TLDR
Device security starts with knowing what kind of device you are protecting, what malware can do to it, how adversaries break in, and how serious each weakness is. In AP Cybersecurity, you should be able to name device types, identify malware by its behavior, explain common attack openings like unpatched software and weak authentication, and rate a vulnerability as high, moderate, or low risk based on the device's importance.

Why This Matters for the AP Cybersecurity Exam
This topic builds the core adversarial thinking that runs through the whole Securing Devices unit. Once you can identify a device, spot the malware involved, and explain how an attacker would exploit a weakness, you can move on to protecting devices and detecting attacks in later topics.
The exam expects you to do more than memorize definitions. You need to identify malware from a described behavior, explain how a specific vulnerability could be exploited, and assess how risky a situation is given what the device does and what data it holds. Risk assessment in particular is a judgment skill: the same flaw can be high risk on a hospital device and low risk on a break-room printer.
Key Takeaways
- Devices fall into categories with different jobs and weak spots: servers, personal computers, handheld computers, and embedded computers, plus the IoT devices that connect everyday objects to the internet.
- Malware is a tool adversaries use to reach a bigger goal. Learn to identify viruses, worms, trojans (including RATs), ransomware, spyware, keyloggers, logic bombs, rootkits, and fileless malware by how they behave.
- Common attack openings include unpatched software, weak authentication, missing BIOS/UEFI passwords, autorun with external drives, open ports, missing or misconfigured firewalls, and no anti-malware software.
- Risk depends on both how likely a vulnerability is to be exploited and how bad the impact would be, which ties back to the criticality of the device and its data.
- High, moderate, and low risk levels are judgment calls. The same vulnerability can rate differently on different devices.
Types of Computing Devices
Before you can defend a device, you need to know what kind of device you are dealing with. Different categories have different jobs, different power levels, and different weak spots.
Server Computers
Servers are computers that provide services to other computers on a network. Think of them as the helpers that handle requests all day long. Common services include:
- DNS (Domain Name System): translates names like fiveable.me into IP addresses
- DHCP (Dynamic Host Configuration Protocol): hands out IP addresses to devices joining a network
- FTP (File Transfer Protocol): lets users upload and download files
Technically any computer can act as a server. But in a real company, servers usually have more processing power, more RAM, and far more storage than a regular desktop because they are handling requests from many clients at once.
Personal Computers
Personal computers (PCs) are designed for one person at a time. You use them for word processing, gaming, browsing, editing videos, and similar tasks. This category includes desktops, laptops, and notebooks.
Handheld Computers
Handheld computers (also called mobile computers or information appliances) are smaller, run on batteries, and travel with you. Tablets, smartphones, and smartwatches all fall in this group. They have less power than a full PC, but they are always with you, which makes them appealing targets for attackers.
Embedded Computers
Embedded computers are built into a machine to control specific parts of it. They run specialized instruction sets made for that machine, and they are usually slower and cheaper and have very little storage compared to a PC. You do not really "use" an embedded computer the way you use a laptop. It runs quietly inside the device.
IoT Devices
When everyday objects with embedded computers connect to the internet, we call them Internet of Things (IoT) devices. They show up in a lot of places:
- Transportation: cars, trains, airplanes
- Critical infrastructure: circuit breakers at electrical substations, pumps at water treatment plants
- Medical equipment: IV pumps, MRI scanners, pacemakers, insulin pumps
- Everyday devices: washing machines, coffee makers, thermostats
Many IoT devices ship with weak default passwords and rarely get patched. A compromised pacemaker or water pump is a much bigger problem than a hacked coffee maker, which is why device criticality matters so much in this topic.
Types of Malware
Malware is malicious software that can damage or harm a device or network, or give an adversary access to a device and the data on it. It is almost always a tool attackers use as one step in a bigger plan. Here are the main types you should be able to identify by behavior.
Viruses
A virus is malware that needs a user to activate it. Someone has to open the infected file, run the program, or click the attachment. No user action, no infection.
Worms
A worm spreads from computer to computer on its own. No clicking required. Once it is on a network, it scans for other vulnerable machines and copies itself over, which is why worms can spread across an entire network quickly.
Trojans
A trojan hides inside software that looks harmless. You think you are downloading a free game or a PDF reader, but malicious code is bundled with it. A specific kind, the [remote access trojan (RAT)](/ap-cybersecurity/key-terms/rat), gives the attacker remote control of your system once it is installed.
Ransomware
Ransomware encrypts the files on a device so the user cannot open them. Then it shows a message demanding payment within a set time, promising a decryption key if you pay. Hospitals, schools, and city governments have all been hit by it (a real-world application of the concept, not required AP content).
Spyware and Keyloggers
Spyware quietly tracks what a user does on a computer and sends that information back to the adversary. A keylogger is a specific kind of spy tool (software or hardware) that records every keystroke. Attackers can often extract usernames and passwords from keylogger data.
Logic Bombs
A logic bomb sits dormant until specific conditions are met. The trigger could be a date, a particular OS version, a specific character set, or any other condition the attacker chooses.
Rootkits
A rootkit is among the most dangerous malware out there. It buries itself deep in the operating system, gives the attacker near-total control, and hides itself from detection tools. Removing one often means wiping the device completely.
Fileless Malware
Most malware lives as a file on disk. Fileless malware is different. It runs in RAM and uses legitimate programs already installed on the device to do its work. Since there is no suspicious file to scan, traditional antivirus often misses it.
How Adversaries Exploit Device Vulnerabilities
Knowing what malware exists is one thing. Understanding how attackers actually get onto a device is what helps you defend it. Here are the most common openings.
Unpatched Software
When a vulnerability in software (including the operating system) becomes known, attackers build an exploit for it. If a device has not installed the patch yet, that exploit works. Depending on the vulnerability, the attacker might:
- Crash the system
- Spy on user actions
- Turn the webcam or microphone on or off
- Take full control and issue any command they want, including stealing or harming data
This is why keeping software updated is repeated so often. Unpatched means exploitable.
Weak Authentication
If passwords are short, common, or reused, attackers can guess them with automated tools. They can also use social engineering (tricking a person into handing over credentials) to skip the guessing entirely. Either way, weak authentication is one of the easiest ways in.
No BIOS/UEFI Password
The BIOS (Basic Input Output System) or UEFI (Unified Extensible Firmware Interface) is the low-level firmware that starts your computer before the OS loads. If there is no password protecting it, an attacker with physical access can:
- Boot the computer into recovery mode for higher privileges
- Boot from their own external drive loaded with a different OS
- Use special tools to create new user profiles or change passwords
Without a BIOS or UEFI password, physical access can give an attacker high-level control.
Autorun and External Drives
If autorun is enabled, plugging in an external drive automatically runs whatever is on it. Attackers can load malware onto a USB drive and count on someone plugging it into a computer, at which point the malware runs.
Open Ports
Every network service uses a port. Open ports that are not needed are like unlocked doors. An attacker who finds an open port can try to connect to whatever service is listening and look for ways to abuse it.
No Firewall or Misconfigured Firewall
A firewall filters network traffic. Without one, or with one that is set up poorly, malicious data sent to the device cannot be filtered out. Attackers can send crafted data to disrupt the device or attempt to take control of it.
No Anti-Malware Software
Devices without anti-malware protection have nothing actively scanning for and blocking known malicious files. That makes them easier targets for malware delivered through email, downloads, or external drives.
Assessing and Documenting Risk
Not every vulnerability is equally dangerous. When you assess risk, you are asking two questions: how likely is this to be exploited, and how bad would it be if it were? The risk level depends on what the device does, what data it holds, and how critical it is.
High Risk
High risks involve potentially compromising sensitive data or critical operations. These are the issues to fix first.
Example: An organization has not installed the most recent update for their email server, and that update included a patch for a known critical vulnerability. Email servers hold a lot of sensitive communication, and a known critical vulnerability means working exploits likely already exist.
Moderate Risk
Moderate risks come from weaker security practices or from vulnerabilities that are less likely to be exploited but still real.
Example: A water treatment plant has embedded systems controlling pumps. The pumps can be accessed remotely with just a username and password and do not require multi-factor authentication (MFA). The system is not wide open, but the authentication is weaker than it should be for something that critical.
Low Risk
Low risks are vulnerabilities that, even if exploited, would not cause much harm.
Example: An employee's laptop has telnet port 23 open. Telnet is old and insecure, but if nothing important is listening on that port and the laptop does not hold sensitive data, the actual impact is limited.
What Risk Actually Looks Like
When you document risk from device vulnerabilities, think about the concrete outcomes an attacker could cause:
- Impersonating an authorized user to access systems they should not
- Remotely controlling a device to spy, pivot to other systems, or cause damage
- Encrypting the drive for ransom (ransomware)
- Wiping memory, harming data, or making the device unusable
Match the potential outcome to the value of the device. A compromised insulin pump or substation controller is high risk no matter what. A compromised break-room printer with no sensitive data on it is probably low. The same vulnerability can be high risk on one device and low risk on another, and that judgment call is exactly what this topic asks you to make.
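The worked example below is added here and is not part of the AP course framework or this guide's original content. It turns the two questions above (how likely is exploitation, how bad is the impact) into a small scoring routine and applies it to the guide's three examples plus a break-room printer carrying the same missing patch as the email server, so you can see the same vulnerability land at different risk levels on different devices. The numeric scale, the likelihood signals, and the thresholds are assumptions chosen to reproduce the guide's ratings, not an official formula.

```python
from dataclasses import dataclass

# Assumed numeric scale for the guide's three risk levels.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Device:
    name: str
    criticality: str            # "low", "moderate" or "high": how critical its operations are
    holds_sensitive_data: bool  # does it hold data worth protecting?


@dataclass
class Vulnerability:
    name: str
    known_exploit: bool       # a working exploit for a known flaw likely exists (missing patch)
    remotely_reachable: bool  # reachable over the network (open port, remote access)
    weak_auth: bool           # password-only or weaker, no MFA
    service_in_use: bool      # something meaningful actually listens behind the opening


def likelihood(v: Vulnerability) -> str:
    """Estimate how likely exploitation is from the openings the guide lists (assumed weights)."""
    score = 0
    if v.known_exploit:
        score += 2   # unpatched means exploitable
    if v.remotely_reachable:
        score += 1
    if v.weak_auth:
        score += 1
    if not v.service_in_use:
        score -= 1   # an unlocked door with nothing behind it is hard to abuse
    if score >= 3:
        return "high"
    if score >= 1:
        return "moderate"
    return "low"


def impact(d: Device) -> str:
    """Impact follows device criticality and the sensitivity of the data it holds."""
    if d.criticality == "high" or d.holds_sensitive_data:
        return "high"
    if d.criticality == "moderate":
        return "moderate"
    return "low"


def risk_level(d: Device, v: Vulnerability) -> str:
    """Combine likelihood and impact; thresholds are assumed so a harmless target stays low."""
    product = LEVELS[likelihood(v)] * LEVELS[impact(d)]
    if product >= 9:
        return "high"
    if product >= 4:
        return "moderate"
    return "low"


def document_risks(findings):
    """Return one record per (device, vulnerability) pair, highest risk first: the fix order."""
    rows = [
        {"device": d.name, "vulnerability": v.name,
         "likelihood": likelihood(v), "impact": impact(d), "risk": risk_level(d, v)}
        for d, v in findings
    ]
    return sorted(rows, key=lambda r: -LEVELS[r["risk"]])


# Constructed sample findings mirroring the guide's three examples plus the printer contrast.
MISSING_PATCH = Vulnerability("missing patch for known critical flaw", True, True, False, True)
EXAMPLE_FINDINGS = [
    (Device("email server", "moderate", True), MISSING_PATCH),
    (Device("water plant pump controller", "high", False),
     Vulnerability("remote access with password only, no MFA", False, True, True, True)),
    (Device("employee laptop", "low", False),
     Vulnerability("telnet port 23 open, nothing important listening", False, True, False, False)),
    (Device("break-room printer", "low", False), MISSING_PATCH),
]

if __name__ == "__main__":
    for row in document_risks(EXAMPLE_FINDINGS):
        print(f"{row['risk']:8} {row['device']:30} {row['vulnerability']}")
```

Running the script lists the email server first (high), the pump controller next (moderate), and the laptop and printer last (low). The printer row is the point of the exercise: it has exactly the same missing patch as the email server, but with no sensitive data and no critical operations its impact is low, so the combined rating stays low. On the exam, that reasoning (likelihood, then impact given the device's role) is what justifies the level you pick.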
How to Use This on the AP Cybersecurity Exam
Identify the Device First
When a question describes a scenario, name the device type before anything else. A server, a smartphone, an embedded pump controller, and a laptop all carry different stakes. The device type often points you toward how serious a vulnerability is.
Match Malware to Behavior
Most malware questions describe what the malicious software does, not what it is called. Use the behavior as your clue:
- Needs a user to open or run something: virus
- Spreads on its own across a network: worm
- Hidden inside harmless-looking software: trojan (with remote control: RAT)
- Encrypts files and demands payment: ransomware
- Records keystrokes: keylogger
- Tracks activity and reports back: spyware
- Triggers only when conditions are met: logic bomb
- Hides deep in the OS and avoids detection: rootkit
- Runs in RAM using legitimate programs, leaves no file: fileless malware
Connect a Vulnerability to an Exploit
If you are asked to explain how an adversary could exploit a weakness, name the opening and the outcome. For example, unpatched software lets an attacker run a known exploit to take control; no BIOS or UEFI password lets an attacker with physical access boot into recovery mode or load their own OS; open ports give an attacker a service to connect to and abuse.
Justify a Risk Level
When you rate a risk as high, moderate, or low, back it up with two things: how likely the vulnerability is to be exploited and how bad the impact would be given the device's role. Saying "high risk because it is an email server with a known critical patch missing" is stronger than just saying "high risk."
Common Misconceptions
- All malware spreads by itself. Only worms spread without human action. Viruses need a user to open or run something, and trojans rely on someone installing seemingly harmless software.
- A trojan and a virus are the same thing. A trojan is defined by hiding inside something that looks safe. A virus is defined by needing user activation. They can overlap, but the exam tests the defining behavior.
- Antivirus catches everything. Fileless malware runs in RAM and uses legitimate installed programs, so traditional file-scanning antivirus often misses it.
- Any open port is automatically high risk. Risk depends on what is listening on the port and what the device protects. An open telnet port on a laptop with no sensitive data is low risk, while an unpatched email server is high risk.
- IoT and embedded devices are too simple to matter. Embedded systems run critical infrastructure and medical equipment, so a vulnerability there can be among the most serious you will assess.
- Risk is just about the vulnerability. Risk combines likelihood of exploitation with impact, and impact depends on the criticality of the device and the data it holds. The same flaw can be high risk on one device and low risk on another.
Vocabulary
The following words are mentioned explicitly in the AP® course framework for this topic.

Term | Definition |
|---|---|
anti-malware software | Software that detects and removes malicious software (malware) from a device; also known as antivirus software. |
authentication | The process of verifying the identity of a user or system, typically through credentials such as passwords. |
autorun | A feature that automatically executes programs when removable media is inserted into a device. |
Basic Input Output System (BIOS) | Firmware that controls a computer's hardware before the operating system loads. |
critical operations | Essential processes or services that, if disrupted, would significantly impact an organization's functionality or safety. |
device vulnerability | A weakness or flaw in device hardware, software, or configuration that can be exploited by adversaries to compromise security. |
Domain Name System | A service provided by server computers that translates domain names into IP addresses. |
Dynamic Host Configuration Protocol | A service provided by server computers that automatically assigns IP addresses to devices on a network. |
embedded computers | Computing devices that are part of a machine and have specific instruction sets for interfacing with specialized components. |
exploits | Techniques or code that take advantage of vulnerabilities in software to compromise a device or system. |
File Transfer Protocol (FTP) | A network protocol used to transfer files between devices over a network. |
fileless malware | Malicious code that lives in RAM and uses legitimate programs already installed on a device to compromise it, rather than existing as a file. |
firewall | A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. |
handheld computers | Smaller computing devices that run on battery power, including tablets, smartphones, and wearable technology. |
impersonate | To fraudulently assume the identity of an authorized user to gain unauthorized access to a device or system. |
Internet of Things devices | Everyday devices with embedded computers that connect to networks, found in transportation, critical infrastructure, medical equipment, and household appliances. |
keylogger | Software or hardware that logs user keystrokes and sends the information to an adversary, often used to extract usernames and passwords. |
logic bomb | Malware set to trigger its effect only when a specific set of conditions is met, such as a particular date, time, or operating system version. |
malware | Malicious software designed to harm, exploit, or compromise computer systems and networks. |
multi-factor authentication (MFA) | A security measure requiring multiple forms of verification beyond just a password to authenticate a user and grant access to a system. |
open port | A network connection point on a device that is accessible and can be exploited to gain unauthorized access. |
operating system | The core software that manages a device's hardware and enables other applications to run. |
patch | A software update designed to fix a known vulnerability or security flaw in a device or application. |
personal computers | Devices designed to be used by one person for work or recreational purposes, including desktop, laptop, and notebook computers. |
ransomware | Malicious software used to encrypt or block access to data or systems until a ransom is paid. |
recovery mode | A special boot mode that provides elevated privileges to repair or modify a system. |
remote access trojan (RAT) | A type of malware that provides adversaries with remote access and control over a compromised device. |
remotely control | The ability of an adversary to operate and manipulate a device from a distance without physical access. |
rootkit | Sophisticated malware that embeds itself in a target computer's operating system and can control nearly every aspect of the system while remaining invisible to detection. |
sensitive data | Information that requires protection from unauthorized access, such as personal credentials, financial information, or private communications. |
server computers | Devices that provide one or more services to other computers, such as DNS, DHCP, or FTP services. |
social engineering attacks | Attacks that employ psychological tactics to manipulate users into revealing sensitive information, downloading malicious files, or clicking on malicious links. |
spyware | Malware that tracks a user's actions on a computer and sends the information back to an adversary. |
trojan | Malware embedded in other software that appears harmless to the user. |
unauthorized access | Gaining entry to sensitive data or restricted physical spaces without proper permission or authorization. |
Unified Extensible Firmware Interface (UEFI) | Modern firmware that replaces BIOS and controls hardware initialization. |
unpatched software | Software that has not been updated with security fixes, leaving it susceptible to known exploits. |
virus | Malware that must be activated by a user executing or opening a file. |
vulnerability | A weakness or flaw in a system, application, or configuration that can be exploited by attackers to compromise security. |
weak authentication | Authentication methods that are easily compromised, such as simple or predictable passwords that lack sufficient complexity or randomness. |
worm | Malware that spreads from one computer to another without human interaction. |
Frequently Asked Questions
What is the difference between a virus and a worm in AP Cybersecurity?
A virus requires a user to activate it by opening or executing an infected file, while a worm spreads from computer to computer on its own without any human interaction. Both are types of malware, but their key difference is whether user action is needed to trigger the spread.
What are the four types of computing devices in AP Cybersecurity Topic 4.1?
The four device categories are server computers, personal computers, handheld computers, and embedded computers. IoT devices are everyday objects with embedded computers that connect to the internet, such as thermostats, pacemakers, and water treatment plant pumps.
How does ransomware work in AP Cybersecurity?
Ransomware encrypts the files on a device so the user cannot access them, then displays a message demanding payment within a set time and promising a decryption key in return. It is a type of malware adversaries use to hold a device's data hostage.
What is fileless malware and why is it hard to detect?
Fileless malware is malicious code that runs in RAM rather than as a file stored on disk, and it uses legitimate programs already installed on the device to carry out its attack. Because there is no suspicious file for traditional antivirus tools to scan, it is much harder to detect than standard malware.
How do you determine if a device vulnerability is high, moderate, or low risk?
Risk level depends on how likely the vulnerability is to be exploited and how severe the impact would be, which ties directly to the criticality of the device and the data it holds. High risk involves sensitive data or critical operations, moderate risk involves weaker authentication or less likely exploits, and low risk involves vulnerabilities whose exploitation would have little impact.