Buffer overflow attacks
An attack that occurs when a program writes more data to a buffer than it can hold, causing the excess data to overwrite adjacent memory.
Cross-Site Scripting (XSS)
An attacker injects malicious client-side code (usually JavaScript) into a trusted website. When unsuspecting users visit the compromised page, the browser executes this code, allowing attackers to steal session cookies, capture data, or impersonate users.
Exploit development
A specialized area within the field of cybersecurity that focuses on discovering and utilizing software vulnerabilities. At its core, it involves analyzing software to find weak spots and then crafting code (known as an 'exploit') to take advantage of these vulnerabilities. This could be to gain unauthorized access, escalate privileges, or achieve other objectives.
password cracking tool
recovers passwords using various techniques. The process can involve comparing a list of words to guess passwords or the use of an algorithm to repeatedly guess the password.
penetration testing
A simulated cyberattack used to evaluate the security of a system or network. It involves ethical hackers, also known as pen testers, who attempt to exploit vulnerabilities to identify weaknesses and improve security measures.
Port scanning
network security technique used to identify which ports on a system are open, potentially revealing vulnerabilities and services running on that system.
Pretexting
form of social engineering where an attacker fabricates a story or "pretext" to gain a victim's trust and trick them into sharing sensitive information, performing actions, or granting access to systems.
Response plan
outlines specific actions to be taken in response to a particular event or situation, ensuring a coordinated and effective reaction. These plans can cover a wide range of scenarios, from natural disasters and security breaches to medical emergencies or cyberattacks. Effective response plans are characterised by clarity, actionability, and regular updates to address evolving risks.
Search engine dorking
A technique that uses advanced search operators to find specific, often hidden or sensitive, information on the web. It leverages the extensive indexing of webpages by search engines like Google, allowing users to target precise information by combining keywords and search operators.
Common operators include site:, filetype:, inurl:, and intitle:. For example, site:example.com filetype:pdf would search for PDF files within the example.com website.
Security posture assessment
a comprehensive evaluation of an organization's cybersecurity strength, focusing on identifying vulnerabilities and assessing overall resilience against cyber threats. It helps organizations understand their current security status and prioritize areas for improvement.
Hacker
A person who uses computers to gain access to, or control over, data or systems.
Social Engineering Attacks
These are manipulative tactics used to deceive individuals into revealing sensitive information or performing actions that compromise security. Common forms are BAITING, SCAREWARE, and PHISHING.
IP Address
A number that identifies each computer or device on a network
Network Mapping
Discovery and documentation of physical and logical connectivity that exists in the network
Network topology
Arrangement of different elements in a network.
OS detection
Performs various tests, including registry checks, ICMP probes, and TCP fingerprinting, to determine the target's operating system.
SQL Injection
An attacker supplies a SQL command to a web server as part of the URL or as input to a form on a website; if the web server passes that input into a database query unsanitized, the attacker can potentially perform arbitrary operations on the database.
White Box Testing
This involves sharing full network and system information with the tester, including network maps and credentials. This helps to save time and reduce the overall cost of an engagement. A white box penetration test is useful for simulating a targeted attack on a specific system utilising as many attack vectors as possible.
Gray Box Testing
Only limited information is shared with the tester. Usually, this takes the form of login credentials. It is useful to help understand the level of access a privileged user could gain and the potential damage they could cause. These tests strike a balance between depth and efficiency and can be used to simulate either an insider threat or an attack that has breached the network perimeter.
Black Box Testing
No information is provided to the tester at all. The pen tester in this instance follows the approach of an unprivileged attacker, from initial access and execution through to exploitation. This scenario can be seen as the most authentic, demonstrating how an adversary with no inside knowledge would target and compromise an organisation. However, this typically makes it the costliest option too.
OSINT
Open Source Intelligence: information of potential intelligence value that is available to the general public.
Network scanning
Involves detecting all active hosts on a network and mapping them to their IP addresses, as well as running services and open ports
Malware
Software that is intended to damage or disable computers and computer systems, or to gain access to users' data.
Vishing (Voice Phishing)
Fraudulent method of making voice calls or leaving voice messages imitating reputable companies to take individuals' personal information.
CVEs
A list of publicly known cybersecurity vulnerabilities in systems used to address issues and track patch progress
Return-Oriented Programming (ROP)
A sophisticated technique that uses existing code snippets ('gadgets') in memory, chaining them together to bypass certain protection mechanisms and execute arbitrary code.
Network/packet sniffing
A computer program or computer hardware such as a packet capture appliance that can analyze and log traffic that passes over a computer network or part of a network.
Fuzzers
automatically input a vast amount of random, unexpected, or malformed data into software applications to discover coding errors and vulnerabilities.
active-active healthcare data centre
A configuration where two or more data centres are running the same services and applications simultaneously, and are synchronised with each other, such that if one data centre fails or experiences a disruption, the other one can take over seamlessly, without any data loss or downtime.
PACS
A digital medical imaging technology that manages, stores, retrieves, and transmits diagnostic images (such as X-rays, MRIs, and CT scans) and related reports
IoT-enabled medical devices
Devices with unique and critical vulnerabilities: they usually cannot easily be patched, often use hard-coded passwords, and their failure can have immediate life-or-death consequences (e.g. infusion pumps, heart monitors).
Nmap
A free, open-source tool used for network discovery, inventory management, and security auditing. It acts as a powerful port scanner, identifying active hosts, available services, operating systems, and packet filters on a network by analyzing raw IP packets.
Metasploit
A framework designed for developing exploits and executing them in a systematic manner. It can significantly reduce the time needed to write custom exploits.
Lateral Movement
The technique attackers use to move from a compromised system to others within the network. A key part of post-exploitation.
Privilege Escalation
Ways attackers extend their access on compromised machines: vertical privilege escalation (gaining higher privileges on the same machine) and horizontal privilege escalation (gaining access to another user's privileges at the same level).
Persistence Mechanisms
How attackers maintain access, e.g. scheduled tasks, new user accounts, dynamic-link library (DLL) hijacking.
Security Information and Event Management (SIEM)
An application that aggregates and analyzes log data to monitor critical activities in an organization
Zero-Day Vulnerability
A software vulnerability that is unknown to the vendor and can be exploited by attackers.
Internet of Medical Things
The specific subset of IoT for healthcare. Using this term instead of just IoT is a major mark-earner.
Clinical Engineering vs. IT Departments
Highlights the organizational silos in hospitals that create security gaps for medical devices.
Protected Health Information (PHI)
The specific term for the sensitive data in EHRs that HIPAA protects.
STRIDE Model
A threat modelling framework: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
CVSS
Common Vulnerability Scoring System: used to determine the severity of a vulnerability to aid in prioritisation
DREAD Model
A vulnerability severity model: Damage potential, Reproducibility, Exploitability, Affected users, Discoverability.
BC&DR
Business Continuity and Disaster Recovery: Broader plans that a cybersecurity incident response plan feeds into
HIPAA (Health Insurance Portability and Accountability Act)
The primary U.S. regulation for health data privacy and security. The legal context for everything in the case study.
Responsible Disclosure
The process of privately reporting a vulnerability to the vendor before making it public. The ethical hacking counterpart to finding bugs.
Get Out Of Jail Free Card
A formal, signed document from a client authorizing a tester to perform specific, often intrusive, security tests, protecting the tester from legal prosecution.
Non-Disclosure Agreement (NDA)
A legal document that binds the testers to confidentiality, crucial for protecting Protected Health Information (PHI) and details of any vulnerabilities.
Burp Suite / OWASP ZAP
Tools for web application testing (highly relevant for EHR systems and login portals).
Nessus / OpenVAS
Industry standard vulnerability scanners.