For most organisations, security has shifted from "harden the network perimeter" to "harden every endpoint" — because laptops, phones, and cloud apps don't sit inside one perimeter any more. This lesson covers the practical controls that protect the device-level attack surface.
The Threat Landscape
| Threat | What it does |
|---|---|
| Ransomware | Encrypts files; demands payment for decryption key |
| Phishing | Fake email/SMS tricks user into giving credentials or running malware |
| Credential stuffing | Reuses leaked username/password pairs against other services |
| Business Email Compromise (BEC) | Attacker impersonates exec to redirect payments |
| Drive-by download | Malicious site exploits browser/OS bug to install malware |
| USB drop | Infected USB drive left where a user will find it and plug it into a networked machine |
| Insider threat | Disgruntled / careless employee leaks or destroys data |
| Supply-chain attack | Compromised legitimate software pushes malware via update |
Malware Categories
- Virus: Attaches to a host file; spreads when run
- Worm: Self-replicates across networks without a host file
- Trojan: Looks legitimate; carries hidden payload
- Ransomware: Encrypts and demands payment
- Spyware / keylogger: Records keystrokes, screenshots, browsing
- Adware: Forced advertisements; often bundled with free software
- Rootkit: Hides itself and other malware at OS or firmware level
- Cryptominer: Hijacks CPU/GPU to mine cryptocurrency
- Botnet client: Turns device into a node for DDoS / spam / proxying
The Endpoint Defence Stack
1. Patching
Most exploits target known vulnerabilities for which a patch already exists. Patch:
- OS (Windows Update, macOS update, Linux package manager)
- Browsers (almost always auto-update — verify)
- Office suite, PDF reader, runtimes (Java, .NET)
- Drivers (vendor utilities; Windows Update for many)
- Firmware (BIOS / UEFI, GPU, SSD, dock)
Enterprises automate patching via Intune, WSUS, Jamf, SCCM, Patch My PC, or similar.
2. Anti-malware / EDR
Traditional antivirus has evolved into Endpoint Detection and Response (EDR) — behavioural detection, telemetry to a cloud console, automated response. Major products: Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, Sophos Intercept X, Bitdefender GravityZone.
Built-in (and now competitive): Microsoft Defender on Windows, XProtect + Notarisation on macOS.
3. Firewalls
- Host firewall: Windows Defender Firewall, pf on macOS, nftables / firewalld on Linux. Blocks unwanted inbound/outbound connections.
- Network firewall: At the perimeter / next-gen firewalls (Palo Alto, Fortinet, Cisco, Check Point) inspect traffic for known-bad patterns.
4. Authentication and MFA
Strong authentication is the cheapest, highest-impact control you'll deploy.
- Strong passwords / passphrases: Long > complex. Use a password manager.
- Multi-Factor Authentication (MFA): Something you know + something you have / are. Microsoft research finds MFA blocks >99% of automated account attacks.
- Methods: Authenticator app (best for general use), push notification, FIDO2 hardware key (YubiKey — phishing-resistant), passkeys (FIDO2 backed by biometric).
- Avoid SMS as MFA where possible — vulnerable to SIM swap.
- Single Sign-On (SSO): One identity (Azure AD/Entra ID, Okta, Google Workspace) federates to many apps. Reduces password sprawl + centralises MFA.
5. Encryption
| OS | Tool |
|---|---|
| Windows Pro/Enterprise | BitLocker (drive) |
| macOS | FileVault |
| Linux | LUKS (drive), gocryptfs / fscrypt (file-level) |
| iOS / Android | Default-on hardware-backed encryption |
Every laptop or phone that leaves the building should have full-disk encryption. The recovery key must be escrowed (Active Directory / Intune / Jamf / Apple Business Manager) — losing it means losing the data.
6. Backups
The 3-2-1 rule: 3 copies of data, on 2 different media types, with 1 offsite. For business:
- OneDrive / Google Drive / Dropbox for user files (continuous, versioned)
- Endpoint backup (Druva, Backblaze, Code42) for the full machine
- Cloud-app backup (M365, Google Workspace, Salesforce — the vendor keeps the service running but does not back up your data on your behalf; third-party tools like Veeam, Datto, AvePoint do)
- Server / VM backup with off-network or immutable copies (immune to ransomware)
- Test restores quarterly — backups you haven't restored from don't really exist
7. User Account Control / Least Privilege
Users should run as standard accounts, not administrators. UAC on Windows prompts for elevation. Removing local admin rights blocks the vast majority of malware infections — many attacks require admin to fully install.
8. Browser Hygiene
- Keep auto-update on
- uBlock Origin or equivalent reduces malvertising exposure
- Phishing & malware protection enabled (Chrome Safe Browsing, Edge SmartScreen)
- Avoid unnecessary extensions; review permissions of installed ones
- Use isolated browser profiles for risky / personal browsing on work machines
9. Email Security
- SPF / DKIM / DMARC on your domain (server-side)
- Safe Links / Safe Attachments (M365), advanced phishing protection (Google Workspace)
- External-sender warnings on email
- Train users on phishing recognition; phishing-simulation platforms (KnowBe4, Hoxhunt) measurably reduce click rates
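The SPF / DMARC entries above are DNS TXT records, and weak settings (`+all`, `p=none`, no report address) are a common reason a domain is "configured" but still spoofable. The following is an added example, not part of the original lesson: a small checker that audits SPF and DMARC records for those weak settings. The domain names and records are constructed, and the DNS lookup is simulated with a dictionary so it runs offline.

```python
# Constructed sample TXT records (not real domains). SAMPLE_TXT stands in for
# DNS so the audit runs offline; swap in a real resolver for live checks.
SAMPLE_TXT = {
    "example-weak.test": ["v=spf1 include:_spf.example.test +all"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none"],
    "example-good.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.example-good.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-good.test; pct=100"
    ],
}

def check_spf(record):
    """Return a list of findings for one SPF TXT record."""
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record"]
    findings = []
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.startswith("+") or all_term == "all":
        findings.append("SPF uses '+all': any host may send as this domain")
    elif all_term.startswith("?"):
        findings.append("SPF uses '?all': neutral result gives receivers no signal")
    return findings

def check_dmarc(record):
    """Return a list of findings for one DMARC TXT record."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: failures are reported but not acted on")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports arrive")
    return findings

def audit_domain(domain, txt_lookup=SAMPLE_TXT.get):
    """Audit a domain's SPF and DMARC records; an empty list means no weak settings."""
    spf = [r for r in txt_lookup(domain, []) if r.lower().startswith("v=spf1")]
    dmarc = txt_lookup("_dmarc." + domain, [])
    findings = check_spf(spf[0]) if spf else ["no SPF record"]
    findings += check_dmarc(dmarc[0]) if dmarc else ["no DMARC record"]
    return findings
```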
Mobile-Specific Controls
- Enforce passcode + biometric
- Required minimum OS version
- Jailbreak / root detection
- App allow / block lists
- App-protection policies separating corporate data from personal apps (BYOD)
- Remote wipe capability
- Disable installation of apps from unknown sources (Android)
Social Engineering
The most successful attacks bypass technology entirely:
- Phishing: Fraudulent email links to credential-stealing pages
- Spear-phishing: Targeted; references real names and projects
- Whaling: Targets executives
- Smishing: Phishing via SMS
- Vishing: Voice — phone calls impersonating IT, banks, vendors
- Tailgating: Following an authorised person through a secure door
- Shoulder surfing: Reading a screen in public
- Pretexting: Inventing a scenario to extract information
- MFA fatigue: Flooding a user with push prompts until they approve one
User training plus phishing simulations plus phishing-resistant MFA (FIDO2 / passkeys) is the layered defence.
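MFA fatigue leaves a recognisable trail in the identity provider's sign-in logs: a burst of denied or unanswered push prompts for one user, sometimes followed by an approval. The following is an added example, not code from the original lesson: detection logic that runs over a constructed set of push-MFA events and flags that pattern. The log format, user names and the 10-minute / 3-prompt thresholds are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA events (not from a real IdP): time, user, method, result.
SAMPLE_EVENTS = """
2024-05-01T08:02:10Z alice push approved
2024-05-01T23:41:05Z bob   push denied
2024-05-01T23:41:40Z bob   push timeout
2024-05-01T23:42:12Z bob   push denied
2024-05-01T23:43:01Z bob   push timeout
2024-05-01T23:44:30Z bob   push approved
2024-05-02T09:15:00Z carol push denied
2024-05-02T14:15:00Z carol push approved
"""

def parse_events(text):
    """Parse the sample format into (timestamp, user, method, result) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, result))
    return sorted(events)

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """
    Raise one alert per user when `threshold` push prompts were denied or timed
    out inside `window`. If an approval then arrives while the burst is still
    inside the window, mark the alert: that is the case to triage first.
    """
    recent = defaultdict(deque)   # user -> timestamps of rejections still inside the window
    alerts = []
    for ts, user, method, result in events:
        if method != "push":
            continue
        q = recent[user]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == threshold:       # fire once, when the burst crosses the threshold
                alerts.append({"user": user, "at": ts, "rejections": len(q),
                               "approved_after": False})
        elif result == "approved" and len(q) >= threshold:
            for alert in alerts:
                if alert["user"] == user and ts - alert["at"] <= window:
                    alert["approved_after"] = True
    return alerts
```

In the sample data only bob trips the rule (four rejections in under three minutes, then an approval); carol's single denial hours before her approval is normal user behaviour and stays quiet.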
Disposal and Data Destruction
End-of-life devices contain recoverable data. Methods:
- Sanitisation (software wipe): Built-in commands (Secure Erase for SSDs), DBAN / shred for HDDs. Always verify.
- Cryptographic erase: Wipe the encryption key — fast, effective on encrypted drives
- Degaussing: Magnetic platter wipe; HDD only, not SSD
- Physical destruction: Shredding for high-classification devices
- Vendor disposal: Get a certificate of destruction
The Endpoint Security Baseline (Minimum Viable)
- Automatic OS, browser, and app patching
- Modern EDR/AV deployed and reporting
- Host firewall enabled
- Full-disk encryption with key escrow
- SSO with phishing-resistant MFA on every account that supports it
- Standard-user accounts; admin only when needed
- Cloud backup of user files + tested restore process
- MDM enrolment for laptops and mobiles
- Phishing-aware users (trained + simulated)
This baseline alone shuts down the overwhelming majority of attacks that hit small and medium organisations. The next lesson covers the professional procedures and customer-service skills that round out an entry-level IT role.