AP Cybersecurity Unit 4 Exam: Securing Devices

🎯 Instructions
  • 20 multiple-choice questions spanning all five lessons in Unit 4 (four questions per lesson).
  • Click Check Answer after each question to see feedback.
  • Your total score and a per-lesson breakdown appear at the bottom once you’ve answered all 20.
  • Target: 16 of 20 (80%) or better. Below 14 of 20, revisit the weakest lessons before the real AP exam.

00:00

📑 Exam Coverage

4.1 Device Types and Vulnerabilities (Q1–Q4) · 4.2 Malware (Q5–Q8) · 4.3 Authentication and Access Control (Q9–Q12) · 4.4 Device Hardening and Configuration (Q13–Q16) · 4.5 Securing IoT and Embedded Devices (Q17–Q20)

✎ Unit 4 Final Exam
Question 1 of 20 · Lesson 4.1 A hospital IT team is performing a risk audit on a 2010-era infusion pump. The vendor ended firmware support in 2017, yet the pump is still clinically certified for use through 2032. Which characteristic BEST explains why this device is structurally harder to secure than a standard employee laptop?
Question 2 of 20 · Lesson 4.1 In 2017, a North American casino was breached through a smart thermometer in its lobby aquarium. Which single architectural decision MOST directly enabled the attackers to pivot from the thermometer to the customer database?
Question 3 of 20 · Lesson 4.1 A security team is categorizing devices for policy purposes. Which of the following is BEST classified as an embedded system rather than an IoT device?
Question 4 of 20 · Lesson 4.1 All of the following are common device vulnerabilities from Lesson 4.1 EXCEPT:
Question 5 of 20 · Lesson 4.2 A home router is compromised. The owner notices no unusual behavior, but their ISP sends an abuse notice because the router is simultaneously flooding traffic at third-party banking sites as part of a coordinated denial-of-service attack. Which malware category BEST fits?
Question 6 of 20 · Lesson 4.2 Consider the following statements about detection approaches.
I. Signature-based detection is effective against known malware but not against brand-new variants.
II. Behavioral detection is blind to fileless attacks because fileless malware does not touch disk.
III. Sandbox analysis detonates suspicious files in an isolated VM to observe behavior.
Which statement(s) are TRUE?
Question 7 of 20 · Lesson 4.2 A security operations center analyst observes malware that: (1) spread across 200+ workstations in 30 minutes, (2) required no user action or email click to propagate, and (3) exploited an unpatched SMB service. Which malware category BEST matches these observations?
Question 8 of 20 · Lesson 4.2 An attacker compromises a trusted software vendor and plants malicious code inside an otherwise legitimate product update. Every organization that installs the update is compromised — including organizations that verify the vendor’s digital signature, because the attacker has access to the signing infrastructure. What delivery pattern does this BEST describe?
Question 9 of 20 · Lesson 4.3 Which of the following combinations is TRUE multi-factor authentication?
Question 10 of 20 · Lesson 4.3 A large hospital uses role-based access control (RBAC). Over time, the “Registered Nurse” role has accumulated 130+ distinct permissions. A new patient-portal feature only requires 2 of those permissions. The organization is experiencing which RBAC anti-pattern, and what is the correct fix?
Question 11 of 20 · Lesson 4.3 A procurement system requires that one employee submit a purchase order and a different employee approve it before funds are released. This design PRIMARILY implements which security principle?
Question 12 of 20 · Lesson 4.3 A user is phished via a convincing fake login page. The page is actually a real-time proxy that forwards the password to the real site, prompts for the user’s TOTP code, forwards that too, and captures the resulting session cookie. Which statement BEST explains why the user’s MFA did not stop this?
Question 13 of 20 · Lesson 4.4 An organization discovers that its file server is missing 18 months of OS security updates. All of the following are reasonable responses to this specific gap EXCEPT:
Question 14 of 20 · Lesson 4.4 A small private-sector company with no government contracts wants a well-respected, free reference baseline for hardening its Windows and Linux servers. Which baseline is the BEST fit?
Question 15 of 20 · Lesson 4.4 A server was fully CIS L2 hardened when deployed in 2022. An audit today shows many original hardening settings have been undone, new test accounts exist, and logging agents are disabled — none of which appears in the formal change history. What has happened to this server?
Question 16 of 20 · Lesson 4.4 A company allows BYOD. An employee needs access to corporate email and a CRM app on her personal iPhone, but she refuses to enroll the phone in full MDM because it would give IT visibility into her personal photos, messages, and apps. Legal counsel supports the privacy objection. Which approach BEST satisfies both the security need and the privacy requirement?
Question 17 of 20 · Lesson 4.5 A pediatric ICU uses 80 bedside vital-signs monitors running an embedded OS. The manufacturer stopped shipping firmware updates in 2019, but the devices are FDA-cleared through 2031 and replacement would cost millions plus require recertification. Which defense provides the BEST risk reduction for the remaining service life?
Question 18 of 20 · Lesson 4.5 A logistics company is deploying 12,000 GPS trackers across its truck fleet. The security team wants trucker-tracker authentication to the cloud platform that does NOT rely on a shared secret printed in manuals. Which authentication approach scales BEST to 12,000 devices?
Question 19 of 20 · Lesson 4.5 A manufacturer wants to prevent an attacker from pushing tampered firmware to its industrial controllers, even if the attacker can intercept the update in transit. The boot chain must reject unsigned or modified code. Which combination BEST addresses this?
Question 20 of 20 · Lesson 4.5 A security auditor asks a manufacturing firm to produce an authoritative list of every IoT device it owns, including each device’s firmware version, owner, network segment, and planned replacement date. The firm cannot. Which fundamental IoT security practice is missing?
0 / 20 0% Exam complete. Review any missed questions above.
Free Tool
AP Cybersecurity Score Calculator
Enter your MCQ and FRQ raw scores to instantly see your predicted AP grade (1–5) with personalized study tips.
Calculate My Score →

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]