Sunday, 10 May 2015

Symmetric Key Encryption:
This is also referred to as Secret Key Encryption, because a single Secret Key is used for both Encryption and Decryption. Assume that Alice needs to send some sensitive information to Bob. Alice encrypts the message using a Secret Key and sends it to Bob. The Secret Key is also shared with Bob by some other means. Bob then decrypts the received message using the Secret Key that Alice shared.

Asymmetric Key Encryption:
Also referred to as Public Key Encryption. Two keys, a Public Key and a Private Key, are used for Encryption and Decryption. Public Key Encryption was developed to overcome a limitation of Symmetric Key Encryption. Referring to the above example, say Alice has shared the Secret Key with Bob over telephone or email. Unfortunately, an attacker has managed to get hold of the Secret Key that was shared in the email, so the attacker can now decrypt the message. This is the issue when a single key is used for both Encryption and Decryption.
Public Key Encryption uses a key pair (Public Key, Private Key). The Public Key is used for Encryption and the Private Key is used for Decryption. Each individual holds a key pair. The Public Key is made freely available so that anyone who wants to send a message can use it for encryption. Bob's Public Key is freely available. Now Alice encrypts the message using Bob's Public Key. Bob can decrypt the message with his Private Key. In this process, no secret key needs to be shared.

Encoding vs. Encryption vs. Hashing

Encoding:
Encoding is not a security control, therefore no keys are used. Encoding is for usability: it transforms data into another format so that it can be exchanged between different types of systems. It is a reversible process. Data is encoded using a publicly available scheme, and encoded data can be decoded by anyone using the same scheme.
Examples of Encoding schemes are: Unicode, Base64, Hex

Encryption:
Encryption is to maintain confidentiality of the data. It transforms plain text into cipher text which is not human understandable. An encryption algorithm with a secret key is used to encrypt the data. It is a reversible process (decryption), but only for a party that holds the secret key and knows the algorithm that was used for encryption. Encryption is mainly categorized into two: Symmetric Key Encryption and Asymmetric Key Encryption. They are detailed in the post above.
Examples of Encryption algorithms are: RSA, AES, DES, 3DES

Hashing:
Unlike Encoding & Encryption, Hashing is a one-way (irreversible) process, and it ensures integrity of data. Hashing a message of any length produces a fixed-length message digest, or hash. It is almost impossible for two different messages to have the same hash; if this occurs, it is called a collision. Any minor change in the message results in a drastic change in the generated hash.
Examples of Hashing algorithms are: MD5, SHA
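The three transformations side by side, as an added Python example (not part of the original post): Base64 and hex encoding can be reversed by anyone, the symmetric encryption can be reversed only with the secret key, and the SHA-256 hash cannot be reversed at all and changes drastically for a one-character edit. The symmetric cipher here is a one-time pad (XOR with a random key as long as the message), used as a stand-in for AES because the Python standard library has no AES; the sample message is constructed for the demonstration.

```python
import base64
import hashlib
import secrets

# Constructed sample message used throughout the demonstration.
MESSAGE = b"Transfer 100 USD to account 4242"


# --- Encoding: no key, public scheme, anyone can reverse it ---------------

def encode_base64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def decode_base64(text: str) -> bytes:
    return base64.b64decode(text)


def encode_hex(data: bytes) -> str:
    return data.hex()


def decode_hex(text: str) -> bytes:
    return bytes.fromhex(text)


# --- Symmetric encryption: reversible only with the secret key -----------

def generate_key(length: int) -> bytes:
    # Cryptographically secure random bytes; the key is the only secret.
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: XOR each byte with a random key byte. Used here as a
    stand-in for AES (not in the standard library); the key must be random,
    as long as the message, kept secret and never reused."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation with the same key.
    return otp_encrypt(ciphertext, key)


# --- Hashing: one-way, fixed length, no key ------------------------------

def sha256_hex(data: bytes) -> str:
    # 256-bit digest regardless of input length.
    return hashlib.sha256(data).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Hamming distance between two hex digests, to show the avalanche effect."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    print("base64:", encode_base64(MESSAGE))
    print("hex:   ", encode_hex(MESSAGE))
    key = generate_key(len(MESSAGE))
    ct = otp_encrypt(MESSAGE, key)
    print("ciphertext (hex):", ct.hex())
    print("decrypted with right key:", otp_decrypt(ct, key))
    print("decrypted with wrong key:", otp_decrypt(ct, generate_key(len(MESSAGE))))
    h1 = sha256_hex(MESSAGE)
    h2 = sha256_hex(MESSAGE.replace(b"100", b"900"))
    print("sha256 original:", h1)
    print("sha256 altered: ", h2)
    print("bits that differ:", differing_bits(h1, h2), "of 256")
```

Running the block shows the encoded forms decoding back without any key, the ciphertext turning into garbage under a wrong key, and roughly half of the 256 digest bits flipping when one digit of the amount changes.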

Tuesday, 17 March 2015

Digital Signature

A Digital Signature ensures the integrity of a message or a document. A digital signature is an encrypted message digest.
Message Digest:
How is a Message Digest created?
A typical 128-bit hash is computed from the content of a document using a hashing algorithm like MD5.
The computed hash is the Message Digest of the document. A message digest helps in identifying a change that was made to the document, either accidentally or intentionally.
The Message Digest is then encrypted with the Private Key of the Sender, resulting in a Digital Signature.

Authenticity of the content in the document can be verified by the recipient as follows:
1. Receiver decrypts the encrypted hash with the Public Key of the sender.
2. Receiver computes the hash value of the content in the document.
3. The hash is then compared with the decrypted hash.

If they are the same, then the received content has not been altered. The Sender is also verified here, because decryption with the Public Key succeeds only when the Sender used his Private Key to encrypt. This proves that the message was received from the genuine Sender.

Saturday, 28 February 2015

Forced Browsing

Forced or forceful browsing is the process of enumerating the web pages that are not referenced by the web application but are still accessible. They may contain sensitive information or some kind of admin login page which is not intended for normal users.
A brute-force attack can be launched on the application by accessing unreferenced links.
Let us consider an application www.<websitename>.com
Developers do not link to the admin login page of the web application, but it can still be accessed by entering its URI directly. Attackers can try the following examples to get access to the admin login page.
www.<websitename>.com/admin.aspx
www.<websitename>.com/admin.php
www.<websitename>.com/admin
In the above application, data for a particular period can be viewed by accessing the following link, which is referenced in the application:
www.<websitename>.com/userdata/2014/12
Now, attackers can try to view data from a different period by modifying the URI as follows:
www.<websitename>.com/userdata/2014/11
www.<websitename>.com/userdata/2014/10
To prevent forced browsing, access control must be implemented on every URI that exposes sensitive information, rather than relying on the page being unlinked.

Sunday, 22 February 2015

CIA Triad Explained

The Confidentiality - Integrity - Availability Triad is a security policy model.

Confidentiality: Confidentiality is protecting information, whether at rest or in transit, from unauthorized access; it should be available only to authorized users. Encryption ensures the confidentiality of information. Access Controls and Passwords can also be used to protect the data. Following are the common attacks on confidentiality:
Passive Attacks:
Dumpster Diving
Social Engineering
Active Attacks:
Password attacks like brute force
Using keyloggers

Integrity: Integrity ensures the trustworthiness of information. Information must remain unchanged throughout its lifetime, protected from both intentional and accidental modification. Integrity of information can be achieved by hashing and encryption. Integrity can be verified by using checksums.
Common attacks on Integrity are:
Data Diddling Attacks
Salami Attacks
Man-In-The-Middle Attacks

Availability: Availability is to ensure that data is available to authorized users at any point in time. Redundancy, Backups, a DRP (Disaster Recovery Plan) and HA (High Availability) Clusters help in maintaining the availability of information.
Attacks on availability are:
DOS (Denial of Service)
DDOS (Distributed Denial of Service)

Saturday, 21 February 2015

Privilege Escalation & Types

Privilege escalation is gaining access to a resource or function that the user is not intended to have. Escalations are mainly categorized into two:
1. Horizontal Privilege Escalation and
2. Vertical Privilege Escalation
These are detailed below.
Horizontal Privilege Escalation: When the access gained is between users of the same level, it is called horizontal escalation. For example: Alice and Bob are two users, and each has their own functions. When Alice gains access to functions that are private to Bob, it is a horizontal privilege escalation.
Vertical Privilege Escalation: When the access gained is between users of different levels, it is a vertical escalation. Continuing with the previous example: apart from Alice and Bob, there is an Administrator who takes care of administrative functions which are protected and can be accessed only by an admin. Alice successfully manages to gain access to the protected functions of the administrator. Here, the escalation is from a normal user to an administrator with higher privileges. This is vertical privilege escalation.
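An added Python example (not part of the original posts) of the access control that both the Forced Browsing post and this one call for. It applies a default-deny policy to every URI: the admin area requires the admin role (the vertical case), the userdata/YYYY/MM periods are served only to the user they belong to (the horizontal case, where Alice cannot read Bob's period), and unreferenced paths such as admin.php are refused instead of served. The users, roles and ownership table are constructed for the demonstration.

```python
import posixpath
import re
from typing import NamedTuple, Optional

# Constructed user directory: the role decides vertical access.
USERS = {
    "alice": "user",
    "bob": "user",
    "carol": "admin",
}

# Constructed ownership table: which reporting periods each user may view.
# Ownership decides horizontal access between users of the same level.
OWNED_PERIODS = {
    "alice": {"2014/12"},
    "bob": {"2014/11", "2014/10"},
}

PUBLIC_PATHS = {"/", "/login"}
USERDATA_RE = re.compile(r"^/userdata/(\d{4})/(\d{2})$")


class Decision(NamedTuple):
    allowed: bool
    status: int   # HTTP status the application should answer with
    reason: str   # text for the access log


def normalize(path: str) -> str:
    # Collapse forms like "/admin/" or "/x/../admin" so every rule sees one canonical path.
    return posixpath.normpath("/" + path.lstrip("/"))


def authorize(user: Optional[str], path: str) -> Decision:
    """Default-deny access control: a URI is served only if an explicit rule allows it.
    `user` is the authenticated username, or None for an anonymous request."""
    path = normalize(path)
    role = USERS.get(user) if user else None

    if path in PUBLIC_PATHS:
        return Decision(True, 200, "public path")

    # Everything below requires an authenticated, known user.
    if role is None:
        return Decision(False, 401, "authentication required")

    # Vertical rule: the admin area is only for the admin role.
    if path == "/admin" or path.startswith("/admin/"):
        if role == "admin":
            return Decision(True, 200, "admin role")
        return Decision(False, 403, f"{user} (role={role}) attempted admin area")

    # Horizontal rule: period data is served only to the user it belongs to.
    match = USERDATA_RE.match(path)
    if match:
        period = f"{match.group(1)}/{match.group(2)}"
        if period in OWNED_PERIODS.get(user, set()):
            return Decision(True, 200, "owner of period")
        return Decision(False, 403, f"{user} attempted period {period} not owned")

    # Unreferenced or unknown URI (e.g. /admin.php): refuse rather than serve it.
    return Decision(False, 404, "no rule for path")


if __name__ == "__main__":
    # Requests modelled on the URIs in the Forced Browsing post (constructed).
    for who, uri in [("alice", "/userdata/2014/12"), ("alice", "/userdata/2014/11"),
                     ("alice", "/admin"), ("carol", "/admin"),
                     ("alice", "/admin.php"), (None, "/userdata/2014/12")]:
        print(who, uri, "->", authorize(who, uri))
```

Each denial carries a reason string meant for the access log; a single account producing repeated 403s against the admin area or against periods it does not own is exactly the pattern a forced-browsing or escalation attempt leaves behind, and is worth alerting on.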