Network & Human Threats
Attacks that target the network infrastructure, and psychological manipulation targeting human error.
Examiner's Eye - Avoid the Trap!
The "Hacking" Generalisation Trap: Much like the word "malware", examiners heavily penalise the generic word "hacking". You will rarely get a mark just for saying someone "was hacked". Instead, specify the exact method used to gain unauthorised access (e.g. they used a Brute-Force attack, applied SQL Injection, or used Social Engineering). Be precise!
Concept Explorer: The Password Cracker
A "Brute Force" attack relies on automated guessing. Use the slider to see how long it takes a basic hacking algorithm to guess passwords of varying lengths using a combination of uppercase, lowercase, numbers, and symbols.
Extremely Vulnerable. An automated script will crack this instantly. Requires immediate change.
Concept Explorer: The Phish Hunter
Find 3 Red FlagsSocial Engineering relies on tricking the user. Below is a simulated "Phishing" email. Inspect the email carefully and click on the 3 critical red flags that prove this is a scam.
From: Server Support <admin-support@secure-login.ru>
To: Student <user1049@school.ac.uk>
Subject: URGENT: Account Suspension Notice
Dear Valued Customer,
We have detected unusual login activity on your university account originating from an unrecognised IP address.
To protect your data, your account will be permanently deleted in 12 hours unless you verify your identity immediately.
Please click the secure link below to log in and confirm your status:
Regards,
IT Security Team
Threat Neutralised!
You correctly identified the 3 key symptoms of a Phishing attack: a fake sender domain, a generic greeting, and artificial panic-inducing urgency.
Active Network Attacks
DoS / DDoS Attack
Denial of Service / Distributed Denial of Service
Flooding a server or network with an overwhelming, massive number of simultaneous data requests. The goal is to consume all available processing power or bandwidth, causing the server to crash or deny access to legitimate users.
Brute-Force Attack
Using automated software to systematically trial every possible password combination until the correct one is randomly guessed, granting unauthorised access to the system.
SQL Injection
Entering malicious SQL code (database queries) directly into a website's input form (like a username box). If the website does not properly validate the input, the code executes directly on the backend database, allowing the attacker to view, steal, or delete database records.
Data Interception
Unauthorised third parties passively eavesdropping, using software like "packet sniffers" to secretly monitor and capture data packets as they travel across a network without encryption.
Social Engineering
Targeting people as the weak point. Using psychological manipulation or deception to trick users into freely giving away sensitive data or installing malware themselves.
Phishing
Sending fake emails or messages disguised as a trusted brand (e.g. a bank) containing malicious links. The links direct the user to a fake clone website designed to harvest their login details when they try to sign in.
Pharming
Malicious code installed on a user's hard drive or corrupting a DNS server. It automatically redirects the user to a fake website, even if the user deliberately typed the correct web address into their browser.
Shoulder Surfing
Directly and physically observing a person as they enter sensitive information, such as watching over their shoulder as they type a password or ATM PIN code.
Check Your Understanding
A student tries to log into his school email at a local coffee shop. He types the URL `mail.school.com` perfectly in his browser, but when he hits enter, the browser takes him to a site that looks identical but is secretly controlled by a hacker to steal his password. Which attack type does this describe?
Stretch & Challenge (AO2 Application)
Written Exam Scenario (AO2/AO3)
...