AP Cybersecurity Unit 4

Securing Devices

This unit focuses on endpoints: laptops, tablets, phones, lab machines, shared devices, IoT equipment, and the controls that keep them trustworthy.

Defender Lens

For device questions, ask what the device can access, who can administer it, how it is updated, how malware is detected, and which logs show account or system changes.

Detailed Study Notes

What to understand before practice

Read these notes slowly, then connect each idea to the topic panels below.

Device security starts with a known-good baseline

A baseline is the expected secure configuration for a device: approved software, screen lock, current updates, limited services, logging, encryption where appropriate, and managed administrator access.

Hardening removes unnecessary risk. If a service, app, port, or permission is not needed, it should not remain enabled by default. This reduces the number of ways a device can be misused.

Shared devices need extra care because many users touch them. Sign-in rules, automatic logout, device management, and clear ownership make investigations easier.

Exam Connection

When a scenario says “shared,” “lab,” or “public device,” think about screen locks, standard accounts, sign-out, device management, and accountability.

Patching is prioritized risk reduction

A patch fixes a known weakness, but patching is also an operational process. Teams must know which devices exist, which versions they run, which vulnerabilities matter most, and when updates can be applied safely.

Internet-facing systems, devices with sensitive data, and systems with known exploited vulnerabilities should usually be prioritized. A low-risk device may still need updates, but urgency depends on exposure and impact.

Unofficial fixes and random downloads can create new risk. Patches should come from trusted sources and be tracked so defenders know what changed.

Exam Connection

If all devices cannot be patched at once, rank by exposure, sensitivity, and known exploitation rather than by convenience alone.
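As an added example that is not from the study guide, the ranking rule above in Python: a constructed device inventory is scored by known exploitation first, then exposure, then data sensitivity, with the count of missing patches only breaking ties; the weights, device names and the urgency labels are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    internet_facing: bool   # exposure: reachable from outside the school network
    sensitive_data: bool    # impact: holds grades, health or other personal records
    known_exploited: bool   # a missing update covers a weakness already being exploited
    missing_patches: int    # outstanding vendor updates

# Constructed weights (an assumption): known exploitation outranks exposure, which outranks sensitivity.
WEIGHTS = {"known_exploited": 100, "internet_facing": 30, "sensitive_data": 20}

def risk_score(d):
    """Higher score = patch sooner. Patch count only breaks ties; it never outranks the three factors."""
    score = sum(w for key, w in WEIGHTS.items() if getattr(d, key))
    return score + min(d.missing_patches, 10)

def urgency(d):
    """Translate the factors into something the team can actually schedule."""
    if d.known_exploited:
        return "immediate"
    if d.internet_facing or d.sensitive_data:
        return "next maintenance window"
    return "routine cycle"  # low risk still gets patched, just not first

def prioritize(devices):
    """Return (name, score, urgency) highest risk first; every device stays in the plan."""
    ranked = sorted(devices, key=lambda d: (-risk_score(d), d.name))
    return [(d.name, risk_score(d), urgency(d)) for d in ranked]

# Constructed inventory: the lab laptop has the most missing patches but the least exposure.
INVENTORY = [
    Device("lab-laptop-07", internet_facing=False, sensitive_data=False, known_exploited=False, missing_patches=12),
    Device("web-portal", internet_facing=True, sensitive_data=False, known_exploited=True, missing_patches=1),
    Device("grades-server", internet_facing=False, sensitive_data=True, known_exploited=False, missing_patches=3),
    Device("guest-kiosk", internet_facing=True, sensitive_data=False, known_exploited=False, missing_patches=2),
]

if __name__ == "__main__":
    for name, score, when in prioritize(INVENTORY):
        print(f"{name:<14} score={score:<4} {when}")
```

The device that is easiest to patch (the lab laptop, with twelve missing updates) ranks last, which is the point of ranking by exposure and exploitation rather than by convenience.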

Endpoint alerts need containment and scope

Malware can steal data, encrypt files, persist for later access, spy on activity, or use a device as a stepping stone. An endpoint alert is the beginning of investigation, not the end.

Containment may include disconnecting from the network, disabling an account, quarantining a file, preserving logs, or rebuilding the device. The action should match the severity and evidence.

Scope asks whether the problem is isolated or broader. Analysts compare similar devices, recent logins, file changes, network connections, and alerts from the same time period.

Exam Connection

Do not stop at “run antivirus” if the prompt asks for incident response. Include evidence preservation, containment, and scope.

Least privilege improves device accountability

Routine users should not operate as administrators because malware or mistakes inherit the user’s privileges. Standard accounts reduce the damage that one compromised session can cause.

Shared administrator accounts weaken evidence because actions cannot be tied to a specific person. Named admin accounts, approval processes, and logs create better accountability.

Logs matter only if they are enabled, protected, and reviewed. A device event log can help identify logins, installs, setting changes, and failures.

Exam Connection

When a prompt mentions unknown changes, suspicious installs, or shared admin passwords, least privilege and named accounts are likely relevant.

1. Hardening and Baselines

Hardening reduces unnecessary risk by using screen locks, approved software, secure settings, disabled unused services, and documented configuration baselines.

Apply It

Pick controls that reduce routine compromise while allowing the device to do its job.

Avoid This Trap

Installing one security tool does not replace patching, least privilege, backups, and secure configuration.

Study Move

Write a baseline checklist for a shared school laptop in ten lines or fewer.

2. Patch and Vulnerability Management

Patches fix known weaknesses. Good patching includes scheduling, testing, tracking, and prioritizing the highest-risk systems first.

Apply It

If a device is busy, schedule maintenance rather than ignoring the update forever.

Avoid This Trap

Unofficial downloads can create more risk than the vulnerability they claim to fix.

Study Move

Prioritize three devices for updates based on exposure, data sensitivity, and operational importance.

3. Malware, Endpoint Detection, and Response

Malware can steal, encrypt, spy, disrupt, or persist. Endpoint tools can quarantine files and create alerts, but humans still investigate scope.

Apply It

Preserve logs, report through the approved process, isolate affected systems when needed, and avoid running suspicious files.

Avoid This Trap

Quarantine is not the end of investigation. The question may ask what evidence to review next.

Study Move

For a malware alert, list what happened, which account was active, what file changed, and what network activity followed.

4. Device Accounts, Logs, and Least Privilege

Routine users should not use administrator permissions. Authentication logs, update logs, and system events can reveal suspicious changes.

Apply It

Use standard accounts for normal work, admin accounts for approved maintenance, and logs to investigate unexpected behavior.

Avoid This Trap

Shared administrator accounts reduce accountability because actions cannot be tied to a person.

Study Move

Turn a messy device incident into a timeline: login, change, alert, network connection, containment.

Evidence Drill

Practice the AP Cyber evidence habit

A lab tablet shows a suspicious login followed by a new app installation. List the logs and account records you would review before recommending containment.
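An added example in Python, not part of the study guide, that works the drill above together with the timeline Study Move from panel 4 and the scope questions from the endpoint-alert notes: it parses constructed device event log lines, orders them into a login, change, alert, network, containment timeline for one tablet, flags actions taken under a shared admin account, and checks whether other devices installed the same app. The log format, host names, accounts, file name and addresses are all made up for the illustration.

```python
import re
from collections import defaultdict

# Constructed log shape: "<timestamp> <host> <EVENT> key=value ..."; not a real OS log format.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) ?(?P<rest>.*)$")

# Constructed sample: the drill tablet, a second tablet with the same app, and an unrelated login.
SAMPLE_LOG = """\
2024-03-04T08:02:11 lab-tablet-03 LOGIN account=admin_shared result=success src=10.0.5.21
2024-03-04T08:03:40 lab-tablet-03 APP_INSTALL account=admin_shared app=ScreenTool.apk
2024-03-04T08:05:02 lab-tablet-03 EDR_ALERT account=admin_shared file=ScreenTool.apk verdict=suspicious
2024-03-04T08:05:30 lab-tablet-03 NET_CONNECT account=admin_shared dst=203.0.113.9:443
2024-03-04T08:10:00 lab-tablet-03 CONTAINMENT action=isolate by=analyst.k
2024-03-04T08:07:15 lab-tablet-05 APP_INSTALL account=admin_shared app=ScreenTool.apk
2024-03-04T09:00:00 lab-tablet-06 LOGIN account=student.m result=success src=10.0.5.40
"""

def parse(text):
    """Turn each log line into a dict, sorted by time; lines that do not match the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
        ev.update(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def timeline(events, host):
    """The login -> change -> alert -> network -> containment story for one device."""
    return [(e["ts"], e["event"], e.get("account") or e.get("by", "-"))
            for e in events if e["host"] == host]

def accountability_gaps(events, host):
    """Events done under the shared admin account: these cannot be tied to a person."""
    return [e["event"] for e in events
            if e["host"] == host and e.get("account") == "admin_shared"]

def scope(events, host):
    """Did other devices install the same app? If so, the problem is broader than one tablet."""
    flagged = {e["app"] for e in events if e["host"] == host and e["event"] == "APP_INSTALL"}
    others = defaultdict(set)
    for e in events:
        if e["host"] != host and e.get("app") in flagged:
            others[e["host"]].add(e["app"])
    return dict(others)
```

Run `timeline(parse(SAMPLE_LOG), "lab-tablet-03")` to see the ordered story; `scope` on the same host shows that lab-tablet-05 also installed the flagged app, so containment of one tablet is not the end of the investigation.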

Review Questions

  1. What is a secure baseline and why does it matter?
  2. When should a device be isolated from the network?
  3. Why are shared administrator accounts weak evidence?