Welcome to your essential guide for Domain 2.0: Security, a critical component of the CompTIA A+ Core 2 (220-1102) exam. In an increasingly digital world, security is paramount. As an IT professional, you'll be responsible for safeguarding systems, data, and user privacy against a multitude of threats.
This guide delves into the core principles of security, covering physical and logical controls, wireless network security, malware protection and removal, understanding social engineering tactics, and fundamental incident response procedures. Mastering these concepts will empower you to implement robust security measures and protect valuable assets.
2.1 Physical Security Measures
The First Line of Defense
Physical security prevents unauthorized physical access to equipment, facilities, and resources. It is the foundation of any security strategy because if an attacker can physically touch your hardware, logical security controls (like passwords and firewalls) can often be bypassed given enough time and tools. Effective physical security employs the concept of "Defense in Depth": using multiple layers of controls so that if one fails, others are still in place.
Detailed Physical Security Controls
Access Control & Entry
- Locks (Conventional & Electronic): Deadbolts and key locks are standard, but electronic locks leveraging smart cards or PINs provide audit trails (logs of who entered and when).
- Mantraps (Access Control Vestibules): A small space with two interlocking doors. One door must close and lock before the second can open. This physically prevents tailgating (one person following another).
- Biometrics: Uses unique physical characteristics for authentication. Common types include fingerprint scanners, retinal/iris scanners, and facial recognition. Best Practice: Combine biometrics with a PIN (MFA) for high-security areas.
- Security Guards: Human presence is a powerful deterrent and allows for immediate judgment calls that automated systems cannot make.
Device & Perimeter Security
- Cable Locks (Kensington Locks): Essential for securing laptops, desktops, and projectors to immovable objects (like a desk frame) to prevent "grab-and-go" theft.
- USB Data Blockers: "Juice jacking" exploits USB charging ports to steal data. A data blocker allows power charging but physically disconnects the data pins.
- Video Surveillance (CCTV/IP Cameras): Acts as both a deterrent and a forensic tool. Modern IP cameras can use motion detection and night vision.
- Asset Tracking Tags: RFID tags or barcodes help track inventory. If a server is moved without authorization, sensors can trigger an alarm.
Real-World Scenario: The "Helpful" Employee
Situation: An attacker dressed in a generic repair uniform carries a ladder and a toolbox towards the secure server room entrance. They approach an employee who is swiping their badge to enter. The attacker smiles and says, "Sorry, my hands are full, could you hold the door?"
The Threat: This is a classic Tailgating (or Piggybacking) attempt utilizing Social Engineering.
Correct Response: The employee replies, "I cannot let you in without a badge," and directs them to the security desk. A policy of "No Tailgating" must be strictly enforced, even if it feels "rude."
Step-by-Step Procedure: Securing a New Workstation
- Positioning: Place the monitor so it is not visible from windows or public hallways (preventing shoulder surfing). Use a privacy filter if necessary.
- Physical Locking: Attach a cable lock to the chassis and secure it to the desk.
- BIOS/UEFI Password: Enable a BIOS/UEFI supervisor password to prevent unauthorized changes to boot order (stopping attackers from booting live USB OSs).
- Disable Ports: If high security, physically block unused USB ports or disable them in BIOS.
Common Mistakes to Avoid
- ✗ Propping Doors Open: Using a trash can to hold a secure door open for "ventilation" or convenience defeats the entire access control system.
- ✗ Badge Sharing: Using a colleague's badge because you forgot yours corrupts the audit logs and compromises accountability.
- ✗ Ignoring Alarms: Assuming a beeping door is just a "glitch" allows breaches to go unnoticed. Always investigate.
Quick Check: Physical Security
1. What is the primary purpose of a "mantrap"?
Answer: To prevent tailgating by ensuring one door closes before the next opens.
2. Which lock type prevents equipment theft?
Answer: A Cable Lock (Kensington lock).
2.2 Logical Security Controls
Protecting Data and Systems
While physical security protects hardware, logical security uses software and protocols to protect the data on that hardware. This domain covers the "AAA" framework: Authentication (proving who you are), Authorization (access levels), and Accounting (tracking actions).
Authentication & Authorization Framework
Multi-Factor Authentication (MFA)
MFA is the single most effective logical control. It requires users to present two or more different types of evidence (factors) to log in.
- Knowledge ("Something you know"): Passwords, PINs, security patterns.
- Possession ("Something you have"): Smart card, USB key (YubiKey), smartphone (authenticator app).
- Inherence ("Something you are"): Fingerprint, Face ID, retina scan.
Principle of Least Privilege
A core security tenet: users should have only the minimum access necessary to perform their job functions.
- Do not make regular users Local Administrators.
- If a user only needs to read a file, do not give them Write/Delete permissions.
- Review permissions regularly (Privilege Creep).
Password Best Practices
- Length over Complexity: Modern guidance (NIST) prefers long phrases (12-15+ chars) over short, complex codes.
- No Defaults: Immediately change default router/device passwords.
- History & Expiration: Enforce history (don't reuse the last 5 passwords) and expiration (change every 90 days), though mandatory expiration is debated in modern standards.
Encryption & System Hardening
- Full Disk Encryption (FDE): Tools like BitLocker (Windows) and FileVault (macOS) encrypt the entire drive. If a laptop is stolen, the data remains unreadable without the decryption key. Note: BitLocker typically requires a TPM (Trusted Platform Module) chip on the motherboard to store keys securely.
- Software Firewalls: Host-based firewalls (like Windows Defender Firewall) filter traffic entering and leaving a single device. This protects the device even if it connects to an untrusted public Wi-Fi network.
- Active Directory & Group Policy (GPO): In corporate environments, admins use GPOs to enforce security settings across all computers instantly (e.g., "Force screensaver lock after 5 minutes," "Disable USB drives").
Step-by-Step Procedure: Creating a Standard User Account
To ensure you aren't using an Administrator account for daily tasks (which is dangerous):
- Open Settings > Accounts > Family & other users (Windows).
- Click "Add account".
- Select "I don't have this person's sign-in information" > "Add a user without a Microsoft account" (for local test).
- Create username/password.
- Crucial Step: Ensure 'Account type' is set to Standard User, not Administrator. Standard users cannot install software or change system settings, effectively blocking most malware installation attempts.
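The same procedure from PowerShell, together with the least-privilege review and local password rules from the sections above. This is an added example, not part of the study guide: it assumes a Windows 10/11 machine with the built-in LocalAccounts module and an elevated session, and the account name "jdoe" and its description are made up.

```powershell
# Added example (not from the study guide): create a Standard (non-admin) local
# account, verify it is not an administrator, review who IS an administrator,
# and apply the guide's password history/expiration rules to local accounts.
# Assumes Windows 10/11, run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$UserName = 'jdoe'   # assumed sample account name

# Prompt for the password so it never sits in the script or the command history.
$Password = Read-Host -Prompt "Password for $UserName" -AsSecureString

# New-LocalUser creates the account; it does NOT add it to any group.
New-LocalUser -Name $UserName -Password $Password `
    -FullName 'Jane Doe (sample)' -Description 'Standard daily-use account' | Out-Null

# Membership of the local Users group (and not Administrators) is what makes
# this a "Standard User" in the Settings app.
Add-LocalGroupMember -Group 'Users' -Member $UserName

# Verification: the new account must not appear in the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -match "\\$($UserName)$") {
    Write-Warning "$UserName is an administrator; remove it from the Administrators group."
} else {
    Write-Host "$UserName is a standard user (not in Administrators)."
}

# Least-privilege review (Privilege Creep check): list every local account that
# holds admin rights. Anything other than a dedicated admin account needs a reason.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object ObjectClass -eq 'User' |
    ForEach-Object {
        $u = Get-LocalUser -Name ($_.Name -replace '^.*\\', '') -ErrorAction SilentlyContinue
        [pscustomobject]@{ Account = $_.Name; Enabled = $u.Enabled; LastLogon = $u.LastLogon }
    } | Format-Table -AutoSize

# Local password policy from the "Password Best Practices" list: minimum length 12,
# remember the last 5 passwords, expire after 90 days (domain machines get this via GPO).
net accounts /minpwlen:12 /uniquepw:5 /maxpwage:90
```

The explicit `Add-LocalGroupMember -Group 'Users'` line is the step people miss: an account created with `New-LocalUser` alone belongs to no group and cannot log on interactively, so it is neither a Standard User nor an Administrator until you place it.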
Common Mistakes to Avoid
- ✗ Sharing Accounts: Creating a generic "FrontDesk" login that everyone shares makes it impossible to trace who did what (Non-Repudiation fails).
- ✗ Leaving Guest Accounts Enabled: The default Guest account is a common entry point. Always disable it.
- ✗ Default Permissions: Assuming "Everyone" needs "Full Control" on a shared folder. Start with "Read-Only" and escalate only if needed.
Quick Check: Logical Security
1. Which AAA component is "Something you are"?
Answer: Inherence Factor (Biometrics like fingerprints).
2. Why use a Standard Account instead of Admin?
Answer: To prevent accidental system changes or malware installation (Least Privilege).
2.3 Wireless Security Protocols
Securing Wi-Fi Networks
Wireless networks broadcast data over radio waves, making them accessible to anyone within range. Without strong encryption and authentication, your data is open to the public. CompTIA A+ expects you to know which protocols are secure (WPA2/3) and which are deprecated (WEP/WPA).
Wireless Encryption Standards
The Gold Standards
- WPA3 (Wi-Fi Protected Access 3): The latest and most secure standard.
  - Uses Simultaneous Authentication of Equals (SAE) to replace the Pre-Shared Key exchange, making it immune to offline dictionary attacks (KRACK).
  - Uses GCMP-256 encryption (Enterprise mode).
- WPA2 (Wi-Fi Protected Access 2): The current industry workhorse.
  - Uses AES (Advanced Encryption Standard) with CCMP.
  - Secure for most uses, but older implementations have vulnerabilities.
Obsolete (Do Not Use)
- WEP (Wired Equivalent Privacy): Extremely insecure. Can be cracked in minutes using basic tools due to weak Initialization Vectors (IVs).
- WPA (Original): Uses TKIP (Temporal Key Integrity Protocol), which is now considered compromised.
- WPS (Wi-Fi Protected Setup): While convenient (push-button connect), it has major security flaws (PIN brute-force). Disable WPS immediately.
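A way to put the standards above to work on a Windows laptop: parse the output of `netsh wlan show networks mode=bssid` and rate each visible network by its authentication and cipher. This is an added example, not from the study guide. The `netsh` output below is a constructed sample in the tool's real format (the SSIDs are made up); on a live machine replace it with `netsh wlan show networks mode=bssid | Out-String`.

```powershell
# Added example (not from the study guide): rate visible Wi-Fi networks by the
# security they advertise, using the format "netsh wlan show networks mode=bssid"
# prints. $SampleNetsh is constructed; the SSIDs and values are made up.

$SampleNetsh = @'
Interface name : Wi-Fi
There are 4 networks currently visible.

SSID 1 : CoffeeShop-Free
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 2 : OldOfficeAP
    Network type            : Infrastructure
    Authentication          : WPA-Personal
    Encryption              : TKIP

SSID 3 : HomeNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP

SSID 4 : CorpSecure
    Network type            : Infrastructure
    Authentication          : WPA3-Personal
    Encryption              : CCMP
'@

function Get-WifiSecurityRating {
    param([string]$Authentication, [string]$Encryption)
    # Ordering follows the guide: WPA3 > WPA2 with AES/CCMP > WPA (TKIP) > WEP > Open.
    switch -Regex ($Authentication) {
        '^Open'  { return 'Unsafe: no authentication or encryption' }
        '^WEP'   { return 'Obsolete: WEP, crackable in minutes' }
        '^WPA-'  { return 'Obsolete: original WPA (TKIP)' }
        '^WPA2-' {
            if ($Encryption -eq 'TKIP') { return 'Weak: WPA2 downgraded to TKIP' }
            return 'Acceptable: WPA2 with AES-CCMP'
        }
        '^WPA3-' { return 'Good: WPA3 (SAE)' }
        default  { return "Unknown: $Authentication/$Encryption" }
    }
}

function ConvertFrom-NetshNetworks {
    param([string]$Text)
    $results = @(); $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^SSID \d+\s*:\s*(.*)$') {
            # A new "SSID n :" line starts a new network record.
            if ($current) { $results += $current }
            $current = [ordered]@{ SSID = $Matches[1].Trim(); Authentication = ''; Encryption = '' }
        } elseif ($current -and $line -match '^\s+(Authentication|Encryption)\s*:\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($current) { $results += $current }
    foreach ($n in $results) {
        [pscustomobject]@{
            SSID   = $n.SSID
            Auth   = $n.Authentication
            Cipher = $n.Encryption
            Rating = Get-WifiSecurityRating $n.Authentication $n.Encryption
        }
    }
}

ConvertFrom-NetshNetworks $SampleNetsh | Format-Table -AutoSize
```

On the sample, CoffeeShop-Free and OldOfficeAP are flagged, HomeNet is acceptable and CorpSecure is good. The cipher is checked separately from the authentication mode because a WPA2 access point can still be configured for TKIP, which loses most of what WPA2 is supposed to provide.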
Authentication Modes: Personal vs. Enterprise
| Mode | Mechanism | Best For |
|---|---|---|
| Personal (PSK) | Uses a single password (Pre-Shared Key) for all devices. | Home, Small Office (SOHO) |
| Enterprise (802.1x) | Authenticates individual users via a RADIUS/TACACS+ server. | Corporate, Large Business |
Checklist: Securing a SOHO Router
- Change Default Admin Credentials: Attackers know the default "admin/admin" logins for every major router brand. Change this immediately.
- Update Firmware: Router manufacturers patch security holes. Enable auto-update if available.
- Disable Remote Management: Ensure the router configuration page is not accessible from the internet (WAN side).
- Use Guest Network: Put IoT devices and visitors on a separate VLAN (Guest Network) so they cannot access your main file servers or printers.
Common Myths & Mistakes
- ✗ SSID Hiding (Disabling Broadcast): This is "Security by Obscurity." Wireless frames still contain the SSID, and scanners can easily find it. It annoys legitimate users more than it stops hackers.
- ✗ MAC Address Filtering: Whitelisting devices by MAC address is cumbersome to manage and easy to bypass (MAC spoofing takes seconds).
Quick Check: Wireless Security
1. Why is WEP considered insecure?
Answer: It uses weak Initialization Vectors (IVs) that can be cracked in minutes.
2. Which protocol uses SAE to prevent dictionary attacks?
Answer: WPA3.
2.4 Malware Protection & Removal
Combating Malicious Software
Malware (Malicious Software) comes in many forms, from annoying adware to destructive ransomware. As an A+ technician, you must know how to identify different infection types and, most importantly, follow the 7-Step Malware Removal Process rigorously to ensure the system is clean and safe.
Know Your Enemy: Malware Types
- Ransomware: Encrypts user files/systems and demands payment (crypto). Response: Do not pay. Restore from offline backups.
- Rootkits: Embeds deep into the OS kernel to hide itself. Extremely hard to detect. Response: Often requires OS reinstallation.
- Trojans: Disguises as legitimate software (e.g., "FreeAntivirus.exe") to trick users into installing it.
- Spyware/Keyloggers: Silently records keystrokes (passwords, credit cards) and browsing habits.
- Botnets (Zombies): Compromised computers controlled remotely by a "Bot Herder" for DDoS attacks.
- Viruses vs. Worms:
- Viruses need a host file and human action to run.
- Worms self-replicate and spread automatically over the network.
The 7-Step Malware Removal Process
1. Identify and research malware symptoms: Is it a slow PC? Pop-ups? Renamed files? Check error logs. Research the symptoms online safely.
2. Quarantine the infected system: Disconnect from the network (Wi-Fi/Ethernet) immediately to prevent spread. Isolate removable media.
3. Disable System Restore (Windows): Malware loves to hide in Restore Points. Disable it to delete all old points so you don't accidentally re-infect the PC later.
4. Remediate the infected systems:
   - Update anti-malware signatures (download on a clean PC if needed).
   - Scan and remove. Use multiple tools if necessary (e.g., Malwarebytes).
   - Use Safe Mode if the malware protects itself in normal mode.
5. Schedule scans and run updates: Re-enable automatic scanning. Run Windows Updates to patch the vulnerability that let the malware in initially.
6. Enable System Restore: Now that the system is clean, turn System Restore back on and manually create a new, clean restore point.
7. Educate the end user: Explain how they got infected (phishing link, bad download) and how to avoid it in the future.
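Steps 2 through 6 of the process as a PowerShell session on the infected machine. This is an added example, not part of the study guide: it assumes a Windows 10/11 PC using Microsoft Defender, run from an elevated prompt, and it reads the adapter list and system drive from the machine rather than hard-coding them. Steps 1 (research) and 7 (educate the user) are human tasks and are not scripted.

```powershell
# Added example (not from the study guide): steps 2-6 of the 7-step malware
# removal process with built-in Windows cmdlets (NetAdapter, System Restore,
# Microsoft Defender). Assumes Windows 10/11 and an elevated session.
#Requires -RunAsAdministrator

$SystemDrive = "$env:SystemDrive\"     # normally C:\

# Step 2 - Quarantine: remember which adapters were up, then take them all down.
$activeAdapters = Get-NetAdapter | Where-Object Status -eq 'Up'
$activeAdapters | Disable-NetAdapter -Confirm:$false

# Step 3 - Disable System Restore; this discards the existing (possibly infected)
# restore points so the malware cannot be restored later.
Disable-ComputerRestore -Drive $SystemDrive

# Step 4 - Remediate. Signatures cannot update while the box is offline: bring
# them in on clean media, or run Update-MpSignature after briefly re-enabling one
# adapter on an isolated VLAN. Then run a full scan and look at what was found.
# Update-MpSignature
Start-MpScan -ScanType FullScan
$threats = Get-MpThreatDetection
if ($threats) {
    $threats | Select-Object ThreatID, InitialDetectionTime, ProcessName | Format-Table -AutoSize
    Write-Warning 'Threats were detected; review Defender history and rescan (Safe Mode if needed).'
}

# Step 5 - Schedule scans and run updates: real-time protection back on and a
# daily full scan scheduled. Windows Update itself is then run from Settings.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -ScanScheduleDay Everyday -ScanParameters FullScan

# Step 6 - Re-enable System Restore and create a known-clean restore point.
Enable-ComputerRestore -Drive $SystemDrive
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType 'MODIFY_SETTINGS'

# Reconnect only the adapters that were up before, and only once the scan is clean.
if (-not $threats) {
    $activeAdapters | Enable-NetAdapter -Confirm:$false
}
```

Keeping the list of adapters that were up before the quarantine matters: re-enabling every disabled adapter at the end would also bring up interfaces that were deliberately disabled before the incident.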
Scenario: The "Unremovable" Virus
Issue: User complains that every time they remove a virus, it comes back after a reboot.
Solution: The malware is likely re-launching at startup (it has a persistence mechanism).
1. Boot into Safe Mode (minimal drivers, no startup apps).
2. Run the scan in Safe Mode.
3. If it persists, it might be a Rootkit or in the System Restore points (Step 3).
Quick Check: Malware
1. Why must you disable System Restore?
Answer: To remove infected restore points so the virus can't "come back to life."
2. What should you do *immediately* upon suspecting malware?
Answer: Quarantine the system (Disconnect from network/Internet).
2.6 Incident Response & Data Security
Handling Breaches and Protecting Data
How you react to a security breach is just as important as how you try to prevent it. A formalized Incident Response plan ensures that when things go wrong, the damage is minimized.
First Response Steps
A+ technicians are often the "First Responders." Your goal is to Identify and Protect.
- Identify the Incident: Confirm that a security breach is actually happening (distinguishing from a false alarm).
- Report via Proper Channels: Do not tweet about it! Notify your manager or the Security Operations Center (SOC) immediately. Escalation is key.
- Data & Device Preservation: Secure the area. If the machine is on, leave it on (to preserve RAM data). If off, leave it off.
- Chain of Custody: Document EXACTLY who had possession of the device and when.
- Documentation: Record what is on the screen, take photos, document specific error messages or behavior.
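A minimal chain-of-custody log for a collected evidence file, as an added example that is not part of the study guide. It records who handled the file, when, and its SHA-256 hash at every hand-off, so that later alteration is detectable. The file paths, handler names and the evidence content are constructed for the demonstration; a real collection would hash a disk image or memory dump instead.

```powershell
# Added example (not from the study guide): chain-of-custody log with integrity
# hashes. Paths, handler names and the sample "evidence" are constructed.

$Evidence   = Join-Path $env:TEMP 'evidence-sample.bin'   # assumed path
$CustodyLog = Join-Path $env:TEMP 'custody-log.csv'       # assumed path

# Constructed stand-in for a collected artifact.
Set-Content -Path $Evidence -Value 'constructed sample evidence data' -NoNewline

function Add-CustodyEntry {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Handler,
        [Parameter(Mandatory)][string]$Action
    )
    # Hash at every hand-off: a changed hash later means the evidence was altered.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        Handler      = $Handler
        Action       = $Action
        File         = $Path
        Sha256       = $hash
    } | Export-Csv -Path $CustodyLog -Append -NoTypeInformation
    return $hash
}

function Test-EvidenceIntegrity {
    param([Parameter(Mandatory)][string]$Path)
    # Compare the file's current hash with the first hash recorded for it.
    $first = Import-Csv $CustodyLog | Where-Object File -eq $Path | Select-Object -First 1
    $now   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return ($null -ne $first -and $first.Sha256 -eq $now)
}

Add-CustodyEntry -Path $Evidence -Handler 'Tech A (sample)' -Action 'Collected from workstation' | Out-Null
Add-CustodyEntry -Path $Evidence -Handler 'Analyst B (sample)' -Action 'Received for analysis' | Out-Null
Write-Host "Integrity intact: $(Test-EvidenceIntegrity -Path $Evidence)"

# Simulate an alteration of the sample file to show that the check catches it.
Add-Content -Path $Evidence -Value 'x'
Write-Host "Integrity intact after modification: $(Test-EvidenceIntegrity -Path $Evidence)"

Import-Csv $CustodyLog | Format-Table -AutoSize
```

The log is append-only by construction (`Export-Csv -Append`); in practice the custody log itself should live on separate, write-protected storage so the record of hand-offs cannot be edited by whoever holds the evidence.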
Data Destruction & Compliance
Secure Disposal Methods
- Shredding/Pulverizing: Physical destruction. Best for SSDs and Optical Discs.
- Degaussing: Uses magnets to wipe magnetic fields. Effective for HDDs and Tapes. (Does NOT work on SSDs!)
- Standard Formatting: Insecure. Data can be recovered.
- Low-Level Format / Overwrite: Writing zeros/random data over the whole drive. Harder to recover.
Regulated Data Types
- PII (Personally Identifiable Information): Names, SSNs, Addresses.
- PHI (Protected Health Information): Medical records (HIPAA).
- PCI-DSS: Credit card information.
- GDPR: EU citizen data protection/privacy (Right to be Forgotten).
Quick Check: Incident Response
1. Why should you NOT turn off a machine during an incident?
Answer: Turning it off clears the RAM, destroying volatile evidence.
2. Does Degaussing work on SSDs?
Answer: No, because SSDs use flash memory, not magnetic storage.
Authoritative Security Resources
For further reading and official standards, refer to these trusted organizations:
CompTIA Official Site
Official exam objectives and certification details for A+ 220-1102.
NIST Cybersecurity Framework
National Institute of Standards and Technology - Industry standard security guidelines.
CISA (Cybersecurity & Infrastructure Security Agency)
US Government's cyber defense agency resources and alerts.
OWASP (Open Worldwide Application Security Project)
Resources for understanding web application vulnerabilities and security.
CompTIA A+ Security FAQ
- What is the primary purpose of Multi-Factor Authentication (MFA)?
- The primary purpose of MFA is to add an extra layer of security beyond just a username and password. By requiring two or more different types of verification factors (something you know, have, or are), MFA makes it significantly harder for unauthorized users to gain access even if one factor (like a password) is compromised.
- As a first responder to a security incident, what is one of the most important initial steps?
- One of the most important initial steps is to identify that an incident has occurred and then report it through the proper channels according to your organization's policy. Proper reporting ensures that the incident is handled correctly and that the appropriate teams are involved. Before extensive action, documentation and evidence preservation (if applicable) are also crucial.
- Which method of secure data destruction is suitable for solid-state drives (SSDs)?
- For SSDs, degaussing is generally ineffective. Physical destruction (shredding, pulverizing) is the most reliable method. Some SSDs also support secure erase commands (ATA Secure Erase) built into their firmware, which can be effective, but physical destruction provides the highest assurance for highly sensitive data. Overwriting multiple times is less effective on SSDs due to wear-leveling algorithms.
2.5 Social Engineering & Common Threats
Exploiting Human Psychology
Social Engineering (or "Hacking the Human") is the art of manipulating people into clicking malicious links, downloading viruses, or revealing confidential information. Technological controls cannot stop a user who willingly (though unknowingly) hands over their credentials. Defense relies entirely on User Training and Awareness.
Common Social Engineering Ploys
Phishing Variations
Physical Contact Exploits
The Principles of Influence (Why it works)
Scenario: The "Invoice Overdue" Email
Situation: You receive an email from "billing@partner-company.com" (spoofed) saying an invoice is overdue and services will be cut off in 2 hours. It contains a "Click Here to Pay" button.
Correct Procedure:
1. Do Not Click: Hover over the link to see the actual URL.
2. Verify Headers: Check if the sender address matches the domain exactly.
3. Out-of-Band Verification: Call the contact you know at that company (using a known number, not the one in the email) to verify if the request is real.
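The first two checks of the procedure (where the link really goes, and whether the sender domain matches) automated over the raw message, as an added example that is not part of the study guide. The message is a constructed sample and every domain in it is made up; the script only reads headers and anchors, it never fetches any link. Out-of-band verification (step 3) remains a phone call.

```powershell
# Added example (not from the study guide): flag the tell-tale signs of the
# "invoice overdue" email. $SampleEmail is constructed; all domains are made up.

$SampleEmail = @'
From: Billing <billing@partner-company.com>
Reply-To: accounts@partner-c0mpany-billing.net
Return-Path: <bounce@mailer-xyz.example>
Subject: URGENT: Invoice overdue - service suspension in 2 hours

<p>Your invoice is overdue. Pay within 2 hours to avoid disconnection.</p>
<p><a href="http://partner-company.com.pay-secure.example/inv">Click Here to Pay</a></p>
<p><a href="https://partner-company.com/support">https://partner-company.com/support</a></p>
'@

function Get-MailDomain {
    param([string]$Address)
    # Strip "Display Name <addr>" and return the part after '@', lower-cased.
    if ($Address -match '<([^>]+)>') { $Address = $Matches[1] }
    return ($Address.Trim() -replace '^.*@', '').ToLowerInvariant()
}

function Get-UrlHost {
    param([string]$Url)
    try { return ([uri]$Url).Host.ToLowerInvariant() } catch { return $null }
}

function Test-SuspiciousEmail {
    param([string]$Raw)
    $findings = @()
    $headers  = @{}
    foreach ($line in ($Raw -split "`r?`n")) {
        if ($line -match '^([A-Za-z-]+):\s*(.*)$') { $headers[$Matches[1]] = $Matches[2] }
    }
    $fromDomain = Get-MailDomain $headers['From']

    # Check 2 (Verify Headers): replies and bounces should go back to the same domain.
    foreach ($h in 'Reply-To', 'Return-Path') {
        if ($headers[$h] -and (Get-MailDomain $headers[$h]) -ne $fromDomain) {
            $findings += "$h domain '$(Get-MailDomain $headers[$h])' differs from From domain '$fromDomain'"
        }
    }

    # Check 1 (Hover over the link): the displayed text is what the user sees,
    # the href is where the click really goes.
    $linkRegex = [regex]'<a\s+href="([^"]+)"[^>]*>(.*?)</a>'
    foreach ($m in $linkRegex.Matches($Raw)) {
        $href = $m.Groups[1].Value; $text = $m.Groups[2].Value
        $targetHost = Get-UrlHost $href
        if ($targetHost -and -not ($targetHost -eq $fromDomain -or $targetHost.EndsWith(".$fromDomain"))) {
            $findings += "Link '$text' goes to host '$targetHost', not the sender's domain"
        }
        if ($text -match '^https?://' -and (Get-UrlHost $text) -ne $targetHost) {
            $findings += "Link text shows '$text' but points to '$href'"
        }
    }

    # Urgency/scarcity pressure in the subject is the social-engineering tell.
    if ($headers['Subject'] -match 'urgent|overdue|suspen|within \d+ hours') {
        $findings += "Subject applies time pressure: '$($headers['Subject'])'"
    }
    return $findings
}

Test-SuspiciousEmail $SampleEmail
```

On the sample the function reports the mismatched Reply-To and Return-Path domains, the "Click Here to Pay" link whose host is `partner-company.com.pay-secure.example` (the real domain is the part after the last dot, not the prefix), and the urgency in the subject; the genuine support link raises nothing. The host comparison uses `EndsWith(".$fromDomain")` rather than a substring match precisely so that look-alike prefixes like this one are caught.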
Other Technical Threats
Quick Check: Social Engineering
1. Which principle relies on "Fear of Missing Out" (FOMO)?
Answer: Scarcity.
2. How should you verify a suspicious email from a "known" sender?
Answer: Out-of-band verification (call them).