AP Cybersecurity Unit 2 Lesson 2 Exercise 1

Unit 2 • 2.2 • Exercise 1

Exercise 1 — Defense-in-Depth Layer Analysis

6 questions — Evaluate layered security architectures and identify weaknesses

Score: 0 / 0 Predict the answer before selecting an option
Client Organization
Sycamore School District

Sycamore School District is implementing a defense-in-depth strategy to protect student data across 8 schools. The current security posture relies almost entirely on a single perimeter firewall. The CISO wants to add multiple overlapping layers so that no single failure leaves the district exposed.

Q1 Core Concept
Sycamore currently relies on a single perimeter firewall as its only security control. If this firewall is bypassed (through a zero-day exploit, misconfiguration, or insider access), the attacker has unrestricted access to all district systems. This architecture violates the defense-in-depth principle because:
Q2 Layer Identification
The CISO proposes the following security layers for the district:

Layer 1: Perimeter firewall
Layer 2: Network segmentation (VLANs separating student, staff, and admin networks)
Layer 3: Endpoint antivirus on all devices
Layer 4: Multi-factor authentication for all staff accounts
Layer 5: Encrypted backups stored offsite

Which of the following statements about this architecture are correct?

I. If the firewall is bypassed, VLANs still limit the attacker’s lateral movement within the network.
II. If malware evades the firewall and network segmentation, endpoint antivirus provides a third chance to detect it.
III. Encrypted offsite backups ensure the district can recover even if ransomware encrypts all on-site systems.
Q3 Layer Types
Which of the following is NOT an example of a defense-in-depth layer?
Q4 Failure Analysis
A phishing email bypasses Sycamore’s email gateway filter and reaches a teacher’s inbox. The teacher clicks the malicious link. In a well-designed defense-in-depth architecture, which layers could STILL prevent a successful compromise after this point?

I. The teacher’s security awareness training causes them to recognize the suspicious login page and close it before entering credentials.
II. The endpoint browser isolation tool opens the link in a sandboxed container, preventing the malicious site from accessing the teacher’s real credentials.
III. Even if credentials are stolen, MFA prevents the attacker from logging in without the teacher’s second authentication factor.
Q5 Redundancy vs Diversity
Sycamore deploys two identical firewalls from the same vendor in a high-availability pair. If one fails, the other takes over. A zero-day vulnerability is discovered in this firewall model that allows bypass. What is the limitation of this approach compared to true defense-in-depth?
Q6 Applied Design
The district’s student information system (SIS) contains FERPA-protected student records. Which defense-in-depth design provides the MOST comprehensive protection for this system?
Questions Correct
Exercise 2 → Course Hub
AP Cybersecurity Unit 2 • 2.2 • Exercise 1 | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board, which was not involved in the production of this content.
AP Cybersecurity · Unit 2 · Lesson 2.2 · Exercise 1
LessonExercise 1LabQuiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]