AP Cybersecurity Unit 4 Case File 4: Lock the Endpoint

AP Cybersecurity • Unit 4 • Case File 04

Lock the Endpoint

You are responding for Vantage Health after a clinician laptop with patient access was stolen. Assess the exposure and lock down the fleet.

Points: 0 / 12

Case closed.

You locked down the endpoint. Finish the report, then take the cold case.

Case briefing

A laptop with patient access was stolen from a car. Work the malware, authentication, hardening, and detection questions and decide what is most urgent.

Stage 1 • Device Vulnerabilities

Identify the malware

CED 4.1.A • Lesson: Malware Types

Software that encrypts the clinic files and demands payment for the key.

A program disguised as a legitimate PDF reader that opens a backdoor once installed.

Code that copies itself across the network to other machines with no user action.

Malware A

Malware B

Malware C

Stage 2 • Authentication

Judge the login factors

CED 4.2.A • Lesson: Authentication (four factors)

A password plus a PIN. Is that true multi-factor?

Which factor category does a fingerprint belong to?

A password plus a code from an authenticator app uses how many distinct factor categories?

Stage 3 • Authentication

Why hashing matters

CED 4.2 • Lesson: Why passwords are hashed

Recovered file

The stolen laptop held the app password file. It contained only hashes, not readable passwords.

Should well-stored passwords be plaintext, hashed, or reversibly encrypted?

If the file holds only hashes, why can the thief not read the actual passwords?

Stage 4 • Protecting Devices

Pick the protections

CED 4.3.A • Lesson: Protecting Devices (patching matters most)

Which core device protection most directly closes known, actively exploited vulnerabilities?

Which control most directly addresses malware running on the device?

Stage 5 • Detecting Attacks on Devices

Read the device log

CED 4.4.A • Lesson: Detecting Device Attacks

Host log

single account, 380 failed password attempts in 60 seconds, then 1 success

What attack does that pattern show?

Detection that watches for unusual behavior rather than a known file is called what?

Analyst's report

Name the single most urgent exposure with a reason, then give one control for each issue.

Model answer. The most urgent exposure is that a device with patient access can be reached if authentication is weak, so enforce real multi-factor authentication using factors from different categories. It leads.

Controls: real multi-factor authentication on the device and app; confirm the password file is stored hashed, not plaintext; patch the fleet promptly against known exploits; keep anti-malware current; and use behavior-based detection to catch the brute-force pattern in the logs.

Cold case

The worm in Stage 1 changes nothing on disk but spreads over the network. Which detection source, host logs or network monitoring, is most likely to catch it?

Field glossary (terms from the lessons)

malwareviruswormtrojanransomwarespywarerootkitauthentication factorsomething you knowsomething you havesomething you aresomewhere you aremulti-factorhashingpatchinganti-malwarebrute forcebehavior-based detection

← Unit 4 Hub Course Guide

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Typically responds within 24 hours

✓

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

Name *

Email *

I am a... (optional)

Which course? (optional)

Phone (optional)

How did you find us? (optional)

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Message (optional — leave blank if just subscribing)

✉

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

⏱

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]