Hack The Box

Structure of InfoSec - HTB

Difficulty: None


10-27-2025 00:33

Areas of Information Security

CIA Triad

  • Confidentiality
  • Integrity
  • Availability

Assets that fall under InfoSec

  1. Network Security
  2. Application Security
  3. Operational Security
  4. Disaster Recovery and Business Continuity
  5. Cloud Security
  6. Physical Security
  7. Mobile Security
  8. Internet of Things (IoT) Security
  9. LLM Security (personal opinion but very important as of late)
Security Roles and Their Relevance to Penetration Testing

  • Chief Information Security Officer (CISO)
    Description: Oversees the entire information security program.
    Relevance to penetration testing: Sets the overall security strategy that pen testers will evaluate.
  • Security Architect
    Description: Designs secure systems and networks.
    Relevance to penetration testing: Creates the systems that pen testers will attempt to breach.
  • Penetration Tester
    Description: Identifies vulnerabilities through simulated attacks.
    Relevance to penetration testing: Actively looks for and exploits vulnerabilities within a system, legally and ethically. This is likely your target role.
  • Incident Response Specialist
    Description: Manages and responds to security incidents.
    Relevance to penetration testing: Often works in tandem with pen testers by responding to their attacks, and sharing/collaborating with them afterwards to discuss lessons learned.
  • Security Analyst
    Description: Monitors systems for threats and analyzes security data.
    Relevance to penetration testing: May use pen test results to improve monitoring.
  • Compliance Specialist
    Description: Ensures adherence to security standards and regulations.
    Relevance to penetration testing: Pen test reports often support compliance efforts.
Operational Security

Operational Security, often abbreviated as OpSec, is a crucial component of an organization's overall security strategy. It encompasses the processes, practices, and decisions related to handling and protecting data assets throughout their lifecycle. The primary goal of OpSec is to maintain a secure environment for an organization's day-to-day operations, ensuring that sensitive information remains confidential, intact, and available only to authorized individuals.

  1. Asset Identification
    • Figure out which items are the most important to protect. These are your "critical information assets."
  2. Threat Identification
    • What could go wrong? Analyzing threats and assessing vulnerabilities in OpSec, figuring out where things could go awry.
  3. Vulnerability Identification
    • Implementing measures like passwords, security badges, or surveillance cameras to protect important information.
  4. Access Control
    • Companies use OpSec to determine who can access sensitive data, ensuring only the right people have the necessary permissions.
  5. Monitoring
    • OpSec is a continuous process that adapts to new threats and changes to keep everything secure. Change management is also a significant part of OpSec. Organizations frequently need to implement changes to their systems and