AP Cybersecurity 4.1: Device Vulnerabilities & Attacks

Score0 / 10
📅 Last Updated: June 2026 ~55 min 📚 Lesson 1 of 4 — Unit 4
AP Cybersecurity — Unit 4: Securing Devices

Topic 4.1: Device Vulnerabilities & Attacks

Four device types, eight malware categories, seven exploitation vectors, and the High/Moderate/Low risk framework applied to devices — everything you need to identify, classify, and assess device-level threats on the AP exam.

Lesson 1 of 4 ~55 min LO 4.1.A – 4.1.D Skills: Analyze Risk
★ AP Exam Focus — Topic 4.1

• Classify the four CED device types (server, personal computer, handheld/mobile, embedded/IoT) and explain why embedded devices are uniquely difficult to defend
• Identify all eight malware types by mechanism: virus (user activation), worm (self-spreading), Trojan/RAT (disguised), ransomware (encryption + payment demand), spyware (tracks actions), keylogger (logs keystrokes), logic bomb (conditional trigger), rootkit (OS-level invisibility)
• Explain the seven CED device exploitation vectors and which vulnerability each targets (unpatched software, weak auth, no BIOS/UEFI protection, autorun, open ports, no firewall, no anti-malware)
• Apply the High/Moderate/Low risk framework to device vulnerabilities using the CED illustrative examples
• Distinguish fileless malware from file-based malware: fileless lives in RAM and uses legitimate programs already on the device

College Board Essential Knowledge Coverage

Topic 4.1 — What Is Testable

CED Ref Essential Knowledge Covered In
4.1.A.1 Server computers: provide services to other computers (DNS, DHCP, FTP); more processing power and storage than personal computers in enterprise environments Section 2 — Device Types
4.1.A.2 Personal computers: designed for one person (work or recreation); includes desktops, laptops, notebooks Section 2 — Device Types
4.1.A.3 Handheld/mobile computers: smaller than PCs, battery-powered; includes tablets, smartphones, smartwatches Section 2 — Device Types
4.1.A.4–A.5 Embedded computers: part of a machine; specific instruction sets; slower, cheaper, minimal storage. IoT devices are everyday embedded computers (cars, circuit breakers, IV pumps, washing machines) Section 2 — Device Types
4.1.B.1–B.2 Malware: malicious software that damages/destroys devices or grants adversary access. Used as a tool within a larger attack plan. Eight types: virus, worm, Trojan/RAT, ransomware, spyware, keylogger, logic bomb, rootkit Section 3 — Malware Types
4.1.B.3 Fileless malware: lives in RAM; uses legitimate programs already on the device; does not exist as a file → harder to detect with file-based scanning Section 3 — Fileless Malware
4.1.C.1 Unpatched software: adversaries exploit known vulnerabilities → crash system, view user actions, enable/disable services/components (webcam, microphone), take control, steal/destroy data Section 4 — Exploitation Vectors
4.1.C.2 Weak authentication: adversaries guess or social-engineer passwords Section 4 — Exploitation Vectors
4.1.C.3 No BIOS/UEFI protection: adversary boots into recovery mode for elevated privileges; loads own OS from external drive; alters/creates user profiles; changes passwords Section 4 — Exploitation Vectors
4.1.C.4 Autorun enabled: adversary loads malware onto external drive → device runs malware automatically when drive is inserted Section 4 — Exploitation Vectors
4.1.C.5 Open ports: adversaries can connect to a device through open ports Section 4 — Exploitation Vectors
4.1.C.6 No firewall or misconfigured firewall: adversaries send malicious data to disrupt or take control of devices Section 4 — Exploitation Vectors
4.1.C.7 No anti-malware software: devices more vulnerable to malware installation attempts Section 4 — Exploitation Vectors
4.1.D.1 Device risk comes from unauthorized access or malware enabling: impersonation, remote control, ransomware encryption, or data wiping. Risk level depends on criticality of device/services/data. Section 5 — Risk Assessment
4.1.D.2 High risk: potentially compromising sensitive data or critical operations. Example: email server with unpatched critical vulnerability Section 5 — Risk Levels
4.1.D.3 Moderate risk: weak authentication or less-likely-to-be-exploited vulnerabilities. Example: water treatment IoT pumps with username/password but no MFA Section 5 — Risk Levels
4.1.D.4 Low risk: vulnerabilities that, if exploited, would have little impact. Example: employee laptop with Telnet port 23 open Section 5 — Risk Levels

Source: AP Cybersecurity CED Effective Fall 2026. AP Skills: 1.C Evaluate likelihood/impact • 1.D Document risks

♡ Bellringer — 3 Questions, 5 Minutes

Answer independently. No notes.

  1. A hospital has pacemakers embedded in patients, IV pumps on the ward, and MRI scanners in radiology. What device type are these, and why does the CED identify embedded devices as a unique security challenge compared to personal computers?
  2. Ransomware encrypts a device’s files and demands payment. A worm spreads from device to device without human interaction. Both are malware. What is the key behavioral difference between them, and which CIA property does each primarily violate?
  3. A water treatment plant’s IoT pump controllers can be accessed remotely with username and password, but do not require MFA. Rate this High, Moderate, or Low risk per the CED, and identify which CED illustrative example matches this scenario exactly.

Answers: (1) Embedded computers (4.1.A.4–A.5) — they have specific instruction sets, minimal storage, are slower and cheaper, and often can’t run security software; many can’t be patched without operational disruption. (2) Ransomware = single-device, encrypts files, violates Availability; Worm = self-spreads to other devices, violates Availability across multiple systems. (3) Moderate risk (CED 4.1.D.3) — this is the exact CED illustrative example: water treatment plant IoT pumps with username/password but no MFA.

In This Lesson
  • 4.1.1 — Learning Objectives (3 min)
  • 4.1.2 — Four Device Types (8 min)
  • 4.1.3 — Eight Malware Types (12 min)
  • 4.1.4 — Seven Exploitation Vectors (10 min)
Continued
  • 4.1.5 — Device Risk Assessment (8 min)
  • 4.1.6 — Worked Scenarios & CFUs (10 min)
  • 4.1.7 — Common Mistakes (3 min)
  • 4.1.8 — Key Terms & FAQ (4 min)

14.1.1 — Learning Objectives

  • Identify and classify the four CED device types: server, personal computer, handheld/mobile, and embedded/IoT (4.1.A)
  • Identify all eight malware types by name and mechanism, including fileless malware (4.1.B)
  • Explain the seven device exploitation vectors and which vulnerability each adversary technique targets (4.1.C)
  • Apply the High/Moderate/Low risk framework to device vulnerabilities using CED criteria and illustrative examples (4.1.D)
  • Explain why embedded/IoT devices present unique security challenges compared to general-purpose computers

24.1.2 — Four Device Types (LO 4.1.A)

The CED classifies computing devices into four categories. Device type affects attack surface, patching capability, and what defenses are feasible.

Servers
4.1.A.1
Devices that provide one or more services to other computers — DNS, DHCP, FTP, web hosting, email. Any computer can be a server. In enterprise environments, servers typically have more processing power and storage than personal computers.
Security significance: Servers are high-value targets because compromising one can affect every device that depends on its services. An email server compromise exposes all users’ communications.
Personal Computers
4.1.A.2
Devices designed to be used by one person for work or recreation: word processing, graphic design, web browsing, media. Includes desktops, laptops, and notebooks.
Security significance: Personal computers are the most common attack target. They store credentials, sensitive documents, and browser session tokens. A compromised workstation is often the initial access point for a larger attack.
Handheld / Mobile
4.1.A.3
Smaller than personal computers, run on battery power. Includes tablets, smartphones, and wearable technology like smartwatches.
Security significance: Handheld devices carry authentication apps (MFA codes), location data, and personal communications. They are also frequently lost or stolen, creating physical access vulnerabilities.
Embedded / IoT
4.1.A.4–A.5
Computers embedded inside machines with specific instruction sets for interfacing with specialized components. Tend to be slower, cheaper, with minimal storage. IoT devices are everyday embedded computers: transportation, critical infrastructure, medical equipment, home appliances.
Security significance: Most embedded devices cannot run security software, receive patches easily, or be taken offline for maintenance. A compromised pacemaker or water treatment pump represents direct physical harm risk, not just data loss.
★ Embedded / IoT — The AP Exam Focus Device Type

The CED dedicates extra attention to embedded devices because they connect digital security failures to real-world physical consequences. Exam scenarios often feature IoT devices in critical infrastructure (water treatment, power grid, medical equipment) where the impact of a compromise goes far beyond data theft. Key characteristics to remember: specific instruction sets, minimal storage, cannot easily run detection tools, often can’t be patched without operational disruption.

Check for UnderstandingSpot the Error
Q 1 of 10

A security analyst states: “Embedded devices in critical infrastructure are the lowest priority for patching because they are slow, cheap, and handle simple tasks.” Which statement correctly identifies the error?

AThe analyst is correct — slow, cheap devices with limited storage are less attractive to sophisticated adversaries.
BThe analyst is partially right — embedded devices should be lower priority than servers, but not lowest priority.
CThe analyst is wrong — embedded devices in critical infrastructure (power grids, water treatment, medical equipment) are high-priority targets because a compromise can cause direct physical harm, not just data loss. Their limited capabilities make them harder to defend, not less important to protect.
DThe analyst is wrong only because embedded devices can run anti-malware software, making them just as defensible as personal computers.

34.1.3 — Eight Malware Types (LO 4.1.B)

Malware is malicious software that damages or destroys a device or network, or allows an adversary access to a device and its data. The CED identifies eight types — each with a distinct mechanism and typical use in an adversary’s attack plan.

Malware Type Mechanism Key CED Fact CIA Violated
Virus Must be activated by a user executing or opening a file Requires human action to trigger — it does not spread on its own Varies by payload
Worm Spreads from computer to computer without human interaction Self-replicating — no user action required after initial infection Availability (spreads, consumes resources)
Trojan / RAT Malware embedded in apparently harmless software. RAT (Remote Access Trojan) provides adversary remote access to the target system Disguised as something legitimate — user installs it voluntarily Confidentiality + control
Ransomware Encrypts device files, presents payment demand with promise of decryption key Typically has a fixed payment window — pay or lose files permanently Availability (can’t access files)
Spyware Tracks user actions and sends information back to adversary Passive surveillance — operates silently in background Confidentiality
Keylogger Logs keystrokes (can be software or hardware) and sends data to adversary Usernames and passwords are commonly extracted from keylogger data Confidentiality
Logic Bomb Triggers only when specific conditions are met (time/date, OS version, character set, etc.) Lies dormant until conditions are satisfied — may be planted by insiders Varies by payload (often Availability)
Rootkit Gets into the operating system itself; controls nearly every aspect of the system including making itself invisible to detection Most sophisticated type — OS-level persistence makes detection and removal extremely difficult All three CIA (total compromise)
4.1.B.3Fileless Malware — The Exception
While most malware consists of files, fileless malware is malicious code that lives in RAM and uses legitimate programs already installed on a device to compromise it. Because it exists only in memory, traditional file-based signature scanning cannot detect it — there are no files to scan.
Why it matters on the AP exam: Fileless malware represents the boundary case for anti-malware software. The CED (4.3.B) describes anti-malware scanning files for signatures. Fileless malware bypasses this entirely. If an exam question asks whether anti-malware software would detect a threat, fileless malware is the correct exception.
Check for UnderstandingI / II / III
Q 2 of 10

Which of the following statements about malware are TRUE according to the AP CED?

I. A virus requires a user to execute or open a file to activate it, while a worm spreads from computer to computer without human interaction.
II. Fileless malware stores its code in files that are hidden from the operating system, making them invisible to anti-malware scans.
III. A rootkit gets into the target computer’s operating system and can make itself invisible to detection.

AI only
BI and III only
CII and III only
DI, II, and III
Check for UnderstandingMatching
Q 3 of 10

Match each scenario to the malware type it describes.

Click a scenario on the left, then click the malware type on the right.
Scenario
1After clicking a link in an email, all files on a user’s computer are encrypted and a screen appears demanding payment within 48 hours.
2A disgruntled employee plants code that will delete all HR records exactly 30 days after their last day of employment.
3A piece of malware infects one hospital computer and within minutes spreads to 200 other machines on the network without any user clicking anything.
4A user downloads what appears to be a free game, but the installer silently gives an adversary full remote access to control the computer.
Malware Type
ARansomware
BLogic Bomb
CWorm
DRemote Access Trojan (RAT)

44.1.4 — Seven Exploitation Vectors (LO 4.1.C)

The CED identifies seven specific ways adversaries exploit device vulnerabilities. Each maps to a specific weakness and a specific defense (covered in Topic 4.3).

4.1.C.1Unpatched Software
Adversaries develop exploits for known vulnerabilities in software, including operating systems. Devices with unpatched software are vulnerable to exploits that can crash the system, view user actions, enable or disable services/components (turning on a webcam or microphone), or take control of the device to issue commands including stealing or destroying data.
Defense: Keep software and OS updated (4.3.C). When a vendor releases a patch, the vulnerability becomes public knowledge — unpatched devices become easier targets.
4.1.C.2Weak Authentication
Adversaries guess a user’s password or use social engineering to get a user to divulge it. Weak or reused passwords and lack of MFA are the most common enablers of device compromise.
Defense: Strong password policy + MFA (4.2.D, 4.3.A.2). The CED water treatment plant example (4.1.D.3) is Moderate risk specifically because it has passwords but lacks MFA.
4.1.C.3No BIOS / UEFI Protection
Without a BIOS or UEFI password, an adversary with physical access can boot the computer into “recovery mode” gaining higher-level privileges. They can then load their own operating system from an external drive and use specialized tools to alter or create user profiles, including changing passwords — all without knowing the existing password.
Why this matters: BIOS/UEFI attacks bypass all OS-level security controls. A laptop left unattended for minutes is sufficient for this attack. Physical security and BIOS password configuration are the defenses.
4.1.C.4Autorun Enabled
An adversary loads malware onto an external drive. If autorun is enabled, the device will automatically execute the malware when the drive is inserted — no user interaction beyond plugging in the drive is required.
Defense: Disable autorun; prohibit external drives in acceptable use policy (4.3.A.1); disable USB ports (from Unit 2: 2.3.B.6). This connects physical security (who can plug in a drive) to device-level configuration.
4.1.C.5Open Ports
Adversaries can leverage open ports to connect to a device. Every open port is a potential entry point. Services listening on open ports may have vulnerabilities that allow unauthorized access or remote code execution.
Defense: Host-based firewall (4.3.D) — close ports and services not needed for a given device. The CED (4.3.D.3) notes host-based firewalls should always block ports/services not needed for a device’s specific role.
4.1.C.6No Firewall / Misconfigured Firewall
Adversaries send malicious data to devices to disrupt them or attempt to take control. Without a firewall, or with an improperly configured one, the device cannot filter out malicious incoming traffic.
Defense: Host-based firewall with properly configured ACL (4.3.D). Note this is a device-level firewall distinct from the network-level firewall covered in Unit 3. A device connected to a compromised network needs its own layer of protection.
4.1.C.7No Anti-Malware Software
Adversaries often attempt to install malware on devices to disrupt or control them. Devices lacking anti-malware software are more vulnerable to this type of attack because there is no mechanism to detect and quarantine malware files.
Defense: Anti-malware software (4.3.B) — scans files against a signature database. Note: this defense does not protect against fileless malware (4.1.B.3), which lives in RAM and has no files to scan.
Check for UnderstandingSpot the Error
Q 4 of 10

A security instructor states: “Installing anti-malware software on all devices eliminates the risk from all malware types, because anti-malware software detects and removes all malicious code on a device.” Which statement correctly identifies the error?

AThe instructor is correct — anti-malware software with an updated signature database can detect and remove all known malware types.
BThe instructor is wrong only because anti-malware software cannot detect new malware that hasn’t been added to the signature database yet, but it does detect all existing file types.
CThe instructor is wrong because fileless malware lives in RAM and uses legitimate programs already on the device — there are no malicious files to scan, so anti-malware software cannot detect it through file scanning.
DThe instructor is wrong because anti-malware software only detects viruses, not worms, Trojans, or ransomware.

54.1.5 — Device Risk Assessment (LO 4.1.D)

The CED applies the same High/Moderate/Low framework from Units 2 and 3 to device vulnerabilities, but introduces three specific illustrative examples you should know exactly.

CED 4.1.D.1 — What Device Risk Looks Like Risk from device vulnerabilities enables adversaries to: impersonate an authorized user, remotely control a device, encrypt a device’s drive for ransom, or wipe a device’s memory to destroy data or render it inoperable. The level of risk depends on the criticality of the device, the services it provides, or the data it stores.
Risk Level CED Definition CED Illustrative Example Why That Level
High (4.1.D.2) Potentially compromising sensitive data or critical operations Email server with unpatched critical vulnerability Email server = critical service + sensitive data; unpatched critical vuln = easy, high-impact exploit; all users exposed
Moderate (4.1.D.3) Weak authentication or vulnerabilities less likely to be exploited Water treatment IoT pump controllers with username/password but no MFA Critical infrastructure but requires valid credentials to reach; authentication exists; MFA gap reduces but doesn’t eliminate risk
Low (4.1.D.4) Vulnerabilities that, if exploited, would have little impact Employee laptop with Telnet port 23 open Single non-critical device; Telnet requires network access to exploit; impact is limited to one laptop
⚠ AP Exam Trap — Criticality Overrides Likelihood

The water treatment plant example (Moderate) surprises students who expect it to be High. The key: it has authentication (username/password), so exploitation requires valid or guessed credentials. The vulnerability is the absence of MFA, not complete lack of authentication. Contrast with the email server (High): a known critical vulnerability with a patch available means exploitation requires only skill, not valid credentials. On the AP exam, always identify both the vulnerability and the authentication/access requirements when rating risk.

Check for UnderstandingRisk Assessment
Q 5 of 10

A hospital’s network-connected MRI scanner runs firmware from 2019 that the vendor no longer supports with security patches. The scanner processes patient imaging data and connects to the internal medical records network. Using CED 4.1.D criteria, what is the risk level and primary justification?

AHigh — the device processes sensitive patient data, connects to a critical medical network, runs unpatched firmware with known vulnerabilities, and compromise could disrupt critical operations and expose patient records.
BModerate — it is a specialized medical device, so adversaries would need specific knowledge to exploit it, which reduces the likelihood of attack.
CLow — MRI scanners are embedded devices with minimal storage, so the impact of any compromise would be limited.
DModerate — embedded devices typically receive lower risk ratings because they have limited processing capabilities that make exploitation difficult.

64.1.6 — Worked Scenarios

Check for UnderstandingMCQ
Q 6 of 10

An adversary gains physical access to an unattended laptop in a conference room. The laptop has no BIOS password. The adversary inserts a USB drive and boots the laptop into recovery mode. Which exploitation vector from CED 4.1.C does this represent, and what can the adversary accomplish that they could NOT do if a BIOS password was set?

AAutorun (4.1.C.4) — the USB drive triggers automatic execution of malware when inserted.
BOpen ports (4.1.C.5) — the adversary connects to the laptop through an exposed network service.
CWeak authentication (4.1.C.2) — the adversary guesses the Windows login password to gain access.
DNo BIOS/UEFI protection (4.1.C.3) — without BIOS protection, the adversary boots into recovery mode for elevated privileges, can load their own OS, and alter or create user profiles including changing the Windows login password — none of which requires knowing the existing credentials.
Check for UnderstandingFill in the Blank
Q 7 of 10

Fill in the correct term for each blank.

Word Bank rootkit logic bomb fileless keylogger spyware

1. An adversary plants malware that will only activate when the date is January 1, 2027. This is a .

2. Malware that gets into the operating system itself and can make itself invisible to antivirus scans is a .

3. An adversary uses malware that captures every character a user types and sends those characters to a remote server, enabling extraction of passwords. This is a .

4. Malware that lives only in RAM and uses legitimate programs already on the device is called malware.

5. Malware that silently monitors a user’s actions on a computer and sends information back to an adversary — without encrypting files or granting remote control — is .

Check for UnderstandingI / II / III
Q 8 of 10

Which of the following statements about device exploitation vectors are TRUE per the CED?

I. An adversary with physical access to a device that has no BIOS password can boot into recovery mode, load their own OS from an external drive, and change or create user accounts without knowing existing passwords.
II. Autorun must be explicitly enabled by the manufacturer and cannot be disabled by users or administrators.
III. Adversaries can leverage open ports to connect to a device, making firewall configuration that closes unused ports an important device-level defense.

AI only
BI and III only
CII and III only
DI, II, and III
Check for UnderstandingSpot the Error
Q 9 of 10

A security textbook states: “The Telnet port (port 23) open on an employee’s laptop represents a High risk because Telnet transmits credentials in plaintext, allowing adversaries to intercept passwords.” How does the CED framework classify this specific scenario, and what error does the textbook make?

AThe CED (4.1.D.4) classifies this as Low risk — it is its exact illustrative example. The textbook confuses the technical severity of the protocol weakness with the overall risk level. CED risk assessment considers both vulnerability AND impact: this is a single non-critical endpoint with limited potential impact, making it Low despite the Telnet protocol being inherently insecure.
BThe CED classifies this as Moderate risk. The textbook is mostly right but overstates the severity since it is only one laptop.
CThe textbook is correct. Plaintext credential transmission is always a High risk regardless of device type or criticality.
DThe CED classifies this as Moderate because open ports require network access to exploit, which reduces likelihood.
End of LessonIntegrative Scenario
Q 10 of 10
A security audit of a regional hospital finds: (1) The email server runs software with a known critical vulnerability that has been unpatched for 60 days. (2) IoT infusion pumps controlling medication delivery can be accessed remotely via username/password but have no MFA. (3) Radiology workstations have Telnet port 23 open. (4) Nurse workstations have no BIOS passwords and USB autorun is enabled.

Ranking these from highest to lowest risk using CED 4.1.D criteria, which ordering is correct?

AInfusion pumps > Email server > Nurse workstations > Radiology workstations
BEmail server > Infusion pumps > Radiology workstations > Nurse workstations
CEmail server > Nurse workstations > Infusion pumps > Radiology workstations
DNurse workstations > Email server > Infusion pumps > Radiology workstations

!Common AP Exam Mistakes — Topic 4.1

Mistake Why It’s Wrong What to Do Instead
Rating embedded/IoT devices as low priority because they are “simple” Embedded devices in critical infrastructure (pacemakers, water treatment, power grid) have catastrophic failure impacts. Simplicity does not mean low risk. Risk = criticality + data + services. Simple device + critical function = potentially High risk.
Confusing spyware with keyloggers Spyware tracks and sends user actions broadly. A keylogger specifically logs keystrokes to extract credentials. Keylogger is a subset of spyware in common usage, but the CED treats them as distinct types. Spyware = broad behavioral monitoring. Keylogger = specifically captures keystrokes for credential theft.
Thinking anti-malware detects fileless malware Anti-malware scans files for signatures (CED 4.3.B.2). Fileless malware lives in RAM and has no files to scan — traditional file scanning cannot detect it. Fileless malware = RAM-based, uses legitimate programs. File-scanning tools cannot detect it.
Rating “Telnet port open on an employee laptop” as High risk The CED (4.1.D.4) uses this exact scenario as its Low risk illustrative example. Protocol insecurity (Telnet = plaintext) ≠ High risk. Impact on one non-critical laptop = limited. Always apply CED criteria: vulnerability + likelihood + impact. Single non-critical endpoint = Low despite protocol weakness.
Assuming BIOS password attacks require knowing the existing OS password A BIOS/UEFI attack (4.1.C.3) bypasses the OS entirely. The adversary boots their own OS from external media — the Windows login password is irrelevant. No BIOS protection = OS-level passwords provide zero protection against physical access attacks.

84.1.8 — Key Terms & FAQ

Term Definition AP Exam Note
Malware Malicious software that damages/destroys a device or allows adversary access A tool within a larger attack plan, not the end goal itself
Virus Malware requiring user activation (executing or opening a file) Contrast with worm: virus needs a human, worm does not
Worm Malware that spreads without human interaction Self-propagating; can infect entire networks rapidly
Ransomware Encrypts device files; presents payment demand with promise of decryption key Availability violation; typically time-limited payment window
RAT Remote Access Trojan — Trojan that gives adversary remote control of target system Disguised as legitimate software (Trojan); provides ongoing access (RAT)
Rootkit Sophisticated malware embedded in OS; can control the system including making itself invisible Most difficult to detect and remove; OS-level persistence
Logic Bomb Malware that triggers only when specific conditions are met (time, date, OS version, etc.) Lies dormant; often planted by insiders; hard to detect before trigger
Fileless Malware Malicious code in RAM that uses legitimate programs; has no file form Cannot be detected by file-based anti-malware scanning
IoT Device Everyday embedded computer (transportation, medical, infrastructure, appliances) Often cannot run security software; minimal storage; hard to patch
BIOS / UEFI Basic Input/Output System / Unified Extensible Firmware Interface — firmware that initializes hardware at boot No password = adversary can boot own OS from external drive, bypassing all OS security
  • Can a worm also be ransomware?

    Yes — malware types are not mutually exclusive. Real-world malware often combines characteristics. WannaCry (2017) was ransomware that spread like a worm. However, on AP exam questions, each scenario description will make one type clearly primary. If a malware description says “spreads from computer to computer without human interaction,” the answer is worm regardless of what payload it delivers. If it says “encrypts files and demands payment,” the answer is ransomware. Focus on the mechanism described.

  • Why is the water treatment plant Moderate risk instead of High given the physical danger?

    The CED (4.1.D.3) applies its framework based on what the vulnerability is, not just what the target is. The IoT pumps require valid credentials (username/password) to access — an adversary must first obtain or guess those credentials. The vulnerability is the absence of MFA, which makes this harder to exploit than an unpatched server with a known exploit. High risk (4.1.D.2) involves potentially compromising sensitive data or critical operations with fewer barriers to exploitation. Moderate risk acknowledges the critical nature but recognizes that authentication is present.

  • What is the difference between a keylogger and spyware?

    Spyware (4.1.B.2) broadly tracks a user’s actions on a computer and sends information to an adversary — it can capture browsing history, application usage, file access, screenshots, and more. A keylogger (4.1.B.2) is specifically focused on logging keystrokes and sending that data to the adversary; its primary value is extracting usernames and passwords. The CED treats these as distinct malware types. In a scenario, look for: tracks actions generally = spyware; captures keystrokes specifically = keylogger.

📋 Exit Ticket — Topic 4.1 | 5 Questions | Ready for Canvas / Google Classroom

Students submit before leaving.

  1. Name all four CED device types. For embedded/IoT devices specifically, explain two reasons why they are more difficult to secure than personal computers. (AP Skill: Analyze Risk)
  2. A bank employee downloads what appears to be a legitimate PDF viewer. The installer silently installs software that lets an adversary remotely access and control the employee’s computer at any time. Name the malware type(s) involved and explain the mechanism. (AP Skill: Analyze Risk)
  3. List all seven CED device exploitation vectors (4.1.C.1–C.7). For each, state in one phrase what the adversary takes advantage of. (AP Skill: Analyze Risk)
  4. Why can’t traditional anti-malware software detect fileless malware? Be specific about how anti-malware works and what makes fileless malware different. (AP Skill: Analyze Risk)
  5. Apply the CED risk framework to each scenario and justify: (a) A hospital’s DNS server has a known unpatched vulnerability. (b) Smart thermostats in an office building can be accessed remotely via default username/password. (c) A developer’s laptop has FTP port 21 open but the developer rarely uses FTP. (AP Skill: Analyze Risk)
Answer Key: (1) Servers, personal computers, handheld/mobile, embedded/IoT. Embedded challenges: (a) often cannot run security software due to insufficient system resources; (b) difficult to patch without operational disruption; (c) minimal storage limits defenses. (2) Trojan (disguised as legitimate software — PDF viewer) + RAT (Remote Access Trojan provides ongoing remote control). The two work together: Trojan is the delivery mechanism, RAT is the payload. (3) 4.1.C.1: unpatched software (known vulnerabilities); C.2: weak auth (guessable/social-engineered passwords); C.3: no BIOS/UEFI protection (bypass OS via recovery mode); C.4: autorun enabled (external drive triggers malware automatically); C.5: open ports (connection entry points); C.6: no/misconfigured firewall (malicious data reaches device); C.7: no anti-malware (malware installs without detection). (4) Anti-malware scans files against a signature database (CED 4.3.B.2). Fileless malware lives in RAM only — it has no files to scan. Legitimate programs already on the device execute its code. File-based scanning finds nothing because nothing exists as a file. (5a) High — DNS server = critical infrastructure service + sensitive role; unpatched known vulnerability = easy exploitation; all network users depend on it. (5b) Moderate — authentication exists (default credentials) but is weak; default credentials are easily guessable but exploitation requires network access; smart thermostats = low data sensitivity but some operational impact. (5c) Low — single non-critical developer device; open port on one workstation (mirrors the Telnet/CED Low risk example pattern).
Premium Feature

1-on-1 Expert Support

Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.

2,067+ Verified Hours 5.0 Wyzant Rating 499+ Reviews
Learn About Expert Sessions →
TC
Tanner Crow
AP Computer Science Teacher — Blue Valley North High School

Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 2,067+ verified tutoring hours on Wyzant with a 5.0 rating from 499+ reviews.

11+ Years Teaching AP CS 2,067+ Verified Tutoring Hours 499+ Five-Star Reviews 5.0 Rating on Wyzant
Content last reviewed and updated: June 2026
← Unit 3 Lesson 5 Exercise 1 →

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]