Fiveable
🔒AP Cybersecurity
Device Security Analysis
Unit 4: Securing Devices

Practice FRQ 1 of 16

1. The following sources all come from the same device (hostname db01, IP address 10.0.5.50) and were captured during a routine risk assessment. Use them to answer parts A through E.

Source 1 — Device Firewall Settings

Rule  Action  Source        Destination  Direction  Port  Protocol
1     Allow   10.0.5.0/24   10.0.5.50    Inbound    22    SSH
2     Allow   ALL           10.0.5.50    Inbound    80    HTTP
3     Allow   ALL           10.0.5.50    Inbound    443   HTTPS
4     Allow   10.0.5.0/24   10.0.5.50    Inbound    3306  MySQL
5     Allow   ALL           10.0.5.50    Inbound    21    FTP
6     Allow   ALL           ALL          Outbound   ALL   ALL
7     Deny    ALL           ALL          Inbound    ALL   ALL

Source 2 — /home/dbadmin/.bash_history

$ cat /home/dbadmin/.bash_history
sudo systemctl status mysql
ls -la /var/log/
ping 8.8.8.8
top
clear

Source 3 — /var/log/auth.log

$ sudo tail -n 14 /var/log/auth.log
1  Nov 12 14:20:01 db01 CRON[3101]: pam_unix(cron:session): session opened for user root
2  Nov 12 14:20:01 db01 CRON[3101]: pam_unix(cron:session): session closed for user root
3  Nov 12 14:21:01 db01 vsftpd[3120]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
4  Nov 12 14:21:02 db01 vsftpd[3121]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
5  Nov 12 14:21:03 db01 vsftpd[3122]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
6  Nov 12 14:21:04 db01 vsftpd[3123]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
7  Nov 12 14:21:05 db01 vsftpd[3124]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
8  Nov 12 14:21:06 db01 vsftpd[3125]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
9  Nov 12 14:21:07 db01 vsftpd[3126]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
10 Nov 12 14:21:08 db01 vsftpd[3127]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
11 Nov 12 14:21:09 db01 vsftpd[3128]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
12 Nov 12 14:21:10 db01 vsftpd[3129]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
13 Nov 12 14:22:05 db01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:1A:2B:3C:4D:5E SRC=203.0.113.88 DST=10.0.5.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41234 PROTO=TCP SPT=55432 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
14 Nov 12 14:22:08 db01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:1A:2B:3C:4D:5E SRC=203.0.113.88 DST=10.0.5.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41235 PROTO=TCP SPT=55432 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0

Source 4 — /var/log/nginx/access.log

$ sudo tail -n 6 /var/log/nginx/access.log
192.168.1.15 - - [12/Nov/2024:15:01:22 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.1.15 - - [12/Nov/2024:15:01:25 +0000] "GET /css/style.css HTTP/1.1" 200 512 "http://10.0.5.50/" "Mozilla/5.0"
198.51.100.42 - - [12/Nov/2024:15:10:05 +0000] "GET /ping?host=127.0.0.1 HTTP/1.1" 200 256 "-" "curl/7.68.0"
198.51.100.42 - - [12/Nov/2024:15:10:12 +0000] "GET /ping?host=127.0.0.1%3Bcat%20/etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.68.0"
198.51.100.42 - - [12/Nov/2024:15:10:18 +0000] "GET /ping?host=127.0.0.1%3Bid HTTP/1.1" 200 312 "-" "curl/7.68.0"
198.51.100.42 - - [12/Nov/2024:15:10:25 +0000] "GET /ping?host=127.0.0.1%20%26%26%20uname%20-a HTTP/1.1" 200 405 "-" "curl/7.68.0"

Source 5 — ls -l /etc/mysql/conf.d/

$ ls -l /etc/mysql/conf.d/
total 12
-rwxr-x--- 1 root    dbadmin 1024 Nov  5 09:15 backup.sh
-rw-rw-rw- 1 dbadmin dbadmin  512 Nov 11 14:30 db_credentials.cnf
-rw-r--r-- 1 root    root     256 Nov 10 10:00 mysql.cnf

Source 6 — Acceptable Use Policy

Required
  • Lock device screens when stepping away from the workstation.
  • Apply security patches to operating systems and applications within 30 days of release.

Permitted
  • Use of approved VPN clients for remote administration.
  • Connecting organization-issued peripheral devices.

Prohibited
  • Sharing user accounts or credentials with other individuals.
  • Storing administrative passwords or sensitive keys in plaintext files.
  • Modifying firewall rules or security settings without authorization.


A. Consider the policy for the device in Source 6.

  i. Explain how one part of the policy helps protect the device.

  ii. Explain how one rule in the current policy could be modified to make the device more secure. Include a specific example in your response.

B. In the authentication log (Source 3, /var/log/auth.log), there is evidence of a password attack in rows 3–12.

  i. Describe the evidence in the log file that indicates a password attack. Include specific entries from the log file in your response.

  ii. Identify the IP address of the adversary.
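The reasoning part B asks for can be automated. The following Python is an added worked example, not part of the Fiveable question or of any College Board scoring material: it parses the Source 3 lines (pasted below as a constructed inline input), groups failed logins by source address, and flags any address that produces a burst of failures inside a sliding time window. The regular expression for the log line shape and the threshold of 5 failures in 60 seconds are assumptions chosen for illustration; tune them to the service and the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed input: the fourteen Source 3 lines, pasted verbatim (syslog timestamps carry no year).
AUTH_LOG = """\
Nov 12 14:20:01 db01 CRON[3101]: pam_unix(cron:session): session opened for user root
Nov 12 14:20:01 db01 CRON[3101]: pam_unix(cron:session): session closed for user root
Nov 12 14:21:01 db01 vsftpd[3120]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
Nov 12 14:21:02 db01 vsftpd[3121]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
Nov 12 14:21:03 db01 vsftpd[3122]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
Nov 12 14:21:04 db01 vsftpd[3123]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
Nov 12 14:21:05 db01 vsftpd[3124]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
Nov 12 14:21:06 db01 vsftpd[3125]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
Nov 12 14:21:07 db01 vsftpd[3126]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
Nov 12 14:21:08 db01 vsftpd[3127]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
Nov 12 14:21:09 db01 vsftpd[3128]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
Nov 12 14:21:10 db01 vsftpd[3129]: Failed login for invalid user admin from 203.0.113.88 port 21 ftp
Nov 12 14:22:05 db01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:1A:2B:3C:4D:5E SRC=203.0.113.88 DST=10.0.5.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41234 PROTO=TCP SPT=55432 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 12 14:22:08 db01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:1A:2B:3C:4D:5E SRC=203.0.113.88 DST=10.0.5.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41235 PROTO=TCP SPT=55432 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Assumed line shape: "<Mon DD HH:MM:SS> <host> <service>[<pid>]: Failed login for [invalid user ]<user> from <ip> ..."
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<svc>\w+)\[\d+\]: "
    r"Failed login for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text):
    """Yield (timestamp, service, username, source_ip) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # no year in syslog; relative timing is enough
            yield ts, m["svc"], m["user"], m["src"]


def detect_password_attacks(log_text, threshold=5, window=timedelta(seconds=60)):
    """Group failures by source IP and flag any source producing `threshold` or more
    failures inside one sliding `window`.  Returns {src_ip: summary dict}."""
    by_src = defaultdict(list)
    for ts, svc, user, src in parse_failures(log_text):
        by_src[src].append((ts, user, svc))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        times = [e[0] for e in events]
        start = 0
        for end in range(len(times)):
            # slide the window start forward until events[start..end] fit inside `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {
                    "count": len(events),
                    "first": times[0].strftime("%b %d %H:%M:%S"),
                    "last": times[-1].strftime("%b %d %H:%M:%S"),
                    "users": sorted({e[1] for e in events}),
                    "services": sorted({e[2] for e in events}),
                }
                break
    return flagged


def adversary_ips(log_text, **kw):
    """Part B(ii) in one call: the flagged source addresses."""
    return sorted(detect_password_attacks(log_text, **kw))


if __name__ == "__main__":
    for ip, info in detect_password_attacks(AUTH_LOG).items():
        print(f"{ip}: {info['count']} failed logins ({info['first']} to {info['last']}), "
              f"users={info['users']}, services={info['services']}")
```

The output for this input is a single flagged source, 203.0.113.88, with ten failures one second apart against the same non-existent user `admin` on the FTP service, which is the shape a dictionary or brute-force attack leaves behind and is exactly the evidence a B(i) answer should quote. The kernel UFW lines from the same address are deliberately ignored by this detector; they belong to part D, not to the password attack.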

C. Consider all the sources from the device.

  i. Explain how the permission settings for one file in the /etc/mysql/conf.d/ directory determine the level of access for that file for the owner, group, and all other users on the system. Include the name of the file in your response.

  ii. Other than removing all permissions from all users, describe one way the permission settings for one file on the system could be configured to restrict access for some users on the device. Include the name of the file in your response.

  iii. Using the explanation from part C (ii), write one or more chmod commands that set the permissions described.
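To make the owner/group/others reading in C(i) and the chmod reasoning in C(ii) and C(iii) concrete, here is an added Python example (not part of the original question): it parses the Source 5 listing, translates each mode string into the access it grants, applies chmod symbolic and octal forms to a mode string the way the kernel would, and derives the chmod command that restricts the one world-writable file. The listing is embedded as a constructed input; the target mode of 640 for `db_credentials.cnf` (owner read/write, group read, others nothing) is one reasonable choice, not the only acceptable answer.

```python
import re

# Constructed input: the Source 5 listing, as `ls -l /etc/mysql/conf.d/` prints it.
LISTING = """\
total 12
-rwxr-x--- 1 root    dbadmin 1024 Nov  5 09:15 backup.sh
-rw-rw-rw- 1 dbadmin dbadmin  512 Nov 11 14:30 db_credentials.cnf
-rw-r--r-- 1 root    root     256 Nov 10 10:00 mysql.cnf
"""

BITS = {"r": 4, "w": 2, "x": 1}


def parse_listing(text):
    """Return [{'mode','owner','group','name'}] for each file line of `ls -l` output."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) == 9 and len(parts[0]) == 10:
            entries.append({"mode": parts[0], "owner": parts[2], "group": parts[3], "name": parts[8]})
    return entries


def triads(mode):
    """'-rw-rw-rw-' -> ('rw-', 'rw-', 'rw-'): owner, group, others (file-type char dropped)."""
    perms = mode[1:] if len(mode) == 10 else mode
    return perms[0:3], perms[3:6], perms[6:9]


def triad_value(t):
    return sum(BITS[c] for c in t if c in BITS)


def mode_to_octal(mode):
    """'-rw-rw-rw-' -> '666'."""
    return "".join(str(triad_value(t)) for t in triads(mode))


def describe(mode):
    """Plain-English access for owner, group and others (the C(i) explanation)."""
    names = {"r": "read", "w": "write", "x": "execute"}
    parts = []
    for who, t in zip(("owner", "group", "others"), triads(mode)):
        granted = [names[c] for c in t if c in names]
        parts.append(f"{who}: {', '.join(granted) if granted else 'no access'}")
    return "; ".join(parts)


def apply_symbolic(mode, spec):
    """Apply a chmod symbolic spec ('g-w,o-rw', 'u=rw,g=r,o=', 'a+x') to a mode string."""
    cur = [triad_value(t) for t in triads(mode)]
    for clause in spec.split(","):
        m = re.fullmatch(r"([ugoa]*)([+=-])([rwx]*)", clause)
        if not m:
            raise ValueError(f"unsupported chmod clause: {clause!r}")
        who, op, perms = m.groups()
        who = who or "a"
        bits = sum(BITS[p] for p in perms)
        for idx, letter in enumerate("ugo"):
            if letter in who or "a" in who:
                if op == "+":
                    cur[idx] |= bits
                elif op == "-":
                    cur[idx] &= ~bits
                else:
                    cur[idx] = bits
    render = lambda v: "".join(c if v & b else "-" for c, b in BITS.items())
    return mode[0] + "".join(render(v) for v in cur)


def world_writable(entries):
    """Names of files whose 'others' triad carries w: anyone on the host can modify them."""
    return [e["name"] for e in entries if "w" in triads(e["mode"])[2]]


def harden_commands(entries, directory="/etc/mysql/conf.d"):
    """For each world-writable file, the chmod that keeps owner rw, gives the group
    read only, and removes all access for others (octal 640)."""
    cmds = []
    for e in entries:
        if "w" in triads(e["mode"])[2]:
            new_mode = apply_symbolic(e["mode"], "u=rw,g=r,o=")
            cmds.append(f"chmod {mode_to_octal(new_mode)} {directory}/{e['name']}")
    return cmds


if __name__ == "__main__":
    for e in parse_listing(LISTING):
        print(f"{e['name']:20} {e['mode']} ({mode_to_octal(e['mode'])}): {describe(e['mode'])}")
    print(harden_commands(parse_listing(LISTING)))
```

Two caveats a grader and a practitioner both care about. `chmod 640` (or the equivalent `chmod g-w,o-rw`) only narrows who can read the file; the group `dbadmin` still reads it, so if the MySQL service should be the only reader, `chown` to the service account comes first. And narrowing permissions does not cure the Source 6 violation that the file name suggests: a world-readable-then-restricted credentials file is still a plaintext credentials file.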

D. Consider all the sources from the device.

  i. Explain how one connection attempt on the device was blocked by the device’s firewall. Include evidence from a log file in your response.

  ii. Other than allowing all traffic for all services, describe a modification to one firewall rule that would allow the connection attempt identified in part D (i).

  iii. Other than allowing the connection attempt identified in part D (i), describe one impact of your modification from part D (ii) on incoming or outgoing network traffic on the device.
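Parts D(i) to D(iii) are a rule-table walk: find the rule the blocked packet fell through to, change one rule so it would match, then look at what else that change lets in. The Python below is an added example, not part of the original question, that encodes the Source 1 table as data, extracts the packet fields from row 13 of Source 3 (the `[UFW BLOCK]` line, pasted as a constructed input), and evaluates the packet against the original table and two candidate modifications of rule 4. It assumes top-down, first-match evaluation with rule 7 as the catch-all, which is how the table reads but which the page does not state, and it encodes SSH, HTTP, HTTPS, MySQL and FTP as TCP, since all five run over TCP.

```python
import ipaddress
import re

# Source 1 rule table as data: (number, action, source, destination, direction, port, protocol).
# The named services in the Protocol column all ride on TCP, so they are written as "tcp".
RULES = [
    (1, "Allow", "10.0.5.0/24", "10.0.5.50", "Inbound",  22,    "tcp"),
    (2, "Allow", "ALL",         "10.0.5.50", "Inbound",  80,    "tcp"),
    (3, "Allow", "ALL",         "10.0.5.50", "Inbound",  443,   "tcp"),
    (4, "Allow", "10.0.5.0/24", "10.0.5.50", "Inbound",  3306,  "tcp"),
    (5, "Allow", "ALL",         "10.0.5.50", "Inbound",  21,    "tcp"),
    (6, "Allow", "ALL",         "ALL",       "Outbound", "ALL", "ALL"),
    (7, "Deny",  "ALL",         "ALL",       "Inbound",  "ALL", "ALL"),
]

# Constructed input: row 13 of Source 3.
UFW_LINE = ("Nov 12 14:22:05 db01 kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:1A:2B:3C:4D:5E "
            "SRC=203.0.113.88 DST=10.0.5.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=41234 "
            "PROTO=TCP SPT=55432 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0")

UFW_RE = re.compile(r"\[UFW BLOCK\] IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                    r".*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)")


def parse_ufw_block(line):
    """Reduce a kernel [UFW BLOCK] line to the fields the rule table decides on."""
    m = UFW_RE.search(line)
    if not m:
        return None
    return {
        "direction": "Inbound" if m["in"] else "Outbound",  # IN=<iface> set: packet arrived on that interface
        "src": m["src"], "dst": m["dst"],
        "proto": m["proto"].lower(), "dport": int(m["dpt"]),
    }


def _addr_match(field, ip):
    """'ALL' matches anything; otherwise the address must fall inside the CIDR (a bare IP is a /32)."""
    return field == "ALL" or ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)


def evaluate(rules, pkt):
    """(rule number, action) of the first matching rule; (None, 'Deny') if nothing matches."""
    for num, action, src, dst, direction, port, proto in rules:
        if direction != pkt["direction"]:
            continue
        if not _addr_match(src, pkt["src"]) or not _addr_match(dst, pkt["dst"]):
            continue
        if port != "ALL" and port != pkt["dport"]:
            continue
        if proto != "ALL" and proto != pkt["proto"]:
            continue
        return num, action
    return None, "Deny"


def with_source(rules, number, new_source):
    """Copy of `rules` with the Source column of rule `number` replaced (the D(ii) modification)."""
    return [(n, a, new_source if n == number else s, d, di, p, pr)
            for n, a, s, d, di, p, pr in rules]


if __name__ == "__main__":
    pkt = parse_ufw_block(UFW_LINE)
    print("packet          :", pkt)
    print("original table  :", evaluate(RULES, pkt))
    print("rule 4 src=ALL  :", evaluate(with_source(RULES, 4, "ALL"), pkt))
    print("rule 4 src=/32  :", evaluate(with_source(RULES, 4, "203.0.113.88/32"), pkt))
```

Run against the original table, the 203.0.113.88 to 10.0.5.50:3306 SYN skips rule 4 because its Source column is 10.0.5.0/24 and lands on rule 7, Deny, which is what the kernel logged. Widening rule 4 to `ALL` admits the packet, and that is the D(iii) impact: every host on the internet can now reach MySQL directly, including the 198.51.100.42 address seen in Source 4. Widening it to `203.0.113.88/32` instead admits only that one address, which is the least-privilege form of the change, though admitting the address that just ran a password attack is a decision the question asks you to describe, not one to recommend.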

E. Apart from the password attack identified in part B, there is evidence of another attack on the device. Consider all the sources from the device.

  i. Determine the type of attack evidenced in a log file.

  ii. Describe specific information in the log file that indicates the attack named in part E (i).

  iii. Describe one way an automated system could halt this type of attack in real time.

  iv. This attack could be mitigated by an automated system, such as a firewall, IDS, IPS, or AI. Identify a different countermeasure that could mitigate, prevent, or deter the attack.
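The second attack is in Source 4: the `host` parameter of `/ping` carries URL-encoded shell metacharacters (`%3B` is `;`, `%26%26` is `&&`) followed by extra commands, which is OS command injection against a web endpoint that passes its input to a shell. The Python below is an added example, not part of the original question, covering both E(ii) and E(iv): the first half decodes each request's query string and flags values that contain shell metacharacters (the detection an automated system would run over the access log), and the second half contrasts a hypothetical `/ping` handler written the way the log implies with a hardened one that validates the host and never invokes a shell. The six log lines are embedded as a constructed input; the page never shows the application's code, so both handler versions are assumptions written for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed input: the six Source 4 lines.
ACCESS_LOG = """\
192.168.1.15 - - [12/Nov/2024:15:01:22 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.1.15 - - [12/Nov/2024:15:01:25 +0000] "GET /css/style.css HTTP/1.1" 200 512 "http://10.0.5.50/" "Mozilla/5.0"
198.51.100.42 - - [12/Nov/2024:15:10:05 +0000] "GET /ping?host=127.0.0.1 HTTP/1.1" 200 256 "-" "curl/7.68.0"
198.51.100.42 - - [12/Nov/2024:15:10:12 +0000] "GET /ping?host=127.0.0.1%3Bcat%20/etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.68.0"
198.51.100.42 - - [12/Nov/2024:15:10:18 +0000] "GET /ping?host=127.0.0.1%3Bid HTTP/1.1" 200 312 "-" "curl/7.68.0"
198.51.100.42 - - [12/Nov/2024:15:10:25 +0000] "GET /ping?host=127.0.0.1%20%26%26%20uname%20-a HTTP/1.1" 200 405 "-" "curl/7.68.0"
"""

# nginx "combined" format: ip ident user [time] "method target protocol" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<size>\d+)')

# Characters that let a parameter value terminate one shell command and start another.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def find_command_injection(log_text):
    """Decode every query parameter and flag values carrying shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for key, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            if SHELL_META.search(value):
                hits.append({"src": m["ip"], "time": m["ts"], "param": key, "decoded": value,
                             "status": int(m["status"]), "bytes": int(m["size"])})
    return hits


# --- application side: a hypothetical /ping handler, vulnerable and hardened (assumed, not from the page) ---

def vulnerable_ping_command(host):
    """The pattern the log implies: untrusted input spliced into a command line that is then
    run through a shell (os.system / subprocess with shell=True).  Shown only to contrast."""
    return f"ping -c 1 {host}"


HOSTNAME_RE = re.compile(r"(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
                         r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validate_host(host):
    """Allow-list: an IP literal or a syntactically valid hostname; anything else is rejected."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError(f"rejected host value: {host!r}")


def safe_ping_argv(host):
    """argv for subprocess.run(argv) with no shell: metacharacters are never interpreted, and
    validate_host() also keeps option-looking values such as '-f' from reaching ping."""
    return ["ping", "-c", "1", validate_host(host)]


if __name__ == "__main__":
    for h in find_command_injection(ACCESS_LOG):
        print(f"{h['time']} {h['src']} {h['param']}={h['decoded']!r} -> HTTP {h['status']}, {h['bytes']} bytes")
    print(vulnerable_ping_command("127.0.0.1;id"))
    print(safe_ping_argv("127.0.0.1"))
```

The detector flags only the last three requests: the first `/ping?host=127.0.0.1` call is the attacker confirming the endpoint works before injecting. The HTTP 200 responses with sizes that grow with the injected command (1432 bytes for `cat /etc/passwd` against 256 for a plain ping) are the E(ii) detail that the commands actually executed and their output was returned. For E(iv), the hardened handler is the countermeasure that does not depend on a firewall, IDS, IPS or AI: input validation plus passing arguments as a list so no shell ever parses them.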
