← Back to Home

AECSC Task 6 Cheatsheet II

20/05/2026

WACE Year 11 Computer Science ATAR: Unit 2 Exam Ultimate Cheatsheet

The Ultimate High-Yield Study Guide for Relational Database Solutions & Cyber Security Considerations

Module 1: Security Frameworks (CIA Triad & AAA Framework)

1.1 What is a Security Framework?

A security framework is a structured, standardized set of principles, policies, and technical guidelines used to protect computer systems, networks, and data from external threats and unauthorized access.

  • Purpose of Frameworks: They enable organizations to systematically identify security risks, analyze the root causes of security incidents, and maintain a consistent, standard method for scaling up cybersecurity defenses.

1.2 The CIA Triad

Developed during the rapid expansion of early computer security in the 1970s and 1980s, the CIA Triad was widely adopted by government agencies, military organizations, and security professionals. It provides a simple, foundational model to address three critical questions: Who should access the data? Can the data be trusted? Will the system remain available?

1. Confidentiality

  • Technical Definition: Confidentiality is the protection of sensitive information from unauthorized access, viewing, or exposure. It ensures that only validated, approved entities can read specific data assets.
  • Implementation Methods: Usernames and passwords, symmetric/asymmetric encryption, Multi-Factor Authentication (MFA), and biometrics.
  • Real-World Example: A hacker steals a student’s login credentials to read confidential internal school performance records.

2. Integrity

  • Technical Definition: Integrity is the assurance that data remains completely accurate, reliable, complete, and un-tampered with throughout its entire lifecycle. It guarantees that data cannot be modified, deleted, or injected by unauthorized actors without detection.
  • Implementation Methods: Cryptographic hashing algorithms (such as MD5, SHA-256), digital signatures, and strict input validation protocols.
  • Real-World Example: A student exploits a software flaw to change their final chemistry exam mark from a 55% to a 95% inside the school database.

3. Availability

  • Technical Definition: Availability ensures that all network systems, IT services, communication lines, and corporate datasets remain operational, responsive, and accessible to authorized users whenever they are needed.
  • Implementation Methods: Hardware redundancy (RAID drives), off-site automated data backups, Distributed Denial of Service (DDoS) mitigation services, and disaster recovery infrastructure.
  • Real-World Example: A malicious actor launches a DDoS attack against a school website, overloading the server and blocking parents from accessing the student report portal.

1.3 The AAA Framework

While the CIA Triad outlines the high-level goals of information security, the AAA Framework specifies the exact operational controls required to manage user access and identity within a network.

1.4 Interactive PowerPoint Scenario Analysis

Scenario 1: The Shared Network Drive Incident (Engineering Firm)

  • The Situation: A large Perth-based engineering firm utilizes a shared network drive. A junior intern uses their valid personal credentials to log in, but due to a total lack of folder permissions, they open and permanently delete several high-level, sensitive corporate project contracts. When management attempts to audit the incident, they discover that the server only tracks when users log in, completely failing to log file modifications.
  • Analysis via AAA Framework:
  • Failed Component 1: Authorisation. Although the intern authenticated successfully with valid credentials, the system failed to restrict their access permissions. Enforcing proper authorization through Access Control Lists (ACLs) or Role-Based Access Control (RBAC) would ensure that a junior intern is completely restricted from modifying or deleting critical corporate contract directories.
  • Failed Component 2: Accounting. The system failed to track user activity once inside the network. Implementing automated, immutable system audit logs that record all file creations, adjustments, and deletions would have allowed management to immediately pinpoint exactly who destroyed the files and when, discouraging malicious behavior and easing recovery.

Scenario 2: The Home VPN Security Breach (Software Company)

  • The Situation: A software enterprise allows its engineers to work remotely via a Virtual Private Network (VPN). An external attacker uses an automated brute-force tool to guess a senior developer’s weak password, establishing access to the internal network. The attacker alters key administrative configurations on the primary database, causing a complete system crash three days later.
  • Analysis via AAA Framework:
  • Initial Entry Compromise: Authentication was compromised. The system relied on single-factor authentication (a password alone) without checking if the entity behind the connection was truly the employee.
  • Prevention Approach: The company should enforce strict organizational password policies (requiring a minimum length of 12+ characters, combining character variety, and enforcing an account lockout threshold after 5 failed login attempts to block automated brute-force scripts). They must also mandate Multi-Factor Authentication (MFA), combining something you know (password) with something you have (such as an authenticator app token), keeping the network secure even if a password is stolen.
  • Accounting’s Role in Recovery: During the “three days later” recovery phase, IT engineers can parse the system’s accounting audit logs. These logs track all administrative modifications, command lines run, and setting alterations. By pinpointing the exact configuration changes the attacker made, the team can rapidly reverse the damage and restore the database without relying entirely on restoring old, potentially stale backups.

Module 2: Network Security, Authentication & Access Control

2.1 The Three Authentication Factors

Secure authentication systems rely on combining distinct categories of identity validation, known as authentication factors:

  1. Something you know (Knowledge): Information a user must memorize. Examples: Passwords, PINs, passphrase patterns, security questions.
  2. Something you have (Possession): A physical or digital asset a user must hold. Examples: Smartphones running authenticator apps, SMS one-time codes, hardware USB keys (YubiKeys), smart cards.
  3. Something you are (Inherence / Biometrics): Unique physical or behavioral traits. Examples: Fingerprint scanning, facial geometry mapping, retina scans.

2.2 Organisational Password Policies

An organisational approach to password policies refers to administrative rules and technical restrictions enforced by an enterprise across all user accounts to ensure secure credential management.

Core Password Policy Rules & Examples:

  • Minimum Length Requirements: Mandating that passwords must be at least 12 to 14 characters long. This exponentially increases the mathematical combinations required, making cracking attempts unfeasible.
  • Mandatory Password Rotation: Requiring employees to update their passwords every 60–90 days, limiting the operational window of leaked or stolen credentials.
  • Account Lockout Thresholds: Enforcing an automated system lockout after 5 consecutive failed login attempts. This stops high-speed automated brute-force software tools.
  • Password History Restrictions: Banning employees from reusing any of their last 10 historical passwords.
  • Banning Common Passwords: Preventing users from setting simple, predictable passwords like “12345678” or “password123”.

Impact on Corporate Data Security:

  • The Benefit: Drastically reduces the risk of credential stuffing, dictionary guessing, and brute-force access, raising the baseline security of corporate data assets.
  • The Trade-off / Risk: If password policies are configured to be overly complex or restrictive, it can cause user fatigue. Employees may resort to writing complex passwords down on physical sticky notes at their desks or saving them in unencrypted text files on their computers, introducing severe new physical security flaws.

2.3 Two-Factor Authentication (2FA)

  • Technical Definition: Two-Factor Authentication (2FA) is a defense-in-depth security practice that mandates users provide two completely distinct authentication factors before granting entry.
  • Security Value: It addresses the vulnerability of single-factor authentication. If an external cybercriminal successfully steals an employee’s password, access remains completely blocked because the attacker does not possess the secondary factor (e.g., the user’s physical phone running a synchronized authenticator app).

2.4 Biometrics: Benefits and Strategic Liabilities

  • Technical Definition: Biometrics is an identity verification methodology leveraging unique human physiological or behavioral traits (fingerprints, facial structures, retina maps).
  • The Advantage: Biometric markers are exceptionally difficult to replicate, guess, forge, or share among employees, providing strong security and convenience.
  • The Major Structural Liability: Unlike a password, token, or smart card, if a biometric database is breached and compromised, it cannot be changed. A user cannot reset a compromised fingerprint or replace a stolen retina map, creating a lifelong security risk for that individual’s identity.

Module 3: Network Threats, Malware & Vulnerabilities

3.1 External Network Threats & Attack Vectors

An external threat refers to any information security risk or malicious action that originates from outside an organization’s network perimeter. These threats aim to bypass security controls, steal data, disrupt availability, or compromise systems.

  • Social Engineering: A high-risk attack strategy that targets human psychology rather than software code. Attackers manipulate human trust, fear, curiosity, or lack of awareness to trick targets into compromising security.

  • Phishing: Sending fraudulent emails, texts, or digital messages disguised as trusted organizations (banks, government agencies, company executives) to trick users into entering credentials on fake websites or downloading malware.

  • Pretexting: Fabricating a highly detailed, false scenario where the attacker pretends to be an authorized entity (such as an urgent external IT support technician) to trick an employee into revealing passwords or network configurations.

  • Baiting: Leaving malware-infected physical assets (like a USB drive labeled “Executive Salaries”) in public areas, exploiting curiosity so a target plugs it into a corporate workstation.

  • Denial of Service (DoS) / Distributed Denial of Service (DDoS): An availability attack that floods a targeted network node or web server with an overwhelming volume of illegitimate traffic or data requests. This exhausts the server’s processing power, memory, and network bandwidth, causing it to crash and blocking access for legitimate users.

  • Back Door: A hidden entry point built into software or hardware that intentionally or accidentally bypasses standard network security authentication controls, allowing unauthorized actors persistent access.

  • IP Spoofing: A technical exploitation vector where an attacker modifies the source IP address headers inside transmitting network data packets. This hides the attacker’s true identity and tricks internal systems into treating the malicious packets as trusted local traffic.

  • SQL Injection (SQLi): An input validation attack where a malicious actor inputs harmful SQL command strings into web application entry fields (like login windows or search boxes). If the input is not sanitized, the backend database treats the text as executable code, giving the attacker unauthorized access to read, modify, or destroy database records.

  • Man-in-the-Middle (MitM): An interception attack where an unauthorized entity positions themselves between two communicating computer nodes. The attacker secretly intercepts, reads, or alters data packets during transmission without either party knowing.

  • Cross-Site Scripting (XSS): An application attack where a cybercriminal injects malicious client-side JavaScript code into a trusted website. The script executes within the web browsers of other users visiting that site, allowing the attacker to steal session cookies or hijack active user accounts.

  • Zero-Day Vulnerability: A software bug or security flaw that is completely unknown to the software developer or vendor. It represents a window of risk where “zero days” of patch protection are available, leaving systems vulnerable to exploitation until an official fix is released.

  • Physical Security Threats: Direct, physical violations of infrastructure hardware assets, such as a criminal breaking into a data center server room to steal storage arrays, cut networking trunk lines, or install hardware keyloggers.

3.2 Malware Taxonomy

Malware (Malicious Software) is an umbrella term for any software program explicitly engineered to compromise system integrity, steal sensitive data, spy on users, or disrupt operations.

Module 4: Cryptography Mechanics & Critical Skills

4.1 Cryptographic Core Concepts

  • Cryptography is the practice of securing information by transforming it into an unreadable format, ensuring confidentiality and preventing tampering.
  • Plain Text: The original, unaltered data message that is readable by humans (e.g., HELLO).
  • Cipher Text: The unreadable, scrambled output data produced after a cryptographic algorithm has run (e.g., KHOOR).

4.2 Historical Cipher Paradigms

  1. The Scytale Cipher (Ancient Greece): A physical cryptographic tool used by the Spartan military. A strip of parchment was wrapped tightly around a wooden rod of a specific diameter. The message was written across the parchment, making sense only when wrapped around a rod of the exact same size.
  2. The Caesar Cipher (Roman Empire): A basic monoalphabetic substitution cipher used for military communications. It shifts every letter in the plaintext message down the alphabet by a fixed numeric key position.

4.3 Substitution Ciphers & Attack Methodologies

1. Rotation Ciphers (Caesar Shifting)

  • The Mechanic: Every character is shifted by a single numeric constant. For example, with a Key of 3: A \rightarrow D, B \rightarrow E, C \rightarrow F.
  • Vulnerability: There are only 25 possible key shifts in the English alphabet (shifting by 0 or 26 does nothing). Because the key space is so small, an attacker can launch a manual or automated Brute Force Attack—trying every single possible key option until readable English text appears—making it trivial to crack.

2. Random Substitution Ciphers

  • The Mechanic: Instead of a fixed shift, each letter of the alphabet maps to a randomly selected, unique letter (e.g., A \rightarrow X, B \rightarrow Q, C \rightarrow M).
  • Vulnerability: The total number of possible keys is 26!26! (factorial), which is roughly 4×10264 \times 10^{26} combinations. Because this key space is massive, brute-force guessing is completely unrealistic. Instead, attackers use Frequency Analysis. In the English language, letters occur in a predictable distribution (e.g., E, T, and A are the most common). By analyzing the most frequent characters in the ciphertext, an attacker can match them to common English letters to systematically decode the message.

3. Polyalphabetic Ciphers (The Vigenère Cipher)

  • The Mechanic: A cipher that uses a repeating alphabetical keyword to encrypt text. The numeric shift value changes with every single letter based on the corresponding character of the keyword.
  • Vulnerability: The number of possible keys is 26n26^n, where nn is the length of the keyword (e.g., a keyword of length 6 yields ~308 million keys). It is significantly more secure than monoalphabetic substitution because it flattens standard single-letter frequency distributions. The same plaintext letter (e.g., “E”) will encrypt into entirely different ciphertext letters depending on its position relative to the keyword, making basic frequency analysis ineffective.

4.4 Modern Encryption Systems: Symmetric vs. Asymmetric

Symmetric Encryption

  • The Mechanic: Both the sending and receiving parties share the exact same single secret key to perform both encryption and decryption.
  • Algorithms: Advanced Encryption Standard (AES), which utilizes 128, 192, or 256-bit keys to securely process data through multiple rounds of substitution and shuffling, and Data Encryption Standard (DES), an obsolete 1970s 56-bit key algorithm that is easily cracked by modern computers via brute force.
  • Key Distribution Problem: While highly efficient for encrypting large datasets quickly, symmetric encryption has a major security flaw: key distribution is difficult. The shared key must be securely delivered to the recipient before communication can begin. If the key is transmitted over an unsecure network, it can be intercepted, compromising the entire communication line.

Public Key (Asymmetric) Encryption

  • The Mechanic: Uses a mathematically linked pair of keys: a Public Key (which can be distributed openly to anyone and is used solely for encryption) and a Private Key (which must be kept strictly secret by the owner and is used solely for decryption).
  • The Advantage: This completely resolves the key distribution problem over open networks like the Internet. A sender can use the recipient’s freely available public key to encrypt a message. Once encrypted, only the recipient’s private key can decrypt it. The private key never needs to be transmitted or shared across the network, ensuring secure communications.

Module 5: Cyber Security — Ethics and Law

5.1 Ethical Hacking vs. Penetration Testing

  • Ethical Hacking is the authorized, legal process of testing computer systems, networks, or software applications to discover security weaknesses before malicious actors can exploit them. Ethical hackers use the same tools, software scripts, and technical strategies as cybercriminals, but operate with explicit permission to improve security.
  • Penetration Testing (Pen Testing) is a structured, simulated cyber attack carried out by ethical hackers to systematically evaluate system security, evaluate employee security awareness, and test incident response processes.

The Four Distinct Stages of Penetration Testing:

  1. Reconnaissance: Gathering preliminary intelligence and data footprints about the target organization or infrastructure before launching an attack.
  2. Scanning: Using technical security tools to inspect the target network for active systems, open ports, software versions, and known vulnerabilities.
  3. Gaining Access: Actively exploiting the identified software or configuration vulnerabilities to break through security perimeters, simulating a malicious breach.
  4. Maintaining Access: Testing whether the tester can remain inside the network environment undetected to gauge long-term risk exposure.

Comparison Matrix:

The Privacy Act 1988 is the core pieces of Australian legislation regulating how government agencies and private organizations handle, collect, use, store, and secure personal information.

Core Australian Privacy Principles (APPs) for Unit 2:

  • APP 1 — Open and transparent management of information: Mandates that entities maintain an up-to-date, clearly written, and accessible privacy policy detailing exactly what data they collect and how it is managed.
  • APP 6 — Use or disclosure of personal information: Enforces that personal data can only be used or disclosed for the specific primary purpose for which it was originally collected, unless the user provides explicit secondary consent.
  • APP 11 — Security of personal information: Requires organizations to take active, reasonable technical and administrative steps to protect personal information from misuse, loss, interference, and unauthorized access, modification, or exposure.

The Notifiable Data Breaches (NDB) Scheme 2017:

An amendment to the Privacy Act that states if an organization experiences an eligible data breach—meaning personal data is lost, modified, or accessed without authorization—and that breach is likely to result in serious harm (financial, psychological, or reputational) to the affected individuals, the organization must:

  1. Immediately notify the Office of the Australian Information Commissioner (OAIC).
  2. Provide a clear, formal statement directly to all affected individuals, allowing them to take immediate protective measures (such as changing passwords or updating bank details).

Module 6: The Master Revision Answer Key

6.1 Solutions for the Cybersecurity Revision Booklet (Cybersecurity.docx)

Question 1: State the two primary methods used for cracking substitution ciphers.

Full-Mark Solution: Frequency Analysis and Brute Force.

Question 2: State the three main types of malware discussed in the syllabus that involve self-replication or deception.

Full-Mark Solution: Virus, Worm, and Trojan Horse.

Question 3: Outline the purpose of encryption in a networked environment.

Full-Mark Solution: The purpose of encryption is to convert readable plain text into an unreadable cipher text format using a mathematical algorithm. This ensures the confidentiality of sensitive data by preventing unauthorized users from reading the information during storage or transmission across unsecure networks.

Question 4: Outline the organisational approach to password policies.

Full-Mark Solution: An organizational approach to password policies involves establishing and enforcing administrative rules and technical controls across an enterprise (such as mandatory length, rotation schedules, and account lockouts). This ensures that all employees maintain secure credentials, reducing the risk of unauthorized access to network systems.

Question 5: Describe the characteristics of a strong password.

Full-Mark Solution: A strong password is characterized by having a long length of at least 12+ characters, which exponentially increases the mathematical combinations an attacker must guess. It also incorporates a high degree of character variety, combining uppercase letters, lowercase letters, numbers, and symbolic characters, thereby increasing the technical “work factor” and making automated brute-force attacks computationally unfeasible.

Question 6: Describe how a Man-in-the-Middle (MitM) attack is executed.

Full-Mark Solution: A Man-in-the-Middle attack is executed when an unauthorized third party secretly inserts themselves directly into the communication path between two legitimate network nodes. The attacker then intercepts, reads, or alters the transmitting network data packets in real-time without the knowledge or consent of either communicating party.

Question 7 (Scenario): A small accounting firm discovers that their website’s database has been leaked. Investigation shows that an attacker used a search bar on their “Client Login” page to bypass authentication. Explain the SQL Injection method used in this scenario and how it allows an attacker to compromise the system.

Full-Mark Solution: The attacker utilized a SQL Injection (SQLi) attack vector. This method occurs when a web application fails to properly sanitize user inputs entered into fields like login text boxes or search bars. The attacker enters malicious SQL command strings into the search field, which are then passed directly to the backend database server. Because the application treats the input text as executable code, the database runs the commands, allowing the attacker to bypass standard authentication controls, read sensitive database tables, and exfiltrate corporate records without permission.

Question 8 (Scenario): A university student is using a public Wi-Fi hotspot and notices their browser warns them that the “Connection is not private.” They ignore it and log into their bank. Later, they find their account has been accessed by a third party. Explain how IP Spoofing or SSL Stripping could have been used here and the role two-factor authentication (2FA) would have played in preventing the breach.

Full-Mark Solution:

  1. Threat Method Execution: The attacker could have used SSL Stripping on the unsecure public Wi-Fi hotspot to intercept the student’s connection and downgrade it from secure HTTPS to unencrypted HTTP. When the browser warned that the connection was not private, the student ignored it, allowing the attacker to capture their login password in clear text. Alternatively, the attacker could use IP Spoofing to forge network packet headers, impersonating the wireless gateway or bank server to route the student’s traffic through their own device.
  2. The Role of 2FA: Two-Factor Authentication introduces a mandatory secondary verification factor based on something the user has (such as a physical phone running an authenticator app) or something they are (biometrics).
  3. Prevention Conclusion: If 2FA had been enabled, the stolen bank password alone would be completely insufficient for the attacker to log in. The system would remain secure because the attacker lacked access to the secondary physical factor.

Question 9: Explain the process of a Vigenère Cipher and why it is more secure than a simple Rotation Cipher.

Full-Mark Solution:

  1. Process: The Vigenère Cipher encrypts text by using a repeating alphabetical keyword to determine shifting parameters.
  2. Polyalphabetic Shifting: Each successive letter of the keyword dictates a changing numeric shift value applied to the corresponding character of the plaintext message, creating a polyalphabetic shift pattern.
  3. Security Comparison: It is significantly more secure than a simple Rotation Cipher (like the Caesar Cipher) because a rotation cipher applies a single, fixed numeric shift across the entire message, perfectly preserving the frequency distribution of the letters. The Vigenère cipher flattens standard single-letter frequency signatures by encrypting the same plaintext character into entirely different ciphertext characters depending on its position relative to the keyword, making basic frequency analysis ineffective.

Question 10: Compare Symmetric Encryption and Public Key (Asymmetric) Encryption. Your answer should refer to the number of keys used and the ease of key distribution.

Full-Mark Solution: Symmetric Encryption utilizes a single, identical secret key shared between both the sending and receiving parties for encryption and decryption, whereas Public Key (Asymmetric) Encryption utilizes a mathematically linked pair of keys: a public key for encryption and a private key for decryption. In contrast to symmetric encryption, where key distribution is difficult and insecure because the shared key must be safely delivered over the network before communication can begin, asymmetric encryption is significantly better for open networks like the Internet because the public key can be shared openly with anyone, while the private key remains safely hidden with the owner, completely eliminating the risk of key interception during transmission.

6.2 Solutions for Ethics and Law Presentation Scenarios (Ethics_and_Law_Cybersecurity_Notes.pptx)

Comprehensive answers to the 16 core questions derived from the School Network Security Breach case study.

1. Explain the role of ethical hacking in this scenario.

Answer: The role of ethical hacking is to perform an authorized security evaluation of the school’s network infrastructure. Ethical hackers simulate real-world attacks to identify active system vulnerabilities, weak password habits, and missing technical controls, allowing the school to fix these issues before malicious actors exploit them.

2. Describe how penetration testing could help prevent future attacks.

Answer: Penetration testing helps prevent future attacks by actively testing the school’s security controls, evaluating staff awareness, and identifying unpatched software vulnerabilities or missing protections (like disabled MFA). This gives the school actionable recommendations to improve their cyber defenses before a real attack occurs.

3. Explain the difference between the ethical hackers hired by the school and the attackers who stole the data.

Answer: Ethical hackers operate legally with explicit authorization from management, follow strict ethical guidelines to respect user privacy, and document their findings to improve security. In contrast, the malicious attackers operate illegally without authorization, violate user privacy, and steal sensitive data for personal gain, disruption, or extortion.

4. Identify two unethical actions that occurred in this case study.

Answer: One unethical action was that school staff actively shared account passwords, which bypassed individual accountability. A second unethical action was that school administration stored legacy student records unnecessarily, exposing old personal information to potential data theft.

5. Explain why sharing passwords is considered unethical and insecure.

Answer: Sharing passwords is unsecure because it broadens the network exposure window, increasing the risk of unauthorized access. It is considered unethical and structurally flawed because it breaks individual accountability within the AAA Framework’s Accounting pillar, making it impossible for audit logs to accurately track which specific person performed an action on the network.

6. Discuss the ethical responsibility schools have when storing sensitive student information.

Answer: Schools handle sensitive personal information belonging to minors (including contact information, medical entries, and academic evaluations). They have an ethical responsibility to act as trusted guardians of this data, deploying modern security protections to prevent data breaches that could lead to identity theft or emotional harm.

7. Explain how the Privacy Act 1988 applies to this situation.

Answer: The Privacy Act 1988 legally regulates how the school collects, stores, uses, and secures personally identifiable information. It mandates that the school deploy appropriate security controls to safeguard records and creates legal liabilities for negligence if data is compromised due to inadequate security measures.

8. Identify which Australian Privacy Principle is most relevant to this breach.

Answer: The most relevant principle is APP 11 (Security of personal information).

9. Explain how the school may have failed to comply with APP 11.

Answer: The school failed to comply with APP 11 by actively disabling Multi-Factor Authentication (MFA), allowing weak and un-rotated passwords, providing no security training to employees, storing unneeded legacy student data, and failing to perform regular penetration testing, thereby failing to take reasonable steps to protect personal information.

10. Describe two “reasonable steps” the school should have taken to protect personal information.

Answer:

  1. Technical Step: Enforce a strict password complexity policy (minimum 12+ characters with character variety) and mandate the activation of Multi-Factor Authentication (MFA) across all staff accounts.
  2. Administrative Step: Implement automated data-retention schedules to permanently delete legacy student records that are no longer required, and mandate cybersecurity awareness training for all employees.

11. Explain why this incident may qualify as an eligible data breach.

Answer: This incident qualifies as an eligible data breach because sensitive personal information (student records) was accessed and stolen by unauthorized actors, creating a real risk of serious harm (such as identity fraud, targeted phishing scams, or financial exploitation) to the affected students and their families.

12. Describe what the school would likely be required to do under the Notifiable Data Breaches Act 2017.

Answer: Under the NDB Act 2017, the school is required to immediately notify the Office of the Australian Information Commissioner (OAIC) regarding the breach. They must also distribute a clear, formal notification statement directly to all affected parents and students, detailing what data was exposed and providing recommendations for protective steps.

13. Explain why affected students and parents should be notified.

Answer: Affected individuals must be notified so they are aware of the security risk and can take immediate steps to protect themselves. This allows them to update compromised passwords, monitor financial statements for identity fraud, and remain alert for targeted phishing scams.

14. Recommend four security improvements the school should implement.

Answer:

  1. Mandate and enforce Multi-Factor Authentication (MFA) for all user accounts.
  2. Enforce a strict password policy requiring a minimum of 12+ characters, character variety, and account lockouts.
  3. Establish an automated data lifecycle management policy to delete unneeded legacy records.
  4. Schedule regular penetration testing and implement ongoing cybersecurity awareness training for all staff members.

15. Explain how staff cyber security training could reduce future risks.

Answer: Security training helps reduce risk by educating staff members to recognize social engineering tactics like phishing emails, pretexting calls, or baiting links. This reduces the likelihood that an employee will inadvertently compromise their login credentials or download malware.

16. Describe how MFA would improve system security.

Answer: Multi-Factor Authentication improves security by requiring a secondary verification factor (such as an app token or physical key) alongside a user’s password. Even if a malicious actor successfully guesses or steals a staff member’s password, access remains blocked because the attacker lacks the secondary physical factor, preventing a breach.

Final Verification Checklist: PowerPoint Content Audit

This comprehensive checklist ensures that 100% of the high-yield technical content from the provided presentation files and revision booklet has been systematically covered in this study guide:

  • Security Frameworks Module (Security_Frameworks_CIA_AAA.pptx): Covered Security Framework purpose, CIA Triad core elements (Confidentiality, Integrity, Availability) with implementation methods and real-world examples, historical context (1970s-1980s), AAA Framework core components (Authentication, Authorisation, Accounting), and full analyses for both the Shared Network Drive and Home VPN security incidents.
  • Network Security Module (Network_Security.pptx): Covered Encryption purpose, plaintext vs. ciphertext, the history of DES (1970, 56-bit key, brute-force breakable), Symmetric encryption mechanics, Advanced Encryption Standard (AES) features, Asymmetric Public Key vs. Private Key mechanics, organizational password policy impacts and user fatigue trade-offs, 2FA configurations, and Biometric implementation liabilities.
  • Network Threats Module (Network Threats.pptx): Covered External threats definition, Social Engineering attack vectors (Phishing, Pretexting, Baiting), DoS/DDoS mechanics, Backdoors, IP Spoofing, SQL Injection, Man-in-the-Middle attacks, Cross-Site Scripting (XSS), Zero-Day risks, Physical security threats, and full Malware Taxonomy definitions (including the Fireball Adware and CryptoLocker Ransomware case studies).
  • Ethics & Law Module (Ethics_and_Law_Cybersecurity_Notes.pptx): Covered Ethical Hacking definition, Penetration Testing mechanics, the 4 distinct stages of Pen Testing (Reconnaissance, Scanning, Gaining Access, Maintaining Access), Ethical vs. Unethical hacker comparison, Privacy Act 1988 application, APPs 1, 6, and 11, the Notifiable Data Breaches Scheme criteria, and full solutions for all 16 School Data Breach questions.
  • Cryptography Basics Module (Cryptography_Introduction.pptx): Covered Plain text vs. Cipher text concepts, historical Scytale and Caesar ciphers, Rotation cipher brute-force vulnerabilities, Random substitution cipher frequency analysis vulnerabilities, and Vigenère cipher polyalphabetic mechanics.
  • Master Revision Booklet Module (Cybersecurity.docx): Verified and integrated full, high-scoring responses for all 10 core questions in Section 1 through Section 5.