Three "harmless" facts: a runner posts her usual route (fitness app), her work badge photo (new-job post), and her birthday brunch (tagged location, date visible).
From those three posts a stranger can assemble: where she'll be at 6:30 tomorrow (route), where she works and her full name (badge), and her birth date (brunch) — enough for stalking, convincing impersonation ("Hi, this is HR, verifying your details — born March 12th, right?"), and password-reset guessing.
No hack occurred. No password leaked. Each post was individually innocent; the combination is the exposure — Lesson 6's "combining data reveals more than either source" wearing its darkest outfit. Safe computing starts from that math: your data aggregates whether you think about it or not. Attackers think about it.
PII is information that can identify you — alone or combined: name, address, birth date, ID/Social Security numbers, biometric records, and in context: location history, medical/financial records, even search history.
CED claims to answer with:
| Attack | How it works | The tell |
|---|---|---|
| Phishing | A fraudulent message (email/text/site) impersonates a trusted party to trick you into revealing credentials or installing malware | Urgency + credential request + slightly-off sender/URL ("your account will be locked — verify now") |
| Keylogging | Software/hardware records your keystrokes — capturing passwords as you type them | Often installed by malware or a malicious device |
| Malware / viruses | Software intended to damage or take control; a virus attaches to legitimate programs/files and spreads when they're shared or run | Unexpected attachments, untrusted downloads |
| Rogue access point | A wireless network set up (or compromised) to intercept traffic from devices that join it — e.g., fake "Free_Airport_WiFi" | Unsecured public Wi-Fi; data sent unencrypted through it can be read in transit |
Classification is the tested skill: deception to extract info = phishing; recording keystrokes = keylogging; self-spreading hostile software = virus/malware; hostile network intercepting traffic = rogue access point. Each question describes one mechanism in scenario clothes.
Defenses ladder (CED-level): skepticism toward unexpected requests (phishing); software from trusted sources + security updates (malware); avoiding sensitive business on untrusted networks — or encrypting traffic so interception yields gibberish (rogue APs). Which brings us to—
Encryption transforms data so only intended parties can read it; decryption reverses it with the proper key. Two architectures, one exam distinction:
Mailbox analogy: your public key is a mail slot anyone can drop letters through; your private key is the only key to the box. Publishing the slot's location risks nothing.
Certificate authorities (CAs) answer the remaining question — "is this public key really my bank's?" A CA is a trusted organization that verifies a site's identity and issues a digital certificate binding that identity to its public key. Your browser trusts the CA, the CA vouches for the site, the padlock appears. (An impostor site can offer a public key; it can't easily get a trusted CA to certify it as yourbank.com.)
Passwords are one factor — something you know. Multifactor authentication (MFA) requires evidence from multiple independent categories:
The independence is the strength: a phished password alone no longer opens the account, because the thief lacks your phone. Note the categories rule — password + security question is two things you know: one factor, twice, not MFA. The exam tests exactly that nuance.
Password hygiene still matters (long, unique per site — reuse means one breach unlocks many doors), but the CED's headline is MFA: layered categories, each layer an independent failure the attacker must cause.
Problem: An email styled like your bank's, from "security@yourbank-verify.com," warns of suspicious activity and links to a login page that harvests your credentials. Classify the attack.
Solution: Phishing — impersonation of a trusted party to trick you into surrendering credentials. The tells: urgency, credential request, off-domain sender.
Interpretation: No software was hacked; you were. Phishing attacks the human, which is why the defense is skepticism (verify via the bank's real site/app, never the message's link), not antivirus.
Problem: Two strangers — a shopper and an online store — have never communicated. With symmetric encryption alone, what's the fatal problem, and how does public-key encryption solve it?
Solution: Symmetric needs both sides to hold the same secret key before secure communication starts — but delivering that key to a stranger over the open Internet exposes it to interception (encrypting the delivery would need... another shared key; the problem recurses). Public-key breaks the loop: the store publishes its public key freely; the shopper encrypts with it; only the store's private key decrypts. No secret ever travels.
Interpretation: The exam asks this as "the main advantage of public-key cryptography" — credited answer: secure communication without prior secret/key exchange. Not "it's stronger" or "faster" (it's actually slower — real systems use it to establish a symmetric session key, a detail beyond the CED).
Problem: Which login setups are genuinely multifactor? (i) Password + code texted to your phone. (ii) Password + mother's maiden name. (iii) Fingerprint + PIN.
Solution: (i) Yes — know (password) + have (phone). (ii) No — two knows: one factor, doubled. (iii) Yes — are (fingerprint) + know (PIN).
Interpretation: Count categories, not prompts. The security-question distractor appears on real forms; it feels like a second factor and isn't.
Problem: A traveler joins an open Wi-Fi network named "CoffeeShop_Free" and logs into email via an HTTPS (encrypted) connection. Later she learns the network was a rogue access point run from a laptop in the corner. What could its operator most plausibly have captured?
(A) Her email password, since rogue access points break encryption (B) The encrypted traffic — readable only as scrambled data, though metadata like which sites she visited may leak (C) Nothing whatsoever, since HTTPS makes networks irrelevant (D) Her fingerprint
Solution: (B). The rogue AP sits in the traffic path and captures what passes — but HTTPS encryption means captured content is ciphertext without the keys. Interception ≠ decryption. Some routing metadata still leaks, and any unencrypted connection she used would be fully readable. (A) overpowers the attacker; (C) overtrusts — an attacker in the path can still attempt trickery (fake login pages), so caution on untrusted networks stands.
Interpretation: Layered reasoning is the graded skill: the rogue AP compromises the path; encryption protects the content; neither statement cancels the other. Answers acknowledging both layers win.
1. (B). Birth date + address — identifying, and note it's the combination that sharpens the identification. (A)/(C)/(D) identify no one.
2. (C). Manufactured urgency + credential request = phishing's fingerprint, pop-up edition.
3. (A). Keystroke recording, by definition — capturing secrets as typed, upstream of any encryption.
4. (B). Attach + spread via legitimate files — the virus's defining reproduction mechanism.
5. (C). The pairing rule: public encrypts → private (its twin) decrypts. (A) would make encryption pointless — this distractor tests whether you understand the asymmetry.
6. (B). The bootstrap problem: securing the key's delivery needs the security you don't have yet. Public-key crypto exists to break exactly this loop (Example 2).
7. (C). Identity verification + certificate issuance = trust anchoring. (D) is a security disaster, not a service — private keys never leave their owners.
8. (B). Know (password) + have (phone/app). (A)/(C)/(D) stack the same category — one factor in a trench coat.
9. (A) and (C). Aggregation risk + routine collection/personalization: both core CED claims. (B) denies permanence; (D) denies the data economy.
10. (B). Rogue-AP awareness + the two real mitigations (avoid, or encrypt). (A) is exactly how rogue APs are named; (C) confuses venue passwords with security.
11. (C). Remember-and-track — cookies' dual convenience/surveillance nature in one sentence (dual effects, one last time).
12. (Model answer.) (i) PII: names and birth dates directly; GPS routes and heart-rate data in context (routes reveal home address and schedule; health data is sensitive). (ii) Heat-map risk: aggregated routes can expose individuals' start/end points (homes) or reveal patterns at sensitive locations — "anonymized" location data re-identifies people whose routes are distinctive (the warm-up's aggregation logic; the military-base incident of Lesson 20 is the famous case). (iii) Authentication: offer multifactor authentication — e.g., password plus a code to the user's phone — so a leaked or phished password alone can't open an account containing location history. (Credit any answer hitting identification-by-combination in (ii) and a genuine second category in (iii).)
Answer letter distribution check: B, C, A, B, C, B, C, B, A+C, B, C — singles: A×1, B×5, C×4, D×0 + multi (A,C). Cumulative through L23 ≈ A 22%, B 32%, C 27%, D 19% — D-share persistently light across IOC lessons (definitional gravity); the mocks' engineered keys will restore global balance. Flagged for the final sweep.
12 (short response, passage-style). A fitness app stores users' names, birth dates, GPS running routes, and heart-rate data, and shares "anonymized" route heat-maps publicly. Identify (i) the PII involved, (ii) one specific risk created by the public heat-maps despite anonymization, and (iii) one authentication improvement the app should offer.
If your PT handles anything user-entered, one design sentence pays dividends: collect only what the program needs. A study-tracker that stores subject and minutes — not name, school, and birthday — has nothing to leak. Data minimization is professional-grade privacy thinking, and Written Response 1 credits purpose-driven design choices ("my program stores only the quiz scores because that's all the average requires").
And as you finish the course's content lessons: apply this one to yourself. You're about to spend weeks in exam-prep mode — enable MFA on the accounts that matter, and treat any "urgent: verify your College Board login" email with the skepticism this lesson just installed. Attackers know exam season too.
1. (B). Birth date + address — identifying, and note it's the combination that sharpens the identification. (A)/(C)/(D) identify no one.
2. (C). Manufactured urgency + credential request = phishing's fingerprint, pop-up edition.
3. (A). Keystroke recording, by definition — capturing secrets as typed, upstream of any encryption.
4. (B). Attach + spread via legitimate files — the virus's defining reproduction mechanism.
5. (C). The pairing rule: public encrypts → private (its twin) decrypts. (A) would make encryption pointless — this distractor tests whether you understand the asymmetry.
6. (B). The bootstrap problem: securing the key's delivery needs the security you don't have yet. Public-key crypto exists to break exactly this loop (Example 2).
7. (C). Identity verification + certificate issuance = trust anchoring. (D) is a security disaster, not a service — private keys never leave their owners.
8. (B). Know (password) + have (phone/app). (A)/(C)/(D) stack the same category — one factor in a trench coat.
9. (A) and (C). Aggregation risk + routine collection/personalization: both core CED claims. (B) denies permanence; (D) denies the data economy.
10. (B). Rogue-AP awareness + the two real mitigations (avoid, or encrypt). (A) is exactly how rogue APs are named; (C) confuses venue passwords with security.
11. (C). Remember-and-track — cookies' dual convenience/surveillance nature in one sentence (dual effects, one last time).
12. (Model answer.) (i) PII: names and birth dates directly; GPS routes and heart-rate data in context (routes reveal home address and schedule; health data is sensitive). (ii) Heat-map risk: aggregated routes can expose individuals' start/end points (homes) or reveal patterns at sensitive locations — "anonymized" location data re-identifies people whose routes are distinctive (the warm-up's aggregation logic; the military-base incident of Lesson 20 is the famous case). (iii) Authentication: offer multifactor authentication — e.g., password plus a code to the user's phone — so a leaked or phished password alone can't open an account containing location history. (Credit any answer hitting identification-by-combination in (ii) and a genuine second category in (iii).)
Answer letter distribution check: B, C, A, B, C, B, C, B, A+C, B, C — singles: A×1, B×5, C×4, D×0 + multi (A,C). Cumulative through L23 ≈ A 22%, B 32%, C 27%, D 19% — D-share persistently light across IOC lessons (definitional gravity); the mocks' engineered keys will restore global balance. Flagged for the final sweep.
Exam tip: Build the two tables on scratch paper if security questions rattle you: the attack zoo (phishing/keylogger/virus/rogue-AP × how-it-works) and the key rules (public = share & encrypt; private = secret & decrypt; CA = vouches; MFA = different categories). Every security item on the exam is one cell of those tables wearing a story.