AP Cybersecurity Unit 2 Lesson 2 Exercise 1
Exercise 1 — Defense-in-Depth Layer Analysis
6 questions — Evaluate layered security architectures and identify weaknesses
Sycamore School District is implementing a defense-in-depth strategy to protect student data across 8 schools. The current security posture relies almost entirely on a single perimeter firewall. The CISO wants to add multiple overlapping layers so that no single failure leaves the district exposed.
(A) Incorrect — no security device is immune to bypass; the issue is relying on a single layer, not the device’s age.
(C) Incorrect — firewalls are essential; the problem is relying on one alone without additional layers.
(D) Incorrect — moving the firewall’s location does not add defense-in-depth; it just changes where the single point of failure sits.
Layer 1: Perimeter firewall
Layer 2: Network segmentation (VLANs separating student, staff, and admin networks)
Layer 3: Endpoint antivirus on all devices
Layer 4: Multi-factor authentication for all staff accounts
Layer 5: Encrypted backups stored offsite
Which of the following statements about this architecture are correct?
I. If the firewall is bypassed, VLANs still limit the attacker’s lateral movement within the network.
II. If malware evades the firewall and network segmentation, endpoint antivirus provides a third chance to detect it.
III. Encrypted offsite backups ensure the district can recover even if ransomware encrypts all on-site systems.
(A) Incomplete — Statements II and III are also correct.
(B) Incomplete — Statement III is also correct.
(C) Incomplete — Statement I is also correct.
(A) Valid layer — physical security is the outermost defense-in-depth layer.
(B) Valid layer — administrative controls (policies, training) are a recognized defense-in-depth category.
(C) Valid layer — IDS is a technical security control that adds detection capability.
I. The teacher’s security awareness training causes them to recognize the suspicious login page and close it before entering credentials.
II. The endpoint browser isolation tool opens the link in a sandboxed container, preventing the malicious site from accessing the teacher’s real credentials.
III. Even if credentials are stolen, MFA prevents the attacker from logging in without the teacher’s second authentication factor.
(A) Incomplete — technical controls (II and III) also provide post-click protection.
(B) Incomplete — training and browser isolation also contribute.
(C) Incomplete — browser isolation (II) is also a valid layer.
(A) Incorrect — HA pairs do add availability value; the limitation is specifically about security diversity, not cost.
(C) Incorrect — HA pairs are designed to avoid conflicts; one is active while the other is standby.
(D) Incorrect — all hardware can fail; HA pairs exist specifically because failures occur.
(A) Incorrect — a single device, no matter how advanced, is still a single point of failure. Defense-in-depth requires multiple independent controls.
(C) Incorrect — air-gapping the SIS makes it inaccessible to authorized users (teachers, administrators), destroying availability.
(D) Incorrect — insurance transfers financial risk but does not prevent breaches or protect student data. It is a risk management tool, not a security control.
AP® is a registered trademark of the College Board, which was not involved in the production of this content.
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]