Network Security

Network security protects computers, data, and services when they are connected to other devices. A network is useful because it allows communication. The same connection also creates risk: an attacker, infected device, careless user, or overloaded service can affect systems that were previously isolated.

This topic is not about becoming a cybersecurity specialist. For H2 Computing, the goal is to explain common network threats and match them to suitable security controls.

Beginner Mental Model

Security questions usually start with two parts:

  1. What can go wrong?
  2. Which control reduces that risk?

Example:

Problem: attacker floods a server with requests
Effect: legitimate users cannot use the service
Main harmed goal: availability
Suitable controls: filtering, rate limiting, IDS/IPS alerts or blocking, resilient design

Do not answer security questions by naming a control without explaining the problem it solves.

A useful habit is to read every security scenario in this order:

asset -> threat -> harmed security goal -> suitable control -> remaining limitation

For example, if the asset is an online results system and the threat is a traffic flood, the main goal harmed is availability. Encryption may still be useful elsewhere, but it is not the main answer to the flood.

For a complete beginner, it helps to separate four words that are often mixed together.

WordMeaning in this topicSimple example
assetsomething worth protectingstudent records, a website, a password
threatsomething that can cause harmmalware, DoS, unauthorised access
vulnerabilitya weakness that makes harm easierweak password, unpatched software, open service
controla measure that reduces riskfirewall, authentication, encryption

Example sentence:

The student database is an asset.
A stolen password is a threat to it.
A weak password policy is a vulnerability.
Two-factor authentication is a control.

Learning Goals

By the end of this topic, you should be able to:

  • explain confidentiality, integrity, and availability as security goals;
  • describe malware and common malware categories;
  • explain denial of service and distributed denial of service;
  • explain what a firewall does and what it cannot do;
  • distinguish IDS from IPS;
  • explain encryption as protection for data confidentiality;
  • distinguish symmetric and asymmetric key ideas at a high level;
  • explain how a digital signature supports integrity and sender authenticity;
  • explain authentication and common authentication factors;
  • choose suitable controls for short security scenarios.

Scope Boundary

This topic follows H2 Computing 9569 section 4.3.

Core content:

  • malware, including worms and viruses;
  • denial of service and distributed denial of service;
  • firewalls and filtering;
  • intrusion detection systems;
  • intrusion prevention systems;
  • encryption;
  • digital signatures;
  • authentication.

Not core here:

  • detailed cryptographic mathematics;
  • certificate-authority infrastructure;
  • current cyberattack campaigns;
  • professional security operations;
  • penetration testing;
  • enterprise firewall configuration syntax.

Optional enrichment:

  • Real-World Deployment Map shows where real-world controls such as HTTPS, DNS proxying, DDoS filtering, access control, and secret management appear in deployments. This is useful context, not required exam-core content.
  • Browser Security Real-World Enrichment explains how browsers such as Chrome and Safari reduce phishing, malware-download, HTTPS, permission, sandboxing, and privacy risks. This is useful context, not required exam-core content.
  • Authentication in the Real World explains passwords, password managers, 2FA/MFA, passkeys, and external sign-in as real-world extensions of H2 authentication concepts. This is useful context, not required exam-core content.
  • Incident Response for Beginners explains what to do after account compromise, suspected malware, data leaks, or website defacement. This is useful context, not required exam-core content.

Security Goals

The three common security goals are confidentiality, integrity, and availability.

GoalMeaningExample riskExample control
confidentialitydata is only readable by authorised partiesa packet sniffer reads login dataencryption
integritydata is not changed improperlya message is altered in transitdigital signature or hash check
availabilityservice is usable when neededa server is flooded with trafficfiltering, monitoring, resilient design

This model helps students avoid vague answers. If a question describes a threat, ask which goal is being harmed.

Threats and Controls

The important skill is not memorising a long list of tools. It is matching the control to the correct type of harm. A control that protects one security goal may do little for another.

Security controls do not make a system perfectly safe. They reduce particular risks.

Threat or needWhat is happeningSuitable control family
malware infectionharmful software runs on a devicesafe software practices, filtering, monitoring, anti-malware tools
DoS or DDoSa service is overwhelmedtraffic filtering, detection, prevention, capacity planning
unauthorised accessthe wrong person tries to log inauthentication and access control
eavesdroppingsomeone can observe transmitted dataencryption
message tamperinga message may be changed or forgeddigital signatures and integrity checks

The exam skill is to match the control to the risk. For example, encryption protects the content of data, but it does not automatically stop a server from being flooded by requests.

How to Build Scenario Answers

Most short-answer questions can be handled with a compact explanation:

The threat is ...
This mainly affects confidentiality / integrity / availability because ...
A suitable control is ... because ...
However, this does not completely solve ...

This structure prevents vague answers such as “use security” or “install a firewall” without reasoning. It also makes it easier to earn marks for both the security goal and the control.

Worked Beginner Scenario

Scenario:

A school hosts a web application for checking CCA attendance.
Students log in from home.
An attacker tries three things:
1. sends many requests until the site becomes slow;
2. sends a fake login page to steal passwords;
3. captures network traffic on public Wi-Fi.

Reasoning:

Part of scenarioWhat can go wrong?Main security goalSuitable control idea
many requests make the site slowservice becomes unavailableavailabilityfiltering, IDS/IPS monitoring or blocking, capacity planning
fake login page steals passwordsattacker gains account accessconfidentiality and integrityuser education, authentication controls, two-factor authentication
traffic is captured on public Wi-Fidata may be read by outsidersconfidentialityencryption

This is how to build a clear exam answer:

Name the risk -> name the harmed goal -> choose a matching control -> explain why.

Branch Notes

Malware in One Page

Malware is malicious software designed to disrupt, damage, steal, spy, or gain unauthorised access.

Common categories:

Malware typeBeginner explanationMain risk
virusattaches to files or programs and spreads when they runinfection and damage
wormspreads across networks without needing to attach to another filerapid network spread
trojan horsepretends to be useful or harmless softwarehidden malicious action
ransomwareblocks access to files or systems until payment is demandedloss of access
spywaresecretly collects informationconfidentiality loss
keyloggerrecords keystrokespassword or account theft

The important exam distinction is not the brand name of malware. It is the behavior: spreading, hiding, spying, blocking access, or damaging data.

DoS and DDoS

A denial-of-service attack tries to make a service unavailable.

Normal case:
many users -> server handles requests -> users receive service
 
DoS case:
attacker floods server -> server resources are consumed -> real users are delayed or rejected

A distributed denial-of-service attack uses many attacking devices. These devices may be compromised computers or internet-connected devices controlled as a group. DDoS is harder to block than a single-source DoS because the traffic arrives from many places.

Firewalls, IDS, and IPS

These controls all deal with network traffic, but they have different jobs.

ControlMain jobSimple description
firewallfilter trafficallows or blocks traffic according to rules
IDSdetect suspicious activityobserves traffic and raises alerts
IPSprevent suspicious activitysits inline and can block traffic

A firewall is not a complete security solution. It cannot stop every attack, especially if the user allows unsafe traffic, the attack starts inside the network, or the traffic appears to be legitimate.

Encryption, Signatures, and Authentication

These ideas are often mixed up by beginners.

IdeaQuestion it answersMain goal
encryptionCan an unauthorised person read the data?confidentiality
digital signatureDid this message come from the claimed sender and remain unchanged?authenticity and integrity
authenticationIs this user or system really who it claims to be now?authorised access

Symmetric encryption uses the same secret key to encrypt and decrypt. It is efficient, but the key must be shared securely.

Asymmetric encryption uses a public key and a private key. One key can be shared openly, while the private key is kept secret. This helps with secure communication and digital signatures.

Digital Signature Flow

A digital signature is not just an image of a handwritten signature. It is a cryptographic proof attached to a message or document.

Conceptual flow:

Sender:
message -> hash algorithm -> message digest
message digest + sender private key -> digital signature
send message and signature
 
Receiver:
received message -> same hash algorithm -> new digest
signature + sender public key -> sender's digest
compare the two digests

If the digests match, the receiver has evidence that the message was not changed and that the signature was produced using the matching private key.

Authentication

Authentication is the process of proving identity.

Common authentication factors:

FactorMeaningExample
something you knowsecret knowledgepassword or PIN
something you havephysical or digital itemsecurity token or authenticator app
something you arebiological featurefingerprint or face recognition

Two-factor authentication is stronger than using only a password because an attacker needs evidence from more than one category.

Mini Decision Table

Clue in the questionFirst concept to considerWhy
service is slow or unreachableavailability, DoS/DDoSthe problem is access to the service
data is captured while travelling over a networkconfidentiality, encryptionthe problem is readability of transmitted data
a message may have been changedintegrity, digital signature or hash checkthe problem is tampering
the system must know who is logging inauthenticationthe problem is identity proof
suspicious packets must be reportedIDSthe problem asks for detection and alerting
suspicious packets must be stopped automaticallyIPSthe problem asks for inline blocking

Common Exam Mistakes

  • Writing “security” without naming confidentiality, integrity, or availability.
  • Saying a firewall prevents all attacks.
  • Confusing IDS and IPS: IDS detects and alerts; IPS can block.
  • Saying encryption proves who sent a message. Encryption protects readability; authentication and signatures address identity and trust.
  • Saying a digital signature hides the message. A signature proves integrity and sender authenticity; encryption hides content.
  • Treating DoS as data theft. DoS mainly harms availability.
  • Describing malware only as “a virus”. Virus is one malware type, not the whole category.

One-Minute Comparison Table

If the problem is…Do not jump to…Better first thought
service unavailableencryptionavailability, DoS, filtering or prevention
message can be readfirewall onlyconfidentiality, encryption
message may be forged or changedpassword onlyintegrity and authenticity, digital signature
user identity is uncertainencryption onlyauthentication
suspicious traffic is seen”the firewall solves all”decide whether detection, alerting, or blocking is needed

Revision Checklist

You should be able to:

  • identify whether a scenario harms confidentiality, integrity, or availability;
  • explain malware, virus, worm, trojan, ransomware, spyware, and keylogger in plain language;
  • distinguish DoS from DDoS;
  • explain why firewall rules can block some traffic but not all attacks;
  • distinguish IDS from IPS;
  • explain symmetric and asymmetric encryption without doing cryptographic mathematics;
  • trace a digital signature at a conceptual level;
  • choose suitable authentication factors for a scenario.

Practice