Topic 3.1 Lab: Operation Baseline | Network Recon | AP Cybersecurity

Unit 3 • 3.1 • Lab

Lab — Operation Baseline: Network Reconnaissance Investigation

6 steps, 30 points — Mixed formats: matching, fill-blank, select-all, MCQ, and written analysis

Score: 0 / 30Each step uses a different assessment format
Investigation Target
NovaTech Solutions

NovaTech hired your firm to conduct a network reconnaissance assessment. Using only passive and active scanning techniques, you mapped the entire corporate network in 4 hours. Your findings reveal critical architecture weaknesses, forgotten systems, and excessive attack surface. Present your findings across 6 investigation steps.

Step 1Matching
Classify Scan Findings by OSI Layer
Your scans revealed three types of information. Match each finding to the OSI layer where it operates.
Think first: L2 = MAC/switches. L3 = IP/routing. L7 = applications/services.
14 IP subnets with routing between them (10.10.0.0/24 through 10.10.13.0/24)
47 web servers running Apache 2.4.49 with known CVE-2021-41773 path traversal
8 unmanaged switches with no 802.1X port authentication discovered via MAC scan
IP subnets/routing = Layer 3 (Network). Web server versions/CVEs = Layer 7 (Application). Unmanaged switches/MAC = Layer 2 (Data Link). Each finding requires a different remediation approach at its respective layer.
Exam Tip: Network recon findings map to OSI layers: MAC/switch issues at L2, IP/routing at L3, application vulnerabilities at L7. This determines which team (network, server, application) owns the remediation.
Step 2Fill in the Blank
Complete the Scan Methodology
Fill in the correct scanning term for each technique used during the assessment.
Think first: Each term describes a specific recon technique.

Scanning 65,535 TCP ports on each host to find open services is called a scan.

Identifying the operating system and software versions running on a host is called service/OS .

Mapping the network topology by tracing the path packets take between routers is called .

Monitoring network traffic without sending any packets (just listening) is called reconnaissance.

The total number of entry points discovered during scanning defines the organization’s attack .

Answers: (1) port scan. (2) fingerprinting. (3) traceroute. (4) passive. (5) surface.
Exam Tip: Recon techniques: port scanning (find services), fingerprinting (identify software), traceroute (map topology), passive listening (monitor without detection). Together they define the attack surface.
Step 3Select All That Apply
Identify Forgotten/Shadow Systems
Your scan found devices NovaTech’s IT team did not know about. Select ALL that qualify as shadow IT or forgotten systems.
Think first: Shadow IT = systems deployed without IT security team knowledge or approval.
Shadow/forgotten: Raspberry Pi (A), decommissioned server (B), personal NAS (D), test database with prod data (E). Not shadow IT: Production web server (C) and managed switch (F) are documented and known.
Exam Tip: Shadow IT and forgotten systems are among the most dangerous findings because they are unpatched, unmonitored, and often have default or weak credentials. Every network assessment should inventory ALL connected devices.
Step 4Multiple Choice
Identify the Highest-Risk Finding
Your recon found: 47 web servers with a known CVE, 8 unmanaged switches, 4 shadow IT devices, and 312 unnecessary open ports across 50 servers. Which is MOST critical?
Predict first: Which finding gives an attacker the easiest path to compromise with the broadest impact?
B is most critical. CVE-2021-41773 has a published exploit enabling remote code execution on 47 servers without authentication. An attacker can download the exploit and run it immediately. Open ports (A) require additional exploitation. Unmanaged switches (C) require physical access. Shadow IT (D) is fewer devices with unknown risk.
Exam Tip: Prioritize by: (1) exploit availability (published CVE = immediate risk), (2) authentication required (none = trivial to execute), (3) scale (47 servers = massive blast radius), (4) impact (RCE = complete server compromise).
Step 5Analysis
Evaluate the Attack Surface Reduction Plan
NovaTech proposes: “We will close the 312 unnecessary ports and consider the network hardened.”
5a. Select why this plan is insufficient:
5b. Write a comprehensive attack surface reduction plan covering ALL findings.
Key terms: patch, CVE, update, Apache, port, close, disable, switch, manage, 802.1X, shadow, remove, decommission, inventory, scan, regular, baseline
B is correct. Closing ports is one of four needed actions. Complete plan: (1) Patch all 47 Apache servers to fix CVE-2021-41773 immediately. (2) Close 312 unnecessary ports on 50 servers. (3) Replace 8 unmanaged switches with managed ones and enable 802.1X port authentication. (4) Remove/decommission all 4 shadow IT devices and establish an ongoing asset discovery scan.
Exam Tip: Attack surface reduction requires addressing ALL findings, not just the easiest one. Prioritize by risk (CVE first), then systematically work through ports, infrastructure, and shadow IT.
Step 6Written Response
Write the Executive Summary
Write an executive summary for NovaTech’s leadership team. Include: total attack surface size, top 3 critical findings ranked by risk, and one recommended immediate action for each.
Key terms: attack surface, CVE, patch, remote code execution, port, close, hardening, shadow IT, decommission, inventory, switch, manage, 802.1X, risk, critical, high, immediate
Model: NovaTech’s network has a significant attack surface: 200+ endpoints, 50+ servers with 312 unnecessary open ports, 47 servers with a known exploitable CVE, 8 unmanaged switches, and 4 shadow IT devices. Finding 1 (Critical): 47 Apache servers with CVE-2021-41773 — patch immediately, remote code execution requires zero authentication. Finding 2 (High): 312 unnecessary open ports — close all non-essential ports within 7 days to reduce entry points. Finding 3 (High): 4 shadow IT devices with unknown risk — disconnect immediately, inventory, and establish ongoing asset discovery scanning.
Exam Tip: Executive summaries for non-technical audiences: lead with scale (how big is the problem), prioritize by business impact (what could happen), and give specific actions (not just “fix it”). One sentence per finding, one action per finding.
Total Points
Quiz 3.1 →Course Hub
AP Cybersecurity 3.1 Lab | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board.
AP Cybersecurity · Unit 3 · Lesson 3.1 · Lab

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]