4.3 Exercise 2: Applied Authentication Challenge

🎯 Before You Start

Exercise 1 drilled single-factor classification. Exercise 2 pushes you into realistic breach-analysis territory: which attack defeated which defense, what layered fix would have stopped it, and how to read an audit finding critically.

Strategy: identify the ONE detail that eliminates each distractor — slash the trash. Every wrong option here was written to pass a casual read.

✎ Applied Challenge — 4 Questions
Question 1 of 4 — Multi-Select Fix Evaluation Review the Uber 2022 breach summary from Lesson 4.3 (credential reuse + push-MFA fatigue + hardcoded admin creds in a PowerShell script). Which of the following defensive changes would have independently stopped or materially contained this attack chain? Select ALL that apply. No credit for selecting incorrect options.
Question 2 of 4 — Spot the Error in the Audit Finding An internal auditor submitted this finding. Which statement in the finding is INCORRECT and should be revised?
FINDING #2024-18: Authentication Posture Review
Severity: MEDIUM
Scope: Payroll System

Observations:
(A) The payroll system uses RBAC. All "Payroll Clerk" roles
    inherit the same permission set. This is a textbook RBAC
    implementation, but scaling problems are now visible:
    one role now contains 47 distinct permissions, suggesting
    role explosion that should be refactored into sub-roles.
(B) MFA is required, with SMS as the second factor. NIST 800-63
    classifies SMS as the weakest verifier and it should be
    replaced with an authenticator app or hardware key.
(C) The "Super User" account is shared across three administrators.
    This violates individual accountability and should be replaced
    with per-administrator privileged accounts.
(D) Password history is enforced (24 passwords).
    MFA is layered on top, so password history alone is insufficient
    and the finding recommends also rotating shared secrets.
Question 3 of 4 — SSO Tradeoff A small company is debating whether to deploy SSO for its 30 internal applications. The security team supports it, but the CEO worries about putting “all the eggs in one basket.” Which statement BEST captures the real security tradeoff SSO introduces?
Question 4 of 4 — MFA Is Not a Silver Bullet A user is phished via a convincing fake login page. The page is actually a real-time proxy: it forwards the victim’s password to the genuine site, prompts the victim for their TOTP code, forwards that too, and then captures the resulting session cookie for the attacker to use. Which statement BEST explains why MFA did NOT stop this attack?
0 / 4 Questions correct — review any incorrect answers, then move to the Lab.
🚀 Extension Challenge

Pick ONE of the four access control models (DAC, MAC, RBAC, ABAC) and design an access policy for a school-district student information system. Your policy should specify: (1) which identities exist (students, teachers, admins, parents), (2) which resources they can access, (3) under what conditions, and (4) one scenario where your chosen model fails — and what you would switch to.

This mirrors an AP FRQ-style scenario question and forces you to think about access as a design choice, not just a definition.

AP Cybersecurity · Unit 4 · Lesson 4.3 · Exercise 2
LessonExercise 1Exercise 2Quiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]