AP Cybersecurity 4.3: Protecting Devices

Score0 / 10
📅 Last Updated: June 2026 ~50 min 📚 Lesson 3 of 4 — Unit 4
AP Cybersecurity — Unit 4: Securing Devices

Topic 4.3: Protecting Devices

Three managerial policies, anti-malware signature scanning, OS patching, and host-based firewall configuration — the defensive controls that directly address the exploitation vectors from Topic 4.1.

Lesson 3 of 4 ~50 min LO 4.3.A – 4.3.D Skills: Mitigate Risk
★ AP Exam Focus — Topic 4.3

• Identify the three CED managerial policies: acceptable use policy (user activities on devices), password policy (password requirements), software installation policy (what software users may install)
• Explain how anti-malware works: maintains signature database, periodically scans files, quarantines matches — and its key limitation: cannot detect fileless malware (no files to scan)
• Explain the patch release risk window: once a patch is released, the vulnerability is public knowledge — unpatched devices become immediately more exploitable
• Distinguish host-based firewall (protects one device) from network-based firewall (protects a segment); both use identical ACL first-match rule ordering
• Apply CED 4.3.D.3: host-based firewalls should always block ports/services not needed — including outbound (e.g., block outbound FTP to prevent exfiltration)

College Board Essential Knowledge Coverage

Topic 4.3 — What Is Testable

CED Ref Essential Knowledge Covered In
4.3.A.1 Acceptable use policy: permissible, prohibited, or required activities on organization-owned devices. May include: prohibit specific websites, require software updates, allow/prohibit peripherals, prohibit external drives Section 2 — Managerial Policies
4.3.A.2 Password policy: requirements for user passwords. May include: min/max length, min/max time before change, prohibition of reuse, construction rules (no dictionary words, character sets), suggest password manager Section 2 — Managerial Policies
4.3.A.3 Software installation policy: what software users may install. May include: prohibition on user installs, process to request software, list of approved software Section 2 — Managerial Policies
4.3.B.1–B.2 Anti-malware: maintains signature database; periodically scans files; if file matches a signature, quarantines and removes. Limitation: cannot detect fileless malware (no files to scan) Section 3 — Anti-Malware
4.3.C.1–C.2 Patching: vendors fix vulnerabilities and release updates; a small update = patch. Keeping OS and software updated prevents adversaries from exploiting known vulnerabilities Section 4 — Patching
4.3.D.1 Host-based firewall: allows or denies traffic into or out of a single device; provides extra security layer if device is on a compromised network Section 5 — Host-Based Firewall
4.3.D.2 Host-based firewall: software running on the device; follows ACL rules like network firewall; rules in order, first match applies Section 5 — Host-Based Firewall
4.3.D.3 Host-based firewall can block outbound traffic. Should always block ports/services not needed. Example: block outbound FTP prevents adversary with remote access from exfiltrating files Section 5 — Host-Based Firewall
4.3.D.4 Host-based firewall rules allow/deny based on: source or destination port, IP address, service, protocol, or application Section 5 — Host-Based Firewall

Source: AP Cybersecurity CED Effective Fall 2026. AP Skills: 2.C Evaluate mitigations • 2.D Implement mitigations

♡ Bellringer — 3 Questions, 5 Minutes

Answer independently. No notes.

  1. An employee installs a free screen recorder from an unofficial site on their work laptop. The software contains a RAT. Which two CED managerial policies (Topic 4.3.A) would have prevented this if enforced?
  2. A software vendor announces a critical vulnerability in their product and will release a patch in 7 days. What happens to unpatched devices the moment this announcement is made, and why does this make the 7-day window dangerous?
  3. A workstation has outbound FTP (port 21) open in its host-based firewall. An adversary gains remote access via a RAT. What can the adversary now do that they couldn’t if FTP were blocked, and which CED item requires blocking unused outbound ports?

Answers: (1) Software installation policy (4.3.A.3) — prohibiting unauthorized installs; acceptable use policy (4.3.A.1) — prohibiting unapproved software use. (2) The vulnerability becomes publicly documented — every adversary now knows exactly what to look for in unpatched systems. Unpatched devices become immediately more exploitable because the secret is out. (3) Adversary can exfiltrate stolen files via FTP to their external server. CED 4.3.D.3: host-based firewalls should always block ports/services not needed for a given device.

In This Lesson
  • 4.3.1 — Learning Objectives (3 min)
  • 4.3.2 — Three Managerial Policies (10 min)
  • 4.3.3 — Anti-Malware Software (8 min)
  • 4.3.4 — Patching & Updates (6 min)
Continued
  • 4.3.5 — Host-Based Firewall (10 min)
  • 4.3.6 — Worked Scenarios & CFUs (8 min)
  • 4.3.7 — Common Mistakes (3 min)
  • 4.3.8 — Key Terms & FAQ (4 min)

14.3.1 — Learning Objectives

  • Identify and distinguish the three CED managerial policies for device security (4.3.A)
  • Explain how anti-malware signature scanning works and its limitation against fileless malware (4.3.B)
  • Explain why patching closes the exploitation window and why the patch release moment creates immediate risk for unpatched devices (4.3.C)
  • Configure host-based firewall ACL rules and distinguish host-based from network-based firewalls (4.3.D)
  • Map each protective control from this lesson to the exploitation vectors from Topic 4.1 it addresses

24.3.2 — Three Managerial Policies (LO 4.3.A)

Managerial controls govern how users interact with organization-owned devices. They target human behavior as a vulnerability layer distinct from technical software or hardware weaknesses.

4.3.A.1Acceptable Use Policy (AUP)
Describes the range of activities that are permissible, prohibited, or required by users on organization-owned devices. CED-specified examples: prohibiting specific websites (social media, gaming), requiring software updates, allowing or prohibiting peripheral devices, prohibiting external drives or media.
Exploitation vectors addressed (Topic 4.1): Autorun attacks (4.1.C.4) via prohibiting external drives; malware via browsing via website restrictions; unpatched software (4.1.C.1) via required update policy.
4.3.A.2Password Policy
Details requirements for user passwords. CED-listed inclusions: minimum or maximum password length, minimum or maximum time before required change, prohibition of password reuse, construction rules (no dictionary words, character set requirements), suggestion to use secure password manager tools instead of writing passwords down.
Exploitation vectors addressed: Weak authentication (4.1.C.2); also directly addresses password attacks from Topic 4.2 (complexity + length = slower brute force; reuse prohibition = reduced credential stuffing impact).
4.3.A.3Software Installation Policy
Describes what software users are allowed to install. CED-listed inclusions: prohibition against user installs, a process to request new software needed for a role, a list of approved software.
Exploitation vectors addressed: Trojan/malware delivery (4.1.B.2, 4.1.C.7) — if users cannot install unauthorized software, they cannot install malware disguised as legitimate applications. Works with anti-malware (4.3.B) as a two-layer defense.
Check for UnderstandingClassification
Q 1 of 10

A company policy states: “All employees must update their operating system within 48 hours of a security patch release. Employees may not connect personal USB drives to company equipment. Social media websites are blocked on all company devices.” How many CED policy types are represented, and which type covers all three requirements?

AThree policy types — software updates = software installation policy; USB = password policy; social media = acceptable use policy.
BTwo policy types — updates + USB = software installation policy; social media = acceptable use policy.
COne policy type — all three belong in the acceptable use policy (4.3.A.1). The CED explicitly lists requiring software updates, prohibiting external drives, and prohibiting specific websites as AUP inclusions.
DTwo policy types — updates + social media = acceptable use policy; USB = software installation policy.
Check for UnderstandingSpot the Error
Q 2 of 10

A security manager says: “Our software installation policy covers everything about device security policy. It specifies that passwords must be at least 12 characters, prohibits social media, and lists approved applications.” What is the error?

AThe policy is correct — the CED allows organizations to combine all device policies into a single document.
BThe 12-character minimum password requirement belongs in the password policy (4.3.A.2), and prohibiting social media belongs in the acceptable use policy (4.3.A.1). Only the list of approved applications belongs in the software installation policy (4.3.A.3).
CThe password length requirement is correct in the software installation policy; only social media belongs in the acceptable use policy.
DThe manager is wrong only because social media restrictions require a separate network policy, not a device policy.

34.3.3 — Anti-Malware Software (LO 4.3.B)

How Anti-Malware Works (CED 4.3.B.1–B.2) Anti-malware software maintains a database of malware signatures. Signatures are indicators embedded in malware files that make them detectable. The software periodically scans device files and checks for signature matches. A match triggers quarantine and removal of the malicious file.
⚠ The Fileless Malware Gap

Anti-malware scans files. Fileless malware (CED 4.1.B.3) lives in RAM and uses legitimate programs already on the device — it has no file form. File scanning finds nothing to detect. A device with up-to-date anti-malware can still be fully compromised by fileless malware the scanner will never see. This is a frequently tested AP exam distinction.

Check for UnderstandingI / II / III
Q 3 of 10

Which of the following statements about anti-malware software are TRUE per the CED?

I. Anti-malware software can detect fileless malware because it monitors RAM in addition to scanning files.
II. Anti-malware software maintains a database of malware signatures and quarantines files that match those signatures.
III. Many embedded devices cannot run any detection tools because they lack sufficient system resources.

AI and II only
BI and III only
CI only
DII and III only

44.3.4 — Patching & Updates (LO 4.3.C)

CED 4.3.C.1–C.2 — How Patching Works When a vulnerability is discovered in an OS or software, the vendor fixes it and releases an update. A small update is called a patch. Applying updates to the most recent version prevents adversaries from exploiting known vulnerabilities.
⚠ The Patch Release Risk Window

Before a patch is released, a vulnerability may be known only to the vendor and a small group. After the patch is released, the vulnerability is publicly documented — every adversary now knows exactly what to exploit in unpatched systems. This is why the CED email server example (4.1.D.2) rates an unpatched known critical vulnerability as High risk: the patch exists, the vulnerability is public, unpatched devices are easy targets.

Check for UnderstandingSpot the Error
Q 4 of 10

A network administrator says: “When a vendor releases a patch, our unpatched systems actually become temporarily safer because the vendor is now actively monitoring the vulnerability and blocking exploit attempts.” What is the error?

AThe administrator is wrong. When a patch is released, the vulnerability becomes publicly documented — unpatched devices are immediately more exploitable, not safer. Vendors patch their software; they do not monitor or protect customers’ unpatched systems.
BThe administrator is partially correct — vendors do monitor for exploit attempts on unpatched systems for 30 days after patch release.
CThe administrator is correct — patching is only necessary for internet-facing systems, not internal devices.
DThe administrator is wrong only because vendors stop monitoring after the patch is released, leaving unpatched systems permanently vulnerable.

54.3.5 — Host-Based Firewall (LO 4.3.D)

Network Firewall
Unit 3 (CED 3.4)
Protects a network segment. Sits at a network boundary. Filters traffic entering or leaving the entire segment. All devices behind it share its protection.
A device connected to a compromised network is NOT protected by a network firewall that the adversary has already bypassed.
Host-Based Firewall
CED 4.3.D
Software running on a single device. Allows or denies traffic into or out of that one device. Provides protection even when the device is on a compromised network — it is an extra layer at the device itself.
Same ACL rule logic: rules checked in order, first matching rule executes. Same rule elements: direction + criterion + action.
CED 4.3.D.3 — Always Block What Is Not Needed, Including Outbound Host-based firewalls should always block ports or services not needed for a given device. This includes outbound blocking. CED illustrative example: block outbound FTP (port 21) → if an adversary gains remote access via a RAT, they cannot use FTP to exfiltrate stolen files to their server. The device still sends allowed traffic but FTP is never available as an exfiltration channel.
ACL Rule Element Options (CED 4.3.D.4) Example
Direction Inbound or outbound Outbound
Criterion Source/destination port or IP address, service, protocol, or application Port 21 (FTP), any destination
Action Permit or deny Deny
Complete rule: DENY outbound port 21 → adversary with RAT cannot exfiltrate via FTP
Check for UnderstandingMCQ
Q 5 of 10

A developer’s workstation host-based firewall has these ACL rules in order:
1. PERMIT outbound TCP port 443
2. PERMIT outbound TCP port 22
3. DENY outbound TCP all ports

The developer tries to connect outbound on TCP port 80 (HTTP). What happens?

APermitted — HTTP (port 80) is closely related to HTTPS (port 443), so Rule 1 implicitly covers both.
BDenied by Rule 3. Port 80 does not match Rule 1 (port 443) or Rule 2 (port 22), so the first matching rule is Rule 3, which denies all outbound TCP.
CPermitted — Rules 1 and 2 are permit rules, so the firewall defaults to allowing traffic not explicitly denied.
DDenied by Rule 1 — HTTP is blocked because it is less secure than HTTPS.

64.3.6 — Worked Scenarios

Check for UnderstandingI / II / III
Q 6 of 10

Which of the following statements about host-based firewalls are TRUE per the CED?

I. A host-based firewall provides an extra security layer if the device is connected to a compromised network, because it filters traffic at the device level regardless of network-layer controls.
II. Host-based firewall rules are evaluated all at once to determine the best matching rule, unlike network firewalls which use strict first-match ordering.
III. Host-based firewalls should always block ports or services not needed for a given device, including outbound blocking to prevent exfiltration.

AI and III only
BII and III only
CI and II only
DI, II, and III
Check for UnderstandingMatching
Q 7 of 10

Match each attack scenario to the CED defensive control that would have prevented or mitigated it.

Click a scenario, then click the matching control.
Attack Scenario
1An employee plugs in a personal USB drive containing malware; autorun executes the malware automatically.
2A ransomware file is downloaded to a device. Before it executes, a periodic scan detects its signature and quarantines it.
3An adversary exploits a vulnerability in email server software that was patched 3 weeks ago but never applied.
4A RAT on a workstation attempts outbound FTP to exfiltrate stolen data; the connection is blocked.
Defensive Control
AAcceptable Use Policy (4.3.A.1)
BAnti-Malware Software (4.3.B)
CPatching / Updates (4.3.C)
DHost-Based Firewall (4.3.D)
Check for UnderstandingScenario Application
Q 8 of 10

A hospital workstation’s host-based firewall is configured to PERMIT all inbound and outbound traffic. A RAT is installed via a phishing email attachment. The adversary uses the RAT to remotely browse files, then exfiltrates 50,000 patient records via FTP. Which two CED controls, if properly configured, would have together prevented the exfiltration step specifically?

AAnti-malware (would have caught the RAT file) and patching (would have prevented the phishing exploit)
BPassword policy (would require stronger credentials) and patching (would close email server vulnerabilities)
CHost-based firewall blocking outbound FTP (4.3.D.3) would have blocked the exfiltration channel; software installation policy (4.3.A.3) prohibiting unauthorized installs would have prevented the RAT from being installed via the attachment.
DAnti-malware and acceptable use policy prohibiting email attachments
Check for UnderstandingFill in the Blank
Q 9 of 10

Complete each statement with the correct CED term.

Word Bank patch signature quarantines host-based firewall acceptable use policy

1. An indicator embedded in a malware file that makes it detectable by anti-malware software is called a .

2. When anti-malware software detects a malicious file, it and removes it.

3. A small update that fixes a specific vulnerability in an OS or software is called a .

4. Software running on a single device that allows or denies traffic into or out of that device — providing protection even on a compromised network — is a .

5. The CED policy that describes permissible, prohibited, or required user activities on organization-owned devices — including website restrictions and USB drive prohibition — is the .

End of LessonIntegrative Scenario
Q 10 of 10
A security audit of a law firm finds: (1) Employees can install any software on their laptops. (2) Anti-malware software is installed but its signature database has not been updated in 6 months. (3) A critical vulnerability in the firm’s document management software was patched by the vendor 45 days ago but has not been applied. (4) Workstation host-based firewalls permit all outbound traffic. A paralegal downloads what appears to be a free PDF tool; it installs a RAT that exfiltrates confidential client files via FTP.

Which combination of findings most directly enabled the successful attack and exfiltration?

AFinding 2 (stale signatures missed the RAT) and Finding 3 (unpatched document software enabled initial access)
BFinding 3 (unpatched software) and Finding 4 (outbound FTP permitted)
CFinding 2 (stale anti-malware) and Finding 4 (outbound FTP permitted)
DFinding 1 (no software installation policy allowed the RAT to be installed) and Finding 4 (outbound FTP permitted allowed exfiltration) — these two findings directly enabled the installation and the exfiltration, the two phases of the attack.

!Common AP Exam Mistakes — Topic 4.3

Mistake Why It’s Wrong What to Do Instead
Putting password requirements in the software installation policy Password length, complexity, and reuse rules belong in the password policy (4.3.A.2). The software installation policy only covers what software users may install. These are distinct CED categories. Password policy = password construction. Software installation policy = what apps users may install. AUP = user behavior on devices.
Thinking anti-malware detects fileless malware Anti-malware scans files against a signature database (4.3.B.2). Fileless malware (4.1.B.3) has no file form — it lives in RAM. There are no files to scan. This is the most frequently missed Topic 4.3 concept. Anti-malware = file-based signature scanning. Fileless malware = RAM-based, undetectable by file scanning.
Assuming unpatched devices are safer before a patch is released Before the patch, the vulnerability may be unknown. After the patch, it is publicly documented — unpatched devices become immediately more exploitable, not less. The CED High risk email server example illustrates this. Patch release = vulnerability goes public. Unpatched devices become higher-priority targets the moment a patch exists.
Saying host-based firewall rules use best-match ordering CED 4.3.D.2 is explicit: rules are implemented in order and the first matching rule applies. This is the same first-match logic as network firewalls (3.4.B.2). There is no best-match evaluation. Both host-based and network firewalls: check rules in order, first match executes, stop checking.
Forgetting that host-based firewalls block outbound traffic Students associate firewalls with inbound protection. CED 4.3.D.3 explicitly requires blocking unneeded outbound traffic and uses FTP exfiltration as the illustrative example. Outbound blocking is the key differentiator tested for host-based firewalls. Host-based firewall = inbound AND outbound control. Always block outbound ports/services not needed for that device.

84.3.8 — Key Terms & FAQ

Term Definition AP Exam Note
Acceptable Use Policy Policy describing permissible, prohibited, or required user activities on organization-owned devices Covers website restrictions, external drives, software updates, peripheral devices
Password Policy Policy detailing password requirements: length, age, reuse, construction rules, password manager guidance Distinct from AUP — focuses on password construction and management
Software Installation Policy Policy describing what software users may install; may include prohibition on installs, request process, approved list Defense against Trojans and unauthorized software
Malware Signature An indicator embedded in a malware file that makes it detectable by anti-malware software Signature database must stay updated; fileless malware has no signature
Patch A small update that fixes a specific vulnerability in an OS or software application Release = vulnerability goes public; unpatched devices become immediate targets
Host-Based Firewall Software on a single device that allows or denies traffic into or out of that device Extra layer even on compromised network; same ACL first-match logic; blocks outbound too
  • If three CED policies overlap (e.g., all relate to software), how do I know which one a requirement belongs in?

    Use the CED’s own definitions. The acceptable use policy (4.3.A.1) governs how users behave with devices — what sites they visit, what drives they plug in, whether they keep software updated. The password policy (4.3.A.2) is exclusively about password construction and management. The software installation policy (4.3.A.3) is exclusively about what software users may install. If the requirement is about user behavior on the device, it belongs in the AUP. If it’s about password rules, it’s in the password policy. If it’s about installing applications, it’s in the software installation policy.

  • Can a host-based firewall protect a device from a RAT that is already installed?

    Partially. A host-based firewall configured to block outbound FTP (or other exfiltration channels) will prevent the RAT from sending files out, even if the RAT is running. However, the RAT can still browse files internally and may use other outbound channels not blocked by the firewall. This is why the CED (4.3.D.3) says to block all ports and services not needed — limiting outbound options limits the damage a RAT can do, but it does not remove the RAT. Complete remediation requires detection (Topic 4.4) and removal via anti-malware.

  • Why does the CED distinguish host-based firewalls from network firewalls if they use the same ACL logic?

    The scope and position are different. A network firewall sits at a segment boundary and protects all devices on that segment. A host-based firewall sits on a single device and protects only that device. If a device is connected to a compromised internal network — where the network firewall has been bypassed or the device is on the same segment as an attacker — the network firewall provides no protection for that device. The host-based firewall is the last line of defense at the device level. They are complementary, not interchangeable.

📋 Exit Ticket — Topic 4.3 | 5 Questions | Ready for Canvas / Google Classroom

Students submit before leaving.

  1. Name all three CED managerial policies for device security. For each, give one specific CED-listed requirement and identify which Topic 4.1 exploitation vector it addresses. (AP Skill: Mitigate Risk)
  2. Explain why anti-malware software with an up-to-date signature database cannot protect a device from fileless malware. Be specific about how the CED defines anti-malware’s detection mechanism and how fileless malware differs. (AP Skill: Analyze Risk)
  3. A host-based firewall ACL has: (1) PERMIT inbound TCP port 443, (2) PERMIT inbound TCP port 80, (3) DENY inbound all. A packet arrives: inbound TCP port 8080. Which rule fires, what is the result, and explain the rule-ordering logic. (AP Skill: Mitigate Risk)
  4. Why do unpatched devices become higher-risk targets specifically after a vendor releases a patch (not before)? Connect your answer to the CED risk framework. (AP Skill: Analyze Risk)
  5. A law firm workstation has a host-based firewall permitting all outbound traffic and no software installation policy. A paralegal installs a RAT disguised as a PDF editor. The adversary exfiltrates files via FTP. Identify exactly which two CED Topic 4.3 controls were missing that would have stopped the two phases of this attack. (AP Skill: Mitigate Risk)
Answer Key: (1) AUP (4.3.A.1): e.g., prohibit external drives → prevents autorun attacks (4.1.C.4). Password policy (4.3.A.2): e.g., minimum length → resists brute force / weak auth (4.1.C.2). Software installation policy (4.3.A.3): e.g., prohibit unauthorized installs → prevents Trojan installation (4.1.B.2, 4.1.C.7). (2) Anti-malware scans files against a signature database (4.3.B.2). Fileless malware lives in RAM and uses legitimate programs already installed (4.1.B.3) — it exists as no file. File scanning finds nothing. The malware is undetectable by file-based signature scanning regardless of database freshness. (3) Rule 3 fires (DENY inbound all). Port 8080 does not match Rule 1 (port 443) or Rule 2 (port 80). First matching rule is Rule 3 — denied. CED 4.3.D.2: rules applied in order, first match executes. (4) Before the patch, the vulnerability may be undocumented. After release, it is publicly documented: every adversary knows exactly what to exploit in unpatched systems. CED 4.3.C.2: unpatched = known vulnerability; the CED email server example (4.1.D.2) is High risk because the patch exists but hasn’t been applied. (5) Phase 1 (RAT installation): software installation policy (4.3.A.3) — prohibiting unauthorized installs would have prevented the paralegal from installing the malicious PDF editor. Phase 2 (FTP exfiltration): host-based firewall blocking outbound FTP (4.3.D.3) — even with the RAT running, blocked outbound FTP would have stopped the data transfer.
Premium Feature

1-on-1 Expert Support

Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.

2,067+ Verified Hours 5.0 Wyzant Rating 499+ Reviews
Learn About Expert Sessions →
TC
Tanner Crow
AP Computer Science Teacher — Blue Valley North High School

Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 2,067+ verified tutoring hours on Wyzant with a 5.0 rating from 499+ reviews.

11+ Years Teaching AP CS 2,067+ Verified Tutoring Hours 499+ Five-Star Reviews 5.0 Rating on Wyzant
Content last reviewed and updated: June 2026
← Topic 4.2 Exercise 1 →

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]