Skip to content

Introduction to Security

AP Cybersecurity · Topic 1

Train
1.1

Understanding Social Engineering

Syllabus
Learning ObjectiveEssential Knowledge

1.1.A
Identify common indicators of social engineering tactics.

  • 1.1.A.1 Social engineering attacks employ psychological tactics to manipulate users into revealing sensitive information (elicitation), downloading a malicious file, or clicking on a malicious link. Social engineering can be performed in person but is often done by email, by text message, or through social media messages.
  • 1.1.A.2 Adversaries often use psychological tactics like intimidation and urgency to achieve their goals. Intimidation is when an adversary threatens a target with negative consequences if they don’t comply. Urgency is when an adversary creates reasons why a target should act quickly.

1.1.B
Explain how social engineering tactics influence victims to perform a desired action.

  • 1.1.B.1 Social engineering tactics rely on common psychological principles that influence human behavior.
  • 1.1.B.2 Intimidation leverages a natural human aversion to negative consequences. By drawing attention to possible negative consequences, adversaries use fear to incite targets to act.
  • 1.1.B.3 Urgency leverages a natural human response to react quickly to time-sensitive needs. When targets detect a sense of urgency in a message, they feel pressured to respond or act quickly, which can prevent them from taking the time to consider whether an action is reasonable or safe.

1.1.C
Describe possible impacts for victims of social engineering attacks.

  • 1.1.C.1 Victims may give an adversary personal information that could lead to impersonation, such as name, phone number, address, workplace, pets’ names, or birthdate. These types of information, and information like them, are often used on websites as challenge questions to verify a user’s identity.
  • 1.1.C.2 Victims may give an adversary secure information like a one-time password (OTP) or authentication login code, which could allow an adversary to log in to a service as the victim.
  • 1.1.C.3 Victims may download malware or click a link that installs malware on their device, steals information from their web browser, or directs them to a website where their login credentials can be captured by an adversary.

Source: College Board AP Course and Exam Description

Phishing: how a fake email steals a password

The weakest part of any computer system is often the human using it. Social engineering 社会工程学 is the art of tricking people into breaking security - giving away a password, opening a bad file, or clicking a bad link. The attacker (we call them an adversary 对手) does not need to break the code; they only need to fool a person.

Most social engineering happens by email, text message, or social media, though it can also happen in person or by phone. The goal is elicitation 套取信息 - getting sensitive information out of someone without them realising.

Adversaries lean on two powerful feelings:

  • Intimidation 恐吓 - the adversary threatens a bad result if you do not obey. Fear pushes you to act.
  • Urgency 紧迫感 - the adversary invents a deadline ("reply in the next hour or your account closes"). When we feel rushed, we stop thinking carefully about whether an action is safe.

Social engineering uses psychological pressure to make a victim act before they think Social engineering uses psychological pressure to make a victim act before they think

The impact 影响 on a victim can be serious. They might reveal personal details (name, address, pet's name, birthday) that are later used to answer security challenge questions 安全问题 and impersonate 冒充 them. They might hand over a one-time password (OTP) 一次性密码, letting the adversary log in as them. Or they might download malware 恶意软件 that steals data from their browser.

Worked example. A phishing email reads: "Over 90% of staff have already verified their account - confirm yours in the next hour or lose payroll access." Two tactics are stacked here. "In the next hour" is urgency (a deadline that rushes you), and "over 90% of staff have already" is consensus (social pressure to follow the crowd). Naming each tactic - not just calling the email "suspicious" - is exactly what an exam answer needs.

Explore

Which social-engineering tactic is it?

Intimidation threatens harm, urgency invents a deadline, consensus claims everyone else is doing it, and authority pretends to have power over you.

Vocabulary Train
English Chinese Pinyin
Social engineering 社会工程学 shè huì gōng chéng xué
adversary 对手 duì shǒu
elicitation 套取信息 tào qǔ xìn xī
Intimidation 恐吓 kǒng hè
Urgency 紧迫感 jǐn pò gǎn
impact 影响 yǐng xiǎng
challenge questions 安全问题 ān quán wèn tí
impersonate 冒充 mào chōng
one-time password (OTP) 一次性密码 yí cì xìng mì mǎ
malware 恶意软件 è yì ruǎn jiàn
1.2

Suspicious Website Logins

Syllabus
Learning ObjectiveEssential Knowledge

1.2.A
Identify common signs of a password attack.

  • 1.2.A.1 In an online password attack, adversaries try logging in to a device or service using common passwords, common password patterns, or stolen passwords.
  • 1.2.A.2 Signs of an online password attack include:
    • Many failed attempts to log in over a short duration
    • Login attempts at unusual times
    • Login attempts from unknown devices

1.2.B
Explain how adversaries take advantage of weak authentication.

  • 1.2.B.1 Many people use common patterns when creating passwords, such as:
    • Starting a password with one or two words, adding a two-digit number (often signifying a year), and putting a special character at the end
    • Including the names of family or pets in their passwords
    • Including personally significant dates in their passwords
  • 1.2.B.2 Adversaries often construct a dictionary of possible passwords based on personal information gathered about a target (e.g., birthday, anniversary, names of pets and family) and use an automated tool to submit potential passwords.

1.2.C
Explain how to make authentication stronger.

  • 1.2.C.1 Users should create passwords that are long, random, and unique. A password manager can be used to generate and store strong passwords, or a user may create long, unique passphrases for their accounts.
  • 1.2.C.2 When creating passwords, users should avoid names, dates, or other personally meaningful words or numbers.
  • 1.2.C.3 When available, users should enable multifactor authentication (MFA), which will require the user to provide extra proof of identity—such as a one-time code—in addition to the password as an extra layer of security.

Source: College Board AP Course and Exam Description

A password attack 密码攻击 is any attempt to log in using guessed or stolen passwords. In an online password attack the adversary tries passwords against a real login page. The warning signs are visible in the logs:

  • many failed logins in a short time,
  • login attempts at unusual hours,
  • login attempts from unknown devices.

Adversaries succeed because people choose weak passwords. Common patterns include a word plus a two-digit year plus a special character (like Summer24!), or a pet's or family member's name. Because these patterns are so common, an adversary can build a dictionary 字典 of likely passwords from information gathered about you and let an automated tool try each one.

To make authentication 身份验证 stronger:

  • Create passwords that are long, random, and unique - a password manager 密码管理器 can generate and store them for you.
  • Avoid names, dates, and meaningful words.
  • Turn on multifactor authentication (MFA) 多因素身份验证, which asks for extra proof (like a texted code) on top of the password.
Vocabulary Train
English Chinese Pinyin
password attack 密码攻击 mì mǎ gōng jī
weak ruò
dictionary 字典 zì diǎn
authentication 身份验证 shēn fèn yàn zhèng
password manager 密码管理器 mì mǎ guǎn lǐ qì
multifactor authentication (MFA) 多因素身份验证 duō yīn sù shēn fèn yàn zhèng
1.3

Best Practices for Public Networks

Syllabus
Learning ObjectiveEssential Knowledge

1.3.A
Identify the type of adversary conducting a cyberattack.

  • 1.3.A.1 Adversaries can be classified by their skill levels.
    • Low-skilled adversaries rely on malicious cyber tools created by others that can be purchased online. The tools they use exploit known vulnerabilities.
    • High-skilled adversaries have the capacity to create new malicious cyber tools or modify existing ones to adapt to new defensive techniques and tools. They also have the capacity to discover undocumented vulnerabilities, known as zero days.
  • 1.3.A.2 Adversaries have a variety of motivations, including greed, desire for recognition, dedication to a cause, revenge, politics, or beliefs.

1.3.B
Identify types of wireless cyberattacks.

  • 1.3.B.1 In an evil twin attack, an adversary sets up their own wireless access point (WAP) with a service set identifier (SSID) similar or identical to a target network; the adversary’s network is called the evil twin. Victims of this attack could select to unknowingly connect to the evil twin, allowing the adversary to capture their network traffic. The adversary cannot read traffic that uses an encrypted protocol like HTTPS.
  • 1.3.B.2 In a jamming attack, an adversary floods an area with a strong electromagnetic (EM) signal in the same frequency range as the wireless network, which prevents legitimate traffic between the access point (AP) and users. This type of attack that prevents users from accessing resources is called a denial of service (DoS) attack.
  • 1.3.B.3 In a war driving attack, adversaries try to detect wireless network beacons while driving or walking around a target. If a wireless signal is detected, the adversary can gather information about the type of wireless network used and find areas where the wireless signal extends outside the physical building.

1.3.C
Describe actions individuals can take to increase protection of sensitive data when using the internet and Wi-Fi.

  • 1.3.C.1 Individuals should verify that the name of any wireless network they join exactly matches the name of the network they intend to join.
  • 1.3.C.2 Most internet protocols are encrypted to protect network traffic. However, individuals may consider the sensitivity of their data in choosing whether to join unencrypted Wi-Fi networks to protect vulnerable data such as DNS queries.
  • 1.3.C.3 Individuals may consider using a virtual private network (VPN), which encrypts all their traffic to the VPN operator’s system. Although this action prevents a service provider from viewing traffic, the VPN provider can view the traffic.

Source: College Board AP Course and Exam Description

Not all adversaries are the same. We classify them by skill: low-skilled attackers buy ready-made tools online and reuse known exploits 漏洞利用, while high-skilled attackers write their own tools and can discover brand-new holes called zero days 零日漏洞. Their motivation 动机 varies too - greed, revenge, politics, or belief.

Public Wi-Fi is a favourite hunting ground. Three wireless attacks you must know:

  • Evil twin 双胞胎恶意热点 - the adversary sets up a fake access point 接入点 with a name (SSID 服务集标识符) copied from the real network. Victims connect to the fake one, and the adversary reads their traffic (though encrypted 加密的 sites like HTTPS stay safe).
  • Jamming 干扰攻击 - the adversary floods the air with a strong radio signal so no one can connect. This is one kind of denial of service (DoS) 拒绝服务 attack.
  • War driving 战争驾驶 - the adversary drives around detecting wireless networks and where their signal leaks outside a building.

An evil-twin access point copies the real network's name so victims connect to the attacker An evil-twin access point copies the real network's name so victims connect to the attacker

To protect yourself on public networks: check that the network name exactly matches the one you intend to join, prefer encrypted sites, and consider a virtual private network (VPN) 虚拟专用网络, which encrypts all of your traffic to the VPN operator.

Vocabulary Train
English Chinese Pinyin
exploits 漏洞利用 lòu dòng lì yòng
zero days 零日漏洞 líng rì lòu dòng
motivation 动机 dòng jī
Evil twin 双胞胎恶意热点 shuāng bāo tāi è yì rè diǎn
access point 接入点 jiē rù diǎn
SSID 服务集标识符 fú wù jí biāo shí fú
encrypted 加密的 jiā mì de
Jamming 干扰攻击 gān rǎo gōng jī
denial of service (DoS) 拒绝服务 jù jué fú wù
War driving 战争驾驶 zhàn zhēng jià shǐ
virtual private network (VPN) 虚拟专用网络 xū nǐ zhuān yòng wǎng luò
1.4

AI-Based Cybersecurity Attacks

Syllabus
Learning ObjectiveEssential Knowledge

1.4.A
Explain how adversaries use AI-powered tools to augment cyberattacks.

  • 1.4.A.1 Adversaries can use AI-powered tools that leverage existing voice and image samples of a person to create a digital avatar of that person. The use of these technologies enables adversaries to impersonate someone over the phone or even on a video call, which can lead to financial loss or the sharing of sensitive or private information. As more organizations adopt voice-based authentication, the impact of voice-impersonation has a larger potential impact.
  • 1.4.A.2 Adversaries can use generative AI tools, like large language models (LLMs), to create convincing phishing messages in any target language. Because traditional phishing messages are sometimes written by non-native speakers of the target’s language, unnatural language is a feature that has been used to distinguish phishing messages from legitimate messages. However, with AI tools, adversaries can now craft phishing messages in any language that read as though they were written by a native speaker.
  • 1.4.A.3 Adversaries can craft prompts that extract secure or sensitive information from LLMs. Secure or sensitive information in LLMs can come from user input and the large data sets used to train LLMs.
  • 1.4.A.4 Adversaries can publish websites or modify existing websites to contain false information so that the false information will be included in the training sets for LLMs, causing the LLMs to repeat the false information.
  • 1.4.A.5 Adversaries can perform reconnaissance on a target using AI-powered tools that scan the internet to gather information posted on social media and public websites.
  • 1.4.A.6 Adversaries can use AI-enhanced coding tools to help them write new malware, modify existing application code to perform malicious activities, or to find vulnerabilities in large code bases.

1.4.B
Explain how to protect against some AI-augmented cyberattacks.

  • 1.4.B.1 Shared secrets with close friends and relatives that can be used to verify each other’s identities should be established. A secret word or phrase known only to two parties can be used to authenticate identities in high-stakes situations.
  • 1.4.B.2 Multifactor authentication (MFA) should be enabled. If an adversary clones a target’s voice to access a system with voice authentication, requiring a second authentication factor could prevent an adversary from gaining access to accounts.
  • 1.4.B.3 Personal or sensitive data should not be entered into any AI-powered tools, such as chatbots or virtual assistants. Some AI-powered tools feed user input back into the model to provide continuous training. Adversaries could extract data that users have included in prompts.
  • 1.4.B.4 Output from AI-powered tools should be carefully evaluated. Verify information from AI-powered tools using reputable, stable, non-AI-based sources.

Source: College Board AP Course and Exam Description

Artificial intelligence gives adversaries powerful new tools. With enough voice and image samples, an adversary can build a deepfake 深度伪造 avatar to impersonate someone on a call. Large language models (LLMs) 大语言模型 let them write convincing phishing 钓鱼 emails in perfect, native-sounding language - removing the clumsy wording that once gave scams away.

AI also helps adversaries on the back end: crafting prompts that pull secret data out of an LLM, planting false information on websites so it poisons an LLM's training data, scanning the internet to gather facts about a target, and even writing new malware.

You can defend against many AI-augmented attacks: agree on a shared secret 共享秘密 word with close contacts to verify identity, enable MFA (so a cloned voice alone cannot log in), never type sensitive data into a chatbot, and always double-check AI output against reliable, non-AI sources.

Vocabulary Train
English Chinese Pinyin
deepfake 深度伪造 shēn dù wěi zào
Large language models (LLMs) 大语言模型 dà yǔ yán mó xíng
phishing 钓鱼 diào yú
shared secret 共享秘密 gòng xiǎng mì mì
1.5

Leveraging AI in Cyber Defense

Syllabus
Learning ObjectiveEssential Knowledge

1.5.A
Explain how cyber defenders can leverage AI-powered tools to protect networks, applications, and data.

  • 1.5.A.1 AI tools can review current security configurations, like firewall rules and access controls, and recommend more secure options. Recommendations should always be checked by a knowledgeable security technician before being implemented.
  • 1.5.A.2 AI-powered tools can analyze application code to identify vulnerabilities and recommend mitigations. Recommendations should always be reviewed by a knowledgeable programmer before being implemented.
  • 1.5.A.3 AI-powered tools can suggest rules for automated detection systems. Detection rules should always be reviewed by a knowledgeable detection engineer before being added to a system.

1.5.B
Explain how AI-powered tools are enabling faster and more accurate threat detection and response.

  • 1.5.B.1 Of the millions of digital events that happen on networks daily, some likely represent an adversary conducting malicious activity. Humans cannot carefully examine all those events to identify the malicious activity.
  • 1.5.B.2 AI-powered tools can be trained to quickly analyze digital events and sort the events that are likely malicious activity from those that are harmless.
  • 1.5.B.3 AI-powered tools can be programmed to alert human cybersecurity personnel when likely malicious activity is detected or to take specific corrective actions based on the type of malicious activity detected.
  • 1.5.B.4 AI-powered tools enable threat-detection and response teams to catch malicious activity and intervene quickly to prevent loss, harm, damage, and destruction to digital infrastructure and data.

Source: College Board AP Course and Exam Description

The same technology defends us. AI tools can review firewall rules and access settings and recommend safer options - though a human expert must always check the advice before applying it. AI can scan application code for weaknesses and suggest detection rules.

Its biggest advantage is scale. A medium network produces millions of events every day - far too many for people to read. AI can quickly sort the harmless events from the likely-malicious ones, alert human staff, or take an automatic action. This lets defenders catch an attack and respond in seconds instead of days, preventing loss and damage.

1.5

Exam tips

  • When a question asks you to rank risks, remember high risk = high impact AND easy to exploit. A parking-lot Wi-Fi leak matters less than an open internal port that lets an adversary spoof a device.
  • Learn the social-engineering tactics by name - intimidation, urgency, pretexting, authority, consensus, scarcity, familiarity - and be ready to spot which one an email is using.
  • Encryption still protects you on an evil twin: the adversary sees your traffic but cannot read HTTPS. Say what is exposed, not just "it's unsafe".
  • For "how to make authentication stronger", MFA is almost always part of the answer, plus long/unique passwords from a manager.
  • AI is dual-use: the same tool (LLMs, code analysis) appears on both the attack and the defense side. Read the question carefully to see which side it asks about.

Log in or create account

IGCSE & A-Level