5.1 Exercise 2: Applied Breach Analysis

AP Cybersecurity · Unit 5 · Topic 5.1 · Exercise 2

Applied Breach Analysis: The Mercer Financial Incident

Real breaches rarely involve one vulnerability. They chain together. Follow the Mercer Financial attack timeline, classify each stage, and identify which control would have broken the chain earliest.

6 questions · ~18 min · Scored · Applied

How This Exercise Works

Scenario: Mercer Financial is a fictitious mid-size SaaS company. The breach timeline described below is composited from real incidents (Target 2013, LastPass 2022, Equifax 2017).

Your job: For each step in the timeline, classify the OWASP category that applies, then identify the earliest control that would have broken the attack chain.

Predict-first rule: Commit to your category before reading the options. This is what the AP exam rewards.

Question 1
Mercer Financial's SaaS platform is breached. The security team reconstructs this timeline:

Step 1 (Day 1): An employee receives a phishing email and enters their corporate password on a fake login page.
Step 2 (Day 1): The attacker logs in to the corporate VPN successfully — no MFA was enforced.

You are asked to classify Step 2 specifically. Which category best describes the Step 2 failure?
✎ Predict before reading options. Commit to a category first.
Exam Tip: Single-factor authentication when multi-factor should have been required = Broken Authentication. The enabler was Unit 1 phishing; the failure at this step is auth.
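To make the Step 2 failure concrete, here is an added example (not part of the original exercise, and not Mercer's code) of what "MFA enforced" means at the VPN login decision. It implements the standard TOTP algorithm (RFC 6238, HMAC-SHA1, 30-second step) and a login function with a `require_mfa` switch; the secret, the timestamps, and the `vpn_login` signature are all constructed for illustration. With the switch off, a phished password alone is accepted, which is exactly the Mercer configuration.

```python
import hashlib
import hmac
import struct
from typing import Optional


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Compute an RFC 6238 TOTP code (HMAC-SHA1) for the given Unix time."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate clock drift."""
    candidates = (totp(secret, now + i * 30) for i in range(-window, window + 1))
    # Constant-time comparison so a wrong code cannot be distinguished by timing.
    return any(hmac.compare_digest(c, code) for c in candidates)


def vpn_login(password_ok: bool, totp_code: Optional[str], secret: bytes,
              now: float, require_mfa: bool) -> bool:
    """Hypothetical VPN login decision: password first, then (optionally) TOTP."""
    if not password_ok:
        return False
    if not require_mfa:
        # Mercer's Step 2 configuration: a phished password is sufficient.
        return True
    return totp_code is not None and verify_totp(secret, totp_code, now)


if __name__ == "__main__":
    # Constructed demo values; the RFC 6238 test secret is used for the code.
    secret = b"12345678901234567890"
    print("code at T=59:", totp(secret, 59))
    print("phished password, MFA off:", vpn_login(True, None, secret, 59, False))
    print("phished password, MFA on :", vpn_login(True, None, secret, 59, True))
```

The point the exam tip makes is the last two lines: identical attacker, identical stolen password, and the only thing that changes the outcome is whether the second factor is required at this step.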
Question 2
Mercer timeline continues:

Step 3 (Day 2): The attacker, now inside the VPN, accesses an internal web portal. They add ' UNION SELECT password_hash FROM users -- to a report filter field. The application concatenates this into its SQL query. The attacker gets a dump of every password hash in the user table.

Which category applies to Step 3?
✎ Predict before reading options. Commit to a category first.
Exam Tip: Step classifications are about the vulnerability, not the consequence. Password exposure is the result; SQLi is the flaw.
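The Step 3 flaw is a code-level one, so here is an added example (constructed for this page, not Mercer's portal code) showing the vulnerable pattern the narrative describes beside its fix. The schema, the sample rows and the function names are assumptions; the filter string is the one quoted in Step 3. The vulnerable function builds the query by string concatenation, so the filter text is parsed as SQL; the safe version binds it as a parameter, so the same input can only be compared against the `region` column.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the portal's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE reports (id INTEGER PRIMARY KEY, title TEXT, region TEXT);
        INSERT INTO users   VALUES (1, 'alice', 'hash-alice'), (2, 'bob', 'hash-bob');
        INSERT INTO reports VALUES (1, 'Q1 revenue', 'EMEA'), (2, 'Q2 revenue', 'APAC');
        """
    )
    return conn


def report_titles_vulnerable(conn: sqlite3.Connection, region_filter: str) -> list:
    """The Step 3 defect: the filter value is spliced into the SQL text."""
    sql = f"SELECT title FROM reports WHERE region = '{region_filter}'"
    return [row[0] for row in conn.execute(sql)]


def report_titles_safe(conn: sqlite3.Connection, region_filter: str) -> list:
    """The fix: a parameterized query. The value never becomes part of the SQL."""
    rows = conn.execute("SELECT title FROM reports WHERE region = ?", (region_filter,))
    return [row[0] for row in rows]


# The filter string from the Step 3 narrative.
PAYLOAD = "' UNION SELECT password_hash FROM users --"

if __name__ == "__main__":
    db = build_db()
    print("normal filter, safe :", report_titles_safe(db, "EMEA"))
    print("Step 3 input, vuln  :", report_titles_vulnerable(db, PAYLOAD))
    print("Step 3 input, safe  :", report_titles_safe(db, PAYLOAD))
```

Note what the safe version returns for the Step 3 input: an empty list, because no report has a region literally equal to that string. That is the whole fix; no input filtering or keyword blocking is involved, which is why parameterized queries are the control the exam expects you to name.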
Question 3
Mercer timeline continues:

Step 4 (Day 2): The attacker downloads the password_hash table. The hashes are unsalted MD5. Using a $200 GPU, they crack 89% of the hashes in 4 hours.

Which category best describes the Step 4 failure?
✎ Predict before reading options. Commit to a category first.
Exam Tip: Password storage choices = Cryptographic Failures. Even if the login system itself is perfect, weak hashing makes every password breach 1000x worse.
Question 4
Mercer timeline continues:

Step 5 (Day 3): Armed with cracked passwords, the attacker logs into the CFO's account. They navigate to /reports/finance/2025. The URL works. They change it to /reports/hr/salaries and that also works — even though the CFO role shouldn't have HR access. They download 8 years of HR data.

Which category applies to Step 5?
✎ Predict before reading options. Commit to a category first.
Exam Tip: Navigating to a URL you shouldn't be allowed to see = Broken Access Control. Happens after auth, not during.
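Step 5 is what a missing per-request authorization check looks like, so here is an added example (constructed for this page, not Mercer's code) of the control that would have returned a 403 when the CFO's session reached `/reports/hr/salaries`. The role-to-path policy, the user records and the `serve` function are assumptions. Two details a practitioner would want: authorization is evaluated on every request, after authentication, not once at login; and the path is normalized before the check so that a `..` segment cannot turn a finance path into an HR one.

```python
import posixpath

# Constructed policy: which URL prefixes each role may read. Deny anything else.
ROLE_PREFIXES = {
    "cfo":        ("/reports/finance/",),
    "analyst":    ("/reports/finance/",),
    "hr_manager": ("/reports/hr/",),
}


def normalize(path: str) -> str:
    """Collapse '.', '..' and repeated slashes so the prefix check sees the real target."""
    if not path.startswith("/"):
        return "/"
    return posixpath.normpath(path)


def is_authorized(user: dict, path: str) -> bool:
    """Per-request check: does this user's role cover the requested resource?"""
    prefixes = ROLE_PREFIXES.get(user.get("role"), ())
    canon = normalize(path)
    return any(canon.startswith(p) for p in prefixes)


def serve(user: dict, path: str) -> int:
    """Hypothetical request handler returning an HTTP status code."""
    if not user.get("authenticated"):
        return 401                      # Broken Authentication territory
    if not is_authorized(user, path):
        return 403                      # the check Mercer's portal lacked
    return 200


if __name__ == "__main__":
    cfo = {"authenticated": True, "role": "cfo"}       # constructed session
    for p in ("/reports/finance/2025", "/reports/hr/salaries",
              "/reports/finance/../hr/salaries"):
        print(f"{p:40} -> {serve(cfo, p)}")
```

In the Mercer timeline the first URL and the second both returned data; with this check in place the second and third return 403, and the download in Step 5 never happens even though Steps 1 through 4 all succeeded.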
Question 5
Mercer's post-breach review uncovers additional evidence:

Additional finding: The attacker's SQL injection attempts (thousands of them, over 6 hours) were never flagged by any alerting system. No one noticed until 9 days later when cracked passwords appeared on a forum.

Which category applies to this finding?
✎ Predict before reading options. Commit to a category first.
Exam Tip: 'Attack went undetected,' 'no alerts,' 'discovered months later' = Logging and Monitoring Failures. Separate OWASP category, often invisible until the breach is already complete.
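The finding says thousands of injection attempts went unflagged, so the missing control is a detection rule over the web server's access log. This added example (constructed for this page; the log lines are made up and are not Mercer's logs) parses Apache-style lines, URL-decodes the query string, matches a few classic SQL-injection signatures, and raises an alert when one source IP produces a burst of matches inside a short window. The signatures, the threshold and the window are assumptions and would be tuned in practice.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample access log, Apache combined-style. 10.8.1.4 is the noisy source.
LOG_LINES = """\
10.8.1.4 - - [14/Mar/2025:02:11:07 +0000] "GET /portal/report?filter=EMEA HTTP/1.1" 200 5120
10.8.1.4 - - [14/Mar/2025:02:11:09 +0000] "GET /portal/report?filter=%27+UNION+SELECT+password_hash+FROM+users+-- HTTP/1.1" 200 8834
10.8.1.4 - - [14/Mar/2025:02:11:12 +0000] "GET /portal/report?filter=%27+OR+1%3D1+-- HTTP/1.1" 200 9010
10.8.1.4 - - [14/Mar/2025:02:11:15 +0000] "GET /portal/report?filter=%27+UNION+SELECT+NULL+-- HTTP/1.1" 500 312
10.8.2.9 - - [14/Mar/2025:02:12:00 +0000] "GET /portal/report?filter=APAC HTTP/1.1" 200 4990
""".splitlines()

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SQLI_SIGNATURES = [
    re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),   # the Step 3 technique
    re.compile(r"'\s*or\s+[\w']+\s*=\s*[\w']+", re.I),     # tautology
    re.compile(r"'\s*--\s*$"),                             # quote then comment-out
]


def parse_line(line: str):
    """Return (src_ip, timestamp, decoded_path_and_query, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, ts, _method, target, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return src, when, unquote_plus(target), int(status)


def looks_like_sqli(decoded_target: str) -> bool:
    return any(sig.search(decoded_target) for sig in SQLI_SIGNATURES)


def detect_sqli_bursts(lines, threshold: int = 3, window: timedelta = timedelta(minutes=10)):
    """Alert on any source with >= threshold suspicious requests inside one window.

    Returns a list of (src_ip, hit_count, first_hit_time).
    """
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and looks_like_sqli(parsed[2]):
            hits[parsed[0]].append(parsed[1])
    alerts = []
    for src, times in hits.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append((src, len(times), times[i]))
                break
    return alerts


if __name__ == "__main__":
    for src, count, first in detect_sqli_bursts(LOG_LINES):
        print(f"ALERT {src}: {count} injection-like requests starting {first.isoformat()}")
```

Note the fourth sample line: it returned a 500, which is itself a signal (malformed injected SQL usually errors before it succeeds). A rule like this one would have fired on Day 2 at the first handful of attempts; the 9-day gap in the finding is the cost of not having it.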
Question 6
Synthesis question. Given the full Mercer breach chain, which of the following controls would have broken the attack earliest?
✎ Predict before reading options. Commit to a category first.
Exam Tip: Breach-chain analysis: identify the earliest control that would have stopped everything downstream. Defense-in-depth layers are ranked by where they'd cut the chain.

