Every device that connects to a network is a potential target. From the laptop you're reading this on to the smart thermostat in your house, each one runs software that adversaries can poke at, trick, or break into. This topic is all about recognizing what kinds of devices exist, what malware can do to them, how attackers actually get in, and how to size up the risk when something is left vulnerable.
Types of Computing Devices
Before you can defend a device, you need to know what kind of device you're dealing with. Different categories have different jobs, different power levels, and different weak spots.

Server Computers
Servers are computers that provide services to other computers on a network. Think of them as the "helpers" that handle requests all day long. Common services include:
- DNS (Domain Name System): translates names like fiveable.me into IP addresses
- DHCP (Dynamic Host Configuration Protocol): hands out IP addresses to devices joining a network
- FTP (File Transfer Protocol): lets users upload and download files
Technically any computer can act as a server. But in a real company, servers are usually beefed up with more processing power, more RAM, and way more storage than a regular desktop because they're handling requests from dozens, hundreds, or even millions of clients.
Personal Computers
Personal computers (PCs) are designed for one person at a time. You use them for word processing, gaming, browsing, editing videos, that kind of thing. This category includes desktops, laptops, and notebooks.
Handheld Computers
Handheld computers (also called mobile computers or information appliances) are smaller, run on batteries, and travel with you. Tablets, smartphones, and smartwatches all fall in this group. They have less power than a full PC but they're always with you, which makes them juicy targets for attackers.
Embedded Computers
Embedded computers are built into a machine to control specific parts of it. They run specialized instruction sets made for that machine and they're usually slower, cheaper, and have very little storage compared to a PC. You don't really "use" an embedded computer the way you use a laptop. It just runs quietly inside the device.
IoT Devices
When everyday objects with embedded computers connect to the internet, we call them Internet of Things (IoT) devices. They show up in a lot of places:
- Transportation: cars, trains, airplanes
- Critical infrastructure: circuit breakers at electrical substations, pumps at water treatment plants
- Medical equipment: IV pumps, MRI scanners, pacemakers, insulin pumps
- Everyday devices: washing machines, coffee makers, thermostats
The scary part? A lot of IoT devices ship with weak default passwords and rarely get patched. A compromised pacemaker or water pump is a way bigger problem than a hacked coffee maker.
Types of Malware
Malware is malicious software that can damage or destroy a device or network, or give an adversary access to a device and the data on it. It's almost always a tool attackers use as one step in a bigger plan. Here are the main types you should be able to identify by behavior.
Viruses
A virus is malware that needs a user to activate it. Someone has to open the infected file, run the program, or click the attachment. No click, no infection.
Worms
A worm spreads from computer to computer all by itself. No clicking required. Once it's on a network, it scans for other vulnerable machines and copies itself over. That's why worms can blow up an entire network in minutes.
Trojans
A trojan hides inside software that looks harmless. You think you're downloading a free game or a PDF reader, but malicious code is bundled with it. A specific kind, the remote access trojan (RAT), gives the attacker remote control of your system once it's installed.
Ransomware
Ransomware encrypts the files on a device so the user can't open them. Then it shows a message demanding payment (usually in cryptocurrency) within a set time, promising a decryption key if you pay. Hospitals, schools, and city governments have all been hit by this.
Spyware and Keyloggers
Spyware quietly tracks what a user does on a computer and sends that info back to the adversary. A keylogger is a specific kind of spy tool (software or hardware) that records every keystroke. Attackers love keyloggers because usernames and passwords get typed in plain text.
Logic Bombs
A logic bomb sits dormant until specific conditions are met. The trigger could be a date, a particular OS version, a specific character set, or any other condition the attacker chooses. A disgruntled employee might plant one that wipes data the day after they're fired.
Rootkits
Rootkits are among the most dangerous malware out there. A rootkit buries itself deep in the operating system, gives the attacker near-total control, and hides itself from detection tools. Removing one often means wiping the device completely.
Fileless Malware
Most malware lives as a file on disk. Fileless malware is different. It runs in RAM and uses legitimate programs already installed on the device (like PowerShell on Windows) to do its dirty work. Since there's no suspicious file to scan, traditional antivirus often misses it.
How Adversaries Exploit Device Vulnerabilities
Knowing what malware exists is one thing. Understanding how attackers actually get onto a device is what helps you defend it. Here are the most common openings.
Unpatched Software
When a vulnerability in software (including the operating system) becomes public, attackers race to build an exploit for it. If a device hasn't installed the patch yet, that exploit works. Depending on the vulnerability, the attacker might:
- Crash the system
- Spy on user actions
- Turn the webcam or microphone on or off
- Take full control and issue any command they want, including stealing or destroying data
This is why "update your stuff" is repeated so much. Unpatched = exploitable.
Weak Authentication
If passwords are short, common, or reused, attackers can guess them with automated tools. They can also use social engineering (tricking a person into handing over credentials) to skip the guessing entirely. Either way, weak authentication is one of the easiest ways in.
No BIOS/UEFI Password
The BIOS (Basic Input Output System) or UEFI (Unified Extensible Firmware Interface) is the low-level firmware that starts your computer before the OS loads. If there's no password protecting it, an attacker with physical access can:
- Boot the computer into recovery mode for higher privileges
- Boot from their own external drive loaded with a different OS
- Use special tools to create new user profiles or change passwords
Basically, no BIOS/UEFI password means physical access equals game over.
Autorun and External Drives
If autorun is enabled, plugging in a USB drive automatically runs whatever's on it. Attackers can drop malware on a USB stick, leave it in a parking lot, and wait for someone to plug it into a work computer. (Yes, this actually works. People are curious.)
Open Ports
Every network service uses a port. Open ports that aren't needed are basically unlocked doors. An attacker who finds an open port can try to connect to whatever service is listening and look for ways to abuse it.
No Firewall or Misconfigured Firewall
A firewall filters network traffic. Without one, or with one that's set up poorly, malicious data sent to the device can't be blocked. Attackers can send specially crafted packets to crash services or take control of the device.
No Anti-Malware Software
Devices without anti-malware protection have nothing actively scanning for and blocking known malicious files. That makes them much easier targets for any malware delivered through email, downloads, or USB drives.
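The openings listed above can be checked for mechanically. The following Python script is an added example, not code from the original page: it parses a constructed sample of `ss -tlnp` output to find services listening on non-loopback ports that are not on an allowlist, and combines that with a constructed inventory record covering patches, firmware password, autorun, firewall, anti-malware and password policy. The inventory field names, the sample sockets, the allowlist and the common-password list are all assumptions made for this example.

```python
"""Device posture audit: an added example, not code from the original page.

It takes a constructed inventory record for one device plus the listening
sockets reported by `ss -tlnp` (sample output constructed below) and returns
one finding per opening described in the section above: missing patches,
no firmware password, autorun, unneeded open ports, no firewall, no
anti-malware, and a weak password policy. The inventory field names are
assumptions made for this example.
"""
import re
from typing import Any, Dict, List, NamedTuple, Optional, Set

# Constructed sample of `ss -tlnp` output for one workstation. Process names,
# PIDs and ports are made up; 23/tcp (telnet) is the planted problem.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
LISTEN  0       10      0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=1502,fd=4))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Constructed inventory record; every key is an assumption for this example.
SAMPLE_DEVICE: Dict[str, Any] = {
    "hostname": "ws-finance-07",
    "pending_security_patches": 3,
    "firmware_password_set": False,
    "autorun_enabled": True,
    "firewall_enabled": True,
    "antimalware_installed": False,
    "min_password_length": 8,
}

# Short constructed list of commonly guessed passwords for the policy check.
COMMON_PASSWORDS: Set[str] = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_PASSWORD_LENGTH = 12  # assumed policy minimum

# One LISTEN line of `ss -tlnp`: state, queues, local addr:port, peer, process.
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


class Socket(NamedTuple):
    addr: str
    port: int
    proc: str


def listening_ports(ss_output: str) -> List[Socket]:
    """Parse `ss -tlnp`-style lines into (address, port, process) records."""
    sockets = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if m:  # the header and any non-LISTEN lines are skipped
            sockets.append(Socket(m["addr"], int(m["port"]), m["proc"]))
    return sockets


def is_loopback(addr: str) -> bool:
    """Sockets bound only to loopback are not reachable from the network."""
    return addr.startswith("127.") or addr == "[::1]"


def weak_password_reason(password: str) -> Optional[str]:
    """Return why a password fails the policy, or None if it passes."""
    if password.lower() in COMMON_PASSWORDS:
        return "common password"
    if len(password) < MIN_PASSWORD_LENGTH:
        return f"shorter than {MIN_PASSWORD_LENGTH} characters"
    return None


def audit_device(device: Dict[str, Any], ss_output: str, allowed_ports: Set[int]) -> List[str]:
    """Return a list of findings; an empty list means no opening was found."""
    findings: List[str] = []
    if device["pending_security_patches"]:
        findings.append(f"{device['pending_security_patches']} security patches not installed")
    if not device["firmware_password_set"]:
        findings.append("no BIOS/UEFI password: physical access allows booting another OS")
    if device["autorun_enabled"]:
        findings.append("autorun enabled: inserted media runs automatically")
    if not device["firewall_enabled"]:
        findings.append("host firewall disabled")
    if not device["antimalware_installed"]:
        findings.append("no anti-malware software installed")
    if device["min_password_length"] < MIN_PASSWORD_LENGTH:
        findings.append(f"password policy allows {device['min_password_length']}-character passwords")
    for s in listening_ports(ss_output):
        # Only network-reachable sockets outside the allowlist count as openings.
        if not is_loopback(s.addr) and s.port not in allowed_ports:
            findings.append(f"unneeded open port {s.port}/tcp ({s.proc}) bound to {s.addr}")
    return findings


if __name__ == "__main__":
    for finding in audit_device(SAMPLE_DEVICE, SAMPLE_SS_OUTPUT, allowed_ports={22}):
        print(f"[{SAMPLE_DEVICE['hostname']}] {finding}")
```

Run against the constructed sample it reports six findings, including the telnet listener on 23/tcp. The CUPS socket on 127.0.0.1:631 is deliberately not reported: a port only bound to loopback is not an unlocked door to the network, which is why the check looks at the bind address and not just the port number.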
Assessing and Documenting Risk
Not every vulnerability is equally dangerous. When you assess risk, you're asking two questions: how likely is this to be exploited, and how bad would it be if it were? The risk level depends on what the device does, what data it holds, and how critical it is.
High Risk
High risks involve potentially compromising sensitive data or critical operations. These are the "stop everything and fix it now" issues.
Example: An organization hasn't installed the most recent update for their email server, and that update included a patch for a known critical vulnerability. Email servers hold tons of sensitive communication, and a known critical vulnerability means working exploits probably already exist in the wild.
Moderate Risk
Moderate risks come from weaker security practices or from vulnerabilities that are less likely to be exploited but still real.
Example: A water treatment plant has embedded systems controlling pumps. The pumps can be accessed remotely with just a username and password (no multi-factor authentication). The system isn't wide open, but the authentication is weaker than it should be for something that critical.
Low Risk
Low risks are vulnerabilities that, even if exploited, wouldn't cause much harm.
Example: An employee's laptop has telnet port 23 open. Telnet is old and insecure, but if nothing important is listening on that port and the laptop doesn't hold sensitive data, the actual impact is limited.
What Risk Actually Looks Like
When you document risk from device vulnerabilities, think about the concrete outcomes an attacker could cause:
- Impersonating an authorized user to access systems they shouldn't
- Remotely controlling a device to spy, pivot to other systems, or cause damage
- Encrypting the drive for ransom (ransomware)
- Wiping memory, destroying data, or making the device unusable
Match the potential outcome to the value of the device. A compromised insulin pump or substation controller is high risk no matter what. A compromised break-room printer with no sensitive data on it is probably low. The same vulnerability can be high risk on one device and low risk on another, and that's the judgment call you need to be able to make.
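The two questions from the start of this section, how likely and how bad, can be turned into a small risk register. The Python below is an added example, not from the original page: it scores likelihood and impact on a 1 to 3 scale, multiplies them, and maps the product onto the High / Moderate / Low bands used above, then runs that over the three scenarios given in the text. It also goes one step beyond the text by scoring the same telnet weakness on two different devices to show the judgment call the last paragraph describes. The scoring rules, the band thresholds and the device records are assumptions chosen for this example, not a standard the page cites.

```python
"""Risk rating worked example: added here, not from the original page.

Likelihood and impact are each scored 1-3 (assumed rules), multiplied, and
the 1-9 product is mapped onto the High / Moderate / Low bands used in the
section above (assumed thresholds). The scenarios are the ones the text
gives, with constructed device records.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    device: str
    vulnerability: str
    exploit_public: bool        # a working exploit is known to exist
    remotely_reachable: bool    # the weakness is reachable over the network
    service_listening: bool     # something actually answers on that path
    mfa: bool                   # multi-factor authentication is required
    holds_sensitive_data: bool
    critical_operation: bool    # safety- or business-critical function


def likelihood(f: Finding) -> int:
    """1 = unlikely, 2 = plausible, 3 = likely (assumed rules)."""
    if not (f.remotely_reachable and f.service_listening):
        return 1          # nothing to talk to, so little to exploit
    if f.exploit_public:
        return 3          # attackers do not need to build anything
    if not f.mfa:
        return 2          # password-only access can be guessed or phished
    return 1


def impact(f: Finding) -> int:
    """1 = limited harm, 3 = sensitive data or critical operations at stake."""
    return 3 if (f.holds_sensitive_data or f.critical_operation) else 1


def rating(f: Finding) -> str:
    """Assumed bands on the 1-9 product: 7-9 High, 4-6 Moderate, 1-3 Low."""
    score = likelihood(f) * impact(f)
    if score >= 7:
        return "High"
    if score >= 4:
        return "Moderate"
    return "Low"


def risk_register(findings: List[Finding]) -> List[Dict[str, object]]:
    """Document each finding with its scores, highest risk first."""
    rows = [
        {"device": f.device, "vulnerability": f.vulnerability,
         "likelihood": likelihood(f), "impact": impact(f), "rating": rating(f)}
        for f in findings
    ]
    return sorted(rows, key=lambda r: int(r["likelihood"]) * int(r["impact"]), reverse=True)


# The three scenarios from the text, then the same telnet weakness on two devices.
SCENARIOS = [
    Finding("email server", "missing patch for a known critical vulnerability",
            exploit_public=True, remotely_reachable=True, service_listening=True,
            mfa=False, holds_sensitive_data=True, critical_operation=False),
    Finding("water treatment pump controller", "remote access with username and password only",
            exploit_public=False, remotely_reachable=True, service_listening=True,
            mfa=False, holds_sensitive_data=False, critical_operation=True),
    Finding("employee laptop", "telnet port 23 open, nothing listening",
            exploit_public=False, remotely_reachable=True, service_listening=False,
            mfa=False, holds_sensitive_data=False, critical_operation=False),
    Finding("water treatment pump controller", "telnet service listening, password only",
            exploit_public=False, remotely_reachable=True, service_listening=True,
            mfa=False, holds_sensitive_data=False, critical_operation=True),
    Finding("employee laptop", "telnet service listening, password only",
            exploit_public=False, remotely_reachable=True, service_listening=True,
            mfa=False, holds_sensitive_data=False, critical_operation=False),
]


if __name__ == "__main__":
    for row in risk_register(SCENARIOS):
        print(f"{row['rating']:<9} L={row['likelihood']} I={row['impact']}  "
              f"{row['device']}: {row['vulnerability']}")
```

The three page scenarios come out High, Moderate and Low, matching the text. The last two records show why the same weakness is not the same risk: a telnet daemon actually listening on the laptop scores 2 x 1 and stays Low, while the identical daemon on the pump controller scores 2 x 3 and becomes Moderate because the impact side of the question is what changed.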
Vocabulary
The following words are mentioned explicitly in the College Board Course and Exam Description for this topic.

| Term | Definition |
|---|---|
| anti-malware software | Software that detects and removes malicious software (malware) from a device. |
| authentication | The process of verifying the identity of a user or system, typically through credentials such as passwords. |
| autorun | A feature that automatically executes programs when removable media is inserted into a device. |
| Basic Input Output System (BIOS) | Firmware that controls a computer's hardware before the operating system loads. |
| critical operations | Essential processes or services that, if disrupted, would significantly impact an organization's functionality or safety. |
| device vulnerability | Weaknesses or flaws in device hardware, software, or configuration that can be exploited by adversaries to compromise security. |
| Domain Name System (DNS) | A service provided by server computers that translates domain names into IP addresses. |
| Dynamic Host Configuration Protocol (DHCP) | A service provided by server computers that automatically assigns IP addresses to devices on a network. |
| embedded computers | Computing devices that are part of a machine and have specific instruction sets for interfacing with specialized components. |
| exploits | Techniques or code that take advantage of vulnerabilities in software to compromise a device or system. |
| File Transfer Protocol (FTP) | A network protocol used to transfer files between devices over a network. |
| fileless malware | Malicious code that lives in RAM and uses legitimate programs already installed on a device to compromise it, rather than existing as a file. |
| firewall | A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. |
| handheld computers | Smaller computing devices that run on battery power, including tablets, smartphones, and wearable technology. |
| impersonate | To fraudulently assume the identity of an authorized user to gain unauthorized access to a device or system. |
| Internet of Things (IoT) devices | Everyday devices with embedded computers that connect to networks, found in transportation, critical infrastructure, medical equipment, and household appliances. |
| keylogger | Software or hardware that logs user keystrokes and sends the information to an adversary, often used to extract usernames and passwords. |
| logic bomb | Malware set to trigger its effect only when a specific set of conditions is met, such as a particular date, time, or operating system version. |
| malware | Malicious software designed to harm, exploit, or compromise computer systems and networks. |
| multi-factor authentication (MFA) | A security method that requires users to provide multiple forms of verification beyond just a password to authenticate and access a system. |
| open port | A network connection point on a device that is accessible and can be exploited to gain unauthorized access. |
| operating system | The core software that manages a device's hardware and enables other applications to run. |
| patch | A software update designed to fix a known vulnerability or security flaw in a device or application. |
| personal computers | Devices designed to be used by one person for work or recreational purposes, including desktop, laptop, and notebook computers. |
| ransomware | Malicious software used to encrypt or block access to data or systems until a ransom is paid. |
| recovery mode | A special boot mode that provides elevated privileges to repair or modify a system. |
| remote access trojan (RAT) | A type of malware that provides adversaries with remote access and control over a compromised device. |
| remotely control | The ability of an adversary to operate and manipulate a device from a distance without physical access. |
| rootkit | Sophisticated malware that embeds itself in a target computer's operating system and can control nearly every aspect of the system while remaining invisible to detection. |
| sensitive data | Information that requires protection from unauthorized access, such as personal credentials, financial information, or private communications. |
| server computers | Devices that provide one or more services to other computers, such as DNS, DHCP, or FTP services. |
| social engineering attacks | Attacks that employ psychological tactics to manipulate users into revealing sensitive information, downloading malicious files, or clicking on malicious links. |
| spyware | Malware that tracks a user's actions on a computer and sends the information back to an adversary. |
| trojan | Malware embedded in other software that appears harmless to the user. |
| unauthorized access | Gaining entry to sensitive data or restricted physical spaces without proper permission or authorization. |
| Unified Extensible Firmware Interface (UEFI) | Modern firmware that replaces BIOS and controls hardware initialization. |
| unpatched software | Software that has not been updated with security fixes, leaving it susceptible to known exploits. |
| virus | Malware that must be activated by a user executing or opening a file. |
| vulnerability | Weaknesses or flaws in systems, applications, or configurations that can be exploited by attackers to compromise security. |
| weak authentication | Authentication methods that are easily compromised, such as simple or predictable passwords that lack sufficient complexity or randomness. |
| worm | Malware that spreads from one computer to another without human interaction. |