AP Cybersecurity Unit 4: Securing Devices
Unit 4: Securing Devices
Device Types, Malware, Authentication & Device Hardening
“‹ Unit 4 Contents
Learning Objectives
By the end of this unit, you will be able to:
- Identify device types and their associated vulnerabilities
- Explain how malware compromises devices
- Describe authentication factors and strong password practices
- Assess and document risks from device vulnerabilities
- Determine mitigation strategies for device threats
- Identify detection methods for attacks on devices
4.1 Device Types and Vulnerabilities
Every device connected to a network represents a potential attack surface. Understanding the different types of devices and their unique vulnerabilities is essential for developing comprehensive security strategies.
Categories of Devices
| Device Type | Description | Common Vulnerabilities |
|---|---|---|
| Servers | Powerful computers that provide services to other devices (web, email, database, file) | High-value targets; unpatched software; misconfigurations; exposed services |
| Workstations | Desktop and laptop computers used by employees | User-initiated malware; weak passwords; unpatched software; physical theft |
| Mobile Devices | Smartphones, tablets, and other portable computing devices | Lost/stolen devices; malicious apps; insecure Wi-Fi; outdated OS |
| Network Devices | Routers, switches, firewalls, access points | Default credentials; outdated firmware; misconfigurations |
| IoT Devices | Internet of Things: smart cameras, thermostats, sensors, appliances | Weak/no authentication; unencrypted communications; rarely updated |
| Embedded Systems | Specialized computers in industrial equipment, medical devices, vehicles | Long lifecycles; difficult to update; legacy protocols |
IoT Security Challenges
Internet of Things (IoT) devices present unique security challenges:
- Limited processing power: Can't run complex security software
- Default credentials: Many ship with admin/admin or similar defaults
- Infrequent updates: Manufacturers may not provide patches
- Long deployment cycles: Devices may be in use for 10+ years
- Physical accessibility: Often deployed in public or remote locations
Mirai Botnet (Real-World Example)
The Mirai malware exploited IoT devices (cameras, routers, DVRs) with default credentials to create a massive botnet. In 2016, this botnet launched DDoS attacks that took down major websites including Twitter, Netflix, and Reddit.
Lesson: Even "simple" devices like cameras can be weaponized when security is neglected.
Device Vulnerability Assessment
When assessing device vulnerabilities, consider:
| Factor | Questions to Ask |
|---|---|
| Patch Status | Is the OS/firmware current? Are all applications patched? |
| Configuration | Are unnecessary services disabled? Are defaults changed? |
| Authentication | Are strong passwords required? Is MFA enabled? |
| Encryption | Is data at rest encrypted? Are communications encrypted? |
| Physical Security | Can the device be physically accessed by unauthorized persons? |
| Network Exposure | Is the device exposed to the internet? Is it segmented? |
4.2 Malware Types and Attacks
Types of Malware
¦ Virus
Malicious code that attaches to legitimate programs or files. Requires user action (opening a file, running a program) to spread.
Like a biological virus, it needs a "host" to propagate.
› Worm
Self-replicating malware that spreads automatically across networks without user interaction. Exploits vulnerabilities to propagate.
Can spread rapidly and consume network bandwidth.
Ž Trojan
Malware disguised as legitimate software. Users are tricked into installing it, thinking it's something useful.
Named after the Trojan Horse-appears harmless but contains hidden threat.
’ Ransomware
Encrypts victim's files and demands payment (ransom) for the decryption key. May also threaten to publish stolen data.
One of the most damaging modern threats.
Spyware
Secretly monitors user activity and collects information (keystrokes, browsing history, credentials) without consent.
Often bundled with "free" software.
Keylogger
Records every keystroke the user types, capturing passwords, credit card numbers, and private messages.
Can be software-based or hardware (physical device).
•³ Rootkit
Hides deep in the operating system, providing persistent, privileged access while concealing its presence from security tools.
Extremely difficult to detect and remove.
šª Backdoor
Creates a hidden entry point that bypasses normal authentication, allowing unauthorized remote access.
Often installed by other malware for persistent access.
– Bot/Botnet
Infected device controlled remotely as part of a network (botnet). Used for DDoS attacks, spam, or cryptocurrency mining.
Your device becomes a "zombie" controlled by attackers.
How Malware Spreads
| Vector | Description | Prevention |
|---|---|---|
| Email Attachments | Malicious files attached to phishing emails | Email filtering; user training; don't open unexpected attachments |
| Malicious Downloads | Infected software from untrusted sources | Only download from official sources; verify signatures |
| Drive-by Downloads | Automatic download when visiting compromised websites | Keep browsers patched; use ad blockers; avoid suspicious sites |
| USB Drives | Infected removable media | Disable autorun; scan before opening; use only trusted drives |
| Network Propagation | Worms exploiting network vulnerabilities | Patch systems; segment networks; monitor traffic |
Malware Analysis Scenario
A user reports their computer is running slowly. You investigate and find:
- High CPU usage even when idle
- Outbound network connections to unknown IP addresses
- A new process running that doesn't match any installed software
- The antivirus software has been disabled
Analysis: These symptoms suggest the device is infected with a bot that has joined a botnet. The high CPU could indicate cryptocurrency mining; the outbound connections are the bot communicating with its command-and-control (C2) server; the disabled antivirus is a common malware self-protection technique.
Know the key differences between malware types: viruses need user action; worms spread automatically; trojans disguise themselves; ransomware encrypts; rootkits hide. The exam may describe symptoms and ask you to identify the malware type.
4.3 Authentication and Password Security
Authentication Factors
Authentication can be based on one or more factors:
Something You Know
Passwords, PINs, security questions, passphrases
Knowledge-based factors
Something You Have
Phone, security token, smart card, hardware key
Possession-based factors
Something You Are
Fingerprint, face scan, retina scan, voice recognition
Biometric factors
Multifactor Authentication (MFA)
- Two-factor authentication (2FA): Exactly two factors required
- Multifactor authentication (MFA): Two or more factors required
- Important: Two passwords is NOT 2FA-both are "something you know"
Password Attacks
| Attack Type | Method | Defense |
|---|---|---|
| Brute Force | Try every possible combination systematically | Long passwords; account lockout; rate limiting |
| Dictionary Attack | Try common words and known passwords from breaches | Avoid dictionary words; use random characters |
| Credential Stuffing | Use stolen username/password pairs from other breaches | Unique passwords per site; password managers |
| Password Spraying | Try a few common passwords against many accounts | Strong password policies; anomaly detection |
| Rainbow Table | Precomputed tables to reverse password hashes | Salted hashes (unique random data added before hashing) |
Password Hashing
// Example: Password hashing concept Password: "MySecurePass123!" ↓ Hash Function (SHA-256) Hash: "a7f5d2c3e8b9f1a4d6c7e2b5a8d3f0c1..." // The hash cannot be reversed to reveal the original password // But the same input always produces the same hash
Salting
A salt is random data added to a password before hashing. This ensures that even if two users have the same password, their hashes will be different.
User 1: "password123" + salt "X7k9" → Hash: "abc123..." User 2: "password123" + salt "M2pQ" → Hash: "def456..." // Same password, different salts = different hashes // This defeats rainbow table attacks
Strong Password Guidelines
✔ Password Best Practices
- Length: Minimum 12 characters (longer is better)
- Complexity: Mix of uppercase, lowercase, numbers, symbols
- Uniqueness: Different password for every account
- Randomness: Avoid personal information, dictionary words, patterns
- Management: Use a password manager to generate and store passwords
- MFA: Enable multifactor authentication wherever possible
✘ Weak Password Patterns to Avoid
- Dictionary words:
sunshine,password - Personal info:
john1985,fluffy123 - Simple substitutions:
P@ssw0rd,H3ll0 - Keyboard patterns:
qwerty,123456 - Common formats:
Word + Year + Symbol(e.g.,Summer2024!)
4.4 Protecting and Hardening Devices
Hardening Techniques
| Technique | Description | Example |
|---|---|---|
| Patch Management | Keep OS, applications, and firmware updated | Enable automatic updates; schedule regular patching |
| Disable Unnecessary Services | Turn off features and services not needed | Disable Telnet if SSH is available; close unused ports |
| Remove Default Accounts | Delete or rename default admin accounts | Change "admin" to unique name; disable guest accounts |
| Change Default Passwords | Replace factory-set credentials immediately | Router default "admin/admin" → strong unique password |
| Enable Encryption | Encrypt data at rest and in transit | Full disk encryption; HTTPS; encrypted backups |
| Configure Firewalls | Enable and configure host-based firewalls | Windows Firewall; iptables on Linux |
| Implement Least Privilege | Users/processes get minimum permissions needed | Standard user accounts for daily work; admin for specific tasks |
Endpoint Protection
›¡ Endpoint Protection Platform (EPP)
Modern endpoint protection goes beyond traditional antivirus to include:
- Antivirus/Anti-malware: Signature-based detection of known threats
- Behavioral Analysis: Detect suspicious behavior patterns
- Host-based Firewall: Control inbound/outbound traffic
- Application Whitelisting: Only allow approved applications to run
- Device Control: Manage USB and removable media
- Data Loss Prevention (DLP): Prevent sensitive data from leaving
Mobile Device Management (MDM)
MDM capabilities include:
- Remote wipe: Erase data if device is lost/stolen
- App management: Deploy/remove apps; block unapproved apps
- Policy enforcement: Require encryption, PINs, biometrics
- Location tracking: Find lost devices
- Configuration profiles: Push Wi-Fi, VPN, email settings
Secure Boot and Trusted Platform Module
Secure Boot: Ensures only trusted, digitally signed software loads during startup. Prevents rootkits and boot-level malware.
Trusted Platform Module (TPM): A hardware chip that securely stores encryption keys, certificates, and passwords. Used for disk encryption and hardware-based authentication.
Backup Strategies
’¾ The 3-2-1 Backup Rule
- 3 copies of your data
- 2 different storage media types
- 1 copy stored offsite/cloud
Backups are critical for recovering from ransomware attacks. Ensure backups are tested regularly and stored securely (encrypted, access-controlled).
4.5 Detecting Attacks on Devices
Indicators of Compromise (IoCs)
| Indicator | What It May Suggest |
|---|---|
| Unexpected outbound network connections | Malware communicating with C2 server |
| Unusual process activity or unknown processes | Malware running on system |
| High CPU/memory/disk usage when idle | Cryptomining malware or botnet activity |
| Disabled security software | Malware protecting itself from detection |
| Unauthorized configuration changes | Attacker establishing persistence |
| Unexpected user accounts | Backdoor accounts for future access |
| Modified system files | Rootkit or other persistent malware |
| Encrypted files with ransom notes | Ransomware infection |
Detection Tools and Techniques
Host-Based Detection
- Antivirus/Anti-malware: Scans files for known malware signatures
- Host-based IDS (HIDS): Monitors system logs, file integrity, and processes
- Endpoint Detection and Response (EDR): Advanced threat detection with behavioral analysis and investigation capabilities
- File Integrity Monitoring (FIM): Alerts when critical files are modified
Log Analysis
Device logs are essential for detecting and investigating attacks:
| Log Type | Information Captured | Security Value |
|---|---|---|
| Authentication Logs | Login attempts, successes, failures | Detect brute force attacks, unauthorized access |
| System Logs | Service starts/stops, errors, crashes | Detect system manipulation, malware activity |
| Application Logs | Application-specific events and errors | Detect application-level attacks |
| Security Logs | Security events, policy changes | Audit trail, compliance, incident response |
Scenario: Investigating a Compromised Workstation
An employee reports they can't open their files. You investigate and find:
- All document files have a new ".encrypted" extension
- A text file named "READ_ME_TO_DECRYPT.txt" on the desktop
- The antivirus was disabled yesterday at 3:47 PM
- Authentication logs show a failed login attempt from an external IP at 3:45 PM, followed by a successful login at 3:46 PM
Timeline reconstruction:
- 3:45 PM - Attacker attempted login (failed)
- 3:46 PM - Attacker successfully logged in (credential compromise)
- 3:47 PM - Attacker disabled antivirus
- Shortly after - Ransomware deployed and executed
Conclusion: This is a ransomware attack. The attacker gained access through compromised credentials, disabled security software, then deployed ransomware.
Response: Isolate the device from the network immediately; do not pay the ransom; restore from backups if available; investigate how credentials were compromised.
Unit 4 Practice Questions
Which type of malware can spread across a network WITHOUT user interaction?
- A) Virus
- B) Trojan
- C) Worm
- D) Spyware
Answer: C
Explanation: A worm is self-replicating malware that spreads automatically across networks by exploiting vulnerabilities. Unlike viruses, worms don't require user action to propagate. Trojans require users to install them; viruses need users to run infected programs.
A user enters their password, then receives a code on their phone that they must also enter. This is an example of:
- A) Single-factor authentication
- B) Multifactor authentication
- C) Password hashing
- D) Biometric authentication
Answer: B
Explanation: This is multifactor authentication (MFA) because it requires two different types of factors: something you know (password) and something you have (phone receiving the code). This significantly increases security over password alone.
What is the purpose of adding a "salt" to a password before hashing?
- A) To make the password longer
- B) To encrypt the password
- C) To ensure identical passwords produce different hashes
- D) To make the password easier to remember
Answer: C
Explanation: A salt is random data added to a password before hashing. This ensures that even if two users have the same password, their stored hashes will be different. This defeats rainbow table attacks where attackers precompute hashes for common passwords.
Which malware type is specifically designed to hide its presence from security software while maintaining persistent privileged access?
- A) Ransomware
- B) Rootkit
- C) Keylogger
- D) Adware
Answer: B
Explanation: A rootkit operates at a low level in the operating system, often at the kernel level, allowing it to hide its presence and the presence of other malware from security tools. Rootkits provide persistent, privileged access and are extremely difficult to detect and remove.
Which hardening technique involves ensuring only approved applications can execute on a system?
- A) Patch management
- B) Application whitelisting
- C) Full disk encryption
- D) Network segmentation
Answer: B
Explanation: Application whitelisting only allows pre-approved applications to run. Any program not on the whitelist is blocked, preventing unauthorized software (including malware) from executing even if it reaches the system.
Which of the following is NOT an indicator of compromise (IoC) for a malware infection?
- A) Unexpected outbound network connections
- B) Security software disabled without authorization
- C) Successful authentication from the user's normal workstation
- D) Unknown processes consuming high CPU
Answer: C
Explanation: A successful authentication from a user's normal workstation is expected behavior, not an indicator of compromise. The other options-unexpected network connections, disabled security software, and unknown high-CPU processes-are all classic IoCs that suggest malware infection.
A company wants to be able to remotely wipe data from lost employee phones. Which technology enables this?
- A) VPN
- B) Mobile Device Management (MDM)
- C) SIEM
- D) Intrusion Prevention System
Answer: B
Explanation: Mobile Device Management (MDM) allows organizations to manage and secure mobile devices, including the ability to remotely wipe data from lost or stolen devices. MDM also enables policy enforcement, app management, and location tracking.
A small business discovers that their IoT security cameras have been compromised and are being used in a botnet to launch DDoS attacks.
(a) Identify TWO vulnerabilities that likely allowed this compromise.
(b) Recommend TWO specific hardening measures the business should implement.
(c) Explain why IoT devices are particularly attractive targets for botnet recruitment.
Sample Response:
(a) Vulnerabilities:
1. The cameras likely had default credentials (such as admin/admin) that were never changed, allowing attackers to easily log in.
2. The cameras probably had outdated firmware with known security vulnerabilities that have not been patched.
(b) Hardening Measures:
1. Change all default passwords to strong, unique passwords immediately upon installation. Each device should have its own unique credential.
2. Place IoT devices on a separate network segment (VLAN) isolated from the main business network. This limits the damage if devices are compromised and prevents lateral movement to critical systems.
(c) Why IoT devices are attractive for botnets:
IoT devices are attractive botnet targets because they often have weak or default credentials, limited security features due to processing constraints, and receive infrequent firmware updates. They are typically always-on and connected to the internet 24/7, providing constant availability for attacks. Additionally, IoT devices often go unmonitored-users may not notice compromised cameras or thermostats the way they would notice a compromised computer-allowing them to remain part of botnets for extended periods.
Compare and contrast viruses, worms, and trojans. For each, explain:
(a) How it spreads
(b) Whether it requires user interaction
(c) One defensive measure specifically effective against that type
Sample Response:
Virus:
(a) Viruses spread by attaching themselves to legitimate programs or files. When an infected file is shared or an infected program is distributed, the virus travels with it.
(b) Yes, viruses require user interaction-the user must run an infected program or open an infected file for the virus to execute and spread.
(c) Antivirus software with signature-based detection is effective because viruses have identifiable code patterns. Scanning files before opening them can detect known viruses.
Worm:
(a) Worms spread automatically across networks by exploiting vulnerabilities in operating systems or applications. They scan for vulnerable systems and propagate without needing to attach to other files.
(b) No, worms do not require user interaction. They spread automatically once they find a vulnerable system.
(c) Patch management is critical because worms exploit known vulnerabilities. Keeping systems patched closes the security holes worms use to spread.
Trojan:
(a) Trojans spread by disguising themselves as legitimate, desirable software. Users download and install them thinking they're getting useful applications.
(b) Yes, trojans require user interaction-users must be tricked into downloading and running the malicious software.
(c) User security awareness training is effective because trojans rely on social engineering. Teaching users to download only from trusted sources and to verify software authenticity prevents trojan infections.
Explain the concept of defense-in-depth as it applies to protecting a corporate laptop. Provide at least FOUR different security controls across different layers and explain what each protects against.
Sample Response:
Defense-in-depth uses multiple overlapping security controls so that if one fails, others continue to protect. For a corporate laptop:
1. Full Disk Encryption (Data Layer): Encrypts all data stored on the hard drive. If the laptop is lost or stolen, the data remains unreadable without the encryption key, protecting against physical theft and data breach.
2. Endpoint Protection Software (Device Layer): Antivirus and anti-malware software scans for and blocks known threats. This protects against malware infections from email attachments, malicious downloads, and other vectors.
3. Host-based Firewall (Network Layer): Controls inbound and outbound network connections. This prevents unauthorized network access and can block malware from communicating with command-and-control servers.
4. Multifactor Authentication (Access Control Layer): Requires both password and a second factor (like a phone code) to log in. This protects against credential theft-even if an attacker obtains the password, they cannot access the system without the second factor.
5. Strong Password Policy (Managerial Layer): Requires complex passwords that are changed periodically. This makes brute-force and dictionary attacks more difficult.
Together, these controls mean an attacker would need to overcome multiple barriers: steal the physical device AND crack encryption AND bypass authentication AND evade endpoint protection. No single point of failure compromises the entire system.
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
tanner@apcsexamprep.com
Courses
AP CSA, CSP, & Cybersecurity
Response Time
Within 24 hours
Prefer email? Reach me directly at tanner@apcsexamprep.com