AP Cybersecurity Unit 2 Lesson 5 Exercise 1
Exercise 1 — Access Control Models
6 questions — Evaluate access control strategies and identify misconfigurations
Ridgecrest Community Hospital is overhauling its access control system after an audit found that 40% of employees have excessive permissions. Nurses can access billing data, billing clerks can view clinical records, and three former employees still have active accounts. You are reviewing six access control decisions.
(A) Incorrect — separation of duties concerns dividing critical tasks between multiple people, not permission scope.
(C) Incorrect — ALL the excess permissions violate need-to-know, not just pharmacy access.
(D) Incorrect — MAC is a valid model but the specific principle violated here is least privilege (too much access for the role).
(A) Incorrect — custom permission sets per user undermine the standardization that makes RBAC effective and auditable.
(C) Incorrect — starting with maximum access and removing permissions later violates least privilege and creates a window of excessive access.
(D) Incorrect — manager guesses are subjective and inconsistent; RBAC defines permissions by role, not by individual judgment.
(A) Incorrect — password strength is irrelevant; the accounts should not exist at all.
(C) Incorrect — even with segmentation, active credentials are a vulnerability; the root issue is the active account.
(D) Incorrect — encryption protects data at rest/transit; it does not prevent an authenticated user from accessing the application.
(A) Incorrect — MFA applies to every authentication, not just the first daily login.
(C) Incorrect — MFA does not hide usernames; it adds a second verification step after the password.
(D) Incorrect — MFA tokens regenerate continuously; there is no 24-hour expiration window that reverts to password-only.
(A) Incorrect — the pharmacist may legitimately need ordering access; the issue is that she ALSO has approval authority for her own orders.
(B) Incorrect — MAC classifies data by sensitivity; it does not enforce multi-person workflows.
(D) Incorrect — SSO simplifies authentication; it does not enforce dual-person authorization for transactions.
/ehr/billing to /ehr/admin. The admin panel gives her full control over user accounts, including the ability to create new admin accounts. This vulnerability is called:(A) Incorrect — modifying a URL path is not SQL injection; SQL injection targets database queries.
(B) Incorrect — URL modification is not XSS; XSS involves injecting executable scripts into web pages.
(D) Incorrect — DNS spoofing redirects domain names to wrong IPs; this is a URL path manipulation within the same application.
AP® is a registered trademark of the College Board, which was not involved in the production of this content.
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]