Common attacks, in plain terms
Key takeaways This is a field guide, defensively — a quick tour of the attacks you’ll hear about, what each one targets, and how they’re broadly prevented, so the specialised lessons that follow make sense. You don’t need to know how any of these are carried out to defend against them; you need to recognise the shape of each and the handful of controls that blunt it. Every attack here maps back to the threats, vulnerabilities and risk you already met.
There are a lot of attack names, and the jargon makes them sound more mysterious than they are. Most fall into a few families, and each family has a small set of well-understood defences. This lesson stays high level on purpose: enough to recognise and prevent each attack, and nothing that would help carry one out.
Malware
Malware is simply malicious software — a broad label covering viruses, worms, ransomware, spyware, and more. What they share is that they run code on a machine that the owner didn’t want there. Ransomware locks up your files and demands payment; spyware quietly watches and steals; a worm spreads itself from machine to machine. Between them they threaten both the confidentiality of your data and the availability of your systems.
The broad defences are unglamorous and effective: keep software updated so known holes are closed, run with least privilege so a compromise can’t reach everything, and keep backups so you can recover without paying anyone. We’ll go deeper in the endpoints lesson later in this path.
Phishing & social engineering
Not every attack targets a computer — many target the person at the keyboard. Social engineering is the art of tricking someone into handing over credentials, approving a payment, or clicking something they shouldn’t. Phishing is the most common form: a message that impersonates someone trustworthy to lure the reader into acting against their own interest.
Because these attacks bypass the technology and aim at human judgement, the defences are human and procedural too. Awareness — knowing the shape of these messages and slowing down when one arrives — stops most of them, and multi-factor authentication means a stolen password alone isn’t enough to get in. There’s a whole lesson on social engineering coming, because it’s that important.
Credential attacks
Some attacks go straight for the front door with someone else’s key. Brute force means guessing a password by trying many possibilities against an account until one works. Credential stuffing doesn’t bother guessing — it takes passwords already leaked from other breaches and tries them on your site, betting that people reuse the same password in many places. That bet pays off far too often.
The defences line up neatly: unique passwords so a leak from one site can’t unlock another, multi-factor authentication so a password by itself is worthless, and rate limiting so a system that sees thousands of login attempts slows or blocks them instead of politely trying each one.
Man-in-the-middle
A man-in-the-middle attack slips an attacker between two parties who believe they’re talking directly to each other. From that position the attacker can read the traffic, or quietly alter it, without either side noticing. Public Wi-Fi and other untrusted networks are classic settings for it.
The broad defence is encryption in transit: if the traffic is encrypted and each side can confirm who it’s really talking to, an interceptor sees only unreadable data and can’t tamper undetected. This is exactly what TLS and HTTPS provide on the web. We’ll cover the family more fully in the network attacks lesson.
Denial of service (DoS/DDoS)
A denial-of-service attack doesn’t try to break in or steal anything — it tries to make a service unavailable by overwhelming it with more traffic or requests than it can handle. A distributed denial of service (DDoS) does the same from many machines at once, which makes the flood far larger and harder to trace. This one squarely targets availability, the third leg of the CIA triad.
You rarely stop such an attack with a single fix; you absorb and filter it. That means having spare capacity, filtering that drops obviously bad requests before they cost you real work, and content delivery networks that spread and soak up huge volumes of traffic before it ever reaches your own servers.
Supply-chain attacks
Instead of attacking you directly, a supply-chain attack compromises something you already trust — a software dependency, a vendor, an update mechanism — and reaches you through it. One tampered library or vendor can touch every organisation that uses it, which is what makes these attacks so efficient and so damaging.
The defences are about knowing and controlling what you depend on: vet the dependencies and vendors you bring in, keep them updated so fixed versions reach you promptly, and pay attention to where your software actually comes from. The secure-coding lesson later in this path returns to this from a builder’s point of view.
Web application attacks
The applications you reach through a browser have their own distinct family of attacks — ones that abuse how a web app handles input, sessions, and trust. There’s enough there to fill its own lesson, so we give it one: see web application attacks next.
Quick check: credential stuffing succeeds mainly because…
Recap
- Most attacks fall into a few families, each with a small set of known defences.
- Malware is malicious software; counter it with updates, least privilege, and backups.
- Phishing and social engineering target people; counter them with awareness and MFA.
- Credential attacks (brute force, stuffing) fall to unique passwords, MFA, and rate limiting.
- Man-in-the-middle is beaten by encryption in transit; denial of service by capacity, filtering, and CDNs.
- Supply-chain attacks reach you through what you trust — vet and update your dependencies.
Next up: web application attacks