AP Cybersecurity · Unit 5 · Topic 5.5 · Exercise 2
Chained Defense Analysis: The Harbor & Bridge Credit Union Breach
Real breaches chain multiple failures together. Walk through a composite six-stage incident and for each stage identify the earliest control that would have broken the attack chain. The final question asks you to rank the controls by prevention priority.
6 Questions~18 minScoredApplied
How This Exercise Works
Scenario: Harbor & Bridge Credit Union is a fictitious regional credit union. The breach timeline is composited from real incidents (Target 2013, Capital One 2019, LastPass 2022, Dropbox 2022).
Your job: For each stage, identify the control that would have broken the attack at that point. The final question asks for the earliest break point — the control whose absence made the whole chain possible.
Predict-first rule: Trace the failure before reading options. Match the failure to its OWASP category. The answer is the control that targets that category structurally.
Score0 / 6
Question 1
Stage 1 (Day 1, 09:14 EST): Harbor & Bridge Credit Union has a public-facing customer portal. An attacker submits the following in the portal's "forgot my account number" search box:
' UNION SELECT email, password_hash FROM admin_users --
The portal's search feature concatenates the input directly into a SQL query. The attacker retrieves the entire admin_users table. Which control, if deployed before the attack, would have broken this stage?
✎ Predict: the code concatenates input into SQL. What is the root-cause fix?
Question 2
Stage 2 (Day 1, 13:47 EST): The attacker now has [email protected]'s bcrypt-hashed password. They run hashcat with a rule set and crack the password in 6 hours because the admin chose a common password (H@rborBridge2023!). They then log in to the admin portal using just this password — no second factor is required. Which control would have broken this stage?
✎ Predict: the password was cracked, but what additional requirement would have stopped the login?
Question 3
Stage 3 (Day 1, 14:22 EST): Now logged in as admin, the attacker navigates to a customer-lookup page. The page's URL is /admin/customer?id=12045. The backend runs SELECT * FROM customers WHERE id = 12045 using a parameterized query. The attacker reads thousands of customer records by iterating the id parameter. The code checks that the user is authenticated as admin but does not check any per-record access rules. Which OWASP category is this, and which control is most effective?
✎ Predict: the query is parameterized, the user is authenticated. What is still missing?
Question 4
Stage 4 (Day 2, 03:10 EST): The attacker exfiltrates ~380,000 customer records by making a customer-lookup API call ~6 times per second for 18 hours straight. The API has no rate limiting. All requests come from a single residential IP the attacker is using as a VPN exit. Which single control would most effectively have halted this exfiltration?
✎ Predict: one IP, high request volume, over 18 hours. What caps volume?
Question 5
Stage 5 (Day 3, 08:00 EST): While investigating, the incident response team finds that the attacker also planted a stored XSS payload in a customer-support ticket. The payload uses fetch() to exfiltrate session cookies from any employee who views the ticket. The browsers of two support agents executed the script; their session cookies were sent to attacker-exfil.example. The attacker replayed the cookies to impersonate those agents. Which combination of controls would have broken this stage?
✎ Predict: cookies were readable by JS, and an arbitrary external origin was reachable. Which flags and policies block this?
Question 6
Post-mortem: The incident response team is preparing a one-page recommendation for executive leadership. They must pick the single highest-priority control to implement first — the one whose absence made every subsequent stage possible. Based on the chain from Stages 1-5, which control belongs at the top of the list?
✎ Predict: trace backward through the chain. Which control's absence enabled the earliest failure?
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed.
Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Typically responds within 24 hours
✓
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.