AP Cybersecurity Unit 2 Lesson 5 Lab

Unit 2 • 2.5 • Lab

Lab — Operation Gatekeeper: Access Control Breach Investigation

6 steps, 30 points — Mixed formats: matching, fill-blank, select-all, MCQ, and written analysis

Score: 0 / 30Each step uses a different assessment format
Investigation Target
Catalyst Biotech Labs

An intern at Catalyst downloaded $400M in proprietary gene therapy formulas. The intern’s role should have limited access to the general research library only. Your investigation traces how access control failures enabled the breach: wrong role assignment, overly broad permissions, no access reviews, and no exfiltration controls.

Step 1Matching
Classify the Access Control Failures
Three failures enabled the breach. Match each to the access control principle it violates.
Think first: Least privilege = minimum access. Separation of duties = split critical tasks. Lifecycle = manage accounts birth-to-death.
Intern assigned “Researcher” role instead of “Intern” role, granting access to all research databases
14 employees changed roles over 18 months but retained all old permissions alongside new ones
8 former employees still have active accounts 6+ months after departure
Wrong role = Least Privilege (too much access for the job). Accumulated permissions = Least Privilege (privilege creep). Orphaned accounts = Account Lifecycle (failed offboarding). Note: both 1 and 2 are least privilege violations — one from initial assignment, one from accumulation over time.
Exam Tip: Least privilege failures come in two forms: wrong initial assignment (too much from day 1) and privilege creep (accumulation over time without cleanup). Regular access reviews catch both.
Step 2Fill in the Blank
Complete the Access Control Vocabulary
Fill in each blank with the correct access control term.
Think first: These terms describe how access controls are organized and enforced.

Assigning permissions to job titles rather than individuals is called access control (RBAC).

The gradual accumulation of excess permissions as employees change roles is called privilege .

Proving your identity with a password is . Verifying what you are allowed to do is authorization.

Requiring two different credential types (password + phone) is authentication.

Accounts that belong to former employees but were never disabled are called accounts.

Answers: (1) role-based. (2) creep. (3) authentication. (4) multi-factor. (5) orphaned (also accept: dormant, stale).
Exam Tip: Key vocabulary: RBAC (scalable permission management), privilege creep (accumulation without cleanup), authentication vs authorization (identity vs permissions), MFA (multiple factor types), orphaned accounts (active credentials with no legitimate owner).
Step 3Select All That Apply
Identify What the Intern Could Access
The intern was assigned the “Researcher” role. Select ALL systems this role grants access to that the intern should NOT have had.
Think first: An intern needs general library and training materials only. Everything else is excessive.
Excessive: Proprietary research (A), clinical trial data (C), patent applications (D), other teams’ data (F). Appropriate: General library (B) and training materials (E) are the only resources an intern legitimately needs.
Exam Tip: The “Researcher” role granted access to everything a senior scientist needs. An “Intern” role should be scoped to general/public resources only. This is why granular role definitions matter.
Step 4Multiple Choice
Identify the Root Process Failure
The intern was assigned the wrong role. Who is MOST likely responsible, and what process failed?
Predict first: Role assignment happens during onboarding. What step in that process broke down?
B is correct. Most role misassignments are human errors in the onboarding workflow — the wrong box checked on a form, a miscommunication between HR and IT. The fix is a verification step where IT cross-checks the requested role against the job description before provisioning.
Exam Tip: Most access control failures are PROCESS failures (wrong role requested, no verification), not TECHNICAL failures (system bugs). Fix the process: require job-description-to-role verification before any account is provisioned.
Step 5Analysis
Evaluate the Exfiltration Controls
The intern downloaded 2.1 GB to a personal USB drive. The workstation had no USB restrictions, no DLP, and no download monitoring.
5a. Even with correct database access, which control should have prevented the USB exfiltration?
5b. Explain why database authorization alone is insufficient to prevent data theft.
Key terms: endpoint, USB, DLP, download, monitor, copy, removable, egress, multiple layers, beyond database
B is correct. USB port restrictions prevent copying to removable media. DLP monitors and blocks bulk data transfers. Why authorization alone fails: Even correctly authorized users can abuse their access. Data protection requires controls at multiple points: database access (authorization), download monitoring (DLP), and physical media (USB restrictions). A user with legitimate read access can still steal data if no egress controls exist.
Exam Tip: Data protection requires defense-in-depth: authorization controls WHO can access, DLP controls HOW MUCH they can download, and USB restrictions control WHERE they can copy it. All three are needed.
Step 6Written Response
Write the Remediation Plan
Write four specific fixes that address each failure in the access control chain: role assignment, permission scope, access reviews, and exfiltration prevention.
Key terms: verify, job description, role, project-scoped, sub-role, quarterly, review, certify, DLP, USB, restrict, monitor, download, alert, bulk, offboard
Model: Fix 1: Verified onboarding — IT cross-checks requested role against job description before provisioning. Fix 2: Project-scoped sub-roles — split “Researcher” into project-specific roles so gene therapy researchers cannot see oncology data. Fix 3: Quarterly access certification — managers review each report’s permissions and confirm they match current responsibilities. Fix 4: Endpoint controls — deploy DLP monitoring on all workstations, restrict USB ports to IT-approved devices only, and alert on bulk downloads exceeding 500 MB.
Exam Tip: Access control remediation must address every link in the failure chain: provisioning (how accounts are created), scope (how broad permissions are), maintenance (how often they are reviewed), and egress (how data leaves the organization).
Total Points
Quiz 2.5 →Course Hub
AP Cybersecurity 2.5 Lab | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board.

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]