Secure Baseline
📏 A standardized, secure configuration for a specific system or device. (Purpose: To create a known-good starting point for all deployments.)
Establish (Baseline)
The process of creating the master image. (Action: Harden the OS, apply patches, install/configure required software like EDR.)
Workstation Hardening
Key Actions: Apply patches (OS & apps), enforce least privilege (no local admin rights), enable host-firewall, install Endpoint Protection (EDR/AV).
Mobile Device Hardening
Key Actions: Enforce via MDM (strong PINs, screen lock), enable Full-Disk Encryption, configure remote wipe, use application control (allow/deny lists).
Server Hardening
Key Actions: Disable all unneeded services/ports (e.g., a web server only needs 80/443), apply secure baseline, forward logs to SIEM, use File Integrity Monitoring (FIM).
Cloud Hardening
Key Actions: Configure strict IAM roles (least privilege), use Security Groups/NSGs (cloud firewall), encrypt data at-rest and in-transit, disable public access to storage/DBs.
Switches and Router Hardening
Key Actions: Disable unused physical ports (port security), use secure admin (SSH/HTTPS, not Telnet/HTTP), apply ACLs to filter traffic, update firmware.
ICS/SCADA Hardening
Key Actions: Network segmentation (air gap or firewall from IT network), use compensating controls (like NIDS) since patching is rare/risky, rely on strong physical security.
Embedded Systems/IoT/RTOS Hardening
Key Actions: CHANGE DEFAULT PASSWORDS (most critical step!), place on an isolated VLAN/network, disable unneeded services (like UPnP or web admin), update firmware (if possible).
Deploy (Baseline)
The process of using the image. (Action: Use the baseline image for all new systems to ensure 100% consistency.)
Maintain (Baseline)
The process of keeping the baseline current. (Action: Update the master image with new patches, then re-deploy.)
📡 Wireless Site Survey
The process of analyzing a physical location to plan a Wi-Fi network. (Purpose: To find interference, ensure coverage, and optimize Access Point (AP) placement.)
📱 MDM (Mobile Device Management)
Software used to manage and secure all mobile devices. (Scenario: Used to enforce policies (like encryption), push apps, and remote wipe a lost COPE phone.)
Heat Map
A visual map created from a site survey. (What it shows: Wi-Fi signal strength and coverage, helping to find dead zones or signal bleed outside the building.)
BYOD (Bring Your Own Device)
Deployment Model: Employees use their personal devices for work.
Security Implication: High risk. Data is on a device the company doesn't own. Requires strong MDM with containerization.
COPE (Corporate-Owned, Personally-Enabled)
Deployment Model: Company owns the device, but lets the employee use it for personal tasks.
Security Implication: Good balance. Company has full control and can wipe it at any time.
CYOD (Choose Your Own Device)
Deployment Model: Company provides a list of approved devices for the employee to choose from.
Security Implication: Easier to manage than BYOD, as IT only has to support a few known, secure models.
Mobile Connection Methods
Cellular: Connects to the mobile carrier network (e.g., 4G/5G).
Wi-Fi: Connects to a local wireless access point (WAP).
Bluetooth: Short-range, point-to-point connection (e.g., headset, keyboard).
WPA3
The most secure Wi-Fi protocol. (Key Feature: Uses SAE (Simultaneous Authentication of Equals), which replaces the WPA2-PSK handshake and protects against offline dictionary attacks.)
AAA/RADIUS
AAA: Authentication (Who are you?), Authorization (What can you do?), Accounting (What did you do?).
RADIUS: A protocol that implements AAA for network access. (Scenario: Used in WPA3-Enterprise to let users log in to Wi-Fi with their own username/password, not a shared key.)
Wireless Cryptographic Protocols
CCMP/AES: The secure standard. CCMP is the protocol, AES is the encryption algorithm it uses. (Used by WPA2 and WPA3.)
TKIP: Deprecated. The older protocol used by WPA. (Do not use.)
Wireless Authentication Protocols
EAP (Extensible Authentication Protocol): A framework for authentication, not a single protocol.
PEAP (Protected EAP): Encapsulates EAP in a secure TLS tunnel. (Commonly used, only requires a server-side certificate.)
EAP-TLS: The most secure EAP type. (Requires a client-side certificate on every device. Very high security, but complex to manage.)
Input Validation
Scrubbing, filtering, or rejecting user-provided data before processing. (Scenario: Prevents SQL Injection by stripping characters like ' or ; from a username field.)
Secure Cookies
An HTTP cookie sent with the Secure flag. (What it does: Forces the browser to only send the cookie back over HTTPS, preventing it from being stolen in a man-in-the-middle attack.)
Static Code Analysis (SAST)
Analyzing an application's source code for bugs and vulnerabilities without running the program. (Scenario: A developer's tool scans the code before compilation.)
Code Signing
Using a digital certificate to add a digital signature to an executable. (Purpose: Provides Integrity (proves the code wasn't tampered with) and Authenticity (proves it came from the real publisher).)
Sandboxing
Running an application in an isolated, restricted environment with limited access to the host OS. (Scenario: A browser runs a website's JavaScript in a sandbox so it can't read files from your C: drive.)
Monitoring
Continuously observing systems and networks for anomalies, policy violations, or attacks. (Scenario: A SIEM collecting logs from firewalls, servers, and EDR to detect a pattern of attack.)