OBJECTIVE 4.1 Given a scenario (PBQ-likely)
Apply common security techniques to computing resources
Secure baselines, hardening across target types (mobile, workstations, switches, routers, cloud, servers, ICSIndustrial Control System — Systems managing physical industrial processes/SCADASupervisory Control and Data Acquisition — Industrial control system for remote monitoring, embedded, IoTInternet of Things — Connected devices (cameras, sensors, appliances)), wireless security (WPA3Wi-Fi Protected Access 3 — Current wireless security standard, RADIUSRemote Authentication Dial-In User Service — Port 1812/1813 (UDP). Protocol for centralized authentication (AAA), EAP-TLSEAP Transport Layer Security — EAP using mutual TLS certificates (most secure)), mobile solutions (MDMMobile Device Management — Centralized management of mobile devices, BYODBring Your Own Device — Employee uses personal device for work/COPECorporate-Owned, Personally Enabled — Company device with permitted personal use/CYODChoose Your Own Device — Employee picks from approved corporate devices), and application security (input validation, code analysis, sandboxing).
Exam approach: “Given a scenario” — expect to select and apply the correct hardening actions for a described environment. Not just knowing what WPA3Wi-Fi Protected Access 3 — Current wireless security standard is, but configuring it correctly for an enterprise vs. small business vs. public hotspot.
Offensive context: Every hardening action is a friction multiplier — you’re raising the cost of attack, not chasing perfection. Mobile hardening gets real when you consider state-level spyware: FLAG_SECURE, overlay detection, and the assumption that the OSOperating System — System software managing hardware and applications is already compromised.
Secure Baselines
A baseline is the minimum secure configuration for a system type before it goes into production.
- Establish: Define the standard configuration for each system category — OSOperating System — System software managing hardware and applications settings, enabled services, installed software, open ports, user accounts
- Deploy: Automate baseline deployment (Golden images, GPOGroup Policy Object — Windows policy enforcement mechanism, Ansible, Terraform). Manual configuration doesn’t scale and introduces drift.
- Maintain: Baselines aren’t static. Update when new vulnerabilities emerge, when the environment changes, or on a regular review cycle.
- Monitor: Continuously compare running systems against baseline. Deviation = either drift (fix it) or compromise (investigate it).
Hardening Targets
Mobile Devices
- Enforce encryption at rest (enabled by default on modern iOS/Android, but verify)
- Require screen lock with biometric or PINPersonal Identification Number — Numeric passcode for authentication (minimum 6 digits)
- Remote wipe capability via MDMMobile Device Management — Centralized management of mobile devices
- Application whitelisting or managed app stores
- Disable USBUniversal Serial Bus — Standard connector for peripherals debugging, developer options in production
- Patch management — OSOperating System — System software managing hardware and applications and app updates enforced via MDMMobile Device Management — Centralized management of mobile devices policy
Workstations
- Remove unnecessary software and services. Every installed application is attack surface.
- Disable local admin accounts or rename them. Use managed admin credentials.
- Full-disk encryption (BitLocker on Windows, FileVault on macOS)
- Host-based firewall enabled and configured
- Endpoint protection (EDREndpoint Detection and Response — Monitors endpoints for threats and enables response, not just AV)
- Automatic patching or managed patch cycles
- Disable autorun/autoplay for removable media
Network Infrastructure (Switches, Routers)
- Change default credentials. This still catches people.
- Disable unused ports and services (Telnet, HTTPHypertext Transfer Protocol — Port 80. Web protocol (unencrypted) management interfaces)
- Use SSHSecure Shell — Port 22. Encrypted remote administration protocol for management, not Telnet
- Enable port security (MACMandatory Access Control — System-enforced access based on security labels filtering, 802.1X)
- VLANVirtual Local Area Network — Logical network segmentation at Layer 2 segmentation — separate management, user, guest, IoTInternet of Things — Connected devices (cameras, sensors, appliances) traffic
- NTPNetwork Time Protocol — Port 123 (UDP). Synchronizes clocks across a network synchronization (logs are useless without accurate time)
- Logging to centralized syslog
Cloud Infrastructure
- Identity-based access (IAMIdentity and Access Management — Framework for managing digital identities and permissions), not key-based where possible
- Least privilege on all service accounts and roles
- Enable audit logging on everything (CloudTrail, GCP Audit Logs)
- Encrypt data at rest and in transit by default
- Restrict public access to storage buckets and databases
- Use managed services over self-hosted where security maintenance is a concern
- Infrastructure as code — configuration is versioned, auditable, reproducible
Servers
- Minimal install — no GUI, no unnecessary packages
- Disable root/admin SSHSecure Shell — Port 22. Encrypted remote administration protocol login. Use named accounts with sudo.
- SSHSecure Shell — Port 22. Encrypted remote administration protocol key authentication, disable password auth
- File integrity monitoring (AIDE, OSSEC, Tripwire)
- Centralized logging
- Regular vulnerability scanning
ICS/SCADA
- Air-gap or heavily segment from corporate network. These systems control physical processes.
- No internet connectivity unless absolutely required (and monitored heavily if so)
- Default credentials are epidemic in ICSIndustrial Control System — Systems managing physical industrial processes. Change them.
- Patch carefully — downtime in ICSIndustrial Control System — Systems managing physical industrial processes can mean physical safety risk. Test patches in staging.
- Monitor for anomalous commands to PLCs/RTUs
Embedded Systems and IoT
- Change default credentials (again — IoTInternet of Things — Connected devices (cameras, sensors, appliances) is the worst offender)
- Disable UPnP
- Segment onto dedicated VLANVirtual Local Area Network — Logical network segmentation at Layer 2 with restricted internet access
- Firmware updates — many IoTInternet of Things — Connected devices (cameras, sensors, appliances) devices never get patched. Factor this into procurement.
- Monitor for unexpected outbound connections (IoTInternet of Things — Connected devices (cameras, sensors, appliances) botnets phone home)
Wireless Security
WPA3
The current standard. Key improvements over WPA2:
- SAESimultaneous Authentication of Equals — WPA3 key exchange replacing PSK 4-way handshake (Simultaneous Authentication of Equals): Replaces PSKPre-Shared Key — Symmetric key shared before communication begins 4-way handshake. Resistant to offline dictionary attacks — capturing the handshake doesn’t give you crackable material.
- PMFProtected Management Frames — Wi-Fi protection against deauth attacks (Protected Management Frames): Mandatory in WPA3Wi-Fi Protected Access 3 — Current wireless security standard. Prevents deauthentication attacks.
- 192-bit security mode: Enterprise option using CNSA suite (GCMP-256, HMACHash-based Message Authentication Code — Combines hash with secret key for integrity + authentication-SHA-384).
- Forward secrecy: Compromising the password doesn’t let you decrypt previously captured traffic.
Enterprise Wireless (802.1X + RADIUS)
- Each user authenticates individually. No shared PSKPre-Shared Key — Symmetric key shared before communication begins.
- Authentication handled by RADIUSRemote Authentication Dial-In User Service — Port 1812/1813 (UDP). Protocol for centralized authentication (AAA) server (FreeRADIUS, NPS, cloud RADIUSRemote Authentication Dial-In User Service — Port 1812/1813 (UDP). Protocol for centralized authentication (AAA))
- EAPExtensible Authentication Protocol — Framework for network authentication methods methods:
- EAP-TLSEAP Transport Layer Security — EAP using mutual TLS certificates (most secure): Mutual certificate authentication. Strongest. Requires PKIPublic Key Infrastructure — Trust framework for digital certificates (client certs on every device).
- PEAPProtected Extensible Authentication Protocol — EAP method using TLS tunnel + password: Server cert + user credentials inside TLSTransport Layer Security — Port 443 (HTTPS). Encryption protocol for data in transit tunnel. Most common enterprise deployment.
- EAP-FASTEAP Flexible Authentication via Secure Tunneling — Cisco EAP replacement for LEAP: Cisco’s alternative to PEAPProtected Extensible Authentication Protocol — EAP method using TLS tunnel + password. Uses PACs (Protected Access Credentials) instead of certs.
- EAP-TTLSEAP Tunneled Transport Layer Security — EAP with TLS tunnel, inner authentication flexible: Similar to PEAPProtected Extensible Authentication Protocol — EAP method using TLS tunnel + password. TLSTransport Layer Security — Port 443 (HTTPS). Encryption protocol for data in transit tunnel with inner authentication method.
Configuration by Context
| Environment | Configuration |
|---|---|
| Enterprise | WPA3Wi-Fi Protected Access 3 — Current wireless security standard-Enterprise, 802.1X, RADIUSRemote Authentication Dial-In User Service — Port 1812/1813 (UDP). Protocol for centralized authentication (AAA), EAP-TLSEAP Transport Layer Security — EAP using mutual TLS certificates (most secure) or PEAPProtected Extensible Authentication Protocol — EAP method using TLS tunnel + password, certificate-based auth |
| Small Business | WPA3Wi-Fi Protected Access 3 — Current wireless security standard-Personal (SAESimultaneous Authentication of Equals — WPA3 key exchange replacing PSK 4-way handshake), strong passphrase, separate guest network |
| Public Hotspot | Open + captive portal, OWE (Opportunistic Wireless Encryption) for encryption without authentication |
| IoTInternet of Things — Connected devices (cameras, sensors, appliances) Devices | Dedicated SSIDService Set Identifier — Wireless network name on isolated VLANVirtual Local Area Network — Logical network segmentation at Layer 2, WPA2/3-Personal if device supports it |
Mobile Solutions
Deployment Models
| Model | Who Owns Device | Who Manages Device | Use Case |
|---|---|---|---|
| BYODBring Your Own Device — Employee uses personal device for work (Bring Your Own Device) | Employee | Partial (MDMMobile Device Management — Centralized management of mobile devices container) | Cost savings, employee preference. Hardest to secure. |
| COPECorporate-Owned, Personally Enabled — Company device with permitted personal use (Corporate-Owned, Personally Enabled) | Company | Full (MDMMobile Device Management — Centralized management of mobile devices) | Company controls the device but allows personal use. Best balance. |
| CYODChoose Your Own Device — Employee picks from approved corporate devices (Choose Your Own Device) | Company | Full (MDMMobile Device Management — Centralized management of mobile devices) | Employee picks from approved list. Company owns and manages. |
| Corporate-Owned | Company | Full | Highest control. Work-only device. |
MDM Capabilities
- Remote wipe (full or selective/corporate data only)
- Application management (whitelist, blacklist, managed distribution)
- Configuration profiles (WiFi, VPNVirtual Private Network — Encrypted tunnel over public networks, email, certificate deployment)
- Geofencing (restrict features based on location)
- Containerization (separate work data from personal data)
- Jailbreak/root detection
- Compliance enforcement (require encryption, OSOperating System — System software managing hardware and applications version, screen lock)
Wireless Security Decision Logic
| If the scenario says… | Choose… | Because… |
|---|---|---|
| ”Enterprise with individual user authentication” | WPA3Wi-Fi Protected Access 3 — Current wireless security standard-Enterprise + 802.1X + RADIUSRemote Authentication Dial-In User Service — Port 1812/1813 (UDP). Protocol for centralized authentication (AAA) | Per-user credentials, centralized auth |
| ”Highest security, mutual certificate auth” | EAP-TLSEAP Transport Layer Security — EAP using mutual TLS certificates (most secure) | Both client and server present certs, strongest EAPExtensible Authentication Protocol — Framework for network authentication methods |
| ”Enterprise, no PKIPublic Key Infrastructure — Trust framework for digital certificates for client certs” | PEAPProtected Extensible Authentication Protocol — EAP method using TLS tunnel + password | Server cert + user password in TLSTransport Layer Security — Port 443 (HTTPS). Encryption protocol for data in transit tunnel |
| ”Small business, no RADIUSRemote Authentication Dial-In User Service — Port 1812/1813 (UDP). Protocol for centralized authentication (AAA) server” | WPA3Wi-Fi Protected Access 3 — Current wireless security standard-Personal (SAESimultaneous Authentication of Equals — WPA3 key exchange replacing PSK 4-way handshake) | Strong passphrase, resistant to offline attacks |
| ”Public hotspot, no authentication needed” | OWE (Enhanced Open) | Encryption without authentication |
| ”Legacy devices that only support WPA2” | WPA2-Enterprise | Better than WPA2-Personal, at least individual auth |
| ”IoT devices on isolated network” | WPA2/3-Personal on dedicated VLANVirtual Local Area Network — Logical network segmentation at Layer 2 | Many IoTInternet of Things — Connected devices (cameras, sensors, appliances) devices don’t support Enterprise |
Deployment Model Decision Logic
| If the scenario says… | Choose… | Because… |
|---|---|---|
| ”Company wants full control, employee prefers own device” | COPECorporate-Owned, Personally Enabled — Company device with permitted personal use | Company owns, personal use allowed, full MDMMobile Device Management — Centralized management of mobile devices |
| ”Minimize device cost, employees already have phones” | BYODBring Your Own Device — Employee uses personal device for work | Employee-owned, MDMMobile Device Management — Centralized management of mobile devices container for work data |
| ”Employee picks from approved list, company pays” | CYODChoose Your Own Device — Employee picks from approved corporate devices | Employee choice within approved options, company owns |
| ”Highest security, work only” | Corporate-owned | Full control, no personal use complications |
| ”Need to remote wipe entire device” | COPECorporate-Owned, Personally Enabled — Company device with permitted personal use or Corporate-owned | Company owns = full wipe authority |
| ”Can only wipe corporate data, not personal” | BYODBring Your Own Device — Employee uses personal device for work | Selective/container wipe only |
Application Security
Input Validation
- Validate all input at the boundary. Type, length, format, range.
- Whitelist (allow known-good) over blacklist (block known-bad). Blacklists are always incomplete.
- Server-side validation is mandatory. Client-side validation is a UX convenience, not a security control.
- Parameterized queries for database interaction. Never concatenate user input into SQLStructured Query Language — Language for database queries.
Secure Coding Practices
- Output encoding (HTMLHypertext Markup Language — Standard markup language for web pages encoding, URLUniform Resource Locator — Web address for accessing resources encoding) to prevent XSSCross-Site Scripting — Injection of malicious scripts into web pages
- Least privilege in application code — services run as non-root, database connections use restricted accounts
- Error handling that doesn’t leak information (no stack traces in production, no database error details to users)
- Session management — secure cookie flags, token rotation, timeout
Code Analysis
- SASTStatic Application Security Testing — Analyzing source code for vulnerabilities (Static Application Security Testing): Scans source code for vulnerabilities before compilation/deployment. Finds injection flaws, hardcoded secrets, insecure patterns.
- DASTDynamic Application Security Testing — Testing running applications for vulnerabilities (Dynamic Application Security Testing): Tests running application by sending crafted requests. Finds runtime vulnerabilities that SASTStatic Application Security Testing — Analyzing source code for vulnerabilities misses.
- SCASoftware Composition Analysis — Identifying vulnerable third-party dependencies (Software Composition Analysis): Scans dependencies for known vulnerabilities. This is what Syft/Grype do.
Sandboxing
- Execute untrusted code in an isolated environment
- Limits blast radius — if the sandboxed process is compromised, it can’t reach the rest of the system
- Common in browsers (each tab is sandboxed), mobile apps (app sandbox), and security analysis (detonation chambers for malware)