AP Cybersecurity students need to explain security decisions from evidence. A network log is not a magic answer key; it is one source of evidence that must be interpreted carefully.
Scenario: school club website
A student club website accepts event signups. The administrator notices unusual traffic in the web server logs.
10:14 172.16.4.21 GET /login
10:15 172.16.4.21 POST /login failed
10:15 172.16.4.21 POST /login failed
10:16 172.16.4.21 POST /login failed
10:17 172.16.4.21 GET /admin
10:17 172.16.4.21 GET /admin/usersWhat is suspicious?
The repeated failed logins followed by admin page requests are suspicious. That does not prove a compromise by itself. The next step is to compare with authentication logs, account permissions, and whether the source address belongs to a known admin device.
Possible mitigations
- Require multi-factor authentication for admin accounts.
- Limit admin routes to trusted networks or approved devices.
- Rate-limit repeated login attempts.
- Review whether old club officers still have admin access.
- Preserve logs before making changes that erase evidence.
AP Cyber writing habit
A strong answer ties evidence to a recommendation: "Because the logs show repeated failed logins and admin route access from one source, require MFA and review admin account activity." Avoid unsupported claims like "the attacker definitely stole data" unless the evidence shows it.