Exercise 1 drilled single-factor classification. Exercise 2 pushes you into realistic breach-analysis territory: which attack defeated which defense, what layered fix would have stopped it, and how to read an audit finding critically.
Strategy: identify the ONE detail that eliminates each distractor — slash the trash. Every wrong option here was written to pass a casual read.
✎ Applied Challenge — 4 Questions
Question 1 of 4 — Multi-Select Fix EvaluationReview the Uber 2022 breach summary from Lesson 4.3 (credential reuse + push-MFA fatigue + hardcoded admin creds in a PowerShell script). Which of the following defensive changes would have independently stopped or materially contained this attack chain? Select ALL that apply. No credit for selecting incorrect options.
Question 2 of 4 — Spot the Error in the Audit FindingAn internal auditor submitted this finding. Which statement in the finding is INCORRECT and should be revised?
FINDING #2024-18: Authentication Posture Review
Severity: MEDIUM
Scope: Payroll System
Observations:
(A) The payroll system uses RBAC. All "Payroll Clerk" roles
inherit the same permission set. This is a textbook RBAC
implementation, but scaling problems are now visible:
one role now contains 47 distinct permissions, suggesting
role explosion that should be refactored into sub-roles.
(B) MFA is required, with SMS as the second factor. NIST 800-63
classifies SMS as the weakest verifier and it should be
replaced with an authenticator app or hardware key.
(C) The "Super User" account is shared across three administrators.
This violates individual accountability and should be replaced
with per-administrator privileged accounts.
(D) Password history is enforced (24 passwords).
MFA is layered on top, so password history alone is insufficient
and the finding recommends also rotating shared secrets.
Question 3 of 4 — SSO TradeoffA small company is debating whether to deploy SSO for its 30 internal applications. The security team supports it, but the CEO worries about putting “all the eggs in one basket.” Which statement BEST captures the real security tradeoff SSO introduces?
Question 4 of 4 — MFA Is Not a Silver BulletA user is phished via a convincing fake login page. The page is actually a real-time proxy: it forwards the victim’s password to the genuine site, prompts the victim for their TOTP code, forwards that too, and then captures the resulting session cookie for the attacker to use. Which statement BEST explains why MFA did NOT stop this attack?
0 / 4Questions correct — review any incorrect answers, then move to the Lab.
🚀 Extension Challenge
Pick ONE of the four access control models (DAC, MAC, RBAC, ABAC) and design an access policy for a school-district student information system. Your policy should specify: (1) which identities exist (students, teachers, admins, parents), (2) which resources they can access, (3) under what conditions, and (4) one scenario where your chosen model fails — and what you would switch to.
This mirrors an AP FRQ-style scenario question and forces you to think about access as a design choice, not just a definition.
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed.
Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Typically responds within 24 hours
✓
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.