Security+ Flashcards: Endpoint Security, EDR, Antivirus, Mobile Device Management

Learn about network security fundamentals, such as firewalls and VPNs, and explore endpoint security measures like EDR and mobile device management.

Nortren

What is endpoint detection and response and how does it differ from antivirus?

Traditional antivirus relies primarily on signature-based detection, comparing files against a database of known malware signatures, and is effective against known threats but misses novel attacks. Endpoint detection and response, or EDR, continuously monitors endpoint activity, collects telemetry data, uses behavioral analysis and machine learning to detect suspicious activity, and provides investigation and response capabilities. EDR can detect fileless malware, living-off-the-land attacks, and zero-day exploits that signature-based antivirus misses.

What is mobile device management and what policies does it enforce?

Mobile device management, or MDM, is a centralized platform that manages and secures the smartphones, tablets, and laptops used in an organization. MDM enforces security policies including requiring device encryption, mandating a screen lock with a PIN or biometrics, enforcing minimum operating system versions, controlling which applications can be installed, configuring VPN and Wi-Fi settings, enabling remote wipe if a device is lost or stolen, separating personal and corporate data through containerization, and restricting features such as the camera or Bluetooth in sensitive areas.

What is data loss prevention at the endpoint level?

Endpoint data loss prevention monitors and controls data movement on individual devices to prevent unauthorized disclosure of sensitive information. It can block or alert when users attempt to copy classified files to USB drives, upload sensitive documents to personal cloud storage, print confidential information, attach restricted files to emails, or take screenshots of protected content. Endpoint DLP uses content inspection to identify sensitive data based on patterns, keywords, data fingerprints, and classification labels.

What is application whitelisting and why is it effective?

Application whitelisting, also called application allowlisting, permits only pre-approved software to execute on a system and blocks everything else by default. This is a deny-by-default approach that is fundamentally more secure than traditional antivirus, which allows everything except known malware. Whitelisting prevents zero-day malware, unauthorized software installation, and many fileless attacks because the malicious code is not on the approved list. The challenge is maintaining the whitelist as legitimate software is updated and new applications are added.

What is full disk encryption and when should it be used?

Full disk encryption, or FDE, encrypts the entire contents of a storage device so that data is unreadable without the correct authentication credentials at boot time. BitLocker for Windows and FileVault for macOS are common implementations. FDE protects data at rest if a device is lost, stolen, or decommissioned, making the data inaccessible to anyone without the decryption key. It should be used on all laptops, mobile devices, and removable media that may contain sensitive data.

What is a boot integrity mechanism like Secure Boot?

Secure Boot is a firmware security feature that ensures only digitally signed and trusted software can execute during the system startup process. When the computer powers on, Secure Boot verifies the digital signature of the bootloader against certificates stored in the firmware before allowing execution. If the signature is invalid or missing, the boot process is halted, preventing rootkits and boot-level malware from loading before the operating system and its security controls.