AP exam review verified for 2027

AP Cybersecurity Unit 4 Review: Securing Devices

Review AP Cybersecurity Unit 4 to understand how devices are attacked, authenticated, protected, and monitored. This unit covers malware types, hashing and multi-factor authentication, device hardening controls, and log analysis for indicators of compromise.

Use the topic guides, key terms, and practice questions available on Fiveable to work through each concept before your exam.

What is AP Cybersecurity unit 4?

Every digital device, from a server in a data center to a smart thermostat, can be a target. Unit 4 builds your ability to think like both an attacker and a defender at the device level. You will identify what makes devices vulnerable, explain how authentication systems work and fail, apply protective controls, and analyze logs to catch attacks in progress.

Unit 4 is about securing individual computing devices. It covers the types of malware adversaries use, how authentication mechanisms verify users, the controls that harden devices against attack, and how to read authentication and system logs to detect indicators of compromise.

Devices and malware

Servers, personal computers, handheld devices, embedded systems, and IoT devices each have distinct attack surfaces. Malware types including viruses, worms, trojans, ransomware, spyware, rootkits, keyloggers, and logic bombs each behave differently and require different detection approaches.

Authentication and password security

Systems store passwords as salted hashes using algorithms like SHA-256 or NTHash rather than plaintext. Authentication factors include something you know, something you have, something you are, and somewhere you are. Password attacks range from online brute force to offline hash cracking, credential stuffing, and password spraying.

Protection and detection

Layered device defenses include acceptable use policies, password policies, anti-malware software with signature databases, OS patching, and host-based firewalls with ACL rules. Detection relies on log analysis to find IoCs such as failed logins, unexpected processes, and unauthorized configuration changes.

Defense in depth at the device level

No single control secures a device. Unit 4 treats device security as overlapping layers: policies set expectations, authentication verifies identity, anti-malware and patching reduce the attack surface, firewalls filter traffic, and logs provide visibility after a breach. Understanding how each layer fails helps you choose the right control for a given scenario.

AP Cybersecurity unit 4 topics

4.1 Device Vulnerabilities and Attacks

Covers server, personal, handheld, embedded, and IoT device types; malware behaviors including viruses, worms, trojans, ransomware, spyware, rootkits, keyloggers, and logic bombs; and how to rate vulnerability risk as high, moderate, or low based on device criticality.

4.2 Authentication

Explains cryptographic hashing and salting for password storage, the four authentication factor types, MFA configuration, and how online and offline password attacks, credential stuffing, and password spraying exploit weak authentication.

4.3 Protecting Devices

Covers managerial controls (acceptable use and password policies), anti-malware signature scanning and quarantine, OS and application patching, and host-based firewall rule configuration using ACLs.

4.4 Detecting Attacks on Devices

Covers log analysis for IoCs, authentication log patterns for brute force and spraying attacks, signature-based versus anomaly-based detection trade-offs, EDR services, and why embedded devices often cannot run local detection tools.

Unit 4 review notes

4.1 Device Types, Malware, and Vulnerability Risk

Adversaries target different device categories in different ways. Servers provide services like DNS, DHCP, and FTP to other machines and are high-value targets. Personal computers handle individual work tasks. Handheld devices like smartphones run on battery and have limited security controls. Embedded computers inside appliances and IoT devices often cannot run security software at all. Malware exploits these devices through unpatched software, weak authentication, and missing BIOS or UEFI passwords that allow boot-level access. Risk level depends on how critical the device or its data is.

  • Virus: Malware that requires a user to execute or open a file to activate and spread.
  • Worm: Malware that spreads automatically between computers without any user interaction.
  • Trojan: Malware hidden inside software that appears legitimate; a RAT variant gives the adversary remote control.
  • Ransomware: Encrypts a device's files and demands payment for the decryption key.
  • BIOS/UEFI: Firmware that initializes hardware at boot; no password on BIOS or UEFI lets an adversary boot into recovery mode and bypass OS-level controls.
Can you classify a described malware behavior as a virus, worm, trojan, ransomware, spyware, rootkit, keylogger, or logic bomb, and rate the associated risk as high, moderate, or low based on the device type and data involved?

| Malware Type | Requires User Action? | Primary Effect |
|---|---|---|
| Virus | Yes | Corrupts or destroys files on activation |
| Worm | No | Self-propagates across a network |
| Trojan / RAT | Yes (opens file) | Hides in software; RAT gives remote access |
| Ransomware | No (after delivery) | Encrypts files and demands payment |
| Rootkit | No | Hides deep in OS to maintain persistent access |
4.2 Authentication: Hashing, Factors, and Password Attacks

Systems store passwords as hashes, not plaintext. A cryptographic hash function takes any input and produces a fixed-length output; SHA-256 and NTHash are common examples. Salting adds a random value before hashing to prevent rainbow table attacks. Authentication factors are categorized as knowledge (password, PIN), possession (access card, authenticator app), biometric (fingerprint, face), and location. Multi-factor authentication (MFA) requires two or more factor types. Password attacks exploit weak authentication: online attacks try combinations against a live login portal; offline attacks crack a stolen hash database without triggering lockouts. Credential stuffing uses leaked username-password pairs; password spraying tries one common password against many accounts.

  • Cryptographic hash: A one-way function that produces a fixed-length digest; pre-image resistance means you cannot reverse a hash to find the original input.
  • Salt: A random value added to a password before hashing so identical passwords produce different hashes, defeating precomputed rainbow tables.
  • MFA: Authentication requiring at least two different factor types, making a stolen password alone insufficient for access.
  • Offline password attack: Cracking a stolen hash database on the attacker's own machine, bypassing account lockout policies.
  • Password spraying: Trying one common password against many accounts to avoid triggering per-account lockout thresholds.
Given a scenario, can you identify which authentication factor type is being used, explain why salted hashes are stored instead of plaintext, and classify a described attack as brute force, credential stuffing, or password spraying?

| Attack Type | Target | Key Indicator in Logs |
|---|---|---|
| Brute force (online) | Single account | Many failed logins for one username |
| Password spraying | Many accounts | Many accounts failing from one IP in seconds |
| Credential stuffing | Many accounts | Default or known user:password pairs attempted rapidly |
| Offline hash cracking | Stolen hash database | No log trail on the victim system |
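To make the hashing and salting process concrete, here is an added Python example (it is not code from the page or from the exam): it stores a password as a salted SHA-256 digest, verifies a login against the stored salt and digest, and shows why a precomputed table of unsalted digests recovers an unsalted hash but not a salted one. The toy table of four common passwords is constructed for the demonstration; SHA-256 is used because the unit names it.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed toy "rainbow table": unsalted SHA-256 digests of a few common
# passwords, precomputed once by the attacker. A real table holds millions.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def unsalted_digest(password: str) -> str:
    """SHA-256 of the bare password: what a system without salting would store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


UNSALTED_TABLE = {unsalted_digest(p): p for p in COMMON_PASSWORDS}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, digest_hex) for a salted SHA-256 password hash.

    A fresh 16-byte random salt is generated when none is supplied, so two
    accounts with the same password get different stored digests. Both the
    salt and the digest are stored; only the plaintext password is not.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_password(password: str, salt_hex: str, stored_digest: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    Hashing is one-way: the system never recovers the password from the
    digest, it only checks whether a candidate hashes to the same value.
    """
    _, candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_digest)


def table_lookup(digest_hex: str) -> Optional[str]:
    """Simulate a precomputed-table attack: reverse a digest by lookup alone."""
    return UNSALTED_TABLE.get(digest_hex)


def demo() -> dict:
    """Walk through storage, verification, and the effect of the salt."""
    salt_a, digest_a = hash_password("password")
    salt_b, digest_b = hash_password("password")  # same password, new salt
    return {
        "login_ok": verify_password("password", salt_a, digest_a),
        "login_wrong_case": verify_password("Password", salt_a, digest_a),
        "same_password_same_digest": digest_a == digest_b,
        "unsalted_recovered": table_lookup(unsalted_digest("password")),
        "salted_recovered": table_lookup(digest_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt defeats the precomputed table because the attacker would need a separate table per salt value. It does not slow down cracking of a single stolen salted hash, which is why production systems pair the salt with a deliberately slow password-hashing function such as Argon2 or bcrypt rather than plain SHA-256.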
4.3 Protecting Devices: Policies, Anti-Malware, Patching, and Firewalls

Device protection is layered, from managerial policy down to technical controls. Acceptable use policies define what users may and may not do on organizational devices. Password policies enforce complexity, minimum length, maximum age, and reuse restrictions. Anti-malware software maintains a signature database, scans files, and quarantines matches. Keeping the OS and applications patched closes known vulnerabilities before adversaries can exploit them. A host-based firewall runs on the device itself and applies ACL rules to allow or deny inbound and outbound traffic by port, protocol, source, or destination, providing protection even when the device is on a compromised network.

  • Patch: A small software update that fixes a specific vulnerability in an OS or application.
  • Anti-malware signature: A pattern or fingerprint in a malware file that anti-malware software uses to detect and quarantine the threat.
  • Host-based firewall: Software running on a single device that filters traffic using an ordered ACL, independent of any network-level firewall.
  • ACL (Access Control List): An ordered list of rules a firewall evaluates in sequence; the first matching rule is applied.
  • Acceptable use policy: A managerial control that specifies permitted and prohibited activities on organizational devices.
Can you explain why a host-based firewall adds value even when a network firewall exists, and describe what happens when anti-malware software finds a file matching a known signature?

| Control Type | Example | What It Stops |
|---|---|---|
| Managerial | Acceptable use policy | Risky user behavior on org devices |
| Managerial | Password policy | Weak or reused passwords |
| Technical | Anti-malware software | Known malware via signature matching |
| Technical | OS patching | Exploits targeting known vulnerabilities |
| Technical | Host-based firewall | Unauthorized inbound/outbound traffic by port or IP |
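The first-match ACL evaluation described above, as an added Python example that is not part of the page: it loads the rule set from Source 1 of the FRQ further down (device 192.168.5.100) and walks it in order, returning the action and the number of the rule that decided it. Traffic that matches no rule falls to a default deny; that default, and the use of the rule's protocol label as a plain case-insensitive match, are assumptions of this example rather than something the table states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str       # "Allow" or "Deny"
    source: str       # CIDR block, single address, or "ALL"
    destination: str  # CIDR block, single address, or "ALL"
    direction: str    # "Inbound" or "Outbound"
    port: str         # port number as a string, or "ALL"
    protocol: str     # service label as written in the rule, or "ALL"


# Rule set copied from Source 1 of the FRQ on this page (device 192.168.5.100).
ACL: List[Rule] = [
    Rule(1, "Allow", "192.168.5.0/24", "ALL", "Inbound", "22", "SSH"),
    Rule(2, "Allow", "ALL", "ALL", "Inbound", "80", "HTTP"),
    Rule(3, "Allow", "ALL", "ALL", "Inbound", "443", "HTTPS"),
    Rule(4, "Allow", "192.168.5.50", "ALL", "Inbound", "3306", "MySQL"),
    Rule(5, "Allow", "ALL", "ALL", "Outbound", "53", "DNS"),
    Rule(6, "Allow", "ALL", "ALL", "Outbound", "80", "HTTP"),
    Rule(7, "Allow", "ALL", "ALL", "Outbound", "443", "HTTPS"),
    Rule(8, "Deny", "ALL", "ALL", "Inbound", "ALL", "ALL"),
]


def _addr_matches(pattern: str, addr: str) -> bool:
    """'ALL' matches anything; otherwise the address must lie in the pattern's network."""
    if pattern == "ALL":
        return True
    return ip_address(addr) in ip_network(pattern, strict=False)


def _label_matches(pattern: str, value: str) -> bool:
    """Case-insensitive match for direction, port, and protocol labels; 'ALL' is a wildcard."""
    return pattern == "ALL" or pattern.lower() == value.lower()


def evaluate(acl: List[Rule], src: str, dst: str, direction: str, port: int,
             protocol: str, default: str = "Deny") -> Tuple[str, Optional[int]]:
    """Return (action, rule_number) for the first rule that matches the packet.

    Rules are checked strictly in order and evaluation stops at the first
    match, so placing rules in the wrong order changes the result. A packet
    that matches nothing gets the default action (assumed deny here).
    """
    for rule in acl:
        if (_label_matches(rule.direction, direction)
                and _addr_matches(rule.source, src)
                and _addr_matches(rule.destination, dst)
                and _label_matches(rule.port, str(port))
                and _label_matches(rule.protocol, protocol)):
            return rule.action, rule.number
    return default, None


def demo() -> dict:
    """Evaluate a few packets against the Source 1 ACL, including a misordered copy."""
    device = "192.168.5.100"
    misordered = [ACL[-1]] + ACL[:-1]  # deny-all moved to the top
    return {
        # Remote host probing MySQL: not 192.168.5.50, so rule 4 fails and rule 8 denies.
        "mysql_from_internet": evaluate(ACL, "198.51.100.22", device, "Inbound", 3306, "MySQL"),
        # The one host that rule 4 names.
        "mysql_from_5.50": evaluate(ACL, "192.168.5.50", device, "Inbound", 3306, "MySQL"),
        # LAN host reaching SSH via rule 1.
        "ssh_from_lan": evaluate(ACL, "192.168.5.45", device, "Inbound", 22, "SSH"),
        # Anyone may reach HTTPS (rule 3).
        "https_from_internet": evaluate(ACL, "203.0.113.9", device, "Inbound", 443, "HTTPS"),
        # Outbound DNS is explicitly allowed (rule 5).
        "dns_out": evaluate(ACL, device, "8.8.8.8", "Outbound", 53, "DNS"),
        # Outbound SSH matches no rule at all: the default applies.
        "ssh_out": evaluate(ACL, device, "203.0.113.9", "Outbound", 22, "SSH"),
        # With deny-all first, even permitted HTTPS never reaches rule 3.
        "https_misordered": evaluate(misordered, "203.0.113.9", device, "Inbound", 443, "HTTPS"),
    }


if __name__ == "__main__":
    for name, (action, number) in demo().items():
        print(f"{name:22} -> {action} (rule {number})")
```

The misordered case is the point to remember for rule-writing questions: a deny-all belongs at the bottom of the ACL, because the first matching rule wins and nothing below it is consulted.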
4.4 Detecting Attacks: Logs, IoCs, and Detection Methods

Devices automatically log logins, file activity, process starts, and configuration changes. Analysts review these logs to find indicators of compromise (IoCs): unusual files, unexpected processes, unauthorized config changes, or unauthorized software installs. Authentication logs are the primary source for spotting password attacks. Detection methods are either signature-based (fast, low resource use, misses novel threats) or anomaly-based (catches new threats, uses more resources, higher false positive rate). Endpoint detection and response (EDR) services provide centralized, holistic detection across many devices. Embedded and IoT devices often lack the processing power to run any detection tool locally.

  • Indicator of compromise (IoC): Evidence in logs or configuration files that an adversary has accessed or modified a device.
  • Authentication log: A system log recording every login attempt, used to detect brute force, spraying, and credential stuffing attacks.
  • Signature-based detection: Compares files or traffic against a database of known malware patterns; fast and low-resource but blind to new threats.
  • Anomaly-based detection: Flags behavior that deviates from a baseline; catches novel attacks but uses more resources and generates more false positives.
  • EDR (Endpoint Detection and Response): A third-party service providing unified threat detection and response across an organization's devices.
Given a log excerpt showing repeated failed logins for one account, can you identify the attack type, name the IoC, and explain why signature-based detection is preferred on resource-limited embedded devices?

| Detection Method | Speed | Resource Use | False Positives | Best For |
|---|---|---|---|---|
| Signature-based | Fast | Low | Low | Devices with limited processing power |
| Anomaly-based | Slower | High | Higher | Devices where novel threat detection matters |
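Reading an authentication log for the patterns in the Unit 4.2 attack table, as an added Python example that is not from the page: it parses sshd "Failed password" lines, groups the failures by source IP, and applies the unit's rule of thumb, many failures against one username is brute force, many usernames from one IP within seconds is password spraying. The sample input is rows 3 to 10 of Source 3 from the FRQ further down (row numbers dropped) plus a constructed burst against a single account and one stray failure; the thresholds and the choice to judge a burst by its total time span are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Matches sshd failure lines in syslog format; the optional "invalid user"
# marks usernames that do not exist on the host.
FAILED_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: rows 3-10 of Source 3 on this page (row numbers dropped),
# then an invented burst against one real account from a second address, one
# stray failure from the LAN, and a successful key login that must be ignored.
SAMPLE_LOG = """\
Oct 24 09:14:22 webserver sshd[5021]: Failed password for invalid user admin from 203.0.113.50 port 49211 ssh2
Oct 24 09:14:24 webserver sshd[5023]: Failed password for invalid user root from 203.0.113.50 port 49215 ssh2
Oct 24 09:14:25 webserver sshd[5025]: Failed password for invalid user ubuntu from 203.0.113.50 port 49218 ssh2
Oct 24 09:14:27 webserver sshd[5027]: Failed password for invalid user test from 203.0.113.50 port 49220 ssh2
Oct 24 09:14:28 webserver sshd[5029]: Failed password for invalid user admin from 203.0.113.50 port 49223 ssh2
Oct 24 09:14:30 webserver sshd[5031]: Failed password for invalid user user from 203.0.113.50 port 49225 ssh2
Oct 24 09:14:31 webserver sshd[5033]: Failed password for invalid user root from 203.0.113.50 port 49228 ssh2
Oct 24 09:14:33 webserver sshd[5035]: Failed password for invalid user support from 203.0.113.50 port 49230 ssh2
Oct 24 09:40:02 webserver sshd[5060]: Failed password for alice from 203.0.113.9 port 50110 ssh2
Oct 24 09:40:03 webserver sshd[5062]: Failed password for alice from 203.0.113.9 port 50112 ssh2
Oct 24 09:40:05 webserver sshd[5064]: Failed password for alice from 203.0.113.9 port 50115 ssh2
Oct 24 09:40:06 webserver sshd[5066]: Failed password for alice from 203.0.113.9 port 50117 ssh2
Oct 24 09:40:08 webserver sshd[5068]: Failed password for alice from 203.0.113.9 port 50119 ssh2
Oct 24 09:40:09 webserver sshd[5070]: Failed password for alice from 203.0.113.9 port 50121 ssh2
Oct 24 09:55:40 webserver sshd[5090]: Failed password for bob from 192.168.5.88 port 50200 ssh2
Oct 24 10:15:01 webserver sshd[5100]: Accepted publickey for admin from 192.168.5.45 port 55214 ssh2
"""


def parse_failures(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, username, source_ip) from each failed-login line."""
    events = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            # syslog omits the year; the 1900 default is fine for computing spans
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def classify(lines: List[str], min_failures: int = 5, window_seconds: int = 60,
             spray_users: int = 3) -> Dict[str, dict]:
    """Group failures by source IP and label each burst (thresholds are assumptions).

    brute force:        at least min_failures within window_seconds, few usernames
    password spraying:  the same burst spread across spray_users or more usernames
    Sources below the failure threshold are reported as unflagged so an analyst
    still sees them. A slow attack spread over hours would not trip this simple
    whole-burst span check; a sliding window would be needed for that.
    """
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))

    report = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        span = int((attempts[-1][0] - attempts[0][0]).total_seconds())
        users = sorted({u for _, u in attempts})
        if len(attempts) >= min_failures and span <= window_seconds:
            kind = "password spraying" if len(users) >= spray_users else "brute force"
        else:
            kind = "unflagged"
        report[ip] = {"type": kind, "failures": len(attempts),
                      "users": users, "span_seconds": span}
    return report


def analyze_sample() -> Dict[str, dict]:
    """Run the classifier over the constructed sample log."""
    return classify(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in analyze_sample().items():
        print(f"{ip:15} {info['type']:18} {info['failures']} failures over "
              f"{info['span_seconds']}s, users={info['users']}")
```

The IoC in each flagged case is the cluster of failed logins itself; the source IP, the username list, and the time span are the specific entries an answer should quote from the log.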

Practice AP Cybersecurity unit 4 questions

Try AP-style multiple-choice questions and written prompts after you review the notes.

Example AP-style MCQs

Question 1

A hospital's network includes an unpatched MRI scanner running outdated firmware with a publicly known remote code execution vulnerability. A security analyst is documenting this risk. Which security control would most directly reduce the risk, and why is this vulnerability classified as high risk?

  • Apply the firmware patch immediately, because the device controls critical medical operations and holds sensitive patient data
  • Implement network segmentation immediately, because the device controls critical medical operations and holds sensitive patient data
  • Apply the firmware patch immediately, because the vulnerability requires physical access to exploit and poses moderate risk to the device
  • Restrict user access permissions immediately, because the device controls critical medical operations and holds sensitive patient data

Question 2

A university's IT security team is auditing three devices: a research database server storing unpublished clinical trial data, a faculty member's smartphone with a weak four-digit PIN and no encryption, and a networked coffee maker in the faculty lounge with default credentials but no access to institutional data. The team must rank these devices by risk level from highest to lowest and justify the ranking.

  • Research server is highest risk, smartphone is moderate risk, and coffee maker is lowest risk, based on data sensitivity and device criticality
  • Coffee maker is highest risk, research server is moderate risk, and smartphone is lowest risk, based on data sensitivity and device criticality
  • Smartphone is highest risk, coffee maker is moderate risk, and research server is lowest risk, based on data sensitivity and device criticality
  • Research server is highest risk, coffee maker is moderate risk, and smartphone is lowest risk, based on data sensitivity and device criticality

Example FRQs

FRQ: Network security risks and vulnerability assessment analysis

The following sources all come from the same device (IP address 192.168.5.100) and were captured during a routine risk assessment. Use them to answer parts A through E.

Source 1 — Device Firewall Settings

| Rule Number | Action | Source | Destination | Direction | Port Number | Protocol |
|---|---|---|---|---|---|---|
| 1 | Allow | 192.168.5.0/24 | ALL | Inbound | 22 | SSH |
| 2 | Allow | ALL | ALL | Inbound | 80 | HTTP |
| 3 | Allow | ALL | ALL | Inbound | 443 | HTTPS |
| 4 | Allow | 192.168.5.50 | ALL | Inbound | 3306 | MySQL |
| 5 | Allow | ALL | ALL | Outbound | 53 | DNS |
| 6 | Allow | ALL | ALL | Outbound | 80 | HTTP |
| 7 | Allow | ALL | ALL | Outbound | 443 | HTTPS |
| 8 | Deny | ALL | ALL | Inbound | ALL | ALL |

Source 2 — /home/admin/.bash_history

tail -n 10 /home/admin/.bash_history
1  sudo apt update
2  sudo apt upgrade -y
3  systemctl status nginx
4  cd /var/www/html
5  ls -la
6  nano config.php
7  sudo systemctl restart nginx
8  ping 8.8.8.8
9  ufw status numbered
10 exit

Source 3 — /var/log/auth.log

sudo tail -n 15 /var/log/auth.log
1  Oct 24 08:12:01 webserver CRON[4122]: pam_unix(cron:session): session opened for user root
2  Oct 24 08:12:01 webserver CRON[4122]: pam_unix(cron:session): session closed for user root
3  Oct 24 09:14:22 webserver sshd[5021]: Failed password for invalid user admin from 203.0.113.50 port 49211 ssh2
4  Oct 24 09:14:24 webserver sshd[5023]: Failed password for invalid user root from 203.0.113.50 port 49215 ssh2
5  Oct 24 09:14:25 webserver sshd[5025]: Failed password for invalid user ubuntu from 203.0.113.50 port 49218 ssh2
6  Oct 24 09:14:27 webserver sshd[5027]: Failed password for invalid user test from 203.0.113.50 port 49220 ssh2
7  Oct 24 09:14:28 webserver sshd[5029]: Failed password for invalid user admin from 203.0.113.50 port 49223 ssh2
8  Oct 24 09:14:30 webserver sshd[5031]: Failed password for invalid user user from 203.0.113.50 port 49225 ssh2
9  Oct 24 09:14:31 webserver sshd[5033]: Failed password for invalid user root from 203.0.113.50 port 49228 ssh2
10 Oct 24 09:14:33 webserver sshd[5035]: Failed password for invalid user support from 203.0.113.50 port 49230 ssh2
11 Oct 24 10:05:12 webserver kernel: [12456.789012] [UFW BLOCK] IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e SRC=198.51.100.22 DST=192.168.5.100 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=41234 DF PROTO=TCP SPT=51342 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
12 Oct 24 10:05:15 webserver kernel: [12459.123456] [UFW BLOCK] IN=eth0 OUT= MAC=00:1a:2b:3c:4d:5e SRC=198.51.100.22 DST=192.168.5.100 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=41235 DF PROTO=TCP SPT=51342 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
13 Oct 24 10:15:01 webserver sshd[5100]: Accepted publickey for admin from 192.168.5.45 port 55214 ssh2
14 Oct 24 10:15:01 webserver sshd[5100]: pam_unix(sshd:session): session opened for user admin
15 Oct 24 10:20:01 webserver CRON[5120]: pam_unix(cron:session): session opened for user root

Source 4 — /var/log/nginx/access.log

sudo tail -n 8 /var/log/nginx/access.log
1  192.168.5.45 - - [24/Oct/2024:11:01:22 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
2  192.168.5.45 - - [24/Oct/2024:11:01:25 +0000] "GET /css/style.css HTTP/1.1" 200 512 "http://192.168.5.100/index.html" "Mozilla/5.0"
3  198.51.100.77 - - [24/Oct/2024:11:05:10 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "curl/7.68.0"
4  198.51.100.77 - - [24/Oct/2024:11:05:12 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 400 154 "-" "curl/7.68.0"
5  198.51.100.77 - - [24/Oct/2024:11:05:13 +0000] "GET /images/../../../../etc/shadow HTTP/1.1" 400 154 "-" "curl/7.68.0"
6  198.51.100.77 - - [24/Oct/2024:11:05:15 +0000] "GET /images/../../../var/www/html/config.php HTTP/1.1" 200 842 "-" "curl/7.68.0"
7  192.168.5.88 - - [24/Oct/2024:11:10:05 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
8  192.168.5.88 - - [24/Oct/2024:11:10:06 +0000] "GET /dashboard.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"

Source 5 — ls -l /var/www/html

ls -l /var/www/html
-rw-r--r-- 1 www-data www-data 1024 Oct 20 09:15 index.html
-rw-r--r-- 1 www-data www-data  512 Oct 20 09:15 login.php
-rw-r--r-- 1 www-data www-data 2048 Oct 20 09:15 dashboard.php
-rw-rw-rw- 1 www-data www-data  842 Oct 21 14:30 config.php
drwxr-xr-x 2 www-data www-data 4096 Oct 20 09:15 images
drwxr-xr-x 2 www-data www-data 4096 Oct 20 09:15 css

Source 6 — Acceptable Use Policy

  • Keep device operating systems and software applications updated to the most recent approved versions.

  • Use strong passwords meeting organizational complexity requirements.

  • Connecting company-issued peripheral devices (e.g., keyboards, mice, monitors).

  • Accessing the internet for business-related research and tasks.

  • Modifying system configuration settings, including firewalls and access controls, without authorization.

  • Connecting unauthorized removable media (e.g., personal USB drives).

  • Installing unapproved third-party software.

a. Consider the policy for the device in Source 6.

  i. Explain how one provision of the acceptable use policy helps protect the device.

  ii. Explain how one rule in the current policy could be modified to make the device more secure. Include a specific example in your response.

b. In the authorization log (Source 3), there is evidence of a password attack in rows 3–10.

  i. Describe the evidence in the log file that indicates a password attack. Include specific entries from the log file in your response.

  ii. Identify the IP address of the adversary conducting the password attack.

c. Consider all the sources from the device.

  i. Explain how the permission settings for one file in the /var/www/html directory determine the level of access for that file for the owner, group, and all other users on the system. Include the name of the file in your response.

  ii. Other than removing all permissions from all users, describe one way the permission settings for one file on the system could be configured to restrict access for some users on the device. Include the name of the file in your response.

  iii. Using the explanation from part C (ii), write one or more chmod commands that set the permissions described.

d. Consider all the sources from the device.

  i. Explain how one connection attempt on the device was blocked by the device's firewall. Include evidence from a log file in your response.

  ii. Other than allowing all traffic for all services, describe a modification to one firewall rule that would allow the connection attempt identified in part D (i).

  iii. Other than allowing the connection attempt identified in part D (i), describe one impact of your modification from part D (ii) on incoming or outgoing network traffic on the device.

e. Apart from the password attack identified in part B, there is evidence of another attack on the device. Consider all the sources from the device.

  i. Determine the type of attack evidenced in a log file.

  ii. Describe specific information in the log file that indicates the attack named in part E (i).

  iii. Describe one way an automated system could halt this type of attack in real time.

  iv. This attack could be mitigated by an automated system, such as a firewall, IDS, IPS, or AI. Identify a different countermeasure that could mitigate, prevent, or deter the attack.

Key terms

| Term | Definition |
|---|---|
| malware | Malicious software designed to damage a device, steal data, or give an adversary unauthorized access. |
| ransomware | Malware that encrypts a device's files and demands payment for the decryption key. |
| virus | Malware that activates only when a user executes or opens an infected file. |
| worm | Malware that spreads automatically from device to device without any user interaction. |
| remote access trojan | A trojan that gives an adversary remote command-and-control access to the compromised device. |
| rootkit | Malware that embeds itself deep in the OS to hide its presence and maintain persistent access. |
| keylogger | Malware or hardware that records keystrokes to capture passwords and other sensitive input. |
| BIOS | Firmware that initializes hardware at boot; an unprotected BIOS lets an adversary boot into recovery mode and bypass OS security. |
| patch | A small software update that fixes a specific known vulnerability in an OS or application. |
| anti-malware | Software that scans files against a signature database and quarantines matches to prevent malware from running. |
| knowledge factor | An authentication factor based on something the user knows, such as a password or PIN. |
| possession factor | An authentication factor based on something the user has, such as an access card or authenticator app. |
| logging | Automatic recording of system events including login attempts, file changes, and process activity, used to detect and investigate attacks. |
| EDR | Endpoint Detection and Response; a service providing centralized, unified threat detection and response across an organization's devices. |
| ACL | Access Control List; an ordered set of rules a host-based or network firewall evaluates to allow or deny traffic. |

Common unit 4 mistakes

Confusing viruses and worms

Viruses require a user to execute or open a file to activate. Worms spread on their own without any user action. In a scenario, the presence or absence of user interaction is the key distinguishing detail.

Thinking hashes are encryption

Hashing is a one-way process; you cannot decrypt a hash to recover the original password. Encryption is reversible with a key. Systems store password hashes precisely because they cannot be reversed.

Forgetting that offline attacks bypass lockout policies

Account lockout only stops online attacks against a live portal. Once an adversary steals the hash database and cracks it offline, no lockout policy applies because the attack happens on the adversary's own machine.

Treating a host-based firewall as redundant with a network firewall

A host-based firewall protects the device even when it is connected to a compromised or untrusted network where the network-level firewall has already been bypassed.

Assuming all devices can run detection tools

Embedded and IoT devices often lack the CPU and memory to run anti-malware or anomaly-based detection locally. Recognizing this constraint is part of selecting the right detection approach for a given device type.

How this unit shows up on the AP exam

Scenario-based control selection

AP Cybersecurity questions frequently present a device scenario with a described threat or vulnerability and ask you to identify the most appropriate control. Practice matching malware types to detection methods, attack patterns to authentication weaknesses, and device types to realistic protection options.

Log analysis and IoC identification

Expect questions that present a short log excerpt or event description and ask you to name the attack type, identify the IoC, or explain what the log pattern indicates. Focus on distinguishing brute force, password spraying, and credential stuffing from authentication log data.

Trade-off reasoning for detection methods

Questions may ask you to justify a detection method choice given constraints like device processing power, cost, or the need to catch novel threats. Be ready to explain the speed, resource, and false positive trade-offs between signature-based and anomaly-based detection in the context of a specific device type.

Final unit 4 review checklist

  • Classify device types and their attack surfaces: Be able to distinguish servers, personal computers, handheld devices, embedded systems, and IoT devices and explain why each has a different vulnerability profile.
  • Identify malware by behavior: Given a scenario description, name the malware type: virus (user activation), worm (self-spreading), trojan or RAT (hidden in software), ransomware (encrypts files), spyware, rootkit, keylogger, or logic bomb.
  • Explain hashing and salting for password storage: Describe why systems store salted hashes instead of plaintext, name at least two hash algorithms (SHA-256, NTHash), and explain collision resistance and pre-image resistance.
  • Apply authentication factor types: Classify a given authentication mechanism as knowledge, possession, biometric, or location, and explain how MFA combines factor types to reduce risk from a stolen password.
  • Select and justify device protection controls: Match a given threat to the appropriate control: acceptable use policy, password policy, anti-malware, patching, or host-based firewall rule, and explain what each control blocks.
  • Read authentication logs for attack indicators: Identify brute force (many failures on one account), password spraying (many accounts failing from one IP), and credential stuffing (default pairs attempted rapidly) from log data.
  • Compare signature-based and anomaly-based detection: Explain the trade-offs in speed, resource use, and false positive rate, and justify which method fits a resource-limited embedded device versus a high-value server.

How to study unit 4

  • Start with device types and malware: Read the Topic 4.1 guide and practice naming each malware type from a behavior description. Build a quick reference table of malware types, how they spread, and what they do, then use the available practice questions to test your classification speed.
  • Work through authentication mechanics: Read the Topic 4.2 guide focusing on the hashing and salting process, the four factor types, and the four password attack patterns. Draw the flow from plaintext password to salted hash storage, then practice identifying attack types from log-style scenario descriptions.
  • Apply device protection controls: Read the Topic 4.3 guide and for each control (acceptable use policy, password policy, anti-malware, patching, host-based firewall) write one sentence explaining what specific threat it addresses. Practice writing a firewall ACL rule that blocks a named port or service.
  • Practice log analysis for IoCs: Read the Topic 4.4 guide and work through any log-reading practice questions. Focus on matching log patterns to attack types and on explaining why signature-based detection is preferred on low-resource devices. Review the comparison between signature-based and anomaly-based detection trade-offs.
  • Connect all four topics in a scenario: Pick a device type, describe a plausible attack path from initial vulnerability through malware delivery, explain which authentication weakness was exploited, name the controls that could have prevented it, and identify the IoC that would appear in the logs.

More ways to review

Topic study guides

Open the individual guides for Unit 4 when you want a closer review of one topic.


Frequently Asked Questions

What topics are covered in AP Cyber Unit 4?

AP Cyber Unit 4 covers 4 topics: **4.1 Device Vulnerabilities and Attacks**, **4.2 Authentication**, **4.3 Protecting Devices**, and **4.4 Detecting Attacks on Devices**. You'll learn how adversaries exploit devices, how authentication systems work, how malware operates, and how to read log files for indicators of compromise (IoCs). See the full breakdown at /ap-cybersecurity/unit-4.

What's on the AP Cyber Unit 4 progress check (MCQ and FRQ)?

The AP Cyber Unit 4 progress check includes MCQ and FRQ parts drawn from all four unit topics: Device Vulnerabilities and Attacks, Authentication, Protecting Devices, and Detecting Attacks on Devices. MCQ questions test your ability to identify attack types and authentication methods, while FRQ questions often ask you to analyze scenarios involving malware, log files, or IoCs. For matched practice questions that mirror the progress check format, visit /ap-cybersecurity/unit-4.

How do I practice AP Cyber Unit 4 FRQs?

AP Cyber Unit 4 FRQs most often come from Authentication, Protecting Devices, and Detecting Attacks on Devices. These questions typically ask you to analyze a scenario, such as identifying an authentication weakness, explaining how a piece of malware compromises a device, or interpreting a log file for indicators of compromise (IoCs). To practice, work through scenario-based prompts that ask you to justify your reasoning in writing, not just pick an answer. You can find Unit 4 FRQ practice at /ap-cybersecurity/unit-4.

Where can I find AP Cyber Unit 4 practice questions?

The best place to find AP Cyber Unit 4 practice questions, including multiple-choice and practice test sets, is /ap-cybersecurity/unit-4. There you'll find MCQs covering Device Vulnerabilities and Attacks, Authentication, Protecting Devices, and Detecting Attacks on Devices, so you can check your understanding of every topic before the exam.

How should I study AP Cyber Unit 4?

Start Unit 4 by building a solid understanding of the attack types in 4.1, since Device Vulnerabilities and Attacks sets up everything else. Then move to Authentication (4.2) and make sure you can explain how different authentication methods work and where they fail. For 4.3, focus on how anti-malware software and software updates reduce risk. Finish with 4.4 by practicing how to read log files and spot indicators of compromise (IoCs). Use scenario-based practice questions to connect concepts across all four topics. Find study resources at /ap-cybersecurity/unit-4.

Ready to review Unit 4? Start with the notes, check the topic cards, and use the practice or resource links when they are available for this course.