---
title: "AP Cybersecurity Unit 4 Review: Devices | Fiveable"
description: "Review AP Cybersecurity Unit 4: device vulnerabilities, attacks, authentication, device protection, access controls, and detecting attacks on devices."
canonical: "https://fiveable.me/ap-cybersecurity/unit-4"
type: "unit"
subject: "AP Cybersecurity"
unit: "Unit 4 – Securing Devices"
---

# AP Cybersecurity Unit 4 Review: Devices | Fiveable

## Overview

Unit 4 focuses on the full lifecycle of device security: identifying device types and their vulnerabilities, verifying user identity through authentication mechanisms, applying layered defenses like anti-malware and host-based firewalls, and detecting attacks by reading log files for indicators of compromise.

## AP CED Alignment

This unit hub is organized around AP Course and Exam Description topics, skills, and exam task types when they are available in the source data.
- Topic 4.1: Device Vulnerabilities and Attacks
- Topic 4.2: Authentication
- Topic 4.3: Protecting Devices
- Topic 4.4: Detecting Attacks on Devices
- Topic 4.1: Device Types, Malware, and Vulnerability Risk
- Topic 4.2: Authentication: Hashing, Factors, and Password Attacks
- Topic 4.3: Protecting Devices: Policies, Anti-Malware, Patching, and Firewalls
- Topic 4.4: Detecting Attacks: Logs, IoCs, and Detection Methods
- Skill Category 2 - Mitigate Risk
- Skill Category 3 - Detect Attacks
- Device Security Analysis

## Topics

- [Topic 4.1: Device Vulnerabilities and Attacks](/ap-cybersecurity/unit-4/device-vulnerabilities-and-attacks/study-guide/HACz1L7MBGLXO5AANWlK): Covers server, personal, handheld, embedded, and IoT device types; malware behaviors including viruses, worms, trojans, ransomware, spyware, rootkits, keyloggers, and logic bombs; and how to rate vulnerability risk as high, moderate, or low based on device criticality.
- [Topic 4.2: Authentication](/ap-cybersecurity/unit-4/authentication/study-guide/8fehxw1s1LZlYi1K3rm7): Explains cryptographic hashing and salting for password storage, the four authentication factor types, MFA configuration, and how online and offline password attacks, credential stuffing, and password spraying exploit weak authentication.
- [Topic 4.3: Protecting Devices](/ap-cybersecurity/unit-4/protecting-devices/study-guide/n86HF5aR65a2DLQwNHDn): Covers managerial controls (acceptable use and password policies), anti-malware signature scanning and quarantine, OS and application patching, and host-based firewall rule configuration using ACLs.
- [Topic 4.4: Detecting Attacks on Devices](/ap-cybersecurity/unit-4/detecting-attacks-on-devices/study-guide/JpiXN2cti74uJERazuw3): Covers log analysis for IoCs, authentication log patterns for brute force and spraying attacks, signature-based versus anomaly-based detection trade-offs, EDR services, and why embedded devices often cannot run local detection tools.

## Review Notes

### Topic 4.1: Device Types, Malware, and Vulnerability Risk

Adversaries target different device categories in different ways. Servers provide services like DNS, DHCP, and FTP to other machines and are high-value targets. Personal computers handle individual work tasks. Handheld devices like smartphones run on battery and have limited security controls. Embedded computers inside appliances and IoT devices often cannot run security software at all. Malware exploits these devices through unpatched software, weak authentication, and missing BIOS or UEFI passwords that allow boot-level access. Risk level depends on how critical the device or its data is.

- **Virus**: Malware that requires a user to execute or open a file to activate and spread.
- **Worm**: Malware that spreads automatically between computers without any user interaction.
- **Trojan**: Malware hidden inside software that appears legitimate; a RAT variant gives the adversary remote control.
- **Ransomware**: Encrypts a device's files and demands payment for the decryption key.
- **BIOS/UEFI**: Firmware that initializes hardware at boot; no password on BIOS or UEFI lets an adversary boot into recovery mode and bypass OS-level controls.

**Checkpoint:** Can you classify a described malware behavior as a virus, worm, trojan, ransomware, spyware, rootkit, keylogger, or logic bomb, and rate the associated risk as high, moderate, or low based on the device type and data involved?

Malware Type | Requires User Action? | Primary Effect
--- | --- | ---
Virus | Yes | Corrupts or destroys files on activation
Worm | No | Self-propagates across a network
Trojan / RAT | Yes (opens file) | Hides in software; RAT gives remote access
Ransomware | No (after delivery) | Encrypts files and demands payment
Rootkit | No | Hides deep in OS to maintain persistent access

### Topic 4.2: Authentication: Hashing, Factors, and Password Attacks

Systems store passwords as hashes, not plaintext. A cryptographic hash function takes any input and produces a fixed-length output; SHA-256 and NTHash are common examples. Salting adds a random value before hashing to prevent rainbow table attacks. Authentication factors are categorized as knowledge (password, PIN), possession (access card, authenticator app), biometric (fingerprint, face), and location. Multi-factor authentication (MFA) requires two or more factor types. Password attacks exploit weak authentication: online attacks try combinations against a live login portal; offline attacks crack a stolen hash database without triggering lockouts. Credential stuffing uses leaked username-password pairs; password spraying tries one common password against many accounts.

- **Cryptographic hash**: A one-way function that produces a fixed-length digest; pre-image resistance means you cannot reverse a hash to find the original input.
- **Salt**: A random value added to a password before hashing so identical passwords produce different hashes, defeating precomputed rainbow tables.
- **MFA**: Authentication requiring at least two different factor types, making a stolen password alone insufficient for access.
- **Offline password attack**: Cracking a stolen hash database on the attacker's own machine, bypassing account lockout policies.
- **Password spraying**: Trying one common password against many accounts to avoid triggering per-account lockout thresholds.
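To make the hashing and salting described above concrete, here is an added Python example (not from the Fiveable page or the AP CED) that stores and verifies a password as a salted SHA-256 digest and shows why a precomputed table of unsalted digests stops working once a per-user salt is added. The sample passwords are constructed; SHA-256 is used because the page names it, while deployed systems use a deliberately slow salted KDF such as PBKDF2, bcrypt, scrypt or Argon2.

```python
import hashlib
import hmac
import secrets

# Constructed sample list standing in for "common passwords"; not from any real breach.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Summer2024"]


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 of the password: identical passwords always give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password. The salt is stored next to the digest, not kept secret."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """What a system stores for one user: a fresh random 16-byte salt plus the salted digest.
    A production system would use a slow KDF (PBKDF2/bcrypt/scrypt/Argon2) here instead."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "digest": hash_salted(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt; compare_digest avoids leaking timing information."""
    recomputed = hash_salted(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(recomputed, record["digest"])


def build_lookup_table(passwords) -> dict:
    """Precomputed digest -> password table: the shape of a rainbow-table lookup."""
    return {hash_unsalted(p): p for p in passwords}


def lookup(table: dict, digest: str):
    """Reverse a digest by table lookup; None when the digest is not in the table."""
    return table.get(digest)


def demo() -> dict:
    """Two users who chose the same password, checked against the precomputed table."""
    alice = make_record("Summer2024")
    bob = make_record("Summer2024")
    table = build_lookup_table(COMMON_PASSWORDS)
    return {
        "same_password_same_unsalted_digest": hash_unsalted("Summer2024") == hash_unsalted("Summer2024"),
        "same_password_different_salted_digest": alice["digest"] != bob["digest"],
        "unsalted_found_in_table": lookup(table, hash_unsalted("Summer2024")),
        "salted_found_in_table": lookup(table, alice["digest"]),
        "verify_correct": verify(alice, "Summer2024"),
        "verify_wrong": verify(alice, "summer2024"),
    }
```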

**Checkpoint:** Given a scenario, can you identify which authentication factor type is being used, explain why salted hashes are stored instead of plaintext, and classify a described attack as brute force, credential stuffing, or password spraying?

Attack Type | Target | Key Indicator in Logs
--- | --- | ---
Brute force (online) | Single account | Many failed logins for one username
Password spraying | Many accounts | Many accounts failing from one IP in seconds
Credential stuffing | Many accounts | Default or known user:password pairs attempted rapidly
Offline hash cracking | Stolen hash database | No log trail on the victim system

### Topic 4.3: Protecting Devices: Policies, Anti-Malware, Patching, and Firewalls

Device protection is layered, from managerial policy down to technical controls. Acceptable use policies define what users may and may not do on organizational devices. Password policies enforce complexity, minimum length, maximum age, and reuse restrictions. Anti-malware software maintains a signature database, scans files, and quarantines matches. Keeping the OS and applications patched closes known vulnerabilities before adversaries can exploit them. A host-based firewall runs on the device itself and applies ACL rules to allow or deny inbound and outbound traffic by port, protocol, source, or destination, providing protection even when the device is on a compromised network.

- **Patch**: A small software update that fixes a specific vulnerability in an OS or application.
- **Anti-malware signature**: A pattern or fingerprint in a malware file that anti-malware software uses to detect and quarantine the threat.
- **Host-based firewall**: Software running on a single device that filters traffic using an ordered ACL, independent of any network-level firewall.
- **ACL (Access Control List)**: An ordered list of rules a firewall evaluates in sequence; the first matching rule is applied.
- **Acceptable use policy**: A managerial control that specifies permitted and prohibited activities on organizational devices.
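The ordered, first-match ACL evaluation described above, as an added Python example (not from the Fiveable page or any real firewall product): a small host-based ACL is walked in order, the first matching rule decides, anything unmatched hits the implicit deny, and a helper flags rules that can never fire because an earlier, broader rule shadows them. The ACLs, addresses and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in" or "out"
    protocol: str         # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None matches any port
    source: str           # CIDR the packet's source address must fall inside


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    port: int
    src: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it constrains agrees with the packet."""
    return (
        rule.direction == pkt.direction
        and rule.protocol in ("any", pkt.protocol)
        and rule.port in (None, pkt.port)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.source, strict=False)
    )


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL in order; the first matching rule decides.
    Returns (action, rule index); no match means the implicit deny, index None."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never fire: an earlier rule with the same direction
    already covers their protocol, port and source range (the classic ordering mistake)."""
    shadowed = []
    for j, later in enumerate(acl):
        later_net = ipaddress.ip_network(later.source, strict=False)
        for earlier in acl[:j]:
            earlier_net = ipaddress.ip_network(earlier.source, strict=False)
            if (
                earlier.direction == later.direction
                and earlier.protocol in ("any", later.protocol)
                and earlier.port in (None, later.port)
                and later_net.subnet_of(earlier_net)
            ):
                shadowed.append(j)
                break
    return shadowed


# Constructed workstation ACL: SSH in only from the management subnet, telnet (tcp/23)
# explicitly refused, all outbound allowed. Anything else inbound hits the implicit deny.
WORKSTATION_ACL = [
    Rule("allow", "in", "tcp", 22, "10.0.0.0/24"),
    Rule("deny", "in", "tcp", 23, "0.0.0.0/0"),
    Rule("allow", "out", "any", None, "0.0.0.0/0"),
]

# Same intent, wrong order: the broad allow comes first, so the telnet deny never fires.
MISORDERED_ACL = [
    Rule("allow", "in", "any", None, "0.0.0.0/0"),
    Rule("deny", "in", "tcp", 23, "0.0.0.0/0"),
]

# Constructed sample packets (documentation-range addresses).
SSH_FROM_MGMT = Packet("in", "tcp", 22, "10.0.0.5")
SSH_FROM_LAN = Packet("in", "tcp", 22, "192.168.1.20")
TELNET_FROM_INTERNET = Packet("in", "tcp", 23, "203.0.113.9")
SMB_FROM_LAN = Packet("in", "tcp", 445, "192.168.1.20")
DNS_OUT = Packet("out", "udp", 53, "192.168.1.20")
```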

**Checkpoint:** Can you explain why a host-based firewall adds value even when a network firewall exists, and describe what happens when anti-malware software finds a file matching a known signature?

Control Type | Example | What It Stops
--- | --- | ---
Managerial | Acceptable use policy | Risky user behavior on org devices
Managerial | Password policy | Weak or reused passwords
Technical | Anti-malware software | Known malware via signature matching
Technical | OS patching | Exploits targeting known vulnerabilities
Technical | Host-based firewall | Unauthorized inbound/outbound traffic by port or IP

### Topic 4.4: Detecting Attacks: Logs, IoCs, and Detection Methods

Devices automatically log logins, file activity, process starts, and configuration changes. Analysts review these logs to find indicators of compromise (IoCs): unusual files, unexpected processes, unauthorized config changes, or unauthorized software installs. Authentication logs are the primary source for spotting password attacks. Detection methods are either signature-based (fast, low resource use, misses novel threats) or anomaly-based (catches new threats, uses more resources, higher false positive rate). Endpoint detection and response (EDR) services provide centralized, holistic detection across many devices. Embedded and IoT devices often lack the processing power to run any detection tool locally.

- **Indicator of compromise (IoC)**: Evidence in logs or configuration files that an adversary has accessed or modified a device.
- **Authentication log**: A system log recording every login attempt, used to detect brute force, spraying, and credential stuffing attacks.
- **Signature-based detection**: Compares files or traffic against a database of known malware patterns; fast and low-resource but blind to new threats.
- **Anomaly-based detection**: Flags behavior that deviates from a baseline; catches novel attacks but uses more resources and generates more false positives.
- **EDR (Endpoint Detection and Response)**: A third-party service providing unified threat detection and response across an organization's devices.

**Checkpoint:** Given a log excerpt showing repeated failed logins for one account, can you identify the attack type, name the IoC, and explain why signature-based detection is preferred on resource-limited embedded devices?

Detection Method | Speed | Resource Use | False Positives | Best For
--- | --- | --- | --- | ---
Signature-based | Fast | Low | Low | Devices with limited processing power
Anomaly-based | Slower | High | Higher | Devices where novel threat detection matters
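The log-reading the Checkpoint asks for, as an added Python example (not from the Fiveable page or any real log product): a constructed authentication log is grouped by source address, bursts of failures inside a short window are labelled brute force (one or few accounts) or password spraying (many accounts, matching the indicator tables in Topics 4.2 and 4.4), and a success from the same source right after a burst is flagged as the IoC most worth investigating. The log format, addresses and thresholds are constructed assumptions; credential stuffing is left out because it cannot be told apart from spraying by failure counts alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log excerpt in a generic "timestamp result user src" format.
# Three sources: a brute-force burst ending in a success, a spray across five accounts,
# and one ordinary mistyped password followed by a normal login.
AUTH_LOG = """\
2024-03-01T08:00:01 FAIL user=jsmith src=203.0.113.10
2024-03-01T08:00:02 FAIL user=jsmith src=203.0.113.10
2024-03-01T08:00:03 FAIL user=jsmith src=203.0.113.10
2024-03-01T08:00:04 FAIL user=jsmith src=203.0.113.10
2024-03-01T08:00:05 FAIL user=jsmith src=203.0.113.10
2024-03-01T08:00:06 FAIL user=jsmith src=203.0.113.10
2024-03-01T08:00:09 OK   user=jsmith src=203.0.113.10
2024-03-01T08:05:00 FAIL user=alice src=198.51.100.7
2024-03-01T08:05:01 FAIL user=bob   src=198.51.100.7
2024-03-01T08:05:02 FAIL user=carol src=198.51.100.7
2024-03-01T08:05:03 FAIL user=dave  src=198.51.100.7
2024-03-01T08:05:04 FAIL user=erin  src=198.51.100.7
2024-03-01T09:00:00 FAIL user=gina src=192.0.2.4
2024-03-01T09:00:30 OK   user=gina src=192.0.2.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>FAIL|OK)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

WINDOW = timedelta(seconds=60)  # failures this close together form one burst (assumed)
MIN_FAILURES = 5                 # failures in one window that count as an attack (assumed)
SPRAY_MIN_USERS = 4              # distinct accounts in a burst -> spraying, not brute force


def parse(log_text: str) -> list:
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def classify(log_text: str) -> dict:
    """Per source IP: find the densest burst of failures inside WINDOW, label it brute
    force or password spraying by how many accounts it touched, and record whether a
    login from that source later succeeded for one of the attacked accounts."""
    by_src = defaultdict(list)
    for event in parse(log_text):
        by_src[event["src"]].append(event)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        burst = []
        for i, first in enumerate(fails):
            candidate = [e for e in fails[i:] if e["ts"] - first["ts"] <= WINDOW]
            if len(candidate) > len(burst):
                burst = candidate
        if len(burst) < MIN_FAILURES:
            continue  # an isolated typo is not an indicator of compromise
        users = {e["user"] for e in burst}
        attack = "password spraying" if len(users) >= SPRAY_MIN_USERS else "brute force"
        last_fail = burst[-1]["ts"]
        success_after = any(
            e["result"] == "OK" and e["ts"] >= last_fail and e["user"] in users for e in events
        )
        findings[src] = {
            "attack": attack,
            "failures": len(burst),
            "distinct_users": len(users),
            "success_after_burst": success_after,
        }
    return findings
```

On a real system the same logic is run over the authentication log the device already writes; the thresholds would be tuned to the account lockout policy in force.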

## Study Guides

- [4.2 Authentication](/ap-cybersecurity/unit-4/authentication/study-guide/8fehxw1s1LZlYi1K3rm7)
- [4.3 Protecting Devices](/ap-cybersecurity/unit-4/protecting-devices/study-guide/n86HF5aR65a2DLQwNHDn)
- [4.1 Device Vulnerabilities and Attacks](/ap-cybersecurity/unit-4/device-vulnerabilities-and-attacks/study-guide/HACz1L7MBGLXO5AANWlK)
- [4.4 Detecting Attacks on Devices](/ap-cybersecurity/unit-4/detecting-attacks-on-devices/study-guide/JpiXN2cti74uJERazuw3)

## Practice Preview

### Multiple-choice practice

- **AP-style practice question**: Skill Category 2 - Mitigate Risk | A hospital's network includes an unpatched MRI scanner running outdated firmware with a publicly known remote code execution vulnerability. A security analyst is documenting this risk. Which security control would most directly reduce the risk, and why is this vulnerability classified as high risk?
- **AP-style practice question**: Skill Category 2 - Mitigate Risk | A university's IT security team is auditing three devices: a research database server storing unpublished clinical trial data, a faculty member's smartphone with a weak four-digit PIN and no encryption, and a networked coffee maker in the faculty lounge with default credentials but no access to institutional data. The team must rank these devices by risk level from highest to lowest and justify the ranking.
- **AP-style practice question**: Skill Category 2 - Mitigate Risk | An adversary installs a remote access trojan (RAT) on a logistics company's central inventory server by exploiting an unpatched operating system vulnerability. The server manages real-time shipping data for thousands of daily orders. A security analyst must assess the risk and identify which control would have prevented the initial compromise.
- **AP-style practice question**: Skill Category 2 - Mitigate Risk | A security team discovers that a company's primary email server has not received a patch addressing a known critical vulnerability that allows remote code execution. Separately, a break-room employee laptop has telnet port 23 open but stores no sensitive data and runs no critical services. Which statement correctly compares the risk levels and identifies an appropriate control for the higher-risk device?
- **AP-style practice question**: Skill Category 2 - Mitigate Risk | A city water treatment plant uses embedded pump controllers that can be accessed remotely using only a username and password, with no multi-factor authentication (MFA) required. A cybersecurity analyst must assign a risk level and recommend a control. Which assessment is most accurate?
- **AP-style practice question**: Skill Category 3 - Detect Attacks | A small business uses a router with a firewall that was installed three years ago and has never been reconfigured. An adversary sends a flood of malformed packets to the business's web server, causing it to crash. Which vulnerability most directly enabled this attack?

### FRQ practice

- **Network security risks and vulnerability assessment analysis**: Device Security Analysis

## Key Terms

- **malware**: Malicious software designed to damage a device, steal data, or give an adversary unauthorized access.
- **ransomware**: Malware that encrypts a device's files and demands payment for the decryption key.
- **virus**: Malware that activates only when a user executes or opens an infected file.
- **worm**: Malware that spreads automatically from device to device without any user interaction.
- **remote access trojan**: A trojan that gives an adversary remote command-and-control access to the compromised device.
- **rootkit**: Malware that embeds itself deep in the OS to hide its presence and maintain persistent access.
- **keylogger**: Malware or hardware that records keystrokes to capture passwords and other sensitive input.
- **BIOS**: Firmware that initializes hardware at boot; an unprotected BIOS lets an adversary boot into recovery mode and bypass OS security.
- **patch**: A small software update that fixes a specific known vulnerability in an OS or application.
- **anti-malware**: Software that scans files against a signature database and quarantines matches to prevent malware from running.
- **knowledge factor**: An authentication factor based on something the user knows, such as a password or PIN.
- **possession factor**: An authentication factor based on something the user has, such as an access card or authenticator app.
- **logging**: Automatic recording of system events including login attempts, file changes, and process activity, used to detect and investigate attacks.
- **EDR**: Endpoint Detection and Response; a service providing centralized, unified threat detection and response across an organization's devices.
- **ACL**: Access Control List; an ordered set of rules a host-based or network firewall evaluates to allow or deny traffic.

## Common Mistakes

- **Confusing viruses and worms**: Viruses require a user to execute or open a file to activate. Worms spread on their own without any user action. In a scenario, the presence or absence of user interaction is the key distinguishing detail.
- **Thinking hashes are encryption**: Hashing is a one-way process; you cannot decrypt a hash to recover the original password. Encryption is reversible with a key. Systems store password hashes precisely because they cannot be reversed.
- **Forgetting that offline attacks bypass lockout policies**: Account lockout only stops online attacks against a live portal. Once an adversary steals the hash database and cracks it offline, no lockout policy applies because the attack happens on the adversary's own machine.
- **Treating a host-based firewall as redundant with a network firewall**: A host-based firewall protects the device even when it is connected to a compromised or untrusted network where the network-level firewall has already been bypassed.
- **Assuming all devices can run detection tools**: Embedded and IoT devices often lack the CPU and memory to run anti-malware or anomaly-based detection locally. Recognizing this constraint is part of selecting the right detection approach for a given device type.

## Exam Connections

- **Scenario-based control selection**: AP Cybersecurity questions frequently present a device scenario with a described threat or vulnerability and ask you to identify the most appropriate control. Practice matching malware types to detection methods, attack patterns to authentication weaknesses, and device types to realistic protection options.
- **Log analysis and IoC identification**: Expect questions that present a short log excerpt or event description and ask you to name the attack type, identify the IoC, or explain what the log pattern indicates. Focus on distinguishing brute force, password spraying, and credential stuffing from authentication log data.
- **Trade-off reasoning for detection methods**: Questions may ask you to justify a detection method choice given constraints like device processing power, cost, or the need to catch novel threats. Be ready to explain the speed, resource, and false positive trade-offs between signature-based and anomaly-based detection in the context of a specific device type.

## Final Review Checklist

- **Classify device types and their attack surfaces**: Be able to distinguish servers, personal computers, handheld devices, embedded systems, and IoT devices and explain why each has a different vulnerability profile.
- **Identify malware by behavior**: Given a scenario description, name the malware type: virus (user activation), worm (self-spreading), trojan or RAT (hidden in software), ransomware (encrypts files), spyware, rootkit, keylogger, or logic bomb.
- **Explain hashing and salting for password storage**: Describe why systems store salted hashes instead of plaintext, name at least two hash algorithms (SHA-256, NTHash), and explain collision resistance and pre-image resistance.
- **Apply authentication factor types**: Classify a given authentication mechanism as knowledge, possession, biometric, or location, and explain how MFA combines factor types to reduce risk from a stolen password.
- **Select and justify device protection controls**: Match a given threat to the appropriate control: acceptable use policy, password policy, anti-malware, patching, or host-based firewall rule, and explain what each control blocks.
- **Read authentication logs for attack indicators**: Identify brute force (many failures on one account), password spraying (many accounts failing from one IP), and credential stuffing (default pairs attempted rapidly) from log data.
- **Compare signature-based and anomaly-based detection**: Explain the trade-offs in speed, resource use, and false positive rate, and justify which method fits a resource-limited embedded device versus a high-value server.

## Study Plan

- **Start with device types and malware**: Read the Topic 4.1 guide and practice naming each malware type from a behavior description. Build a quick reference table of malware types, how they spread, and what they do, then use the available practice questions to test your classification speed.
- **Work through authentication mechanics**: Read the Topic 4.2 guide focusing on the hashing and salting process, the four factor types, and the four password attack patterns. Draw the flow from plaintext password to salted hash storage, then practice identifying attack types from log-style scenario descriptions.
- **Apply device protection controls**: Read the Topic 4.3 guide and for each control (acceptable use policy, password policy, anti-malware, patching, host-based firewall) write one sentence explaining what specific threat it addresses. Practice writing a firewall ACL rule that blocks a named port or service.
- **Practice log analysis for IoCs**: Read the Topic 4.4 guide and work through any log-reading practice questions. Focus on matching log patterns to attack types and on explaining why signature-based detection is preferred on low-resource devices. Review the comparison between signature-based and anomaly-based detection trade-offs.
- **Connect all four topics in a scenario**: Pick a device type, describe a plausible attack path from initial vulnerability through malware delivery, explain which authentication weakness was exploited, name the controls that could have prevented it, and identify the IoC that would appear in the logs.

## More Ways To Review

- [Topic study guides](/ap-cybersecurity/unit-4#topics)
- [Key terms](/ap-cybersecurity/key-terms)

## FAQs

### What topics are covered in AP Cyber Unit 4?

AP Cyber Unit 4 covers 4 topics: **4.1 Device Vulnerabilities and Attacks**, **4.2 Authentication**, **4.3 Protecting Devices**, and **4.4 Detecting Attacks on Devices**. You'll learn how adversaries exploit devices, how authentication systems work, how malware operates, and how to read log files for indicators of compromise (IoCs). See the full breakdown at [/ap-cybersecurity/unit-4](/ap-cybersecurity/unit-4).

### What's on the AP Cyber Unit 4 progress check (MCQ and FRQ)?

The AP Cyber Unit 4 progress check includes MCQ and FRQ parts drawn from all four unit topics: Device Vulnerabilities and Attacks, Authentication, Protecting Devices, and Detecting Attacks on Devices. MCQ questions test your ability to identify attack types and authentication methods, while FRQ questions often ask you to analyze scenarios involving malware, log files, or IoCs. For matched practice questions that mirror the progress check format, visit [/ap-cybersecurity/unit-4](/ap-cybersecurity/unit-4).

### How do I practice AP Cyber Unit 4 FRQs?

AP Cyber Unit 4 FRQs most often come from Authentication, Protecting Devices, and Detecting Attacks on Devices. These questions typically ask you to analyze a scenario, such as identifying an authentication weakness, explaining how a piece of malware compromises a device, or interpreting a log file for indicators of compromise (IoCs). To practice, work through scenario-based prompts that ask you to justify your reasoning in writing, not just pick an answer. You can find Unit 4 FRQ practice at [/ap-cybersecurity/unit-4](/ap-cybersecurity/unit-4).

### Where can I find AP Cyber Unit 4 practice questions?

The best place to find AP Cyber Unit 4 practice questions, including multiple-choice and practice test sets, is [/ap-cybersecurity/unit-4](/ap-cybersecurity/unit-4). There you'll find MCQs covering Device Vulnerabilities and Attacks, Authentication, Protecting Devices, and Detecting Attacks on Devices, so you can check your understanding of every topic before the exam.

### How should I study AP Cyber Unit 4?

Start Unit 4 by building a solid understanding of the attack types in 4.1, since Device Vulnerabilities and Attacks sets up everything else. Then move to Authentication (4.2) and make sure you can explain how different authentication methods work and where they fail. For 4.3, focus on how anti-malware software and software updates reduce risk. Finish with 4.4 by practicing how to read log files and spot indicators of compromise (IoCs). Use scenario-based practice questions to connect concepts across all four topics. Find study resources at [/ap-cybersecurity/unit-4](/ap-cybersecurity/unit-4).

