Chapter 21 · Part E · Exam Night

Exam Night Summary Brain Primer

Read this once the night before, once on the morning of, once in the 5 minutes before reading time. The whole course in a primer card.

You know more than you think. Read through this once, slowly. Don't try to learn anything new — just remind yourself what you already know. Then close the laptop, eat dinner, sleep properly. Tired brain on exam day costs more marks than one extra hour of revision adds.

21.1 The Three Frameworks Everything Else Hangs Off

CIA Triad — what's being protected

Pillar	"Keep..."	Attacked by	Defended by
Confidentiality	secrets secret	sniffing, breach, MITM, phishing, insider	encryption (TLS), access control, least privilege
Integrity	data untampered	MITM, malware, SQLi, spoofing	hashing, digital signatures, input validation
Availability	systems usable	DDoS, ransomware, hardware failure	backups, redundancy, DDoS mitigation

AAA — how access is controlled

Authentication = who are you? (proves identity via factor: know / have / are)
Authorisation = what can you do? (RBAC, least privilege)
Accounting = what did you do? (logs, monitoring — useless if not reviewed)

Risk = Likelihood × Impact

Every security control either reduces likelihood (MFA, training, patching, firewalls) or reduces impact (segmentation, backups, least privilege, encryption at rest). Good design uses both.

21.2 The Layered Models

OSI 7 Layers (top → bottom)

Application — HTTP, DNS, SMTP, what users see
Presentation — encoding, encryption (TLS sits around here)
Session — managing connections
Transport — TCP (reliable) / UDP (fast); ports
Network — IP addressing, routing
Data Link — MAC addresses, switches, Wi-Fi frames
Physical — cables, radio waves

Memory: "All People Seem To Need Data Processing" (top to bottom).

TCP/IP 4 Layers (the practical version)

TCP/IP	Maps to OSI
Application	Application + Presentation + Session
Transport	Transport
Internet	Network
Network Access	Data Link + Physical

21.3 Ports You Should Know Cold

Port	Protocol	Encrypted?
20/21	FTP	No
22	SSH / SFTP	Yes
25	SMTP	Often (STARTTLS)
53	DNS	No (DoH/DoT encrypt)
67/68	DHCP	No
80	HTTP	No
110	POP3	No
143	IMAP	No
443	HTTPS	Yes (TLS)
3389	RDP	Yes

21.4 IP & Subnetting Quick Reference

Private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Loopback: 127.0.0.1
APIPA (DHCP fail): 169.254.x.x
Usable hosts = 2^(host bits) − 2
Magic number = 256 − last octet of subnet mask

CIDR	Mask	Hosts
/24	255.255.255.0	254
/25	255.255.255.128	126
/26	255.255.255.192	62
/27	255.255.255.224	30
/28	255.255.255.240	14
/30	255.255.255.252	2

21.5 Attacks → CIA → Defences (Cheat Card)

Attack	Family	CIA	Primary defence
Phishing	Social	C	MFA, training, email filtering, DMARC
Ransomware	Malware	A (and increasingly C)	Backups (offline), EDR, segmentation
MITM	Network	C, I	HTTPS/TLS, VPN, certificate pinning
DDoS	Network	A	Scrubbing services (Cloudflare), rate limiting
SQL Injection	Web	C, I	Parameterised queries, WAF, input validation
Spoofing (email)	Network	I	SPF + DKIM + DMARC
Brute force	Authentication	C	MFA, account lockout, rate limit
Insider abuse	People	C, I	Least privilege, monitoring, offboarding
Zero-day	Various	Any	Defence in depth, EDR, monitoring

21.6 Australian Legal Framework — Names to Drop

Privacy Act 1988 + Australian Privacy Principles (APPs) — APP 11 = reasonable steps to protect personal info
Notifiable Data Breaches (NDB) scheme — assess in 30 days; notify OAIC + individuals if eligible (likely serious harm)
OAIC = Office of the Australian Information Commissioner — the privacy regulator
Cybercrime Act 2001 — criminalises unauthorised access, modification, impairment
ACSC = Australian Cyber Security Centre (part of ASD); runs cyber.gov.au, ReportCyber
Essential Eight = ACSC's baseline mitigation strategies
My Health Records Act 2012, Telecommunications (Interception and Access) Act 1979, Security of Critical Infrastructure Act 2018 — additional context

21.7 ACSC Essential Eight — Memory List

Application control
Patch applications
Configure macro settings
User application hardening
Restrict admin privileges
Patch operating systems
Multi-factor authentication
Regular backups

Memory hook: "App-Patch-Macro-Hardening, Admin-OS-MFA-Backup." Drop "ACSC Essential Eight" in any defence answer for free credibility.

21.8 Cryptography Quick Recall

Symmetric = same key both ends. AES. Fast. Key-distribution problem.
Asymmetric = public/private keypair. RSA, ECC. Slower. Solves distribution.
Hashing = one-way fingerprint. SHA-256. Same input → same hash; small change → completely different hash. Detects tampering.
Digital signature = hash of message encrypted with sender's private key. Provides integrity + authenticity + non-repudiation.
HTTPS/TLS = uses asymmetric to securely exchange a symmetric key, then symmetric for the actual data. Best of both.

21.9 Two Memorable Australian Breach Examples

Optus, Sept 2022: ~9.8M customer records exposed via an unauthenticated API endpoint. Massive NDB notification. Drove subsequent Privacy Act amendments.
Medibank, Oct 2022: ~9.7M customer records, including health information. Compromised contractor credential led to lateral movement and exfiltration. Highlighted least-privilege failures and the special sensitivity of health data.

Mention either when discussing breach response, NDB scheme, or insider/credential-related risks. Both are exam-credible Australian references.

21.10 Mark-Scoring Mental Habits

Underline the command word first — state, explain, analyse, evaluate. Match your answer's shape to it.
2 minutes per mark — adjust if needed but track time visibly.
Every attack: name + CIA tag + AAA failure + mechanism + defence.
Every design: requirements → threats → architecture → controls → justify (with risk = likelihood × impact framing).
Every "evaluate": take a position, support with reasons, acknowledge a trade-off, conclude.
Soften absolutes: "typically", "primary defence", "mitigates under normal conditions".
Name specifics: WPA3-Enterprise not "secure Wi-Fi"; AES not "encryption"; OAIC not "the regulator".
Australian context counts: Privacy Act + NDB + OAIC + ACSC + Essential Eight wherever they apply.
Diagrams labelled or zero credit.
Spread the butter thin if running out of time. Partial structured answers everywhere > perfect answers nowhere.

21.11 The Big Insights to Carry Into the Exam

Five things examiners reward:
1. Frameworks first. Always show CIA / AAA / risk thinking before content.
2. Specific over generic. Name technologies, attacks, laws, and breaches.
3. Tied controls. Each control should explicitly address an identified threat.
4. Australian context. Privacy Act, NDB, OAIC, ACSC, Essential Eight.
5. Defence in depth. Layers, not single solutions; trade-offs acknowledged.

21.12 What To Do Right Now

Close this guide.
Get dinner — actual food, not snacks.
Pack your bag for tomorrow: ID, pens, water, wristwatch (if allowed), tissues, calculator if permitted. Lay out clothes.
Set TWO alarms.
Sleep at least 7 hours. Yes, really. Tired brain costs more marks than late revision adds.
In the morning: light breakfast (carbs + protein), arrive 20 minutes early, deep breaths, pen ready.
During reading time: skim everything once; mark easy questions; mentally allocate time.
Start with what you're strongest at to bank early marks and confidence.
Use the templates. Use the vocabulary. Cite the Australian frameworks.
If you blank on a question — write the command-word response, tag CIA, name one control. Move on. Come back if time permits. Something always beats nothing.

21.13 Final Thought

You've covered 21 chapters, three frameworks, dozens of attacks and defences, the Australian legal landscape, and the practical tools of the trade. You know more than you think. The exam is just an opportunity to demonstrate it.

Trust the preparation. Stay calm under pressure. Take it one question at a time.

Good luck. You've got this. 🎓

← Previous

20. Practice Questions

Back to →

🏠 Home / TOC