AP Cybersecurity Unit 2 Lesson 2 Lab


Lab — Operation Layer Cake: Defense Failure Investigation

6 steps, 30 points — Mixed formats: matching, fill-blank, select-all, MCQ, and written analysis

Each step uses a different assessment format.
Investigation Target
Ridgecrest Community Hospital

Ridgecrest suffered a ransomware attack despite having multiple security layers. A phishing email reached a billing clerk, who entered credentials on a fake site. The attacker used stolen credentials to VPN in, moved laterally across a flat network, and deployed ransomware. Your investigation determines which layers held, failed, or were absent.

Step 1: Matching
Classify Each Security Layer
Ridgecrest had these controls: email gateway, security training, and badge-controlled server room. Classify each by defense-in-depth category.
Think first: Physical = tangible barriers. Administrative = policies/procedures. Technical = software/hardware tools.
Email gateway filtering suspicious attachments
Annual cybersecurity awareness training (optional)
Badge-controlled server room with access logging
Email gateway = Technical (software tool). Training = Administrative (policy/procedure). Badge reader = Physical (tangible barrier). Defense-in-depth uses all three categories together.
Exam Tip: Three defense-in-depth categories: Physical (locks, fences, cameras), Administrative (policies, training, procedures), Technical (firewalls, encryption, IDS). A complete strategy includes all three.
Step 2: Fill in the Blank
Complete the Attack Timeline
Fill in each blank with the correct term from the investigation findings.
Think first: Each blank describes a specific type of security failure.

The email gateway flagged the phishing email but did not quarantine it. This is a ______ failure — detection without prevention.

The billing clerk never completed training because it was ______, not mandatory.

MFA was disabled for billing due to a temporary ______ that was never revoked.

The network had no VLANs, making it a ______ network where the attacker could reach any system.

Antivirus signatures were 45 days ______, missing the 3-week-old ransomware variant.

Answers: (1) partial/configuration — detected but permissive threshold. (2) optional — unenforced policy. (3) exemption — temporary exception made permanent. (4) flat — no segmentation. (5) outdated — unmaintained signatures.
Exam Tip: A security layer that exists but is misconfigured, unenforced, or unmaintained is effectively absent. Each of these failures turns a “layer” into a checkbox.
Step 3: Select All That Apply
Identify All Failed Layers
Select ALL layers that FAILED during this breach.
Think first: A layer “failed” if it did not stop the attack at its stage, even partially.
Failed: Email gateway (partial), training (unenforced), MFA (exempted), antivirus (outdated), segmentation (absent). Held: Badge-controlled server room — physical access was never part of this attack vector.
Exam Tip: A layer can fail in different ways: partial detection (gateway), non-enforcement (training), exemption (MFA), outdated maintenance (AV), or complete absence (segmentation). All represent gaps.
Step 4: Multiple Choice
Identify the Most Impactful Fix
If Ridgecrest could only fix ONE layer, which single fix would most likely have prevented this specific breach?
Predict first: Which layer, if functional, would have broken the attack chain entirely?
B (MFA) is most defensible. MFA directly blocks the critical pivot point: the attacker had a valid password but could not provide the second factor. The email gateway (A) might still be bypassed by a better phish. Antivirus (C) is probabilistic. Segmentation (D) contains but does not prevent.
Exam Tip: When choosing the “single best fix,” pick the control that breaks the attack chain at the point of highest leverage. MFA at the authentication step stops everything downstream.
Step 5: Analysis
Evaluate the Backup Recovery
Ridgecrest’s primary backup was on a network-attached server — also encrypted by ransomware. A 2-week-old offsite tape survived.
5a. Select the backup architecture failure:
5b. Recommend a backup architecture that would survive this attack.
Key terms: 3-2-1, offline, immutable, air-gap, separate network, daily, test, verify, isolate
B is correct. The primary backup shared the same flat network as production, so ransomware encrypted it too. Recommended: 3-2-1 rule (3 copies, 2 media types, 1 offsite/offline). Primary backups should be on an isolated network or air-gapped. Daily backups with weekly verification restores.
Exam Tip: Backups on the same network as production WILL be encrypted by ransomware. The 3-2-1 rule exists specifically for this scenario. “Offline” or “immutable” backups are the key words.
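To make the backup reasoning in Step 5 concrete, here is an added example (not part of the original lab or APCSExamPrep.com) that models backup copies as data and asks the two questions that matter after ransomware runs on the production network: which copies are still restorable, and how old is the newest one. It assumes ransomware can encrypt anything writable from the production network unless the storage is immutable, and it checks a plan against the 3-2-1 rule plus an isolation, freshness and test-restore requirement. The two scenarios (Ridgecrest's NAS-plus-stale-tape setup and the recommended isolated/immutable design) are constructed from the lab's description; attribute values such as the restore-test flags are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DataCopy:
    name: str
    media: str                 # "disk", "tape", "object-storage", ...
    offsite: bool
    reachable_from_prod: bool  # writable over the production network
    immutable: bool            # write-once / retention-locked storage
    age_days: int              # age of the newest restorable point
    restore_tested: bool       # a test restore has actually been performed


def surviving_copies(copies: List[DataCopy]) -> List[DataCopy]:
    """Copies that remain restorable after ransomware runs on production.

    Model assumption: anything writable from the production network gets
    encrypted along with production data, unless the storage is immutable.
    """
    return [c for c in copies if not c.reachable_from_prod or c.immutable]


def recovery_point_days(copies: List[DataCopy]) -> Optional[int]:
    """Age of the newest surviving copy (the effective RPO), or None if nothing survives."""
    survivors = surviving_copies(copies)
    return min(c.age_days for c in survivors) if survivors else None


def assess_backup_plan(copies: List[DataCopy], max_age_days: int = 1) -> Dict:
    """Check a plan against 3-2-1 (3 copies, 2 media, 1 offsite) and against
    what actually saves you in a ransomware event: an isolated copy that is
    recent enough and known to restore."""
    issues = []
    if len(copies) < 3:
        issues.append("fewer than 3 copies of the data")
    if len({c.media for c in copies}) < 2:
        issues.append("fewer than 2 media types")
    if not any(c.offsite for c in copies):
        issues.append("no offsite copy")

    survivors = surviving_copies(copies)
    if not survivors:
        issues.append("no copy is isolated (offline/immutable) from the production network")

    rpo = recovery_point_days(copies)
    if rpo is None or rpo > max_age_days:
        issues.append(f"newest surviving copy is {rpo} day(s) old, limit is {max_age_days}")

    for c in survivors:
        if not c.restore_tested:
            issues.append(f"surviving copy '{c.name}' has never had a test restore")

    return {
        "survivors": [c.name for c in survivors],
        "rpo_days": rpo,
        "issues": issues,
        "acceptable": not issues,
    }


# Constructed from the lab narrative: production data, a primary backup on a
# network-attached server on the same flat network, and a 2-week-old offsite tape.
PRODUCTION = DataCopy("production", "disk", False, True, False, 0, True)
RIDGECREST = [
    PRODUCTION,
    DataCopy("nas_backup", "disk", False, True, False, 1, False),
    DataCopy("offsite_tape", "tape", True, False, False, 14, False),  # test flag assumed
]

# Constructed recommended design: daily backups to a disk target on a separate
# backup network, plus daily copies to immutable (retention-locked) offsite storage,
# both exercised by verification restores.
RECOMMENDED = [
    PRODUCTION,
    DataCopy("isolated_disk", "disk", False, False, False, 1, True),
    DataCopy("offsite_immutable", "object-storage", True, True, True, 1, True),
]

if __name__ == "__main__":
    for label, plan in (("Ridgecrest as-built", RIDGECREST), ("Recommended", RECOMMENDED)):
        print(label, assess_backup_plan(plan))
```

Note that the as-built plan satisfies the bare 3-2-1 count (three copies, disk and tape, one offsite), yet the only survivor is the 14-day-old tape, which is exactly the lab's outcome. The isolation, freshness and test-restore checks are what turn "3-2-1" from a checkbox into a layer that holds.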
Step 6: Written Response
Write the Remediation Priority Plan
Write a prioritized remediation plan listing the top 3 fixes in order of urgency. For each, name the layer, the specific action, and which attack step it blocks.
Key terms: MFA, enforce, mandatory, segmentation, VLAN, training, backup, offline, patch, update, exempt, revoke, email, threshold
Model: Priority 1: MFA — enforce on ALL accounts with zero exemptions — blocks VPN credential abuse (step 3). Priority 2: Network segmentation — deploy VLANs isolating billing, clinical, and admin zones — blocks lateral movement (step 4). Priority 3: Mandatory training — require completion with verification, not optional — blocks credential entry on phishing sites (step 2).
Exam Tip: Prioritize by attack chain impact: MFA blocks the pivot point, segmentation contains damage, training reduces initial compromise. Address the most impactful gap first.
AP Cybersecurity 2.2 Lab | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board.