AP Cybersecurity Unit 3 Lesson 6 Lab

Unit 3 • 3.6 • Lab

Lab — Operation Cipher Sweep: Protocol Security Audit

6 steps, 30 points — Mixed formats: matching, fill-blank, select-all, MCQ, and written analysis

Score: 0 / 30Each step uses a different assessment format
Investigation Target
Meridian Energy Grid

Your team deployed network sensors across Meridian’s corporate office, SCADA operations center, and customer billing portal. You have 48 hours of packet captures revealing FTP credentials in plaintext, unencrypted Modbus commands to substations, HTTP-to-HTTPS redirect vulnerability, and Telnet root access to SCADA servers. Audit all findings.

Step 1Matching
Map Insecure Protocols to Secure Replacements
Match each insecure protocol found in the audit to its secure replacement.
Think first: Each insecure protocol has a direct encrypted replacement that provides the same functionality.
FTP (port 21) — plaintext file transfers with visible credentials
HTTP (port 80) — unencrypted web traffic on billing portal
Telnet (port 23) — plaintext remote management of SCADA servers
FTP → SFTP (encrypted file transfer over SSH). HTTP → HTTPS (encrypted web traffic over TLS). Telnet → SSH (encrypted remote terminal). Each replacement encrypts the same functionality.
Exam Tip: Protocol replacement pattern: FTP→SFTP, HTTP→HTTPS, Telnet→SSH, DNS→DoH/DoT. The secure version adds encryption to the same communication type.
Step 2Fill in the Blank
Complete the Protocol Security Concepts
Fill in the correct protocol/security term for each blank.
Think first: These describe how secure protocols protect data in different ways.

HTTPS wraps HTTP inside a tunnel to encrypt all data between browser and server.

A browser warning that a certificate has expired means the server’s cannot be verified.

An attacker intercepting an HTTP-to-HTTPS redirect to keep the user on the unencrypted site is performing SSL .

The technology that tells browsers to ALWAYS use HTTPS, eliminating the initial HTTP request, is called .

During the TLS handshake, the client and server establish a shared key for encrypting the session.

Answers: (1) TLS. (2) identity. (3) stripping. (4) HSTS (HTTP Strict Transport Security). (5) session.
Exam Tip: TLS encrypts transport. Certificates verify identity. SSL stripping exploits the HTTP→HTTPS redirect. HSTS eliminates the redirect entirely. Session keys encrypt the actual data after the handshake.
Step 3Select All That Apply
Identify All Risks From Telnet on SCADA
Meridian engineers use Telnet to manage SCADA servers with root access. Select ALL data an attacker could capture from a Telnet session.
Think first: Telnet transmits EVERYTHING in plaintext. What does a root management session contain?
Correct: Root password (A), all commands (B), all output (C), and enough to replicate the session (E). Wrong: Physical location (D) is not transmitted in a Telnet session.
Exam Tip: Telnet on SCADA = worst case. Root credentials + commands + output in plaintext = complete replay capability for the attacker. SSH encrypts all of this, making interception useless.
Step 4Multiple Choice
Prioritize the Remediation Order
Four insecure protocols found: FTP, Telnet on SCADA, HTTP redirect on billing, unencrypted Modbus. Rank by urgency. Which should be fixed FIRST?
Predict first: Which protocol creates the highest-impact risk if exploited?
C is correct. Telnet root access to SCADA combines maximum privilege (root) with maximum impact (power grid control) and maximum exposure (plaintext). A compromised SCADA server could cause physical harm. Protocol age (D) is irrelevant to urgency — impact determines priority.
Exam Tip: Prioritize by IMPACT, not by user count or protocol age. SCADA/critical infrastructure always ranks above corporate IT. Telnet + root + SCADA = immediate, highest-priority remediation.
Step 5Analysis
Evaluate the SSL Stripping Risk
The billing portal redirects HTTP to HTTPS. A MitM attacker could intercept the initial HTTP request and prevent the redirect, keeping customers on unencrypted HTTP.
5a. Select the defense that eliminates this vulnerability:
5b. Explain why HSTS is more effective than simply redirecting HTTP to HTTPS.
Key terms: preload, browser, hardcode, first request, initial, eliminate, redirect, intercept, strip, before, never, HTTP
B is correct. HSTS preloading tells browsers to ALWAYS use HTTPS for a domain, hardcoded at the browser level. Why it beats redirects: A redirect still makes the first request over HTTP — that first request is the interception point for SSL stripping. HSTS eliminates the initial HTTP request entirely, so there is nothing for the attacker to intercept. The browser never sends an unencrypted request.
Exam Tip: HSTS preloading is the definitive fix for SSL stripping. The redirect vulnerability exists in that brief first HTTP request. HSTS eliminates it. Standard HSTS trusts-on-first-use; preloading hardcodes it permanently.
Step 6Written Response
Write the Protocol Migration Plan
Write a protocol migration plan for Meridian that prioritizes by risk and maps each insecure protocol to its replacement. Include timelines.
Key terms: Telnet, SSH, SCADA, root, FTP, SFTP, HTTP, HTTPS, HSTS, TLS, Modbus, encrypt, immediate, 30 days, 60 days, priority, migrate, replace
Model: Priority 1 (Immediate): Telnet → SSH on all SCADA servers — root plaintext access to critical infrastructure is the highest risk. Priority 2 (30 days): HTTP → HTTPS + HSTS preloading on billing portal — customer financial data in transit. Priority 3 (60 days): FTP → SFTP for corporate file transfers — credentials and data exposed in transit. Priority 4 (90 days): Evaluate Modbus/TLS or VPN encapsulation for SCADA protocol encryption — requires careful testing to avoid operational disruption to substations.
Exam Tip: Protocol migration: prioritize by impact (SCADA > customer-facing > corporate), then by complexity (SSH replacement is straightforward; Modbus encryption requires OT testing). Never rush changes to industrial control systems without thorough testing.
Total Points
Quiz 3.6 →Course Hub
AP Cybersecurity 3.6 Lab | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board.
AP Cybersecurity · Unit 3 · Lesson 3.6 · Lab

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]