The seven stages of cybersecurity are as follows:
- Identification
- Protection
- Detection
- Response
- Recovery
- Investigation
- Adaptation
For any web application, there are a variety of ways that cyber-attackers can exploit vulnerabilities and cause damage. It’s crucial for applications to have robust defense systems in place against cyber attacks.
Designing these defense systems is an increasingly demanded service that takes a developer with specialized skills.
Today, we’ll get you started on your cyber security path by explaining some common cyber attacks and how to defend against them.
Take your first step and learn the best practices for preventing vulnerabilities.
Practical Security: Simple Practices for Defending Your Systems
Cyber security is the practice of protecting and recovering computer systems, services, and data from cyber attacks. It is a broad field that includes information security, network security, and other forms of security.
Cyber-attacks have existed for decades and continue to be an evolving danger to companies, customers, and employees. They can cause massive, irreparable damage to businesses and threaten the identities of customers and users.
Common forms of cyber attacks:
Malware: Malicious software that exploits and damages a user’s computer. Common types of malware are ransomware, spyware, trojan horses, and adware.
SQL injection: Involves taking control of a database or stealing data from a database by exploiting a system’s vulnerabilities.
Phishing: Involves cybercriminals forging emails that appear to be from a legitimate person or company, asking for sensitive information or payment.
If you’re using this cyber security guide to build a practical plan, organize actions by the five functions used across the industry:
Identify: inventory assets (devices, apps, data), classify sensitivity, list third-party dependencies.
Protect: enforce MFA everywhere, patch OS/apps/firmware on a schedule, use least-privilege access and role-based controls, encrypt data at rest/in transit, and harden endpoints.
Detect: centralize logs, set alerts for anomalous sign-ins and data access, and monitor critical changes.
Respond: maintain an incident-response runbook (who to call, triage steps, containment choices).
Recover: test backups, define recovery time objectives (RTO/RPO), and practice restoration. This structure helps small teams prioritize and measure maturity over time.
In the digital age, cyber threats continue to increase year after year.
In the first nine months of 2019 alone, 7.9 billion records were exposed by data breaches, more than double the figure for 2018. These cybersecurity threats undermine the livelihood of all businesses, as they can damage company reputation and erode the trust of customers.
It can also result in a great amount of financial loss and burden. Because of this, it’s important that all businesses set up critical infrastructure and defenses to prevent unauthorized access and attacks.
Structured Query Language (SQL) is a language used to query and control database systems such as MySQL, Oracle, or Microsoft SQL Server.
Databases store all types of information to add functionality to web applications. Oftentimes, web applications will use user-supplied data to build SQL statements that will interact with the database.
A SQL injection attack seeks to exploit this by submitting SQL statements that subvert the original intent of the application. Depending on how the application processes SQL statements, a SQL injection can successfully access information and distribute malicious code.
There are many types of possible SQL injections, so to understand how they work, let’s take a look at a simple example.
Say we have a simple login screen on a website asking for a username and password.
Normally, a site will run SQL like the statement above when a user requests to log in. The statement asks whether the database contains a user with the username ‘John’ and the password ‘mypassword’.
An attacker determines whether the system uses a SQL database by providing single quotes for the Username and Password inputs.
Single quotes are special characters in the SQL language, and a poorly designed database system may not check for single quotes. Because of this, it will return an error saying that the syntax is not supported by the SQL server.
Now, the attacker can confirm that the system is using SQL.
The attacker can use the username ' OR 1=1 -- to bypass the login. Because the value 1 is always equal to 1, an undefended server will potentially log the attacker in as the first user in the table. This is an extremely simple example of a SQL injection attack, but real attacks can be far more complex.
Bypassing authentication: Allows an attacker to access a user and potentially change details and access sensitive data.
Information disclosure: Allows an attacker to access information from a database, compromising data security.
Availability of data: Allows an attacker to delete important information, causing data loss, which results in harm to a business and its customers.
To protect your information technology systems, you should conduct risk assessments to find security vulnerabilities. Below, is a general guide to preventing SQL injections.
Create layers of defense:
It’s important that your system has multiple layers of defense, so that even if a hacker gets past one, there are more defenses in place. You can start by using prepared statements (parameterized queries), so that characters such as single quotes in user input are treated as data rather than as SQL.
You can continue adding defenses as development goes on. A final, broader layer of defense is database permissions, so that the application’s database account can do no more than it needs to.
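To make the login example and the prepared-statement defense concrete, here is an added example that is not part of the original article. It builds a constructed in-memory SQLite table with the article’s ‘John’ / ‘mypassword’ row, then shows the same login written two ways: with string concatenation, where the ' OR 1=1 -- input rewrites the query, and with a parameterized query, where the same input is just compared as a literal string. The helper names and the sample data are assumptions for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table (sample data, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('John', 'mypassword')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so whatever the user types
    becomes part of the SQL text. Returns the matched username, or None."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Prepared statement: the SQL text is fixed and the values travel separately,
    so quotes and comment markers in the input are compared as data, never parsed."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def probe_leaks_syntax_error(login, conn):
    """The article's first probe: a lone single quote as the username.
    Returns True if the login code surfaces a database syntax error, which is
    what tells an outsider that SQL is in use behind the form."""
    try:
        login(conn, "'", "")
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("concatenated query:", login_vulnerable(db, payload, "anything"))
    print("parameterized query:", login_parameterized(db, payload, "anything"))
    print("quote probe errors (concatenated):", probe_leaks_syntax_error(login_vulnerable, db))
    print("quote probe errors (parameterized):", probe_leaks_syntax_error(login_parameterized, db))
```

Note that the parameterized version also stops the single-quote probe from producing a syntax error, which is the “noisy” signal the article describes. Passwords are stored in plain text here only to keep the example short; a real application stores a salted hash and compares against that.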
Alerts:
You can also set up your system so that the attacks are “noisy”, meaning that they will stand out. You want to build an alert system in which you have a rigorous evaluation that indicates whether a security breach is happening.
With alerts, the system can quickly notify employees and take action.
Diligence:
You should also set up a system of ongoing diligence during development. This consists of creating a framework in which developers can easily understand where and when diligence is required.
For example, you need to make it clear which parts of the database’s code should be accessible and where it shouldn’t.
To turn defenses into muscle memory, embed security in the development lifecycle:
Requirements & design: threat-model new features; decide how the app will authenticate, authorize, and validate input.
Build: adopt parameterized queries/ORMs by default, encode output to prevent XSS, validate and sanitize all untrusted input, and fail closed on errors.
Test: add automated SAST/DAST checks in CI, dependency scanning, and secrets detection.
Release & operate: set security headers, rotate keys regularly, and monitor for abuse patterns. Center your backlog around recurring risks like injection, broken auth, security misconfigurations, and vulnerable components—the same issues highlighted by community standards. This is what a modern cyber security guide should reinforce for engineers.
Educative’s Practical Security course teaches you the main forms of cyber attacks alongside five simple, yet effective, techniques to improve your application security.
Phishing is the practice of illegally obtaining personal information through deceptive e-mails and websites. This often results in identity theft and is considered a serious cyber attack.
In a phishing attack, the attacker will send an email to the recipient with false information to mislead the victim in providing their personal information.
The goal of the attacker is to trick the victim into believing that the email or request is from a legitimate organization like a bank or known company.
These types of attacks date back to the 1990s and are still one of the most widespread and successful cyber attacks because techniques have become increasingly sophisticated and require little effort.
With phishing, there is no need for the attacker to look for potential SQL injections or unpatched servers.
Attackers now weaponize AI to craft convincing emails, clone voices, and poison search results with fake downloads. Combine people, process, and technology:
People: regular simulations and just-in-time training; teach verification via a second channel for payment or credential requests.
Process: require change-management for bank details; enforce ticket-based approvals; document how to report suspicious messages.
Technology: enable DMARC, SPF, DKIM; quarantine unknown senders; block newly registered domains; and add browser/endpoint protections against malicious extensions and downloads. Expect hybrid tactics that blend email, SMS, and fake websites, including SEO poisoning. Keep this front-and-center in any cyber security guide aimed at non-specialists.
Let’s look over the three common types of phishing attacks: phished credentials, CSRF, and social engineering.
Phished credentials:
This is the most popular form of phishing, in which the attacker replicates a popular website such as Instagram, Facebook, or Gmail.
Oftentimes, an attacker mimics a social media platform. Then, the attacker will send emails asking potential victims to sign into their account through a malicious link.
Typically, they’ll copy an email format similar to the legitimate company’s emails and ask the recipient to take some form of action.
The phisher’s attack is successful when a recipient enters their login info or credit card info into the malicious website, giving the attacker access to their account and its private information.
This is particularly dangerous, as the attacker can reset passwords for accounts on other sites, beyond the initial website. And if a victim uses the same password on other sites, an attacker can access even more private information.
Attackers can go one step further by resetting the account password so that they have complete control over the account. Because this approach is so common, applications must set up defense systems such as multi-factor authentication.
Cross-Site Request Forgery (CSRF):
CSRF is a cyberattack that tricks an application into executing an action that the victim unknowingly triggers.
An attacker can create a malicious email with a hyperlink that they want the recipient to click. When the recipient clicks the link, it will send a request to the application server based on the attacker’s intention.
The request, for example, could allow the attacker to take over the victim’s web app or validate a dangerous activity such as transferring funds on a bank application.
An attacker typically prepares for a CSRF attack by studying the application’s API in order to craft forged requests. So, if you are building a web application, it’s incredibly important that your system prevents CSRF attacks. Without any defense, nothing stands in the way of a CSRF attack.
Social engineering:
This is the least technical form of attack. In this method, a phisher will pretend to be someone else in an effort to ask for certain personal details like banking information, passwords, usernames, and more.
One of the simplest and most effective methods to protect against phishing is social defense. This consists of educating everybody in your company or team about how to differentiate between legitimate emails and malicious emails. Here are a few tips for anti-phishing training:
Suspicious-looking domains in the email address and links provided.
A common trait of phishing emails is that they appear to be from someone legitimate, such as a company executive. These emails will also link to a site that appears legitimate. When you see an email requesting you to take action, be sure to check the sender’s email address and the reply-to address. If they do not match, if the address looks suspicious, or if it does not align with the legitimate company’s domain, that should raise a red flag. For example, a look-alike of team@facebook.com could be team@facebo0k.com or team@faceb00k.com.
Oftentimes, phishing emails will link to a website that looks similar to a legitimate site. Look at the web address to check whether the URL is legitimate.
Be skeptical about attachments.
Another common trait of phishing emails is that they contain an attachment to open. Before you open an attachment, make sure that you were expecting one. Do not open attachments from random emails. Furthermore, make sure that the file type is the type you are expecting. If you were expecting an image, the file should be a .jpg or a .png. If the file attached is a .exe file, don’t open it. You should automatically be suspicious of .exe files, as you run the risk of downloading malware or other harmful programs onto your computer. As a basic precaution, an easy way to defend against malware is to install an antivirus.
Be skeptical about emails with urgent deadlines.
Oftentimes, phishing emails will exploit a sense of urgency so that the recipient feels they must take immediate action. An example could be an email with an invoice requesting money for an unfulfilled payment. You should be suspicious of these emails and follow up with the appropriate people in your company or team. It’s better to ask than to run the risk.
Consider whether the general premise of the email is legitimate.
Above all, you must confirm the legitimacy of the email by verifying its claims. If the email doesn’t add up or simply feels off, check with company customer support. Again, it’s safer to ask than put yourself at risk.
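The first tip above (mismatched sender and reply-to addresses, and digit-for-letter look-alike domains such as facebo0k.com) can be turned into an automated check. The following is an added example, not code from the article or from Educative: it parses a constructed message with Python’s standard email module, compares the From and Reply-To domains, and flags any domain that is not on a trusted list but becomes a trusted domain once common digit substitutions are undone. The trusted-domain list, the substitution table, and the sample messages are all assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of domains the organisation actually deals with.
TRUSTED_DOMAINS = {"facebook.com", "educative.io"}

# Digit-for-letter substitutions commonly seen in look-alike domains (assumed set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample messages (not real mail).
SAMPLE_PHISH = "\n".join([
    "From: Facebook Team <team@facebo0k.com>",
    "Reply-To: team@faceb00k.com",
    "Subject: Action required on your account",
    "",
    "Sign in at http://facebo0k.com/login to keep your account.",
])
SAMPLE_LEGIT = "\n".join([
    "From: Educative Support <support@educative.io>",
    "Subject: Your receipt",
    "",
    "Thanks for your purchase.",
])


def normalize_domain(domain):
    """Undo the digit substitutions so 'facebo0k.com' compares as 'facebook.com'."""
    return domain.lower().translate(HOMOGLYPHS)


def domain_of(header_value):
    """Extract the bare domain from a header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def inspect_message(raw):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To")) or from_domain
    findings = []
    if reply_domain != from_domain:
        findings.append("reply-to domain differs from sender domain")
    # dict.fromkeys keeps order and drops the duplicate when both domains match
    for dom in dict.fromkeys([from_domain, reply_domain]):
        if dom and dom not in TRUSTED_DOMAINS and normalize_domain(dom) in TRUSTED_DOMAINS:
            findings.append(f"look-alike domain: {dom}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, inspect_message(raw) or "no findings")
```

This only catches the digit-swap family of look-alikes; Unicode homoglyphs and extra-subdomain tricks (facebook.com.example.net) need their own rules, and the check is a hint for a human reviewer, not proof that a message is safe.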
The reason why phishing emails are so widespread is because anyone can send an email to anybody else. Email is sent and received using a system called SMTP (Simple Mail Transfer Protocol). SMTP allows any mail server on the internet to send and receive emails from one another. This system is a large part of the problem, as it allows spam to become so widespread.
Let’s say you receive an email from the domain educative.io, such as support@educative.io. What’s to say that this email address is legitimate? On its own, SMTP provides no defense that lets a receiving server determine whether the email address is legitimate.
So, what can we do? We can use DNS (Domain Name System) to analyze information about domains and potentially filter out fraudulent emails. The DNS stores all kinds of information about a domain. Let’s see how we can use a defense strategy like SPF to determine whether an incoming email address is legitimate.
SPF (Sender Policy Framework) is a technology that allows admins of a domain to specify which computers have permission to send an email representing a certain domain. This allows us to determine whether an email is legitimate.
For example, if you receive an email that claims to be from educative.io, the mail server that receives the email can check whether the sending computer is authorized to send emails on behalf of educative.io.
So, say educative.io has an SPF record below:
When you receive an email that is supposedly from educative.io, the mail server can check whether it’s 1.2.3.4 that’s connecting to send the email. If not, it’s a forged email.
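The check the receiving server performs can be written in a few lines. The example below is added here and is not code from the article: it assumes the SPF record for educative.io is the constructed value v=spf1 ip4:1.2.3.4 -all (the article’s record allows only 1.2.3.4), parses the ip4/ip6 and all mechanisms, and returns the SPF result for a given connecting IP. A dictionary stands in for the DNS TXT lookup so the example runs offline; include:, a: and mx: mechanisms, which need real DNS queries, are deliberately rejected.

```python
import ipaddress

# Stand-in for DNS TXT lookups; the records are constructed for this example.
SAMPLE_SPF = {
    "educative.io": "v=spf1 ip4:1.2.3.4 -all",          # only 1.2.3.4 may send
    "example.net": "v=spf1 ip4:10.0.0.0/8 ~all",        # softfail for everyone else
}

# SPF qualifier -> result name used in Authentication-Results headers
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return ([(qualifier, network), ...], default_qualifier) for a v=spf1 record.
    Supports ip4:/ip6: mechanisms with optional CIDR and the 'all' mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks = []
    default = "?"  # a record with no 'all' term is neutral for unlisted senders
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        lowered = term.lower()
        if lowered == "all":
            default = qualifier
        elif lowered.startswith(("ip4:", "ip6:")):
            networks.append((qualifier, ipaddress.ip_network(term[4:], strict=False)))
        else:
            # include:, a:, mx:, exists: require DNS lookups; out of scope here
            raise ValueError(f"unsupported mechanism: {term}")
    return networks, default


def check_spf(sender_domain, connecting_ip, records=SAMPLE_SPF):
    """SPF result for a message claiming sender_domain delivered from connecting_ip."""
    record = records.get(sender_domain)
    if record is None:
        return "none"  # domain publishes no policy; the receiver cannot judge
    networks, default = parse_spf(record)
    ip = ipaddress.ip_address(connecting_ip)
    for qualifier, net in networks:
        if ip.version == net.version and ip in net:
            return RESULT[qualifier]
    return RESULT[default]


if __name__ == "__main__":
    print("educative.io from 1.2.3.4:", check_spf("educative.io", "1.2.3.4"))
    print("educative.io from 5.6.7.8:", check_spf("educative.io", "5.6.7.8"))
    print("example.net from 192.0.2.1:", check_spf("example.net", "192.0.2.1"))
```

A production receiver would also enforce the 10-DNS-lookup limit from the SPF specification and feed the result, together with DKIM, into the DMARC policy decision rather than rejecting on SPF alone.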
The two other DNS-based strategies are DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
Identity is the new perimeter. Make compromise more costly:
MFA first: use phishing-resistant factors where possible (platform authenticators, passkeys).
Least privilege: grant the minimum access necessary; separate admin and user accounts; time-bound high-risk permissions.
Device health: require updated OS, disk encryption, and screen-lock policies before granting access.
Network assumptions: treat internal networks as untrusted; prefer authenticated, encrypted service-to-service calls over flat internal access. These basics drastically reduce the blast radius of compromised credentials.
Detection and recovery are as important as prevention:
Log the right things: sign-ins, admin actions, privilege changes, and data exports. Aggregate logs and alert on anomalies (e.g., impossible travel, mass deletions).
Practice response: run quarterly tabletop exercises; pre-draft customer and regulatory notifications; define who can take systems offline.
Containment playbook: rapid password resets, token revocation, isolating hosts, disabling risky apps/integrations.
Backups: Keep immutable, off-network copies, test restores monthly, and track your actual recovery time versus your target.
A cyber security guide that skips response and recovery leaves readers unprepared for the moment that matters most.
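“Alert on anomalies (e.g., impossible travel)” is easy to say and worth seeing in code. The block below is an added example, not part of the article: it runs over a constructed sign-in log (user, UTC timestamp, latitude, longitude), computes the great-circle distance between each user’s consecutive sign-ins, and raises an alert when the implied speed exceeds a threshold. The 1000 km/h threshold, the sample coordinates, and the record layout are assumptions; a real deployment would take the coordinates from an IP geolocation feed and tune the threshold against known false positives such as VPN exits.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in log: (user, ISO-8601 UTC timestamp, latitude, longitude).
SAMPLE_SIGNINS = [
    ("alice", "2024-05-01T09:00:00+00:00", 37.77, -122.42),  # San Francisco
    ("alice", "2024-05-01T10:30:00+00:00", 51.51, -0.13),    # London, 90 minutes later
    ("bob",   "2024-05-01T09:00:00+00:00", 40.71, -74.01),   # New York
    ("bob",   "2024-05-01T17:00:00+00:00", 34.05, -118.24),  # Los Angeles, 8 hours later
]

# Faster than any commercial flight; assumed threshold for this example.
MAX_SPEED_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on Earth."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    d_phi = radians(lat2 - lat1)
    d_lambda = radians(lon2 - lon1)
    a = sin(d_phi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(d_lambda / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per consecutive sign-in pair whose implied speed is too high.
    Events are sorted per user by time so the log order does not matter."""
    alerts = []
    last_seen = {}  # user -> (timestamp, lat, lon)
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(user)
        if prev is not None:
            prev_when, prev_lat, prev_lon = prev
            distance = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # Two sign-ins at the same instant from different places is also impossible
            speed = float("inf") if hours <= 0 and distance > 0 else distance / hours if hours > 0 else 0.0
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": prev_when.isoformat(),
                    "to": when.isoformat(),
                    "distance_km": round(distance),
                    "speed_kmh": round(speed),
                })
        last_seen[user] = (when, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_SIGNINS):
        print("ALERT impossible travel:", alert)
```

Alice’s San Francisco to London hop in ninety minutes trips the rule; Bob’s New York to Los Angeles trip over eight hours does not. Wiring this to the containment playbook (token revocation, forced re-authentication) is what turns a log line into a response.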
Now, you should have a good idea of cyber attacks from SQL injections to phishing. But there’s still a lot to learn!
Other topics such as cloud security, cryptography, patching, XSS (cross-site scripting), and Windows security also help defend your systems against all forms of cybercrime.
Attackers are using AI to scale spear-phishing, write malware variants, and personalize scams.
Defenders can use AI-assisted detection, log triage, and automated playbooks to shorten dwell time and speed containment. Bake AI use into policy: require human review before high-impact actions, and track false positives to tune models. Include these considerations in any up-to-date cyber security guide.
To get started with these concepts and to dive deeper into cybersecurity, take our course Practical Security: Simple Practices for Defending Your Systems for real-world examples and hands-on practice. You will learn five simple, yet effective, best practices for preventing attackers from getting into your system.
Inventory devices, apps, and data.
Turn on MFA everywhere (prefer phishing-resistant methods).
Patch OS/apps/firmware monthly; auto-update browsers.
Enforce least-privilege access and separate admin accounts.
Enable DNS/email protections (SPF/DKIM/DMARC).
Deploy endpoint protection and disk encryption.
Back up critical data off-network; test restores monthly.
Centralize logs and set high-signal alerts.
Run phishing simulations and secure-coding reviews quarterly.
Write a one-page incident-response plan and practice it.
What are the seven stages of cybersecurity?