AP Networking

Identifying security needs of my device

Every device connected to a network is a potential target. Understanding the types of attacks that exist, the harms they cause, and the controls that defend against them is the foundation of practical cybersecurity awareness.

Why security awareness matters

Most successful attacks do not exploit exotic vulnerabilities — they exploit human behavior. A user who can recognize the warning signs of a phishing email, understand why their password was targeted, or know what malware looks like in practice is far better protected than one who relies solely on software tools.

This topic builds the vocabulary and conceptual framework needed to correctly identify threats and match them to appropriate defenses.

What this topic covers

  • 1.3.A — Types of attacks: digital, physical, phishing, shoulder surfing, and malware
  • 1.3.B — Harms caused by attacks: PII exposure, identity theft, financial fraud, and reputation damage
  • 1.3.C — Security controls matched to specific threats

Types of attacks

Attacks on devices and data fall into two broad categories — digital and physical — with several specific attack types nested within each. Correctly identifying which type of attack has occurred is the first step toward applying the right defense.

Digital attacks

Digital attacks exploit software, networks, or human behavior through electronic means to gain unauthorized access to devices or data. They do not require the attacker to be physically near the target.

  • Phishing — deceptive emails or websites designed to steal credentials or personal information
  • Malware — malicious software installed on a device to cause harm or enable control
  • Credential stuffing — using stolen usernames and passwords from one breach to access other accounts

Physical attacks

Physical attacks require direct proximity to the target device or its user. They exploit physical access rather than software vulnerabilities.

  • Device theft — stealing a laptop, phone, or storage media to access its data directly
  • Shoulder surfing — observing a user's screen or keyboard to capture passwords or sensitive information
  • Unauthorized access — using an unattended, unlocked device to read or copy data

Phishing

Phishing is one of the most common and effective attacks. It relies on deception rather than technical exploitation. The attacker creates a fake communication that appears to come from a trusted source — a bank, an IT department, a popular website, or even a coworker.

Common phishing indicators:

  • Urgency or threats — "Your account will be suspended in 24 hours unless you act now."
  • Unsolicited credential requests — legitimate organizations do not ask for passwords via email.
  • Mismatched URLs — the link text says one site but hovering reveals a completely different destination.
  • Generic greetings — "Dear Valued Customer" instead of using the recipient's name.

Controls: phishing

  • Email filtering — automatically detects and quarantines suspicious messages before they reach the user
  • Security awareness training — teaches users to recognize indicators and verify before clicking
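
The four indicators listed above are the kind of signal an email filter scores automatically and a trained reader checks by eye. The following is an added example, not part of the original study guide: it tests one HTML message body for those indicators. The patterns, the names `LinkCollector` and `phishing_indicators`, and both sample messages are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative patterns for three indicators; a production filter uses many more signals.
TEXT_RULES = {
    "urgency": re.compile(r"\b(act now|immediately|will be suspended|within \d+ hours)\b", re.I),
    "credential_request": re.compile(r"\b(confirm|verify|send|enter)\b[^.]{0,40}\b(password|pin)\b", re.I),
    "generic_greeting": re.compile(r"^\s*dear (valued )?(customer|user|member)\b", re.I),
}
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):
    """Collect body text and a (visible text, href) pair for every <a> element."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        self._buf.append(data)  # reset at each <a>, read back at </a>
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._buf).strip(), self._href))
            self._href = None

def phishing_indicators(html_body):
    """Return the names of the indicators found in one HTML email body."""
    parser = LinkCollector()
    parser.feed(html_body)
    text = " ".join(" ".join(parser.text).split())
    found = [name for name, rx in TEXT_RULES.items() if rx.search(text)]
    for shown_text, href in parser.links:
        m = DOMAIN_IN_TEXT.search(shown_text)  # text like "click here" names no site
        actual = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"^www\.", "", m.group(1).lower()) if m else ""
        # Accept only the exact host or a true subdomain; a look-alike prefix fails.
        if shown and actual and actual != shown and not actual.endswith("." + shown):
            return found + ["mismatched_url"]
    return found

# Constructed sample messages (example.com and example.net are reserved documentation domains).
SUSPICIOUS = ('<p>Dear Valued Customer,</p><p>Your account will be suspended in 24 hours unless you act now. '
              'Confirm your password at <a href="http://bank.example.com.verify.example.net/login">bank.example.com</a></p>')
LEGITIMATE = ('<p>Hello Jordan,</p><p>Your March statement is ready at '
              '<a href="https://www.bank.example.com/statements">bank.example.com</a>.</p>')
```

Calling `phishing_indicators(SUSPICIOUS)` reports all four indicators, while `phishing_indicators(LEGITIMATE)` reports none because the link's real host is a subdomain of the site named in its text.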

Best practice

When unsure whether an email is legitimate, do not click the link. Instead, navigate directly to the organization's website using a bookmark or by typing the known address, or call using a number from a trusted source.


Shoulder surfing

Shoulder surfing is the act of secretly observing another person's screen or keyboard to capture sensitive information such as passwords, PINs, or personal data. It requires no technical tools — just proximity and opportunity.

Common locations: open-plan offices, coffee shops, public transit, libraries, and anywhere users work in view of others.

Controls: shoulder surfing

  • Privacy screens — physical filters that restrict the display's viewing angle to the user directly in front of it
  • Screen positioning — orient the monitor toward a wall or away from public view to minimize what observers can see

What shoulder surfing is not

Shoulder surfing is a physical attack, not a digital one. Do not confuse it with keyloggers (malware) or phishing. The defining characteristic is that the attacker is physically observing the user, not intercepting data electronically.

Malware

Malware (malicious software) is any software intentionally designed to cause harm to a device, user, or organization. It is typically installed without the user's knowledge through phishing links, malicious attachments, compromised websites, or infected media.

Slowing the device

Malware running background processes consumes CPU and RAM, causing the device to respond slowly even during simple tasks.

Crashing applications

Some malware corrupts files or interferes with system processes, causing frequent application crashes or unexpected shutdowns.

Remote control

Remote access trojans (RATs) allow the attacker to view, control, and manipulate the infected device from a remote location without the user's knowledge.

Spreading to other devices

Worms and network-aware malware can propagate automatically from one infected device to other devices on the same local network, amplifying the damage.

Controls: malware

  • Antivirus / anti-malware software — detects and removes known malware based on signature databases; must be kept up to date to detect new threats
  • OS and application updates — patch known vulnerabilities that malware exploits; enabling automatic updates reduces the window between disclosure and protection

Why updates matter for malware

Malware often enters a device by exploiting a vulnerability in an unpatched application or OS. Once the vendor releases a patch, attackers know the exact vulnerability — and unpatched devices become easy targets. Updates and antivirus work together: updates remove the vulnerability, antivirus catches threats that slip through.

Harms caused by attacks

Understanding the real consequences of security failures provides context for why controls matter. Attacks are not abstract — they result in measurable, often lasting harm to individuals and organizations.

PII exposure

Personally identifiable information — Social Security numbers, addresses, birthdates, health records — can be used by attackers to impersonate victims, file fraudulent claims, or access additional accounts. Medical data exposure can also lead to discrimination and stigma.

Identity theft

Attackers use stolen PII to open accounts, apply for credit, or make purchases in the victim's name. Victims often discover the theft only after significant damage to their credit score and finances has occurred.

Financial fraud

Compromised banking credentials, credit card numbers, or payment accounts enable attackers to make unauthorized purchases, transfers, or withdrawals directly from victims' accounts.

Reputation damage

For organizations, a publicized breach destroys customer trust and may cost contracts, partnerships, and future business. For individuals, leaked private communications or data can damage personal and professional reputations.

Business disruption

Ransomware and other malware can render systems inoperable, blocking access to files and services for hours or days, causing operational and financial losses that extend beyond any individual user.

Security controls at a glance

Threat | Recommended controls
Weak authentication / stolen passwords | Strong passwords, MFA, biometric authentication, account lockout
Phishing | Email filtering, security awareness training
Shoulder surfing | Privacy screens, screen positioning away from observers
Malware | Antivirus / anti-malware software, OS and application updates
