Exercises: Security Principles
These exercises move from recall of the principles to designing and critiquing real defenses with them. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.
Work in your own notebook or a private repository. Where an exercise asks you to classify, score, or design, the reasoning matters more than landing on one "official" answer; defend your choices.
Part A — The CIA triad and AAA ⭐
1.† Define confidentiality, integrity, and availability in one sentence each, then name the attacker's move (disclosure, tampering, or denial) that targets each.
2. For each asset, name the CIA leg that matters most and justify it in a phrase: (a) Meridian's core-banking ledger; (b) the public marketing website; (c) the customer PII database; (d) the audit-log archive the SOC relies on; (e) the online-banking service during business hours.
3. A control improves one leg of the triad while weakening another. Give two concrete examples — one where a confidentiality control hurts availability, and one where an availability measure hurts confidentiality.
4.† Distinguish authentication from authorization in one sentence each. Then describe a system that performs the first correctly but the second catastrophically wrong, and name the attacker move (impersonation or privilege escalation) each property defends against.
5. Explain why accounting (audit logging) is the foundation of the entire Security Operations discipline, and why an integrity attack on the logs themselves is especially dangerous.
6. Non-repudiation. Explain why enabling verbose logging does not, by itself, give you non-repudiation. Name the single most common cause of the gap and one mechanism that closes it.
Part B — Classifying controls ⭐⭐
7.† Classify each control on both axes (function: preventive / detective / corrective / compensating; nature: administrative / technical / physical): (a) a next-gen firewall rule blocking inbound traffic; (b) quarterly user-access reviews; (c) a CCTV camera in the server room; (d) restoring a database from backup after ransomware; (e) isolating and heavily monitoring a legacy system that cannot be patched; (f) a mandatory security-awareness training course; (g) a SIEM correlation rule that alerts on impossible-travel logins; (h) a badge reader at the data-center door; (i) a documented incident-response plan; (j) full-disk encryption on laptops.
8. Gap analysis. An organization lists its controls and they are: firewall, antivirus, encryption, strong passwords, a locked server room, and a VPN. Place each on the function × nature matrix, then name the two cells that are conspicuously empty and the specific risk that emptiness creates.
9.† Explain the difference between a compensating control and a corrective control. Give a Meridian example of each, and explain why PCI-DSS makes room for compensating controls at all.
10. A vendor markets a single product as "preventive, detective, and corrective." Is that plausible, or marketing? Argue your position and give an example of a real control that genuinely spans more than one function.
Part C — Least privilege, separation of duties, fail-safe ⭐⭐
11.† Harden it. A junior administrator hands you this (illustrative) summary of a Windows account used by the nightly database-backup job. Identify every least-privilege violation and propose a corrected set of permissions.
Account: svc_dbbackup
Group memberships: Domain Admins, Backup Operators, Remote Desktop Users
Interactive logon: enabled (can log in at the console)
Password: set 4 years ago, never rotated, shared with two human admins
Rights: full read/write to ALL file shares; local admin on 14 servers
Purpose (per ticket): "read the core DB nightly and write a backup file to the NAS"
12. A marketing employee's account is found with local-administrator rights on a production database server, granted two years ago for a one-time task and never removed. Name the principle violated, the specific risk if that account is phished, and the recurring process control that would have caught it.
13.† Write the policy. Draft a three-to-five-sentence separation-of-duties policy for Meridian wire transfers over $100,000. State who may initiate, who may approve, what is prohibited, and how an exception (if ever needed) must be handled. Then name the single account type most likely to silently defeat your policy.
14. Fail-safe vs. fail-open. For each system, state whether it should fail closed (secure) or fail open (permissive) when its control breaks, and justify in one phrase: (a) an authentication service for online banking; (b) the electronic locks on a building's emergency fire exits; (c) a firewall whose rule engine crashes; (d) an industrial safety interlock on a pressurized tank; (e) a door to a vault.
15. Explain how least privilege and separation of duties defend against different threats, using a single scenario (a phished back-office employee who wants to move money) to show what each principle does and does not stop.
Part D — Analyze this (incidents through the principles) ⭐⭐
16.† Analyze this log. You are handed this (illustrative) excerpt. The source IP is in the
documentation range 198.51.100.0/24; all times are UTC.
02:14:55 user=svc_admin src=198.51.100.7 action=login result=SUCCESS
02:15:31 user=svc_admin src=198.51.100.7 action=read_share path=\\fs01\HR\salaries
02:16:02 user=svc_admin src=198.51.100.7 action=add_member group="Domain Admins" target=temp_user
02:17:40 user=svc_admin src=198.51.100.7 action=clear_log target=Security
(a) Which CIA legs and which AAA properties are under attack across these four lines? (b) Why is the
shared svc_admin account a non-repudiation problem here? (c) Which single principle from this chapter,
if it had been enforced on svc_admin, would most have limited this damage? (d) Name one detective
control that should have fired.
17. A ransomware attack encrypts Meridian's file servers. Map the defense across the function × nature matrix: name one preventive, one detective, and one corrective control that together address it, and state which is the "last line" that decides whether the bank recovers.
18.† Respond to this incident. A reported phishing email reveals that one user clicked and entered credentials, but the login to the SSO portal failed because of a FIDO2 key. Walk through the first five steps you would take as the on-shift analyst, and for each step name which principle or control (from this chapter) it relies on. (Tabletop steps, not tool commands.)
19. Re-read Figure 3.3 (the Meridian near-miss as defense in depth). Two layers failed and the bank was fine. (a) Identify the failed layers and the layer that held. (b) Redesign the defense to add one detective layer earlier in the chain, and explain what it would have caught and when.
Part E — Design it ⭐⭐–⭐⭐⭐
20. Design the architecture. Meridian is deploying a new internal web application that lets branch managers approve small-business loans. Sketch (in words or a simple diagram) a defense-in-depth design with at least four independent layers spanning different control types and natures. For each layer, state what it assumes has already failed.
21.† Design it. A team proposes protecting an unpatchable legacy server (it runs core-banking software the vendor no longer updates) by "just putting a firewall in front of it." Critique this as a single-layer defense, then design a compensating-control package (three or more controls of different types/natures) that meets the intent of "keep this server secure" without patching it.
22. Write a one-paragraph control framework note for Meridian explaining, to a non-technical board member, why a defense that is "all firewalls and antivirus" is incomplete. Use the function × nature matrix and Theme 4 (defense in depth assumes failure) without using jargon they would not know.
23. ⭐⭐⭐ Apply least privilege at scale. Pick an organization you know (your school, employer, or a public company). Choose one role in it (e.g., a help-desk technician, a teaching assistant, a cashier). List the access that role actually needs to do its job, the access it probably has in practice, and the gap. Propose how you would close the gap and how you would keep it closed over time.
Part F — CTF-style challenge ⭐⭐⭐
24.† The principle audit. A new "secure" internal portal is described to you as follows. Find every principle from this chapter that it violates, rank the violations by the risk each creates, and rewrite the design to fix the top three.
- Anyone on the corporate network (no login) can READ all pages ("we trust our own network").
- Editing requires a login; all editors share one account, "editor", to "keep it simple".
- The single admin account can do everything, including approve its own changes.
- If the login service is down, the portal grants edit access to everyone "so work isn't blocked".
- There is no log of who changed what.
Part G — Interleaved & forward-looking ⭐⭐
25. (Builds on Chapter 1.) Using the risk equation Risk = Likelihood × Impact, explain precisely which term least privilege reduces and which term defense in depth reduces. Are they reducing the same thing or different things?
26. (Builds on Chapter 2.) The cyber kill chain describes an intrusion as stages (initial access → escalation → lateral movement → impact). Explain how placing an independent control at each stage is the kill-chain expression of defense in depth, and why detecting at any stage can stop the whole chain.
27. ⭐⭐⭐ Open reflection. This chapter argues zero trust is a synthesis of older principles, not a new invention. Write half a page defending or attacking that claim: is "never trust, always verify" genuinely new, or is it least privilege + fail-safe default + assume breach renamed for a post-perimeter world? (Revisit this note after Chapter 32.)
Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor.