AP Cybersecurity Unit 2 Lesson 1 Lab

Unit 2 • 2.1 • Lab

Lab — Operation Triple Shield: CIA Triad Breach Investigation

6 steps, 30 points — Mixed formats: matching, fill-blank, select-all, MCQ, and written analysis

Score: 0 / 30 Each step uses a different assessment format
Investigation Target
Catalyst Biotech Labs

Catalyst Biotech Labs suffered a sophisticated three-phase attack over 72 hours. Phase 1: 14 GB of gene therapy research was exfiltrated. Phase 2: Clinical trial dosage data in 47 patient records was subtly altered (5-15% changes). Phase 3: Ransomware encrypted all servers. Your investigation covers all three phases.

Step 1Matching
Classify Each Attack Phase
Match each attack phase to the CIA Triad property it primarily violates.
Phase 1: 14 GB research data exfiltrated
Phase 2: Dosages altered in 47 patient records
Phase 3: Ransomware encrypted all servers
Phase 1 = Confidentiality (data disclosed to unauthorized party). Phase 2 = Integrity (data modified without authorization). Phase 3 = Availability (systems rendered inaccessible).
Exam Tip: Exfiltration = C. Modification = I. Encryption/denial = A.
Step 2Fill in the Blank
Complete the Incident Timeline
Fill in each blank with the correct technical term.

Day 1: The attacker transferred 14 GB of research data externally. This is called data .

Day 2: The attacker modified dosage values. Because the changes were subtle and hard to detect, this attacks data .

Day 3: Ransomware encrypted all servers. This primarily attacks .

Risk that remains after new security controls are implemented is called risk.

The offsite backup survived because it was stored , physically separated from the network.

Answers: (1) exfiltration (2) integrity (3) availability (4) residual (5) offsite / offline / air-gapped
Exam Tip: Key vocabulary: exfiltration = unauthorized data transfer out. Residual risk = what remains after controls.
Step 3Select All That Apply
Identify All Compromised Data Categories
Based on all three phases, select ALL data categories that were directly affected.
Correct: Research formulas, dosage records, payroll, email archives. Incorrect: Public website (external CDN), physical samples (not digital).
Exam Tip: Distinguish digital assets on affected systems from external/physical assets unaffected by the attack.
Step 4Multiple Choice
Determine the Most Dangerous Phase
Which phase caused the MOST dangerous long-term harm?
C is most defensible. Phase 2 threatens patient safety, may invalidate FDA research, and the subtle 5-15% modifications are designed to evade detection. Integrity attacks on safety-critical data are uniquely dangerous.
Exam Tip: Integrity attacks on medical/safety data outrank confidentiality breaches because they can cause physical harm.
Step 5Analysis
Evaluate the Backup Recovery
Catalyst’s last backup is 72 hours old, stored offsite on tape. IT proposes restoring from it.
5a. Select the CISO’s most likely concern:
5b. What should Catalyst do before restoring, and what data is permanently lost?
Key terms: verify, integrity, hash, compare, tampered, 72 hours, lost, gap, unrecoverable, validate
B is correct. Before restoring: verify backup integrity via checksums/manual review for Phase 2 modifications. Permanently lost: 72 hours of data created between backup and ransomware.
Exam Tip: Backups restore availability but do NOT fix confidentiality (data already stolen) or integrity (if corruption predates backup).
Step 6Written Response
Write the Countermeasure Recommendation
Map one specific control to each CIA property. Explain which phase it would have prevented.
Key terms: DLP, exfiltration, hash, checksum, signature, backup, offline, detect, prevent, monitor, alert, integrity check
Model: C: DLP to detect/block 14 GB exfiltration (Phase 1). I: Cryptographic checksums with automated integrity alerts for dosage changes (Phase 2). A: Offline immutable backups with daily verification, reducing recovery gap to 24h (Phase 3).
Exam Tip: DLP → C. Hashing/signatures → I. Backups/redundancy → A.
Total Points
Quiz 2.1 → Course Hub
AP Cybersecurity 2.1 Lab | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board.
AP Cybersecurity · Unit 2 · Lesson 2.1 · Lab

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]