5.5 Exercise 2: Chained Defense Analysis

AP Cybersecurity · Unit 5 · Topic 5.5 · Exercise 2

Chained Defense Analysis: The Harbor & Bridge Credit Union Breach

Real breaches chain multiple failures together. Walk through a composite six-stage incident and for each stage identify the earliest control that would have broken the attack chain. The final question asks you to rank the controls by prevention priority.

6 Questions ~18 min Scored Applied

How This Exercise Works

Scenario: Harbor & Bridge Credit Union is a fictitious regional credit union. The breach timeline is composited from real incidents (Target 2013, Capital One 2019, LastPass 2022, Dropbox 2022).

Your job: For each stage, identify the control that would have broken the attack at that point. The final question asks for the earliest break point — the control whose absence made the whole chain possible.

Predict-first rule: Trace the failure before reading options. Match the failure to its OWASP category. The answer is the control that targets that category structurally.

Score0 / 6
Question 1
Stage 1 (Day 1, 09:14 EST): Harbor & Bridge Credit Union has a public-facing customer portal. An attacker submits the following in the portal's "forgot my account number" search box:

' UNION SELECT email, password_hash FROM admin_users --

The portal's search feature concatenates the input directly into a SQL query. The attacker retrieves the entire admin_users table. Which control, if deployed before the attack, would have broken this stage?
✎ Predict: the code concatenates input into SQL. What is the root-cause fix?
Question 2
Stage 2 (Day 1, 13:47 EST): The attacker now has [email protected]'s bcrypt-hashed password. They run hashcat with a rule set and crack the password in 6 hours because the admin chose a common password (H@rborBridge2023!). They then log in to the admin portal using just this password — no second factor is required. Which control would have broken this stage?
✎ Predict: the password was cracked, but what additional requirement would have stopped the login?
Question 3
Stage 3 (Day 1, 14:22 EST): Now logged in as admin, the attacker navigates to a customer-lookup page. The page's URL is /admin/customer?id=12045. The backend runs SELECT * FROM customers WHERE id = 12045 using a parameterized query. The attacker reads thousands of customer records by iterating the id parameter. The code checks that the user is authenticated as admin but does not check any per-record access rules. Which OWASP category is this, and which control is most effective?
✎ Predict: the query is parameterized, the user is authenticated. What is still missing?
Question 4
Stage 4 (Day 2, 03:10 EST): The attacker exfiltrates ~380,000 customer records by making a customer-lookup API call ~6 times per second for 18 hours straight. The API has no rate limiting. All requests come from a single residential IP the attacker is using as a VPN exit. Which single control would most effectively have halted this exfiltration?
✎ Predict: one IP, high request volume, over 18 hours. What caps volume?
Question 5
Stage 5 (Day 3, 08:00 EST): While investigating, the incident response team finds that the attacker also planted a stored XSS payload in a customer-support ticket. The payload uses fetch() to exfiltrate session cookies from any employee who views the ticket. The browsers of two support agents executed the script; their session cookies were sent to attacker-exfil.example. The attacker replayed the cookies to impersonate those agents. Which combination of controls would have broken this stage?
✎ Predict: cookies were readable by JS, and an arbitrary external origin was reachable. Which flags and policies block this?
Question 6
Post-mortem: The incident response team is preparing a one-page recommendation for executive leadership. They must pick the single highest-priority control to implement first — the one whose absence made every subsequent stage possible. Based on the chain from Stages 1-5, which control belongs at the top of the list?
✎ Predict: trace backward through the chain. Which control's absence enabled the earliest failure?

Analysis Complete

Final Score: 0 / 6

AP Cybersecurity · Unit 5 · Lesson 5.5 · Exercise 2
LessonExercise 1Exercise 2Quiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]