Devices are where data lives, gets processed, and leaks out: securing the endpoint is the last line of defense after physical and network controls fail.
The device landscape spans servers, personal computers, handheld mobile devices, and embedded systems, with Internet of Things (IoT) hardware now running everything from pacemakers to water treatment pumps.
Malware is the adversary's primary tool for compromising devices, and recognizing the distinct behaviors of viruses, worms, trojans, ransomware, spyware, and rootkits is foundational to incident response.
Authentication is the gatekeeper of device access, and most real-world breaches trace back to weak, reused, or stolen passwords rather than exotic exploits.
Cryptographic hashing underpins password storage and integrity checks, and understanding properties like collision resistance and pre-image resistance explains why some algorithms (MD5, SHA-1) are deprecated.
Defenders use a layered mix of managerial controls (policies), technical controls (anti-malware, firewalls, patching), and detective controls (log analysis) rather than relying on any single safeguard.
Logs from authentication systems, file activity, and processes generate indicators of compromise (IoCs) that let analysts reconstruct what an adversary did and when.
The themes here connect directly to network security (Unit 3), data protection (later units on encryption and confidentiality), and the broader CIA triad: a compromised device threatens confidentiality, integrity, and availability simultaneously.
Key Concepts and Terms
Malware: Malicious software designed to damage, disrupt, or grant unauthorized access to a device or network.
Fileless malware: Malicious code that lives in RAM and abuses legitimate installed programs rather than writing files to disk, making detection harder.
Ransomware: Malware that encrypts a victim's files and demands payment for the decryption key, exemplified by attacks like WannaCry and the Colonial Pipeline incident.
Rootkit: Sophisticated malware that embeds in the operating system, controls nearly every system function, and hides itself from detection tools.
Cryptographic hash function: A one-way mathematical algorithm (MD5, SHA-256, NTHash) that converts arbitrary input into a fixed-length output with collision and pre-image resistance.
Salt: Random bits added to a password before hashing so that identical passwords produce different stored hashes.
Rainbow table: A precomputed, sorted table of common passwords and their hashes used to reverse captured hashes quickly.
Multifactor authentication (MFA): Authentication requiring two or more factors from different categories (knowledge, possession, biometric, location).
Credential stuffing: An attack using lists of default or breached username:password pairs against many services, exploiting password reuse.
Password spraying: An attack that tries one common password (like "Spring2024!") against many user accounts to evade lockout thresholds.
BIOS/UEFI: Firmware that initializes hardware before the OS loads; without a password set, attackers can boot to recovery mode or external media.
Host-based firewall: Software running on a single device that allows or denies inbound and outbound traffic per a rule list (ACL).
Anti-malware signature: A unique pattern (often a file hash or byte sequence) used by antivirus software to identify known malicious files.
Patch: A small software update issued by a vendor to fix a discovered vulnerability before adversaries can exploit it widely.
Indicator of Compromise (IoC): Evidence in logs, files, or behavior that suggests a device or network has been breached.
Endpoint Detection and Response (EDR): A third-party service that centralizes monitoring, alerting, and response across an organization's devices.
Acceptable Use Policy (AUP): A managerial control that defines what users may and may not do on organization-owned devices.
The Device Landscape and Its Risks
Servers provide shared services (DNS, DHCP, FTP, email) and are high-value targets because a compromise affects many users at once.
An unpatched Microsoft Exchange server is the classic high-risk example: one vulnerability exposes every user's mail.
Personal computers (desktops, laptops, notebooks) are general-purpose endpoints used by a single person.
Handheld devices (smartphones, tablets, smartwatches) are battery-powered and often roam outside the corporate network, expanding the attack surface.
Embedded computers run specialized instruction sets inside larger machines and typically have minimal storage and processing power.
Examples: IV pumps and MRI scanners in hospitals, programmable logic controllers at electrical substations, microcontrollers in cars and airplanes.
IoT devices (thermostats, washing machines, smart speakers) inherit embedded-computer constraints and frequently ship with default credentials and irregular patching.
The Mirai botnet recruited tens of thousands of IoT cameras and routers using default logins.
Risk severity scales with what the device controls or stores: an open telnet port on one laptop is low risk, while missing MFA on a water-pump controller is moderate-to-high risk, and an unpatched email server is high risk.
Malware Families and Exploitation Techniques
Viruses require user action (opening an attachment, running an executable) while worms self-propagate across networks.
WannaCry behaved as a worm, spreading through the EternalBlue SMB vulnerability without any user click.
Trojans masquerade as benign software; Remote Access Trojans (RATs) give the adversary an interactive shell on the victim machine.
Spyware and keyloggers harvest data passively, often capturing typed credentials before any hash protection applies.
Logic bombs lie dormant until a trigger condition fires, such as a specific date being reached or an employee's record disappearing from the payroll system.
Common exploitation paths include unpatched software, weak or default credentials, unprotected BIOS/UEFI, autorun enabled for USB drives, open ports, missing firewalls, and absent anti-malware.
Stuxnet famously combined USB autorun, multiple zero-day exploits, and embedded-system targeting at Iranian centrifuges.
Authentication, Hashing, and Password Attacks
Authentication factors fall into four categories: knowledge (password, PIN), possession (smart card, YubiKey, phone), biometric (fingerprint, iris), and location (GPS, IP geolocation).
Passwords are stored as salted hashes so that a breach of the user:password database does not immediately reveal plaintexts.
Hash functions must be collision resistant, pre-image resistant, repeatable, and fixed-length; MD5 and SHA-1 are deprecated because efficient collision attacks exist.
Online attacks happen against live login portals and are slowed by lockout policies; offline attacks run against stolen hash dumps on the attacker's own hardware and bypass lockouts entirely.
Tools like Hashcat and John the Ripper perform brute force, dictionary, and rainbow table attacks at billions of guesses per second on GPU rigs.
Reused passwords are the gateway to credential stuffing: when LinkedIn or Adobe credentials leak, those same passwords get tried against banking, email, and corporate VPN logins.
Login hardening settings include complexity rules, minimum length, password history (preventing reuse of the last 5 to 10 passwords), maximum age (often 90 to 120 days, though modern NIST guidance discourages forced rotation), and account lockout after 3 to 5 failed attempts.
Layered Protection: Managerial and Technical Controls
Managerial controls are written policies that shape user behavior before any technical enforcement kicks in.
Acceptable use policies restrict gaming and social media on work laptops, ban unauthorized USB drives, and require timely updates.
Password policies define length, construction rules, and rotation schedules, and often recommend password managers like 1Password or Bitwarden.
Software installation policies prevent shadow IT by listing approved applications and routing requests through IT.
Anti-malware software maintains a signature database, periodically scans files, and quarantines matches.
Patch management closes known vulnerabilities before adversaries weaponize them.
The Equifax breach exploited an unpatched Apache Struts vulnerability that had a fix available for two months.
Host-based firewalls filter both inbound and outbound traffic on a single device; rules are evaluated top-down, and the first matching rule decides the verdict.
Blocking outbound FTP on workstations stops adversaries from exfiltrating files even after an initial compromise.
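First-match rule processing and the outbound-FTP block, as an added example that is not code from the original notes. The rule format, the workstation rule set and the constructed test packets are assumptions made for this example; real host firewalls expose more fields, but the evaluation order is the same: walk the list from the top, stop at the first rule that matches, and fall back to the default when nothing matches. The second rule set shows what goes wrong when a broad allow sits above a specific deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" or "out"
    proto: str             # "tcp", "udp" or "any"
    remote: str            # CIDR the remote address must fall inside
    port: Optional[int]    # destination port of the connection; None = any


@dataclass(frozen=True)
class Packet:
    direction: str         # "in" (remote -> this host) or "out" (this host -> remote)
    proto: str
    remote_ip: str
    port: int              # destination port: remote service for "out", local service for "in"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must match; None in the port field means any port."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.port is not None and rule.port != pkt.port:
        return False
    return ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.remote)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Top-down, first match wins; unmatched traffic gets the default verdict."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def workstation_rules() -> List[Rule]:
    """Constructed rule set for a workstation: specific denies before broad allows."""
    return [
        Rule("deny", "out", "tcp", "0.0.0.0/0", 21),        # block outbound FTP control channel
        Rule("allow", "out", "tcp", "0.0.0.0/0", 443),      # web over TLS
        Rule("allow", "out", "udp", "10.0.0.0/8", 53),      # DNS to internal resolvers only
        Rule("allow", "in", "tcp", "10.0.0.0/8", 22),       # SSH from the internal network only
        # anything else falls through to the default deny
    ]


def misordered_rules() -> List[Rule]:
    """Same rules, but a blanket outbound allow placed first: the FTP deny is never reached."""
    return [
        Rule("allow", "out", "any", "0.0.0.0/0", None),
        Rule("deny", "out", "tcp", "0.0.0.0/0", 21),
    ]


def verdict_for(rules: List[Rule], direction: str, proto: str, remote_ip: str, port: int) -> str:
    return evaluate(rules, Packet(direction, proto, remote_ip, port))


if __name__ == "__main__":
    good, bad = workstation_rules(), misordered_rules()
    print("outbound FTP, correct order:", verdict_for(good, "out", "tcp", "198.51.100.20", 21))
    print("outbound FTP, wrong order:  ", verdict_for(bad, "out", "tcp", "198.51.100.20", 21))
    print("inbound SMB from internet:  ", verdict_for(good, "in", "tcp", "198.51.100.20", 445))
```

Two habits follow from the first-match semantics: put specific denies above broad allows, and keep the final default at deny so that anything not explicitly listed is blocked.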
Defense in depth means stacking these controls so that no single failure exposes the device.
Detecting Attacks Through Logs and IoCs
Computing systems continuously log logins, file operations, process starts, and configuration changes, providing the raw material for incident reconstruction.
Host-based IoCs surface in authentication logs, user activity logs, and config files: unexpected new services, modified system files, unauthorized software installs.
File-based IoCs include hash matches against malware databases (VirusTotal hashes), known malicious file names, or suspicious file paths like temp directories executing binaries.
Behavior-based IoCs include repeated failed logins, logins at 3 a.m. from a foreign IP, and unexplained privilege escalation attempts.
Detection methods trade off performance, cost, and protection level.
Signature-based detection is fast and low on false positives but is bypassed by novel malware and fileless attacks.
Anomaly-based detection catches new threats but consumes more CPU and memory, making it unsuitable for many embedded devices.
Endpoint Detection and Response (EDR) platforms like CrowdStrike Falcon or Microsoft Defender for Endpoint centralize alerts across thousands of devices.
Password attack signatures in auth logs are distinctive: many wrong passwords on one account point to brute force, one password tried against many accounts from a single IP signals password spraying, and rapid attempts against default accounts indicate credential stuffing.
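The three signatures above, turned into detection logic over sample log lines. This is an added example, not code from the original notes: the log lines are constructed in sshd's "Failed password" format, the thresholds, the list of default account names, and the function names are assumptions for this example. Because a log does not record which password was tried, spraying is approximated by one source address failing against many distinct accounts, which is the observable side of "one password against many users".

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Matches sshd-style failure lines, with or without the "invalid user" marker.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Assumed list of account names that ship as defaults on many devices.
DEFAULT_ACCOUNTS = {"admin", "root", "guest", "pi", "ubnt", "support"}


def sample_log() -> List[str]:
    """Constructed auth log: one brute-force target, one spraying source, one default-account source."""
    lines = []
    for i in range(6):
        lines.append(f"Mar 10 03:1{i}:02 ws01 sshd[41{i}]: Failed password for alice from 198.51.100.7 port 5{i}000 ssh2")
    for i, user in enumerate(["bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"Mar 10 03:20:0{i} ws01 sshd[420]: Failed password for {user} from 203.0.113.9 port 44{i}00 ssh2")
    for i, user in enumerate(["admin", "root", "pi"]):
        lines.append(f"Mar 10 03:21:0{i} ws01 sshd[430]: Failed password for invalid user {user} from 192.0.2.44 port 3{i}100 ssh2")
    lines.append("Mar 10 08:02:11 ws01 sshd[500]: Accepted password for alice from 10.1.2.3 port 52000 ssh2")
    return lines


def parse_failures(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, source_ip) for every failed-login line; other lines are ignored."""
    events = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def classify(events: List[Tuple[str, str]],
             brute_threshold: int = 5,
             spray_threshold: int = 5,
             default_threshold: int = 3) -> Dict[str, List[str]]:
    """Map each page signature onto counters over the parsed failures.

    brute_force:         accounts with >= brute_threshold failures (any source)
    password_spraying:   sources failing against >= spray_threshold distinct accounts
    default_credentials: sources with >= default_threshold failures on default account names
    """
    failures_per_user: Counter = Counter(user for user, _ in events)
    accounts_per_ip: Dict[str, set] = defaultdict(set)
    default_hits_per_ip: Counter = Counter()
    for user, ip in events:
        accounts_per_ip[ip].add(user)
        if user in DEFAULT_ACCOUNTS:
            default_hits_per_ip[ip] += 1
    return {
        "brute_force": sorted(u for u, n in failures_per_user.items() if n >= brute_threshold),
        "password_spraying": sorted(ip for ip, users in accounts_per_ip.items()
                                    if len(users) >= spray_threshold),
        "default_credentials": sorted(ip for ip, n in default_hits_per_ip.items()
                                      if n >= default_threshold),
    }


def analyze(lines: List[str]) -> Dict[str, List[str]]:
    return classify(parse_failures(lines))


if __name__ == "__main__":
    for signature, hits in analyze(sample_log()).items():
        print(f"{signature}: {hits}")
```

In production the counters would be kept per sliding time window rather than over the whole file, since the same totals spread over a month mean something different from the same totals in ten minutes; the thresholds here are deliberately low so the constructed sample trips each one.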
Offline password attacks are invisible to the defender because the cracking happens on the adversary's machine, which is why hash leak disclosures must trigger a forced password reset for every affected user.