Exercise 2: Authentication Advisor | AP Cybersecurity 1.2
You are a security consultant. Three clients have hired you to audit their authentication systems and deliver specific, prioritized recommendations. Each client has a different budget, risk profile, and technical maturity.
Sunrise Coffee & Bakery
Retail — 6 Employees — Low Budget
Systems: One shared point-of-sale (POS) tablet, a Wi-Fi router for customers, an email account (sunrise.bakery@gmail.com), and an online ordering platform.
Current auth: POS uses a 4-digit PIN (1234). Wi-Fi password is “SunriseCoffee” (same for staff and customers). Gmail has no MFA. The online ordering admin password is “Sunrise2023!” — the owner and two managers share it.
Recent incident: A customer complained that a fraudulent order was placed using their account. The owner suspects someone on the guest Wi-Fi intercepted login credentials.
Question 1: What is the MOST critical vulnerability? (2 pts)
- A. The POS PIN is too simple (1234)
- B. Gmail has no MFA enabled
- C. Staff and customers share the same Wi-Fi network, allowing traffic interception
- D. The online ordering password follows a predictable pattern (BusinessName + Year + !)
Question 2: Which attack type likely caused the fraudulent order? (2 pts)
- A. Traffic interception on the shared Wi-Fi (evil twin or packet sniffing)
- B. Brute force attack on the ordering platform
- C. Credential stuffing from a previous data breach
- D. Social engineering of the customer by phone
Question 3: Write your top 3 prioritized recommendations (6 pts)
Riverside Unified School District
K-12 Education — 2,400 Students — 180 Staff — Medium Budget
Systems: Google Workspace for Education (email, Drive, Classroom), a student information system (SIS) with grades and parent contact info, 800 Chromebooks, and 40 staff laptops.
Current auth: Students use passwords in the format FirstnameLastinitial + graduation year (e.g., “JohnS2028”). Staff use self-chosen passwords with no minimum length requirement. MFA is available but not enforced for anyone. Password reset requests go to the front office secretary, who resets them over the phone without identity verification.
Recent incident: A student guessed another student’s password (the format is publicly known), logged in, and changed their grades in the SIS. The breach was discovered 3 weeks later when a parent noticed incorrect grades on a report card.
Question 1: What is the PRIMARY weakness that enabled this breach? (2 pts)
- A. MFA is not enforced
- B. Phone-based password resets have no identity verification
- C. Staff have no minimum password length
- D. The predictable password format makes every student’s password guessable
Question 2: The district argues “MFA would fix everything.” Which statement BEST evaluates this claim? (2 pts)
- A. Correct — MFA alone would have prevented this breach entirely
- B. MFA adds a valuable layer but does not fix the root cause — predictable passwords still allow an attacker to pass the first factor, and the unverified reset process could bypass MFA
- C. MFA is unnecessary for a school district because student data is not financially valuable
- D. MFA would help staff accounts but cannot be used with student Chromebooks
Question 3: Write your top 3 prioritized recommendations (6 pts)
Lakewood Family Medicine
Healthcare Clinic — 3 Doctors, 12 Staff — HIPAA Regulated — Higher Budget
Systems: Electronic Health Records (EHR) system with patient medical data, a billing system linked to insurance companies, email (Outlook), and a patient portal where patients view test results and message doctors.
Current auth: EHR uses individual accounts with 8-character minimum passwords, changed every 60 days. Staff report they rotate between “Lakewood1!”, “Lakewood2!”, “Lakewood3!” etc. because they cannot remember new passwords every 2 months. Two doctors share a single “provider” account to save time between patient rooms. The patient portal requires only an email and a 6-character password with no MFA.
Regulatory context: HIPAA requires that access to protected health information (PHI) be logged with individual accountability. Shared accounts violate this requirement.
Question 1: Which vulnerability creates the GREATEST regulatory and security risk? (2 pts)
- A. Two doctors share a provider account, eliminating individual accountability for PHI access
- B. Staff rotate predictable passwords (Lakewood1!, Lakewood2!, etc.)
- C. Patient portal has weak password requirements and no MFA
- D. The 60-day password rotation is too frequent
Question 2: The office manager says “We rotate passwords every 60 days because that’s what our last auditor recommended.” Why is this counterproductive? (2 pts)
- A. 60-day rotation is fine — the problem is that they are not using special characters
- B. Rotating passwords is always beneficial regardless of user behavior
- C. Frequent forced rotation causes users to choose predictable sequential passwords (Lakewood1!, 2!, 3!), which are easily guessable and effectively negates the rotation
- D. Password rotation only matters for admin accounts, not regular staff
Question 3: Write your top 3 prioritized recommendations (6 pts)
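The three scenarios share one defensive lesson: a password policy should reject passwords that are built from public facts about the account (JohnS2028, Sunrise2023!) and passwords that only bump a digit on the previous one (Lakewood1! to Lakewood2!). The checker below is an added illustration written for this exercise, not code from any of the clients' systems or from a real product; `MIN_LENGTH`, the helper names and the sample inputs are assumptions.

```python
from __future__ import annotations
import re

# Hypothetical policy helper written for this exercise; not from any product.
MIN_LENGTH = 12                      # assumed minimum for this example's policy
YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def _skeleton(password: str) -> str:
    """Collapse every digit run to '#', so Lakewood1! and Lakewood2! compare equal."""
    return re.sub(r"\d+", "#", password.lower())


def is_sequential_variant(previous: str, candidate: str) -> bool:
    """True when the new password only changes the digits of the old one."""
    return (previous.lower() != candidate.lower()
            and _skeleton(previous) == _skeleton(candidate))


def is_derived_from(candidate: str, known: list[str]) -> bool:
    """True when the letters of the password are nothing but a concatenation of
    publicly known tokens (first name, last initial, business name, ...)."""
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if not core:
        return False
    # Longest tokens first so 'sunrise' wins over a single-letter initial 's'.
    tokens = sorted({t.lower() for t in known if t}, key=len, reverse=True)
    i = 0
    while i < len(core):                       # greedy left-to-right consumption
        step = next((len(t) for t in tokens if core.startswith(t, i)), 0)
        if step == 0:
            return False                       # a letter no known token explains
        i += step
    return True


def audit_password(candidate: str, previous: str | None, known: list[str]) -> list[str]:
    """Return policy findings for one password change; an empty list means accepted."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if previous and is_sequential_variant(previous, candidate):
        findings.append("only the digits changed from the previous password")
    if is_derived_from(candidate, known):
        findings.append("built entirely from publicly known information")
    if YEAR_RE.search(candidate):
        findings.append("contains a year")
    return findings


if __name__ == "__main__":
    # Constructed inputs drawn from the three scenarios above.
    print(audit_password("Lakewood2!", "Lakewood1!", ["Lakewood"]))
    print(audit_password("JohnS2028", None, ["John", "S", "Smith"]))
    print(audit_password("correct-horse-battery", "Lakewood3!", ["Lakewood"]))
```

Blocking these patterns at change time removes the incentive problem that forced rotation creates; pairing it with a breached-password check and MFA covers the remaining gaps the questions point at.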