AP Cybersecurity 4.3: Protecting Devices
Topic 4.3: Protecting Devices
Three managerial policies, anti-malware signature scanning, OS patching, and host-based firewall configuration — the defensive controls that directly address the exploitation vectors from Topic 4.1.
• Identify the three CED managerial policies: acceptable use policy (user activities on devices), password policy (password requirements), software installation policy (what software users may install)
• Explain how anti-malware works: maintains signature database, periodically scans files, quarantines matches — and its key limitation: cannot detect fileless malware (no files to scan)
• Explain the patch release risk window: once a patch is released, the vulnerability is public knowledge — unpatched devices become immediately more exploitable
• Distinguish host-based firewall (protects one device) from network-based firewall (protects a segment); both use identical ACL first-match rule ordering
• Apply CED 4.3.D.3: host-based firewalls should always block ports/services not needed — including outbound (e.g., block outbound FTP to prevent exfiltration)
Topic 4.3 — What Is Testable
| CED Ref | Essential Knowledge | Covered In |
|---|---|---|
| 4.3.A.1 | Acceptable use policy: permissible, prohibited, or required activities on organization-owned devices. May include: prohibit specific websites, require software updates, allow/prohibit peripherals, prohibit external drives | Section 2 — Managerial Policies |
| 4.3.A.2 | Password policy: requirements for user passwords. May include: min/max length, min/max time before change, prohibition of reuse, construction rules (no dictionary words, character sets), suggest password manager | Section 2 — Managerial Policies |
| 4.3.A.3 | Software installation policy: what software users may install. May include: prohibition on user installs, process to request software, list of approved software | Section 2 — Managerial Policies |
| 4.3.B.1–B.2 | Anti-malware: maintains signature database; periodically scans files; if file matches a signature, quarantines and removes. Limitation: cannot detect fileless malware (no files to scan) | Section 3 — Anti-Malware |
| 4.3.C.1–C.2 | Patching: vendors fix vulnerabilities and release updates; a small update = patch. Keeping OS and software updated prevents adversaries from exploiting known vulnerabilities | Section 4 — Patching |
| 4.3.D.1 | Host-based firewall: allows or denies traffic into or out of a single device; provides extra security layer if device is on a compromised network | Section 5 — Host-Based Firewall |
| 4.3.D.2 | Host-based firewall: software running on the device; follows ACL rules like network firewall; rules in order, first match applies | Section 5 — Host-Based Firewall |
| 4.3.D.3 | Host-based firewall can block outbound traffic. Should always block ports/services not needed. Example: block outbound FTP prevents adversary with remote access from exfiltrating files | Section 5 — Host-Based Firewall |
| 4.3.D.4 | Host-based firewall rules allow/deny based on: source or destination port, IP address, service, protocol, or application | Section 5 — Host-Based Firewall |
Source: AP Cybersecurity CED Effective Fall 2026. AP Skills: 2.C Evaluate mitigations • 2.D Implement mitigations
Answer independently. No notes.
- An employee installs a free screen recorder from an unofficial site on their work laptop. The software contains a RAT. Which two CED managerial policies (Topic 4.3.A) would have prevented this if enforced?
- A software vendor announces a critical vulnerability in their product and will release a patch in 7 days. What happens to unpatched devices the moment this announcement is made, and why does this make the 7-day window dangerous?
- A workstation has outbound FTP (port 21) open in its host-based firewall. An adversary gains remote access via a RAT. What can the adversary now do that they couldn’t if FTP were blocked, and which CED item requires blocking unused outbound ports?
Answers: (1) Software installation policy (4.3.A.3) — prohibiting unauthorized installs; acceptable use policy (4.3.A.1) — prohibiting unapproved software use. (2) The vulnerability becomes publicly documented — every adversary now knows exactly what to look for in unpatched systems. Unpatched devices become immediately more exploitable because the secret is out. (3) Adversary can exfiltrate stolen files via FTP to their external server. CED 4.3.D.3: host-based firewalls should always block ports/services not needed for a given device.
- 4.3.1 — Learning Objectives (3 min)
- 4.3.2 — Three Managerial Policies (10 min)
- 4.3.3 — Anti-Malware Software (8 min)
- 4.3.4 — Patching & Updates (6 min)
- 4.3.5 — Host-Based Firewall (10 min)
- 4.3.6 — Worked Scenarios & CFUs (8 min)
- 4.3.7 — Common Mistakes (3 min)
- 4.3.8 — Key Terms & FAQ (4 min)
14.3.1 — Learning Objectives
- Identify and distinguish the three CED managerial policies for device security (4.3.A)
- Explain how anti-malware signature scanning works and its limitation against fileless malware (4.3.B)
- Explain why patching closes the exploitation window and why the patch release moment creates immediate risk for unpatched devices (4.3.C)
- Configure host-based firewall ACL rules and distinguish host-based from network-based firewalls (4.3.D)
- Map each protective control from this lesson to the exploitation vectors from Topic 4.1 it addresses
24.3.2 — Three Managerial Policies (LO 4.3.A)
Managerial controls govern how users interact with organization-owned devices. They target human behavior as a vulnerability layer distinct from technical software or hardware weaknesses.
A company policy states: “All employees must update their operating system within 48 hours of a security patch release. Employees may not connect personal USB drives to company equipment. Social media websites are blocked on all company devices.” How many CED policy types are represented, and which type covers all three requirements?
A security manager says: “Our software installation policy covers everything about device security policy. It specifies that passwords must be at least 12 characters, prohibits social media, and lists approved applications.” What is the error?
34.3.3 — Anti-Malware Software (LO 4.3.B)
Anti-malware scans files. Fileless malware (CED 4.1.B.3) lives in RAM and uses legitimate programs already on the device — it has no file form. File scanning finds nothing to detect. A device with up-to-date anti-malware can still be fully compromised by fileless malware the scanner will never see. This is a frequently tested AP exam distinction.
Which of the following statements about anti-malware software are TRUE per the CED?
I. Anti-malware software can detect fileless malware because it monitors RAM in addition to scanning files.
II. Anti-malware software maintains a database of malware signatures and quarantines files that match those signatures.
III. Many embedded devices cannot run any detection tools because they lack sufficient system resources.
44.3.4 — Patching & Updates (LO 4.3.C)
Before a patch is released, a vulnerability may be known only to the vendor and a small group. After the patch is released, the vulnerability is publicly documented — every adversary now knows exactly what to exploit in unpatched systems. This is why the CED email server example (4.1.D.2) rates an unpatched known critical vulnerability as High risk: the patch exists, the vulnerability is public, unpatched devices are easy targets.
A network administrator says: “When a vendor releases a patch, our unpatched systems actually become temporarily safer because the vendor is now actively monitoring the vulnerability and blocking exploit attempts.” What is the error?
54.3.5 — Host-Based Firewall (LO 4.3.D)
| ACL Rule Element | Options (CED 4.3.D.4) | Example |
|---|---|---|
| Direction | Inbound or outbound | Outbound |
| Criterion | Source/destination port or IP address, service, protocol, or application | Port 21 (FTP), any destination |
| Action | Permit or deny | Deny |
| Complete rule: DENY outbound port 21 → adversary with RAT cannot exfiltrate via FTP | ||
A developer’s workstation host-based firewall has these ACL rules in order:
1. PERMIT outbound TCP port 443
2. PERMIT outbound TCP port 22
3. DENY outbound TCP all ports
The developer tries to connect outbound on TCP port 80 (HTTP). What happens?
64.3.6 — Worked Scenarios
Which of the following statements about host-based firewalls are TRUE per the CED?
I. A host-based firewall provides an extra security layer if the device is connected to a compromised network, because it filters traffic at the device level regardless of network-layer controls.
II. Host-based firewall rules are evaluated all at once to determine the best matching rule, unlike network firewalls which use strict first-match ordering.
III. Host-based firewalls should always block ports or services not needed for a given device, including outbound blocking to prevent exfiltration.
Match each attack scenario to the CED defensive control that would have prevented or mitigated it.
A hospital workstation’s host-based firewall is configured to PERMIT all inbound and outbound traffic. A RAT is installed via a phishing email attachment. The adversary uses the RAT to remotely browse files, then exfiltrates 50,000 patient records via FTP. Which two CED controls, if properly configured, would have together prevented the exfiltration step specifically?
Complete each statement with the correct CED term.
1. An indicator embedded in a malware file that makes it detectable by anti-malware software is called a .
2. When anti-malware software detects a malicious file, it and removes it.
3. A small update that fixes a specific vulnerability in an OS or software is called a .
4. Software running on a single device that allows or denies traffic into or out of that device — providing protection even on a compromised network — is a .
5. The CED policy that describes permissible, prohibited, or required user activities on organization-owned devices — including website restrictions and USB drive prohibition — is the .
Which combination of findings most directly enabled the successful attack and exfiltration?
!Common AP Exam Mistakes — Topic 4.3
| Mistake | Why It’s Wrong | What to Do Instead |
|---|---|---|
| Putting password requirements in the software installation policy | Password length, complexity, and reuse rules belong in the password policy (4.3.A.2). The software installation policy only covers what software users may install. These are distinct CED categories. | Password policy = password construction. Software installation policy = what apps users may install. AUP = user behavior on devices. |
| Thinking anti-malware detects fileless malware | Anti-malware scans files against a signature database (4.3.B.2). Fileless malware (4.1.B.3) has no file form — it lives in RAM. There are no files to scan. This is the most frequently missed Topic 4.3 concept. | Anti-malware = file-based signature scanning. Fileless malware = RAM-based, undetectable by file scanning. |
| Assuming unpatched devices are safer before a patch is released | Before the patch, the vulnerability may be unknown. After the patch, it is publicly documented — unpatched devices become immediately more exploitable, not less. The CED High risk email server example illustrates this. | Patch release = vulnerability goes public. Unpatched devices become higher-priority targets the moment a patch exists. |
| Saying host-based firewall rules use best-match ordering | CED 4.3.D.2 is explicit: rules are implemented in order and the first matching rule applies. This is the same first-match logic as network firewalls (3.4.B.2). There is no best-match evaluation. | Both host-based and network firewalls: check rules in order, first match executes, stop checking. |
| Forgetting that host-based firewalls block outbound traffic | Students associate firewalls with inbound protection. CED 4.3.D.3 explicitly requires blocking unneeded outbound traffic and uses FTP exfiltration as the illustrative example. Outbound blocking is the key differentiator tested for host-based firewalls. | Host-based firewall = inbound AND outbound control. Always block outbound ports/services not needed for that device. |
84.3.8 — Key Terms & FAQ
| Term | Definition | AP Exam Note |
|---|---|---|
| Acceptable Use Policy | Policy describing permissible, prohibited, or required user activities on organization-owned devices | Covers website restrictions, external drives, software updates, peripheral devices |
| Password Policy | Policy detailing password requirements: length, age, reuse, construction rules, password manager guidance | Distinct from AUP — focuses on password construction and management |
| Software Installation Policy | Policy describing what software users may install; may include prohibition on installs, request process, approved list | Defense against Trojans and unauthorized software |
| Malware Signature | An indicator embedded in a malware file that makes it detectable by anti-malware software | Signature database must stay updated; fileless malware has no signature |
| Patch | A small update that fixes a specific vulnerability in an OS or software application | Release = vulnerability goes public; unpatched devices become immediate targets |
| Host-Based Firewall | Software on a single device that allows or denies traffic into or out of that device | Extra layer even on compromised network; same ACL first-match logic; blocks outbound too |
-
If three CED policies overlap (e.g., all relate to software), how do I know which one a requirement belongs in?
Use the CED’s own definitions. The acceptable use policy (4.3.A.1) governs how users behave with devices — what sites they visit, what drives they plug in, whether they keep software updated. The password policy (4.3.A.2) is exclusively about password construction and management. The software installation policy (4.3.A.3) is exclusively about what software users may install. If the requirement is about user behavior on the device, it belongs in the AUP. If it’s about password rules, it’s in the password policy. If it’s about installing applications, it’s in the software installation policy.
-
Can a host-based firewall protect a device from a RAT that is already installed?
Partially. A host-based firewall configured to block outbound FTP (or other exfiltration channels) will prevent the RAT from sending files out, even if the RAT is running. However, the RAT can still browse files internally and may use other outbound channels not blocked by the firewall. This is why the CED (4.3.D.3) says to block all ports and services not needed — limiting outbound options limits the damage a RAT can do, but it does not remove the RAT. Complete remediation requires detection (Topic 4.4) and removal via anti-malware.
-
Why does the CED distinguish host-based firewalls from network firewalls if they use the same ACL logic?
The scope and position are different. A network firewall sits at a segment boundary and protects all devices on that segment. A host-based firewall sits on a single device and protects only that device. If a device is connected to a compromised internal network — where the network firewall has been bypassed or the device is on the same segment as an attacker — the network firewall provides no protection for that device. The host-based firewall is the last line of defense at the device level. They are complementary, not interchangeable.
Students submit before leaving.
- Name all three CED managerial policies for device security. For each, give one specific CED-listed requirement and identify which Topic 4.1 exploitation vector it addresses. (AP Skill: Mitigate Risk)
- Explain why anti-malware software with an up-to-date signature database cannot protect a device from fileless malware. Be specific about how the CED defines anti-malware’s detection mechanism and how fileless malware differs. (AP Skill: Analyze Risk)
- A host-based firewall ACL has: (1) PERMIT inbound TCP port 443, (2) PERMIT inbound TCP port 80, (3) DENY inbound all. A packet arrives: inbound TCP port 8080. Which rule fires, what is the result, and explain the rule-ordering logic. (AP Skill: Mitigate Risk)
- Why do unpatched devices become higher-risk targets specifically after a vendor releases a patch (not before)? Connect your answer to the CED risk framework. (AP Skill: Analyze Risk)
- A law firm workstation has a host-based firewall permitting all outbound traffic and no software installation policy. A paralegal installs a RAT disguised as a PDF editor. The adversary exfiltrates files via FTP. Identify exactly which two CED Topic 4.3 controls were missing that would have stopped the two phases of this attack. (AP Skill: Mitigate Risk)
1-on-1 Expert Support
Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.
Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 2,067+ verified tutoring hours on Wyzant with a 5.0 rating from 499+ reviews.
+Continue Learning
Lesson → Exercise 1 → Exercise 2 → Lab → Quiz
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]