By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
This guide covers the 10 A+ 220-1102 exam objectives related to security.
These objectives may comprise 25 percent of the exam questions: - Core 2 (220-1102): Objective 2.1: Summarize various security measures and their purposes. - Core 2 (220-1102): Objective 2.2: Compare and contrast wireless security protocols and authentication methods. - Core 2 (220-1102): Objective 2.3: Given a scenario, detect, remove, and prevent malware using appropriate tools and methods. - Core 2 (220-1102): Objective 2.4: Explain common social-engineering attacks, threats, and vulnerabilities. - Core 2 (220-1102): Objective 2.5: Given a scenario, manage and configure basic security settings in the Microsoft Windows OS. - Core 2 (220-1102): Objective 2.6: Given a scenario, configure a workstation to meet best practices for security. - Core 2 (220-1102): Objective 2.7: Explain common methods for securing mobile and embedded devices. - Core 2 (220-1102): Objective 2.8: Given a scenario, use common data destruction and disposal methods. - Core 2 (220-1102): Objective 2.9: Given a scenario, configure appropriate security settings on small office/home office (SOHO) wireless and wired networks. - Core 2 (220-1102): Objective 2.10: Given a scenario, install and configure browsers and relevant security settings. The most important asset most companies own is their data. Data has become so important to business success that it is what most thieves seek. Because of the interconnected nature of the Internet, a security breach of a single device or network can lead to data theft, including the theft of client financial data that can greatly affect the lives of millions. Large-scale data breaches have brought large companies to bankruptcy, so data security is among the top concerns of business leadership. In this guide, you learn about the multifaceted threats to security in the modern computing environment and how to mitigate them through the study of these CompTIA A+ Core 2 objectives.
This guide covers the following topics: - Physical security measures: Physical security practices and their implementation - Logical security concepts: Software-based security measures - Wireless security protocols and authentication: Types of wireless security and authentication - Malware removal and prevention: Methods and protocols for detection and prevention - Social engineering threats and vulnerabilities: The various types of threats - Microsoft Windows OS security settings: The important Microsoft security settings - Security best practices to secure a workstation: Implementation of best practices - Mobile device securing: Implementation methods for securing devices - Data destruction and disposal: Methods and techniques for safely and securely disposing of hardware - Security configuration on SOHO networks: Methods for configuring SOHO security - Browser security settings: Secure settings and practices in browsers Key Topics To Know: Security Measures Physical Security Access Control Vestibule Badge Reader Video Surveillance Alarm Systems Motion Sensors Guards Door Locks Equipment Locks Bollards Fences Physical Security for Staff Key Fobs Smart Card Keys Biometrics Lighting Magnetometers Privacy Screen Logical Security Concepts Principle of Least Privilege Access Control Lists Multifactor Authentication Email Hard Tokens Soft Tokens Short Message Service Voice Call Authentication Application Mobile Device Management Active Directory Wireless Security Protocols and Authentication Protocols and Encryption Authentication Single-Factor Multifactor RADIUS TACACS+ Kerberos Malware Removal and Prevention Malware Trojan Rootkit Virus Spyware Ransomware Keylogger Boot Sector Virus Cryptominers Tools and Methods Antivirus/Anti-malware Recovery Mode User Education Anti-Phishing Training OS Reinstallation Social Engineering Threats and Vulnerabilities Social Engineering Phishing Vishing Whaling Impersonation Shoulder Surfing Tailgating Dumpster Diving Evil Twin Threats DDoS DoS Zero-Day Spoofing On-Path Attack Brute Force Dictionary Attacks Insider Threat Structured Query Language (SQL) Injection Cross-Site Scripting (XSS) Vulnerabilities Noncompliant Systems Unpatched Systems Unprotected Systems EOL OSs Bring Your Own Device (BYOD) Microsoft Windows OS Security Settings Defender Antivirus Firewall Activate/Deactivate Port Security Application Security Access Control Users and Groups NTFS vs. Share Permissions Run as Administrator vs. Standard User User Account Control Login OS Options BitLocker BitLocker To Go EFS Security Best Practices to Secure a Workstation Data-at-Rest Encryption Password Best Practices Setting Strong Passwords Password Expiration Screensaver Required Password BIOS/UEFI Passwords Requiring Passwords End-User Best Practices Use Screensaver Locks Log Off When Not in Use Secure/Protect Critical Hardware Secure Personally Identifiable Information (PII) Account Management Restricting User Permissions Login Time Restrictions Disabling Guest Account Failed Attempts Lockout Changing Default Usernames and Passwords Disabling Autorun/AutoPlay Securing Mobile Devices Screen Locks Remote Wipes Locator Applications Remote Backup Applications Failed Login Attempts Restrictions Antivirus/Anti-malware Patches and OS Updates Biometric Authentication Full-Device Encryption Firewalls Policies and Procedures BYOD vs. Corporate-Owned Devices Profile Security Requirements Internet of Things Data Destruction and Disposal Physical Destruction Methods Recycling or Repurposing Best Practices Outsourcing Concepts Configuring Security on SOHO Networks Home Router Settings Change Default Passwords IP Filtering Firmware Updates Content Filtering Physical Placement/Secure Locations Dynamic Host Configuration Protocol (DHCP) Reservations Static WAN IP Universal Plug and Play Screened Subnet Wireless-Specific Security Changing the Service Set Identifier (SSID) Encryption Settings Disabling SSID Broadcast Disabling Guest Access Changing Channels Firewall Settings Port Forwarding/Mapping Disabling Ports Configuring Browser and Relevant Security Settings Browser Download and Installation Hashing Untrusted Sources Extensions and Plug-ins Password Managers Secure Connection/Sites—Valid Certificates Transport Layer Security (TLS) Hypertext Transfer Protocol Secure (HTTPS) Settings Pop-up Blocker Clearing Browsing Data Clearing the Cache Private Browsing Mode Sign-in/Browser Data Synchronization Ad Blockers 220-1102: Objective 2.1: Summarize various security measures and their purposes. Two basic categories of security exist: physical and logical. This section provides an in-depth look at both aspects of this vital topic. Physical Security Physical security of IT equipment is a fundamental first factor in a secure network. As mentioned earlier, data is typically the most valuable asset in a company; leaving it in an unlocked area is dangerous in two ways. First, computer equipment is valuable. A thief might want the equipment for its face value, not caring about the valuable data that it contains or the harm its release might do to customers. Second, an unlocked door is an invitation for someone to install sniffing equipment and gain access to company network assets that lie well beyond the physical room left unattended. In the realm of physical security, an IT professional must understand and practice several protective measures. Access Control Vestibule Some secure areas include an access control vestibule (formerly known as a mantrap), which is an area with two locking doors. A person might get past the first door by way of tailgating but likely will have difficulty getting past the second door, especially if there is a guard between the two doors. An access control vestibule essentially slows down the entry process, in hopes that any people sneaking in behind others will be thwarted before they gain entry to the secure area. If someone lacks the proper authentication, that person will be stranded in the access control vestibule until authorities arrive. Badge Reader Badge readers are devices that can interpret the data on a certain type of ID. Although photo IDs are still best assessed by humans, other types of IDs add extra security that badge readers can govern. ID badges and readers can use a variety of physical security methods, including the following: - Photos: If the bearer of the card doesn’t look like the person on the card, the bearer might be using someone else’s card and should be detained. - Barcodes and magnetic strips: The codes embedded on these cards carry a range of information about the bearers and can limit individuals’ access to only authorized areas of buildings. These cards can be read quickly by a barcode scanner or swipe device. - RFID technology: As with barcoded badges, cards with radio-frequency identification (RFID) chips can be used to open only doors that are matched to the RFID chip. They can also track movement within a building and provide other access data required by a security officer. To prevent undetected tampering, ID badges should be coated with a tamper-evident outer layer. Video Surveillance Cameras are ubiquitous, thanks to the explosive growth of the Internet of Things (IoT). They are affordable and can easily store recordings for security and historical reference. Video surveillance of secure areas is essential. Alarm Systems Alarms are common in many areas of security, from failed drive alarms in computers to hacking attempts in firewalls. Less sophisticated but just as essential are physical alarms that alert security personnel when doors are open or cables are moved. Motion Sensors When used with video and alarm systems, motion sensors can provide good physical security. Motion detectors can activate alarms and time-stamp events for tracking on video recordings. Guards A determined and skillful thief can foil even the best security plans. The best way to deter a thief is to use a mix of technical barriers and human interaction. Guards can be deployed in different ways. When employees enter the work area in the presence of a guard, best practices most likely will be followed and everyone will scan in and be authenticated. Without a guard, people might hold the door open for others whom they recognize but who say they misplaced their IDs. Knowing that someone is watching carefully keeps honest people honest and deters dishonest people. Another way to deploy guards is to have them watch several areas via security cameras that record access into and out of the buildings. Although this method is not as effective as posting a guard at each door, it allows fewer security guards to scan different areas for traffic behaviors that warrant further attention. Door Locks Of course, the easiest way to secure an area is to lock doors. This seems like an obvious statement, but it is surprisingly common for people to simply wander into unauthorized areas. Some organizations have written policies explaining how, when, and where to lock doors. Beyond the main entrances, you should also always lock server rooms, wiring closets, labs, and other technical rooms when they are not in use. Physical door locks might seem like a simple solution, but they can’t be taken over by hackers. Equipment Locks Most desktops, laptops, and other mobile devices such as projectors and docking stations feature a security slot. On a laptop, the slot is typically located near a rear corner (see Figure 7-1). A Security Slot on a Laptop This slot is used with a laptop cable lock, such as the one shown in Figure 7-2. Laptop locks use a combination or keyed lock and are designed to lock a laptop (or other secured device) to a fixed location, such as a table. Keep in mind that many types of equipment locks can be used for lockers or even server rack systems. A Combination Laptop Security Lock Bollards Bollards are short wood, metal, or concrete posts installed in sidewalks and driveways to allow pedestrian and bike traffic to pass while keeping larger vehicles away. They are often removable with key access, to allow maintenance vehicles and other necessary traffic to get close to buildings. Bollards are a passive way of keeping vehicles that could be listening for signals away from sensitive data centers. People coming and going from buildings also are easier to keep track of with video cameras. Fences Of course, the most fundamental security device is a fence. Fences are usually subject to building codes, so effective design is important. They should be as tall as possible, sturdy, and monitored. Physical Security for Staff This section highlights security methods and practices that allow access to those who need it and help keep out people (and their software) who try to compromise an organization’s secure areas. Key Fobs Key fobs can be used with a variety of security devices. Key fobs can contain RFID chips, and many are used as part of a two-step authentication process that works as follows: - The user carries a key fob that generates a code every 30 to 60 seconds. Every time the code changes on the fob, it is also matched in the authentication server. In some cases, the user must also log into the fob to see the access code, for an extra layer of security. - The user then logs into the system or restricted area, using the randomly generated access code displayed on the key fob’s LCD display. The authentication server matches the current code and allows access. A key fob used in this way is often referred to as a hardware token. Smart Card A smart card is a credit card–sized card that contains stored information and possibly also a simple microprocessor or an RFID chip. Smart cards can be used to store identification information for use in security applications and to store values for use in prepaid telephone or debit card services, hotel guest room access, and other functions. Smart cards are available in contact and contactless form factors. Contactless cards are also known as proximity cards. Readers for these cards are usually wall mounted so that users can scan their cards within 6 inches of a reader. A smart card–based security system includes smart cards, card readers that are designed to work with smart cards, and a back-end system that contains a database that stores a list of approved smart cards for each secured location. Smart card–based security systems can also secure individual personal computers. To further enhance security, smart card security systems can be multifactor, requiring the user to input a PIN or security password and then provide the smart card at secured checkpoints, such as the entrance to a computer room. Keys Keeping track of keys is essential. If keys are entrusted to a careless person or, worse, a dishonest employee, the entire security plan can fail. Document who has keys to server rooms and wiring closets, and periodically change the locks and keys. Cipher locks that use punch codes also enhance security. Using a combination of these methods provides greater protection. Biometrics Biometric security refers to the use of a person’s biological information, gathered from scans. The following main types are currently in use: - Retina (iris) scanning: This highly accurate technology is nearly impossible to foil, but it requires specialized equipment and can be expensive. - Fingerprint scanning: As with iris scanning, fingerprint scanning is highly accurate, but this type of biometric scan is much more affordable to implement. The scan gathers data on fingerprints and compares their features to data stored for matching. More than one fingerprint can be stored for reference. - Palmprint scanning: This scan is less accurate than fingerprint scanning because the palm scanner does not analyze the structure of the fingerprints; it merely gathers data on the size of the hand. Facial recognition is not listed in the A+ objectives, but it might become more common as technology improves, cost drops, and hygienic practices become more widespread since the arrival of COVID-19. Facial recognition involves storing photographs, however, and privacy issues are arising as a result. Lighting Maintaining well-lit areas is important, for many obvious and not-so-obvious reasons. With the advent of LED lighting, good lighting is no longer the cost and energy concern it used to be. Well-lit areas can provide safety for workers, enhanced readability of tiny labels when working with racks of equipment, and enhanced quality for video cameras and other security measures. Magnetometers The term magnetometer is simply another name for a metal detector, common to all airports and many public areas. Highly sensitive areas generally have restrictions on weapons; a magnetometer can identify concealed weapons, to enforce the rules and reduce the likelihood of a violent incident. Privacy Screen Privacy issues are important to any company that handles confidential data. When that data is being used on a workstation screen or mobile device, it needs to be protected from unintentional viewing. Data on a computer screen can be easily protected by installing a privacy screen, which is a transparent cover for a PC monitor or laptop display. It reduces the cone of vision, usually to about 30 degrees, so that only the person directly in front of the screen can see the content. Many of these screens are also antiglare, to reduce the user’s eye strain. Logical Security Concepts A computer is a combination of physical and logical systems, and security practices must address both of these sides of computing. The physical components of security addressed in the previous section are only part of a good security plan and will be ineffective if the security policies stop there. Addressing software (logical) security practices is essential as well. Principle of Least Privilege Applying the principle of least privilege means giving users access to only what they require to do their jobs. Most users in a business environment do not need administrative access to computers and should be restricted from functions that can compromise security. The principle of least privilege appears to be basic common sense, but it should not be taken lightly. When user accounts are created locally on a computer—especially on a domain—great care should be taken in assigning users to groups. Additionally, many programs ask during installation who can use and make modifications to the program; often the default is “all users.” Some technicians just accept the defaults when hastily installing programs, without realizing that they are giving users full control of the program. It is an important practice to give clients all they need, but to limit their access to only what they need. Access Control Lists Access control lists (ACLs) are lists of permissions or restriction rules for access to an object, such as a file or folder. ACLs control which users or groups can perform specific operations on specified files or folders. Multifactor Authentication A multifactor authentication (MFA) system uses two or more authentication methods and is far more secure than single-factor authentication. For example, consider a person gaining access to a system by using a digital code from a fob and then typing a username and password. The combination of the password and the digital token makes it very difficult for imposters to gain access to a system. Multifactor authentication is more secure than earlier versions of software tokens, which could be stolen. Factors of authentication are often broken down into something a user is (biometrics), something a user has (a token or access card), something a user knows (a personal identification number [PIN]), and where the user is located (geolocation). For example, automated teller machines (ATMs) use a common example of a multifactor authentication system, requiring both a “something you have” physical key (your ATM card) and a “something you know” PIN. Email Email is the most common way to attack an organization because its employees might fall for phishing attacks (described in the section, “Social Engineering Threats and Vulnerabilities”). Filtering can automatically organize email into folders, but from a security standpoint, its most important function is to block spam and potentially dangerous messages. Email filtering can be performed at the point of entry to a network with a specialized email filtering server or appliance, as well as by enabling the spam- and threat-detection features that are built into email clients or security software. Users can discard or quarantine spam or suspicious emails, as well as retrieve false positives that are actually legitimate messages from the spam folder and place them back into the normal inbox. Email protocols should be secured to ensure that email is encrypted. For example, by default, POP and IMAP email protocols are not secure. Using secure protocols such as POP3S (port 995) or IMAPS (port 993) allows the incoming data from the client to be encrypted because they use an SSL/TLS session. Hard Tokens A hard token is any physical device that a user must carry to gain access to a specific system. Examples are smart cards, RFID cards, USB tokens, and key fobs. (Key fob hardware tokens are explained earlier in this section.) Soft Tokens As with key fobs, mentioned in the previous section on physical security, software tokens (or soft tokens) are part of a multifactor authentication process. The difference is that software tokens exist in software and are commonly stored on devices. For example, logging into a secure system might require sending a soft token via SMS message to a smartphone for code authentication. Both hard tokens and soft tokens can be used in multifactor authentication, as described earlier in this section.
Short Message Service Short Message Service (SMS) is the standard format of text messaging between devices. Products might have their own message formats (for example, Apple uses iMessage on its devices), but SMS is a standard. SMS is usually used for multifactor soft tokens, described earlier. Voice Call Soft tokens can be authenticated with a voice callback. When a user logs in to a site, they might have to authenticate with a voice call and pressing a key provided by the service app on the phone. This is similar to the SMS login just described.
Authentication Application Multifactor authentication services provide apps that are downloadable to phones and other devices. This is an easy way to provide second-factor authentications after login. When logging into a restricted site, the service pushes a token to the user’s registered device. Simply touching a confirmation button suffices for a fast and secure login. Mobile Device Management Organizations that have many mobile devices need to administer them so that all devices and users comply with the security practices and policies in place. This is usually done with a suite of software known as mobile device management (MDM). The MDM marketplace is quite competitive, and several solutions are available from companies such as VMware (AirWatch), Citrix (XenMobile), and SOTI MobiControl. These products push updates and allow an administrator to configure many mobile devices from a central location. Good MDM software secures, monitors, manages, and supports multiple different mobile devices across the enterprise. Active Directory Active Directory is a Microsoft solution for managing users, computers, and information access in a network. It is based on a database of all resources and users that will be managed within the network. The information in the database determines what people can see and do within the network. A complete understanding of Active Directory is beyond the scope of this guide, but every IT support person should know the basics of what it is and how it works. Here are the basics: - Login script: When a user logs onto the network, Active Directory knows who that user is and runs a login script to make the assigned resources available. Examples of login tasks include virus updates, drive mappings, and printer assignments. - Domain: The domain is a computer network or group of computer networks under one administration. Users log into the Active Directory domain to access network resources within the domain. - Group Policy: This is a set of rules and instructions defining what a user or group of users can or cannot do when logged into the domain. A Group Policy Object (GPO) is a set of instructions assigned to a group of users or to certain machines on the network. - Organizational Unit (OU): OUs are logical groups that help organize users and computers so that GPOs can be assigned to them. For example, a team of accountants might be assigned to an OU, and their GPO might give them special access to financial records. - Home folder: This folder, which is accessible to the network administrator, is where the user’s data and files are kept locally. - Folder redirection: This allows for the work done by an OU to be saved on a common folder in the domain, as directed by the administrator instead of the user. For example, a policy might dictate that all work be kept in a common folder so that all members of a team can see the latest work and updates. - Security Groups: These provide an efficient way to assign user rights and permissions to approved users who are accessing resources on the network. Group Policy (earlier in the list) can be used to assign rights to security groups. Permissions can be assigned to a security group for shared resources at specific levels of access.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.