Understand how networks are attacked - malware, phishing, brute force, DoS/DDoS - and the defences that counter them: firewalls, encryption, 2FA and access control.
GCSE and A-Level 6 sections Threat-defence matcher + quiz
Section 1
Why Network Security Matters
In 2017, a ransomware attack known as WannaCry spread across 150 countries in a single day, encrypting files on over 200,000 computers. It hit hospitals, banks and telecoms companies. Some hospitals had to cancel operations because they could not access patient records. The attack exploited a single unpatched vulnerability in an operating system. The total economic damage was estimated in the billions.
Think about it: The WannaCry attack could have been prevented by installing a software update. A patch had been available for weeks before the attack. Why do organisations regularly fail to apply security updates, and what should a complete network security strategy look like?
Every network is a potential target. Attackers may want to steal data, cause disruption, demand money, or simply prove they can break in. Network security is the set of measures taken to protect data and systems from unauthorised access, theft, modification or destruction.
Security requires understanding both threats (how attacks are carried out) and defences (how to protect against them). Exam questions regularly ask you to match threats with appropriate defences and justify your recommendations.
Click each threat to expand its definition, a real-world example and key exam points.
Malware
Software-based threat
Any malicious software designed to harm, exploit or gain unauthorised access to a computer system. The term covers multiple specific types, each with different methods and goals.
VIRUS
Attaches to legitimate files. Spreads when infected files are shared. Can corrupt or delete data.
RANSOMWARE
Encrypts the victim's files and demands payment for the decryption key. Files are inaccessible until payment is made.
SPYWARE
Secretly collects information (passwords, keystrokes, browsing habits) and sends it to an attacker without the user's knowledge.
WORM
Self-replicating malware that spreads across networks automatically without user interaction, consuming bandwidth.
TROJAN
Disguises itself as legitimate software. Unlike viruses, it does not self-replicate. Once installed, it can create backdoors, steal data or download other malware.
Exam note: You must be able to distinguish between malware types. The key differences: viruses require a host file and user action to spread; worms spread automatically; ransomware demands payment; spyware collects and exfiltrates data silently; trojans disguise themselves as legitimate software.
Phishing
Social engineering
A social engineering attack where attackers send fraudulent messages (typically emails) impersonating trusted organisations (banks, employers, government) to trick victims into revealing credentials, personal data, or clicking links that install malware.
Example: An email that appears to be from your bank says "Suspicious activity detected on your account. Click here to verify your identity." The link leads to a fake website that captures your login credentials and sends them to the attacker.
Key detail: Phishing exploits human psychology (fear, urgency, trust), not software vulnerabilities. It is classified as social engineering - manipulating people rather than systems. Spear phishing is targeted phishing using personal information about the victim to appear more convincing.
Brute Force Attack
Authentication attack
An attack where automated software systematically tries every possible password combination until the correct one is found. Given unlimited attempts and time, any password can theoretically be broken - the question is how long it takes.
Example: A 4-digit PIN has 10,000 possible combinations. A brute force tool can try all 10,000 in seconds. A 12-character password using uppercase, lowercase, numbers and symbols has over 475 quadrillion combinations - at 1 billion attempts per second, this would take over 15 years.
Defences: Account lockout after X failed attempts; CAPTCHA; long, complex passwords; 2FA (even with the password, the attacker needs the second factor). Password length matters far more than complexity - a 20-character passphrase is stronger than an 8-character "complex" password.
DoS / DDoS
Availability attack
Denial of Service (DoS) - floods a server with more requests than it can handle, overwhelming its resources so legitimate users cannot be served. Distributed DoS (DDoS) - the same attack but coordinated from thousands of compromised machines (a botnet) simultaneously, making it harder to block.
Example: An e-commerce website during a sale. Attackers flood it with millions of fake page requests per second. The web servers, overwhelmed by fake traffic, cannot respond to real customers. The site goes down, costing the company lost sales and reputation damage.
DoS vs DDoS: DoS = one source; DDoS = many sources (botnet). DDoS is much harder to defend against because you cannot simply block one IP address. Defences: Traffic filtering, rate limiting, content delivery networks (CDN) that absorb traffic, specialist DDoS mitigation services.
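Rate limiting, one of the defences listed above, as an added example that is not code from the page: a per-source token bucket is run over constructed traffic, showing why a limit keyed on one IP address stops a single-source flood but not the same flood spread across a botnet.

```python
"""Per-source rate limiting (token bucket) against a request flood.

Added example, not code from the page. The same 50 requests in one second are
sent once from a single IP (DoS) and once from 50 different IPs (DDoS); the
limiter drops most of the first burst and none of the second.
"""
from collections import defaultdict


class TokenBucket:
    """Each source may burst up to `capacity` requests, then `rate` per second."""

    def __init__(self, capacity: int, rate: float):
        self.capacity, self.rate = capacity, rate
        self.tokens = defaultdict(lambda: float(capacity))  # tokens per source IP
        self.last = {}                                       # last request time per IP

    def allow(self, src_ip: str, now: float) -> bool:
        # Refill the tokens this source has earned since its last request.
        elapsed = now - self.last.get(src_ip, now)
        self.tokens[src_ip] = min(self.capacity, self.tokens[src_ip] + elapsed * self.rate)
        self.last[src_ip] = now
        if self.tokens[src_ip] >= 1:
            self.tokens[src_ip] -= 1
            return True
        return False          # bucket empty: drop the request


def serve(requests, capacity: int = 5, rate: float = 1.0):
    """Return (allowed, dropped) counts for a list of (timestamp, src_ip) tuples."""
    limiter = TokenBucket(capacity, rate)
    allowed = dropped = 0
    for ts, ip in sorted(requests):
        if limiter.allow(ip, ts):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped


# Constructed traffic: 50 requests within one second (documentation IP ranges).
DOS = [(i / 50, "203.0.113.7") for i in range(50)]        # one source
DDOS = [(i / 50, f"198.51.100.{i}") for i in range(50)]   # fifty sources

if __name__ == "__main__":
    print("DoS  (allowed, dropped):", serve(DOS))
    print("DDoS (allowed, dropped):", serve(DDOS))
```

The single-source burst gets only its 5-request allowance through; every one of the 50 distributed sources is seen as a fresh, well-behaved client.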
Section 3
Network Defences
A robust network security strategy uses multiple layers of defence. Click each defence to understand how it works, what threats it counters, and exam-specific details.
Firewall
Access control
A hardware or software system that monitors and filters incoming and outgoing network traffic based on predefined security rules. Acts as a barrier between a trusted internal network and untrusted external networks.
How it works: Rules define which traffic to allow or block based on source/destination IP address, port number and protocol. For example: block all incoming traffic on port 23 (Telnet); allow all traffic on port 443 (HTTPS). Packet filtering firewalls inspect individual packets; stateful firewalls track the state of connections.
Protects against: unauthorised access; some malware (C&C traffic); port scanning; some DoS.
Exam note: Firewalls can be hardware (a physical device, e.g. at the network perimeter) or software (installed on a device). A firewall does not protect against threats that enter via legitimate channels (e.g. an email attachment sent through allowed port 25). It is one layer of defence, not a complete solution.
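The packet-filtering rules described above as a first-match rule table, as an added example rather than any real firewall's code. The two quoted rules (block inbound Telnet, allow HTTPS) are kept, and an allow rule for inbound port 25 is assumed so the exam note's caveat is visible: mail that the rules permit passes, attachment and all.

```python
"""Minimal first-match packet filter with default deny.

Added example, not code from the page. Packets, rules and addresses are
constructed for this demonstration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    src_ip: str
    dst_port: int
    protocol: str    # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    direction: str = "any"          # "in", "out" or "any"
    protocol: str = "any"
    dst_port: Optional[int] = None  # None matches every port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.protocol in ("any", pkt.protocol)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


# Rule order matters: the first matching rule decides. Anything that reaches
# the end of the table is blocked (default deny).
RULES = [
    Rule("block", direction="in", protocol="tcp", dst_port=23),   # Telnet
    Rule("allow", protocol="tcp", dst_port=443),                   # HTTPS, both directions
    Rule("allow", direction="in", protocol="tcp", dst_port=25),   # SMTP (assumed mail server)
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return "allow" or "block" for one packet using first-match semantics."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"   # default deny: no rule matched


if __name__ == "__main__":
    samples = [
        Packet("in", "203.0.113.7", 23, "tcp"),    # Telnet login attempt: blocked
        Packet("in", "203.0.113.7", 443, "tcp"),   # HTTPS request: allowed
        Packet("in", "203.0.113.7", 25, "tcp"),    # inbound mail: allowed, whatever it carries
        Packet("in", "203.0.113.7", 3389, "tcp"),  # no rule: default deny
    ]
    for p in samples:
        print(f"{p.direction:>3} port {p.dst_port:<5} -> {filter_packet(p)}")
```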
Encryption
Data protection
The process of converting data into an unreadable format (ciphertext) using an algorithm and a key, so that only authorised parties with the correct decryption key can read it. Protects data in transit and at rest.
How it works: A symmetric key encrypts and decrypts with the same key (fast, used for bulk data). Asymmetric encryption uses a public key to encrypt and a private key to decrypt (used in HTTPS/TLS). Even if an attacker intercepts encrypted data, they see only unreadable ciphertext without the key.
Exam note: HTTPS uses TLS to encrypt web traffic. WPA2/WPA3 encrypts Wi-Fi communications. Encryption protects confidentiality but not availability - it does nothing against a DoS attack, which reads no data and simply overwhelms the server. Explain encryption as "converting data to ciphertext using a key", not just "making it unreadable".
Two-Factor Authentication
Authentication security
A security method requiring users to provide two separate forms of verification before gaining access. The two factors typically combine something you know (password) with something you have (a phone) or something you are (biometrics).
How it works: After entering a correct password, the system sends a one-time code to the user's registered phone (SMS or authenticator app). The user must enter this code to complete login. An attacker who steals the password alone cannot log in without also having the user's phone.
The three authentication factors: Knowledge (something you know - password, PIN); Possession (something you have - phone, smart card, token); Inherence (something you are - fingerprint, face, retina). 2FA uses two different categories. Using two passwords is NOT 2FA (both are knowledge factors).
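The login flow described above, combined with the brute force defences from the threats section (lockout after a set number of failed attempts, 2FA), as an added example that is not code from the page. The one-time code is a TOTP as computed by an authenticator app (RFC 6238: HMAC-SHA1 over a 30-second counter, six digits); the account, password and shared secret are constructed for the demonstration.

```python
"""Password + authenticator-app code with account lockout.

Added example, not code from the page. The TOTP test vectors used below are
the RFC 6238 reference values for the ASCII secret "12345678901234567890".
"""
import hashlib
import hmac
import struct

MAX_FAILURES = 5      # lockout threshold (the "X failed attempts" above)
TOTP_STEP = 30        # seconds per code
TOTP_DIGITS = 6


def totp(secret: bytes, now: float, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP(secret, floor(now / step)) with dynamic truncation."""
    counter = int(now // step)
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen database resists brute force; PBKDF2 is in
    # the standard library (bcrypt, mentioned by the calculator, needs a package).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = b"constructed-salt"     # random and per-user in practice
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret      # shared with the user's authenticator app
        self.failed_attempts = 0
        self.locked = False

    def login(self, password: str, code: str, now: float) -> str:
        """Return "ok", "denied" or "locked". Both factors must be correct."""
        if self.locked:
            return "locked"
        password_ok = hmac.compare_digest(hash_password(password, self.salt), self.password_hash)
        # Accept the current code and the previous 30-second window (clock drift).
        code_ok = any(hmac.compare_digest(code, totp(self.totp_secret, now - drift))
                      for drift in (0, TOTP_STEP))
        if password_ok and code_ok:
            self.failed_attempts = 0
            return "ok"
        # A wrong password or a wrong/missing code is one failure, and the
        # response does not reveal which factor was wrong.
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILURES:
            self.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    secret = b"12345678901234567890"
    acct = Account("alice", "correct horse battery", secret)
    print(acct.login("correct horse battery", totp(secret, 59), 59))   # ok
    print(acct.login("correct horse battery", "", 59))                 # denied: no second factor
```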
Access Control
Permission management
A system that restricts which users can access which resources on a network. Users are granted only the minimum permissions required for their role (the principle of least privilege). Unauthorised users are prevented from accessing sensitive data or systems.
How it works: User accounts are assigned roles and permissions. A receptionist can only access the appointments system; a doctor can access patient records; an IT admin can configure servers. If an attacker compromises one account, they can only access what that account is permitted to access.
Protects against: insider threats; privilege escalation; data breaches; lateral movement.
Exam note: Access control limits the damage if an account is compromised. "Principle of least privilege" - give users only the access they need for their job, nothing more. Also includes physical access control (locks on server rooms, badge access).
Software Updates & Patching
Vulnerability management
Regularly applying software updates (patches) that fix security vulnerabilities. Most successful malware attacks exploit known vulnerabilities for which patches already exist but have not been applied.
How it works: Software developers discover security vulnerabilities (either internally or via security researchers). They release patches to fix these vulnerabilities. Organisations must apply these patches promptly. Unpatched systems remain vulnerable to any attacker who knows about the flaw.
Context: WannaCry ransomware (2017) exploited a Windows vulnerability for which Microsoft had issued a patch 59 days earlier. Systems that applied the patch in those 59 days were protected. Keeping all software updated, including operating systems and third-party applications, is one of the most impactful security measures.
Anti-Malware Software
Threat detection
Software that detects, quarantines and removes malicious programs. Uses signature-based detection (comparing files against a database of known malware signatures) and heuristic detection (identifying suspicious behaviour).
How it works: Signature-based: scans files for patterns matching known malware. Requires up-to-date virus definitions to detect new malware. Heuristic: analyses program behaviour for malware-like actions (e.g. attempting to encrypt all files, making network connections to unknown servers).
Limitation: Anti-malware cannot detect zero-day malware (new malware not yet in signature databases) using signature-only methods. It is reactive rather than proactive. Must be kept updated to remain effective. Part of a layered security approach - not a single solution.
Section 4
Threat-Defence Matcher
For each attack scenario, identify the most appropriate defence. This is a core exam skill: linking specific threats to specific countermeasures with clear justification.
Choose the Best Defence
Select the most appropriate defence for each attack scenario. You'll get feedback explaining why.
Classify: Threat or Defence?
Drag each item to the correct category.
Ransomware
Firewall
Phishing email
Two-factor authentication
DDoS attack
Encryption
Brute force attack
Software updates
Spyware
Access control
Threats
Defences
Section 5
Quiz
Lesson Quiz - 5 questions
Network security threats and defences in exam question style.
Question 1 of 5
A user receives an email appearing to be from their bank, asking them to click a link and log in to verify their account. The link leads to a fake website that steals their credentials. What type of attack is this?
Question 2 of 5
What is the key difference between a DoS attack and a DDoS attack?
Question 3 of 5
A hospital network is attacked by ransomware that encrypts all patient records. Staff cannot access any files. Which type of malware is this and how does it work?
Question 4 of 5
Explain why two-factor authentication (2FA) makes a brute force attack significantly less effective.
Question 5 of 5
A company employs 500 staff. The company decides all employees will have administrator access to all systems for convenience. Identify the security risk this creates and state a better approach.
Interactive Tool
Attack Walkthrough
Step through three common attacks to understand exactly how they work, who carries them out, and which defences would have stopped each stage.
Interactive Tool
Password Entropy Calculator
Entropy measures how unpredictable a password is. Type a password to see the maths behind brute-force resistance. Note: no data is sent anywhere. This runs entirely in your browser.
Strength rating displayed: Very Weak / Weak / Moderate / Strong / Very Strong.
Character set used: a-z (26), A-Z (26), 0-9 (10), Symbols (32).
Values displayed for the typed password: password length; character pool (N); entropy (bits); combinations (N^L); estimated brute-force time (worst case, exhaustive search).
These figures assume: (1) the password is completely random, (2) the attacker uses a fast hash (e.g. MD5 or SHA-1). Real-world attacks often use dictionary/rule attacks which are far faster against non-random passwords. Bcrypt hashing reduces cracking speed by many orders of magnitude.
Attacker speeds compared: Home PC (10,000/s); GPU rig (1 billion/s); Cloud cluster (1 trillion/s).
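The calculator's arithmetic written out in Python, as an added example rather than the page's own tool. It computes the same quantities (pool N, entropy in bits, combinations N^L, worst-case exhaustive-search time at the three attacker speeds) under the assumptions stated above, and also covers the pools used in the brute force section (4-digit PIN, 62 letters and digits, 20-character passphrase versus 8 "complex" characters).

```python
"""Password entropy and exhaustive-search time.

Added example, not code from the page. Character classes and attacker rates
are the calculator's; the sample passwords are constructed.
"""
import math
import string

# Character classes and their sizes as the calculator lists them.
CHARSET = {
    "a-z": set(string.ascii_lowercase),
    "A-Z": set(string.ascii_uppercase),
    "0-9": set(string.digits),
    "symbols": set(string.punctuation),   # the 32 printable ASCII symbols
}
# Attacker speeds (guesses per second) the calculator compares.
RATES = {"Home PC": 10_000, "GPU rig": 10**9, "Cloud cluster": 10**12}


def pool_size(password: str) -> int:
    """N: the total size of every character class the password draws from."""
    chars = set(password)
    return sum(len(cls) for cls in CHARSET.values() if chars & cls)


def combinations(pool: int, length: int) -> int:
    return pool ** length                 # N^L, exact integer arithmetic


def entropy_bits(pool: int, length: int) -> float:
    return length * math.log2(pool) if pool else 0.0


def crack_seconds(combos: int, rate: int) -> float:
    """Worst case: the attacker has to try every combination."""
    return combos / rate


def humanise(seconds: float) -> str:
    for name, size in [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.3f} seconds"


def analyse(password: str) -> dict:
    n, length = pool_size(password), len(password)
    combos = combinations(n, length)
    return {
        "length": length,
        "pool": n,
        "entropy_bits": entropy_bits(n, length),
        "combinations": combos,
        "time": {who: crack_seconds(combos, rate) for who, rate in RATES.items()},
    }


if __name__ == "__main__":
    for pw in ["1234", "Tr0ub4d0r&3", "correcthorsebatterystaple"]:
        r = analyse(pw)
        print(f"{pw!r}: N={r['pool']} L={r['length']} entropy={r['entropy_bits']:.1f} bits "
              f"combinations={r['combinations']:.3e}")
        for who, secs in r["time"].items():
            print(f"   {who:<14}{humanise(secs)}")
```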
Interactive Tool
Defence Selector
Read each attack scenario. Tick all defences that would help. Some defences fully stop the attack; others only partially reduce risk. Nuanced answers are what markers look for.
Section 6
Extended Thinking & Series Completion
Extended thinking
1. A small business stores customer payment data on a network accessible by all employees. Describe three different security measures the business should implement and explain how each protects the data.
Measure 1 - Encryption: All payment data should be encrypted both in transit (using HTTPS/TLS when customers submit payments) and at rest (using database encryption). If data is intercepted or the server is breached, the attacker sees only unreadable ciphertext. This directly protects customer payment data from theft.
Measure 2 - Access control (principle of least privilege): Only employees who genuinely need to access payment data (e.g. finance staff) should have permission to do so. Sales staff, receptionists and others should not have access to payment records. This limits the damage if one employee's account is compromised - the attacker can only access what that employee was permitted to see.
Measure 3 - Two-factor authentication: All accounts that can access payment data should require 2FA. Even if an attacker obtains an employee's password (through phishing or a data breach), they cannot log in without the second factor (e.g. a code sent to the employee's registered phone). This provides protection against credential theft attacks.
Also accept: firewall (blocks unauthorised external access to the network); anti-malware software (detects and removes malware that might exfiltrate payment data); regular software updates (patches vulnerabilities that could be exploited to gain access).
Extended thinking
2. Explain why using multiple layers of security (defence in depth) is more effective than relying on a single security measure.
The core principle: No single security measure is perfect. Every defence has weaknesses or scenarios where it fails to protect.
Examples of single-measure failures:
- Firewall alone: blocks external attacks but cannot stop malware that enters via an email attachment on an allowed port (port 25/SMTP). A phishing email can bypass a firewall entirely.
- Anti-malware alone: cannot detect zero-day malware not yet in its signature database.
- Strong passwords alone: useless if the user is phished into revealing their password.
How defence in depth works: Each layer compensates for weaknesses in other layers. An attacker who bypasses the firewall (layer 1) encounters access control (layer 2). If they compromise one account, encrypted data (layer 3) remains unreadable. If they have the right credentials, 2FA (layer 4) blocks them from logging in without the physical device.
Conclusion: Multiple overlapping defences mean an attacker must overcome several independent barriers to reach sensitive data, significantly increasing the difficulty and reducing the likelihood of a successful breach.
Networks Series Complete!
You have completed all 6 lessons covering the full GCSE/A-Level Networks topic: from what a network is to how it is kept secure. Review all concepts with the Networks flashcard set, or test yourself with the exam questions page.
Read out this scenario: "You receive an email from 'Apple Support' saying your account has been compromised. The email looks exactly like Apple's branding. It says to click a link and verify your password within 24 hours or your account will be deleted. The link goes to apple-support-verify.com." Ask: "Hands up if you'd click the link." Some will, some won't. Then break down every red flag: sender domain, urgency, external link, threat of deletion. This is the world students already live in. Security is not abstract - it happened to someone in this room's family last month. That framing sets up the whole lesson.
Lesson objectives
1. Define and distinguish between five types of malware: virus, ransomware, spyware, worm and trojan.
2. Explain how phishing works and classify it correctly as social engineering, not malware.
3. Describe brute force attacks and explain the relationship between password complexity and attack time.
4. Distinguish between DoS and DDoS attacks, explaining how each works and why DDoS is harder to block.
5. Explain the function of firewalls, encryption, 2FA, access control and penetration testing as network defences.
6. Match specific defences to appropriate threats and justify recommendations in an exam context.
Key vocabulary (board-ready)
Malware
Any software designed to damage, disrupt or gain unauthorised access to a system. Includes viruses, worms, trojans, ransomware and spyware.
Phishing
Social engineering: fraudulent communications (usually email) that impersonate a trusted entity to trick users into revealing credentials or clicking malicious links. NOT malware - it is a human manipulation technique.
Brute force attack
Systematically trying every possible character combination until the correct password is found. Longer, more complex passwords have exponentially more combinations, making brute force impractical.
DoS / DDoS
DoS (Denial of Service): one machine floods a server with requests. DDoS (Distributed DoS): thousands of machines (a botnet) do the same simultaneously. DDoS is harder to block because requests come from many different IP addresses.
Firewall
Software or hardware that monitors incoming and outgoing network traffic and blocks connections that break predefined rules. Can filter by IP address, port, protocol or content.
Encryption
Converts data into an unreadable ciphertext using a key. Even if intercepted, encrypted data cannot be read without the decryption key. Protects data in transit (HTTPS) and at rest (disk encryption).
Two-Factor Authentication (2FA)
Requires two separate types of evidence before granting access: knowledge (password), possession (phone code), or inherence (fingerprint). A stolen password alone is not enough to log in.
Principle of least privilege
Users should only have access to the resources they need for their specific role. Limits the damage if an account is compromised. A receptionist does not need access to payroll or system settings.
Suggested lesson plan (60 min)
0-5 min: Starter: read the phishing email scenario aloud. Identify every red flag together. Frame security as a real, immediate concern. Students share examples they or their family have encountered.
5-20 min: Threats - work through malware types (virus, worm, trojan, ransomware, spyware) using the interactive cards. Key distinctions: virus needs a host file; worm self-propagates; trojan disguises itself; ransomware encrypts then demands payment; spyware collects silently. Then phishing - emphasise it is social engineering, NOT malware.
20-30 min: Threat-Defence Matcher - pairs work through each scenario, explaining to each other why they are choosing a specific defence. The "why not the other defences" reasoning is as important as the correct answer.
30-40 min: Defences - firewall, encryption, 2FA, access control, penetration testing. Build a "defence vs threat" matrix on the board. Students contribute which defences counter which threats. Highlight that no single defence is sufficient.
40-52 min: Exam practice - quiz and one extended question (recommend the "evaluate all five defences" question). Students write under timed conditions (10 minutes). Pair-share marking against a model answer on the board.
52-60 min: Exit ticket. Also: revision of the full Networks series - ask students to name one key concept from each of the six lessons. Award a point per correct, unprompted recall. This consolidates the series as a whole.
Discussion prompts
A company has a strong firewall, uses HTTPS, enforces complex passwords, and runs regular anti-malware scans. An employee receives a phishing email, clicks the link, and enters their credentials on a fake login page. The company's network is then accessed using those credentials. Which of the company's security measures failed to protect against this, and why? What additional measure would have helped?
A school decides to give all 1,500 students and 120 staff the same administrator-level access to the network to simplify IT management. Explain at least three specific security risks this creates, and what the school should do instead, and why.
Ransomware typically encrypts all files on a device and demands payment for the decryption key. Some organisations pay the ransom; others refuse. What are the arguments for and against paying, and what policy should an organisation have before an attack occurs to make the right decision under pressure?
A student argues that if their password is long enough, it cannot be cracked. Using the concept of brute force attacks, explain under what conditions even a very long password can still be cracked, and what two additional measures would guarantee it is practically uncrackable even with a stolen password hash.
Common misconceptions
- "A firewall prevents all attacks" - firewalls block traffic based on rules but cannot prevent malware entering through legitimate ports (e.g. an email attachment through SMTP port 25). Firewalls are one layer of a defence-in-depth strategy, not a complete solution.
- "2FA using two passwords counts" - 2FA requires two different factor categories: knowledge (password), possession (phone/token), or inherence (biometric). Two passwords are both knowledge factors and count as one factor. True 2FA combines different categories.
- "Encryption prevents DoS attacks" - encryption protects data confidentiality but has zero effect on the volume of incoming requests. A DoS attack does not try to read data; it simply overwhelms the server with traffic. These are completely different threats requiring completely different defences.
- "Phishing installs malware automatically" - phishing requires the user to take a deliberate action (click a link, enter credentials, open an attachment). It exploits human trust and psychology (social engineering). It is categorically different from malware that self-installs without user interaction.
Exit ticket questions
State two differences between a virus and a worm.
[4 marks - virus: requires a host file to attach to (1), needs user action to spread such as sharing an infected file (1). Worm: self-contained and self-replicating (1), spreads automatically across a network without user interaction (1)]
Explain how two-factor authentication protects an account against credential theft.
[3 marks - 2FA requires a second factor in addition to the password (1); even if an attacker steals or guesses the password (1), they cannot access the account without the second factor such as a one-time code sent to the registered phone (1)]
A school website is taken offline by a DoS attack. Give one reason why a DDoS attack would be harder to defend against than a DoS attack.
[2 marks - DDoS uses many different source IP addresses simultaneously via a botnet (1); blocking a single IP address is ineffective because requests come from thousands of different sources (1)]
State one measure a company should put in place specifically to minimise the damage caused if a staff account is compromised by a phishing attack.
[1 mark - principle of least privilege / user access levels: the compromised account can only access the resources it needs, limiting what the attacker can reach]
Homework idea
Security audit task: students are given the following fictional company profile - "MediTrack Ltd handles patient records for 50 GP surgeries. Staff access records from office computers and home laptops. Passwords are 6 characters, no complexity requirement. There is no firewall between the patient database and the public internet. All 200 staff have full admin access. Emails are not filtered for phishing." Students must: (1) identify every security vulnerability, (2) for each vulnerability name the specific threat it enables, (3) recommend a specific countermeasure for each. Minimum five vulnerabilities. Bring the audit to the next lesson for peer review using a provided checklist.
Classroom tips
The five malware types are frequently confused. A useful grid: write Virus / Worm / Trojan / Ransomware / Spyware as column headers. Then rows: Needs host file? Self-propagates? Disguises itself? Encrypts files? Collects silently? Students complete the grid, which forces them to distinguish rather than just list names.
Phishing is commonly mislabelled as "a type of malware" in student answers. Reinforce frequently: phishing is social engineering - it exploits humans, not software. The question "does it require the user to take an action?" is the key diagnostic. If yes, it's social engineering. If it self-installs, it's malware.
When teaching brute force, make the maths visible. If a password has 4 digits (0-9), there are 10,000 combinations. Add one digit: 100,000. Add uppercase and lowercase: 62 possibilities per character. At 8 characters: 62^8 = 218 billion combinations. Then introduce modern password crackers that try billions per second. This makes "use a long, complex password" feel like genuine protection, not just advice.
The Threat-Defence Matcher works best when students justify their choices in writing before they submit. A key exam skill is not just selecting the correct defence but explaining precisely why it counters that specific threat. Build this habit in every interaction with the tool.