AP Cybersecurity Unit 1 Exam | Introduction to Security (20 Questions)

AP Cyber Hub Unit 1 1.1 ▼ Lesson Ex 1 Ex 2 Lab Quiz 1.2 ▼ Lesson Ex 1 Ex 2 Lab Quiz 1.3 ▼ Lesson Ex 1 Ex 2 Lab Quiz 1.4 ▼ Lesson Ex 1 Ex 2 Lab Quiz 1.5 ▼ Lesson Ex 1 Ex 2 Lab Quiz

Unit 1 • End-of-Unit Exam

Unit 1 Exam: Introduction to Security

20 questions covering all Unit 1 topics — Social Engineering, Password Attacks, AI Threats, and Wireless Security

Score: 0 / 0 Answer each question individually to see feedback

Exam Instructions: Predict your answer before selecting an option. Use “slash the trash” — eliminate obviously wrong choices first. Key words are bolded and underlined.

Q1 Social Engineering

Which of the following BEST describes social engineering in the context of cybersecurity?

(A) Exploiting unpatched software vulnerabilities to gain unauthorized system access (B) Manipulating individuals psychologically to disclose confidential information or perform insecure actions (C) Intercepting network traffic between two communicating parties without their knowledge (D) Flooding a server with requests until it becomes unavailable to legitimate users

Social engineering targets the human element rather than technical vulnerabilities. Attackers exploit trust, authority, fear, and urgency to convince people to hand over credentials, click malicious links, or bypass security procedures. Options A and C describe technical attacks; D describes a denial-of-service attack.

(A) This describes exploitation of a software vulnerability, a technical attack unrelated to human manipulation.

(C) This describes a man-in-the-middle or eavesdropping attack, not social engineering.

(D) This describes a denial-of-service (DoS) attack targeting infrastructure availability.

AP Exam Tip: Social engineering definitions are frequently tested. The key distinguisher is that the target is a person, not a system or software.

Q2 Attack Types

A caller claims to be from the company’s IT department and tells an employee their account has been compromised. The caller asks the employee to read back their current password so it can be “verified and reset.” This is MOST LIKELY an example of:

(A) Phishing via email spoofing (B) Pretexting combined with vishing (C) A brute-force password attack (D) A man-in-the-middle interception

The attacker constructed a fabricated scenario (pretext) — the fake IT identity and account compromise story — and delivered it over the phone (vishing = voice phishing). Phishing typically occurs via email. Brute-force and MitM attacks do not involve deceiving a human into voluntarily giving up a password.

(A) Phishing uses email; this attack occurs over a phone call, making vishing the correct channel term.

(C) Brute-force attacks are automated technical attempts; no human deception is involved.

(D) MitM intercepts existing communications; it does not involve tricking someone into revealing a password directly.

AP Exam Tip: Distinguish the delivery channel: phishing = email, vishing = voice/phone, smishing = SMS. Pretexting is the technique (fabricating a story); vishing is the medium.

Q3 Password Security

A company publishes the following password policy. Which rule is INCORRECT and would actually REDUCE security?

(A) Passwords must be at least 12 characters long. (B) Passwords must be changed every 30 days regardless of any detected breach. (C) Passwords must not be reused from the previous 10 passwords. (D) Multi-factor authentication is required for all administrative accounts.

Mandatory periodic password resets (especially short intervals like 30 days) are now considered counterproductive by NIST guidelines. Users respond by creating predictable, weaker passwords (e.g., incrementing a number) and writing them down. Passwords should be changed when a compromise is detected or suspected, not on an arbitrary schedule. Options A, C, and D all describe practices that genuinely improve security.

(A) Correct policy — length is the single most important password strength factor.

(C) Correct policy — preventing reuse stops predictable password cycling.

(D) Correct policy — MFA on admin accounts is a critical control.

AP Exam Tip: NIST’s current guidance discourages forced periodic rotation. This is a high-value AP exam concept because it contradicts older “common sense” advice.

Q4 Wireless Security

Which of the following represent techniques attackers use to exploit users on public Wi-Fi networks?

I. Setting up a rogue access point with an SSID that mimics a legitimate nearby network
II. Using packet sniffers to capture unencrypted data transmitted over the network
III. Physically destroying the legitimate router to force users onto the attacker’s network

(A) I and II only (B) I and III only (C) II and III only (D) I, II, and III

Rogue access points (evil twin attacks) and packet sniffing are both documented, common wireless attacks. Physical destruction of infrastructure (Statement III) is not a practical or typical cyberattack technique — it is a physical attack that would be immediately obvious, noisy, and criminal in a highly visible way. AP Cybersecurity focuses on the realistic threat landscape.

(B) Incorrect — physical destruction is not a standard wireless attack technique on the AP exam.

(D) Incorrect — Statement III is not a realistic wireless attack scenario tested by AP Cybersecurity.

AP Exam Tip: Rogue access points and packet sniffing are the two wireless attack techniques most heavily tested. Know that HTTPS helps against sniffing but does not protect against all MitM scenarios.

Q5 AI in Cyber Defense

A security operations center deploys an AI system that monitors network logs and automatically flags unusual login patterns at 3 AM from foreign IP addresses. This is an example of AI being used for:

(A) Automated threat generation to test defensive controls (B) Anomaly-based intrusion detection (C) Symmetric key encryption of log files (D) Social engineering simulation training

The system is comparing observed behavior (3 AM logins from foreign IPs) against a baseline of normal behavior and flagging deviations — this is the definition of anomaly-based detection. It is a defensive application of AI. Option A describes offensive red-team testing. Options C and D describe unrelated security functions.

(A) Threat generation is an offensive technique used in penetration testing, not log analysis.

(C) Encryption protects data confidentiality; it has no connection to detecting login anomalies.

(D) Social engineering simulations train employees on recognizing attacks, not on log analysis.

AP Exam Tip: AI on the AP exam appears in both offensive contexts (generating personalized phishing) and defensive contexts (anomaly detection, threat intelligence). Know both sides.

⎯ Part 2: Physical & Wireless Security ⎯

Q6 Physical Social Engineering

An attacker carries a large stack of boxes and waits near a secure door. When an authorized employee badges in, the attacker says “Could you hold that? My hands are full.” The employee holds the door open. This attack is called:

(A) Phishing (B) Tailgating (piggybacking) (C) Shoulder surfing (D) Dumpster diving

Tailgating (also called piggybacking) is a physical social engineering attack in which an unauthorized person gains access to a restricted area by following an authorized person through a secured door. The attacker exploits the social norm of politeness. The other options are distinct attacks: phishing = deceptive emails, shoulder surfing = observing screens/keyboards, dumpster diving = searching discarded materials.

(A) Phishing uses deceptive digital communications, not physical presence.

(C) Shoulder surfing involves observing someone’s screen or keystrokes, not bypassing door access.

(D) Dumpster diving involves searching through discarded physical items for sensitive information.

AP Exam Tip: Physical social engineering attacks (tailgating, shoulder surfing, dumpster diving) are tested alongside digital ones on AP Cybersecurity. Know all three.

Q7 Authentication

A user logs into a system by entering a password and then receiving a one-time code via SMS that must also be entered. This authentication method is BEST described as:

(A) Single-factor authentication using two steps (B) Multi-factor authentication combining something you know and something you have (C) Multi-factor authentication combining something you know and something you are (D) Two-step verification using only something you know

Multi-factor authentication (MFA) requires two or more different factor categories. A password is “something you know.” An SMS code delivered to a phone is “something you have” (the phone). Together they constitute true MFA. “Something you are” refers to biometrics (fingerprint, face scan). Two SMS codes would be two instances of the same factor, not MFA.

(A) Incorrect — two different factor categories are used, making this MFA not single-factor.

(C) Incorrect — “something you are” refers to biometrics; an SMS is “something you have.”

(D) Incorrect — an SMS code is “something you have,” not something you know.

AP Exam Tip: The three MFA factor categories appear on almost every practice exam: know (password, PIN), have (phone, hardware token, smart card), are (biometrics). Know which category each example falls into.

Q8 Phishing Defense

A company wants to reduce the risk of employees falling for phishing attacks. Which of the following measures would be effective?

I. Training employees to verify sender domains before clicking links
II. Deploying email filters that flag messages containing external links
III. Requiring employees to use longer passwords on all accounts

(A) I only (B) I and II only (C) II and III only (D) I, II, and III

Statement I directly addresses phishing: recognizing spoofed domains is the primary human defense. Statement II describes a technical control (email filtering) that reduces exposure to phishing links. Statement III is a password strength measure — longer passwords reduce brute-force risk but do nothing to prevent an employee from clicking a phishing link and voluntarily entering their credentials. Phishing and password attacks are separate threat vectors.

(A) Incomplete — email filtering (II) is also an effective anti-phishing control.

(D) Incorrect — password length (III) does not address the social engineering vector of phishing.

AP Exam Tip: Distinguish between defenses that address social engineering vs. defenses that address technical credential attacks. The exam frequently tests whether students can match a defense to the correct threat.

Q9 AI-Based Attacks

An attacker uses AI to generate a convincing audio clip of a CEO’s voice instructing the CFO to wire funds to a new account. The CFO complies. Which term BEST describes the AI technique used?

(A) Adversarial machine learning (B) Deepfake audio synthesis (C) Ransomware deployment (D) Packet injection

AI-generated synthetic audio that realistically mimics a specific person’s voice is a deepfake (specifically, an audio deepfake). This is a documented attack technique used in business email compromise and executive impersonation fraud. Adversarial ML involves manipulating model inputs to cause misclassification. Ransomware encrypts files for extortion. Packet injection inserts forged packets into network streams.

(A) Adversarial ML manipulates AI model inputs/outputs; it doesn’t describe generating fake voice audio.

(C) Ransomware is malware that encrypts victim data and demands payment; no voice synthesis involved.

(D) Packet injection is a network-layer attack unrelated to audio impersonation.

AP Exam Tip: Deepfakes extend social engineering into audio and video. Treat them as a high-tech form of impersonation/pretexting on the AP exam.

Q10 AI Defense

A cybersecurity consultant makes four claims about using AI in cyber defense. Which claim is INCORRECT?

(A) AI can identify malware variants it has never seen before by analyzing behavioral patterns. (B) AI-powered systems can respond to detected intrusions faster than human analysts. (C) Once an AI security model is trained, it requires no further updates to remain effective against new threats. (D) AI can correlate data from thousands of log sources simultaneously to surface anomalies.

A trained AI model is a snapshot of the threat landscape at the time of training. New malware, novel attack techniques, and evolving adversary behavior constantly emerge. An AI model that is never updated will become progressively less effective — this is why continuous model retraining and threat intelligence updates are essential. Options A, B, and D are genuine advantages of AI in security operations.

(A) True — behavioral analysis (heuristics) allows AI to detect zero-day malware it hasn’t seen before.

(B) True — automated response (SOAR) is faster than manual analyst workflows.

(D) True — AI’s ability to process large volumes of log data simultaneously is a core security advantage.

AP Exam Tip: AI limitations are as important as AI capabilities on the AP exam. Know that AI models require ongoing training, can produce false positives/negatives, and are themselves targets of adversarial attacks.

⎯ Part 3: Wireless Attacks ⎯

Q11 Wireless Security

A coffee shop’s legitimate network is named “CafeWifi.” An attacker nearby creates a network also named “CafeWifi” with a stronger signal. Customers connect to the attacker’s network thinking it is legitimate. This type of attack is called:

(A) A distributed denial-of-service (DDoS) attack (B) An evil twin attack (C) A DNS poisoning attack (D) A SQL injection attack

An evil twin attack involves creating a rogue wireless access point that impersonates a legitimate one — same SSID, potentially stronger signal. Victims unknowingly connect to the attacker’s network, allowing traffic interception. DDoS overwhelms a server with traffic. DNS poisoning corrupts DNS records to redirect domain queries. SQL injection targets database-driven web applications.

(A) DDoS makes a service unavailable; it doesn’t involve impersonating a Wi-Fi network.

(C) DNS poisoning manipulates domain resolution records, not wireless access points.

(D) SQL injection exploits web application input validation; it is unrelated to wireless networks.

AP Exam Tip: Evil twin attacks are the primary wireless attack scenario tested in Unit 1. Always associate rogue AP + matching SSID + traffic interception with this term.

Q12 Defense Strategies

Which of the following are effective defenses against social engineering attacks?

I. Implementing a call-back verification procedure before fulfilling unusual requests
II. Training employees to recognize urgency and authority as social engineering triggers
III. Installing the latest operating system security patches

(A) I and II only (B) II and III only (C) I, II, and III (D) III only

Statements I and II both directly address the human-manipulation aspect of social engineering. Call-back verification breaks the attacker’s manufactured urgency by introducing an independent verification step. Employee training on psychological triggers is the foundation of any anti-social-engineering program. Statement III (OS patching) is a critical security practice but addresses software vulnerabilities, not human-targeted manipulation.

(C) Incorrect — OS patches address software vulnerabilities; they do not prevent an employee from being deceived.

(D) Incomplete — patching alone does nothing to counter social engineering techniques.

AP Exam Tip: Security awareness training is the primary defense against social engineering — technology alone cannot fully protect against human manipulation. The AP exam tests whether you understand this distinction.

Q13 Phishing Variants

A threat actor researches a target company on LinkedIn, identifies a specific employee’s name, role, and recent project, then sends that employee a tailored email referencing those details to appear credible. This attack is BEST described as:

(A) Generic phishing using a bulk email list (B) Smishing via SMS (C) Spear phishing targeting a specific individual (D) Whaling targeting a C-level executive

Spear phishing is a targeted form of phishing directed at a specific individual or organization, using personalized details to appear credible. Generic phishing sends identical messages to large lists hoping someone clicks. Smishing uses SMS. Whaling is spear phishing specifically targeting high-value executives (C-suite) — the target here is not identified as an executive.

(A) Generic phishing is untargeted; this attack used specific research to personalize the message.

(B) Smishing uses text messages as the delivery channel, not email.

(D) Whaling specifically targets C-level executives; the scenario describes a general employee.

AP Exam Tip: Know the phishing hierarchy: phishing (bulk) → spear phishing (targeted individual/org) → whaling (targeted executive). AI has dramatically lowered the cost of spear phishing by automating the research step.

Q14 Password Attacks

A data breach at an online retailer exposes millions of username/password pairs. An attacker downloads this list and automatically tries each pair against a major bank’s login portal. This attack is called:

(A) A brute-force attack (B) A dictionary attack (C) Credential stuffing (D) A rainbow table attack

Credential stuffing uses credentials obtained from a previous breach and tests them against other services, exploiting password reuse. It is effective because many users reuse the same password across multiple sites. Brute-force tries all possible combinations. Dictionary attacks use wordlists of common passwords (not previously breached real credentials). Rainbow tables precompute hashes.

(A) Brute-force generates combinations; it doesn’t rely on a stolen credential list.

(B) Dictionary attacks use common password wordlists, not real stolen credentials from a specific breach.

(D) Rainbow tables target password hashes; credential stuffing tests plaintext credentials against live logins.

AP Exam Tip: Credential stuffing is why password reuse is so dangerous. The AP exam will test whether you can distinguish it from brute-force and dictionary attacks.

Q15 Wireless + Encryption

A user connects to a rogue Wi-Fi access point and visits their bank’s website, which uses HTTPS. An attacker monitoring the rogue AP attempts to read the transmitted data. Which statement is MOST ACCURATE?

(A) HTTPS fully eliminates the risk because the attacker cannot read any transmitted data. (B) HTTPS reduces the risk but does not eliminate it; attackers may use SSL stripping to downgrade the connection. (C) HTTPS is irrelevant because the rogue AP can inject code directly into the browser. (D) The attacker can read all transmitted data because HTTPS only encrypts stored files.

HTTPS encrypts data in transit, making it significantly harder for a passive eavesdropper to read the content. However, a MitM attacker on a rogue AP can attempt SSL stripping — a technique that downgrades the connection from HTTPS to HTTP before it reaches the user’s browser — if the site does not implement HTTP Strict Transport Security (HSTS). HTTPS is protective but not an absolute guarantee in a MitM scenario.

(A) Overstates protection — SSL stripping and certificate-based MitM attacks can defeat HTTPS in some configurations.

(C) Exaggerates the attack; code injection via a rogue AP is a separate, more complex attack not implied here.

(D) Fundamentally wrong — HTTPS encrypts data in transit, which is exactly the protection relevant here.

AP Exam Tip: HTTPS vs. no HTTPS on public Wi-Fi is a nuanced AP exam topic. The correct answer is almost always the qualified one: HTTPS helps significantly but does not provide absolute protection.

⎯ Part 4: Defense Strategies ⎯

Q16 Terminology

A student creates a study guide with the following definitions. Which definition is INCORRECT?

(A) Vulnerability: a weakness in a system that could be exploited by a threat actor. (B) Threat: any potential event or actor that could cause harm to an asset. (C) Risk: the likelihood that a threat will exploit a vulnerability multiplied by the potential impact. (D) Control: a weakness in a system intentionally introduced to allow authorized backdoor access.

A control (or security control) is a safeguard or countermeasure designed to reduce risk — examples include firewalls, encryption, and access policies. The definition given in D describes a backdoor, not a control. Options A, B, and C are accurate definitions of core cybersecurity concepts (vulnerability, threat, and risk) that students must know for the AP exam.

(A) Correct definition of vulnerability.

(B) Correct definition of threat.

(C) Correct definition of risk (likelihood x impact framework).

AP Exam Tip: The risk equation (vulnerability + threat + likelihood + impact = risk) is fundamental. Controls reduce one or more of these variables. Know the precise definition of each term.

Q17 Wireless Defense

Which of the following BEST protects a user from an evil twin (rogue access point) attack when using public Wi-Fi?

(A) Using a longer and more complex Wi-Fi password (B) Routing all traffic through a trusted Virtual Private Network (VPN) (C) Disabling Bluetooth while connected to Wi-Fi (D) Clearing browser cookies before connecting

A VPN encrypts all outbound traffic from the user’s device before it leaves for the network, creating an encrypted tunnel to a trusted server. Even if the user connects to a rogue access point, the attacker sees only encrypted VPN traffic. Password complexity only matters for protecting the Wi-Fi password itself, not for protecting traffic on an attacker-controlled network. Bluetooth and cookies are unrelated to this attack vector.

(A) A stronger Wi-Fi password prevents unauthorized connections to your own network; it doesn’t protect you on someone else’s rogue network.

(C) Bluetooth is a separate radio technology; disabling it has no effect on Wi-Fi interception.

(D) Cookies are stored session tokens; clearing them does not encrypt or protect network traffic.

AP Exam Tip: VPNs on public Wi-Fi is a classic exam pairing. Know that a VPN protects against rogue APs by encrypting traffic end-to-end regardless of which network you’re on.

Q18 AI: Benefits and Risks

Consider the following statements about AI in cybersecurity.

I. AI can enable attackers to scale spear phishing attacks that previously required manual research.
II. AI-powered security tools can reduce mean time to detect (MTTD) threats compared to manual analysis.
III. AI completely eliminates the need for human security analysts in a modern SOC.

(A) I only (B) II only (C) I and II only (D) I, II, and III

AI does enable scaled, automated spear phishing (I) and does reduce threat detection time compared to purely manual analysis (II). Statement III is false: AI augments but does not replace human analysts. AI generates false positives, lacks contextual judgment, and requires human oversight for decision-making, especially in incident response. The “AI replaces humans entirely” claim is a known distractor on this topic.

(D) Incorrect — Statement III overstates AI capabilities; human analysts remain essential for judgment and context.

AP Exam Tip: For any statement claiming AI ‘completely eliminates’ human involvement, the answer is almost always false. AI augments human judgment; it does not replace it.

Q19 Authentication

An employee authenticates to a corporate system using a PIN (entered on a keypad) and a fingerprint scan. This represents authentication using:

(A) Two instances of something you know (B) Something you know and something you have (C) Something you know and something you are (D) Something you have and something you are

A PIN is “something you know” (memorized secret). A fingerprint is “something you are” (biometric). Together they constitute multi-factor authentication across two different categories. “Something you have” would be a physical token, smart card, or phone receiving an OTP code.

(A) Two PINs or two passwords are the same factor category; this would not be true MFA.

(B) “Something you have” is a physical device (phone, card, token); a fingerprint is biometric.

(D) Incorrect — the PIN is a known secret, not a physical possession.

AP Exam Tip: Fingerprint, retina scan, face ID, and voice recognition are all “something you are.” Physical devices (phone, YubiKey, smart card) are “something you have.” Memorized secrets (password, PIN, passphrase) are “something you know.”

Q20 Defense in Depth

A security manager wants to protect employees from the widest range of Unit 1 threats (social engineering, password attacks, and wireless risks). Which combination of controls is MOST COMPREHENSIVE?

(A) Mandatory password rotation every 30 days and email spam filtering (B) Security awareness training, multi-factor authentication, and a VPN policy for remote/public Wi-Fi use (C) Antivirus software installation and firewall configuration on all endpoints (D) Encrypting all files stored on employee laptops and disabling USB ports

Option B provides layered coverage across all three threat categories: security awareness training addresses social engineering, MFA mitigates password-based attacks (even if credentials are stolen, the second factor blocks unauthorized login), and VPN policy protects against wireless interception. Option A includes a discredited password policy and only one technical control. Options C and D address endpoint/malware threats but not social engineering or wireless attacks specifically.

(A) Forced 30-day rotation is counterproductive per NIST; this combination also doesn’t address wireless threats.

(C) Antivirus and firewalls protect against malware and network intrusion but don’t defend against human manipulation or rogue APs.

(D) Disk encryption and USB controls address data loss; neither prevents phishing or Wi-Fi interception.

AP Exam Tip: Defense in depth questions require you to match controls to the specific threats described. Read the threat categories in the stem carefully before evaluating each option.

Unit 1 Exam Complete

out of 20

Back to Course Hub Review Unit 1 Guide →

← Lesson 1 Quiz Course Hub Unit 1 Study Guide →

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

✓

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

Name *

Email *

I am a... (optional)

Which course? (optional)

Phone (optional)

How did you find us? (optional)

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Message (optional — leave blank if just subscribing)

Send me free AP CS exam tips — daily practice questions, study resources, and exam strategies. + 20% OFF TUTORING
Unsubscribe anytime.

✉

tanner@apcsexamprep.com

📚

Courses

AP CSA, CSP, & Cybersecurity

⏱

Response Time

Within 24 hours

Prefer email? Reach me directly at tanner@apcsexamprep.com