AP Cybersecurity Unit 2: Securing Spaces
Unit 2: Securing Spaces
Cyber Foundations, Risk Assessment, Defense-in-Depth & Physical Security
📋 Unit 2 Contents
🎯 Learning Objectives
By the end of this unit, you will be able to:
- Identify social engineering attacks and types of adversaries
- Describe the phases of a cyberattack
- Explain the risk assessment process and strategies for managing risk
- Identify types of security controls and explain defense-in-depth
- Assess and document risks from physical vulnerabilities
- Determine mitigation strategies and detection methods for physical attacks
2.1 Cyber Foundations
This foundational topic establishes the core concepts you'll use throughout the entire AP Cybersecurity course: how adversaries operate, how to assess risk, and how to implement layered security defenses.
Social Engineering Tactics (Review & Expansion)
Building on Unit 1, here are additional social engineering tactics adversaries use:
| Tactic | Description | Example |
|---|---|---|
| Pretexting | Creating a believable reason to contact a target | "I'm calling from IT about a ticket you submitted..." |
| Authority | Impersonating someone with power or claiming to relay their instructions | "The CEO asked me to get these files immediately." |
| Consensus | Creating social pressure by making targets believe everyone else is doing it | "All other departments have already completed this form." |
| Familiarity | Pretending to be or know someone close to establish trust | "Your colleague Sarah said you could help me with this." |
Types of Adversaries
Different adversaries have different motivations, capabilities, and targets:
| Adversary Type | Motivation | Characteristics |
|---|---|---|
| Script Kiddies | Greed, desire for recognition | Low-skilled; use tools developed by others without understanding them |
| Hacktivists | Social, political, or personal causes | Compromise systems to support their cause; believe goals justify methods |
| Insider Adversaries | Greed, revenge | Have legitimate credentials and access; can be recruited by third parties |
| Cyberterrorists | Politics, beliefs | Seek to disrupt communities/nations; may attack critical infrastructure |
| Transnational Criminal Organizations | Financial gain | Deploy ransomware; steal and sell intellectual property |
Insider adversaries are unique threats because they already have legitimate credentials and access to systems and data. They don't need to break in—they're already inside. This makes them extremely difficult to detect and potentially very damaging.
The Phases of a Cyberattack
Cyberattacks aim to disrupt, harm, steal, or destroy devices, networks, or data. Adversaries typically work in phases:
Reconnaissance
Adversaries gather as much information as possible about their target, often using Open Source Intelligence (OSINT)—freely available information from websites, social media, and public records.
Initial Access
Adversaries establish a foothold on the target's computer, often through social engineering, phishing, or exploiting compromised/weak credentials.
Persistence
After gaining access, adversaries establish ways to maintain access without needing to regain it. They may use Command and Control (C2) protocols with malware like Remote Access Trojans (RATs) or rootkits.
Lateral Movement
Adversaries try to escalate their privileges by accessing other computers and user accounts with elevated permissions to services and data.
Taking Action
Adversaries act on their objectives: collecting targeted data, exfiltrating it, disrupting services, or destroying data.
Evading Detection
Many adversaries try to remove or edit log files and erase other files they may have planted (malware) to cover their tracks.
The Risk Assessment Process
Risk = Threat × Vulnerability × Asset Value
Key Definitions
- Asset: Anything valuable—financial resources, intellectual property, data, digital infrastructure, physical property, reputation
- Threat: A potential danger that could exploit a vulnerability (human adversaries or natural disasters)
- Vulnerability: A weakness or flaw that could allow an asset to be compromised
Risk Assessment Factors
Risk assessment considers two primary factors:
| Factor | Considerations |
|---|---|
| Likelihood |
|
| Severity/Impact |
|
Quantitative vs. Qualitative Assessment
Quantitative
Assigns numeric values (1-10 scale) or financial amounts ($10,000 annual risk)
Qualitative
Uses descriptive terms: Low, Medium, High, Severe
Strategies for Managing Risk
Once risk is identified and assessed, organizations have four options:
| Strategy | Description | Example |
|---|---|---|
| Avoid | Stop the activity generating the risk | Discontinuing a vulnerable legacy system |
| Transfer | Place the burden on another entity | Purchasing cyber insurance |
| Mitigate | Implement controls to reduce likelihood or impact | Installing firewalls, enabling MFA |
| Accept | Acknowledge the residual risk that remains | Accepting minor risks after mitigation |
The CIA Triad
Security controls address at least one of these three fundamental principles:
Confidentiality
Ensures that only authorized individuals, systems, or processes can access data.
Systems lacking confidentiality are vulnerable to data theft.
Integrity
Ensures data are accurate and trustworthy.
Systems lacking integrity are vulnerable to data manipulation.
Availability
Ensures data and services are accessible to authorized individuals when needed.
Systems lacking availability may experience unexpected downtime.
Types of Security Controls
By Type
🏢 Physical Controls
Provide security in physical space
- Locks and fences
- Cameras and motion sensors
- Bollards and gates
- Security guards
💻 Technical Controls
Provide security in digital space
- Firewalls
- Anti-malware software
- Encryption
- Intrusion detection systems
📋 Managerial Controls
Rules, guidelines, policies, procedures
- Password policies
- Access reviews
- Incident response plans
- Security awareness training
By Function
| Function | Purpose | Examples |
|---|---|---|
| Preventative | Stop an adversary from attacking | Locks, encryption, firewalls |
| Detective | Identify attacks when they occur | IDS, cameras, SIEM systems |
| Corrective | Fix problems and restore systems | Patching, IPS, backups |
Defense-in-Depth
- Addresses different threats: Each control is suited to mitigate specific types of attacks
- Provides resilience: When one control fails, others continue to protect
- Creates layers: Human, physical, network, device, application, and data layers
Layer 1 (Physical): Server room with locked door and badge access
Layer 2 (Network): Firewall blocking unauthorized traffic
Layer 3 (Device): Anti-malware and OS hardening
Layer 4 (Application): Input validation and secure coding
Layer 5 (Data): Encryption of sensitive data at rest
Layer 6 (Managerial): Access control policies and regular audits
2.2 Physical Vulnerabilities and Attacks
Physical security is often the first line of defense. An adversary with physical access to devices can bypass many technical controls.
Common Physical Attacks
🚶 Tailgating
An adversary gains unauthorized access to a restricted area by following close behind an authorized individual without that person's awareness or knowledge.
The adversary is undetected—the authorized person doesn't know they're being followed.
🚪 Piggybacking
An adversary uses social engineering to manipulate an authorized individual to grant them access. Common tactics include:
- Carrying something large to get someone to hold the door
- Pretending to have forgotten their access badge
- Impersonating maintenance personnel
Unlike tailgating, the authorized person knowingly (but mistakenly) allows access.
👀 Shoulder Surfing
An adversary watches as a user accesses sensitive information (like entering a password or PIN) so the adversary can use it later. Sometimes they use a camera to record for later analysis.
🗑️ Dumpster Diving
An adversary goes through a target's physical trash looking for useful information: documents, notes, discarded devices, or anything that could aid an attack.
💳 Card Cloning
An adversary makes a copy of an authorized user's access card so they can gain access to all resources the user is authorized to access.
How Physical Vulnerabilities Are Exploited
| Vulnerability | Potential Exploitation | Impact |
|---|---|---|
| Unlocked server room | Direct access to critical systems | Data theft, malware installation, system destruction |
| Exposed USB ports | Plug in keylogger or malware-laden drive | Credential theft, remote access |
| Accessible power systems | Cut power or damage electrical equipment | Denial of service, data loss |
| Unmonitored entry points | Tailgating or unauthorized entry | Physical presence enables many attacks |
Assessing Physical Risk
| Risk Level | Characteristics | Example Scenario |
|---|---|---|
| HIGH | Sensitive info/systems exposed in physical spaces without controlled access | Server with customer data in unlocked room accessed via unmonitored hallway |
| MODERATE | Non-critical area left unprotected that could be a foothold for deeper access | Reception computer connected to internal network with exposed USB ports |
| LOW | Vulnerable asset has low value and exploitation is unlikely | Laptops without sensitive data left on desks in badge-access office |
Physical access to devices can bypass many technical controls. An adversary with physical access can boot from external media, install hardware keyloggers, extract hard drives, or simply destroy equipment. This is why physical security is foundational.
2.3 Protecting Physical Spaces
Managerial Controls for Physical Security
📚 Security Awareness Training
Educate employees about how they can contribute to security by:
- Detecting social engineering attempts like phishing
- Not badging other people into restricted areas (preventing piggybacking)
- Preventing device theft
- Reporting suspicious individuals or activities
🖥️ Workstation Security Policy
A policy outlining measures to protect physical workplaces:
- Locking devices before leaving workstations unattended
- Clean desk policy: Clearing sensitive documents before leaving
- Using privacy screen filters to prevent shoulder surfing
- Connecting devices to surge protectors or UPS
Physical Security Controls
| Control | Function | Protection Provided |
|---|---|---|
| Fencing, Gates, Bollards | Preventative | Deter adversaries from physically accessing buildings |
| Locks | Preventative | Prevent unauthorized access to doors, cabinets, devices |
| Card Readers | Preventative + Detective | Authenticate access and log entry times |
| Access Control Vestibules (Mantraps) | Preventative | Prevent tailgating/piggybacking with interlocking doors |
| Turnstiles | Preventative | Ensure one-person-at-a-time entry |
| Disabled USB Ports | Preventative | Prevent malware from external drives |
| UPS (Uninterruptible Power Supply) | Corrective | Backup power during outages |
Prioritizing Mitigations
Organizations prioritize security investments based on:
- Severity of risk: Higher risks get more resources
- Cost-effectiveness: Solutions should cost less to implement than the expected loss from an attack
- Ease of implementation: Quick wins that significantly reduce risk
2.4 Detecting Physical Attacks
Detection Controls
| Control | How It Detects | Best Placement |
|---|---|---|
| Cameras | Visual monitoring and recording of activity | Points of ingress/egress, sensitive areas. Consider coverage, angle, tamper resistance. |
| Security Guards | Human observation and immediate response | Stationary at entries/sensitive areas; patrolling perimeters |
| Motion Sensors | Alert when movement occurs in an area | Low-traffic areas like server rooms. High-traffic areas create too many false alarms. |
| Badge Readers with Logging | Record which badges accessed which doors when | All controlled entry points |
| Employees | Notice unauthorized individuals | Throughout the workplace (with training) |
Detection Techniques in Practice
📹 Camera Analysis
Camera feeds should be recorded and monitored. Recordings help with after-incident investigations. Cameras can be paired with facial recognition software to alert when unauthorized individuals enter.
🚨 Motion + Camera Integration
When a motion detector triggers, defenders can check camera feeds to visually verify whether it's a security breach or a false alarm.
⏱️ Door Open Duration Monitoring
When badge access is required, sensors can record how long doors remain open. Doors open longer than normal may indicate tailgating or piggybacking.
Scenario: Securing Xtensr Labs
You work on the physical security team at Xtensr Research Labs. Your company is acquiring a smaller research firm, and you must assess their physical security.
Your tasks:
- Review building plans and current controls; identify vulnerabilities
- Assess the risk from each vulnerability
- Recommend physical security controls for mitigation
- Recommend placement of detection equipment
The AP exam will present physical security scenarios where you must identify vulnerabilities, assess risk, and recommend controls. Practice matching specific vulnerabilities to appropriate preventative and detective controls. Remember that defense-in-depth means layering multiple controls—don't just recommend one solution.
📝 Unit 2 Practice Questions
Which of the following BEST describes the difference between tailgating and piggybacking?
- A) Tailgating uses technical means; piggybacking uses physical means
- B) In tailgating, the authorized person is unaware; in piggybacking, they knowingly grant access
- C) Tailgating involves multiple attackers; piggybacking involves a single attacker
- D) Piggybacking targets network access; tailgating targets physical access
Answer: B
Explanation: In tailgating, the adversary follows an authorized person without their knowledge. In piggybacking, the adversary uses social engineering to get the authorized person to knowingly (but mistakenly) allow them access—like holding a door for someone carrying boxes.
An organization's customer database is encrypted. Which element of the CIA triad does encryption PRIMARILY address?
- A) Availability
- B) Integrity
- C) Confidentiality
- D) Authentication
Answer: C
Explanation: Encryption primarily addresses confidentiality by ensuring that only authorized parties with the decryption key can read the data. Even if data is stolen, it remains unreadable without the key.
During which phase of a cyberattack does an adversary typically try to gain access to accounts with higher privileges?
- A) Reconnaissance
- B) Initial Access
- C) Lateral Movement
- D) Evading Detection
Answer: C
Explanation: Lateral movement is when adversaries try to escalate privileges by accessing other computers and user accounts with elevated permissions. They move "laterally" through the network to reach more valuable targets.
A company decides to purchase cyber insurance to cover potential losses from a data breach. Which risk management strategy is this?
- A) Avoid
- B) Transfer
- C) Mitigate
- D) Accept
Answer: B
Explanation: Risk transfer places the financial burden of the risk on another entity—in this case, the insurance company. If a breach occurs, the insurance pays for covered losses.
Which type of adversary has legitimate credentials and access to organizational systems?
- A) Script kiddie
- B) Hacktivist
- C) Insider threat
- D) Cyberterrorist
Answer: C
Explanation: Insider threats are unique because they already have legitimate credentials and access. They could be current or former employees who abuse their access for malicious purposes.
Which physical security control would BEST prevent both tailgating and piggybacking?
- A) Security cameras
- B) Motion sensors
- C) Access control vestibule (mantrap)
- D) Badge reader with logging
Answer: C
Explanation: An access control vestibule (mantrap) forces one-person-at-a-time entry. The interlocking doors prevent someone from following another person through. Cameras detect but don't prevent; badge readers don't prevent physical following.
A security policy is an example of what type of security control?
- A) Physical
- B) Technical
- C) Managerial
- D) Corrective
Answer: C
Explanation: Managerial controls are rules, guidelines, policies, and procedures. A security policy documents what security measures should be in place and how they should be implemented.
A hospital's server room contains patient medical records. Currently, the room has a standard lock that requires a physical key, which is kept at the front desk. No cameras or other monitoring exists in the hallway leading to the room.
(a) Identify TWO physical security vulnerabilities in this scenario.
(b) For each vulnerability, recommend a specific security control and explain how it addresses the vulnerability.
(c) Explain why a defense-in-depth approach is important in this scenario.
Sample Response:
(a) Vulnerabilities:
1. The physical key at the front desk could be accessed by anyone, including unauthorized visitors or a social engineer impersonating staff.
2. No monitoring in the hallway means unauthorized access attempts would not be detected or recorded.
(b) Recommendations:
1. Replace key lock with badge reader: Badge access ensures only authorized employees can enter. The system can log who accessed the room and when, providing accountability and an audit trail.
2. Install cameras in hallway: Cameras provide visual monitoring and recording of all activity leading to the server room. This enables detection of unauthorized individuals and provides evidence for investigations.
(c) Defense-in-Depth:
A defense-in-depth approach is critical here because patient medical records are highly sensitive (protected by HIPAA and other regulations). If one control fails—for example, if someone's badge is stolen—other controls like cameras and motion sensors can still detect the intrusion. Multiple layers also deter adversaries who recognize that bypassing one control won't give them full access. No single control is foolproof, so layering preventative, detective, and corrective controls provides resilience.
Explain the six phases of a cyberattack and identify which phase an organization's security team has the BEST opportunity to prevent significant damage. Justify your answer.
Sample Response:
The Six Phases:
- Reconnaissance: Adversary gathers information using OSINT
- Initial Access: Adversary gains first foothold via phishing/exploits
- Persistence: Adversary establishes ongoing access with malware
- Lateral Movement: Adversary escalates privileges across systems
- Taking Action: Adversary achieves objectives (theft, destruction)
- Evading Detection: Adversary covers tracks
Best Prevention Opportunity:
The Initial Access phase offers the best opportunity to prevent significant damage. At this point, the adversary has not yet established persistence or begun moving through the network. Effective controls at this phase—like email filtering, user security awareness training (to prevent phishing), strong authentication, and patched systems—can stop attacks before they truly begin.
Once an adversary achieves persistence, they are much harder to remove and can return even if initially detected. Stopping the attack at initial access prevents all subsequent phases from occurring.