OBJECTIVE 4.1 Given a scenario (PBQ-likely)
Apply common security techniques to computing resources
Secure baselines, hardening across target types (mobile, workstations, switches, routers, cloud, servers, ICS/SCADA, embedded, IoT), wireless security (WPA3, RADIUS, EAP-TLS), mobile solutions (MDM, BYOD/COPE/CYOD), and application security (input validation, code analysis, sandboxing).
Exam approach: “Given a scenario” — expect to select and apply the correct hardening actions for a described environment. Not just knowing what WPA3 is, but configuring it correctly for an enterprise vs. small business vs. public hotspot.
Offensive context: Every hardening action is a friction multiplier — you’re raising the cost of attack, not chasing perfection. Mobile hardening gets real when you consider state-level spyware: FLAG_SECURE, overlay detection, and the assumption that the OS is already compromised.
Secure Baselines
A baseline is the minimum secure configuration for a system type before it goes into production.
- Establish: Define the standard configuration for each system category — OS settings, enabled services, installed software, open ports, user accounts
- Deploy: Automate baseline deployment (Golden images, GPO, Ansible, Terraform). Manual configuration doesn’t scale and introduces drift.
- Maintain: Baselines aren’t static. Update when new vulnerabilities emerge, when the environment changes, or on a regular review cycle.
- Monitor: Continuously compare running systems against baseline. Deviation = either drift (fix it) or compromise (investigate it).
Hardening Targets
Mobile Devices
- Enforce encryption at rest (enabled by default on modern iOS/Android, but verify)
- Require screen lock with biometric or PIN (minimum 6 digits)
- Remote wipe capability via MDM
- Application whitelisting or managed app stores
- Disable USB debugging, developer options in production
- Patch management — OS and app updates enforced via MDM policy
Workstations
- Remove unnecessary software and services. Every installed application is attack surface.
- Disable local admin accounts or rename them. Use managed admin credentials.
- Full-disk encryption (BitLocker on Windows, FileVault on macOS)
- Host-based firewall enabled and configured
- Endpoint protection (EDR, not just AV)
- Automatic patching or managed patch cycles
- Disable autorun/autoplay for removable media
Network Infrastructure (Switches, Routers)
- Change default credentials. This still catches people.
- Disable unused ports and services (Telnet, HTTP management interfaces)
- Use SSH for management, not Telnet
- Enable port security (MAC filtering, 802.1X)
- VLAN segmentation — separate management, user, guest, IoT traffic
- NTP synchronization (logs are useless without accurate time)
- Logging to centralized syslog
Cloud Infrastructure
- Identity-based access (IAM), not key-based where possible
- Least privilege on all service accounts and roles
- Enable audit logging on everything (CloudTrail, GCP Audit Logs)
- Encrypt data at rest and in transit by default
- Restrict public access to storage buckets and databases
- Use managed services over self-hosted where security maintenance is a concern
- Infrastructure as code — configuration is versioned, auditable, reproducible
Servers
- Minimal install — no GUI, no unnecessary packages
- Disable root/admin SSH login. Use named accounts with sudo.
- SSH key authentication, disable password auth
- File integrity monitoring (AIDE, OSSEC, Tripwire)
- Centralized logging
- Regular vulnerability scanning
ICS/SCADA
- Air-gap or heavily segment from corporate network. These systems control physical processes.
- No internet connectivity unless absolutely required (and monitored heavily if so)
- Default credentials are epidemic in ICS. Change them.
- Patch carefully — downtime in ICS can mean physical safety risk. Test patches in staging.
- Monitor for anomalous commands to PLCs/RTUs
Embedded Systems and IoT
- Change default credentials (again — IoT is the worst offender)
- Disable UPnP
- Segment onto dedicated VLAN with restricted internet access
- Firmware updates — many IoT devices never get patched. Factor this into procurement.
- Monitor for unexpected outbound connections (IoT botnets phone home)
Wireless Security
WPA3
The current standard. Key improvements over WPA2:
- SAE (Simultaneous Authentication of Equals): Replaces PSK 4-way handshake. Resistant to offline dictionary attacks — capturing the handshake doesn’t give you crackable material.
- PMF (Protected Management Frames): Mandatory in WPA3. Prevents deauthentication attacks.
- 192-bit security mode: Enterprise option using CNSA suite (GCMP-256, HMAC-SHA-384).
- Forward secrecy: Compromising the password doesn’t let you decrypt previously captured traffic.
Enterprise Wireless (802.1X + RADIUS)
- Each user authenticates individually. No shared PSK.
- Authentication handled by RADIUS server (FreeRADIUS, NPS, cloud RADIUS)
- EAP methods:
- EAP-TLS: Mutual certificate authentication. Strongest. Requires PKI (client certs on every device).
- PEAP: Server cert + user credentials inside TLS tunnel. Most common enterprise deployment.
- EAP-FAST: Cisco’s alternative to PEAP. Uses PACs (Protected Access Credentials) instead of certs.
- EAP-TTLS: Similar to PEAP. TLS tunnel with inner authentication method.
Configuration by Context
| Environment | Configuration |
|---|---|
| Enterprise | WPA3-Enterprise, 802.1X, RADIUS, EAP-TLS or PEAP, certificate-based auth |
| Small Business | WPA3-Personal (SAE), strong passphrase, separate guest network |
| Public Hotspot | Open + captive portal, OWE (Opportunistic Wireless Encryption) for encryption without authentication |
| IoT Devices | Dedicated SSID on isolated VLAN, WPA2/3-Personal if device supports it |
Mobile Solutions
Deployment Models
| Model | Who Owns Device | Who Manages Device | Use Case |
|---|---|---|---|
| BYOD (Bring Your Own Device) | Employee | Partial (MDM container) | Cost savings, employee preference. Hardest to secure. |
| COPE (Corporate-Owned, Personally Enabled) | Company | Full (MDM) | Company controls the device but allows personal use. Best balance. |
| CYOD (Choose Your Own Device) | Company | Full (MDM) | Employee picks from approved list. Company owns and manages. |
| Corporate-Owned | Company | Full | Highest control. Work-only device. |
MDM Capabilities
- Remote wipe (full or selective/corporate data only)
- Application management (whitelist, blacklist, managed distribution)
- Configuration profiles (WiFi, VPN, email, certificate deployment)
- Geofencing (restrict features based on location)
- Containerization (separate work data from personal data)
- Jailbreak/root detection
- Compliance enforcement (require encryption, OS version, screen lock)
Wireless Security Decision Logic
| If the scenario says… | Choose… | Because… |
|---|---|---|
| ”Enterprise with individual user authentication” | WPA3-Enterprise + 802.1X + RADIUS | Per-user credentials, centralized auth |
| ”Highest security, mutual certificate auth” | EAP-TLS | Both client and server present certs, strongest EAP |
| ”Enterprise, no PKI for client certs” | PEAP | Server cert + user password in TLS tunnel |
| ”Small business, no RADIUS server” | WPA3-Personal (SAE) | Strong passphrase, resistant to offline attacks |
| ”Public hotspot, no authentication needed” | OWE (Enhanced Open) | Encryption without authentication |
| ”Legacy devices that only support WPA2” | WPA2-Enterprise | Better than WPA2-Personal, at least individual auth |
| ”IoT devices on isolated network” | WPA2/3-Personal on dedicated VLAN | Many IoT devices don’t support Enterprise |
Deployment Model Decision Logic
| If the scenario says… | Choose… | Because… |
|---|---|---|
| ”Company wants full control, employee prefers own device” | COPE | Company owns, personal use allowed, full MDM |
| ”Minimize device cost, employees already have phones” | BYOD | Employee-owned, MDM container for work data |
| ”Employee picks from approved list, company pays” | CYOD | Employee choice within approved options, company owns |
| ”Highest security, work only” | Corporate-owned | Full control, no personal use complications |
| ”Need to remote wipe entire device” | COPE or Corporate-owned | Company owns = full wipe authority |
| ”Can only wipe corporate data, not personal” | BYOD | Selective/container wipe only |
Application Security
Input Validation
- Validate all input at the boundary. Type, length, format, range.
- Whitelist (allow known-good) over blacklist (block known-bad). Blacklists are always incomplete.
- Server-side validation is mandatory. Client-side validation is a UX convenience, not a security control.
- Parameterized queries for database interaction. Never concatenate user input into SQL.
Secure Coding Practices
- Output encoding (HTML encoding, URL encoding) to prevent XSS
- Least privilege in application code — services run as non-root, database connections use restricted accounts
- Error handling that doesn’t leak information (no stack traces in production, no database error details to users)
- Session management — secure cookie flags, token rotation, timeout
Code Analysis
- SAST (Static Application Security Testing): Scans source code for vulnerabilities before compilation/deployment. Finds injection flaws, hardcoded secrets, insecure patterns.
- DAST (Dynamic Application Security Testing): Tests running application by sending crafted requests. Finds runtime vulnerabilities that SAST misses.
- SCA (Software Composition Analysis): Scans dependencies for known vulnerabilities. This is what Syft/Grype do.
Sandboxing
- Execute untrusted code in an isolated environment
- Limits blast radius — if the sandboxed process is compromised, it can’t reach the rest of the system
- Common in browsers (each tab is sandboxed), mobile apps (app sandbox), and security analysis (detonation chambers for malware)