Cybersecurity - Lesson 6 of 6

Layered Defence & Exam Technique

The final lesson. This is where everything comes together. Matching attacks to defences, understanding why no single measure is ever sufficient, and the exam technique that turns good knowledge into full marks.

Duration: 45–60 min. Topics: Defence in Depth, Threat-Defence Matching, Exam Scenarios

A medieval castle didn't rely on just a high wall. There was a moat, then a drawbridge, then a portcullis, then a gatehouse, then inner walls, then a keep. Each layer was designed so that breaching one left you facing the next. No attacker was expected to be stopped by a single barrier.

Think about it: Modern cybersecurity uses exactly the same principle. What is it called? And why is it particularly effective against sophisticated attackers?

The principle is defence in depth - using multiple overlapping layers of security so that an attacker who defeats one layer immediately faces the next. This lesson brings together everything from the series into a complete picture.

Defence in depth - the layered model

Defence in depth is a security strategy where multiple, independent layers of protection are used. No single measure is treated as infallible - instead, each layer reduces risk, and an attacker must defeat all layers to succeed.

Consider a company that uses: a firewall (filters traffic) + anti-malware (detects threats that get through) + encryption (makes stolen data useless) + 2FA (prevents stolen credentials from being used) + regular backups (allows recovery if everything else fails) + staff training (reduces social engineering success). An attacker who defeats the firewall still faces five more layers.

Defence in depth
A security strategy using multiple independent layers of protection so that compromising one layer does not compromise the whole system.
Attack surface
The total set of entry points through which an attacker could potentially gain access. Reducing attack surface is a core security goal.
Residual risk
The remaining risk after all practical security measures have been applied. No system achieves zero risk - the goal is to reduce risk to an acceptable level.

Threat to defence mapping

This table is the most useful revision tool in the series - memorise the defences listed for every threat.

Threat / Attack: Best Defence(s)
Malware (virus, worm, trojan): anti-malware software, automatic updates, user training
Ransomware: regular off-site backups, anti-malware, staff training
Phishing: staff training, 2FA (even if credentials are stolen), email filtering
Blagging / social engineering: staff training, clear security policies, verification procedures
Brute force attack: strong passwords, account lockout, 2FA
DoS / DDoS attack: firewalls, traffic filtering, rate limiting, CDN services
SQL injection: input validation, parameterised queries (not firewalls)
Packet sniffing / MITM: encryption in transit (HTTPS/TLS), with the certificate checked so the client knows it is talking to the real server
Physical unauthorised access: physical security (locks, keycards, CCTV), access levels
Insider threat / excessive access: user access levels, AUP, monitoring and audit logs

Worked exam scenarios

Read each exam question and attempt an answer before revealing the mark scheme. The goal is to practise the level of precision these questions require.

Exam Question 1 [4 marks]
A small business discovers that an attacker has been intercepting communications between its website and its customers. Customer login credentials have been captured. Identify the type of attack and describe two technical measures that could prevent this in future.
[1]Identifies the attack as a man-in-the-middle attack (MITM) or packet sniffing attack.
[1]Measure 1: Implement HTTPS/TLS encryption - this encrypts data in transit so intercepted packets are unreadable (ciphertext). Even if an attacker captures data, they cannot read it without the decryption key.
[1]Measure 2: Two-factor authentication - even if login credentials are captured, the attacker cannot use them to log in without the second authentication factor.
[1]Explanation of how measure reduces the risk (mechanism must be given, not just the name of the measure).
Examiner note: A common error is writing "use a firewall" - a firewall does not protect against interception of already-permitted traffic. Encryption is the correct answer.
Exam Question 2 [6 marks]
A hospital network is targeted by ransomware. Patient records on the hospital's server are encrypted by the malware and a ransom demand is displayed. The hospital has a firewall and uses strong passwords, but has no anti-malware software and no backup system. Evaluate the effectiveness of the hospital's current security measures and suggest what additional measures they should implement.
[1]Current measures: Firewall filters network traffic - it may have prevented some external attacks but cannot stop malware that arrives via email attachments or social engineering, because that traffic is permitted.
[1]Strong passwords prevent brute force attacks but are irrelevant once ransomware is already running inside the network.
[1]Additional measure 1: Anti-malware software - would detect and quarantine the ransomware before it executes, preventing the encryption from occurring.
[1]Additional measure 2: Regular off-site backups - would allow the hospital to restore all data from a clean backup without paying the ransom, minimising disruption and cost.
[1]Additional measure 3: Staff training - ransomware often arrives via phishing emails. Training staff to recognise and avoid phishing would reduce the likelihood of initial infection.
[1]Evaluation point: No single measure is sufficient. The hospital needs a layered approach - technical defences (anti-malware, firewall) combined with procedural measures (training, backups) provides far greater resilience than any single measure.

Common exam mistakes - and how to avoid them

Mistake: "A firewall prevents SQL injection."
Correct answer: SQL injection is an application-layer vulnerability. The defence is input validation and parameterised queries - not network-level controls like firewalls.
Mistake: "Ransomware deletes your files."
Correct answer: Ransomware encrypts files - the data still exists but is inaccessible without the decryption key. This distinction is frequently tested.
Mistake: "A virus spreads automatically across a network."
Correct answer: A worm spreads automatically. A virus requires user action (opening or sharing an infected file) to spread.
Mistake: "Phishing and blagging are the same thing."
Correct answer: Phishing uses fraudulent digital messages (usually email). Blagging uses a fabricated story or false identity - often verbal or written directly.
Mistake: "Encryption prevents data being intercepted."
Correct answer: Encryption does not prevent interception - it makes intercepted data unreadable. An attacker can still capture encrypted packets; they just can't use them.
Mistake: "DDoS attacks steal data from servers."
Correct answer: DoS and DDoS attacks disrupt service by overwhelming servers - they do not extract data. The attack goal is availability disruption, not data theft.
Defence Matcher
For each scenario, select the most appropriate defence(s). Multiple selections may be correct.
Final 5-Question Check
Layered defence & exam technique
Question 1 of 5
What is "defence in depth"?
Question 2 of 5
An attacker steals a user's password via phishing. The user has 2FA enabled. What happens when the attacker tries to log in?
Question 3 of 5
A student writes: "You should use a firewall to prevent SQL injection." Why is this answer incorrect?
Question 4 of 5
Which combination of measures best illustrates the "defence in depth" principle for a company concerned about ransomware?
Question 5 of 5
Why is no single security measure ever sufficient to fully protect a system?
Think deeper

A security consultant tells a company: "You will never achieve perfect security - the goal is to make the cost of attacking you higher than the value an attacker would gain." Evaluate this statement in the context of defence in depth.

Agreement: The statement accurately reflects the economic reality of cybersecurity. Perfect security is theoretically impossible - there will always be new vulnerabilities, human error, and unforeseen attack vectors. The goal is therefore to make successful attacks so difficult, time-consuming, and expensive that attackers choose easier targets instead. This is exactly what defence in depth achieves: each additional layer increases the cost and complexity of a successful attack.

How defence in depth achieves this: A brute force attack that takes months is impractical even if theoretically possible. Ransomware that can be recovered from via backups costs the attacker time with no financial return. Social engineering that fails because staff are trained to be suspicious yields nothing. Each layer raises the cost of success.

Limitations: The statement implies that sufficiently determined and well-resourced attackers (nation-states, for example) will eventually succeed regardless. In these cases, the goal shifts from prevention to detection and response - and this is where monitoring, incident response plans, and backups become critical even when defences are strong.
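The "brute force attack that takes months is impractical" point above is worth putting numbers on. The following is an added example written for this page, not code from the lesson: an account-lockout guard of the kind listed under "Brute force attack" in the threat-defence map, run against a constructed attacker wordlist, plus the keyspace arithmetic behind "strong passwords". The thresholds (5 failures, 15-minute lock), the account and the guess rates are assumptions chosen for illustration.

```python
"""Added example (not from the lesson): account lockout turns an online
brute-force attack from thousands of guesses per second into a handful per
quarter hour, and password length decides whether an offline attack is
minutes or millennia."""


class LoginGuard:
    """Lock an account for `lock_seconds` after `max_failures` wrong guesses."""

    def __init__(self, max_failures: int = 5, lock_seconds: int = 900):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures: dict = {}      # username -> consecutive failures
        self._locked_until: dict = {}  # username -> time the lock expires

    def attempt(self, username: str, password: str, real_password: str,
                now: float) -> str:
        if self._locked_until.get(username, 0) > now:
            return "locked"            # even the right password is refused
        if password == real_password:  # demo only; real code compares hashes
            self._failures[username] = 0
            return "ok"
        fails = self._failures.get(username, 0) + 1
        self._failures[username] = fails
        if fails >= self.max_failures:
            self._locked_until[username] = now + self.lock_seconds
            self._failures[username] = 0
            return "locked"
        return "wrong"


def brute_force_seconds(charset_size: int, length: int,
                        guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given shape."""
    return charset_size ** length / guesses_per_second


def online_rate(max_failures: int, lock_seconds: int) -> float:
    """Guesses per second an attacker gets against a locked-out account."""
    return max_failures / lock_seconds


def demo() -> dict:
    guard = LoginGuard(max_failures=5, lock_seconds=900)
    # Constructed attacker wordlist; the real password is the last entry,
    # but the lock triggers before the attacker reaches it.
    guesses = ["123456", "password", "qwerty", "letmein", "hunter2", "correct horse"]
    outcomes = [guard.attempt("alice", g, "correct horse", now=1000 + i)
                for i, g in enumerate(guesses)]
    return {
        "outcomes": outcomes,
        # 8 lowercase letters, offline at 10^9 guesses/s: about 3.5 minutes
        "offline_8_lower_seconds": brute_force_seconds(26, 8, 1e9),
        # 12 mixed-case letters and digits, offline at 10^9/s: ~100,000 years
        "offline_12_mixed_years": brute_force_seconds(62, 12, 1e9) / (365 * 86400),
        # 4-digit PIN online, 5 tries per 15 minutes: about 21 days
        "online_pin_days": brute_force_seconds(10, 4, online_rate(5, 900)) / 86400,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two caveats a practitioner would add. First, lockout only helps against online guessing; if the password hash database is stolen, the attacker guesses offline at full speed, and only password length and a slow hash protect the user, which is why the layers are combined. Second, lockout is itself a denial-of-service lever: an attacker who knows a username can lock its owner out on purpose, so many systems prefer progressive delays or 2FA over hard locks.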

Cybersecurity series complete!

You've covered all 6 lessons. Review with flashcards, practise with exam questions, or download the unit exam paper.

Printable Worksheets

Practice what you have learned

Three levels of worksheet for this lesson. Download, print and complete offline.

Recall
Defence in Depth
Identify the security layer each measure belongs to. Explain why multiple overlapping layers are more effective than one.
Apply
Evaluate the Defence
Given an attack scenario, evaluate which combination of defences provides the best protection and justify your answer.
Exam Style
Exam-Style Questions
Extended evaluation questions requiring you to recommend, justify, and evaluate complete security strategies.
Cybersecurity Flashcards
Review all Cybersecurity terms with flashcards. Filter by lesson, shuffle, and track what you know.
Teacher Panel
L6: Layered Defence & Exam Technique
Suggested timing
0–5 min: Castle analogy hook - class discussion
5–20 min: Defence in depth model + threat-defence map (print or project)
20–35 min: Worked exam questions - attempt individually then discuss
35–48 min: Common mistakes review + defence matcher
48–60 min: Final quiz + series celebration / revision planning
Learning objectives
1. Explain the defence in depth model and why multiple layers are needed
2. Match specific threats to the most appropriate defences
3. Apply security knowledge to novel exam scenarios with precision
4. Identify and correct common exam errors
Starter / revision activity
Before revealing the castle analogy, show the image and ask: "How does a medieval castle's defence relate to modern cybersecurity?" Students make excellent connections to firewalls (walls), locks (gates), anti-malware (guards), backups (second castle). This is a memorable revision frame for the whole series.
Most common exam mistakes
"Firewall prevents SQL injection" - application-layer attack; defence is input validation.
"DDoS steals data" - it disrupts availability, not confidentiality.
"Encryption prevents interception" - it makes intercepted data unreadable.
"Virus spreads automatically" - worm. Virus needs user action.
"Ransomware deletes files" - it encrypts them. Files still exist.
Exit tickets
Explain what defence in depth means and give an example of a company applying this principle. [4 marks]
A bank's customer data is intercepted during a transaction. Describe the attack and suggest two technical measures to prevent recurrence. [4 marks]
Evaluate the following statement: "A firewall alone is sufficient to protect a company's network." [6 marks]