AP Cybersecurity Unit 1 Case File 1: The Onboarding Trap


You are a junior analyst at Meridian Logistics. Work the evidence, classify what happened, decide what is most dangerous.


Case briefing

A new hire in finance forwarded a week of events that felt off. Each item is a lead, not a verdict. Read the evidence, then answer in your own words. Spelling is forgiven; the key word is what matters.

Stage 1 • Social Engineering

Classify the approach

CED 1.1.A • Lesson 1.1.4 Attack Types, 1.1.5 Classification, 1.1.7 Defenses

Event A

From: "Dana Reyes, CFO"
Subject: Quick favor before my flight
"Buy several gift cards for a client today and send me the codes. Boarding soon, can't call."

Event B

Phone call: "This is IT support. We're clearing a login error on your account. Read me the six-digit code we just texted you so I can verify it cleared."

Event C

A USB drive labeled "Payroll Q3 - CONFIDENTIAL" is left on a break-room table.

Stage 2 • Password Attacks

Work the login log

CED 1.2.A / 1.2.B / 1.2.C, skill 1B • Lesson 1.2.4 Attack Types, 1.2.5 Hashing & Salting

Authentication log

03:11 FAIL user=a.singh src=198.51.100.23 tried="Summer2025!"
03:11 FAIL user=b.cole src=198.51.100.23 tried="Summer2025!"
03:11 FAIL user=c.diaz src=198.51.100.23 tried="Summer2025!"
03:12 FAIL user=d.evans src=198.51.100.23 tried="Summer2025!"
03:12 OK user=e.flores src=198.51.100.23 tried="Summer2025!"

Bonus: crack the hash (range-style)

A captured password hash and the five candidates from a wordlist. Which candidate produced it?

MD5: 7c6a180b36896a0a8c02787eeafb0e4c
Candidates: password1, dragon, qwerty, letmein, monkey

Stage 3 • Public Networks

Read the hotel session

CED 1.3.A / 1.3.B / 1.3.C • Lesson 1.3.3 Wireless Attacks, 1.3.4 Evil Twin, 1.3.5 Protections

Networks seen

Hotel_Guest and Hotel_Guest_FREE. She joined Hotel_Guest_FREE.

# | Protocol | Host | Body / notes
1 | HTTPS | mail.meridian-logistics.com | encrypted, opaque
2 | HTTP | intranet-legacy.meridian-logistics.com | login served over HTTP
3 | HTTP | intranet-legacy.meridian-logistics.com | user=j.okafor&pass=Spring2026!
4 | HTTPS | payroll.meridian-logistics.com | encrypted, opaque

Stage 4 • AI-Based Attacks

Name the AI-augmented method

CED 1.4.A / 1.4.B • Lesson 1.4.4 AI Phishing, 1.4.5 Deepfakes, 1.4.6 AI Malware, 1.4.7 Defenses

Event A

A flawless, personalized email naming the new hire's actual manager, asking her to approve a vendor invoice today.

Event B

A voicemail in the CEO's exact voice authorizing an urgent wire transfer.

Event C

Malware that changes its signature on every infection, slipping past the antivirus.

Stage 5 • AI in Defense

Tune the detector, keep the human

CED 1.5 • Lesson 1.5.5 Anomaly Detection, 1.5.6 Human Oversight

Event | Description | Anomaly score
E1 | Known device, slightly early login | 31
E2 | New laptop, normal hours, office network | 48
E3 | VPN from a city the user travels to often | 55
E4 | Office login, then another continent eight minutes later | 78
E5 | Password-manager autofill, known device | 22

Threshold 90: nothing flagged. The attack slips through.

Once E4 is flagged, why review it by hand instead of auto-locking the account?

Automated blocking on an anomaly score alone produces false positives that lock out legitimate users. A human confirms the deviation is real before acting. That human oversight is the non-negotiable point in Lesson 1.5.6: the score flags, the analyst judges.
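The threshold trade-off in the Stage 5 table can be worked through in code. This is an added example, not part of the original case file; treating E4 as the attack and the other events as benign, and flagging when the score is at or above the threshold, are assumptions read from the page's wording.

```python
# (id, description, anomaly score, is_attack) from the Stage 5 table.
# Labelling E4 as the attack and the others as benign is an assumption
# drawn from the page's wording; "score >= threshold" is also assumed.
EVENTS = [
    ("E1", "Known device, slightly early login", 31, False),
    ("E2", "New laptop, normal hours, office network", 48, False),
    ("E3", "VPN from a city the user travels to often", 55, False),
    ("E4", "Office login, then another continent eight minutes later", 78, True),
    ("E5", "Password-manager autofill, known device", 22, False),
]

def evaluate(threshold):
    """Return which events a threshold flags, wrongly flags, and misses."""
    flagged = [eid for eid, _, score, _ in EVENTS if score >= threshold]
    return {
        "flagged": flagged,
        "false_positives": [eid for eid, _, _, bad in EVENTS if eid in flagged and not bad],
        "missed": [eid for eid, _, _, bad in EVENTS if bad and eid not in flagged],
    }

def clean_band():
    """Thresholds t with low < t <= high flag every attack and no benign event."""
    low = max(score for _, _, score, bad in EVENTS if not bad)
    high = min(score for _, _, score, bad in EVENTS if bad)
    return (low, high) if low < high else None

def review_queue(threshold):
    """Flagged events become analyst tickets; nothing is locked automatically."""
    return [{"event": eid, "score": score, "evidence": desc,
             "action": "analyst_review", "account_locked": False}
            for eid, desc, score, _ in EVENTS if score >= threshold]

if __name__ == "__main__":
    for t in (90, 70, 40):
        print(t, evaluate(t))
    print("clean band:", clean_band())
    print(review_queue(70))
```

A threshold of 90 misses E4, 40 buries it among two false positives, and anything in the clean band flags E4 alone and hands it to the analyst.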

Analyst's report

In six to eight sentences: summarize the week, name the single highest-severity item with a justification, and give one defense per event.

Model answer. The highest-severity item is the password spraying in Stage 2 combined with the plaintext credential exposure in Stage 3, because together they hand an attacker working credentials with no further victim action. The gift-card request and the cloned-voice transfer are serious but depend on a person choosing to act, and the AI phishing email was caught.

Defenses, one per event: out-of-band verification and DMARC for the gift-card BEC; account-lockout limits and salted slow hashing for the spraying; an evil-twin-aware VPN and HTTPS-only for the public network; call-back verification for the voice clone; and an anomaly threshold tuned above the everyday noise with a human in the loop.
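The password spraying named in the model answer can be detected from the Stage 2 log itself. The detector below is an added example, not part of the original case file; the function names and the thresholds (four accounts, two passwords, five minutes) are illustrative assumptions.

```python
import re
from collections import defaultdict

# The five entries from the Stage 2 authentication log on this page.
LOG = """\
03:11 FAIL user=a.singh src=198.51.100.23 tried="Summer2025!"
03:11 FAIL user=b.cole src=198.51.100.23 tried="Summer2025!"
03:11 FAIL user=c.diaz src=198.51.100.23 tried="Summer2025!"
03:12 FAIL user=d.evans src=198.51.100.23 tried="Summer2025!"
03:12 OK user=e.flores src=198.51.100.23 tried="Summer2025!"
"""

LINE = re.compile(r'(\d\d):(\d\d) (FAIL|OK) user=(\S+) src=(\S+) tried="([^"]*)"')

def parse(log):
    """Turn each well-formed log line into a dict; skip anything else."""
    events = []
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            hh, mm, result, user, src, pw = m.groups()
            events.append({"minute": int(hh) * 60 + int(mm), "result": result,
                           "user": user, "src": src, "pw": pw})
    return events

def detect_spraying(events, min_users=4, max_passwords=2, window_min=5):
    """Alert when one source tries few passwords against many accounts quickly.

    Thresholds are illustrative assumptions, not values from the lesson.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["minute"])
        for first in evs:
            win = [e for e in evs if 0 <= e["minute"] - first["minute"] <= window_min]
            users = {e["user"] for e in win}
            if len(users) >= min_users and len({e["pw"] for e in win}) <= max_passwords:
                alerts.append({
                    "src": src,
                    "accounts_tried": sorted(users),
                    # A success inside the spray means that account needs a reset now.
                    "compromised": sorted({e["user"] for e in win if e["result"] == "OK"}),
                })
                break  # one alert per source is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in detect_spraying(parse(LOG)):
        print(alert)
```

Many accounts with few passwords is what separates spraying from brute force, which is one account with many passwords. Production authentication logs should not record the attempted password; the case file's log includes it for teaching.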

Cold case

Compare Stage 1 Event A and Stage 4 Event B. The spoofed-email gift-card request and the cloned-voice wire authorization share one objective. What single policy closes both at once?

Field glossary (terms from the lessons)
social engineering, whaling / BEC, vishing, baiting, password spraying, brute force, credential stuffing, hashing vs encryption, salting, evil twin, plaintext, VPN, AI-enhanced phishing, deepfake / voice cloning, polymorphic malware, prompt injection, anomaly detection, baseline, false positive, human oversight
