• CIS Benchmarks: Industry-standard configuration guides (hundreds of OS/app checklists); consensus-based, prescriptive hardening steps
• STIGs (Security Technical Implementation Guides): DoD-specific hardening requirements (DISA); more rigid/strict than CIS; mandatory for federal systems
• Vendor Guidance: Manufacturer hardening guides (Cisco Hardening Guide, Microsoft Security Baselines); addresses product-specific features and known vulnerabilities
• WAP Placement: Site Surveys (measure coverage/interference); Heat Maps (visualize signal strength and overlap); minimize bleed to parking lots/adjacent buildings
• Encryption Evolution:
– WEP: Broken (RC4 stream cipher); never use
– WPS (Wi-Fi Protected Setup): PIN method vulnerable to brute force (Pixie Dust attack); disable WPS push-button/PIN; use only if necessary
– WPA2: PSK (Pre-Shared Key, home/SMB) vs Enterprise (802.1X/RADIUS); AES-CCMP encryption; vulnerable to KRACK
– WPA3: SAE (Simultaneous Authentication of Equals) replaces PSK; forward secrecy; Enhanced Open (OWE - Opportunistic Wireless Encryption) encrypts open networks without passwords
• DPP (Device Provisioning Protocol / Wi-Fi Easy Connect): Replaces WPS; uses QR codes or NFC for secure onboarding without PIN vulnerabilities
• Config Management: Ansible (agentless, YAML playbooks), Puppet, Chef; enforce desired state automatically, prevent configuration drift
• SCAP (Security Content Automation Protocol): Automated verification against hardening standards; XCCDF (checklist format), OVAL (vulnerability definitions), SCC (scanner tool for STIGs)
• Baseline Practices: Change default passwords/community strings (SNMP); disable unnecessary services/ports (reduces attack surface); remove default accounts (guest, admin)
• Agent-Based: Persistent software on endpoint; deep inspection (AV status, patch level) but deployment/maintenance overhead; Dissolvable Agent: Runs temporarily then removes itself (flexible, less intrusive)
• Agentless: Uses SNMP, WMI, or Active Directory GPOs to assess posture; easier deployment but limited visibility (can’t check local security settings deeply); MAC Authentication Bypass (MAB) as fallback
• Categories: Block/allow by URL classification (malware, gambling, social media); SSL Inspection (MITM decryption to inspect HTTPS traffic, privacy concerns)
• Deployment: Cloud-based (DNS filtering, off-network protection) vs On-premise (proxy appliance); Time-based policies (allow social media only at lunch)