Malware, social engineering, network attacks. The actual threats — what they look like in real life, not just textbook definitions.
Attacks fall into three families: (1) Malware = malicious software running on a system (virus, worm, trojan, ransomware, spyware). (2) Social engineering = tricking PEOPLE rather than computers (phishing, pretexting, baiting). (3) Network attacks = exploiting how data moves (MITM, DoS/DDoS, packet sniffing, spoofing). Almost every real-world breach combines two or more of these. The Optus and Medibank breaches you've heard about? Both started with one of these categories and cascaded.
10.1 The Three Families of Attack
Real breaches almost always combine families. A phishing email that drops malware that opens a backdoor — that's all three working together.
10.2 Family 1 — Malware
Malware is just a contraction of "malicious software." It's any program that does something the user didn't intend, usually for the attacker's benefit. The categories below describe how it spreads and behaves, not what damage it does — most modern malware mixes several types.
| Type | What it does | How it spreads | CIA impact | Real-world example |
|---|---|---|---|---|
| Virus | Attaches to a legitimate file. Runs when the file is opened. Spreads to other files on the same system. | User has to run the infected file (open an .exe, enable macros in a Word doc). | | Macro viruses in Word documents — the classic "enable content" trap. |
| Worm | Self-replicating. Spreads on its own without user action. Often uses network vulnerabilities. | Crawls across networks automatically — no clicking needed. | All three: consumes bandwidth (A), may modify systems (I), often installs data-stealers (C) | WannaCry (2017) spread to 200,000+ machines in a weekend by exploiting a Windows SMB vulnerability. |
| Trojan | Pretends to be legitimate software. User installs it thinking it's safe. | Downloaded from sketchy sites, fake "free" software, cracked games. | Depends on payload — usually Confidentiality (stealing data) | Banking trojans like Emotet — disguised as invoice attachments. |
| Ransomware | Encrypts the victim's files and demands payment for the decryption key. | Usually arrives via phishing or exploits unpatched systems. Often spreads laterally inside a network. | Availability (files unusable) + increasingly Confidentiality (double extortion: pay or we leak) | Colonial Pipeline (2021) — fuel supply to the US East Coast halted; $4.4M ransom paid. |
| Spyware | Quietly collects information — keystrokes, screenshots, browsing, credentials. | Bundled with free software, malicious browser extensions, drive-by downloads. | Confidentiality (data exfiltration) | Pegasus — commercial spyware used to surveil journalists and activists. |
| Adware | Pops up unwanted ads, sometimes redirects browser. Less malicious but annoying and often a stepping stone. | Bundled with "free" software downloads. | Integrity (modifies browsing experience) | Browser hijackers that change your search engine without permission. |
| Rootkit | Hides itself deep in the operating system, giving the attacker persistent access. Very hard to detect. | Installed by other malware after initial breach. Lives at OS or firmware level. | All three — gives attacker total control | Sony BMG rootkit scandal (2005) — installed by music CDs to enforce DRM. |
| Botnet (zombie) | Infected machines that the attacker remotely controls. Used to launch DDoS attacks, send spam, mine cryptocurrency. | Various — usually trojans or worms. Victim usually doesn't notice. | Victim: Integrity (machine compromised). Target of the botnet: Availability. | Mirai botnet — 600,000+ hacked IoT devices used to take down major websites in 2016. |
CIA AS AN EXAM SHORTCUT: Every attack can be classified by which pillar of the CIA triad it violates — Confidentiality (data exposed), Integrity (data modified), Availability (service denied). Tag every attack you discuss with at least one letter. Examiners reward this structured thinking. Chapter 8 covers the triad in depth.
TRAP: "Virus" and "malware" are not synonyms. A virus is ONE TYPE of malware. Saying "it's a virus" when it's actually ransomware or a worm shows you don't understand the distinction. Use the specific term.
TRAP: Worms vs viruses — the key difference is self-spreading. A virus needs a human to run something. A worm spreads on its own. If a question asks "why was WannaCry so devastating?" the answer is "it was a worm — it spread automatically across networks without anyone clicking anything."
WannaCry — May 2017
A ransomware-worm hybrid. It used a Windows vulnerability called EternalBlue (originally developed by the US NSA, then leaked) to spread automatically across networks. Once on a machine, it encrypted all files and demanded $300 in Bitcoin.
In 4 days it hit 200,000+ machines across 150 countries. The UK's NHS lost access to patient records and had to cancel surgeries. Telefónica, FedEx, Renault and Russian Railways all got hit.
What made it catastrophic: Microsoft had released a patch two months earlier, but countless organisations hadn't installed it. The combination of (1) a worm that spread automatically, (2) ransomware that demanded payment, and (3) widespread unpatched systems = a global disaster. The lesson: patching isn't optional, and "we'll do it next quarter" is a security posture that fails catastrophically.
10.3 Family 2 — Social Engineering (the human exploit)
Why bother hacking a computer when you can trick a person into handing you the keys? Social engineering attacks bypass technical defences by targeting the squishy meat at the keyboard (in exam terms: human vulnerability). Most major breaches start here — not with brilliant code, but with a convincing email.
| Type | What it looks like | The psychological trick |
|---|---|---|
| Phishing | Mass email or SMS pretending to be from a real org (bank, ATO, Australia Post). Contains a link to a fake login page or a malware attachment. | Authority + urgency. "Your package is held up. Click to fix." or "Suspicious login detected. Confirm now." |
| Spear phishing | Targeted phishing aimed at one specific person, usually using personal details to seem credible. | Personalisation. "Hi Sarah, here's the contract from yesterday's meeting" — when there was a meeting. |
| Whaling | Spear phishing aimed at high-value targets — CEOs, CFOs. | Often impersonates the target back at staff: "Urgent — wire $50K to this supplier. — CEO" |
| Smishing | Phishing via SMS. The "you have a parcel" or "ATO refund" texts you've definitely received. | Mobile phones feel more personal/trusted than email; harder to inspect links. |
| Vishing | Phishing by voice call. "I'm from Microsoft Support, your computer has a virus." | Pressure under live conversation; harder to think critically when someone's talking at you. |
| Pretexting | Inventing a believable scenario to get info. Fake "IT support" calls asking for your password. | People want to be helpful. A confident-sounding stranger gets answers. |
| Baiting | Leaving infected USB drives in carparks, or offering "free" downloads of pirated content laced with malware. | Curiosity and getting-something-for-nothing. |
| Tailgating | Following an authorised person through a secure door without swiping in. | Politeness. Most people will hold the door for someone carrying coffee. |
| Quid pro quo | Offering something in exchange for info or access. "Free Spotify Premium — just confirm your password." | Reciprocity bias. |
The Twitter Bitcoin Hack — July 2020
A 17-year-old in Florida named Graham Ivan Clark, working with a couple of others, took over the Twitter accounts of Barack Obama, Elon Musk, Bill Gates, Apple, Uber, and dozens more. Each account tweeted a Bitcoin scam ("send $1000, get $2000 back"). They made about $120K before Twitter shut it down.
How did teenagers compromise the most prominent accounts on the platform? Phone-based social engineering. They called Twitter employees pretending to be from internal IT, and convinced one to hand over credentials to an internal admin tool. No code was exploited. No firewalls were bypassed. They just talked their way in.
Lesson: Technical controls alone cannot fully prevent a confident phone call to the right person (in exam terms: social engineering bypasses technical defences by targeting human decision-making). This is why companies now drill staff on social engineering and why "verify out-of-band" (call them back on a known number) is a core security practice.
TRAP: Social engineering is NOT "hacking." Students often write "the attacker hacked the email account." If no system was actually compromised — if the user just typed their password into a fake page — the attack was social engineering, not a hack. Get the term right.
HOW TO SPOT PHISHING (the checklist):
1. Sender address looks slightly off (service@paypa1.com, not paypal.com)
2. Generic greeting ("Dear customer")
3. Urgency or threat ("account closing in 24 hours")
4. Hover the link — does the URL match the displayed text?
5. Unexpected attachment, especially .zip, .exe, or macro-enabled docs
6. Asks for credentials or payment via the message itself
If you can name three of these in an exam answer, you've nailed the question.
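The six checklist items above can be turned into a mechanical screen. The script below is an added example (not from the course notes or any vendor tool): it runs the checklist over a constructed sample email, with a hypothetical list of trusted brand domains, and reports which items fire.

```python
import re
from urllib.parse import urlparse

# Constructed sample message for this demo (not a real email).
SAMPLE_EMAIL = {
    "from": "PayPal Service <service@paypa1.com>",
    "body_html": (
        "<p>Dear customer,</p>"
        "<p>Suspicious login detected. Confirm now or your account will be "
        "closed in 24 hours.</p>"
        '<p><a href="http://paypal.verify-account.example/login">'
        "https://www.paypal.com/signin</a></p>"
        "<p>Reply with your password to keep your account open.</p>"
    ),
    "attachments": ["statement.docm"],
}

# Hypothetical list of brand domains this organisation genuinely receives mail from.
TRUSTED_DOMAINS = {"paypal.com", "ato.gov.au", "auspost.com.au"}
URGENCY = re.compile(r"\b(urgent|immediately|in 24 hours|confirm now|suspended)\b", re.I)
GREETING = re.compile(r"\bdear (customer|user|member|client|valued customer)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|passcode|card number|bank details|cvv)\b", re.I)
RISKY_EXT = (".exe", ".zip", ".scr", ".js", ".docm", ".xlsm")
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def sender_domain(from_header):
    m = re.search(r"@([\w.-]+)", from_header)  # works for 'Name <user@domain>' too
    return m.group(1).lower() if m else ""

def is_lookalike(domain, trusted):
    """True if domain is one character away from a trusted one (paypa1.com vs paypal.com)."""
    if domain in trusted:
        return False
    return any(len(domain) == len(t) and sum(a != b for a, b in zip(domain, t)) == 1
               for t in trusted)

def phishing_indicators(msg):
    """Return the checklist items (numbered 1-6 as in the text) that fire for msg."""
    hits = []
    dom = sender_domain(msg["from"])
    if is_lookalike(dom, TRUSTED_DOMAINS):
        hits.append("1 sender address looks slightly off: " + dom)
    body = msg["body_html"]
    if GREETING.search(body):
        hits.append("2 generic greeting")
    if URGENCY.search(body):
        hits.append("3 urgency or threat")
    for href, text in ANCHOR.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()   # the URL the reader sees
        if shown.startswith("http") and urlparse(href).hostname != urlparse(shown).hostname:
            hits.append("4 link text does not match real destination: " + href)
    for name in msg.get("attachments", []):
        if name.lower().endswith(RISKY_EXT):
            hits.append("5 risky attachment: " + name)
    if CREDENTIALS.search(body):
        hits.append("6 asks for credentials or payment inside the message")
    return hits
```

Running `phishing_indicators(SAMPLE_EMAIL)` fires all six items; a genuine statement notification from the real domain with a matching link fires none.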
AUTHENTICATION vs AUTHORISATION — get this right: Phishing is an authentication attack — it tricks you into giving up credentials that prove who you are. Once the attacker logs in, they inherit your authorisation — everything you're allowed to do. Students constantly mix these up. Quick memory aid: AuthN = "who are you?" (identity), AuthZ = "what are you allowed to do?" (permissions). Chapter 13 covers both in depth.
10.4 Family 3 — Network Attacks
These exploit how data moves between devices, rather than the devices themselves. They often happen invisibly — the user has no idea anything's wrong.
Man-in-the-Middle (MITM) [CIA: Confidentiality + Integrity]
The attacker secretly sits between two parties who think they're talking directly to each other. Everything you send goes through the attacker, who can read it (breaches Confidentiality) and modify it (breaches Integrity).
MITM is the network equivalent of someone secretly reading your mail before re-sealing the envelope and delivering it.
Common MITM scenarios:
Evil twin Wi-Fi: Attacker sets up a fake hotspot called "Free_Airport_WiFi". You connect. They see everything.
ARP spoofing: On a local network, attacker tricks devices into routing traffic through their machine.
SSL stripping: Attacker downgrades your HTTPS connection to plain HTTP, then reads everything.
WHY HTTPS MITIGATES MITM: When your traffic is encrypted with TLS (the S in HTTPS), an attacker sitting in the middle sees gibberish. They can't read it, and if they try to modify it, the receiver detects the tampering. This is why HTTPS rolled out across the entire web — it prevents most MITM attacks under normal conditions. (Chapter 12 explains how.) It's not unbreakable, though: if the user clicks through certificate warnings, or if the attacker has compromised a certificate authority, the protection breaks down. Defence in depth matters.
Denial of Service (DoS) and Distributed DoS (DDoS) [CIA: Availability]
The attacker doesn't try to break in — they overwhelm the server with so much traffic that legitimate users can't get through. Imagine 100,000 fake customers crowding a real shop so actual customers can't enter.
| Attack | Source | Target effect |
|---|---|---|
| DoS | One attacker, one machine | Easy to block — just blacklist the source IP |
| DDoS | Thousands of machines (a botnet) attacking simultaneously | Very hard to block — traffic comes from everywhere at once |
TRAP: A DoS/DDoS attack does NOT steal data. It attacks availability — the A in the CIA triad. If a question describes data being stolen, it's NOT a DoS attack. Get the categorisation right.
The 2022 Optus breach wasn't a DDoS — it was data theft. But for a real DDoS example: GitHub, February 2018. They were hit with the largest DDoS attack ever recorded at the time — 1.35 Tbps of traffic. The attackers used a technique called "memcached amplification" to multiply their attack traffic by 50,000x. GitHub stayed up — they had Akamai's anti-DDoS protection — but it was a wake-up call about the scale modern attacks can reach.
Packet Sniffing [CIA: Confidentiality]
Capturing and reading network traffic as it passes by. On an unencrypted network (open Wi-Fi, plain HTTP), an attacker with the right tools can read everything: passwords, messages, browsing history. This is purely a Confidentiality violation — the attacker sees data but doesn't change it.
# The most famous packet sniffer is Wireshark — free, used by network admins worldwide
# Don't run it on networks you don't own — it can be illegal
# On your own network, you can see exactly what your devices are sending
# Try it: install Wireshark, capture for 30 seconds, see how much HTTPS vs plain HTTP traffic you have
Spoofing [CIA: Integrity, often leads to Confidentiality]
Pretending to be someone or something you're not. This is fundamentally an Integrity attack — the identity of a sender or source has been falsified — and usually enables a follow-on Confidentiality breach. Several flavours:
IP spoofing: Forging the source IP address of packets so the receiver thinks they came from a trusted source
MAC spoofing: Changing your device's hardware address to bypass network filters
DNS spoofing: Poisoning DNS responses so users get redirected to attacker-controlled sites
Email spoofing: Forging the "From:" address — used in phishing
Caller ID spoofing: Forging the number that shows up — used in vishing scams
SQL Injection (briefly) [CIA: all three — depending on what the attacker does]
An attacker enters specially crafted text into a website form so that the server's database treats it as a command rather than data. Result: the attacker can read, change, or delete database contents.
Example: a login form expects a username. Attacker enters: admin' OR '1'='1. The server's database query becomes: "log in if username = 'admin' OR 1=1" — which is always true. The attacker is logged in as admin. This is the attack that got Optus.
The Optus Breach — September 2022
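The login example above, worked through in code. This is an added illustration (not from the course notes or any real application) using an in-memory SQLite database with one constructed account: the vulnerable version pastes the input into the SQL text, so the `admin' OR '1'='1` payload rewrites the WHERE clause; the safe version binds the input as a parameter, so the same text is just compared to usernames and matches nothing.

```python
import sqlite3

def make_db():
    """Constructed demo database with a single account (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn

def build_vulnerable_query(username, password):
    """The flawed pattern: user input is pasted straight into the SQL text."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(conn, username, password):
    """Runs whatever SQL the concatenation produced, so input can become a command.

    With the payload in the username, the clause reads
      username = 'admin' OR '1'='1' AND password = 'wrong'
    and the admin row matches on the first condition alone, so no password is needed.
    """
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameterised query: the driver hands the values to SQLite as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR '1'='1"          # the input from the text above
    print(build_vulnerable_query(payload, "wrong"))
    print("vulnerable login returns:", login_vulnerable(db, payload, "wrong"))  # admin
    print("safe login returns:", login_safe(db, payload, "wrong"))              # None
```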
9.8 million Australian customer records exposed: names, dates of birth, phone numbers, email addresses, addresses, passport and licence numbers. About 40% of the country's population.
The cause: an unauthenticated, internet-exposed API endpoint. There was an interface that should have required a login but didn't — and you could just iterate through customer ID numbers (0000001, 0000002, 0000003...) and pull each customer's full record. No actual hacking. No password cracking. Just an open door.
This is technically a kind of access-control failure rather than SQL injection, but the lesson is the same: web-facing endpoints that expose data without proper authentication are catastrophic. Every Australian student in this course should know the Optus breach by name.
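Two things a defender would want from this story: the check the endpoint was missing, and the signal that would have shown the iteration happening. The code below is an added example, not Optus's system or logs: the access-log lines, the log format, the IP addresses, the session store and the record store are all constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample API access log (hypothetical format and addresses).
ACCESS_LOG = """\
203.0.113.5 GET /api/customer/0000001 200
203.0.113.5 GET /api/customer/0000002 200
203.0.113.5 GET /api/customer/0000003 200
203.0.113.5 GET /api/customer/0000004 200
203.0.113.5 GET /api/customer/0000005 200
198.51.100.7 GET /api/customer/0042817 200
198.51.100.7 GET /api/customer/0042817 200
"""
LINE = re.compile(r"^(\S+) GET /api/customer/(\d+) (\d{3})$")

def detect_enumeration(log_text, min_run=4):
    """Return {client_ip: longest run} for clients that walked consecutive customer IDs."""
    ids_by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ids_by_client[m.group(1)].append(int(m.group(2)))
    flagged = {}
    for ip, ids in ids_by_client.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1   # consecutive ID: enumeration pattern
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged

# Hypothetical session store and record store standing in for a real backend.
SESSIONS = {"tok-alice": "0042817"}        # session token -> authenticated customer ID
RECORDS = {
    "0042817": {"name": "Alice Example", "dob": "1990-01-01"},
    "0000001": {"name": "Bob Example", "dob": "1985-05-05"},
}

def get_customer(token, customer_id):
    """Authenticated AND authorised lookup: a caller may read only their own record."""
    owner = SESSIONS.get(token)
    if owner is None:
        return 401, None            # no valid login: the check the open endpoint lacked
    if owner != customer_id:
        return 403, None            # logged in, but asking for someone else's record
    return 200, RECORDS.get(customer_id)
```

The first client is flagged with a run of five consecutive IDs while the second, which re-reads its own record, is not; and without a session token every request to `get_customer` is refused before any record is touched.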
Legal trigger: Because this exposed personal information of Australian residents, it triggered the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 — Optus was legally required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC). Chapter 17 covers the NDB scheme in detail, but recognise the trigger now: any eligible data breach of personal information held by most Australian organisations must be reported.
The Medibank Breach — October 2022
9.7 million customers (active and former) had data stolen, including 480,000 health claims with details of diagnoses and procedures. The attackers (a Russian-aligned group called REvil) demanded $10M ransom, which Medibank refused to pay. The attackers then began publishing the most sensitive data (mental health, drug abuse, terminations) on the dark web.
The initial entry point: compromised credentials belonging to an IT contractor. Almost certainly obtained through phishing or credential reuse. Once inside, the attackers moved laterally through the network for nearly two months before being detected.
Lesson: The first compromise is rarely the final compromise. Lateral movement, weak internal segmentation, and lack of monitoring are what turn an incident into a catastrophe. (Chapter 14 covers segmentation, Chapter 15 covers monitoring.)
AuthN vs AuthZ in action: The initial compromise was an authentication failure — stolen credentials got the attacker logged in. But the damage came from authorisation failure — once inside, that IT contractor account had far more access than it should have. Least-privilege access (only give an account the minimum it needs) is the defence that would have contained this. Chapter 13 covers this principle.
Legal trigger: Medibank also triggered the Notifiable Data Breaches scheme. Additionally, because health information was involved, it fell under the stricter protections of the My Health Records Act and the Privacy Act's health-data provisions. The OAIC launched an investigation. This is why health data is treated as especially sensitive under Australian law.
10.5 Why Real Attacks Combine Multiple Categories
Look at how a typical modern breach unfolds — every step uses a different attack family:
A "ransomware attack" in the news is actually four chained attacks. Each defence layer that fails moves the attacker forward.
EXAM PATTERN: When asked to analyse a real breach, identify the chain. "The attack began with [social engineering type] which delivered [malware type] which then [network behaviour]." Showing you understand the chain demonstrates higher-order thinking and earns more marks than naming a single technique.
10.6 Defences Map (preview of Chapters 12–15)
| Attack | Primary defence | Covered in |
|---|---|---|
| Malware (general) | Antivirus, patching, user training, email filtering, application allowlisting | Ch 14, 15 |
| Phishing | User training, email filters (SPF/DKIM/DMARC), MFA on accounts | Ch 13, 17 |
| MITM | HTTPS/TLS everywhere, VPN on untrusted networks, HSTS | |
| | MFA, monitoring for anomalous logins, network segmentation, least privilege | Ch 13, 14, 15 |
10.7 Quick Quizzes
A user receives an email claiming to be from the ATO offering a tax refund. Clicking the link goes to a fake login page. What category of attack is this?
Phishing (a type of social engineering). Specifically, it's a generic mass phishing email rather than spear phishing, because it doesn't appear to be personally targeted. Bonus marks for naming the psychological trick: authority (claims to be ATO) and reward (refund).
An attacker overwhelms a website with traffic from 50,000 hijacked IoT devices. The site goes offline for 6 hours. Name the attack and the CIA principle violated.
Distributed Denial of Service (DDoS). The 50,000 devices form a botnet. The CIA principle violated is Availability — legitimate users couldn't access the service. Confidentiality and integrity were not affected (no data was read or modified).
Why is a worm considered more dangerous than a virus?
A worm is self-replicating — it spreads automatically across networks without any user action. A virus needs a user to run an infected file. This means a worm can propagate across thousands of machines in minutes, while a virus is limited by how often users open infected files. WannaCry's worm behaviour is what turned it from "a problem" into "a global crisis."
You connect to "Free_Airport_WiFi" at the airport and log into your bank. What attack might you be vulnerable to, and what protects you?
You're at risk of man-in-the-middle (MITM) via an evil twin hotspot. The attacker who set up the fake Wi-Fi can see all unencrypted traffic. What protects you: if the bank uses HTTPS (which all modern banks do), the traffic is encrypted with TLS — the attacker sees the connection happening but can't read the contents. Even better protection: use a VPN, which encrypts ALL traffic regardless of whether the destination supports HTTPS.
A company is hit by ransomware. They had backups but the backups were on the same network and also got encrypted. Which defence principle did they violate?
They violated the principle of backup isolation (sometimes called the 3-2-1 rule: 3 copies, 2 different media, 1 offline/offsite). Backups that are reachable from the main network are reachable by ransomware. Proper backups should be air-gapped (offline) or immutable (write-once) so ransomware can't reach them. This is why "we have backups" is not the same as "we're protected from ransomware."