
Hello, my name is Mrs. Jones, and I'm really pleased that you're here today to learn with me.

We're going to be looking at hacking and brute force attacks.

So let's get started.

Welcome to today's lesson from the unit Introduction to cybersecurity.

Today's lesson is called "Hacking and brute force attacks", and by the end of this lesson you'll be able to describe what illegal attacks on computer systems are.

There are three keywords to this lesson.

Hacking.

Hacking is accessing a computer system without permission.

DDoS stands for distributed denial of service, and is an attack used to disrupt communication.

And brute force attack.

This is accessing a protected resource by repeatedly attempting to guess the key to how it is protected.

There are three sections to today's lesson: identify reasons for hacking, describe how online services can be disrupted, and explain how brute force attacks work.

So let's have a look at the first section, identify reasons for hacking.

Hacking refers to the process of attempting to gain access to, or control of, a computer system without permission.

And there are two types of hacking: ethical and unethical.

Ethical hacking is legal.

Penetration testers, also known as pen testers, are paid to hack into a computer system to help a company identify weaknesses in their system.

This can help stop unethical, illegal hacking as vulnerabilities can be found and fixed.

Unethical hacking is illegal.

This is when someone accesses a system without permission for their own or others' benefit.

For example, they may do something harmful or illegal by stealing information or causing damage.

Unethical hacking is illegal and can cause lots of problems for people and companies.

It can be used to steal personal data, steal money, or even disrupt essential services.

For example, if a hospital system is hacked into, people's lives could be put at risk.

Unethical hackers have various motivations.

They may want to promote a political agenda or social change, and this is called hacktivism.

They might do it just because they find it fun or they might do it to simply prove they can.

So let's have a quick check.

What is gaining unauthorised access to a computer system known as? Is it A, hacking; B, malware; C, social engineering; or D, phishing? Pause the video and have a think, and then I'll reveal the answer.

Let's have a look at the answer.

The answer was A, hacking.

Well done if you got that correct.

Let's have another check.

If someone is employed to legally hack into computer systems to help a company find security weaknesses, what's their job? Is it A, an IT technician; B, an IT manager; C, a penetration tester; or D, a systems administrator? Pause the video to think about your answer, and then I will reveal it.

Let's have a look at the answer.

The answer was C, penetration tester.

Well done if you got that correct.

Hacktivists hack to create disruption, to embarrass others, or to support a cause.

They may hack for political reasons as a form of protest or to target big companies they believe are acting wrongly.

You'll need your worksheet for this activity, and this is a fill in the blanks.

Read through the paragraph and fill in the missing words.

Pause your video here, complete this activity with the worksheet, and then we'll go through the answers.

Let's have a look at the answers.

Hacking is when someone gains unauthorised access to your computer or system without permission.

An ethical hacker works for a company to find vulnerabilities.

This is legal.

An unethical hacker will have a harmful purpose and will not have permission to access the system or computer.

This is illegal.

Well done if you got that correct.

You'll need your worksheet again for this second part.

Why might people want to hack into a computer system? There are two columns: one ethically, which is legal, and one unethically, illegal.

Pause the video and fill in underneath in those columns why certain people might want to hack into a computer system.

Let's have a look at the answers.

Ethically, legal.

Well, this is to look for vulnerabilities as it is their job.

Unethically, which is illegal.

It could be to steal data, to disrupt services, for financial gain, for political reasons, for fun, or to prove they can.

Well done if you got that correct.

Let's move on to the second part of today's lesson, describe how online services can be disrupted.

Online services include banking, gaming, social media, shopping, communication, entertainment, education, storage, and much more.

An online service needs to remain operational and accessible to its users.

It can be affected by accidental damage or targeted attacks.

Accidental damage can occur due to natural disasters like floods, fires, or earthquakes, and these might destroy infrastructure or a system.

Human error can also result in accidental damage.

For example, accidentally deleting an important file or changing a system setting that stops it from working.

The internet is a global network of devices, which you can use to access information, services, and websites.

Websites, files, and service providers' systems are stored on servers in different locations around the world.

Many people rely on the internet to access those online services.

A denial of service attack, a DoS, is a cyber attack where the criminal makes network communication unavailable to its intended users.

This is done by flooding the targeted machine or website with lots of requests in an attempt to overload the system.

Imagine somebody blocking the entrance to a shop so real customers can't get in.

That's what it's like for this type of attack.

A distributed denial of service attack, a DDoS attack, uses the same concept as a DoS attack, but multiple computers make the attacks at the same time.

This type of attack is harder to stop as it is not from a single source.

Identifying who is responsible is also more difficult as lots of machines are making requests.

Imagine lots of people trying to get into a shop all at once, blocking the entrance so real customers can't get in.

In this scenario, it's different because there are lots of people stopping you getting in, whereas in the previous one, there was only one.

Instead of one computer sending multiple requests, a DDoS attack uses multiple computers, each making multiple requests.

The computers may be located in many different places, so it's a coordinated attack from many different sources at the same time.

So a DoS, a denial of service attack, is one attacker and one target.

A DDoS, a distributed denial of service attack, is many attackers and one target.

Dyn is a company that controls the Internet's domain name system infrastructure, and this is an example of a DDoS attack.

In 2016, they suffered a DDoS attack on their domain name servers.

Many people couldn't access their websites as a result of this DDoS attack, as the service that provides the addresses and locations of web servers was overwhelmed with requests.

And that image shows the areas affected by that Dyn attack.

So let's have a quick check.

True or false? A distributed denial of service, a DDoS attack, uses one attacker.

Pause the video, think about your answer before I reveal it.

Let's have a look at the answer.

The answer is false.

A distributed denial of service, a DDoS attack, has many attackers, but one target.

Well done if you got that correct.

Let's have another check.

What is the purpose of a DDoS attack? Is it A, to infiltrate a network in order to plant a virus? Is it B, to flood a network or server with internet traffic in order to disrupt a service? Or is it C, to seek confidential data such as company secrets or personal documents? Pause the video to think about your answer and then I'll reveal it.

Let's have a look at the answer.

The answer was B, to flood a network or server with internet traffic in order to disrupt a service.

Well done if you got that correct.

You'll need your worksheet again for this activity.

What are the differences between a DoS and a DDoS attack? And there is a table with two columns, on the left, a DoS, a denial of service, and on the right, a DDoS, a distributed denial of service.

Pause the video to complete the table and then we'll go through the answers.

Let's have a look at the answers.

A DoS, a denial of service attack, has one attacker, is easier to find who is responsible and easier to stop.

A DDoS, a distributed denial of service attack, has multiple attackers, is harder to find who is responsible, and harder to stop.

Well done if you got that correct.

You'll need your worksheet again for this second part.

Describe how a DDoS attack disrupts access to online services.

Pause the video and think about your answer and use your worksheet.

Let's have a look at the answer.

A DDoS attack disrupts access to online services by overwhelming the target server with a lot of traffic.

Instead of one computer attacking, a DDoS attack uses many computers, often from all over the world, to simultaneously send a massive number of requests to the target website or the service.

The server can't handle the number of requests, making the online service slow or even completely unavailable to users.

Well done if you got that correct.

Let's move on to the last part.

Explain how brute force attacks work.

A brute force attack is when a person or a computer programme tries many different passwords or codes until they find the right one to gain access.

Imagine you have a keyring with multiple keys and want to unlock a door.

In a brute force attack, you would try every single key, one after another, until you find the one that unlocks the door.

This approach doesn't require you to be smart about it; you just have to try every possibility.

A brute force attack will keep trying until it finds the answer.

A computer programme could try thousands of different combinations.

This is an example of lots of people trying to guess the password.

Sofia says, "Try password123." Izzy says, "Try PASSWORD123", but in capitals.

Alex says, "Try 123456." And Jun has said, "Just try password." They keep trying until they find the solution.

To prevent brute force attacks, companies often set rules on their login screens.

For example, a website will check that it's really you trying to log in, but it may limit the number of times you can try entering your password.

A strong password should be at least eight characters long and include a mix of uppercase and lowercase letters, numbers and symbols, and it shouldn't be easy to guess.

Let's have a quick check.

Which of the following passwords would be the best defence against a brute force attack? Is it A, peter1£@!; B, Petertherabbit; C, P3tertherabb1t, with 1 instead of the I there; or D, P$tertherabb1t, with 1 again instead of the I?

Pause the video and have a think over which one would be the best defence against a brute force attack.

Let's have a look at the answer.

The answer is D.

Well done if you got that correct.

With the growing use of online services and the threat of hacking and cyber attacks, the government passed legislation.

The Computer Misuse Act in 1990 established three offences.

Number one, unauthorised access to computer material.

This means getting into someone else's computer, files, or online account without their permission.

Izzy says, "This could be anything from looking at emails to copying files, accessing a social media account, or even changing settings."

Number two is unauthorised access with intent to commit or facilitate the commission of further offences.

This means getting into someone's computer or account without permission with the intent to commit another crime.

Izzy says here, "A hacker breaks into a company's secure database without permission to steal customer information, planning to commit identity theft, or sell the data."

And three, unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer.

This means doing something to a computer system that makes it not work properly or completely shuts it down.

This is done on purpose or without caring about the consequences.

And Izzy says here, "A person intentionally sending a virus to a computer system to slow it down or crash it."

So you'll need your worksheet again.

How would a brute force attack try to access your social media account? Pause the video to think about your answer and use your worksheet, and then we'll go through the answer.

Let's have a look at the answer.

It would keep trying to find the correct password to gain access to my account.

This could be done by a person or with a computer programme.

A programme could try thousands of combinations in a short amount of time.

Well done if you got that correct.

And you'll need your worksheet again.

How can a company secure a login process from brute force attacks? Pause the video, think about your answer using the worksheet, and then we'll go through the answer.

Let's have a look at the answer.

A company can set rules on the login process.

This could be setting a maximum number of attempts to enter a password before locking access.

Another option is to set rules on how strong the password should be.

A password should be eight or more characters, not easy to guess, and a combination of upper and lowercase letters, numbers, and symbols.

Well done if you got that correct.

In summary, illegal hacking involves accessing a system without permission.

A distributed denial of service, a DDoS attack, is when multiple attackers flood a single service with requests to slow the service down or stop it working.

A brute force attack is repeatedly trying every possible combination of passwords, PINs, or login credentials until the correct one is found.
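The two defences the lesson describes, limiting the number of password attempts and enforcing a strong-password rule, can be shown working together in a small login gate. The following is an added example and is not part of the lesson or its worksheet; the lockout threshold of three attempts, the account name and the guess list (the same guesses Sofia, Izzy, Alex and Jun suggest) are constructed assumptions, and the policy check uses the lesson's own rule of eight or more characters with upper and lowercase letters, numbers and symbols.

```python
"""Added example (not from the lesson): a login gate with attempt limiting
and a password-strength check, the two brute force defences the lesson names."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumed policy: lock the account after three wrong guesses
MIN_LENGTH = 8    # lesson rule: at least eight characters


def password_meets_policy(password: str) -> bool:
    """Lesson rule: 8+ characters with upper, lower, digit and symbol."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    return (len(password) >= MIN_LENGTH
            and has_upper and has_lower and has_digit and has_symbol)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen database cannot be brute forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


class LoginGate:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet the strength policy")
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"  # same answer as a wrong password: no account enumeration
        if acct.locked:
            return "locked"  # a real system would unlock after a cooling-off period
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_ATTEMPTS:
            acct.locked = True
            return "locked"
        return "denied"


def simulate_guessing(gate: LoginGate, user: str, guesses: list[str]) -> list[str]:
    """Feed a list of guesses to the gate and record each outcome."""
    return [gate.login(user, g) for g in guesses]


def demo() -> list[str]:
    gate = LoginGate()
    gate.register("sofia", "P$tertherabb1t")  # constructed account, lesson's answer D
    # Constructed guess list: the four guesses from the lesson, then the real password.
    guesses = ["password123", "PASSWORD123", "123456", "password", "P$tertherabb1t"]
    return simulate_guessing(gate, "sofia", guesses)


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Running `demo()` gives `denied, denied, locked, locked, locked`: the third wrong guess locks the account, and the fifth attempt is refused even though it is the correct password, which is exactly why a limit on attempts stops a guessing programme from trying thousands of combinations. The policy check also reproduces the lesson's quiz: of the four candidates only `P$tertherabb1t` satisfies all of the rules.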