

Lesson 10: Endpoint Security

Endpoint Hardening

Operating System Security:

  • Apply CIS Benchmarks or STIGs to harden Windows, Linux, macOS
  • Configure secure baseline settings: disable unnecessary services, close ports, restrict interfaces
  • Use least privilege: restrict user and system permissions
  • Harden file systems, enforce ACLs, monitor with Group Policy or SELinux
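An added example (not from the lesson) of one baseline check from the list above: comparing the listening TCP sockets on a Linux host against an allowlist of permitted ports and bind scopes, so that unnecessary services and services exposed on every interface are reported. The `ss -tlnH` sample and the allowlist are constructed assumptions for this example.

```python
# Added example: audit listening TCP sockets against a secure-baseline allowlist.
# Input is in the row format of `ss -tlnH` (State Recv-Q Send-Q Local Peer).
# The sample output and the allowlist below are constructed for this example.

ALLOWED_LISTENERS = {
    # port: bind scopes the baseline permits ("any" permits every interface)
    22:   {"any"},       # SSH may listen on all interfaces
    5432: {"loopback"},  # database reachable from localhost only
    6379: {"loopback"},  # cache reachable from localhost only
}

SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
LISTEN 0      511                *:8080            *:*
LISTEN 0      128          0.0.0.0:6379      0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
"""

def parse_listener(line):
    """Return (port, scope) for one `ss -tlnH` row, or None for a blank/short row."""
    fields = line.split()
    if len(fields) < 4:
        return None
    addr, _, port = fields[3].rpartition(":")   # split on the last ':' (IPv6 safe)
    addr = addr.strip("[]")
    if addr in ("127.0.0.1", "::1"):
        scope = "loopback"
    elif addr in ("0.0.0.0", "::", "*"):
        scope = "any"
    else:
        scope = "specific"                        # bound to one interface address
    return int(port), scope

def audit_listeners(ss_output, allowlist):
    """Return (port, scope, reason) for every listener that violates the baseline."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        port, scope = parsed
        if port not in allowlist:
            findings.append((port, scope, "not in baseline: disable service or close port"))
        elif "any" not in allowlist[port] and scope not in allowlist[port]:
            findings.append((port, scope, "bound beyond baseline scope: restrict interface"))
    return findings
```

On a real host the same function can be fed `subprocess.run(["ss", "-tlnH"], capture_output=True, text=True).stdout`; here it flags telnet (23) and 8080 as unlisted and 6379 as exposed on all interfaces.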

Hardening Techniques:

  • Change Defaults: Remove default credentials and settings
  • Remove Unnecessary Software: Reduce attack surface
  • Protect Physical Ports: Disable unused USBs, restrict console access
  • Full Disk Encryption (FDE): Encrypt the entire drive so data at rest is unreadable without the key (e.g., BitLocker on Windows)
  • Removable Media Encryption: Protect data on USBs/external storage
  • Email Encryption: Secure sensitive communications
  • Host-Based Firewalls/IPS: Prevent unauthorized access
  • VPNs: Encrypt traffic from remote devices

Endpoint Protection:

  • Network Segmentation: Isolate departments or sensitive systems
  • Isolation: Quarantine compromised endpoints
  • Antivirus/Antimalware: Detect known threats
  • Patch Management: Fix vulnerabilities proactively

Hardening Specialized Devices:

ICS/SCADA Systems:

  • Network segmentation and unidirectional gateways (data diodes)
  • Enforce strong authentication

Embedded Systems & RTOS:

  • Choose secure hardware/software
  • Avoid unnecessary network exposure

Advanced Endpoint Protection

Key Technologies:

  • EDR (Endpoint Detection and Response): Real-time monitoring/response for endpoint threats, focused on individual endpoints
  • XDR (Extended Detection and Response): Centralized view across endpoints, servers, networks, broader scope than EDR
  • HIDS (Host-Based Intrusion Detection System): Detects threats on a specific host (logs, files); passive, alerts only
  • HIPS (Host-Based Intrusion Prevention System): Monitors and blocks malicious behavior on a host; active, blocks threats
  • UEBA (User & Entity Behavior Analytics): Detects anomalies in user/system behavior, good for insider threats

Mobile Security

Deployment Models:

  • BYOD (Bring Your Own Device): User owns device, high flexibility, high risk
  • COPE (Corporate-Owned, Personally Enabled): Company-owned with personal use allowed, balance of control
  • COBO (Corporate-Owned, Business Only): Strict company-only use, high security
  • CYOD (Choose Your Own Device): User selects from pre-approved device list, mix of control/customization

Mobile Device Hardening:

  • Full Device Encryption: Protects stored data (iOS auto-enables with passcode)
  • External Media Encryption: Encrypt removable storage (USB, SD cards)
  • Geofencing: Trigger security actions based on location (disable camera in secure areas)
  • Restrict Sensors/Connections: Limit camera, screen capture, Bluetooth, NFC, GPS, tethering, hotspot

Mobile Device Management (MDM):

  • Enforce security policies, app controls, and remote wipe
  • Tools: Intune, JAMF

Connection & Location Controls:

  • Wi-Fi: Use secure enterprise networks, avoid public/rogue networks (evil twins)
  • Cellular/GPS: Manage device tracking and data use
  • PANs (Personal Area Networks): Bluetooth, wearables; restrict if not required
  • NFC & Mobile Payments: Secure short-range communication, disable if not needed
  • VPNs: Encrypt mobile traffic
