Fatskills
Practice. Master. Repeat.
Study Guide: CompTIA A+ Core Certification: The Basics of Security 1- Security Measures and Their Purposes
Source: https://www.fatskills.com/comptia-a-exam/chapter/comptia-a-core-certification-the-basics-of-security

CompTIA A+ Core Certification: The Basics of Security 1- Security Measures and Their Purposes

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~19 min read

This guide covers the 10 A+ 220-1102 exam objectives related to security.

These objectives may comprise 25 percent of the exam questions:
- Core 2 (220-1102): Objective 2.1: Summarize various security measures and their purposes.
- Core 2 (220-1102): Objective 2.2: Compare and contrast wireless security protocols and authentication methods.
- Core 2 (220-1102): Objective 2.3: Given a scenario, detect, remove, and prevent malware using appropriate tools and methods.
- Core 2 (220-1102): Objective 2.4: Explain common social-engineering attacks, threats, and vulnerabilities.
- Core 2 (220-1102): Objective 2.5: Given a scenario, manage and configure basic security settings in the Microsoft Windows OS.
- Core 2 (220-1102): Objective 2.6: Given a scenario, configure a workstation to meet best practices for security.
- Core 2 (220-1102): Objective 2.7: Explain common methods for securing mobile and embedded devices.
- Core 2 (220-1102): Objective 2.8: Given a scenario, use common data destruction and disposal methods.
- Core 2 (220-1102): Objective 2.9: Given a scenario, configure appropriate security settings on small office/home office (SOHO) wireless and wired networks.
- Core 2 (220-1102): Objective 2.10: Given a scenario, install and configure browsers and relevant security settings.

The most important asset most companies own is their data. Data has become so important to business success that it is what most thieves seek. Because of the interconnected nature of the Internet, a security breach of a single device or network can lead to data theft, including the theft of client financial data that can greatly affect the lives of millions. Large-scale data breaches have brought large companies to bankruptcy, so data security is among the top concerns of business leadership. In this guide, you learn about the multifaceted threats to security in the modern computing environment and how to mitigate them through the study of these CompTIA A+ Core 2 objectives.

This guide covers the following topics:
- Physical security measures:
Physical security practices and their implementation
- Logical security concepts: Software-based security measures
- Wireless security protocols and authentication: Types of wireless security and authentication
- Malware removal and prevention: Methods and protocols for detection and prevention
- Social engineering threats and vulnerabilities: The various types of threats
- Microsoft Windows OS security settings: The important Microsoft security settings
- Security best practices to secure a workstation: Implementation of best practices
- Mobile device securing: Implementation methods for securing devices
- Data destruction and disposal: Methods and techniques for safely and securely disposing of hardware
- Security configuration on SOHO networks: Methods for configuring SOHO security
- Browser security settings: Secure settings and practices in browsers

Key Topics To Know:
Security Measures
Physical Security
Access Control Vestibule
Badge Reader
Video Surveillance
Alarm Systems
Motion Sensors
Guards
Door Locks
Equipment Locks
Bollards
Fences
Physical Security for Staff
Key Fobs
Smart Card
Keys
Biometrics
Lighting
Magnetometers
Privacy Screen
Logical Security Concepts
Principle of Least Privilege
Access Control Lists
Multifactor Authentication
Email
Hard Tokens
Soft Tokens
Short Message Service
Voice Call
Authentication Application
Mobile Device Management
Active Directory
Wireless Security Protocols and Authentication
Protocols and Encryption
Authentication
Single-Factor
Multifactor
RADIUS
TACACS+
Kerberos
Malware Removal and Prevention
Malware
Trojan
Rootkit
Virus
Spyware
Ransomware
Keylogger
Boot Sector Virus
Cryptominers
Tools and Methods
Antivirus/Anti-malware
Recovery Mode
User Education
Anti-Phishing Training
OS Reinstallation
Social Engineering Threats and Vulnerabilities
Social Engineering
Phishing
Vishing
Whaling
Impersonation
Shoulder Surfing
Tailgating
Dumpster Diving
Evil Twin
Threats
DDoS
DoS
Zero-Day
Spoofing
On-Path Attack
Brute Force
Dictionary Attacks
Insider Threat
Structured Query Language (SQL) Injection
Cross-Site Scripting (XSS)
Vulnerabilities
Noncompliant Systems
Unpatched Systems
Unprotected Systems
EOL OSs
Bring Your Own Device (BYOD)
Microsoft Windows OS Security Settings
Defender Antivirus
Firewall
Activate/Deactivate
Port Security
Application Security
Access Control
Users and Groups
NTFS vs. Share Permissions
Run as Administrator vs. Standard User
User Account Control
Login OS Options
BitLocker
BitLocker To Go
EFS
Security Best Practices to Secure a Workstation
Data-at-Rest Encryption
Password Best Practices
Setting Strong Passwords
Password Expiration
Screensaver Required Password
BIOS/UEFI Passwords
Requiring Passwords
End-User Best Practices
Use Screensaver Locks
Log Off When Not in Use
Secure/Protect Critical Hardware
Secure Personally Identifiable Information (PII)
Account Management
Restricting User Permissions
Login Time Restrictions
Disabling Guest Account
Failed Attempts Lockout
Changing Default Usernames and Passwords
Disabling Autorun/AutoPlay
Securing Mobile Devices
Screen Locks
Remote Wipes
Locator Applications
Remote Backup Applications
Failed Login Attempts Restrictions
Antivirus/Anti-malware
Patches and OS Updates
Biometric Authentication
Full-Device Encryption
Firewalls
Policies and Procedures
BYOD vs. Corporate-Owned Devices
Profile Security Requirements
Internet of Things
Data Destruction and Disposal
Physical Destruction Methods
Recycling or Repurposing Best Practices
Outsourcing Concepts
Configuring Security on SOHO Networks
Home Router Settings
Change Default Passwords
IP Filtering
Firmware Updates
Content Filtering
Physical Placement/Secure Locations
Dynamic Host Configuration Protocol (DHCP) Reservations
Static WAN IP
Universal Plug and Play
Screened Subnet
Wireless-Specific Security
Changing the Service Set Identifier (SSID)
Encryption Settings
Disabling SSID Broadcast
Disabling Guest Access
Changing Channels
Firewall Settings
Port Forwarding/Mapping
Disabling Ports
Configuring Browser and Relevant Security Settings
Browser Download and Installation
Hashing
Untrusted Sources
Extensions and Plug-ins
Password Managers
Secure Connection/Sites—Valid Certificates
Transport Layer Security (TLS)
Hypertext Transfer Protocol Secure (HTTPS)
Settings
Pop-up Blocker
Clearing Browsing Data
Clearing the Cache
Private Browsing Mode
Sign-in/Browser Data Synchronization
Ad Blockers


220-1102: Objective 2.1: Summarize various security measures and their purposes.
Two basic categories of security exist: physical and logical. This section provides an in-depth look at both aspects of this vital topic.

Physical Security
Physical security of IT equipment is a fundamental first factor in a secure network.
As mentioned earlier, data is typically the most valuable asset in a company; leaving it in an unlocked area is dangerous in two ways. First, computer equipment is valuable. A thief might want the equipment for its face value, not caring about the valuable data that it contains or the harm its release might do to customers. Second, an unlocked door is an invitation for someone to install sniffing equipment and gain access to company network assets that lie well beyond the physical room left unattended. In the realm of physical security, an IT professional must understand and practice several protective measures.

Access Control Vestibule
Some secure areas include an access control vestibule (formerly known as a mantrap), which is an area with two locking doors.
A person might get past the first door by way of tailgating but likely will have difficulty getting past the second door, especially if there is a guard between the two doors. An access control vestibule essentially slows down the entry process, in hopes that any people sneaking in behind others will be thwarted before they gain entry to the secure area. If someone lacks the proper authentication, that person will be stranded in the access control vestibule until authorities arrive.

Badge Reader
Badge readers are devices that can interpret the data on a certain type of ID. Although photo IDs are still best assessed by humans, other types of IDs add extra security that badge readers can govern.

ID badges and readers can use a variety of physical security methods, including the following:
- Photos: If the bearer of the card doesn’t look like the person on the card, the bearer might be using someone else’s card and should be detained.
- Barcodes and magnetic strips: The codes embedded on these cards carry a range of information about the bearers and can limit individuals’ access to only authorized areas of buildings. These cards can be read quickly by a barcode scanner or swipe device.
- RFID technology: As with barcoded badges, cards with radio-frequency identification (RFID) chips can be used to open only doors that are matched to the RFID chip. They can also track movement within a building and provide other access data required by a security officer.
To prevent undetected tampering, ID badges should be coated with a tamper-evident outer layer.

Video Surveillance
Cameras are ubiquitous, thanks to the explosive growth of the Internet of Things (IoT).
They are affordable and can easily store recordings for security and historical reference. Video surveillance of secure areas is essential.

Alarm Systems
Alarms are common in many areas of security, from failed drive alarms in computers to hacking attempts in firewalls
. Less sophisticated but just as essential are physical alarms that alert security personnel when doors are open or cables are moved.

Motion Sensors
When used with video and alarm systems, motion sensors can provide good physical security.
Motion detectors can activate alarms and time-stamp events for tracking on video recordings.

Guards
A determined and skillful thief can foil even the best security plans.
The best way to deter a thief is to use a mix of technical barriers and human interaction. Guards can be deployed in different ways. When employees enter the work area in the presence of a guard, best practices most likely will be followed and everyone will scan in and be authenticated. Without a guard, people might hold the door open for others whom they recognize but who say they misplaced their IDs. Knowing that someone is watching carefully keeps honest people honest and deters dishonest people.
Another way to deploy guards is to have them watch several areas via security cameras that record access into and out of the buildings. Although this method is not as effective as posting a guard at each door, it allows fewer security guards to scan different areas for traffic behaviors that warrant further attention.

Door Locks
Of course, the easiest way to secure an area is to lock doors.
This seems like an obvious statement, but it is surprisingly common for people to simply wander into unauthorized areas. Some organizations have written policies explaining how, when, and where to lock doors. Beyond the main entrances, you should also always lock server rooms, wiring closets, labs, and other technical rooms when they are not in use. Physical door locks might seem like a simple solution, but they can’t be taken over by hackers.

Equipment Locks
Most desktops, laptops, and other mobile devices such as projectors and docking stations feature a security slot. On a laptop, the slot is typically located near a rear corner (see Figure 7-1).

Images
A Security Slot on a Laptop
This slot is used with a laptop cable lock, such as the one shown in Figure 7-2. Laptop locks use a combination or keyed lock and are designed to lock a laptop (or other secured device) to a fixed location, such as a table. Keep in mind that many types of equipment locks can be used for lockers or even server rack systems.

Images
A Combination Laptop Security Lock

Bollards
Bollards are short wood, metal, or concrete posts installed in sidewalks and driveways to allow pedestrian and bike traffic to pass while keeping larger vehicles away.
They are often removable with key access, to allow maintenance vehicles and other necessary traffic to get close to buildings. Bollards are a passive way of keeping vehicles that could be listening for signals away from sensitive data centers. People coming and going from buildings also are easier to keep track of with video cameras.

Fences
Of course, the most fundamental security device is a fence. Fences are usually subject to building codes, so effective design is important. They should be as tall as possible, sturdy, and monitored.

Physical Security for Staff
This section highlights security methods and practices that allow access to those who need it and help keep out people (and their software) who try to compromise an organization’s secure areas.

Key Fobs
Key fobs can be used with a variety of security devices.
Key fobs can contain RFID chips, and many are used as part of a two-step authentication process that works as follows:
- The user carries a key fob that generates a code every 30 to 60 seconds. Every time the code changes on the fob, it is also matched in the authentication server. In some cases, the user must also log into the fob to see the access code, for an extra layer of security.
- The user then logs into the system or restricted area, using the randomly generated access code displayed on the key fob’s LCD display. The authentication server matches the current code and allows access.
A key fob used in this way is often referred to as a hardware token.

Smart Card
A smart card is a credit card–sized card that contains stored information and possibly also a simple microprocessor or an RFID chip.
Smart cards can be used to store identification information for use in security applications and to store values for use in prepaid telephone or debit card services, hotel guest room access, and other functions. Smart cards are available in contact and contactless form factors.
Contactless cards are also known as proximity cards. Readers for these cards are usually wall mounted so that users can scan their cards within 6 inches of a reader.
A smart card–based security system includes smart cards, card readers that are designed to work with smart cards, and a back-end system that contains a database that stores a list of approved smart cards for each secured location. Smart card–based security systems can also secure individual personal computers.
To further enhance security, smart card security systems can be multifactor, requiring the user to input a PIN or security password and then provide the smart card at secured checkpoints, such as the entrance to a computer room.

Keys
Keeping track of keys is essential. If keys are entrusted to a careless person or, worse, a dishonest employee, the entire security plan can fail.
Document who has keys to server rooms and wiring closets, and periodically change the locks and keys. Cipher locks that use punch codes also enhance security. Using a combination of these methods provides greater protection.

Biometrics
Biometric security refers to the use of a person’s biological information, gathered from scans. The following main types are currently in use:
- Retina (iris) scannin
g: This highly accurate technology is nearly impossible to foil, but it requires specialized equipment and can be expensive.
- Fingerprint scanning: As with iris scanning, fingerprint scanning is highly accurate, but this type of biometric scan is much more affordable to implement. The scan gathers data on fingerprints and compares their features to data stored for matching. More than one fingerprint can be stored for reference.
- Palmprint scanning: This scan is less accurate than fingerprint scanning because the palm scanner does not analyze the structure of the fingerprints; it merely gathers data on the size of the hand.
Facial recognition is not listed in the A+ objectives, but it might become more common as technology improves, cost drops, and hygienic practices become more widespread since the arrival of COVID-19. Facial recognition involves storing photographs, however, and privacy issues are arising as a result.

Lighting
Maintaining well-lit areas is important, for many obvious and not-so-obvious reasons.
With the advent of LED lighting, good lighting is no longer the cost and energy concern it used to be. Well-lit areas can provide safety for workers, enhanced readability of tiny labels when working with racks of equipment, and enhanced quality for video cameras and other security measures.

Magnetometers
The term magnetometer is simply another name for a metal detector, common to all airports and many public areas. Highly sensitive areas generally have restrictions on weapons; a magnetometer can identify concealed weapons, to enforce the rules and reduce the likelihood of a violent incident.

Privacy Screen
Privacy issues are important to any company that handles confidential data
. When that data is being used on a workstation screen or mobile device, it needs to be protected from unintentional viewing. Data on a computer screen can be easily protected by installing a privacy screen, which is a transparent cover for a PC monitor or laptop display. It reduces the cone of vision, usually to about 30 degrees, so that only the person directly in front of the screen can see the content. Many of these screens are also antiglare, to reduce the user’s eye strain.

Logical Security Concepts
A computer is a combination of physical and logical systems, and security practices must address both of these sides of computing.
The physical components of security addressed in the previous section are only part of a good security plan and will be ineffective if the security policies stop there. Addressing software (logical) security practices is essential as well.

Principle of Least Privilege
Applying the principle of least privilege means giving users access to only what they require to do their jobs.
Most users in a business environment do not need administrative access to computers and should be restricted from functions that can compromise security.
The principle of least privilege appears to be basic common sense, but it should not be taken lightly. When user accounts are created locally on a computer—especially on a domain—great care should be taken in assigning users to groups. Additionally, many programs ask during installation who can use and make modifications to the program; often the default is “all users.” Some technicians just accept the defaults when hastily installing programs, without realizing that they are giving users full control of the program. It is an important practice to give clients all they need, but to limit their access to only what they need.

Access Control Lists
Access control lists (ACLs) are lists of permissions or restriction rules for access to an object, such as a file or folder. ACLs control which users or groups can perform specific operations on specified files or folders.

Multifactor Authentication
A multifactor authentication (MFA) system
uses two or more authentication methods and is far more secure than single-factor authentication. For example, consider a person gaining access to a system by using a digital code from a fob and then typing a username and password. The combination of the password and the digital token makes it very difficult for imposters to gain access to a system. Multifactor authentication is more secure than earlier versions of software tokens, which could be stolen.
Factors of authentication are often broken down into something a user is (biometrics), something a user has (a token or access card), something a user knows (a personal identification number [PIN]), and where the user is located (geolocation). For example, automated teller machines (ATMs) use a common example of a multifactor authentication system, requiring both a “something you have” physical key (your ATM card) and a “something you know” PIN.

Email
Email is the most common way to attack an organization because its employees might fall for phishing attacks (described in the section, “Social Engineering Threats and Vulnerabilities”). Filtering can automatically organize email into folders, but from a security standpoint, its most important function is to block spam and potentially dangerous messages.
Email filtering can be performed at the point of entry to a network with a specialized email filtering server or appliance, as well as by enabling the spam- and threat-detection features that are built into email clients or security software.
Users can discard or quarantine spam or suspicious emails, as well as retrieve false positives that are actually legitimate messages from the spam folder and place them back into the normal inbox.
Email protocols should be secured to ensure that email is encrypted. For example, by default, POP and IMAP email protocols are not secure. Using secure protocols such as POP3S (port 995) or IMAPS (port 993) allows the incoming data from the client to be encrypted because they use an SSL/TLS session.

Hard Tokens
A hard token is any physical device that a user must carry to gain access to a specific system. Examples are smart cards, RFID cards, USB tokens, and key fobs. (Key fob hardware tokens are explained earlier in this section.)

Soft Tokens
As with key fobs, mentioned in the previous section on physical security, software tokens (or soft tokens) are part of a multifactor authentication process. The difference is that software tokens exist in software and are commonly stored on devices. For example, logging into a secure system might require sending a soft token via SMS message to a smartphone for code authentication. Both hard tokens and soft tokens can be used in multifactor authentication, as described earlier in this section.
 

Short Message Service
Short Message Service (SMS) is the standard format of text messaging between devices. Products might have their own message formats (for example, Apple uses iMessage on its devices), but SMS is a standard. SMS is usually used for multifactor soft tokens, described earlier.

Voice Call
Soft tokens can be authenticated with a voice callback. When a user logs in to a site, they might have to authenticate with a voice call and pressing a key provided by the service app on the phone. This is similar to the SMS login just described.

Authentication Application
Multifactor authentication services provide apps that are downloadable to phones and other devices. This is an easy way to provide second-factor authentications after login. When logging into a restricted site, the service pushes a token to the user’s registered device. Simply touching a confirmation button suffices for a fast and secure login.

Mobile Device Management
Organizations that have many mobile devices need to administer them so that all devices and users comply with the security practices and policies in place. This is usually done with a suite of software known as mobile device management (MDM). The MDM marketplace is quite competitive, and several solutions are available from companies such as VMware (AirWatch), Citrix (XenMobile), and SOTI MobiControl. These products push updates and allow an administrator to configure many mobile devices from a central location. Good MDM software secures, monitors, manages, and supports multiple different mobile devices across the enterprise.

Active Directory
Active Directory is a Microsoft solution for managing users, computers, and information access in a network.
It is based on a database of all resources and users that will be managed within the network. The information in the database determines what people can see and do within the network. A complete understanding of Active Directory is beyond the scope of this guide, but every IT support person should know the basics of what it is and how it works. Here are the basics:
- Login script: When a user logs onto the network, Active Directory knows who that user is and runs a login script to make the assigned resources available. Examples of login tasks include virus updates, drive mappings, and printer assignments.
- Domain: The domain is a computer network or group of computer networks under one administration. Users log into the Active Directory domain to access network resources within the domain.
- Group Policy: This is a set of rules and instructions defining what a user or group of users can or cannot do when logged into the domain. A Group Policy Object (GPO) is a set of instructions assigned to a group of users or to certain machines on the network.
- Organizational Unit (OU): OUs are logical groups that help organize users and computers so that GPOs can be assigned to them. For example, a team of accountants might be assigned to an OU, and their GPO might give them special access to financial records.
- Home folder: This folder, which is accessible to the network administrator, is where the user’s data and files are kept locally.
- Folder redirection: This allows for the work done by an OU to be saved on a common folder in the domain, as directed by the administrator instead of the user. For example, a policy might dictate that all work be kept in a common folder so that all members of a team can see the latest work and updates.
- Security Groups: These provide an efficient way to assign user rights and permissions to approved users who are accessing resources on the network. Group Policy (earlier in the list) can be used to assign rights to security groups. Permissions can be assigned to a security group for shared resources at specific levels of access.



ADVERTISEMENT