A graded set of questions modelled on the BSSS exam style. Try each one yourself before opening the model answer; that's where the learning happens.
Three sections, increasing in difficulty: Section A short-answer (1-3 marks), Section B scenarios (4-8 marks), Section C extended response and design (10-15 marks). Use the templates from Chapter 19: attack analysis = name + CIA + AAA + mechanism + defence; design = requirements + threats + architecture + controls + justify. Tag CIA pillars on every attack mention. Name Australian-specific frameworks (Privacy Act, NDB, OAIC, Essential Eight) wherever relevant.
20.1 How to Use This Chapter
Each question is followed by a collapsible model answer with marker's notes. Don't peek. Write your own answer first, even a rough one, then open the model and compare. The learning is in the gap between your answer and the model.
Before each section, time yourself: 2 minutes per mark. If a question is worth 6, give yourself 12 minutes. This builds the time-pressure muscle you'll need.
20.2 Section A: Short Answer (1-3 marks each)
Q1 (2 marks). Define the three pillars of the CIA triad.
Confidentiality: only authorised users can read or access the data. Integrity: data is accurate and has not been modified by unauthorised parties. Availability: authorised users can access systems and data when needed. Marker's notes: All three named with one-line definitions = 2 marks. Naming only one or two = 1 mark. Vague definitions ("CIA means security") = 0.
Q2 (2 marks). State two differences between TCP and UDP.
TCP is connection-oriented and reliable (it guarantees delivery and ordering using a 3-way handshake and acknowledgements); UDP is connectionless and provides no delivery guarantees. TCP has higher overhead and latency than UDP, which is why streaming media and online gaming typically use UDP. Marker's notes: Two distinct, correct differences = 2 marks. Be careful with "TCP is better": it's a different tool, not a better one.
Q3 (3 marks). A user receives an email claiming to be from their bank, asking them to click a link and "verify" their password. Identify the attack type, the CIA pillar primarily violated, and the failure category in the AAA framework.
Attack type: phishing, a social engineering attack. CIA pillar: primarily Confidentiality [CIA: C] if credentials are stolen. AAA failure: Authentication; the attack ultimately seeks to compromise the user's authentication credentials so that the attacker can impersonate them. Marker's notes: 1 mark each for correct attack type, CIA, AAA. Penalty for vague attack type ("a hacking attack").
Q4 (3 marks). Given the IP address 192.168.10.150 with a subnet mask of /27, calculate the network address, the broadcast address, and the number of usable hosts.
/27 = 5 host bits, so 32 addresses per subnet. The mask is 255.255.255.224, so the magic number = 256 − 224 = 32. The neighbouring subnet boundaries are .128 and .160; 150 falls in the .128 subnet. Network address: 192.168.10.128. Broadcast address: 192.168.10.159. Usable hosts: 32 − 2 = 30. Marker's notes: 1 mark each. Show working: even with a wrong final answer, correct method earns the method mark.
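The Q4 method carried out in code, as an added example that is not part of the exam paper: the function works through mask, magic number, block boundaries, network and broadcast addresses and usable hosts with plain bit arithmetic, then cross-checks itself against Python's standard ipaddress module. It generalises beyond the /27 case to any prefix length; the /31 and /32 handling is an assumption noted in the code.

```python
import ipaddress


def subnet_details(ip: str, prefix: int) -> dict:
    """Work through the Q4 method for an IPv4 address and prefix length.

    Returns the subnet mask, the 'magic number' (block size in the octet the
    mask splits), the block boundaries around the address, the network and
    broadcast addresses and the usable host count. The arithmetic is done by
    hand with bit operations and then cross-checked against ipaddress.
    """
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {ip}")

    host_bits = 32 - prefix
    ip_int = int.from_bytes(bytes(octets), "big")
    # Mask: 'prefix' ones followed by 'host_bits' zeros.
    mask_int = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    network_int = ip_int & mask_int                          # host bits cleared
    broadcast_int = network_int | (~mask_int & 0xFFFFFFFF)   # host bits set
    block_size = 1 << host_bits                              # addresses per subnet
    # Exam formula 2^h - 2: network and broadcast are reserved. /31 and /32
    # are special cases (point-to-point, single host); assumption: report 0.
    usable_hosts = block_size - 2 if host_bits >= 2 else 0

    mask_octets = list(mask_int.to_bytes(4, "big"))
    net_octets = list(network_int.to_bytes(4, "big"))
    # The 'interesting' octet is the one the prefix boundary falls in.
    idx = (prefix - 1) // 8 if prefix > 0 else 0
    magic = 256 - mask_octets[idx]                           # e.g. 256 - 224 = 32

    result = {
        "mask": ".".join(map(str, mask_octets)),
        "magic_number": magic,
        "block_start": net_octets[idx],
        "next_block": net_octets[idx] + magic,
        "network": ".".join(map(str, net_octets)),
        "broadcast": ".".join(map(str, broadcast_int.to_bytes(4, "big"))),
        "usable_hosts": usable_hosts,
    }

    # Cross-check: the hand calculation must agree with the standard library.
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    if (str(net.network_address) != result["network"]
            or str(net.broadcast_address) != result["broadcast"]):
        raise AssertionError("hand calculation disagrees with ipaddress")
    return result


if __name__ == "__main__":
    for key, value in subnet_details("192.168.10.150", 27).items():
        print(f"{key:>13}: {value}")
```

Running it on the exam's address prints mask 255.255.255.224, magic number 32, block 128 to 160, network 192.168.10.128, broadcast 192.168.10.159 and 30 usable hosts, which is exactly the working a marker wants to see.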
Q5 (2 marks). Explain the difference between authentication and authorisation.
Authentication answers "who are you?": proving identity via something you know, have, or are (e.g., password + MFA code). Authorisation answers "what are you allowed to do?": checking the authenticated user's permissions against the action they're attempting. Authentication happens once at login; authorisation is checked on every action. Marker's notes: 1 mark for clearly distinguishing the two; 1 mark for accurate examples or describing the order/relationship.
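The login-once, authorise-every-action relationship in working code, as an added example that is not part of the exam paper. Authentication checks a password (stored as a salted hash) plus a server-issued one-time code as the second factor; authorisation then consults a role table on each request. The user names, roles, permission strings and per-patient care-team scope are constructed for illustration and loosely follow the EMR RBAC control in Q14.

```python
import hashlib
import hmac
import os
import secrets

# --- Authentication: "who are you?" -----------------------------------------
# Constructed in-memory stores. Passwords are kept only as salted PBKDF2 hashes.
USERS = {}          # username -> {"salt", "hash", "role"}
ISSUED_CODES = {}   # username -> one-time MFA code the server issued (second factor)
SESSIONS = {}       # session token -> username


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, password: str, role: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "role": role}


def login(username: str, password: str, mfa_code: str):
    """Authenticate ONCE: something you know (password) plus something you have
    (the issued MFA code). Returns a session token, or None on failure."""
    rec = USERS.get(username)
    if rec is None:
        _hash_password(password, b"\x00" * 16)   # same cost whether or not the user exists
        return None
    password_ok = hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))
    expected = ISSUED_CODES.get(username, "")
    mfa_ok = bool(expected) and hmac.compare_digest(mfa_code, expected)
    if not (password_ok and mfa_ok):
        return None
    ISSUED_CODES.pop(username)                   # one-time code is consumed
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def logout(token: str) -> None:
    SESSIONS.pop(token, None)                    # a revoked session fails every later check


# --- Authorisation: "what are you allowed to do?" ---------------------------
# Constructed RBAC table (assumption), in the spirit of the Q14 EMR control.
ROLE_PERMISSIONS = {
    "clinician": {"record:read", "record:write"},
    "billing":   {"invoice:read", "invoice:write"},
    "it_admin":  {"user:manage"},
}
# Clinicians are further scoped to patients in their care (constructed data).
CARE_TEAM = {"dr_lee": {"P001", "P002"}}


def authorise(token: str, action: str, patient_id: str = None) -> bool:
    """Checked on EVERY action. A valid session only proves identity; the
    role table and per-patient scope decide whether this action is permitted."""
    username = SESSIONS.get(token)
    if username is None:
        return False                             # not authenticated, or session revoked
    role = USERS[username]["role"]
    if action not in ROLE_PERMISSIONS.get(role, set()):
        return False                             # role does not carry this permission
    if action.startswith("record:"):
        return patient_id in CARE_TEAM.get(username, set())   # least-privilege scope
    return True
```

Note that `authorise` never trusts anything the caller says about who they are: identity comes only from the session token, and the same token is re-checked on every call, so revoking the session (logout, account disabled) takes effect on the next action.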
Q6 (2 marks). Why is HTTPS preferred over HTTP for almost all modern websites?
HTTPS encrypts traffic between the browser and server using TLS, providing Confidentiality (data not readable by network observers) and Integrity (tampering is detectable). HTTP transmits in plaintext and provides neither, so any party between the user and server can sniff or modify the data. Marker's notes: Naming both CIA properties = 2 marks. Naming one = 1 mark. Mentioning TLS adds rigour.
Q7 (3 marks). List three controls from the ACSC Essential Eight and briefly state what each protects against.
1. Multi-factor authentication: protects against credential theft (phishing, brute force) by requiring a second factor. 2. Patch operating systems / applications: closes known vulnerabilities before attackers can exploit them. 3. Regular backups: provides recovery from ransomware and other availability-impacting incidents.
(Other valid answers: application control, restrict admin privileges, configure macro settings, user application hardening, patch applications.) Marker's notes: 1 mark per correctly named E8 control + brief justification. Naming the framework ("ACSC Essential Eight") is implied by the question but appreciated.
Q8 (3 marks). Briefly explain why the principle of least privilege limits the impact of a breach.
Least privilege means every user and service has only the minimum permissions needed for its role. If an account is compromised, the attacker inherits only those limited permissions; they cannot access systems or data outside that scope. This significantly reduces the blast radius of any single compromise. The Medibank breach showed the opposite: a single compromised credential gave broad access to many systems, allowing extensive data exfiltration. (In exam terms: least privilege constrains the impact axis of risk = likelihood × impact.) Marker's notes: 1 mark for definition; 1 for impact-limiting reasoning; 1 for invoking blast radius / risk formula / real-world example.
20.3 Section B: Scenario Questions (4-8 marks each)
Q9 (5 marks). A small Australian retail business operates an online store and stores customer addresses and credit card details in a database on their server. Identify three significant threats the business faces and recommend one specific control for each.
Threat 1: SQL injection against the public-facing online store, which could leak the entire customer database [CIA: C]. Control: use parameterised queries in all database access; deploy a Web Application Firewall (WAF) for an additional defensive layer.
Threat 2: Phishing / credential theft targeting staff with backend access, leading to data theft [CIA: C]. Control: MFA on all staff accounts (especially admin); regular anti-phishing training; email filtering.
Threat 3: Ransomware encrypting business systems and customer data [CIA: A]. Control: tested, offline/immutable backups; EDR on all endpoints; network segmentation to limit lateral spread.
Note: under the Privacy Act 1988 and NDB scheme, a breach of customer credit card or address data is likely "eligible" and requires notification to the OAIC. Marker's notes: 1 mark per identified threat (3); 1 mark per matched control (3), capped at 5. Bonus for naming Australian legal context.
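Why "parameterised queries" is the control for Threat 1, shown as an added example that is not part of the exam paper. The same customer lookup is written twice against a constructed in-memory SQLite table: once by pasting the input into the SQL text (the defect), once with a bound parameter. The classic textbook injection string and the sample customers are constructed inputs; the point is that the parameterised version returns no extra rows and also copes with legitimate apostrophes that break the vulnerable version.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample customer table, in memory (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, address TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, address, card_last4) VALUES (?, ?, ?)",
        [
            ("alice@example.com", "1 Example St, Canberra ACT", "1234"),
            ("bob@example.com", "2 Sample Rd, Sydney NSW", "5678"),
            ("carol@example.com", "3 Test Ave, Hobart TAS", "9012"),
        ],
    )
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, email: str):
    """The defect: the value is pasted into the SQL text, so the input can
    change the shape of the query. Kept only to contrast with the fix below."""
    sql = "SELECT email, address FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, email: str):
    """Parameterised query: the SQL text is fixed, the value travels separately,
    and the database engine never interprets the value as SQL."""
    return conn.execute(
        "SELECT email, address FROM customers WHERE email = ?", (email,)
    ).fetchall()


def compare(conn: sqlite3.Connection, user_input: str) -> dict:
    """Run the same input through both versions and report the row counts,
    so the difference in behaviour is visible side by side."""
    return {
        "vulnerable_rows": len(find_customer_vulnerable(conn, user_input)),
        "safe_rows": len(find_customer_safe(conn, user_input)),
    }


if __name__ == "__main__":
    db = build_demo_db()
    print("normal input :", compare(db, "alice@example.com"))
    print("injected     :", compare(db, "' OR '1'='1"))      # textbook injection string
    print("apostrophe   :", find_customer_safe(db, "o'brien@example.com"))
```

With the injected input the concatenated query degenerates to `WHERE email = '' OR '1'='1'` and returns every row (the whole customer table, a Confidentiality loss), while the parameterised query looks for a customer literally named `' OR '1'='1` and returns nothing. A WAF can add a second layer in front of this, but the parameterised query is the control that removes the defect itself.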
Q10 (6 marks). Compare WPA2-PSK with WPA3-Enterprise as Wi-Fi security options for a school. Recommend which one the school should use and justify your choice.
Comparison:
- Authentication model: WPA2-PSK uses one shared password for all users; WPA3-Enterprise uses individual user accounts authenticated against a RADIUS server.
- Accountability: PSK cannot identify which user did what (everyone looks the same); Enterprise links every connection to an individual.
- Revocation: If a student leaves under PSK, the password must be changed for all users; under Enterprise, just that account is disabled.
- Cryptographic strength: WPA3 uses the SAE handshake, which resists offline dictionary attacks and provides forward secrecy; WPA2 is vulnerable to KRACK and to offline cracking when the passphrase is weak.
Recommendation: WPA3-Enterprise. Three justifications: (1) per-user accountability is essential for managing minors' use of the network and supports compliance with reasonable security obligations under APP 11; (2) easy revocation when students graduate or staff leave avoids the operational burden of mass password rotations; (3) the stronger handshake resists modern attack techniques. Trade-off acknowledged: it requires RADIUS infrastructure, which is more complex to set up, but the long-term benefits substantially outweigh the setup cost. Marker's notes: 1 mark per genuine comparison point (target 3-4); 1-2 marks for clear recommendation; 1-2 marks for justifying with specific reasoning. Acknowledging trade-offs lifts the answer.
Q11 (6 marks). A medical clinic has been hit by ransomware that encrypted patient files. The attackers also claim to have copied 50,000 patient records. Analyse the incident in terms of CIA pillars affected and explain the clinic's likely obligations under Australian law.
CIA analysis:
- Availability [CIA: A] is directly violated: patient files are encrypted and inaccessible, disrupting clinical care.
- Confidentiality [CIA: C] is violated by the data exfiltration claim. 50,000 patient records likely contain sensitive health information, which is given heightened protection under the Privacy Act.
- Integrity [CIA: I] may also be questioned: even after restoration from backups, there's uncertainty whether attackers altered any records during their access.
Australian legal obligations:
The clinic is covered by the Privacy Act 1988 (health service providers are covered regardless of turnover). It must:
1. Assess within 30 days whether this is an "eligible data breach"; given the sensitivity of health data and the scale (50,000 individuals), it almost certainly is.
2. Notify the OAIC as soon as practicable after assessment.
3. Notify affected individuals, explaining what data was involved and steps they should take.
4. Comply with APP 11 obligations and demonstrate reasonable steps were being taken (or not, in which case the clinic faces additional regulatory exposure).
5. Likely report to ACSC via ReportCyber; cooperate with any investigation.
Recent Privacy Act amendments mean penalties for serious or repeated breaches are now in the tens of millions of dollars for corporations. (In exam terms: legal obligations run in parallel with the technical incident response.) Marker's notes: 3 marks for CIA analysis (one per pillar with clear application to the scenario); 3 marks for legal obligations (Privacy Act + NDB + OAIC named, process described, sensitivity of health data acknowledged).
Q12 (5 marks). Explain how a man-in-the-middle (MITM) attack works on an unencrypted public Wi-Fi network and describe two controls that effectively defend against it.
How it works: on an open Wi-Fi network, all traffic is sent over the air unencrypted. An attacker positions themselves between the victim and the legitimate destination, for example by setting up an "evil twin" access point with the same SSID as the cafe's real one. The victim's device auto-connects to whichever has the stronger signal. The attacker now sees, and can modify, every packet to and from the victim. Captured data may include credentials, session cookies, or sensitive information sent over plaintext protocols. The attack violates Confidentiality [CIA: C] and potentially Integrity [CIA: I] if data is modified in transit.
Defences:
1. HTTPS / TLS everywhere: even on a hostile network, the TLS tunnel between browser and server is encrypted end-to-end. Attackers see only metadata (which sites, when), not content. Mitigates the attack significantly under normal conditions, though not absolutely (users who ignore certificate warnings can still fall victim).
2. VPN: encrypts all traffic between the user's device and the VPN server, regardless of whether each application uses TLS. Particularly important when working with legacy apps or where metadata leakage matters.
Both are layers of defence in depth; neither is absolute on its own. Marker's notes: 2-3 marks for clear mechanism explanation including the evil-twin element; 2 marks for two distinct defences with brief justification.
Q13 (8 marks). A national charity stores donor information including names, addresses, and partial credit card numbers. They currently use single-factor passwords, no MFA, and have not updated software in 18 months. Analyse the risks they face using the formula Risk = Likelihood × Impact, and recommend a prioritised set of controls. Reference relevant Australian legal context.
Risk analysis (Likelihood × Impact):
- Phishing → credential theft → data access: Likelihood HIGH (single-factor passwords + targeting based on the charity's public profile); Impact HIGH (significant donor PII at risk under the Privacy Act). Risk: HIGH.
- Exploitation of unpatched software: Likelihood HIGH (18 months unpatched means many known vulnerabilities are present); Impact HIGH (could lead to full system compromise). Risk: HIGH.
- Ransomware: Likelihood MEDIUM-HIGH (charities are routinely targeted); Impact HIGH (data unavailable + possible exfiltration). Risk: HIGH.
- Insider mistake (misdirected email, lost device): Likelihood MEDIUM (typical for any organisation); Impact MEDIUM-HIGH depending on what's exposed. Risk: MEDIUM-HIGH.
Prioritised controls (highest-risk first):
1. Deploy MFA on all staff accounts immediately, especially email and admin. Attacks the likelihood axis of credential-based attacks. ACSC Essential Eight #7.
2. Establish a patching cadence: apply OS and application patches monthly, security patches within 48 hours. Closes known vulnerabilities. Essential Eight #2 and #6.
3. Implement tested, offline backups: the primary defence against ransomware. Attacks the impact axis. Essential Eight #8.
4. Restrict admin privileges: apply least privilege so a compromised user account doesn't equal full system control. Essential Eight #5.
5. Anti-phishing staff training + email filtering with SPF/DKIM/DMARC enforcement. Reduces likelihood of initial access.
6. Centralised logging and monitoring: even a basic SIEM enables detection of breaches in progress, not just after the fact.
Australian legal context:
The charity is covered by the Privacy Act 1988 if turnover > $3M (most national charities qualify). APP 11 requires reasonable steps to protect personal information; given the current state (no MFA, 18 months unpatched), the OAIC may find this falls short of reasonable. Any breach would trigger the NDB scheme: assess within 30 days, notify the OAIC and affected individuals if eligible. Recent Privacy Act amendments raise penalty exposure to tens of millions of dollars for serious breaches. Reporting to ACSC via ReportCyber is also expected.
Conclusion: the highest-leverage immediate actions are MFA + patching cadence + backups. These three alone would dramatically reduce the risk score. Defence in depth is built on top through least privilege, training, and monitoring. (In exam terms: priorities are determined by where Likelihood × Impact is highest, and where controls give the largest reduction per dollar/effort.)
Marker's notes: 3 marks for risk analysis using the formula; 3 marks for prioritised controls with justification; 2 marks for Australian legal context. The structure (risk first, then controls, then legal) is part of what's being assessed.
20.4 Section C: Extended Response and Design (10-15 marks)
Q14 (12 marks). Design a secure network for a 60-bed regional hospital. The hospital has clinical staff (doctors, nurses), administrative staff, patients (Wi-Fi access for visitors), connected medical devices (monitors, infusion pumps), and an electronic medical records (EMR) system holding sensitive patient data. Use the secure design framework. Reference Australian legal context.
Step 1: Requirements
The network must support: clinical staff workflows (EMR access, lab/imaging integration); administrative functions (billing, scheduling); patient/visitor Wi-Fi; networked medical devices; reliable connectivity (lives may depend on availability). Sensitive health information is the most critical data; under the Privacy Act, health information is given heightened protection.
Step 2: Threats
- Cybercriminals (ransomware): hospitals are frequently targeted; consequences include cancelled surgeries and potential patient harm. [CIA: A, C]
- Insider threats (malicious or negligent): staff accessing celebrity/colleague records without authorisation; misdirected emails containing health data. [CIA: C]
- Compromised medical devices: often unpatchable, run old OSes; can be entry points or pivots. [CIA: I, A]
- Phishing of clinical staff: credential theft leading to EMR access. [CIA: C]
- Visitor Wi-Fi abuse: anything from bandwidth saturation to attempts to pivot into the clinical network. [CIA: A, C]
- Nation-state interest in health data: low likelihood at this size but possible. [CIA: C]
Step 3: Architecture
Strict segmentation into VLANs, each with separate firewall rules:
1. Clinical VLAN: staff workstations and clinical apps. Authenticated via WPA3-Enterprise + per-user accounts. Permitted: outbound to EMR servers (specific ports).
2. EMR / server VLAN: EMR application and database. Strict access from the Clinical VLAN only on required ports. No direct internet access; patches are delivered via the management VLAN.
3. Admin VLAN: billing, scheduling. Limited cross-VLAN access; cannot reach the EMR database directly.
4. Medical device VLAN: IoT segment for monitors, pumps, etc. Heavily restricted: no outbound internet, no inbound except from designated management hosts. Critical because devices are often unpatchable.
5. Guest/visitor Wi-Fi VLAN: fully isolated from all internal VLANs; internet access only. Captive portal for terms of use.
6. Management VLAN: admin tools, monitoring, jump hosts. Tightly controlled; MFA required.
Border firewall (stateful, ideally NGFW) between WAN and internal; internal firewalls between VLANs. Internet-facing services minimised.
Step 4: Controls
- Authentication: MFA on all staff accounts (clinical, admin, management); WPA3-Enterprise on Wi-Fi. Addresses likelihood of credential-based attacks. (Essential Eight #7.)
- Authorisation: RBAC for EMR access, so clinicians see only patients in their care and admin staff see only what's needed for billing. Audit trail enabled. (Reduces blast radius and supports detection of insider misuse.)
- Patching: formal cadence for OS, applications, network device firmware. Medical devices receive vendor updates per regulatory guidance. (Essential Eight #2, #6.)
- Backups: daily backups of EMR, offline/immutable, tested quarterly via real restore. Critical given ransomware threat to hospitals. (Essential Eight #8.)
- Endpoint protection: EDR on all workstations; application control where feasible (Essential Eight #1).
- Encryption: TLS for all network traffic; at-rest encryption for EMR database and backups.
- Monitoring: centralised logging from firewalls, authentication, EMR, EDR into a SIEM. Alerts on impossible travel, mass record access, unusual outbound transfers. 24/7 SOC coverage (in-house or MSSP).
- Physical security: server room access controlled and logged; medical devices secured against tampering.
- Staff training: mandatory annual privacy and security training; phishing simulation; clear consequences for unauthorised record access.
- Incident response plan: tested via tabletop exercises; includes legal pathway for NDB assessment.
Step 5: Justification
Each control addresses identified threats per Risk = Likelihood × Impact:
- MFA + training reduce likelihood of credential-based access.
- Segmentation + RBAC + least privilege reduce impact when an account or device is compromised.
- Backups + IR plan reduce impact of ransomware.
- Monitoring + SIEM reduce dwell time, limiting how much damage occurs before detection.
- Audit logging + RBAC address insider abuse through both deterrence (everyone knows access is logged) and detection.
Australian legal context:
- Health service providers are covered by the Privacy Act 1988 regardless of turnover.
- Health information is "sensitive information" with heightened protection requirements.
- APP 11 requires "reasonable steps"; for a hospital handling 60-bed clinical operations and an EMR, this is interpreted strictly.
- Any breach involving patient records is almost certainly notifiable under the NDB scheme: assess within 30 days, notify OAIC and affected individuals.
- The My Health Records Act 2012 may also apply if integrating with national records systems.
- The Security of Critical Infrastructure Act 2018 may apply to large hospitals.
- ACSC Essential Eight provides the baseline cyber hygiene standard expected.
Conclusion: security at a hospital is unusually demanding because availability is itself a clinical concern: a system outage during a code blue is a patient-safety event. The design above prioritises segmentation (limiting blast radius), authentication strength (limiting initial access), and detection (limiting dwell time), with substantial Australian legal context shaping the standard expected. Defence in depth, with multiple layers no single failure will defeat.
Marker's notes: 2 marks per design step (10) + 2 marks for Australian legal context. Penalises generic answers ("use a firewall and antivirus"); rewards specific named controls tied to specific threats and the unique constraints of a clinical environment.
Q15 (10 marks). A high school is upgrading its network from a flat WPA2-PSK Wi-Fi setup to a properly designed environment. Recommend a complete redesign covering hardware, segmentation, authentication, and monitoring. Justify each major decision.
Hardware:
- Border firewall (NGFW) at the internet boundary: provides stateful filtering and can enforce the content filtering required for minors.
- Core switch in the server room with VLAN support: the single point that can enforce segmentation across the network.
- Distribution switches per building/wing: managed switches connected up to the core, supporting VLAN trunking.
- Ceiling-mounted access points across all areas: controller-managed for centralised configuration; supporting WPA3-Enterprise and multiple SSIDs per AP.
- RADIUS server integrated with the school's directory (e.g., Microsoft AD) for per-user Wi-Fi authentication.
- Wireless controller for managing all APs centrally: essential for monitoring, firmware updates, and rogue AP detection.
- Backup infrastructure, both on-premises and offsite (cloud), for student/staff data and configuration.
Segmentation (VLANs):
1. Staff VLAN: teachers and administrative staff. WPA3-Enterprise authenticated.
2. Student VLAN: students. WPA3-Enterprise with per-student accounts. Restricted from staff systems.
3. Server VLAN: internal servers (file, print, LMS, AD). Tightly controlled; only specific ports open from staff/student VLANs.
4. IoT/AV VLAN: projectors, smartboards, printers. Isolated from user devices. (Many of these have weak security and shouldn't be on the same network as user data.)
5. Guest Wi-Fi VLAN: for visitors. Internet-only; cannot reach internal systems.
6. BYOD VLAN (if applicable): student personal devices, separated from school-managed devices.
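The segmentation in the Q14 hospital architecture (Step 3) and in this school redesign is the same pattern: named zones, a default-deny inter-VLAN policy, and a short list of explicit allows. Below is an added example, not part of the exam paper or any vendor product, that models the Q14 rule set as data and then turns the design's own claims ("guest is fully isolated", "medical devices have no outbound internet", "admin cannot reach the EMR database") into checks. The zone names and port numbers (443 for the EMR application tier, 5432 for its database, 22 for management access) are assumptions chosen for illustration; swapping in the school's zones (staff, student, server, IoT/AV, guest, BYOD) uses the same code.

```python
from dataclasses import dataclass
from typing import Optional

# Zones are the VLANs from the Q14 hospital design plus the internet as an external zone.
ZONES = {"clinical", "emr", "admin", "medical_devices", "guest", "management", "internet"}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]   # None means any destination port

    def matches(self, src: str, dst: str, port: int) -> bool:
        return self.src == src and self.dst == dst and self.port in (None, port)


# Constructed allow-list (assumption). Anything not listed is denied.
ALLOW = [
    Rule("clinical", "emr", 443),            # clinicians use the EMR application tier only
    Rule("clinical", "internet", 443),       # web access via the border firewall
    Rule("admin", "internet", 443),
    Rule("admin", "emr", 443),               # billing/scheduling talk to the app tier, never the DB
    Rule("guest", "internet", None),         # visitors: internet only
    Rule("management", "clinical", 22),
    Rule("management", "admin", 22),
    Rule("management", "emr", 22),           # patching of EMR hosts happens from here
    Rule("management", "medical_devices", 22),
    Rule("management", "internet", 443),     # fetches vendor patches on behalf of isolated zones
]

COMMON_PORTS = (22, 80, 443, 5432, 3389)


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Default deny: a flow is permitted only if an explicit rule matches.
    Traffic inside one VLAN is switched locally and is not filtered here."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone in {src} -> {dst}")
    if src == dst:
        return True
    return any(r.matches(src, dst, port) for r in ALLOW)


def check_design_invariants() -> list:
    """Turn the claims made in the architecture into checks. Returns the list
    of violations; an empty list means the rule set honours the design."""
    violations = []
    internal = ZONES - {"internet", "guest"}
    for zone in internal:                                  # guest is fully isolated
        for port in COMMON_PORTS:
            if is_allowed("guest", zone, port):
                violations.append(f"guest VLAN can reach {zone}:{port}")
    for port in COMMON_PORTS:                              # no direct internet from devices or EMR
        if is_allowed("medical_devices", "internet", port):
            violations.append(f"medical devices have outbound internet on {port}")
        if is_allowed("emr", "internet", port):
            violations.append(f"EMR zone has direct internet on {port}")
    for zone in ZONES - {"management", "medical_devices"}: # only management reaches devices
        for port in COMMON_PORTS:
            if is_allowed(zone, "medical_devices", port):
                violations.append(f"{zone} can reach medical devices on {port}")
    for zone in ZONES - {"emr", "management"}:             # nobody hits the database port directly
        if is_allowed(zone, "emr", 5432):
            violations.append(f"{zone} can reach the EMR database port directly")
    return violations


if __name__ == "__main__":
    print("violations:", check_design_invariants() or "none")
```

The value of encoding the design as data is that a later "temporary" rule, say guest to the EMR zone on 443, shows up immediately as a named violation instead of silently widening the blast radius; the check below in the test demonstrates that.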
Authentication:
- WPA3-Enterprise for Staff and Student Wi-Fi: per-user accountability via RADIUS, easy revocation when students graduate, resistant to offline dictionary attacks. [CIA: C, I] protections improved over PSK.
- WPA3-Personal with a rotating password for Guest Wi-Fi: a simpler model appropriate for transient visitors; the isolated VLAN limits the risk if it is compromised.
- MFA on all staff accounts, especially those with admin or sensitive data access. ACSC Essential Eight #7.
- RBAC: teachers see their own students' data; year coordinators see their year level; the principal sees all; IT admins have separate accounts for admin tasks (least privilege, Essential Eight #5).
Monitoring:
- Centralised logging from firewall, RADIUS, AP controller, servers, content-filtering proxy.
- SIEM (could be lightweight cloud-hosted given school scale) for correlation and alerting.
- Content filtering at the firewall/proxy: required when serving minors; must align with state education department policies.
- Alerts for unusual patterns: failed login bursts, off-hours admin activity, suspected malware, large outbound transfers.
- Rogue AP detection via the wireless controller.
- Quarterly review of access logs, especially admin and staff access to student data.
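The monitoring bullets above (and the Q14 SIEM alerts on mass record access) describe rules a SIEM would run; here is an added example, not part of the exam paper or any SIEM product, that implements three of them in a single pass over log lines: a burst of failed logins, a successful admin login outside business hours, and one account reading many distinct records in a short window. The log format, the admin account list, the business hours and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, time

# Constructed log format (assumption, not a real product's):
#   "<iso-timestamp> user=<u> action=<a> result=<OK|FAIL> [record=<id>]"
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"result=(?P<result>OK|FAIL)(?: record=(?P<record>\S+))?$"
)
ADMIN_ACCOUNTS = {"it_admin"}                 # assumption: privileged accounts known from the directory
BUSINESS_HOURS = (time(7, 0), time(19, 0))    # assumption: local hours


def parse(line: str):
    m = LINE.match(line.strip())
    if not m:
        return None                           # unparseable lines are skipped, not fatal
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, fail_threshold=5, fail_window_s=60, mass_threshold=20, mass_window_s=300):
    """Single pass over log lines; returns (rule, user, timestamp) tuples."""
    alerts = []
    fails = defaultdict(deque)      # user -> timestamps of recent failed logins
    reads = defaultdict(deque)      # user -> (timestamp, record id) of recent reads
    mass_alerted = {}               # user -> time of last mass-access alert (avoid re-firing)

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, user = ev["ts"], ev["user"]

        # Rule 1: burst of failed logins within a sliding window.
        if ev["action"] == "login" and ev["result"] == "FAIL":
            q = fails[user]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > fail_window_s:
                q.popleft()
            if len(q) == fail_threshold:       # fire once, when the threshold is crossed
                alerts.append(("failed_login_burst", user, ts.isoformat()))

        # Rule 2: successful admin login outside business hours.
        if ev["action"] == "login" and ev["result"] == "OK" and user in ADMIN_ACCOUNTS:
            if not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
                alerts.append(("off_hours_admin_login", user, ts.isoformat()))

        # Rule 3: one account reading many distinct records in a short window.
        if ev["action"] == "record_read" and ev["result"] == "OK" and ev["record"]:
            q = reads[user]
            q.append((ts, ev["record"]))
            while q and (ts - q[0][0]).total_seconds() > mass_window_s:
                q.popleft()
            distinct = {rec for _, rec in q}
            last = mass_alerted.get(user)
            if len(distinct) >= mass_threshold and (
                last is None or (ts - last).total_seconds() > mass_window_s
            ):
                mass_alerted[user] = ts
                alerts.append(("mass_record_access", user, ts.isoformat()))
    return alerts


def sample_log():
    """Constructed sample lines, in time order (not from any real system)."""
    lines = ["2024-05-03T02:13:44 user=it_admin action=login result=OK"]        # off hours
    lines += ["2024-05-03T09:00:10 user=it_admin action=login result=OK"]       # normal
    lines += [f"2024-05-03T09:12:{i * 5:02d} user=jsmith action=login result=FAIL"
              for i in range(5)]                                                # burst of 5
    lines += [f"2024-05-03T09:30:{i * 5:02d} user=bwong action=login result=FAIL"
              for i in range(3)]                                                # below threshold
    lines += ["2024-05-03T09:30:20 user=bwong action=login result=OK"]
    lines += [f"2024-05-03T10:{i // 6:02d}:{(i % 6) * 10:02d} user=nurse_k "
              f"action=record_read result=OK record=P{i:03d}" for i in range(20)]
    lines += ["this line is not in the expected format"]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Three alerts come out of the sample: the 02:13 admin login, the fifth failed login for jsmith at 09:12:20, and nurse_k's twentieth distinct record read. The three failures for bwong stay below threshold and the malformed line is ignored. The thresholds are parameters because the right values depend on the site; the "quarterly review of access logs" bullet is where those thresholds get tuned against what the logs actually show.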
Justifications (using Risk = Likelihood × Impact):
- Per-user authentication via WPA3-Enterprise reduces both likelihood (resistant to offline attacks) and impact (a single compromise affects only one user, not the whole school) compared to PSK.
- Segmentation reduces the impact of any breach by limiting blast radius: a compromised IoT projector cannot reach student records.
- MFA on staff accounts blocks credential-stuffing and most phishing, which are high-likelihood attack vectors for any organisation.
- RBAC + least privilege ensures even a compromised teacher account cannot expose data outside that teacher's normal scope of access.
- Content filtering and monitoring meet the school's duty of care to minors and align with Privacy Act obligations to protect personal information of students (sensitive information for those under 18 in many contexts).
- Centralised monitoring shortens dwell time, turning attacks into detected incidents rather than long-term compromises.
Australian context:
- Schools fall under the Privacy Act 1988 (or applicable state privacy laws) with heightened obligations because of minors' data.
- ACSC Essential Eight provides the baseline; many controls above map directly (MFA, patching, backups, restrict admin privileges).
- Content filtering aligns with state education department mandatory practices.
Conclusion: the upgrade transforms a flat, low-accountability environment into a segmented, monitored, per-user-authenticated network appropriate for an organisation handling minors' personal data. Each design choice ties to a specific risk reduction. The result is meaningfully more secure under realistic threat scenarios while remaining operationally manageable. (In exam terms: defence in depth via authentication, segmentation, least privilege, and monitoring, each layer addressing a distinct attack path.)
Marker's notes: 2 marks for hardware; 2 for segmentation; 2 for authentication; 2 for monitoring; 2 for justifications + Australian context. Penalises vague answers ("use better security"); rewards naming specific technologies, mapping each to a specific risk.
20.5 Final Self-Test
Ten quick-fire questions to gauge readiness. Answer each in 60 seconds without looking back. If you can do all 10 cleanly, you're ready.
1. What does CIA stand for?
Confidentiality, Integrity, Availability.
2. Which protocol uses port 443?
HTTPS (HTTP over TLS).
3. What's the difference between authentication and authorisation, in 5 words?
Authentication = who; authorisation = what.
4. What's the formula for risk?
Risk = Likelihood × Impact.
5. Name the Australian regulator for privacy.
OAIC: Office of the Australian Information Commissioner.
6. What's the difference between symmetric and asymmetric encryption?
Symmetric = same key for encrypt/decrypt (fast, key-distribution problem). Asymmetric = public/private keypair (slower, solves distribution).
7. Name three of the ACSC Essential Eight.
Any of: application control, patch applications, configure macro settings, user application hardening, restrict admin privileges, patch OS, MFA, regular backups.
8. Why is open Wi-Fi dangerous even when you only browse HTTPS sites?
Metadata leaks (which sites, when), evil-twin MITM possible, non-TLS apps still expose data, DNS queries visible.
9. What does the NDB scheme require?
Eligible data breaches must be assessed within 30 days; if eligible, notify OAIC and affected individuals as soon as practicable.
10. Name the six phases of the Incident Response cycle.