Reading 1: Threats: Knowing What You Are Up Against

You cannot defend against what you cannot name.

Why Cybersecurity Matters for K-12 Educators

Schools are not invisible to cybercriminals. In recent years, ransomware attacks have shut down entire school districts for days or weeks. Student and staff data has been stolen and published. Classroom devices have been compromised. Phishing emails targeting teachers and administrators have given attackers access to grade systems, financial records, and personal information.

As a K-12 educator, you are both a potential target and a potential line of defense. Understanding the types of threats that exist — what they are, how they work, and what distinguishes one from another — is the foundation of being able to protect yourself, your students, and your school.

This reading introduces seven defined categories of cybersecurity threats. They are organized not alphabetically but conceptually: first the software-based threats (malware and its subtypes), then the human-targeted attack (phishing), then the availability attack (denial of service).

Malware: The Umbrella Term

Malware is short for "malicious software" — any software designed to damage, disrupt, or gain unauthorized access to a computer system. It is an umbrella term that covers several more specific types of threats. Viruses, worms, Trojan horses, and spyware are all forms of malware.

What unites all malware is intent: the software is designed to do something harmful that the device owner did not authorize and would not want. Beyond that, different types of malware differ significantly in how they spread, how they hide, and what damage they cause.

Virus: The Parasite

A virus is malware that attaches itself to a legitimate file or program and spreads when that file is shared or executed. Like a biological virus, a computer virus cannot spread on its own — it requires a host and a vector. The vector is typically a human action: opening an infected email attachment, running a program downloaded from an untrusted source, or copying files from an infected drive.

When an infected file is opened or executed, the virus activates. It may immediately cause damage (deleting files, corrupting data), or it may lie dormant and replicate first, spreading copies of itself to other files on the system before its payload triggers.

The defining feature of a virus: It requires human action to spread. Someone has to open the infected file. This is why "do not open attachments from unknown senders" is one of the oldest and most consistent pieces of security advice — it targets exactly the vector that viruses depend on.

Example: A teacher receives an email with an attached Word document labeled "Substitute Plans." The document contains a macro virus. When the teacher opens it and enables macros, the virus activates, scans the teacher's contacts, and sends copies of itself to everyone in the address book.

Worm: The Self-Spreader

A worm is malware that spreads across networks without requiring human action. Unlike a virus, a worm does not need to attach itself to a file or wait for someone to open something. It exploits vulnerabilities in network software to copy itself from machine to machine automatically.

Worms can spread extraordinarily fast. A single infected machine can scan thousands of other machines in minutes, identify those with the vulnerability it exploits, and copy itself to them — each of which then does the same. The 2017 WannaCry ransomware spread across 150 countries in a single day using worm behavior, infecting hundreds of thousands of machines including much of the UK's National Health Service.

The defining feature of a worm: It spreads automatically across networks without any user interaction. Keeping software and operating systems updated is the primary defense against worms, because updates patch the vulnerabilities worms exploit.

Example: A school's network has an unpatched vulnerability in its file-sharing software. A worm enters through one exposed machine, automatically copies itself to every other machine on the network with the same vulnerability, and begins encrypting files on each. No teacher opened anything; no one made a mistake. The worm spread on its own.

Trojan Horse: The Impersonator

A Trojan horse (or simply a Trojan) is malware disguised as legitimate, useful software. The user is tricked into voluntarily installing it because it appears to do something desirable — a free game, a productivity tool, a security scanner — while secretly performing malicious actions in the background.

The name comes from the Greek myth: a gift that appears harmless conceals something destructive inside. A Trojan does not replicate itself like a virus or spread through networks like a worm. It relies entirely on deception — persuading the user to install it willingly.

Trojans are commonly used to create backdoors: hidden access points that allow attackers to remotely control a compromised machine, steal data, or install additional malware later. A machine with a backdoor Trojan may function perfectly normally from the user's perspective while silently sending data to an attacker or awaiting further instructions.

The defining feature of a Trojan Horse: It relies on deception rather than technical exploitation. The user installs it voluntarily because it appears legitimate. Downloading software only from trusted, official sources is the primary defense.

Example: A student downloads what appears to be a free version of a popular game from an unofficial website. The installer looks legitimate and the game works. But in the background, the Trojan has installed a keylogger that records every password the student types and sends it to the attacker.

Spyware: The Silent Watcher

Spyware is malware designed to collect information about a user without their knowledge and transmit it to a third party. It operates silently in the background, monitoring and recording activity while the user remains unaware.

Spyware can collect a wide range of information: keystrokes (capturing passwords and messages as they are typed), browsing history, screenshots, files, contacts, financial information, and location data. Some spyware is relatively benign in intent — used by advertisers to track browsing habits — while other spyware is designed for surveillance, identity theft, or corporate espionage.

Spyware often arrives bundled with other software (a form of Trojan behavior) or through drive-by downloads triggered by visiting a compromised website. It is designed to be invisible — a machine infected with spyware may show no obvious symptoms.

The defining feature of spyware: Its goal is surveillance rather than damage. It watches and reports. The harm comes from what is learned rather than from direct system damage. This makes it particularly relevant for student privacy discussions.

Example: A free browser extension promises to show price comparisons while shopping online. It works as advertised but also silently records every website visited, every form submitted, and every password entered, transmitting this data to the company that made it.

Phishing: The Social Attack

Phishing is a social engineering attack in which an attacker impersonates a trustworthy entity to trick a person into revealing sensitive information — passwords, financial details, personal data — or into taking an action that compromises security, such as clicking a malicious link or installing malware.

Phishing attacks typically arrive as email, text messages, or fake websites that appear to come from a legitimate source: a bank, a government agency, an employer, a popular service. The message creates urgency ("Your account will be closed in 24 hours"), fear ("Suspicious activity detected"), or opportunity ("You have been selected for a prize") to pressure the recipient into acting quickly without thinking critically.

Unlike malware, phishing does not require any technical exploit. It targets human psychology rather than software vulnerabilities. A perfectly up-to-date, well-protected computer is completely vulnerable to phishing if the person using it can be deceived.

The defining feature of phishing: It attacks the human, not the machine. Technical defenses alone cannot stop it — awareness and skepticism are the primary protections. This makes it the most important cybersecurity threat for a general audience to understand.

Example: A school administrator receives an email that appears to be from the district's IT department, saying that a required security update requires them to verify their login credentials by clicking a link. The link leads to a convincing fake login page. When they enter their username and password, the attacker captures the credentials and gains access to the district's systems.

Spear phishing is a targeted version of phishing directed at a specific individual or organization, often using personalized details to make the deception more convincing. A spear phishing email might address the recipient by name, reference their institution, and appear to come from someone they know.

Denial of Service: The Flood

A denial of service (DoS) attack does not try to steal data or compromise a system. Its goal is simpler and more disruptive: make a service unavailable by overwhelming it with traffic until it cannot respond to legitimate requests.

Every server has limits. It can only handle so many simultaneous connections, process so many requests per second, and store so much data in its buffers. A DoS attack exploits these limits by flooding the server with far more requests than it can handle, consuming all available resources so that legitimate users receive no response.

A distributed denial of service (DDoS) attack scales this up dramatically by coordinating the flood from thousands or millions of compromised machines simultaneously — often devices infected with malware that allows an attacker to use them remotely. These networks of compromised machines are called botnets. The combined traffic from a large botnet can overwhelm even well-resourced servers.

The defining feature of a DoS attack: The goal is disruption of availability, not data theft or system compromise. A successful DoS attack causes no lasting damage to the target's data — but it can take a service offline for hours or days, with significant financial and operational consequences.

Example: A school district's online testing platform is flooded with thousands of fake connection requests from a botnet during a statewide assessment period. The server cannot distinguish these from legitimate student connections and runs out of resources. Students statewide are unable to submit their exams.

Quick Reference: Telling Them Apart

The seven threat types are easy to confuse. The table below highlights the key distinguishing feature of each.

Threat Key Distinguishing Feature Primary Goal
Malware Umbrella term for all malicious software Varies by subtype
Virus Spreads by attaching to files; requires human action to spread Damage or replication
Worm Spreads automatically across networks; no human action needed Rapid spread; payload delivery
Trojan Horse Disguised as legitimate software; user installs it willingly Backdoor access; data theft
Spyware Operates silently; collects and transmits data Surveillance; information theft
Phishing Targets humans through deception; no technical exploit needed Credential theft; unauthorized access
Denial of Service Overwhelms a server with traffic; no data is stolen Disruption of availability