It is the redirection of a genuine site to a fraudulent look-alike designed to steal sensitive data or install malware. It can be considered MITM only if the attacker acts as the intermediary between the user and the legitimate server.

It is similar to DNS poisoning, but it does not involve any DNS cache change. A hacker will only create a fraudulent website and a deceptive link which serves the same purpose as DNS spoofing.

It can come in many ways:

  • Misleading Unicode characters (Homograph attacks): Attackers register domain names with characters from other alphabets that look almost identical to ASCII characters (Cyrillic "а" vs. Latin "a") or use puny-encoded domains (xn--...) that visually display like a trusted domain.
  • Very long URLs (URL Padding/obfuscation): Long URLs include the legitimate brand early in the string but bury the rest (e.g. https://www.google.com.attacker.com/). This is especially common for devices with small screens that truncate the full URL, making it appear legitimate even though it belongs to the attacker.
  • Typosquatting: Users who mistype a URL (goggle.com instead of google.com) may land on these pages and be prompted to enter credentials or download malware.
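
A link checker can test for all three tricks before a user ever sees the page. The following Python example is added here and is not part of the original article; the allow-list, the flag names, the small look-alike table and the "last two labels" shortcut for the registrable domain are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

TRUSTED = {"google.com"}  # assumed allow-list of domains the user expects

# Small illustrative subset of Cyrillic look-alikes (not Unicode's full
# confusables data).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})

# Constructed sample: "google" with two Cyrillic "o" letters, in xn-- form.
PUNY_HOST = "xn--" + "g\u043e\u043egle".encode("punycode").decode("ascii") + ".com"


def decode_label(label):
    """Turn an xn-- (punycode) label back into the characters it displays as."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def scripts(label):
    """Scripts (LATIN, CYRILLIC, ...) used by the letters of one label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url, trusted=TRUSTED):
    """Return the set of spoofing indicators found in the URL's host name."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    raw_labels = host.split(".")
    # Simplification: the last two labels stand in for the registrable domain
    # (a production check would consult the Public Suffix List).
    if ".".join(raw_labels[-2:]) in trusted:
        return set()
    labels = [decode_label(label) for label in raw_labels]
    registrable = ".".join(labels[-2:])
    flags = set()
    if any(label.startswith("xn--") for label in raw_labels):
        flags.add("PUNYCODE")
    if any(len(scripts(label)) > 1 for label in labels):
        flags.add("MIXED_SCRIPT")
    skeleton = registrable.translate(CONFUSABLES)
    if skeleton != registrable and skeleton in trusted:
        flags.add("HOMOGRAPH")
    dotted = "." + ".".join(labels) + "."
    if any("." + name + "." in dotted for name in trusted):
        flags.add("BRAND_IN_SUBDOMAIN")  # trusted name buried left of the real domain
    if registrable.isascii() and any(
            0 < edit_distance(registrable, name) <= 2 for name in trusted):
        flags.add("TYPOSQUAT")
    return flags


if __name__ == "__main__":
    for url in ("https://www.google.com/search?q=x",
                "https://www.google.com.attacker.com/",
                "https://goggle.com/login",
                "https://g\u043e\u043egle.com/",
                "https://" + PUNY_HOST + "/"):
        print(sorted(inspect_url(url)), url.encode("ascii", "backslashreplace").decode())
```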

Cryptology

If the buns of a burger are the infrastructure, the patty is the cryptology.

Even though there is a lot to unpack, here are concise definitions of all relevant topics to cover:

Cryptology: It is the study of secure communication (codes).

Cryptography: A subset of Cryptology. It is the art of creating and encrypting data.

Cryptanalysis: Another subset of cryptology. It is the art of deciphering and decoding encrypted data (without being told the key).

Steganography: Similar to cryptography, but it does not encode information. It hides it instead.

Now with that out of the way, we'll start talking about cryptography.

Cryptography

Cryptography requires encryption. With encryption, there are unlimited ways to conceal text from adversaries. From Caesar cipher to Zodiac letters, and from Enigma machines to Quantum encryption, they all have one thing in common: ciphers.

There are four things to take note of here. We have ciphertext, plaintext, key, and cipher. Here is a basic illustration of the process:

Simple Cryptography Demo

Out of these four, there are two main ones:

  • Cipher (or cypher): The algorithm to encrypt data. Its objective is to turn plaintext into ciphertext.
  • Key: It is used alongside the cipher. This makes data accessible only to those who obtain it.

Here's an analogy:

Cipher = lock design

Key = the actual key that opens that specific lock.

General applications that require ciphers include browsing, cloud storage, and VPNs. Insecure and secure protocols like telnet vs SSH or application-level internet connectivity like HTTP vs HTTPS (via TLS) are a few common practical examples.

Historically, ciphers were simple to use and easy to break. Breaking them relied heavily on word analysis and linguistic patterns. But over time, they became harder to crack with advanced mathematical methods and heavy use of number theory, probability, statistics etc.

It depends on the choice of cipher and the key tied to it to perform a desired operation. In order to decide on what cipher to use, we can rely on two properties to determine their security strength: confusion and diffusion.

| Property | Description | Goal | Example |
| --- | --- | --- | --- |
| Confusion | Makes the relationship between the encryption key and the ciphertext as complex as possible. A single change in encryption key bit will affect many ciphertext bits. | Prevents attackers from deducing the key from the ciphertext. | Substitution: Replace a letter or block of substrings with a corresponding letter or substring. |
| Diffusion | Makes the relationship between the plaintext and the ciphertext as complex as possible. A single change in plaintext bit will affect many ciphertext bits. | Prevents attackers from spotting plaintext patterns. | Transposition (Permutation): Reorganize or rearrange letters based on a specific pattern or algorithm. |

At the end of the day, if data systems are not properly encrypted or do not meet the admin's objectives beforehand, the system becomes vulnerable to outside attacks. Because of this, security specialists need strong oversight and adaptability across multiple cryptographic algorithms for different applications. They will rely on a suite of algorithms working together called a "cryptosystem".

Cryptosystem: A suite of algorithms for key generation, encryption and decryption operations.

Several principles influence the design of cryptosystems, with one of the most recognized being Kerckhoffs’s Principle (summarized by Claude Shannon's maxim "the enemy knows the system"). This principle asserts that a cryptographic system should remain secure even when its design and algorithms are fully known to adversaries as long as the keys remain confidential.

Based on the CIA Triad, there are three key points for cryptography (we'll get into all these in the Encryption Methods chapter):

  • Confidentiality of data: Encryption algorithms like AES, ChaCha20, or RSA (for key exchange)
  • Integrity of information being sent and received: Via hashing (SHA-256, SHA-3) and HMAC (HMAC-SHA256, HMAC-SHA1)
  • Authentication (non-repudiation): Via digital signatures such as RSA-PSS, ECDSA, or EdDSA (Ed25519)

The two main types of cryptography include:

  • Symmetric Cryptography
  • Asymmetric Cryptography

Each of these has its ups and downs, but both are widely used.

Symmetric Cryptography

When both parties use the same key to encrypt and decrypt messages, it is referred to as symmetric encryption.

Symmetric Cryptography

In this image, we can see both sides use the same key to encrypt and decrypt (hence, "symmetric"). There are a couple of steps it has to follow:

  1. Generate the key: Generate a private key for both parties. This is done with a good pseudorandom number generator (depending on how the program is coded, it will use OS or programming language features, e.g. /dev/random in Linux or os.urandom() in Python). If the key derives from a password (like when signing in to an account), a Key Derivation Algorithm (KDA) is used (the most popular ones are PBKDF2HMAC or HKDF).
  2. Encrypt the data: Now that we have the private key, the software will start encrypting and converting plaintext into ciphertext by using an encryption algorithm like AES (Advanced Encryption Standard) or DES (Data Encryption Standard). As of writing this article, AES-256 is the standard.
  3. Transfer the ciphertext: We use TLS (formerly known as SSL) to establish a secure channel for the transfer of the private key and the ciphertext. Under it, a key-exchange protocol will be used (e.g. Diffie-Hellman (DH) or RSA key exchange, both of which do asymmetric cryptography) in order to ensure integrity for the TLS channel.
  4. Decryption: By this point, both the host and the receiver have the same key. They are prepared to decrypt the ciphertext with the corresponding decryption algorithm.

Notes:

  • Both DES and 3DES (Triple DES) are obsolete (NIST made the announcement to stop the usage by 2017). I mentioned both DES and 3DES because AES was not the only one.
  • TLS is the successor of SSL (TLS 1.0 was actually SSL 3.1). The reason why both SSL and TLS are conjoined together as "SSL/TLS" is because SSL was made at a time when Netscape browsers were the norm. As soon as Microsoft Explorer overtook the market, Microsoft and Netscape made a deal to have SSL be taken over by IETF. It was also agreed to have the name changed to TLS upon Microsoft's request. Even then, a lot of people referred to it as "SSL" and not "TLS" (old habits don't die). To make up for this confusion, you may find websites that mention the name "SSL/TLS" instead (nodding to the legacy of TLS).
  • Asymmetric encryption is used to set up key exchange in order to enable symmetric encryption between two hosts. Instead of having the public key being transferred on an insecure channel, the public key will already be known to both hosts by the time the computations are done.
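
Step 1 and the integrity point from the CIA list above can be shown with Python's standard library alone. The following example is added here and is not part of the original article; it covers key generation, password-based key derivation and HMAC-SHA256 tamper detection (the AES step is left to a cryptography library), and the iteration count, the sample password, the sample message and the function names are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware
TAG_LEN = 32                 # HMAC-SHA256 output size in bytes


def new_random_key(length=32):
    """Step 1 without a password: a 256-bit key straight from the OS CSPRNG."""
    return os.urandom(length)


def derive_key(password, salt, length=32):
    """Step 1 with a password: stretch it into a key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=length)


def protect(key, message):
    """Append an HMAC-SHA256 tag so the receiver can detect modification."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify(key, blob):
    """Return the message if its tag checks out under this key, else None."""
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the comparison itself does not
    # leak how many leading bytes of a forged tag were correct.
    return message if hmac.compare_digest(tag, expected) else None


def demo():
    """Both parties derive the same key from the same password and salt."""
    salt = os.urandom(16)  # not secret; stored or sent next to the data
    sender_key = derive_key("correct horse battery staple", salt)
    receiver_key = derive_key("correct horse battery staple", salt)
    wrong_key = derive_key("Correct horse battery staple", salt)  # one letter off
    blob = protect(sender_key, b"transfer 100 to account 42")
    tampered = blob.replace(b"100", b"900")
    return {
        "same_password_same_key": sender_key == receiver_key,
        "accepted": verify(receiver_key, blob),
        "tampered": verify(receiver_key, tampered),
        "wrong_password": verify(wrong_key, blob),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```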

Asymmetric Cryptography

In Asymmetric encryption (a.k.a "public-key cryptography"), different keys are used.

When both parties use different keys to encrypt and decrypt messages, it is referred to as asymmetric encryption. Each party has a pair of a public key and a private key.

In these pictures, we see Bob sending a secure message to Alice and vice versa.

  • If Bob wants to send a message to Alice:
    • Bob needs his private key for signing (if used) and Alice's public key for encryption. Alice needs her private key for decryption and Bob's public key for verification (if used). Both need to know the other party's public key.
Asymmetric Cryptography From Bob to Alice
  • If Alice wants to send a message to Bob:
    • Alice needs her private key for signing (if used) and Bob's public key for encryption. Bob needs his private key for decryption and Alice's public key for verification (if used). Both need to know the other party's public key.
Asymmetric Cryptography from Alice to Bob
  • Public keys: They are used to encrypt plaintext and verify digital signature. They can be freely distributed or shared.
  • Private keys: They are used to decrypt ciphertext and create digital signatures. To ensure security, they must not be shared.

Two important points for private keys:

  • If the wrong private key is used, the ciphertext cannot be decrypted.
  • If the private key is sent to anyone, anyone can impersonate the owner of the said key.

I have found an excellent video lecture by Ross Bagurdes. In it, he perfectly describes how the key exchange works to start up symmetric encryption. I can't recommend it enough:

Although it is not as fast as symmetric cryptography, it eliminates the need for a secure key exchange between two parties and provides better use of Confidentiality and Integrity. This is effectively done through the use of digital signatures and encryption schemes that ensure messages remain confidential while preventing any unauthorized modification.

Common Asymmetric algorithms:

  • Rivest-Shamir-Adleman (RSA)
  • Elliptic Curve Cryptography (ECC)
  • Digital Signature Algorithm (DSA)

Encryption Methods

There are different methods to encrypt a message. One type of encryption is called Substitution Cipher and the other is Permutation Cipher (ciphers can have both).

  • Substitution Cipher: It uses a substitution table ("key") to replace plaintext elements (bits, letters, or blocks) with ciphertext elements or vice versa. If the adversary does not have access to the substitution table, they will not be able to decrypt it.

  • Permutation (or Transposition) Cipher: It rearranges or reorders the positions of the plaintext elements based on a key (fixed algorithm) to form the ciphertext. If the adversary does not know the specific transposition pattern or rule, they will not be able to decrypt it.

  • Product Cipher: A combination of both substitution and permutation.

Alongside encryption methods, cryptologists have also developed two popular encryption types, Stream Ciphers and Block Ciphers:

| Type | Description | Properties | Example |
| --- | --- | --- | --- |
| Stream Ciphers | It is mainly a substitution cipher that encrypts data bit by bit (or byte by byte). They are faster and less complex to implement. | Employs Confusion only | Caesar cipher: it is a substitution cipher using a ROT13 (rotate 13) algorithm where half of the letters in the English alphabet are mapped to the other half. |
| Block Ciphers | Unlike stream ciphers, it processes fixed-sized blocks by reordering or rearranging bits within each block. It can incorporate both substitution and permutation. | Can employ both Confusion and Diffusion | DES (Data Encryption Standard): Block sizes are 64 bits; AES (Advanced Encryption Standard): Block sizes are 128 bits |

Caesar Cipher

Getting into the nitty-gritty details of both DES and AES deserves a separate article (will require familiarity with advanced math knowledge), but both use multiple rounds of transformations (substitutions and permutations) to strengthen security, though they do so in different ways.

For people who are still curious, I highly recommend checking out Neso Academy's videos on DES and AES. They are perfect to get an overview on how it works. For DES, I have linked a playlist starting with him teaching about the Feistel Structure (which forms the basis of DES). The latter link is a mere introduction to AES.

Cryptanalysis

Cryptanalysis is the opposite of cryptography. It looks for hidden messages and deciphers/decrypts them.

Examples include:

  • Known-plaintext analysis (KPA): Through frequency analysis, pattern matching, and statistical analysis
  • Chosen-Plaintext Analysis (CPA)
  • Ciphertext-Only Analysis (COA)
  • Adaptive Chosen-Plaintext Attack (ACPA)
  • Man-in-the-Middle Attack (MITM)

Cryptanalysis' main goal is to discover vulnerabilities or flaws that can be exploited to break the system's security.
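
The substitution, permutation and product ciphers from the Encryption Methods chapter, and the frequency analysis named in the list above, fit in one short program. The following Python example is added here and is not part of the original article; the sample sentence, the shift of 11, the 7-position permutation and the function names are constructed, and it shows why a Caesar shift, even wrapped in a transposition, falls to letter counting.

```python
import string

# Approximate relative frequency (percent) of the letters a..z in English text.
ENGLISH_FREQ = dict(zip(string.ascii_lowercase, [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
    6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07,
]))

# Constructed sample values.
PLAINTEXT = ("the enemy knows the system so the security of a cipher must rest "
             "on the key alone and not on keeping the algorithm secret")
SHIFT = 11
PERM = (3, 0, 6, 1, 5, 2, 4)  # output position i takes input position PERM[i]


def letters_only(text):
    """Lower-case the text and drop everything that is not a..z."""
    return "".join(c for c in text.lower() if c in string.ascii_lowercase)


def caesar(text, shift):
    """Substitution: replace every letter with the one `shift` places later."""
    return "".join(chr((ord(c) - 97 + shift) % 26 + 97) for c in text)


def transpose(text, perm):
    """Permutation: reorder the letters inside fixed-size blocks (pads with x)."""
    n = len(perm)
    text += "x" * (-len(text) % n)
    return "".join(text[i + p] for i in range(0, len(text), n) for p in perm)


def untranspose(text, perm):
    """Undo transpose() by writing each letter back to its original position."""
    n = len(perm)
    out = []
    for i in range(0, len(text), n):
        block = [""] * n
        for pos, p in enumerate(perm):
            block[p] = text[i + pos]
        out.append("".join(block))
    return "".join(out)


def product_encrypt(text, shift, perm):
    """Product cipher: substitution followed by permutation."""
    return transpose(caesar(text, shift), perm)


def product_decrypt(text, shift, perm):
    return caesar(untranspose(text, perm), -shift)


def chi_squared(text):
    """Distance between the text's letter counts and typical English counts."""
    n = len(text)
    return sum((text.count(letter) - n * pct / 100) ** 2 / (n * pct / 100)
               for letter, pct in ENGLISH_FREQ.items())


def crack_caesar(ciphertext):
    """Ciphertext-only analysis: try all 26 shifts, keep the most English-like."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))


if __name__ == "__main__":
    plain = letters_only(PLAINTEXT)
    print("Caesar ciphertext :", caesar(plain, SHIFT)[:40], "...")
    print("recovered shift   :", crack_caesar(caesar(plain, SHIFT)))
    # Transposition moves letters but never changes how often each one occurs,
    # so the same count-based analysis still recovers the shift.
    print("product ciphertext:", product_encrypt(plain, SHIFT, PERM)[:40], "...")
    print("recovered shift   :", crack_caesar(product_encrypt(plain, SHIFT, PERM)))
```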