This lesson covers the most common threats to network security as required by OCR J277 Section 1.4. Understanding these threats is essential for protecting computer systems and is a key topic in your GCSE Computer Science exam.
Networks allow computers to communicate and share resources, but this connectivity also creates vulnerabilities. Any device connected to a network is potentially exposed to attack. Threats can come from outside an organisation (external threats) or from within (internal threats, such as disgruntled employees).
The CIA triad summarises the three main goals of network security:
| Goal | Meaning | Example |
|---|---|---|
| Confidentiality | Only authorised users can access data | Encryption prevents eavesdropping |
| Integrity | Data is not altered without authorisation | Checksums detect tampering |
| Availability | Systems and data are accessible when needed | Backups and redundancy prevent downtime |
Malware (malicious software) is any software designed to damage, disrupt or gain unauthorised access to a computer system. Malware is one of the most widespread network security threats.
Common types of malware include:
| Type | Key characteristic |
|---|---|
| Virus | Needs a host file; spreads when the infected file is run or copied to another machine |
| Worm | Self-replicating; spreads across a network on its own without needing a host file |
| Trojan | Pretends to be useful software so that the user installs it willingly |
| Ransomware | Encrypts the victim's files and demands payment to restore access |
OCR Exam Tip: Make sure you can distinguish between different types of malware. A common exam question asks you to identify the type of malware from a description. Remember: a virus needs a host file, a worm is self-replicating, and a trojan pretends to be something useful.
Phishing is a form of social engineering where attackers send fraudulent communications (usually emails) that appear to come from a trusted source. The goal is to trick the recipient into revealing sensitive information such as passwords, bank details or personal data.
Unlike general phishing, spear phishing targets specific individuals or organisations. The attacker researches the target to make the email highly convincing.
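What "appears to come from a trusted source" means in practice is that the display name, subject and wording imitate a brand while the actual sending domain does not belong to it. The check below is an added example, not code from the original lesson: it inspects a message's From, Reply-To and Authentication-Results headers (the header in which a receiving mail gateway records its SPF, DKIM and DMARC results) and lists the reasons the message looks spoofed. The trusted-brand mapping, the two messages and every domain in them are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: brands the organisation trusts and the only domains they really send from.
TRUSTED_SENDERS = {"example bank": {"examplebank.example"}}


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the reasons a message looks like it is only pretending to come from a trusted sender."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. A trusted brand in the display name but an address at some other domain.
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    for brand, real_domains in TRUSTED_SENDERS.items():
        if brand in display_name.lower() and from_domain not in real_domains:
            findings.append(f"display name '{display_name}' but sending domain '{from_domain}'")

    # 2. Replies silently redirected to a domain different from the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"replies redirected to '{domain_of(reply_addr)}'")

    # 3. The gateway's own SPF/DKIM/DMARC verdicts; anything but an explicit pass is suspicious.
    auth = msg.get("Authentication-Results", "")
    for mechanism in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mechanism}=(\w+)", auth)
        if m is None or m.group(1).lower() != "pass":
            findings.append(f"{mechanism} did not pass")
    return findings


# Constructed sample messages (RFC 2606 reserved domains, no real organisation).
PHISH = """\
From: "Example Bank Security" <alerts@examplebank-verify.example>
Reply-To: verify@mail-verify-center.example
To: customer@example.org
Subject: Urgent: confirm your details to avoid suspension
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examplebank-verify.example; dkim=none; dmarc=fail header.from=examplebank-verify.example

Your account will be suspended unless you confirm your password within 24 hours.
"""

LEGIT = """\
From: "Example Bank" <alerts@examplebank.example>
To: customer@example.org
Subject: Your monthly statement is ready
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.example; dkim=pass header.d=examplebank.example; dmarc=pass header.from=examplebank.example

Log in to the app to view your statement.
"""

if __name__ == "__main__":
    print("phishing message:", phishing_indicators(PHISH))
    print("genuine message :", phishing_indicators(LEGIT))
```

Note that none of these checks reads the message body: the urgent wording is what persuades the victim, but the headers are what a gateway filter can verify. A message that passes all three checks can still be phishing sent from a freshly registered domain, which is why staff training and two-factor authentication remain necessary.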
A brute force attack is a method of cracking passwords by systematically trying every possible combination of characters until the correct one is found.
| Aspect | Detail |
|---|---|
| Method | Tries all possible character combinations |
| Speed | Time to succeed grows exponentially with password length and with the size of the character set used |
| Weakness exploited | Short or simple passwords |
| Prevention | Strong passwords, account lockouts, rate limiting |
A dictionary attack is a variation that tries a list of common words and previously leaked passwords rather than every possible combination. It is far faster, but it only succeeds if the password appears in the list, which is why unusual, long passwords defeat it.
OCR Exam Tip: When asked about preventing brute force attacks, mention strong passwords (mix of upper/lowercase, numbers, symbols), account lockout after failed attempts, and two-factor authentication.
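To make the table above concrete, here is an added example (not code from the original lesson) that runs a brute force search and a dictionary attack against a stored hash and then applies the account-lockout prevention. SHA-256 stands in for the server's password hash purely so the example runs offline; the alphabet, wordlist and passwords are constructed. The numbers it returns show why length and character-set size matter more than anything else.

```python
import hashlib
import itertools
import string

# Constructed: SHA-256 stands in for the stored password hash so the example is self-contained.
# Real systems use a deliberately slow, salted hash (bcrypt, Argon2), which makes every
# guess below far more expensive for the attacker.
def password_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols


def search_space(alphabet_size: int, max_length: int) -> int:
    """Candidates of length 1..max_length: the work a full brute force must be ready to do."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def brute_force(target_hash: str, alphabet: str, max_length: int, budget: int):
    """Try every combination, shortest first. Returns (password or None, guesses used).
    `budget` is the number of guesses the attacker can afford before giving up."""
    guesses = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            if guesses >= budget:
                return None, guesses  # attacker ran out of time
            guesses += 1
            candidate = "".join(combo)
            if password_hash(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def dictionary_attack(target_hash: str, wordlist):
    """Try only likely passwords. Fast, but fails if the password is not in the list."""
    for guesses, word in enumerate(wordlist, start=1):
        if password_hash(word) == target_hash:
            return word, guesses
    return None, len(wordlist)


class LockedAccounts:
    """Account lockout: after max_failures wrong guesses the account refuses every login,
    so an online brute force is cut off after a handful of attempts."""

    def __init__(self, max_failures: int):
        self.max_failures = max_failures
        self.failures = {}

    def login(self, user: str, password: str, stored_hash: str) -> str:
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"
        if password_hash(password) == stored_hash:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "wrong"


WORDLIST = ["123456", "password", "qwerty", "letmein", "football"]  # constructed


def demo():
    short = password_hash("ab1")       # 3 symbols: cracked almost immediately
    common = password_hash("letmein")  # 7 symbols, but in every wordlist
    return {
        "space_len3": search_space(36, 3),
        "space_len8": search_space(36, 8),
        "brute_short": brute_force(short, ALPHABET, 3, 1_000_000),
        "brute_common": brute_force(common, ALPHABET, 7, 100_000),
        "dict_common": dictionary_attack(common, WORDLIST),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
    accounts = LockedAccounts(max_failures=3)
    stored = password_hash("S3cure-passphrase!")
    print([accounts.login("alice", g, stored) for g in ["a", "b", "c", "S3cure-passphrase!"]])
```

Running it shows the three-character password falling in under 1,400 guesses, the seven-character one surviving a 100,000-guess brute force budget only to fall on the fourth dictionary guess, and the locked-out account refusing even the correct password once the failure limit is reached. Two-factor authentication, as the exam tip says, is the extra layer for the case where the password is guessed or leaked anyway.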
A Denial of Service (DoS) attack aims to make a network, service or website unavailable to its intended users by flooding it with more traffic or requests than it can handle.
A Distributed Denial of Service (DDoS) attack uses multiple compromised computers (a botnet) to launch the attack simultaneously, making it much harder to defend against.
| Feature | DoS | DDoS |
|---|---|---|
| Source | Single computer | Multiple computers (botnet) |
| Difficulty to block | Easier — block one IP | Harder — thousands of IPs |
| Scale | Smaller | Much larger |
OCR Exam Tip: DDoS attacks do not steal data — they simply prevent access. Make sure you describe the impact correctly: the service becomes unavailable, causing financial loss and reputational damage.
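The "Difficulty to block" row of the table is the whole point of distributing an attack, and it can be shown in a few lines. The following is an added example, not code from the original lesson: a sliding-window rate limiter that caps requests per source IP (the rate limiting named in the brute force table) in front of a server with a fixed capacity per window. The traffic streams, IP addresses and limits are all constructed; the results show that the per-IP cap stops a single-source DoS while leaving a genuine customer untouched, but does nothing against a botnet that stays under the per-IP limit and simply exhausts capacity.

```python
from collections import defaultdict, deque


def admit(requests, per_ip_limit, global_limit, window):
    """Sliding-window admission control for one server.

    requests: iterable of (timestamp_seconds, source_ip), constructed below.
    Each source IP may make at most per_ip_limit requests in any `window` seconds,
    and the server as a whole can serve at most global_limit per window (its capacity).
    Returns (served, blocked_by_ip_limit, dropped_over_capacity).
    """
    per_ip = defaultdict(deque)
    overall = deque()
    served = blocked_ip = dropped = 0
    for ts, ip in sorted(requests):
        q = per_ip[ip]
        while q and ts - q[0] >= window:  # forget requests older than the window
            q.popleft()
        while overall and ts - overall[0] >= window:
            overall.popleft()
        if len(q) >= per_ip_limit:
            blocked_ip += 1  # the easy case: one noisy source, block it
        elif len(overall) >= global_limit:
            dropped += 1     # capacity exhausted: genuine users are dropped too
        else:
            q.append(ts)
            overall.append(ts)
            served += 1
    return served, blocked_ip, dropped


def dos_traffic(n):
    """Constructed DoS: a single attacker IP sends n requests over 10 seconds."""
    return [(i * 10.0 / n, "203.0.113.5") for i in range(n)]


def ddos_traffic(n):
    """Constructed DDoS: n bots with distinct IPs, one request each, over the same 10 seconds."""
    return [(i * 10.0 / n, f"10.{i // 256}.{i % 256}.1") for i in range(n)]


def legitimate_traffic():
    """Constructed: one real customer making 5 requests near the end of the window."""
    return [(9.91 + 0.01 * k, "192.0.2.10") for k in range(5)]


if __name__ == "__main__":
    limits = dict(per_ip_limit=20, global_limit=50, window=10)
    print("DoS alone          :", admit(dos_traffic(100), **limits))
    print("DoS + customer     :", admit(dos_traffic(100) + legitimate_traffic(), **limits))
    print("DDoS alone         :", admit(ddos_traffic(100), **limits))
    print("DDoS + customer    :", admit(ddos_traffic(100) + legitimate_traffic(), **limits))
```

In the DoS runs the attacker is held to 20 served requests and the customer's 5 are all served; in the DDoS runs every bot stays under its per-IP allowance, the 50-request capacity fills with bot traffic, and the customer's requests are dropped. That is the loss of availability the exam tip describes, and it is why defending DDoS needs capacity upstream of the server (traffic scrubbing, redundancy) rather than a smarter per-IP rule.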
| Threat | Description | Impact |
|---|---|---|
| Malware | Malicious software (viruses, worms, trojans, etc.) | Data theft, system damage, loss of control |
| Phishing | Fraudulent emails to steal credentials | Identity theft, financial loss |
| Brute force | Trying all password combinations | Unauthorised access |
| DoS/DDoS | Flooding servers with traffic | Service unavailability |
The tree diagram below organises the OCR J277 Section 1.4 threats by their attack vector — useful for keeping the categories straight in revision.
```mermaid
flowchart TD
T((Network<br/>Threats)) --> M[Malware]
T --> SE[Social Engineering]
T --> TA[Technical Attacks]
M --> M1[Virus]
M --> M2[Worm]
M --> M3[Trojan]
M --> M4[Ransomware]
SE --> SE1[Phishing]
SE --> SE2[Pharming]
SE --> SE3[Shouldering]
SE --> SE4[Blagging]
TA --> TA1[Brute Force]
TA --> TA2[SQL Injection]
TA --> TA3[DoS / DDoS]
```
Understanding these threats is the first step in protecting networks. In the following lessons, we will explore specific attack types in more detail and learn about the prevention methods used to defend against them.
The TalkTalk data breach of October 2015 is one of the most widely studied UK cyber-security incidents and neatly illustrates how several of the OCR J277 threats can combine in a single event. TalkTalk was a major telecommunications provider, so the breach affected a significant portion of the UK population and produced a substantial regulatory fine.
What happened. Attackers discovered a legacy web page connected to a TalkTalk database that had not been properly updated. The page contained an SQL injection vulnerability — user input was inserted directly into database queries without validation. By submitting crafted input to the vulnerable page, the attackers were able to manipulate the underlying query and retrieve records from the customer database.
What was stolen. Personal data for roughly 157,000 customers was exposed, including names, dates of birth, email addresses, phone numbers and, in around 15,000 cases, bank account numbers and sort codes. TalkTalk's own summary noted that the stolen data, while serious, was less extensive than some reports initially suggested — but the reputational damage was already done.
The wider attack pattern. In the weeks following the technical breach, TalkTalk customers reported receiving phishing and blagging calls. Attackers who had obtained customer phone numbers and reference details from the breach phoned victims, claimed to be from TalkTalk technical support and referenced genuine personal information to appear legitimate. Some victims were persuaded to install remote-access software or to transfer money to "safe accounts." This follow-on fraud showed how one data breach enables further social-engineering attacks long after the technical incident is closed.
The regulatory response. The Information Commissioner's Office investigated and fined TalkTalk £400,000 under the Data Protection Act 1998. The ICO's report stressed that the underlying SQL injection vulnerability was well understood, fixes had been available for years, and that TalkTalk had not conducted appropriate security testing of the legacy pages it still operated.
Lessons for OCR students. First, SQL injection is preventable: parameterised queries and input validation would have blocked the technical attack. Second, legacy systems matter: attackers deliberately target older, under-maintained parts of a network because that is where controls are weakest. Third, data breaches produce secondary attacks: stolen contact details fuel targeted phishing and blagging that defraud customers weeks or months later. Fourth, regulators expect proactive testing: routine penetration testing would almost certainly have uncovered the vulnerability before an attacker did. Finally, the breach illustrates why the CIA triad is useful — confidentiality was lost when personal data was exfiltrated, and the reputational impact lingered even after availability was restored.
For the exam, TalkTalk is a useful reference case whenever a question asks about the impact of network security failings on a business and its customers.
Misconception: "Network security is only about stopping hackers from outside."
Many serious incidents involve internal threats — a disgruntled employee copying data before leaving, a well-meaning staff member plugging in a compromised USB, or an administrator whose account is abused after credential theft. The CIA triad applies equally to insiders: confidentiality can be lost to an employee leaking a file, integrity to a user accidentally overwriting records, and availability to a misconfigured script that takes a system offline. OCR expects answers to acknowledge both external and internal threats and to describe measures such as access levels and policies that address insider risk.
Exam question: Explain three common threats to a computer network and for each threat recommend one appropriate prevention measure. (6 marks)
One threat is viruses which can damage files. You can use antivirus software to stop them. Another threat is hackers who try to guess passwords. People should use strong passwords. A third threat is phishing emails. The company should tell staff not to click on suspicious links.
Why this is Grade 3-4: The answer names three threats and a prevention for each, but uses informal language ("hackers who try to guess passwords") and shallow explanations. It would likely score 3 or 4 marks.
One common threat is malware, such as ransomware, which encrypts files and demands payment. To prevent this, an organisation should install and regularly update anti-malware software and keep operating systems patched.
A second threat is brute-force attacks, where an attacker systematically tries password combinations to guess a valid login. The prevention is a strong password policy that requires long, complex passwords, combined with account lockout after a set number of failed attempts.
A third threat is phishing, where fraudulent emails trick users into revealing credentials. Organisations should provide regular staff awareness training and enable two-factor authentication so a stolen password on its own is not enough to log in.
Why this is Grade 5-6: The answer uses correct OCR terminology, describes each threat accurately and pairs it with a specific, appropriate prevention. It would likely score 5 or 6 marks.
Distributed Denial of Service (DDoS) attacks use a network of compromised devices — a botnet — to flood a target with traffic that overwhelms its capacity. The impact is a loss of availability rather than confidentiality: the service becomes unreachable to genuine users, producing financial loss and reputational damage. Prevention is layered: upstream traffic-scrubbing services absorb volumetric attacks before they reach the target, rate limiting protects application-layer endpoints, and a well-designed architecture with geographic redundancy ensures that a single region under attack does not bring the whole service down.
SQL injection exploits a structural weakness in code that builds database queries by concatenating user input directly into the query string. A successful injection can bypass authentication, extract sensitive data from unrelated tables, or modify records. The 2015 TalkTalk breach, which exposed 157,000 customer records and attracted a £400,000 ICO fine, is a well-known example. The definitive prevention is parameterised queries, which separate the query structure from user-supplied data, backed up by input validation and a least-privilege database account.
Social engineering, particularly phishing, targets the human layer rather than the technical layer. A well-crafted email, SMS or call can persuade an employee to reveal credentials or authorise a fraudulent transaction even against well-designed technical controls. Defence is correspondingly layered: email filtering and domain authentication (SPF/DKIM/DMARC) at the gateway, staff awareness training with simulated phishing exercises, two-factor authentication so a stolen password alone is insufficient, and a no-blame reporting culture that encourages employees to escalate suspicious messages quickly.
Why this is Grade 7-9: The answer identifies three structurally different threats, explains the mechanism in precise terminology, references a real incident with quantified impact, and recommends layered prevention that combines technical, procedural and cultural measures. It demonstrates the evaluative depth OCR rewards at the top band.
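The SQL injection mechanism described in the TalkTalk case study and in the top-band answer above, and the parameterised-query fix both recommend, as an added example that is not code from the original lesson. It builds a small in-memory SQLite database (constructed tables, names and values), runs the same lookup through a string-concatenated query and a parameterised one, and shows two crafted inputs: a tautology that returns every customer's record, and a UNION that pulls rows from an unrelated staff table. Input validation is included as the second layer the answer mentions.

```python
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a customer system."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, sort_code TEXT);
        CREATE TABLE staff (username TEXT, password_hash TEXT);
        INSERT INTO customers (name, email, sort_code) VALUES
            ('Alice Example', 'alice@example.com', '00-00-00'),
            ('Bob Example',   'bob@example.com',   '11-11-11'),
            ('Carol Example', 'carol@example.com', '22-22-22');
        INSERT INTO staff VALUES ('admin', 'constructed-hash-value');
    """)
    return conn


def lookup_vulnerable(conn, email: str):
    """Builds the query by string concatenation: the input becomes part of the SQL itself."""
    query = f"SELECT name, email, sort_code FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email: str):
    """Parameterised query: the value is sent separately and can never change the query structure."""
    return conn.execute(
        "SELECT name, email, sort_code FROM customers WHERE email = ?", (email,)
    ).fetchall()


EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def valid_email(value: str) -> bool:
    """Input validation as a second layer: reject anything not shaped like an address."""
    return EMAIL_RE.fullmatch(value) is not None


# Attacker inputs (constructed). The first turns the WHERE clause into a tautology;
# the second appends a UNION that reads a table the page was never meant to expose
# and comments out the rest of the original query.
TAUTOLOGY = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT username, password_hash, 'x' FROM staff --"

if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_vulnerable(db, "bob@example.com"))  # intended use: one row
    print(lookup_vulnerable(db, TAUTOLOGY))          # every customer's bank details
    print(lookup_vulnerable(db, UNION_PAYLOAD))      # staff credentials from another table
    print(lookup_safe(db, TAUTOLOGY))                # []: the payload is just a string
    print(valid_email(TAUTOLOGY))                    # False: rejected before reaching SQL
```

The parameterised version returns nothing for either payload because the database compares the whole string, quotes and all, against the email column. Validation alone would also have rejected these two inputs, but it is the weaker control: it depends on predicting every malicious shape, whereas parameterisation removes the mechanism. The least-privilege database account from the answer is the third layer; with it, even a successful injection cannot read tables the web page has no business touching.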
This content is aligned with OCR GCSE Computer Science (J277) specification section 1.4 Network security. For the most accurate and up-to-date information, please refer to the official OCR specification document.