Security Basics Lesson 3 – Types of Cyber Threats | Dataplexa
Section I · Lesson 3

Types of Cyber Threats

This lesson covers

Malware types explained → Phishing and its variants → Social engineering tactics → DoS and DDoS attacks → Man-in-the-Middle and insider threats → Checking files for malware

A cyber threat is any potential action or event that could damage, disrupt, or gain unauthorised access to a system, network, or data. Understanding the different types isn't academic — each one behaves differently, spreads differently, and requires a different defence.

Malware — software built to cause harm

Malware is the umbrella term for any software written with malicious intent. It's not a single thing — it's a category containing several distinct types, each designed to do something different. Knowing the differences matters because each type requires a different detection approach and a different response.

Virus

Attaches itself to legitimate files and spreads when those files are shared. Needs a host file to propagate — can't move on its own.

Worm

Self-replicates across networks without needing a host file. WannaCry was a worm — once it was inside one machine, it spread automatically to every vulnerable system it could reach.

Trojan

Disguises itself as legitimate software. The user installs it willingly. Once installed, it does something entirely different from what it claimed — opening backdoors, stealing credentials, downloading other malware.

Ransomware

Encrypts the victim's files and demands payment for the decryption key. The most financially damaging category of malware in the last five years by a large margin.

Spyware

Runs silently in the background, recording keystrokes, capturing screenshots, or exfiltrating files. Often used for credential theft or corporate espionage.

Rootkit

Embeds itself deep in the OS — sometimes at the kernel level — and hides its own presence. Designed to be nearly undetectable while maintaining persistent access.

Phishing — the human exploit

Phishing is the practice of tricking people into handing over credentials, clicking malicious links, or transferring money — by impersonating someone or something they trust. It's consistently the most common initial attack vector across every sector, every year. Not because it's technically sophisticated, but because it works.

The basic version — a mass email pretending to be your bank asking you to verify your account — everyone knows about. The dangerous version is spear phishing: targeted, researched, personalised attacks that reference real people, real projects, and real relationships. In 2020, the CEO of a UK energy company received a phone call from someone who convincingly impersonated the voice of his German parent company's CEO — using AI-generated audio — and authorised a €220,000 transfer. That's phishing at its most evolved.

Other variants include smishing (phishing via SMS), vishing (voice calls), and whaling (spear phishing specifically targeting executives). The delivery method changes. The underlying manipulation doesn't.

Social engineering — the broader category

Phishing is a subset of social engineering — the art of manipulating people rather than systems. Where technical attacks exploit software vulnerabilities, social engineering exploits psychological ones: authority, urgency, fear, helpfulness, and trust.

Pretexting is when an attacker fabricates a scenario to extract information. A classic example: someone calls the IT helpdesk pretending to be a new employee who can't log in. With enough plausible detail — a manager's name, a department, a recent company event — they can often get a password reset without any authentication.

Baiting works by leaving something tempting — a USB drive in a car park labelled "Payroll Q4", for instance. In studies, a significant percentage of people who found such drives plugged them into their work machines out of curiosity. Once plugged in, the drive installs whatever's on it automatically.

The Attacker's Perspective

Social engineering is often the preferred first move because it bypasses every technical control simultaneously. The most hardened firewall, the most up-to-date antivirus, the best intrusion detection system — none of it matters if an employee hands over their credentials voluntarily. Attackers spend considerable time on LinkedIn, company websites, and social media before making contact, building a profile that makes their approach convincing.

Denial of Service attacks

A Denial of Service attack floods a target system — a website, an API, a network — with so much traffic that it can't respond to legitimate requests. The goal isn't theft or access — it's disruption. Sometimes it's extortion ("pay us or we keep the attack going"). Sometimes it's competitive sabotage. Sometimes it's a distraction while a more subtle attack happens elsewhere.

The more dangerous variant is a Distributed Denial of Service (DDoS) attack, where the traffic comes from thousands or millions of compromised machines — a botnet — rather than a single source. This makes it much harder to block because you can't just firewall one IP address. In 2016, the Mirai botnet — composed almost entirely of compromised IoT devices like security cameras and home routers — launched a DDoS attack that took down Dyn, a major DNS provider, temporarily making Twitter, Netflix, Reddit, and CNN inaccessible for much of the US East Coast.

Man-in-the-Middle and Insider Threats

A Man-in-the-Middle (MitM) attack happens when an attacker positions themselves between two parties who think they're communicating directly with each other. The attacker intercepts, and potentially modifies, the traffic passing between them. Public Wi-Fi networks are a common setup for this — an attacker creates a hotspot with a plausible name ("Airport_WiFi_Free"), users connect to it, and every unencrypted request they make goes through the attacker's machine first.

Insider threats are a different category entirely — damage caused by people who already have legitimate access. This includes disgruntled employees deliberately exfiltrating data, careless staff who misconfigure systems or fall for phishing attacks, and contractors with broader access than they need. The 2013 Edward Snowden case is the most famous example, but insider threats in corporate settings are far more common and far less reported. They're also significantly harder to detect because the person is using legitimate credentials to do what looks, at first glance, like legitimate work.

Checking a file for known malware signatures

Before running any unfamiliar file — an attachment, a downloaded tool, a binary from an unknown source — it's worth checking it against known malware signatures. Here's how to do a quick hash check and submit it to VirusTotal from the command line:

# Step 1: Generate the SHA256 hash of the suspicious file
# This gives you a unique fingerprint of the file's contents
sha256sum suspicious_file.exe

# Step 2: Query the VirusTotal API with the hash
# Replace YOUR_API_KEY with a free key from virustotal.com
# Replace the hash below with the output from step 1
curl -s --request GET \
  --url "https://www.virustotal.com/api/v3/files/a3b4c5d6e7f8..." \
  --header "x-apikey: YOUR_API_KEY" \
  | python3 -m json.tool | grep -E '"malicious"|"undetected"|"name"'

# Step 1 output — SHA256 hash of the file
a3b4c5d6e7f8901234567890abcdef1234567890abcdef1234567890abcdef12  suspicious_file.exe

# Step 2 output — VirusTotal scan results (abbreviated)
            "malicious": 41,
            "undetected": 31,
        "name": "suspicious_file.exe",
        "name": "Trojan.GenericKD.47821933",
        "name": "Win32:Malware-gen",
        "name": "Ransom.FileCryptor",

What just happened

41 out of 72 antivirus engines flagged this file as malicious. That's a decisive result — don't run it. The vendor names in the output tell you what type of malware it is: this one is being flagged as a Trojan and a ransomware variant. The SHA256 hash is the key — VirusTotal stores scan results by hash, so if anyone else has ever submitted this exact file, you get their results instantly without uploading the file itself. Useful when you don't want to hand a potentially sensitive file to a third-party service.

Instructor's Note

A clean VirusTotal result doesn't mean a file is safe. It means no known signature matches it. Zero-day malware — new, previously unseen samples — won't have signatures yet. Hash checking is a useful first filter, not a complete answer. Behavioural analysis in a sandboxed environment is the more thorough approach, which we'll cover in the malware analysis lesson later in this course.
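The two manual steps above, plus the caveat in this note, as one repeatable hash-only check. This is an added Python example, not code from the lesson or from VirusTotal; the sample report, vendor names and verdict thresholds are constructed for illustration, and the only real API detail used is the v3 file-report endpoint already shown in the curl command.

```python
import hashlib
import json
import urllib.error
import urllib.request
# Constructed sample in the shape of a VirusTotal v3 file report, mirroring the
# lesson's abbreviated output (41 malicious, 31 undetected); not a real report.
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 41, "undetected": 31},
    "last_analysis_results": {
        "VendorA": {"category": "malicious", "result": "Trojan.GenericKD.47821933"},
        "VendorB": {"category": "malicious", "result": "Ransom.FileCryptor"},
        "VendorC": {"category": "undetected", "result": None}}}}}

def sha256_of_file(path):
    """Hash the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def summarize_report(report):
    """Reduce a parsed VT v3 file report to (verdict, malicious, total, labels).
    The verdict thresholds are this example's own, not VirusTotal's."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    total, malicious = sum(stats.values()), stats.get("malicious", 0)
    # Vendor labels hint at the family (Trojan, ransomware, ...), as in the lesson
    labels = sorted({r["result"] for r in attrs.get("last_analysis_results", {}).values()
                     if r.get("category") == "malicious" and r.get("result")})
    if malicious == 0:
        verdict = "no-known-signature"  # not "safe": unseen samples have no signature
    elif malicious < 3:
        verdict = "low-confidence"
    else:
        verdict = "malicious"
    return verdict, malicious, total, labels

def lookup_hash(sha256, api_key):
    """Query VT by hash only (file never uploaded); a 404 means 'unknown', not 'clean'."""
    url = "https://www.virustotal.com/api/v3/files/" + sha256
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return "unknown", 0, 0, []
        raise
```

Running `lookup_hash(sha256_of_file("suspicious_file.exe"), "YOUR_API_KEY")` returns the verdict tuple; note that both "no-known-signature" and "unknown" are reasons to move on to sandbox analysis, not reasons to run the file.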


Practice Questions

WannaCry spread automatically from machine to machine across networks without any user interaction. What type of malware does this behaviour describe?




An attacker researches a target company on LinkedIn, identifies the CFO's name and a recent acquisition, then sends a personalised email to the finance team impersonating the CFO and requesting an urgent wire transfer. What specific type of phishing is this?




The Mirai DDoS attack used thousands of compromised IoT devices to generate attack traffic. What is the collective term for a network of compromised machines used to launch such attacks?



Quiz

What distinguishes a Trojan from other types of malware?



Why are insider threats particularly difficult to detect compared to external attacks?



A file is submitted to VirusTotal and zero engines flag it as malicious. What is the correct conclusion?


Up Next · Lesson 4

Vulnerabilities, Risks & Exploits

The difference between a vulnerability and a risk — and how attackers turn one into the other using real exploit tools.