An official training service of the State of the Kaharagians
CIS 201 Digital Security and Cyber Hygiene
Lesson 4 of 10

Device and Endpoint Security

Lesson Overview

The last lessons protected the accounts behind your work and taught you to see through the messages that try to steal them. This lesson protects the things you actually hold: the phone, the laptop, and the tablet used on Army business. In the language of cyber security these are endpoints, the points where a person and the Principality's systems meet, and they are where a great many attacks either succeed or fail. A digitally organised state has no walls and no gate; the device in your pocket is a piece of the perimeter, and keeping it secure is an ordinary, learnable discipline rather than a specialist's art.

The lesson is deliberately practical, because almost everything in it is something you can do today on a device you already own. We work through keeping software updated and patched, since most attacks exploit holes already known and already fixed; the screen lock and full-disk encryption that protect a device that leaves your hand; installing apps only from trusted sources; the plain truth about anti-malware; the risk of untrusted public Wi-Fi and the place of a VPN; the safe handling of removable media; backing up your data on the 3-2-1 rule so that ransomware and loss lose their power over you; and the lost-or-stolen-device drill, which is to report at once so that access and certificates can be revoked. These are the Protect and Recover habits of the cyber-hygiene baseline, brought down to one person and one device.

This is the knowledge layer. Reading it well prepares you, but it does not by itself make a device secure. The practical parts, turning on encryption, configuring an automatic update, running a real backup and then a test restore, and walking through a lost-device report, are done and signed off in person where supervision allows, on the systems and devices the Army actually uses. By the end you will be able to explain why patching is the single highest-value habit and keep your devices updated, lock and encrypt a device so its loss is not a breach, install software only from trusted sources and keep anti-malware sensible, judge the risk of public Wi-Fi and use a VPN where it helps, handle removable media safely, back up important data on the 3-2-1 rule and test that you can restore it, and carry out the lost-or-stolen-device drill of immediate reporting so that access and certificates can be revoked.

Key Terms

  • Endpoint: any device a person uses to reach the Principality's systems and information, a phone, laptop, or tablet; the point where a human meets the network, and a favourite target of attackers.
  • Patch: a correction issued by the maker of software or a device to close a known security hole or fix a fault; applying patches promptly is called keeping software updated or patched.
  • Vulnerability: a known weakness in software or a system that an attacker can misuse. Most successful attacks exploit vulnerabilities for which a fix already exists but has not been installed.
  • Screen lock: the requirement to present a passcode, fingerprint, or face before a device will respond, so that a device left or lost does not simply open for whoever holds it.
  • Full-disk encryption: scrambling everything stored on a device so that, without the key, the contents are unreadable; it turns a lost or stolen device from a breach into a mere loss of hardware.
  • Trusted source: an official, reputable place to obtain software, the maker's own site or the platform's official store, as against an unofficial download, an attachment, or a link, which may carry hidden malware.
  • Anti-malware: software that watches for, blocks, and removes malicious software (viruses, ransomware, spyware, and the like); a useful layer, not a substitute for the other habits.
  • Public Wi-Fi: an open or shared wireless network in a cafe, station, hotel, or similar, which the user does not control and cannot trust; convenient, and a place where traffic may be watched or tampered with.
  • VPN (virtual private network): a service that wraps your connection in an encrypted tunnel to a trusted point, so that an untrusted network in between cannot read or alter what passes through.
  • Removable media: anything you can plug in and unplug that carries data, a USB memory stick, an external drive, a memory card; portable, easily lost, and a common way malware travels between machines.
  • Backup: a separate copy of important data, kept so that the loss, corruption, or ransoming of the original is recoverable; only a backup you have tested restoring is truly a backup.
  • 3-2-1 rule: the working standard for backups, three copies of important data, on two different kinds of media, with one kept off-site or offline, the restore tested.
  • Ransomware: malicious software that encrypts or locks your data and demands payment to release it; tested backups are the answer that lets you refuse to pay.

Why the device is part of the perimeter

A traditional organisation could draw a line around its building and its network and concentrate its defences on that line. The Principality of Kaharagia cannot, because it has no building and no single network; it runs on self-hosted online services reached from wherever its members happen to be, on whatever device they carry. There is no perimeter to guard except the sum of the devices and the accounts. That is why the phone in your pocket and the laptop on your kitchen table are not private affairs the moment they touch Army business. Each is a small section of the state's defences, and the strength of the whole is the strength of the weakest of them.

This is also why the habits in this lesson sit alongside, and never compete with, the account habits of the earlier lessons. A strong passphrase and multi-factor authentication protect the account; the endpoint habits protect the device that holds the account, the keys, and the certificates. An attacker who cannot guess your passphrase may still take the unlocked phone you left on a table, or slip malware onto a laptop unpatched for a year, and so reach everything the device can reach. The two layers cover each other; neither is optional.

One more point frames the whole lesson. The most valuable thing an endpoint may hold is not a document but a credential: a saved login, a session, a per-user certificate or key such as the TAK .p12 that proves the device is who it claims to be. Lose control of the device and you risk losing control of those. That is the thread running through everything below, and it is why the lost-device drill at the end is treated with the seriousness it deserves.

Patching: the single highest-value habit

If you take one habit from this lesson, take this one. Most successful attacks exploit a known, unpatched hole. The weakness was discovered, the maker issued a fix, and the attacker simply went looking for the machines whose owners had not installed it. Patching is therefore not housekeeping you do when convenient; it is the front line, and it is largely free. Every modern operating system and reputable application can be kept current, and most can do it themselves if you let them.

The rule is plain: let your devices and your important software update automatically, and install updates promptly when they are offered. Turn on automatic updates for the operating system on every phone, tablet, and laptop you use on Army business, and for the applications that handle sensitive things, the browser above all, since the browser is the door through which most of the internet enters the device. Do not sit for weeks on a waiting update. When one is offered, especially a security update, treat it as the most urgent maintenance the device will ask of you.

A second part of patching is harder to see but just as real: software that is no longer supported can no longer be patched. When a maker stops issuing fixes for a version of an operating system or an application, every hole found in it after that day stays open forever. A phone too old to receive updates, or an operating system past its end of support, is a standing risk no care can close, because the fixes have stopped coming. Part of keeping a device patched is knowing when the device itself has aged out of being safe, and saying so. Where a device is used on Army business, that judgement belongs with the person responsible for the system, not with the individual alone.

The device that leaves your hand: lock and encrypt

Patching defends against an attacker who reaches your device over the network. The screen lock and encryption defend against one who reaches it in person, because devices are dropped, left, and stolen, and a phone is small enough to vanish in a moment. Two settings turn that loss from a disaster into an inconvenience.

The first is the screen lock. Every device used on Army business must require a passcode, a fingerprint, or a face before it will respond, and must lock itself automatically after a short idle time so that it is not left sitting open on a table or a train seat. Use a strong unlock secret, a proper passcode rather than a four-digit number an onlooker can shoulder-surf, and let a fingerprint or face stand in for the convenience of everyday use while the strong passcode guards the device underneath. A device that locks itself is a device that an opportunist who picks it up cannot simply open.

The second, and the one people forget, is full-disk encryption. A screen lock keeps a casual finder out of the running device, but a determined person can take the storage out of an unencrypted laptop, plug it into another machine, and read everything on it as though the lock had never existed. Encryption closes that route. With the whole disk encrypted, the contents are meaningless without the key, and the key is bound to your unlock secret, so the loss of the hardware is not the loss of the data. Modern phones encrypt themselves by default once a screen lock is set; laptops usually offer it as a setting you must switch on, and you should, on every machine that touches Army business. A lost laptop with an encrypted disk is a hardware cost. A lost laptop without one is a breach.

   DEVICE-HARDENING CHECKLIST (every device used on Army business)

   UPDATED       [ ] automatic updates ON for the operating system
                 [ ] browser and key apps kept current
                 [ ] device still supported (old enough = retire it)

   LOCKED        [ ] screen lock ON, auto-lock after a short idle
                 [ ] strong passcode (not a 4-digit PIN)

   ENCRYPTED     [ ] full-disk encryption ON (phones: usually default)

   CLEAN         [ ] apps from official store / maker only
                 [ ] anti-malware on, and updating itself
                 [ ] no unknown removable media plugged in

   PROTECTED     [ ] backed up on the 3-2-1 rule, restore tested
                 [ ] VPN ready for untrusted networks

   A device that is updated, locked, encrypted, clean, and backed up
   loses very little if it is lost. Aim every device at this line.

Trusted sources and a sensible view of anti-malware

Malware has to get onto a device somehow, and the commonest way is that someone installs it, believing it to be something else. The defence is the rule of trusted sources: obtain software only from the platform's official store or the maker's own site, never from an unexpected attachment, a link in a message, a pop-up that says your device is infected, or an unofficial site offering a paid program for free. Those last are favourite carriers of malware precisely because the lure, something for nothing, lowers the guard. On a phone or tablet, stay with the official store and resist the urge to sideload from elsewhere. On a laptop, go to the maker's real website rather than the first search result, which may be an impostor. The habit costs nothing and closes the busiest door malware uses.

This connects to the previous lesson. A great deal of malware arrives by the same routes as phishing, an attachment opened, a link followed, a file run, so the alert eye that questions an unexpected message is also the eye that questions an unexpected download. If a file or a program arrives that you did not expect, treat it as you would a suspicious message: do not open or run it, and verify by a separate known channel before you do anything.

Anti-malware is a genuine and worthwhile layer, and the cyber-hygiene baseline for small organisations expects it. Keep reputable anti-malware running on devices that support it, and, just as importantly, let it update itself, because anti-malware that has not refreshed its knowledge of new threats is half blind. But hold it in proportion. Anti-malware is the safety net beneath the other habits, not a replacement for them. It will catch some of what slips through, but it cannot save a device that is unpatched, unencrypted, left unlocked, and fed software from anywhere. The order of value is plain: patch, lock, encrypt, and install only from trusted sources first; run anti-malware as the backstop.

Untrusted networks and the place of a VPN

When a device connects to a wireless network, it trusts that network to carry its traffic faithfully. On your own home or Army network that trust is reasonable. On public Wi-Fi, the open or shared network in a cafe, a station, a hotel, or an airport, it is not, because you do not control the network and cannot know who else is on it or who runs it. An untrusted network may let others watch the traffic that crosses it, or may itself be a trap set up to harvest what passes through. The convenience is real and so is the risk.

Two things keep you safe on a network you do not trust. The first is already in place if you use the web sensibly: modern sites and apps encrypt their own traffic, so that even on a hostile network the contents of a properly secured connection cannot easily be read. The second, for anything sensitive, is a VPN. A VPN wraps your whole connection in an encrypted tunnel out to a trusted point, so that the untrusted network in between sees only scrambled traffic it can neither read nor alter. Where the Army provides or directs the use of a VPN for reaching its systems, use it, and use it as a matter of course on any network you do not control. Treat the plain rule as standing advice: on untrusted public Wi-Fi, do nothing sensitive without a VPN, and where in doubt, use your own mobile data, which you control, rather than a stranger's network. This sits squarely alongside the discipline taught in SIG 220 · Communications Security and Digital Discipline, where the security of the channel is the whole subject.

Removable media

A USB memory stick, an external drive, or a memory card is convenient precisely because it moves data easily from one machine to another, and that is also exactly why it is a security problem: malware moves the same way, and a small device is the easiest of all to lose. Two cautions cover most of the risk.

The first concerns media you did not bring. Never plug in removable media of unknown origin. A USB stick found in a car park, handed over at an event, or arriving unexpectedly in the post is a classic delivery method for malware, and curiosity is the lure. The safe assumption is that any unknown drive is hostile until a responsible person has cleared it. The second concerns media you do bring. Removable media that carries Army information should be kept to a minimum, should where possible be encrypted so that its loss is not a breach in the same way an unencrypted laptop's would be, and should be handled as the small, easily lost thing it is. The safe-data-handling lesson that follows treats the wider question of what information may go where; the device-level rule here is simpler: be wary of what you plug in, and careful with what you carry out.

Backups and the 3-2-1 rule

Everything so far is about preventing harm. Backups are about surviving it when prevention fails, and prevention will sometimes fail. A laptop is dropped in a river; a phone is stolen; a disk simply dies; or ransomware encrypts a machine and demands payment to unlock it. Against every one of these, the answer is the same and it is wonderfully reliable: a separate, tested copy of the data you cannot afford to lose. With a good backup, ransomware loses its hold, because you can refuse to pay and restore from your own copy, and an accident loses its sting, because what was lost is recoverable.

The working standard is the 3-2-1 rule, and it is worth holding exactly.

   THE 3-2-1 BACKUP RULE

        3  COPIES of important data
           the original, plus two more
                    |
        2  KINDS of media
           e.g. the device itself + an external drive
           (so one failure does not take all copies)
                    |
        1  OFF-SITE or OFFLINE copy
           somewhere else, or disconnected
           (survives fire, theft, AND ransomware that
            spreads to everything plugged in)
                    |
        +  TEST THE RESTORE
           a backup you have never restored from is
           only a HOPE. Prove you can get the data back.

   Three copies, two media, one away. Then test it.

Take the rule a part at a time. Three copies means the original plus two backups, so the failure of any one, even of a backup, still leaves you a copy. Two kinds of media means the copies do not all live on the same sort of thing, because a fault that kills one kind, or a single accident, should not be able to take them all; the device itself and an external drive are two kinds, and a reputable cloud backup is another. One off-site or offline is the part that defeats the worst cases: a copy kept somewhere else survives a fire or a theft that destroys everything in one place, and a copy kept offline, disconnected, survives ransomware, which spreads eagerly to every drive it can reach but cannot reach a disk that is not plugged in. That copy turns a catastrophe into an inconvenience, and it is the one people most often skip.

And then the part that is not a number at all but matters more than any of them: test that you can restore. A backup you have never restored from is not a backup; it is a hope, and hopes fail on the day they are tested in earnest, when the backup turns out to be empty, corrupt, or unreadable. The only way to know a backup works is to restore from it and see your data come back. Do it once when you set the backup up, and again from time to time, so the day you need it is not the first time you find out whether it works. For Army systems the backing-up and testing belong to those who run the systems, and continuity is carried further in HCR 220 · Emergency Preparedness and Civil Resilience; for your own device and the work you hold on it, the 3-2-1 rule is a personal discipline you can keep starting today.

The lost-or-stolen-device drill

For all the care above, devices are still lost and stolen, and a calm, immediate response is what limits the damage. The single most important thing to understand is that the worst thing about a lost device is rarely the hardware. It is the access the device may grant and the credentials it may hold: the saved logins, the live sessions, and above all the per-user certificates and keys, such as the TAK .p12, that prove the device is a trusted member of the Principality's systems. While those remain valid on a device outside your control, the device is a way in. Revoking them closes the way in. Everything in the drill serves that one end, and it serves it fastest when you report at once.

So the drill is, before anything else, to report immediately. The moment you know, or seriously suspect, that a device used on Army business is lost or stolen, tell the responsible person without delay, by whatever channel reaches them fastest, so that its access can be cut and its certificates and keys revoked. Speed is the whole point: a device reported in minutes is a near miss, while the same device sitting unreported for a day is a day in which someone may have used it. Do not delay out of embarrassment, and do not hope it will turn up; report it, and let it be a false alarm if the device is found, which is a far happier outcome than a real breach discovered late.

Two cautions go with the report. Do not try to investigate or recover the device yourself in any way that puts you at risk or that hides the loss; the point is revocation, which only the responsible person can do, not heroics. And report honestly and in full, including what the device could reach and what it held, because the responsible person can only revoke what they know about. A lost device handled this way costs the Principality a piece of hardware and an hour of administration. The same device hidden or reported late can cost far more.

   LOST OR STOLEN DEVICE: WHAT TO DO

   You realise a device used on Army business is gone
                    |
                    v
   [ 1 ] REPORT IMMEDIATELY ---- tell the responsible person now,
                                  by the fastest channel. Minutes matter.
                    |
                    v
   [ 2 ] SAY WHAT IT COULD REACH -- accounts, sessions, and any
                                     certificates/keys (e.g. TAK .p12)
                    |
                    v
   [ 3 ] ACCESS + CERTIFICATES REVOKED -- the responsible person
                                          cuts access and revokes keys
                    |
                    v
   [ 4 ] FOLLOW DIRECTION -- change affected passwords, set up a
                             clean device, restore from BACKUP (3-2-1)
                    |
                    v
   [ 5 ] LEARN FROM IT -- the team improves so it is less likely next time

   Do NOT: hide it, delay out of embarrassment, or hope it turns up.
   A false alarm reported fast is far better than a breach found late.

You will notice that the drill ends where the previous lesson's phishing drill ended and where the incident lesson begins: report at once, do not hide it, follow direction, and let the team learn. That is not a coincidence. It is the same disciplined response to trouble applied to a different kind of trouble, and it is the heart of how a small force stays safe. A device is replaceable. Honesty and speed in reporting are what keep its loss small.

In Practice: A Stolen Phone on a Crowded Platform

A member of the Principality, a systems assistant who carries Army business on a personal phone, has the phone lifted from a jacket pocket on a crowded station platform and realises within a minute that it is gone. The hour that follows shows why the unglamorous habits of this lesson are worth keeping.

The first thing that saves them is what they did long before. The phone has a strong screen lock and locks itself after a short idle, so the thief who walks away with it cannot simply open it; it encrypts itself by default, so its storage cannot be read out on another machine; and it was kept patched, so there is no easy hole to lever the lock open. The data on the device is, for the thief, a sealed box. But the member knows that a sealed box is not a guarantee, and that the phone holds saved sessions and a per-user certificate that proves it to Army systems. So they do not stand on the platform trying to track or recover it, and they do not put off the awkward call. From a colleague's phone they report it at once to the responsible person, plainly: a device used on Army business is stolen, here is roughly what it could reach, here are the certificate and the accounts that should be assumed compromised.

The responsible person acts on the report at once, revoking the phone's certificate and cutting its access, so that even if the lock is somehow defeated the device is no longer trusted by anything that matters. The member then changes the affected passwords from a clean device and, because their work was backed up on the 3-2-1 rule, sets up a replacement and restores what they had lost from a backup they had tested, rather than losing it with the phone. Within the day, the practical harm is a stolen handset and an hour's administration. Afterwards the team looks at what happened and agrees a small improvement, a shorter auto-lock on field devices. The phone is gone. Nothing that mattered went with it, because the member had done the dull things in advance and the brave thing, reporting fast and honestly, in the moment.

Check Your Understanding

  1. Explain why keeping software updated and patched is described as the single highest-value device-security habit, referring to the fact that most successful attacks exploit known, unpatched holes. Why is software that is no longer supported a standing risk, and whose judgement is it whether a device used on Army business has aged out of being safe?
  2. A laptop used on Army business is lost. Explain how a screen lock and full-disk encryption each protect it, why encryption is the part people forget, and why a lost encrypted laptop is "a hardware cost" while a lost unencrypted one is "a breach". Then set out the 3-2-1 backup rule in full, and explain why testing the restore matters more than any of the three numbers.
  3. Describe the lost-or-stolen-device drill. Why is the worst thing about a lost device rarely the hardware, why must you report immediately rather than try to recover it yourself, and how does this tie to per-user certificates and keys such as the TAK .p12? Name two things you must not do when a device is lost.

Reflection (write a short paragraph): Take an honest look at the devices you use on Army business, by the device-hardening checklist in this lesson. Are automatic updates on, and are the devices still supported? Is each one locked with a strong passcode and encrypted? Do you install software only from trusted sources, and is anti-malware running and updating itself? Are you careful with public Wi-Fi and with what you plug in? And, most tellingly, are your important data backed up on the 3-2-1 rule, with a restore you have actually tested? Choose the two or three gaps that worry you most, decide what you will fix this week, and consider what you would do, in order, in the first five minutes after realising a device was stolen.

Summary

  • Your phone, laptop, and tablet are endpoints, the points where you meet the Principality's systems, and in a non-territorial state with no perimeter to guard they are a piece of the defences. Endpoint habits protect the device that holds your accounts, keys, and certificates, and sit alongside the account habits of the earlier lessons rather than replacing them.
  • Keeping software updated and patched is the single highest-value habit, because most successful attacks exploit known holes for which a fix already exists. Turn on automatic updates, install security updates promptly, keep the browser current, and retire devices and software too old to be supported, a judgement that for Army devices rests with the responsible person.
  • Lock and encrypt every device: a strong screen lock with a short auto-lock keeps an opportunist out of the running device, and full-disk encryption keeps the storage unreadable if the hardware is taken, turning a lost encrypted device from a breach into a hardware cost. Modern phones encrypt by default; switch it on for laptops.
  • Install software only from trusted sources, the official store or the maker's own site, never from unexpected attachments, links, or unofficial downloads, which echoes the phishing care of the previous lesson. Run anti-malware and let it update itself, but hold it as a backstop beneath patching, locking, encryption, and trusted sources, not a substitute for them.
  • Treat untrusted public Wi-Fi as hostile: use a VPN for anything sensitive, or your own mobile data, which connects to the channel discipline of SIG 220. Be wary of removable media, never plugging in a drive of unknown origin, and encrypt and minimise any media that carries Army information.
  • Back up important data on the 3-2-1 rule, three copies, two kinds of media, one off-site or offline, and test that you can restore, because tested backups are the answer to ransomware and loss and an untested backup is only a hope. Continuity is carried further in HCR 220.
  • If a device is lost or stolen, report immediately so its access and certificates can be revoked, because the danger is rarely the hardware but the credentials and per-user keys it holds, such as the TAK .p12. Do not try to recover it yourself, do not hide it or delay; report honestly and in full, follow direction, restore from backup, and let the team learn. It is the same disciplined response to trouble that runs through the whole course and into CIS 310.

Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia
