• Baseline Config: Hardened image (CIS benchmarks, STIGs) deployed to all endpoints; defines the reference state against which configuration drift is detected and corrected
• FDE (Full Disk Encryption): Encrypts entire drive (BitLocker, FileVault); protects data at rest if device stolen; requires key escrow/recovery
• Patch Management: Automated deployment of OS/app updates; critical/urgent patches prioritized; test before prod; Patch Tuesday cycles
• Remove Unnecessary Software: Attack surface reduction; remove games, unused browsers, admin tools; prevents shadow IT vulnerabilities
• Group Policy (GPO): Windows centralized management; enforces password policies, USB restrictions, software restrictions, registry settings
• SELinux (Security-Enhanced Linux): MAC (Mandatory Access Control) enforcing security policies on Linux; restricts process capabilities beyond traditional permissions
• EDR (Endpoint Detection and Response): Real-time monitoring, threat hunting, automated response (isolation, file quarantine); replaces traditional AV
• XDR (Extended Detection and Response): EDR + network/email/cloud data; cross-layer correlation; single pane of glass
• HIDS/HIPS: HIDS (Host-based IDS) logs/analyzes endpoint activity (detection only); HIPS blocks malicious processes/files (prevention inline)
• UEBA (User and Entity Behavior Analytics): ML-driven anomaly detection; baselines normal behavior, flags impossible travel or off-hours data exfiltration
• Allow/Deny Lists: Allow listing (whitelisting: default deny, explicit permit only; high security, high maintenance) vs Deny listing (blacklisting: block known bad; traditional AV model)
• Deployment Models: BYOD (high risk, limited control), COBO (locked corporate), COPE (managed + personal allowance), CYOD (approved list selection)
• MDM: Centralized mobile control (Intune, VMware Workspace ONE); remote wipe, enforce encryption, managed apps, separate work/personal containers
• Geofencing: Location-based policy enforcement (disable camera inside a facility, wipe if the device leaves the country); Privacy Concerns: location tracking, personal data separation, BYOD monitoring scope
• PAN/Network Risks: Personal Area Networks (Bluetooth), WiFi Tethering/Hotspots, Ad-hoc Networks; risks include data exfiltration via personal cloud, bypassing corporate firewall, bridging secure/unsecure networks, creating rogue APs for attackers
Quick Distinctions: EDR = endpoint deep dive; XDR = cross-platform correlation; HIDS alerts, HIPS blocks; SELinux = Linux MAC enforcement; Geofencing = location policy boundary.